From 3c7e97343065fc728dbdba27c1c1abd41847bd12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Nov 2018 01:33:08 +0100 Subject: [PATCH 0001/1383] Update for 4.1 Signed-off-by: Michael Niedermayer --- RELEASE | 2 +- doc/Doxyfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RELEASE b/RELEASE index ff2c9d1a30..7d5c902e77 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.0.git +4.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0891899505..452057c46b 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 4.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 1665ac6a446190c24c4875e2bab6f76132f7b05c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Nov 2018 01:36:21 +0100 Subject: [PATCH 0002/1383] RELEASE_NOTES: Based on the version from 4.0 Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..a24c9e6f44 --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌─────────────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 4.1 "al-Khwarizmi" │ + └─────────────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 4.1 "al-Khwarizmi", about 6 + months after the release of FFmpeg 4.0. + + A complete Changelog is available at the root of the project, and the + complete Git history on https://git.ffmpeg.org/gitweb/ffmpeg.git + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. From 5060a615c7389808a4006e2d3e9acb9562d6ebec Mon Sep 17 00:00:00 2001 From: Josh de Kock Date: Tue, 30 Oct 2018 14:38:41 +0000 Subject: [PATCH 0003/1383] fate/api-h264-slice-test: don't use ssize_t Fixes ticket #7521 Signed-off-by: James Almer (cherry picked from commit 8096f52049acb1861645815a54435b9fd2d5e77a) --- tests/api/api-h264-slice-test.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/tests/api/api-h264-slice-test.c b/tests/api/api-h264-slice-test.c index 57e7dc79c3..e68fa6e252 100644 --- a/tests/api/api-h264-slice-test.c +++ b/tests/api/api-h264-slice-test.c @@ -180,15 +180,12 @@ int main(int argc, char **argv) while(1) { uint16_t size = 0; - ssize_t ret = fread(&size, 1, sizeof(uint16_t), fd); - if (ret < 0) { - perror("Couldn't read size"); - exit(1); - } else if (ret != sizeof(uint16_t)) + size_t ret = fread(&size, 1, sizeof(uint16_t), fd); + if (ret != sizeof(uint16_t)) break; size = ntohs(size); ret = fread(p, 1, size, fd); - if (ret < 0 || ret != size) { + if (ret != size) { perror("Couldn't read data"); exit(1); } From 765fb1f224f61c563d3c82cfefbe44f43d452290 Mon Sep 17 00:00:00 2001 From: Josh de Kock Date: Tue, 30 Oct 2018 14:38:42 +0000 Subject: [PATCH 0004/1383] fate/api-h264-slice-test: use cleaner error handling Signed-off-by: James Almer (cherry picked from commit 1052578dadf72e400cee5ad2ad5dce899032d362) --- tests/api/api-h264-slice-test.c | 79 ++++++++++++++++++++------------- 1 file changed, 47 insertions(+), 32 deletions(-) diff --git a/tests/api/api-h264-slice-test.c b/tests/api/api-h264-slice-test.c index e68fa6e252..be03e80049 100644 --- a/tests/api/api-h264-slice-test.c +++ b/tests/api/api-h264-slice-test.c @@ -48,7 +48,7 @@ static int header = 0; -static void decode(AVCodecContext *dec_ctx, AVFrame *frame, +static int decode(AVCodecContext *dec_ctx, AVFrame *frame, AVPacket *pkt) { static uint64_t frame_cnt = 0; @@ -57,20 +57,20 @@ static void decode(AVCodecContext *dec_ctx, AVFrame *frame, ret = avcodec_send_packet(dec_ctx, pkt); if (ret < 0) { fprintf(stderr, "Error sending a packet for decoding: %s\n", av_err2str(ret)); - exit(1); + return ret; } while (ret >= 0) { const AVPixFmtDescriptor *desc; - char *sum; + char sum[AV_HASH_MAX_SIZE * 2 + 1]; struct AVHashContext *hash; ret = avcodec_receive_frame(dec_ctx, frame); if (ret == AVERROR(EAGAIN) || ret == AVERROR_EOF) { - return; + return 0; } else if (ret < 0) { fprintf(stderr, "Error during decoding: %s\n", av_err2str(ret)); - exit(1); + return ret; } if (!header) { @@ -87,9 +87,10 @@ static void decode(AVCodecContext *dec_ctx, AVFrame *frame, header = 1; } desc = av_pix_fmt_desc_get(dec_ctx->pix_fmt); - av_hash_alloc(&hash, "md5"); + if ((ret = av_hash_alloc(&hash, "md5")) < 0) { + return ret; + } av_hash_init(hash); - sum = av_mallocz(av_hash_get_size(hash) * 2 + 1); for (int i = 0; i < frame->height; i++) av_hash_update(hash, &frame->data[0][i * frame->linesize[0]], frame->width); @@ -104,25 +105,25 @@ static void decode(AVCodecContext *dec_ctx, AVFrame *frame, (frame->width * frame->height + 2 * (frame->height >> desc->log2_chroma_h) * (frame->width >> desc->log2_chroma_w)), sum); frame_cnt += 1; av_hash_freep(&hash); - av_free(sum); } + return 0; } int main(int argc, char **argv) { - const AVCodec *codec; + const AVCodec *codec = NULL; AVCodecContext *c = NULL; - AVFrame *frame; + AVFrame *frame = NULL; unsigned int threads; AVPacket *pkt; - FILE *fd; + FILE *file = NULL; char nal[MAX_SLICES * UINT16_MAX + AV_INPUT_BUFFER_PADDING_SIZE]; - int nals = 0; + int nals = 0, ret = 0; char *p = nal; if (argc < 4) { fprintf(stderr, "Usage: %s \n", argv[0]); - exit(1); + return -1; } if (!(threads = strtoul(argv[1], NULL, 0))) @@ -134,17 +135,20 @@ int main(int argc, char **argv) setmode(fileno(stdout), O_BINARY); #endif - if (!(pkt = av_packet_alloc())) - exit(1); + if (!(pkt = av_packet_alloc())) { + return -1; + } if (!(codec = avcodec_find_decoder(AV_CODEC_ID_H264))) { fprintf(stderr, "Codec not found\n"); - exit(1); + ret = -1; + goto err; } if (!(c = avcodec_alloc_context3(codec))) { fprintf(stderr, "Could not allocate video codec context\n"); - exit(1); + ret = -1; + goto err; } c->width = 352; @@ -154,15 +158,16 @@ int main(int argc, char **argv) c->thread_type = FF_THREAD_SLICE; c->thread_count = threads; - if (avcodec_open2(c, codec, NULL) < 0) { + if ((ret = avcodec_open2(c, codec, NULL)) < 0) { fprintf(stderr, "Could not open codec\n"); - exit(1); + goto err; } #if HAVE_THREADS if (c->active_thread_type != FF_THREAD_SLICE) { fprintf(stderr, "Couldn't activate slice threading: %d\n", c->active_thread_type); - exit(1); + ret = -1; + goto err; } #else fprintf(stderr, "WARN: not using threads, only checking decoding slice NALUs\n"); @@ -170,31 +175,37 @@ int main(int argc, char **argv) if (!(frame = av_frame_alloc())) { fprintf(stderr, "Could not allocate video frame\n"); - exit(1); + ret = -1; + goto err; } - if (!(fd = fopen(argv[2], "rb"))) { + if (!(file = fopen(argv[2], "rb"))) { fprintf(stderr, "Couldn't open NALU file: %s\n", argv[2]); - exit(1); + ret = -1; + goto err; } while(1) { uint16_t size = 0; - size_t ret = fread(&size, 1, sizeof(uint16_t), fd); + size_t ret = fread(&size, 1, sizeof(uint16_t), file); if (ret != sizeof(uint16_t)) break; + size = ntohs(size); - ret = fread(p, 1, size, fd); + ret = fread(p, 1, size, file); if (ret != size) { perror("Couldn't read data"); - exit(1); + goto err; } p += ret; if (++nals >= threads) { + int decret = 0; pkt->data = nal; pkt->size = p - nal; - decode(c, frame, pkt); + if ((decret = decode(c, frame, pkt)) < 0) { + goto err; + } memset(nal, 0, MAX_SLICES * UINT16_MAX + AV_INPUT_BUFFER_PADDING_SIZE); nals = 0; p = nal; @@ -204,15 +215,19 @@ int main(int argc, char **argv) if (nals) { pkt->data = nal; pkt->size = p - nal; - decode(c, frame, pkt); + if ((ret = decode(c, frame, pkt)) < 0) { + goto err; + } } - decode(c, frame, NULL); + ret = decode(c, frame, NULL); - fclose(fd); - avcodec_free_context(&c); +err: + if (file) + fclose(file); av_frame_free(&frame); + avcodec_free_context(&c); av_packet_free(&pkt); - return 0; + return ret; } From 041231fcd632a33506689e44e5b45f29ac4ce050 Mon Sep 17 00:00:00 2001 From: Philip Langdale Date: Wed, 24 Oct 2018 11:52:42 -0700 Subject: [PATCH 0005/1383] libavfilter/vf_yadif: Make frame management logic and options shareable I'm writing a cuda implementation of yadif, and while this obviously has a very different implementation of the actual filtering, all the frame management is unchanged. To avoid duplicating that logic, let's make it shareable. From the perspective of the existing filter, the only real change is introducing a function pointer for the filter() function so it can be specified for the specific filter. (cherry picked from commit 598f0f39271d6033588b4d8ccc672c5bdc85fec7) --- libavfilter/Makefile | 2 +- libavfilter/vf_yadif.c | 196 ++-------------------------------- libavfilter/yadif.h | 9 ++ libavfilter/yadif_common.c | 209 +++++++++++++++++++++++++++++++++++++ 4 files changed, 228 insertions(+), 188 deletions(-) create mode 100644 libavfilter/yadif_common.c diff --git a/libavfilter/Makefile b/libavfilter/Makefile index c35cd8f422..ffbcb40806 100644 --- a/libavfilter/Makefile +++ b/libavfilter/Makefile @@ -407,7 +407,7 @@ OBJS-$(CONFIG_WAVEFORM_FILTER) += vf_waveform.o OBJS-$(CONFIG_WEAVE_FILTER) += vf_weave.o OBJS-$(CONFIG_XBR_FILTER) += vf_xbr.o OBJS-$(CONFIG_XSTACK_FILTER) += vf_stack.o framesync.o -OBJS-$(CONFIG_YADIF_FILTER) += vf_yadif.o +OBJS-$(CONFIG_YADIF_FILTER) += vf_yadif.o yadif_common.o OBJS-$(CONFIG_ZMQ_FILTER) += f_zmq.o OBJS-$(CONFIG_ZOOMPAN_FILTER) += vf_zoompan.o OBJS-$(CONFIG_ZSCALE_FILTER) += vf_zscale.o diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index f58d8ac2bc..3107924932 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c @@ -22,7 +22,6 @@ #include "libavutil/avassert.h" #include "libavutil/cpu.h" #include "libavutil/common.h" -#include "libavutil/opt.h" #include "libavutil/pixdesc.h" #include "libavutil/imgutils.h" #include "avfilter.h" @@ -254,166 +253,6 @@ static void filter(AVFilterContext *ctx, AVFrame *dstpic, emms_c(); } -static int return_frame(AVFilterContext *ctx, int is_second) -{ - YADIFContext *yadif = ctx->priv; - AVFilterLink *link = ctx->outputs[0]; - int tff, ret; - - if (yadif->parity == -1) { - tff = yadif->cur->interlaced_frame ? - yadif->cur->top_field_first : 1; - } else { - tff = yadif->parity ^ 1; - } - - if (is_second) { - yadif->out = ff_get_video_buffer(link, link->w, link->h); - if (!yadif->out) - return AVERROR(ENOMEM); - - av_frame_copy_props(yadif->out, yadif->cur); - yadif->out->interlaced_frame = 0; - } - - filter(ctx, yadif->out, tff ^ !is_second, tff); - - if (is_second) { - int64_t cur_pts = yadif->cur->pts; - int64_t next_pts = yadif->next->pts; - - if (next_pts != AV_NOPTS_VALUE && cur_pts != AV_NOPTS_VALUE) { - yadif->out->pts = cur_pts + next_pts; - } else { - yadif->out->pts = AV_NOPTS_VALUE; - } - } - ret = ff_filter_frame(ctx->outputs[0], yadif->out); - - yadif->frame_pending = (yadif->mode&1) && !is_second; - return ret; -} - -static int checkstride(YADIFContext *yadif, const AVFrame *a, const AVFrame *b) -{ - int i; - for (i = 0; i < yadif->csp->nb_components; i++) - if (a->linesize[i] != b->linesize[i]) - return 1; - return 0; -} - -static void fixstride(AVFilterLink *link, AVFrame *f) -{ - AVFrame *dst = ff_default_get_video_buffer(link, f->width, f->height); - if(!dst) - return; - av_frame_copy_props(dst, f); - av_image_copy(dst->data, dst->linesize, - (const uint8_t **)f->data, f->linesize, - dst->format, dst->width, dst->height); - av_frame_unref(f); - av_frame_move_ref(f, dst); - av_frame_free(&dst); -} - -static int filter_frame(AVFilterLink *link, AVFrame *frame) -{ - AVFilterContext *ctx = link->dst; - YADIFContext *yadif = ctx->priv; - - av_assert0(frame); - - if (yadif->frame_pending) - return_frame(ctx, 1); - - if (yadif->prev) - av_frame_free(&yadif->prev); - yadif->prev = yadif->cur; - yadif->cur = yadif->next; - yadif->next = frame; - - if (!yadif->cur && - !(yadif->cur = av_frame_clone(yadif->next))) - return AVERROR(ENOMEM); - - if (checkstride(yadif, yadif->next, yadif->cur)) { - av_log(ctx, AV_LOG_VERBOSE, "Reallocating frame due to differing stride\n"); - fixstride(link, yadif->next); - } - if (checkstride(yadif, yadif->next, yadif->cur)) - fixstride(link, yadif->cur); - if (yadif->prev && checkstride(yadif, yadif->next, yadif->prev)) - fixstride(link, yadif->prev); - if (checkstride(yadif, yadif->next, yadif->cur) || (yadif->prev && checkstride(yadif, yadif->next, yadif->prev))) { - av_log(ctx, AV_LOG_ERROR, "Failed to reallocate frame\n"); - return -1; - } - - if (!yadif->prev) - return 0; - - if ((yadif->deint && !yadif->cur->interlaced_frame) || - ctx->is_disabled || - (yadif->deint && !yadif->prev->interlaced_frame && yadif->prev->repeat_pict) || - (yadif->deint && !yadif->next->interlaced_frame && yadif->next->repeat_pict) - ) { - yadif->out = av_frame_clone(yadif->cur); - if (!yadif->out) - return AVERROR(ENOMEM); - - av_frame_free(&yadif->prev); - if (yadif->out->pts != AV_NOPTS_VALUE) - yadif->out->pts *= 2; - return ff_filter_frame(ctx->outputs[0], yadif->out); - } - - yadif->out = ff_get_video_buffer(ctx->outputs[0], link->w, link->h); - if (!yadif->out) - return AVERROR(ENOMEM); - - av_frame_copy_props(yadif->out, yadif->cur); - yadif->out->interlaced_frame = 0; - - if (yadif->out->pts != AV_NOPTS_VALUE) - yadif->out->pts *= 2; - - return return_frame(ctx, 0); -} - -static int request_frame(AVFilterLink *link) -{ - AVFilterContext *ctx = link->src; - YADIFContext *yadif = ctx->priv; - int ret; - - if (yadif->frame_pending) { - return_frame(ctx, 1); - return 0; - } - - if (yadif->eof) - return AVERROR_EOF; - - ret = ff_request_frame(ctx->inputs[0]); - - if (ret == AVERROR_EOF && yadif->cur) { - AVFrame *next = av_frame_clone(yadif->next); - - if (!next) - return AVERROR(ENOMEM); - - next->pts = yadif->next->pts * 2 - yadif->cur->pts; - - filter_frame(ctx->inputs[0], next); - yadif->eof = 1; - } else if (ret < 0) { - return ret; - } - - return 0; -} - static av_cold void uninit(AVFilterContext *ctx) { YADIFContext *yadif = ctx->priv; @@ -492,6 +331,7 @@ static int config_props(AVFilterLink *link) } s->csp = av_pix_fmt_desc_get(link->format); + s->filter = filter; if (s->csp->comp[0].depth > 8) { s->filter_line = filter_line_c_16bit; s->filter_edges = filter_edges_16bit; @@ -507,37 +347,19 @@ static int config_props(AVFilterLink *link) } -#define OFFSET(x) offsetof(YADIFContext, x) -#define FLAGS AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_FILTERING_PARAM - -#define CONST(name, help, val, unit) { name, help, 0, AV_OPT_TYPE_CONST, {.i64=val}, INT_MIN, INT_MAX, FLAGS, unit } - -static const AVOption yadif_options[] = { - { "mode", "specify the interlacing mode", OFFSET(mode), AV_OPT_TYPE_INT, {.i64=YADIF_MODE_SEND_FRAME}, 0, 3, FLAGS, "mode"}, - CONST("send_frame", "send one frame for each frame", YADIF_MODE_SEND_FRAME, "mode"), - CONST("send_field", "send one frame for each field", YADIF_MODE_SEND_FIELD, "mode"), - CONST("send_frame_nospatial", "send one frame for each frame, but skip spatial interlacing check", YADIF_MODE_SEND_FRAME_NOSPATIAL, "mode"), - CONST("send_field_nospatial", "send one frame for each field, but skip spatial interlacing check", YADIF_MODE_SEND_FIELD_NOSPATIAL, "mode"), - - { "parity", "specify the assumed picture field parity", OFFSET(parity), AV_OPT_TYPE_INT, {.i64=YADIF_PARITY_AUTO}, -1, 1, FLAGS, "parity" }, - CONST("tff", "assume top field first", YADIF_PARITY_TFF, "parity"), - CONST("bff", "assume bottom field first", YADIF_PARITY_BFF, "parity"), - CONST("auto", "auto detect parity", YADIF_PARITY_AUTO, "parity"), - - { "deint", "specify which frames to deinterlace", OFFSET(deint), AV_OPT_TYPE_INT, {.i64=YADIF_DEINT_ALL}, 0, 1, FLAGS, "deint" }, - CONST("all", "deinterlace all frames", YADIF_DEINT_ALL, "deint"), - CONST("interlaced", "only deinterlace frames marked as interlaced", YADIF_DEINT_INTERLACED, "deint"), - - { NULL } +static const AVClass yadif_class = { + .class_name = "yadif", + .item_name = av_default_item_name, + .option = ff_yadif_options, + .version = LIBAVUTIL_VERSION_INT, + .category = AV_CLASS_CATEGORY_FILTER, }; -AVFILTER_DEFINE_CLASS(yadif); - static const AVFilterPad avfilter_vf_yadif_inputs[] = { { .name = "default", .type = AVMEDIA_TYPE_VIDEO, - .filter_frame = filter_frame, + .filter_frame = ff_yadif_filter_frame, }, { NULL } }; @@ -546,7 +368,7 @@ static const AVFilterPad avfilter_vf_yadif_outputs[] = { { .name = "default", .type = AVMEDIA_TYPE_VIDEO, - .request_frame = request_frame, + .request_frame = ff_yadif_request_frame, .config_props = config_props, }, { NULL } diff --git a/libavfilter/yadif.h b/libavfilter/yadif.h index d23d1380d0..32d6f4a0d4 100644 --- a/libavfilter/yadif.h +++ b/libavfilter/yadif.h @@ -19,6 +19,7 @@ #ifndef AVFILTER_YADIF_H #define AVFILTER_YADIF_H +#include "libavutil/opt.h" #include "libavutil/pixdesc.h" #include "avfilter.h" @@ -54,6 +55,8 @@ typedef struct YADIFContext { AVFrame *prev; AVFrame *out; + void (*filter)(AVFilterContext *ctx, AVFrame *dstpic, int parity, int tff); + /** * Required alignment for filter_line */ @@ -71,4 +74,10 @@ typedef struct YADIFContext { void ff_yadif_init_x86(YADIFContext *yadif); +int ff_yadif_filter_frame(AVFilterLink *link, AVFrame *frame); + +int ff_yadif_request_frame(AVFilterLink *link); + +extern const AVOption ff_yadif_options[]; + #endif /* AVFILTER_YADIF_H */ diff --git a/libavfilter/yadif_common.c b/libavfilter/yadif_common.c new file mode 100644 index 0000000000..19e8ac5281 --- /dev/null +++ b/libavfilter/yadif_common.c @@ -0,0 +1,209 @@ +/* + * Copyright (C) 2006-2011 Michael Niedermayer + * 2010 James Darnley + + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include "libavutil/avassert.h" +#include "libavutil/imgutils.h" +#include "internal.h" +#include "yadif.h" + +static int return_frame(AVFilterContext *ctx, int is_second) +{ + YADIFContext *yadif = ctx->priv; + AVFilterLink *link = ctx->outputs[0]; + int tff, ret; + + if (yadif->parity == -1) { + tff = yadif->cur->interlaced_frame ? + yadif->cur->top_field_first : 1; + } else { + tff = yadif->parity ^ 1; + } + + if (is_second) { + yadif->out = ff_get_video_buffer(link, link->w, link->h); + if (!yadif->out) + return AVERROR(ENOMEM); + + av_frame_copy_props(yadif->out, yadif->cur); + yadif->out->interlaced_frame = 0; + } + + yadif->filter(ctx, yadif->out, tff ^ !is_second, tff); + + if (is_second) { + int64_t cur_pts = yadif->cur->pts; + int64_t next_pts = yadif->next->pts; + + if (next_pts != AV_NOPTS_VALUE && cur_pts != AV_NOPTS_VALUE) { + yadif->out->pts = cur_pts + next_pts; + } else { + yadif->out->pts = AV_NOPTS_VALUE; + } + } + ret = ff_filter_frame(ctx->outputs[0], yadif->out); + + yadif->frame_pending = (yadif->mode&1) && !is_second; + return ret; +} + +static int checkstride(YADIFContext *yadif, const AVFrame *a, const AVFrame *b) +{ + int i; + for (i = 0; i < yadif->csp->nb_components; i++) + if (a->linesize[i] != b->linesize[i]) + return 1; + return 0; +} + +static void fixstride(AVFilterLink *link, AVFrame *f) +{ + AVFrame *dst = ff_default_get_video_buffer(link, f->width, f->height); + if(!dst) + return; + av_frame_copy_props(dst, f); + av_image_copy(dst->data, dst->linesize, + (const uint8_t **)f->data, f->linesize, + dst->format, dst->width, dst->height); + av_frame_unref(f); + av_frame_move_ref(f, dst); + av_frame_free(&dst); +} + +int ff_yadif_filter_frame(AVFilterLink *link, AVFrame *frame) +{ + AVFilterContext *ctx = link->dst; + YADIFContext *yadif = ctx->priv; + + av_assert0(frame); + + if (yadif->frame_pending) + return_frame(ctx, 1); + + if (yadif->prev) + av_frame_free(&yadif->prev); + yadif->prev = yadif->cur; + yadif->cur = yadif->next; + yadif->next = frame; + + if (!yadif->cur && + !(yadif->cur = av_frame_clone(yadif->next))) + return AVERROR(ENOMEM); + + if (checkstride(yadif, yadif->next, yadif->cur)) { + av_log(ctx, AV_LOG_VERBOSE, "Reallocating frame due to differing stride\n"); + fixstride(link, yadif->next); + } + if (checkstride(yadif, yadif->next, yadif->cur)) + fixstride(link, yadif->cur); + if (yadif->prev && checkstride(yadif, yadif->next, yadif->prev)) + fixstride(link, yadif->prev); + if (checkstride(yadif, yadif->next, yadif->cur) || (yadif->prev && checkstride(yadif, yadif->next, yadif->prev))) { + av_log(ctx, AV_LOG_ERROR, "Failed to reallocate frame\n"); + return -1; + } + + if (!yadif->prev) + return 0; + + if ((yadif->deint && !yadif->cur->interlaced_frame) || + ctx->is_disabled || + (yadif->deint && !yadif->prev->interlaced_frame && yadif->prev->repeat_pict) || + (yadif->deint && !yadif->next->interlaced_frame && yadif->next->repeat_pict) + ) { + yadif->out = av_frame_clone(yadif->cur); + if (!yadif->out) + return AVERROR(ENOMEM); + + av_frame_free(&yadif->prev); + if (yadif->out->pts != AV_NOPTS_VALUE) + yadif->out->pts *= 2; + return ff_filter_frame(ctx->outputs[0], yadif->out); + } + + yadif->out = ff_get_video_buffer(ctx->outputs[0], link->w, link->h); + if (!yadif->out) + return AVERROR(ENOMEM); + + av_frame_copy_props(yadif->out, yadif->cur); + yadif->out->interlaced_frame = 0; + + if (yadif->out->pts != AV_NOPTS_VALUE) + yadif->out->pts *= 2; + + return return_frame(ctx, 0); +} + +int ff_yadif_request_frame(AVFilterLink *link) +{ + AVFilterContext *ctx = link->src; + YADIFContext *yadif = ctx->priv; + int ret; + + if (yadif->frame_pending) { + return_frame(ctx, 1); + return 0; + } + + if (yadif->eof) + return AVERROR_EOF; + + ret = ff_request_frame(ctx->inputs[0]); + + if (ret == AVERROR_EOF && yadif->cur) { + AVFrame *next = av_frame_clone(yadif->next); + + if (!next) + return AVERROR(ENOMEM); + + next->pts = yadif->next->pts * 2 - yadif->cur->pts; + + ff_yadif_filter_frame(ctx->inputs[0], next); + yadif->eof = 1; + } else if (ret < 0) { + return ret; + } + + return 0; +} + +#define OFFSET(x) offsetof(YADIFContext, x) +#define FLAGS AV_OPT_FLAG_VIDEO_PARAM|AV_OPT_FLAG_FILTERING_PARAM + +#define CONST(name, help, val, unit) { name, help, 0, AV_OPT_TYPE_CONST, {.i64=val}, INT_MIN, INT_MAX, FLAGS, unit } + +const AVOption ff_yadif_options[] = { + { "mode", "specify the interlacing mode", OFFSET(mode), AV_OPT_TYPE_INT, {.i64=YADIF_MODE_SEND_FRAME}, 0, 3, FLAGS, "mode"}, + CONST("send_frame", "send one frame for each frame", YADIF_MODE_SEND_FRAME, "mode"), + CONST("send_field", "send one frame for each field", YADIF_MODE_SEND_FIELD, "mode"), + CONST("send_frame_nospatial", "send one frame for each frame, but skip spatial interlacing check", YADIF_MODE_SEND_FRAME_NOSPATIAL, "mode"), + CONST("send_field_nospatial", "send one frame for each field, but skip spatial interlacing check", YADIF_MODE_SEND_FIELD_NOSPATIAL, "mode"), + + { "parity", "specify the assumed picture field parity", OFFSET(parity), AV_OPT_TYPE_INT, {.i64=YADIF_PARITY_AUTO}, -1, 1, FLAGS, "parity" }, + CONST("tff", "assume top field first", YADIF_PARITY_TFF, "parity"), + CONST("bff", "assume bottom field first", YADIF_PARITY_BFF, "parity"), + CONST("auto", "auto detect parity", YADIF_PARITY_AUTO, "parity"), + + { "deint", "specify which frames to deinterlace", OFFSET(deint), AV_OPT_TYPE_INT, {.i64=YADIF_DEINT_ALL}, 0, 1, FLAGS, "deint" }, + CONST("all", "deinterlace all frames", YADIF_DEINT_ALL, "deint"), + CONST("interlaced", "only deinterlace frames marked as interlaced", YADIF_DEINT_INTERLACED, "deint"), + + { NULL } +}; From 67126555fc030e465806a84084e710f20c8a4775 Mon Sep 17 00:00:00 2001 From: Philip Langdale Date: Sun, 21 Oct 2018 13:49:16 -0700 Subject: [PATCH 0006/1383] avfilter/vf_yadif_cuda: CUDA accelerated yadif deinterlacer This is a cuda implementation of yadif, which gives us a way to do deinterlacing when using the nvdec hwaccel. In that scenario we don't have access to the nvidia deinterlacer. (cherry picked from commit d5272e94ab22bfc8f01fa3174e2c4664161ddf5a) --- Changelog | 1 + configure | 1 + doc/filters.texi | 58 +++++ libavfilter/Makefile | 1 + libavfilter/allfilters.c | 1 + libavfilter/version.h | 2 +- libavfilter/vf_yadif_cuda.c | 426 +++++++++++++++++++++++++++++++++++ libavfilter/vf_yadif_cuda.cu | 296 ++++++++++++++++++++++++ 8 files changed, 785 insertions(+), 1 deletion(-) create mode 100644 libavfilter/vf_yadif_cuda.c create mode 100644 libavfilter/vf_yadif_cuda.cu diff --git a/Changelog b/Changelog index 36c00b456a..97ea8e12c3 100644 --- a/Changelog +++ b/Changelog @@ -42,6 +42,7 @@ version 4.1: - xstack filter - pcm vidc decoder and encoder - (a)graphmonitor filter +- yadif_cuda filter version 4.0: diff --git a/configure b/configure index 01c3a1011d..5a5d0b0868 100755 --- a/configure +++ b/configure @@ -3481,6 +3481,7 @@ zscale_filter_deps="libzimg const_nan" scale_vaapi_filter_deps="vaapi" vpp_qsv_filter_deps="libmfx" vpp_qsv_filter_select="qsvvpp" +yadif_cuda_filter_deps="cuda_sdk" # examples avio_dir_cmd_deps="avformat avutil" diff --git a/doc/filters.texi b/doc/filters.texi index 4345a4931b..5d4bfd2e8e 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -17943,6 +17943,64 @@ filter"). It accepts the following parameters: +@table @option + +@item mode +The interlacing mode to adopt. It accepts one of the following values: + +@table @option +@item 0, send_frame +Output one frame for each frame. +@item 1, send_field +Output one frame for each field. +@item 2, send_frame_nospatial +Like @code{send_frame}, but it skips the spatial interlacing check. +@item 3, send_field_nospatial +Like @code{send_field}, but it skips the spatial interlacing check. +@end table + +The default value is @code{send_frame}. + +@item parity +The picture field parity assumed for the input interlaced video. It accepts one +of the following values: + +@table @option +@item 0, tff +Assume the top field is first. +@item 1, bff +Assume the bottom field is first. +@item -1, auto +Enable automatic detection of field parity. +@end table + +The default value is @code{auto}. +If the interlacing is unknown or the decoder does not export this information, +top field first will be assumed. + +@item deint +Specify which frames to deinterlace. Accept one of the following +values: + +@table @option +@item 0, all +Deinterlace all frames. +@item 1, interlaced +Only deinterlace frames marked as interlaced. +@end table + +The default value is @code{all}. +@end table + +@section yadif_cuda + +Deinterlace the input video using the @ref{yadif} algorithm, but implemented +in CUDA so that it can work as part of a GPU accelerated pipeline with nvdec +and/or nvenc. + +It accepts the following parameters: + + @table @option @item mode diff --git a/libavfilter/Makefile b/libavfilter/Makefile index ffbcb40806..4b78b29fad 100644 --- a/libavfilter/Makefile +++ b/libavfilter/Makefile @@ -408,6 +408,7 @@ OBJS-$(CONFIG_WEAVE_FILTER) += vf_weave.o OBJS-$(CONFIG_XBR_FILTER) += vf_xbr.o OBJS-$(CONFIG_XSTACK_FILTER) += vf_stack.o framesync.o OBJS-$(CONFIG_YADIF_FILTER) += vf_yadif.o yadif_common.o +OBJS-$(CONFIG_YADIF_CUDA_FILTER) += vf_yadif_cuda.o vf_yadif_cuda.ptx.o yadif_common.o OBJS-$(CONFIG_ZMQ_FILTER) += f_zmq.o OBJS-$(CONFIG_ZOOMPAN_FILTER) += vf_zoompan.o OBJS-$(CONFIG_ZSCALE_FILTER) += vf_zscale.o diff --git a/libavfilter/allfilters.c b/libavfilter/allfilters.c index d5a211bda5..c40c7e3a3c 100644 --- a/libavfilter/allfilters.c +++ b/libavfilter/allfilters.c @@ -389,6 +389,7 @@ extern AVFilter ff_vf_weave; extern AVFilter ff_vf_xbr; extern AVFilter ff_vf_xstack; extern AVFilter ff_vf_yadif; +extern AVFilter ff_vf_yadif_cuda; extern AVFilter ff_vf_zmq; extern AVFilter ff_vf_zoompan; extern AVFilter ff_vf_zscale; diff --git a/libavfilter/version.h b/libavfilter/version.h index 91c37509b4..9f0a9966eb 100644 --- a/libavfilter/version.h +++ b/libavfilter/version.h @@ -31,7 +31,7 @@ #define LIBAVFILTER_VERSION_MAJOR 7 #define LIBAVFILTER_VERSION_MINOR 40 -#define LIBAVFILTER_VERSION_MICRO 100 +#define LIBAVFILTER_VERSION_MICRO 101 #define LIBAVFILTER_VERSION_INT AV_VERSION_INT(LIBAVFILTER_VERSION_MAJOR, \ LIBAVFILTER_VERSION_MINOR, \ diff --git a/libavfilter/vf_yadif_cuda.c b/libavfilter/vf_yadif_cuda.c new file mode 100644 index 0000000000..be22344d9d --- /dev/null +++ b/libavfilter/vf_yadif_cuda.c @@ -0,0 +1,426 @@ +/* + * Copyright (C) 2018 Philip Langdale + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#include +#include "libavutil/avassert.h" +#include "libavutil/hwcontext_cuda.h" +#include "internal.h" +#include "yadif.h" + +extern char vf_yadif_cuda_ptx[]; + +typedef struct DeintCUDAContext { + YADIFContext yadif; + + AVCUDADeviceContext *hwctx; + AVBufferRef *device_ref; + AVBufferRef *input_frames_ref; + AVHWFramesContext *input_frames; + + CUcontext cu_ctx; + CUstream stream; + CUmodule cu_module; + CUfunction cu_func_uchar; + CUfunction cu_func_uchar2; + CUfunction cu_func_ushort; + CUfunction cu_func_ushort2; +} DeintCUDAContext; + +#define DIV_UP(a, b) ( ((a) + (b) - 1) / (b) ) +#define ALIGN_UP(a, b) (((a) + (b) - 1) & ~((b) - 1)) +#define BLOCKX 32 +#define BLOCKY 16 + +static int check_cu(AVFilterContext *avctx, CUresult err, const char *func) +{ + const char *err_name; + const char *err_string; + + av_log(avctx, AV_LOG_TRACE, "Calling %s\n", func); + + if (err == CUDA_SUCCESS) + return 0; + + cuGetErrorName(err, &err_name); + cuGetErrorString(err, &err_string); + + av_log(avctx, AV_LOG_ERROR, "%s failed", func); + if (err_name && err_string) + av_log(avctx, AV_LOG_ERROR, " -> %s: %s", err_name, err_string); + av_log(avctx, AV_LOG_ERROR, "\n"); + + return AVERROR_EXTERNAL; +} + +#define CHECK_CU(x) check_cu(ctx, (x), #x) + +static CUresult call_kernel(AVFilterContext *ctx, CUfunction func, + CUdeviceptr prev, CUdeviceptr cur, CUdeviceptr next, + CUarray_format format, int channels, + int src_width, // Width is pixels per channel + int src_height, // Height is pixels per channel + int src_pitch, // Pitch is bytes + CUdeviceptr dst, + int dst_width, // Width is pixels per channel + int dst_height, // Height is pixels per channel + int dst_pitch, // Pitch is pixels per channel + int parity, int tff) +{ + DeintCUDAContext *s = ctx->priv; + CUtexObject tex_prev = 0, tex_cur = 0, tex_next = 0; + CUresult err; + int skip_spatial_check = s->yadif.mode&2; + + void *args[] = { &dst, &tex_prev, &tex_cur, &tex_next, + &dst_width, &dst_height, &dst_pitch, + &src_width, &src_height, &parity, &tff, + &skip_spatial_check }; + + CUDA_TEXTURE_DESC tex_desc = { + .filterMode = CU_TR_FILTER_MODE_POINT, + .flags = CU_TRSF_READ_AS_INTEGER, + }; + + CUDA_RESOURCE_DESC res_desc = { + .resType = CU_RESOURCE_TYPE_PITCH2D, + .res.pitch2D.format = format, + .res.pitch2D.numChannels = channels, + .res.pitch2D.width = src_width, + .res.pitch2D.height = src_height, + .res.pitch2D.pitchInBytes = src_pitch, + }; + + res_desc.res.pitch2D.devPtr = (CUdeviceptr)prev; + err = CHECK_CU(cuTexObjectCreate(&tex_prev, &res_desc, &tex_desc, NULL)); + if (err != CUDA_SUCCESS) { + goto exit; + } + + res_desc.res.pitch2D.devPtr = (CUdeviceptr)cur; + err = CHECK_CU(cuTexObjectCreate(&tex_cur, &res_desc, &tex_desc, NULL)); + if (err != CUDA_SUCCESS) { + goto exit; + } + + res_desc.res.pitch2D.devPtr = (CUdeviceptr)next; + err = CHECK_CU(cuTexObjectCreate(&tex_next, &res_desc, &tex_desc, NULL)); + if (err != CUDA_SUCCESS) { + goto exit; + } + + err = CHECK_CU(cuLaunchKernel(func, + DIV_UP(dst_width, BLOCKX), DIV_UP(dst_height, BLOCKY), 1, + BLOCKX, BLOCKY, 1, + 0, s->stream, args, NULL)); + +exit: + if (tex_prev) + CHECK_CU(cuTexObjectDestroy(tex_prev)); + if (tex_cur) + CHECK_CU(cuTexObjectDestroy(tex_cur)); + if (tex_next) + CHECK_CU(cuTexObjectDestroy(tex_next)); + + return err; +} + +static void filter(AVFilterContext *ctx, AVFrame *dst, + int parity, int tff) +{ + DeintCUDAContext *s = ctx->priv; + YADIFContext *y = &s->yadif; + CUcontext dummy; + CUresult err; + int i; + + err = CHECK_CU(cuCtxPushCurrent(s->cu_ctx)); + if (err != CUDA_SUCCESS) { + goto exit; + } + + for (i = 0; i < y->csp->nb_components; i++) { + CUfunction func; + CUarray_format format; + int pixel_size, channels; + const AVComponentDescriptor *comp = &y->csp->comp[i]; + + if (comp->plane < i) { + // We process planes as a whole, so don't reprocess + // them for additional components + continue; + } + + pixel_size = (comp->depth + comp->shift) / 8; + channels = comp->step / pixel_size; + if (pixel_size > 2 || channels > 2) { + av_log(ctx, AV_LOG_ERROR, "Unsupported pixel format: %s\n", y->csp->name); + goto exit; + } + switch (pixel_size) { + case 1: + func = channels == 1 ? s->cu_func_uchar : s->cu_func_uchar2; + format = CU_AD_FORMAT_UNSIGNED_INT8; + break; + case 2: + func = channels == 1 ? s->cu_func_ushort : s->cu_func_ushort2; + format = CU_AD_FORMAT_UNSIGNED_INT16; + break; + default: + av_log(ctx, AV_LOG_ERROR, "Unsupported pixel format: %s\n", y->csp->name); + goto exit; + } + av_log(ctx, AV_LOG_TRACE, + "Deinterlacing plane %d: pixel_size: %d channels: %d\n", + comp->plane, pixel_size, channels); + call_kernel(ctx, func, + (CUdeviceptr)y->prev->data[i], + (CUdeviceptr)y->cur->data[i], + (CUdeviceptr)y->next->data[i], + format, channels, + AV_CEIL_RSHIFT(y->cur->width, i ? y->csp->log2_chroma_w : 0), + AV_CEIL_RSHIFT(y->cur->height, i ? y->csp->log2_chroma_h : 0), + y->cur->linesize[i], + (CUdeviceptr)dst->data[i], + AV_CEIL_RSHIFT(dst->width, i ? y->csp->log2_chroma_w : 0), + AV_CEIL_RSHIFT(dst->height, i ? y->csp->log2_chroma_h : 0), + dst->linesize[i] / comp->step, + parity, tff); + } + + err = CHECK_CU(cuStreamSynchronize(s->stream)); + if (err != CUDA_SUCCESS) { + goto exit; + } + +exit: + CHECK_CU(cuCtxPopCurrent(&dummy)); + return; +} + +static av_cold void deint_cuda_uninit(AVFilterContext *ctx) +{ + CUcontext dummy; + DeintCUDAContext *s = ctx->priv; + YADIFContext *y = &s->yadif; + + if (s->cu_module) { + CHECK_CU(cuCtxPushCurrent(s->cu_ctx)); + CHECK_CU(cuModuleUnload(s->cu_module)); + CHECK_CU(cuCtxPopCurrent(&dummy)); + } + + av_frame_free(&y->prev); + av_frame_free(&y->cur); + av_frame_free(&y->next); + + av_buffer_unref(&s->device_ref); + s->hwctx = NULL; + av_buffer_unref(&s->input_frames_ref); + s->input_frames = NULL; +} + +static int deint_cuda_query_formats(AVFilterContext *ctx) +{ + enum AVPixelFormat pix_fmts[] = { + AV_PIX_FMT_CUDA, AV_PIX_FMT_NONE, + }; + int ret; + + if ((ret = ff_formats_ref(ff_make_format_list(pix_fmts), + &ctx->inputs[0]->out_formats)) < 0) + return ret; + if ((ret = ff_formats_ref(ff_make_format_list(pix_fmts), + &ctx->outputs[0]->in_formats)) < 0) + return ret; + + return 0; +} + +static int config_input(AVFilterLink *inlink) +{ + AVFilterContext *ctx = inlink->dst; + DeintCUDAContext *s = ctx->priv; + + if (!inlink->hw_frames_ctx) { + av_log(ctx, AV_LOG_ERROR, "A hardware frames reference is " + "required to associate the processing device.\n"); + return AVERROR(EINVAL); + } + + s->input_frames_ref = av_buffer_ref(inlink->hw_frames_ctx); + if (!s->input_frames_ref) { + av_log(ctx, AV_LOG_ERROR, "A input frames reference create " + "failed.\n"); + return AVERROR(ENOMEM); + } + s->input_frames = (AVHWFramesContext*)s->input_frames_ref->data; + + return 0; +} + +static int config_output(AVFilterLink *link) +{ + AVHWFramesContext *output_frames; + AVFilterContext *ctx = link->src; + DeintCUDAContext *s = ctx->priv; + YADIFContext *y = &s->yadif; + int ret = 0; + CUcontext dummy; + CUresult err; + + av_assert0(s->input_frames); + s->device_ref = av_buffer_ref(s->input_frames->device_ref); + if (!s->device_ref) { + av_log(ctx, AV_LOG_ERROR, "A device reference create " + "failed.\n"); + return AVERROR(ENOMEM); + } + s->hwctx = ((AVHWDeviceContext*)s->device_ref->data)->hwctx; + s->cu_ctx = s->hwctx->cuda_ctx; + s->stream = s->hwctx->stream; + + link->hw_frames_ctx = av_hwframe_ctx_alloc(s->device_ref); + if (!link->hw_frames_ctx) { + av_log(ctx, AV_LOG_ERROR, "Failed to create HW frame context " + "for output.\n"); + ret = AVERROR(ENOMEM); + goto exit; + } + + output_frames = (AVHWFramesContext*)link->hw_frames_ctx->data; + + output_frames->format = AV_PIX_FMT_CUDA; + output_frames->sw_format = s->input_frames->sw_format; + output_frames->width = ctx->inputs[0]->w; + output_frames->height = ctx->inputs[0]->h; + + output_frames->initial_pool_size = 4; + + ret = ff_filter_init_hw_frames(ctx, link, 10); + if (ret < 0) + goto exit; + + ret = av_hwframe_ctx_init(link->hw_frames_ctx); + if (ret < 0) { + av_log(ctx, AV_LOG_ERROR, "Failed to initialise CUDA frame " + "context for output: %d\n", ret); + goto exit; + } + + link->time_base.num = ctx->inputs[0]->time_base.num; + link->time_base.den = ctx->inputs[0]->time_base.den * 2; + link->w = ctx->inputs[0]->w; + link->h = ctx->inputs[0]->h; + + if(y->mode & 1) + link->frame_rate = av_mul_q(ctx->inputs[0]->frame_rate, + (AVRational){2, 1}); + + if (link->w < 3 || link->h < 3) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); + ret = AVERROR(EINVAL); + goto exit; + } + + y->csp = av_pix_fmt_desc_get(output_frames->sw_format); + y->filter = filter; + + err = CHECK_CU(cuCtxPushCurrent(s->cu_ctx)); + if (err != CUDA_SUCCESS) { + ret = AVERROR_EXTERNAL; + goto exit; + } + + err = CHECK_CU(cuModuleLoadData(&s->cu_module, vf_yadif_cuda_ptx)); + if (err != CUDA_SUCCESS) { + ret = AVERROR_INVALIDDATA; + goto exit; + } + + err = CHECK_CU(cuModuleGetFunction(&s->cu_func_uchar, s->cu_module, "yadif_uchar")); + if (err != CUDA_SUCCESS) { + ret = AVERROR_INVALIDDATA; + goto exit; + } + + err = CHECK_CU(cuModuleGetFunction(&s->cu_func_uchar2, s->cu_module, "yadif_uchar2")); + if (err != CUDA_SUCCESS) { + ret = AVERROR_INVALIDDATA; + goto exit; + } + + err= CHECK_CU(cuModuleGetFunction(&s->cu_func_ushort, s->cu_module, "yadif_ushort")); + if (err != CUDA_SUCCESS) { + ret = AVERROR_INVALIDDATA; + goto exit; + } + + err = CHECK_CU(cuModuleGetFunction(&s->cu_func_ushort2, s->cu_module, "yadif_ushort2")); + if (err != CUDA_SUCCESS) { + ret = AVERROR_INVALIDDATA; + goto exit; + } + +exit: + CHECK_CU(cuCtxPopCurrent(&dummy)); + + return ret; +} + +static const AVClass yadif_cuda_class = { + .class_name = "yadif_cuda", + .item_name = av_default_item_name, + .option = ff_yadif_options, + .version = LIBAVUTIL_VERSION_INT, + .category = AV_CLASS_CATEGORY_FILTER, +}; + +static const AVFilterPad deint_cuda_inputs[] = { + { + .name = "default", + .type = AVMEDIA_TYPE_VIDEO, + .filter_frame = ff_yadif_filter_frame, + .config_props = config_input, + }, + { NULL } +}; + +static const AVFilterPad deint_cuda_outputs[] = { + { + .name = "default", + .type = AVMEDIA_TYPE_VIDEO, + .request_frame = ff_yadif_request_frame, + .config_props = config_output, + }, + { NULL } +}; + +AVFilter ff_vf_yadif_cuda = { + .name = "yadif_cuda", + .description = NULL_IF_CONFIG_SMALL("Deinterlace CUDA frames"), + .priv_size = sizeof(DeintCUDAContext), + .priv_class = &yadif_cuda_class, + .uninit = deint_cuda_uninit, + .query_formats = deint_cuda_query_formats, + .inputs = deint_cuda_inputs, + .outputs = deint_cuda_outputs, + .flags = AVFILTER_FLAG_SUPPORT_TIMELINE_INTERNAL, + .flags_internal = FF_FILTER_FLAG_HWFRAME_AWARE, +}; diff --git a/libavfilter/vf_yadif_cuda.cu b/libavfilter/vf_yadif_cuda.cu new file mode 100644 index 0000000000..65a902c66b --- /dev/null +++ b/libavfilter/vf_yadif_cuda.cu @@ -0,0 +1,296 @@ +/* + * Copyright (C) 2018 Philip Langdale + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with FFmpeg; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +template +__inline__ __device__ T spatial_predictor(T a, T b, T c, T d, T e, T f, T g, + T h, T i, T j, T k, T l, T m, T n) +{ + int spatial_pred = (d + k)/2; + int spatial_score = abs(c - j) + abs(d - k) + abs(e - l); + + int score = abs(b - k) + abs(c - l) + abs(d - m); + if (score < spatial_score) { + spatial_pred = (c + l)/2; + spatial_score = score; + score = abs(a - l) + abs(b - m) + abs(c - n); + if (score < spatial_score) { + spatial_pred = (b + m)/2; + spatial_score = score; + } + } + score = abs(d - i) + abs(e - j) + abs(f - k); + if (score < spatial_score) { + spatial_pred = (e + j)/2; + spatial_score = score; + score = abs(e - h) + abs(f - i) + abs(g - j); + if (score < spatial_score) { + spatial_pred = (f + i)/2; + spatial_score = score; + } + } + return spatial_pred; +} + +__inline__ __device__ int max3(int a, int b, int c) +{ + int x = max(a, b); + return max(x, c); +} + +__inline__ __device__ int min3(int a, int b, int c) +{ + int x = min(a, b); + return min(x, c); +} + +template +__inline__ __device__ T temporal_predictor(T A, T B, T C, T D, T E, T F, + T G, T H, T I, T J, T K, T L, + T spatial_pred, bool skip_check) +{ + int p0 = (C + H) / 2; + int p1 = F; + int p2 = (D + I) / 2; + int p3 = G; + int p4 = (E + J) / 2; + + int tdiff0 = abs(D - I); + int tdiff1 = (abs(A - F) + abs(B - G)) / 2; + int tdiff2 = (abs(K - F) + abs(G - L)) / 2; + + int diff = max3(tdiff0, tdiff1, tdiff2); + + if (!skip_check) { + int maxi = max3(p2 - p3, p2 - p1, min(p0 - p1, p4 - p3)); + int mini = min3(p2 - p3, p2 - p1, max(p0 - p1, p4 - p3)); + diff = max3(diff, mini, -maxi); + } + + if (spatial_pred > p2 + diff) { + spatial_pred = p2 + diff; + } + if (spatial_pred < p2 - diff) { + spatial_pred = p2 - diff; + } + + return spatial_pred; +} + +template +__inline__ __device__ void yadif_single(T *dst, + cudaTextureObject_t prev, + cudaTextureObject_t cur, + cudaTextureObject_t next, + int dst_width, int dst_height, int dst_pitch, + int src_width, int src_height, + int parity, int tff, bool skip_spatial_check) +{ + // Identify location + int xo = blockIdx.x * blockDim.x + threadIdx.x; + int yo = blockIdx.y * blockDim.y + threadIdx.y; + + if (xo >= dst_width || yo >= dst_height) { + return; + } + + // Don't modify the primary field + if (yo % 2 == parity) { + dst[yo*dst_pitch+xo] = tex2D(cur, xo, yo); + return; + } + + // Calculate spatial prediction + T a = tex2D(cur, xo - 3, yo - 1); + T b = tex2D(cur, xo - 2, yo - 1); + T c = tex2D(cur, xo - 1, yo - 1); + T d = tex2D(cur, xo - 0, yo - 1); + T e = tex2D(cur, xo + 1, yo - 1); + T f = tex2D(cur, xo + 2, yo - 1); + T g = tex2D(cur, xo + 3, yo - 1); + + T h = tex2D(cur, xo - 3, yo + 1); + T i = tex2D(cur, xo - 2, yo + 1); + T j = tex2D(cur, xo - 1, yo + 1); + T k = tex2D(cur, xo - 0, yo + 1); + T l = tex2D(cur, xo + 1, yo + 1); + T m = tex2D(cur, xo + 2, yo + 1); + T n = tex2D(cur, xo + 3, yo + 1); + + T spatial_pred = + spatial_predictor(a, b, c, d, e, f, g, h, i, j, k, l, m, n); + + // Calculate temporal prediction + int is_second_field = !(parity ^ tff); + + cudaTextureObject_t prev2 = prev; + cudaTextureObject_t prev1 = is_second_field ? cur : prev; + cudaTextureObject_t next1 = is_second_field ? next : cur; + cudaTextureObject_t next2 = next; + + T A = tex2D(prev2, xo, yo - 1); + T B = tex2D(prev2, xo, yo + 1); + T C = tex2D(prev1, xo, yo - 2); + T D = tex2D(prev1, xo, yo + 0); + T E = tex2D(prev1, xo, yo + 2); + T F = tex2D(cur, xo, yo - 1); + T G = tex2D(cur, xo, yo + 1); + T H = tex2D(next1, xo, yo - 2); + T I = tex2D(next1, xo, yo + 0); + T J = tex2D(next1, xo, yo + 2); + T K = tex2D(next2, xo, yo - 1); + T L = tex2D(next2, xo, yo + 1); + + spatial_pred = temporal_predictor(A, B, C, D, E, F, G, H, I, J, K, L, + spatial_pred, skip_spatial_check); + + dst[yo*dst_pitch+xo] = spatial_pred; +} + +template +__inline__ __device__ void yadif_double(T *dst, + cudaTextureObject_t prev, + cudaTextureObject_t cur, + cudaTextureObject_t next, + int dst_width, int dst_height, int dst_pitch, + int src_width, int src_height, + int parity, int tff, bool skip_spatial_check) +{ + int xo = blockIdx.x * blockDim.x + threadIdx.x; + int yo = blockIdx.y * blockDim.y + threadIdx.y; + + if (xo >= dst_width || yo >= dst_height) { + return; + } + + if (yo % 2 == parity) { + // Don't modify the primary field + dst[yo*dst_pitch+xo] = tex2D(cur, xo, yo); + return; + } + + T a = tex2D(cur, xo - 3, yo - 1); + T b = tex2D(cur, xo - 2, yo - 1); + T c = tex2D(cur, xo - 1, yo - 1); + T d = tex2D(cur, xo - 0, yo - 1); + T e = tex2D(cur, xo + 1, yo - 1); + T f = tex2D(cur, xo + 2, yo - 1); + T g = tex2D(cur, xo + 3, yo - 1); + + T h = tex2D(cur, xo - 3, yo + 1); + T i = tex2D(cur, xo - 2, yo + 1); + T j = tex2D(cur, xo - 1, yo + 1); + T k = tex2D(cur, xo - 0, yo + 1); + T l = tex2D(cur, xo + 1, yo + 1); + T m = tex2D(cur, xo + 2, yo + 1); + T n = tex2D(cur, xo + 3, yo + 1); + + T spatial_pred = { + spatial_predictor(a.x, b.x, c.x, d.x, e.x, f.x, g.x, h.x, i.x, j.x, k.x, l.x, m.x, n.x), + spatial_predictor(a.y, b.y, c.y, d.y, e.y, f.y, g.y, h.y, i.y, j.y, k.y, l.y, m.y, n.y) }; + + // Calculate temporal prediction + int is_second_field = !(parity ^ tff); + + cudaTextureObject_t prev2 = prev; + cudaTextureObject_t prev1 = is_second_field ? cur : prev; + cudaTextureObject_t next1 = is_second_field ? next : cur; + cudaTextureObject_t next2 = next; + + T A = tex2D(prev2, xo, yo - 1); + T B = tex2D(prev2, xo, yo + 1); + T C = tex2D(prev1, xo, yo - 2); + T D = tex2D(prev1, xo, yo + 0); + T E = tex2D(prev1, xo, yo + 2); + T F = tex2D(cur, xo, yo - 1); + T G = tex2D(cur, xo, yo + 1); + T H = tex2D(next1, xo, yo - 2); + T I = tex2D(next1, xo, yo + 0); + T J = tex2D(next1, xo, yo + 2); + T K = tex2D(next2, xo, yo - 1); + T L = tex2D(next2, xo, yo + 1); + + spatial_pred = { + temporal_predictor(A.x, B.x, C.x, D.x, E.x, F.x, G.x, H.x, I.x, J.x, K.x, L.x, + spatial_pred.x, skip_spatial_check), + temporal_predictor(A.y, B.y, C.y, D.y, E.y, F.y, G.y, H.y, I.y, J.y, K.y, L.y, + spatial_pred.y, skip_spatial_check) }; + + dst[yo*dst_pitch+xo] = spatial_pred; +} + +extern "C" { + +__global__ void yadif_uchar(unsigned char *dst, + cudaTextureObject_t prev, + cudaTextureObject_t cur, + cudaTextureObject_t next, + int dst_width, int dst_height, int dst_pitch, + int src_width, int src_height, + int parity, int tff, bool skip_spatial_check) +{ + yadif_single(dst, prev, cur, next, + dst_width, dst_height, dst_pitch, + src_width, src_height, + parity, tff, skip_spatial_check); +} + +__global__ void yadif_ushort(unsigned short *dst, + cudaTextureObject_t prev, + cudaTextureObject_t cur, + cudaTextureObject_t next, + int dst_width, int dst_height, int dst_pitch, + int src_width, int src_height, + int parity, int tff, bool skip_spatial_check) +{ + yadif_single(dst, prev, cur, next, + dst_width, dst_height, dst_pitch, + src_width, src_height, + parity, tff, skip_spatial_check); +} + +__global__ void yadif_uchar2(uchar2 *dst, + cudaTextureObject_t prev, + cudaTextureObject_t cur, + cudaTextureObject_t next, + int dst_width, int dst_height, int dst_pitch, + int src_width, int src_height, + int parity, int tff, bool skip_spatial_check) +{ + yadif_double(dst, prev, cur, next, + dst_width, dst_height, dst_pitch, + src_width, src_height, + parity, tff, skip_spatial_check); +} + +__global__ void yadif_ushort2(ushort2 *dst, + cudaTextureObject_t prev, + cudaTextureObject_t cur, + cudaTextureObject_t next, + int dst_width, int dst_height, int dst_pitch, + int src_width, int src_height, + int parity, int tff, bool skip_spatial_check) +{ + yadif_double(dst, prev, cur, next, + dst_width, dst_height, dst_pitch, + src_width, src_height, + parity, tff, skip_spatial_check); +} + +} /* extern "C" */ From 6feec11e489b729a0ed7ead205e2aca6837d5f20 Mon Sep 17 00:00:00 2001 From: Philip Langdale Date: Wed, 24 Oct 2018 18:38:44 -0700 Subject: [PATCH 0007/1383] avcodec/nvdec: Increase frame pool size to help deinterlacing With the cuda yadif filter in use, the number of mapped decoder frames could increase by two, as the filter holds on to additional frames. (cherry picked from commit 1b41115ef70896d9b98ce842dc5f21c465396ce2) --- libavcodec/nvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index 4dd6b1acf3..0426c9b319 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -601,7 +601,11 @@ int ff_nvdec_frame_params(AVCodecContext *avctx, frames_ctx->format = AV_PIX_FMT_CUDA; frames_ctx->width = (avctx->coded_width + 1) & ~1; frames_ctx->height = (avctx->coded_height + 1) & ~1; - frames_ctx->initial_pool_size = dpb_size; + /* + * We add two extra frames to the pool to account for deinterlacing filters + * holding onto their frames. + */ + frames_ctx->initial_pool_size = dpb_size + 2; frames_ctx->free = nvdec_free_dummy; frames_ctx->pool = av_buffer_pool_init(0, nvdec_alloc_dummy); From ebc1c49e417cf7d7096d7a038d1e3e61f0432f19 Mon Sep 17 00:00:00 2001 From: Philip Langdale Date: Fri, 2 Nov 2018 14:08:18 -0700 Subject: [PATCH 0008/1383] avfilter/vf_cuda_yadif: Avoid new syntax for vector initialisation This requires a newer version of CUDA than we want to require. (cherry picked from commit 8e50215b5e02074b0773dfcf55867654ee59c179) --- libavfilter/vf_yadif_cuda.cu | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_yadif_cuda.cu b/libavfilter/vf_yadif_cuda.cu index 65a902c66b..12e7e4a443 100644 --- a/libavfilter/vf_yadif_cuda.cu +++ b/libavfilter/vf_yadif_cuda.cu @@ -201,9 +201,11 @@ __inline__ __device__ void yadif_double(T *dst, T m = tex2D(cur, xo + 2, yo + 1); T n = tex2D(cur, xo + 3, yo + 1); - T spatial_pred = { - spatial_predictor(a.x, b.x, c.x, d.x, e.x, f.x, g.x, h.x, i.x, j.x, k.x, l.x, m.x, n.x), - spatial_predictor(a.y, b.y, c.y, d.y, e.y, f.y, g.y, h.y, i.y, j.y, k.y, l.y, m.y, n.y) }; + T spatial_pred; + spatial_pred.x = + spatial_predictor(a.x, b.x, c.x, d.x, e.x, f.x, g.x, h.x, i.x, j.x, k.x, l.x, m.x, n.x); + spatial_pred.y = + spatial_predictor(a.y, b.y, c.y, d.y, e.y, f.y, g.y, h.y, i.y, j.y, k.y, l.y, m.y, n.y); // Calculate temporal prediction int is_second_field = !(parity ^ tff); @@ -226,11 +228,12 @@ __inline__ __device__ void yadif_double(T *dst, T K = tex2D(next2, xo, yo - 1); T L = tex2D(next2, xo, yo + 1); - spatial_pred = { + spatial_pred.x = temporal_predictor(A.x, B.x, C.x, D.x, E.x, F.x, G.x, H.x, I.x, J.x, K.x, L.x, - spatial_pred.x, skip_spatial_check), + spatial_pred.x, skip_spatial_check); + spatial_pred.y = temporal_predictor(A.y, B.y, C.y, D.y, E.y, F.y, G.y, H.y, I.y, J.y, K.y, L.y, - spatial_pred.y, skip_spatial_check) }; + spatial_pred.y, skip_spatial_check); dst[yo*dst_pitch+xo] = spatial_pred; } From b9875b75837dc75ba65254f1cdb0be50b1037d2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Oct 2018 03:06:59 +0100 Subject: [PATCH 0009/1383] avcodec/prosumer: Check for bytestream eof in decompress() Fixes: Infinite loop Fixes: 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9acdf17b2c30c44e6e6a3d3b3c22989b7e1117c3) Signed-off-by: Michael Niedermayer --- libavcodec/prosumer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c index 6e98677b55..2fd9880ee1 100644 --- a/libavcodec/prosumer.c +++ b/libavcodec/prosumer.c @@ -57,7 +57,7 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui b = lut[2 * idx]; while (1) { - if (bytestream2_get_bytes_left_p(pb) <= 0) + if (bytestream2_get_bytes_left_p(pb) <= 0 || bytestream2_get_eof(pb)) return 0; if (((b & 0xFF00u) != 0x8000u) || (b & 0xFFu)) { if ((b & 0xFF00u) != 0x8000u) { From a163384467ddaef143b86d611d3717ffbc4a0134 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Oct 2018 10:18:45 +0100 Subject: [PATCH 0010/1383] avcodec/prosumer: Remove unneeded () Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 506839a3e9cc34c8f719937430008fc12d132fce) Signed-off-by: Michael Niedermayer --- libavcodec/prosumer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c index 2fd9880ee1..24905ac80f 100644 --- a/libavcodec/prosumer.c +++ b/libavcodec/prosumer.c @@ -59,7 +59,7 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui while (1) { if (bytestream2_get_bytes_left_p(pb) <= 0 || bytestream2_get_eof(pb)) return 0; - if (((b & 0xFF00u) != 0x8000u) || (b & 0xFFu)) { + if ((b & 0xFF00u) != 0x8000u || (b & 0xFFu)) { if ((b & 0xFF00u) != 0x8000u) { bytestream2_put_le16(pb, b); } else if (b & 0xFFu) { From fd05e20650a50f3cd2b660367d0e73cb8fef9a07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Oct 2018 10:19:08 +0100 Subject: [PATCH 0011/1383] avcodec/prosumer: Remove always true check in decompress() Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1dfa0b6f36d29293f2d0219c4095dc8bb7a4b0dc) Signed-off-by: Michael Niedermayer --- libavcodec/prosumer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c index 24905ac80f..3125636cf1 100644 --- a/libavcodec/prosumer.c +++ b/libavcodec/prosumer.c @@ -62,7 +62,7 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui if ((b & 0xFF00u) != 0x8000u || (b & 0xFFu)) { if ((b & 0xFF00u) != 0x8000u) { bytestream2_put_le16(pb, b); - } else if (b & 0xFFu) { + } else { idx = 0; for (int i = 0; i < (b & 0xFFu); i++) bytestream2_put_le32(pb, 0); From 2f04b78b95464c46468c1d8c252f2360ffe7c183 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Oct 2018 10:19:43 +0100 Subject: [PATCH 0012/1383] avcodec/prosumer: Simplify bit juggling of the c variable in decompress() Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 66425add270cd262a22c0fdaf6aad09a0db6f8c0) Signed-off-by: Michael Niedermayer --- libavcodec/prosumer.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c index 3125636cf1..505de71980 100644 --- a/libavcodec/prosumer.c +++ b/libavcodec/prosumer.c @@ -69,15 +69,13 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui } c = b >> 16; if (c & 0xFF00u) { - c = (((c >> 8) & 0xFFu) | (c & 0xFF00)) & 0xF00F; fill = lut[2 * idx + 1]; - if ((c & 0xFF00u) == 0x1000) { + if ((c & 0xF000u) == 0x1000) { bytestream2_put_le16(pb, fill); - c &= 0xFFFF00FFu; } else { bytestream2_put_le32(pb, fill); - c &= 0xFFFF00FFu; } + c = (c >> 8) & 0x0Fu; } while (c) { a <<= 4; From 7d23ccac8d371e7ea28960d23a812f6b8446a642 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Oct 2018 21:08:39 +0100 Subject: [PATCH 0013/1383] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case Fixes: Timeout Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896 Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index a109f12701..1005e89aae 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -101,7 +101,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, "MP3ADU full parser"); *poutbuf = NULL; *poutbuf_size = 0; - return 0; /* parsers must not return error codes */ + return buf_size; /* parsers must not return error codes */ } break; From bc5777bdab7d5515088713f73507d3a49df7695d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Nov 2018 19:02:55 +0100 Subject: [PATCH 0014/1383] avcodec/mpeg4videodec: Clear partitioned frame in decode_studio_vop_header() partitioned_frame is also set/cleared in decode_vop_header() Fixes: out of array read Fixes: 9789/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5638681627983872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 074187d599a2ece2bdf77bd08b4b797c5800eda6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 233b8525ce..f44ee76bd4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -3056,6 +3056,7 @@ static int decode_studio_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (get_bits_left(gb) <= 32) return 0; + s->partitioned_frame = 0; s->decode_mb = mpeg4_decode_studio_mb; decode_smpte_tc(ctx, gb); From 7ebc27e1fa73c4db3409166b3465825a613bfa86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Nov 2018 20:00:16 +0100 Subject: [PATCH 0015/1383] avcodec/cavsdec: Propagate error codes inside decode_mb_i() Fixes: Timeout Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index c7fff67c06..5f3b354518 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, } -static inline void decode_residual_chroma(AVSContext *h) +static inline int decode_residual_chroma(AVSContext *h) { - if (h->cbp & (1 << 4)) - decode_residual_block(h, &h->gb, chroma_dec, 0, + if (h->cbp & (1 << 4)) { + int ret = decode_residual_block(h, &h->gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride); - if (h->cbp & (1 << 5)) - decode_residual_block(h, &h->gb, chroma_dec, 0, + if (ret < 0) + return ret; + } + if (h->cbp & (1 << 5)) { + int ret = decode_residual_block(h, &h->gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride); + if (ret < 0) + return ret; + } + return 0; } static inline int decode_residual_inter(AVSContext *h) @@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; + int ret; ff_cavs_init_mb(h); @@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code) ff_cavs_load_intra_pred_luma(h, top, &left, block); h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]] (d, top, left, h->l_stride); - if (h->cbp & (1<qp, d, h->l_stride); + if (h->cbp & (1<qp, d, h->l_stride); + if (ret < 0) + return ret; + } } /* chroma intra prediction */ @@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code) h->intra_pred_c[pred_mode_uv](h->cv, &h->top_border_v[h->mbx * 10], h->left_border_v, h->c_stride); - decode_residual_chroma(h); + ret = decode_residual_chroma(h); + if (ret < 0) + return ret; ff_cavs_filter(h, I_8X8); set_mv_intra(h); return 0; From 63c1e291ef7ba97ce0dc7c0bdd46b81f71a52b9d Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Thu, 1 Nov 2018 21:03:59 +0100 Subject: [PATCH 0016/1383] avformat/ftp: allow nonstandard 202 reply to OPTS UTF8 Fixes ticket #7481. Signed-off-by: Marton Balint (cherry picked from commit 8e5a2495a8dad262e0a00fbca09b7779b4ebf0bf) --- libavformat/ftp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 5063b7c204..e072067480 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -513,7 +513,7 @@ static int ftp_features(FTPContext *s) static const char *feat_command = "FEAT\r\n"; static const char *enable_utf8_command = "OPTS UTF8 ON\r\n"; static const int feat_codes[] = {211, 0}; - static const int opts_codes[] = {200, 451, 0}; + static const int opts_codes[] = {200, 202, 451, 0}; av_freep(&s->features); if (ftp_send_command(s, feat_command, feat_codes, &s->features) != 211) { @@ -521,7 +521,8 @@ static int ftp_features(FTPContext *s) } if (ftp_has_feature(s, "UTF8")) { - if (ftp_send_command(s, enable_utf8_command, opts_codes, NULL) == 200) + int ret = ftp_send_command(s, enable_utf8_command, opts_codes, NULL); + if (ret == 200 || ret == 202) s->utf8 = 1; } From 1c98cf4ddd38400793a4d01b3c3a662beb9e3ba8 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 2 Oct 2018 21:08:54 -0300 Subject: [PATCH 0017/1383] avformat/ivfenc: use the av1_metadata bsf to insert Temporal Delimiter OBUs if needed Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 2d2af23349cae0d84c8ed51c249bfc1e6f2e28a2) --- configure | 1 + libavformat/ivfenc.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/configure b/configure index 5a5d0b0868..f3fa0cde86 100755 --- a/configure +++ b/configure @@ -3180,6 +3180,7 @@ image2_alias_pix_demuxer_select="image2_demuxer" image2_brender_pix_demuxer_select="image2_demuxer" ipod_muxer_select="mov_muxer" ismv_muxer_select="mov_muxer" +ivf_muxer_select="av1_metadata" matroska_audio_muxer_select="matroska_muxer" matroska_demuxer_select="iso_media riffdec" matroska_demuxer_suggest="bzlib lzo zlib" diff --git a/libavformat/ivfenc.c b/libavformat/ivfenc.c index 66441a2a43..adf72117e9 100644 --- a/libavformat/ivfenc.c +++ b/libavformat/ivfenc.c @@ -97,6 +97,8 @@ static int ivf_check_bitstream(struct AVFormatContext *s, const AVPacket *pkt) if (st->codecpar->codec_id == AV_CODEC_ID_VP9) ret = ff_stream_add_bitstream_filter(st, "vp9_superframe", NULL); + else if (st->codecpar->codec_id == AV_CODEC_ID_AV1) + ret = ff_stream_add_bitstream_filter(st, "av1_metadata", "td=insert"); return ret; } From acd13f12556bd1e8d90a0afe1cbd3a949adf26a2 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Mon, 5 Nov 2018 00:01:54 +0000 Subject: [PATCH 0018/1383] configure: Fix av1_metadata BSF dependency (cherry picked from commit 34429182b93123a25e38819ef15bdae42793209f) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index f3fa0cde86..23ad59031c 100755 --- a/configure +++ b/configure @@ -3180,7 +3180,7 @@ image2_alias_pix_demuxer_select="image2_demuxer" image2_brender_pix_demuxer_select="image2_demuxer" ipod_muxer_select="mov_muxer" ismv_muxer_select="mov_muxer" -ivf_muxer_select="av1_metadata" +ivf_muxer_select="av1_metadata_bsf" matroska_audio_muxer_select="matroska_muxer" matroska_demuxer_select="iso_media riffdec" matroska_demuxer_suggest="bzlib lzo zlib" From 398a70309e4fa99433e98ab7f184ee7eb0abbca4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 4 Nov 2018 17:07:39 -0300 Subject: [PATCH 0019/1383] avcodec/cbs_av1: fix decoder/encoder_buffer_delay variable types buffer_delay_length_minus_1 is five bits long, meaning decode_buffer_delay and encoder_buffer_delay can have values up to 32 bits long. Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 89a0d33e3a53e8edefd734b131a7035d13052947) --- libavcodec/cbs_av1.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index b66a09c389..614a0bf108 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -87,8 +87,8 @@ typedef struct AV1RawSequenceHeader { uint8_t seq_level_idx[AV1_MAX_OPERATING_POINTS]; uint8_t seq_tier[AV1_MAX_OPERATING_POINTS]; uint8_t decoder_model_present_for_this_op[AV1_MAX_OPERATING_POINTS]; - uint8_t decoder_buffer_delay[AV1_MAX_OPERATING_POINTS]; - uint8_t encoder_buffer_delay[AV1_MAX_OPERATING_POINTS]; + uint32_t decoder_buffer_delay[AV1_MAX_OPERATING_POINTS]; + uint32_t encoder_buffer_delay[AV1_MAX_OPERATING_POINTS]; uint8_t low_delay_mode_flag[AV1_MAX_OPERATING_POINTS]; uint8_t initial_display_delay_present_for_this_op[AV1_MAX_OPERATING_POINTS]; uint8_t initial_display_delay_minus_1[AV1_MAX_OPERATING_POINTS]; From 066ff02621cea7d78d7791c91e0d916c30bffb27 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Mon, 5 Nov 2018 14:22:05 +0000 Subject: [PATCH 0020/1383] configure: Add missing IVF muxer BSF dependency (cherry picked from commit a4fb2b115071220f23ad7b3d82037647e94279ed) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 23ad59031c..5e8c20f8fb 100755 --- a/configure +++ b/configure @@ -3180,7 +3180,7 @@ image2_alias_pix_demuxer_select="image2_demuxer" image2_brender_pix_demuxer_select="image2_demuxer" ipod_muxer_select="mov_muxer" ismv_muxer_select="mov_muxer" -ivf_muxer_select="av1_metadata_bsf" +ivf_muxer_select="av1_metadata_bsf vp9_superframe_bsf" matroska_audio_muxer_select="matroska_muxer" matroska_demuxer_select="iso_media riffdec" matroska_demuxer_suggest="bzlib lzo zlib" From ec1b5216fc65602b97cf5dc97a9a9a266f38894f Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Mon, 5 Nov 2018 14:22:10 +0000 Subject: [PATCH 0021/1383] configure: Add missing V4L2 M2M decoder BSF dependencies (cherry picked from commit e9d2e3fdaacb6872dd689ffd5a65e476b70dee3d) --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 5e8c20f8fb..e79dae896c 100755 --- a/configure +++ b/configure @@ -2957,6 +2957,7 @@ h264_rkmpp_decoder_deps="rkmpp" h264_rkmpp_decoder_select="h264_mp4toannexb_bsf" h264_vaapi_encoder_select="cbs_h264 vaapi_encode" h264_v4l2m2m_decoder_deps="v4l2_m2m h264_v4l2_m2m" +h264_v4l2m2m_decoder_select="h264_mp4toannexb_bsf" h264_v4l2m2m_encoder_deps="v4l2_m2m h264_v4l2_m2m" hevc_amf_encoder_deps="amf" hevc_cuvid_decoder_deps="cuvid" @@ -2971,6 +2972,7 @@ hevc_rkmpp_decoder_select="hevc_mp4toannexb_bsf" hevc_vaapi_encoder_deps="VAEncPictureParameterBufferHEVC" hevc_vaapi_encoder_select="cbs_h265 vaapi_encode" hevc_v4l2m2m_decoder_deps="v4l2_m2m hevc_v4l2_m2m" +hevc_v4l2m2m_decoder_select="hevc_mp4toannexb_bsf" hevc_v4l2m2m_encoder_deps="v4l2_m2m hevc_v4l2_m2m" mjpeg_cuvid_decoder_deps="cuvid" mjpeg_qsv_encoder_deps="libmfx" From af3fccfeff74da54fc3e702fbb6757c2aad2814e Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 4 Nov 2018 23:56:39 +0000 Subject: [PATCH 0022/1383] cbs_av1: Fix header writing when already aligned (cherry picked from commit 6bdb7712ae0267ba4f69c7434d2b3dee12762d1d) --- libavcodec/cbs_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 9bac9dde09..1c49d90f51 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -1179,7 +1179,7 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx, if (err < 0) return err; end_pos = put_bits_count(pbc); - obu->obu_size = (end_pos - start_pos + 7) / 8; + obu->obu_size = header_size = (end_pos - start_pos + 7) / 8; } else { // Empty OBU. obu->obu_size = 0; From 10506de9ad1fb050737ef79cf4853742b793c37d Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 4 Nov 2018 23:58:01 +0000 Subject: [PATCH 0023/1383] cbs_av1: Support redundant frame headers (cherry picked from commit f5894178fb8063ec17c61c04df96a70607ca2daa) --- libavcodec/cbs_av1.c | 16 ++++-- libavcodec/cbs_av1.h | 5 +- libavcodec/cbs_av1_syntax_template.c | 82 +++++++++++++++++++++++++--- 3 files changed, 91 insertions(+), 12 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 1c49d90f51..ff32a6fca5 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -996,7 +996,10 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, case AV1_OBU_REDUNDANT_FRAME_HEADER: { err = cbs_av1_read_frame_header_obu(ctx, &gbc, - &obu->obu.frame_header); + &obu->obu.frame_header, + obu->header.obu_type == + AV1_OBU_REDUNDANT_FRAME_HEADER, + unit->data_ref); if (err < 0) return err; } @@ -1016,7 +1019,8 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, break; case AV1_OBU_FRAME: { - err = cbs_av1_read_frame_obu(ctx, &gbc, &obu->obu.frame); + err = cbs_av1_read_frame_obu(ctx, &gbc, &obu->obu.frame, + unit->data_ref); if (err < 0) return err; @@ -1124,7 +1128,10 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx, case AV1_OBU_REDUNDANT_FRAME_HEADER: { err = cbs_av1_write_frame_header_obu(ctx, pbc, - &obu->obu.frame_header); + &obu->obu.frame_header, + obu->header.obu_type == + AV1_OBU_REDUNDANT_FRAME_HEADER, + NULL); if (err < 0) return err; } @@ -1141,7 +1148,7 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx, break; case AV1_OBU_FRAME: { - err = cbs_av1_write_frame_obu(ctx, pbc, &obu->obu.frame); + err = cbs_av1_write_frame_obu(ctx, pbc, &obu->obu.frame, NULL); if (err < 0) return err; @@ -1302,6 +1309,7 @@ static void cbs_av1_close(CodedBitstreamContext *ctx) CodedBitstreamAV1Context *priv = ctx->priv_data; av_buffer_unref(&priv->sequence_header_ref); + av_buffer_unref(&priv->frame_header_ref); av_freep(&priv->write_buffer); } diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 614a0bf108..f662265f75 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -399,7 +399,10 @@ typedef struct CodedBitstreamAV1Context { AV1RawSequenceHeader *sequence_header; AVBufferRef *sequence_header_ref; - int seen_frame_header; + int seen_frame_header; + AVBufferRef *frame_header_ref; + uint8_t *frame_header; + size_t frame_header_size; int temporal_id; int spatial_id; diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index e146bbf8bb..0da79b615d 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1463,24 +1463,90 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, } static int FUNC(frame_header_obu)(CodedBitstreamContext *ctx, RWContext *rw, - AV1RawFrameHeader *current) + AV1RawFrameHeader *current, int redundant, + AVBufferRef *rw_buffer_ref) { CodedBitstreamAV1Context *priv = ctx->priv_data; - int err; - - HEADER("Frame Header"); + int start_pos, fh_bits, fh_bytes, err; + uint8_t *fh_start; if (priv->seen_frame_header) { - // Nothing to do. + if (!redundant) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid repeated " + "frame header OBU.\n"); + return AVERROR_INVALIDDATA; + } else { + GetBitContext fh; + size_t i, b; + uint32_t val; + + HEADER("Redundant Frame Header"); + + av_assert0(priv->frame_header_ref && priv->frame_header); + + init_get_bits(&fh, priv->frame_header, + priv->frame_header_size); + for (i = 0; i < priv->frame_header_size; i += 8) { + b = FFMIN(priv->frame_header_size - i, 8); + val = get_bits(&fh, b); + xf(b, frame_header_copy[i], + val, val, val, 1, i / 8); + } + } } else { + if (redundant) + HEADER("Redundant Frame Header (used as Frame Header)"); + else + HEADER("Frame Header"); + priv->seen_frame_header = 1; +#ifdef READ + start_pos = get_bits_count(rw); +#else + start_pos = put_bits_count(rw); +#endif + CHECK(FUNC(uncompressed_header)(ctx, rw, current)); if (current->show_existing_frame) { priv->seen_frame_header = 0; } else { priv->seen_frame_header = 1; + + av_buffer_unref(&priv->frame_header_ref); + +#ifdef READ + fh_bits = get_bits_count(rw) - start_pos; + fh_start = (uint8_t*)rw->buffer + start_pos / 8; +#else + // Need to flush the bitwriter so that we can copy its output, + // but use a copy so we don't affect the caller's structure. + { + PutBitContext tmp = *rw; + flush_put_bits(&tmp); + } + + fh_bits = put_bits_count(rw) - start_pos; + fh_start = rw->buf + start_pos / 8; +#endif + fh_bytes = (fh_bits + 7) / 8; + + priv->frame_header_size = fh_bits; + + if (rw_buffer_ref) { + priv->frame_header_ref = av_buffer_ref(rw_buffer_ref); + if (!priv->frame_header_ref) + return AVERROR(ENOMEM); + priv->frame_header = fh_start; + } else { + priv->frame_header_ref = + av_buffer_alloc(fh_bytes + AV_INPUT_BUFFER_PADDING_SIZE); + if (!priv->frame_header_ref) + return AVERROR(ENOMEM); + priv->frame_header = priv->frame_header_ref->data; + memcpy(priv->frame_header, fh_start, fh_bytes); + } } } @@ -1524,11 +1590,13 @@ static int FUNC(tile_group_obu)(CodedBitstreamContext *ctx, RWContext *rw, } static int FUNC(frame_obu)(CodedBitstreamContext *ctx, RWContext *rw, - AV1RawFrame *current) + AV1RawFrame *current, + AVBufferRef *rw_buffer_ref) { int err; - CHECK(FUNC(frame_header_obu)(ctx, rw, ¤t->header)); + CHECK(FUNC(frame_header_obu)(ctx, rw, ¤t->header, + 0, rw_buffer_ref)); CHECK(FUNC(byte_alignment)(ctx, rw)); From 11dff170ef79d26d1de2bcd13b603a6c4c5c9815 Mon Sep 17 00:00:00 2001 From: Mark Wu Date: Tue, 23 Oct 2018 12:49:08 +0800 Subject: [PATCH 0024/1383] avcodec/hevcdec: fix non-ref frame judgement After inspecting the source code of x265, mpv and ffmpeg, I've found that ffmpeg mistakenly regards EVC_NAL_BLA_N_LP and HEVC_NAL_IDR_N_LP as non- reference frames, which are acutally reference frames according to the specification in x265, and drops them. This patch should address the problem. I have tested it with mpv. Signed-off-by: Mark Wu Signed-off-by: James Almer (cherry picked from commit 10bc4c3a7df7bb26303067b97311b7eeedfd453e) --- libavcodec/hevcdec.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/hevcdec.h b/libavcodec/hevcdec.h index f0f588f2b8..dd951aae06 100644 --- a/libavcodec/hevcdec.h +++ b/libavcodec/hevcdec.h @@ -559,8 +559,6 @@ static av_always_inline int ff_hevc_nal_is_nonref(enum HEVCNALUnitType type) case HEVC_NAL_VCL_N10: case HEVC_NAL_VCL_N12: case HEVC_NAL_VCL_N14: - case HEVC_NAL_BLA_N_LP: - case HEVC_NAL_IDR_N_LP: return 1; break; default: break; From 4f1e07090a9f6064078cac694f1d7148f86176c3 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Wed, 14 Nov 2018 22:56:18 +0000 Subject: [PATCH 0025/1383] configure: Add missing xlib dependency for VAAPI X11 code Fixes #7538. (cherry picked from commit 2ce3a48f30fe3cec7153aa3f18a1012a366aca3a) --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index e79dae896c..a70c5f9e9e 100755 --- a/configure +++ b/configure @@ -2812,6 +2812,7 @@ d3d11va_deps="dxva_h ID3D11VideoDecoder ID3D11VideoContext" dxva2_deps="dxva2api_h DXVA2_ConfigPictureDecode ole32 user32" ffnvcodec_deps_any="libdl LoadLibrary" nvdec_deps="ffnvcodec" +vaapi_x11_deps="xlib" videotoolbox_hwaccel_deps="videotoolbox pthreads" videotoolbox_hwaccel_extralibs="-framework QuartzCore" xvmc_deps="X11_extensions_XvMClib_h" From 49bc641e89f7c89648f28feafa2daa3756ba9c7d Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 10 Nov 2018 22:51:18 -0300 Subject: [PATCH 0026/1383] avcodec/cbs_av1: fix storage size for segmentation_params feature_value fields The valid range is -255 to 255. Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 79831f4531d98c3c1eab96c10f1135d08abef5f3) --- libavcodec/cbs_av1.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index f662265f75..84622ed189 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -210,7 +210,7 @@ typedef struct AV1RawFrameHeader { uint8_t segmentation_temporal_update; uint8_t segmentation_update_data; uint8_t feature_enabled[AV1_MAX_SEGMENTS][AV1_SEG_LVL_MAX]; - uint8_t feature_value[AV1_MAX_SEGMENTS][AV1_SEG_LVL_MAX]; + int16_t feature_value[AV1_MAX_SEGMENTS][AV1_SEG_LVL_MAX]; uint8_t delta_q_present; uint8_t delta_q_res; From a9e9303f26597b2a166374cd46b00adc0401e634 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 10 Nov 2018 22:52:12 -0300 Subject: [PATCH 0027/1383] avcodec/cbs_av1: fix parsing signed integer values Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit f0f2832a5ce93bad9b1d29f99df6bda2380fc41c) --- libavcodec/cbs_av1.c | 30 +++++++++--------------------- 1 file changed, 9 insertions(+), 21 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index ff32a6fca5..ed5211be19 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -189,30 +189,26 @@ static int cbs_av1_read_su(CodedBitstreamContext *ctx, GetBitContext *gbc, int width, const char *name, const int *subscripts, int32_t *write_to) { - uint32_t magnitude; - int position, sign; + int position; int32_t value; if (ctx->trace_enable) position = get_bits_count(gbc); - if (get_bits_left(gbc) < width + 1) { + if (get_bits_left(gbc) < width) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid signed value at " "%s: bitstream ended.\n", name); return AVERROR_INVALIDDATA; } - magnitude = get_bits(gbc, width); - sign = get_bits1(gbc); - value = sign ? -(int32_t)magnitude : magnitude; + value = get_sbits(gbc, width); if (ctx->trace_enable) { char bits[33]; int i; for (i = 0; i < width; i++) - bits[i] = magnitude >> (width - i - 1) & 1 ? '1' : '0'; - bits[i] = sign ? '1' : '0'; - bits[i + 1] = 0; + bits[i] = value & (1 << (width - i - 1)) ? '1' : '0'; + bits[i] = 0; ff_cbs_trace_syntax_element(ctx, position, name, subscripts, bits, value); @@ -226,29 +222,21 @@ static int cbs_av1_write_su(CodedBitstreamContext *ctx, PutBitContext *pbc, int width, const char *name, const int *subscripts, int32_t value) { - uint32_t magnitude; - int sign; - - if (put_bits_left(pbc) < width + 1) + if (put_bits_left(pbc) < width) return AVERROR(ENOSPC); - sign = value < 0; - magnitude = sign ? -value : value; - if (ctx->trace_enable) { char bits[33]; int i; for (i = 0; i < width; i++) - bits[i] = magnitude >> (width - i - 1) & 1 ? '1' : '0'; - bits[i] = sign ? '1' : '0'; - bits[i + 1] = 0; + bits[i] = value & (1 << (width - i - 1)) ? '1' : '0'; + bits[i] = 0; ff_cbs_trace_syntax_element(ctx, put_bits_count(pbc), name, subscripts, bits, value); } - put_bits(pbc, width, magnitude); - put_bits(pbc, 1, sign); + put_sbits(pbc, width, value); return 0; } From fed94c2f22fc165e1b012e3b621802b4d03e9214 Mon Sep 17 00:00:00 2001 From: Mark Harris Date: Sun, 11 Nov 2018 22:54:04 -0800 Subject: [PATCH 0028/1383] avfilter/vf_fade: fix start/duration max value A fade out (usually at the end of a video) can easily start beyond INT32_MAX (about 36 minutes). Regression since d40dc64173. (cherry picked from commit ae4323548ae821db81b73bc66cf5a2f9885296cb) --- libavfilter/vf_fade.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_fade.c b/libavfilter/vf_fade.c index c30c41db0d..17eca109b6 100644 --- a/libavfilter/vf_fade.c +++ b/libavfilter/vf_fade.c @@ -386,13 +386,13 @@ static const AVOption fade_options[] = { OFFSET(nb_frames), AV_OPT_TYPE_INT, { .i64 = 25 }, 0, INT_MAX, FLAGS }, { "alpha", "fade alpha if it is available on the input", OFFSET(alpha), AV_OPT_TYPE_BOOL, {.i64 = 0 }, 0, 1, FLAGS }, { "start_time", "Number of seconds of the beginning of the effect.", - OFFSET(start_time), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT32_MAX, FLAGS }, + OFFSET(start_time), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, { "st", "Number of seconds of the beginning of the effect.", - OFFSET(start_time), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT32_MAX, FLAGS }, + OFFSET(start_time), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, { "duration", "Duration of the effect in seconds.", - OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT32_MAX, FLAGS }, + OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, { "d", "Duration of the effect in seconds.", - OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT32_MAX, FLAGS }, + OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, { "color", "set color", OFFSET(color_rgba), AV_OPT_TYPE_COLOR, {.str = "black"}, CHAR_MIN, CHAR_MAX, FLAGS }, { "c", "set color", OFFSET(color_rgba), AV_OPT_TYPE_COLOR, {.str = "black"}, CHAR_MIN, CHAR_MAX, FLAGS }, { NULL } From bb01cd3cc01c9982e4b57f8ce5cfd6ec4724f848 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Mon, 12 Nov 2018 22:00:49 +0100 Subject: [PATCH 0029/1383] avfilter/af_afade: fix duration maximum Signed-off-by: Marton Balint (cherry picked from commit aecd63b926812148014c4f01270473722ae5e945) --- libavfilter/af_afade.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/af_afade.c b/libavfilter/af_afade.c index 9aab644039..8d9ba916bf 100644 --- a/libavfilter/af_afade.c +++ b/libavfilter/af_afade.c @@ -245,8 +245,8 @@ static const AVOption afade_options[] = { { "ns", "set number of samples for fade duration", OFFSET(nb_samples), AV_OPT_TYPE_INT64, {.i64 = 44100}, 1, INT64_MAX, FLAGS }, { "start_time", "set time to start fading", OFFSET(start_time), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, { "st", "set time to start fading", OFFSET(start_time), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, - { "duration", "set fade duration", OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT32_MAX, FLAGS }, - { "d", "set fade duration", OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT32_MAX, FLAGS }, + { "duration", "set fade duration", OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, + { "d", "set fade duration", OFFSET(duration), AV_OPT_TYPE_DURATION, {.i64 = 0. }, 0, INT64_MAX, FLAGS }, { "curve", "set fade curve type", OFFSET(curve), AV_OPT_TYPE_INT, {.i64 = TRI }, 0, NB_CURVES - 1, FLAGS, "curve" }, { "c", "set fade curve type", OFFSET(curve), AV_OPT_TYPE_INT, {.i64 = TRI }, 0, NB_CURVES - 1, FLAGS, "curve" }, { "tri", "linear slope", 0, AV_OPT_TYPE_CONST, {.i64 = TRI }, 0, 0, FLAGS, "curve" }, From d4c5f515f09076635bf5e1591e5ff9d21ac13572 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 17 Nov 2018 23:26:24 +0100 Subject: [PATCH 0030/1383] avcodec/mpeg_er: fix clearing chroma blocks for 422 and 444 Fixes ticket #7494. Signed-off-by: Marton Balint (cherry picked from commit e3a96309826dd0ea33db0300f7c75414fdbea0a4) --- libavcodec/mpeg_er.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg_er.c b/libavcodec/mpeg_er.c index ada1a1692f..f54cb8548b 100644 --- a/libavcodec/mpeg_er.c +++ b/libavcodec/mpeg_er.c @@ -78,6 +78,8 @@ static void mpeg_er_decode_mb(void *opaque, int ref, int mv_dir, int mv_type, ff_update_block_index(s); s->bdsp.clear_blocks(s->block[0]); + if (!s->chroma_y_shift) + s->bdsp.clear_blocks(s->block[6]); s->dest[0] = s->current_picture.f->data[0] + s->mb_y * 16 * s->linesize + From 9efc591cb72b96a5880b0968978692fa4c1d99b6 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 20 Nov 2018 23:18:47 +0100 Subject: [PATCH 0031/1383] avfilter/vf_overlay: fix crash with negative y (cherry picked from commit 57815cfad5c5d6beb6f3fc0ae86b050a970d3a08) --- libavfilter/vf_overlay.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_overlay.c b/libavfilter/vf_overlay.c index ba25893739..a12e7a793f 100644 --- a/libavfilter/vf_overlay.c +++ b/libavfilter/vf_overlay.c @@ -473,12 +473,12 @@ static av_always_inline void blend_plane(AVFilterContext *ctx, slice_start = (jmax * jobnr) / nb_jobs; slice_end = (jmax * (jobnr+1)) / nb_jobs; - sp = src->data[i] + slice_start * src->linesize[i]; + sp = src->data[i] + (j + slice_start) * src->linesize[i]; dp = dst->data[dst_plane] - + (yp + slice_start) * dst->linesize[dst_plane] + + (yp + j + slice_start) * dst->linesize[dst_plane] + dst_offset; - ap = src->data[3] + (slice_start << vsub) * src->linesize[3]; - dap = dst->data[3] + ((yp + slice_start) << vsub) * dst->linesize[3]; + ap = src->data[3] + (j + slice_start << vsub) * src->linesize[3]; + dap = dst->data[3] + ((yp + j + slice_start) << vsub) * dst->linesize[3]; for (j = j + slice_start; j < slice_end; j++) { k = FFMAX(-xp, 0); From fcffed470a5236bc1799bc3022d588704d9ae5ef Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 21 Nov 2018 11:45:02 +0100 Subject: [PATCH 0032/1383] avformat/movenc: fix size calculation in mov_write_eac3_tag() Otherwise it would assert when flushing bits. (cherry picked from commit 027f032bbce9bdf7bbec40665b98590cade33416) --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 33978ee1b0..bee8e89760 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -541,7 +541,7 @@ static int mov_write_eac3_tag(AVIOContext *pb, MOVTrack *track) return AVERROR(EINVAL); info = track->eac3_priv; - size = 2 + 4 * (info->num_ind_sub + 1); + size = 2 + ((34 * (info->num_ind_sub + 1) + 7) >> 3); buf = av_malloc(size); if (!buf) { size = AVERROR(ENOMEM); From 59e30c05d74e59d28f2ec4ffd4dbf1822f921f06 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 22 Nov 2018 21:28:59 +0100 Subject: [PATCH 0033/1383] avformat/movenc: get number of written bytes from bitstream writer Update fate test. (cherry picked from commit 97d1ee437bbf67d7e3897bc73df4f7d9771ac309) --- libavformat/movenc.c | 2 +- tests/ref/fate/copy-trac3074 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index bee8e89760..6dab5193b0 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -563,12 +563,12 @@ static int mov_write_eac3_tag(AVIOContext *pb, MOVTrack *track) put_bits(&pbc, 4, info->substream[i].num_dep_sub); if (!info->substream[i].num_dep_sub) { put_bits(&pbc, 1, 0); /* reserved */ - size--; } else { put_bits(&pbc, 9, info->substream[i].chan_loc); } } flush_put_bits(&pbc); + size = put_bits_count(&pbc) >> 3; avio_wb32(pb, size + 8); ffio_wfourcc(pb, "dec3"); diff --git a/tests/ref/fate/copy-trac3074 b/tests/ref/fate/copy-trac3074 index 5ce5694260..ff66900253 100644 --- a/tests/ref/fate/copy-trac3074 +++ b/tests/ref/fate/copy-trac3074 @@ -1,5 +1,5 @@ -39aef1afff761d673fd1be07182941d1 *tests/data/fate/copy-trac3074.mp4 -333991 tests/data/fate/copy-trac3074.mp4 +f92a201033712bda262f1e071e25544a *tests/data/fate/copy-trac3074.mp4 +333992 tests/data/fate/copy-trac3074.mp4 #tb 0: 1/48000 #media_type 0: audio #codec_id 0: eac3 From a4ddc3c9fc60e6cf8123966f4ca7a7db70aa58eb Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 3 Dec 2018 10:00:01 +0100 Subject: [PATCH 0034/1383] avfilter/vf_overlay: fix filtering with negative y (cherry picked from commit 8440835dbe93ef9972ceb940af9bda9bc0e178e7) --- libavfilter/vf_overlay.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavfilter/vf_overlay.c b/libavfilter/vf_overlay.c index a12e7a793f..0a8f089c0d 100644 --- a/libavfilter/vf_overlay.c +++ b/libavfilter/vf_overlay.c @@ -380,15 +380,15 @@ static av_always_inline void blend_slice_packed_rgb(AVFilterContext *ctx, uint8_t *S, *sp, *d, *dp; i = FFMAX(-y, 0); - imax = FFMIN(-y + dst_h, src_h); + imax = FFMIN3(-y + dst_h, FFMIN(src_h, dst_h), y + src_h); - slice_start = (imax * jobnr) / nb_jobs; - slice_end = (imax * (jobnr+1)) / nb_jobs; + slice_start = i + (imax * jobnr) / nb_jobs; + slice_end = i + (imax * (jobnr+1)) / nb_jobs; - sp = src->data[0] + (i + slice_start) * src->linesize[0]; - dp = dst->data[0] + (y + i + slice_start) * dst->linesize[0]; + sp = src->data[0] + (slice_start) * src->linesize[0]; + dp = dst->data[0] + (y + slice_start) * dst->linesize[0]; - for (i = i + slice_start; i < slice_end; i++) { + for (i = slice_start; i < slice_end; i++) { j = FFMAX(-x, 0); S = sp + j * sstep; d = dp + (x+j) * dstep; @@ -468,19 +468,19 @@ static av_always_inline void blend_plane(AVFilterContext *ctx, int slice_start, slice_end; j = FFMAX(-yp, 0); - jmax = FFMIN(-yp + dst_hp, src_hp); + jmax = FFMIN3(-yp + dst_hp, FFMIN(src_hp, dst_hp), yp + src_hp); - slice_start = (jmax * jobnr) / nb_jobs; - slice_end = (jmax * (jobnr+1)) / nb_jobs; + slice_start = j + (jmax * jobnr) / nb_jobs; + slice_end = j + (jmax * (jobnr+1)) / nb_jobs; - sp = src->data[i] + (j + slice_start) * src->linesize[i]; + sp = src->data[i] + (slice_start) * src->linesize[i]; dp = dst->data[dst_plane] - + (yp + j + slice_start) * dst->linesize[dst_plane] + + (yp + slice_start) * dst->linesize[dst_plane] + dst_offset; - ap = src->data[3] + (j + slice_start << vsub) * src->linesize[3]; - dap = dst->data[3] + ((yp + j + slice_start) << vsub) * dst->linesize[3]; + ap = src->data[3] + (slice_start << vsub) * src->linesize[3]; + dap = dst->data[3] + ((yp + slice_start) << vsub) * dst->linesize[3]; - for (j = j + slice_start; j < slice_end; j++) { + for (j = slice_start; j < slice_end; j++) { k = FFMAX(-xp, 0); d = dp + (xp+k) * dst_step; s = sp + k; @@ -961,13 +961,13 @@ static int do_blend(FFFrameSync *fs) s->var_values[VAR_Y], s->y); } - if (s->x < mainpic->width && s->x + second->width >= 0 || + if (s->x < mainpic->width && s->x + second->width >= 0 && s->y < mainpic->height && s->y + second->height >= 0) { ThreadData td; td.dst = mainpic; td.src = second; - ctx->internal->execute(ctx, s->blend_slice, &td, NULL, FFMIN(FFMIN(mainpic->height - s->y, second->height), + ctx->internal->execute(ctx, s->blend_slice, &td, NULL, FFMIN(FFMAX(1, FFMIN3(s->y + second->height, FFMIN(second->height, mainpic->height), mainpic->height - s->y)), ff_filter_get_nb_threads(ctx))); } return ff_filter_frame(ctx->outputs[0], mainpic); From 5356e610010a25809e6e43146b813056a8929804 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 20 Dec 2018 12:26:43 -0300 Subject: [PATCH 0035/1383] avcodec/cbs_av1: fix parsing delta_frame_id_minus1 delta_frame_id_minus1 is not a single value in the bitstream, and can store values up to 17 bits wide. Fixes parsing files with frame ids. Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 064f9505f49816650516c7afe93e43d8f547891a) --- libavcodec/cbs_av1.h | 2 +- libavcodec/cbs_av1_syntax_template.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 84622ed189..71ceff9427 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -170,7 +170,7 @@ typedef struct AV1RawFrameHeader { uint8_t last_frame_idx; uint8_t golden_frame_idx; int8_t ref_frame_idx[AV1_REFS_PER_FRAME]; - uint8_t delta_frame_id_minus1; + uint32_t delta_frame_id_minus1[AV1_REFS_PER_FRAME]; uint8_t allow_high_precision_mv; uint8_t is_filter_switchable; diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 0da79b615d..48f4fab514 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1323,8 +1323,8 @@ static int FUNC(uncompressed_header)(CodedBitstreamContext *ctx, RWContext *rw, if (!current->frame_refs_short_signaling) fbs(3, ref_frame_idx[i], 1, i); if (seq->frame_id_numbers_present_flag) { - fb(seq->delta_frame_id_length_minus_2 + 2, - delta_frame_id_minus1); + fbs(seq->delta_frame_id_length_minus_2 + 2, + delta_frame_id_minus1[i], 1, i); } } From b420f23566825192c3fc1f46fce24d19ffc1d72e Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 2 Dec 2018 20:49:24 +0000 Subject: [PATCH 0036/1383] cbs_av1: Fix reading of overlong uvlc codes The specification allows 2^32-1 to be encoded as any number of zeroes greater than 31, followed by a one. This previously failed because the trace code would overflow the array containing the string representation of the bits if there were more than 63 zeroes. Fix that by splitting the trace output into batches, and at the same time move it out of the default path. (While this seems likely to be a specification error, libaom does support it so we probably should as well.) From a test case by keval shah . Reviewed-by: Michael Niedermayer (cherry picked from commit b97a4b658814b2de8b9f2a3bce491c002d34de31) --- libavcodec/cbs_av1.c | 58 ++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 18 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index ed5211be19..535139e703 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -29,45 +29,67 @@ static int cbs_av1_read_uvlc(CodedBitstreamContext *ctx, GetBitContext *gbc, const char *name, uint32_t *write_to, uint32_t range_min, uint32_t range_max) { - uint32_t value; - int position, zeroes, i, j; - char bits[65]; + uint32_t zeroes, bits_value, value; + int position; if (ctx->trace_enable) position = get_bits_count(gbc); - zeroes = i = 0; + zeroes = 0; while (1) { - if (get_bits_left(gbc) < zeroes + 1) { + if (get_bits_left(gbc) < 1) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " "%s: bitstream ended.\n", name); return AVERROR_INVALIDDATA; } - if (get_bits1(gbc)) { - bits[i++] = '1'; + if (get_bits1(gbc)) break; - } else { - bits[i++] = '0'; - ++zeroes; - } + ++zeroes; } if (zeroes >= 32) { value = MAX_UINT_BITS(32); } else { - value = get_bits_long(gbc, zeroes); + if (get_bits_left(gbc) < zeroes) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid uvlc code at " + "%s: bitstream ended.\n", name); + return AVERROR_INVALIDDATA; + } - for (j = 0; j < zeroes; j++) - bits[i++] = (value >> (zeroes - j - 1) & 1) ? '1' : '0'; - - value += (1 << zeroes) - 1; + bits_value = get_bits_long(gbc, zeroes); + value = bits_value + (UINT32_C(1) << zeroes) - 1; } if (ctx->trace_enable) { + char bits[65]; + int i, j, k; + + if (zeroes >= 32) { + while (zeroes > 32) { + k = FFMIN(zeroes - 32, 32); + for (i = 0; i < k; i++) + bits[i] = '0'; + bits[i] = 0; + ff_cbs_trace_syntax_element(ctx, position, name, + NULL, bits, 0); + zeroes -= k; + position += k; + } + } + + for (i = 0; i < zeroes; i++) + bits[i] = '0'; + bits[i++] = '1'; + + if (zeroes < 32) { + for (j = 0; j < zeroes; j++) + bits[i++] = (bits_value >> (zeroes - j - 1) & 1) ? '1' : '0'; + } + bits[i] = 0; - ff_cbs_trace_syntax_element(ctx, position, name, NULL, - bits, value); + ff_cbs_trace_syntax_element(ctx, position, name, + NULL, bits, value); } if (value < range_min || value > range_max) { From ddc284300eb09b516cef96b6242041b410369302 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 25 Dec 2018 22:26:18 +0100 Subject: [PATCH 0037/1383] avfilter/af_asetnsamples: fix last frame props Frame properties were not copied, so e.g. PTS was not set for the last frame. Regression since ef3babb2c70f564dc1634b3f29c6e35a2b2dc239. Signed-off-by: Marton Balint (cherry picked from commit f9e947845f9ac5ccb84cf5e6f4121ec2e23b9946) --- libavfilter/af_asetnsamples.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavfilter/af_asetnsamples.c b/libavfilter/af_asetnsamples.c index e8daec8d8f..c60ce3063f 100644 --- a/libavfilter/af_asetnsamples.c +++ b/libavfilter/af_asetnsamples.c @@ -76,6 +76,13 @@ static int activate(AVFilterContext *ctx) return AVERROR(ENOMEM); } + ret = av_frame_copy_props(pad_frame, frame); + if (ret < 0) { + av_frame_free(&pad_frame); + av_frame_free(&frame); + return ret; + } + av_samples_copy(pad_frame->extended_data, frame->extended_data, 0, 0, frame->nb_samples, frame->channels, frame->format); av_samples_set_silence(pad_frame->extended_data, frame->nb_samples, From ac50246cc49add4e53d6716afd454dbe86666efd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 9 Nov 2018 06:31:38 +0100 Subject: [PATCH 0038/1383] h264_redundant_pps: Fix logging context The first element of H264RedundantPPSContext is not a pointer to an AVClass as required. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6dafcb6fdb6271d35220b889833561705c2b366f) Signed-off-by: Michael Niedermayer --- libavcodec/h264_redundant_pps_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_redundant_pps_bsf.c b/libavcodec/h264_redundant_pps_bsf.c index cc5a3060f5..af247eef21 100644 --- a/libavcodec/h264_redundant_pps_bsf.c +++ b/libavcodec/h264_redundant_pps_bsf.c @@ -91,7 +91,7 @@ static int h264_redundant_pps_filter(AVBSFContext *bsf, AVPacket *out) if (nal->type == H264_NAL_PPS) { h264_redundant_pps_fixup_pps(ctx, nal->content); if (!au_has_sps) { - av_log(ctx, AV_LOG_VERBOSE, "Deleting redundant PPS " + av_log(bsf, AV_LOG_VERBOSE, "Deleting redundant PPS " "at %"PRId64".\n", in->pts); ff_cbs_delete_unit(ctx->input, au, i); } From b66152a4e5e578c731f7e59e43f4db6b77d7c6d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Nov 2018 23:07:23 +0100 Subject: [PATCH 0039/1383] avcodec/imm4: Use ff_set_dimensions() Fixes: Out of memory Fixes: 10970/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IMM4_fuzzer-5698750043914240 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c305e134ce23b46a1164527ade3e1b7e2ecedf5f) Signed-off-by: Michael Niedermayer --- libavcodec/imm4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/imm4.c b/libavcodec/imm4.c index a4e9b5d4d2..b72f0be28e 100644 --- a/libavcodec/imm4.c +++ b/libavcodec/imm4.c @@ -428,8 +428,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, av_log(avctx, AV_LOG_ERROR, "Frame size change is unsupported.\n"); return AVERROR_INVALIDDATA; } - avctx->width = width; - avctx->height = height; + ret = ff_set_dimensions(avctx, width, height); + if (ret < 0) + return ret; } s->changed_size = 1; From 98a9d868d19b67808b035d121b71e0edeb6269c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Nov 2018 19:59:27 +0100 Subject: [PATCH 0040/1383] avcodec/shorten: Fix integer overflow with offset Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int' Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4b45e6d6dc..4134af74cf 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* subtract offset from previous samples to use in prediction */ if (command == FN_QLPC && coffset) for (i = -pred_order; i < 0; i++) - s->decoded[channel][i] -= coffset; + s->decoded[channel][i] -= (unsigned)coffset; /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; @@ -397,7 +397,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* add offset to current samples */ if (command == FN_QLPC && coffset) for (i = 0; i < s->blocksize; i++) - s->decoded[channel][i] += coffset; + s->decoded[channel][i] += (unsigned)coffset; return 0; } From e69bb0fb05550523a143efdfeffd51d4d2e813c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Nov 2018 20:29:40 +0100 Subject: [PATCH 0041/1383] fftools/ffmpeg: Repair reinit_filter feature Signed-off-by: Michael Niedermayer (cherry picked from commit 35040048793bc5d19942277fe17d1235e915a7d8) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index da4259a9a8..f502961196 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -2139,9 +2139,6 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) /* determine if the parameters for this input changed */ need_reinit = ifilter->format != frame->format; - if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || - (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) - need_reinit = 1; switch (ifilter->ist->st->codecpar->codec_type) { case AVMEDIA_TYPE_AUDIO: @@ -2155,6 +2152,13 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) break; } + if (!ifilter->ist->reinit_filters && fg->graph) + need_reinit = 0; + + if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || + (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) + need_reinit = 1; + if (need_reinit) { ret = ifilter_parameters_from_frame(ifilter, frame); if (ret < 0) From 89d65915cf6e7d79bd57896a4eb3fd626e699fc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Nov 2018 03:12:45 +0100 Subject: [PATCH 0042/1383] avcodec/pngdec: Check compression method method 0 (inflate/deflate) is the only specified in the specification and the only supported Fixes: Timeout Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99674ddddcc33f4c37def0a206e31ad7c4c1af) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 01144680f2..189bb9a4c1 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); + if (s->compression_type) { + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type); + goto error; + } s->filter_type = bytestream2_get_byte(&s->gb); s->interlace_type = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ From ab744447e141ecb997c0f01d7242a8aeb824f333 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Nov 2018 00:38:53 +0100 Subject: [PATCH 0043/1383] avcodec/truemotion2: fix integer overflows in tm2_low_chroma() Fixes: 11295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-4888953459572736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ae39d795613f3c6925c59852b625029b747fe42) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 58a577f53c..c583ff4032 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -484,7 +484,7 @@ static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *C } } -static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, int *deltas, int bx) +static inline void tm2_low_chroma(int *data, int stride, int *clast, unsigned *CD, int *deltas, int bx) { int t; int l; @@ -494,8 +494,8 @@ static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, in prev = clast[-3]; else prev = 0; - t = (CD[0] + CD[1]) >> 1; - l = (prev - CD[0] - CD[1] + clast[1]) >> 1; + t = (int)(CD[0] + CD[1]) >> 1; + l = (int)(prev - CD[0] - CD[1] + clast[1]) >> 1; CD[1] = CD[0] + CD[1] - t; CD[0] = t; clast[0] = l; From ee349bd0fd5acae9eb3bc142c93aedbf0dffee3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Nov 2018 02:33:04 +0100 Subject: [PATCH 0044/1383] avcodec/tiff: Limit filtering to decoded data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout Fixes: 11068/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5698456681709568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 90ac0e5f29ba4730cd92d3268938b3730823e52b) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index b537ec06a5..d5b88923fd 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1304,6 +1304,7 @@ static int decode_frame(AVCodecContext *avctx, planes = s->planar ? s->bppcount : 1; for (plane = 0; plane < planes; plane++) { int remaining = avpkt->size; + int decoded_height; stride = p->linesize[plane]; dst = p->data[plane]; for (i = 0; i < s->height; i += s->rps) { @@ -1331,6 +1332,8 @@ static int decode_frame(AVCodecContext *avctx, break; } } + decoded_height = FFMIN(i, s->height); + if (s->predictor == 2) { if (s->photometric == TIFF_PHOTOMETRIC_YCBCR) { av_log(s->avctx, AV_LOG_ERROR, "predictor == 2 with YUV is unsupported"); @@ -1347,7 +1350,7 @@ static int decode_frame(AVCodecContext *avctx, s->avctx->pix_fmt == AV_PIX_FMT_YA16LE || s->avctx->pix_fmt == AV_PIX_FMT_GBRP16LE || s->avctx->pix_fmt == AV_PIX_FMT_GBRAP16LE) { - for (i = 0; i < s->height; i++) { + for (i = 0; i < decoded_height; i++) { for (j = soff; j < ssize; j += 2) AV_WL16(dst + j, AV_RL16(dst + j) + AV_RL16(dst + j - soff)); dst += stride; @@ -1358,13 +1361,13 @@ static int decode_frame(AVCodecContext *avctx, s->avctx->pix_fmt == AV_PIX_FMT_YA16BE || s->avctx->pix_fmt == AV_PIX_FMT_GBRP16BE || s->avctx->pix_fmt == AV_PIX_FMT_GBRAP16BE) { - for (i = 0; i < s->height; i++) { + for (i = 0; i < decoded_height; i++) { for (j = soff; j < ssize; j += 2) AV_WB16(dst + j, AV_RB16(dst + j) + AV_RB16(dst + j - soff)); dst += stride; } } else { - for (i = 0; i < s->height; i++) { + for (i = 0; i < decoded_height; i++) { for (j = soff; j < ssize; j++) dst[j] += dst[j - soff]; dst += stride; From 4fe90900d82aa14ea9e79dc05b8f174f92cfe4dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Nov 2018 09:42:44 +0100 Subject: [PATCH 0045/1383] avcodec/diracdec: Check component quant Fixes: Timeout Fixes: 10708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5730140957442048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28c96c2ce2781c2cd147a9f3c299e18ce1dc7ff8) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index af561d1426..fd23139062 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -676,6 +676,11 @@ static int decode_component(DiracContext *s, int comp) b->length = get_interleaved_ue_golomb(&s->gb); if (b->length) { b->quant = get_interleaved_ue_golomb(&s->gb); + if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported quant %d\n", b->quant); + b->quant = 0; + return AVERROR_INVALIDDATA; + } align_get_bits(&s->gb); b->coeff_data = s->gb.buffer + get_bits_count(&s->gb)/8; b->length = FFMIN(b->length, FFMAX(get_bits_left(&s->gb)/8, 0)); From 90db1e441fcd927a76690a7acf3f3225583d7b4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Nov 2018 09:24:30 +0100 Subject: [PATCH 0046/1383] avcodec/truemotion2rt: Fix rounding in input size check Fixes: Timeout Fixes: 11332/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5678456612847616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f22a4ebc97817fd0968f5ea8295c9a59a6292e0) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2rt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2rt.c b/libavcodec/truemotion2rt.c index 9df0b527bb..e3ab998fda 100644 --- a/libavcodec/truemotion2rt.c +++ b/libavcodec/truemotion2rt.c @@ -116,7 +116,7 @@ static int truemotion2rt_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; - if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) + if ((avctx->width + s->hscale - 1)/ s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) return AVERROR_INVALIDDATA; ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret); From eee0cf487aade926af27d7ffb079201ef5e8287e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Nov 2018 02:32:10 +0100 Subject: [PATCH 0047/1383] avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size Frames that small are not valid and of limited use for error concealment, while being very computationally intensive to process. Fixes: Timeout Fixes: 11318/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSMPEG4V1_fuzzer-5710884555456512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09ec182864d41c990bc18f620eabb77444aeff57) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 457a37e745..16b67192b5 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -412,6 +412,14 @@ int ff_msmpeg4_decode_picture_header(MpegEncContext * s) { int code; + // at minimum one bit per macroblock is required at least in a valid frame, + // we discard frames much smaller than this. Frames smaller than 1/8 of the + // smallest "black/skip" frame generally contain not much recoverable content + // while at the same time they have the highest computational requirements + // per byte + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) + return AVERROR_INVALIDDATA; + if(s->msmpeg4_version==1){ int start_code = get_bits_long(&s->gb, 32); if(start_code!=0x00000100){ From 1a5db666ace66a4ebc42557753d09426df561923 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Nov 2018 23:37:03 +0100 Subject: [PATCH 0048/1383] avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size Frames that small are not valid and of limited use for error concealment, while being very computationally intensive to process. Fixes: Timeout Fixes: 11168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5733782032744448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6f4341522c3eafb046c47b115d79ce684a899fc) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index 4f97d9227c..92daa1639e 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -181,6 +181,14 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } s->dc_table_index = get_bits1(&s->gb); + + // at minimum one bit per macroblock is required at least in a valid frame, + // we discard frames much smaller than this. Frames smaller than 1/8 of the + // smallest "black/skip" frame generally contain not much recoverable content + // while at the same time they have the highest computational requirements + // per byte + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) + return AVERROR_INVALIDDATA; } s->inter_intra_pred = 0; s->no_rounding = 1; From 558ba71de5c75bd7d2cced51361180baaf32cfd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Dec 2018 22:16:19 +0100 Subject: [PATCH 0049/1383] avcodec/msvideo1: Check for too small dimensions Such low resolution would result in empty output as a minimum of 4x4 is needed We could also check for multiple of 4 dimensions but that is not needed Fixes: Timeout Fixes: 11191/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSVIDEO1_fuzzer-5739529588178944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 953bd58861ad933e614510140b05a61e3d1375be) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 29700f54b6..de048d8b6f 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -62,6 +62,9 @@ static av_cold int msvideo1_decode_init(AVCodecContext *avctx) s->avctx = avctx; + if (avctx->width < 4 || avctx->height < 4) + return AVERROR_INVALIDDATA; + /* figure out the colorspace based on the presence of a palette */ if (s->avctx->bits_per_coded_sample == 8) { s->mode_8bit = 1; From 55c36d2498119b3a01337115b28be006602ccb44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Dec 2018 16:29:40 +0100 Subject: [PATCH 0050/1383] avcodec/ppc/hevcdsp: Fix build failures with powerpc-linux-gnu-gcc-4.8 with --disable-optimizations The affected functions could also be changed into macros, this is the smaller change to fix it though. And avoids (probably) less readable macros The extra code should be optimized out when optimizations are done as all values are known at build after inlining. Signed-off-by: Michael Niedermayer (cherry picked from commit 2c64a6bcd280c64997e6c4799bc89c0a9393bbf3) Signed-off-by: Michael Niedermayer --- libavcodec/ppc/hevcdsp.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/libavcodec/ppc/hevcdsp.c b/libavcodec/ppc/hevcdsp.c index dcae43305a..c1d562a409 100644 --- a/libavcodec/ppc/hevcdsp.c +++ b/libavcodec/ppc/hevcdsp.c @@ -58,7 +58,13 @@ static av_always_inline void transform4x4(vec_s16 src_01, vec_s16 src_23, e1 = vec_msums(src_02, trans4[2], zero); o1 = vec_msums(src_13, trans4[3], zero); - add = vec_sl(vec_splat_s32(1), vec_splat_u32(shift - 1)); + switch(shift) { + case 7: add = vec_sl(vec_splat_s32(1), vec_splat_u32( 7 - 1)); break; + case 10: add = vec_sl(vec_splat_s32(1), vec_splat_u32(10 - 1)); break; + case 12: add = vec_sl(vec_splat_s32(1), vec_splat_u32(12 - 1)); break; + default: abort(); + } + e0 = vec_add(e0, add); e1 = vec_add(e1, add); @@ -72,7 +78,14 @@ static av_always_inline void scale(vec_s32 res[4], vec_s16 res_packed[2], const int shift) { int i; - vec_u32 v_shift = vec_splat_u32(shift); + vec_u32 v_shift; + + switch(shift) { + case 7: v_shift = vec_splat_u32(7) ; break; + case 10: v_shift = vec_splat_u32(10); break; + case 12: v_shift = vec_splat_u32(12); break; + default: abort(); + } for (i = 0; i < 4; i++) res[i] = vec_sra(res[i], v_shift); From 219cbc55277ab64b305c82bfa1f85e919610f81d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Dec 2018 21:41:01 +0100 Subject: [PATCH 0051/1383] avcodec/dxv: Check that there is enough data to decompress Fixes: Timeout Fixes: 10979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-6178582203203584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bc3811c0d6b34e43a55a7541722761f548628d0) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 08aca73b1f..bf53d7d706 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -1192,6 +1192,12 @@ static int dxv_decode(AVCodecContext *avctx, void *data, ret = decompress_tex(avctx); if (ret < 0) return ret; + { + int w_block = avctx->coded_width / ctx->texture_block_w; + int h_block = avctx->coded_height / ctx->texture_block_h; + if (w_block * h_block * ctx->tex_step > ctx->tex_size * 8LL) + return AVERROR_INVALIDDATA; + } tframe.f = data; ret = ff_thread_get_buffer(avctx, &tframe, 0); From 9b5a6bb67ba35b3442667964f9e3a7e330b10bdc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Dec 2018 02:18:51 +0100 Subject: [PATCH 0052/1383] avcodec/rasc: Check input space before reading chunk Fixes: Timeout Fixes: 11118/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5652564066959360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52ba824c65817c1db6aad41c470dde7162252036) Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index e8e0740ddd..67351dfd19 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -680,6 +680,9 @@ static int decode_frame(AVCodecContext *avctx, while (bytestream2_get_bytes_left(gb) > 0) { unsigned type, size = 0; + if (bytestream2_get_bytes_left(gb) < 8) + return AVERROR_INVALIDDATA; + type = bytestream2_get_le32(gb); if (type == KBND || type == BNDL) { intra = type == KBND; From 228f17ced3bd394677f0421f462067a0f287ca8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Dec 2018 01:19:37 +0100 Subject: [PATCH 0053/1383] avcodec/clearvideo: Check remaining input bits in P macro block loop Fixes: Timeout Fixes: 11083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5657180351496192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7aaab127bebb33003105a620736d6cae8c45a6e5) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 0e3c772123..ad3012f7b7 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -570,6 +570,8 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data, for (j = 0; j < c->pmb_height; j++) { for (i = 0; i < c->pmb_width; i++) { + if (get_bits_left(&c->gb) <= 0) + return AVERROR_INVALIDDATA; if (get_bits1(&c->gb)) { MV mv = mvi_predict(&c->mvi, i, j, zero_mv); From 54fbdacc3791a6c5ff5945b139c7221d466676b5 Mon Sep 17 00:00:00 2001 From: chcunningham Date: Thu, 13 Dec 2018 13:58:40 -0800 Subject: [PATCH 0054/1383] lavf/mov: ensure only one tkhd per trak Chromium fuzzing produced a whacky file with extra tkhds. This caused an AVStream that was already in use to be corrupted by assigning it a new id, which blows up later in mov_read_trun because the MOVFragmentStreamInfo.index_entry now points OOB. Reviewed-by: Baptiste Coudurier Signed-off-by: Michael Niedermayer (cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ec57a05803..6f92742e23 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1326,6 +1326,10 @@ static int update_frag_index(MOVContext *c, int64_t offset) return -1; for (i = 0; i < c->fc->nb_streams; i++) { + // Avoid building frag index if streams lack track id. + if (c->fc->streams[i]->id < 0) + return AVERROR_INVALIDDATA; + frag_stream_info[i].id = c->fc->streams[i]->id; frag_stream_info[i].sidx_pts = AV_NOPTS_VALUE; frag_stream_info[i].tfdt_dts = AV_NOPTS_VALUE; @@ -4154,7 +4158,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); - st->id = c->fc->nb_streams; + st->id = -1; sc = av_mallocz(sizeof(MOVStreamContext)); if (!sc) return AVERROR(ENOMEM); @@ -4438,6 +4442,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + // Each stream (trak) should have exactly 1 tkhd. This catches bad files and + // avoids corrupting AVStreams mapped to an earlier tkhd. + if (st->id != -1) + return AVERROR_INVALIDDATA; + version = avio_r8(pb); flags = avio_rb24(pb); st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0; @@ -4704,6 +4713,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) break; } } + av_assert0(index_entry_pos <= st->nb_index_entries); avio_r8(pb); /* version */ flags = avio_rb24(pb); From f5859d4a8ee22f73d75d6b498d459700b034dd55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Dec 2018 21:52:09 +0100 Subject: [PATCH 0055/1383] avformat/nutenc: Document trailer index assert better Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3a95b73abc868995b08ca2b4d8bbf2cda43184f8) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index a92ff55c01..e9a3bb49db 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -1172,7 +1172,7 @@ static int nut_write_trailer(AVFormatContext *s) ret = avio_open_dyn_buf(&dyn_bc); if (ret >= 0 && nut->sp_count) { - av_assert1(nut->write_index); + av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); } From 321c418b8715e9b3142648561dcd1fd6494a9d62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Dec 2018 00:10:17 +0100 Subject: [PATCH 0056/1383] avcodec/rasc: Check that the number of moves is less than or equal the number of pixels Fixes: OOM Fixes: 10307/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5393974559244288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 092cb17983b2660b4e050a05c739060f8e03d27a) Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 67351dfd19..1b607ac31e 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -215,7 +215,7 @@ static int decode_move(AVCodecContext *avctx, bytestream2_skip(gb, 8); compression = bytestream2_get_le32(gb); - if (nb_moves > INT32_MAX / 16) + if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width * avctx->height) return AVERROR_INVALIDDATA; uncompressed_size = 16 * nb_moves; From 45f5f2086ebe838b2aad7fa394fb1a2a31952ee8 Mon Sep 17 00:00:00 2001 From: chcunningham Date: Fri, 14 Dec 2018 13:44:07 -0800 Subject: [PATCH 0057/1383] lavf/id3v2: fail read_apic on EOF reading mimetype MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit avio_read may return EOF, leaving the mimetype array unitialized. fail early when this occurs to avoid using the array in an unitialized state. Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e39a576977fd38c3b94fc56125d31d38833e9) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index f7de26a1d8..5fe055b591 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -590,7 +590,7 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, int isv34) { int enc, pic_type; - char mimetype[64]; + char mimetype[64] = {0}; const CodecMime *mime = ff_id3v2_mime_tags; enum AVCodecID id = AV_CODEC_ID_NONE; ID3v2ExtraMetaAPIC *apic = NULL; @@ -612,7 +612,9 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, if (isv34) { taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); } else { - avio_read(pb, mimetype, 3); + if (avio_read(pb, mimetype, 3) < 0) + goto fail; + mimetype[3] = 0; taglen -= 3; } From e1f40f0dae68ba82cd955fafd82aec336a81d27d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Dec 2018 14:27:48 +0100 Subject: [PATCH 0058/1383] avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan() Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit ea30ac1e408246382796f61d645d1e087aed390a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index b0cb3ffc83..53598fdb3c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1206,25 +1206,25 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, || v * mb_y + y >= s->height) { // Nothing to do } else if (bits<=8) { - ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap - if(y==0 && toprow){ - if(x==0 && leftcol){ - pred= 1 << (bits - 1); + ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap + if(y==0 && toprow){ + if(x==0 && leftcol){ + pred= 1 << (bits - 1); + }else{ + pred= ptr[-1]; + } }else{ - pred= ptr[-1]; + if(x==0 && leftcol){ + pred= ptr[-linesize]; + }else{ + PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); + } } - }else{ - if(x==0 && leftcol){ - pred= ptr[-linesize]; - }else{ - PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); - } - } - if (s->interlaced && s->bottom_field) - ptr += linesize >> 1; - pred &= mask; - *ptr= pred + ((unsigned)dc << point_transform); + if (s->interlaced && s->bottom_field) + ptr += linesize >> 1; + pred &= mask; + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ From 2f75965c47da0a25ec03a8aebd565fba20aa317b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Dec 2018 21:51:22 +0100 Subject: [PATCH 0059/1383] tests/fate/filter-video: increase fuzz for fate-filter-refcmp-psnr-rgb Fixes: test failure on powerpc Signed-off-by: Michael Niedermayer (cherry picked from commit f8f762c300e29d80ece363edc08e137b371d909f) Signed-off-by: Michael Niedermayer --- tests/fate/filter-video.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak index 8bbdc04896..1042e96e54 100644 --- a/tests/fate/filter-video.mak +++ b/tests/fate/filter-video.mak @@ -782,7 +782,7 @@ fate-filter-meta-4560-rotate0: CMD = framecrc -flags +bitexact -c:a aac_fixed -i REFCMP_DEPS = FFMPEG LAVFI_INDEV TESTSRC2_FILTER AVGBLUR_FILTER METADATA_FILTER FATE_FILTER_SAMPLES-$(call ALLYES, $(REFCMP_DEPS) PSNR_FILTER) += fate-filter-refcmp-psnr-rgb -fate-filter-refcmp-psnr-rgb: CMD = refcmp_metadata psnr rgb24 0.001 +fate-filter-refcmp-psnr-rgb: CMD = refcmp_metadata psnr rgb24 0.002 FATE_FILTER_SAMPLES-$(call ALLYES, $(REFCMP_DEPS) PSNR_FILTER) += fate-filter-refcmp-psnr-yuv fate-filter-refcmp-psnr-yuv: CMD = refcmp_metadata psnr yuv422p 0.0015 From e3fbbb7d18b6a19a55ce4f2662e726e41d330553 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Dec 2018 21:51:48 +0100 Subject: [PATCH 0060/1383] avformat/mpegts: Fix side data type for stream id Signed-off-by: Michael Niedermayer (cherry picked from commit ab1319d82f0c77308792fa2d88cbfc73c3e47cb7) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index edf6b5701d..a5e850e121 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -918,7 +918,7 @@ static void new_data_packet(const uint8_t *buffer, int len, AVPacket *pkt) static int new_pes_packet(PESContext *pes, AVPacket *pkt) { - char *sd; + uint8_t *sd; av_init_packet(pkt); From 42357b37cb9d5960907ccf74972de3a9cf826703 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Dec 2018 21:52:30 +0100 Subject: [PATCH 0061/1383] avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID Signed-off-by: Michael Niedermayer (cherry picked from commit 68e011e4103b9cb5ac2d152d73ca8393065a33fb) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 7ffef768dc..bee2234575 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1321,7 +1321,7 @@ enum AVPacketSideDataType { AV_PKT_DATA_METADATA_UPDATE, /** - * MPEGTS stream ID, this is required to pass the stream ID + * MPEGTS stream ID as uint8_t, this is required to pass the stream ID * information from the demuxer to the corresponding muxer. */ AV_PKT_DATA_MPEGTS_STREAM_ID, From 4c0be3a60cf862656d276443fb0ca1bfcfa7bdc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Dec 2018 19:04:56 +0100 Subject: [PATCH 0062/1383] avcodec/rpza: Move frame allocation to a later point This will allow performing some fast checks before the slow allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 8a708aa99cb0e8d76e52117b1fd89d221f0055e9) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index b71ebd1cbe..cffbfe4416 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -73,13 +73,12 @@ typedef struct RpzaContext { static int rpza_decode_stream(RpzaContext *s) { int width = s->avctx->width; - int stride = s->frame->linesize[0] / 2; - int row_inc = stride - 4; + int stride, row_inc, ret; int chunk_size; uint16_t colorA = 0, colorB; uint16_t color4[4]; uint16_t ta, tb; - uint16_t *pixels = (uint16_t *)s->frame->data[0]; + uint16_t *pixels; int row_ptr = 0; int pixel_ptr = 0; @@ -106,6 +105,12 @@ static int rpza_decode_stream(RpzaContext *s) /* Number of 4x4 blocks in frame. */ total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + if ((ret = ff_reget_buffer(s->avctx, s->frame)) < 0) + return ret; + pixels = (uint16_t *)s->frame->data[0]; + stride = s->frame->linesize[0] / 2; + row_inc = stride - 4; + /* Process chunk data */ while (bytestream2_get_bytes_left(&s->gb)) { uint8_t opcode = bytestream2_get_byte(&s->gb); /* Get opcode */ @@ -256,9 +261,6 @@ static int rpza_decode_frame(AVCodecContext *avctx, bytestream2_init(&s->gb, avpkt->data, avpkt->size); - if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) - return ret; - ret = rpza_decode_stream(s); if (ret < 0) return ret; From c22b67feaae9f6b5a9ebbbb84d64ff749f084135 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Dec 2018 19:13:27 +0100 Subject: [PATCH 0063/1383] avcodec/rpza: Check that there is enough data for all the blocks Fixes: Timeout Fixes: 11547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RPZA_fuzzer-5678435842654208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e63517e00a1a8375c7fb3b8c4c64c9a7c3da713e) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index cffbfe4416..8e1efa2445 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -105,6 +105,9 @@ static int rpza_decode_stream(RpzaContext *s) /* Number of 4x4 blocks in frame. */ total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + if (total_blocks / 32 > bytestream2_get_bytes_left(&s->gb)) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(s->avctx, s->frame)) < 0) return ret; pixels = (uint16_t *)s->frame->data[0]; From 73c90818b116e3783e6479172a565cfb9fa36036 Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Wed, 19 Dec 2018 16:00:22 -0800 Subject: [PATCH 0064/1383] libavformat/mov: Fix NULL-dereference read for some encrypted content. When reading frames, we need to use the fragment for the correct stream. Sometimes the "current" fragment is not the same as the one the frame is for. Found by Chromium's ClusterFuzz: https://crbug.com/906392 and https://crbug.com/915524 Signed-off-by: Jacob Trimble Signed-off-by: Michael Niedermayer (cherry picked from commit 555f332e7adbd492ca74fa7329c492819b52e2ed) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6f92742e23..ff7fdd48e2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6556,14 +6556,14 @@ static int cenc_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryptionInfo *s return 0; } -static int cenc_filter(MOVContext *mov, MOVStreamContext *sc, AVPacket *pkt, int current_index) +static int cenc_filter(MOVContext *mov, AVStream* st, MOVStreamContext *sc, AVPacket *pkt, int current_index) { MOVFragmentStreamInfo *frag_stream_info; MOVEncryptionIndex *encryption_index; AVEncryptionInfo *encrypted_sample; int encrypted_index, ret; - frag_stream_info = get_current_frag_stream_info(&mov->frag_index); + frag_stream_info = get_frag_stream_info(&mov->frag_index, mov->frag_index.current, st->id); encrypted_index = current_index; encryption_index = NULL; if (frag_stream_info) { @@ -7793,7 +7793,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) if (mov->aax_mode) aax_filter(pkt->data, pkt->size, mov); - ret = cenc_filter(mov, sc, pkt, current_index); + ret = cenc_filter(mov, st, sc, pkt, current_index); if (ret < 0) return ret; From 69f50eb9150c3b587038e9742a0abdab57a94919 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Dec 2018 22:40:05 +0100 Subject: [PATCH 0065/1383] postproc/postprocess_template: Avoid using %4 for the threshold compare This avoids problems if %4 is the stack pointer the constraints do not allow %4 to be the stack pointer but gcc 9 may no longer support specifying such constraints Signed-off-by: Michael Niedermayer (cherry picked from commit 4325527e1c4fd2da119e81933172065ee1274eda) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index 0a43989266..485eb5cfc0 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -1184,10 +1184,10 @@ FIND_MIN_MAX((%0, %1, 8)) #endif "movq %%mm6, %%mm0 \n\t" // max "psubb %%mm7, %%mm6 \n\t" // max - min - "push %4 \n\t" - "movd %%mm6, %k4 \n\t" - "cmpb "MANGLE(deringThreshold)", %b4 \n\t" - "pop %4 \n\t" + "push %%"FF_REG_a" \n\t" + "movd %%mm6, %%eax \n\t" + "cmpb "MANGLE(deringThreshold)", %%al \n\t" + "pop %%"FF_REG_a" \n\t" " jb 1f \n\t" PAVGB(%%mm0, %%mm7) // a=(max + min)/2 "punpcklbw %%mm7, %%mm7 \n\t" From daef9d43828733534267dd15975f761ce7277a5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Dec 2018 22:40:06 +0100 Subject: [PATCH 0066/1383] postproc/postprocess_template: remove FF_REG_sp from clobber list Future gcc may no longer support this Tested-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit c1cbeb87db4bfc6e281e4254a6c7fdd3854fc9b9) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index 485eb5cfc0..b0adfd168c 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -1317,7 +1317,7 @@ DERING_CORE((%0, %1, 8) ,(%%FF_REGd, %1, 4),%%mm2,%%mm4,%%mm0,%%mm3,%%mm5, "1: \n\t" : : "r" (src), "r" ((x86_reg)stride), "m" (c->pQPb), "m"(c->pQPb2), "q"(tmp) NAMED_CONSTRAINTS_ADD(deringThreshold,b00,b02,b08) - : "%"FF_REG_a, "%"FF_REG_d, "%"FF_REG_sp + : "%"FF_REG_a, "%"FF_REG_d ); #else // HAVE_7REGS && (TEMPLATE_PP_MMXEXT || TEMPLATE_PP_3DNOW) int y; From 5550946ff4bdb4f6092e6aabd8d11888695ffbd0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Dec 2018 02:26:18 +0100 Subject: [PATCH 0067/1383] avcodec/ilbcdec: fix integer overflow in energy webrtc uses a int32_t like the existing code in ilbcdec Fixes: signed integer overflow: 2080245063 + 257939661 cannot be represented in type 'int' Fixes: 11037/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-5682976612941824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbf409cd91aca2b4738c6b5bc963ae6041f26701) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 8a6dbe0b75..50012c0231 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -1303,7 +1303,8 @@ static int xcorr_coeff(int16_t *target, int16_t *regressor, pos += step; /* Do a +/- to get the next energy */ - energy += step * ((*rp_end * *rp_end - *rp_beg * *rp_beg) >> shifts); + energy += (unsigned)step * ((*rp_end * *rp_end - *rp_beg * *rp_beg) >> shifts); + rp_beg += step; rp_end += step; } From 5ed024e40bdbc0047d7cad38f6b7d52903dbc108 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Dec 2018 21:43:07 +0100 Subject: [PATCH 0068/1383] avcodec/fic: Fail on invalid slice size/off Fixes: Timeout Fixes: 11486/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5677133863583744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 30a7a81cdc2ee2eac6d3271439c43f11b7327b3e) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index dcf0777674..3e36346358 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -380,6 +380,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, slice_h = FFALIGN(avctx->height - ctx->slice_h * (nslices - 1), 16); } else { slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); + if (slice_size < slice_off) + return AVERROR_INVALIDDATA; } if (slice_size < slice_off || slice_size > msize) From 929b5519d8e9fb0bada84a708c7b43bdb447574d Mon Sep 17 00:00:00 2001 From: gxw Date: Mon, 24 Dec 2018 14:07:44 +0800 Subject: [PATCH 0069/1383] avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa The AV_INPUT_BUFFER_PADDING_SIZE has been increased to 64, but the value is still 32 in function ff_hevc_sao_edge_filter_8_msa. So, use AV_INPUT_BUFFER_PADDING_SIZE directly. Also, use MAX_PB_SIZE directly instead of 64. Fate tests passed. Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit f652c7a45c60427db0a89fae665e63b546af6ebb) Signed-off-by: Michael Niedermayer --- libavcodec/mips/hevc_lpf_sao_msa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mips/hevc_lpf_sao_msa.c b/libavcodec/mips/hevc_lpf_sao_msa.c index 5b5537a264..adcafde621 100644 --- a/libavcodec/mips/hevc_lpf_sao_msa.c +++ b/libavcodec/mips/hevc_lpf_sao_msa.c @@ -2630,7 +2630,7 @@ void ff_hevc_sao_edge_filter_8_msa(uint8_t *dst, uint8_t *src, int16_t *sao_offset_val, int eo, int width, int height) { - ptrdiff_t stride_src = (2 * 64 + 32) / sizeof(uint8_t); + ptrdiff_t stride_src = (2 * MAX_PB_SIZE + AV_INPUT_BUFFER_PADDING_SIZE) / sizeof(uint8_t); switch (eo) { case 0: From ea279bd160d973e7bc765002fcc13d064d1d356d Mon Sep 17 00:00:00 2001 From: David Bryant Date: Tue, 20 Nov 2018 21:00:47 -0800 Subject: [PATCH 0070/1383] avformat/wvdec: detect and error out on WavPack DSD files Not currently supported. (cherry picked from commit db109373d87b1fa5fe9f3d027d1bb752f725b74a) Signed-off-by: Michael Niedermayer --- libavformat/wvdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/wvdec.c b/libavformat/wvdec.c index 82526563ec..2060523c3b 100644 --- a/libavformat/wvdec.c +++ b/libavformat/wvdec.c @@ -40,6 +40,7 @@ enum WV_FLAGS { WV_HBAL = 0x0400, WV_MCINIT = 0x0800, WV_MCEND = 0x1000, + WV_DSD = 0x80000000, }; static const int wv_rates[16] = { @@ -97,6 +98,11 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) return ret; } + if (wc->header.flags & WV_DSD) { + avpriv_report_missing_feature(ctx, "WV DSD"); + return AVERROR_PATCHWELCOME; + } + if (wc->header.version < 0x402 || wc->header.version > 0x410) { avpriv_report_missing_feature(ctx, "WV version 0x%03X", wc->header.version); From 33b4aba5bdf43415aeb1aa3d51dc03a7cd62b2ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Dec 2018 22:22:56 +0100 Subject: [PATCH 0071/1383] avcodec/mjpegbdec: Fix some misplaced {} and spaces Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 11a8d2ccab1fe165eef4578c048d38731dbe1d6f) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegbdec.c | 24 +++++++++--------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index a858707d54..8583fcb4f9 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -70,8 +70,7 @@ read_header: skip_bits(&hgb, 32); /* reserved zeros */ - if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) - { + if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) { av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n"); return AVERROR_INVALIDDATA; } @@ -85,19 +84,17 @@ read_header: dqt_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dqt is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dqt offs: 0x%"PRIx32"\n", dqt_offs); - if (dqt_offs) - { + if (dqt_offs) { init_get_bits(&s->gb, buf_ptr+dqt_offs, (buf_end - (buf_ptr+dqt_offs))*8); s->start_code = DQT; if (ff_mjpeg_decode_dqt(s) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; + return AVERROR_INVALIDDATA; } dht_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dht is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dht offs: 0x%"PRIx32"\n", dht_offs); - if (dht_offs) - { + if (dht_offs) { init_get_bits(&s->gb, buf_ptr+dht_offs, (buf_end - (buf_ptr+dht_offs))*8); s->start_code = DHT; ff_mjpeg_decode_dht(s); @@ -105,8 +102,7 @@ read_header: sof_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sof offs: 0x%"PRIx32"\n", sof_offs); - if (sof_offs) - { + if (sof_offs) { init_get_bits(&s->gb, buf_ptr+sof_offs, (buf_end - (buf_ptr+sof_offs))*8); s->start_code = SOF0; if (ff_mjpeg_decode_sof(s) < 0) @@ -117,25 +113,23 @@ read_header: av_log(avctx, AV_LOG_DEBUG, "sos offs: 0x%"PRIx32"\n", sos_offs); sod_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%"PRIx32"\n", sod_offs); - if (sos_offs) - { + if (sos_offs) { init_get_bits(&s->gb, buf_ptr + sos_offs, 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; if (ff_mjpeg_decode_sos(s, NULL, 0, NULL) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; + return AVERROR_INVALIDDATA; } if (s->interlaced) { s->bottom_field ^= 1; /* if not bottom field, do not output image yet */ - if (s->bottom_field != s->interlace_polarity && second_field_offs) - { + if (s->bottom_field != s->interlace_polarity && second_field_offs) { buf_ptr = buf + second_field_offs; goto read_header; - } + } } //XXX FIXME factorize, this looks very similar to the EOI code From 41ee513c81a3741760532bad1a929b27b3dacf49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Dec 2018 22:22:53 +0100 Subject: [PATCH 0072/1383] avcodec/v4l2_m2m: fix cant typo Reviewed-by: Lou Logan Signed-off-by: Michael Niedermayer (cherry picked from commit 062bf5639359e183e016bcb795ac10735f83e863) Signed-off-by: Michael Niedermayer --- libavcodec/v4l2_m2m.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/v4l2_m2m.h b/libavcodec/v4l2_m2m.h index 452bf0d9bc..0d4671beb1 100644 --- a/libavcodec/v4l2_m2m.h +++ b/libavcodec/v4l2_m2m.h @@ -104,7 +104,7 @@ int ff_v4l2_m2m_codec_init(AVCodecContext *avctx); int ff_v4l2_m2m_codec_end(AVCodecContext *avctx); /** - * Reinitializes the V4L2m2mContext when the driver cant continue processing + * Reinitializes the V4L2m2mContext when the driver cannot continue processing * with the capture parameters. * * @param[in] ctx The V4L2m2mContext instantiated by the encoder/decoder. @@ -114,7 +114,7 @@ int ff_v4l2_m2m_codec_end(AVCodecContext *avctx); int ff_v4l2_m2m_codec_reinit(V4L2m2mContext *ctx); /** - * Reinitializes the V4L2m2mContext when the driver cant continue processing + * Reinitializes the V4L2m2mContext when the driver cannot continue processing * with the any of the current V4L2Contexts (ie, changes in output and capture). * * @param[in] ctx The V4L2m2mContext instantiated by the encoder/decoder. From 6b6c854658661573dbc598a1fc5921c5756dd6cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Dec 2018 22:22:52 +0100 Subject: [PATCH 0073/1383] avformat/libopenmpt: Fix successfull typo Reviewed-by: Lou Logan Signed-off-by: Michael Niedermayer (cherry picked from commit 571af98a5959d72c65a6753eb8e82cde407f4cd0) Signed-off-by: Michael Niedermayer --- libavformat/libopenmpt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c index 0fff702a36..a334270847 100644 --- a/libavformat/libopenmpt.c +++ b/libavformat/libopenmpt.c @@ -259,7 +259,7 @@ static int read_probe_openmpt(AVProbeData *p) } else { /* The file extension is unknown and we have very few data * bytes available. libopenmpt cannot decide anything here, - * and returning any score > 0 would result in successfull + * and returning any score > 0 would result in successful * probing of random data. */ return 0; From 15857674c51db30f6862bf5e643f06c9e64f3209 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 Dec 2018 18:11:44 +0100 Subject: [PATCH 0074/1383] avcodec/4xm: Fix returned error codes Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 07607a1db879d0d96e2c91e1354bc4e425937d3a) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 5547dfd87f..8e05a4c366 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -498,7 +498,7 @@ static int decode_i_block(FourXContext *f, int16_t *block) if (get_bits_left(&f->gb) < 2){ av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); - return -1; + return AVERROR_INVALIDDATA; } /* DC coef */ @@ -732,7 +732,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length) for (x = 0; x < width; x += 16) { unsigned int color[4] = { 0 }, bits; if (buf_end - buf < 8) - return -1; + return AVERROR_INVALIDDATA; // warning following is purely guessed ... color[0] = bytestream2_get_le16u(&g3); color[1] = bytestream2_get_le16u(&g3); From e385fc45dddc064dbc48c933d08cdedc764d15f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 Dec 2018 20:45:17 +0100 Subject: [PATCH 0075/1383] doc/indevs: fix upto typo Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b33de557470471fe5d3a07fb441ec3f548f1d50a) Signed-off-by: Michael Niedermayer --- doc/indevs.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/indevs.texi b/doc/indevs.texi index e1301ccf97..ba6a2ad02f 100644 --- a/doc/indevs.texi +++ b/doc/indevs.texi @@ -374,7 +374,7 @@ Defaults to @option{false}. @item timestamp_align Capture start time alignment in seconds. If set to nonzero, input frames are dropped till the system timestamp aligns with configured value. -Alignment difference of upto one frame duration is tolerated. +Alignment difference of up to one frame duration is tolerated. This is useful for maintaining input synchronization across N different hardware devices deployed for 'N-way' redundancy. The system time of different hardware devices should be synchronized with protocols such as NTP or PTP, From 99576bf034ce283f1e7c48ba4898ca2e991b7286 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 Dec 2018 20:54:12 +0100 Subject: [PATCH 0076/1383] avfilter/vf_tonemap_opencl: Make static tables const Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 47c3a10b16f2721c7afa333869aafa8c007fb419) Signed-off-by: Michael Niedermayer --- libavfilter/vf_tonemap_opencl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c index cd293c2522..ae3f98d817 100644 --- a/libavfilter/vf_tonemap_opencl.c +++ b/libavfilter/vf_tonemap_opencl.c @@ -98,12 +98,12 @@ static const struct LumaCoefficients luma_coefficients[AVCOL_SPC_NB] = { [AVCOL_SPC_BT2020_NCL] = { 0.2627, 0.6780, 0.0593 }, }; -static struct PrimaryCoefficients primaries_table[AVCOL_PRI_NB] = { +static const struct PrimaryCoefficients primaries_table[AVCOL_PRI_NB] = { [AVCOL_PRI_BT709] = { 0.640, 0.330, 0.300, 0.600, 0.150, 0.060 }, [AVCOL_PRI_BT2020] = { 0.708, 0.292, 0.170, 0.797, 0.131, 0.046 }, }; -static struct WhitepointCoefficients whitepoint_table[AVCOL_PRI_NB] = { +static const struct WhitepointCoefficients whitepoint_table[AVCOL_PRI_NB] = { [AVCOL_PRI_BT709] = { 0.3127, 0.3290 }, [AVCOL_PRI_BT2020] = { 0.3127, 0.3290 }, }; From 1623f42d993adb9fa2bb9f7c766b6ce55922a8d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Dec 2018 18:41:58 +0100 Subject: [PATCH 0077/1383] avcodec/exr: Check for duplicate channel index Fixes: Out of memory Fixes: 11582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5730204559867904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f9728feaf90eb7493f8872356f54150efafb59cc) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 5253cc3f13..13755e1e6e 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1463,6 +1463,11 @@ static int decode_header(EXRContext *s, AVFrame *frame) } s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; + } else if (channel_index >= 0) { + av_log(s->avctx, AV_LOG_ERROR, + "Multiple channels with index %d.\n", channel_index); + ret = AVERROR_INVALIDDATA; + goto fail; } s->channels = av_realloc(s->channels, From 9239d58b3653c876004b49995a8b698327f7cf87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Dec 2018 21:30:54 +0100 Subject: [PATCH 0078/1383] avcodec/exr: set layer_match in all branches Otherwise it is left to the value from the previous iteration Signed-off-by: Michael Niedermayer (cherry picked from commit 433d2ae4353f3c513a45780845d9d8ca252cd4dc) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 13755e1e6e..0f8b0fda9f 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1389,6 +1389,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (*ch_gb.buffer == '.') ch_gb.buffer++; /* skip dot if not given */ } else { + layer_match = 0; av_log(s->avctx, AV_LOG_INFO, "Channel doesn't match layer : %s.\n", ch_gb.buffer); } From c694273feb813263122f121eae7c3c881cbf13ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Jan 2019 20:00:38 +0100 Subject: [PATCH 0079/1383] avcodec/h264_slice: Fix integer overflow in implicit_weight_table() Fixes: signed integer overflow: 2 * 2132811760 cannot be represented in type 'int' Fixes: 11156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6237685933408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 77e56d74f972537aecd5bc2c5c4111e1d6ad0963) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 2e158745a0..1c9a270fb6 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -678,7 +678,7 @@ static void implicit_weight_table(const H264Context *h, H264SliceContext *sl, in cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1]; } if (sl->ref_count[0] == 1 && sl->ref_count[1] == 1 && !FRAME_MBAFF(h) && - sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2 * cur_poc) { + sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2LL * cur_poc) { sl->pwt.use_weight = 0; sl->pwt.use_weight_chroma = 0; return; From 792df36f42ab2f5c61281f428bb3a2af2cfef70b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Jan 2019 19:51:04 +0100 Subject: [PATCH 0080/1383] avcodec/gdv: Optimize and factorize scaling loops Fixes: Timeout Fixes: 11067/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5686623711264768 Before change: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5686623711264768 in 34386 ms After change: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5686623711264768 in 24327 ms Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e23736aefa83859fdb6faae4fd14c169f1a41ab) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 87 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 64 insertions(+), 23 deletions(-) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index 538bc38e3e..a29de28aa1 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -72,9 +72,64 @@ static av_cold int gdv_decode_init(AVCodecContext *avctx) return 0; } +static void scaleup(uint8_t *dst, const uint8_t *src, int w) +{ + int x; + for (x = 0; x < w - 7; x+=8) { + dst[x + 0] = + dst[x + 1] = src[(x>>1) + 0]; + dst[x + 2] = + dst[x + 3] = src[(x>>1) + 1]; + dst[x + 4] = + dst[x + 5] = src[(x>>1) + 2]; + dst[x + 6] = + dst[x + 7] = src[(x>>1) + 3]; + } + for (; x < w; x++) { + dst[x] = src[(x>>1)]; + } +} + +static void scaleup_rev(uint8_t *dst, const uint8_t *src, int w) +{ + int x; + + for (x = w - 1; (x+1) & 7; x--) { + dst[x] = src[(x>>1)]; + } + for (x -= 7; x >= 0; x -= 8) { + dst[x + 6] = + dst[x + 7] = src[(x>>1) + 3]; + dst[x + 4] = + dst[x + 5] = src[(x>>1) + 2]; + dst[x + 2] = + dst[x + 3] = src[(x>>1) + 1]; + dst[x + 0] = + dst[x + 1] = src[(x>>1) + 0]; + } +} + +static void scaledown(uint8_t *dst, const uint8_t *src, int w) +{ + int x; + for (x = 0; x < w - 7; x+=8) { + dst[x + 0] = src[2*x + 0]; + dst[x + 1] = src[2*x + 2]; + dst[x + 2] = src[2*x + 4]; + dst[x + 3] = src[2*x + 6]; + dst[x + 4] = src[2*x + 8]; + dst[x + 5] = src[2*x +10]; + dst[x + 6] = src[2*x +12]; + dst[x + 7] = src[2*x +14]; + } + for (; x < w; x++) { + dst[x] = src[2*x]; + } +} + static void rescale(GDVContext *gdv, uint8_t *dst, int w, int h, int scale_v, int scale_h) { - int j, y, x; + int j, y; if ((gdv->scale_v == scale_v) && (gdv->scale_h == scale_h)) { return; @@ -86,14 +141,7 @@ static void rescale(GDVContext *gdv, uint8_t *dst, int w, int h, int scale_v, in uint8_t *dst1 = dst + PREAMBLE_SIZE + y * w; uint8_t *src1 = dst + PREAMBLE_SIZE + (y>>!!gdv->scale_h) * (w>>1); - for (x = w - 1; x >= 0 && !(x&1); x--) { - dst1[x] = src1[(x>>1)]; - } - - for (x--; x >= 0; x-=2) { - dst1[x ] = - dst1[x+1] = src1[(x>>1)]; - } + scaleup_rev(dst1, src1, w); } } else if (gdv->scale_h) { for (j = 0; j < h; j++) { @@ -108,9 +156,7 @@ static void rescale(GDVContext *gdv, uint8_t *dst, int w, int h, int scale_v, in for (y = 0; y < (h>>1); y++) { uint8_t *dst1 = dst + PREAMBLE_SIZE + y * (w>>1); uint8_t *src1 = dst + PREAMBLE_SIZE + y*2 * w; - for (x = 0; x < (w>>1); x++) { - dst1[x] = src1[x*2]; - } + scaledown(dst1, src1, w>>1); } } else if (scale_h) { for (y = 0; y < (h>>1); y++) { @@ -121,9 +167,7 @@ static void rescale(GDVContext *gdv, uint8_t *dst, int w, int h, int scale_v, in } else if (scale_v) { for (y = 0; y < h; y++) { uint8_t *dst1 = dst + PREAMBLE_SIZE + y * w; - for (x = 0; x < (w>>1); x++) { - dst1[x] = dst1[x*2]; - } + scaledown(dst1, dst1, w>>1); } } @@ -481,19 +525,16 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data, } } else { int sidx = PREAMBLE_SIZE, didx = 0; - int y, x; + int y; for (y = 0; y < avctx->height; y++) { if (!gdv->scale_v) { memcpy(dst + didx, gdv->frame + sidx, avctx->width); } else { - for (x = 0; x < avctx->width - 1; x+=2) { - dst[didx + x ] = - dst[didx + x + 1] = gdv->frame[sidx + (x>>1)]; - } - for (; x < avctx->width; x++) { - dst[didx + x] = gdv->frame[sidx + (x>>1)]; - } + uint8_t *dst2 = dst + didx; + uint8_t *src2 = gdv->frame + sidx; + + scaleup(dst2, src2, avctx->width); } if (!gdv->scale_h || ((y & 1) == 1)) { sidx += !gdv->scale_v ? avctx->width : avctx->width/2; From 3a52cae2c70a8409c96f4df63dff85dd5460d8bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Jan 2019 02:46:29 +0100 Subject: [PATCH 0081/1383] avcodec/tests/rangecoder: initialize array to avoid valgrind warning Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit c15972f0af7679b466dd4a10a54ab2f04f9372c8) Signed-off-by: Michael Niedermayer --- libavcodec/tests/rangecoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/rangecoder.c b/libavcodec/tests/rangecoder.c index 2da5c0ce33..3a8ba6759c 100644 --- a/libavcodec/tests/rangecoder.c +++ b/libavcodec/tests/rangecoder.c @@ -29,7 +29,7 @@ int main(void) { RangeCoder c; - uint8_t b[9 * SIZE]; + uint8_t b[9 * SIZE] = {0}; uint8_t r[9 * SIZE]; int i; uint8_t state[10]; From 29d978c91e8e675e025552eeab16a38c051cb3f1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 1 Jan 2019 15:26:31 -0300 Subject: [PATCH 0082/1383] configure: bump year Happy new year! (cherry picked from commit 3209d7b3930bab554bf7d97d8041d9d0b88423a8) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index a70c5f9e9e..7310b962f2 100755 --- a/configure +++ b/configure @@ -7243,7 +7243,7 @@ cat > $TMPH < Date: Thu, 17 Jan 2019 22:35:10 +0100 Subject: [PATCH 0083/1383] avutil/mem: Optimize fill32() by unrolling and using 64bit Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 12b1338be376a3e5fb606d9fe41b58dc4a9e62c7) Signed-off-by: Michael Niedermayer --- libavutil/mem.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 6149755a6b..88fe09b179 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -399,6 +399,18 @@ static void fill32(uint8_t *dst, int len) { uint32_t v = AV_RN32(dst - 4); +#if HAVE_FAST_64BIT + uint64_t v2= v + ((uint64_t)v<<32); + while (len >= 32) { + AV_WN64(dst , v2); + AV_WN64(dst+ 8, v2); + AV_WN64(dst+16, v2); + AV_WN64(dst+24, v2); + dst += 32; + len -= 32; + } +#endif + while (len >= 4) { AV_WN32(dst, v); dst += 4; From a8b5990f4594d511a854f7d9920573d33c85253a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Dec 2018 23:15:20 +0100 Subject: [PATCH 0084/1383] avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr() This is strongly based on code by Marton Balint, and depends on the previous commit Fixes: Timeout Fixes: 11502/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 Before: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 11209 ms After: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 4104 ms Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f64c0dffa13e6263de3fdff0058ab2fdb03ac1d6) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 4938a7ef67..afc73e2def 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -501,7 +501,6 @@ int av_image_copy_to_buffer(uint8_t *dst, int dst_size, static void memset_bytes(uint8_t *dst, size_t dst_size, uint8_t *clear, size_t clear_size) { - size_t pos = 0; int same = 1; int i; @@ -521,28 +520,12 @@ static void memset_bytes(uint8_t *dst, size_t dst_size, uint8_t *clear, if (clear_size == 1) { memset(dst, clear[0], dst_size); dst_size = 0; - } else if (clear_size == 2) { - uint16_t val = AV_RN16(clear); - for (; dst_size >= 2; dst_size -= 2) { - AV_WN16(dst, val); - dst += 2; - } - } else if (clear_size == 4) { - uint32_t val = AV_RN32(clear); - for (; dst_size >= 4; dst_size -= 4) { - AV_WN32(dst, val); - dst += 4; - } - } else if (clear_size == 8) { - uint32_t val = AV_RN64(clear); - for (; dst_size >= 8; dst_size -= 8) { - AV_WN64(dst, val); - dst += 8; - } + } else { + if (clear_size > dst_size) + clear_size = dst_size; + memcpy(dst, clear, clear_size); + av_memcpy_backptr(dst + clear_size, clear_size, dst_size - clear_size); } - - for (; dst_size; dst_size--) - *dst++ = clear[pos++ % clear_size]; } // Maximum size in bytes of a plane element (usually a pixel, or multiple pixels From 552733d48ba591eb8d6821da428ee2ef42429e49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Jan 2019 19:37:18 +0100 Subject: [PATCH 0085/1383] avcodec/tiff: Check for 12bit gray fax Fixes: Assertion failure Fixes: 11898/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5759794191794176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec28a85107cccece4dce17c0ccb633defe2d6e98) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index d5b88923fd..bf17d9fe60 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -571,7 +571,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid if (s->compr == TIFF_CCITT_RLE || s->compr == TIFF_G3 || s->compr == TIFF_G4) { - if (is_yuv) + if (is_yuv || p->format == AV_PIX_FMT_GRAY12) return AVERROR_INVALIDDATA; return tiff_unpack_fax(s, dst, stride, src, size, width, lines); From 31fa50f3d97ca4c722e2b35af7b66a4b44a8f46a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Jan 2019 22:36:00 +0100 Subject: [PATCH 0086/1383] avcodec/prosumer: Error out if decompress() stops reading data if 0 is encountered in the LUT then decompress() will continue to output 0 bytes but never read more data. Without a specification it is impossible to say if this is invalid or a feature. None of the valid prosumer files tested cause a 0 to be read, so it is likely not a intended feature. Fixes: Timeout Fixes: 11266/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5681827423977472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62f8d27ef1995354d6529ea0d9428501d7f914b4) Signed-off-by: Michael Niedermayer --- libavcodec/prosumer.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c index 505de71980..93f0c84d3a 100644 --- a/libavcodec/prosumer.c +++ b/libavcodec/prosumer.c @@ -99,6 +99,8 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui } idx = a >> 20; b = lut[2 * idx]; + if (!b) + return AVERROR_INVALIDDATA; continue; } idx = 2; @@ -159,8 +161,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, memset(s->decbuffer, 0, s->size); bytestream2_init(&s->gb, avpkt->data, avpkt->size); bytestream2_init_writer(&s->pb, s->decbuffer, s->size); - - decompress(&s->gb, AV_RL32(avpkt->data + 28) >> 1, &s->pb, s->lut); + ret = decompress(&s->gb, AV_RL32(avpkt->data + 28) >> 1, &s->pb, s->lut); + if (ret < 0) + return ret; vertical_predict((uint32_t *)s->decbuffer, 0, (uint32_t *)s->initial_line, s->stride, 1); vertical_predict((uint32_t *)s->decbuffer, s->stride, (uint32_t *)s->decbuffer, s->stride, avctx->height - 1); From bcfd82b0be0a389497d641b330e29923ce05e5fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jan 2019 08:34:57 +0100 Subject: [PATCH 0087/1383] Update for 4.1.1 Signed-off-by: Michael Niedermayer --- Changelog | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 68 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 97ea8e12c3..0919015174 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,72 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.1: +- avcodec/prosumer: Error out if decompress() stops reading data +- avcodec/tiff: Check for 12bit gray fax +- avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr() +- avutil/mem: Optimize fill32() by unrolling and using 64bit +- configure: bump year +- avcodec/tests/rangecoder: initialize array to avoid valgrind warning +- avcodec/gdv: Optimize and factorize scaling loops +- avcodec/h264_slice: Fix integer overflow in implicit_weight_table() +- avcodec/exr: set layer_match in all branches +- avcodec/exr: Check for duplicate channel index +- avfilter/vf_tonemap_opencl: Make static tables const +- doc/indevs: fix upto typo +- avcodec/4xm: Fix returned error codes +- avformat/libopenmpt: Fix successfull typo +- avcodec/v4l2_m2m: fix cant typo +- avcodec/mjpegbdec: Fix some misplaced {} and spaces +- avformat/wvdec: detect and error out on WavPack DSD files +- avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa +- avcodec/fic: Fail on invalid slice size/off +- avcodec/ilbcdec: fix integer overflow in energy +- postproc/postprocess_template: remove FF_REG_sp from clobber list +- postproc/postprocess_template: Avoid using %4 for the threshold compare +- libavformat/mov: Fix NULL-dereference read for some encrypted content. +- avcodec/rpza: Check that there is enough data for all the blocks +- avcodec/rpza: Move frame allocation to a later point +- avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID +- avformat/mpegts: Fix side data type for stream id +- tests/fate/filter-video: increase fuzz for fate-filter-refcmp-psnr-rgb +- avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan() +- lavf/id3v2: fail read_apic on EOF reading mimetype +- avcodec/rasc: Check that the number of moves is less than or equal the number of pixels +- avformat/nutenc: Document trailer index assert better +- lavf/mov: ensure only one tkhd per trak +- avcodec/clearvideo: Check remaining input bits in P macro block loop +- avcodec/rasc: Check input space before reading chunk +- avcodec/dxv: Check that there is enough data to decompress +- avcodec/ppc/hevcdsp: Fix build failures with powerpc-linux-gnu-gcc-4.8 with --disable-optimizations +- avcodec/msvideo1: Check for too small dimensions +- avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size +- avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size +- avcodec/truemotion2rt: Fix rounding in input size check +- avcodec/diracdec: Check component quant +- avcodec/tiff: Limit filtering to decoded data +- avcodec/truemotion2: fix integer overflows in tm2_low_chroma() +- avcodec/pngdec: Check compression method +- fftools/ffmpeg: Repair reinit_filter feature +- avcodec/shorten: Fix integer overflow with offset +- avcodec/imm4: Use ff_set_dimensions() +- h264_redundant_pps: Fix logging context +- avfilter/af_asetnsamples: fix last frame props +- cbs_av1: Fix reading of overlong uvlc codes +- avcodec/cbs_av1: fix parsing delta_frame_id_minus1 +- avfilter/vf_overlay: fix filtering with negative y +- avformat/movenc: get number of written bytes from bitstream writer +- avformat/movenc: fix size calculation in mov_write_eac3_tag() +- avfilter/vf_overlay: fix crash with negative y +- avcodec/mpeg_er: fix clearing chroma blocks for 422 and 444 +- avfilter/af_afade: fix duration maximum +- avfilter/vf_fade: fix start/duration max value +- avcodec/cbs_av1: fix parsing signed integer values +- avcodec/cbs_av1: fix storage size for segmentation_params feature_value fields +- configure: Add missing xlib dependency for VAAPI X11 code +- avcodec/hevcdec: fix non-ref frame judgement + + version 4.1: - deblock filter - tmix filter diff --git a/RELEASE b/RELEASE index 7d5c902e77..627a3f43a6 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1 +4.1.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 452057c46b..3fcdbd74d1 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1 +PROJECT_NUMBER = 4.1.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 62f5325ca30a3cc27c625bb468d65e2e4bfd7996 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Jan 2019 00:02:25 +0100 Subject: [PATCH 0088/1383] avcodec/ilbcdec: Fix integer overflow in construct_vector() webrtc contains explicit code to ignore the undefined behavior (RTC_NO_SANITIZE / OverflowingAddS32S32ToS32()) Probably fixes: Integer overflow (unreproducable here) Probably fixes: 12215/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-5767142427852800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c95d0fb23917c35886f3b62daa05af20d2700a1e) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 50012c0231..643547f4ab 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -745,7 +745,7 @@ static void construct_vector ( for (j = 0; j < veclen; j++) { a32 = SPL_MUL_16_16(*gainPtr++, cbvec0[j]); a32 += SPL_MUL_16_16(*gainPtr++, cbvec1[j]); - a32 += SPL_MUL_16_16(*gainPtr, cbvec2[j]); + a32 += (unsigned)SPL_MUL_16_16(*gainPtr, cbvec2[j]); gainPtr -= 2; decvector[j] = (a32 + 8192) >> 14; } From d8b8b27dc3126c9c18d22b81815076c43ebcac7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Jan 2019 00:09:30 +0100 Subject: [PATCH 0089/1383] avcodec/ilbcdec: Fix undefined integer overflow lsf2poly() The addition is moved up into the context where the variable is unsigned avoiding the undefined behavior Fixes: runtime error: signed integer overflow: 2147481972 + 4096 cannot be represented in type 'int' Fixes: 12444/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-5755706244857856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4523cc5e75c8ecfba8975d16e96c29f9bf70973f) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index 643547f4ab..bba83a5896 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -408,11 +408,11 @@ static void lsf2poly(int16_t *a, int16_t *lsf) a[0] = 4096; for (i = 5; i > 0; i--) { - tmp = f[0][6 - i] + (unsigned)f[1][6 - i]; - a[6 - i] = (tmp + 4096) >> 13; + tmp = f[0][6 - i] + (unsigned)f[1][6 - i] + 4096; + a[6 - i] = tmp >> 13; - tmp = f[0][6 - i] - (unsigned)f[1][6 - i]; - a[5 + i] = (tmp + 4096) >> 13; + tmp = f[0][6 - i] - (unsigned)f[1][6 - i] + 4096; + a[5 + i] = tmp >> 13; } } From f5c9753bfdab20ad54fbdbbe85b52c82d0bb3c4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Jan 2019 00:30:53 +0100 Subject: [PATCH 0090/1383] avcodec/fic: Check that there is input left in fic_decode_block() Fixes: Timeout Fixes: 12450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5661984622641152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db1c4acd02af4de5dfbea6012c296470679aa7a6) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 3e36346358..418dff1934 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -139,6 +139,9 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb, { int i, num_coeff; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; + /* Is it a skip block? */ if (get_bits1(gb)) { *is_p = 1; From 0f1332309aff3924fcd740cf36c61f1f9e6f026e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Jan 2019 00:16:02 +0100 Subject: [PATCH 0091/1383] avcodec/rasc: Check uncompressed dlta size We assume that if the compressed size is bigger than if each byte is encoded in a single raw packet that the data is invalid. Fixes: Out of memory Fixes: 12208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5648916473708544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4079d5174c20eddbc99eef6ebe98d411f8014c5) Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 1b607ac31e..6e32c1540e 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -353,6 +353,8 @@ static int decode_dlta(AVCodecContext *avctx, compression = bytestream2_get_le32(gb); if (compression == 1) { + if (w * h * s->bpp * 3 < uncompressed_size) + return AVERROR_INVALIDDATA; ret = decode_zlib(avctx, avpkt, size, uncompressed_size); if (ret < 0) return ret; From b482e94e59b15efde07326619c3cdab5826d1320 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Jan 2019 00:19:14 +0100 Subject: [PATCH 0092/1383] avcodec/rasc: Move ff_get_buffer() after frame checks If the frame1/2 checks fail this avoids doing the allocation of a new frame Signed-off-by: Michael Niedermayer (cherry picked from commit 9f4af97aff899571663342fbe68df8caee30097f) Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 6e32c1540e..21fc43f325 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -723,12 +723,12 @@ static int decode_frame(AVCodecContext *avctx, return ret; } - if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0) - return ret; - if (!s->frame2->data[0] || !s->frame1->data[0]) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, s->frame, 0)) < 0) + return ret; + copy_plane(avctx, s->frame2, s->frame); if (avctx->pix_fmt == AV_PIX_FMT_PAL8) memcpy(s->frame->data[1], s->frame2->data[1], 1024); From e75a73d6294807a8d4d6022280cd6e25dac32990 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jan 2019 00:53:22 +0100 Subject: [PATCH 0093/1383] avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() Fixes: Infinite loop Found-by: Michael Hanselmann Reviewed-by: Michael Hanselmann Signed-off-by: Michael Niedermayer (cherry picked from commit 0b50f27635f684ec0526e9975c9979f35bbf486b) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index ceb770a3a4..82c6c12af5 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1663,7 +1663,7 @@ int ff_rtsp_connect(AVFormatContext *s) char tcpname[1024], cmd[2048], auth[128]; const char *lower_rtsp_proto = "tcp"; int port, err, tcp_fd; - RTSPMessageHeader reply1 = {0}, *reply = &reply1; + RTSPMessageHeader reply1, *reply = &reply1; int lower_transport_mask = 0; int default_port = RTSP_DEFAULT_PORT; char real_challenge[64] = ""; @@ -1692,6 +1692,7 @@ int ff_rtsp_connect(AVFormatContext *s) rt->lower_transport_mask &= (1 << RTSP_LOWER_TRANSPORT_NB) - 1; redirect: + memset(&reply1, 0, sizeof(reply1)); /* extract hostname and port */ av_url_split(proto, sizeof(proto), auth, sizeof(auth), host, sizeof(host), &port, path, sizeof(path), s->url); From 953f97979fc292abb3fd166c90bf8fbbf8ef5a73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Jan 2019 21:30:04 +0100 Subject: [PATCH 0094/1383] avformat/rtsp: Check number of streams in sdp_parse_line() Fixes: OOM Found-by: Michael Hanselmann Reviewed-by: Michael Hanselmann Signed-off-by: Michael Niedermayer (cherry picked from commit 497c9b0cce559d43607bbbd679fe42f1d7e9040e) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 82c6c12af5..975637cf54 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -454,7 +454,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, } else if (!strcmp(st_type, "text")) { codec_type = AVMEDIA_TYPE_SUBTITLE; } - if (codec_type == AVMEDIA_TYPE_UNKNOWN || !(rt->media_type_mask & (1 << codec_type))) { + if (codec_type == AVMEDIA_TYPE_UNKNOWN || + !(rt->media_type_mask & (1 << codec_type)) || + rt->nb_rtsp_streams >= s->max_streams + ) { s1->skip_media = 1; return; } From 7816497ba081003287557096eea830327281f15d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2019 01:06:01 +0100 Subject: [PATCH 0095/1383] avcodec/pgssubdec: Check for duplicate display segments In such a duplication the previous gets overwritten and leaks Fixes: memleak Fixes: 12510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5694439226343424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e35c3d887b3e374c6a091342206a42da48785d70) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index b897d72aab..8c10f6d573 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -676,6 +676,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, */ break; case DISPLAY_SEGMENT: + if (*data_size) { + av_log(avctx, AV_LOG_ERROR, "Duplicate display segment\n"); + ret = AVERROR_INVALIDDATA; + break; + } ret = display_end_segment(avctx, data, buf, segment_length); if (ret >= 0) *data_size = ret; From 31a1d2aa83096c3a07bd2f943bb9be6bda411147 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Feb 2019 00:51:42 +0100 Subject: [PATCH 0096/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Changelog b/Changelog index 0919015174..acf01244ec 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,14 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.1: +- avcodec/pgssubdec: Check for duplicate display segments +- avformat/rtsp: Check number of streams in sdp_parse_line() +- avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() +- avcodec/rasc: Move ff_get_buffer() after frame checks +- avcodec/rasc: Check uncompressed dlta size +- avcodec/fic: Check that there is input left in fic_decode_block() +- avcodec/ilbcdec: Fix undefined integer overflow lsf2poly() +- avcodec/ilbcdec: Fix integer overflow in construct_vector() - avcodec/prosumer: Error out if decompress() stops reading data - avcodec/tiff: Check for 12bit gray fax - avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr() From bcc71f30adc9de8b02f0b54636f02f20f71ef065 Mon Sep 17 00:00:00 2001 From: chcunningham Date: Wed, 6 Feb 2019 16:12:51 -0800 Subject: [PATCH 0097/1383] avformat/mov.c: require tfhd to begin parsing trun Detecting missing tfhd avoids re-using tfhd track info from the previous moof. For files with multiple tracks, this may make a mess of the avindex and fragindex, which can later trigger av_assert0 in mov_read_trun(). Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ea87e5d9ea075d5b3c0f4f8c6c48e514b454cbe) Signed-off-by: Michael Niedermayer --- libavformat/isom.h | 1 + libavformat/mov.c | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/libavformat/isom.h b/libavformat/isom.h index e629663949..69452cae8e 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -87,6 +87,7 @@ typedef struct MOVAtom { struct MOVParseTableEntry; typedef struct MOVFragment { + int found_tfhd; unsigned track_id; uint64_t base_data_offset; uint64_t moof_offset; diff --git a/libavformat/mov.c b/libavformat/mov.c index ff7fdd48e2..4b67044219 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1370,6 +1370,9 @@ static void fix_frag_index_entries(MOVFragmentIndex *frag_index, int index, static int mov_read_moof(MOVContext *c, AVIOContext *pb, MOVAtom atom) { + // Set by mov_read_tfhd(). mov_read_trun() will reject files missing tfhd. + c->fragment.found_tfhd = 0; + if (!c->has_looked_for_mfra && c->use_mfra_for > 0) { c->has_looked_for_mfra = 1; if (pb->seekable & AVIO_SEEKABLE_NORMAL) { @@ -4549,6 +4552,8 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVTrackExt *trex = NULL; int flags, track_id, i; + c->fragment.found_tfhd = 1; + avio_r8(pb); /* version */ flags = avio_rb24(pb); @@ -4684,6 +4689,11 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) AVIndexEntry *new_entries; MOVFragmentStreamInfo * frag_stream_info; + if (!frag->found_tfhd) { + av_log(c->fc, AV_LOG_ERROR, "trun track id unknown, no tfhd was found\n"); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < c->fc->nb_streams; i++) { if (c->fc->streams[i]->id == frag->track_id) { st = c->fc->streams[i]; From 00cdf4e4e51750daa1e99ecbd49d6ee5f98dac51 Mon Sep 17 00:00:00 2001 From: chcunningham Date: Thu, 7 Feb 2019 14:58:17 -0800 Subject: [PATCH 0098/1383] avformat/mov: validate chunk_count vs stsc_data Bad content may contain stsc boxes with a first_chunk index that exceeds stco.entries (chunk_count). This ammends the existing check to include cases where chunk_count == 0. It also patches up the case when stsc refers to unknown chunks, but stts has no samples (so we can simply ignore stsc). Signed-off-by: Michael Niedermayer (cherry picked from commit 1c15449ca9a5bfa387868ac55628397273da761f) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4b67044219..38c1d9b7eb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2696,8 +2696,11 @@ static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, unsigned int in if (mov_stsc_index_valid(index, sc->stsc_count)) chunk_count = sc->stsc_data[index + 1].first - sc->stsc_data[index].first; - else + else { + // Validation for stsc / stco happens earlier in mov_read_stsc + mov_read_trak. + av_assert0(sc->stsc_data[index].first <= sc->chunk_count); chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1); + } return sc->stsc_data[index].count * (int64_t)chunk_count; } @@ -4175,6 +4178,13 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->trak_index = -1; + // Here stsc refers to a chunk not described in stco. This is technically invalid, + // but we can overlook it (clearing stsc) whenever stts_count == 0 (indicating no samples). + if (!sc->chunk_count && !sc->stts_count && sc->stsc_count) { + sc->stsc_count = 0; + av_freep(&sc->stsc_data); + } + /* sanity checks */ if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || (!sc->sample_size && !sc->sample_count))) || @@ -4183,7 +4193,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } - if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; From 74700e50bf7444930bfc12935bd3e17cd5f766c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Feb 2019 18:20:02 +0100 Subject: [PATCH 0099/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index acf01244ec..809d2967a2 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.1: +- avformat/mov: validate chunk_count vs stsc_data +- avformat/mov: require tfhd to begin parsing trun - avcodec/pgssubdec: Check for duplicate display segments - avformat/rtsp: Check number of streams in sdp_parse_line() - avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() From 33c8009773500fe969af9044a81ca6b18a17a83d Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 10 Feb 2019 17:41:38 -0300 Subject: [PATCH 0100/1383] avcodec/cbs_av1: don't call cbs_av1_read_trailing_bits() when no bits remain in the OBU Reviewed-by: jkqxz Signed-off-by: James Almer (cherry picked from commit 3e8b8b6b509c8c37defd3a8c32883fa54bc00de8) --- libavcodec/cbs_av1.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 535139e703..4513287ef9 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -1071,8 +1071,12 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, if (obu->obu_size > 0 && obu->header.obu_type != AV1_OBU_TILE_GROUP && obu->header.obu_type != AV1_OBU_FRAME) { - err = cbs_av1_read_trailing_bits(ctx, &gbc, - obu->obu_size * 8 + start_pos - end_pos); + int nb_bits = obu->obu_size * 8 + start_pos - end_pos; + + if (nb_bits <= 0) + return AVERROR_INVALIDDATA; + + err = cbs_av1_read_trailing_bits(ctx, &gbc, nb_bits); if (err < 0) return err; } From 110eff79caf41a1c0ba9f35f5d46d91f8097be5f Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sun, 27 Jan 2019 19:48:12 +0100 Subject: [PATCH 0101/1383] avformat/async: fix assertion condition when draining buffer Fixes some random assertion failures with ffprobe -show_packets async:samples/ffmpeg-bugs/trac/ticket6132/Samsung_HDR_-_Chasing_the_Light.ts > /dev/null Signed-off-by: Marton Balint (cherry picked from commit 4b46d1ee463f6bb2d2be967d418d275a44fe2a9c) --- libavformat/async.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/async.c b/libavformat/async.c index 54dbd2312a..4e295b5e10 100644 --- a/libavformat/async.c +++ b/libavformat/async.c @@ -142,7 +142,7 @@ static int ring_size_of_read_back(RingBuffer *ring) static int ring_drain(RingBuffer *ring, int offset) { av_assert2(offset >= -ring_size_of_read_back(ring)); - av_assert2(offset <= -ring_size(ring)); + av_assert2(offset <= ring_size(ring)); ring->read_pos += offset; return 0; } From 53f3f5233f38aef0b544ebfbb2c450134aae0639 Mon Sep 17 00:00:00 2001 From: Charles Liu Date: Sun, 3 Feb 2019 23:09:06 +0800 Subject: [PATCH 0102/1383] avformat/mov: fix hang while seek on a kind of fragmented mp4 Binary searching would hang if the fragment items do NOT have timestamp for the specified stream. For example, a fmp4 consists of separated 'moof' boxes for each track, and separated 'sidx' for each segment, but no 'mfra' box. Then every fragment item only have the timestamp for one of its tracks. Example: ffmpeg -f lavfi -i testsrc -f lavfi -i sine -movflags dash+frag_keyframe+skip_trailer+separate_moof -t 1 out.mp4 ffmpeg -ss 0.5 -i out.mp4 -f null none Also fixes the hang in ticket #7572, but not the reason for having AV_NOPTS_VALUE timestamps there. Signed-off-by: Charles Liu Signed-off-by: Marton Balint (cherry picked from commit aa25198f1b925a464bdfa83a98476f08d26c9209) --- libavformat/mov.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 38c1d9b7eb..3491d680db 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1270,7 +1270,7 @@ static int64_t get_frag_time(MOVFragmentIndex *frag_index, static int search_frag_timestamp(MOVFragmentIndex *frag_index, AVStream *st, int64_t timestamp) { - int a, b, m; + int a, b, m, m0; int64_t frag_time; int id = -1; @@ -1286,15 +1286,18 @@ static int search_frag_timestamp(MOVFragmentIndex *frag_index, b = frag_index->nb_items; while (b - a > 1) { - m = (a + b) >> 1; - frag_time = get_frag_time(frag_index, m, id); - if (frag_time != AV_NOPTS_VALUE) { - if (frag_time >= timestamp) - b = m; - if (frag_time <= timestamp) - a = m; - } + m0 = m = (a + b) >> 1; + + while (m < b && + (frag_time = get_frag_time(frag_index, m, id)) == AV_NOPTS_VALUE) + m++; + + if (m < b && frag_time <= timestamp) + a = m; + else + b = m0; } + return a; } From 7e204f72607c95a7d7f791e085ba48882e778a9b Mon Sep 17 00:00:00 2001 From: Alex Mogurenko Date: Fri, 28 Dec 2018 22:30:08 +0200 Subject: [PATCH 0103/1383] avcodec/prores_ks: Fix luma quantization if q >= MAX_STORED_Q The problem occurs in slice quant estimation and slice encoding: If the slice quant is larger than MAX_STORED_Q we don't use pre-calculated quant matrices, but generate a new one, but both qmat and qmat_chroma both point to the same table, so the luma table ends up having chroma table values. Add custom_chroma_q the same way as custom_q. Signed-off-by: Derek Buitenhuis (cherry picked from commit e4788ae31b2e9af45d11f4bf4498c075dcc25a6c) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 81f3865ea6..123f6c1f5a 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -221,6 +221,7 @@ typedef struct ProresThreadData { DECLARE_ALIGNED(16, int16_t, blocks)[MAX_PLANES][64 * 4 * MAX_MBS_PER_SLICE]; DECLARE_ALIGNED(16, uint16_t, emu_buf)[16 * 16]; int16_t custom_q[64]; + int16_t custom_chroma_q[64]; struct TrellisNode *nodes; } ProresThreadData; @@ -231,6 +232,7 @@ typedef struct ProresContext { int16_t quants[MAX_STORED_Q][64]; int16_t quants_chroma[MAX_STORED_Q][64]; int16_t custom_q[64]; + int16_t custom_chroma_q[64]; const uint8_t *quant_mat; const uint8_t *quant_chroma_mat; const uint8_t *scantable; @@ -573,7 +575,7 @@ static int encode_slice(AVCodecContext *avctx, const AVFrame *pic, qmat_chroma = ctx->quants_chroma[quant]; } else { qmat = ctx->custom_q; - qmat_chroma = ctx->custom_q; + qmat_chroma = ctx->custom_chroma_q; for (i = 0; i < 64; i++) { qmat[i] = ctx->quant_mat[i] * quant; qmat_chroma[i] = ctx->quant_chroma_mat[i] * quant; @@ -901,7 +903,7 @@ static int find_slice_quant(AVCodecContext *avctx, qmat_chroma = ctx->quants_chroma[q]; } else { qmat = td->custom_q; - qmat_chroma = td->custom_q; + qmat_chroma = td->custom_chroma_q; for (i = 0; i < 64; i++) { qmat[i] = ctx->quant_mat[i] * q; qmat_chroma[i] = ctx->quant_chroma_mat[i] * q; From 1a82246caed8496aa932a668dce6139d220f68ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Feb 2019 15:13:03 +0100 Subject: [PATCH 0104/1383] avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c() Fixes: 1377/clusterfuzz-testcase-minimized-5487049807233024 Fixes: assertion failure in sbr_sum_square_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 4cde7e62dbaa63eda173e8d24a97d273890f282c) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 57d98da979..91fa664c08 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -34,32 +34,36 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n) { SoftFloat ret; - uint64_t accu, round; + uint64_t accu = 0, round; uint64_t accu0 = 0, accu1 = 0, accu2 = 0, accu3 = 0; int i, nz, nz0; unsigned u; + nz = 0; for (i = 0; i < n; i += 2) { - // Larger values are inavlid and could cause overflows of accu. - av_assert2(FFABS(x[i + 0][0]) >> 30 == 0); accu0 += (int64_t)x[i + 0][0] * x[i + 0][0]; - av_assert2(FFABS(x[i + 0][1]) >> 30 == 0); accu1 += (int64_t)x[i + 0][1] * x[i + 0][1]; - av_assert2(FFABS(x[i + 1][0]) >> 30 == 0); accu2 += (int64_t)x[i + 1][0] * x[i + 1][0]; - av_assert2(FFABS(x[i + 1][1]) >> 30 == 0); accu3 += (int64_t)x[i + 1][1] * x[i + 1][1]; + if ((accu0|accu1|accu2|accu3) > UINT64_MAX - INT32_MIN*(int64_t)INT32_MIN || i+2>=n) { + accu0 >>= nz; + accu1 >>= nz; + accu2 >>= nz; + accu3 >>= nz; + while ((accu0|accu1|accu2|accu3) > (UINT64_MAX - accu) >> 2) { + accu0 >>= 1; + accu1 >>= 1; + accu2 >>= 1; + accu3 >>= 1; + accu >>= 1; + nz ++; + } + accu += accu0 + accu1 + accu2 + accu3; + accu0 = accu1 = accu2 = accu3 = 0; + } } - nz0 = 15; - while ((accu0|accu1|accu2|accu3) >> 62) { - accu0 >>= 1; - accu1 >>= 1; - accu2 >>= 1; - accu3 >>= 1; - nz0 --; - } - accu = accu0 + accu1 + accu2 + accu3; + nz0 = 15 - nz; u = accu >> 32; if (u) { From d25f388584a36b709c780b4bf91de2cabfe6137f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Feb 2019 23:28:35 +0100 Subject: [PATCH 0105/1383] avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream Fixes: NULL pointer dereference Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5634316373721088 Reported-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit b0d8b7cb8e86367178ef0c35dcae359d820c3b27) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3491d680db..60309b4869 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5050,7 +5050,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } } - for (i = 0; i < c->fc->nb_streams; i++) { + if (ref_st) for (i = 0; i < c->fc->nb_streams; i++) { st = c->fc->streams[i]; sc = st->priv_data; if (!sc->has_sidx) { From 8066cb3556e77570b72b28ccef9613ea0887d5ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Feb 2019 01:57:09 +0100 Subject: [PATCH 0106/1383] avcodec/mpeg4videodec: Clear interlaced_dct for studio profile Fixes: Out of array access Fixes: 13090/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5408668986638336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 1f686d023b95219db933394a7704ad9aa5f01cbb) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index f44ee76bd4..ecd028a87c 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -3057,6 +3057,7 @@ static int decode_studio_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) return 0; s->partitioned_frame = 0; + s->interlaced_dct = 0; s->decode_mb = mpeg4_decode_studio_mb; decode_smpte_tc(ctx, gb); From 4d1fcd734e877b0bcb635664dbc7a0a0ff0627ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Feb 2019 15:29:38 +0100 Subject: [PATCH 0107/1383] avformat/matroskadec: Do not leak queued packets on sync errors Fixes: memleak Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5649187601121280 Reported-by: Chris Cunningham Tested-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit d1afa7284c3feba4debfebf1b9cf8ad67640e34a) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2daa1dba6f..2b42cff9a8 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3541,7 +3541,7 @@ static int matroska_read_packet(AVFormatContext *s, AVPacket *pkt) ret = matroska_resync(matroska, pos); } - return ret; + return 0; } static int matroska_read_seek(AVFormatContext *s, int stream_index, From cc5361ed18ab0f69cfbead7afc88fb81ed4b36ae Mon Sep 17 00:00:00 2001 From: Kevin Backhouse via RT Date: Wed, 6 Feb 2019 11:29:22 +0000 Subject: [PATCH 0108/1383] avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning Fixes: [Semmle Security Reports #19438] Fixes: dos_sscanf1.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 1f00c97bc3475c477f3c468cf2d924d5761d0982) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index fb9f900422..c0cfccfb16 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -74,6 +74,34 @@ struct font_tag { uint32_t color; }; +/* + * Fast code for scanning the rest of a tag. Functionally equivalent to + * this sscanf call: + * + * sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2 + */ +static int scantag(const char* in, char* buffer, int* lenp) { + int len; + + for (len = 0; len < 128; len++) { + const char c = *in++; + switch (c) { + case '\0': + return 0; + case '<': + return 0; + case '>': + buffer[len] = '\0'; + *lenp = len+1; + return 1; + default: + break; + } + buffer[len] = c; + } + return 0; +} + /* * The general politic of the convert is to mask unsupported tags or formatting * errors (but still alert the user/subtitles writer with an error/warning) @@ -155,7 +183,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) len = 0; - if (sscanf(in+tag_close+1, "%127[^<>]>%n", buffer, &len) >= 1 && len > 0) { + if (scantag(in+tag_close+1, buffer, &len) && len > 0) { const int skip = len + tag_close; const char *tagname = buffer; while (*tagname == ' ') { From f7f3937494f6734d27fc3d0081c9c7a9a19614a8 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse via RT Date: Wed, 6 Feb 2019 12:56:01 +0000 Subject: [PATCH 0109/1383] avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces Fixes: [Semmle Security Reports #19439] Fixes: dos_sscanf2.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 894995c41e0795c7a44f81adc4838dedc3932e65) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index c0cfccfb16..d9221ba16b 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -24,6 +24,7 @@ #include "libavutil/common.h" #include "libavutil/parseutils.h" #include "htmlsubtitles.h" +#include static int html_color_parse(void *log_ctx, const char *str) { @@ -44,14 +45,32 @@ static void rstrip_spaces_buf(AVBPrint *buf) buf->str[--buf->len] = 0; } +/* + * Fast code for scanning text enclosed in braces. Functionally + * equivalent to this sscanf call: + * + * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0 + */ +static int scanbraces(const char* in) { + if (strncmp(in, "{\\an", 4) != 0) { + return 0; + } + if (!isdigit(in[4])) { + return 0; + } + if (in[5] != '}') { + return 0; + } + return 1; +} + /* skip all {\xxx} substrings except for {\an%d} and all microdvd like styles such as {Y:xxx} */ static void handle_open_brace(AVBPrint *dst, const char **inp, int *an, int *closing_brace_missing) { - int len = 0; const char *in = *inp; - *an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; + *an += scanbraces(in); if (!*closing_brace_missing) { if ( (*an != 1 && in[1] == '\\') From 11375cd1014766c50fb6f36344096f3714569fb3 Mon Sep 17 00:00:00 2001 From: Wenxiang Qian Date: Wed, 13 Feb 2019 08:47:20 +0100 Subject: [PATCH 0110/1383] avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393 Signed-off-by: Michael Niedermayer (cherry picked from commit a142ffdcaec06fcbf7d4b00dbb0e5ddfb9e3344d) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index e072067480..3adc04ee1f 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -389,7 +389,7 @@ static int ftp_file_size(FTPContext *s) static const int size_codes[] = {213, 0}; snprintf(command, sizeof(command), "SIZE %s\r\n", s->path); - if (ftp_send_command(s, command, size_codes, &res) == 213 && res) { + if (ftp_send_command(s, command, size_codes, &res) == 213 && res && strlen(res) > 4) { s->filesize = strtoll(&res[4], NULL, 10); } else { s->filesize = -1; From ec22b46a4d34e8d01a2bb69335680c2d84fb26b9 Mon Sep 17 00:00:00 2001 From: Wenxiang Qian Date: Wed, 13 Feb 2019 08:54:08 +0100 Subject: [PATCH 0111/1383] avformat/http: Fix Out-of-Bounds access in process_line() Signed-off-by: Michael Niedermayer (cherry picked from commit 85f91ed760a517c0d5fcf692d40a5a9d7efa9476) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/http.c b/libavformat/http.c index 3a35bc7eac..8cd84aa3fb 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -915,7 +915,7 @@ static int process_line(URLContext *h, char *line, int line_count, while (av_isspace(*p)) p++; resource = p; - while (!av_isspace(*p)) + while (*p && !av_isspace(*p)) p++; *(p++) = '\0'; av_log(h, AV_LOG_TRACE, "Requested resource: %s\n", resource); From 339f40f6181849bb9ecbc8ebffd88b2006e60c8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Feb 2019 10:15:04 +0100 Subject: [PATCH 0112/1383] avformat/webmdashenc: Check id in adaption_sets Fixes: out of array access Found-by: Wenxiang Qian Signed-off-by: Michael Niedermayer (cherry picked from commit b687b549aa0fb115861b1343208de8c2630803bf) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 1280d8a763..26b8727304 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -466,6 +466,7 @@ static int parse_adaptation_sets(AVFormatContext *s) continue; else if (state == new_set && !strncmp(p, "id=", 3)) { void *mem = av_realloc(w->as, sizeof(*w->as) * (w->nb_as + 1)); + const char *comma; if (mem == NULL) return AVERROR(ENOMEM); w->as = mem; @@ -474,6 +475,11 @@ static int parse_adaptation_sets(AVFormatContext *s) w->as[w->nb_as - 1].streams = NULL; p += 3; // consume "id=" q = w->as[w->nb_as - 1].id; + comma = strchr(p, ','); + if (!comma || comma - p >= sizeof(w->as[w->nb_as - 1].id)) { + av_log(s, AV_LOG_ERROR, "'id' in 'adaptation_sets' is malformed.\n"); + return AVERROR(EINVAL); + } while (*p != ',') *q++ = *p++; *q = 0; p++; From 9495228df0288e61f9fa8ebb8ba86c14223aa949 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2019 00:05:34 +0100 Subject: [PATCH 0113/1383] avcodec/h264_direct: Fix overflow in POC comparission Fixes: runtime error: signed integer overflow: 2147421862 - -33624063 cannot be represented in type 'int' Fixes: 12885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5733516975800320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5ccf296e74725bc8bdfbfe500d0482daa200b6f3) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index ec9fca0350..a01d823e7a 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -156,8 +156,8 @@ void ff_h264_direct_ref_list_init(const H264Context *const h, H264SliceContext * av_log(h->avctx, AV_LOG_ERROR, "co located POCs unavailable\n"); sl->col_parity = 1; } else - sl->col_parity = (FFABS(col_poc[0] - cur_poc) >= - FFABS(col_poc[1] - cur_poc)); + sl->col_parity = (FFABS(col_poc[0] - (int64_t)cur_poc) >= + FFABS(col_poc[1] - (int64_t)cur_poc)); ref1sidx = sidx = sl->col_parity; // FL -> FL & differ parity From 4e624c89fddd90907609a0cc907040204ad67468 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2019 01:09:43 +0100 Subject: [PATCH 0114/1383] avcodec/jvdec: Check available input space before decode8x8() Fixes: Timeout (78 sec -> 15 millisec) Fixes: 13147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JV_fuzzer-5727107827630080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61523683c5a9bda9aaa7ae24764a3df0401a9877) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index cbe83d3c10..4337d5681e 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -170,6 +170,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, GetBitContext gb; init_get_bits(&gb, buf, 8 * video_size); + if (avctx->height/8 * (avctx->width/8) > 4 * video_size) { + av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n"); + return AVERROR_INVALIDDATA; + } + for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) decode8x8(&gb, From ff491b15444238db26aa7c842d94eb7c1e7bc82c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2019 17:25:14 +0100 Subject: [PATCH 0115/1383] avcodec/zmbv: obtain frame later MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The frame is not needed that early so obtaining it later avoids the costly operation in case other checks fail. Fixes: Timeout (14sec -> 4sec) Fixes: 13140/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-5738330308739072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 177b40890c6de8c6896e0a1d4a631ea1ca89c044) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 79e0892070..e07009d0fb 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -525,9 +525,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - if (c->comp == 0) { // uncompressed data if (c->decomp_size < len) { av_log(avctx, AV_LOG_ERROR, "Buffer too small\n"); @@ -553,6 +550,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); return AVERROR_INVALIDDATA; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; From 92335fc02b2c86536d161db34dfbeab85bc74e75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Feb 2019 22:00:39 +0100 Subject: [PATCH 0116/1383] avcodec/mlpdec: Insuffient typo Signed-off-by: Michael Niedermayer (cherry picked from commit fc32e08941ea2795a3096e7a4013843e9ebf5fe3) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 8caa266b7e..3139a0172f 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -1195,7 +1195,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, } if (length < header_size + substr_header_size) { - av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n"); goto error; } From b8dd1d2d4bde740f61ba10eea399109c5e772da9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Feb 2019 18:41:42 +0100 Subject: [PATCH 0117/1383] avcodec/error_resilience: Use a symmetric check for skipping MV estimation This speeds up the testcase by a factor of 4 Fixes: Timeout Fixes: 13100/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5767533905313792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4289cb253e29e4d62dc46759eb1a45d8f6d82df) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 1abae53f41..35d0c609e5 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -437,7 +437,7 @@ static void guess_mv(ERContext *s) } if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || - num_avail <= mb_width / 2) { + num_avail <= FFMAX(mb_width, mb_height) / 2) { for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; From 662b6351c80a7768a5b46943a067b7c633e29088 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Feb 2019 00:05:51 +0100 Subject: [PATCH 0118/1383] avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() Fixes: runtime error: signed integer overflow: 2147483598 + 128 cannot be represented in type 'int' Fixes: 12926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5705100733972480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4801eea0d465cd54670e7c19322705544e3e7524) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ce1678a3d7..badf0f8cd0 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -531,7 +531,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) } for (i = 0; i < w * h; i++) - data[i] = (data[i] + ((1<>1)) >> I_PRESHIFT; + data[i] = (data[i] + ((1LL<>1)) >> I_PRESHIFT; } int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2], From 09683e1f4e215be41afa189c0dd67902a61b70fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Feb 2019 23:39:44 +0100 Subject: [PATCH 0119/1383] avcodec/bethsoftvideo: Check block_type Fixes: Timeout (17 seconds -> 1 second) Fixes: 13184/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BETHSOFTVID_fuzzer-5711446296494080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8ecadec0582a1521b5d0d253376966138e6ca78) Signed-off-by: Michael Niedermayer --- libavcodec/bethsoftvideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c index 274516bf4d..e5a73f55a1 100644 --- a/libavcodec/bethsoftvideo.c +++ b/libavcodec/bethsoftvideo.c @@ -109,6 +109,11 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, if(yoffset >= avctx->height) return AVERROR_INVALIDDATA; dst += vid->frame->linesize[0] * yoffset; + case VIDEO_P_FRAME: + case VIDEO_I_FRAME: + break; + default: + return AVERROR_INVALIDDATA; } // main code From 29619a8ac2751508f368b24b6d83343fc030611f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Feb 2019 01:26:30 +0100 Subject: [PATCH 0120/1383] avcodec/gdv: Check for truncated tags in decompress_5() Testcase: 13169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5666354038833152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5cf42f65b60d226d1223d2100cb1d90402189275) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index a29de28aa1..e946bd61df 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -294,6 +294,8 @@ static int decompress_5(AVCodecContext *avctx, unsigned skip) while (bytestream2_get_bytes_left_p(pb) > 0 && bytestream2_get_bytes_left(gb) > 0) { int tag = read_bits2(&bits, gb); + if (bytestream2_get_bytes_left(gb) < 1) + return AVERROR_INVALIDDATA; if (tag == 0) { bytestream2_put_byte(pb, bytestream2_get_byte(gb)); } else if (tag == 1) { From 6c0124d3921d95cf92adf8d052f86240d7d73a35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Feb 2019 13:26:25 +0100 Subject: [PATCH 0121/1383] avcodec/aic: Check remaining bits in aic_decode_coeffs() Fixes: Timeout (78 seconds -> 2 seconds) Fixes: 13186/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5639516533030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 951bb7632fe6e3bb1a9c3b47610705871e471f34) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 9c6f806655..dc28c83661 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -208,6 +208,9 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, int mb, idx; unsigned val; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; + has_skips = get_bits1(gb); coeff_type = get_bits1(gb); coeff_bits = get_bits(gb, 3); From c90836cc3df3ab00dad329e51cebded37d276991 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Feb 2019 00:44:40 +0100 Subject: [PATCH 0122/1383] avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes Fixes: Timeout (27 sec -> 39 milli sec) Fixes: 13151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QPEG_fuzzer-5717536023248896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b819472995f55e827d6bb70dcdd86d963f65ae31) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index e1210c1972..10b55d2dff 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -90,6 +90,8 @@ static void qpeg_decode_intra(QpegContext *qctx, uint8_t *dst, } } } else { + if (bytestream2_get_bytes_left(&qctx->buffer) < copy) + copy = bytestream2_get_bytes_left(&qctx->buffer); for(i = 0; i < copy; i++) { dst[filled++] = bytestream2_get_byte(&qctx->buffer); if (filled >= width) { From 67d030787e0b9b5350545bf2d2d64642d2c5ccb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Feb 2019 00:12:14 +0100 Subject: [PATCH 0123/1383] avcodec/scpr: Fix use of uninitialized variable Fixes: Undefined shift Fixes: 12911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5677102915911680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53248acfb3b23007c89ae822d7bcae451272d5a7) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index e41fbbec13..5714e25170 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -512,7 +512,7 @@ static int decompress_p(AVCodecContext *avctx, { SCPRContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; - int ret, temp, min, max, x, y, cx = 0, cx1 = 0; + int ret, temp = 0, min, max, x, y, cx = 0, cx1 = 0; int backstep = linesize - avctx->width; if (bytestream2_get_byte(gb) == 0) From ad12d9df1ed939e47cccc832ca4c363e68374adc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Mar 2019 00:47:47 +0100 Subject: [PATCH 0124/1383] avcodec/dxv: Correct integer overflow in get_opcodes() Fixes: 13099/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5665598896340992 Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e0b5d3a20e107860a34e90139b860d6b8219a1d) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index bf53d7d706..aef5ec19dd 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -426,7 +426,8 @@ static int fill_optable(unsigned *table0, OpcodeTable *table1, int nb_elements) static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op_size, int nb_elements) { OpcodeTable optable[1024]; - int sum, x, val, lshift, rshift, ret, size_in_bits, i, idx; + int sum, x, val, lshift, rshift, ret, i, idx; + int64_t size_in_bits; unsigned endoffset, newoffset, offset; unsigned next; uint8_t *src = (uint8_t *)gb->buffer; From 1e50a327c649c8a00741996b9f6db83fdc00285a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Mar 2019 01:40:59 +0100 Subject: [PATCH 0125/1383] avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block() Fixes: Out of array access Fixes: 13500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5769760178962432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit d227ed5d598340e719eff7156b1aa0a4469e9a6a) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index ecd028a87c..bb9f1e3f2c 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1899,14 +1899,20 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n code >>= 1; run = (1 << (additional_code_len - 1)) + code; idx += run; + if (idx > 63) + return AVERROR_INVALIDDATA; j = scantable[idx++]; block[j] = sign ? 1 : -1; } else if (group >= 13 && group <= 20) { /* Level value (Table B.49) */ + if (idx > 63) + return AVERROR_INVALIDDATA; j = scantable[idx++]; block[j] = get_xbits(&s->gb, additional_code_len); } else if (group == 21) { /* Escape */ + if (idx > 63) + return AVERROR_INVALIDDATA; j = scantable[idx++]; additional_code_len = s->avctx->bits_per_raw_sample + s->dct_precision + 4; flc = get_bits(&s->gb, additional_code_len); From 9bf40978c65714bd4448d6d445ffe5ac36189ec3 Mon Sep 17 00:00:00 2001 From: "Guo, Yejun" Date: Tue, 5 Mar 2019 06:09:11 +0800 Subject: [PATCH 0126/1383] configure: add missing pthreads extralibs dependency for libvpx-vp9 Signed-off-by: Guo, Yejun Signed-off-by: James Almer (cherry picked from commit 402bf262375dfecd0e90d7acc67c238abe952fc3) Signed-off-by: Michael Niedermayer --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 7310b962f2..5ba35811d1 100755 --- a/configure +++ b/configure @@ -6162,11 +6162,11 @@ enabled libvpx && { } enabled libvpx_vp9_decoder && { check_pkg_config libvpx_vp9_decoder "vpx >= 1.4.0" "vpx/vpx_decoder.h vpx/vp8dx.h" vpx_codec_vp9_dx || - check_lib libvpx_vp9_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_vp9_dx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs" + check_lib libvpx_vp9_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_vp9_dx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" } enabled libvpx_vp9_encoder && { check_pkg_config libvpx_vp9_encoder "vpx >= 1.4.0" "vpx/vpx_encoder.h vpx/vp8cx.h" vpx_codec_vp9_cx || - check_lib libvpx_vp9_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_vp9_cx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs" + check_lib libvpx_vp9_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_vp9_cx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" } if disabled_all libvpx_vp8_decoder libvpx_vp9_decoder libvpx_vp8_encoder libvpx_vp9_encoder; then die "libvpx enabled but no supported decoders found" From 83bfd4f3b5b649fc84066495a2886bc819763fd1 Mon Sep 17 00:00:00 2001 From: "Guo, Yejun" Date: Tue, 5 Mar 2019 06:09:18 +0800 Subject: [PATCH 0127/1383] configure: use vpx_codec_vp8_dx/cx for libvpx-vp8 checking Signed-off-by: Guo, Yejun Signed-off-by: James Almer (cherry picked from commit d9b2668766e3e924d4ebb3c6531b449874e13666) Signed-off-by: Michael Niedermayer --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 5ba35811d1..a9644e211b 100755 --- a/configure +++ b/configure @@ -6152,12 +6152,12 @@ enabled libvorbis && require_pkg_config libvorbis vorbis vorbis/codec.h enabled libvpx && { enabled libvpx_vp8_decoder && { check_pkg_config libvpx_vp8_decoder "vpx >= 1.4.0" "vpx/vpx_decoder.h vpx/vp8dx.h" vpx_codec_vp8_dx || - check_lib libvpx_vp8_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_dec_init_ver VPX_IMG_FMT_HIGHBITDEPTH" -lvpx || + check_lib libvpx_vp8_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_vp8_dx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" || die "ERROR: libvpx decoder version must be >=1.4.0"; } enabled libvpx_vp8_encoder && { check_pkg_config libvpx_vp8_encoder "vpx >= 1.4.0" "vpx/vpx_encoder.h vpx/vp8cx.h" vpx_codec_vp8_cx || - check_lib libvpx_vp8_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_enc_init_ver VPX_IMG_FMT_HIGHBITDEPTH" -lvpx || + check_lib libvpx_vp8_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_vp8_cx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" || die "ERROR: libvpx encoder version must be >=1.4.0"; } enabled libvpx_vp9_decoder && { From 5d208aac52538e67d76c3fdd173e24ada876ca47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2019 00:48:18 +0100 Subject: [PATCH 0128/1383] avformat/gdv: Check fps Fixes: Division by 0 Fixes: ffmpeg_zero_division.bin Found-by: Anatoly Trosinenko Signed-off-by: Michael Niedermayer (cherry picked from commit 38381400fca45d1ae6e7604335b507b7dc70a903) Signed-off-by: Michael Niedermayer --- libavformat/gdv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/gdv.c b/libavformat/gdv.c index a69c349cab..3ead383892 100644 --- a/libavformat/gdv.c +++ b/libavformat/gdv.c @@ -86,6 +86,9 @@ static int gdv_read_header(AVFormatContext *ctx) vst->nb_frames = avio_rl16(pb); fps = avio_rl16(pb); + if (!fps) + return AVERROR_INVALIDDATA; + snd_flags = avio_rl16(pb); if (snd_flags & 1) { ast = avformat_new_stream(ctx, 0); From 04ce4cc0728e35d908da7f5e1aa71f9adf0b65de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2019 12:51:22 +0100 Subject: [PATCH 0129/1383] avcodec/cdgraphics: Use ff_set_dimensions() Fixes: Timeout (17 sec -> 65 milli sec) Fixes: 13264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5711167941509120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a9f0e239c1c6f5c96cc90ba673087f86ca1eabc) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index be85e54288..cf3f01a417 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -81,11 +81,8 @@ static av_cold int cdg_decode_init(AVCodecContext *avctx) return AVERROR(ENOMEM); cc->transparency = -1; - avctx->width = CDG_FULL_WIDTH; - avctx->height = CDG_FULL_HEIGHT; avctx->pix_fmt = AV_PIX_FMT_PAL8; - - return 0; + return ff_set_dimensions(avctx, CDG_FULL_WIDTH, CDG_FULL_HEIGHT); } static void cdg_border_preset(CDGraphicsContext *cc, uint8_t *data) From 8cee4190f368c11b590bb95e2ea03fedbf5295a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2019 20:14:05 +0100 Subject: [PATCH 0130/1383] avcodec/dvbsubdec: Check object position Reference: ETSI EN 300 743 V1.2.1 7.2.2 Region composition segment Fixes: Timeout Fixes: 13325/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5143979392237568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8c5ae451184e879fc8ff1333c6f26f9542c8ebf) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index b59e836657..bc4a17bde0 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1267,6 +1267,13 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, display->y_pos = AV_RB16(buf) & 0xfff; buf += 2; + if (display->x_pos >= region->width || + display->y_pos >= region->height) { + av_log(avctx, AV_LOG_ERROR, "Object outside region\n"); + av_free(display); + return AVERROR_INVALIDDATA; + } + if ((object->type == 1 || object->type == 2) && buf+1 < buf_end) { display->fgcolor = *buf++; display->bgcolor = *buf++; From 77d244e7a937bf7e491d1783013e6b5a7c2ef797 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Mar 2019 17:31:54 +0100 Subject: [PATCH 0131/1383] Update for 4.1.2 Signed-off-by: Michael Niedermayer --- Changelog | 33 +++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 35 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 809d2967a2..5d2d645d34 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,39 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.2: +- avcodec/dvbsubdec: Check object position +- avcodec/cdgraphics: Use ff_set_dimensions() +- avformat/gdv: Check fps +- configure: use vpx_codec_vp8_dx/cx for libvpx-vp8 checking +- configure: add missing pthreads extralibs dependency for libvpx-vp9 +- avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block() +- avcodec/dxv: Correct integer overflow in get_opcodes() +- avcodec/scpr: Fix use of uninitialized variable +- avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes +- avcodec/aic: Check remaining bits in aic_decode_coeffs() +- avcodec/gdv: Check for truncated tags in decompress_5() +- avcodec/bethsoftvideo: Check block_type +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/error_resilience: Use a symmetric check for skipping MV estimation +- avcodec/mlpdec: Insuffient typo +- avcodec/zmbv: obtain frame later +- avcodec/jvdec: Check available input space before decode8x8() +- avcodec/h264_direct: Fix overflow in POC comparission +- avformat/webmdashenc: Check id in adaption_sets +- avformat/http: Fix Out-of-Bounds access in process_line() +- avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393 +- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces +- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning +- avformat/matroskadec: Do not leak queued packets on sync errors +- avcodec/mpeg4videodec: Clear interlaced_dct for studio profile +- avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream +- avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c() +- avcodec/prores_ks: Fix luma quantization if q >= MAX_STORED_Q +- avformat/mov: fix hang while seek on a kind of fragmented mp4 +- avformat/async: fix assertion condition when draining buffer +- avcodec/cbs_av1: don't call cbs_av1_read_trailing_bits() when no bits remain in the OBU + version 4.1.1: - avformat/mov: validate chunk_count vs stsc_data - avformat/mov: require tfhd to begin parsing trun diff --git a/RELEASE b/RELEASE index 627a3f43a6..4d0dcda01c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.1 +4.1.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3fcdbd74d1..730c4c36b5 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.1 +PROJECT_NUMBER = 4.1.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From dbef08b60f44469228d37c63ede587490492acb2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 18 Mar 2019 17:25:58 -0300 Subject: [PATCH 0132/1383] avcodec/hevcdec: decode at most one slice reporting being the first in the picture Fixes deadlocks when decoding packets containing more than one of the aforementioned slices when using frame threads. Tested-by: Derek Buitenhuis Signed-off-by: James Almer (cherry picked from commit 70c8c8a818f39bc262565ec29fae2baffb3e1660) --- libavcodec/hevcdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index a3b5c8cb71..0dee673dac 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2924,6 +2924,10 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) } if (s->sh.first_slice_in_pic_flag) { + if (s->ref) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + goto fail; + } if (s->max_ra == INT_MAX) { if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { s->max_ra = s->poc; From 7ce56329e71fc75512ef82f4794c43b629b8c488 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Mar 2019 01:42:06 +0100 Subject: [PATCH 0133/1383] avcodec/clearvideo: Check remaining data in P frames Fixes: Timeout (19sec -> 419msec) Fixes: 13411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5733153811988480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 41f93f941155f9f9dbb2d5e7f5d20b2238150836) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index ad3012f7b7..82df8f3752 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -555,6 +555,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data, } else { int plane; + if (c->pmb_width * c->pmb_height > 8LL*(buf_size - bytestream2_tell(&gb))) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) return ret; From b429df281d50e960fb7f44659cac393a42cdfd35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Mar 2019 23:45:19 +0100 Subject: [PATCH 0134/1383] avcodec/dfa: Check the chunk header is not truncated Fixes: Timeout (11sec -> 3sec) Fixes: 13218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-5661074316066816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f20760fadbc77483b9ff4b400b53ebb38ee33793) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 970175fb73..c6106b9397 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -355,6 +355,8 @@ static int dfa_decode_frame(AVCodecContext *avctx, bytestream2_init(&gb, avpkt->data, avpkt->size); while (bytestream2_get_bytes_left(&gb) > 0) { + if (bytestream2_get_bytes_left(&gb) < 12) + return AVERROR_INVALIDDATA; bytestream2_skip(&gb, 4); chunk_size = bytestream2_get_le32(&gb); chunk_type = bytestream2_get_le32(&gb); From a7cb7a2e4314956e06a351333ff8096fab9afa7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Mar 2019 09:02:44 +0100 Subject: [PATCH 0135/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index 5d2d645d34..7df4e199bf 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.2: +- avcodec/dfa: Check the chunk header is not truncated +- avcodec/clearvideo: Check remaining data in P frames +- avcodec/hevcdec: decode at most one slice reporting being the first in the picture - avcodec/dvbsubdec: Check object position - avcodec/cdgraphics: Use ff_set_dimensions() - avformat/gdv: Check fps From abf36b76de63b4cdf07e0f8360422ff4758f7f70 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 24 Mar 2019 18:22:32 -0300 Subject: [PATCH 0136/1383] avcodec/av1_parser: don't abort parsing the first frame if extradata parsing fails The first frame contains the sequence header, which is needed to parse every following frame. This fixes parsing streams with broken extradata but correct packet data. Signed-off-by: James Almer (cherry picked from commit 699d0c2a30d5b2a10b6a0f459a35d665dc22b2f1) --- libavcodec/av1_parser.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/av1_parser.c b/libavcodec/av1_parser.c index 8df66498f4..0390de0b36 100644 --- a/libavcodec/av1_parser.c +++ b/libavcodec/av1_parser.c @@ -68,8 +68,7 @@ static int av1_parser_parse(AVCodecParserContext *ctx, ret = ff_cbs_read(s->cbc, td, avctx->extradata, avctx->extradata_size); if (ret < 0) { - av_log(avctx, AV_LOG_ERROR, "Failed to parse extradata.\n"); - goto end; + av_log(avctx, AV_LOG_WARNING, "Failed to parse extradata.\n"); } ff_cbs_fragment_uninit(s->cbc, td); From 6972b353b4e00f784b9e70939e4d37dc61295e28 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 21 Mar 2019 15:37:26 -0300 Subject: [PATCH 0137/1383] avcodec/cbs_av1: fix range of values for Mastering Display Color Volume Metadata OBUs Signed-off-by: James Almer (cherry picked from commit 40490b3a63368bdc2403bf7415b214e6dc0a9a3a) --- libavcodec/cbs_av1_syntax_template.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 48f4fab514..76eb90b279 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1637,15 +1637,18 @@ static int FUNC(metadata_hdr_mdcv)(CodedBitstreamContext *ctx, RWContext *rw, int err, i; for (i = 0; i < 3; i++) { - fcs(16, primary_chromaticity_x[i], 0, 50000, 1, i); - fcs(16, primary_chromaticity_y[i], 0, 50000, 1, i); + fbs(16, primary_chromaticity_x[i], 1, i); + fbs(16, primary_chromaticity_y[i], 1, i); } - fc(16, white_point_chromaticity_x, 0, 50000); - fc(16, white_point_chromaticity_y, 0, 50000); + fb(16, white_point_chromaticity_x); + fb(16, white_point_chromaticity_y); fc(32, luminance_max, 1, MAX_UINT_BITS(32)); - fc(32, luminance_min, 0, current->luminance_max >> 6); + // luminance_min must be lower than luminance_max. Convert luminance_max from + // 24.8 fixed point to 18.14 fixed point in order to compare them. + fc(32, luminance_min, 0, FFMIN(((uint64_t)current->luminance_max << 6) - 1, + MAX_UINT_BITS(32))); return 0; } From cb4768e7f20b6bc6eef28266ee9a3361967e65df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Mar 2019 02:30:57 +0100 Subject: [PATCH 0138/1383] avcodec/truemotion2: Fix integer overflow in tm2_null_res_block() Fixes: signed integer overflow: 1111638592 - -2122219136 cannot be represented in type 'int' Fixes: 13441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5732769815068672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1223696c725a8ea7e80498e6ccfab37eea179b76) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index c583ff4032..1aa7a4b870 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -591,7 +591,8 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int { int i; int ct; - int left, right, diff; + unsigned left, right; + int diff; int deltas[16]; TM2_INIT_POINTERS(); From ad0f4a7d10f91c63cceeb25010bec83311ad84fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Mar 2019 11:14:26 +0100 Subject: [PATCH 0139/1383] avformat/mov: Fix potential integer overflow in entry check in mov_read_trun() No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit ff13a92a6f8413402f5b3cacedda7c10d350b487) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 60309b4869..caba256161 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4781,7 +4781,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_TRACE, "first sample flags 0x%x\n", first_sample_flags); // realloc space for new index entries - if((unsigned)st->nb_index_entries + entries >= UINT_MAX / sizeof(AVIndexEntry)) { + if((uint64_t)st->nb_index_entries + entries >= UINT_MAX / sizeof(AVIndexEntry)) { entries = UINT_MAX / sizeof(AVIndexEntry) - st->nb_index_entries; av_log(c->fc, AV_LOG_ERROR, "Failed to add index entry\n"); } From 65f94b732a27cd7479c3fcff337bc247442016d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Mar 2019 15:18:20 +0100 Subject: [PATCH 0140/1383] avcodec/mpegpicture: Check size of edge_emu_buffer Fixes: OOM Fixes: 13710/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5633152942342144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 635067b75fce06928431ce9b9fcaee0c9b6b7280) Signed-off-by: Michael Niedermayer --- libavcodec/mpegpicture.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegpicture.c b/libavcodec/mpegpicture.c index c0e06900fe..ecbd77d50e 100644 --- a/libavcodec/mpegpicture.c +++ b/libavcodec/mpegpicture.c @@ -23,6 +23,7 @@ #include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/pixdesc.h" +#include "libavutil/imgutils.h" #include "avcodec.h" #include "motion_est.h" @@ -57,6 +58,7 @@ do {\ int ff_mpeg_framesize_alloc(AVCodecContext *avctx, MotionEstContext *me, ScratchpadContext *sc, int linesize) { +# define EMU_EDGE_HEIGHT (4 * 70) int alloc_size = FFALIGN(FFABS(linesize) + 64, 32); if (avctx->hwaccel) @@ -67,13 +69,16 @@ int ff_mpeg_framesize_alloc(AVCodecContext *avctx, MotionEstContext *me, return AVERROR_PATCHWELCOME; } + if (av_image_check_size2(alloc_size, EMU_EDGE_HEIGHT, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx) < 0) + return AVERROR(ENOMEM); + // edge emu needs blocksize + filter length - 1 // (= 17x17 for halfpel / 21x21 for H.264) // VC-1 computes luma and chroma simultaneously and needs 19X19 + 9x9 // at uvlinesize. It supports only YUV420 so 24x24 is enough // linesize * interlaced * MBsize // we also use this buffer for encoding in encode_mb_internal() needig an additional 32 lines - FF_ALLOCZ_ARRAY_OR_GOTO(avctx, sc->edge_emu_buffer, alloc_size, 4 * 70, + FF_ALLOCZ_ARRAY_OR_GOTO(avctx, sc->edge_emu_buffer, alloc_size, EMU_EDGE_HEIGHT, fail); FF_ALLOCZ_ARRAY_OR_GOTO(avctx, me->scratchpad, alloc_size, 4 * 16 * 2, From daca529112d8cefa9d1f661b3493def303ba63c5 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 26 Mar 2019 13:32:11 +0100 Subject: [PATCH 0141/1383] lavc/bmp: Avoid a heap buffer overwrite for 1bpp input. Found by Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University. (cherry picked from commit 1e34014010dba9325fc5430934b51a61a5007c63) Signed-off-by: Michael Niedermayer --- libavcodec/bmp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index 65d239e4f8..40010ac46f 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -291,7 +291,7 @@ static int bmp_decode_frame(AVCodecContext *avctx, case 1: for (i = 0; i < avctx->height; i++) { int j; - for (j = 0; j < n; j++) { + for (j = 0; j < avctx->width >> 3; j++) { ptr[j*8+0] = buf[j] >> 7; ptr[j*8+1] = (buf[j] >> 6) & 1; ptr[j*8+2] = (buf[j] >> 5) & 1; @@ -301,6 +301,9 @@ static int bmp_decode_frame(AVCodecContext *avctx, ptr[j*8+6] = (buf[j] >> 1) & 1; ptr[j*8+7] = buf[j] & 1; } + for (j = 0; j < (avctx->width & 7); j++) { + ptr[avctx->width - (avctx->width & 7) + j] = buf[avctx->width >> 3] >> (7 - j) & 1; + } buf += n; ptr += linesize; } From f1ecebcdb72b5928b585ec8f07c3847927b4bf1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Mar 2019 20:55:08 +0100 Subject: [PATCH 0142/1383] avcodec/hevcdec: Avoid only partly skiping duplicate first slices Fixes: NULL pointer dereference and out of array access Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432 Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304 This also fixes the return code for explode mode Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 54655623a82632e7624714d7b2a3e039dc5faa7e) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 0dee673dac..afb3b1b554 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -485,6 +485,11 @@ static int hls_slice_header(HEVCContext *s) // Coded parameters sh->first_slice_in_pic_flag = get_bits1(gb); + if (s->ref && sh->first_slice_in_pic_flag) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + return 1; // This slice will be skiped later, do not corrupt state + } + if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { s->seq_decode = (s->seq_decode + 1) & 0xff; s->max_ra = INT_MAX; @@ -2915,6 +2920,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) ret = hls_slice_header(s); if (ret < 0) return ret; + if (ret == 1) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + if ( (s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) || @@ -2924,10 +2934,6 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) } if (s->sh.first_slice_in_pic_flag) { - if (s->ref) { - av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); - goto fail; - } if (s->max_ra == INT_MAX) { if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { s->max_ra = s->poc; From 1d720b37f0f3ae3d8e9fa2a991a8dca7deac7490 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Mar 2019 23:31:47 +0200 Subject: [PATCH 0143/1383] Update for 4.1.3 Signed-off-by: Michael Niedermayer --- Changelog | 9 +++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 7df4e199bf..6f4a623552 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,15 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.3: +- avcodec/hevcdec: Avoid only partly skiping duplicate first slices +- lavc/bmp: Avoid a heap buffer overwrite for 1bpp input. +- avcodec/mpegpicture: Check size of edge_emu_buffer +- avformat/mov: Fix potential integer overflow in entry check in mov_read_trun() +- avcodec/truemotion2: Fix integer overflow in tm2_null_res_block() +- avcodec/cbs_av1: fix range of values for Mastering Display Color Volume Metadata OBUs +- avcodec/av1_parser: don't abort parsing the first frame if extradata parsing fails + version 4.1.2: - avcodec/dfa: Check the chunk header is not truncated - avcodec/clearvideo: Check remaining data in P frames diff --git a/RELEASE b/RELEASE index 4d0dcda01c..de197cc337 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.2 +4.1.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 730c4c36b5..f7b277adf6 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.2 +PROJECT_NUMBER = 4.1.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 58cd70201edc57b46fb4ad8c0810725f0bf80c86 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 28 Mar 2019 22:36:25 -0300 Subject: [PATCH 0144/1383] avformat/movenc: free eac3 private data only when closing the stream This makes sure the data is available when writing the moov atom during the second pass triggered by the faststart movflag. Fixes ticket #7780 Signed-off-by: James Almer (cherry picked from commit 27c94c57dc84da8125225fda7d241be57d19b391) --- libavformat/movenc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 6dab5193b0..2a45302ebb 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -544,8 +544,7 @@ static int mov_write_eac3_tag(AVIOContext *pb, MOVTrack *track) size = 2 + ((34 * (info->num_ind_sub + 1) + 7) >> 3); buf = av_malloc(size); if (!buf) { - size = AVERROR(ENOMEM); - goto end; + return AVERROR(ENOMEM); } init_put_bits(&pbc, buf, size); @@ -576,10 +575,6 @@ static int mov_write_eac3_tag(AVIOContext *pb, MOVTrack *track) av_free(buf); -end: - av_packet_unref(&info->pkt); - av_freep(&track->eac3_priv); - return size; } @@ -5947,6 +5942,11 @@ static void mov_free(AVFormatContext *s) av_freep(&mov->tracks[i].frag_info); av_packet_unref(&mov->tracks[i].cover_image); + if (mov->tracks[i].eac3_priv) { + struct eac3_info *info = mov->tracks[i].eac3_priv; + av_packet_unref(&info->pkt); + av_freep(&mov->tracks[i].eac3_priv); + } if (mov->tracks[i].vos_len) av_freep(&mov->tracks[i].vos_data); From 6c75df556f8ce97398789f363f5b323ae3abc920 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Mar 2019 17:31:17 +0200 Subject: [PATCH 0145/1383] avcodec/rscc: Check that the to be uncompressed input is large enough Fixes: Out of array access Fixes: 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3a0ec1511e7040845a0d1ce99fe2f30a0972b6d2) Signed-off-by: Michael Niedermayer --- libavcodec/rscc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index 7921f149ed..69cb702777 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -198,6 +198,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, /* If necessary, uncompress tiles, and hijack the bytestream reader */ if (packed_tiles_size != tiles_nb * TILE_SIZE) { uLongf length = tiles_nb * TILE_SIZE; + + if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } + inflated_tiles = av_malloc(length); if (!inflated_tiles) { ret = AVERROR(ENOMEM); From 4154f8967820ca734a77ce91bb590cd77649dee8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2019 10:33:02 +0200 Subject: [PATCH 0146/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 6f4a623552..5b76927071 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.3: +- avcodec/rscc: Check that the to be uncompressed input is large enough +- avformat/movenc: free eac3 private data only when closing the stream - avcodec/hevcdec: Avoid only partly skiping duplicate first slices - lavc/bmp: Avoid a heap buffer overwrite for 1bpp input. - avcodec/mpegpicture: Check size of edge_emu_buffer From ec82b3ecbbff1320be2b13f4a5ec41047810d315 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 25 Mar 2019 01:08:30 -0300 Subject: [PATCH 0147/1383] avcodec/cbs_av1: fix parsing spatial_id Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 461303f94ab64e0cbd502cddb6e79473f8f525a1) --- libavcodec/cbs_av1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 4513287ef9..e4e3964118 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -960,7 +960,7 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, if (obu->header.obu_extension_flag) { priv->temporal_id = obu->header.temporal_id; - priv->spatial_id = obu->header.temporal_id; + priv->spatial_id = obu->header.spatial_id; if (obu->header.obu_type != AV1_OBU_SEQUENCE_HEADER && obu->header.obu_type != AV1_OBU_TEMPORAL_DELIMITER && From 420fe39aff3dff17b064630963bbea1bdcdf79f4 Mon Sep 17 00:00:00 2001 From: Jeremy Dorfman Date: Mon, 8 Apr 2019 08:14:27 -0400 Subject: [PATCH 0148/1383] avformat/av1: Initialize padding in ff_isom_write_av1c Otherwise, AV1 encodes with FFmpeg trigger use-of-uninitialized-value warnings under MemorySanitizer, and the output buffer potentially changes from run to run. Signed-off-by: James Almer (cherry picked from commit bb5efd1727eeecc9be8f1402810c7ab72344eed3) --- libavformat/av1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/av1.c b/libavformat/av1.c index a0aad436a6..5fde8df97e 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c @@ -372,6 +372,7 @@ int ff_isom_write_av1c(AVIOContext *pb, const uint8_t *buf, int size) put_bits(&pbc, 1, seq_params.chroma_subsampling_x); put_bits(&pbc, 1, seq_params.chroma_subsampling_y); put_bits(&pbc, 2, seq_params.chroma_sample_position); + put_bits(&pbc, 8, 0); // padding flush_put_bits(&pbc); avio_write(pb, header, sizeof(header)); From cf7a5c655c04cd7d1a8912f390a7ae971ecf447b Mon Sep 17 00:00:00 2001 From: Tristan Matthews Date: Thu, 4 Apr 2019 12:56:26 -0400 Subject: [PATCH 0149/1383] avformat/matroskaenc: fix leak on error Signed-off-by: James Almer (cherry picked from commit 1ec777dcdd03b43d3d694c3b4532dccea0b419f0) --- libavformat/matroskaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index aed83aef70..ff1cba0145 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -694,8 +694,10 @@ static int put_flac_codecpriv(AVFormatContext *s, av_dict_set(&dict, "WAVEFORMATEXTENSIBLE_CHANNEL_MASK", buf, 0); len = ff_vorbiscomment_length(dict, vendor); - if (len >= ((1<<24) - 4)) + if (len >= ((1<<24) - 4)) { + av_dict_free(&dict); return AVERROR(EINVAL); + } data = av_malloc(len + 4); if (!data) { From 7c2dd1f969c9decf217f1b2117087c4b8918de22 Mon Sep 17 00:00:00 2001 From: Sergey Svechnikov Date: Mon, 22 Apr 2019 22:26:24 +0500 Subject: [PATCH 0150/1383] avcodec/cuviddec: improve progressive frame detection There are 2 types of problems when using adaptive deinterlace with cuvid: 1. Sometimes, in the middle of transcoding, cuvid outputs frames with visible horizontal lines (as though weave deinterlace method was chosen); 2. Occasionally, on scene changes, cuvid outputs a wrong frame, which should have been shown several seconds before (as if the frame was assigned some wrong PTS value). The reason is that sometimes CUVIDPARSERDISPINFO has property progressive_frame equal to 1 with interlaced videos. In order to fix the problem we should check if the video is interlaced or progressive in the beginning of a video sequence (cuvid_handle_video_sequence). And then we just use this information instead of the property progressive_frame in CUVIDPARSERDISPINFO (which is unreliable). Signed-off-by: Timo Rothenpieler --- libavcodec/cuviddec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index f21273c07e..67e39ac719 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -70,6 +70,7 @@ typedef struct CuvidContext int deint_mode; int deint_mode_current; int64_t prev_pts; + int progressive_sequence; int internal_error; int decoder_flushing; @@ -228,6 +229,8 @@ static int CUDAAPI cuvid_handle_video_sequence(void *opaque, CUVIDEOFORMAT* form ? cudaVideoDeinterlaceMode_Weave : ctx->deint_mode; + ctx->progressive_sequence = format->progressive_sequence; + if (!format->progressive_sequence && ctx->deint_mode_current == cudaVideoDeinterlaceMode_Weave) avctx->flags |= AV_CODEC_FLAG_INTERLACED_DCT; else @@ -360,6 +363,9 @@ static int CUDAAPI cuvid_handle_picture_display(void *opaque, CUVIDPARSERDISPINF parsed_frame.dispinfo = *dispinfo; ctx->internal_error = 0; + // For some reason, dispinfo->progressive_frame is sometimes wrong. + parsed_frame.dispinfo.progressive_frame = ctx->progressive_sequence; + if (ctx->deint_mode_current == cudaVideoDeinterlaceMode_Weave) { av_fifo_generic_write(ctx->frame_queue, &parsed_frame, sizeof(CuvidParsedFrame), NULL); } else { From 7211e1ca9367f7f1a4a04983a66c7b1e2c9a3c92 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 25 Apr 2019 19:04:01 -0300 Subject: [PATCH 0151/1383] avformat/aacdec: fix demuxing of small frames 10 bytes (id3v2 header amount of bytes) were being read before any checks were made on the bitstream. The result was that we were overreading into the next frame if the current one was 8 or 9 bytes long. Fixes tickets #7271 and #7869. Signed-off-by: James Almer (cherry picked from commit d88193c2196cf5342424aaa7a44b046c71c2527a) --- libavformat/aacdec.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index 685458b911..e23abd0abf 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -20,6 +20,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "avio_internal.h" @@ -154,17 +155,8 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) { int ret, fsize; - // Parse all the ID3 headers between frames - while (1) { - ret = av_get_packet(s->pb, pkt, FFMAX(ID3v2_HEADER_SIZE, ADTS_HEADER_SIZE)); - if (ret >= ID3v2_HEADER_SIZE && ff_id3v2_match(pkt->data, ID3v2_DEFAULT_MAGIC)) { - if ((ret = handle_id3(s, pkt)) >= 0) { - continue; - } - } - break; - } - +retry: + ret = av_get_packet(s->pb, pkt, ADTS_HEADER_SIZE); if (ret < 0) return ret; @@ -174,8 +166,24 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) } if ((AV_RB16(pkt->data) >> 4) != 0xfff) { - av_packet_unref(pkt); - return AVERROR_INVALIDDATA; + // Parse all the ID3 headers between frames + int append = ID3v2_HEADER_SIZE - ADTS_HEADER_SIZE; + + av_assert2(append > 0); + ret = av_append_packet(s->pb, pkt, append); + if (ret != append) { + av_packet_unref(pkt); + return AVERROR(EIO); + } + if (!ff_id3v2_match(pkt->data, ID3v2_DEFAULT_MAGIC)) { + av_packet_unref(pkt); + return AVERROR_INVALIDDATA; + } + ret = handle_id3(s, pkt); + if (ret < 0) + return ret; + + goto retry; } fsize = (AV_RB32(pkt->data + 3) >> 13) & 0x1FFF; From 72f03b2af489af4c6d2efc6006629d1f2dabdead Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Tue, 27 Nov 2018 17:18:26 +0800 Subject: [PATCH 0152/1383] lavc/libaomenc: Add a maximum constraint of 64 encoder threads. fixed the error in Intel(R) Xeon(R) Gold 6152 CPU like: [libaom-av1 @ 0x469f340] Failed to initialize encoder: Invalid parameter [libaom-av1 @ 0x469f340] Additional information: g_threads out of range [..MAX_NUM_THREADS] Signed-off-by: Jun Zhao Signed-off-by: James Almer (cherry picked from commit b87063c06dde35ef6b56f51df7642661a3b115da) --- libavcodec/libaomenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libaomenc.c b/libavcodec/libaomenc.c index c5458766cb..b2fcf31031 100644 --- a/libavcodec/libaomenc.c +++ b/libavcodec/libaomenc.c @@ -505,7 +505,8 @@ static av_cold int aom_init(AVCodecContext *avctx, enccfg.g_h = avctx->height; enccfg.g_timebase.num = avctx->time_base.num; enccfg.g_timebase.den = avctx->time_base.den; - enccfg.g_threads = avctx->thread_count ? avctx->thread_count : av_cpu_count(); + enccfg.g_threads = + FFMIN(avctx->thread_count ? avctx->thread_count : av_cpu_count(), 64); if (ctx->lag_in_frames >= 0) enccfg.g_lag_in_frames = ctx->lag_in_frames; From b5229a0b3e422e0de5f0f3d06b354aa8abe901e3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 23 Jun 2019 06:46:12 +0200 Subject: [PATCH 0153/1383] movsub_bsf: Fix mov2textsub regression The mov flavour of timed text uses the first two bytes of the packet as a length field. And up until 11bef2fe said length field has been read correctly in the mov2textsub bsf. But since then the next two bytes are read as if they were the length field. This is fixed in this commit. Reviewed-by: Philip Langdale Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 800f618a340d122754e7bdb82c22463cb9bd17b0) --- libavcodec/movsub_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/movsub_bsf.c b/libavcodec/movsub_bsf.c index 5878607061..cd48aa7bb8 100644 --- a/libavcodec/movsub_bsf.c +++ b/libavcodec/movsub_bsf.c @@ -75,8 +75,8 @@ static int mov2textsub(AVBSFContext *ctx, AVPacket *pkt) return AVERROR_INVALIDDATA; } - pkt->data += 2; pkt->size = FFMIN(pkt->size - 2, AV_RB16(pkt->data)); + pkt->data += 2; return 0; } From 6a0895bdf30821ca05516040c13addc770453ef9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Mar 2019 00:39:56 +0100 Subject: [PATCH 0154/1383] avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks() Fixes: signed integer overflow: 255 + 2147483634 cannot be represented in type 'int' Fixes: 13472/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5712444142387200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ad0533e914a2618aea1dc77748037bd8459f61d) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 1aa7a4b870..4bfe6e14ad 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -828,7 +828,7 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) dst = p->data[0]; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { - int y = Y[i], u = U[i >> 1], v = V[i >> 1]; + unsigned y = Y[i], u = U[i >> 1], v = V[i >> 1]; dst[3*i+0] = av_clip_uint8(y + v); dst[3*i+1] = av_clip_uint8(y); dst[3*i+2] = av_clip_uint8(y + u); From fb3135ae97948c9dab2b68cfe8a59f35f1e7d287 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Apr 2019 16:44:53 +0200 Subject: [PATCH 0155/1383] avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation It seems the specification does not limit the value to 32bit Fixes: signed integer overflow: -109611143 * 24 cannot be represented in type 'int' Fixes: 13477/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5648337460527104 Signed-off-by: Michael Niedermayer (cherry picked from commit 837820f385af699f9bee5e2ba3169dda15e5894d) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index fd23139062..0216cf2650 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1427,7 +1427,7 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *b = s->globalmc[ref].pan_tilt; int *c = s->globalmc[ref].perspective; - int m = (1< Date: Fri, 12 Apr 2019 00:09:57 +0200 Subject: [PATCH 0156/1383] avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform() Fixes: assertion failure Fixes: 14078/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5760571284127744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 110dce96331529a13cc815d3c852aed9d37f83d0) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index b23d4af27e..19a3798718 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -488,12 +488,6 @@ static int ivi_dec_tile_data_size(GetBitContext *gb) static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs, int blk_size) { - int buf_size = band->pitch * band->aheight - buf_offs; - int min_size = (blk_size - 1) * band->pitch + blk_size; - - if (min_size > buf_size) - return AVERROR_INVALIDDATA; - band->dc_transform(prev_dc, band->buf + buf_offs, band->pitch, blk_size); @@ -724,6 +718,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, if (ret < 0) return ret; } else { + int buf_size = band->pitch * band->aheight - buf_offs; + int min_size = (blk_size - 1) * band->pitch + blk_size; + + if (min_size > buf_size) + return AVERROR_INVALIDDATA; /* block not coded */ /* for intra blocks apply the dc slant transform */ /* for inter - perform the motion compensation without delta */ From d39467262d2f34803eccf6b48560b65b37efeee4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Apr 2019 18:11:42 +0200 Subject: [PATCH 0157/1383] avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside Fixes: index 20 out of bounds for type 'const char *[4][128]' Fixes: 14367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CCAPTION_fuzzer-5718819672162304 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f17e8e90bb1fe5e4db18cc6dde9522417108c7bd) Signed-off-by: Michael Niedermayer --- libavcodec/ccaption_dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c index 09ceb1b3bf..bf3563a0bc 100644 --- a/libavcodec/ccaption_dec.c +++ b/libavcodec/ccaption_dec.c @@ -212,10 +212,10 @@ static const unsigned char pac2_attribs[32][3] = // Color, font, ident struct Screen { /* +1 is used to compensate null character of string */ - uint8_t characters[SCREEN_ROWS][SCREEN_COLUMNS+1]; - uint8_t charsets[SCREEN_ROWS][SCREEN_COLUMNS+1]; - uint8_t colors[SCREEN_ROWS][SCREEN_COLUMNS+1]; - uint8_t fonts[SCREEN_ROWS][SCREEN_COLUMNS+1]; + uint8_t characters[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; + uint8_t charsets[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; + uint8_t colors[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; + uint8_t fonts[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; /* * Bitmask of used rows; if a bit is not set, the * corresponding row is not used. From 9b4004c054964a49c7ba44583f4cee22486dd8f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 23:56:43 +0200 Subject: [PATCH 0158/1383] avformat/aadec: Check for scanf() failure Fixes: use of uninitialized variables Fixes: blank.aa Found-by: Chamal De Silva Signed-off-by: Michael Niedermayer (cherry picked from commit ed188f6dcdf0935c939ed813cf8745d50742014b) Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index d83f283ffe..e8a6b33e30 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -85,6 +85,7 @@ static int aa_read_header(AVFormatContext *s) AADemuxContext *c = s->priv_data; AVIOContext *pb = s->pb; AVStream *st; + int ret; /* parse .aa header */ avio_skip(pb, 4); // file size @@ -118,8 +119,12 @@ static int aa_read_header(AVFormatContext *s) header_seed = atoi(val); } else if (!strcmp(key, "HeaderKey")) { // this looks like "1234567890 1234567890 1234567890 1234567890" av_log(s, AV_LOG_DEBUG, "HeaderKey is <%s>\n", val); - sscanf(val, "%"SCNu32"%"SCNu32"%"SCNu32"%"SCNu32, + + ret = sscanf(val, "%"SCNu32"%"SCNu32"%"SCNu32"%"SCNu32, &header_key_part[0], &header_key_part[1], &header_key_part[2], &header_key_part[3]); + if (ret != 4) + return AVERROR_INVALIDDATA; + for (idx = 0; idx < 4; idx++) { AV_WB32(&header_key[idx * 4], header_key_part[idx]); // convert each part to BE! } From 05a90821d05f88bd0a290878d1aa2c459aed67ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 22:15:14 +0200 Subject: [PATCH 0159/1383] avformat/mov: Skip stsd adjustment without chunks Fixes: Assertion failure Fixes: clusterfuzz-testcase-minimized-media_pipeline_integration_fuzzer-5683096400822272 Found-by: Clusterfuzz Reported-by: Dan Sanders Signed-off-by: Michael Niedermayer (cherry picked from commit 18a567c369d74af5ef651b07c4c5615f5598616b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index caba256161..9c5442988c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7879,6 +7879,7 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp, } /* adjust stsd index */ + if (sc->chunk_count) { time_sample = 0; for (i = 0; i < sc->stsc_count; i++) { int64_t next = time_sample + mov_get_stsc_samples(sc, i); @@ -7890,6 +7891,7 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp, av_assert0(next == (int)next); time_sample = next; } + } return sample; } From d8bdc954579b0bb2e2b34d19e8cf3ff3d6201601 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 00:09:38 +0200 Subject: [PATCH 0160/1383] avutil/avstring: Fix bug and undefined behavior in av_strncasecmp() The function in case of n=0 would read more bytes than 0. The end pointer could be beyond the allocated space, which is undefined. Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6f0e9a863466bfcbd75ee15d4d8a6aad2a5126a4) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index f03dd25141..4c068f5bc5 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -222,12 +222,13 @@ int av_strcasecmp(const char *a, const char *b) int av_strncasecmp(const char *a, const char *b, size_t n) { - const char *end = a + n; uint8_t c1, c2; + if (n <= 0) + return 0; do { c1 = av_tolower(*a++); c2 = av_tolower(*b++); - } while (a < end && c1 && c1 == c2); + } while (--n && c1 && c1 == c2); return c1 - c2; } From d5ba641ff4dccaf2bd9b324397f23845d7521da5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2019 08:58:49 +0100 Subject: [PATCH 0161/1383] avcodec/aacdec_fixed: Fix undefined shift in noise_scale() Fixes: 13655/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5120559430500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ea211ab79d646f6d0af0945971ee55f36bfcbc9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 1bdb93f5bc..ffcffbdaaa 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -221,7 +221,7 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) } else { s = s + 32; - round = 1 << (s-1); + round = s ? 1 << (s-1) : 0; for (i=0; i> s); coefs[i] = out * ssign; From 3f950b866a839041d587bd5b91d25a35d85408b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 00:41:54 +0200 Subject: [PATCH 0162/1383] avcodec/jpeg2000: Check stepsize before using it Fixes: value 1.87633e+10 is outside the range of representable values of type 'int' Fixes: Undefined behavior Fixes: 14246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5758393601490944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06ef186fa1b7329c6fe6723372a72464c998059b) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 8e90980976..3f50bf9fb3 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -247,6 +247,11 @@ static void init_band_stepsize(AVCodecContext *avctx, } } + if (band->f_stepsize > (INT_MAX >> 15)) { + band->f_stepsize = 0; + av_log(avctx, AV_LOG_ERROR, "stepsize out of range\n"); + } + band->i_stepsize = band->f_stepsize * (1 << 15); /* FIXME: In OpenJPEG code stepsize = stepsize * 0.5. Why? From 08d736d5363e1ad9210f2067de3bedc9a9229b45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Apr 2019 19:18:08 +0200 Subject: [PATCH 0163/1383] avcodec/gdv: Check input palette size before rescale() Fixes: Timeout (22sec -> 11sec) Fixes: 13576/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5681024577568768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f857753f56f86046d454969e33ba85b3bac99be2) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index e946bd61df..f46bc28210 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -475,6 +475,8 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data, if (pal && pal_size == AVPALETTE_SIZE) memcpy(gdv->pal, pal, AVPALETTE_SIZE); + if (compression < 2 && bytestream2_get_bytes_left(gb) < 256*3) + return AVERROR_INVALIDDATA; rescale(gdv, gdv->frame, avctx->width, avctx->height, !!(flags & 0x10), !!(flags & 0x20)); @@ -482,8 +484,6 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data, case 1: memset(gdv->frame + PREAMBLE_SIZE, 0, gdv->frame_size - PREAMBLE_SIZE); case 0: - if (bytestream2_get_bytes_left(gb) < 256*3) - return AVERROR_INVALIDDATA; for (i = 0; i < 256; i++) { unsigned r = bytestream2_get_byte(gb); unsigned g = bytestream2_get_byte(gb); From 5ea8ce3b37747b0e255d40b486c20943262c2334 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Apr 2019 01:05:44 +0200 Subject: [PATCH 0164/1383] avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block() Fixes: signed integer overflow: -2147483648 + -1 cannot be represented in type 'int' Fixes: 14107/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5694078680825856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4a1b8d409639b2394589efe20ad55410cce391c) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 4bfe6e14ad..60354fd4a0 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -678,8 +678,8 @@ static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int b /* update chroma */ for (j = 0; j < 2; j++) { for (i = 0; i < 2; i++) { - U[i] = Uo[i] + GET_TOK(ctx, TM2_UPD); - V[i] = Vo[i] + GET_TOK(ctx, TM2_UPD); + U[i] = Uo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); + V[i] = Vo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); } U += Ustride; V += Vstride; From 0060dc62f1aa059527a6d48a36c2f3ab1c5dc26b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 May 2019 00:15:33 +0200 Subject: [PATCH 0165/1383] avcodec/jvdec: Use ff_get_buffer() when the content is not reused Fixes: Timeout (11sec -> 5sec) Fixes: 14473/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JV_fuzzer-5761630857592832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 09edcd35726c9ebea8a175b54dfe05483f7154f2) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 4337d5681e..b06e7cf2bf 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -163,13 +163,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size); return AVERROR_INVALIDDATA; } - if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) - return ret; if (video_type == 0 || video_type == 1) { GetBitContext gb; init_get_bits(&gb, buf, 8 * video_size); + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) + return ret; + if (avctx->height/8 * (avctx->width/8) > 4 * video_size) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n"); return AVERROR_INVALIDDATA; @@ -184,6 +185,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += video_size; } else if (video_type == 2) { int v = *buf++; + + av_frame_unref(s->frame); + if ((ret = ff_get_buffer(avctx, s->frame, AV_GET_BUFFER_FLAG_REF)) < 0) + return ret; + for (j = 0; j < avctx->height; j++) memset(s->frame->data[0] + j * s->frame->linesize[0], v, avctx->width); From 8c9e131d3a1eabb9bd181ff6ecac453e88dcf813 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2019 18:38:33 +0200 Subject: [PATCH 0166/1383] avcodec/fits: Check bitpix Reference: Table 8: Interpretation of valid BITPIX value from FITS standard 4.0 Fixes: runtime error: division by zero Fixes: 14581/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5652382425284608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0b5c93b276a14d1990aaabd77410a562f4b242c3) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index 365347fc64..ad73ab70de 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -138,6 +138,17 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t case STATE_BITPIX: CHECK_KEYWORD("BITPIX"); CHECK_VALUE("BITPIX", bitpix); + + switch(header->bitpix) { + case 8: + case 16: + case 32: case -32: + case 64: case -64: break; + default: + av_log(avcl, AV_LOG_ERROR, "invalid value of BITPIX %d\n", header->bitpix); \ + return AVERROR_INVALIDDATA; + } + dict_set_if_not_null(metadata, keyword, value); header->state = STATE_NAXIS; From 85578838cbc0d86baac9713b2cc47054e55d1a8e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 20 Apr 2019 00:03:14 +0200 Subject: [PATCH 0167/1383] lavf/webm_chunk: Respect buffer size The last argument of av_strlcpy is supposed to contain the size of the destination buffer, but it was filled with the size of the source string, effectively negating its very purpose. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 73ef1f47f59333328264a968c8fbbcfb0bf0643f) Signed-off-by: Michael Niedermayer --- libavformat/webm_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index 7ceb276fc4..f60696e3ad 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -96,7 +96,7 @@ static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) av_log(oc, AV_LOG_ERROR, "No header filename provided\n"); return AVERROR(EINVAL); } - av_strlcpy(filename, wc->header_filename, strlen(wc->header_filename) + 1); + av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE); } else { if (av_get_frame_filename(filename, MAX_FILENAME_SIZE, s->url, wc->chunk_index - 1) < 0) { From 1d015d840b47643562541fdffd325b8d6622a436 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2019 23:05:47 +0200 Subject: [PATCH 0168/1383] avcodec/hq_hqa: Check available space before reading slice offsets Fixes: Timeout (43sec -> 18sec) Fixes: 14556/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5673543024508928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 407e7c34ca8a3047e4f1b14287053638b4add68d) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index ec9da3e04f..90bafdc72a 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -248,6 +248,9 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size) int width, height, quant; const uint8_t *src = ctx->gbc.buffer; + if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1)) + return AVERROR_INVALIDDATA; + width = bytestream2_get_be16(&ctx->gbc); height = bytestream2_get_be16(&ctx->gbc); From b6529605cefbf65425896d7811083f86b10ed3a2 Mon Sep 17 00:00:00 2001 From: Adam Richter Date: Sun, 12 May 2019 05:03:25 -0700 Subject: [PATCH 0169/1383] libswcale: Fix possible string overflow in test. In libswcale/tests/swcale.c, the function fileTest() calls sscanf in an argument of "%12s" on character srcStr[] and dstStr[], which are only 12 bytes. So, if the input string is 12 characters, a terminating null byte can be written past the end of these arrays. This bug was found by cppcheck. Signed-off-by: Michael Niedermayer (cherry picked from commit b8ed4930618b170de57a9086e1e9892216454684) Signed-off-by: Michael Niedermayer --- libswscale/tests/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index e72c4c3306..cb731f6211 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -312,10 +312,10 @@ static int fileTest(const uint8_t * const ref[4], int refStride[4], while (fgets(buf, sizeof(buf), fp)) { struct Results r; enum AVPixelFormat srcFormat; - char srcStr[12]; + char srcStr[13]; int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; - char dstStr[12]; + char dstStr[13]; int dstW = 0, dstH = 0; int flags; int ret; From 0a0f052868d33b7660bdebe47cf612ffdfee9be2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2019 12:50:38 +0200 Subject: [PATCH 0170/1383] swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes Some formats use longer names than 12. Signed-off-by: Michael Niedermayer (cherry picked from commit 9d269301f017657c3ae2e95a411317640acd39a8) Signed-off-by: Michael Niedermayer --- libswscale/tests/swscale.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index cb731f6211..19878a7877 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -312,22 +312,22 @@ static int fileTest(const uint8_t * const ref[4], int refStride[4], while (fgets(buf, sizeof(buf), fp)) { struct Results r; enum AVPixelFormat srcFormat; - char srcStr[13]; + char srcStr[21]; int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; - char dstStr[13]; + char dstStr[21]; int dstW = 0, dstH = 0; int flags; int ret; ret = sscanf(buf, - " %12s %dx%d -> %12s %dx%d flags=%d CRC=%x" + " %20s %dx%d -> %20s %dx%d flags=%d CRC=%x" " SSD=%"SCNu64 ", %"SCNu64 ", %"SCNu64 ", %"SCNu64 "\n", srcStr, &srcW, &srcH, dstStr, &dstW, &dstH, &flags, &r.crc, &r.ssdY, &r.ssdU, &r.ssdV, &r.ssdA); if (ret != 12) { srcStr[0] = dstStr[0] = 0; - ret = sscanf(buf, "%12s -> %12s\n", srcStr, dstStr); + ret = sscanf(buf, "%20s -> %20s\n", srcStr, dstStr); } srcFormat = av_get_pix_fmt(srcStr); From 7ffd2ae87eaa7cda08bdd14bd593c2911f959994 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2019 17:42:04 +0200 Subject: [PATCH 0171/1383] avcodec/cpia: Check input size also against linesizes and EOL Fixes: Timeout (14sec -> 29ms) Fixes: 14733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5707022445576192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Carl Eugen Hoyos Signed-off-by: Michael Niedermayer (cherry picked from commit 3c0bfa7d1a90a22d5fe8daa415cc689c111562f1) Signed-off-by: Michael Niedermayer --- libavcodec/cpia.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cpia.c b/libavcodec/cpia.c index 58833b2f26..f6d7332606 100644 --- a/libavcodec/cpia.c +++ b/libavcodec/cpia.c @@ -63,7 +63,7 @@ static int cpia_decode_frame(AVCodecContext *avctx, uint8_t *y, *u, *v, *y_end, *u_end, *v_end; // Check header - if ( avpkt->size < FRAME_HEADER_SIZE + if ( avpkt->size < FRAME_HEADER_SIZE + avctx->height * 3 || header[0] != MAGIC_0 || header[1] != MAGIC_1 || (header[17] != SUBSAMPLE_420 && header[17] != SUBSAMPLE_422) || (header[18] != YUVORDER_YUYV && header[18] != YUVORDER_UYVY) From fd05665f9c9997cc43275be1befe81806a1a79d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 May 2019 20:45:14 +0200 Subject: [PATCH 0172/1383] avformat/webm_chunk: Check header filename length Signed-off-by: Michael Niedermayer (cherry picked from commit 3b5b977c9f96e2c3803317ad75253801bc571791) Signed-off-by: Michael Niedermayer --- libavformat/webm_chunk.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index f60696e3ad..a11036634c 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -92,11 +92,16 @@ static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) return AVERROR(EINVAL); } if (is_header) { + int len; if (!wc->header_filename) { av_log(oc, AV_LOG_ERROR, "No header filename provided\n"); return AVERROR(EINVAL); } - av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE); + len = av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE); + if (len >= MAX_FILENAME_SIZE) { + av_log(oc, AV_LOG_ERROR, "Header filename too long\n"); + return AVERROR(EINVAL); + } } else { if (av_get_frame_filename(filename, MAX_FILENAME_SIZE, s->url, wc->chunk_index - 1) < 0) { From 75501f90fd203949903ba103e5f719e1530e1444 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 May 2019 20:36:18 +0200 Subject: [PATCH 0173/1383] avformat/webm_chunk: Specify expected argument length of get_chunk_filename() Signed-off-by: Michael Niedermayer (cherry picked from commit 1a74b04737f08e2e11a02ada280407889f6cadb1) Signed-off-by: Michael Niedermayer --- libavformat/webm_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index a11036634c..5590e1d5bb 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -84,7 +84,7 @@ static int chunk_mux_init(AVFormatContext *s) return 0; } -static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) +static int get_chunk_filename(AVFormatContext *s, int is_header, char filename[MAX_FILENAME_SIZE]) { WebMChunkContext *wc = s->priv_data; AVFormatContext *oc = wc->avf; From 57e9b3cac1b646967ef4c228b1463338e403ee52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2019 00:31:24 +0200 Subject: [PATCH 0174/1383] avcodec/truemotion2: Fix several integer overflows in tm2_update_block() Fixes: signed integer overflow: -1877966852 + -469491713 cannot be represented in type 'int' Fixes: 14561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5167608359288832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8eecf761a65baf4ce6f25c0a149819cc9414c0f0) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 60354fd4a0..8936741c6c 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -692,15 +692,15 @@ static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int b TM2_RECALC_BLOCK(V, Vstride, (clast + 2), (ctx->CD + 2)); /* update deltas */ - ctx->D[0] = Yo[3] - last[3]; - ctx->D[1] = Yo[3 + oYstride] - Yo[3]; - ctx->D[2] = Yo[3 + oYstride * 2] - Yo[3 + oYstride]; - ctx->D[3] = Yo[3 + oYstride * 3] - Yo[3 + oYstride * 2]; + ctx->D[0] = (unsigned)Yo[3] - last[3]; + ctx->D[1] = (unsigned)Yo[3 + oYstride] - Yo[3]; + ctx->D[2] = (unsigned)Yo[3 + oYstride * 2] - Yo[3 + oYstride]; + ctx->D[3] = (unsigned)Yo[3 + oYstride * 3] - Yo[3 + oYstride * 2]; for (j = 0; j < 4; j++) { d = last[3]; for (i = 0; i < 4; i++) { - Y[i] = Yo[i] + GET_TOK(ctx, TM2_UPD); + Y[i] = Yo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); last[i] = Y[i]; } ctx->D[j] = last[3] - d; From 3760f17e9b867ea6f31b06899982714736816cf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 May 2019 12:12:29 +0200 Subject: [PATCH 0175/1383] avformat/mp3enc: Avoid SEEK_END as it is unsupported Signed-off-by: Michael Niedermayer (cherry picked from commit bf3ee6a13053d37a0c5022a324624e89f0bce8c5) Signed-off-by: Michael Niedermayer --- libavformat/mp3enc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index dd662f5473..f4814be80e 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -391,6 +391,7 @@ static void mp3_update_xing(AVFormatContext *s) uint16_t tag_crc; uint8_t *toc; int i, rg_size; + int64_t old_pos = avio_tell(s->pb); /* replace "Xing" identification string with "Info" for CBR files. */ if (!mp3->has_variable_bitrate) @@ -450,7 +451,7 @@ static void mp3_update_xing(AVFormatContext *s) avio_seek(s->pb, mp3->xing_frame_offset, SEEK_SET); avio_write(s->pb, mp3->xing_frame, mp3->xing_frame_size); - avio_seek(s->pb, 0, SEEK_END); + avio_seek(s->pb, old_pos, SEEK_SET); } static int mp3_write_trailer(struct AVFormatContext *s) From a527b49cb927fb1dcbb305b345479979a71e0478 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2019 11:03:59 +0200 Subject: [PATCH 0176/1383] avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify (cherry picked from commit 3d5863d73915748013975cac8d2148c5fc3d01c3) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index ffcffbdaaa..35425bd468 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -195,12 +195,12 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) static void noise_scale(int *coefs, int scale, int band_energy, int len) { - int ssign = scale < 0 ? -1 : 1; - int s = FFABS(scale); + int s = -scale; unsigned int round; int i, out, c = exp2tab[s & 3]; int nlz = 0; + av_assert0(s >= 0); while (band_energy > 0x7fff) { band_energy >>= 1; nlz++; @@ -216,7 +216,7 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) round = s ? 1 << (s-1) : 0; for (i=0; i> 32); - coefs[i] = ((int)(out+round) >> s) * ssign; + coefs[i] = -((int)(out+round) >> s); } } else { @@ -224,7 +224,7 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) round = s ? 1 << (s-1) : 0; for (i=0; i> s); - coefs[i] = out * ssign; + coefs[i] = -out; } } } From 11f5eb0f16378581171ca3068ea7e751947f43a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2019 11:55:43 +0200 Subject: [PATCH 0177/1383] avcodec/aacdec_template: Merge 3 #ifs related to noise handling Fewer #if and fewer lines Signed-off-by: Michael Niedermayer (cherry picked from commit bc33c99d56791fc26ccafb49512b59e38b99ca12) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index dce6035d67..e88a26fda9 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1673,25 +1673,24 @@ static int decode_spectrum_and_dequant(AACContext *ac, INTFLOAT coef[1024], } } else if (cbt_m1 == NOISE_BT - 1) { for (group = 0; group < (AAC_SIGNE)g_len; group++, cfo+=128) { -#if !USE_FIXED - float scale; -#endif /* !USE_FIXED */ INTFLOAT band_energy; - +#if USE_FIXED for (k = 0; k < off_len; k++) { ac->random_state = lcg_random(ac->random_state); -#if USE_FIXED cfo[k] = ac->random_state >> 3; -#else - cfo[k] = ac->random_state; -#endif /* USE_FIXED */ } -#if USE_FIXED band_energy = ac->fdsp->scalarproduct_fixed(cfo, cfo, off_len); band_energy = fixed_sqrt(band_energy, 31); noise_scale(cfo, sf[idx], band_energy, off_len); #else + float scale; + + for (k = 0; k < off_len; k++) { + ac->random_state = lcg_random(ac->random_state); + cfo[k] = ac->random_state; + } + band_energy = ac->fdsp->scalarproduct_float(cfo, cfo, off_len); scale = sf[idx] / sqrtf(band_energy); ac->fdsp->vector_fmul_scalar(cfo, cfo, scale, off_len); From 42245d49a4ad76b84e62aa1f7d2eca5b15534fbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2019 12:00:18 +0200 Subject: [PATCH 0178/1383] avcodec/aacdec_fixed: Handle more extreem cases in noise_scale() Its unclear if these cases have any relevance in real files Fixes: shift exponent -2 is negative Fixes: 14489/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5681941631729664 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d14663f8345a84613b1ec041fd65e4a90057320) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 35425bd468..411d96d5a6 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -221,10 +221,15 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) } else { s = s + 32; - round = s ? 1 << (s-1) : 0; - for (i=0; i> s); - coefs[i] = -out; + if (s > 0) { + round = 1 << (s-1); + for (i=0; i> s); + coefs[i] = -out; + } + } else { + for (i=0; i Date: Sat, 18 May 2019 10:37:26 +0200 Subject: [PATCH 0179/1383] avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure) Fixes: NULL pointer dereference Fixes: 14723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5654612436058112 Fixes: 14724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5712607111020544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf3156e762bbd3fbaf9da53f3ef1ea6d1bad2ec5) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index e88a26fda9..05505c0359 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2492,6 +2492,9 @@ static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns, INTFLOAT tmp[TNS_MAX_ORDER+1]; UINTFLOAT *coef = coef_param; + if(!mmm) + return; + for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; for (filt = 0; filt < tns->n_filt[w]; filt++) { From eed8561f7cb845aa6df8daf4abf1945be18a4930 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2019 23:28:49 +0200 Subject: [PATCH 0180/1383] avcodec/vmnc: Check available space against chunks before reget_buffer() Fixes: Timeout (16sec -> 60ms) Fixes: 14673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMNC_fuzzer-5640217517621248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 279d9a84af37cc1a7cf79c1cd667105eeb948611) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 30b1414e49..e273043311 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -333,11 +333,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *outptr; int dx, dy, w, h, depth, enc, chunks, res, size_left, ret; + bytestream2_init(gb, buf, buf_size); + bytestream2_skip(gb, 2); + chunks = bytestream2_get_be16(gb); + if (12LL * chunks > bytestream2_get_bytes_left(gb)) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) return ret; - bytestream2_init(gb, buf, buf_size); - c->pic->key_frame = 0; c->pic->pict_type = AV_PICTURE_TYPE_P; @@ -369,8 +373,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } } - bytestream2_skip(gb, 2); - chunks = bytestream2_get_be16(gb); + while (chunks--) { if (bytestream2_get_bytes_left(gb) < 12) { av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n"); From 04c3e3d4e257a7e46e7e699f5d26f849837f907d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 May 2019 02:01:33 +0200 Subject: [PATCH 0181/1383] avcodec/diracdec: Fix integer overflow in global_mv() Fixes: signed integer overflow: 16384 * 196607 cannot be represented in type 'int' Fixes: 14810/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5091232683917312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a99ffb5bb4454c625748972d9389cfaa5433a342) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 0216cf2650..a5489094cf 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1428,8 +1428,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From 43afeaa08652543fd44f993001b2be01aca122a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2019 01:33:03 +0200 Subject: [PATCH 0182/1383] avcodec/dxv: Check op_offset in dxv_decompress_cocg() Fixes: signed integer overflow: -2147483648 - 12 cannot be represented in type 'int' Fixes: 14732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5735273129836544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e520843dd76a644c019134ac7b17eba9f1118b3) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index aef5ec19dd..7ae3315493 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -743,6 +743,9 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, int skip0, skip1, oi0 = 0, oi1 = 0; int ret, state0 = 0, state1 = 0; + if (op_offset < 12) + return AVERROR_INVALIDDATA; + dst = tex_data; bytestream2_skip(gb, op_offset - 12); if (op_size0 > max_op_size0) From f021c40c30564d08215d3014cd4ae336588c0b4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 May 2019 14:29:43 +0200 Subject: [PATCH 0183/1383] avcodec/mss4: Check input size against skip bits Fixes: Timeout (17sec -> 20ms) Fixes: 14615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5093007763701760 Fixes: 14797/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5651696119709696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0fef412dffb74fef3494f7fae0c138c32a444484) Signed-off-by: Michael Niedermayer --- libavcodec/mss4.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/mss4.c b/libavcodec/mss4.c index b58c21be93..76c746a2d5 100644 --- a/libavcodec/mss4.c +++ b/libavcodec/mss4.c @@ -552,6 +552,11 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, "Empty frame found but it is not a skip frame.\n"); return AVERROR_INVALIDDATA; } + mb_width = FFALIGN(width, 16) >> 4; + mb_height = FFALIGN(height, 16) >> 4; + + if (frame_type != SKIP_FRAME && 8*buf_size < 8*HEADER_SIZE + mb_width*mb_height) + return AVERROR_INVALIDDATA; if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) return ret; @@ -574,9 +579,6 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if ((ret = init_get_bits8(&gb, buf + HEADER_SIZE, buf_size - HEADER_SIZE)) < 0) return ret; - - mb_width = FFALIGN(width, 16) >> 4; - mb_height = FFALIGN(height, 16) >> 4; dst[0] = c->pic->data[0]; dst[1] = c->pic->data[1]; dst[2] = c->pic->data[2]; From 66cbac4a0bdbb84b5f5eae4a5a821796e31623cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2019 23:17:35 +0200 Subject: [PATCH 0184/1383] avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle Fixes: signed integer overflow: -2142516591 + -267814575 cannot be represented in type 'int' Fixes: 14450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5716105319940096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 4896fa18add7636ea9986edde51493331f1fb01e) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index 34ffe3b1fe..e03a05555d 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -296,7 +296,8 @@ int ff_h264_init_poc(int pic_field_poc[2], int *pic_poc, if (picture_structure == PICT_FRAME) field_poc[1] += pc->delta_poc_bottom; } else if (sps->poc_type == 1) { - int abs_frame_num, expected_delta_per_poc_cycle, expectedpoc; + int abs_frame_num; + int64_t expected_delta_per_poc_cycle, expectedpoc; int i; if (sps->poc_cycle_length != 0) From c4a14a630328b45d8b98309056d88563c7fef0c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2019 23:18:34 +0200 Subject: [PATCH 0185/1383] avcodec/interplayvideo: check decoding_map_size with video_data_size Fixes: Timeout (90543 ms -> 59 ms) Fixes: 14721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer-5697492148027392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 914d6a7c1a7a1850b4053847a784b174c9146c55) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index deaa09cba6..4313fdf7ac 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -1260,7 +1260,7 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2; s->decoding_map = buf + 8 + 14; /* 14 bits of op data */ video_data_size -= s->decoding_map_size + 14; - if (video_data_size <= 0) + if (video_data_size <= 0 || s->decoding_map_size == 0) return AVERROR_INVALIDDATA; if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size) From 1a022c66c827d8f3192c6c1d1dca0c679b8cff92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Jun 2019 19:06:07 +0200 Subject: [PATCH 0186/1383] avcodec/mjpegdec: Check for non ls PAL8 Fixes: Null-dereference READ in av_malloc Fixes: 15002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5643474625363968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 442375fee7f1fb15e42fbc128dc38bdfcc2cc105) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 53598fdb3c..d61a69b437 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -704,7 +704,9 @@ unk_pixfmt: } if ((s->rgb && !s->lossless && !s->ls) || - (!s->rgb && s->ls && s->nb_components > 1)) { + (!s->rgb && s->ls && s->nb_components > 1) || + (s->avctx->pix_fmt == AV_PIX_FMT_PAL8 && !s->ls) + ) { av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n"); return AVERROR_PATCHWELCOME; } From a2ebfb6afe9df2fa51d0ece0a205638fe6e1b832 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Jun 2019 23:14:13 +0200 Subject: [PATCH 0187/1383] avformat/vpk: Fix integer overflow in samples_per_block computation Fixes: signed integer overflow: 84026453 * 28 cannot be represented in type 'int' Fixes: 15111/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5675630072430592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c6c4129b4cc3b9e0b3a527a5a15c904ec6ae3b6) Signed-off-by: Michael Niedermayer --- libavformat/vpk.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/vpk.c b/libavformat/vpk.c index bb9eabb2ba..0a058b9d7f 100644 --- a/libavformat/vpk.c +++ b/libavformat/vpk.c @@ -56,12 +56,12 @@ static int vpk_read_header(AVFormatContext *s) st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; st->codecpar->block_align = avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); - if (st->codecpar->sample_rate <= 0) + if (st->codecpar->sample_rate <= 0 || st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; st->codecpar->channels = avio_rl32(s->pb); if (st->codecpar->channels <= 0) return AVERROR_INVALIDDATA; - samples_per_block = ((st->codecpar->block_align / st->codecpar->channels) * 28) / 16; + samples_per_block = ((st->codecpar->block_align / st->codecpar->channels) * 28LL) / 16; if (samples_per_block <= 0) return AVERROR_INVALIDDATA; vpk->block_count = (st->duration + (samples_per_block - 1)) / samples_per_block; From e73ef454e89dcce85fbc8c12ccb5c6b73c7a343c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Jun 2019 23:17:18 +0200 Subject: [PATCH 0188/1383] avformat/vpk: Check offset for validity Signed-off-by: Michael Niedermayer (cherry picked from commit aa003019ab9ec5ef7e7b3ff9d6262d3472b427eb) Signed-off-by: Michael Niedermayer --- libavformat/vpk.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/vpk.c b/libavformat/vpk.c index 0a058b9d7f..64a0d56926 100644 --- a/libavformat/vpk.c +++ b/libavformat/vpk.c @@ -66,6 +66,9 @@ static int vpk_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; vpk->block_count = (st->duration + (samples_per_block - 1)) / samples_per_block; vpk->last_block_size = (st->duration % samples_per_block) * 16 * st->codecpar->channels / 28; + + if (offset < avio_tell(s->pb)) + return AVERROR_INVALIDDATA; avio_skip(s->pb, offset - avio_tell(s->pb)); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 837e9e8898f3110cc6328d35ca77eda4fc630820 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Jun 2019 23:20:49 +0200 Subject: [PATCH 0189/1383] avformat/sbgdec: Fixes integer overflow in str_to_time() with hours Fixes: signed integer overflow: 904444 * 3600 cannot be represented in type 'int' Fixes: 15113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5764083346833408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0f23b9d647ad84e0351b43ca4b552add00c8dc) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index cbedd120fb..1541836439 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -197,7 +197,7 @@ static int str_to_time(const char *str, int64_t *rtime) if (end > cur + 1) cur = end; } - *rtime = (hours * 3600 + minutes * 60 + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL + seconds) * AV_TIME_BASE; return cur - str; } From ec23fe0fd908e78b0bf23cf2b880dcb7a7c5640a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Jun 2019 12:18:54 +0200 Subject: [PATCH 0190/1383] avcodec/bitstream: Check for integer code truncation in build_table() Fixes: out of array read Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e78b0f83748f92ea9e93b21c36082e0dd04d7cb1) Signed-off-by: Michael Niedermayer --- libavcodec/bitstream.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index ed528fe4af..218412bb9b 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -226,6 +226,10 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, /* note: realloc has been done, so reload tables */ table = (volatile VLC_TYPE (*)[2])&vlc->table[table_index]; table[j][0] = index; //code + if (table[j][0] != index) { + avpriv_request_sample(NULL, "strange codes"); + return AVERROR_PATCHWELCOME; + } i = k-1; } } From 0ccdabffd7890402a290b53ab3908bfbd4991f71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Jun 2019 12:18:54 +0200 Subject: [PATCH 0191/1383] avcodec/bitstream: Check for more conflicting codes in build_table() Fixes: out of array read Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a7e3b271fc9a91c5d2e4df32e70e525c15c6d3ef) Signed-off-by: Michael Niedermayer --- libavcodec/bitstream.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 218412bb9b..32f3055a6f 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -188,8 +188,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, } for (k = 0; k < nb; k++) { int bits = table[j][1]; + int oldsym = table[j][0]; ff_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n); - if (bits != 0 && bits != n) { + if ((bits || oldsym) && (bits != n || oldsym != symbol)) { av_log(NULL, AV_LOG_ERROR, "incorrect codes\n"); return AVERROR_INVALIDDATA; } From f487aa964b4e4fcdea8ae2e899d31494ede8c3cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 01:20:19 +0200 Subject: [PATCH 0192/1383] avformat/wtvdec: Avoid (32bit signed) sectors Fixes: left shift of negative value -14614752 Fixes: 15174/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5670543606415360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit dd357d76e5faf3ce6fc46ffb924cf30f1cb54af9) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 301163bdcb..b9648c02d6 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -149,7 +149,7 @@ static int read_ints(AVIOContext *pb, uint32_t *data, int count) * @param depth File allocation table depth * @return NULL on error */ -static AVIOContext * wtvfile_open_sector(int first_sector, uint64_t length, int depth, AVFormatContext *s) +static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int depth, AVFormatContext *s) { AVIOContext *pb; WtvFile *wf; @@ -957,7 +957,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p static int read_header(AVFormatContext *s) { WtvContext *wtv = s->priv_data; - int root_sector, root_size; + unsigned root_sector; + int root_size; uint8_t root[WTV_SECTOR_SIZE]; AVIOContext *pb; int64_t timeline_pos; From 6e26b1b0b18df60f77f6c0878438783a8b851f6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 21:52:24 +0200 Subject: [PATCH 0193/1383] avcodec/bink: Reorder operations in init to avoid memleak on error Fixes: Direct leak of 536 byte(s) in 1 object(s) Fixes: 15266/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5629530426834944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 2603f25d326476a83f5d093b522590b05b6e703b) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 9c17dedcba..a0784f9482 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1335,13 +1335,13 @@ static av_cold int decode_init(AVCodecContext *avctx) } c->avctx = avctx; + if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0) + return ret; + c->last = av_frame_alloc(); if (!c->last) return AVERROR(ENOMEM); - if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0) - return ret; - avctx->pix_fmt = c->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; avctx->color_range = c->version == 'k' ? AVCOL_RANGE_JPEG : AVCOL_RANGE_MPEG; From a56b96a3dade2552efd13a30d395c135fab7f8cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Jun 2019 23:16:40 +0200 Subject: [PATCH 0194/1383] avcodec/fmvc: Check if header fields are available before allocating the image Fixes: Timeout (15sec -> 0.5sec) Fixes: 14846/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FMVC_fuzzer-5068322120400896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 561cc161ca617c1b8d48fef0f02d56c0f1af0486) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5778d7b53f..5bee96a18d 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -402,6 +402,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, AVFrame *frame = data; int ret, y, x; + if (avpkt->size < 8) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; From 0789b6295bbf343ef07bb6629ff19aaf1de49ed7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2019 09:27:49 +0200 Subject: [PATCH 0195/1383] avformat/wsddec: Fix undefined shift Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15123/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5738039235575808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 112eb17a2bbf6d02f81fdf0743b353a6b010aedc) Signed-off-by: Michael Niedermayer --- libavformat/wsddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wsddec.c b/libavformat/wsddec.c index 81a4dcc71e..a6bddec138 100644 --- a/libavformat/wsddec.c +++ b/libavformat/wsddec.c @@ -137,7 +137,7 @@ static int wsd_read_header(AVFormatContext *s) if (!(channel_assign & 1)) { int i; for (i = 1; i < 32; i++) - if (channel_assign & (1 << i)) + if ((channel_assign >> i) & 1) st->codecpar->channel_layout |= wsd_to_av_channel_layoyt(s, i); } From 45d3ba9e5f57761a56f08f743f8ba9a137fca623 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2019 10:48:41 +0200 Subject: [PATCH 0196/1383] avformat/icodec: Free ico->images on error paths Fixes: 15116/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5715173567889408 Fixes: memleak Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54918b51161610a364de697b80acb9583eecf41b) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index f33fa1195b..00c03d409c 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -96,8 +96,10 @@ static int read_header(AVFormatContext *s) break; st = avformat_new_stream(s, NULL); - if (!st) + if (!st) { + av_freep(&ico->images); return AVERROR(ENOMEM); + } st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; st->codecpar->width = avio_r8(pb); @@ -111,6 +113,7 @@ static int read_header(AVFormatContext *s) ico->images[i].size = avio_rl32(pb); if (ico->images[i].size <= 0) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); + av_freep(&ico->images); return AVERROR_INVALIDDATA; } ico->images[i].offset = avio_rl32(pb); @@ -126,8 +129,10 @@ static int read_header(AVFormatContext *s) st->codecpar->height = 0; break; case 40: - if (ico->images[i].size < 40) + if (ico->images[i].size < 40) { + av_freep(&ico->images); return AVERROR_INVALIDDATA; + } st->codecpar->codec_id = AV_CODEC_ID_BMP; tmp = avio_rl32(pb); if (tmp) @@ -138,6 +143,7 @@ static int read_header(AVFormatContext *s) break; default: avpriv_request_sample(s, "codec %d", codec); + av_freep(&ico->images); return AVERROR_INVALIDDATA; } } From 4d2343825c04fdf0433678da2d58d6f342124e3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 20:05:15 +0200 Subject: [PATCH 0197/1383] avcodec/iff: Fix mask_buf / mask_palbuf leak Fixes: 15372/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5708881759567872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 92e8db532cdee3c73913174413428ffdc35032e2) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 33cf2e3a94..b43bd507b3 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -371,6 +371,8 @@ static av_cold int decode_end(AVCodecContext *avctx) av_freep(&s->planebuf); av_freep(&s->ham_buf); av_freep(&s->ham_palbuf); + av_freep(&s->mask_buf); + av_freep(&s->mask_palbuf); av_freep(&s->video[0]); av_freep(&s->video[1]); av_freep(&s->pal); From 8ba9b195e7780f86260d3eb2023504dac10e7277 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 21:17:52 +0200 Subject: [PATCH 0198/1383] avcodec/iff: finetune the palette size check in the mask case Fixes: out of array access Fixes: 15381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5668057826983936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 0f9789c8e37eb6d166729e876729beb21b7d5647) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index b43bd507b3..4099d118e4 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1514,7 +1514,7 @@ static int decode_frame(AVCodecContext *avctx, buf_size -= bytestream2_tell(gb); desc = av_pix_fmt_desc_get(avctx->pix_fmt); - if (!s->init && avctx->bits_per_coded_sample <= 8 && + if (!s->init && avctx->bits_per_coded_sample <= 8 - (s->masking == MASK_HAS_MASK) && avctx->pix_fmt == AV_PIX_FMT_PAL8) { if ((res = cmap_read_palette(avctx, (uint32_t *)frame->data[1])) < 0) return res; From ef73b0da2df22f5f589692961d17d2294cd2a457 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 19:45:50 +0200 Subject: [PATCH 0199/1383] avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block() Fixes: signed integer overflow: -1727985666 - 538976288 cannot be represented in type 'int' Fixes: 15031/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5100228035739648 Signed-off-by: Michael Niedermayer (cherry picked from commit 3aecd0170413c7e56f19de4e34d093a2c4027c2a) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 8936741c6c..e1e9f63397 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -672,7 +672,7 @@ static inline void tm2_still_block(TM2Context *ctx, AVFrame *pic, int bx, int by static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int by) { int i, j; - int d; + unsigned d; TM2_INIT_POINTERS_2(); /* update chroma */ From 26605408f1aaf212d966277ece9dc6ce73ce5a1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 15:00:14 +0200 Subject: [PATCH 0200/1383] avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c() Fixes: signed integer overflow: -1539565182 + -798086761 cannot be represented in type 'int' Fixes: 14807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-564925382682214 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f8f5668df590d853429586e1f95cbd9cee38920e) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 5f4be017d5..eef8adc7e2 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -54,10 +54,10 @@ static void ps_hybrid_analysis_c(INTFLOAT (*out)[2], INTFLOAT (*in)[2], INT64FLOAT sum_im = (INT64FLOAT)filter[i][6][0] * in[6][1]; for (j = 0; j < 6; j++) { - INTFLOAT in0_re = in[j][0]; - INTFLOAT in0_im = in[j][1]; - INTFLOAT in1_re = in[12-j][0]; - INTFLOAT in1_im = in[12-j][1]; + INT64FLOAT in0_re = in[j][0]; + INT64FLOAT in0_im = in[j][1]; + INT64FLOAT in1_re = in[12-j][0]; + INT64FLOAT in1_im = in[12-j][1]; sum_re += (INT64FLOAT)filter[i][j][0] * (in0_re + in1_re) - (INT64FLOAT)filter[i][j][1] * (in0_im - in1_im); sum_im += (INT64FLOAT)filter[i][j][0] * (in0_im + in1_im) + From c0e3f54ec061629d79549ee4855c8b4f844d3ad1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 16:08:03 +0200 Subject: [PATCH 0201/1383] avcodec/fitsdec: Fix division by 0 in size check Fixes: division by zero Fixes: 15210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5746033243455488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07ffe94c172041cfb03109b9bb6b8bf577332bda) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index b0753813c9..67a8bd71f4 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -143,7 +143,7 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead size = abs(header->bitpix) >> 3; for (i = 0; i < header->naxis; i++) { - if (header->naxisn[i] > SIZE_MAX / size) { + if (size && header->naxisn[i] > SIZE_MAX / size) { av_log(avctx, AV_LOG_ERROR, "unsupported size of FITS image"); return AVERROR_INVALIDDATA; } From 529a719a25e2949e80a4efee7880e3cf314cb98e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jun 2019 20:13:34 +0200 Subject: [PATCH 0202/1383] avcodec/xpmdec: Do not use context dimensions as temporary variables Fixes: Integer overflow Fixes: 15134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5722635939348480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5ea7f2050050fd6a9177a9b618f2bb2d4add9230) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 03172e4aad..82a484dabb 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -307,6 +307,7 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, int ncolors, cpp, ret, i, j; int64_t size; uint32_t *dst; + int width, height; avctx->pix_fmt = AV_PIX_FMT_BGRA; @@ -328,12 +329,12 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, ptr += mod_strcspn(ptr, "\""); if (sscanf(ptr, "\"%u %u %u %u\",", - &avctx->width, &avctx->height, &ncolors, &cpp) != 4) { + &width, &height, &ncolors, &cpp) != 4) { av_log(avctx, AV_LOG_ERROR, "missing image parameters\n"); return AVERROR_INVALIDDATA; } - if ((ret = ff_set_dimensions(avctx, avctx->width, avctx->height)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) From 65e144014080281165a4cc04ab6096995c118d91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 00:12:36 +0200 Subject: [PATCH 0203/1383] avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed Fixes: Assertion failure Fixes: crbug971646.mp4 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 696312c487d9d8c49a087017a829d1cdcbd68651) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9c5442988c..156454741c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4565,8 +4565,6 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVTrackExt *trex = NULL; int flags, track_id, i; - c->fragment.found_tfhd = 1; - avio_r8(pb); /* version */ flags = avio_rb24(pb); @@ -4584,6 +4582,7 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "could not find corresponding trex\n"); return AVERROR_INVALIDDATA; } + c->fragment.found_tfhd = 1; frag->base_data_offset = flags & MOV_TFHD_BASE_DATA_OFFSET ? avio_rb64(pb) : flags & MOV_TFHD_DEFAULT_BASE_IS_MOOF ? From 479b70d2f84b340a66ade598454df968bf71cf5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 21:47:16 +0200 Subject: [PATCH 0204/1383] avcodec/loco: Limit lossy parameter so it is sane and does not overflow Fixes: 15248/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5087440458481664 Fixes: signed integer overflow: 3 + 2147483647 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce3b0b9066b433564ed3ee3eed3a1e8f2c0834a1) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 741db3bdce..e8c62b8178 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -295,6 +295,11 @@ static av_cold int decode_init(AVCodecContext *avctx) avpriv_request_sample(avctx, "LOCO codec version %i", version); } + if (l->lossy > 65536U) { + av_log(avctx, AV_LOG_ERROR, "lossy %i is too large\n", l->lossy); + return AVERROR_INVALIDDATA; + } + l->mode = AV_RL32(avctx->extradata + 4); switch (l->mode) { case LOCO_CYUY2: From da081ecf69f4c46c6638abb28b0acac33c2be075 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 21:08:31 +0200 Subject: [PATCH 0205/1383] avcodec/motionpixels: Check for vlc error in mp_get_vlc() Fixes: 15246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5168534407086080 Fixes: runtime error: index -1 out of bounds for type 'HuffCode [16]' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 930cdef80ab695132d3de2128c3c23f2d698918b) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index a88b837b3e..73977664a5 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -201,6 +201,8 @@ static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) int i; i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1); + if (i < 0) + return i; return mp->codes[i].delta; } From 9a68341e9ee90e8f02d3aea7b8a981a867e8da14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2019 14:28:17 +0200 Subject: [PATCH 0206/1383] avcodec/bink: Fix integer overflow in unquantize_dct_coeffs() Fixes: signed integer overflow: -3447 * 2883584 cannot be represented in type 'int' Fixes: 15265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5088311799971840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 62ad08cef993f7a103b6d3a5498f6fa49190e085) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index a0784f9482..ca10a0ce81 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -702,15 +702,15 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64], return quant_idx; } -static void unquantize_dct_coeffs(int32_t block[64], const int32_t quant[64], +static void unquantize_dct_coeffs(int32_t block[64], const uint32_t quant[64], int coef_count, int coef_idx[64], const uint8_t *scan) { int i; - block[0] = (block[0] * quant[0]) >> 11; + block[0] = (int)(block[0] * quant[0]) >> 11; for (i = 0; i < coef_count; i++) { int idx = coef_idx[i]; - block[scan[idx]] = (block[scan[idx]] * quant[idx]) >> 11; + block[scan[idx]] = (int)(block[scan[idx]] * quant[idx]) >> 11; } } From d08d4b1066d3c7956b6f7bce74d159fae888f41b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2019 14:28:17 +0200 Subject: [PATCH 0207/1383] avcodec/binkdsp: Fix integer overflows in idct Fixes: signed integer overflow: 3784 * 682038 cannot be represented in type 'int' Fixes: 15265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5088311799971840 Fixes: 15268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5666502344179712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 7a072fbcc4c6f8ddbf37b131c2d141589118abcd) Signed-off-by: Michael Niedermayer --- libavcodec/binkdsp.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/binkdsp.c b/libavcodec/binkdsp.c index 9d70e2326f..a357d31672 100644 --- a/libavcodec/binkdsp.c +++ b/libavcodec/binkdsp.c @@ -33,20 +33,22 @@ #define A3 3784 #define A4 -5352 +#define MUL(X,Y) ((int)((unsigned)(X) * (Y)) >> 11) + #define IDCT_TRANSFORM(dest,s0,s1,s2,s3,s4,s5,s6,s7,d0,d1,d2,d3,d4,d5,d6,d7,munge,src) {\ const int a0 = (src)[s0] + (src)[s4]; \ const int a1 = (src)[s0] - (src)[s4]; \ const int a2 = (src)[s2] + (src)[s6]; \ - const int a3 = (A1*((src)[s2] - (src)[s6])) >> 11; \ + const int a3 = MUL(A1, (src)[s2] - (src)[s6]); \ const int a4 = (src)[s5] + (src)[s3]; \ const int a5 = (src)[s5] - (src)[s3]; \ const int a6 = (src)[s1] + (src)[s7]; \ const int a7 = (src)[s1] - (src)[s7]; \ const int b0 = a4 + a6; \ - const int b1 = (A3*(a5 + a7)) >> 11; \ - const int b2 = ((A4*a5) >> 11) - b0 + b1; \ - const int b3 = (A1*(a6 - a4) >> 11) - b2; \ - const int b4 = ((A2*a7) >> 11) + b3 - b1; \ + const int b1 = MUL(A3, a5 + a7); \ + const int b2 = MUL(A4, a5) - b0 + b1; \ + const int b3 = MUL(A1, a6 - a4) - b2; \ + const int b4 = MUL(A2, a7) + b3 - b1; \ (dest)[d0] = munge(a0+a2 +b0); \ (dest)[d1] = munge(a1+a3-a2+b2); \ (dest)[d2] = munge(a1-a3+a2+b3); \ From 9b8a58fa78062ddee07a54237c77dcdc6186aab1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 16:01:45 +0200 Subject: [PATCH 0208/1383] avcodec/bintext: Check font height Fixes: division by zero Fixes: 15257/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINTEXT_fuzzer-5757352881422336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bfb58bdd7015a6df2d130c92cf284d6a2362f3df) Signed-off-by: Michael Niedermayer --- libavcodec/bintext.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index d85f2c2dd4..c310035830 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -63,6 +63,10 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "not enough extradata\n"); return AVERROR_INVALIDDATA; } + if (!s->font_height) { + av_log(avctx, AV_LOG_ERROR, "invalid font height\n"); + return AVERROR_INVALIDDATA; + } } else { s->font_height = 8; s->flags = 0; From d00e33ed3a2127901b622081b364580144be12c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 15:53:27 +0200 Subject: [PATCH 0209/1383] avcodec/qdmc: Fix integer overflows in PRNG Fixes: signed integer overflow: 214013 * 2531011 cannot be represented in type 'int' Fixes: 15254/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDMC_fuzzer-5698137026461696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2921b45a388a81968d946996bb32e72d7bb5d5b7) Signed-off-by: Michael Niedermayer --- libavcodec/qdmc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdmc.c b/libavcodec/qdmc.c index 8f5b7b920d..8bea1552e1 100644 --- a/libavcodec/qdmc.c +++ b/libavcodec/qdmc.c @@ -577,9 +577,9 @@ static void add_noise(QDMCContext *s, int ch, int current_subframe) for (j = 2; j < s->subframe_size - 1; j++) { float rnd_re, rnd_im; - s->rndval = 214013 * s->rndval + 2531011; + s->rndval = 214013U * s->rndval + 2531011; rnd_im = ((s->rndval & 0x7FFF) - 16384.0f) * 0.000030517578f * s->noise2_buffer[j]; - s->rndval = 214013 * s->rndval + 2531011; + s->rndval = 214013U * s->rndval + 2531011; rnd_re = ((s->rndval & 0x7FFF) - 16384.0f) * 0.000030517578f * s->noise2_buffer[j]; im[j ] += rnd_im; re[j ] += rnd_re; From 1b4b738033df2d3afd0acf23aa668ec874dafac4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 15:55:55 +0200 Subject: [PATCH 0210/1383] avcodec/tta: Fix undefined shift Fixes: left shift of negative value -4483 Fixes: 15256/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5738691617619968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebccd2f778a861b41ad38a8464ea120d4f16b2d7) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 8f097b3bcc..c7702610b6 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -372,7 +372,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; for (i = 0; i < framelen * s->channels; i++) - *samples++ <<= 8; + *samples++ *= 256; // reset decode buffer s->decode_buffer = NULL; break; From 92140d7b24e40797d171e73482e8d408fbdfbfd5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 16:17:12 +0200 Subject: [PATCH 0211/1383] avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c Fixes: left shift of negative value -13 Fixes: 15260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5702076048343040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 507ca66ee41aa8a95b75654163f77af0a99a25b1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dsp.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/vc1dsp.c b/libavcodec/vc1dsp.c index 778b811f1a..c25a6f3adf 100644 --- a/libavcodec/vc1dsp.c +++ b/libavcodec/vc1dsp.c @@ -95,10 +95,10 @@ static void vc1_v_s_overlap_c(int16_t *top, int16_t *bottom) d1 = a - d; d2 = a - d + b - c; - top[48] = ((a << 3) - d1 + rnd1) >> 3; - top[56] = ((b << 3) - d2 + rnd2) >> 3; - bottom[0] = ((c << 3) + d2 + rnd1) >> 3; - bottom[8] = ((d << 3) + d1 + rnd2) >> 3; + top[48] = ((a * 8) - d1 + rnd1) >> 3; + top[56] = ((b * 8) - d2 + rnd2) >> 3; + bottom[0] = ((c * 8) + d2 + rnd1) >> 3; + bottom[8] = ((d * 8) + d1 + rnd2) >> 3; bottom++; top++; @@ -122,10 +122,10 @@ static void vc1_h_s_overlap_c(int16_t *left, int16_t *right, int left_stride, in d1 = a - d; d2 = a - d + b - c; - left[6] = ((a << 3) - d1 + rnd1) >> 3; - left[7] = ((b << 3) - d2 + rnd2) >> 3; - right[0] = ((c << 3) + d2 + rnd1) >> 3; - right[1] = ((d << 3) + d1 + rnd2) >> 3; + left[6] = ((a * 8) - d1 + rnd1) >> 3; + left[7] = ((b * 8) - d2 + rnd2) >> 3; + right[0] = ((c * 8) + d2 + rnd1) >> 3; + right[1] = ((d * 8) + d1 + rnd2) >> 3; right += right_stride; left += left_stride; From c434a043ac081e0f5d8c166f8416346002d462fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 16:12:42 +0200 Subject: [PATCH 0212/1383] avcodec/ffwavesynth: Check ts_end - ts_start for overflow Fixes: signed integer overflow: 2314885530818453536 - -8926099139098304480 cannot be represented in type 'long' Fixes: 15259/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5764366093254656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2db7a3bc4acdd293ed10b71e55f16a45ca28b629) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 9d055e4019..a66113972b 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -267,7 +267,10 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) in->type = AV_RL32(edata + 16); in->channels = AV_RL32(edata + 20); edata += 24; - if (in->ts_start < cur_ts || in->ts_end <= in->ts_start) + if (in->ts_start < cur_ts || + in->ts_end <= in->ts_start || + (uint64_t)in->ts_end - in->ts_start > INT64_MAX + ) return AVERROR(EINVAL); cur_ts = in->ts_start; dt = in->ts_end - in->ts_start; From 9ede5cab3afae1473a63f148b15af9d88809e646 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2019 19:09:11 +0200 Subject: [PATCH 0213/1383] avcodec/alsdec: Fix invalid shift in multiply() Fixes: shift exponent -24 is negative Fixes: 15292/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5768533318828032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f30be1ec9856551d96f3876eec5f8b8abf456b81) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index ca8701e6d0..891f742e7e 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1379,6 +1379,9 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { mantissa_temp = (uint64_t)a.mant * (uint64_t)b.mant; mask_64 = (uint64_t)0x1 << 47; + if (!mantissa_temp) + return FLOAT_0; + // Count the valid bit count while (!(mantissa_temp & mask_64) && mask_64) { bit_count--; From 297c5c26cddab668f22a2595ddc0a5984ddd4056 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 00:47:06 +0200 Subject: [PATCH 0214/1383] avcodec/videodsp_template: Fix overflow of addition Fixes: addition of unsigned offset to 0x7f56fc26a9b6 overflowed to 0x7f56fc26a8be* Fixes: clusterfuzz-testcase-minimized-mediasource_MP4_AVC1_pipeline_integration_fuzzer-4917949056679936 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 247a1de7f7d9c5628cf188e677d10ce9e12bd2f2) Signed-off-by: Michael Niedermayer --- libavcodec/videodsp_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 94c1b7188d..55123a5844 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -44,7 +44,8 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, src_y = 1 - block_h; } if (src_x >= w) { - src += (w - 1 - src_x) * sizeof(pixel); + // The subtracted expression has an unsigned type and must thus not be negative + src -= (1 + src_x - w) * sizeof(pixel); src_x = w - 1; } else if (src_x <= -block_w) { src += (1 - block_w - src_x) * sizeof(pixel); From 1603661523e37940ec98e320e631886fca48fd87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2019 23:55:56 +0200 Subject: [PATCH 0215/1383] avcodec/utils: Check bits_per_coded_sample This avoids the need for each decoder separately having to handle this case Fixes: shift exponent -100663046 is negative Fixes: out of array access Fixes: 15270/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5727829913763840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d33414d2ad27a5d2193c9ab0948ba7a282c2f910) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1661d48b90..e82cb43dbb 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -958,6 +958,10 @@ FF_ENABLE_DEPRECATION_WARNINGS ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->bits_per_coded_sample < 0) { + ret = AVERROR(EINVAL); + goto free_and_end; + } if (avctx->sub_charenc) { if (avctx->codec_type != AVMEDIA_TYPE_SUBTITLE) { av_log(avctx, AV_LOG_ERROR, "Character encoding is only " From 6872daee87b9b7a8adcb3bd3b1defea6f2153d2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jun 2019 19:51:59 +0200 Subject: [PATCH 0216/1383] Update for 4.1.4 Signed-off-by: Michael Niedermayer --- Changelog | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 73 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 5b76927071..5702f8b264 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,77 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +versiob 4.1.4: + avcodec/utils: Check bits_per_coded_sample + avcodec/videodsp_template: Fix overflow of addition + avcodec/alsdec: Fix invalid shift in multiply() + avcodec/ffwavesynth: Check ts_end - ts_start for overflow + avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c + avcodec/tta: Fix undefined shift + avcodec/qdmc: Fix integer overflows in PRNG + avcodec/bintext: Check font height + avcodec/binkdsp: Fix integer overflows in idct + avcodec/bink: Fix integer overflow in unquantize_dct_coeffs() + avcodec/motionpixels: Check for vlc error in mp_get_vlc() + avcodec/loco: Limit lossy parameter so it is sane and does not overflow + avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed + avcodec/xpmdec: Do not use context dimensions as temporary variables + avcodec/fitsdec: Fix division by 0 in size check + avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c() + avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block() + avcodec/iff: finetune the palette size check in the mask case + avcodec/iff: Fix mask_buf / mask_palbuf leak + avformat/icodec: Free ico->images on error paths + avformat/wsddec: Fix undefined shift + avcodec/fmvc: Check if header fields are available before allocating the image + avcodec/bink: Reorder operations in init to avoid memleak on error + avformat/wtvdec: Avoid (32bit signed) sectors + avcodec/bitstream: Check for more conflicting codes in build_table() + avcodec/bitstream: Check for integer code truncation in build_table() + avformat/sbgdec: Fixes integer overflow in str_to_time() with hours + avformat/vpk: Check offset for validity + avformat/vpk: Fix integer overflow in samples_per_block computation + avcodec/mjpegdec: Check for non ls PAL8 + avcodec/interplayvideo: check decoding_map_size with video_data_size + avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle + avcodec/mss4: Check input size against skip bits + avcodec/dxv: Check op_offset in dxv_decompress_cocg() + avcodec/diracdec: Fix integer overflow in global_mv() + avcodec/vmnc: Check available space against chunks before reget_buffer() + avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure) + avcodec/aacdec_fixed: Handle more extreem cases in noise_scale() + avcodec/aacdec_template: Merge 3 #ifs related to noise handling + avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify + avformat/mp3enc: Avoid SEEK_END as it is unsupported + avcodec/truemotion2: Fix several integer overflows in tm2_update_block() + avformat/webm_chunk: Specify expected argument length of get_chunk_filename() + avformat/webm_chunk: Check header filename length + avcodec/cpia: Check input size also against linesizes and EOL + swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes + libswcale: Fix possible string overflow in test. + avcodec/hq_hqa: Check available space before reading slice offsets + lavf/webm_chunk: Respect buffer size + avcodec/fits: Check bitpix + avcodec/jvdec: Use ff_get_buffer() when the content is not reused + avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block() + avcodec/gdv: Check input palette size before rescale() + avcodec/jpeg2000: Check stepsize before using it + avcodec/aacdec_fixed: Fix undefined shift in noise_scale() + avutil/avstring: Fix bug and undefined behavior in av_strncasecmp() + avformat/mov: Skip stsd adjustment without chunks + avformat/aadec: Check for scanf() failure + avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside + avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform() + avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation + avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks() + movsub_bsf: Fix mov2textsub regression + lavc/libaomenc: Add a maximum constraint of 64 encoder threads. + avformat/aacdec: fix demuxing of small frames + avcodec/cuviddec: improve progressive frame detection + avformat/matroskaenc: fix leak on error + avformat/av1: Initialize padding in ff_isom_write_av1c + avcodec/cbs_av1: fix parsing spatial_id + version 4.1.3: - avcodec/rscc: Check that the to be uncompressed input is large enough - avformat/movenc: free eac3 private data only when closing the stream diff --git a/RELEASE b/RELEASE index de197cc337..a95f288444 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.3 +4.1.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index f7b277adf6..f04da164f5 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.3 +PROJECT_NUMBER = 4.1.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 3d1903acfee865935b73957e1b4df5ae090c93f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 20:56:20 +0200 Subject: [PATCH 0217/1383] avcodec/atrac9dec: Check that the reused block has succeeded initilization Fixes: global-buffer-overflow Fixes: 15247/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5671602181636096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac9af7e9a5befa8a554bacbcc59ab2f11203d85e) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 805d46f3b8..11b683d136 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -71,6 +71,8 @@ typedef struct ATRAC9BlockData { int cpe_base_channel; int is_signs[30]; + int reuseable; + } ATRAC9BlockData; typedef struct ATRAC9Context { @@ -668,6 +670,7 @@ static int atrac9_decode_block(ATRAC9Context *s, GetBitContext *gb, if (!reuse_params) { int stereo_band, ext_band; const int min_band_count = s->samplerate_idx > 7 ? 1 : 3; + b->reuseable = 0; b->band_count = get_bits(gb, 4) + min_band_count; b->q_unit_cnt = at9_tab_band_q_unit_map[b->band_count]; @@ -699,6 +702,11 @@ static int atrac9_decode_block(ATRAC9Context *s, GetBitContext *gb, } b->band_ext_q_unit = at9_tab_band_q_unit_map[ext_band]; } + b->reuseable = 1; + } + if (!b->reuseable) { + av_log(s->avctx, AV_LOG_ERROR, "invalid block reused!\n"); + return AVERROR_INVALIDDATA; } /* Calculate bit alloc gradient */ From 7daa138f6819ef5ec65fd6af52aeb2ebb0ed9486 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 21:01:50 +0200 Subject: [PATCH 0218/1383] avcodec/atrac9dec: Check q_unit_cnt in parse_band_ext() Fixes: global-buffer-overflow Fixes: 15247/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5671602181636096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fb4a4557d15bce601e2462207648741600fa273f) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 11b683d136..ff4991a573 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -202,6 +202,8 @@ static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b, int ext_band = 0; if (b->has_band_ext) { + if (b->q_unit_cnt < 13) + return AVERROR_INVALIDDATA; ext_band = at9_tab_band_ext_group[b->q_unit_cnt - 13][2]; if (stereo) { b->channel[1].band_ext = get_bits(gb, 2); From 5b8bce805c687e3558f0c77deea49aa97190e0ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2019 23:17:23 +0200 Subject: [PATCH 0219/1383] avformat/vqf: Check header_size Fixes: 15271/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5735262606327808 Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c30ff38880570377168096417f714b21102b343) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index d00fa5e08c..ff38a3d1ca 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -107,6 +107,9 @@ static int vqf_read_header(AVFormatContext *s) header_size = avio_rb32(s->pb); + if (header_size < 0) + return AVERROR_INVALIDDATA; + st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->codec_id = AV_CODEC_ID_TWINVQ; st->start_time = 0; @@ -120,7 +123,7 @@ static int vqf_read_header(AVFormatContext *s) len = avio_rb32(s->pb); - if ((unsigned) len > INT_MAX/2) { + if ((unsigned) len > INT_MAX/2 || header_size < 8) { av_log(s, AV_LOG_ERROR, "Malformed header\n"); return -1; } From 1aa0c2a06f005cac6e2f310f368a38af91682c62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2019 21:26:45 +0200 Subject: [PATCH 0220/1383] avcodec/libvorbisdec: Check extradata size Fixes: out of array read Fixes: 15261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_fuzzer-5764908467093504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf3c245566e8a8d45ed2ad9fdff9ef50327ba2d3) Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index ecf690a553..89cbbb41b6 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c @@ -49,8 +49,16 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { vorbis_comment_init(&context->vc) ; if(p[0] == 0 && p[1] == 30) { + int sizesum = 0; for(i = 0; i < 3; i++){ hsizes[i] = bytestream_get_be16((const uint8_t **)&p); + sizesum += 2 + hsizes[i]; + if (sizesum > avccontext->extradata_size) { + av_log(avccontext, AV_LOG_ERROR, "vorbis extradata too small\n"); + ret = AVERROR_INVALIDDATA; + goto error; + } + headers[i] = p; p += hsizes[i]; } From 423d0bbc556721849847d6dc9143d41d97b9a03c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2019 20:58:47 +0200 Subject: [PATCH 0221/1383] avcodec/qdm2: Move fft_order check up This avoids undefined computations with unchecked values Fixes: shift exponent -21 is negative Fixes: 15262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5651261753393152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8d8b8c4ac6fb5b5d40bd131f2d2ea9d85b8759a6) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 88b6b19d11..1397218bdd 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1702,6 +1702,12 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->fft_order = av_log2(s->fft_size) + 1; + // Fail on unknown fft order + if ((s->fft_order < 7) || (s->fft_order > 9)) { + avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order); + return AVERROR_PATCHWELCOME; + } + // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block @@ -1735,11 +1741,6 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) else s->coeff_per_sb_select = 2; - // Fail on unknown fft order - if ((s->fft_order < 7) || (s->fft_order > 9)) { - avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order); - return AVERROR_PATCHWELCOME; - } if (s->fft_size != (1 << (s->fft_order - 1))) { av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size); return AVERROR_INVALIDDATA; From f3bfb0717982992959ac4ecd40f4d2ddcab25eb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2019 21:13:17 +0200 Subject: [PATCH 0222/1383] avcodec/m101: Fix off be 2 error Fixes: out of array read Fixes: 15263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_M101_fuzzer-5728999453491200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89b96900fa7c17d0770c9af26af7c3ae36ae0253) Signed-off-by: Michael Niedermayer --- libavcodec/m101.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/m101.c b/libavcodec/m101.c index d2549668fd..70f1da4f45 100644 --- a/libavcodec/m101.c +++ b/libavcodec/m101.c @@ -61,7 +61,7 @@ static int m101_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, stride = AV_RL32(avctx->extradata + 5*4); if (avctx->pix_fmt == AV_PIX_FMT_YUV422P10) - min_stride = (avctx->width + 15) / 16 * 20; + min_stride = (avctx->width + 15) / 16 * 40; if (stride < min_stride || avpkt->size < stride * (uint64_t)avctx->height) { av_log(avctx, AV_LOG_ERROR, "stride (%d) is invalid for packet sized %d\n", From b5d6b509b1ce6c663c30d329d939ff13bfd4e280 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 00:24:53 +0200 Subject: [PATCH 0223/1383] avcodec/fitsdec: Check data_min/max Fixes: division by 0 Fixes: 15206/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5657260212092928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb82d19f035f59edf0aee215f02baaea908875de) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 67a8bd71f4..4f452422ef 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -168,6 +168,14 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead header->data_min = (header->data_min - header->bzero) / header->bscale; header->data_max = (header->data_max - header->bzero) / header->bscale; } + if (!header->rgb && header->data_min >= header->data_max) { + if (header->data_min > header->data_max) { + av_log(avctx, AV_LOG_ERROR, "data min/max (%g %g) is invalid\n", header->data_min, header->data_max); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_WARNING, "data min/max indicates a blank image\n"); + header->data_max ++; + } return 0; } From 7d075c5f337f76bbefee8fbcff7e3cc8d9f14a24 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2019 22:04:16 +0200 Subject: [PATCH 0224/1383] avformat/aviobuf: Delay buffer downsizing until asserts are met Fixes: Assertion failure Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616 Fixes: 15205/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5767573242642432 May fix: Ticket7094 Signed-off-by: Michael Niedermayer (cherry picked from commit 0334632d5c02720f1829d59cd20c009584b5b163) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 5a33f82950..6a5cd97b0a 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -570,7 +570,7 @@ static void fill_buffer(AVIOContext *s) } /* make buffer smaller in case it ended up large after probing */ - if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size) { + if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size && len >= s->orig_buffer_size) { if (dst == s->buffer && s->buf_ptr != dst) { int ret = ffio_set_buf_size(s, s->orig_buffer_size); if (ret < 0) @@ -578,7 +578,6 @@ static void fill_buffer(AVIOContext *s) s->checksum_ptr = dst = s->buffer; } - av_assert0(len >= s->orig_buffer_size); len = s->orig_buffer_size; } From 523a47b3f6004352236ec46e9d870e236b1428f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 11:26:57 +0200 Subject: [PATCH 0225/1383] avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check Fixes: 15255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718831688843264 Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d4f4f4a15e79c96c3613e5c252b2f5cc4190e18) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 15eb416ba4..eb31fd70c1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -460,7 +460,7 @@ static inline void update_rice(APERice *rice, unsigned int x) if (rice->ksum < lim) rice->k--; - else if (rice->ksum >= (1 << (rice->k + 5))) + else if (rice->ksum >= (1 << (rice->k + 5)) && rice->k < 24) rice->k++; } From 3fa15bb096b1e64206f0307460c9b694e6d368d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 15:05:54 +0200 Subject: [PATCH 0226/1383] avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 14880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5130977304641536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit c692051252693155c4eecd16f4f8a79caf66cd54) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 23 +++++++++++++---------- libavcodec/hevc_ps.h | 4 ++-- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index ea984af0a1..1e84fcf634 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1587,22 +1587,25 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, pps->entropy_coding_sync_enabled_flag = get_bits1(gb); if (pps->tiles_enabled_flag) { - pps->num_tile_columns = get_ue_golomb_long(gb) + 1; - pps->num_tile_rows = get_ue_golomb_long(gb) + 1; - if (pps->num_tile_columns <= 0 || - pps->num_tile_columns >= sps->width) { + int num_tile_columns_minus1 = get_ue_golomb(gb); + int num_tile_rows_minus1 = get_ue_golomb(gb); + + if (num_tile_columns_minus1 < 0 || + num_tile_columns_minus1 >= sps->width - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n", - pps->num_tile_columns - 1); - ret = AVERROR_INVALIDDATA; + num_tile_columns_minus1); + ret = num_tile_columns_minus1 < 0 ? num_tile_columns_minus1 : AVERROR_INVALIDDATA; goto err; } - if (pps->num_tile_rows <= 0 || - pps->num_tile_rows >= sps->height) { + if (num_tile_rows_minus1 < 0 || + num_tile_rows_minus1 >= sps->height - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n", - pps->num_tile_rows - 1); - ret = AVERROR_INVALIDDATA; + num_tile_rows_minus1); + ret = num_tile_rows_minus1 < 0 ? num_tile_rows_minus1 : AVERROR_INVALIDDATA; goto err; } + pps->num_tile_columns = num_tile_columns_minus1 + 1; + pps->num_tile_rows = num_tile_rows_minus1 + 1; pps->column_width = av_malloc_array(pps->num_tile_columns, sizeof(*pps->column_width)); pps->row_height = av_malloc_array(pps->num_tile_rows, sizeof(*pps->row_height)); diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h index 1fbda199e3..77e5fd83c7 100644 --- a/libavcodec/hevc_ps.h +++ b/libavcodec/hevc_ps.h @@ -344,8 +344,8 @@ typedef struct HEVCPPS { uint8_t tiles_enabled_flag; uint8_t entropy_coding_sync_enabled_flag; - int num_tile_columns; ///< num_tile_columns_minus1 + 1 - int num_tile_rows; ///< num_tile_rows_minus1 + 1 + uint16_t num_tile_columns; ///< num_tile_columns_minus1 + 1 + uint16_t num_tile_rows; ///< num_tile_rows_minus1 + 1 uint8_t uniform_spacing_flag; uint8_t loop_filter_across_tiles_enabled_flag; From df61ec263faa1408a0a63bad2d3d5bf0462dadb2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jun 2019 10:29:57 +0200 Subject: [PATCH 0227/1383] avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight Suggested-by: James Almer Reviewed-by: James Almer (cherry picked from commit 3b2082c663dac93fd722289a540c1b1e24a12564) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 1e84fcf634..9b6cc49355 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1591,14 +1591,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, int num_tile_rows_minus1 = get_ue_golomb(gb); if (num_tile_columns_minus1 < 0 || - num_tile_columns_minus1 >= sps->width - 1) { + num_tile_columns_minus1 >= sps->ctb_width - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n", num_tile_columns_minus1); ret = num_tile_columns_minus1 < 0 ? num_tile_columns_minus1 : AVERROR_INVALIDDATA; goto err; } if (num_tile_rows_minus1 < 0 || - num_tile_rows_minus1 >= sps->height - 1) { + num_tile_rows_minus1 >= sps->ctb_height - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n", num_tile_rows_minus1); ret = num_tile_rows_minus1 < 0 ? num_tile_rows_minus1 : AVERROR_INVALIDDATA; From 10562175405277ac24f02ee2d29455169b1b54e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 21:53:43 +0200 Subject: [PATCH 0228/1383] avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT() Fixes: left shift of negative value -6 Fixes: 15275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5742361767837696 Fixes: signed integer overflow: 41582592 * 256 cannot be represented in type 'int' Fixes: 15296/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5739558227935232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e131568752ad41222946304c61eadb87b0a24791) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 891f742e7e..2660747472 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -767,8 +767,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (*bd->use_ltp) { int r, c; - bd->ltp_gain[0] = decode_rice(gb, 1) << 3; - bd->ltp_gain[1] = decode_rice(gb, 2) << 3; + bd->ltp_gain[0] = decode_rice(gb, 1) * 8; + bd->ltp_gain[1] = decode_rice(gb, 2) * 8; r = get_unary(gb, 0, 4); c = get_bits(gb, 2); @@ -779,8 +779,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) bd->ltp_gain[2] = ltp_gain_values[r][c]; - bd->ltp_gain[3] = decode_rice(gb, 2) << 3; - bd->ltp_gain[4] = decode_rice(gb, 1) << 3; + bd->ltp_gain[3] = decode_rice(gb, 2) * 8; + bd->ltp_gain[4] = decode_rice(gb, 1) * 8; *bd->ltp_lag = get_bits(gb, ctx->ltp_lag_length); *bd->ltp_lag += FFMAX(4, opt_order + 1); @@ -1799,11 +1799,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, if (!ctx->cs_switch) { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[c][sample] << shift; \ + *dest++ = ctx->raw_samples[c][sample] * (1U << shift); \ } else { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] << shift; \ + *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] * (1U << shift); \ } \ } From dcef55b5ff8e36d30100df956102ce190b835840 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 23:17:31 +0200 Subject: [PATCH 0229/1383] avcodec/alsdec: Fix undefined behavior in decode_rice() Fixes: left shift of 72 by 26 places cannot be represented in type 'int' Fixes: 15279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5700665621348352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51f6870c37cc29e1ea7e0c66df2fe505938b7561) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 2660747472..e54440910c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -487,7 +487,7 @@ static void parse_bs_info(const uint32_t bs_info, unsigned int n, static int32_t decode_rice(GetBitContext *gb, unsigned int k) { int max = get_bits_left(gb) - k; - int q = get_unary(gb, 0, max); + unsigned q = get_unary(gb, 0, max); int r = k ? get_bits1(gb) : !(q & 1); if (k > 1) { From 99745dc2f353be1eb97291bd501053709b7b2d61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 23:27:21 +0200 Subject: [PATCH 0230/1383] avcodec/alsdec: Fix integer overflow with shifting samples Fixes: signed integer overflow: -346039050 * 8 cannot be represented in type 'int' Fixes: 15283/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5692700268953600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3bd4b260eb9f0d5817f9b3d672844f127c51a0b) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e54440910c..420bcf835a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1033,7 +1033,7 @@ static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) if (*bd->shift_lsbs) for (smp = 0; smp < bd->block_length; smp++) - bd->raw_samples[smp] <<= *bd->shift_lsbs; + bd->raw_samples[smp] = (unsigned)bd->raw_samples[smp] << *bd->shift_lsbs; return 0; } From 75e838a6daa76a913361c7e725976b3b07a1312a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:15 +0200 Subject: [PATCH 0231/1383] avcodec/alsdec: Check opt_order / sb_length in ra_block handling Fixes: out of array access Fixes: 15277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5184853437317120 Fixes: 15280/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5741062137577472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0794494c8f2f756e3c9384dba21c54f7d4ba9286) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 420bcf835a..96cfbbf1fe 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -789,14 +789,20 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // read first value and residuals in case of a random access block if (bd->ra_block) { + start = FFMIN(opt_order, 3); + av_assert0(sb_length <= sconf->frame_length); + if (sb_length <= start) { + // opt_order or sb_length may be corrupted, either way this is unsupported and not well defined in the specification + av_log(avctx, AV_LOG_ERROR, "Sub block length smaller or equal start\n"); + return AVERROR_PATCHWELCOME; + } + if (opt_order) bd->raw_samples[0] = decode_rice(gb, avctx->bits_per_raw_sample - 4); if (opt_order > 1) bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); if (opt_order > 2) bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); - - start = FFMIN(opt_order, 3); } // read all residuals From ed8e191bfb1f64612d9a751e5003f985d9adb402 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:16 +0200 Subject: [PATCH 0232/1383] avcodec/alsdec: Fixes signed integer overflow in LSB addition Fixes: signed integer overflow: 8 * 536870912 cannot be represented in type 'int' Fixes: 15281/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5744458785619968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f527021df73b4792323f38f84a4bf2fbe5a2052) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 96cfbbf1fe..4b69775414 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -867,7 +867,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) res >>= 1; if (cur_k) { - res *= 1 << cur_k; + res *= 1U << cur_k; res |= get_bits_long(gb, cur_k); } } From fa2dbcfd8f4b1ed7b62c464fb509a6b3b9bf4ab2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:17 +0200 Subject: [PATCH 0233/1383] avcodec/alsdec: Fix integer overflow with buffer number Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f64f6058e0c23641a68ce7dfe47b1f55efd401c) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 4b69775414..e38d7b21d3 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1993,6 +1993,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate quantized parcor coefficient buffer num_buffers = sconf->mc_coding ? avctx->channels : 1; + if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation + return AVERROR_INVALIDDATA; ctx->quant_cof = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof)); ctx->lpc_cof = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof)); From c34512371e1d09a1862a3c7f53a17b3e9198729a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:19 +0200 Subject: [PATCH 0234/1383] avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP Fixes: multiple memleaks Fixes: 15293/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5642409288925184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7b6ddd59693008c35b3247496ecc946331d0856) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e38d7b21d3..5eb2a58aaf 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -2127,7 +2127,6 @@ static av_cold int decode_init(AVCodecContext *avctx) return 0; fail: - decode_end(avctx); return ret; } @@ -2153,4 +2152,5 @@ AVCodec ff_als_decoder = { .decode = decode_frame, .flush = flush, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From c697819aee7ff44181077859ca5f0962049272e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2019 11:22:36 +0200 Subject: [PATCH 0235/1383] avcodec/dxv: Initialize tex_funct to NULL Fixes: Various anomalies Fixes: 14493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5071018000908288 Fixes: 14630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5714888963391488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e96b7a8ba62c5e010328b80b647b64dd9cdbdc01) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 7ae3315493..e28a6ba724 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -1055,6 +1055,10 @@ static int dxv_decode(AVCodecContext *avctx, void *data, avctx->pix_fmt = AV_PIX_FMT_RGBA; avctx->colorspace = AVCOL_SPC_RGB; + ctx->tex_funct = NULL; + ctx->tex_funct_planar[0] = NULL; + ctx->tex_funct_planar[1] = NULL; + tag = bytestream2_get_le32(gbc); switch (tag) { case MKBETAG('D', 'X', 'T', '1'): From ac9d8e7c501cc1118d99b6226a7fbef4e0578c72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 01:04:07 +0200 Subject: [PATCH 0236/1383] avcodec/alac: Check lpc_quant lpc_quant of 0 produces undefined behavior, thus disallow this. If valid samples use this then such a sample would be quite usefull to confirm the correct&lossles handling of this. Fixes: libavcodec/alac.c:218:25: runtime error: shift exponent -1 is negative Fixes: 15273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5656388535058432 Fixes: 15276/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5761238417539072 Fixes: 15315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5767260766994432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6474b899c1153e3bb95e399b6605c3507aea0d0) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 93cf198eea..19e62ddbe0 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -306,7 +306,7 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, rice_history_mult[ch] = get_bits(&alac->gb, 3); lpc_order[ch] = get_bits(&alac->gb, 5); - if (lpc_order[ch] >= alac->max_samples_per_frame) + if (lpc_order[ch] >= alac->max_samples_per_frame || !lpc_quant[ch]) return AVERROR_INVALIDDATA; /* read the predictor table */ From 4d7ee3b0ff12c79a84ec29f9b876760795ef3d5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 23:28:25 +0200 Subject: [PATCH 0237/1383] avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff() Fixes: index -1 out of bounds for type 'const uint8_t [185][2]' Fixes: 15250/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5648992869810176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79204a1fc8f1988f7d7e6cae2c3b68f513444d38) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 86320db959..ec5339d2f0 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -508,13 +508,15 @@ static inline int vc1_coded_block_pred(MpegEncContext * s, int n, * @param codingset set of VLC to decode data * @see 8.1.3.4 */ -static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, +static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int *value, int codingset) { GetBitContext *gb = &v->s.gb; int index, run, level, lst, sign; index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index < 0) + return index; if (index != ff_vc1_ac_sizes[codingset] - 1) { run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; @@ -560,6 +562,8 @@ static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, *last = lst; *skip = run; *value = (level ^ -sign) + sign; + + return 0; } /** Decode intra block in intra frames - should be faster than decode_intra_block @@ -639,7 +643,9 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, zz_table = v->zz_8x8[1]; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -812,7 +818,9 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, } while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -995,7 +1003,9 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, int k; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -1161,7 +1171,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; last = 0; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -1189,7 +1201,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = (j & 1) * 4 + (j & 2) * 16; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 15) break; @@ -1216,7 +1230,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = j * 32; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 31) break; @@ -1243,7 +1259,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = j * 4; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 31) break; From 10880dd695daa1fb85ef96a15be5b46ce339d2fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 23:45:36 +0200 Subject: [PATCH 0238/1383] avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP() Fixes: out of array access Fixes: 15360/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5653837190266880 Fixes: 15412/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5740537648250880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37708cbae8d6887b80f58a70a1dfa01af6ea2c85) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index ba5bda48c4..c0e1e16bcd 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -900,7 +900,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, } else { if (bytestream2_tell(&g2) + 2*byte_run > stream_ptr_after_chunk) break; - CHECK_PIXEL_PTR(2 * byte_run); + CHECK_PIXEL_PTR(3 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { pixel = bytestream2_get_le24(&g2); AV_WL24(&pixels[pixel_ptr], pixel); From 24ea2679e2c93891a6a4c5fbddad6c27e459c140 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 22:08:27 +0200 Subject: [PATCH 0239/1383] avcodec/ffwavesynth: Fix backward lcg_seek() Signed-off-by: Michael Niedermayer (cherry picked from commit cf2bd3ce79b12256d7d129b2ada5ee649b9a27eb) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index a66113972b..cf8c780f3e 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -122,7 +122,7 @@ static void lcg_seek(uint32_t *s, int64_t dt) c = LCG_C; } else { /* coefficients for a step backward */ a = LCG_AI; - c = (uint32_t)(LCG_AI * LCG_C); + c = (uint32_t)(-LCG_AI * LCG_C); dt = -dt; } while (dt) { From 73885bf3e19651b2316eac6690167095039603b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 22:41:25 +0200 Subject: [PATCH 0240/1383] avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself Fixes: 15289/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5709034499342336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c022099351c04ae21e0b8696ea71a690ed03cd2) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index cf8c780f3e..b2cc7c8fc1 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -113,18 +113,12 @@ static uint32_t lcg_next(uint32_t *s) return *s; } -static void lcg_seek(uint32_t *s, int64_t dt) +static void lcg_seek(uint32_t *s, uint32_t dt) { uint32_t a, c, t = *s; - if (dt >= 0) { - a = LCG_A; - c = LCG_C; - } else { /* coefficients for a step backward */ - a = LCG_AI; - c = (uint32_t)(-LCG_AI * LCG_C); - dt = -dt; - } + a = LCG_A; + c = LCG_C; while (dt) { if (dt & 1) t = a * t + c; From 074f40608e19ce7ce44c320dda87836806991d59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 22:43:23 +0200 Subject: [PATCH 0241/1383] avcodec/ffwavesynth: use uint32_t to compute difference, it is enough Fixes: signed integer overflow: 6494225984479297536 - -6043795377581187040 cannot be represented in type 'long' Fixes: 15285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5632780307791872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e9dd3c7126097d7c8d4f137db9957b81a219aa2c) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b2cc7c8fc1..793eada7a5 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -215,7 +215,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) ws->next_inter = i; ws->next_ts = i < ws->nb_inter ? ws->inter[i].ts_start : INF_TS; *last = -1; - lcg_seek(&ws->dither_state, ts - ws->cur_ts); + lcg_seek(&ws->dither_state, (uint32_t)ts - ws->cur_ts); if (ws->pink_need) { int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); From d534cb834564f440c6368b5c6597c67e1f97635d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 19:21:50 +0200 Subject: [PATCH 0242/1383] avcodec/iff: Check ham vs bpp This checks the ham value much stricter and avoids hitting cases which cannot be reached with data from the libavformat demuxer. Fixes: out of array access Fixes: 15320/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5080476840099840 Fixes: 15423/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5630765833912320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f76d7352e05526fde7c607b9a9db536a5760af29) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 4099d118e4..c6e2359b00 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -280,6 +280,16 @@ static int extract_header(AVCodecContext *const avctx, for (i = 0; i < 16; i++) s->tvdc[i] = bytestream_get_be16(&buf); + if (s->ham) { + if (s->bpp > 8) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham); + return AVERROR_INVALIDDATA; + } if (s->ham != (s->bpp > 6 ? 6 : 4)) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u, BPP: %u\n", s->ham, s->bpp); + return AVERROR_INVALIDDATA; + } + } + if (s->masking == MASK_HAS_MASK) { if (s->bpp >= 8 && !s->ham) { avctx->pix_fmt = AV_PIX_FMT_RGB32; @@ -307,9 +317,6 @@ static int extract_header(AVCodecContext *const avctx, if (!s->bpp || s->bpp > 32) { av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp); return AVERROR_INVALIDDATA; - } else if (s->ham >= 8) { - av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham); - return AVERROR_INVALIDDATA; } av_freep(&s->ham_buf); From dd59d92e942f0986d87a80ea69b570e804ed7106 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jun 2019 23:42:43 +0200 Subject: [PATCH 0243/1383] avcodec/svq3: Use ff_set_dimension() Fixes: OOM Fixes: 15410/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5659464805384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b114d76878f1a542bcb75456492cc43e6414f8b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 18a4448ffa..9cea9ac840 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1183,6 +1183,7 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) GetBitContext gb; int frame_size_code; int unk0, unk1, unk2, unk3, unk4; + int w,h; size = AV_RB32(&extradata[4]); if (size > extradata_end - extradata - 8) { @@ -1195,38 +1196,41 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) frame_size_code = get_bits(&gb, 3); switch (frame_size_code) { case 0: - avctx->width = 160; - avctx->height = 120; + w = 160; + h = 120; break; case 1: - avctx->width = 128; - avctx->height = 96; + w = 128; + h = 96; break; case 2: - avctx->width = 176; - avctx->height = 144; + w = 176; + h = 144; break; case 3: - avctx->width = 352; - avctx->height = 288; + w = 352; + h = 288; break; case 4: - avctx->width = 704; - avctx->height = 576; + w = 704; + h = 576; break; case 5: - avctx->width = 240; - avctx->height = 180; + w = 240; + h = 180; break; case 6: - avctx->width = 320; - avctx->height = 240; + w = 320; + h = 240; break; case 7: - avctx->width = get_bits(&gb, 12); - avctx->height = get_bits(&gb, 12); + w = get_bits(&gb, 12); + h = get_bits(&gb, 12); break; } + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + goto fail; s->halfpel_flag = get_bits1(&gb); s->thirdpel_flag = get_bits1(&gb); From e5c21ed6e35e1efc89b583c793fd64b8b53f93e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2019 01:01:02 +0200 Subject: [PATCH 0244/1383] avcodec/qdm2: Do not read out of array in fix_coding_method_array() Instead we ask for a sample, its unclear what to do in this case. Fixes: index 30 out of bounds for type 'int8_t [30][64]' Fixes: 15339/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5749441484554240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae021c1239ec3bc0a30dc5a4720569071599ece4) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 1397218bdd..44ff4fa6c6 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -408,7 +408,12 @@ static int fix_coding_method_array(int sb, int channels, } for (k = 0; k < run; k++) { if (j + k < 128) { - if (coding_method[ch][sb + (j + k) / 64][(j + k) % 64] > coding_method[ch][sb][j]) { + int sbjk = sb + (j + k) / 64; + if (sbjk > 29) { + SAMPLES_NEEDED + continue; + } + if (coding_method[ch][sbjk][(j + k) % 64] > coding_method[ch][sb][j]) { if (k > 0) { SAMPLES_NEEDED //not debugged, almost never used From 07975e89d32642e588d7713feed5a949e976e50e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2019 01:01:03 +0200 Subject: [PATCH 0245/1383] avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop Fixes: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: infinite loop Fixes: 15396/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5116605501014016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 694be24bd6c4cc9c62222f4583260bf79056e4c1) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 44ff4fa6c6..1e91f477e8 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1289,6 +1289,10 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, } offset += (n - 2); } else { + if (local_int_10 <= 2) { + av_log(NULL, AV_LOG_ERROR, "qdm2_fft_decode_tones() stuck\n"); + return; + } offset += qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2); while (offset >= (local_int_10 - 1)) { offset += (1 - (local_int_10 - 1)); From 2424d0096e303786fdd4eb6663215f76f8e9da87 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2019 01:01:04 +0200 Subject: [PATCH 0246/1383] avcodec/qdm2: Check checksum_size for 0 Fixes: Infinite loop Fixes: 15337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5757428949319680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b2ebf89a411d957ca999f1e7a919ff617fbfd56) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 1e91f477e8..eaffb36dcc 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1704,8 +1704,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->group_size = bytestream2_get_be32(&gb); s->fft_size = bytestream2_get_be32(&gb); s->checksum_size = bytestream2_get_be32(&gb); - if (s->checksum_size >= 1U << 28) { - av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size); + if (s->checksum_size >= 1U << 28 || !s->checksum_size) { + av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); return AVERROR_INVALIDDATA; } From 4db3ec5e7b1ab08abbe08dbcb7c9de37e8b3dfe4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jun 2019 00:15:03 +0200 Subject: [PATCH 0247/1383] avcodec/4xm: Fix signed integer overflows in idct() Fixes: signed integer overflow: 20242 * 121095 cannot be represented in type 'int' Fixes: 15310/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5737051745419264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bbea155bf7c6ce6d5ae53cc41e44798cad2f39c) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 8e05a4c366..7e6a15e49f 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -158,7 +158,7 @@ typedef struct FourXContext { #define FIX_1_847759065 121095 #define FIX_2_613125930 171254 -#define MULTIPLY(var, const) (((var) * (const)) >> 16) +#define MULTIPLY(var, const) ((int)((var) * (unsigned)(const)) >> 16) static void idct(int16_t block[64]) { From 16f8e50f86ce6c9944f31045dae9639baaadf444 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jun 2019 19:20:43 +0200 Subject: [PATCH 0248/1383] avcodec/rv10: Fix integer overflow in aspect ratio compare Fixes: signed integer overflow: 2040 * 1187872 cannot be represented in type 'int' Fixes: 15368/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV20_fuzzer-5681657136283648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 14fcf42958608223a0be6558fb6e323419c9fc27) Signed-off-by: Michael Niedermayer --- libavcodec/rv10.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 595e217519..3b9ebbe8fa 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -388,9 +388,9 @@ static int rv20_decode_picture_header(RVDecContext *rv) // attempt to keep aspect during typical resolution switches if (!old_aspect.num) old_aspect = (AVRational){1, 1}; - if (2 * new_w * s->height == new_h * s->width) + if (2 * (int64_t)new_w * s->height == (int64_t)new_h * s->width) s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){2, 1}); - if (new_w * s->height == 2 * new_h * s->width) + if ((int64_t)new_w * s->height == 2 * (int64_t)new_h * s->width) s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){1, 2}); ret = ff_set_dimensions(s->avctx, new_w, new_h); From 3e3db69193809d5c1844b0e49f9f8da181492133 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jun 2019 21:53:09 +0200 Subject: [PATCH 0249/1383] avcodec/hq_hqa: Use ff_set_dimensions() Fixes: 15530/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5637370344374272 Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6229fcd405d4135848c83df73634871260de59c) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 90bafdc72a..eec2e980b3 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -254,10 +254,12 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size) width = bytestream2_get_be16(&ctx->gbc); height = bytestream2_get_be16(&ctx->gbc); + ret = ff_set_dimensions(ctx->avctx, width, height); + if (ret < 0) + return ret; + ctx->avctx->coded_width = FFALIGN(width, 16); ctx->avctx->coded_height = FFALIGN(height, 16); - ctx->avctx->width = width; - ctx->avctx->height = height; ctx->avctx->bits_per_raw_sample = 8; ctx->avctx->pix_fmt = AV_PIX_FMT_YUVA422P; From a1416c6c8d1234a53b7e52f45d7f5d613ff8cf10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jun 2019 23:23:25 +0200 Subject: [PATCH 0250/1383] avformat/utils: Check timebase before use in estimate_timings() Fixes: division by 0 Fixes: 15480/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5746727434321920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f57e97dfd9539bc3f4f97a76ebc001f0b055cb88) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 93e588ee1e..8e53bf01c7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2953,6 +2953,7 @@ static void estimate_timings(AVFormatContext *ic, int64_t old_offset) AVStream av_unused *st; for (i = 0; i < ic->nb_streams; i++) { st = ic->streams[i]; + if (st->time_base.den) av_log(ic, AV_LOG_TRACE, "stream %d: start_time: %0.3f duration: %0.3f\n", i, (double) st->start_time * av_q2d(st->time_base), (double) st->duration * av_q2d(st->time_base)); From 6ddb253f79677e2e0594715b1b91720606b0e331 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 17:54:45 +0200 Subject: [PATCH 0251/1383] avcodec/golomb: Correct the doxy about get_ue_golomb() and errors Signed-off-by: Michael Niedermayer (cherry picked from commit 1bb3b3f11c6960e90bcfe685c0ad1e355a3e787e) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 5c25883626..6b11e48793 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -49,6 +49,8 @@ extern const uint8_t ff_interleaved_dirac_golomb_vlc_code[256]; /** * Read an unsigned Exp-Golomb code in the range 0 to 8190. + * + * @returns the read value or a negative error code. */ static inline int get_ue_golomb(GetBitContext *gb) { From 7654e5aa3b6e57f6cf161531af340ae41929fa70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 23:28:13 +0200 Subject: [PATCH 0252/1383] avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows Fixes: signed integer overflow: 2147475672 + 8192 cannot be represented in type 'int' Fixes: 15415/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-5712074128228352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 019d729039aaa164152035864d65d77e53df1c98) Signed-off-by: Michael Niedermayer --- libavcodec/ilbcdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index bba83a5896..a82a27525c 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -724,7 +724,7 @@ static void construct_vector ( int16_t cbvec0[SUBL]; int16_t cbvec1[SUBL]; int16_t cbvec2[SUBL]; - int32_t a32; + unsigned a32; int16_t *gainPtr; int j; @@ -745,9 +745,9 @@ static void construct_vector ( for (j = 0; j < veclen; j++) { a32 = SPL_MUL_16_16(*gainPtr++, cbvec0[j]); a32 += SPL_MUL_16_16(*gainPtr++, cbvec1[j]); - a32 += (unsigned)SPL_MUL_16_16(*gainPtr, cbvec2[j]); + a32 += SPL_MUL_16_16(*gainPtr, cbvec2[j]); gainPtr -= 2; - decvector[j] = (a32 + 8192) >> 14; + decvector[j] = (int)(a32 + 8192) >> 14; } } From 7d4e9074c6aba80a0e08fc26128e3603714ffaad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 11:53:46 +0200 Subject: [PATCH 0253/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/Changelog b/Changelog index 5702f8b264..959a737033 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,42 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. versiob 4.1.4: + avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows + avcodec/golomb: Correct the doxy about get_ue_golomb() and errors + avformat/utils: Check timebase before use in estimate_timings() + avcodec/hq_hqa: Use ff_set_dimensions() + avcodec/rv10: Fix integer overflow in aspect ratio compare + avcodec/4xm: Fix signed integer overflows in idct() + avcodec/qdm2: Check checksum_size for 0 + avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop + avcodec/qdm2: Do not read out of array in fix_coding_method_array() + avcodec/svq3: Use ff_set_dimension() + avcodec/iff: Check ham vs bpp + avcodec/ffwavesynth: use uint32_t to compute difference, it is enough + avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case + avcodec/ffwavesynth: Fix backward lcg_seek() + avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP() + avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff() + avcodec/alac: Check lpc_quant + avcodec/dxv: Initialize tex_funct to NULL + avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP + avcodec/alsdec: Fix integer overflow with buffer number + avcodec/alsdec: Fixes signed integer overflow in LSB addition + avcodec/alsdec: Check opt_order / sb_length in ra_block handling + avcodec/alsdec: Fix integer overflow with shifting samples + avcodec/alsdec: Fix undefined behavior in decode_rice() + avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT() + avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight + avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns + avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check + avformat/aviobuf: Delay buffer downsizing until asserts are met + avcodec/fitsdec: Check data_min/max + avcodec/m101: Fix off be 2 error + avcodec/qdm2: Move fft_order check up + avcodec/libvorbisdec: Check extradata size + avformat/vqf: Check header_size + avcodec/atrac9dec: Check q_unit_cnt in parse_band_ext() + avcodec/atrac9dec: Check that the reused block has succeeded initilization avcodec/utils: Check bits_per_coded_sample avcodec/videodsp_template: Fix overflow of addition avcodec/alsdec: Fix invalid shift in multiply() From 9d06c1f95ebe4f9c2cc05d041dbfd3de52d2518a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 20:10:55 +0200 Subject: [PATCH 0254/1383] Changelog: fix typo Signed-off-by: Michael Niedermayer --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 959a737033..84b557b1b7 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -versiob 4.1.4: +version 4.1.4: avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows avcodec/golomb: Correct the doxy about get_ue_golomb() and errors avformat/utils: Check timebase before use in estimate_timings() From 2ac6315c7c3a0049b02d1d79f7944507fdc4c456 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 7 Nov 2018 04:47:51 +0100 Subject: [PATCH 0255/1383] cbs_h264: Fix handling of auxiliary pictures The earlier code used the most recent non-auxiliary slice to determine whether an auxiliary slice has the syntax of an IDR slice, even when the most recent slice was from a slice of a redundant frame. Now only slices of the primary coded picture are used, as the specifications mandate. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8d1cf2d89481ca986af893425188d065c0f8f857) --- libavcodec/cbs_h264_syntax_template.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index dbf9ff1268..4da4c5da67 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -1190,11 +1190,10 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, "in the same access unit.\n"); return AVERROR_INVALIDDATA; } + idr_pic_flag = h264->last_slice_nal_unit_type == H264_NAL_IDR_SLICE; } else { - h264->last_slice_nal_unit_type = - current->nal_unit_header.nal_unit_type; + idr_pic_flag = current->nal_unit_header.nal_unit_type == H264_NAL_IDR_SLICE; } - idr_pic_flag = h264->last_slice_nal_unit_type == H264_NAL_IDR_SLICE; ue(first_mb_in_slice, 0, H264_MAX_MB_PIC_SIZE - 1); ue(slice_type, 0, 9); @@ -1272,6 +1271,13 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, if (pps->redundant_pic_cnt_present_flag) ue(redundant_pic_cnt, 0, 127); + else + infer(redundant_pic_cnt, 0); + + if (current->nal_unit_header.nal_unit_type != H264_NAL_AUXILIARY_SLICE + && !current->redundant_pic_cnt) + h264->last_slice_nal_unit_type = + current->nal_unit_header.nal_unit_type; if (slice_type_b) flag(direct_spatial_mv_pred_flag); From 7dc2366533d63df9d46be5ea3ec066e1977898d4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 15 Apr 2019 17:46:53 -0300 Subject: [PATCH 0256/1383] avcodec/cbs: add helper functions and macros to read and write signed values Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 5006dcdf9af177444e3e0185640d7d84629e4215) --- libavcodec/cbs.c | 79 +++++++++++++++++++++++++++++++++++++++ libavcodec/cbs_internal.h | 20 +++++++++- 2 files changed, 98 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index ecbf57c293..3152b13b1a 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c @@ -502,6 +502,85 @@ int ff_cbs_write_unsigned(CodedBitstreamContext *ctx, PutBitContext *pbc, return 0; } +int ff_cbs_read_signed(CodedBitstreamContext *ctx, GetBitContext *gbc, + int width, const char *name, + const int *subscripts, int32_t *write_to, + int32_t range_min, int32_t range_max) +{ + int32_t value; + int position; + + av_assert0(width > 0 && width <= 32); + + if (get_bits_left(gbc) < width) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at " + "%s: bitstream ended.\n", name); + return AVERROR_INVALIDDATA; + } + + if (ctx->trace_enable) + position = get_bits_count(gbc); + + value = get_sbits_long(gbc, width); + + if (ctx->trace_enable) { + char bits[33]; + int i; + for (i = 0; i < width; i++) + bits[i] = value & (1U << (width - i - 1)) ? '1' : '0'; + bits[i] = 0; + + ff_cbs_trace_syntax_element(ctx, position, name, subscripts, + bits, value); + } + + if (value < range_min || value > range_max) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "%s out of range: " + "%"PRId32", but must be in [%"PRId32",%"PRId32"].\n", + name, value, range_min, range_max); + return AVERROR_INVALIDDATA; + } + + *write_to = value; + return 0; +} + +int ff_cbs_write_signed(CodedBitstreamContext *ctx, PutBitContext *pbc, + int width, const char *name, + const int *subscripts, int32_t value, + int32_t range_min, int32_t range_max) +{ + av_assert0(width > 0 && width <= 32); + + if (value < range_min || value > range_max) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "%s out of range: " + "%"PRId32", but must be in [%"PRId32",%"PRId32"].\n", + name, value, range_min, range_max); + return AVERROR_INVALIDDATA; + } + + if (put_bits_left(pbc) < width) + return AVERROR(ENOSPC); + + if (ctx->trace_enable) { + char bits[33]; + int i; + for (i = 0; i < width; i++) + bits[i] = value & (1U << (width - i - 1)) ? '1' : '0'; + bits[i] = 0; + + ff_cbs_trace_syntax_element(ctx, put_bits_count(pbc), + name, subscripts, bits, value); + } + + if (width < 32) + put_sbits(pbc, width, value); + else + put_bits32(pbc, value); + + return 0; +} + int ff_cbs_alloc_unit_content(CodedBitstreamContext *ctx, CodedBitstreamUnit *unit, diff --git a/libavcodec/cbs_internal.h b/libavcodec/cbs_internal.h index 53f2e5d187..dd4babf092 100644 --- a/libavcodec/cbs_internal.h +++ b/libavcodec/cbs_internal.h @@ -81,10 +81,28 @@ int ff_cbs_write_unsigned(CodedBitstreamContext *ctx, PutBitContext *pbc, const int *subscripts, uint32_t value, uint32_t range_min, uint32_t range_max); -// The largest value representable in N bits, suitable for use as +int ff_cbs_read_signed(CodedBitstreamContext *ctx, GetBitContext *gbc, + int width, const char *name, + const int *subscripts, int32_t *write_to, + int32_t range_min, int32_t range_max); + +int ff_cbs_write_signed(CodedBitstreamContext *ctx, PutBitContext *pbc, + int width, const char *name, + const int *subscripts, int32_t value, + int32_t range_min, int32_t range_max); + +// The largest unsigned value representable in N bits, suitable for use as // range_max in the above functions. #define MAX_UINT_BITS(length) ((UINT64_C(1) << (length)) - 1) +// The largest signed value representable in N bits, suitable for use as +// range_max in the above functions. +#define MAX_INT_BITS(length) ((INT64_C(1) << ((length) - 1)) - 1) + +// The smallest signed value representable in N bits, suitable for use as +// range_min in the above functions. +#define MIN_INT_BITS(length) (-(INT64_C(1) << ((length) - 1))) + extern const CodedBitstreamType ff_cbs_type_av1; extern const CodedBitstreamType ff_cbs_type_h264; From 94b1630b7ca34964aa873a59540ecd895a1bf9e6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 15 Apr 2019 17:48:55 -0300 Subject: [PATCH 0257/1383] avcodec/cbs_h2645: add helper macros for signed values Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 3dc6adf326c8cd6c7fc830ccb8def8772835c676) --- libavcodec/cbs_h2645.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index e55bd00183..64f1e5813a 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -255,6 +255,8 @@ static int cbs_write_se_golomb(CodedBitstreamContext *ctx, PutBitContext *pbc, #define flag(name) u(1, name, 0, 1) #define ue(name, range_min, range_max) \ xue(name, current->name, range_min, range_max, 0) +#define i(width, name, range_min, range_max) \ + xi(width, name, current->name, range_min, range_max, 0) #define se(name, range_min, range_max) \ xse(name, current->name, range_min, range_max, 0) @@ -264,6 +266,8 @@ static int cbs_write_se_golomb(CodedBitstreamContext *ctx, PutBitContext *pbc, xu(1, name, current->name, 0, 1, subs, __VA_ARGS__) #define ues(name, range_min, range_max, subs, ...) \ xue(name, current->name, range_min, range_max, subs, __VA_ARGS__) +#define is(width, name, range_min, range_max, subs, ...) \ + xi(width, name, current->name, range_min, range_max, subs, __VA_ARGS__) #define ses(name, range_min, range_max, subs, ...) \ xse(name, current->name, range_min, range_max, subs, __VA_ARGS__) @@ -291,6 +295,13 @@ static int cbs_write_se_golomb(CodedBitstreamContext *ctx, PutBitContext *pbc, &value, range_min, range_max)); \ var = value; \ } while (0) +#define xi(width, name, var, range_min, range_max, subs, ...) do { \ + int32_t value = range_min; \ + CHECK(ff_cbs_read_signed(ctx, rw, width, #name, \ + SUBSCRIPTS(subs, __VA_ARGS__), \ + &value, range_min, range_max)); \ + var = value; \ + } while (0) #define xse(name, var, range_min, range_max, subs, ...) do { \ int32_t value = range_min; \ CHECK(cbs_read_se_golomb(ctx, rw, #name, \ @@ -338,6 +349,7 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc) #undef READWRITE #undef RWContext #undef xu +#undef xi #undef xue #undef xse #undef infer @@ -362,6 +374,12 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc) SUBSCRIPTS(subs, __VA_ARGS__), \ value, range_min, range_max)); \ } while (0) +#define xi(width, name, var, range_min, range_max, subs, ...) do { \ + int32_t value = var; \ + CHECK(ff_cbs_write_signed(ctx, rw, width, #name, \ + SUBSCRIPTS(subs, __VA_ARGS__), \ + value, range_min, range_max)); \ + } while (0) #define xse(name, var, range_min, range_max, subs, ...) do { \ int32_t value = var; \ CHECK(cbs_write_se_golomb(ctx, rw, #name, \ @@ -402,9 +420,11 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc) #undef READWRITE #undef RWContext #undef xu +#undef xi #undef xue #undef xse #undef u +#undef i #undef flag #undef ue #undef se From a2132139852c57e71c731d10e5dc20e97342c289 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 15 Apr 2019 17:50:01 -0300 Subject: [PATCH 0258/1383] avcodec/cbs_h264: fix storage type for time_offset in Pic Timing SEI The spec defines it as a signed value. Reviewed-by: Mark Thompson Signed-off-by: James Almer (cherry picked from commit 9bf520d04d6137d0772e019356356614bbf7ca82) --- libavcodec/cbs_h264.h | 2 +- libavcodec/cbs_h264_syntax_template.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_h264.h b/libavcodec/cbs_h264.h index 92277e4750..b5eee7c370 100644 --- a/libavcodec/cbs_h264.h +++ b/libavcodec/cbs_h264.h @@ -253,7 +253,7 @@ typedef struct H264RawSEIPicTimestamp { uint8_t minutes_value; uint8_t hours_flag; uint8_t hours_value; - uint32_t time_offset; + int32_t time_offset; } H264RawSEIPicTimestamp; typedef struct H264RawSEIPicTiming { diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 4da4c5da67..07b4cddb5e 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -592,8 +592,9 @@ static int FUNC(sei_pic_timestamp)(CodedBitstreamContext *ctx, RWContext *rw, time_offset_length = 24; if (time_offset_length > 0) - u(time_offset_length, time_offset, - 0, MAX_UINT_BITS(time_offset_length)); + i(time_offset_length, time_offset, + MIN_INT_BITS(time_offset_length), + MAX_INT_BITS(time_offset_length)); else infer(time_offset, 0); From 84b94fdd05d24f161f6559bfef63a8db049e0cc7 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 10 Dec 2018 02:18:56 +0100 Subject: [PATCH 0259/1383] lavc/cbs_vp9: Make variable prob unsigned. Silences a warning with clang: libavcodec/cbs_vp9_syntax_template.c:220:17: warning: implicit conversion from 'int' to 'int8_t' (aka 'signed char') changes value from 255 to -1 (cherry picked from commit de441ad52a4d9791d93c278b4cf6867815c28b92) --- libavcodec/cbs_vp9.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index c03ce986c0..f145694e22 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -305,7 +305,7 @@ static int cbs_vp9_write_le(CodedBitstreamContext *ctx, PutBitContext *pbc, #define prob(name, subs, ...) do { \ uint8_t prob_coded; \ - int8_t prob; \ + uint8_t prob; \ xf(1, name.prob_coded, prob_coded, subs, __VA_ARGS__); \ if (prob_coded) \ xf(8, name.prob, prob, subs, __VA_ARGS__); \ From b3b5941ec7b4c1dbb059b0cd85db3c659d5c8039 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 17 Dec 2018 14:39:41 +0100 Subject: [PATCH 0260/1383] lavc/cbs: Do not use format specifier "z" on Windows. (cherry picked from commit 0b7269e62d0345fec5f1ee9ee7b960e8d25c5dd1) --- libavcodec/cbs_av1.c | 10 +++++----- libavcodec/cbs_vp9.c | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index e4e3964118..80628c72ba 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -795,7 +795,7 @@ static int cbs_av1_split_fragment(CodedBitstreamContext *ctx, if (INT_MAX / 8 < size) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid fragment: " - "too large (%zu bytes).\n", size); + "too large (%"SIZE_SPECIFIER" bytes).\n", size); err = AVERROR_INVALIDDATA; goto fail; } @@ -819,7 +819,7 @@ static int cbs_av1_split_fragment(CodedBitstreamContext *ctx, if (get_bits_left(&gbc) < 8) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid OBU: fragment " - "too short (%zu bytes).\n", size); + "too short (%"SIZE_SPECIFIER" bytes).\n", size); err = AVERROR_INVALIDDATA; goto fail; } @@ -835,7 +835,7 @@ static int cbs_av1_split_fragment(CodedBitstreamContext *ctx, if (size < obu_length) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid OBU length: " - "%"PRIu64", but only %zu bytes remaining in fragment.\n", + "%"PRIu64", but only %"SIZE_SPECIFIER" bytes remaining in fragment.\n", obu_length, size); err = AVERROR_INVALIDDATA; goto fail; @@ -950,7 +950,7 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, } else { if (unit->data_size < 1 + obu->header.obu_extension_flag) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid OBU length: " - "unit too short (%zu).\n", unit->data_size); + "unit too short (%"SIZE_SPECIFIER").\n", unit->data_size); return AVERROR_INVALIDDATA; } obu->obu_size = unit->data_size - 1 - obu->header.obu_extension_flag; @@ -1256,7 +1256,7 @@ static int cbs_av1_write_unit(CodedBitstreamContext *ctx, if (err < 0) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " "sufficiently large write buffer (last attempt " - "%zu bytes).\n", priv->write_buffer_size); + "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); return err; } } diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index f145694e22..0b5f137ed8 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -457,7 +457,7 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, } if (pos + index_size != frag->data_size) { av_log(ctx->log_ctx, AV_LOG_WARNING, "Extra padding at " - "end of superframe: %zu bytes.\n", + "end of superframe: %"SIZE_SPECIFIER" bytes.\n", frag->data_size - (pos + index_size)); } @@ -538,7 +538,7 @@ static int cbs_vp9_write_unit(CodedBitstreamContext *ctx, if (err < 0) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Unable to allocate a " "sufficiently large write buffer (last attempt " - "%zu bytes).\n", priv->write_buffer_size); + "%"SIZE_SPECIFIER" bytes).\n", priv->write_buffer_size); return err; } } From ae5c80b9cae8716085eaacd887c28378ae99233b Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 22 May 2019 03:04:38 +0200 Subject: [PATCH 0261/1383] avcodec/cbs_mpeg2: fix leak of extra_information_slice buffer in cbs_mpeg2_read_slice_header() cbs_mpeg2_free_slice() calls av_buffer_unref() on extra_information_ref, meaning allocating with av_malloc() was not the intention. Signed-off-by: James Almer (cherry picked from commit d903c09d9a5c641223f0810d24161520e977544a) --- libavcodec/cbs_mpeg2_syntax_template.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index 88cf453b17..672ff66141 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c @@ -361,10 +361,11 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, current->extra_information_length = k; if (k > 0) { *rw = start; - current->extra_information = - av_malloc(current->extra_information_length); - if (!current->extra_information) + current->extra_information_ref = + av_buffer_alloc(current->extra_information_length); + if (!current->extra_information_ref) return AVERROR(ENOMEM); + current->extra_information = current->extra_information_ref->data; for (k = 0; k < current->extra_information_length; k++) { xui(1, extra_bit_slice, bit, 0); xui(8, extra_information_slice[k], From b010caa6c9e85657c2032046773cb1a816a5b1da Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 22 May 2019 03:04:32 +0200 Subject: [PATCH 0262/1383] cbs_mpeg2: Improve checks for invalid values MPEG-2 contains several elements that mustn't be zero according to the specifications: horizontal/vertical_size_value, aspect_ratio_information, frame_rate_code, the quantiser matrices, the colour_description elements, picture_coding_type, the f_code[r][s] values and quantiser_scale_code. It is now checked that the invalid values don't occur. The colour_description elements are treated specially in this regard: Given that there are files in the wild which use illegal values for the colour_description elements (some of them created by mpeg2_metadata), they will be corrected to the value meaning "unknown" (namely 2) during reading. This has been done in such a way that trace_headers will nevertheless report the original value, together with a message about the fixup. Furthermore, the trace_headers output of user_data has been beautified. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9c3f2a8894a66d6b5b9285caa25f91fbfca7b3bc) --- libavcodec/cbs_mpeg2.c | 16 ++++--- libavcodec/cbs_mpeg2_syntax_template.c | 64 ++++++++++++++++---------- 2 files changed, 50 insertions(+), 30 deletions(-) diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index 0df4234b12..3e7bfb4610 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c @@ -41,20 +41,24 @@ #define SUBSCRIPTS(subs, ...) (subs > 0 ? ((int[subs + 1]){ subs, __VA_ARGS__ }) : NULL) #define ui(width, name) \ - xui(width, name, current->name, 0) + xui(width, name, current->name, 0, MAX_UINT_BITS(width), 0) +#define uir(width, name) \ + xui(width, name, current->name, 1, MAX_UINT_BITS(width), 0) #define uis(width, name, subs, ...) \ - xui(width, name, current->name, subs, __VA_ARGS__) + xui(width, name, current->name, 0, MAX_UINT_BITS(width), subs, __VA_ARGS__) +#define uirs(width, name, subs, ...) \ + xui(width, name, current->name, 1, MAX_UINT_BITS(width), subs, __VA_ARGS__) #define READ #define READWRITE read #define RWContext GetBitContext -#define xui(width, name, var, subs, ...) do { \ +#define xui(width, name, var, range_min, range_max, subs, ...) do { \ uint32_t value = 0; \ CHECK(ff_cbs_read_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ - &value, 0, (1 << width) - 1)); \ + &value, range_min, range_max)); \ var = value; \ } while (0) @@ -81,10 +85,10 @@ #define READWRITE write #define RWContext PutBitContext -#define xui(width, name, var, subs, ...) do { \ +#define xui(width, name, var, range_min, range_max, subs, ...) do { \ CHECK(ff_cbs_write_unsigned(ctx, rw, width, #name, \ SUBSCRIPTS(subs, __VA_ARGS__), \ - var, 0, (1 << width) - 1)); \ + var, range_min, range_max)); \ } while (0) #define marker_bit() do { \ diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index 672ff66141..98c44dd048 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c @@ -26,14 +26,14 @@ static int FUNC(sequence_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(8, sequence_header_code); - ui(12, horizontal_size_value); - ui(12, vertical_size_value); + uir(12, horizontal_size_value); + uir(12, vertical_size_value); mpeg2->horizontal_size = current->horizontal_size_value; mpeg2->vertical_size = current->vertical_size_value; - ui(4, aspect_ratio_information); - ui(4, frame_rate_code); + uir(4, aspect_ratio_information); + uir(4, frame_rate_code); ui(18, bit_rate_value); marker_bit(); @@ -44,13 +44,13 @@ static int FUNC(sequence_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(1, load_intra_quantiser_matrix); if (current->load_intra_quantiser_matrix) { for (i = 0; i < 64; i++) - uis(8, intra_quantiser_matrix[i], 1, i); + uirs(8, intra_quantiser_matrix[i], 1, i); } ui(1, load_non_intra_quantiser_matrix); if (current->load_non_intra_quantiser_matrix) { for (i = 0; i < 64; i++) - uis(8, non_intra_quantiser_matrix[i], 1, i); + uirs(8, non_intra_quantiser_matrix[i], 1, i); } return 0; @@ -79,7 +79,7 @@ static int FUNC(user_data)(CodedBitstreamContext *ctx, RWContext *rw, #endif for (k = 0; k < current->user_data_length; k++) - xui(8, user_data, current->user_data[k], 0); + uis(8, user_data[k], 1, k); return 0; } @@ -125,9 +125,25 @@ static int FUNC(sequence_display_extension)(CodedBitstreamContext *ctx, RWContex ui(1, colour_description); if (current->colour_description) { - ui(8, colour_primaries); - ui(8, transfer_characteristics); - ui(8, matrix_coefficients); +#ifdef READ +#define READ_AND_PATCH(name) do { \ + ui(8, name); \ + if (current->name == 0) { \ + current->name = 2; \ + av_log(ctx->log_ctx, AV_LOG_WARNING, "%s in a sequence display " \ + "extension had the invalid value 0. Setting it to 2 " \ + "(meaning unknown) instead.\n", #name); \ + } \ + } while (0) + READ_AND_PATCH(colour_primaries); + READ_AND_PATCH(transfer_characteristics); + READ_AND_PATCH(matrix_coefficients); +#undef READ_AND_PATCH +#else + uir(8, colour_primaries); + uir(8, transfer_characteristics); + uir(8, matrix_coefficients); +#endif } ui(14, display_horizontal_size); @@ -163,7 +179,7 @@ static int FUNC(picture_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(8, picture_start_code); ui(10, temporal_reference); - ui(3, picture_coding_type); + uir(3, picture_coding_type); ui(16, vbv_delay); if (current->picture_coding_type == 2 || @@ -190,10 +206,10 @@ static int FUNC(picture_coding_extension)(CodedBitstreamContext *ctx, RWContext HEADER("Picture Coding Extension"); - ui(4, f_code[0][0]); - ui(4, f_code[0][1]); - ui(4, f_code[1][0]); - ui(4, f_code[1][1]); + uir(4, f_code[0][0]); + uir(4, f_code[0][1]); + uir(4, f_code[1][0]); + uir(4, f_code[1][1]); ui(2, intra_dc_precision); ui(2, picture_structure); @@ -250,25 +266,25 @@ static int FUNC(quant_matrix_extension)(CodedBitstreamContext *ctx, RWContext *r ui(1, load_intra_quantiser_matrix); if (current->load_intra_quantiser_matrix) { for (i = 0; i < 64; i++) - uis(8, intra_quantiser_matrix[i], 1, i); + uirs(8, intra_quantiser_matrix[i], 1, i); } ui(1, load_non_intra_quantiser_matrix); if (current->load_non_intra_quantiser_matrix) { for (i = 0; i < 64; i++) - uis(8, non_intra_quantiser_matrix[i], 1, i); + uirs(8, non_intra_quantiser_matrix[i], 1, i); } ui(1, load_chroma_intra_quantiser_matrix); if (current->load_chroma_intra_quantiser_matrix) { for (i = 0; i < 64; i++) - uis(8, intra_quantiser_matrix[i], 1, i); + uirs(8, intra_quantiser_matrix[i], 1, i); } ui(1, load_chroma_non_intra_quantiser_matrix); if (current->load_chroma_non_intra_quantiser_matrix) { for (i = 0; i < 64; i++) - uis(8, chroma_non_intra_quantiser_matrix[i], 1, i); + uirs(8, chroma_non_intra_quantiser_matrix[i], 1, i); } return 0; @@ -342,7 +358,7 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, ui(7, priority_breakpoint); } - ui(5, quantiser_scale_code); + uir(5, quantiser_scale_code); if (nextbits(1, 1, current->slice_extension_flag)) { ui(1, slice_extension_flag); @@ -367,16 +383,16 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, return AVERROR(ENOMEM); current->extra_information = current->extra_information_ref->data; for (k = 0; k < current->extra_information_length; k++) { - xui(1, extra_bit_slice, bit, 0); + xui(1, extra_bit_slice, bit, 1, 1, 0); xui(8, extra_information_slice[k], - current->extra_information[k], 1, k); + current->extra_information[k], 0, 255, 1, k); } } #else for (k = 0; k < current->extra_information_length; k++) { - xui(1, extra_bit_slice, 1, 0); + xui(1, extra_bit_slice, 1, 1, 1, 0); xui(8, extra_information_slice[k], - current->extra_information[k], 1, k); + current->extra_information[k], 0, 255, 1, k); } #endif } From 1b6bcee9fe6f59a2d8c11c18711d65d744b0b5aa Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 22 May 2019 03:04:34 +0200 Subject: [PATCH 0263/1383] cbs_mpeg2: Fix storage type for frame_centre_*_offset The frame_centre_horizontal/vertical_offset values contained in picture display extensions are actually signed values (i.e. it is possible to indicate that the display device should add black bars/pillars). The files sony-ct3.bs and tcela-6.bits (which are both used in fate tests for mpeg2_metadata) contain picture display extensions; the former even contains a negative frame_centre_vertical_offset. Fortunately, the old code did not damage the picture display extensions when one did a cycle of reading and writing. For the same reason the fate tests needn't be updated either. Furthermore these fields now use the trace output for matrices. Signed-off-by: Andreas Rheinhardt (cherry picked from commit de5880383967f44927c599ab16fa0f4f96b38365) --- libavcodec/cbs_mpeg2.c | 20 ++++++++++++++++++++ libavcodec/cbs_mpeg2.h | 4 ++-- libavcodec/cbs_mpeg2_syntax_template.c | 4 ++-- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/libavcodec/cbs_mpeg2.c b/libavcodec/cbs_mpeg2.c index 3e7bfb4610..5e0757e8ee 100644 --- a/libavcodec/cbs_mpeg2.c +++ b/libavcodec/cbs_mpeg2.c @@ -48,6 +48,8 @@ xui(width, name, current->name, 0, MAX_UINT_BITS(width), subs, __VA_ARGS__) #define uirs(width, name, subs, ...) \ xui(width, name, current->name, 1, MAX_UINT_BITS(width), subs, __VA_ARGS__) +#define sis(width, name, subs, ...) \ + xsi(width, name, current->name, subs, __VA_ARGS__) #define READ @@ -62,6 +64,15 @@ var = value; \ } while (0) +#define xsi(width, name, var, subs, ...) do { \ + int32_t value; \ + CHECK(ff_cbs_read_signed(ctx, rw, width, #name, \ + SUBSCRIPTS(subs, __VA_ARGS__), &value, \ + MIN_INT_BITS(width), \ + MAX_INT_BITS(width))); \ + var = value; \ + } while (0) + #define marker_bit() do { \ av_unused uint32_t one; \ CHECK(ff_cbs_read_unsigned(ctx, rw, 1, "marker_bit", NULL, &one, 1, 1)); \ @@ -77,6 +88,7 @@ #undef READWRITE #undef RWContext #undef xui +#undef xsi #undef marker_bit #undef nextbits @@ -91,6 +103,13 @@ var, range_min, range_max)); \ } while (0) +#define xsi(width, name, var, subs, ...) do { \ + CHECK(ff_cbs_write_signed(ctx, rw, width, #name, \ + SUBSCRIPTS(subs, __VA_ARGS__), var, \ + MIN_INT_BITS(width), \ + MAX_INT_BITS(width))); \ + } while (0) + #define marker_bit() do { \ CHECK(ff_cbs_write_unsigned(ctx, rw, 1, "marker_bit", NULL, 1, 1, 1)); \ } while (0) @@ -103,6 +122,7 @@ #undef READWRITE #undef RWContext #undef xui +#undef xsi #undef marker_bit #undef nextbits diff --git a/libavcodec/cbs_mpeg2.h b/libavcodec/cbs_mpeg2.h index 92caa99dc1..69eb10fc08 100644 --- a/libavcodec/cbs_mpeg2.h +++ b/libavcodec/cbs_mpeg2.h @@ -164,8 +164,8 @@ typedef struct MPEG2RawQuantMatrixExtension { } MPEG2RawQuantMatrixExtension; typedef struct MPEG2RawPictureDisplayExtension { - uint16_t frame_centre_horizontal_offset[3]; - uint16_t frame_centre_vertical_offset[3]; + int16_t frame_centre_horizontal_offset[3]; + int16_t frame_centre_vertical_offset[3]; } MPEG2RawPictureDisplayExtension; typedef struct MPEG2RawExtensionData { diff --git a/libavcodec/cbs_mpeg2_syntax_template.c b/libavcodec/cbs_mpeg2_syntax_template.c index 98c44dd048..1b5419d7c5 100644 --- a/libavcodec/cbs_mpeg2_syntax_template.c +++ b/libavcodec/cbs_mpeg2_syntax_template.c @@ -299,9 +299,9 @@ static int FUNC(picture_display_extension)(CodedBitstreamContext *ctx, RWContext HEADER("Picture Display Extension"); for (i = 0; i < mpeg2->number_of_frame_centre_offsets; i++) { - ui(16, frame_centre_horizontal_offset[i]); + sis(16, frame_centre_horizontal_offset[i], 1, i); marker_bit(); - ui(16, frame_centre_vertical_offset[i]); + sis(16, frame_centre_vertical_offset[i], 1, i); marker_bit(); } From 1fbe0286e4091dd4cdc0694965d92c42b98cacf1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jul 2019 10:13:08 -0300 Subject: [PATCH 0264/1383] avformat/aacdec: factorize the adts frame resync code Signed-off-by: James Almer (cherry picked from commit a38eab8b7501440f872ff1af8a0c5482b7b3e532) --- libavformat/aacdec.c | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index e23abd0abf..66fa49ac26 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -80,10 +80,31 @@ static int adts_aac_probe(AVProbeData *p) return 0; } +static int adts_aac_resync(AVFormatContext *s) +{ + uint16_t state; + + // skip data until an ADTS frame is found + state = avio_r8(s->pb); + while (!avio_feof(s->pb) && avio_tell(s->pb) < s->probesize) { + state = (state << 8) | avio_r8(s->pb); + if ((state >> 4) != 0xFFF) + continue; + avio_seek(s->pb, -2, SEEK_CUR); + break; + } + if (s->pb->eof_reached) + return AVERROR_EOF; + if ((state >> 4) != 0xFFF) + return AVERROR_INVALIDDATA; + + return 0; +} + static int adts_aac_read_header(AVFormatContext *s) { AVStream *st; - uint16_t state; + int ret; st = avformat_new_stream(s, NULL); if (!st) @@ -101,17 +122,9 @@ static int adts_aac_read_header(AVFormatContext *s) avio_seek(s->pb, cur, SEEK_SET); } - // skip data until the first ADTS frame is found - state = avio_r8(s->pb); - while (!avio_feof(s->pb) && avio_tell(s->pb) < s->probesize) { - state = (state << 8) | avio_r8(s->pb); - if ((state >> 4) != 0xFFF) - continue; - avio_seek(s->pb, -2, SEEK_CUR); - break; - } - if ((state >> 4) != 0xFFF) - return AVERROR_INVALIDDATA; + ret = adts_aac_resync(s); + if (ret < 0) + return ret; // LCM of all possible ADTS sample rates avpriv_set_pts_info(st, 64, 1, 28224000); From a21a9c78637ac1d86dd272214b6fc2008aef4db1 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jul 2019 21:47:55 -0300 Subject: [PATCH 0265/1383] avformat/aacdec: resync to the next adts frame on invalid data instead of aborting Should fix ticket #6634 Signed-off-by: James Almer (cherry picked from commit 881e1f5a6227a6fbaf67083d4d4b6caf58ff9892) --- libavformat/aacdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index 66fa49ac26..09fbab2766 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -190,9 +190,9 @@ retry: } if (!ff_id3v2_match(pkt->data, ID3v2_DEFAULT_MAGIC)) { av_packet_unref(pkt); - return AVERROR_INVALIDDATA; - } - ret = handle_id3(s, pkt); + ret = adts_aac_resync(s); + } else + ret = handle_id3(s, pkt); if (ret < 0) return ret; From 6e0cf9a9df4a21df89825427914e38bd4c6216ba Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 5 Jun 2019 04:18:54 +0200 Subject: [PATCH 0266/1383] cbs_h2645: Fix infinite loop in more_rbsp_data cbs_h2645_read_more_rbsp_data does not handle malformed input very well: 1. If there were <= 8 bits left in the bitreader, these bits were read via show_bits. But show_bits requires the number of bits to be read to be > 0 (internally it shifts by 32 - number of bits to be read which is undefined behaviour if said number is zero; there is also an assert for this, but it is only an av_assert2). Furthermore, in this case a shift by -1 was performed which is of course undefined behaviour, too. 2. If there were > 0 and <= 8 bits left and all of them were zero (this can only happen for defective input), it was reported that there was further RBSP data. This can lead to an infinite loop in H.265's cbs_h265_read_extension_data corresponding to the [vsp]ps_extension_data_flag syntax elements. If the relevant flag indicates the (potential) occurence of these syntax elements, while all bits after this flag are zero, cbs_h2645_read_more_rbsp_data always returns 1 on x86. Given that a checked bitstream reader is used, we are also not "saved" by an overflow in the bitstream reader's index. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d4035ca849bdb90e95c87e2737a99ea657be0716) --- libavcodec/cbs_h2645.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index 64f1e5813a..e929a8011d 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -320,9 +320,11 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc) int bits_left = get_bits_left(gbc); if (bits_left > 8) return 1; - if (show_bits(gbc, bits_left) == 1 << (bits_left - 1)) + if (bits_left == 0) return 0; - return 1; + if (show_bits(gbc, bits_left) & MAX_UINT_BITS(bits_left - 1)) + return 1; + return 0; } #define more_rbsp_data(var) ((var) = cbs_h2645_read_more_rbsp_data(rw)) From 0c904c0d3ff85ed5f634ff3e3202d5c1cd4a95d1 Mon Sep 17 00:00:00 2001 From: Mark Harris Date: Sat, 24 Nov 2018 13:02:02 -0800 Subject: [PATCH 0267/1383] avutil/mem: Fix invalid use of av_alloc_size The alloc_size attribute is valid only on functions that return a pointer. GCC 9 (not yet released) warns about invalid usage: ./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes] 342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); | ^~~~~~~~~~~~~ Signed-off-by: Michael Niedermayer (cherry picked from commit 4361293fcf59edb56879c36edcd25f0a91e0edf8) --- libavutil/mem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.h b/libavutil/mem.h index 7e0b12a8a7..b5c637ecf3 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -339,7 +339,7 @@ av_alloc_size(2, 3) void *av_realloc_array(void *ptr, size_t nmemb, size_t size) * @warning Unlike av_malloc(), the allocated memory is not guaranteed to be * correctly aligned. */ -av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); +int av_reallocp_array(void *ptr, size_t nmemb, size_t size); /** * Reallocate the given buffer if it is not large enough, otherwise do nothing. From a12e40e0213fa221dd08f0bd09423afcc667313c Mon Sep 17 00:00:00 2001 From: Stefan Schoenefeld Date: Fri, 2 Aug 2019 09:18:10 +0000 Subject: [PATCH 0268/1383] avcodec/h263dec: fix hwaccel decoding Recently we encountered an issue when decoding a h.263 file: FFmpeg will freeze when decoding h.263 video with NVDEC. Turns out this is not directly related to NVDEC but is a problem that shows with several other HW decoders like VDPAU, though the exact kind of error is different (either error messages or freezing[1]). The root cause is that ff_thread_finish_setup() is called twice per frame from ff_h263_decode_frame(). This is not supported by ff_thread_finish_setup() and specifically checked for and warned against in the functions code. The issue is also specific to hw accelerated decoding only as the second call to ff_thread_finish_setup() is only issued when hw acceleration is on. The fix is simple: add a check that the first call is only send when hw acceleration is off, and the second call only when hw acceleration is on (see attached patch). This works fine as far as I was able to test with vdpau and nvdec/nvcuvid hw decoding. The patch also adds NVDEC to the hw config list if available. I also noticed a secondary issue when browsing through the code which is that, according to documentation, ff_thread_finish_setup() should only be called if the codec implements update_thread_context(), which h263dec does not. The patch does not address this and I'm not sure any action needs to be taken here at all. [1] This is depending on whether or not the hw decoder sets the HWACCEL_CAPS_ASYNC_SAFE flag Signed-off-by: Timo Rothenpieler --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 2cf01e3d98..2d136ff0db 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -614,7 +614,7 @@ retry: if ((ret = ff_mpv_frame_start(s, avctx)) < 0) return ret; - if (!s->divx_packed) + if (!s->divx_packed && !avctx->hwaccel) ff_thread_finish_setup(avctx); if (avctx->hwaccel) { From 02537719538b71cb2b51fdb4a59c99fd9dbd2d09 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 19 Jun 2019 13:41:01 +0200 Subject: [PATCH 0269/1383] lavc/tableprint_vlc: Remove avpriv_request_sample() from included files. Fixes compilation with --enable-hardcoded-tables. Fixes ticket #7962. (cherry picked from commit c8232e50074f6f9f9b0674d0a5433f49d73a4e50) --- libavcodec/tableprint_vlc.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h index 3004be3f9c..b3ff36562b 100644 --- a/libavcodec/tableprint_vlc.h +++ b/libavcodec/tableprint_vlc.h @@ -36,6 +36,7 @@ #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H #define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this +#define avpriv_request_sample(...) #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" From 60094fc2f552aace794395648110408a6eb825ad Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 1 Jul 2019 00:37:08 +0200 Subject: [PATCH 0270/1383] lavf/rawenc: Only accept the appropriate stream type for raw muxers. This does not affect the rawvideo muxer. Fixes ticket #7979. (cherry picked from commit aef24efb0c1e65097ab77a4bf9264189bdf3ace3) --- libavformat/rawenc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/rawenc.c b/libavformat/rawenc.c index 993d232b70..32704f9bfd 100644 --- a/libavformat/rawenc.c +++ b/libavformat/rawenc.c @@ -39,6 +39,18 @@ static int force_one_stream(AVFormatContext *s) s->oformat->name); return AVERROR(EINVAL); } + if ( s->oformat->audio_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_AUDIO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one audio stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } + if ( s->oformat->video_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one video stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } return 0; } From 11cce24e04e186e29360fd0142db4f2af461c5b6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 22 Sep 2019 23:55:49 -0300 Subject: [PATCH 0271/1383] avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it This can happen when av_bsf_free() is called on av_bsf_alloc() failure. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit d889ae33962e4ad2b24175418fe89d72ce712179) --- libavcodec/bsf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/bsf.c b/libavcodec/bsf.c index 03841da682..58c184e22a 100644 --- a/libavcodec/bsf.c +++ b/libavcodec/bsf.c @@ -47,7 +47,8 @@ void av_bsf_free(AVBSFContext **pctx) av_opt_free(ctx); - av_packet_free(&ctx->internal->buffer_pkt); + if (ctx->internal) + av_packet_free(&ctx->internal->buffer_pkt); av_freep(&ctx->internal); av_freep(&ctx->priv_data); From fe1064f7795415c47f4ca45717225e97f98262b7 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Mon, 23 Sep 2019 15:47:27 +0200 Subject: [PATCH 0272/1383] avcodec/nvenc: add driver version info for latest SDKs Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index e180d7b993..059bb71175 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -119,7 +119,27 @@ static int nvenc_print_error(void *log_ctx, NVENCSTATUS err, static void nvenc_print_driver_requirement(AVCodecContext *avctx, int level) { -#if NVENCAPI_CHECK_VERSION(8, 1) +#if NVENCAPI_CHECK_VERSION(9, 2) + const char *minver = "(unknown)"; +#elif NVENCAPI_CHECK_VERSION(9, 1) +# if defined(_WIN32) || defined(__CYGWIN__) + const char *minver = "436.15"; +# else + const char *minver = "435.21"; +# endif +#elif NVENCAPI_CHECK_VERSION(9, 0) +# if defined(_WIN32) || defined(__CYGWIN__) + const char *minver = "418.81"; +# else + const char *minver = "418.30"; +# endif +#elif NVENCAPI_CHECK_VERSION(8, 2) +# if defined(_WIN32) || defined(__CYGWIN__) + const char *minver = "397.93"; +# else + const char *minver = "396.24"; +#endif +#elif NVENCAPI_CHECK_VERSION(8, 1) # if defined(_WIN32) || defined(__CYGWIN__) const char *minver = "390.77"; # else From 3ecbb180ef3b0524459d9bea9260c94356055b0e Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 25 Sep 2019 14:21:07 -0300 Subject: [PATCH 0273/1383] aformat/movenc: add missing padding to output track extradata Fixes ticket #8183. Tested-by: Thierry Foucu Signed-off-by: James Almer (cherry picked from commit 58aa0ed8f10753ee90f4a4a1f4f3da803cf7c145) --- libavformat/movenc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 2a45302ebb..1a1bd9eaad 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5298,12 +5298,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) !TAG_IS_AVCI(trk->tag) && (par->codec_id != AV_CODEC_ID_DNXHD)) { trk->vos_len = par->extradata_size; - trk->vos_data = av_malloc(trk->vos_len); + trk->vos_data = av_malloc(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, par->extradata, trk->vos_len); + memset(trk->vos_data + trk->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (par->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && @@ -5380,12 +5381,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) par->codec_id == AV_CODEC_ID_AC3) && !trk->vos_len) { /* copy frame to create needed atoms */ trk->vos_len = size; - trk->vos_data = av_malloc(size); + trk->vos_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, pkt->data, size); + memset(trk->vos_data + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (trk->entry >= trk->cluster_capacity) { @@ -6007,12 +6009,13 @@ static int mov_create_dvd_sub_decoder_specific_info(MOVTrack *track, cur += strspn(cur, "\n\r"); } if (have_palette) { - track->vos_data = av_malloc(16*4); + track->vos_data = av_malloc(16*4 + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); for (i = 0; i < 16; i++) { AV_WB32(track->vos_data + i * 4, palette[i]); } + memset(track->vos_data + 16*4, 0, AV_INPUT_BUFFER_PADDING_SIZE); track->vos_len = 16 * 4; } st->codecpar->width = width; @@ -6364,11 +6367,12 @@ static int mov_write_header(AVFormatContext *s) mov_create_dvd_sub_decoder_specific_info(track, st); else if (!TAG_IS_AVCI(track->tag) && st->codecpar->codec_id != AV_CODEC_ID_DNXHD) { track->vos_len = st->codecpar->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) { return AVERROR(ENOMEM); } memcpy(track->vos_data, st->codecpar->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } } @@ -6624,10 +6628,11 @@ static int mov_write_trailer(AVFormatContext *s) AVCodecParameters *par = track->par; track->vos_len = par->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); memcpy(track->vos_data, par->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } mov->need_rewrite_extradata = 0; } From 4fbeaaa2208e723707bcc8bed7cac4e3a7da5359 Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Sat, 21 Sep 2019 19:29:47 +0800 Subject: [PATCH 0274/1383] lavc/mpeg4audio: add chan_config check to avoid indeterminate channels add chan_config check to avoid indeterminate channels. Signed-off-by: Jun Zhao Signed-off-by: James Almer (cherry picked from commit 333109f46961946d3c6fab05210a8d543697c91b) --- libavcodec/mpeg4audio.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c index 219714752f..2dbd972eaf 100644 --- a/libavcodec/mpeg4audio.c +++ b/libavcodec/mpeg4audio.c @@ -93,6 +93,10 @@ int ff_mpeg4audio_get_config_gb(MPEG4AudioConfig *c, GetBitContext *gb, c->chan_config = get_bits(gb, 4); if (c->chan_config < FF_ARRAY_ELEMS(ff_mpeg4audio_channels)) c->channels = ff_mpeg4audio_channels[c->chan_config]; + else { + av_log(NULL, AV_LOG_ERROR, "Invalid chan_config %d\n", c->chan_config); + return AVERROR_INVALIDDATA; + } c->sbr = -1; c->ps = -1; if (c->object_type == AOT_SBR || (c->object_type == AOT_PS && From 4df5dfabcc1c2ff332ba3d9a6d68ec21df2c1ac4 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 17 Nov 2019 01:27:44 +0100 Subject: [PATCH 0275/1383] avcodec/nvenc: make sure newly allocated packets are refcounted Fixes ticket 8383 Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 059bb71175..fd13217738 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1856,7 +1856,11 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur goto error; } - if (res = ff_alloc_packet2(avctx, pkt, lock_params.bitstreamSizeInBytes,0)) { + res = pkt->data ? + ff_alloc_packet2(avctx, pkt, lock_params.bitstreamSizeInBytes, lock_params.bitstreamSizeInBytes) : + av_new_packet(pkt, lock_params.bitstreamSizeInBytes); + + if (res < 0) { p_nvenc->nvEncUnlockBitstream(ctx->nvencoder, tmpoutsurf->output_surface); goto error; } From 08d3cc2f1dafe406b257d1daaae82ccae5d5378e Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 19 Nov 2019 19:42:48 -0300 Subject: [PATCH 0276/1383] avcodec/amfnec: allocate packets using av_new_packet() This ensures they will be reference counted, as required by the AVCodec.receive_packet() API. Should fix ticket #8386. Signed-off-by: James Almer (cherry picked from commit fdf46b4a6b36dd8551adc29c455326b1a13b4acb) --- libavcodec/amfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amfenc.c b/libavcodec/amfenc.c index 384d8efc92..5af1cd002f 100644 --- a/libavcodec/amfenc.c +++ b/libavcodec/amfenc.c @@ -438,7 +438,7 @@ static int amf_copy_buffer(AVCodecContext *avctx, AVPacket *pkt, AMFBuffer *buff int64_t timestamp = AV_NOPTS_VALUE; int64_t size = buffer->pVtbl->GetSize(buffer); - if ((ret = ff_alloc_packet2(avctx, pkt, size, 0)) < 0) { + if ((ret = av_new_packet(pkt, size)) < 0) { return ret; } memcpy(pkt->data, buffer->pVtbl->GetNative(buffer), size); From 7c1b403365904c28e26b37db78eb3535eec79005 Mon Sep 17 00:00:00 2001 From: Cameron Cawley Date: Wed, 10 Jul 2019 10:27:02 +0200 Subject: [PATCH 0277/1383] avformat/rpl: Replace strcpy with av_strlcpy Signed-off-by: Michael Niedermayer (cherry picked from commit 94d45a13c7e893538ca59bf6605a772c13f64f95) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 6b45b35c30..2b099882cf 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -192,7 +192,7 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->channels = read_line_and_int(pb, &error); // number of audio channels error |= read_line(pb, line, sizeof(line)); ast->codecpar->bits_per_coded_sample = read_int(line, &endptr, &error); // audio bits per sample - strcpy(audio_type, endptr); + av_strlcpy(audio_type, endptr, RPL_LINE_LENGTH); // At least one sample uses 0 for ADPCM, which is really 4 bits // per sample. if (ast->codecpar->bits_per_coded_sample == 0) From e8b0f20e515327949fa8e2ec56d4605c2f54dcc5 Mon Sep 17 00:00:00 2001 From: James Zern Date: Tue, 9 Jul 2019 19:03:58 -0700 Subject: [PATCH 0278/1383] avcodec/utils, avcodec_open2: close codec on failure after a successful init if the function fails for another reason close the codec without requiring FF_CODEC_CAP_INIT_CLEANUP which is meant to cover init failures themselves. fixes a memory leak in those cases. BUG=oss-fuzz:15529 Signed-off-by: James Zern Signed-off-by: Michael Niedermayer (cherry picked from commit b1febda061955c6f4bfbc1a75918b5e75e7d7f80) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index e82cb43dbb..d006794b1d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -538,6 +538,7 @@ int attribute_align_arg ff_codec_open2_recursive(AVCodecContext *avctx, const AV int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *codec, AVDictionary **options) { int ret = 0; + int codec_init_ok = 0; AVDictionary *tmp = NULL; const AVPixFmtDescriptor *pixdesc; @@ -931,6 +932,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (ret < 0) { goto free_and_end; } + codec_init_ok = 1; } ret=0; @@ -1019,7 +1021,8 @@ end: return ret; free_and_end: if (avctx->codec && - (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP)) + (codec_init_ok || + (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); if (codec->priv_class && codec->priv_data_size) From 41c9e6128cefff06d406d6c455e80bb3df4bed27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2019 20:02:24 +0200 Subject: [PATCH 0279/1383] avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame() Fixes: left shift of negative value -456 Fixes: 15561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5758130404720640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 1dbb67d39b21ed320edd2b1599b502518250cfd3) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 3be2f79a5a..d7baac2f04 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -364,8 +364,9 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data, for(j = 0; j < SAMPLES_PER_BAND; j += SAMPLES_PER_BAND / 2){ cnt = get_vlc2(gb, q1_vlc.table, MPC8_Q1_BITS, 2); t = mpc8_get_mask(gb, 18, cnt); - for(k = 0; k < SAMPLES_PER_BAND / 2; k++, t <<= 1) - c->Q[ch][off + j + k] = (t & 0x20000) ? (get_bits1(gb) << 1) - 1 : 0; + for(k = 0; k < SAMPLES_PER_BAND / 2; k++) + c->Q[ch][off + j + k] = t & (1 << (SAMPLES_PER_BAND / 2 - k - 1)) + ? (get_bits1(gb) << 1) - 1 : 0; } break; case 2: From ec806c3da8fe7ff4fce7f0fc3c369dd974af3e79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jul 2019 23:25:07 +0200 Subject: [PATCH 0280/1383] avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation) Fixes: null pointer dereference Fixes: 15464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5681391150301184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6aaa01afe4fb774d0767684aa00f075b0ee5fca6) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 3 --- libavcodec/huffyuvenc.c | 2 -- 2 files changed, 5 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 66357bfb40..17c9679cb4 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -418,9 +418,6 @@ static av_cold int decode_init(AVCodecContext *avctx) case 0x0F0: avctx->pix_fmt = AV_PIX_FMT_GRAY16; break; - case 0x170: - avctx->pix_fmt = AV_PIX_FMT_GRAY8A; - break; case 0x470: avctx->pix_fmt = AV_PIX_FMT_GBRP; break; diff --git a/libavcodec/huffyuvenc.c b/libavcodec/huffyuvenc.c index 8be752844b..1b88826595 100644 --- a/libavcodec/huffyuvenc.c +++ b/libavcodec/huffyuvenc.c @@ -268,7 +268,6 @@ FF_ENABLE_DEPRECATION_WARNINGS case AV_PIX_FMT_YUVA420P: case AV_PIX_FMT_YUVA422P: case AV_PIX_FMT_GBRAP: - case AV_PIX_FMT_GRAY8A: case AV_PIX_FMT_YUV420P9: case AV_PIX_FMT_YUV420P10: case AV_PIX_FMT_YUV420P12: @@ -1122,7 +1121,6 @@ AVCodec ff_ffvhuff_encoder = { AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY16, AV_PIX_FMT_YUVA420P, AV_PIX_FMT_YUVA422P, AV_PIX_FMT_YUVA444P, AV_PIX_FMT_GBRAP, - AV_PIX_FMT_GRAY8A, AV_PIX_FMT_YUV420P9, AV_PIX_FMT_YUV420P10, AV_PIX_FMT_YUV420P12, AV_PIX_FMT_YUV420P14, AV_PIX_FMT_YUV420P16, AV_PIX_FMT_YUV422P9, AV_PIX_FMT_YUV422P10, AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV422P14, AV_PIX_FMT_YUV422P16, AV_PIX_FMT_YUV444P9, AV_PIX_FMT_YUV444P10, AV_PIX_FMT_YUV444P12, AV_PIX_FMT_YUV444P14, AV_PIX_FMT_YUV444P16, From fe36a3005b11714d5f29fcdaa4aca3346aa03415 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 23:02:36 +0200 Subject: [PATCH 0281/1383] avcodec/pngdec: Check that previous_picture has same w/h/format Fixes: out of array access Fixes: 15540/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5684905029140480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 18c808ffbed81ea580fe6ddd6524dd7bea3f8d0e) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 189bb9a4c1..268312c572 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1391,6 +1391,9 @@ exit_loop: if (CONFIG_PNG_DECODER && avctx->codec_id != AV_CODEC_ID_APNG) handle_p_frame_png(s, p); else if (CONFIG_APNG_DECODER && + s->previous_picture.f->width == p->width && + s->previous_picture.f->height== p->height && + s->previous_picture.f->format== p->format && avctx->codec_id == AV_CODEC_ID_APNG && (ret = handle_p_frame_apng(avctx, s, p)) < 0) goto fail; From 24ed399e57bb0f65bff482eec4336938846652e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2019 20:12:41 +0200 Subject: [PATCH 0282/1383] avformat/xmv: Make bitrate 64bit Fixes: signed integer overflow: 32 * 538976288 cannot be represented in type 'int' Fixes: 15633/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5752273981931520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 39a6a79bcbe3c2d239ed207a34c5fb3ca7bfdaf0) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index b974e5a6e6..96c7f0372c 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -79,7 +79,7 @@ typedef struct XMVAudioPacket { uint16_t channels; ///< Number of channels. int32_t sample_rate; ///< Sampling rate. uint16_t bits_per_sample; ///< Bits per compressed sample. - uint32_t bit_rate; ///< Bits of compressed data per second. + uint64_t bit_rate; ///< Bits of compressed data per second. uint16_t flags; ///< Flags unsigned block_align; ///< Bytes per compressed block. uint16_t block_samples; ///< Decompressed samples per compressed block. @@ -191,7 +191,7 @@ static int xmv_read_header(AVFormatContext *s) packet->bits_per_sample = avio_rl16(pb); packet->flags = avio_rl16(pb); - packet->bit_rate = packet->bits_per_sample * + packet->bit_rate = (uint64_t)packet->bits_per_sample * packet->sample_rate * packet->channels; packet->block_align = XMV_BLOCK_ALIGN_SIZE * packet->channels; From 5c2cbf36ddcaf09a6b0e1a73950f0a6905837bba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2019 19:57:08 +0200 Subject: [PATCH 0283/1383] avcodec/ivi: Ask for samples with odd tiles Fixes: Assertion failure Fixes: 15422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5676625481433088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a7e02cf3ad6f6eaae07fa68ecb93014e1dfd224e) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index 19a3798718..17ed53caac 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -429,6 +429,10 @@ av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes, t_height = !p ? tile_height : (tile_height + 3) >> 2; if (!p && planes[0].num_bands == 4) { + if (t_width % 2 || t_height % 2) { + avpriv_request_sample(NULL, "Odd tiles"); + return AVERROR_PATCHWELCOME; + } t_width >>= 1; t_height >>= 1; } From a6d1e2c40a47258991b20fbb82d675a3513f22ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 09:21:52 +0200 Subject: [PATCH 0284/1383] avcodec/parser: Check next index validity in ff_combine_frame() Fixes: out of array access Fixes: 15522/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DNXHD_fuzzer-5747756078989312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15008db0fac6d97bb939fa7ef9e92d79bf1f7cb1) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 0a994a3f30..3e19810a94 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -245,6 +245,9 @@ int ff_combine_frame(ParseContext *pc, int next, for (; pc->overread > 0; pc->overread--) pc->buffer[pc->index++] = pc->buffer[pc->overread_index++]; + if (next > *buf_size) + return AVERROR(EINVAL); + /* flush remaining if EOF */ if (!*buf_size && next == END_NOT_FOUND) next = 0; From 6d3c6e8b961d02bead240a4f8f5a5201fe5102d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 21:34:18 +0200 Subject: [PATCH 0285/1383] avcodec/atrac9dec: Check conditions before apply_band_extension() to avoid out of array read in initialization of unused variables Fixes: global-buffer-overflow Fixes: 15247/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5671602181636096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c5f265bb2468c3e0996329ada11b2792dd9bd1a2) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index ff4991a573..0794b6d210 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -539,9 +539,6 @@ static inline void apply_band_extension(ATRAC9Context *s, ATRAC9BlockData *b, at9_q_unit_to_coeff_idx[g_units[3]], }; - if (!b->has_band_ext || !b->has_band_ext_data) - return; - for (int ch = 0; ch <= stereo; ch++) { ATRAC9ChannelData *c = &b->channel[ch]; @@ -751,7 +748,9 @@ static int atrac9_decode_block(ATRAC9Context *s, GetBitContext *gb, apply_intensity_stereo(s, b, stereo); apply_scalefactors (s, b, stereo); - apply_band_extension (s, b, stereo); + + if (b->has_band_ext && b->has_band_ext_data) + apply_band_extension (s, b, stereo); imdct: for (int i = 0; i <= stereo; i++) { From 6c821c1dee5a05da4daff5ffd219c1d30bf20617 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 22:19:22 +0200 Subject: [PATCH 0286/1383] avcodec/h264_refs: Also check reference in ff_h264_build_ref_list() Fixes: out of array read Fixes: 15409/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5758846959616000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d3581e6bbec309ca0cc617c37cf6e87547764ef) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index eaf965e43d..74087ff266 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -373,9 +373,11 @@ int ff_h264_build_ref_list(H264Context *h, H264SliceContext *sl) av_assert0(0); } - if (i < 0) { + if (i < 0 || mismatches_ref(h, ref)) { av_log(h->avctx, AV_LOG_ERROR, - "reference picture missing during reorder\n"); + i < 0 ? "reference picture missing during reorder\n" : + "mismatching reference\n" + ); memset(&sl->ref_list[list][index], 0, sizeof(sl->ref_list[0][0])); // FIXME } else { for (i = index; i + 1 < sl->ref_count[list]; i++) { From b60455c715a34951654a6aa742a3139e63aad2d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:01:19 +0200 Subject: [PATCH 0287/1383] avformat/utils: Check rfps_duration_sum for overflow Fixes: signed integer overflow: 9151595917793558550 + 297519050751678697 cannot be represented in type 'long' Fixes: 15496/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5722866475073536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c46fdf305caac8bf2f270e69e60ae3d614df468) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 8e53bf01c7..01f47caf1e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3348,8 +3348,10 @@ int ff_rfps_add_frame(AVFormatContext *ic, AVStream *st, int64_t ts) } } } - st->info->duration_count++; - st->info->rfps_duration_sum += duration; + if (st->info->rfps_duration_sum <= INT64_MAX - duration) { + st->info->duration_count++; + st->info->rfps_duration_sum += duration; + } if (st->info->duration_count % 10 == 0) { int n = st->info->duration_count; From 01f9c1540ae8c56ab67200a3e6ec471e3b5febb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 09:51:46 +0200 Subject: [PATCH 0288/1383] avcodec/dnxhd_parser: remove unneeded code Signed-off-by: Michael Niedermayer (cherry picked from commit 1707dbdf49b22021b0845482806b881093534f2f) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhd_parser.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c index 7c16e251a4..f657af8f41 100644 --- a/libavcodec/dnxhd_parser.c +++ b/libavcodec/dnxhd_parser.c @@ -81,8 +81,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, } dctx->remaining = remaining; if (buf_size - i + 47 >= dctx->remaining) { - int remaining = dctx->remaining; - pc->frame_start_found = 0; pc->state64 = -1; dctx->cur_byte = 0; From cacf998071dcf6f780bc8c8ca05c96adbecd2339 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 11:51:09 +0200 Subject: [PATCH 0289/1383] avcodec/dnxhd_parser: Fix parser when input does not have nicely sized packets Fixes: out of array access Fixes: 15522/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DNXHD_fuzzer-5747756078989312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d900d8fe0aaf9c984e024956eb537ecdfe2c949) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhd_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c index f657af8f41..67a717db62 100644 --- a/libavcodec/dnxhd_parser.c +++ b/libavcodec/dnxhd_parser.c @@ -79,8 +79,9 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, if (remaining <= 0) continue; } + remaining += i - 47; dctx->remaining = remaining; - if (buf_size - i + 47 >= dctx->remaining) { + if (buf_size >= dctx->remaining) { pc->frame_start_found = 0; pc->state64 = -1; dctx->cur_byte = 0; From d69822bd9ac843c5f4e86bbff652366973bf1375 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 00:35:47 +0200 Subject: [PATCH 0290/1383] avcodec/ffwavesynth: Check sample rate before use Fixes: division by zero Fixes: 15725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5641231956180992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit c95857a4237d7a0c55378a44f51d2d809f3bc8f5) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 793eada7a5..1dbfaa5847 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -270,7 +270,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) dt = in->ts_end - in->ts_start; switch (in->type) { case WS_SINE: - if (edata_end - edata < 20) + if (edata_end - edata < 20 || avc->sample_rate <= 0) return AVERROR(EINVAL); f1 = AV_RL32(edata + 0); f2 = AV_RL32(edata + 4); From 8e2a5f951ff7346a2102a0a0a8d5e924cb8be859 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 00:35:48 +0200 Subject: [PATCH 0291/1383] avcodec/ffwavesynth: More correct cast in wavesynth_seek() Fixes: signed integer overflow: 553590816 - -9223372036315799520 cannot be represented in type 'long' Fixes: 15743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5705835377852416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit f4605770af712dd9d7b0136fe298f8aa52101011) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 1dbfaa5847..94a843e3ca 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -215,7 +215,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) ws->next_inter = i; ws->next_ts = i < ws->nb_inter ? ws->inter[i].ts_start : INF_TS; *last = -1; - lcg_seek(&ws->dither_state, (uint32_t)ts - ws->cur_ts); + lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); From dda10a29952a60ce3e75572bbeb865f6974ecf6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 00:35:49 +0200 Subject: [PATCH 0292/1383] avcodec/ffwavesynth: Check if there is enough extradata before allocation Fixes: OOM Fixes: 15750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5702090367696896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 65bac4a7825e1f2bbf4112569ffa363cc1fdbce5) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 94a843e3ca..b319b3341a 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -247,7 +247,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) edata_end = edata + avc->extradata_size; ws->nb_inter = AV_RL32(edata); edata += 4; - if (ws->nb_inter < 0) + if (ws->nb_inter < 0 || (edata_end - edata) / 24 < ws->nb_inter) return AVERROR(EINVAL); ws->inter = av_calloc(ws->nb_inter, sizeof(*ws->inter)); if (!ws->inter) From ee2abfe7d4b9177102525a068821a2b523280bea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Jul 2019 00:07:59 +0200 Subject: [PATCH 0293/1383] avcodec/dvbsubdec: Use ff_set_dimensions() Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15740/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5641749164195840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5941b7f615b0c0cab0d8f8613b918de75d3c1222) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index bc4a17bde0..6e7e13b6eb 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1578,8 +1578,9 @@ static int dvbsub_parse_display_definition_segment(AVCodecContext *avctx, display_def->width = bytestream_get_be16(&buf) + 1; display_def->height = bytestream_get_be16(&buf) + 1; if (!avctx->width || !avctx->height) { - avctx->width = display_def->width; - avctx->height = display_def->height; + int ret = ff_set_dimensions(avctx, display_def->width, display_def->height); + if (ret < 0) + return ret; } if (info_byte & 1<<3) { // display_window_flag From 6a7e27f675e77297611137f0a5bd71454234e1e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 23:01:04 +0200 Subject: [PATCH 0294/1383] avcodec/flicvideo: Make line_packets int Fixes: signed integer overflow: -32768 * 196032 cannot be represented in type 'int' Fixes: 15300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5733319519502336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54bd47f861e8cdc74aea816ebfbbaac25fefd0d1) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index c0e1e16bcd..99868f3ba3 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -175,7 +175,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, int lines; int compressed_lines; int starting_line; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; @@ -274,7 +274,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; @@ -508,7 +508,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, int lines; int compressed_lines; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; @@ -572,7 +572,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if (line_packets < 0) { line_packets = -line_packets; if (line_packets > s->avctx->height) @@ -806,7 +806,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, int lines; int compressed_lines; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; @@ -870,7 +870,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if (line_packets < 0) { line_packets = -line_packets; if (line_packets > s->avctx->height) From 882dee37cc91466b3744e7d7bc60793b75fdd0e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 23:20:30 +0200 Subject: [PATCH 0295/1383] avcodec/alsdec: Fix 2 integer overflows Fixes: signed integer overflow: 1270564968 + 904828220 cannot be represented in type 'int' Fixes: 15402/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5755426823471104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9cd0d94f59d05e7bfaae9690e827752e7717eda3) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 5eb2a58aaf..8201deb366 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -507,7 +507,7 @@ static void parcor_to_lpc(unsigned int k, const int32_t *par, int32_t *cof) int i, j; for (i = 0, j = k - 1; i < j; i++, j--) { - int tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20); + unsigned tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20); cof[j] += ((MUL64(par[k], cof[i]) + (1 << 19)) >> 20); cof[i] += tmp1; } @@ -980,7 +980,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = -opt_order; sb < 0; sb++) - y += MUL64(lpc_cof[sb], raw_samples[sb]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[sb]); *raw_samples -= y >> 20; } From aee5c9494de81c6d0fe17c258b87aa9f3f63d844 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 00:03:51 +0200 Subject: [PATCH 0296/1383] avcodec/alsdec: fix undefined shift in multiply() Fixes: left shift of negative value -6 Fixes: 15564/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5701655938465792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b880b3b236ddd00f85ea502b4c17a145fd26c790) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 8201deb366..6b5774175b 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1416,7 +1416,7 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { return_val = 0x80000000U; } - return_val |= (a.exp + b.exp + bit_count - 47) << 23; + return_val |= ((unsigned)av_clip(a.exp + b.exp + bit_count - 47, -126, 127) << 23) & 0x7F800000; return_val |= mantissa; return av_bits2sf_ieee754(return_val); } From 14b5fa9e4e9076f92ec479a13bbc57baa7498663 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 10:54:13 +0200 Subject: [PATCH 0297/1383] avcodec/apedec: Fix multiple integer overflows in predictor_update_filter() Fixes: signed integer overflow: -829262115 + -1410750414 cannot be represented in type 'int' Fixes: 15251/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5651742252859392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0af08cb803844b9eba4ff3e552c26452ec6fa7d2) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index eb31fd70c1..63335f542c 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1142,7 +1142,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayB - 3] * p->coeffsB[filter][3] + p->buf[delayB - 4] * p->coeffsB[filter][4]; - p->lastA[filter] = decoded + ((predictionA + (predictionB >> 1)) >> 10); + p->lastA[filter] = decoded + ((int)((unsigned)predictionA + (predictionB >> 1)) >> 10); p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); sign = APESIGN(decoded); From f02de2f599890d1e9df767eb9a68018be8197e6a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 11:32:10 +0200 Subject: [PATCH 0298/1383] avcodec/apedec: Fix various integer overflows Fixes: signed integer overflow: -538976267 * 31 cannot be represented in type 'int' Fixes: left shift of 65312 by 16 places cannot be represented in type 'int' Fixes: 15255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718831688843264 Fixes: 15547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5691384901664768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 240bf0e5960fca424e43b7ab1048897fdecabf26) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 63335f542c..7cf99a00b1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -554,7 +554,7 @@ static inline int ape_decode_value_3990(APEContext *ctx, APERice *rice) overflow = range_get_symbol(ctx, counts_3980, counts_diff_3980); if (overflow == (MODEL_ELEMENTS - 1)) { - overflow = range_decode_bits(ctx, 16) << 16; + overflow = (unsigned)range_decode_bits(ctx, 16) << 16; overflow |= range_decode_bits(ctx, 16); } @@ -1130,7 +1130,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA - 3] * p->coeffsA[filter][3]; /* Apply a scaled first-order filter compression */ - p->buf[delayB] = p->filterA[filter ^ 1] - ((p->filterB[filter] * 31) >> 5); + p->buf[delayB] = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5); p->buf[adaptB] = APESIGN(p->buf[delayB]); p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1]; p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]); @@ -1143,7 +1143,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayB - 4] * p->coeffsB[filter][4]; p->lastA[filter] = decoded + ((int)((unsigned)predictionA + (predictionB >> 1)) >> 10); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); p->coeffsA[filter][0] += p->buf[adaptA ] * sign; @@ -1229,7 +1229,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) p->buf = p->historybuffer; } - p->filterA[0] = currentA + ((p->filterA[0] * 31) >> 5); + p->filterA[0] = currentA + ((int)(p->filterA[0] * 31U) >> 5); *(decoded0++) = p->filterA[0]; } From 61632a78dba25482712a9402fdbbf2b66007ec4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 14:47:58 +0200 Subject: [PATCH 0299/1383] avutil/softfloat_ieee754: Fix odd bit position for exponent and sign in av_bits2sf_ieee754() Signed-off-by: Michael Niedermayer (cherry picked from commit 82e389d066923412dd945543418e8cb6c63d0997) Signed-off-by: Michael Niedermayer --- libavutil/softfloat_ieee754.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat_ieee754.h b/libavutil/softfloat_ieee754.h index b8957fb0a9..3398aa18be 100644 --- a/libavutil/softfloat_ieee754.h +++ b/libavutil/softfloat_ieee754.h @@ -64,7 +64,7 @@ static inline SoftFloat_IEEE754 av_int2sf_ieee754(int64_t n, int e) { * by the IEEE 754 spec. */ static inline SoftFloat_IEEE754 av_bits2sf_ieee754(uint32_t n) { - return ((SoftFloat_IEEE754) { (n & 0x80000000UL), (n & 0x7FFFFFUL), (n & 0x7F800000UL) }); + return ((SoftFloat_IEEE754) { (n & 0x80000000UL) >> 31, (n & 0x7FFFFFUL), (int8_t)((n & 0x7F800000UL) >> 23)}); } /** Convert the softfloat to integer From 19866e4d63d60d2f09e66e0ef38fe146ceb3f959 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 23:16:12 +0200 Subject: [PATCH 0300/1383] avcodec/vorbisdec: amplitude bits can be more than 25 bits Fixes: assertion failure, invalid shift Fixes: 15583/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5640157484548096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 308771a73870863d1b4f630234fbb5bc7aec8252) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 00e9cd8a13..7f2d27d1a2 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1097,13 +1097,14 @@ static int vorbis_floor0_decode(vorbis_context *vc, { vorbis_floor0 *vf = &vfu->t0; float *lsp = vf->lsp; - unsigned amplitude, book_idx; + unsigned book_idx; + uint64_t amplitude; unsigned blockflag = vc->modes[vc->mode_number].blockflag; if (!vf->amplitude_bits) return 1; - amplitude = get_bits(&vc->gb, vf->amplitude_bits); + amplitude = get_bits64(&vc->gb, vf->amplitude_bits); if (amplitude > 0) { float last = 0; unsigned idx, lsp_len = 0; @@ -1181,7 +1182,7 @@ static int vorbis_floor0_decode(vorbis_context *vc, /* calculate linear floor value */ q = exp((((amplitude*vf->amplitude_offset) / - (((1 << vf->amplitude_bits) - 1) * sqrt(p + q))) + (((1ULL << vf->amplitude_bits) - 1) * sqrt(p + q))) - vf->amplitude_offset) * .11512925f); /* fill vector */ From c24ff0743fdb7366e634a67f7d2f57c17ccda479 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 23:23:53 +0200 Subject: [PATCH 0301/1383] avcodec/vorbisdec: Check vlc for floor0 dec vector offset Fixes: out of array access Fixes: 15649/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5729191309344768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99f95f39c6978f0d91e42b3bced126a98173dbef) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 7f2d27d1a2..a86d4c4c36 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1128,8 +1128,10 @@ static int vorbis_floor0_decode(vorbis_context *vc, ff_dlog(NULL, "floor0 dec: maximum depth: %d\n", codebook.maxdepth); /* read temp vector */ vec_off = get_vlc2(&vc->gb, codebook.vlc.table, - codebook.nb_bits, codebook.maxdepth) - * codebook.dimensions; + codebook.nb_bits, codebook.maxdepth); + if (vec_off < 0) + return AVERROR_INVALIDDATA; + vec_off *= codebook.dimensions; ff_dlog(NULL, "floor0 dec: vector offset: %d\n", vec_off); /* copy each vector component and add last to it */ for (idx = 0; idx < codebook.dimensions; ++idx) From 7cfc42151e235392562fcfb025b8da03287b5bda Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 22:50:42 +0200 Subject: [PATCH 0302/1383] tools/target_dec_fuzzer: Free parser in case of avcodec_open2() failure Fixes: memleak Fixes: part of 15529/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-5140143700180992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 508ce5839e0bf78ce8813eb1b38cce0d416a408e) Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index a94d5e6a92..d8b1a049ff 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -191,6 +191,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (res < 0) { av_free(ctx); av_free(parser_avctx); + av_parser_close(parser); return 0; // Failure of avcodec_open2() does not imply that a issue was found } parser_avctx->codec_id = ctx->codec_id; From f2c01cc90b36e0efa60cc335bc910746d53e46ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Jul 2019 00:08:55 +0200 Subject: [PATCH 0303/1383] avcodec/utils: Check close before calling it Fixes: NULL pointer dereference Fixes: 15733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDF_fuzzer-5658616977162240 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8df6884832ec413cf032dfaa45c23b1c7876670c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d006794b1d..d3ddcbca9d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1020,7 +1020,7 @@ end: return ret; free_and_end: - if (avctx->codec && + if (avctx->codec && avctx->codec->close && (codec_init_ok || (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); From bf28f5f36747290bd0c35f6b8751c800d7b1c750 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:39:23 +0200 Subject: [PATCH 0304/1383] avcodec/utils: fix leak of subtitle_header on error path Fixes: memleak Fixes: 15528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_STL_fuzzer-5735993371525120 Fixes: 15792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SAMI_fuzzer-5737754232619008 Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 923d5c489fd4ffd0b9dbfdc6c14f594bd134ab47) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d3ddcbca9d..2e2283ffea 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1037,6 +1037,7 @@ FF_ENABLE_DEPRECATION_WARNINGS av_dict_free(&tmp); av_freep(&avctx->priv_data); + av_freep(&avctx->subtitle_header); if (avctx->internal) { av_frame_free(&avctx->internal->to_free); av_frame_free(&avctx->internal->compat_decode_frame); From b68589b40a44cf4b933ba4a35fc4834a01116aef Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Thu, 25 Jul 2019 15:54:49 -0700 Subject: [PATCH 0305/1383] lafv/wavdec: Fail bext parsing on incomplete reads avio_read can successfully return even when less than the requested amount of input was read. wavdec's bext parsing mistakenly assumed a successful avio_read always read the full amount that was requested. The result could be dictionary tags populated with partially uninitialized values. This change also fixes a broken assertion in wav_parse_bext_string that was off-by-one, though no known current usage of that method hits that broken case. Chromium bug: 987270 Signed-off-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index e280be4d44..08b6f27e9d 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -232,9 +232,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key, char temp[257]; int ret; - av_assert0(length <= sizeof(temp)); - if ((ret = avio_read(s->pb, temp, length)) < 0) - return ret; + av_assert0(length < sizeof(temp)); + if ((ret = avio_read(s->pb, temp, length)) != length) + return ret < 0 ? ret : AVERROR_INVALIDDATA; temp[length] = 0; @@ -303,8 +303,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) if (!(coding_history = av_malloc(size + 1))) return AVERROR(ENOMEM); - if ((ret = avio_read(s->pb, coding_history, size)) < 0) - return ret; + if ((ret = avio_read(s->pb, coding_history, size)) != size) { + av_free(coding_history); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } coding_history[size] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, From 904a8616a598924baf1abf5ffb9dbc80da8f1f54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 14:16:16 +0200 Subject: [PATCH 0306/1383] avcodec/brenderpix: Check input size before allocating image An incomplete image is not supported prior to this and will not produce any output. This commit moves the failure before time consuming operations. Fixes: Timeout (81sec -> 76ms) Fixes: 15723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BRENDER_PIX_fuzzer-5147265653538816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 38b6c48c4300343f4703019a90a332773e64e11b) Signed-off-by: Michael Niedermayer --- libavcodec/brenderpix.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/brenderpix.c b/libavcodec/brenderpix.c index 0556858de1..46b7a59aa4 100644 --- a/libavcodec/brenderpix.c +++ b/libavcodec/brenderpix.c @@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, avpriv_request_sample(avctx, "Format %d", hdr.format); return AVERROR_PATCHWELCOME; } + bytes_per_scanline = bytes_pp * hdr.width; + + if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline) + return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0) return ret; @@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(&gb, 8); // read the image data to the buffer - bytes_per_scanline = bytes_pp * hdr.width; bytes_left = bytestream2_get_bytes_left(&gb); if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left || From 16f98b9c29e01dc34fd7fffd8c4a9587fb9c5671 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2019 22:55:15 +0200 Subject: [PATCH 0307/1383] avcodec/assdec: undefined use of memcpy() Fixes: null pointer passed as argument 2, which is declared to never be null Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 (this is a separate issue found in this testcase) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 47b6ca0b022a413e392707464f2423795aa89bfb) Signed-off-by: Michael Niedermayer --- libavcodec/assdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/assdec.c b/libavcodec/assdec.c index 3178f2953c..f0b1069cd2 100644 --- a/libavcodec/assdec.c +++ b/libavcodec/assdec.c @@ -31,7 +31,8 @@ static av_cold int ass_decode_init(AVCodecContext *avctx) avctx->subtitle_header = av_malloc(avctx->extradata_size + 1); if (!avctx->subtitle_header) return AVERROR(ENOMEM); - memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); + if (avctx->extradata_size) + memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); avctx->subtitle_header[avctx->extradata_size] = 0; avctx->subtitle_header_size = avctx->extradata_size; return 0; From 9738f204ce297db3cf8d7039b87d2122e440d46f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2019 21:09:14 +0200 Subject: [PATCH 0308/1383] avcodec/eatgv: Check remaining size after the keyframe header The minimal size which unpack() will not fail on is 5 bytes Fixes: Timeout (14sec -> 77ms) (testcase 15508) Fixes: 15508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5700053513011200 Fixes: 15996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5751353223151616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ec8dc3345353b1cd2316423918533fcb89552) Signed-off-by: Michael Niedermayer --- libavcodec/eatgv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 93e291f053..f82f7b9cca 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -300,6 +300,9 @@ static int tgv_decode_frame(AVCodecContext *avctx, s->palette[i] = 0xFFU << 24 | AV_RB24(buf); buf += 3; } + if (buf_end - buf < 5) { + return AVERROR_INVALIDDATA; + } } if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) From 09d321d711a03eff76a6c7eb9a6d8e11fa51b850 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2019 22:29:57 +0200 Subject: [PATCH 0309/1383] avcodec/eatqi: Check for minimum frame size The minimum header is 8 bytes, the smallest bitstream that is passed to the MB decode code is 4 bytes Fixes: Timeout (35sec -> 18sec) Fixes: 15800/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATQI_fuzzer-5684154517159936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5ffb8e879389fb0642654e3233cfeca1f9841e52) Signed-off-by: Michael Niedermayer --- libavcodec/eatqi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 1a847a35da..2805bd00bb 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -131,6 +131,9 @@ static int tqi_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret, w, h; + if (buf_size < 12) + return AVERROR_INVALIDDATA; + t->avctx = avctx; w = AV_RL16(&buf[0]); From 7431c6224b6b974383863aa8d58dfd851183e195 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2019 23:11:50 +0200 Subject: [PATCH 0310/1383] avformat/mpc: deallocate frames array on errors Fixes: memleak on error path Fixes: 15984/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5679918412726272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da5039415c2bd625085d15e6c92e0b64eefddcbf) Signed-off-by: Michael Niedermayer --- libavformat/mpc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc.c b/libavformat/mpc.c index af333746e3..a1e7878946 100644 --- a/libavformat/mpc.c +++ b/libavformat/mpc.c @@ -88,7 +88,7 @@ static int mpc_read_header(AVFormatContext *s) st = avformat_new_stream(s, NULL); if (!st) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->codec_id = AV_CODEC_ID_MUSEPACK7; st->codecpar->channels = 2; @@ -96,7 +96,7 @@ static int mpc_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = 16; if (ff_get_extradata(s, st->codecpar, s->pb, 16) < 0) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->sample_rate = mpc_rate[st->codecpar->extradata[2] & 3]; avpriv_set_pts_info(st, 32, MPC_FRAMESIZE, st->codecpar->sample_rate); /* scan for seekpoints */ @@ -113,6 +113,9 @@ static int mpc_read_header(AVFormatContext *s) } return 0; +mem_error: + av_freep(&c->frames); + return AVERROR(ENOMEM); } static int mpc_read_packet(AVFormatContext *s, AVPacket *pkt) From 102bc567317c8fb783251bbe60610b3240918e8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 11:39:15 +0200 Subject: [PATCH 0311/1383] avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800() Fixes: left shift of negative value -4 Fixes: signed integer overflow: -15091694 * 167 cannot be represented in type 'int' Fixes: signed integer overflow: 1898547155 + 453967445 cannot be represented in type 'int' Fixes: 15258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5759095564402688 Fixes: signed integer overflow: 962196438 * 31 cannot be represented in type 'int' Fixes: 15364/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718799845687296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267eb2ab7f87696e1a156ca9a5ff1b1628d170c1) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7cf99a00b1..27425b17e6 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -859,9 +859,9 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) << 1; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) << 3); - d3 = p->buf[delayB] * 2 - p->buf[delayB - 1]; + d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; predictionA = d0 * p->coeffsA[filter][0] + @@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->filterB[filter] + ((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } @@ -902,7 +902,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod = 0; sign = APESIGN(buffer[i]); for (j = 0; j < order; j++) { - dotprod += delay[j] * coeffs[j]; + dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } buffer[i] -= dotprod >> shift; From 7dbc888de69be8e482d61122a957fa22436417c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2019 12:13:19 +0200 Subject: [PATCH 0312/1383] avcodec/apedec: make left/right unsigned to avoid undefined behavior Fixes: signed integer overflow: 755176387 + 1515360583 cannot be represented in type 'int' Fixes: 15506/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5706859232624640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf778af1493b0814696307432763246fb53c75e7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 27425b17e6..7a7097e7a4 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1376,7 +1376,7 @@ static void ape_unpack_mono(APEContext *ctx, int count) static void ape_unpack_stereo(APEContext *ctx, int count) { - int32_t left, right; + unsigned left, right; int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; @@ -1393,7 +1393,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) /* Decorrelate and scale to output depth */ while (count--) { - left = *decoded1 - (*decoded0 / 2); + left = *decoded1 - (unsigned)(*decoded0 / 2); right = left + *decoded0; *(decoded0++) = left; From 9431f39c91fd8cf2960e88800716b58b97a5edad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 23:00:09 +0200 Subject: [PATCH 0313/1383] avcodec/truemotion2: Fix several integer overflows in tm2_motion_block() Fixes: 15524/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5173148372172800 Fixes: signed integer overflow: 13701388 - -2134868270 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a353ea8766206bd302f3f12ca1d226237542908) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index e1e9f63397..6c15a5715b 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -755,10 +755,10 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b } /* calculate deltas */ Y -= Ystride * 4; - ctx->D[0] = Y[3] - last[3]; - ctx->D[1] = Y[3 + Ystride] - Y[3]; - ctx->D[2] = Y[3 + Ystride * 2] - Y[3 + Ystride]; - ctx->D[3] = Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; + ctx->D[0] = (unsigned)Y[3] - last[3]; + ctx->D[1] = (unsigned)Y[3 + Ystride] - Y[3]; + ctx->D[2] = (unsigned)Y[3 + Ystride * 2] - Y[3 + Ystride]; + ctx->D[3] = (unsigned)Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; for (i = 0; i < 4; i++) last[i] = Y[i + Ystride * 3]; } From 38de5403c8536151b6c8a90d4dabfeba7b43d148 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:13:13 +0200 Subject: [PATCH 0314/1383] avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc() Fixes: signed integer overflow: 32796 * 65536 cannot be represented in type 'int' Fixes: 15430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5735424087031808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f31ed8f3b00ec7afe87092798bf0b397f6e19ed5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index ec5339d2f0..eda0b28964 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -430,12 +430,12 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, if (c_avail && (n != 1 && n != 3)) { q2 = FFABS(s->current_picture.qscale_table[mb_pos - 1]); if (q2 && q2 != q1) - c = (c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + c = (int)((unsigned)c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && (n != 2 && n != 3)) { q2 = FFABS(s->current_picture.qscale_table[mb_pos - s->mb_stride]); if (q2 && q2 != q1) - a = (a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + a = (int)((unsigned)a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && c_avail && (n != 3)) { int off = mb_pos; @@ -445,7 +445,7 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, off -= s->mb_stride; q2 = FFABS(s->current_picture.qscale_table[off]); if (q2 && q2 != q1) - b = (b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + b = (int)((unsigned)b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (c_avail && (!a_avail || abs(a - b) <= abs(b - c))) { From 46a1b4e8acccae5bbfb5aaac8ffdaf2ddf64d98e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 23:27:19 +0200 Subject: [PATCH 0315/1383] avcodec/vc1_pred: Fix invalid shift in scaleforsame() Fixes: left shift of negative value -1 Fixes: 15531/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5759556258365440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6dfda35dd29d2e2a86554d2c05d957a09ab79b0c) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index de736ec775..ea9ccedac9 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -178,7 +178,7 @@ static av_always_inline int scaleforsame(VC1Context *v, int i, int n /* MV */, brfd = FFMIN(v->brfd, 3); scalesame = ff_vc1_b_field_mvpred_scales[0][brfd]; - n = (n * scalesame >> 8) << hpel; + n = (n * scalesame >> 8) * (1 << hpel); return n; } From 14df7f8cbcc04b3b63812e1d367c82049cf8815f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jul 2019 00:41:06 +0200 Subject: [PATCH 0316/1383] avcodec/vp3: Check that theora is theora Theora is forced to be non zero if it is zero and a sample is asked for, as suggested by reimar Fixes: Timeout (2min -> 600ms) Fixes: 15366/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5737849938247680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4bf7226aff28e9ca379c5a3dedf745a2d316739) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 9df2fda49d..df6782e3ab 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2315,6 +2315,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); + if (!s->theora) { + s->theora = 1; + avpriv_request_sample(s->avctx, "theora 0"); + } /* 3.2.0 aka alpha3 has the same frame orientation as original vp3 * but previous versions have the image flipped relative to vp3 */ From 4b335031d0cae89a2e2e7158409cc34baf3851ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2019 20:16:19 +0200 Subject: [PATCH 0317/1383] avcodec/clearvideo: fix invalid shift in tile size check Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5690110605000704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5dc94924d0fbdedba4356c21ec7de0347b8e4757) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 82df8f3752..26cdfb2731 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -665,7 +665,7 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1 << c->tile_shift != c->tile_size) { + if (1U << c->tile_shift != c->tile_size) { av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); return AVERROR_INVALIDDATA; } From 73302b0d9700524ac597c1abd8f67e566eef7aa8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Aug 2019 23:54:49 +0200 Subject: [PATCH 0318/1383] avcodec/hnm4video: Forward errors of decode_interframe_v4() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (108sec -> 160ms) Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Reviewed-by: Tomas Härdin Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9af8ce754b705c36ad4d2b6fd0f73f87ca4381c4) Signed-off-by: Michael Niedermayer --- libavcodec/hnm4video.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index 9e1ac49ddc..95a284065e 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -143,7 +143,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame) } } -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) { Hnm4VideoContext *hnm = avctx->priv_data; GetByteContext gb; @@ -162,7 +162,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (tag == 0) { if (writeoffset + 2 > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } hnm->current[writeoffset++] = bytestream2_get_byte(&gb); hnm->current[writeoffset++] = bytestream2_get_byte(&gb); @@ -176,7 +176,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s count = bytestream2_get_byte(&gb) * 2; if (writeoffset + count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } while (count > 0) { hnm->current[writeoffset++] = bytestream2_peek_byte(&gb); @@ -188,7 +188,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } if (writeoffset > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { previous = bytestream2_peek_byte(&gb) & 0x20; @@ -204,24 +204,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (!backward && offset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (backward && offset + 1 >= hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (writeoffset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to write out of bounds\n"); - break; + return AVERROR_INVALIDDATA; + } if(backward) { if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { if (offset < (!!backline)*(2 * hnm->width - 1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } @@ -268,6 +269,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } } } + return 0; } static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, @@ -435,7 +437,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); memcpy(hnm->processed, hnm->current, hnm->width * hnm->height); } else { - decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + if (ret < 0) + return ret; postprocess_current_frame(avctx); } copy_processed_frame(avctx, frame); From c1e67ca966ce7779054b79907c388e2a4a035cc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 00:45:20 +0200 Subject: [PATCH 0319/1383] avcodec/atrac9dec: Check grad_range[1] more tightly Alternatively the array could be made bigger but the extra values would not be read without other changes. Fixes: Out of array access Fixes: 15658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5738260074070016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 208225bd782207aaf2b380522f96fd4fe4dc3441) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 0794b6d210..87c9c51cd8 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -121,7 +121,7 @@ static inline int parse_gradient(ATRAC9Context *s, ATRAC9BlockData *b, } b->grad_boundary = get_bits(gb, 4); - if (grad_range[0] >= grad_range[1] || grad_range[1] > 47) + if (grad_range[0] >= grad_range[1] || grad_range[1] > 31) return AVERROR_INVALIDDATA; if (grad_value[0] > 31 || grad_value[1] > 31) From 1c5b4460b76c524ba65b04aa5b1412aeeceeb2c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 08:26:40 +0200 Subject: [PATCH 0320/1383] avcodec/apedec: Do not partially clear data array Fixes: Assertion failure and memleak Fixes: 15709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5182435093905408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e4b522c9146b9c14579ae7381fb1043b7423578) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7a7097e7a4..1a86ac1786 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1451,7 +1451,8 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, if (s->fileversion >= 3900) { if (offset > 3) { av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); - s->data = NULL; + av_freep(&s->data); + s->data_size = 0; return AVERROR_INVALIDDATA; } if (s->data_end - s->ptr < offset) { From 74788efadd822d1851958fddd01d0f79ae2e226b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 08:32:58 +0200 Subject: [PATCH 0321/1383] avcodec/vc1_block: Check get_vlc2() return before use Fixes: index -1 out of bounds for type 'const uint8_t [185][2]' Fixes: 15720/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS2_fuzzer-5666071933091840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb1f797350875ec45cb20d59dc0684fcbac20fc) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index eda0b28964..97c873f138 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -526,6 +526,8 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index < 0) + return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; lst = index >= vc1_last_decode_table[codingset]; From 747c23e4feb92e5a435b696487570e0ed5b4cfdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:33:45 +0200 Subject: [PATCH 0322/1383] avcodec/mss3: Check for the rac stream being invalid in rac_normalize() Fixes: out of array read Fixes: 15982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSA1_fuzzer-5630676251967488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99a172f3f4d0bef024c6293f575caaaddce0b267) Signed-off-by: Michael Niedermayer --- libavcodec/mss3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 21226f9085..02bd360996 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -298,6 +298,10 @@ static void rac_normalise(RangeCoder *c) c->got_error = 1; c->low = 1; } + if (c->low > c->range) { + c->got_error = 1; + c->low = 1; + } if (c->range >= RAC_BOTTOM) return; } From 10198572ce72d4964edb70372c7f28e91b484b62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:46:34 +0200 Subject: [PATCH 0323/1383] avcodec/apedec: Fix 2 signed overflows Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: signed integer overflow: 2049431315 + 262759074 cannot be represented in type 'int' Fixes: 16012/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5719016003338240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 392c028cd23d128f33d93b2159eed5de42f72b4d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 1a86ac1786..b9df8c6b12 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int32_t *out, APERice *rice, int blockstodecode) { int i; - int ksummax, ksummin; + unsigned ksummax, ksummin; rice->ksum = 0; for (i = 0; i < FFMIN(blockstodecode, 5); i++) { @@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p, else p->coeffsA[filter][0]--; - p->filterA[filter] += p->lastA[filter]; + p->filterA[filter] += (unsigned)p->lastA[filter]; return p->filterA[filter]; } From 3f57ece8e6071eef1c71b90164b59ac1b12d8bae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:51:26 +0200 Subject: [PATCH 0324/1383] avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use Fixes: index -1 out of bounds for type 'AV1ReferenceFrameState [8]' Fixes: 16079/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5758807440883712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer See: [FFmpeg-devel] [PATCH 05/13] avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use Signed-off-by: Michael Niedermayer (cherry picked from commit 8174e5c77d8a94b57b6b1bcbb90728cf8b08ab6b) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1_syntax_template.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 76eb90b279..1ac0c1dcb9 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -419,16 +419,17 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext *ctx, RWContext *rw, for (i = 0; i < AV1_REFS_PER_FRAME; i++) { flags(found_ref[i], 1, i); if (current->found_ref[i]) { - AV1ReferenceFrameState *ref = - &priv->ref[current->ref_frame_idx[i]]; + AV1ReferenceFrameState *ref; - if (!ref->valid) { + if (current->ref_frame_idx[i] < 0 || + !priv->ref[current->ref_frame_idx[i]].valid) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Missing reference frame needed for frame size " "(ref = %d, ref_frame_idx = %d).\n", i, current->ref_frame_idx[i]); return AVERROR_INVALIDDATA; } + ref = &priv->ref[current->ref_frame_idx[i]]; priv->upscaled_width = ref->upscaled_width; priv->frame_width = ref->frame_width; From 8108273941efbc2916af0cd3fe9ff1d9ec69977e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 12:21:51 +0200 Subject: [PATCH 0325/1383] avformat/realtextdec: Check for duplicate extradata in realtext_read_header() Fixes: memleak Fixes: 16140/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5684008052064256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ea23cb34bc59b38c0088865600e2b86079815) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index 618d4f78ec..b33d5289f7 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -87,6 +87,10 @@ static int realtext_read_header(AVFormatContext *s) /* save header to extradata */ const char *p = ff_smil_get_attr_ptr(buf.str, "duration"); + if (st->codecpar->extradata) { + res = AVERROR_INVALIDDATA; + goto end; + } if (p) duration = read_ts(p); st->codecpar->extradata = av_strdup(buf.str); From c05d5ca80b75adddc08e595471cc6104cf78fffe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 12:28:55 +0200 Subject: [PATCH 0326/1383] avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide Fixes: division by zero Fixes: 16183/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5688966782648320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aecc9b96d613f54d772e9475738bb54e0e1f182e) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index a86d4c4c36..793f079737 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1182,6 +1182,9 @@ static int vorbis_floor0_decode(vorbis_context *vc, q *= q; } + if (p + q == 0.0) + return AVERROR_INVALIDDATA; + /* calculate linear floor value */ q = exp((((amplitude*vf->amplitude_offset) / (((1ULL << vf->amplitude_bits) - 1) * sqrt(p + q))) From 55df48d7764d4d8b712a20fe401b284b0f128202 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:10:18 +0200 Subject: [PATCH 0327/1383] avcodec/vorbisdec: Implement vr->classifications = 1 It appears no valid file uses this, so this is not testable with a valid file. Fixes: assertion failure Fixes: 16187/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5638880618872832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a5f12e3b3f2177ede5839ff4141228666b8436f) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 793f079737..1045d574b1 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1361,8 +1361,12 @@ static av_always_inline int setup_classifs(vorbis_context *vc, return AVERROR_INVALIDDATA; } - av_assert0(vr->classifications > 1); //needed for inverse[] - + if (vr->classifications == 1) { + for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { + if (i < ptns_to_read) + vr->classifs[p + i] = 0; + } + } else { for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = (((uint64_t)temp) * inverse_class) >> 32; @@ -1370,6 +1374,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } + } } p += ptns_to_read; } From 092bc6201fe91101e550d7a64b691860b9b43002 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:20:45 +0200 Subject: [PATCH 0328/1383] avcodec/ralf: Fix integer overflow in apply_lpc() Fixes: signed integer overflow: 1603085316 + 1238786562 cannot be represented in type 'int' Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ccca484324e04dff4cb81d0f9018ae828e6b5c89) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 3f7953c6db..0d6b57d652 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -323,7 +323,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = 0; for (j = 0; j < flen; j++) - acc += ctx->filter[j] * audio[i - j - 1]; + acc += (unsigned)ctx->filter[j] * audio[i - j - 1]; if (acc < 0) { acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); From 9aa632c5305efbef99610b935e6264485cf904ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:25:55 +0200 Subject: [PATCH 0329/1383] avcodec/ralf: Fix undefined pointer in decode_channel() Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c06ba171697b665ef4b2b47fe0008199b3eff86) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 0d6b57d652..619fd7126a 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -286,7 +286,7 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, add_bits--; range = 10; range2 = 21; - code_vlc = set->long_codes + code_params - 15; + code_vlc = set->long_codes + (code_params - 15); } else { add_bits = 0; range = 6; From 7235bd1008615fad75d6a2ca1478af1792444026 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2019 23:23:07 +0200 Subject: [PATCH 0330/1383] avcodec/dirac_parser: Fix overflow in dts Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 15568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5634719611355136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 549fcba8fc83330763ccd3cc67233037c96bc6d9) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 1ade44a438..fbc7414c79 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -212,7 +212,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; - int pts = AV_RB32(cur_pu + 13); + int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; else From 145c923bfebc1cc037347fb05439f8d104b07f67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Aug 2019 22:14:22 +0200 Subject: [PATCH 0331/1383] avcodec/loco: Check for end of input in pixel decode Fixes: Timeout (100sec -> 5sec) Fixes: 15509/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5724297261219840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8305a4509af2908d88bb623deb816fdaa8056c83) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e8c62b8178..5fb414b411 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -88,6 +88,8 @@ static inline int loco_get_rice(RICEContext *r) loco_update_rice_param(r, 0); return 0; } + if (get_bits_left(&r->gb) < 1) + return INT_MIN; v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); loco_update_rice_param(r, (v + 1) >> 1); if (!v) { @@ -163,6 +165,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore all other pixels */ for (i = 1; i < width; i++) { val = loco_get_rice(&rc); + if (val == INT_MIN) + return -1; data[i] = loco_predict(&data[i], stride) + val; } data += stride; From 1bc9b64cf409d39d17e57279572c6dc9aaa93560 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2019 00:29:48 +0200 Subject: [PATCH 0332/1383] avcodec/mss1: check for overread and forward errors Fixes: Timeout (106sec -> 14ms) Fixes: 15576/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS1_fuzzer-5688080461201408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 43015afd7ce9055f1fa2d7648c3fcd9b7cfd7721) Signed-off-by: Michael Niedermayer --- libavcodec/mss1.c | 3 +++ libavcodec/mss12.c | 12 ++++++++++++ libavcodec/mss12.h | 2 ++ libavcodec/mss2.c | 1 + 4 files changed, 18 insertions(+) diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c index a579d9d9a4..84b7a37007 100644 --- a/libavcodec/mss1.c +++ b/libavcodec/mss1.c @@ -56,6 +56,8 @@ static void arith_normalise(ArithCoder *c) c->low <<= 1; c->high <<= 1; c->high |= 1; + if (get_bits_left(c->gbc.gb) < 1) + c->overread++; c->value |= get_bits1(c->gbc.gb); } } @@ -112,6 +114,7 @@ static void arith_init(ArithCoder *c, GetBitContext *gb) c->low = 0; c->high = 0xFFFF; c->value = get_bits(gb, 16); + c->overread = 0; c->gbc.gb = gb; c->get_model_sym = arith_get_model_sym; c->get_number = arith_get_number; diff --git a/libavcodec/mss12.c b/libavcodec/mss12.c index 3b1a3029e0..5a5bd9a91b 100644 --- a/libavcodec/mss12.c +++ b/libavcodec/mss12.c @@ -161,6 +161,8 @@ static av_always_inline int decode_pixel(ArithCoder *acoder, PixContext *pctx, { int i, val, pix; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; val = acoder->get_model_sym(acoder, &pctx->cache_model); if (val < pctx->num_syms) { if (any_ngb) { @@ -306,6 +308,8 @@ static int decode_region(ArithCoder *acoder, uint8_t *dst, uint8_t *rgb_pic, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (rgb_pic) @@ -398,6 +402,8 @@ static int decode_region_masked(MSS12Context const *c, ArithCoder *acoder, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (c->rgb_pic) AV_WB24(rgb_dst + i * 3, c->pal[p]); @@ -473,6 +479,8 @@ static int decode_region_intra(SliceContext *sc, ArithCoder *acoder, uint8_t *rgb_dst = c->rgb_pic + x * 3 + y * rgb_stride; pix = decode_pixel(acoder, &sc->intra_pix_ctx, NULL, 0, 0); + if (pix < 0) + return pix; rgb_pix = c->pal[pix]; for (i = 0; i < height; i++, dst += stride, rgb_dst += rgb_stride) { memset(dst, pix, width); @@ -499,6 +507,8 @@ static int decode_region_inter(SliceContext *sc, ArithCoder *acoder, if (!mode) { mode = decode_pixel(acoder, &sc->inter_pix_ctx, NULL, 0, 0); + if (mode < 0) + return mode; if (c->avctx->err_recognition & AV_EF_EXPLODE && ( c->rgb_pic && mode != 0x01 && mode != 0x02 && mode != 0x04 || @@ -530,6 +540,8 @@ int ff_mss12_decode_rect(SliceContext *sc, ArithCoder *acoder, int x, int y, int width, int height) { int mode, pivot; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; mode = acoder->get_model_sym(acoder, &sc->split_mode); diff --git a/libavcodec/mss12.h b/libavcodec/mss12.h index 45c4074652..6f68fc3db6 100644 --- a/libavcodec/mss12.h +++ b/libavcodec/mss12.h @@ -47,6 +47,8 @@ typedef struct Model { typedef struct ArithCoder { int low, high, value; + int overread; +#define MAX_OVERREAD 16 union { GetBitContext *gb; GetByteContext *gB; diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 3180af1d60..c9d3eb8c8d 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -152,6 +152,7 @@ static void arith2_init(ArithCoder *c, GetByteContext *gB) c->low = 0; c->high = 0xFFFFFF; c->value = bytestream2_get_be24(gB); + c->overread = 0; c->gbc.gB = gB; c->get_model_sym = arith2_get_model_sym; c->get_number = arith2_get_number; From e7c8bc5ae0195135b8750d549ed49cd9032335d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 23:26:05 +0200 Subject: [PATCH 0333/1383] avcodec/sanm: Check extradata_size before allocations Fixes: Leaks Fixes: 15349/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5102530557640704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 172a43ce36e671fdab63afe1c06876bba91445b3) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 811fd2188e..0f278d609d 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -491,6 +491,11 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->avctx = avctx; ctx->version = !avctx->extradata_size; + // early sanity check before allocations to avoid need for deallocation code. + if (!ctx->version && avctx->extradata_size < 1026) { + av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); + return AVERROR_INVALIDDATA; + } avctx->pix_fmt = ctx->version ? AV_PIX_FMT_RGB565 : AV_PIX_FMT_PAL8; @@ -506,11 +511,6 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->version) { int i; - if (avctx->extradata_size < 1026) { - av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); - return AVERROR_INVALIDDATA; - } - ctx->subversion = AV_RL16(avctx->extradata); for (i = 0; i < PALETTE_SIZE; i++) ctx->pal[i] = 0xFFU << 24 | AV_RL32(avctx->extradata + 2 + i * 4); From 731b4f7414b7ee5e2b90b55d6721c2df0dc4f160 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 00:35:32 +0200 Subject: [PATCH 0334/1383] avcodec/vqavideo: Set video size Fixes: out of array access Fixes: 15919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-5657368257363968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 02f909dc24b1f05cfbba75077c7707b905e63cd2) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 0e70be1000..b9743abda9 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -147,7 +147,7 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); - if ((ret = av_image_check_size(s->width, s->height, 0, avctx)) < 0) { + if ((ret = ff_set_dimensions(avctx, s->width, s->height)) < 0) { s->width= s->height= 0; return ret; } From 0d019e23796d3dd57aadfb69aed73ac5cea9becd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 15:26:08 +0200 Subject: [PATCH 0335/1383] avcodec/alsdec: Check for block_length <= 0 in read_var_block_data() Fixes: left shift of negative value -1 Fixes: 15719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5685731105701888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be4fb282f9fb00d9c267dcc477745e2e468e758f) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 6b5774175b..d4451482a4 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -657,7 +657,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // do not continue in case of a damaged stream since // block_length must be evenly divisible by sub_blocks - if (bd->block_length & (sub_blocks - 1)) { + if (bd->block_length & (sub_blocks - 1) || bd->block_length <= 0) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); return AVERROR_INVALIDDATA; From f482c38273869fc8cd85b4249b48056d2cdb7348 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 2 Aug 2019 22:29:16 +0200 Subject: [PATCH 0336/1383] libavcodec/iff: Use unsigned to avoid undefined behaviour The initialization of the uint32_t plane32_lut matrix uses left shifts of the form 1 << plane; plane can be as big as 31 which means that this is undefined behaviour as 1 will be simply an int. So make it unsigned to avoid this. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f12e662a3d3f489eec887b5f2ab20a550caed9cf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index c6e2359b00..459d5d4a55 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -111,23 +111,23 @@ static const uint64_t plane8_lut[8][256] = { LUT8(4), LUT8(5), LUT8(6), LUT8(7), }; -#define LUT32(plane) { \ - 0, 0, 0, 0, \ - 0, 0, 0, 1 << plane, \ - 0, 0, 1 << plane, 0, \ - 0, 0, 1 << plane, 1 << plane, \ - 0, 1 << plane, 0, 0, \ - 0, 1 << plane, 0, 1 << plane, \ - 0, 1 << plane, 1 << plane, 0, \ - 0, 1 << plane, 1 << plane, 1 << plane, \ - 1 << plane, 0, 0, 0, \ - 1 << plane, 0, 0, 1 << plane, \ - 1 << plane, 0, 1 << plane, 0, \ - 1 << plane, 0, 1 << plane, 1 << plane, \ - 1 << plane, 1 << plane, 0, 0, \ - 1 << plane, 1 << plane, 0, 1 << plane, \ - 1 << plane, 1 << plane, 1 << plane, 0, \ - 1 << plane, 1 << plane, 1 << plane, 1 << plane, \ +#define LUT32(plane) { \ + 0, 0, 0, 0, \ + 0, 0, 0, 1U << plane, \ + 0, 0, 1U << plane, 0, \ + 0, 0, 1U << plane, 1U << plane, \ + 0, 1U << plane, 0, 0, \ + 0, 1U << plane, 0, 1U << plane, \ + 0, 1U << plane, 1U << plane, 0, \ + 0, 1U << plane, 1U << plane, 1U << plane, \ + 1U << plane, 0, 0, 0, \ + 1U << plane, 0, 0, 1U << plane, \ + 1U << plane, 0, 1U << plane, 0, \ + 1U << plane, 0, 1U << plane, 1U << plane, \ + 1U << plane, 1U << plane, 0, 0, \ + 1U << plane, 1U << plane, 0, 1U << plane, \ + 1U << plane, 1U << plane, 1U << plane, 0, \ + 1U << plane, 1U << plane, 1U << plane, 1U << plane, \ } // 32 planes * 4-bit mask * 4 lookup tables each From 29ebbe8cfef680efd28db3e863a163d700ea05b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 00:04:02 +0200 Subject: [PATCH 0337/1383] avcodec/aacdec_template: fix integer overflow in imdct_and_windowing() Fixes: signed integer overflow: 2147483645 + 4 cannot be represented in type 'int' Fixes: 15418/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5685269069561856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da93e2b14218c4ab0fda60e21882a4633aac5748) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 05505c0359..f66ad02bfc 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2659,7 +2659,7 @@ static void imdct_and_windowing(AACContext *ac, SingleChannelElement *sce) ac->mdct.imdct_half(&ac->mdct, buf, in); #if USE_FIXED for (i=0; i<1024; i++) - buf[i] = (buf[i] + 4) >> 3; + buf[i] = (buf[i] + 4LL) >> 3; #endif /* USE_FIXED */ } From 62bcdd07b242baddaeef3ad14104b8b02ce11592 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 12:35:24 +0200 Subject: [PATCH 0338/1383] avcodec/vc1_block: fix invalid shift in vc1_decode_p_mb() Fixes: left shift of negative value -5 Fixes: 15294/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5733921754447872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b153ba1c2e03d3148766a3ebf0e9c485197f30de) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 97c873f138..7883e4f19c 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1378,7 +1378,7 @@ static int vc1_decode_p_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[i]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[i]][j] *= 2; block_cbp |= 0xF << (i << 2); block_intra |= 1 << i; } else if (val) { From bfbe5fbda835ab5d729ca1961d2d1489ddcd3ebc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 14:21:43 +0200 Subject: [PATCH 0339/1383] avcodec/vc1_block: Fix invalid shifts in vc1_decode_i_blocks() Fixes: left shift of negative value -9 Fixes: 15299/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS2_fuzzer-5660922678345728 Fixes: 15557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5673351911047168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9415e815a996d287850a3572ce2c1d663b9f657) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 7883e4f19c..94184b0873 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -2602,13 +2602,13 @@ static void vc1_decode_i_blocks(VC1Context *v) if (v->rangeredfrm) for (k = 0; k < 6; k++) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[k]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[k]][j] *= 2; vc1_put_blocks_clamped(v, 1); } else { if (v->rangeredfrm) for (k = 0; k < 6; k++) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[k]][j] = (v->block[v->cur_blk_idx][block_map[k]][j] - 64) << 1; + v->block[v->cur_blk_idx][block_map[k]][j] = (v->block[v->cur_blk_idx][block_map[k]][j] - 64) * 2; vc1_put_blocks_clamped(v, 0); } From e4ec2f5ab5f7514bac6a777a0fe735ad9329767f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 17:07:01 +0200 Subject: [PATCH 0340/1383] avcodec/alsdec: fix mantisse shift Fixes: shift exponent -1 is negative Fixes: 16039/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5656825657032704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 02346292a334a51f6da802146b782bdb01ae9b4e) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index d4451482a4..e1449a72a5 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1404,7 +1404,11 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { } } - mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + if (cutoff_bit_count >= 0) { + mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + } else { + mantissa = (unsigned int)(mantissa_temp <<-cutoff_bit_count); + } // Need one more shift? if (mantissa & 0x01000000ul) { From 8b156fe2294efbd58b653d68a5f284b395850a8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 14:33:14 +0200 Subject: [PATCH 0341/1383] avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks() Fixes: signed integer overflow: 2147483424 - -1772303236 cannot be represented in type 'int' Fixes: 15708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5067890362941440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce652324062a2c72f92e40699797630ef7f1ec5a) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e1449a72a5..b8e4b3dc81 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1175,10 +1175,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel pair.\n"); for (s = 0; s < div_blocks[b]; s++) - bd[0].raw_samples[s] = bd[1].raw_samples[s] - bd[0].raw_samples[s]; + bd[0].raw_samples[s] = bd[1].raw_samples[s] - (unsigned)bd[0].raw_samples[s]; } else if (bd[1].js_blocks) { for (s = 0; s < div_blocks[b]; s++) - bd[1].raw_samples[s] = bd[1].raw_samples[s] + bd[0].raw_samples[s]; + bd[1].raw_samples[s] = bd[1].raw_samples[s] + (unsigned)bd[0].raw_samples[s]; } offset += div_blocks[b]; From 2dcf33b9a9d0696fb2d4a99a084fc4332618f830 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 15:37:30 +0200 Subject: [PATCH 0342/1383] avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data() This also makes the code consistent with the existing similar MUL64() in decode_var_block_data() Fixes: signed integer overflow: -7277630735906765035 + -3272193951413647896 cannot be represented in type 'long' Fixes: 16015/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5666552818434048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fad3ec89b7a664b93b5e29bdb0db0cab0272a0c4) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index b8e4b3dc81..26c496c769 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -918,7 +918,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 6; for (base = begin; base < end; base++, tab++) - y += MUL64(bd->ltp_gain[tab], raw_samples[base]); + y += (uint64_t)MUL64(bd->ltp_gain[tab], raw_samples[base]); raw_samples[ltp_smp] += y >> 7; } @@ -930,7 +930,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = 0; sb < smp; sb++) - y += MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); *raw_samples++ -= y >> 20; parcor_to_lpc(smp, quant_cof, lpc_cof); From ffe4a51e0db17e6500cca861251c49a4683187d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:42 +0200 Subject: [PATCH 0343/1383] avcodec/mpc8: Fix 32bit mask/enum Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5636626409062400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e8bb949ade4078ca318a9b3475cb7a6cfc7e4639) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index d7baac2f04..03838a9351 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -62,7 +62,7 @@ static inline int mpc8_dec_enum(GetBitContext *gb, int k, int n) do { n--; if (code >= C[n]) { - bits |= 1 << n; + bits |= 1U << n; code -= C[n]; C -= 32; k--; From 40c0a5a5fac1564eac53140ef1f62868560cb407 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:49 +0200 Subject: [PATCH 0344/1383] avcodec/dds: Use ff_set_dimensions() Fixes: signed integer overflow: 2082471995 * 36 cannot be represented in type 'int' Fixes: 16025/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DDS_fuzzer-5136663778426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9cd1e939cf26e7a53f28cbbda22d27535981b9db) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index f026f9cd5a..9154f692fa 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, AVFrame *frame = data; int mipmap; int ret; + int width, height; ff_texturedsp_init(&ctx->texdsp); bytestream2_init(gbc, avpkt->data, avpkt->size); @@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void *data, bytestream2_skip(gbc, 4); // flags - avctx->height = bytestream2_get_le32(gbc); - avctx->width = bytestream2_get_le32(gbc); - ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + height = bytestream2_get_le32(gbc); + width = bytestream2_get_le32(gbc); + ret = ff_set_dimensions(avctx, width, height); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", avctx->width, avctx->height); From 21b72d8f6c9cb0cb96dab939b28523f9019f8aff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jul 2019 00:52:18 +0200 Subject: [PATCH 0345/1383] avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33 This makes the changed code-path faster. Change not tested except with the fuzzer testcase as I found no other testcase. Improves: Timeout (136sec -> 74sec) Improves: 16040/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5705876062601216 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 950a21e83c742714d6afbecd3e3fd1887e80fa40) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 5714e25170..297fb315e2 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -781,7 +781,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->current_frame->linesize[0] / 4); } else if (type == 17) { uint32_t clr, *dst = (uint32_t *)s->current_frame->data[0]; - int x, y; + int y; frame->key_frame = 1; bytestream2_skip(gb, 1); @@ -797,9 +797,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, clr = bytestream2_get_le24(gb); } for (y = 0; y < avctx->height; y++) { - for (x = 0; x < avctx->width; x++) { - dst[x] = clr; - } + dst[0] = clr; + av_memcpy_backptr((uint8_t*)(dst+1), 4, 4*avctx->width - 4); dst += s->current_frame->linesize[0] / 4; } } else if (type == 0 || type == 1) { From 7d4e27ca908d2ac97e7266debd44feb128974a5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2019 18:05:02 +0200 Subject: [PATCH 0346/1383] avcodec/hevc_refs: Optimize 16bit generate_missing_ref() Fixes: Timeout (86sec -> 8sec) [these numbers assume also "[FFmpeg-devel] [PATCH 2/5] [RFC] avcodec/hevcdec: Check for overread in hls_decode_entry()"] Fixes: 15702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657764929470464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da8936969fe695a042282d5686e12227745d299a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_refs.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index 7cf3a55725..7870a72fd6 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -394,7 +394,7 @@ static void mark_ref(HEVCFrame *frame, int flag) static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) { HEVCFrame *frame; - int i, x, y; + int i, y; frame = alloc_frame(s); if (!frame) @@ -407,11 +407,11 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) frame->frame->buf[i]->size); } else { for (i = 0; frame->frame->data[i]; i++) - for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) - for (x = 0; x < (s->ps.sps->width >> s->ps.sps->hshift[i]); x++) { - AV_WN16(frame->frame->data[i] + y * frame->frame->linesize[i] + 2 * x, - 1 << (s->ps.sps->bit_depth - 1)); - } + for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) { + uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i]; + AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1)); + av_memcpy_backptr(dst + 2, 2, 2*(s->ps.sps->width >> s->ps.sps->hshift[i]) - 2); + } } } From cc0e1474f1b9fd581ecf73b1ce6ec717d0430d2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2019 01:49:55 +0200 Subject: [PATCH 0347/1383] avcodec/hnm4video: Optimize postprocess_current_frame() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Improves: Timeout (220sec -> 108sec) Improves: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit cd460f4da04c05d6ba93ccbbe294e948768f0937) Signed-off-by: Michael Niedermayer --- libavcodec/hnm4video.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index 95a284065e..177ce1d47a 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -117,14 +117,17 @@ static void unpack_intraframe(AVCodecContext *avctx, uint8_t *src, static void postprocess_current_frame(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; - uint32_t x, y, src_x, src_y; + uint32_t x, y, src_y; + int width = hnm->width; for (y = 0; y < hnm->height; y++) { + uint8_t *dst = hnm->processed + y * width; + const uint8_t *src = hnm->current; src_y = y - (y % 2); - src_x = src_y * hnm->width + (y % 2); - for (x = 0; x < hnm->width; x++) { - hnm->processed[(y * hnm->width) + x] = hnm->current[src_x]; - src_x += 2; + src += src_y * width + (y % 2); + for (x = 0; x < width; x++) { + dst[x] = *src; + src += 2; } } } From a2be37ac9d1855b28ce41dec618d821dbf7001f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 02:17:15 +0200 Subject: [PATCH 0348/1383] avcodec/hevcdec: Check delta_luma_weight_l0/1 Fixes: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int' Fixes: 16041/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5685680656613376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 021f29506b493376d62cdb5b9cb66a6b85e5361f) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index afb3b1b554..bfdecf3ab2 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -182,6 +182,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L0]; i++) { if (luma_weight_l0_flag[i]) { int delta_luma_weight_l0 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l0 != delta_luma_weight_l0) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l0[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l0; s->sh.luma_offset_l0[i] = get_se_golomb(gb); } @@ -224,6 +226,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L1]; i++) { if (luma_weight_l1_flag[i]) { int delta_luma_weight_l1 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l1 != delta_luma_weight_l1) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l1[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l1; s->sh.luma_offset_l1[i] = get_se_golomb(gb); } From 4d523742e3fdc74c7eb2897a93dd03dbaca4562d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 02:17:18 +0200 Subject: [PATCH 0349/1383] avcodec/4xm: Check for end of input in decode_p_block() Fixes: Timeout (81sec -> 0.2sec) Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8f92eb05e063e6c4d6e36521020620d4e6e1c21d) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 7e6a15e49f..5cfb9e735e 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -351,6 +351,8 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, const uint16_t *src, index = size2index[log2h][log2w]; av_assert0(index >= 0); + if (get_bits_left(&f->gb) < 1) + return AVERROR_INVALIDDATA; h = 1 << log2h; code = get_vlc2(&f->gb, block_type_vlc[1 - (f->version > 1)][index].table, BLOCK_TYPE_VLC_BITS, 1); From 9a4cec81dc3d0ca28d91fbe25037802a702e1e8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2019 23:30:02 +0200 Subject: [PATCH 0350/1383] avcodec/vp56: Consider the alpha start as end of the prior header Fixes: Timeout (23sec -> 71ms) Fixes: 15661/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6A_fuzzer-6257865947348992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db78bc1297ebaa51cfe5c80775808ec11ed7512b) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index b69fe6c176..8ccad53e47 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -548,7 +548,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, VP56Context *s = avctx->priv_data; AVFrame *const p = s->frames[VP56_FRAME_CURRENT]; int remaining_buf_size = avpkt->size; - int av_uninit(alpha_offset); + int alpha_offset = remaining_buf_size; int i, res; int ret; @@ -561,7 +561,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_INVALIDDATA; } - res = s->parse_header(s, buf, remaining_buf_size); + res = s->parse_header(s, buf, alpha_offset); if (res < 0) return res; From 15219e369215e248514ea06b7d7ff6b259a2e593 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Aug 2019 01:49:47 +0200 Subject: [PATCH 0351/1383] avcodec/diracdec: Check that slices are fewer than pixels Fixes: Timeout (197sec ->144ms) Fixes: 15034/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5733549405110272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbbc8ba67f19d55380b1bc8b5f057328c266d747) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index a5489094cf..e80d4d1989 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1271,7 +1271,9 @@ static int dirac_unpack_idwt_params(DiracContext *s) s->num_y = get_interleaved_ue_golomb(gb); if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX || s->num_x * (uint64_t)s->avctx->width > INT_MAX || - s->num_y * (uint64_t)s->avctx->height > INT_MAX + s->num_y * (uint64_t)s->avctx->height > INT_MAX || + s->num_x > s->avctx->width || + s->num_y > s->avctx->height ) { av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); s->num_x = s->num_y = 0; From 28efd41bbcd86a08bf258cb57a68dcc636ad1ce4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Aug 2019 00:50:21 +0200 Subject: [PATCH 0352/1383] avcodec/indeo2: Check remaining input more often Fixes: Timeout (95sec -> 30ms) Fixes: 14765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO2_fuzzer-5692455527120896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe Signed-off-by: Michael Niedermayer (cherry picked from commit 52939a2c5772ec00101d293695d0a96dcccf99d9) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 4971b84308..3c8934e377 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -79,10 +79,11 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { - int c = ir2_get_code(&ctx->gb); + int c; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; + c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; if (out + c*2 > width) @@ -123,9 +124,9 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; From 3b011b34dcbe44ae6242b317c8520d874fbb79b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:44 +0200 Subject: [PATCH 0353/1383] avcodec/ffwavesynth: Fix integer overflow for some corner case values Fixes: left shift of negative value -14671840 Fixes: 16000/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5145977817661440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4a88fb546b64179aff12c169239285932e570ac) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b319b3341a..e6d2606c2f 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -301,8 +301,8 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) default: return AVERROR(EINVAL); } - in->amp0 = (int64_t)a1 << 32; - in->damp = (((int64_t)a2 << 32) - ((int64_t)a1 << 32)) / dt; + in->amp0 = (uint64_t)a1 << 32; + in->damp = (int64_t)(((uint64_t)a2 << 32) - ((uint64_t)a1 << 32)) / dt; } if (edata != edata_end) return AVERROR(EINVAL); From 9c6c85f5397a907be3146a5dace2b295a19d3e23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:45 +0200 Subject: [PATCH 0354/1383] avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking Fixes: left shift of negative value -961533698048 Fixes: 16242/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5738550670131200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit cdea0206efeca83a0a9b57d0764b177b2e11ab7c) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index e6d2606c2f..cfd0951d8f 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) << 1); + lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; From ec72482fc04c1d4cd94cb005c2513f155a6d4c4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 21:17:04 +0200 Subject: [PATCH 0355/1383] avcodec/loco: Check left column value Fixes: Timeout (42sec -> 379 ms) Fixes: 16323/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5679178099195904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c812db814ebd603106220854e343558ec1115e57) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 5fb414b411..d8bf68a100 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -161,6 +161,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh for (j = 1; j < height; j++) { /* restore left column */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = data[-stride] + val; /* restore all other pixels */ for (i = 1; i < width; i++) { From 3760c85b88893e00d0e65cd7536f6e2d78016d3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 21:17:05 +0200 Subject: [PATCH 0356/1383] avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (31sec -> 22sec) Fixes: 16217/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5658084189405184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit e301736862f18a449c317a47d0d60d3484e41667) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 99868f3ba3..bf8ffeba4f 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -1024,14 +1024,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { - pixel_countdown = s->avctx->width; - pixel_ptr = 0; - while (pixel_countdown > 0) { - pixel = bytestream2_get_le24(&g2); - AV_WL24(&pixels[y_ptr + pixel_ptr], pixel); - pixel_ptr += 3; - pixel_countdown--; - } + bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width); if (s->avctx->width & 1) bytestream2_skip(&g2, 3); } From e31e1d75d1601ac3ebd8f135752fdd951355ae7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 21:00:54 +0200 Subject: [PATCH 0357/1383] avcodec/anm: Check input size for a frame with just a stop code Fixes: Timeout (11sec -> 6sec) Fixes: 16344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANM_fuzzer-5673032000995328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1965161ef6d2aac8d3b034570c3da69dabca9e71) Signed-off-by: Michael Niedermayer --- libavcodec/anm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/anm.c b/libavcodec/anm.c index ab6a3994e9..778f38413e 100644 --- a/libavcodec/anm.c +++ b/libavcodec/anm.c @@ -119,6 +119,9 @@ static int decode_frame(AVCodecContext *avctx, uint8_t *dst, *dst_end; int count, ret; + if (buf_size < 7) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; dst = s->frame->data[0]; From 600675e11b47125dcfeedeb4c9a672623b53bd2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 16:52:07 +0200 Subject: [PATCH 0358/1383] avcodec/alsdec: Limit maximum channels to 512 There seems to be no limit in the specification and upto 64k could be stored 512 is choosen as limit as thats the maximum in a conformance sample An alternative to this patch would be a max_channels variable Fixes: OOM Fixes: 16200/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5764788793114624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Thilo Borgmann Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit f51e4d026cc762ff2d47d6107658dbff42ba5ea8) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 26c496c769..1fdd0cb0fe 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -348,6 +348,11 @@ static av_cold int read_specific_config(ALSDecContext *ctx) if (als_id != MKBETAG('A','L','S','\0')) return AVERROR_INVALIDDATA; + if (avctx->channels > FF_SANE_NB_CHANNELS) { + avpriv_request_sample(avctx, "Huge number of channels\n"); + return AVERROR_PATCHWELCOME; + } + ctx->cur_frame_length = sconf->frame_length; // read channel config From 4e3e2788da900b7e629d7d67e3d2ac7917abc3d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2019 01:30:53 +0200 Subject: [PATCH 0359/1383] avcodec/alsdec: Fix integer overflow in decode_var_block_data() Fixes: signed integer overflow: 1927975249 - -514719744 cannot be represented in type 'int' Fixes: 16413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5651206856245248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit 661a9b274b0181b2e36ff21fd13840f35992bea6) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 1fdd0cb0fe..11bbd38f58 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -951,7 +951,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // reconstruct difference signal for prediction (joint-stereo) if (bd->js_blocks && bd->raw_other) { - int32_t *left, *right; + uint32_t *left, *right; if (bd->raw_other > raw_samples) { // D = R - L left = raw_samples; From 0f0d00e96e99b8540ce91856c028c8c91ced843c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 11:51:48 +0200 Subject: [PATCH 0360/1383] avcodec/vp5/6/8: use vpX_rac_is_end() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ab56e62e8f7e02760cfc883956511cab32393315) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 2 +- libavcodec/vp6.c | 2 +- libavcodec/vp8.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index cb08cec33f..db97e7f772 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -183,7 +183,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 645fc5c690..61e790fa93 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -460,7 +460,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index a06692c476..c434001b8d 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -661,7 +661,7 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { @@ -2367,7 +2367,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; if (mb_y == 0) @@ -2398,7 +2398,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void td->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { From 4400d1b6e5dd3f8d085efc79bfe3b4542b461c46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Aug 2019 20:37:17 +0200 Subject: [PATCH 0361/1383] avformat/realtextdec: free queue on error Fixes: memleak Fixes: 16277/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5696629440512000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 493438fafc5c43b7b7c62bf0c21b7cc884034ce9) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index b33d5289f7..4f25754b9f 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -123,6 +123,8 @@ static int realtext_read_header(AVFormatContext *s) end: av_bprint_finalize(&buf, NULL); + if (res < 0) + ff_subtitles_queue_clean(&rt->q); return res; } From f3bb030fb978f5ff258a048f921f96f7147e6241 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2019 19:13:56 +0200 Subject: [PATCH 0362/1383] avcodec/idcinvideo: Add 320x240 default maximum resolution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (128sec -> 2ms) Fixes: 16568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDCIN_fuzzer-5675004095627264 See: [FFmpeg-devel] [PATCH 4/4] tools/target_dec_fuzzer: Adjust max_pixels for IDCIN Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit c9fcf881e69e34a2acfa2bb7052ca200cab16740) Signed-off-by: Michael Niedermayer --- libavcodec/idcinvideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index cff9ad31ac..6b2d8087ae 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -243,6 +243,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, return buf_size; } +static const AVCodecDefault idcin_defaults[] = { + { "max_pixels", "320*240" }, + { NULL }, +}; + AVCodec ff_idcin_decoder = { .name = "idcinvideo", .long_name = NULL_IF_CONFIG_SMALL("id Quake II CIN video"), @@ -252,4 +257,5 @@ AVCodec ff_idcin_decoder = { .init = idcin_decode_init, .decode = idcin_decode_frame, .capabilities = AV_CODEC_CAP_DR1, + .defaults = idcin_defaults, }; From a05d2927568622da2797b8361fb5eff35dfc0b77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2019 23:43:48 +0200 Subject: [PATCH 0363/1383] avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP Fixes: memleaks Fixes: 16289/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5200695692623872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 48b86dd8a6bf50a7d8ab0343a1535bc4b0b5b196) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index d394700cdc..758c89e107 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -561,7 +561,7 @@ AVCodec ff_aac_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .priv_class = &aac_decoder_class, @@ -586,7 +586,7 @@ AVCodec ff_aac_latm_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .profiles = NULL_IF_CONFIG_SMALL(ff_aac_profiles), From f4319997ad1f6c2cda68ad6820ce2bc992ce5eba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jul 2019 23:24:35 +0200 Subject: [PATCH 0364/1383] avcodec/rl2: set dimensions The dimensions are always 320x200 they are hardcoded in the demuxer. Hardcode them instead in the decoder. Fixes: Timeout (16sec -> 400ms) Fixes: 15574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RL2_fuzzer-5158614072819712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 965e766e4892cfc45c97cca88895248a7735e7d0) Signed-off-by: Michael Niedermayer --- libavcodec/rl2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rl2.c b/libavcodec/rl2.c index 6662979c52..2d336a61e5 100644 --- a/libavcodec/rl2.c +++ b/libavcodec/rl2.c @@ -134,10 +134,15 @@ static av_cold int rl2_decode_init(AVCodecContext *avctx) Rl2Context *s = avctx->priv_data; int back_size; int i; + int ret; s->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 320, 200); + if (ret < 0) + return ret; + /** parse extra data */ if (!avctx->extradata || avctx->extradata_size < EXTRADATA1_SIZE) { av_log(avctx, AV_LOG_ERROR, "invalid extradata size\n"); From d0563bdf5f5ed050fa65e022e807449698a4a113 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Aug 2019 19:48:19 +0200 Subject: [PATCH 0365/1383] avcodec/alac: Fix multiple integer overflows in lpc_prediction() Fixes: signed integer overflow: 2088795537 + 2147254401 cannot be represented in type 'int' Fixes: signed integer overflow: -1500363496 + -1295351808 cannot be represented in type 'int' Fixes: signed integer overflow: -79560 * 32640 cannot be represented in type 'int' Fixes: signed integer overflow: 2088910005 + 2088796058 cannot be represented in type 'int' Fixes: signed integer overflow: -117258064 - 2088725225 cannot be represented in type 'int' Fixes: signed integer overflow: 2088725225 - -117258064 cannot be represented in type 'int' Fixes: 15739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5630664122040320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae3d6a337ad25527bcd3172e3885e45fadf9908c) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 19e62ddbe0..e06bb14e34 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -171,12 +171,12 @@ static inline int sign_only(int v) return v ? FFSIGN(v) : 0; } -static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, +static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, int nb_samples, int bps, int16_t *lpc_coefs, int lpc_order, int lpc_quant) { int i; - int32_t *pred = buffer_out; + uint32_t *pred = buffer_out; /* first sample always copies */ *buffer_out = *error_buffer; @@ -208,7 +208,7 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, for (; i < nb_samples; i++) { int j; int val = 0; - int error_val = error_buffer[i]; + unsigned error_val = error_buffer[i]; int error_sign; int d = *pred++; @@ -222,7 +222,7 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)error_val * error_sign > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; From 95e414dc5dd3c1500bd531eaa886f27cd84640f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Aug 2019 01:23:49 +0200 Subject: [PATCH 0366/1383] avcodec/alac: Check for bps of 0 Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 15764/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5102101203517440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 8f49176e845fee8e4e0aaf06411636b46d1ae3ad) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index e06bb14e34..af486abf84 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -250,10 +250,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, alac->extra_bits = get_bits(&alac->gb, 2) << 3; bps = alac->sample_size - alac->extra_bits + channels - 1; - if (bps > 32U) { + if (bps > 32) { avpriv_report_missing_feature(avctx, "bps %d", bps); return AVERROR_PATCHWELCOME; } + if (bps < 1) + return AVERROR_INVALIDDATA; /* whether the frame is compressed */ is_compressed = !get_bits1(&alac->gb); From 14616c63df76ae0d8a97491d4a1be4eb0954e947 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2019 01:03:59 +0200 Subject: [PATCH 0367/1383] avcodec/atrac9dec: Check block_align Fixes: Infinite loop Fixes: 16260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5676365617037312 Fixes: 16260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5768093879500800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dead949a1fbf019647f5c8ea797d1c7be6615639) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 87c9c51cd8..b42bb07f23 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -842,6 +842,11 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) av_lfg_init(&s->lfg, 0xFBADF00D); + if (avctx->block_align <= 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align\n"); + return AVERROR_INVALIDDATA; + } + if (avctx->extradata_size != 12) { av_log(avctx, AV_LOG_ERROR, "Invalid extradata length!\n"); return AVERROR_INVALIDDATA; From f4431b6b0cfcefbc798d00502bc1172f93be5926 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 17:34:37 +0200 Subject: [PATCH 0368/1383] avcodec/cavsdec: Limit the number of access units per packet to 2 Fixes: Timeout (122sec -> 13ms) Fixes: 15978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5148925004087296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37bc8e3249c88b733bcc0d8c74cdf668292e4d63) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 5f3b354518..1c4f71824a 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1215,6 +1215,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int input_size, ret; const uint8_t *buf_end; const uint8_t *buf_ptr; + int frame_start = 0; if (buf_size == 0) { if (!h->low_delay && h->DPB[0].f->data[0]) { @@ -1248,6 +1249,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h->got_keyframe = 1; } case PIC_PB_START_CODE: + if (frame_start > 1) + return AVERROR_INVALIDDATA; + frame_start ++; if (*got_frame) av_frame_unref(data); *got_frame = 0; From db421282beb7c18f9a380a934338c7868cf1c3e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 00:21:49 +0200 Subject: [PATCH 0369/1383] avcodec/vb: Check input packet size to be large enough to contain flags Fixes: Timeout (->9sec) Fixes: 16292/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-5747063496638464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dea2591d4fbc989ca82bc8a8ad7d16aacdc89af1) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index c6dd6fb456..d9c6b93a73 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint32_t size; int offset = 0; + if (avpkt->size < 2) + return AVERROR_INVALIDDATA; + bytestream2_init(&c->stream, avpkt->data, avpkt->size); if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) From 70255c1e480b037b1fa4d044c795200c9f4cc71a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2019 20:56:44 +0200 Subject: [PATCH 0370/1383] avcodec/tta: Fix integer overflow in prediction Fixes: signed integer overflow: -395281576 + -1827578048 cannot be represented in type 'int' Fixes: 16038/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5646109705240576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e9aecc9f358901426c134978e764ee7beac4944) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index c7702610b6..afc4907432 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -227,7 +227,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, GetBitContext gb; int i, ret; int cur_chan = 0, framelen = s->frame_length; - int32_t *p; + uint32_t *p; if (avctx->err_recognition & AV_EF_CRCCHECK) { if (buf_size < 4 || @@ -261,7 +261,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, } i = 0; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) { + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) { int32_t *predictor = &s->ch_ctx[cur_chan].predictor; TTAFilter *filter = &s->ch_ctx[cur_chan].filter; TTARice *rice = &s->ch_ctx[cur_chan].rice; @@ -334,7 +334,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // decorrelate in case of multiple channels if (s->channels > 1) { int32_t *r = p - 1; - for (*p += *r / 2; r > p - s->channels; r--) + for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) *r = *(r + 1) - *r; } cur_chan = 0; @@ -358,13 +358,13 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, switch (s->bps) { case 1: { uint8_t *samples = (uint8_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p + 0x80; break; } case 2: { int16_t *samples = (int16_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p; break; } From 586a79190ccc56ab1ba682127a23e6b411d88c51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 01:18:05 +0200 Subject: [PATCH 0371/1383] avcodec/vorbisdec: Check get_vlc2() failure Fixes: out of array read Fixes: 16510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5754510382727168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07b948fe60789064d7c784d47b8fe798a9a4d2b9) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 1045d574b1..104dc86a13 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1442,7 +1442,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, int vqbook = vr->books[vqclass][pass]; if (vqbook >= 0 && vc->codebooks[vqbook].codevectors) { - unsigned coffs; + int coffs; unsigned dim = vc->codebooks[vqbook].dimensions; unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; @@ -1451,14 +1451,20 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, voffs = voffset+j*vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) vec[voffs + k + l * step] += codebook.codevectors[coffs + l]; } } else if (vr_type == 1) { voffs = voffset + j * vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l, ++voffs) { vec[voffs]+=codebook.codevectors[coffs+l]; @@ -1471,13 +1477,19 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, if (dim == 2) { for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 2; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 2; vec[voffs + k ] += codebook.codevectors[coffs ]; vec[voffs + k + vlen] += codebook.codevectors[coffs + 1]; } } else if (dim == 4) { for (k = 0; k < step; ++k, voffs += 2) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 4; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 4; vec[voffs ] += codebook.codevectors[coffs ]; vec[voffs + 1 ] += codebook.codevectors[coffs + 2]; vec[voffs + vlen ] += codebook.codevectors[coffs + 1]; @@ -1485,7 +1497,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; l += 2, voffs++) { vec[voffs ] += codebook.codevectors[coffs + l ]; vec[voffs + vlen] += codebook.codevectors[coffs + l + 1]; @@ -1502,7 +1517,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned voffs_mod = voffset - voffs_div * ch; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) { vec[voffs_div + voffs_mod * vlen] += codebook.codevectors[coffs + l]; From 58a7f109a96cda2f461197f6ded4951387d7fee3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 18:47:54 +0200 Subject: [PATCH 0372/1383] avcodec/vc1_block: Check for double escapes Fixes: out of array read Fixes: 16331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5672735195267072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6962fd586e1a9a98828866dcfb4114af30c8c756) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 94184b0873..775e3c516b 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -526,7 +526,7 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); - if (index < 0) + if (index >= ff_vc1_ac_sizes[codingset] - 1U) return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; From 4b4586db12ea7c8e028e400572ed4fa135c92283 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 20:04:35 +0200 Subject: [PATCH 0373/1383] avcodec/vc1dec: Require res_sprite for wmv3images non res_sprite leads to decoder delay which leads to assertion failure Fixes: Assertion failure Fixes: 16402/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5704510034411520 Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 16425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5692858838810624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c6b4004928ef41563b0e913666f8da27fdb2399) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 9519864c55..ac3198e4fd 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -450,6 +450,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) return ret; + if (avctx->codec_id == AV_CODEC_ID_WMV3IMAGE && !v->res_sprite) { + avpriv_request_sample(avctx, "Non sprite WMV3IMAGE"); + return AVERROR_PATCHWELCOME; + } + count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", From 74836bb41b41fea3fe161cbc60ab1460e8de9cb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 20:15:20 +0200 Subject: [PATCH 0374/1383] avcodec/vc1_block: Check the return code from vc1_decode_p_block() Fixes: left shift of negative value -1 Fixes: 16424/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5656579055026176 Fixes: 16358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5714436358144000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe536b6d9984d40f800a24a84032b99ebc9f680e) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 775e3c516b..514206f6d2 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1385,6 +1385,8 @@ static int vc1_decode_p_mb(VC1Context *v) pat = vc1_decode_p_block(v, v->block[v->cur_blk_idx][block_map[i]], i, mquant, ttmb, first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1488,6 +1490,8 @@ static int vc1_decode_p_mb(VC1Context *v) (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1698,6 +1702,8 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : (s->linesize << fieldtx), CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1834,6 +1840,8 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -1853,7 +1861,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) /** Decode one B-frame MB (in Main profile) */ -static void vc1_decode_b_mb(VC1Context *v) +static int vc1_decode_b_mb(VC1Context *v) { MpegEncContext *s = &v->s; GetBitContext *gb = &s->gb; @@ -1919,7 +1927,7 @@ static void vc1_decode_b_mb(VC1Context *v) bmvtype = BMV_TYPE_INTERPOLATED; ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } if (direct) { cbp = get_vlc2(&v->s.gb, v->cbpcy_vlc->table, VC1_CBPCY_P_VLC_BITS, 2); @@ -1936,7 +1944,7 @@ static void vc1_decode_b_mb(VC1Context *v) /* no coded blocks - effectively skipped */ ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } if (s->mb_intra && !mb_has_coeffs) { GET_MQUANT(); @@ -1951,7 +1959,7 @@ static void vc1_decode_b_mb(VC1Context *v) /* interpolated skipped block */ ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); vc1_b_mc(v, dmv_x, dmv_y, direct, bmvtype); - return; + return 0; } } ff_vc1_pred_b_mv(v, dmv_x, dmv_y, direct, bmvtype); @@ -1995,20 +2003,23 @@ static void vc1_decode_b_mb(VC1Context *v) i & 4 ? s->uvlinesize : s->linesize); } else if (val) { - vc1_decode_p_block(v, s->block[i], i, mquant, ttmb, - first_block, s->dest[dst_idx] + off, - (i & 4) ? s->uvlinesize : s->linesize, - CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), NULL); + int pat = vc1_decode_p_block(v, s->block[i], i, mquant, ttmb, + first_block, s->dest[dst_idx] + off, + (i & 4) ? s->uvlinesize : s->linesize, + CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), NULL); + if (pat < 0) + return pat; if (!v->ttmbf && ttmb < 8) ttmb = -1; first_block = 0; } } + return 0; } /** Decode one B-frame MB (in interlaced field B picture) */ -static void vc1_decode_b_mb_intfi(VC1Context *v) +static int vc1_decode_b_mb_intfi(VC1Context *v) { MpegEncContext *s = &v->s; GetBitContext *gb = &s->gb; @@ -2113,7 +2124,7 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) dmv_x[1] = dmv_y[1] = pred_flag[0] = 0; if (!s->next_picture_ptr->field_picture) { av_log(s->avctx, AV_LOG_ERROR, "Mixed field/frame direct mode not supported\n"); - return; + return AVERROR_INVALIDDATA; } } ff_vc1_pred_b_mv_intfi(v, 0, dmv_x, dmv_y, 1, pred_flag); @@ -2158,6 +2169,8 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : s->linesize, CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; @@ -2167,6 +2180,8 @@ static void vc1_decode_b_mb_intfi(VC1Context *v) } v->cbp[s->mb_x] = block_cbp; v->ttblk[s->mb_x] = block_tt; + + return 0; } /** Decode one B-frame MB (in interlaced frame B picture) @@ -2453,6 +2468,8 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) first_block, s->dest[dst_idx] + off, (i & 4) ? s->uvlinesize : (s->linesize << fieldtx), CONFIG_GRAY && (i & 4) && (s->avctx->flags & AV_CODEC_FLAG_GRAY), &block_tt); + if (pat < 0) + return pat; block_cbp |= pat << (i << 2); if (!v->ttmbf && ttmb < 8) ttmb = -1; From 422d57feb2b119856f8edb29ada06ff4a8444748 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 23:22:50 +0200 Subject: [PATCH 0375/1383] avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block() Fixes: signed integer overflow: 1795032576 + 598344192 cannot be represented in type 'int' Fixes: 16196/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5636723419119616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cc78783ce5e8837d4f4ca43eedf2d299651e65ff) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 6c15a5715b..5e2e808587 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -610,7 +610,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int ct = ctx->D[0] + ctx->D[1] + ctx->D[2] + ctx->D[3]; if (bx > 0) - left = last[-1] - ct; + left = last[-1] - (unsigned)ct; else left = 0; @@ -621,7 +621,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[2] = right - (diff >> 2); last[3] = right; { - int tp = left; + unsigned tp = left; ctx->D[0] = (tp + (ct >> 2)) - left; left += ctx->D[0]; From a78128bf0a5f428f57750833ed906775af23c853 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Sep 2019 22:31:45 +0200 Subject: [PATCH 0376/1383] avcodec/bgmc: Check input space in ff_bgmc_decode_init() Fixes: Infinite loop Fixes: 16608/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5636229827133440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit b54031a6e93d1abc7fb2d0263e0f6c4b639e423f) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 +++- libavcodec/bgmc.c | 7 ++++++- libavcodec/bgmc.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 11bbd38f58..f8d10df8c6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -821,7 +821,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) unsigned int low; unsigned int value; - ff_bgmc_decode_init(gb, &high, &low, &value); + int ret = ff_bgmc_decode_init(gb, &high, &low, &value); + if (ret < 0) + return ret; current_res = bd->raw_samples + start; diff --git a/libavcodec/bgmc.c b/libavcodec/bgmc.c index 1a6817b73f..2d59aa37ad 100644 --- a/libavcodec/bgmc.c +++ b/libavcodec/bgmc.c @@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status) /** Initialize decoding and reads the first value */ -void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v) { + if (get_bits_left(gb) < VALUE_BITS) + return AVERROR_INVALIDDATA; + *h = TOP_VALUE; *l = 0; *v = get_bits_long(gb, VALUE_BITS); + + return 0; } diff --git a/libavcodec/bgmc.h b/libavcodec/bgmc.h index 4893736af5..466df31a2e 100644 --- a/libavcodec/bgmc.h +++ b/libavcodec/bgmc.h @@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status); void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status); -void ff_bgmc_decode_init(GetBitContext *gb, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v); From 544ad51ad6c3f1a4de15c3a508615a65b83ad797 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2019 19:18:31 +0200 Subject: [PATCH 0377/1383] avcodec/ralf: fix undefined shift Fixes: left shift of negative value -2 Fixes: 16145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5146671058518016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee886988e75b3c22cabc2ca0fadcf8e4f787640) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 619fd7126a..d2d803b0d4 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -300,8 +300,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) << add_bits; - dst[i + 1] = extend_code(gb, code2, range, 0) << add_bits; + dst[i] = extend_code(gb, code1, range, 0) * (1 << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1 << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); From e1a3eda6ccc20e4014d67a21d23be36989f92f67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2019 19:25:01 +0200 Subject: [PATCH 0378/1383] avcodec/ralf: fix undefined shift in extend_code() Fixes: left shift of negative value -3 Fixes: 16147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5658392722407424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4778407ab3b545c40def7e95a8f9dd4ae92a4e8e) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index d2d803b0d4..75c9371b95 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -220,7 +220,7 @@ static inline int extend_code(GetBitContext *gb, int val, int range, int bits) val -= range; } if (bits) - val = (val << bits) | get_bits(gb, bits); + val = ((unsigned)val << bits) | get_bits(gb, bits); return val; } From b7290b87ce004a256d36be7cf39406230f4c3934 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Sep 2019 22:44:50 +0200 Subject: [PATCH 0379/1383] avcodec/apedec: Fix 32bit int overflow in do_apply_filter() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 2147480546 + 4096 cannot be represented in type 'int' Fixes: 16280/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5123442566758400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 9d3ddef519e88c40c05be8cb94cd9e71c0957ec7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index b9df8c6b12..59e829ee5b 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1266,7 +1266,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->delay - order, f->adaptcoeffs - order, order, APESIGN(*data)); - res = (res + (1 << (fracbits - 1))) >> fracbits; + res = (int)(res + (1U << (fracbits - 1))) >> fracbits; res += *data; *data++ = res; From 6e0d6e373a562b1546140d082b106869da972991 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Aug 2019 23:22:39 +0200 Subject: [PATCH 0380/1383] avcodec/iff: Check for overlap in cmap_read_palette() Fixes: undefined memcpy() use Fixes: 16302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5678750575886336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfa5d1a3667fa38e07373becc2401175b31d8228) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 459d5d4a55..1bb7924c98 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -180,6 +180,10 @@ static int cmap_read_palette(AVCodecContext *avctx, uint32_t *pal) pal[i] = 0xFF000000 | gray2rgb((i * 255) >> avctx->bits_per_coded_sample); } if (s->masking == MASK_HAS_MASK) { + if ((1 << avctx->bits_per_coded_sample) < count) { + avpriv_request_sample(avctx, "overlapping mask"); + return AVERROR_PATCHWELCOME; + } memcpy(pal + (1 << avctx->bits_per_coded_sample), pal, count * 4); for (i = 0; i < count; i++) pal[i] &= 0xFFFFFF; From d4442a25e1648eb488e2934fe871f96c50cb71f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 12:06:30 +0200 Subject: [PATCH 0381/1383] avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2 This reverts a hunk from f1ca40ee00402102046fc7e59606651930436b0e Fixes: out of array read Fixes: 16924/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5157893162139648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 722fd4696583cc984700eaec4745922ae177b2da) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 104dc86a13..be6d1b2d21 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1513,7 +1513,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else if (vr_type == 2) { - unsigned voffs_div = FASTDIV(voffset << 1, ch <<1); + unsigned voffs_div = ch == 1 ? voffset : FASTDIV(voffset, ch); unsigned voffs_mod = voffset - voffs_div * ch; for (k = 0; k < step; ++k) { From 5e4d9b6bf098f20f600ba71fd4d3f692906fe88c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:12:38 +0200 Subject: [PATCH 0382/1383] avcodec/vc1_pred: Fix refdist in scaleforopp() Fixes: out of array access Fixes: 16601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5656105392275456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 413e0f2516eef678011cffd1ec6f0d92aa8bb96a) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index ea9ccedac9..b5129483fe 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -197,9 +197,10 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) - refdist = FFMIN(v->refdist, 3); + refdist = v->refdist; else refdist = dir ? v->brfd : v->frfd; + refdist = FFMIN(refdist, 3); scaleopp = ff_vc1_field_mvpred_scales[dir ^ v->second_field][0][refdist]; n = (n * scaleopp >> 8) * (1 << hpel); From 7a3223ebefc17c6383608dc7b58e29fe8fc57c51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Aug 2019 21:26:43 +0200 Subject: [PATCH 0383/1383] avcodec/qdm2: Check frame size Fixes: index 2304 out of bounds for type 'float [2304]' Fixes: 16332/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5679142481166336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12b909ba319d32ed100d9b26021aa9b6976424d7) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index eaffb36dcc..ac8ae8cbbb 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1727,6 +1727,11 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); + if (s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE) { + avpriv_request_sample(avctx, "large frames"); + return AVERROR_PATCHWELCOME; + } + switch ((s->sub_sampling * 2 + s->channels - 1)) { case 0: tmp = 40; break; case 1: tmp = 48; break; From 77c60f16d7fc1245f2852c07486909e3df8a0bcf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 09:16:40 +0200 Subject: [PATCH 0384/1383] avcodec/vp56rac: delay signaling an error on truncated input A threshold of 1 is sufficient for simple_dump_cut.webm, 10 is used just to be sure the next truncated file doesnt cause the same issue Obvious alternative fixes are to simply accept that the file is broken or to write some advanced error concealment or to simply accept that the decoder wont stop at the end of input. Fixes: Ticket 8069 (artifacts not the differing md5 which was there before 1afd246960202917e244c844c534e9c1e3c323f5) Fixes: simple_dump_cut.webm Fixes: regression of 1afd246960202917e244c844c534e9c1e3c323f5 fate-vp5 changes because the last frame is truncated and now handled differently. Signed-off-by: Michael Niedermayer (cherry picked from commit b6b9ac5698c8f911841b469af77199153278c55c) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.h | 5 ++++- libavcodec/vp56rac.c | 1 + tests/ref/fate/vp5 | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 70e1d38a83..0b9ecbb8f3 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -89,6 +89,7 @@ typedef struct VP56RangeCoder { const uint8_t *buffer; const uint8_t *end; unsigned int code_word; + int end_reached; } VP56RangeCoder; typedef struct VP56RefDc { @@ -232,7 +233,9 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si */ static av_always_inline int vpX_rac_is_end(VP56RangeCoder *c) { - return c->end <= c->buffer && c->bits >= 0; + if (c->end <= c->buffer && c->bits >= 0) + c->end_reached ++; + return c->end_reached > 10; } static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index e70302bf85..64fb6a99b4 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -43,6 +43,7 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + c->end_reached = 0; if (buf_size < 1) return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 2469a3ec21..09ebe62b25 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xbf73f1b7 +0, 246, 246, 1, 233472, 0x4f3ef38c From 12e035b6fa1c7e00886245bbf74b94817034493c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Aug 2019 00:23:52 +0200 Subject: [PATCH 0385/1383] avcodec/mpeg4videodec: Fix integer overflow in mpeg4_decode_studio_block() Fixes: signed integer overflow: 24023040 * 112 cannot be represented in type 'int' Fixes: 16570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5173275211071488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 0e4a0e962cb0e422d2a350b875fc1e38d7b842a3) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index bb9f1e3f2c..fd68295ee4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1826,6 +1826,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n uint32_t flc; const int min = -1 * (1 << (s->avctx->bits_per_raw_sample + 6)); const int max = ((1 << (s->avctx->bits_per_raw_sample + 6)) - 1); + int shift = 3 - s->dct_precision; mismatch = 1; @@ -1921,7 +1922,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n else block[j] = flc; } - block[j] = ((8 * 2 * block[j] * quant_matrix[j] * s->qscale) >> s->dct_precision) / 32; + block[j] = ((block[j] * quant_matrix[j] * s->qscale) * (1 << shift)) / 16; block[j] = av_clip(block[j], min, max); mismatch ^= block[j]; } From 2348a24c363e5e3def0aa3ae5c19d11e5bf06a01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2019 00:11:02 +0200 Subject: [PATCH 0386/1383] avcodec/aacps: Fix integer overflows in hybrid_synthesis() Fixes: signed integer overflow: -822667928 + -1399761199 cannot be represented in type 'int' Fixes: 15756/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5645182051024896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec749ed2225e0c33f0910fc318c73da6f4ceb587) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index b16c3393d1..acfdfa6f0c 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64], memset(out[0][n], 0, 5*sizeof(out[0][n][0])); memset(out[1][n], 0, 5*sizeof(out[1][n][0])); for (i = 0; i < 12; i++) { - out[0][n][0] += in[ i][n][0]; - out[1][n][0] += in[ i][n][1]; + out[0][n][0] += (UINTFLOAT)in[ i][n][0]; + out[1][n][0] += (UINTFLOAT)in[ i][n][1]; } for (i = 0; i < 8; i++) { - out[0][n][1] += in[12+i][n][0]; - out[1][n][1] += in[12+i][n][1]; + out[0][n][1] += (UINTFLOAT)in[12+i][n][0]; + out[1][n][1] += (UINTFLOAT)in[12+i][n][1]; } for (i = 0; i < 4; i++) { - out[0][n][2] += in[20+i][n][0]; - out[1][n][2] += in[20+i][n][1]; - out[0][n][3] += in[24+i][n][0]; - out[1][n][3] += in[24+i][n][1]; - out[0][n][4] += in[28+i][n][0]; - out[1][n][4] += in[28+i][n][1]; + out[0][n][2] += (UINTFLOAT)in[20+i][n][0]; + out[1][n][2] += (UINTFLOAT)in[20+i][n][1]; + out[0][n][3] += (UINTFLOAT)in[24+i][n][0]; + out[1][n][3] += (UINTFLOAT)in[24+i][n][1]; + out[0][n][4] += (UINTFLOAT)in[28+i][n][0]; + out[1][n][4] += (UINTFLOAT)in[28+i][n][1]; } } dsp->hybrid_synthesis_deint(out, in + 27, 5, len); } else { for (n = 0; n < len; n++) { - out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] + - in[3][n][0] + in[4][n][0] + in[5][n][0]; - out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] + - in[3][n][1] + in[4][n][1] + in[5][n][1]; - out[0][n][1] = in[6][n][0] + in[7][n][0]; - out[1][n][1] = in[6][n][1] + in[7][n][1]; - out[0][n][2] = in[8][n][0] + in[9][n][0]; - out[1][n][2] = in[8][n][1] + in[9][n][1]; + out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] + + (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0]; + out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] + + (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1]; + out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0]; + out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1]; + out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0]; + out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1]; } dsp->hybrid_synthesis_deint(out, in + 7, 3, len); } From eec70d9fbeb7f7d0d060326e3f881bca27f99b17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Aug 2019 17:49:15 +0200 Subject: [PATCH 0387/1383] avcodec/takdec: Fix integer overflow in decorrelate() Fixes: signed integer overflow: -2424832 - 2145653689 cannot be represented in type 'int' Fixes: 16138/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5643451346976768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1192736494a5b16717de66da4a3d3c6af0e9a7a) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0439a3ac9b..4fb5825532 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -653,7 +653,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) s->residues[i ] * s->filter[0]; } - v = av_clip_intp2(v >> 10, 13) * (1 << dshift) - *p1; + v = av_clip_intp2(v >> 10, 13) * (1U << dshift) - *p1; *p1++ = v; } From 81c2cf86468082485a34e27ace8290b6e9623b67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Aug 2019 18:22:50 +0200 Subject: [PATCH 0388/1383] avcodec/alsdec: Check k from being outside what our implementation can handle The specification does not seem to list what the maximum valid value is Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 16268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5638164544225280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e1255789941d213a8e193469d0687946c9fa4a63) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index f8d10df8c6..a53c170d18 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -833,6 +833,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; + if (k[sb] >= 32) + return AVERROR_INVALIDDATA; + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); From ccad8e7175980ae71db11daf43b00f598930392b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 21:56:35 +0200 Subject: [PATCH 0389/1383] avcodec/htmlsubtitles: Avoid locale dependant isdigit() Signed-off-by: Michael Niedermayer (cherry picked from commit b94cf549e2d9e456d77f8539baca0fffa805ba69) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index d9221ba16b..8ce66e0b27 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -55,7 +55,7 @@ static int scanbraces(const char* in) { if (strncmp(in, "{\\an", 4) != 0) { return 0; } - if (!isdigit(in[4])) { + if (!av_isdigit(in[4])) { return 0; } if (in[5] != '}') { From 3b61a7732de31ac437222ea2c68e43a4eefefb32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Aug 2019 17:21:00 +0200 Subject: [PATCH 0390/1383] libavcodec/utils: Free threads on init failure Fixes: Multiple memleaks Fixes: ffmpeg-memory-leak Found-by: Francis Provencher Signed-off-by: Michael Niedermayer (cherry picked from commit 61b055bed0968d60eb24a5080fb4ba2bcf73b753) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2e2283ffea..cfe40c59f7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1025,6 +1025,9 @@ free_and_end: (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); + if (HAVE_THREADS && avctx->internal->thread_ctx) + ff_thread_free(avctx); + if (codec->priv_class && codec->priv_data_size) av_opt_free(avctx->priv_data); av_opt_free(avctx); From 1a224677d33913f037ec14b20a2a65e302c7a301 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 21:53:05 +0200 Subject: [PATCH 0391/1383] avcodec/gdv: Replace assert() checking bitstream by if() Signed-off-by: Michael Niedermayer (cherry picked from commit a9fae76370baf11a03b2c0ea590bb2d2f3f372ce) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index f46bc28210..d6952e9745 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -356,7 +356,8 @@ static int decompress_68(AVCodecContext *avctx, unsigned skip, unsigned use8) if (val != ((1 << lbits) - 1)) { break; } - assert(lbits < 16); + if (lbits >= 16) + return AVERROR_INVALIDDATA; } for (i = 0; i < len; i++) { bytestream2_put_byte(pb, bytestream2_get_byte(gb)); From b91ee0ce18e4ab3ab10efa6f041f13f6020f99cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 19:01:41 +0200 Subject: [PATCH 0392/1383] avcodec/hevcdec: repeat character in skiped Signed-off-by: Michael Niedermayer (cherry picked from commit d2d8e797cc4f3cea3470d464bd5f51cd097fe371) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index bfdecf3ab2..ba8f11ec58 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -491,7 +491,7 @@ static int hls_slice_header(HEVCContext *s) sh->first_slice_in_pic_flag = get_bits1(gb); if (s->ref && sh->first_slice_in_pic_flag) { av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); - return 1; // This slice will be skiped later, do not corrupt state + return 1; // This slice will be skipped later, do not corrupt state } if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { From 0801d3cfa251e758e35f7d8949cb35576b6787e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 00:20:39 +0200 Subject: [PATCH 0393/1383] avformat/cdxl: Fix integer overflow in intermediate Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index 94a063c813..bd87c8d5d6 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); - if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + if (cdxl->header[19] == 0 || + FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) return AVERROR_INVALIDDATA; if (format == 0x20) image_size = width * height * cdxl->header[19] / 8; From 93656080992b7871de4d28fcbf029d5cb7f05aa0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 19:40:37 +0200 Subject: [PATCH 0394/1383] avcodec/hevcdec: Fix memleak of a53_caption Fixes: 15295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5675655187922944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef50cf7b32b91af303e37236f22e2e89971a84b7) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index ba8f11ec58..90c56924a0 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3321,6 +3321,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx) ff_h2645_packet_uninit(&s->pkt); + ff_hevc_reset_sei(&s->sei); + return 0; } @@ -3514,6 +3516,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) { HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); + ff_hevc_reset_sei(&s->sei); s->max_ra = INT_MAX; s->eos = 1; } From a600c6fa02f982b4b5469ee5d91f2f433c8c2e86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 01:25:03 +0200 Subject: [PATCH 0395/1383] avformat/mov: Check for EOF in mov_read_meta() Fixes: Timeout (195sec -> 2ms) Fixes: 16735/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5090676403863552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 093d1f42507e07d9acb43a8a3135e4ebe3530fe2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 156454741c..4de31135b4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4421,7 +4421,10 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_meta(MOVContext *c, AVIOContext *pb, MOVAtom atom) { while (atom.size > 8) { - uint32_t tag = avio_rl32(pb); + uint32_t tag; + if (avio_feof(pb)) + return AVERROR_EOF; + tag = avio_rl32(pb); atom.size -= 4; if (tag == MKTAG('h','d','l','r')) { avio_seek(pb, -8, SEEK_CUR); From f34c2a9f941c1f7c13a3b54dd203618612674037 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Sep 2019 10:25:05 +0200 Subject: [PATCH 0396/1383] avcodec/utils: Check channels fully earlier Signed-off-by: Michael Niedermayer (cherry picked from commit 83f2555e5ff571cbf5c226a920602e91228039ab) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cfe40c59f7..b7c47af89e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -674,8 +674,8 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (av_codec_is_decoder(codec)) av_freep(&avctx->subtitle_header); - if (avctx->channels > FF_SANE_NB_CHANNELS) { - av_log(avctx, AV_LOG_ERROR, "Too many channels: %d\n", avctx->channels); + if (avctx->channels > FF_SANE_NB_CHANNELS || avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "Too many or invalid channels: %d\n", avctx->channels); ret = AVERROR(EINVAL); goto free_and_end; } From 6579f1ac27115a2af6d9f7a6d3e7dc56ec3d43d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:06:02 +0200 Subject: [PATCH 0397/1383] avcodec/sunrast: Fix return type for "unsupported (compression) type" Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0e8b7709a92afd7c10b4b5861870f6e365f280c3) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 0af5626e35..883421202a 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -72,7 +72,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); - return -1; + return AVERROR_PATCHWELCOME; } switch (depth) { From c526fc591a96650489d6a0f365fb5249f15ac1bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:06:24 +0200 Subject: [PATCH 0398/1383] avcodec/sunrast: Fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit 0728d644973c314785c26b3d0559ba829ca31641) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 883421202a..baf184968f 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -132,8 +132,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); stride = (w + 15 >> 3) * depth; } else { - ptr = p->data[0]; - stride = p->linesize[0]; + ptr = p->data[0]; + stride = p->linesize[0]; } /* scanlines are aligned on 16 bit boundaries */ From 3f2f2b18c832c206456e2ef08131fa9cc7e682a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2019 23:52:04 +0200 Subject: [PATCH 0399/1383] avcodec/adpcm: Check number of channels for MTAF Fixes: out of array access Fixes: 17608/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_MTAF_fuzzer-5074936267276288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 74bbf9bc8279e0b8eba89c8cca68e8ad7ff547ed) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index cd3bbd33c2..b0f8c11cb5 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -110,6 +110,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) case AV_CODEC_ID_ADPCM_MTAF: min_channels = 2; max_channels = 8; + if (avctx->channels & 1) { + avpriv_request_sample(avctx, "channel count %d\n", avctx->channels); + return AVERROR_PATCHWELCOME; + } break; case AV_CODEC_ID_ADPCM_PSX: max_channels = 8; From 07b6caa309be5a74b18fbf3723a3c54a246fbd07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jun 2019 00:29:06 +0200 Subject: [PATCH 0400/1383] avcodec/dxv: Check op_offset in both directions Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in type 'int' Fixes: 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c7d5fcfc32d65951039ab2bb78947a41bdd96c4) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index e28a6ba724..03e8270463 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -743,7 +743,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, int skip0, skip1, oi0 = 0, oi1 = 0; int ret, state0 = 0, state1 = 0; - if (op_offset < 12) + if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA; dst = tex_data; From 718eab17338abdc8d75d6274998a0960527b4b05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Sep 2019 20:47:04 +0200 Subject: [PATCH 0401/1383] avcodec/ffwavesynth: Fix integer overflow in timestamps Fixes: signed integer overflow: 9223371075321077760 * 2 cannot be represented in type 'long' Fixes: 16447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5698937431785472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c7ccbf40edb81d40727cca3a7ffd1848d3ed880a) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index cfd0951d8f..6736587e32 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); + lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; From 60993e367f05463464f2285aa00b749b7e4b394c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:36:43 +0200 Subject: [PATCH 0402/1383] avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction() Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 16786/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5632818851348480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0831cbfe099192098d91e049ed9cf03c5a9cb376) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index af486abf84..f7d791dc47 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -222,7 +222,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && (int)error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)(error_val * error_sign) > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; From 24b0e33b8bbbc21b46fc49a47dcbed12f71580c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:46:38 +0200 Subject: [PATCH 0403/1383] avcodec/alac: Fix invalid shifts in 20/24 bps Fixes: left shift of negative value -256 Fixes: 16892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4880802642395136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b30c07cc2b9ee5bc52e1782eba9aa40e99085a7e) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index f7d791dc47..018248ef6a 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -397,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, case 20: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 12; + alac->output_samples_buffer[ch][i] *= 1 << 12; }} break; case 24: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 8; + alac->output_samples_buffer[ch][i] *= 1 << 8; }} break; } From d07669ebc6e25e65a0f583255711141d10a85317 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:55:26 +0200 Subject: [PATCH 0404/1383] avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL Fixes: signed integer overflow: 238 * 16843009 cannot be represented in type 'int' Fixes: 16958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5193905355620352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 033d2c4884eca3f4f80047bff93255b0cc4fa7a3) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 61e316916b..27da0bc97a 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -536,7 +536,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, while(run-- && blk < blocks){ uint32_t col; out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4; - col = mode * 0x01010101; + col = mode * 0x01010101U; for(i = 0; i < 4; i++) { *((uint32_t*)out) = col; out += stride; From 5d49cf9ac2f0ef27a9acb897ab8363300e41c59d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Sep 2019 17:25:07 +0200 Subject: [PATCH 0405/1383] avcodec/utils: Use av_memcpy_backptr() in ff_color_frame() Fixes: Timeout (191sec -> 53sec) Fixes: 16908/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5711207859748864 Fixes: 10709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5630617975259136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 340ab13504dddb71889f518983174d7bac7cfe96) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b7c47af89e..41153d1c1c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -408,7 +408,7 @@ int avcodec_fill_audio_frame(AVFrame *frame, int nb_channels, void ff_color_frame(AVFrame *frame, const int c[4]) { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(frame->format); - int p, y, x; + int p, y; av_assert0(desc->flags & AV_PIX_FMT_FLAG_PLANAR); @@ -419,8 +419,8 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; for (y = 0; y < height; y++) { if (desc->comp[0].depth >= 9) { - for (x = 0; xlinesize[p]; From e6cff05befb185642f4cd6d98e88faf076930ff5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Sep 2019 21:08:31 +0200 Subject: [PATCH 0406/1383] avcodec/aacdec: Check if we run out of input in read_stream_mux_config() Fixes: Infinite loop Fixes: 16920/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5653421289373696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3dce4d03d5a555bff2e11f97fb54701b22effeaf) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index 758c89e107..cc97ff4389 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -411,6 +411,8 @@ static int read_stream_mux_config(struct LATMContext *latmctx, } else { int esc; do { + if (get_bits_left(gb) < 9) + return AVERROR_INVALIDDATA; esc = get_bits(gb, 1); skip_bits(gb, 8); } while (esc); From 18e5ce4d0d779d31858274d02851aa33ee831927 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Dec 2018 01:14:51 +0100 Subject: [PATCH 0407/1383] avcodec/utils: Optimize ff_color_frame() using memcpy() 4650975 -> 4493240 dezicycles This optimizes lines 2 and later. Line 1 still uses av_memcpy_backptr() This change originally fixed ossfuzz 10790 but this is now fixed by other optimizations already Signed-off-by: Michael Niedermayer (cherry picked from commit 95e5396919b13a00264466b5d766f80f1a4f7fdc) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 41153d1c1c..10259ba664 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -417,13 +417,19 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int is_chroma = p == 1 || p == 2; int bytes = is_chroma ? AV_CEIL_RSHIFT(frame->width, desc->log2_chroma_w) : frame->width; int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; - for (y = 0; y < height; y++) { - if (desc->comp[0].depth >= 9) { - ((uint16_t*)dst)[0] = c[p]; - av_memcpy_backptr(dst + 2, 2, bytes - 2); - }else - memset(dst, c[p], bytes); + if (desc->comp[0].depth >= 9) { + ((uint16_t*)dst)[0] = c[p]; + av_memcpy_backptr(dst + 2, 2, bytes - 2); dst += frame->linesize[p]; + for (y = 1; y < height; y++) { + memcpy(dst, frame->data[p], 2*bytes); + dst += frame->linesize[p]; + } + } else { + for (y = 0; y < height; y++) { + memset(dst, c[p], bytes); + dst += frame->linesize[p]; + } } } } From a3f6f2150649f7187e63136423c345b8ec532521 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 23:50:23 +0200 Subject: [PATCH 0408/1383] avcodec/sbcdec: Initialize number of channels Fixes: out of array access Fixes: 17609/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SBC_fuzzer-5758729319874560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Reviewed-by: Moritz Barsnick Signed-off-by: Michael Niedermayer (cherry picked from commit 02fb6a214717d40487cae2b06f13b14fabb6e101) Signed-off-by: Michael Niedermayer --- libavcodec/sbcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/sbcdec.c b/libavcodec/sbcdec.c index 546b38c106..937946e2d2 100644 --- a/libavcodec/sbcdec.c +++ b/libavcodec/sbcdec.c @@ -348,6 +348,7 @@ static int sbc_decode_frame(AVCodecContext *avctx, if (frame_length <= 0) return frame_length; + avctx->channels = frame->channels = sbc->frame.channels; frame->format = AV_SAMPLE_FMT_S16P; frame->nb_samples = sbc->frame.blocks * sbc->frame.subbands; From 86acbb0350d2d6a66fbae8fecdb66797666f9bf4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 01:07:34 +0200 Subject: [PATCH 0409/1383] avcodec/g729_parser: Check block_size Fixes: Infinite loop Fixes: 17611/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5765134928052224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 972a0a818ff7a9b33c7f37e08783f4b6082f9aa2) Signed-off-by: Michael Niedermayer --- libavcodec/g729_parser.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c index d13c990807..a2cecb7223 100644 --- a/libavcodec/g729_parser.c +++ b/libavcodec/g729_parser.c @@ -51,6 +51,12 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->duration = avctx->frame_size; } + if (!s->block_size) { + *poutbuf = buf; + *poutbuf_size = buf_size; + return buf_size; + } + if (!s->remaining) s->remaining = s->block_size; if (s->remaining <= buf_size) { From 2567675f00a3f161d034cbef44bc42bc64326811 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 16:48:46 +0200 Subject: [PATCH 0410/1383] avcodec/dstdec: Fix integer overflow in samples_per_frame computation Fixes: Timeout (? -> 2ms) Fixes: 17616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5198057947267072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7dc0943d4aa014e616e2f2a4802cb3da829f9420) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 368cb64931..10b89c3c1b 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -37,7 +37,7 @@ #define DST_MAX_CHANNELS 6 #define DST_MAX_ELEMENTS (2 * DST_MAX_CHANNELS) -#define DSD_FS44(sample_rate) (sample_rate * 8 / 44100) +#define DSD_FS44(sample_rate) (sample_rate * 8LL / 44100) #define DST_SAMPLES_PER_FRAME(sample_rate) (588 * DSD_FS44(sample_rate)) From 7e4d850a9f6c4b592072187c6da33997ed98462e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 23:42:42 +0200 Subject: [PATCH 0411/1383] avcodec/fitsdec: Prevent division by 0 with huge data_max Fixes: division by 0 Fixes: 15657/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5738154838982656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cfa193779103c97bbfc28273a0ab12c114b6786d) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 4f452422ef..88b841a964 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -195,6 +195,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *dst8; uint16_t *dst16; uint64_t t; + double scale; FITSHeader header; FITSContext * fitsctx = avctx->priv_data; @@ -204,6 +205,12 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + scale = header.data_max - header.data_min; + if (scale <= 0 || !isfinite(scale)) { + scale = 1; + } + scale = 1/scale; + if (header.rgb) { if (header.bitpix == 8) { if (header.naxisn[2] == 3) { @@ -272,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < avctx->width; j++) { \ t = rd; \ if (!header.blank_found || t != header.blank) { \ - *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) / (header.data_max - header.data_min); \ + *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale; \ } else { \ *dst++ = fitsctx->blank_val; \ } \ From 559280043d60e78927b4d52f86ec835690929853 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 20:31:50 +0200 Subject: [PATCH 0412/1383] avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop This makes the decoder faster Improves/Fixes: Timeout (22sec -> 20sec) Testcase: 17619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5078510820917248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 581a895c5c8b464a7fc7ebbaa6d9f565c10bae62) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index a53c170d18..56313d206c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1815,15 +1815,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, #define INTERLEAVE_OUTPUT(bps) \ { \ int##bps##_t *dest = (int##bps##_t*)frame->data[0]; \ + int channels = avctx->channels; \ + int32_t **raw_samples = ctx->raw_samples; \ shift = bps - ctx->avctx->bits_per_raw_sample; \ if (!ctx->cs_switch) { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[c][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[c][sample] * (1U << shift); \ } else { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[sconf->chan_pos[c]][sample] * (1U << shift);\ } \ } From ba148f232930a23984808f625439ed83c2161870 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 20:51:22 +0200 Subject: [PATCH 0413/1383] avcodec/atrac3: Check block_align Fixes: Infinite loop Fixes: 17620/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3_fuzzer-5086123012915200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2acbbe262325187d87e8881c2984d203fb54207e) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 6cdcdf1964..dc19a3863e 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2) + if (avctx->block_align >= UINT_MAX / 2 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + From b0c5ec9ab49069d3cd3701a689ac73888fc58231 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 21:48:26 +0200 Subject: [PATCH 0414/1383] avcodec/loco: Check for end of input in the first line Fixes: Timeout (85sec -> 0.1sec) Fixes: 17634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5666410809786368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c5a52eb5cd5613cfede81648a58cd95088d0a3a7) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index d8bf68a100..e891d83ece 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -155,6 +155,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top line */ for (i = 1; i < width; i++) { val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[i] = data[i - 1] + val; } data += stride; From 9691f42ae972c574a4aba5d2bb792602ffe4e56e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Sep 2019 19:53:45 +0200 Subject: [PATCH 0415/1383] avcodec/4xm: Check index in decode_i_block() also in the path where its not used. Fixes: Infinite loop Fixes: signed integer overflow: 2147483644 + 16 cannot be represented in type 'int' Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Fixes: 16782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5743163859271680 Fixes: 17641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5711603562971136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 87ddf9f1ef17726fd4235f2e7aed8334d0ff231b) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 5cfb9e735e..2ee742fccd 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -525,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block) break; if (code == 0xf0) { i += 16; + if (i >= 64) { + av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i); + return 0; + } } else { if (code & 0xf) { level = get_xbits(&f->gb, code & 0xf); From 588c735ce5ad74dce83dd7a6b20ec26f96509231 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 23:23:20 +0200 Subject: [PATCH 0416/1383] avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs() Values larger would fail subsequent tests. Fixes: signed integer overflow: 5 + 2147483646 cannot be represented in type 'int' Fixes: 16966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5695709549953024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f63cd1963e36bc70211e072bac7eb3606cf85f14) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index faa36d5459..8abb780dd7 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -642,11 +642,11 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) } if (prefix_val >= 5) { int k = 0; - while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { + while (k < 7 && get_cabac_bypass(&s->HEVClc->cc)) { suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) { + if (k == 7) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); return AVERROR_INVALIDDATA; } From fe51b4d5a0a41bb3c0b06134d8a13c2468841be3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Sep 2019 22:59:55 +0200 Subject: [PATCH 0417/1383] avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: signed integer overflow: -14527961 - 2147483425 cannot be represented in type 'int' Fixes: 16380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5645957131141120 Fixes: 16968/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5716169901735936 Fixes: 17074/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5198710497083392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e95a3e8a7250060befd9a5fba69151bb2a6690c) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 59e829ee5b..0e1336b832 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1121,7 +1121,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA] = p->lastA[filter]; p->buf[adaptA] = APESIGN(p->buf[delayA]); - p->buf[delayA - 1] = p->buf[delayA] - p->buf[delayA - 1]; + p->buf[delayA - 1] = p->buf[delayA] - (unsigned)p->buf[delayA - 1]; p->buf[adaptA - 1] = APESIGN(p->buf[delayA - 1]); predictionA = p->buf[delayA ] * p->coeffsA[filter][0] + @@ -1132,7 +1132,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, /* Apply a scaled first-order filter compression */ p->buf[delayB] = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5); p->buf[adaptB] = APESIGN(p->buf[delayB]); - p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1]; + p->buf[delayB - 1] = p->buf[delayB] - (unsigned)p->buf[delayB - 1]; p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]); p->filterB[filter] = p->filterA[filter ^ 1]; @@ -1282,7 +1282,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, /* Version 3.98 and later files */ /* Update the adaption coefficients */ - absres = FFABS(res); + absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); From 79dffb7f2cada156022200ebde505d7f8a9f5866 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:00:35 +0200 Subject: [PATCH 0418/1383] avcodec/vc1: check REFDIST "9.1.1.43 P Reference Distance (REFDIST)" "The value of REFDIST shall be less than, or equal to, 16." Signed-off-by: Michael Niedermayer (cherry picked from commit 7f7af9e294f8bc00756922ab088430ea5b9d7498) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 3581d87b57..242a54069c 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -938,7 +938,9 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) else if ((v->s.pict_type != AV_PICTURE_TYPE_B) && (v->s.pict_type != AV_PICTURE_TYPE_BI)) { v->refdist = get_bits(gb, 2); if (v->refdist == 3) - v->refdist += get_unary(gb, 0, 16); + v->refdist += get_unary(gb, 0, 14); + if (v->refdist > 16) + return AVERROR_INVALIDDATA; } if ((v->s.pict_type == AV_PICTURE_TYPE_B) || (v->s.pict_type == AV_PICTURE_TYPE_BI)) { if (read_bfraction(v, gb) < 0) From cd949baefde3ea76eea7ba0d3a22739ec6f1ad2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Aug 2019 19:30:50 +0200 Subject: [PATCH 0419/1383] avcodec/vc1: Check for excessive resolution Fixes: overflow in aspect ratio calculation Fixes: signed integer overflow: 393215 * 14594 cannot be represented in type 'int' Fixes: 15728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5661588893204480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 181e138da7207523b387eabc28d24e74a46248bc) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 242a54069c..ad965b1fa0 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -456,7 +456,11 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } else { - av_reduce(&v->s.avctx->sample_aspect_ratio.num, + if (v->s.avctx->width > v->max_coded_width || + v->s.avctx->height > v->max_coded_height) { + avpriv_request_sample(v->s.avctx, "Huge resolution"); + } else + av_reduce(&v->s.avctx->sample_aspect_ratio.num, &v->s.avctx->sample_aspect_ratio.den, v->s.avctx->height * w, v->s.avctx->width * h, From a9788d00eea1d6f3a3b4e9147d6b8b8c50e36dfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 17:39:45 +0200 Subject: [PATCH 0420/1383] avcodec/vc1_block: Fix invalid shift with rangeredfrm Fixes: left shift of negative value -7 Fixes: 16959/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5200360825683968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c722a69253a280b86b1d2a4ca00c89345a796781) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 514206f6d2..fe7dbf8b1d 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1997,7 +1997,7 @@ static int vc1_decode_b_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - s->block[i][j] <<= 1; + s->block[i][j] *= 2; s->idsp.put_signed_pixels_clamped(s->block[i], s->dest[dst_idx] + off, i & 4 ? s->uvlinesize From 26db773767cf66c3a696ae3651a300e3377233eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 18:57:25 +0200 Subject: [PATCH 0421/1383] avcodec/vc1_pred: Fix invalid shifts in scaleforopp() Fixes: left shift of negative value -2 Fixes: 16964/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5757853565976576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ced9a1cd0ab76a65e509b0d7c56965d61ea1df84) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index b5129483fe..fe04c6cf08 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -191,9 +191,9 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, n >>= hpel; if (v->s.pict_type == AV_PICTURE_TYPE_B && !v->second_field && dir == 1) { if (dim) - n = scaleforopp_y(v, n, dir) << hpel; + n = scaleforopp_y(v, n, dir) * (1 << hpel); else - n = scaleforopp_x(v, n) << hpel; + n = scaleforopp_x(v, n) * (1 << hpel); return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) From d3f88922496217491d7fa22b00fbe5f9b12e5494 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 20:20:31 +0200 Subject: [PATCH 0422/1383] vcodec/vc1: compute rangex/y only for P/B frames Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 16976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4847262047404032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e75e7fe1601b97c31e3ce90473ab71b9a0667573) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index ad965b1fa0..be5ff15262 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -1324,16 +1324,17 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) break; } - if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { - v->range_x <<= 1; - v->range_y <<= 1; - } /* AC Syntax */ v->c_ac_table_index = decode012(gb); if (v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) { v->y_ac_table_index = decode012(gb); } + else if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { + v->range_x <<= 1; + v->range_y <<= 1; + } + /* DC Syntax */ v->s.dc_table_index = get_bits1(gb); if ((v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) From 6b9a6088d6355819b0ab6e57d11100e7976511a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Sep 2019 14:26:49 +0200 Subject: [PATCH 0423/1383] avcodec/ralf: Fix integer overflow in decode_channel() Fixes: signed integer overflow: -1094995519 * 64 cannot be represented in type 'int' Fixes: 17030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5640695838146560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbb314b6f2c2b77608442966f28aac20343a1cae) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 75c9371b95..006ab46414 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -300,8 +300,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) * (1 << add_bits); - dst[i + 1] = extend_code(gb, code2, range, 0) * (1 << add_bits); + dst[i] = extend_code(gb, code1, range, 0) * (1U << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1U << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); From 20a923a3ae6ab60f902de79beaae22f6f7eafe67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Sep 2019 18:31:40 +0200 Subject: [PATCH 0424/1383] avcodec/ituh263dec: Make the condition for the studio slice start code match between ff_h263_resync() and ff_mpeg4_decode_studio_slice_header() If they mismatch an infinite loop can occur Fixes: Timeout (infinite loop) Fixes: 17043/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5695051748868096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8335ba8ae99941422bef0e16ea8cf1ebe2e9a7b3) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 1b57e53cad..8bedaac536 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -222,7 +222,7 @@ int ff_h263_resync(MpegEncContext *s){ get_bits(&s->gb, 8); } - if (show_bits_long(&s->gb, 32) == SLICE_START_CODE) + if (get_bits_left(&s->gb) >= 32 && show_bits_long(&s->gb, 32) == SLICE_START_CODE) return get_bits_count(&s->gb); else return -1; From dc5760a909e451a2cecdf7a42b87ea7ea3586da0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2019 22:28:09 +0200 Subject: [PATCH 0425/1383] avcodec/motionpixels: Mark 2 functions as always_inline Fixes: Timeout (30sec -> 25sec) Fixes: 17050/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5719149803732992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 017884bdc3975528cacd5d23001558952cbdbabb) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 73977664a5..8750a4fa16 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -171,7 +171,7 @@ static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) return 0; } -static int mp_gradient(MotionPixelsContext *mp, int component, int v) +static av_always_inline int mp_gradient(MotionPixelsContext *mp, int component, int v) { int delta; @@ -196,7 +196,7 @@ static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const Yuv *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2] = color; } -static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) +static av_always_inline int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) { int i; From 781a4a43b5986804f36fd872b8aeba752fddb6c2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 28 Sep 2019 23:11:06 -0300 Subject: [PATCH 0426/1383] avcodec/fitsdec: fix use of uninitialised values header.data_max and header.data_min are not necessarely set on all decoding scenarios. Fixes a Valgrind reported regression since cfa193779103c97bbfc28273a0ab12c114b6786d. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit e3f0ecfc57889de0e0a359ec30b77851d53cea87) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 88b841a964..a20b8faf9e 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -195,7 +195,6 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *dst8; uint16_t *dst16; uint64_t t; - double scale; FITSHeader header; FITSContext * fitsctx = avctx->priv_data; @@ -205,12 +204,6 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; - scale = header.data_max - header.data_min; - if (scale <= 0 || !isfinite(scale)) { - scale = 1; - } - scale = 1/scale; - if (header.rgb) { if (header.bitpix == 8) { if (header.naxisn[2] == 3) { @@ -271,6 +264,13 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, CASE_RGB(16, dst16, uint16_t, AV_RB16); } } else { + double scale = header.data_max - header.data_min; + + if (scale <= 0 || !isfinite(scale)) { + scale = 1; + } + scale = 1/scale; + switch (header.bitpix) { #define CASE_GRAY(cas, dst, type, t, rd) \ case cas: \ From f5636c5b200644117a65ac88ed702b65d80f5dae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 18:36:16 +0200 Subject: [PATCH 0427/1383] avcodec/aptx: Fix multiple shift anomalies Fixes: left shift of negative value -24576 Fixes: 17719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APTX_fuzzer-5710508002377728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 675f62a202be7cfe9576b48679b8e6bc1183e84e) Signed-off-by: Michael Niedermayer --- libavcodec/aptx.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/aptx.c b/libavcodec/aptx.c index 8750d8421f..e3fb064a6d 100644 --- a/libavcodec/aptx.c +++ b/libavcodec/aptx.c @@ -480,7 +480,7 @@ static void aptx_update_codeword_history(Channel *channel) int32_t cw = ((channel->quantize[0].quantized_sample & 3) << 0) + ((channel->quantize[1].quantized_sample & 2) << 1) + ((channel->quantize[2].quantized_sample & 1) << 3); - channel->codeword_history = (cw << 8) + (channel->codeword_history << 4); + channel->codeword_history = (cw << 8) + ((unsigned)channel->codeword_history << 4); } static void aptx_generate_dither(Channel *channel) @@ -492,9 +492,9 @@ static void aptx_generate_dither(Channel *channel) aptx_update_codeword_history(channel); m = (int64_t)5184443 * (channel->codeword_history >> 7); - d = (m << 2) + (m >> 22); + d = (m * 4) + (m >> 22); for (subband = 0; subband < NB_SUBBANDS; subband++) - channel->dither[subband] = d << (23 - 5*subband); + channel->dither[subband] = (unsigned)d << (23 - 5*subband); channel->dither_parity = (d >> 25) & 1; } @@ -759,12 +759,12 @@ static void aptx_invert_quantization(InvertQuantize *invert_quantize, if (quantized_sample < 0) qr = -qr; - qr = rshift64_clip24(((int64_t)qr<<32) + MUL64(dither, tables->invert_quantize_dither_factors[idx]), 32); + qr = rshift64_clip24((qr * (1LL<<32)) + MUL64(dither, tables->invert_quantize_dither_factors[idx]), 32); invert_quantize->reconstructed_difference = MUL64(invert_quantize->quantization_factor, qr) >> 19; /* update factor_select */ factor_select = 32620 * invert_quantize->factor_select; - factor_select = rshift32(factor_select + (tables->quantize_factor_select_offset[idx] << 15), 15); + factor_select = rshift32(factor_select + (tables->quantize_factor_select_offset[idx] * (1 << 15)), 15); invert_quantize->factor_select = av_clip(factor_select, 0, tables->factor_max); /* update quantization factor */ @@ -801,7 +801,7 @@ static void aptx_prediction_filtering(Prediction *prediction, prediction->previous_reconstructed_sample = reconstructed_sample; reconstructed_differences = aptx_reconstructed_differences_update(prediction, reconstructed_difference, order); - srd0 = FFDIFFSIGN(reconstructed_difference, 0) << 23; + srd0 = FFDIFFSIGN(reconstructed_difference, 0) * (1 << 23); for (i = 0; i < order; i++) { int32_t srd = FF_SIGNBIT(reconstructed_differences[-i-1]) | 1; prediction->d_weight[i] -= rshift32(prediction->d_weight[i] - srd*srd0, 8); @@ -830,7 +830,7 @@ static void aptx_process_subband(InvertQuantize *invert_quantize, range = 0x100000; sw1 = rshift32(-same_sign[1] * prediction->s_weight[1], 1); - sw1 = (av_clip(sw1, -range, range) & ~0xF) << 4; + sw1 = (av_clip(sw1, -range, range) & ~0xF) * 16; range = 0x300000; weight[0] = 254 * prediction->s_weight[0] + 0x800000*same_sign[0] + sw1; @@ -1044,7 +1044,7 @@ static int aptx_decode_frame(AVCodecContext *avctx, void *data, for (channel = 0; channel < NB_CHANNELS; channel++) for (sample = 0; sample < 4; sample++) AV_WN32A(&frame->data[channel][4*(opos+sample)], - samples[channel][sample] << 8); + samples[channel][sample] * 256); } *got_frame_ptr = 1; From 5e3a827e9dc49ad75d533ece396ecec81674f586 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 12:31:39 +0200 Subject: [PATCH 0428/1383] avcodec/utils: Check sample_rate before opening the decoder Fixes: signed integer overflow: 2 * -1306460384 cannot be represented in type 'int' Fixes: 17685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_fuzzer-5747390337777664 Fixes: 17688/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5739287210885120 Fixes: 17699/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5678394531905536 Fixes: 17738/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5763415733174272 Fixes: 17746/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5703008159006720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 75fefb1fb7ac8b423e08a8dca19b19884a325ebf) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 10259ba664..aa46a3f70c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -685,6 +685,11 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->sample_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample rate: %d\n", avctx->sample_rate); + ret = AVERROR(EINVAL); + goto free_and_end; + } avctx->codec = codec; if ((avctx->codec_type == AVMEDIA_TYPE_UNKNOWN || avctx->codec_type == codec->type) && From 45836a60f5b6326c7896a413e651aa35c8cc45dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 08:02:11 +0200 Subject: [PATCH 0429/1383] avcodec/dxv: Check op_offset in dxv_decompress_yo() Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 17745/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5734628463214592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 97450d2b6a08769cbc4665bc66f6db9e8c5da2a4) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 03e8270463..c6866f18e6 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -797,6 +797,9 @@ static int dxv_decompress_yo(DXVContext *ctx, GetByteContext *gb, uint8_t *dst, *table0[256] = { 0 }, *table1[256] = { 0 }; int ret, state = 0, skip, oi = 0, v, vv; + if (op_offset < 8 || op_offset - 8 > bytestream2_get_bytes_left(gb)) + return AVERROR_INVALIDDATA; + dst = tex_data; bytestream2_skip(gb, op_offset - 8); if (op_size > max_op_size) From e644b740749f9f577bf24e3b101354bec17fd82d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 23:42:41 +0200 Subject: [PATCH 0430/1383] avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet Fixes: Assertion failure Fixes: 17770/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5700606668308480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c4de49edc4652e2f17c8747a6dd9b36ff362017a) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index bfd3fed3a2..9ea4c5d708 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -574,11 +574,12 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) EaDemuxContext *ea = s->priv_data; AVIOContext *pb = s->pb; int partial_packet = 0; + int hit_end = 0; unsigned int chunk_type, chunk_size; int ret = 0, packet_read = 0, key = 0; int av_uninit(num_samples); - while (!packet_read || partial_packet) { + while ((!packet_read && !hit_end) || partial_packet) { chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) @@ -676,7 +677,7 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) } if (avio_feof(pb)) ret = AVERROR_EOF; - packet_read = 1; + hit_end = 1; break; case MVIh_TAG: @@ -737,6 +738,9 @@ get_video_packet: if (ret < 0 && partial_packet) av_packet_unref(pkt); + if (ret >= 0 && hit_end && !packet_read) + return AVERROR(EAGAIN); + return ret; } From a547d59079b4d614730866cbae56c43926142d58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 20:05:09 +0200 Subject: [PATCH 0431/1383] avcodec/g2meet: Check if adjusted pixel was on the stack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This basically checks if a pixel that was coded with prediction and residual could have been stored using a previous case. This avoids basically a string of 0 symbols stored in less than 50 bytes to hit a O(n²) codepath. Fixes: Timeout (too slow to wait -> immediately) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4895946310680576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c84c162e9f9f000ef47d4fcd07354805f38d455) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index a1dec8d823..19e1c130ce 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -854,6 +854,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height, uint32_t ref_pix = curr_row[x - 1]; if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) { pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row); + if (is_pixel_on_stack(dc, pix)) + return AVERROR_INVALIDDATA; + if (x) { int ret = epic_add_pixel_to_cache(&dc->hash, ref_pix, From c8823d4957cd4e78683e871ff3f64dfbfb88b03f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 20:30:32 +0200 Subject: [PATCH 0432/1383] avcodec/g2meet: Check for end of input in jpg_decode_block() Fixes: Timeout (100sec -> 0.7sec) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5174143888130048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61dd2e07be7ca636e1d3d868f90dde1b10985f4c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 19e1c130ce..731d29a5d4 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -244,6 +244,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb, const int is_chroma = !!plane; const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + c->bdsp.clear_block(block); dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3); if (dc < 0) From 3ae6eee2a79e3b7f596360b3495381065c5faf4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2019 19:26:51 +0200 Subject: [PATCH 0433/1383] avcodec/wmaprodec: Check if there is a stream Fixes: null pointer dereference Fixes: signed integer overflow: 512 * 2147483647 cannot be represented in type 'int' Fixes: 17809/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5634409947987968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9b533de28eb19c660c75823ff2af2f8549c4095a) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 9439bfa771..7af53dd02c 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1874,7 +1874,9 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) } /* encoder supports up to 64 streams / 64*2 channels (would have to alloc arrays) */ - if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS) { + if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS || + s->num_streams <= 0 + ) { avpriv_request_sample(avctx, "More than %d channels in %d streams", XMA_MAX_CHANNELS, s->num_streams); return AVERROR_PATCHWELCOME; } From 317c63d3f42d1ae9e5c4146408026ca6b9c26fa3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2019 19:53:44 +0200 Subject: [PATCH 0434/1383] avcodec/vc1_block: Fix invalid left shift in vc1_decode_p_mb() Fixes: left shift of negative value -6 Fixes: 17810/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5638541240958976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2f588ccfb70cba54a7ea8e740110953da604c0e6) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index fe7dbf8b1d..f1c9f41f30 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1481,7 +1481,7 @@ static int vc1_decode_p_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - v->block[v->cur_blk_idx][block_map[i]][j] <<= 1; + v->block[v->cur_blk_idx][block_map[i]][j] *= 2; block_cbp |= 0xF << (i << 2); block_intra |= 1 << i; } else if (is_coded[i]) { From 1da6cfeccb854b0e79addc18d6b4dfbd96fcbce5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 17:10:38 +0200 Subject: [PATCH 0435/1383] avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize() Fixes: null pointer dereference Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952 Fixes: Ticket8147 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 81b53913bbb97234e22187d1122948c351a3466d) Signed-off-by: Michael Niedermayer --- libavformat/subtitles.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 93c9ef05cf..1230e34d08 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -194,6 +194,9 @@ void ff_subtitles_queue_finalize(void *log_ctx, FFDemuxSubtitlesQueue *q) { int i; + if (!q->nb_subs) + return; + qsort(q->subs, q->nb_subs, sizeof(*q->subs), q->sort == SUB_SORT_TS_POS ? cmp_pkt_sub_ts_pos : cmp_pkt_sub_pos_ts); From b1ae124919b557e417d2e8306e12f7c245dc5370 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:10:25 +0200 Subject: [PATCH 0436/1383] avcodec/sunrast: Check for availability of maplength before allocating image Signed-off-by: Michael Niedermayer (cherry picked from commit 711ad71aea7847883662bf95e01640d9745b313b) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index baf184968f..98bc4ffa63 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -100,14 +100,14 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; p->pict_type = AV_PICTURE_TYPE_I; - if (buf_end - buf < maplength) - return AVERROR_INVALIDDATA; - if (depth > 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); From 3a661be4c4e26e14e4a0bc8a0177e9ca795199a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:14:03 +0200 Subject: [PATCH 0437/1383] avcodec/sunrast: Check that the input is large enough for the maximally compressed image Fixes: Timeout (17sec -> 15ms) Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5663218491457536 Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5735590015795200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf0ba75c4a9231ed62afe60bed5bde2728971e30) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 98bc4ffa63..e1ec8a0832 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -100,7 +100,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; - if (buf_end - buf < maplength) + /* scanlines are aligned on 16 bit boundaries */ + len = (depth * w + 7) >> 3; + alen = len + (len & 1); + + if (buf_end - buf < maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -136,10 +140,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, stride = p->linesize[0]; } - /* scanlines are aligned on 16 bit boundaries */ - len = (depth * w + 7) >> 3; - alen = len + (len & 1); - if (type == RT_BYTE_ENCODED) { int value, run; uint8_t *end = ptr + h * stride; From e8206b63ad76dd1b71d2be5fc81645c2407f5376 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 13:43:19 +0200 Subject: [PATCH 0438/1383] avformat/mpsubdec: Clear queue on error Fixes: Memleaks Fixes: 17219/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5720539124989952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a0d36e562d53716cf000895c2f892fb1f48165d) Signed-off-by: Michael Niedermayer --- libavformat/mpsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index 1236efa712..fc1731f26e 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -106,6 +106,9 @@ static int mpsub_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &mpsub->q); end: + if (res < 0) + ff_subtitles_queue_clean(&mpsub->q); + av_bprint_finalize(&buf, NULL); return res; } From cc2a9190861547b8a5a70505a5c51dcec58e2508 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 01:43:35 +0200 Subject: [PATCH 0439/1383] avcodec/truemotion1: Check that the input has enough space for a minimal index_stream Fixes: Timeout (18sec -> 0.4sec) Fixes: 17585/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5117015135617024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a660fac9899191d4121cde02f2a98977b1303b6) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index e1824384c5..602de99f10 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -444,6 +444,8 @@ static int truemotion1_decode_header(TrueMotion1Context *s) if (s->flags & FLAG_KEYFRAME) { /* no change bits specified for a keyframe; only index bytes */ s->index_stream = s->mb_change_bits; + if (s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size) + return AVERROR_INVALIDDATA; } else { /* one change bit per 4x4 block */ s->index_stream = s->mb_change_bits + From 71e56b44ed558a7c7b46c2686c40d1ade2cfd95f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 00:42:04 +0200 Subject: [PATCH 0440/1383] avcodec/ituh263dec: Check input for minimal frame size Fixes: Timeout (28sec -> 3sec) Fixes: 17559/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H263_fuzzer-5681050776240128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f0498ed461987b62bb97ff6463b4df108d60d78) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 8bedaac536..6d1d771c16 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -1218,6 +1218,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s) if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) return ret; + if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) { + if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; + } + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; From 97244c8c621ca33e440b7ae28c834b4ff3188ac9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 12:39:25 +0200 Subject: [PATCH 0441/1383] libavcodec/dxv: Remove redundant seek This seeks to the position the previous call to dxv_decompress_opcodes() positioned us in case of success Signed-off-by: Michael Niedermayer (cherry picked from commit c371e50b4f125361eb183ac3c226f4044ae64b08) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index c6866f18e6..7c0fc4567a 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -753,7 +753,6 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, skip0 = dxv_decompress_opcodes(gb, op_data0, op_size0); if (skip0 < 0) return skip0; - bytestream2_seek(gb, data_start + op_offset + skip0 - 12, SEEK_SET); if (op_size1 > max_op_size1) return AVERROR_INVALIDDATA; skip1 = dxv_decompress_opcodes(gb, op_data1, op_size1); From 39183277ef07f42cef67d5811e37abd76fe8ae36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 12:40:35 +0200 Subject: [PATCH 0442/1383] avcodec/dxv: Subtract 12 earlier in dxv_decompress_cocg() the data_start is after reading 12 bytes and if its subtracted at the very end the intermediate might overflow Signed-off-by: Michael Niedermayer (cherry picked from commit dd9e6d077ea3259cc6c1896334bbbc7f948979b7) Signed-off-by: Michael Niedermayer --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 7c0fc4567a..ed6ed3bb35 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -781,7 +781,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, return ret; } - bytestream2_seek(gb, data_start + op_offset + skip0 + skip1 - 12, SEEK_SET); + bytestream2_seek(gb, data_start - 12 + op_offset + skip0 + skip1, SEEK_SET); return 0; } From 9c2659f4abe6ddb3876edf46edd86854cd64a2e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 08:50:41 +0200 Subject: [PATCH 0443/1383] avcodec/fitsdec: Fail on 0 naxisn Fixes: Timeout (100+ sec -> 23ms) Fixes: 17769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5678314672357376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3303d52096337dc109fbd523ecb4b46cddace1) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index a20b8faf9e..1f06754f8b 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -143,7 +143,7 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead size = abs(header->bitpix) >> 3; for (i = 0; i < header->naxis; i++) { - if (size && header->naxisn[i] > SIZE_MAX / size) { + if (size == 0 || header->naxisn[i] > SIZE_MAX / size) { av_log(avctx, AV_LOG_ERROR, "unsupported size of FITS image"); return AVERROR_INVALIDDATA; } From 25a7110651ee6c9913b027fe5460918bf8e3dbea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Sep 2019 15:40:30 +0200 Subject: [PATCH 0444/1383] avcodec/exr: Allow duplicate use of channel indexes Fixes: Ticket #8203 Reported-by: durandal_1707 Signed-off-by: Michael Niedermayer (cherry picked from commit 080819b3b4b59ef498511ac349414af85728349c) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0f8b0fda9f..819837f024 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1307,6 +1307,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) int magic_number, version, i, flags, sar = 0; int layer_match = 0; int ret; + int dup_channels = 0; s->current_channel_offset = 0; s->xmin = ~0; @@ -1465,10 +1466,12 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; } else if (channel_index >= 0) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_WARNING, "Multiple channels with index %d.\n", channel_index); - ret = AVERROR_INVALIDDATA; - goto fail; + if (++dup_channels > 10) { + ret = AVERROR_INVALIDDATA; + goto fail; + } } s->channels = av_realloc(s->channels, From 3088c82476a6686b32d43e855d22a388724d7f23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Sep 2019 01:22:37 +0200 Subject: [PATCH 0445/1383] avcodec/pcm: Check bits_per_coded_sample Fixes: shift exponent -2 is negative Fixes: 17736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F16LE_fuzzer-5742815929171968 Fixes: 17998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F24LE_fuzzer-5716980383875072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5de19160a3c0dedb3cefd00e863a8d8f74ca2ad0) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index ffcbccc77d..4112b694df 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -264,6 +264,9 @@ static av_cold int pcm_decode_init(AVCodecContext *avctx) break; case AV_CODEC_ID_PCM_F16LE: case AV_CODEC_ID_PCM_F24LE: + if (avctx->bits_per_coded_sample < 1 || avctx->bits_per_coded_sample > 24) + return AVERROR_INVALIDDATA; + s->scale = 1. / (1 << (avctx->bits_per_coded_sample - 1)); s->fdsp = avpriv_float_dsp_alloc(0); if (!s->fdsp) From 0240d56daf3250500885fd0ad82d07afd8cf7f7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2019 18:26:44 +0200 Subject: [PATCH 0446/1383] avcodec/qdmc: Check input space in qdmc_get_vlc() Fixes: Timeout (125sec -> 0.4sec) Fixes: 18059/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDMC_fuzzer-5656195825664000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c7975fe6f5c734fce9c59e8418c7f2de15a558d) Signed-off-by: Michael Niedermayer --- libavcodec/qdmc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdmc.c b/libavcodec/qdmc.c index 8bea1552e1..10ceb7aa55 100644 --- a/libavcodec/qdmc.c +++ b/libavcodec/qdmc.c @@ -367,6 +367,8 @@ static int qdmc_get_vlc(GetBitContext *gb, VLC *table, int flag) { int v; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; v = get_vlc2(gb, table->table, table->bits, 1); if (v < 0) return AVERROR_INVALIDDATA; From 6247243e071bed97ed9bbc9b8789101bb5a5893d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Oct 2019 18:32:08 +0200 Subject: [PATCH 0447/1383] avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels Fixes: NULL pointer dereference Fixes: 18075/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5708262036471808 Fixes: 18087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5740627634946048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e418b315ddd0505e707860f8cc8b796ce06f3458) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 7af53dd02c..41628a6ddb 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -436,7 +436,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu av_log(avctx, AV_LOG_ERROR, "invalid number of channels per XMA stream %d\n", s->nb_channels); return AVERROR_INVALIDDATA; - } else if (s->nb_channels > WMAPRO_MAX_CHANNELS) { + } else if (s->nb_channels > WMAPRO_MAX_CHANNELS || s->nb_channels > avctx->channels) { avpriv_request_sample(avctx, "More than %d channels", WMAPRO_MAX_CHANNELS); return AVERROR_PATCHWELCOME; From f238fcdb3e4053faa5063ae26e77bec4d6d025b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Oct 2019 13:46:04 +0200 Subject: [PATCH 0448/1383] avfilter/vf_geq: Use av_clipd() instead of av_clipf() With floats we cannot represent all 32bit integer dimensions Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c8813b1a984714f0027cabeea2394035df20cf38) Signed-off-by: Michael Niedermayer --- libavfilter/vf_geq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_geq.c b/libavfilter/vf_geq.c index 91eb9685f9..8b1c7726dc 100644 --- a/libavfilter/vf_geq.c +++ b/libavfilter/vf_geq.c @@ -88,8 +88,8 @@ static inline double getpix(void *priv, double x, double y, int plane) if (!src) return 0; - xi = x = av_clipf(x, 0, w - 2); - yi = y = av_clipf(y, 0, h - 2); + xi = x = av_clipd(x, 0, w - 2); + yi = y = av_clipd(y, 0, h - 2); x -= xi; y -= yi; From 881b3de55a4424641aa047aca8d6c346f6237e21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 22:52:03 +0200 Subject: [PATCH 0449/1383] avformat/shortendec: Check k in probe Fixes: Assertion failure Fixes: 17640/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5708767475269632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea770eb55941a6ed7b86828d6ea2f4e718a4b337) Signed-off-by: Michael Niedermayer --- libavformat/shortendec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/shortendec.c b/libavformat/shortendec.c index 42fcdf75c3..97f4d66130 100644 --- a/libavformat/shortendec.c +++ b/libavformat/shortendec.c @@ -40,12 +40,18 @@ static int shn_probe(AVProbeData *p) channels = get_ur_golomb_shorten(&gb, 0); blocksize = 256; } else { - int k; + unsigned k; k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; internal_ftype = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; channels = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; blocksize = get_ur_golomb_shorten(&gb, k); } From 17e355200834d741f2a778f7aea8dc84eb6b5f6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 12:04:57 +0200 Subject: [PATCH 0450/1383] avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA Fixes: left shift of negative value -1 Fixes: 17683/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_EA_R2_fuzzer-5111690013704192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8695fbec573b0d434cf2e703a0d45742a09a5d94) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index b0f8c11cb5..9eef7ad2b9 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1294,10 +1294,10 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2=0; count2<28; count2++) { if (count2 & 1) - next_sample = sign_extend(byte, 4) << shift; + next_sample = (unsigned)sign_extend(byte, 4) << shift; else { byte = bytestream2_get_byte(&gb); - next_sample = sign_extend(byte >> 4, 4) << shift; + next_sample = (unsigned)sign_extend(byte >> 4, 4) << shift; } next_sample += (current_sample * coeff1) + From b977836eda38e4025f44fa4f67f7b42976609e85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0451/1383] avcodec/lsp: Fix undefined shifts in lsp2poly() Fixes: left shift of negative value -30635 Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b93f52cd635f372b7b22396939e840c63e8edf3) Signed-off-by: Michael Niedermayer --- libavcodec/lsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lsp.c b/libavcodec/lsp.c index 9aba020ebb..fb4da47894 100644 --- a/libavcodec/lsp.c +++ b/libavcodec/lsp.c @@ -108,7 +108,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) int i, j; f[0] = 0x400000; // 1.0 in (3.22) - f[1] = -lsp[0] << 8; // *2 and (0.15) -> (3.22) + f[1] = -lsp[0] * 256; // *2 and (0.15) -> (3.22) for(i=2; i<=lp_half_order; i++) { @@ -116,7 +116,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) for(j=i; j>1; j--) f[j] -= MULL(f[j-1], lsp[2*i-2], FRAC_BITS) - f[j-2]; - f[1] -= lsp[2*i-2] << 8; + f[1] -= lsp[2*i-2] * 256; } } From 45e31d6dd0ba65674354f9798efece6d09128fc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0452/1383] avcodec/g729postfilter: Fix undefined shifts Fixes: left shift of negative value -12 Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a4fdbf112385824fc9b7d7739685359213b579a) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index d9076ec735..e8e031a1ed 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -156,7 +156,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, sig_scaled[i] = residual[i] >> shift; else for (i = 0; i < subframe_size + RES_PREV_DATA_SIZE; i++) - sig_scaled[i] = residual[i] << -shift; + sig_scaled[i] = (unsigned)residual[i] << -shift; /* Start of best delay searching code */ gain_num = 0; @@ -500,14 +500,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, tmp = res_pst[subframe_size - 1]; for (i = subframe_size - 1; i >= 1; i--) { - tmp2 = (res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; + tmp2 = res_pst[i] + (tmp2 >> 15); tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; out[i] = tmp2; } - tmp2 = (res_pst[0] << 15) + ((gt * ht_prev_data) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * ht_prev_data) * 2 + 0x4000; + tmp2 = res_pst[0] + (tmp2 >> 15); tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; out[0] = tmp2; From fa9ca0b663c1768ab2a537f5a48a4eb35e66b447 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0453/1383] avcodec/g729postfilter: Fix undefined intermediate pointers Fixes: index -49 out of bounds for type 'int16_t [192]' Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c61661a2cbe1b8b284c80ada1c2fdddf4992cad) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index e8e031a1ed..ef4fec4c95 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -201,8 +201,8 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, } if (corr_int_num) { /* Compute denominator of pseudo-normalized correlation R'(0). */ - corr_int_den = adsp->scalarproduct_int16(sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, - sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, + corr_int_den = adsp->scalarproduct_int16(sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, + sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, subframe_size); /* Compute signals with non-integer delay k (with 1/8 precision), From 4d392fc27ca805761cc4ee89147fbd0df6713f65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:19:36 +0200 Subject: [PATCH 0454/1383] avcodec/apedec: Fix integer overflow in predictor_update_3930() Fixes: signed integer overflow: -69555262 * 31 cannot be represented in type 'int' Fixes: 17698/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5728970447781888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c072c9ed7c6f173b8a0a886fb7fe1e8e4c1fadd) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0e1336b832..9f1e8123b7 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1051,7 +1051,7 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, d3 * p->coeffsA[filter][3]; p->lastA[filter] = decoded + (predictionA >> 9); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; From dfcd3ad2bcdf26152e32ac36d18946dbb434897d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:53:35 +0200 Subject: [PATCH 0455/1383] avcodec/g723_1dec: Fix overflow in shift Fixes: shift exponent 1008 is too large for 32-bit type 'int' Fixes: 17700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5707633436131328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07732f12a43ac3048e44c086c9a8c811452ba31c) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index ab952ec66d..f92eb76ba0 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -668,6 +668,8 @@ static int estimate_sid_gain(G723_1_Context *p) else t = INT32_MAX; } else t = p->sid_gain << shift; + } else if(shift < -31) { + t = (p->sid_gain < 0) ? -1 : 0; }else t = p->sid_gain >> -shift; x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); From c5ecfccb5f496ea6226b58ba550cce7695cc6799 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 18:02:17 +0200 Subject: [PATCH 0456/1383] avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS Fixes: signed integer overflow: -2147483360 - 631 cannot be represented in type 'int' Fixes: 17701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_EA_EACS_fuzzer-5711517319692288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f66e8436d89963362acf533a60ed4fedb42546e) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 9eef7ad2b9..4a5f104648 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1145,8 +1145,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } } - for (i=0; i<=st; i++) + for (i=0; i<=st; i++) { c->status[i].predictor = bytestream2_get_le32u(&gb); + if (FFABS(c->status[i].predictor) > (1<<16)) + return AVERROR_INVALIDDATA; + } for (n = nb_samples >> (1 - st); n > 0; n--) { int byte = bytestream2_get_byteu(&gb); From c7520f4825c8e69df44f6176c2a9437b6d5ef8cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 18:44:44 +0200 Subject: [PATCH 0457/1383] avcodec/sbcdec: Fix integer overflows in sbc_synthesize_eight() Fixes: signed integer overflow: 518484152 + 1868182638 cannot be represented in type 'int' Fixes: 17732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SBC_fuzzer-5663738132168704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c70d547751cb3b536f9bca8b060d94f527695b71) Signed-off-by: Michael Niedermayer --- libavcodec/sbcdec.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/sbcdec.c b/libavcodec/sbcdec.c index 937946e2d2..23226d5155 100644 --- a/libavcodec/sbcdec.c +++ b/libavcodec/sbcdec.c @@ -270,14 +270,14 @@ static inline void sbc_synthesize_eight(struct sbc_decoder_state *state, /* Distribute the new matrix value to the shifted position */ v[offset[i]] = - ( ff_synmatrix8[i][0] * frame->sb_sample[blk][ch][0] + - ff_synmatrix8[i][1] * frame->sb_sample[blk][ch][1] + - ff_synmatrix8[i][2] * frame->sb_sample[blk][ch][2] + - ff_synmatrix8[i][3] * frame->sb_sample[blk][ch][3] + - ff_synmatrix8[i][4] * frame->sb_sample[blk][ch][4] + - ff_synmatrix8[i][5] * frame->sb_sample[blk][ch][5] + - ff_synmatrix8[i][6] * frame->sb_sample[blk][ch][6] + - ff_synmatrix8[i][7] * frame->sb_sample[blk][ch][7] ) >> 15; + (int)( (unsigned)ff_synmatrix8[i][0] * frame->sb_sample[blk][ch][0] + + (unsigned)ff_synmatrix8[i][1] * frame->sb_sample[blk][ch][1] + + (unsigned)ff_synmatrix8[i][2] * frame->sb_sample[blk][ch][2] + + (unsigned)ff_synmatrix8[i][3] * frame->sb_sample[blk][ch][3] + + (unsigned)ff_synmatrix8[i][4] * frame->sb_sample[blk][ch][4] + + (unsigned)ff_synmatrix8[i][5] * frame->sb_sample[blk][ch][5] + + (unsigned)ff_synmatrix8[i][6] * frame->sb_sample[blk][ch][6] + + (unsigned)ff_synmatrix8[i][7] * frame->sb_sample[blk][ch][7] ) >> 15; } /* Compute the samples */ @@ -286,16 +286,16 @@ static inline void sbc_synthesize_eight(struct sbc_decoder_state *state, /* Store in output, Q0 */ AV_WN16A(&output_frame->data[ch][blk * 16 + i * 2], av_clip_int16( - ( v[offset[i] + 0] * ff_sbc_proto_8_80m0[idx + 0] + - v[offset[k] + 1] * ff_sbc_proto_8_80m1[idx + 0] + - v[offset[i] + 2] * ff_sbc_proto_8_80m0[idx + 1] + - v[offset[k] + 3] * ff_sbc_proto_8_80m1[idx + 1] + - v[offset[i] + 4] * ff_sbc_proto_8_80m0[idx + 2] + - v[offset[k] + 5] * ff_sbc_proto_8_80m1[idx + 2] + - v[offset[i] + 6] * ff_sbc_proto_8_80m0[idx + 3] + - v[offset[k] + 7] * ff_sbc_proto_8_80m1[idx + 3] + - v[offset[i] + 8] * ff_sbc_proto_8_80m0[idx + 4] + - v[offset[k] + 9] * ff_sbc_proto_8_80m1[idx + 4] ) >> 15)); + (int)( (unsigned)v[offset[i] + 0] * ff_sbc_proto_8_80m0[idx + 0] + + (unsigned)v[offset[k] + 1] * ff_sbc_proto_8_80m1[idx + 0] + + (unsigned)v[offset[i] + 2] * ff_sbc_proto_8_80m0[idx + 1] + + (unsigned)v[offset[k] + 3] * ff_sbc_proto_8_80m1[idx + 1] + + (unsigned)v[offset[i] + 4] * ff_sbc_proto_8_80m0[idx + 2] + + (unsigned)v[offset[k] + 5] * ff_sbc_proto_8_80m1[idx + 2] + + (unsigned)v[offset[i] + 6] * ff_sbc_proto_8_80m0[idx + 3] + + (unsigned)v[offset[k] + 7] * ff_sbc_proto_8_80m1[idx + 3] + + (unsigned)v[offset[i] + 8] * ff_sbc_proto_8_80m0[idx + 4] + + (unsigned)v[offset[k] + 9] * ff_sbc_proto_8_80m1[idx + 4] ) >> 15)); } } From 7bf2546301249314e393fc29ba7b7c5dd98f605b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Oct 2019 00:40:07 +0200 Subject: [PATCH 0458/1383] avcodec/binkaudio: Check sample rate Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int' Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 2fca09bce49c7de590560d9517fd2414b6c0c14f) Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index e0f3d14eef..fd56d17ca2 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) { // audio is already interleaved for the RDFT format variant avctx->sample_fmt = AV_SAMPLE_FMT_FLT; + if (sample_rate > INT_MAX / avctx->channels) + return AVERROR_INVALIDDATA; sample_rate *= avctx->channels; s->channels = 1; if (!s->version_b) From a0c91fb0f0641f9f35f650281a176657907097cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 11:48:47 +0200 Subject: [PATCH 0459/1383] avcodec/g729postfilter: Fix left shift of negative value Fixes: Ticket8176 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0acc5064ed501cb40d4aaccae2b3ce5c4552fd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index ef4fec4c95..fc9a8d54cc 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -346,7 +346,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, L_temp1 = gain_long_num * gain_long_num; L_temp1 = MULL(L_temp1, gain_den, FRAC_BITS); - tmp = ((sh_gain_long_num - sh_gain_num) << 1) - (sh_gain_long_den - sh_gain_den); + tmp = ((sh_gain_long_num - sh_gain_num) * 2) - (sh_gain_long_den - sh_gain_den); if (tmp > 0) L_temp0 >>= tmp; else @@ -367,7 +367,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, /* Rescale selected signal to original value. */ if (shift > 0) for (i = 0; i < subframe_size; i++) - selected_signal[i] <<= shift; + selected_signal[i] *= 1 << shift; else for (i = 0; i < subframe_size; i++) selected_signal[i] >>= -shift; @@ -464,7 +464,7 @@ static int16_t get_tilt_comp(AudioDSPContext *adsp, int16_t *lp_gn, speech[i] = (speech[i] * temp + 0x4000) >> 15; } - return -(rh1 << 15) / rh0; + return -(rh1 * (1 << 15)) / rh0; } /** From a705362dbdd09d1cf82edcd6c28c0ecc75c849c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 19:18:18 +0200 Subject: [PATCH 0460/1383] avcodec/wmalosslessdec: Check block_align Fixes: NULL pointer dereference Fixes: 18331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5652847445671936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c1c799271eefb8afe22804a710baa5cbaad57d91) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index eb1db615ae..19bac949d4 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -184,8 +184,8 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (!avctx->block_align) { - av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + if (avctx->block_align <= 0) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } From 15e0e6e87351c3bfcd23375d6a3ca6d5213f0ea6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Sep 2019 21:19:26 +0200 Subject: [PATCH 0461/1383] avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv() Fixes: signed integer overflow: 62220 * 262144 cannot be represented in type 'int' Fixes: 17145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5667394743173120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6fdeb208172dc95b29b965a0cc365ca0925e151e) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index f1c9f41f30..4c6dfaf6bf 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -846,7 +846,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - block[k << sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << sh] += (int)(ac_val[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { for (k = 1; k < 8; k++) block[k << sh] += ac_val[k]; From a62cb90385d85d2e55914def09a532c703cd26c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 00:35:15 +0200 Subject: [PATCH 0462/1383] avcodec/ffwavesynth: Fix integer overflows in pink noise addition Fixes: signed integer overflow: -1795675744 + -1926578528 cannot be represented in type 'int' Fixes: 17741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5131336402075648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7916b6863caec55d7e64758a1bfe436834f2faf6) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 6736587e32..3a6a057964 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -377,7 +377,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->dphi += in->ddphi; break; case WS_NOISE: - val = amp * pink; + val = amp * (unsigned)pink; break; default: val = 0; @@ -385,7 +385,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, all_ch |= in->channels; for (c = in->channels, cv = channels; c; c >>= 1, cv++) if (c & 1) - *cv += val; + *cv += (unsigned)val; } val = (int32_t)lcg_next(&ws->dither_state) >> 16; for (c = all_ch, cv = channels; c; c >>= 1, cv++) From b30d2683c47b4fe5f6e55d01c1fa3aa10c10d194 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:06:35 +0200 Subject: [PATCH 0463/1383] avcodec/aliaspixdec: Check input size against minimal picture size Fixes: Timeout (15sec -> 72ms) Fixes: 17774/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALIAS_PIX_fuzzer-5193929107963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c693104779830028bd5f76bf32a93e059c04d2c) Signed-off-by: Michael Niedermayer --- libavcodec/aliaspixdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aliaspixdec.c b/libavcodec/aliaspixdec.c index 087b18fb91..def7e17c0f 100644 --- a/libavcodec/aliaspixdec.c +++ b/libavcodec/aliaspixdec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + if (bytestream2_get_bytes_left(&gb) < width*height / 255) + return AVERROR_INVALIDDATA; + ret = ff_get_buffer(avctx, f, 0); if (ret < 0) return ret; From c9be168ac103edf9610334276a1a20c97bc5d444 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:10:47 +0200 Subject: [PATCH 0464/1383] avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame() Fixes: signed integer overflow: -2147481503 + -32732 cannot be represented in type 'int' Fixes: 17782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-5769672225456128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76897e19ca96127e07f5acc5a773b904dcf6124) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 27da0bc97a..3e3eed9f7e 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -735,7 +735,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[3].values[res] << 8; - pred[1] += sign_extend(val, 16); + pred[1] += (unsigned)sign_extend(val, 16); *samples++ = pred[1]; } else { if(vlc[0].table) @@ -756,7 +756,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[1].values[res] << 8; - pred[0] += sign_extend(val, 16); + pred[0] += (unsigned)sign_extend(val, 16); *samples++ = pred[0]; } } From d08362ecbc5863fdea4e641baf3e996082db8c9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:16:20 +0200 Subject: [PATCH 0465/1383] avcodec/alac: Fix integer overflow in LPC Fixes: signed integer overflow: 2147483628 + 128 cannot be represented in type 'int' Fixes: 17783/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5146470595952640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44b73a0568f8ad5993ec79b29873151f316bf95c) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 018248ef6a..a6468b7137 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -215,7 +215,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, /* LPC prediction */ for (j = 0; j < lpc_order; j++) val += (pred[j] - d) * lpc_coefs[j]; - val = (val + (1 << (lpc_quant - 1))) >> lpc_quant; + val = (val + (1LL << (lpc_quant - 1))) >> lpc_quant; val += d + error_val; buffer_out[i] = sign_extend(val, bps); From 2c6beca3dc253fa11d243a3718aa7f1a139a08c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2019 22:05:52 +0200 Subject: [PATCH 0466/1383] avcodec/ptx: Check that the input contains at least one line Fixes: Timeout (19sec -> 44ms) Fixes: 17816/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PTX_fuzzer-5704459950227456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6ad328256fe6a6ace7d1e15f3515afccf1247fc) Signed-off-by: Michael Niedermayer --- libavcodec/ptx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c index 42147f4afc..19f9305cda 100644 --- a/libavcodec/ptx.c +++ b/libavcodec/ptx.c @@ -55,6 +55,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += offset; + if (buf_end - buf < w * bytes_per_pixel) + return AVERROR_INVALIDDATA; + if ((ret = ff_set_dimensions(avctx, w, h)) < 0) return ret; From 551f84689fd2bf17aae4319a81b8a5d35b936f1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 17:10:38 +0200 Subject: [PATCH 0467/1383] avformat/pjsdec: Check duration for overflow Fixes: signed integer overflow: -3 - 9223372036854775807 cannot be represented in type 'long' Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1efaac69328bdc17680924c71be7ec990f0e8f2c) Signed-off-by: Michael Niedermayer --- libavformat/pjsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index bb587b569a..448962bf8a 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -55,6 +55,8 @@ static int64_t read_ts(char **line, int *duration) if (sscanf(*line, "%"SCNd64",%"SCNd64, &start, &end) == 2) { *line += strcspn(*line, "\""); *line += !!**line; + if (end < start || end - (uint64_t)start > INT_MAX) + return AV_NOPTS_VALUE; *duration = end - start; return start; } From d47c4185d5638eb5e99cf2a3a5b8796c13bab6a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 19:35:15 +0200 Subject: [PATCH 0468/1383] avcodec/alsdec: Check that input space for header exists in read_diff_float_data() Fixes: Timeout (21sec -> 8sec) Fixes: 17832/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5737092172218368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09581f7923ed9af7719762868e8f1ff626ea8374) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 56313d206c..3819307fbf 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1475,6 +1475,9 @@ static int read_diff_float_data(ALSDecContext *ctx, unsigned int ra_frame) { ff_mlz_flush_dict(ctx->mlz); } + if (avctx->channels * 8 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + for (c = 0; c < avctx->channels; ++c) { if (use_acf) { //acf_flag From dfb5dc40734a22b51beb9bffa72997a1924c7c00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 00:22:46 +0200 Subject: [PATCH 0469/1383] avcodec/atrac9dec: Set channels Fixes: null pointer dereference Fixes: 18341/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5681203490848768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit e85eb7cb04cefa37c7f8e78aac381aa8377dea0f) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index b42bb07f23..f728f383d5 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -876,6 +876,7 @@ static av_cold int atrac9_decode_init(AVCodecContext *avctx) s->block_config = &at9_block_layout[block_config_idx]; avctx->channel_layout = s->block_config->channel_layout; + avctx->channels = av_get_channel_layout_nb_channels(avctx->channel_layout); avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (get_bits1(&gb)) { From e8043213674efdec8a086bbf829b7efedd051510 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Oct 2019 19:52:53 +0200 Subject: [PATCH 0470/1383] avcodec/takdec: Fix overflow with large sample rates Fixes: signed integer overflow: 2147483647 + 511 cannot be represented in type 'int' Fixes: 17899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5719753322135552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42eb78059d149abcd994f46c8b8a0dd98e86b594) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 4fb5825532..8ec87ab509 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -176,8 +176,8 @@ static void set_sample_rate_params(AVCodecContext *avctx) } else { shift = 0; } - s->uval = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << shift; - s->subframe_scale = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << 1; + s->uval = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << shift; + s->subframe_scale = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << 1; } static av_cold int tak_decode_init(AVCodecContext *avctx) From 385e71513847791c520c1a0abef5067046b4718c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Oct 2019 19:34:17 +0200 Subject: [PATCH 0471/1383] avcodec/ralf: Skip initializing unused filter variables Fixes: left shift of negative value -1 Fixes: 17890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5643307467669504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4ecf6c39de9a7cc1dae70cf87c225771001e883) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 006ab46414..1d881cf7ae 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -234,8 +234,10 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, int *dst = ctx->channel_data[ch]; ctx->filter_params = get_vlc2(gb, set->filter_params.table, 9, 2); - ctx->filter_bits = (ctx->filter_params - 2) >> 6; - ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + if (ctx->filter_params > 1) { + ctx->filter_bits = (ctx->filter_params - 2) >> 6; + ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + } if (ctx->filter_params == FILTER_RAW) { for (i = 0; i < length; i++) From 7358e165c6a42e88bbf62930bd98f4a98d1c7279 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Oct 2019 16:14:32 +0200 Subject: [PATCH 0472/1383] avcodec/qdrw: Check input for header/skiped space before get_buffer() Fixes: Timeout (21sec -> 0.8sec) Fixes: 17990/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-5200374436200448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b63fbc19c09d0b42da4f83c21fcf362d6ed7c545) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 32ba410968..65279c9805 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -455,6 +455,8 @@ static int decode_frame(AVCodecContext *avctx, avpriv_request_sample(avctx, "Pack type %d", pack_type); return AVERROR_PATCHWELCOME; } + if (bytestream2_get_bytes_left(&gbc) < 30) + return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; From 56d708c57f1fd4e2582fae98e86b221de67ed321 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 20:57:12 +0200 Subject: [PATCH 0473/1383] avcodec/vp5: Check render_x/y Fixes: Timeout (15sec -> 91ms) Fixes: 18353/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP5_fuzzer-5704150326706176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 698e042c77ecb5b0d616de254adc783e8b61b9c4) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index db97e7f772..247225e0fa 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -48,6 +48,8 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); if (s->frames[VP56_FRAME_CURRENT]->key_frame) { + int render_x, render_y; + vp56_rac_gets(c, 8); if(vp56_rac_gets(c, 5) > 5) return AVERROR_INVALIDDATA; @@ -63,8 +65,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) cols << 4, rows << 4); return AVERROR_INVALIDDATA; } - vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ - vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + render_y = vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ + render_x = vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + if (render_x == 0 || render_x > cols || + render_y == 0 || render_y > rows) + return AVERROR_INVALIDDATA; vp56_rac_gets(c, 2); if (!s->macroblocks || /* first frame */ 16*cols != s->avctx->coded_width || From f860df25cca44957c5c600f912d154bda294be39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 21:56:03 +0200 Subject: [PATCH 0474/1383] avcodec/g723_1dec: fix invalid shift with negative sid_gain Fixes: left shift of negative value -1 Fixes: 18395/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5710313034350592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1850c3feaa1c7b5b63a55c61075029fa59c84e66) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index f92eb76ba0..d5a8e19f05 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -667,7 +667,7 @@ static int estimate_sid_gain(G723_1_Context *p) if (p->sid_gain < 0) t = INT32_MIN; else t = INT32_MAX; } else - t = p->sid_gain << shift; + t = p->sid_gain * (1 << shift); } else if(shift < -31) { t = (p->sid_gain < 0) ? -1 : 0; }else From a0d5f0ee3ba8e7c668901b8918221878611da235 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 23:58:02 +0200 Subject: [PATCH 0475/1383] avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads Fixes: 16144/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_fuzzer-5638618940440576 Fixes: out of array read Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 069be4aa5ddce4479b18896d80a852b144e680df) Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index 89cbbb41b6..3c53b8fdaf 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c @@ -64,22 +64,25 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { } } else if(*p == 2) { unsigned int offset = 1; + unsigned int sizesum = 1; p++; for(i=0; i<2; i++) { hsizes[i] = 0; - while((*p == 0xFF) && (offset < avccontext->extradata_size)) { + while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) { hsizes[i] += 0xFF; offset++; + sizesum += 1 + 0xFF; p++; } - if(offset >= avccontext->extradata_size - 1) { + hsizes[i] += *p; + offset++; + sizesum += 1 + *p; + if(sizesum > avccontext->extradata_size) { av_log(avccontext, AV_LOG_ERROR, "vorbis header sizes damaged\n"); ret = AVERROR_INVALIDDATA; goto error; } - hsizes[i] += *p; - offset++; p++; } hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset; From 2221f613ebb80dbc9af04242a7b1475a3f28ac4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2019 23:26:52 +0100 Subject: [PATCH 0476/1383] avcodec/apedec: Only clear the needed buffer space, instead of all Fixes: Timeout (15sec -> 0.4sec) Fixes: 18396/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5730080487112704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f17ea0200178a4dae446a6bec2f68312f41714a0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9f1e8123b7..9409a4727d 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1500,7 +1500,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); - memset(s->decoded_buffer, 0, s->decoded_size); + memset(s->decoded_buffer, 0, decoded_buffer_size); s->decoded[0] = s->decoded_buffer; s->decoded[1] = s->decoded_buffer + FFALIGN(blockstodecode, 8); From 43988fffd9eee4fe573574d5ce3136f9d1bf0ae9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2019 23:38:47 +0100 Subject: [PATCH 0477/1383] avcodec/adpcm: Fix invalid shifts in ADPCM DTK Fixes: left shift of negative value -1 Fixes: 18397/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_DTK_fuzzer-5675653487132672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 34e701ff93b664703e1bc1b1a6073fa058b02f34) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 4a5f104648..98cebb090d 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1637,7 +1637,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, else sampledat = sign_extend(byte >> 4, 4); - sampledat = (((sampledat << 12) >> (header & 0xf)) << 6) + prev; + sampledat = ((sampledat * (1 << 12)) >> (header & 0xf)) * (1 << 6) + prev; *samples++ = av_clip_int16(sampledat >> 6); c->status[channel].sample2 = c->status[channel].sample1; c->status[channel].sample1 = sampledat; From 873422489daede4a1cab6e2f956785675c5e11f1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Oct 2019 00:12:59 +0100 Subject: [PATCH 0478/1383] avcodec/wmalosslessdec: Fix some integer anomalies Fixes: left shift of negative value -341180 Fixes: 18401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5686380134400000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d3dee676b8a8ab6752c599e25c9b5461f06a3959) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 19bac949d4..d4f18b9841 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -766,7 +766,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ for (icoef = coef_begin; icoef < coef_end; icoef++) { \ int##bits##_t *prevvalues = (int##bits##_t *)s->cdlms[ch][ilms].lms_prevvalues; \ - pred = 1 << (s->cdlms[ch][ilms].scaling - 1); \ + pred = (1 << s->cdlms[ch][ilms].scaling) >> 1; \ residue = s->channel_residues[ch][icoef]; \ pred += s->dsp.scalarproduct_and_madd_int## bits (s->cdlms[ch][ilms].coefs, \ prevvalues + s->cdlms[ch][ilms].recent, \ @@ -987,9 +987,9 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) { if (s->bits_per_sample == 16) { - *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] << padding_zeroes; + *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes); } else { - *s->samples_32[c]++ = s->channel_residues[c][j] << (padding_zeroes + 8); + *s->samples_32[c]++ = s->channel_residues[c][j] * (256 << padding_zeroes); } } } From e0571d455b0d225db52cb682439d6b6a62540117 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 09:31:22 +0100 Subject: [PATCH 0479/1383] avcodec/utils: Check block_align Fixes: out of array access Fixes: 18432/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5675574936207360 Fixes: 18326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5071752362721280 Fixes: 18384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV1_fuzzer-5769439500304384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f011572e66c8dd2f0ac3cb147a769e91f24e0202) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index aa46a3f70c..cba04a2f59 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -690,6 +690,11 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->block_align < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align: %d\n", avctx->block_align); + ret = AVERROR(EINVAL); + goto free_and_end; + } avctx->codec = codec; if ((avctx->codec_type == AVMEDIA_TYPE_UNKNOWN || avctx->codec_type == codec->type) && From 80f74d043beed2e40198c17f9ba4b2362ce2a7fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 21:39:41 +0200 Subject: [PATCH 0480/1383] avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block() Fixes: signed integer overflow: 1077952576 + 1355863565 cannot be represented in type 'int' Fixes: 16196/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5679842317565952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b655f55eaf09eb99b5e694dba2c0cf73fa2c646) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 5e2e808587..085c1b5261 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -572,10 +572,10 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int deltas[10] = GET_TOK(ctx, TM2_L_LO); if (bx > 0) - last[0] = (last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; + last[0] = (int)((unsigned)last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; else - last[0] = (last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; - last[2] = (last[1] + last[3]) >> 1; + last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; + last[2] = (int)((unsigned)last[1] + last[3]) >> 1; t1 = ctx->D[0] + ctx->D[1]; ctx->D[0] = t1 >> 1; From e7999e95ec55c3506d12d2e73df250c484fe21b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Oct 2019 22:52:56 +0200 Subject: [PATCH 0481/1383] avcodec/aacdec_template: Check samplerate Fixes: signed integer overflow: 2 * 1881153568 cannot be represented in type 'int' Fixes: 17996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5687126468853760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7730bacb413fcb59f30acef0b2c6d50c5e6382d6) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index f66ad02bfc..921ba76cd7 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1157,6 +1157,9 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) AACContext *ac = avctx->priv_data; int ret; + if (avctx->sample_rate > 96000) + return AVERROR_INVALIDDATA; + ret = ff_thread_once(&aac_table_init, &aac_static_table_init); if (ret != 0) return AVERROR_UNKNOWN; From ec1c42405fe0a54b8e0c24f021797514b4335af9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2019 09:53:26 +0200 Subject: [PATCH 0482/1383] avcodec/aptx: Check the number of channels Fixes: store to null pointer of type 'uint32_t' (aka 'unsigned int') Fixes: 18021/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APTX_HD_fuzzer-5761738313564160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 98a257c3235bdc18151534134148845728418248) Signed-off-by: Michael Niedermayer --- libavcodec/aptx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aptx.c b/libavcodec/aptx.c index e3fb064a6d..a2620a9212 100644 --- a/libavcodec/aptx.c +++ b/libavcodec/aptx.c @@ -989,6 +989,9 @@ static av_cold int aptx_init(AVCodecContext *avctx) AptXContext *s = avctx->priv_data; int chan, subband; + if (avctx->channels != 2) + return AVERROR_INVALIDDATA; + s->hd = avctx->codec->id == AV_CODEC_ID_APTX_HD; s->block_size = s->hd ? 6 : 4; From 590c951857d8d62ab8189ab4d5c1ed668f3d7353 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Nov 2019 10:02:29 +0100 Subject: [PATCH 0483/1383] avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags() This compared to the other suggestions is cleaner and easier to understand keeping the condition in the if() simple. This affects alot of fate tests. See: [FFmpeg-devel] [PATCH 05/11] avformat/nutenc: Don't pass NULL to memcmp See: [FFmpeg-devel] [PATCH]lavf/nutenc: Do not call memcmp() with NULL argument Fixes: Ticket 7980 Signed-off-by: Michael Niedermayer (cherry picked from commit e4fdeb3fcefeb98f2225f7ccded156fb175959c5) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index e9a3bb49db..2c2334a69c 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -789,11 +789,12 @@ static int get_needed_flags(NUTContext *nut, StreamContext *nus, FrameCode *fc, flags |= FLAG_CHECKSUM; if (FFABS(pkt->pts - nus->last_pts) > nus->max_pts_distance) flags |= FLAG_CHECKSUM; - if (pkt->size < nut->header_len[fc->header_idx] || - (pkt->size > 4096 && fc->header_idx) || - memcmp(pkt->data, nut->header[fc->header_idx], - nut->header_len[fc->header_idx])) - flags |= FLAG_HEADER_IDX; + if (fc->header_idx) + if (pkt->size < nut->header_len[fc->header_idx] || + pkt->size > 4096 || + memcmp(pkt->data, nut->header [fc->header_idx], + nut->header_len[fc->header_idx])) + flags |= FLAG_HEADER_IDX; return flags | (fc->flags & FLAG_CODED); } From 1b375b5036f4e38e4d02b0acfea75dcc9be00d6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Oct 2019 22:51:57 +0200 Subject: [PATCH 0484/1383] avcodec/snowenc: Fix 2 undefined shifts Fixes: Ticket7990 Signed-off-by: Michael Niedermayer (cherry picked from commit 8802e329c8317ca5ceb929df48a23eb0f9e852b2) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 61a658fa44..b886be75dc 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -312,7 +312,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ if(P_LEFT[1] > (c->ymax<ymax< (c->xmax<xmax< (c->ymax<ymax<xmin<xmin<xmin * (1<xmin * (1< (c->xmax<xmax< (c->ymax<ymax<spatial_dwt_buffer[y*w + x]=s->spatial_idwt_buffer[y*w + x]<spatial_dwt_buffer[y*w + x]= s->spatial_idwt_buffer[y*w + x] * (1 << ENCODER_EXTRA_BITS); } } } From 22e645c56a4998c3aee669c491a696691793887e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Oct 2019 23:03:50 +0200 Subject: [PATCH 0485/1383] avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0 Fixes: Ticket7990 Signed-off-by: Michael Niedermayer (cherry picked from commit 55279d699fa64d8eb1185d8db04ab4ed92e8dea2) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index b886be75dc..75051dc87e 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -81,6 +81,7 @@ FF_ENABLE_DEPRECATION_WARNINGS s->m.bit_rate= avctx->bit_rate; s->m.lmin = avctx->mb_lmin; s->m.lmax = avctx->mb_lmax; + s->m.mb_num = (avctx->width * avctx->height + 255) / 256; // For ratecontrol s->m.me.temp = s->m.me.scratchpad= av_mallocz_array((avctx->width+64), 2*16*2*sizeof(uint8_t)); From f4bdb532fc5f06469701853931dbdaa7296b6d86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Oct 2019 23:40:21 +0200 Subject: [PATCH 0486/1383] avcodec/dstdec: Check read_table() for failure Fixes: Timeout (too long -> 42sec) Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03ea8d8cd45e55eeb9675c38184dc2149710a557) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 10b89c3c1b..51ca810c05 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -298,11 +298,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, /* Filter Coef Sets (10.12) */ - read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + ret = read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + if (ret < 0) + return ret; /* Probability Tables (10.13) */ - read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + ret = read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + if (ret < 0) + return ret; /* Arithmetic Coded Data (10.11) */ From 8d5bde96ba5bfd68b1497eab3bea8702cdfa5e35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Oct 2019 23:42:50 +0200 Subject: [PATCH 0487/1383] avcodec/dstdec: Check that AC probabilities are within range ISO/IEC 14496-3:2005(E): "Each entry of P_one[ ][ ] is in the range of 1 to 128, corresponding to a probability of 1/256 to 128/256 of the next error bit (bit E, See Figure 10.5)..." Fixes: Timeout (42sec ->1sec) Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c3e1b395b47fac44397604b2a3343c4bd92561c) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 51ca810c05..daf906ba0c 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -161,6 +161,10 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[ c -= (x + 4) / 8; else c += (-x + 3) / 8; + if (!is_signed) { + if (c < offset || c >= offset + (1<coeff[i][j] = c; } } From 284680576c0be650fcf0f4f0489af742e1d7d4ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 20:56:23 +0200 Subject: [PATCH 0488/1383] avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() Fixes: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 18281/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5692589180715008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d1719a44dd43b2d9d8ccd26e3b2854e675a7bd7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9409a4727d..315bd162d5 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -916,7 +916,8 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) { int i, j; int32_t dotprod, sign; - int32_t coeffs[8] = { 0 }, delay[8] = { 0 }; + int32_t delay[8] = { 0 }; + uint32_t coeffs[8] = { 0 }; for (i = 0; i < length; i++) { dotprod = 0; From 456faf0ddff3e2c8deebc7c63a2cb822edebdddf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 23:22:22 +0200 Subject: [PATCH 0489/1383] avcodec/ffv1dec: Use a different error message for the slice level CRC This way they can be told apart easily Signed-off-by: Michael Niedermayer (cherry picked from commit df498cf544fd4690e5a246925e4de1125b57795b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 261e0cf70c..e465ed49d7 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -906,7 +906,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac unsigned crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE), 0, buf_p, v); if (crc) { int64_t ts = avpkt->pts != AV_NOPTS_VALUE ? avpkt->pts : avpkt->dts; - av_log(f->avctx, AV_LOG_ERROR, "CRC mismatch %X!", crc); + av_log(f->avctx, AV_LOG_ERROR, "slice CRC mismatch %X!", crc); if (ts != AV_NOPTS_VALUE && avctx->pkt_timebase.num) { av_log(f->avctx, AV_LOG_ERROR, "at %f seconds\n", ts*av_q2d(avctx->pkt_timebase)); } else if (ts != AV_NOPTS_VALUE) { From 20459d3b103cd719da92412456f5a1f3b36368d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2019 12:12:12 +0200 Subject: [PATCH 0490/1383] avutil/lfg: Document the AVLFG struct Signed-off-by: Michael Niedermayer (cherry picked from commit d6fea2ef221a2f438cc55e82c61d0375750edf94) Signed-off-by: Michael Niedermayer --- libavutil/lfg.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavutil/lfg.h b/libavutil/lfg.h index 03f779ad8a..ab38a8a0df 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -24,6 +24,12 @@ #include +/** + * Context structure for the Lagged Fibonacci PRNG. + * The exact layout, types and content of this struct may change and should + * not be accessed directly. Only its sizeof() is guranteed to stay the same + * to allow easy instanciation. + */ typedef struct AVLFG { unsigned int state[64]; int index; From 585c67b02437be47e35f304d1b70686bc0d39241 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 00:26:25 +0200 Subject: [PATCH 0491/1383] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: 2117181180 + 60483298 cannot be represented in type 'int' Fixes: 18344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5685327791915008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c038c5c63375883a8a94332cffd701c4cb1301a) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 315bd162d5..0c0c22b18a 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((int)(p->filterA[filter] * 31U) >> 5); + p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } From 960f93f36469255c470a8748c8a868097517bd33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 23:31:03 +0200 Subject: [PATCH 0492/1383] avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta() Fixes: Timeout (31sec -> 41ms) Fixes: 18380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5645210121404416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32b3c8ce7d050210d210511cdb8c6644664a70ab) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 1bb7924c98..3d9ce9d29c 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1143,6 +1143,9 @@ static void decode_long_vertical_delta(uint8_t *dst, x = bytestream2_get_be32(&dgb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == (ncolumns - 1))) { @@ -1283,6 +1286,9 @@ static void decode_long_vertical_delta2(uint8_t *dst, x = bytestream2_get_be32(&gb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode && bytestream2_get_bytes_left_p(&pb) > 1) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == ncolumns - 1)) From dfa089ccb3c6c39f8fb0a29637282ed8ce0c2581 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 22:08:37 +0200 Subject: [PATCH 0493/1383] avcodec/xsubdec: fix overflow in alpha handling Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 18368/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XSUB_fuzzer-5702665442426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9ea997395909907f569787d4ba5b96352ad31a80) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 93fd0f4d50..05c4a64ee5 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -130,7 +130,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, ((uint32_t *)sub->rects[0]->data[1])[i] |= 0xff000000; } else { for (i = 0; i < sub->rects[0]->nb_colors; i++) - ((uint32_t *)sub->rects[0]->data[1])[i] |= *buf++ << 24; + ((uint32_t *)sub->rects[0]->data[1])[i] |= (unsigned)*buf++ << 24; } #if FF_API_AVPICTURE From d05aa7459f7ed3cc414957c254bab4505d2dae91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 22:32:47 +0200 Subject: [PATCH 0494/1383] avcodec/wmavoice: Check sample_rate Fixes: left shift of 538976288 by 8 places cannot be represented in type 'int' Fixes: 18376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5741645391200256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55c97a763783540ee48a326a3e82fbdea42f8280) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 444e303b0d..44cfc3bc61 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -433,6 +433,9 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) return AVERROR_INVALIDDATA; } + if (ctx->sample_rate >= INT_MAX / (256 * 37)) + return AVERROR_INVALIDDATA; + s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; From 27b1e6cd86455a6f82dfc098760d50bd8481c50f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 22:02:32 +0200 Subject: [PATCH 0495/1383] avcodec/atrac3plus: Check split point in fill mode 3 Fixes: index 32 out of bounds for type 'int [32]' Fixes: 18350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3P_fuzzer-5643794862571520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de5102fd92de8d353fdf060375ed3ce859c83977) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3plus.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/atrac3plus.c b/libavcodec/atrac3plus.c index 3e3bba801b..f135606e2a 100644 --- a/libavcodec/atrac3plus.c +++ b/libavcodec/atrac3plus.c @@ -456,6 +456,10 @@ static int decode_channel_wordlen(GetBitContext *gb, Atrac3pChanUnitCtx *ctx, } else if (chan->fill_mode == 3) { pos = ch_num ? chan->num_coded_vals + chan->split_point : ctx->num_quant_units - chan->split_point; + if (pos > FF_ARRAY_ELEMS(chan->qu_wordlen)) { + av_log(avctx, AV_LOG_ERROR, "Split point beyond array\n"); + pos = FF_ARRAY_ELEMS(chan->qu_wordlen); + } for (i = chan->num_coded_vals; i < pos; i++) chan->qu_wordlen[i] = 1; } From a85bfe3a4f3001a688de5c0d29783b02b84b1d85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 19:41:27 +0200 Subject: [PATCH 0496/1383] avcodec/cook: Check samples_per_channel earlier Fixes: division by zero Fixes: 18362/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5653727679086592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57750bb629a145326e20b8760f21f1041464a937) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index c5f68c98ba..c1b61ae0c7 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1217,6 +1217,15 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } } + + /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ + if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && + q->samples_per_channel != 1024) { + avpriv_request_sample(avctx, "samples_per_channel = %d", + q->samples_per_channel); + return AVERROR_PATCHWELCOME; + } + /* Generate tables */ init_pow2table(); init_gain_table(q); @@ -1252,14 +1261,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->saturate_output = saturate_output_float; } - /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ - if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && - q->samples_per_channel != 1024) { - avpriv_request_sample(avctx, "samples_per_channel = %d", - q->samples_per_channel); - return AVERROR_PATCHWELCOME; - } - avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (channel_mask) avctx->channel_layout = channel_mask; From a2b7e3bacc8b5229be42faec9d5f2c05d7bc948e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 19:59:57 +0200 Subject: [PATCH 0497/1383] avcodec/cook: Enlarge gain table Fixes: index 25 out of bounds for type 'float [23]' Fixes: 18355/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5641398941908992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50001cd440ac89ed125f0154dedbcfa2718d2d68) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index c1b61ae0c7..501d27b132 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -143,7 +143,7 @@ typedef struct cook { /* generate tables and related variables */ int gain_size_factor; - float gain_table[23]; + float gain_table[31]; /* data buffers */ @@ -185,8 +185,8 @@ static av_cold void init_gain_table(COOKContext *q) { int i; q->gain_size_factor = q->samples_per_channel / 8; - for (i = 0; i < 23; i++) - q->gain_table[i] = pow(pow2tab[i + 52], + for (i = 0; i < 31; i++) + q->gain_table[i] = pow(pow2tab[i + 48], (1.0 / (double) q->gain_size_factor)); } @@ -670,7 +670,7 @@ static void interpolate_float(COOKContext *q, float *buffer, for (i = 0; i < q->gain_size_factor; i++) buffer[i] *= fc1; } else { // smooth gain - fc2 = q->gain_table[11 + (gain_index_next - gain_index)]; + fc2 = q->gain_table[15 + (gain_index_next - gain_index)]; for (i = 0; i < q->gain_size_factor; i++) { buffer[i] *= fc1; fc1 *= fc2; From 96e6ef9abeab5612030cd91e790ba7a9859450b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 15:41:51 +0200 Subject: [PATCH 0498/1383] avcodec/twinvq: Check block_align Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 18348/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_METASOUND_fuzzer-6681325716635648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97f778e9c55328e8b48f4b8b4171245e5f2232f6) Signed-off-by: Michael Niedermayer --- libavcodec/twinvq.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 7b2e19e536..34ca1846b9 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -771,23 +771,26 @@ av_cold int ff_twinvq_decode_init(AVCodecContext *avctx) { int ret; TwinVQContext *tctx = avctx->priv_data; + int64_t frames_per_packet; tctx->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (!avctx->block_align) { avctx->block_align = tctx->frame_size + 7 >> 3; - } else if (avctx->block_align * 8 < tctx->frame_size) { - av_log(avctx, AV_LOG_ERROR, "Block align is %d bits, expected %d\n", - avctx->block_align * 8, tctx->frame_size); + } + frames_per_packet = avctx->block_align * 8LL / tctx->frame_size; + if (frames_per_packet <= 0) { + av_log(avctx, AV_LOG_ERROR, "Block align is %"PRId64" bits, expected %d\n", + avctx->block_align * (int64_t)8, tctx->frame_size); return AVERROR_INVALIDDATA; } - tctx->frames_per_packet = avctx->block_align * 8 / tctx->frame_size; - if (tctx->frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { - av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%d)\n", - tctx->frames_per_packet); + if (frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { + av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%"PRId64")\n", + frames_per_packet); return AVERROR_INVALIDDATA; } + tctx->frames_per_packet = frames_per_packet; tctx->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT); if (!tctx->fdsp) { From 8a5236634931e8ac3a7d627ccca259aba426ca3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 00:09:11 +0200 Subject: [PATCH 0499/1383] avcodec/sbcdec: Fix integer overflows in sbc_synthesize_four() Fixes: signed integer overflow: 1494495519 + 1494495519 cannot be represented in type 'int' Fixes: 18347/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SBC_fuzzer-5711714661695488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 00e469fb6123df92ec3c54ab3b37f77e21d297be) Signed-off-by: Michael Niedermayer --- libavcodec/sbcdec.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/libavcodec/sbcdec.c b/libavcodec/sbcdec.c index 23226d5155..d8ea6855fe 100644 --- a/libavcodec/sbcdec.c +++ b/libavcodec/sbcdec.c @@ -227,10 +227,10 @@ static inline void sbc_synthesize_four(struct sbc_decoder_state *state, /* Distribute the new matrix value to the shifted position */ v[offset[i]] = - ( ff_synmatrix4[i][0] * frame->sb_sample[blk][ch][0] + - ff_synmatrix4[i][1] * frame->sb_sample[blk][ch][1] + - ff_synmatrix4[i][2] * frame->sb_sample[blk][ch][2] + - ff_synmatrix4[i][3] * frame->sb_sample[blk][ch][3] ) >> 15; + (int)( (unsigned)ff_synmatrix4[i][0] * frame->sb_sample[blk][ch][0] + + (unsigned)ff_synmatrix4[i][1] * frame->sb_sample[blk][ch][1] + + (unsigned)ff_synmatrix4[i][2] * frame->sb_sample[blk][ch][2] + + (unsigned)ff_synmatrix4[i][3] * frame->sb_sample[blk][ch][3] ) >> 15; } /* Compute the samples */ @@ -239,16 +239,16 @@ static inline void sbc_synthesize_four(struct sbc_decoder_state *state, /* Store in output, Q0 */ AV_WN16A(&output_frame->data[ch][blk * 8 + i * 2], av_clip_int16( - ( v[offset[i] + 0] * ff_sbc_proto_4_40m0[idx + 0] + - v[offset[k] + 1] * ff_sbc_proto_4_40m1[idx + 0] + - v[offset[i] + 2] * ff_sbc_proto_4_40m0[idx + 1] + - v[offset[k] + 3] * ff_sbc_proto_4_40m1[idx + 1] + - v[offset[i] + 4] * ff_sbc_proto_4_40m0[idx + 2] + - v[offset[k] + 5] * ff_sbc_proto_4_40m1[idx + 2] + - v[offset[i] + 6] * ff_sbc_proto_4_40m0[idx + 3] + - v[offset[k] + 7] * ff_sbc_proto_4_40m1[idx + 3] + - v[offset[i] + 8] * ff_sbc_proto_4_40m0[idx + 4] + - v[offset[k] + 9] * ff_sbc_proto_4_40m1[idx + 4] ) >> 15)); + (int)( (unsigned)v[offset[i] + 0] * ff_sbc_proto_4_40m0[idx + 0] + + (unsigned)v[offset[k] + 1] * ff_sbc_proto_4_40m1[idx + 0] + + (unsigned)v[offset[i] + 2] * ff_sbc_proto_4_40m0[idx + 1] + + (unsigned)v[offset[k] + 3] * ff_sbc_proto_4_40m1[idx + 1] + + (unsigned)v[offset[i] + 4] * ff_sbc_proto_4_40m0[idx + 2] + + (unsigned)v[offset[k] + 5] * ff_sbc_proto_4_40m1[idx + 2] + + (unsigned)v[offset[i] + 6] * ff_sbc_proto_4_40m0[idx + 3] + + (unsigned)v[offset[k] + 7] * ff_sbc_proto_4_40m1[idx + 3] + + (unsigned)v[offset[i] + 8] * ff_sbc_proto_4_40m0[idx + 4] + + (unsigned)v[offset[k] + 9] * ff_sbc_proto_4_40m1[idx + 4] ) >> 15)); } } From b7d552e222882974abcf6224af127bd1d45fc545 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 01:12:15 +0200 Subject: [PATCH 0500/1383] avcodec/cook: Move up and extend block_align check Fixes: signed integer overflow: 2046820356 * 8 cannot be represented in type 'int' Fixes: 18391/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5631674666188800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c63edcdd208bf18a3be66e94deb6ac115f6364e) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 501d27b132..90b22ecca7 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1075,6 +1075,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (avctx->block_align >= INT_MAX / 8) + return AVERROR(EINVAL); + /* Initialize RNG. */ av_lfg_init(&q->random_state, 0); @@ -1234,10 +1237,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) if ((ret = init_cook_vlc_tables(q))) return ret; - - if (avctx->block_align >= UINT_MAX / 2) - return AVERROR(EINVAL); - /* Pad the databuffer with: DECODE_BYTES_PAD1 or DECODE_BYTES_PAD2 for decode_bytes(), AV_INPUT_BUFFER_PADDING_SIZE, for the bitstreamreader. */ From a5636c1d4c08588629d4979f7154445463c66788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 11:12:02 +0200 Subject: [PATCH 0501/1383] avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI Fixes: left shift of negative value -30 Fixes: 18392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_OKI_fuzzer-5631771831435264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786f6c30e77a393b72ded01baa4250738925509) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 98cebb090d..5dc5704a4d 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -293,7 +293,7 @@ static inline int16_t adpcm_ima_oki_expand_nibble(ADPCMChannelStatus *c, int nib c->predictor = av_clip_intp2(predictor, 11); c->step_index = step_index; - return c->predictor << 4; + return c->predictor * 16; } static inline int16_t adpcm_ct_expand_nibble(ADPCMChannelStatus *c, int8_t nibble) From fdc350ec5f8aa0bdebad310753ac55eeaaeaf733 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 12:44:45 +0200 Subject: [PATCH 0502/1383] avcodec/interplayacm: Fix overflow of last unused value Fixes: signed integer overflow: -2147450880 - 65535 cannot be represented in type 'int' Fixes: 18393/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5667520110919680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10eabb8e40df0ad84470d750f903917f4a05cb1f) Signed-off-by: Michael Niedermayer --- libavcodec/interplayacm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index 5639d8de82..8692a75b5e 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -528,7 +528,7 @@ static int decode_block(InterplayACMContext *s) for (i = 1, x = -val; i <= count; i++) { s->midbuf[-i] = x; - x -= val; + x -= (unsigned)val; } ret = fill_block(s); From 88c81955266259a296c330c36abf497456a5d9f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 15:54:45 +0200 Subject: [PATCH 0503/1383] avcodec/wmaprodec: get frame during frame decode Fixes: memleak Fixes: 17615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5681306024804352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0f89a2293ea5f642a67700225d76948ed154418e) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 41628a6ddb..a5d8c91a1d 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1765,6 +1765,12 @@ static int xma_decode_packet(AVCodecContext *avctx, void *data, AVFrame *frame = data; int i, ret, offset = INT_MAX; + if (!s->frames[s->current_stream]->data[0]) { + s->frames[s->current_stream]->nb_samples = 512; + if ((ret = ff_get_buffer(avctx, s->frames[s->current_stream], 0)) < 0) { + return ret; + } + } /* decode current stream packet */ ret = decode_packet(avctx, &s->xma[s->current_stream], s->frames[s->current_stream], &got_stream_frame_ptr, avpkt); @@ -1889,10 +1895,6 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->frames[i] = av_frame_alloc(); if (!s->frames[i]) return AVERROR(ENOMEM); - s->frames[i]->nb_samples = 512; - if ((ret = ff_get_buffer(avctx, s->frames[i], 0)) < 0) { - return AVERROR(ENOMEM); - } s->start_channel[i] = start_channels; start_channels += s->xma[i].nb_channels; From cf6f4e0d68302c4e3f3974849013d529bac1b775 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Nov 2019 21:16:32 +0100 Subject: [PATCH 0504/1383] avformat/mp3dec: Check that the frame fits within the probe buffer Signed-off-by: Michael Niedermayer (cherry picked from commit e9a335150a62bb377a26ce096187b4476145d02b) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index ef884934e1..d0971741cd 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -91,7 +91,7 @@ static int mp3_read_probe(AVProbeData *p) header = AV_RB32(buf2); ret = avpriv_mpegaudio_decode_header(&h, header); - if (ret != 0) + if (ret != 0 || end - buf2 < h.frame_size) break; buf2 += h.frame_size; framesizes += h.frame_size; From 3ba76291044736167043373952487cabed18276b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 18:48:03 +0200 Subject: [PATCH 0505/1383] avcodec/atrac9dec: Check precision_fine/coarse Clipping is done as it was preferred in review See: [FFmpeg-devel] [PATCH 1/5] avcodec/atrac9dec: Check precision_fine/coarse Fixes: out of array access Fixes: 18330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5641113058148352 Signed-off-by: Michael Niedermayer (cherry picked from commit 19b8db2908bf0fd248da1b2126e2592ade66c40c) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index f728f383d5..f89f24dfba 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -190,7 +190,7 @@ static inline void calc_precision(ATRAC9Context *s, ATRAC9BlockData *b, for (int i = 0; i < b->q_unit_cnt; i++) { c->precision_fine[i] = 0; if (c->precision_coarse[i] > 15) { - c->precision_fine[i] = c->precision_coarse[i] - 15; + c->precision_fine[i] = FFMIN(c->precision_coarse[i], 30) - 15; c->precision_coarse[i] = 15; } } From 6778b3c9275bdbe73774230ee7f8e584b8c6c30f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 23:41:49 +0200 Subject: [PATCH 0506/1383] avcodec/sonic: Fix integer overflow in predictor_calc_error() Fixes: signed integer overflow: 5 * -1094995529 cannot be represented in type 'int' Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c8c17b8cef77dc052e8845e5fd86daf2983fd7dd) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 2e3ca79fdd..953c70fcd4 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -473,7 +473,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error) { int k_value = *k_ptr, state_value = *state_ptr; x -= shift_down(k_value * state_value, LATTICE_SHIFT); - state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT); + state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) From 1baae1c8f1f2e54960b10b83f659cceb010c6639 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Oct 2019 18:30:07 +0100 Subject: [PATCH 0507/1383] avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter() Fixes: signed integer overflow: 7400 + 2147482786 cannot be represented in type 'int' Fixes: 18405/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5708834760294400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc3f327e7403a34c88a900f0b8de55b4afd7cf6c) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0c0c22b18a..7d07f5f8f1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1268,7 +1268,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->adaptcoeffs - order, order, APESIGN(*data)); res = (int)(res + (1U << (fracbits - 1))) >> fracbits; - res += *data; + res += (unsigned)*data; *data++ = res; /* Update the output history */ From 65cda31ace22660c08444734661d1bb78d4629e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 15:22:53 +0100 Subject: [PATCH 0508/1383] avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid Fixes: Timeout (217sec -> 2ms) Fixes: 18488/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5708293662310400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e36ccb5048f052b8b2ef08281cb607fa53a7b7e4) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index ac8ae8cbbb..7b9d50b234 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1704,7 +1704,7 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->group_size = bytestream2_get_be32(&gb); s->fft_size = bytestream2_get_be32(&gb); s->checksum_size = bytestream2_get_be32(&gb); - if (s->checksum_size >= 1U << 28 || !s->checksum_size) { + if (s->checksum_size >= 1U << 28 || s->checksum_size <= 1) { av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); return AVERROR_INVALIDDATA; } From 864649067b4b64494f283922fca861b1dc0a14fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 15:00:32 +0100 Subject: [PATCH 0509/1383] avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling The intermediates are required to fit in 12bit (8.1.3.9 Coefficient Scaling) See SMPTE 421M-2006 and Amendment 1-2007 Fixes: signed integer overflow: -20691 * 262144 cannot be represented in type 'int' Fixes: 18479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5128912371187712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7fc1baf0ca83ef06014878290339a59735603959) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 4c6dfaf6bf..da0eee8cc7 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1036,10 +1036,10 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (q2 && q1 != q2) { if (dc_pred_dir) { // left for (k = 1; k < 8; k++) - block[k << v->left_blk_sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->left_blk_sh] += (int)(ac_val[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { //top for (k = 1; k < 8; k++) - block[k << v->top_blk_sh] += (ac_val[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->top_blk_sh] += (int)(ac_val[k + 8] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } else { if (dc_pred_dir) { // left From 7b81868a259dfc7be1f173a0693ac5ac23091f84 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 14:38:16 +0100 Subject: [PATCH 0510/1383] avcodec/wmadec: Require previous exponents for reuse Fixes: division by zero Fixes: 18474/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5764986962182144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c54b9fc42fee613e2c4c0dae2052ff94cd15e254) Signed-off-by: Michael Niedermayer --- libavcodec/wma.h | 1 + libavcodec/wmadec.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 325f03c44b..8344cb5b93 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h @@ -123,6 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; + int exponents_initialized; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 78b51e5871..bb9bc8d236 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -587,6 +587,9 @@ static int wma_decode_block(WMACodecContext *s) s->exponents_bsize[ch] = bsize; } } + s->exponents_initialized = 1; + }else if (!s->exponents_initialized) { + return AVERROR_INVALIDDATA; } /* parse spectral coefficients : just RLE encoding */ From 4d53c962ed53d959421f00859e9707a0f5701113 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 15:52:52 +0100 Subject: [PATCH 0511/1383] avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() Fixes: left shift of negative value -249 Fixes: 18566/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5649394561187840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b7d02642b2096622cee6165fea1301bb9ad54ff) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 1d881cf7ae..ca8817aa21 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -408,7 +408,7 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, case 4: for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; - t2 = ((ch0[i] + ctx->bias[0]) << 1) | (t & 1); + t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); dst0[i] = (t2 + t) / 2; dst1[i] = (t2 - t) / 2; } From 71d17a2827195c5daf7acfe551f154bf5c5e1d22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2019 23:51:58 +0200 Subject: [PATCH 0512/1383] avcodec/atrac3: Check for huge block aligns The largest documented frame size = block align is 1024 bytes (https://wiki.multimedia.cx/index.php/ATRAC3) Without a limit this can allocate arbitrary memory and trigger OOM Fixes: OOM Fixes: 18337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3_fuzzer-5763861478637568 Fixes: 18556/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3AL_fuzzer-5646183334936576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f09151fff9c754fbc1d2560adf18b14957f8b181) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index dc19a3863e..067aa23f1f 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2 || avctx->block_align <= 0) + if (avctx->block_align > 1024 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + From 6783232dfeafbc387842a5cdb0b226cf820a0dc3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Oct 2019 19:12:23 +0100 Subject: [PATCH 0513/1383] avcodec/iff: Move index use after check in decodeplane8() Fixes: index 9 out of bounds for type 'const uint64_t [8][256]' Fixes: 18409/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5767030560522240 Fixes: 18720/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5651995784642560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f8b36cc45406f66aac635a4db32d2a5cc29f43) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 3d9ce9d29c..8a2ae2542d 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -456,11 +456,12 @@ static av_cold int decode_init(AVCodecContext *avctx) */ static void decodeplane8(uint8_t *dst, const uint8_t *buf, int buf_size, int plane) { - const uint64_t *lut = plane8_lut[plane]; + const uint64_t *lut; if (plane >= 8) { av_log(NULL, AV_LOG_WARNING, "Ignoring extra planes beyond 8\n"); return; } + lut = plane8_lut[plane]; do { uint64_t v = AV_RN64A(dst) | lut[*buf++]; AV_WN64A(dst, v); From 084a3e582b4507dc8d7fc8c6bc7db4016187ed16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 21:58:26 +0200 Subject: [PATCH 0514/1383] avcodec/cngdec: Remove AV_CODEC_CAP_DELAY As is the decoder will never stop, it will cause an infinite loop. The RFC seems only to speak of non empty packets so endlessly generating noise from the last empty flush packets seems wrong. Fixes: infinite loop Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 327a968817a366c24d1513526258a3dbbcf888a7) Signed-off-by: Michael Niedermayer --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 28432ac719..6b3e5ad7c8 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -174,5 +174,5 @@ AVCodec ff_comfortnoise_decoder = { .close = cng_decode_close, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, - .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_DR1, + .capabilities = AV_CODEC_CAP_DR1, }; From 1109a736ef1f1720a2edb8f37b02d0df99826242 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 21:27:41 +0200 Subject: [PATCH 0515/1383] avutil/lfg: Correct index increment type to avoid undefined behavior Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6014bcf1b74e903f535461ade4aa5fb44dbf5d8b) Signed-off-by: Michael Niedermayer --- libavutil/lfg.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/lfg.h b/libavutil/lfg.h index ab38a8a0df..2b669205d1 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -51,8 +51,9 @@ int av_lfg_init_from_data(AVLFG *c, const uint8_t *data, unsigned int length); * it may be good enough and faster for your specific use case. */ static inline unsigned int av_lfg_get(AVLFG *c){ - c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; - return c->state[c->index++ & 63]; + unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; + c->index += 1U; + return a; } /** @@ -63,7 +64,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){ static inline unsigned int av_mlfg_get(AVLFG *c){ unsigned int a= c->state[(c->index-55) & 63]; unsigned int b= c->state[(c->index-24) & 63]; - return c->state[c->index++ & 63] = 2*a*b+a+b; + a = c->state[c->index & 63] = 2*a*b+a+b; + c->index += 1U; + return a; } /** From 5574daa6905331125b241f7c9532ea3a43d6420f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2019 23:02:27 +0200 Subject: [PATCH 0516/1383] avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases Fixes: shift exponent -14 is negative Fixes: 18335/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RAWVIDEO_fuzzer-5723267192586240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5634e2052533fcce46f20c2720b0c8d5f55143ce) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 53f5b76e93..0b2d8708e6 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -223,7 +223,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, FFALIGN(avctx->width, 16), avctx->height, 1); } else { - context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample && avctx->bits_per_coded_sample < 16; + context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample > 8 && avctx->bits_per_coded_sample < 16; context->frame_size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); } From 4edd992a65ae6621db396497e84d0a13d7dfe685 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 15:15:46 +0100 Subject: [PATCH 0517/1383] avcodec/wmavoice: Fix integer overflow in synth_frame() Fixes: left shift of negative value -3 Fixes: 18518/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-6560514359951360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf323f4d38f5756ecdb8fb4f72c80a8069da832e) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 44cfc3bc61..bb7950be47 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1523,7 +1523,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* "pitch-diff-per-sample" for calculation of pitch per sample */ s->pitch_diff_sh16 = - ((cur_pitch_val - s->last_pitch_val) << 16) / MAX_FRAMESIZE; + (cur_pitch_val - s->last_pitch_val) * (1 << 16) / MAX_FRAMESIZE; } /* Global gain (if silence) and pitch-adaptive window coordinates */ From 132344fcba7d06233afd7a866597cd587d8c89fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 14:14:44 +0100 Subject: [PATCH 0518/1383] avcodec/nuv: Move comptype check up Fixes: Timeout (23sec -> 5ms) Fixes: 18517/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5753135536013312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1138cdecbe0164ab1f07768418e794fddfdc636d) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 32ed65899b..6192a70c74 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -217,6 +217,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG: minsize = c->width/16 * (c->height/16) * 6; break; + case NUV_BLACK: + case NUV_COPY_LAST: + case NUV_LZO: + case NUV_RTJPEG_IN_LZO: + break; + default: + av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); + return AVERROR_INVALIDDATA; } if (buf_size < minsize / 4) return AVERROR_INVALIDDATA; @@ -305,9 +313,6 @@ retry: case NUV_COPY_LAST: /* nothing more to do here */ break; - default: - av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); - return AVERROR_INVALIDDATA; } if ((result = av_frame_ref(picture, c->pic)) < 0) From 34e6544424f74cb71e0e0d3426c511b11995e741 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2019 12:20:14 +0100 Subject: [PATCH 0519/1383] avcodec/mxpegdec: Check for multiple SOF Fixes: Timeout (14sec -> 9ms) Fixes: 18598/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5726095261564928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75b64e5aa36e7796a0460415a1f3fd7372029525) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 2e3ebe6e70..55ec6e928e 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -199,6 +199,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, buf_end = buf + buf_size; jpg->got_picture = 0; s->got_mxm_bitmask = 0; + s->got_sof_data = !!s->got_sof_data; while (buf_ptr < buf_end) { start_code = ff_mjpeg_find_marker(jpg, &buf_ptr, buf_end, &unescaped_buf_ptr, &unescaped_buf_size); @@ -241,6 +242,11 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, return ret; break; case SOF0: + if (s->got_sof_data > 1) { + av_log(avctx, AV_LOG_ERROR, + "Multiple SOF in a frame\n"); + return AVERROR_INVALIDDATA; + } s->got_sof_data = 0; ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { @@ -253,7 +259,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, "Interlaced mode not supported in MxPEG\n"); return AVERROR(EINVAL); } - s->got_sof_data = 1; + s->got_sof_data ++; break; case SOS: if (!s->got_sof_data) { From 2f5dbf9b150baa72bd914d65e0a69d362874ab75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 23:28:35 +0100 Subject: [PATCH 0520/1383] avcodec/g729dec: Use 64bit and clip in scalar product The G729 reference decoder clips after each individual operation and keeps track if overflow occurred (in the fixed point implementation), this here is simpler and faster but not 1:1 the same what the reference does. Non fuzzed samples which trigger any such overflow are welcome, so the need and impact of different clipping solutions can be evaluated. Fixes: signed integer overflow: 1271483721 + 1073676289 cannot be represented in type 'int' Fixes: 18617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5137705679978496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf9c4a12750e593d753011166b066efce208d9e0) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 2e1bf18e4e..32218e5989 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -328,11 +328,14 @@ static int16_t g729d_voice_decision(int onset, int prev_voice_decision, const in static int32_t scalarproduct_int16_c(const int16_t * v1, const int16_t * v2, int order) { - int res = 0; + int64_t res = 0; while (order--) res += *v1++ * *v2++; + if (res > INT32_MAX) return INT32_MAX; + else if (res < INT32_MIN) return INT32_MIN; + return res; } From aaec28913f96bc5cfb8478877cccaf7889029f43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 22:27:04 +0100 Subject: [PATCH 0521/1383] avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel() Fixes: signed integer overflow: 1145975808 - -1146173210 cannot be represented in type 'int' Fixes: 18616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5121296757424128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 721624c2f67545989626ba4413f7b8dbd7dff678) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index ca8817aa21..d8f1803086 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -264,8 +264,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2); t = extend_code(gb, t, 21, add_bits); if (!cmode) - coeff -= 12 << add_bits; - coeff = t - coeff; + coeff -= 12U << add_bits; + coeff = (unsigned)t - coeff; ctx->filter[i] = coeff; cmode = coeff >> add_bits; From 03d5c402f05775939845919a4321a5512fac5b90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 22:11:52 +0100 Subject: [PATCH 0522/1383] avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next Fixes: signed integer overflow: 6175076100092079360 - -5034989061050195840 cannot be represented in type 'long' Fixes: 18614/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5704508847423488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d82ab96e76bfec6568d059df7c8591dda4317c62) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 3a6a057964..349b45534d 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -217,8 +217,8 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) *last = -1; lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); - int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { From ad3c8540f877f0eee8a1561c42a582c8fed822d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Nov 2019 09:29:58 +0100 Subject: [PATCH 0523/1383] avcodec/nuv: Use ff_set_dimensions() Fixes: OOM Fixes: 18956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5766505644163072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1ca978d6366f3c7d7df6b3d50566e892f8da605a) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 6192a70c74..39f4e79ba0 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -131,10 +131,10 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) return -1; - if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - avctx->width = c->width = width; - avctx->height = c->height = height; + c->width = width; + c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { From 3b8512ae09f7552fce1d7896af8d52ce36be8520 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 13:32:55 +0100 Subject: [PATCH 0524/1383] avformat/mxfdec: Clear metadata_sets_count in mxf_read_close() This avoids problems if the function is called twice Signed-off-by: Michael Niedermayer (cherry picked from commit 13816a1d085fdb6598ea6dc92ed3a1e6aff0cc1f) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f49890e140..c3ee7617f9 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3542,6 +3542,7 @@ static int mxf_read_close(AVFormatContext *s) for (i = 0; i < mxf->metadata_sets_count; i++) { mxf_free_metadataset(mxf->metadata_sets + i, 1); } + mxf->metadata_sets_count = 0; av_freep(&mxf->partitions); av_freep(&mxf->metadata_sets); av_freep(&mxf->aesc); From 600e1df9a58cb19c184c97189bce103ce8eb1124 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 17:28:27 +0100 Subject: [PATCH 0525/1383] avcodec/vmdaudio: Check chunk counts to avoid integer overflow Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int' Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47d963335eb2c36c0e6615d7971c762458e813dd) Signed-off-by: Michael Niedermayer --- libavcodec/vmdaudio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index e8c8a064c7..c7826fa3ce 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -179,6 +179,9 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* drop incomplete chunks */ buf_size = audio_chunks * s->chunk_size; + if (silent_chunks + audio_chunks >= INT_MAX / avctx->block_align) + return AVERROR_INVALIDDATA; + /* get output buffer */ frame->nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; From 54c0706a2de6c7fc35c694f3e231be165c1599fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 18:31:02 +0100 Subject: [PATCH 0526/1383] avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv() Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int' Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e010e489b70c044a67c47083cf8eb03209ee89f) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index da0eee8cc7..5fbf7b3b4b 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -889,7 +889,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } for (k = 1; k < 8; k++) { block[k << sh] = ac_val2[k] * scale; From e9fa01eb600d658a728c2e9b049be07c737e5398 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 19:20:31 +0100 Subject: [PATCH 0527/1383] avcodec/wmaprodec: Fix buflen computation in save_bits() Fixes: Assertion failure Fixes: 18630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5201588654440448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 589cb44498b5e9683c95746255a2abd6d1e74f94) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index a5d8c91a1d..b3960c2761 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1564,9 +1564,9 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, s->frame_offset = get_bits_count(gb) & 7; s->num_saved_bits = s->frame_offset; init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); - } - - buflen = (put_bits_count(&s->pb) + len + 8) >> 3; + buflen = (s->num_saved_bits + len + 7) >> 3; + } else + buflen = (put_bits_count(&s->pb) + len + 7) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); From 1792310910761b7be98fbff23231770f9f976bdb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 20:40:46 +0100 Subject: [PATCH 0528/1383] avcodec/alac: Fix integer overflow in lpc_prediction() with sign Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 18643/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5672182449700864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7686ba1f149a94c3bac235589de8aa8db92be4e5) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index a6468b7137..c9ca025186 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -227,7 +227,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, val = d - pred[j]; sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; - val *= sign; + val *= (unsigned)sign; error_val -= (val >> lpc_quant) * (j + 1); } } From 0667c14ad61d9fbfac7c92000278be769420fa9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Nov 2019 21:19:24 +0100 Subject: [PATCH 0529/1383] avcodec/g729dec: require buf_size to be non 0 The 0 case was added with the support for multiple packets. It appears unintended and causes extra complexity and out of array accesses (though within padding) No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit f64be9da4c8b16071ec84056a61d1fc0d5d6728c) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 32218e5989..908c12a73a 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -416,7 +416,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, return ret; out_frame = (int16_t*) frame->data[0]; - if (buf_size % 10 == 0) { + if (buf_size && buf_size % 10 == 0) { packet_type = FORMAT_G729_8K; format = &format_g729_8k; //Reset voice decision From 9c026dd94d3fe921b180a917309334e3c43f614f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 18:30:26 +0200 Subject: [PATCH 0530/1383] avcodec/fitsdec: Use lrint() Fixes: fate-fitsdec-bitpix-64 Possibly Fixes: -nan is outside the range of representable values of type 'unsigned short' Possibly Fixes: 17769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5678314672357376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37f31f4e509fe4ccc56a64edaa6fa3d95ee20466) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 2 +- tests/ref/fate/fitsdec-bitpix-32 | 2 +- tests/ref/fate/fitsdec-bitpix-64 | 2 +- tests/ref/fate/fitsdec-blank_bitpix32 | 2 +- tests/ref/fate/fitsdec-ext_data_min_max | 2 +- tests/ref/fate/fitsdec-gray | 2 +- tests/ref/lavf/fits | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 1f06754f8b..32a79cdd0d 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -279,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < avctx->width; j++) { \ t = rd; \ if (!header.blank_found || t != header.blank) { \ - *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale; \ + *dst++ = lrint(((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale); \ } else { \ *dst++ = fitsctx->blank_val; \ } \ diff --git a/tests/ref/fate/fitsdec-bitpix-32 b/tests/ref/fate/fitsdec-bitpix-32 index 9bce361555..b3a51401d4 100644 --- a/tests/ref/fate/fitsdec-bitpix-32 +++ b/tests/ref/fate/fitsdec-bitpix-32 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 102x109 #sar 0: 0/1 -0, 0, 0, 1, 22236, 0x34490902 +0, 0, 0, 1, 22236, 0x24634517 diff --git a/tests/ref/fate/fitsdec-bitpix-64 b/tests/ref/fate/fitsdec-bitpix-64 index 9febdd68f4..e50d5e029c 100644 --- a/tests/ref/fate/fitsdec-bitpix-64 +++ b/tests/ref/fate/fitsdec-bitpix-64 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 77x173 #sar 0: 0/1 -0, 0, 0, 1, 26642, 0x0ad2a46a +0, 0, 0, 1, 26642, 0xa9eec634 diff --git a/tests/ref/fate/fitsdec-blank_bitpix32 b/tests/ref/fate/fitsdec-blank_bitpix32 index 184fd41c59..330d6710ca 100644 --- a/tests/ref/fate/fitsdec-blank_bitpix32 +++ b/tests/ref/fate/fitsdec-blank_bitpix32 @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 256x256 #sar 0: 0/1 -0, 0, 0, 1, 131072, 0x7fb22427 +0, 0, 0, 1, 131072, 0x3ecd0739 diff --git a/tests/ref/fate/fitsdec-ext_data_min_max b/tests/ref/fate/fitsdec-ext_data_min_max index 9009a4efb3..006d8d6250 100644 --- a/tests/ref/fate/fitsdec-ext_data_min_max +++ b/tests/ref/fate/fitsdec-ext_data_min_max @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 512x512 #sar 0: 0/1 -0, 0, 0, 1, 524288, 0xc327ed23 +0, 0, 0, 1, 524288, 0x6567ecb3 diff --git a/tests/ref/fate/fitsdec-gray b/tests/ref/fate/fitsdec-gray index 425b31fc0f..d080732452 100644 --- a/tests/ref/fate/fitsdec-gray +++ b/tests/ref/fate/fitsdec-gray @@ -3,4 +3,4 @@ #codec_id 0: rawvideo #dimensions 0: 128x128 #sar 0: 0/1 -0, 0, 0, 1, 16384, 0xd788a2d2 +0, 0, 0, 1, 16384, 0x353dbacd diff --git a/tests/ref/lavf/fits b/tests/ref/lavf/fits index 489542b32b..50b5fb78a2 100644 --- a/tests/ref/lavf/fits +++ b/tests/ref/lavf/fits @@ -3,7 +3,7 @@ ed9fd697d0d782df6201f6a2db184552 *./tests/data/lavf/graylavf.fits ./tests/data/lavf/graylavf.fits CRC=0xbacf446c 48e6caf6a59e32f9a8a39979c9183a7f *./tests/data/lavf/gray16belavf.fits 10368000 ./tests/data/lavf/gray16belavf.fits -./tests/data/lavf/gray16belavf.fits CRC=0xae2b58d4 +./tests/data/lavf/gray16belavf.fits CRC=0xce89ed97 be2f7112fd193c9a909304c81e662769 *./tests/data/lavf/gbrplavf.fits 15408000 ./tests/data/lavf/gbrplavf.fits ./tests/data/lavf/gbrplavf.fits CRC=0x04ed3828 From 53a03d98bd020cfceaccff01dc381bc84c7fdc8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Dec 2019 21:33:18 +0100 Subject: [PATCH 0531/1383] avcodec/atrac9dec: Check q_unit_cnt more completely before using it to access at9_tab_band_ext_group Fixes: index 8 out of bounds for type 'const uint8_t [8][3]' Fixes: 19127/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5709394985091072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit e1d836d2375c93cbc44a2b0d34e404682c1e8436) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index f89f24dfba..1586e85f26 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -202,7 +202,7 @@ static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b, int ext_band = 0; if (b->has_band_ext) { - if (b->q_unit_cnt < 13) + if (b->q_unit_cnt < 13 || b->q_unit_cnt > 20) return AVERROR_INVALIDDATA; ext_band = at9_tab_band_ext_group[b->q_unit_cnt - 13][2]; if (stereo) { From 745040d269bf642620a2046924caf43cd7572079 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 18:39:08 +0100 Subject: [PATCH 0532/1383] avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external Fixes: NULL pointer dereference Fixes: 18689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5715114640015360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 090ac5799751c6f52358da4e5201a3845760db93) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index b3960c2761..c8ae9608ff 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1899,6 +1899,8 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->start_channel[i] = start_channels; start_channels += s->xma[i].nb_channels; } + if (start_channels != avctx->channels) + return AVERROR_INVALIDDATA; return ret; } From b26f303865f3edd0055386d2b5c6a96d8eec8a37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 18:47:52 +0100 Subject: [PATCH 0533/1383] avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block() Fixes: signed integer overflow: 1778647621 + 574372924 cannot be represented in type 'int' Fixes: 18692/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6248679635943424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93d52a181ec050d3a4fb68f526604d39cd006be5) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 085c1b5261..4279ef9ef9 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -577,10 +577,10 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; last[2] = (int)((unsigned)last[1] + last[3]) >> 1; - t1 = ctx->D[0] + ctx->D[1]; + t1 = ctx->D[0] + (unsigned)ctx->D[1]; ctx->D[0] = t1 >> 1; ctx->D[1] = t1 - (t1 >> 1); - t2 = ctx->D[2] + ctx->D[3]; + t2 = ctx->D[2] + (unsigned)ctx->D[3]; ctx->D[2] = t2 >> 1; ctx->D[3] = t2 - (t2 >> 1); From 2b5abf94de1741bcd1ed68bbd3fd674398a43f3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 20:06:35 +0100 Subject: [PATCH 0534/1383] avcodec/wmaprodec: Check offset Fixes: index 33280 out of bounds for type 'float [32768]' Fixes: 18718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5635373899710464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5473c7825ea627a115155313a56a907d67a0d0c1) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index c8ae9608ff..71d8c24658 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1775,6 +1775,11 @@ static int xma_decode_packet(AVCodecContext *avctx, void *data, ret = decode_packet(avctx, &s->xma[s->current_stream], s->frames[s->current_stream], &got_stream_frame_ptr, avpkt); + if (got_stream_frame_ptr && s->offset[s->current_stream] >= 64) { + got_stream_frame_ptr = 0; + ret = AVERROR_INVALIDDATA; + } + /* copy stream samples (1/2ch) to sample buffer (Nch) */ if (got_stream_frame_ptr) { int start_ch = s->start_channel[s->current_stream]; From caa7f10047c7aa4b25b774c821db07a4236a6b72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 20:25:00 +0100 Subject: [PATCH 0535/1383] avcodec/wmaprodec: Set packet_loss when we error out on a sanity check Fixes: left shift of negative value -34 Fixes: 18719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5642658173419520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a9cbd25d89dbdf72f7b616fdf672d7da36143cfe) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 71d8c24658..7e9d4348b4 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1616,6 +1616,7 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, if (avctx->codec_id == AV_CODEC_ID_WMAPRO && buf_size < avctx->block_align) { av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", buf_size, avctx->block_align); + s->packet_loss = 1; return AVERROR_INVALIDDATA; } From 6770f0906686586f9a5f2c58ae12ea264558ada0 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 10 Nov 2019 05:07:28 +0100 Subject: [PATCH 0536/1383] avformat/id3v2: Fix double-free on error ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both key and value are freed on error (and owned by the destination dictionary on success), so that freeing them again on error is a double-free and therefore forbidden. But it nevertheless happened. Fixes CID 1452489 and 1452421. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 67d4940a7795aa3afc8d1e624de33b030e0be51e) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 5fe055b591..bec3300ad6 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -1262,8 +1262,6 @@ int ff_id3v2_parse_priv_dict(AVDictionary **metadata, ID3v2ExtraMeta **extra_met } if ((ret = av_dict_set(metadata, key, escaped, dict_flags)) < 0) { - av_free(key); - av_free(escaped); return ret; } } From 6355dde5563d9aee4b7a569180436835fabac638 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Nov 2019 16:38:36 +0100 Subject: [PATCH 0537/1383] avcodec/apedec: Fix 2 integer overflows Fixes: signed integer overflow: 2119056926 - -134217728 cannot be represented in type 'int' Fixes: 18728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5747539563511808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e15ba2d1f688c61759001839811b11903de9ce0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7d07f5f8f1..95bcc0c413 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1230,7 +1230,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) p->buf = p->historybuffer; } - p->filterA[0] = currentA + ((int)(p->filterA[0] * 31U) >> 5); + p->filterA[0] = currentA + (unsigned)((int)(p->filterA[0] * 31U) >> 5); *(decoded0++) = p->filterA[0]; } @@ -1298,7 +1298,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, else *f->adaptcoeffs = 0; - f->avg += (absres - f->avg) / 16; + f->avg += (int)(absres - (unsigned)f->avg) / 16; f->adaptcoeffs[-1] >>= 1; f->adaptcoeffs[-2] >>= 1; From 5ce0c254ddf3608fcab0733d06e16cc0d4c28a55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Nov 2019 23:00:51 +0100 Subject: [PATCH 0538/1383] avformat/rmdec: Initialize and sanity check offset in ivr_read_header() Fixes: signed integer overflow: -9223372036854775808 - 17 cannot be represented in type 'long' Fixes: 18768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674385247830016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e665e4a81e2e96eb45138a1dfa38617de2631a4) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index f26c5b4d90..5af5beccb3 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1174,7 +1174,7 @@ static int ivr_read_header(AVFormatContext *s) uint8_t key[256], val[256]; AVIOContext *pb = s->pb; AVStream *st; - int64_t pos, offset, temp; + int64_t pos, offset=0, temp; pos = avio_tell(pb); tag = avio_rl32(pb); @@ -1191,6 +1191,8 @@ static int ivr_read_header(AVFormatContext *s) offset = temp; temp = avio_rb64(pb); } + if (offset <= 0) + return AVERROR_INVALIDDATA; avio_skip(pb, offset - avio_tell(pb)); if (avio_r8(pb) != 1) return AVERROR_INVALIDDATA; From 6850c5e4cdcae5ee049f35ef244f1c3a83c30621 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 11 Dec 2019 18:54:38 -0300 Subject: [PATCH 0539/1383] avcodec/cbs_av1: fix array size for ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 Taking into account the code fb(2, ar_coeff_lag); num_pos_luma = 2 * current->ar_coeff_lag * (current->ar_coeff_lag + 1); if (current->num_y_points) num_pos_chroma = num_pos_luma + 1; else num_pos_chroma = num_pos_luma; Max value for ar_coeff_lag is 3 (two bits), for num_pos_luma 24, and for num_pos_chroma 25. Both ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 may have up to num_pos_chroma values. Reviewed-by: Ronald S. Bultje Signed-off-by: James Almer (cherry picked from commit a23dd33606d5a711fd632383d81a1d6c60082e0f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 71ceff9427..e3ba4bbd39 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -268,8 +268,8 @@ typedef struct AV1RawFrameHeader { uint8_t grain_scaling_minus_8; uint8_t ar_coeff_lag; uint8_t ar_coeffs_y_plus_128[24]; - uint8_t ar_coeffs_cb_plus_128[24]; - uint8_t ar_coeffs_cr_plus_128[24]; + uint8_t ar_coeffs_cb_plus_128[25]; + uint8_t ar_coeffs_cr_plus_128[25]; uint8_t ar_coeff_shift_minus_6; uint8_t grain_scale_shift; uint8_t cb_mult; From 627d5ff890a32437236e41047878c41404467e0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2019 22:03:50 +0100 Subject: [PATCH 0540/1383] avcodec/cbs_av1_syntax_template: Check num_y_points "It is a requirement of bitstream conformance that num_y_points is less than or equal to 14." Fixes: index 24 out of bounds for type 'uint8_t [24]' Fixes: 19282/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5747424845103104 Note, also needs a23dd33606d5 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit bbe27890ff7e31e74d024a17123cb073720f2486) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.h | 4 ++-- libavcodec/cbs_av1_syntax_template.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index e3ba4bbd39..0546623bea 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -256,8 +256,8 @@ typedef struct AV1RawFrameHeader { uint8_t update_grain; uint8_t film_grain_params_ref_idx; uint8_t num_y_points; - uint8_t point_y_value[16]; - uint8_t point_y_scaling[16]; + uint8_t point_y_value[14]; + uint8_t point_y_scaling[14]; uint8_t chroma_scaling_from_luma; uint8_t num_cb_points; uint8_t point_cb_value[16]; diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 1ac0c1dcb9..2dfdc81d95 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1045,7 +1045,7 @@ static int FUNC(film_grain_params)(CodedBitstreamContext *ctx, RWContext *rw, return 0; } - fb(4, num_y_points); + fc(4, num_y_points, 0, 14); for (i = 0; i < current->num_y_points; i++) { fbs(8, point_y_value[i], 1, i); fbs(8, point_y_scaling[i], 1, i); From 8bdb8b56890bd86fe735590ae740df2fcc789f39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 00:37:27 +0100 Subject: [PATCH 0541/1383] avcodec/mp3_header_decompress_bsf: Check sample_rate_index Fixes: out of array read Fixes: 19309/clusterfuzz-testcase-minimized-ffmpeg_BSF_MP3_HEADER_DECOMPRESS_fuzzer-5651002950942720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f064c7c449f162a9011ad890f26ceeca26934d22) Signed-off-by: Michael Niedermayer --- libavcodec/mp3_header_decompress_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mp3_header_decompress_bsf.c b/libavcodec/mp3_header_decompress_bsf.c index 294858953c..ab3d420300 100644 --- a/libavcodec/mp3_header_decompress_bsf.c +++ b/libavcodec/mp3_header_decompress_bsf.c @@ -62,6 +62,11 @@ static int mp3_header_decompress(AVBSFContext *ctx, AVPacket *out) lsf = sample_rate < (24000+32000)/2; mpeg25 = sample_rate < (12000+16000)/2; sample_rate_index= (header>>10)&3; + if (sample_rate_index == 3) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + sample_rate= avpriv_mpa_freq_tab[sample_rate_index] >> (lsf + mpeg25); //in case sample rate is a little off for(bitrate_index=2; bitrate_index<30; bitrate_index++){ From 4b521929cf739127b544d02bbcf45c1598cc085e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 19:19:57 +0100 Subject: [PATCH 0542/1383] avcodec/pnm: Check that the header is not truncated Fixes: Ticket8430 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c94cb8d9b21baeeecef962c72965dbedc4e0b0e1) Signed-off-by: Michael Niedermayer --- libavcodec/pnm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index b06a6e81b5..b5d074f1f8 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -108,6 +108,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) return AVERROR_INVALIDDATA; } } + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* check that all tags are present */ if (w <= 0 || h <= 0 || maxval <= 0 || maxval > UINT16_MAX || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) @@ -188,6 +191,10 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) } }else s->maxval=1; + + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* more check if YUV420 */ if (av_pix_fmt_desc_get(avctx->pix_fmt)->flags & AV_PIX_FMT_FLAG_PLANAR) { if ((avctx->width & 1) != 0) From e6f31fa16c0aa9c99a185bd683d2edce26e2bdcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 09:45:29 +0100 Subject: [PATCH 0543/1383] avcodec/iff: Skip overflowing runs in decode_delta_d() Fixes: Timeout (107sec - 75ms> Fixes: 18812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6295585225441280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 185f441ba26a2112725db1e8f218e54ac8068bbb) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 8a2ae2542d..eac873c9da 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1359,6 +1359,8 @@ static void decode_delta_d(uint8_t *dst, bytestream2_seek_p(&pb, (offset / planepitch_byte) * pitch + (offset % planepitch_byte) + k * planepitch, SEEK_SET); if (opcode >= 0) { uint32_t x = bytestream2_get_be32(&gb); + if (opcode && 4 + (opcode - 1LL) * pitch > bytestream2_get_bytes_left_p(&pb)) + continue; while (opcode && bytestream2_get_bytes_left_p(&pb) > 0) { bytestream2_put_be32(&pb, x); bytestream2_skip_p(&pb, pitch - 4); From 0de012a9e7a1dc638f68df7024451f305b683379 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 12:49:25 +0100 Subject: [PATCH 0544/1383] avcodec/wmalosslessdec: Check that padding bits is not more than sample bits Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5713317180211200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d428265808255ad2fc60355fe641aaa4fd3dae4) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d4f18b9841..45740a090b 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -950,6 +950,8 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) s->channel_residues[i][j] = get_sbits_long(&s->gb, bits); } else { + if (s->bits_per_sample < padding_zeroes) + return AVERROR_INVALIDDATA; for (i = 0; i < s->num_channels; i++) { if (s->is_channel_coded[i]) { decode_channel_residues(s, i, subframe_len); From 7417d4f90833a89fcf9d612384e1c36b1c33490c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 14:22:57 +0100 Subject: [PATCH 0545/1383] avcodec/wmalosslessdec: Fix several integer issues Fixes: shift exponent -1 is negative (and others) Fixes: 18852/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5660855295541248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec3fe67074ad0a6a3a817f6f42175ea63a98092b) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 45740a090b..c8c941c31a 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -678,7 +678,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) for (i = 0; i < ich; i++) pred[ich] += (uint32_t)s->channel_residues[i][icoef] * s->mclms_coeffs_cur[i + num_channels * ich]; - pred[ich] += 1 << s->mclms_scaling - 1; + pred[ich] += (1 << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; s->channel_residues[ich][icoef] += pred[ich]; } @@ -811,19 +811,19 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred = 0; for (j = 0; j < order; j++) { if (i <= j) - pred += filter_coeffs[j] * prevvalues[j - i]; + pred += (uint32_t)filter_coeffs[j] * prevvalues[j - i]; else - pred += s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; + pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; } pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (i = order; i < tile_size; i++) { pred = 0; for (j = 0; j < order; j++) pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (j = 0; j < order; j++) prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; From 6f2f504d3e4c8116f8f97a064c0795fc89d5d04d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 19:13:09 +0100 Subject: [PATCH 0546/1383] avcodec/adpcm: Fix invalid shift in xa_decode() Fixes: left shift of negative value -1 Fixes: 18859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5748474213040128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50db30b47d016fc4e7b47067545b15d22d4faddf) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 5dc5704a4d..ee0de58a62 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -392,7 +392,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out0[j] = s_1; @@ -419,7 +419,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d >> 4, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out1[j] = s_1; From 8065e6022021bc13d081fbd8159df90f5f7f6c90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 20:34:55 +0100 Subject: [PATCH 0547/1383] avcodec/wmaprodec: Fixes integer overflow with 32bit samples Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5755223125786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a9cc69c0d59057ea172a107e0308fdf5fd8fc04e) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 7e9d4348b4..f79f0f2750 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -543,7 +543,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) ff_mdct_init(&s->mdct_ctx[i], WMAPRO_BLOCK_MIN_BITS+1+i, 1, 1.0 / (1 << (WMAPRO_BLOCK_MIN_BITS + i - 1)) - / (1 << (s->bits_per_sample - 1))); + / (1ll << (s->bits_per_sample - 1))); /** init MDCT windows: simple sine window */ for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) { From 66582e349e3c26740658b5ef4a9c8820a9dfb465 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 22:05:40 +0100 Subject: [PATCH 0548/1383] avcodec/wmalosslessdec: Fix 2 overflows in mclms Fixes: signed integer overflow: 2038337026 + 109343477 cannot be represented in type 'int' Fixes: 18886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5673660505653248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 92455c8c65c403ea696cb8c63d474d386d631bbd) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c8c941c31a..7de93f241f 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -628,7 +628,7 @@ static void mclms_update(WmallDecodeCtx *s, int icoef, int *pred) int range = 1 << (s->bits_per_sample - 1); for (ich = 0; ich < num_channels; ich++) { - pred_error = s->channel_residues[ich][icoef] - pred[ich]; + pred_error = s->channel_residues[ich][icoef] - (unsigned)pred[ich]; if (pred_error > 0) { for (i = 0; i < order * num_channels; i++) s->mclms_coeffs[i + ich * order * num_channels] += @@ -680,7 +680,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) s->mclms_coeffs_cur[i + num_channels * ich]; pred[ich] += (1 << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; - s->channel_residues[ich][icoef] += pred[ich]; + s->channel_residues[ich][icoef] += (unsigned)pred[ich]; } } From a08a0c97a49837f728f6e12b12e5829ef6b987c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Nov 2019 09:18:12 +0100 Subject: [PATCH 0549/1383] avcodec/wmavoice: Check remaining input in parse_packet_header() Fixes: Infinite loop Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19c41969b26d07519fff8182a0d3266cdb712078) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index bb7950be47..8df67de65b 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1843,6 +1843,9 @@ static int parse_packet_header(WMAVoiceContext *s) skip_bits(gb, 4); // packet sequence number s->has_residual_lsps = get_bits1(gb); do { + if (get_bits_left(gb) < 6 + s->spillover_bitsize) + return AVERROR_INVALIDDATA; + res = get_bits(gb, 6); // number of superframes per packet // (minus first one if there is spillover) n_superframes += res; From bc94b45e9475409e9cfd31666985521a4ebeabf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:43:03 +0200 Subject: [PATCH 0550/1383] avcodec/dstdec: Use get_ur_golomb_jpegls() Fixes: shift exponent -4 is negative Fixes: 17793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5766088435957760 Fixes: 18989/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5175008116867072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76690c02b4fd12d7fac6f753af8bad72c82d55c) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index daf906ba0c..c548174331 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -120,7 +120,7 @@ static int read_map(GetBitContext *gb, Table *t, unsigned int map[DST_MAX_CHANNE static av_always_inline int get_sr_golomb_dst(GetBitContext *gb, unsigned int k) { - int v = get_ur_golomb(gb, k, get_bits_left(gb), 0); + int v = get_ur_golomb_jpegls(gb, k, get_bits_left(gb), 0); if (v && get_bits1(gb)) v = -v; return v; From 6537cb9b48f6cc822cb1a0785df51aa8f773c25f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Nov 2019 22:43:01 +0100 Subject: [PATCH 0551/1383] avcodec/targa: Check colors vs. available space Fixes: Timeout (37sec -> 52ms) Fixes: 18892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5739537854889984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01593278cef06dbb4491d50d03b72198d2848adf) Signed-off-by: Michael Niedermayer --- libavcodec/targa.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/targa.c b/libavcodec/targa.c index 93e0ef7905..a61fef1d7b 100644 --- a/libavcodec/targa.c +++ b/libavcodec/targa.c @@ -132,12 +132,6 @@ static int decode_frame(AVCodecContext *avctx, h = bytestream2_get_le16(&s->gb); bpp = bytestream2_get_byte(&s->gb); - if (bytestream2_get_bytes_left(&s->gb) <= idlen) { - av_log(avctx, AV_LOG_ERROR, - "Not enough data to read header\n"); - return AVERROR_INVALIDDATA; - } - flags = bytestream2_get_byte(&s->gb); if (!pal && (first_clr || colors || csize)) { @@ -146,6 +140,12 @@ static int decode_frame(AVCodecContext *avctx, first_clr = colors = csize = 0; } + if (bytestream2_get_bytes_left(&s->gb) < idlen + 2*colors) { + av_log(avctx, AV_LOG_ERROR, + "Not enough data to read header\n"); + return AVERROR_INVALIDDATA; + } + // skip identifier if any bytestream2_skip(&s->gb, idlen); From 8d4ab4e66de27de2a8638ae034d6e8a790bde0cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Nov 2019 23:02:56 +0100 Subject: [PATCH 0552/1383] avcodec/adpcm: Clip predictor for APC Fixes: signed integer overflow: -2147483648 - 13 cannot be represented in type 'int' Fixes: 18893/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_APC_fuzzer-5630760442920960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9fe07908c3f67d59cf4db5668d61b34506189590) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index ee0de58a62..edd5912b67 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -139,8 +139,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) break; case AV_CODEC_ID_ADPCM_IMA_APC: if (avctx->extradata && avctx->extradata_size >= 8) { - c->status[0].predictor = AV_RL32(avctx->extradata); - c->status[1].predictor = AV_RL32(avctx->extradata + 4); + c->status[0].predictor = av_clip_intp2(AV_RL32(avctx->extradata ), 18); + c->status[1].predictor = av_clip_intp2(AV_RL32(avctx->extradata + 4), 18); } break; case AV_CODEC_ID_ADPCM_IMA_WS: From 98e15ff21b85e7ba5464e710bb013d2c76140887 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 00:27:09 +0100 Subject: [PATCH 0553/1383] avcodec/cbs_vp9: Check index_size Fixes: out of array read Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit d6553e2e60a389296dd2f83a96f944ccfa5877a0) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 0b5f137ed8..d70a542d8f 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -428,6 +428,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) * ((superframe_header & 0x07) + 1); + if (index_size > frag->data_size) + return AVERROR_INVALIDDATA; + err = init_get_bits(&gbc, frag->data + frag->data_size - index_size, 8 * index_size); if (err < 0) From 780e8ac273ee8208c3dddcad54561674a7f6ba25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2019 00:57:07 +0100 Subject: [PATCH 0554/1383] avcodec/cbs_vp9: Check data_size Fixes: out of array access Fixes: 19542/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5659498341728256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 4fa2d5a692f40c398a299acf2c6a20f5b98a3708) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_vp9.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index d70a542d8f..aab4cc8331 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -416,6 +416,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, uint8_t superframe_header; int err; + if (frag->data_size == 0) + return AVERROR_INVALIDDATA; + // Last byte in the packet. superframe_header = frag->data[frag->data_size - 1]; From 8e75a698501495bc4a65e9ccd202ea491275f746 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2019 12:22:25 +0100 Subject: [PATCH 0555/1383] avcodec/iff: Check that video_size is large enough for the read parameters video is allocated before parameters like bpp are read. Fixes: out of array access Fixes: 19084/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5718556033679360 Fixes: 19465/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5759908398235648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1b97f62f86d5dca35d01d7a5ebbc5dca2a88ae6) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index eac873c9da..a03f80ce53 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -322,6 +322,8 @@ static int extract_header(AVCodecContext *const avctx, av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp); return AVERROR_INVALIDDATA; } + if (s->video_size && s->planesize * s->bpp * avctx->height > s->video_size) + return AVERROR_INVALIDDATA; av_freep(&s->ham_buf); av_freep(&s->ham_palbuf); From 332f7a4c0086348820d288a91753237bada762d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2019 16:46:46 +0100 Subject: [PATCH 0556/1383] avcodec/wmadec: Keep track of exponent initialization per channel Fixes: division by 0 Fixes: 19123/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5655493121146880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf5c850b795126d4f60dd9498c06f0492f5726a7) Signed-off-by: Michael Niedermayer --- libavcodec/wma.h | 2 +- libavcodec/wmadec.c | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 8344cb5b93..c7fcf5047c 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h @@ -123,7 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; - int exponents_initialized; + int exponents_initialized[MAX_CHANNELS]; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index bb9bc8d236..6365fe7f47 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -585,11 +585,14 @@ static int wma_decode_block(WMACodecContext *s) decode_exp_lsp(s, ch); } s->exponents_bsize[ch] = bsize; + s->exponents_initialized[ch] = 1; } } - s->exponents_initialized = 1; - }else if (!s->exponents_initialized) { - return AVERROR_INVALIDDATA; + } + + for (ch = 0; ch < s->avctx->channels; ch++) { + if (s->channel_coded[ch] && !s->exponents_initialized[ch]) + return AVERROR_INVALIDDATA; } /* parse spectral coefficients : just RLE encoding */ From f8dc85589e419e8be61ad4dd3fb4f955be135ad9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Dec 2019 00:19:42 +0100 Subject: [PATCH 0557/1383] avcodec/atrac9dec: Clamp band_ext_data to max that can be read if skipped. Fixes: out of array read Fixes: 19327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5679823087468544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 18ff210efb8d158f3e8c79508d99a52eaebf9d48) Signed-off-by: Michael Niedermayer --- libavcodec/atrac9dec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c index 1586e85f26..061f2e7ceb 100644 --- a/libavcodec/atrac9dec.c +++ b/libavcodec/atrac9dec.c @@ -226,8 +226,18 @@ static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b, b->channel[0].band_ext = get_bits(gb, 2); b->channel[0].band_ext = ext_band > 2 ? b->channel[0].band_ext : 4; - if (!get_bits(gb, 5)) + if (!get_bits(gb, 5)) { + for (int i = 0; i <= stereo; i++) { + ATRAC9ChannelData *c = &b->channel[i]; + const int count = at9_tab_band_ext_cnt[c->band_ext][ext_band]; + for (int j = 0; j < count; j++) { + int len = at9_tab_band_ext_lengths[c->band_ext][ext_band][j]; + c->band_ext_data[j] = av_clip_uintp2_c(c->band_ext_data[j], len); + } + } + return 0; + } for (int i = 0; i <= stereo; i++) { ATRAC9ChannelData *c = &b->channel[i]; From 6f3967255d998d86dc7764645ff0f33ce25523b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Dec 2019 23:31:22 +0100 Subject: [PATCH 0558/1383] avcodec/vc1dec: Free sprite_output_frame on error Fixes: memleaks Fixes: 19471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5688035714269184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3ee9240be3e4044ae9e60a9a3a68820bf8075299) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index ac3198e4fd..d2f25fabec 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -576,14 +576,21 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (v->sprite_width > 1 << 14 || v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || - v->output_height > 1 << 14) return -1; + v->output_height > 1 << 14) { + ret = -1; + goto error; + } if ((v->sprite_width&1) || (v->sprite_height&1)) { avpriv_request_sample(avctx, "odd sprites support"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto error; } } return 0; +error: + av_frame_free(&v->sprite_output_frame); + return ret; } /** Close a VC1/WMV3 decoder From 99e424546c121680ee9d04734a1d6ec2974332ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Dec 2019 00:04:23 +0100 Subject: [PATCH 0559/1383] avcodec/vc1dec: Fix "return -1" cases Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit 26f040bcb4a1db78d1311af2e69de6984ecb43e5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index d2f25fabec..fcc482e7eb 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -431,7 +431,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->output_height = avctx->height; if (!avctx->extradata_size || !avctx->extradata) - return -1; + return AVERROR_INVALIDDATA; v->s.avctx = avctx; if ((ret = ff_vc1_init_common(v)) < 0) @@ -472,7 +472,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 16) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small: %i\n", avctx->extradata_size); - return -1; + return AVERROR_INVALIDDATA; } buf2 = av_mallocz(avctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -508,7 +508,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) av_free(buf2); if (!seq_initialized || !ep_initialized) { av_log(avctx, AV_LOG_ERROR, "Incomplete extradata\n"); - return -1; + return AVERROR_INVALIDDATA; } v->res_sprite = (avctx->codec_id == AV_CODEC_ID_VC1IMAGE); } @@ -577,7 +577,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || v->output_height > 1 << 14) { - ret = -1; + ret = AVERROR_INVALIDDATA; goto error; } From 5a485d052a5ac5440334db3fe4153cce283bd808 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Dec 2019 19:48:46 +0100 Subject: [PATCH 0560/1383] avcodec/twinvqdec: Correct overflow in block align check Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 19126/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TWINVQ_fuzzer-5687464110325760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc93ae3d725e892927f04002021337c2f90252a) Signed-off-by: Michael Niedermayer --- libavcodec/twinvqdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/twinvqdec.c b/libavcodec/twinvqdec.c index c2353f51b5..c00ebb2ad5 100644 --- a/libavcodec/twinvqdec.c +++ b/libavcodec/twinvqdec.c @@ -404,7 +404,7 @@ static av_cold int twinvq_decode_init(AVCodecContext *avctx) tctx->frame_size = avctx->bit_rate * tctx->mtab->size / avctx->sample_rate + 8; tctx->is_6kbps = 0; - if (avctx->block_align && avctx->block_align * 8 / tctx->frame_size > 1) { + if (avctx->block_align && avctx->block_align * 8LL / tctx->frame_size > 1) { av_log(avctx, AV_LOG_ERROR, "VQF TwinVQ should have only one frame per packet\n"); return AVERROR_INVALIDDATA; From 7f4c5ede99a374af011631c9bcf9db8f181ee618 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 23:22:05 +0200 Subject: [PATCH 0561/1383] avcodec/sonic: Check e in get_symbol() Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int' Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 Fixes: 18753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5663299131932672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aea67556116330d3151e4cd3ef1e266b5d90f388) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 953c70fcd4..1b16825403 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; From 74ef2ddbdb5ed4d6a4ffc0b7a20ba4b6fa6e14fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Nov 2019 22:45:07 +0100 Subject: [PATCH 0562/1383] avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe() Fixes: signed integer overflow: 47875596 * 45 cannot be represented in type 'int' Fixes: 19082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5687766512041984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53efab44a9d0971c6c12d9b3d1af855ca863c847) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 7de93f241f..d47fd89c52 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -979,7 +979,7 @@ static int decode_subframe(WmallDecodeCtx *s) if (s->quant_stepsize != 1) for (i = 0; i < s->num_channels; i++) for (j = 0; j < subframe_len; j++) - s->channel_residues[i][j] *= s->quant_stepsize; + s->channel_residues[i][j] *= (unsigned)s->quant_stepsize; } /* Write to proper output buffer depending on bit-depth */ From 36f5f748b746fd38f0f718b96c1403590fecb3cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Nov 2019 21:39:48 +0100 Subject: [PATCH 0563/1383] avcodec/cook: Use 3 stage VLC decoding for channel_coupling Fixes: shift exponent -1 is negative Fixes: out of array read Fixes: 19028/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5759766471376896 Fixes: 19037/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5734106625474560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89fd76db71d9d4f87c51fee2a2edf99662444df7) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 90b22ecca7..f7b2461a2b 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -759,7 +759,7 @@ static int decouple_info(COOKContext *q, COOKSubpacket *p, int *decouple_tab) for (i = 0; i < length; i++) decouple_tab[start + i] = get_vlc2(&q->gb, p->channel_coupling.table, - p->channel_coupling.bits, 2); + p->channel_coupling.bits, 3); else for (i = 0; i < length; i++) { int v = get_bits(&q->gb, p->js_vlc_bits); From d79db0e0a1d161e7c6497ccaf42a79eb7998784e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Nov 2019 21:50:57 +0100 Subject: [PATCH 0564/1383] avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() Fixes: signed integer overflow: 2147464192 + 21176 cannot be represented in type 'int' Fixes: 19042/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5719828090585088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fa47f6412dbf93b4865adf8c66618906a3274330) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 349b45534d..b9c63abb8d 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -350,7 +350,8 @@ fail: static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, int32_t *channels) { - int32_t amp, val, *cv; + int32_t amp, *cv; + unsigned val; struct ws_interval *in; int i, *last, pink; uint32_t c, all_ch = 0; From d46875ce545b4baa81060c2587c3a97ac012bd85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jan 2020 21:58:28 +0100 Subject: [PATCH 0565/1383] avcodec/pgssubdec: Free subtitle on error Fixes: Assertion failure Fixes: 19753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5688461843759104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b0a718923bb4a75b0c1cbf283fb17a319b840346) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 8c10f6d573..7fadcb8b4b 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -691,8 +691,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, ret = AVERROR_INVALIDDATA; break; } - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) { + avsubtitle_free(data); + *data_size = 0; return ret; + } buf += segment_length; } From 9a992aadf0edf128a5773436f4cc7bdefa01595a Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Wed, 1 Jan 2020 12:14:30 +0530 Subject: [PATCH 0566/1383] configure: bump year (cherry picked from commit 7b58702cbdce097f32f62c87cd537ab28c04ffb2) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index a9644e211b..c9666891af 100755 --- a/configure +++ b/configure @@ -7243,7 +7243,7 @@ cat > $TMPH < Date: Fri, 15 Nov 2019 15:12:14 -0300 Subject: [PATCH 0567/1383] avcodec/cbs_av1: fix reading reference order hint in skip_mode_params() Reviewed-by: Ronald S. Bultje Signed-off-by: James Almer (cherry picked from commit 2703068110dce2c145a2d3a0f380f8e0de79b632) --- libavcodec/cbs_av1_syntax_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 2dfdc81d95..12b6564a26 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -882,7 +882,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw, forward_idx = -1; backward_idx = -1; for (i = 0; i < AV1_REFS_PER_FRAME; i++) { - ref_hint = priv->ref[i].order_hint; + ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint; dist = cbs_av1_get_relative_dist(seq, ref_hint, current->order_hint); if (dist < 0) { @@ -913,7 +913,7 @@ static int FUNC(skip_mode_params)(CodedBitstreamContext *ctx, RWContext *rw, second_forward_idx = -1; for (i = 0; i < AV1_REFS_PER_FRAME; i++) { - ref_hint = priv->ref[i].order_hint; + ref_hint = priv->ref[current->ref_frame_idx[i]].order_hint; if (cbs_av1_get_relative_dist(seq, ref_hint, forward_hint) < 0) { if (second_forward_idx < 0 || From 1ad341851968bd41980531e4c00fb9592399cfcd Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 17 Nov 2019 21:08:56 -0300 Subject: [PATCH 0568/1383] avcodec/cbs_av1: keep separate reference frame state for reading and writing In scearios where a Temporal Unit is written right after reading it using the same CBS context (av1_metadata, av1_frame_merge, etc), the reference frame state used by the writer must not be the state that's the result of the reader having already parsed the current frame in question. This fixes writing Switch frames, and frames using short ref signaling. Signed-off-by: James Almer (cherry picked from commit 4e2bef6a82b356772a5919c51c9be1530268bd79) --- libavcodec/cbs_av1.c | 4 ++++ libavcodec/cbs_av1.h | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 80628c72ba..c680b34f17 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -978,6 +978,8 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, priv->spatial_id = 0; } + priv->ref = (AV1ReferenceFrameState *)&priv->read_ref; + switch (obu->header.obu_type) { case AV1_OBU_SEQUENCE_HEADER: { @@ -1114,6 +1116,8 @@ static int cbs_av1_write_obu(CodedBitstreamContext *ctx, td = NULL; start_pos = put_bits_count(pbc); + priv->ref = (AV1ReferenceFrameState *)&priv->write_ref; + switch (obu->header.obu_type) { case AV1_OBU_SEQUENCE_HEADER: { diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h index 0546623bea..144d1ebbf7 100644 --- a/libavcodec/cbs_av1.h +++ b/libavcodec/cbs_av1.h @@ -421,7 +421,9 @@ typedef struct CodedBitstreamAV1Context { int tile_cols; int tile_rows; - AV1ReferenceFrameState ref[AV1_NUM_REF_FRAMES]; + AV1ReferenceFrameState *ref; + AV1ReferenceFrameState read_ref[AV1_NUM_REF_FRAMES]; + AV1ReferenceFrameState write_ref[AV1_NUM_REF_FRAMES]; // Write buffer. uint8_t *write_buffer; From 07afe2e3ca2e33a52acd142ba0595e495589de96 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 28 Jul 2019 19:23:15 +0100 Subject: [PATCH 0569/1383] cbs_h264: Fix missing inferred colour description fields With video_signal_type_present_flag set but colour_description_present_flag unset the colour fields would not have had their correct values inferred. (cherry picked from commit f9b8503639c0ff90846f07c92e2fe7836690dd0c) --- libavcodec/cbs_h264_syntax_template.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 07b4cddb5e..57fc02082c 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -137,6 +137,10 @@ static int FUNC(vui_parameters)(CodedBitstreamContext *ctx, RWContext *rw, u(8, colour_primaries, 0, 255); u(8, transfer_characteristics, 0, 255); u(8, matrix_coefficients, 0, 255); + } else { + infer(colour_primaries, 2); + infer(transfer_characteristics, 2); + infer(matrix_coefficients, 2); } } else { infer(video_format, 5); From 3413eb6091d44386dea9e31fa56e34120766ec53 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 2 Dec 2019 14:38:52 -0300 Subject: [PATCH 0570/1383] avcodec/av1_parser: skip frames with spatial_id > 0 This fixes marking keyframes in svc samples. Signed-off-by: James Almer (cherry picked from commit 5985ca0436f26483f37259357bf34bbf743252ed) --- libavcodec/av1_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/av1_parser.c b/libavcodec/av1_parser.c index 0390de0b36..18c6b94caf 100644 --- a/libavcodec/av1_parser.c +++ b/libavcodec/av1_parser.c @@ -100,6 +100,9 @@ static int av1_parser_parse(AVCodecParserContext *ctx, else continue; + if (obu->header.spatial_id > 0) + continue; + if (frame->show_existing_frame) { AV1ReferenceFrameState *ref = &av1->ref[frame->frame_to_show_map_idx]; From c96a52b7146244a0515b8bdd67fa3b6a0a143974 Mon Sep 17 00:00:00 2001 From: Fei Wang Date: Wed, 11 Dec 2019 09:37:40 +0800 Subject: [PATCH 0571/1383] avcodec/cbs_av1: avoid reading trailing bits when obu type is OBU_TILE_LIST Signed-off-by: Fei Wang Signed-off-by: James Almer (cherry picked from commit 1ea44178f5fff7eb600026a09a0ce7d477ed0240) --- libavcodec/cbs_av1.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index c680b34f17..8e962b8721 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -1072,6 +1072,7 @@ static int cbs_av1_read_unit(CodedBitstreamContext *ctx, if (obu->obu_size > 0 && obu->header.obu_type != AV1_OBU_TILE_GROUP && + obu->header.obu_type != AV1_OBU_TILE_LIST && obu->header.obu_type != AV1_OBU_FRAME) { int nb_bits = obu->obu_size * 8 + start_pos - end_pos; From 4062a67d9d5ad44a29ad4d2d24ed4e1f35767853 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2020 15:46:50 +0100 Subject: [PATCH 0572/1383] Changelog: Fix formating for 4.1.4 --- Changelog | 210 +++++++++++++++++++++++++++--------------------------- 1 file changed, 105 insertions(+), 105 deletions(-) diff --git a/Changelog b/Changelog index 84b557b1b7..beb6a6f729 100644 --- a/Changelog +++ b/Changelog @@ -2,111 +2,111 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.4: - avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows - avcodec/golomb: Correct the doxy about get_ue_golomb() and errors - avformat/utils: Check timebase before use in estimate_timings() - avcodec/hq_hqa: Use ff_set_dimensions() - avcodec/rv10: Fix integer overflow in aspect ratio compare - avcodec/4xm: Fix signed integer overflows in idct() - avcodec/qdm2: Check checksum_size for 0 - avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop - avcodec/qdm2: Do not read out of array in fix_coding_method_array() - avcodec/svq3: Use ff_set_dimension() - avcodec/iff: Check ham vs bpp - avcodec/ffwavesynth: use uint32_t to compute difference, it is enough - avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case - avcodec/ffwavesynth: Fix backward lcg_seek() - avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP() - avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff() - avcodec/alac: Check lpc_quant - avcodec/dxv: Initialize tex_funct to NULL - avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP - avcodec/alsdec: Fix integer overflow with buffer number - avcodec/alsdec: Fixes signed integer overflow in LSB addition - avcodec/alsdec: Check opt_order / sb_length in ra_block handling - avcodec/alsdec: Fix integer overflow with shifting samples - avcodec/alsdec: Fix undefined behavior in decode_rice() - avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT() - avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight - avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns - avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check - avformat/aviobuf: Delay buffer downsizing until asserts are met - avcodec/fitsdec: Check data_min/max - avcodec/m101: Fix off be 2 error - avcodec/qdm2: Move fft_order check up - avcodec/libvorbisdec: Check extradata size - avformat/vqf: Check header_size - avcodec/atrac9dec: Check q_unit_cnt in parse_band_ext() - avcodec/atrac9dec: Check that the reused block has succeeded initilization - avcodec/utils: Check bits_per_coded_sample - avcodec/videodsp_template: Fix overflow of addition - avcodec/alsdec: Fix invalid shift in multiply() - avcodec/ffwavesynth: Check ts_end - ts_start for overflow - avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c - avcodec/tta: Fix undefined shift - avcodec/qdmc: Fix integer overflows in PRNG - avcodec/bintext: Check font height - avcodec/binkdsp: Fix integer overflows in idct - avcodec/bink: Fix integer overflow in unquantize_dct_coeffs() - avcodec/motionpixels: Check for vlc error in mp_get_vlc() - avcodec/loco: Limit lossy parameter so it is sane and does not overflow - avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed - avcodec/xpmdec: Do not use context dimensions as temporary variables - avcodec/fitsdec: Fix division by 0 in size check - avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c() - avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block() - avcodec/iff: finetune the palette size check in the mask case - avcodec/iff: Fix mask_buf / mask_palbuf leak - avformat/icodec: Free ico->images on error paths - avformat/wsddec: Fix undefined shift - avcodec/fmvc: Check if header fields are available before allocating the image - avcodec/bink: Reorder operations in init to avoid memleak on error - avformat/wtvdec: Avoid (32bit signed) sectors - avcodec/bitstream: Check for more conflicting codes in build_table() - avcodec/bitstream: Check for integer code truncation in build_table() - avformat/sbgdec: Fixes integer overflow in str_to_time() with hours - avformat/vpk: Check offset for validity - avformat/vpk: Fix integer overflow in samples_per_block computation - avcodec/mjpegdec: Check for non ls PAL8 - avcodec/interplayvideo: check decoding_map_size with video_data_size - avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle - avcodec/mss4: Check input size against skip bits - avcodec/dxv: Check op_offset in dxv_decompress_cocg() - avcodec/diracdec: Fix integer overflow in global_mv() - avcodec/vmnc: Check available space against chunks before reget_buffer() - avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure) - avcodec/aacdec_fixed: Handle more extreem cases in noise_scale() - avcodec/aacdec_template: Merge 3 #ifs related to noise handling - avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify - avformat/mp3enc: Avoid SEEK_END as it is unsupported - avcodec/truemotion2: Fix several integer overflows in tm2_update_block() - avformat/webm_chunk: Specify expected argument length of get_chunk_filename() - avformat/webm_chunk: Check header filename length - avcodec/cpia: Check input size also against linesizes and EOL - swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes - libswcale: Fix possible string overflow in test. - avcodec/hq_hqa: Check available space before reading slice offsets - lavf/webm_chunk: Respect buffer size - avcodec/fits: Check bitpix - avcodec/jvdec: Use ff_get_buffer() when the content is not reused - avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block() - avcodec/gdv: Check input palette size before rescale() - avcodec/jpeg2000: Check stepsize before using it - avcodec/aacdec_fixed: Fix undefined shift in noise_scale() - avutil/avstring: Fix bug and undefined behavior in av_strncasecmp() - avformat/mov: Skip stsd adjustment without chunks - avformat/aadec: Check for scanf() failure - avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside - avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform() - avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation - avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks() - movsub_bsf: Fix mov2textsub regression - lavc/libaomenc: Add a maximum constraint of 64 encoder threads. - avformat/aacdec: fix demuxing of small frames - avcodec/cuviddec: improve progressive frame detection - avformat/matroskaenc: fix leak on error - avformat/av1: Initialize padding in ff_isom_write_av1c - avcodec/cbs_av1: fix parsing spatial_id +- avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows +- avcodec/golomb: Correct the doxy about get_ue_golomb() and errors +- avformat/utils: Check timebase before use in estimate_timings() +- avcodec/hq_hqa: Use ff_set_dimensions() +- avcodec/rv10: Fix integer overflow in aspect ratio compare +- avcodec/4xm: Fix signed integer overflows in idct() +- avcodec/qdm2: Check checksum_size for 0 +- avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop +- avcodec/qdm2: Do not read out of array in fix_coding_method_array() +- avcodec/svq3: Use ff_set_dimension() +- avcodec/iff: Check ham vs bpp +- avcodec/ffwavesynth: use uint32_t to compute difference, it is enough +- avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case +- avcodec/ffwavesynth: Fix backward lcg_seek() +- avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP() +- avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff() +- avcodec/alac: Check lpc_quant +- avcodec/dxv: Initialize tex_funct to NULL +- avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP +- avcodec/alsdec: Fix integer overflow with buffer number +- avcodec/alsdec: Fixes signed integer overflow in LSB addition +- avcodec/alsdec: Check opt_order / sb_length in ra_block handling +- avcodec/alsdec: Fix integer overflow with shifting samples +- avcodec/alsdec: Fix undefined behavior in decode_rice() +- avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT() +- avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight +- avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns +- avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check +- avformat/aviobuf: Delay buffer downsizing until asserts are met +- avcodec/fitsdec: Check data_min/max +- avcodec/m101: Fix off be 2 error +- avcodec/qdm2: Move fft_order check up +- avcodec/libvorbisdec: Check extradata size +- avformat/vqf: Check header_size +- avcodec/atrac9dec: Check q_unit_cnt in parse_band_ext() +- avcodec/atrac9dec: Check that the reused block has succeeded initilization +- avcodec/utils: Check bits_per_coded_sample +- avcodec/videodsp_template: Fix overflow of addition +- avcodec/alsdec: Fix invalid shift in multiply() +- avcodec/ffwavesynth: Check ts_end - ts_start for overflow +- avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c +- avcodec/tta: Fix undefined shift +- avcodec/qdmc: Fix integer overflows in PRNG +- avcodec/bintext: Check font height +- avcodec/binkdsp: Fix integer overflows in idct +- avcodec/bink: Fix integer overflow in unquantize_dct_coeffs() +- avcodec/motionpixels: Check for vlc error in mp_get_vlc() +- avcodec/loco: Limit lossy parameter so it is sane and does not overflow +- avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed +- avcodec/xpmdec: Do not use context dimensions as temporary variables +- avcodec/fitsdec: Fix division by 0 in size check +- avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c() +- avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block() +- avcodec/iff: finetune the palette size check in the mask case +- avcodec/iff: Fix mask_buf / mask_palbuf leak +- avformat/icodec: Free ico->images on error paths +- avformat/wsddec: Fix undefined shift +- avcodec/fmvc: Check if header fields are available before allocating the image +- avcodec/bink: Reorder operations in init to avoid memleak on error +- avformat/wtvdec: Avoid (32bit signed) sectors +- avcodec/bitstream: Check for more conflicting codes in build_table() +- avcodec/bitstream: Check for integer code truncation in build_table() +- avformat/sbgdec: Fixes integer overflow in str_to_time() with hours +- avformat/vpk: Check offset for validity +- avformat/vpk: Fix integer overflow in samples_per_block computation +- avcodec/mjpegdec: Check for non ls PAL8 +- avcodec/interplayvideo: check decoding_map_size with video_data_size +- avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle +- avcodec/mss4: Check input size against skip bits +- avcodec/dxv: Check op_offset in dxv_decompress_cocg() +- avcodec/diracdec: Fix integer overflow in global_mv() +- avcodec/vmnc: Check available space against chunks before reget_buffer() +- avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure) +- avcodec/aacdec_fixed: Handle more extreem cases in noise_scale() +- avcodec/aacdec_template: Merge 3 #ifs related to noise handling +- avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify +- avformat/mp3enc: Avoid SEEK_END as it is unsupported +- avcodec/truemotion2: Fix several integer overflows in tm2_update_block() +- avformat/webm_chunk: Specify expected argument length of get_chunk_filename() +- avformat/webm_chunk: Check header filename length +- avcodec/cpia: Check input size also against linesizes and EOL +- swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes +- libswcale: Fix possible string overflow in test. +- avcodec/hq_hqa: Check available space before reading slice offsets +- lavf/webm_chunk: Respect buffer size +- avcodec/fits: Check bitpix +- avcodec/jvdec: Use ff_get_buffer() when the content is not reused +- avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block() +- avcodec/gdv: Check input palette size before rescale() +- avcodec/jpeg2000: Check stepsize before using it +- avcodec/aacdec_fixed: Fix undefined shift in noise_scale() +- avutil/avstring: Fix bug and undefined behavior in av_strncasecmp() +- avformat/mov: Skip stsd adjustment without chunks +- avformat/aadec: Check for scanf() failure +- avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside +- avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform() +- avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation +- avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks() +- movsub_bsf: Fix mov2textsub regression +- lavc/libaomenc: Add a maximum constraint of 64 encoder threads. +- avformat/aacdec: fix demuxing of small frames +- avcodec/cuviddec: improve progressive frame detection +- avformat/matroskaenc: fix leak on error +- avformat/av1: Initialize padding in ff_isom_write_av1c +- avcodec/cbs_av1: fix parsing spatial_id version 4.1.3: - avcodec/rscc: Check that the to be uncompressed input is large enough From 2f54cd9548e2a8fe0ecba9a345b66f0798dd243e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2020 15:45:33 +0100 Subject: [PATCH 0573/1383] Update for FFmpeg 4.1.5 --- Changelog | 320 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 322 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index beb6a6f729..b4d7bd2c9e 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,326 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.5: +- Changelog: Fix formating for 4.1.4 +- avcodec/cbs_av1: avoid reading trailing bits when obu type is OBU_TILE_LIST +- avcodec/av1_parser: skip frames with spatial_id > 0 +- cbs_h264: Fix missing inferred colour description fields +- avcodec/cbs_av1: keep separate reference frame state for reading and writing +- avcodec/cbs_av1: fix reading reference order hint in skip_mode_params() +- configure: bump year +- avcodec/pgssubdec: Free subtitle on error +- avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() +- avcodec/cook: Use 3 stage VLC decoding for channel_coupling +- avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe() +- avcodec/sonic: Check e in get_symbol() +- avcodec/twinvqdec: Correct overflow in block align check +- avcodec/vc1dec: Fix "return -1" cases +- avcodec/vc1dec: Free sprite_output_frame on error +- avcodec/atrac9dec: Clamp band_ext_data to max that can be read if skipped. +- avcodec/wmadec: Keep track of exponent initialization per channel +- avcodec/iff: Check that video_size is large enough for the read parameters +- avcodec/cbs_vp9: Check data_size +- avcodec/cbs_vp9: Check index_size +- avcodec/adpcm: Clip predictor for APC +- avcodec/targa: Check colors vs. available space +- avcodec/dstdec: Use get_ur_golomb_jpegls() +- avcodec/wmavoice: Check remaining input in parse_packet_header() +- avcodec/wmalosslessdec: Fix 2 overflows in mclms +- avcodec/wmaprodec: Fixes integer overflow with 32bit samples +- avcodec/adpcm: Fix invalid shift in xa_decode() +- avcodec/wmalosslessdec: Fix several integer issues +- avcodec/wmalosslessdec: Check that padding bits is not more than sample bits +- avcodec/iff: Skip overflowing runs in decode_delta_d() +- avcodec/pnm: Check that the header is not truncated +- avcodec/mp3_header_decompress_bsf: Check sample_rate_index +- avcodec/cbs_av1_syntax_template: Check num_y_points +- avcodec/cbs_av1: fix array size for ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 +- avformat/rmdec: Initialize and sanity check offset in ivr_read_header() +- avcodec/apedec: Fix 2 integer overflows +- avformat/id3v2: Fix double-free on error +- avcodec/wmaprodec: Set packet_loss when we error out on a sanity check +- avcodec/wmaprodec: Check offset +- avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block() +- avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external +- avcodec/atrac9dec: Check q_unit_cnt more completely before using it to access at9_tab_band_ext_group +- avcodec/fitsdec: Use lrint() +- avcodec/g729dec: require buf_size to be non 0 +- avcodec/alac: Fix integer overflow in lpc_prediction() with sign +- avcodec/wmaprodec: Fix buflen computation in save_bits() +- avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv() +- avcodec/vmdaudio: Check chunk counts to avoid integer overflow +- avformat/mxfdec: Clear metadata_sets_count in mxf_read_close() +- avcodec/nuv: Use ff_set_dimensions() +- avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next +- avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel() +- avcodec/g729dec: Use 64bit and clip in scalar product +- avcodec/mxpegdec: Check for multiple SOF +- avcodec/nuv: Move comptype check up +- avcodec/wmavoice: Fix integer overflow in synth_frame() +- avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases +- avutil/lfg: Correct index increment type to avoid undefined behavior +- avcodec/cngdec: Remove AV_CODEC_CAP_DELAY +- avcodec/iff: Move index use after check in decodeplane8() +- avcodec/atrac3: Check for huge block aligns +- avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() +- avcodec/wmadec: Require previous exponents for reuse +- avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling +- avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid +- avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter() +- avcodec/sonic: Fix integer overflow in predictor_calc_error() +- avcodec/atrac9dec: Check precision_fine/coarse +- avformat/mp3dec: Check that the frame fits within the probe buffer +- avcodec/wmaprodec: get frame during frame decode +- avcodec/interplayacm: Fix overflow of last unused value +- avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI +- avcodec/cook: Move up and extend block_align check +- avcodec/sbcdec: Fix integer overflows in sbc_synthesize_four() +- avcodec/twinvq: Check block_align +- avcodec/cook: Enlarge gain table +- avcodec/cook: Check samples_per_channel earlier +- avcodec/atrac3plus: Check split point in fill mode 3 +- avcodec/wmavoice: Check sample_rate +- avcodec/xsubdec: fix overflow in alpha handling +- avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta() +- avcodec/apedec: Fix integer overflow in filter_3800() +- avutil/lfg: Document the AVLFG struct +- avcodec/ffv1dec: Use a different error message for the slice level CRC +- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() +- avcodec/dstdec: Check that AC probabilities are within range +- avcodec/dstdec: Check read_table() for failure +- avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0 +- avcodec/snowenc: Fix 2 undefined shifts +- avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags() +- avcodec/aptx: Check the number of channels +- avcodec/aacdec_template: Check samplerate +- avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block() +- avcodec/utils: Check block_align +- avcodec/wmalosslessdec: Fix some integer anomalies +- avcodec/adpcm: Fix invalid shifts in ADPCM DTK +- avcodec/apedec: Only clear the needed buffer space, instead of all +- avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads +- avcodec/g723_1dec: fix invalid shift with negative sid_gain +- avcodec/vp5: Check render_x/y +- avcodec/qdrw: Check input for header/skiped space before get_buffer() +- avcodec/ralf: Skip initializing unused filter variables +- avcodec/takdec: Fix overflow with large sample rates +- avcodec/atrac9dec: Set channels +- avcodec/alsdec: Check that input space for header exists in read_diff_float_data() +- avformat/pjsdec: Check duration for overflow +- avcodec/ptx: Check that the input contains at least one line +- avcodec/alac: Fix integer overflow in LPC +- avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame() +- avcodec/aliaspixdec: Check input size against minimal picture size +- avcodec/ffwavesynth: Fix integer overflows in pink noise addition +- avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv() +- avcodec/wmalosslessdec: Check block_align +- avcodec/g729postfilter: Fix left shift of negative value +- avcodec/binkaudio: Check sample rate +- avcodec/sbcdec: Fix integer overflows in sbc_synthesize_eight() +- avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS +- avcodec/g723_1dec: Fix overflow in shift +- avcodec/apedec: Fix integer overflow in predictor_update_3930() +- avcodec/g729postfilter: Fix undefined intermediate pointers +- avcodec/g729postfilter: Fix undefined shifts +- avcodec/lsp: Fix undefined shifts in lsp2poly() +- avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA +- avformat/shortendec: Check k in probe +- avfilter/vf_geq: Use av_clipd() instead of av_clipf() +- avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels +- avcodec/qdmc: Check input space in qdmc_get_vlc() +- avcodec/pcm: Check bits_per_coded_sample +- avcodec/exr: Allow duplicate use of channel indexes +- avcodec/fitsdec: Fail on 0 naxisn +- avcodec/dxv: Subtract 12 earlier in dxv_decompress_cocg() +- libavcodec/dxv: Remove redundant seek +- avcodec/ituh263dec: Check input for minimal frame size +- avcodec/truemotion1: Check that the input has enough space for a minimal index_stream +- avformat/mpsubdec: Clear queue on error +- avcodec/sunrast: Check that the input is large enough for the maximally compressed image +- avcodec/sunrast: Check for availability of maplength before allocating image +- avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize() +- avcodec/vc1_block: Fix invalid left shift in vc1_decode_p_mb() +- avcodec/wmaprodec: Check if there is a stream +- avcodec/g2meet: Check for end of input in jpg_decode_block() +- avcodec/g2meet: Check if adjusted pixel was on the stack +- avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet +- avcodec/dxv: Check op_offset in dxv_decompress_yo() +- avcodec/utils: Check sample_rate before opening the decoder +- avcodec/aptx: Fix multiple shift anomalies +- avcodec/fitsdec: fix use of uninitialised values +- avcodec/motionpixels: Mark 2 functions as always_inline +- avcodec/ituh263dec: Make the condition for the studio slice start code match between ff_h263_resync() and ff_mpeg4_decode_studio_slice_header() +- avcodec/ralf: Fix integer overflow in decode_channel() +- vcodec/vc1: compute rangex/y only for P/B frames +- avcodec/vc1_pred: Fix invalid shifts in scaleforopp() +- avcodec/vc1_block: Fix invalid shift with rangeredfrm +- avcodec/vc1: Check for excessive resolution +- avcodec/vc1: check REFDIST +- avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter() +- avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs() +- avcodec/4xm: Check index in decode_i_block() also in the path where its not used. +- avcodec/loco: Check for end of input in the first line +- avcodec/atrac3: Check block_align +- avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop +- avcodec/fitsdec: Prevent division by 0 with huge data_max +- avcodec/dstdec: Fix integer overflow in samples_per_frame computation +- avcodec/g729_parser: Check block_size +- avcodec/sbcdec: Initialize number of channels +- avcodec/utils: Optimize ff_color_frame() using memcpy() +- avcodec/aacdec: Check if we run out of input in read_stream_mux_config() +- avcodec/utils: Use av_memcpy_backptr() in ff_color_frame() +- avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL +- avcodec/alac: Fix invalid shifts in 20/24 bps +- avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction() +- avcodec/ffwavesynth: Fix integer overflow in timestamps +- avcodec/dxv: Check op_offset in both directions +- avcodec/adpcm: Check number of channels for MTAF +- avcodec/sunrast: Fix indention +- avcodec/sunrast: Fix return type for "unsupported (compression) type" +- avcodec/utils: Check channels fully earlier +- avformat/mov: Check for EOF in mov_read_meta() +- avcodec/hevcdec: Fix memleak of a53_caption +- avformat/cdxl: Fix integer overflow in intermediate +- avcodec/hevcdec: repeat character in skiped +- avcodec/gdv: Replace assert() checking bitstream by if() +- libavcodec/utils: Free threads on init failure +- avcodec/htmlsubtitles: Avoid locale dependant isdigit() +- avcodec/alsdec: Check k from being outside what our implementation can handle +- avcodec/takdec: Fix integer overflow in decorrelate() +- avcodec/aacps: Fix integer overflows in hybrid_synthesis() +- avcodec/mpeg4videodec: Fix integer overflow in mpeg4_decode_studio_block() +- avcodec/vp56rac: delay signaling an error on truncated input +- avcodec/qdm2: Check frame size +- avcodec/vc1_pred: Fix refdist in scaleforopp() +- avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2 +- avcodec/iff: Check for overlap in cmap_read_palette() +- avcodec/apedec: Fix 32bit int overflow in do_apply_filter() +- avcodec/ralf: fix undefined shift in extend_code() +- avcodec/ralf: fix undefined shift +- avcodec/bgmc: Check input space in ff_bgmc_decode_init() +- avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block() +- avcodec/vc1_block: Check the return code from vc1_decode_p_block() +- avcodec/vc1dec: Require res_sprite for wmv3images +- avcodec/vc1_block: Check for double escapes +- avcodec/vorbisdec: Check get_vlc2() failure +- avcodec/tta: Fix integer overflow in prediction +- avcodec/vb: Check input packet size to be large enough to contain flags +- avcodec/cavsdec: Limit the number of access units per packet to 2 +- avcodec/atrac9dec: Check block_align +- avcodec/alac: Check for bps of 0 +- avcodec/alac: Fix multiple integer overflows in lpc_prediction() +- avcodec/rl2: set dimensions +- avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP +- avcodec/idcinvideo: Add 320x240 default maximum resolution +- avformat/realtextdec: free queue on error +- avcodec/vp5/6/8: use vpX_rac_is_end() +- avcodec/alsdec: Fix integer overflow in decode_var_block_data() +- avcodec/alsdec: Limit maximum channels to 512 +- avcodec/anm: Check input size for a frame with just a stop code +- avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer() +- avcodec/loco: Check left column value +- avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking +- avcodec/ffwavesynth: Fix integer overflow for some corner case values +- avcodec/indeo2: Check remaining input more often +- avcodec/diracdec: Check that slices are fewer than pixels +- avcodec/vp56: Consider the alpha start as end of the prior header +- avcodec/4xm: Check for end of input in decode_p_block() +- avcodec/hevcdec: Check delta_luma_weight_l0/1 +- avcodec/hnm4video: Optimize postprocess_current_frame() +- avcodec/hevc_refs: Optimize 16bit generate_missing_ref() +- avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33 +- avcodec/dds: Use ff_set_dimensions() +- avcodec/mpc8: Fix 32bit mask/enum +- avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data() +- avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks() +- avcodec/alsdec: fix mantisse shift +- avcodec/vc1_block: Fix invalid shifts in vc1_decode_i_blocks() +- avcodec/vc1_block: fix invalid shift in vc1_decode_p_mb() +- avcodec/aacdec_template: fix integer overflow in imdct_and_windowing() +- libavcodec/iff: Use unsigned to avoid undefined behaviour +- avcodec/alsdec: Check for block_length <= 0 in read_var_block_data() +- avcodec/vqavideo: Set video size +- avcodec/sanm: Check extradata_size before allocations +- avcodec/mss1: check for overread and forward errors +- avcodec/loco: Check for end of input in pixel decode +- avcodec/dirac_parser: Fix overflow in dts +- avcodec/ralf: Fix undefined pointer in decode_channel() +- avcodec/ralf: Fix integer overflow in apply_lpc() +- avcodec/vorbisdec: Implement vr->classifications = 1 +- avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide +- avformat/realtextdec: Check for duplicate extradata in realtext_read_header() +- avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use +- avcodec/apedec: Fix 2 signed overflows +- avcodec/mss3: Check for the rac stream being invalid in rac_normalize() +- avcodec/vc1_block: Check get_vlc2() return before use +- avcodec/apedec: Do not partially clear data array +- avcodec/atrac9dec: Check grad_range[1] more tightly +- avcodec/hnm4video: Forward errors of decode_interframe_v4() +- avcodec/clearvideo: fix invalid shift in tile size check +- avcodec/vp3: Check that theora is theora +- avcodec/vc1_pred: Fix invalid shift in scaleforsame() +- avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc() +- avcodec/truemotion2: Fix several integer overflows in tm2_motion_block() +- avcodec/apedec: make left/right unsigned to avoid undefined behavior +- avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800() +- avformat/mpc: deallocate frames array on errors +- avcodec/eatqi: Check for minimum frame size +- avcodec/eatgv: Check remaining size after the keyframe header +- avcodec/assdec: undefined use of memcpy() +- avcodec/brenderpix: Check input size before allocating image +- lafv/wavdec: Fail bext parsing on incomplete reads +- avcodec/utils: fix leak of subtitle_header on error path +- avcodec/utils: Check close before calling it +- tools/target_dec_fuzzer: Free parser in case of avcodec_open2() failure +- avcodec/vorbisdec: Check vlc for floor0 dec vector offset +- avcodec/vorbisdec: amplitude bits can be more than 25 bits +- avutil/softfloat_ieee754: Fix odd bit position for exponent and sign in av_bits2sf_ieee754() +- avcodec/apedec: Fix various integer overflows +- avcodec/apedec: Fix multiple integer overflows in predictor_update_filter() +- avcodec/alsdec: fix undefined shift in multiply() +- avcodec/alsdec: Fix 2 integer overflows +- avcodec/flicvideo: Make line_packets int +- avcodec/dvbsubdec: Use ff_set_dimensions() +- avcodec/ffwavesynth: Check if there is enough extradata before allocation +- avcodec/ffwavesynth: More correct cast in wavesynth_seek() +- avcodec/ffwavesynth: Check sample rate before use +- avcodec/dnxhd_parser: Fix parser when input does not have nicely sized packets +- avcodec/dnxhd_parser: remove unneeded code +- avformat/utils: Check rfps_duration_sum for overflow +- avcodec/h264_refs: Also check reference in ff_h264_build_ref_list() +- avcodec/atrac9dec: Check conditions before apply_band_extension() to avoid out of array read in initialization of unused variables +- avcodec/parser: Check next index validity in ff_combine_frame() +- avcodec/ivi: Ask for samples with odd tiles +- avformat/xmv: Make bitrate 64bit +- avcodec/pngdec: Check that previous_picture has same w/h/format +- avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation) +- avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame() +- avcodec/utils, avcodec_open2: close codec on failure +- avformat/rpl: Replace strcpy with av_strlcpy +- avcodec/amfnec: allocate packets using av_new_packet() +- avcodec/nvenc: make sure newly allocated packets are refcounted +- lavc/mpeg4audio: add chan_config check to avoid indeterminate channels +- aformat/movenc: add missing padding to output track extradata +- avcodec/nvenc: add driver version info for latest SDKs +- avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it +- lavf/rawenc: Only accept the appropriate stream type for raw muxers. +- lavc/tableprint_vlc: Remove avpriv_request_sample() from included files. +- avcodec/h263dec: fix hwaccel decoding +- avutil/mem: Fix invalid use of av_alloc_size +- cbs_h2645: Fix infinite loop in more_rbsp_data +- avformat/aacdec: resync to the next adts frame on invalid data instead of aborting +- avformat/aacdec: factorize the adts frame resync code +- cbs_mpeg2: Fix storage type for frame_centre_*_offset +- cbs_mpeg2: Improve checks for invalid values +- avcodec/cbs_mpeg2: fix leak of extra_information_slice buffer in cbs_mpeg2_read_slice_header() +- lavc/cbs: Do not use format specifier "z" on Windows. +- lavc/cbs_vp9: Make variable prob unsigned. +- avcodec/cbs_h264: fix storage type for time_offset in Pic Timing SEI +- avcodec/cbs_h2645: add helper macros for signed values +- avcodec/cbs: add helper functions and macros to read and write signed values +- cbs_h264: Fix handling of auxiliary pictures + version 4.1.4: - avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows - avcodec/golomb: Correct the doxy about get_ue_golomb() and errors diff --git a/RELEASE b/RELEASE index a95f288444..b1cbc1fcd2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.4 +4.1.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index f04da164f5..4de2cbcca9 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.4 +PROJECT_NUMBER = 4.1.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 4521700f295f35da4768f88b570e0836a858ce7b Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 16 Nov 2018 22:03:37 +0100 Subject: [PATCH 0574/1383] lavf/hlsenc: Do not mix declarations and code. Fixes the following warnings: libavformat/hlsenc.c: In function 'hls_write_trailer': libavformat/hlsenc.c:2364:17: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement] uint8_t *buffer = NULL; ^~~~~~~ libavformat/hlsenc.c:2372:17: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement] int byterange_mode = (hls->flags & HLS_SINGLE_FILE) || (hls->max_seg_size > 0); ^~~ libavformat/hlsenc.c:2379:13: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement] int range_length = 0; ^~~ (cherry picked from commit fc94e9704e056a2dc85745ffec685ffb6fcd142e) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index f8f060d065..fa45a62844 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -2348,26 +2348,26 @@ static int hls_write_trailer(struct AVFormatContext *s) return AVERROR(ENOMEM); } if ( hls->segment_type == SEGMENT_TYPE_FMP4) { + int range_length = 0; if (!vs->init_range_length) { + uint8_t *buffer = NULL; + int range_length, byterange_mode; av_write_frame(vs->avf, NULL); /* Flush any buffered data */ avio_flush(oc->pb); - uint8_t *buffer = NULL; - int range_length = avio_close_dyn_buf(oc->pb, &buffer); + range_length = avio_close_dyn_buf(oc->pb, &buffer); avio_write(vs->out, buffer, range_length); av_free(buffer); vs->init_range_length = range_length; avio_open_dyn_buf(&oc->pb); vs->packets_written = 0; vs->start_pos = range_length; - int byterange_mode = (hls->flags & HLS_SINGLE_FILE) || (hls->max_seg_size > 0); + byterange_mode = (hls->flags & HLS_SINGLE_FILE) || (hls->max_seg_size > 0); if (!byterange_mode) { ff_format_io_close(s, &vs->out); hlsenc_io_close(s, &vs->out, vs->base_output_dirname); } } - - int range_length = 0; if (!(hls->flags & HLS_SINGLE_FILE)) { ret = hlsenc_io_open(s, &vs->out, vs->avf->url, NULL); if (ret < 0) { From de3d708dbf6dd2982dfde48c002463759ca6945b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 29 Mar 2020 01:32:34 +0100 Subject: [PATCH 0575/1383] avformat/dashdec: Don't allocate and leak strings that are never used Since commit e134c203 strdups of several elements of a manifest are kept in the DASHContext; but said commit completely forgot to free these strings again (with xmlFree()). Given that these strings are never used at all, this commit closes this leak by reverting said commit. This reverts commit e134c20374ee3cbc6d04885d306b02c9871683a2. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3c138e5ceb487490f88015b1694ce34c1393736c) --- libavformat/dashdec.c | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 497e7e469c..2283b2438a 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -122,19 +122,6 @@ struct representation { typedef struct DASHContext { const AVClass *class; char *base_url; - char *adaptionset_contenttype_val; - char *adaptionset_par_val; - char *adaptionset_lang_val; - char *adaptionset_minbw_val; - char *adaptionset_maxbw_val; - char *adaptionset_minwidth_val; - char *adaptionset_maxwidth_val; - char *adaptionset_minheight_val; - char *adaptionset_maxheight_val; - char *adaptionset_minframerate_val; - char *adaptionset_maxframerate_val; - char *adaptionset_segmentalignment_val; - char *adaptionset_bitstreamswitching_val; int n_videos; struct representation **videos; @@ -1080,26 +1067,12 @@ static int parse_manifest_adaptationset(AVFormatContext *s, const char *url, xmlNodePtr period_segmentlist_node) { int ret = 0; - DASHContext *c = s->priv_data; xmlNodePtr fragment_template_node = NULL; xmlNodePtr content_component_node = NULL; xmlNodePtr adaptionset_baseurl_node = NULL; xmlNodePtr adaptionset_segmentlist_node = NULL; xmlNodePtr adaptionset_supplementalproperty_node = NULL; xmlNodePtr node = NULL; - c->adaptionset_contenttype_val = xmlGetProp(adaptionset_node, "contentType"); - c->adaptionset_par_val = xmlGetProp(adaptionset_node, "par"); - c->adaptionset_lang_val = xmlGetProp(adaptionset_node, "lang"); - c->adaptionset_minbw_val = xmlGetProp(adaptionset_node, "minBandwidth"); - c->adaptionset_maxbw_val = xmlGetProp(adaptionset_node, "maxBandwidth"); - c->adaptionset_minwidth_val = xmlGetProp(adaptionset_node, "minWidth"); - c->adaptionset_maxwidth_val = xmlGetProp(adaptionset_node, "maxWidth"); - c->adaptionset_minheight_val = xmlGetProp(adaptionset_node, "minHeight"); - c->adaptionset_maxheight_val = xmlGetProp(adaptionset_node, "maxHeight"); - c->adaptionset_minframerate_val = xmlGetProp(adaptionset_node, "minFrameRate"); - c->adaptionset_maxframerate_val = xmlGetProp(adaptionset_node, "maxFrameRate"); - c->adaptionset_segmentalignment_val = xmlGetProp(adaptionset_node, "segmentAlignment"); - c->adaptionset_bitstreamswitching_val = xmlGetProp(adaptionset_node, "bitstreamSwitching"); node = xmlFirstElementChild(adaptionset_node); while (node) { From 41b03de299307f3683dc0ed63cea2e14fb158ef8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 20 Nov 2019 13:26:59 +0100 Subject: [PATCH 0576/1383] avformat/matroskadec: Fix default value of BlockAddID Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit dbc50f8a935043243232b2e01f3c012ab6d49928) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2b42cff9a8..87ff2db86d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -684,7 +684,7 @@ static const EbmlSyntax matroska_segments[] = { }; static const EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, { 0 } }; From 6376b6b00ba3d4705de077a0b6f6de3aefe33ff4 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 20 Apr 2020 15:25:58 -0300 Subject: [PATCH 0577/1383] avcodec/cbs_h265: fix writing extension_data bits We only care about the right most bit. Signed-off-by: James Almer (cherry picked from commit 38d1815cc65dd447de80760895ee008cfc9a0091) --- libavcodec/cbs_h265_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index e43f3caf99..52e45aa6db 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -80,7 +80,7 @@ static int FUNC(extension_data)(CodedBitstreamContext *ctx, RWContext *rw, } #else for (k = 0; k < current->bit_length; k++) - xu(1, extension_data, current->data[k / 8] >> (7 - k % 8), 0, 1, 0); + xu(1, extension_data, current->data[k / 8] >> (7 - k % 8) & 1, 0, 1, 0); #endif return 0; } From 8efc398218b11b48abc9e3ed6d3eb81218332dd8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 11:40:23 +0200 Subject: [PATCH 0578/1383] avcodec/libopusenc: Don't free user-provided AVPacket Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit b803993b6d99423c8c1e01e7e206e3916a98d5d5) --- libavcodec/libopusenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 7c025a66d7..13017ac323 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -503,7 +503,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -512,7 +511,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); From 68f5905f3cf6e98a3b7ab1ea9f2d84556be83c10 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:11:30 +0200 Subject: [PATCH 0579/1383] libavcodec/libmp3lame: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7e6941e185649409f44fb5aa31207bd7b00d23cd) --- libavcodec/libmp3lame.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index ecdd2e334c..2beb28e569 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -279,7 +279,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((discard_padding < avctx->frame_size) != (avpkt->duration > 0)) { av_log(avctx, AV_LOG_ERROR, "discard padding overflow\n"); av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if ((!s->delay_sent && avctx->initial_padding > 0) || discard_padding > 0) { @@ -288,7 +287,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } if (!s->delay_sent) { From dc8443017203989d9a7bdc95f60177df1e7c71f4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:13:26 +0200 Subject: [PATCH 0580/1383] libavcodec/libvpxenc: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 26b45096906097a73ba587bf3b98dada4e795224) --- libavcodec/libvpxenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 09f7a88452..547c0c5d57 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -849,7 +849,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); From 0df1210631532319e7a60b35c3c82580bce6893f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 25 Jun 2020 15:10:35 +0200 Subject: [PATCH 0581/1383] avcodec/bitstream: Don't check for undefined behaviour after it happened Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a) Signed-off-by: Andreas Rheinhardt --- libavcodec/bitstream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 32f3055a6f..de3acf0838 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, uint32_t code; volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2 - table_size = 1 << table_nb_bits; if (table_nb_bits > 30) return -1; + table_size = 1 << table_nb_bits; table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC); ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size); if (table_index < 0) From 8d90a8cb37c1ec2596d6b2e0cdfeb0975b87bfee Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 18 Jun 2020 14:37:38 +0200 Subject: [PATCH 0582/1383] avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX Fixes: assertion failure Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 23264/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6308429248593920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6f06c17a55137855c67ba4a7b6778ca34ddbbe6b) Signed-off-by: Andreas Rheinhardt --- libavcodec/cbs_av1.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index 8e962b8721..ff1323de3d 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -125,8 +125,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc, put_bits(pbc, 1, 1); } else { zeroes = av_log2(value + 1); - v = value - (1 << zeroes) + 1; - put_bits(pbc, zeroes + 1, 1); + v = value - (1U << zeroes) + 1; + put_bits(pbc, zeroes, 0); + put_bits(pbc, 1, 1); put_bits(pbc, zeroes, v); } From 458d0dea90c8e9756658d5931463421fc6974fc6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 20 Apr 2019 00:03:15 +0200 Subject: [PATCH 0583/1383] lavf/webm_chunk: Fix NULL dereference The earlier version of the webm_chunk muxer had several bugs: 1. If the first packet of an audio stream didn't have a PTS of zero, then no chunk will be started before a packet is delivered to the underlying Matroska/WebM muxer, i.e. the AVFormatContext used to write these packets had a NULL as AVIOContext for output. This is behind the crash in ticket #5752. 2. If an error happens during writing a packet, the underlyimg Matroska/WebM muxer context is freed. This leads to a use-after-free coupled with a double-free in webm_chunk_write_trailer (which supposes that the underlying AVFormatContext is still valid). 3. Even when no error occurs at all, webm_chunk_write_trailer is still buggy: After the underlying Matroska/WebM muxer has written its trailer, ending the chunk implicitly flushes it again which is illegal at this point. These bugs have been fixed. Fixes #5752. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8c6ee7626bcce7c270360f33b60dc7ef99939fc3) Signed-off-by: Andreas Rheinhardt --- libavformat/webm_chunk.c | 44 +++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index 5590e1d5bb..f443747027 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -173,7 +173,7 @@ static int chunk_start(AVFormatContext *s) return 0; } -static int chunk_end(AVFormatContext *s) +static int chunk_end(AVFormatContext *s, int flush) { WebMChunkContext *wc = s->priv_data; AVFormatContext *oc = wc->avf; @@ -184,11 +184,14 @@ static int chunk_end(AVFormatContext *s) char filename[MAX_FILENAME_SIZE]; AVDictionary *options = NULL; - if (wc->chunk_start_index == wc->chunk_index) + if (!oc->pb) return 0; - // Flush the cluster in WebM muxer. - oc->oformat->write_packet(oc, NULL); + + if (flush) + // Flush the cluster in WebM muxer. + oc->oformat->write_packet(oc, NULL); buffer_size = avio_close_dyn_buf(oc->pb, &buffer); + oc->pb = NULL; ret = get_chunk_filename(s, 0, filename); if (ret < 0) goto fail; @@ -199,7 +202,6 @@ static int chunk_end(AVFormatContext *s) goto fail; avio_write(pb, buffer, buffer_size); ff_format_io_close(s, &pb); - oc->pb = NULL; fail: av_dict_free(&options); av_free(buffer); @@ -221,27 +223,19 @@ static int webm_chunk_write_packet(AVFormatContext *s, AVPacket *pkt) } // For video, a new chunk is started only on key frames. For audio, a new - // chunk is started based on chunk_duration. - if ((st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && + // chunk is started based on chunk_duration. Also, a new chunk is started + // unconditionally if there is no currently open chunk. + if (!oc->pb || (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && (pkt->flags & AV_PKT_FLAG_KEY)) || (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO && - (pkt->pts == 0 || wc->duration_written >= wc->chunk_duration))) { + wc->duration_written >= wc->chunk_duration)) { wc->duration_written = 0; - if ((ret = chunk_end(s)) < 0 || (ret = chunk_start(s)) < 0) { - goto fail; + if ((ret = chunk_end(s, 1)) < 0 || (ret = chunk_start(s)) < 0) { + return ret; } } ret = oc->oformat->write_packet(oc, pkt); - if (ret < 0) - goto fail; - -fail: - if (ret < 0) { - oc->streams = NULL; - oc->nb_streams = 0; - avformat_free_context(oc); - } return ret; } @@ -250,12 +244,20 @@ static int webm_chunk_write_trailer(AVFormatContext *s) { WebMChunkContext *wc = s->priv_data; AVFormatContext *oc = wc->avf; + int ret; + + if (!oc->pb) { + ret = chunk_start(s); + if (ret < 0) + goto fail; + } oc->oformat->write_trailer(oc); - chunk_end(s); + ret = chunk_end(s, 0); +fail: oc->streams = NULL; oc->nb_streams = 0; avformat_free_context(oc); - return 0; + return ret; } #define OFFSET(x) offsetof(WebMChunkContext, x) From 9a3edef421ad245d450b57d6ce9dd8fd2be6920a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 15 Sep 2019 22:01:20 +0200 Subject: [PATCH 0584/1383] avcodec/ttaenc: Fix undefined shift MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ttaenc contained (1 << unary) - 1 as an argument for a function expecting an unsigned int. unary can be as big as 31 in this case. The type of the shift and the whole expression is int, because 1 fits into an integer, so that the behaviour is undefined if unary == 31 as the result of the shift can't be represented in an int §. Subtraction by 1 (which makes the result of the whole expression representable in an int) doesn't change that this is undefined (it usually leads to signed integer overflow which is undefined, too). The solution is simple: Make 1 unsigned to change the type of the whole expression to unsigned int (as the function expects anyway). Fixes ticket #8153. §: This of course presupposes the common int range of -2^31..2^31-1 Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3ab488a5407f833ecc66e8fa4c537dc4852db720) Signed-off-by: Andreas Rheinhardt --- libavcodec/ttaenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index 3cc54d78c5..08a0d0483a 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c @@ -164,7 +164,7 @@ pkt_alloc: put_bits(&pb, 31, 0x7FFFFFFF); unary -= 31; } else { - put_bits(&pb, unary, (1 << unary) - 1); + put_bits(&pb, unary, (1U << unary) - 1); unary = 0; } } while (unary); From 8ee6b52db0e68f897d9829e51407fb35a90dfe48 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 17:54:59 +0200 Subject: [PATCH 0585/1383] avformat/mov: Fix memleak When the mov/mp4 demuxer encounters an error during decrypting a packet, it returns the error, yet doesn't free the packet, so that the packet leaks. This has been fixed in this commit. Fixes the memleaks from ticket #8150. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 34bd293b014efc816bd7aab068d7f9e4a6d3011a) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4de31135b4..9467370cce 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7819,8 +7819,10 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) aax_filter(pkt->data, pkt->size, mov); ret = cenc_filter(mov, st, sc, pkt, current_index); - if (ret < 0) + if (ret < 0) { + av_packet_unref(pkt); return ret; + } return 0; } From 9744ed6e52ed006e99447a7b4fd53c0057d0d7f1 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 17:55:01 +0200 Subject: [PATCH 0586/1383] fftools/ffmpeg_opt: Fix signed integer overflow Fixes ticket #8154. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2b1fcba8ddcb7d29299ea28403fb597640a7288b) Signed-off-by: Andreas Rheinhardt --- fftools/ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index d4851a2cd8..1893234789 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -1,3 +1,4 @@ + /* * ffmpeg option parsing * @@ -2729,13 +2730,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg) } else { /* Try to determine PAL/NTSC by peeking in the input files */ if (nb_input_files) { - int i, j, fr; + int i, j; for (j = 0; j < nb_input_files; j++) { for (i = 0; i < input_files[j]->nb_streams; i++) { AVStream *st = input_files[j]->ctx->streams[i]; + int64_t fr; if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) continue; - fr = st->time_base.den * 1000 / st->time_base.num; + fr = st->time_base.den * 1000LL / st->time_base.num; if (fr == 25000) { norm = PAL; break; From 0284b72c8acbc19b78baec78c58b08a2b313e7f4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:59 +0200 Subject: [PATCH 0587/1383] avcodec/tdsc: Fix undefined shifts Fixes the tdsc FATE-test. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 86bef10e7aee338a4df60c57904c16e33509e76e) Signed-off-by: Andreas Rheinhardt --- libavcodec/tdsc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index 4182404cf0..e9ea41ef55 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -187,7 +187,7 @@ static void tdsc_paint_cursor(AVCodecContext *avctx, uint8_t *dst, int stride) static int tdsc_load_cursor(AVCodecContext *avctx) { TDSCContext *ctx = avctx->priv_data; - int i, j, k, ret, bits, cursor_fmt; + int i, j, k, ret, cursor_fmt; uint8_t *dst; ctx->cursor_hot_x = bytestream2_get_le16(&ctx->gbc); @@ -231,7 +231,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) case CUR_FMT_MONO: for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { dst[0] = !!(bits & 0x80000000); dst += 4; @@ -244,7 +244,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) dst = ctx->cursor; for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { int mask_bit = !!(bits & 0x80000000); switch (dst[0] * 2 + mask_bit) { From 9083b1054aba65726aa92197b6e9e99cab5e04ba Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:06 +0200 Subject: [PATCH 0588/1383] avcodec/ac3enc: Fix invalid shift Fixes the FATE-tests unknown_layout-ac3, ac3-fixed-encode, ac3-encode and eac3-encode. It furthermore fixes the ac3-encoder bugs mentioned in tickets #7994, #8144 and #8159. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2f289ec914cc7e8133858d4f9e8d91dab685ae44) Signed-off-by: Andreas Rheinhardt --- libavcodec/ac3enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c index 636ca72050..032881724b 100644 --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c @@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset) { int blk, ch; - snr_offset = (snr_offset - 240) << 2; + snr_offset = (snr_offset - 240) * 4; reset_block_bap(s); for (blk = 0; blk < s->num_blocks; blk++) { From 5dc4b3209f55131e9746954ca6d47f050512ad29 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 18 Sep 2019 02:03:58 +0200 Subject: [PATCH 0589/1383] avutil/encryption_info: Don't pass NULL to memcpy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pointer arguments to memcpy (and several other functions of the C standard library) are not allowed to be NULL, not even when the number of bytes to copy is zero. An AVEncryptionInitInfo's data pointer is explicitly allowed to be NULL and yet av_encryption_init_info_add_side_data unconditionally used it as a source pointer to copy from. This commit changes this so that copying is only done if the number of bytes to copy is > 0. Fixes ticket #8141 as well as a part of ticket #8150. Signed-off-by: Andreas Rheinhardt Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit e6018fda14d7cfe2c890fb336c9264c4ea0b6c5c) Signed-off-by: Andreas Rheinhardt --- libavutil/encryption_info.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/encryption_info.c b/libavutil/encryption_info.c index 812c704776..dd3fa71a44 100644 --- a/libavutil/encryption_info.c +++ b/libavutil/encryption_info.c @@ -331,8 +331,10 @@ uint8_t *av_encryption_init_info_add_side_data(const AVEncryptionInitInfo *info, memcpy(cur_buffer, cur_info->key_ids[i], cur_info->key_id_size); cur_buffer += cur_info->key_id_size; } - memcpy(cur_buffer, cur_info->data, cur_info->data_size); - cur_buffer += cur_info->data_size; + if (cur_info->data_size > 0) { + memcpy(cur_buffer, cur_info->data, cur_info->data_size); + cur_buffer += cur_info->data_size; + } } return buffer; From 3497fd2dd7342257efd3f4e1bc60c7d5d657a65a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:58 +0200 Subject: [PATCH 0590/1383] avcodec/wavpackenc: Fix undefined shifts Fixes ticket #8161 and the acodec-wavpack FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 84974c6fb542cf019904016c2165d9a62db9f312) Signed-off-by: Andreas Rheinhardt --- libavcodec/wavpackenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 979b92165b..bc896f15e5 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -529,9 +529,9 @@ static int8_t store_weight(int weight) static int restore_weight(int8_t weight) { - int result; + int result = 8 * weight; - if ((result = (int) weight << 3) > 0) + if (result > 0) result += (result + 64) >> 7; return result; @@ -2571,7 +2571,7 @@ static int wavpack_encode_block(WavPackEncodeContext *s, ret = wv_mono(s, samples_l, !s->num_terms, 1); } else { for (i = 0; i < nb_samples; i++) - crc += (crc << 3) + (samples_l[i] << 1) + samples_l[i] + samples_r[i]; + crc += (crc << 3) + ((uint32_t)samples_l[i] << 1) + samples_l[i] + samples_r[i]; if (s->num_passes) ret = wv_stereo(s, samples_l, samples_r, !s->num_terms, 1); From 2b9ddde1d027f316c2a064fcf61e94a6c9dda981 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:01 +0200 Subject: [PATCH 0591/1383] avcodec/pcm: Fix undefined shifts Fixes the acodec-pcm-u16[lb]e FATE-tests. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 69473bec6f38fefc9a433d95f8e00de101299592) Signed-off-by: Andreas Rheinhardt --- libavcodec/pcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 4112b694df..41f749c946 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -306,7 +306,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) #define DECODE(size, endian, src, dst, n, shift, offset) \ for (; n > 0; n--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \ dst += size / 8; \ } @@ -317,7 +317,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) dst = frame->extended_data[c]; \ for (i = n; i > 0; i--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ##_t)(v - offset) << shift); \ dst += size / 8; \ } \ } From 62df14c7fe1c33a972506105b61bb458833b8df4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:03 +0200 Subject: [PATCH 0592/1383] avformat/movenc: Fix undefined shift Fixes the movenc FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 646799b42fd59ee79920e472795bf881b78bb5ce) Signed-off-by: Andreas Rheinhardt --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 1a1bd9eaad..1028138a5e 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4453,7 +4453,8 @@ static int mov_write_sidx_tag(AVIOContext *pb, { int64_t pos = avio_tell(pb), offset_pos, end_pos; int64_t presentation_time, duration, offset; - int starts_with_SAP, i, entries; + unsigned starts_with_SAP; + int i, entries; if (track->entry) { entries = 1; From 438773db5106573f533989d2e67a52c509608ed9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 25 Sep 2019 00:03:07 +0200 Subject: [PATCH 0593/1383] avcodec/exr: Fix undefined left shifts of negative numbers Affected the FATE-tests exr-rgb-scanline-pxr24-half-uint32-13x9 and exr-rgb-scanline-pxr24-uint32. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0f949906116c40b6f1e55a1bce4447ada3219c) Signed-off-by: Andreas Rheinhardt --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 819837f024..ba6e3fdcb6 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -881,7 +881,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, in = ptr[3] + s->xdelta; for (j = 0; j < s->xdelta; ++j) { - uint32_t diff = (*(ptr[0]++) << 24) | + uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8 ) | (*(ptr[3]++)); From a79bfc2222f16763ebc0c709e18eb39088f456d7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:58 +0200 Subject: [PATCH 0594/1383] swscale/x86/swscale: Fix undefined left shifts of negative numbers This affected many FATE-tests: The number of failing tests went down from 663 to 344. (Both numbers exclude tests that failed because of unaligned accesses in code that is inside #if HAVE_FAST_UNALIGNED.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 736c7c20e7819811dc59f43490563789b192eb6e) Signed-off-by: Andreas Rheinhardt --- libswscale/x86/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 7dc2d70574..0eed4f18d5 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -160,7 +160,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&lumMmxFilter[s*i+APCK_PTR2/4 ]= lumSrcPtr[i+(vLumFilterSize>1)]; lumMmxFilter[s*i+APCK_COEF/4 ]= lumMmxFilter[s*i+APCK_COEF/4+1]= vLumFilter[dstY*vLumFilterSize + i ] - + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1]<<16 : 0); + + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1] * (1 << 16) : 0); if (CONFIG_SWSCALE_ALPHA && hasAlpha) { *(const void**)&alpMmxFilter[s*i ]= alpSrcPtr[i ]; *(const void**)&alpMmxFilter[s*i+APCK_PTR2/4 ]= alpSrcPtr[i+(vLumFilterSize>1)]; @@ -173,7 +173,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&chrMmxFilter[s*i+APCK_PTR2/4 ]= chrUSrcPtr[i+(vChrFilterSize>1)]; chrMmxFilter[s*i+APCK_COEF/4 ]= chrMmxFilter[s*i+APCK_COEF/4+1]= vChrFilter[chrDstY*vChrFilterSize + i ] - + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1]<<16 : 0); + + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1] * (1 << 16) : 0); } } else { for (i=0; i Date: Sat, 28 Sep 2019 04:26:02 +0200 Subject: [PATCH 0595/1383] swscale/utils: Fix invalid left shifts of negative numbers Affected the FATE-tests vsynth_lena-dv-411, vsynth1-dv-411, vsynth2-dv-411 and hevc-paramchange-yuv420p.yuv420p10. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e2646e23be69bdef1e41d4decee1a4298701b8d1) Signed-off-by: Andreas Rheinhardt --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index d5913ed733..2484cdf8d7 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -384,7 +384,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, (*filterPos)[i] = xx; // bilinear upscale / linear interpolate / area averaging for (j = 0; j < filterSize; j++) { - int64_t coeff= fone - FFABS(((int64_t)xx<<16) - xDstInSrc)*(fone>>16); + int64_t coeff = fone - FFABS((int64_t)xx * (1 << 16) - xDstInSrc) * (fone >> 16); if (coeff < 0) coeff = 0; filter[i * filterSize + j] = coeff; From ab3b008dad8e43b64d35779d74a5b06eaad30849 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:06 +0200 Subject: [PATCH 0596/1383] avcodec/dnxhdenc: Fix undefined left shifts of negative numbers Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit b7f156e8cbdf3256c7860c62ebb7a6c3002cbb03) Signed-off-by: Andreas Rheinhardt --- libavcodec/dnxhdenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 41b8079a09..59bda860de 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx) ctx->vlc_bits = ctx->orig_vlc_bits + max_level * 2; for (level = -max_level; level < max_level; level++) { for (run = 0; run < 2; run++) { - int index = (level << 1) | run; + int index = level * (1 << 1) | run; int sign, offset = 0, alevel = level; MASK_ABS(sign, alevel); @@ -616,7 +616,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block, slevel = block[j]; if (slevel) { int run_level = i - last_non_zero - 1; - int rlevel = (slevel << 1) | !!run_level; + int rlevel = slevel * (1 << 1) | !!run_level; put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]); if (run_level) put_bits(&ctx->m.pb, ctx->run_bits[run_level], @@ -696,7 +696,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index) level = block[j]; if (level) { int run_level = i - last_non_zero - 1; - bits += ctx->vlc_bits[(level << 1) | + bits += ctx->vlc_bits[level * (1 << 1) | !!run_level] + ctx->run_bits[run_level]; last_non_zero = i; } From ceed3603e16fa25104e656e80dbc7fc1093e93d6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:07 +0200 Subject: [PATCH 0597/1383] avcodec/ituh263dec: Fix undefined left shift of negative number Fixes ticket #8160. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 324487b596fbcda0a5753c7bb7b2e96e9d512479) Signed-off-by: Andreas Rheinhardt --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 6d1d771c16..c1005b0994 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -1286,7 +1286,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s) for(i=0; i<13; i++){ for(j=0; j<3; j++){ int v= get_bits(&s->gb, 8); - v |= get_sbits(&s->gb, 8)<<8; + v |= get_sbits(&s->gb, 8) * (1 << 8); av_log(s->avctx, AV_LOG_DEBUG, " %5d", v); } av_log(s->avctx, AV_LOG_DEBUG, "\n"); From 02d9561eabb5afeec5f47bbb50d93dde07e9e06c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:10 +0200 Subject: [PATCH 0598/1383] avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests (where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5cf593adcd79a7c9502dc2725e1f0681ada36aef) Signed-off-by: Andreas Rheinhardt --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index badf0f8cd0..f418454ee9 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t) line += 5; for (i = 0; i < w * h; i++) - t[i] <<= I_PRESHIFT; + t[i] *= 1 << I_PRESHIFT; for (lev = s->ndeclevels-1; lev >= 0; lev--){ int lh = s->linelen[lev][0], From 7cb41481ea13facf737556d2fce823e8c7c807f7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:57 +0200 Subject: [PATCH 0599/1383] avfilter/vf_hqx: Fix undefined left shifts of negative numbers Affected every usage of this filter; in particular, it affected the FATE-tests filter-2xbr, filter-3xbr and filter-4xbr. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fa211943265ca991548a4cc2f85a6df9cedcd092) Signed-off-by: Andreas Rheinhardt --- libavfilter/vf_hqx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_hqx.c b/libavfilter/vf_hqx.c index 16a1be7bd4..4f768c7a13 100644 --- a/libavfilter/vf_hqx.c +++ b/libavfilter/vf_hqx.c @@ -523,7 +523,7 @@ static av_cold int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { hqx->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; From 63383aaf535aa0f29715b3a4f5abfdbcdb70bc41 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:56 +0200 Subject: [PATCH 0600/1383] avfilter/vf_xbr: Fix left shift of negative number Affected every usage of vf_xbr, e.g. the FATE-tests filter-2xbr, filter-3xbr, filter-4xbr. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4294dc3589a3ab973b10a85b576ff15e3ffb000d) Signed-off-by: Andreas Rheinhardt --- libavfilter/vf_xbr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_xbr.c b/libavfilter/vf_xbr.c index 2c71871d22..87810c88f1 100644 --- a/libavfilter/vf_xbr.c +++ b/libavfilter/vf_xbr.c @@ -395,7 +395,7 @@ static int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { s->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; From d2b434001fb73bb6b5ee4fb3180d8a57c788395b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 24 Oct 2019 15:36:35 +0200 Subject: [PATCH 0601/1383] fftools/ffmpeg: Free swresample dictionary during cleanup Freeing this was forgotten in ad899522. Fixes #8315 and #8316. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6f2a3958cfac135c60b509a61a4fd39432d8f9a9) Signed-off-by: Andreas Rheinhardt --- fftools/ffmpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index f502961196..c743a2a6fa 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -567,6 +567,7 @@ static void ffmpeg_cleanup(int ret) ost->audio_channels_mapped = 0; av_dict_free(&ost->sws_dict); + av_dict_free(&ost->swr_opts); avcodec_free_context(&ost->enc_ctx); avcodec_parameters_free(&ost->ref_par); From 26ceb54a28d5d3c411e5eab6ba7a18571d3e076c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 21 Nov 2019 07:17:19 +0100 Subject: [PATCH 0602/1383] avformat/av1: Fix leak of dynamic buffer in case of parsing failure Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 27c6c925344e00c1a72ba8bb2b5cdd32cb1a2655) Signed-off-by: Andreas Rheinhardt --- libavformat/av1.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/av1.c b/libavformat/av1.c index 5fde8df97e..8d80682b24 100644 --- a/libavformat/av1.c +++ b/libavformat/av1.c @@ -26,6 +26,7 @@ #include "libavcodec/put_bits.h" #include "av1.h" #include "avio.h" +#include "avio_internal.h" int ff_av1_filter_obus(AVIOContext *pb, const uint8_t *buf, int size) { @@ -67,8 +68,10 @@ int ff_av1_filter_obus_buf(const uint8_t *buf, uint8_t **out, int *size) return ret; ret = ff_av1_filter_obus(pb, buf, *size); - if (ret < 0) + if (ret < 0) { + ffio_free_dyn_buf(&pb); return ret; + } av_freep(out); *size = avio_close_dyn_buf(pb, out); From 901048ad96264622489c8d7d8f0db375a080285b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 19:54:25 +0200 Subject: [PATCH 0603/1383] avformat/matroskadec: Fix demuxing ProRes The structure of a ProRes frame in mov/mp4 is that of a typical atom: First a 32 bit BE size field, then a tag detailling the content. Said size field includes the eight bytes of the atom header. This header is actually redundant, as the size of the atom is already known from the containing atom. It is therefore stripped away when muxed into Matroska and so the Matroska demuxer has to recreate upon demuxing. But it did not account for the fact that the size field includes the size of the header and this can lead to problems when a decoder uses the in-band size field. Fixes ticket #8210. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 581419ea39de6619c3389b8d10ac2cbe212c62a0) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 87ff2db86d..2bec9f6a8e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3051,15 +3051,16 @@ static int matroska_parse_prores(MatroskaTrack *track, uint8_t *src, int dstlen = *size; if (AV_RB32(&src[4]) != MKBETAG('i', 'c', 'p', 'f')) { - dst = av_malloc(dstlen + 8 + AV_INPUT_BUFFER_PADDING_SIZE); + dstlen += 8; + + dst = av_malloc(dstlen + AV_INPUT_BUFFER_PADDING_SIZE); if (!dst) return AVERROR(ENOMEM); AV_WB32(dst, dstlen); AV_WB32(dst + 4, MKBETAG('i', 'c', 'p', 'f')); - memcpy(dst + 8, src, dstlen); - memset(dst + 8 + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE); - dstlen += 8; + memcpy(dst + 8, src, dstlen - 8); + memset(dst + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE); } *pdst = dst; From 88a19d6b4df69f419381fbc5690cf38e4a55f97f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 7 Dec 2019 00:16:19 +0100 Subject: [PATCH 0604/1383] avformat/matroskadec: Fix use-after-free when demuxing ProRes ProRes in Matroska is supposed to not contain the first atom header (containing a size field and the tag "icpf") and therefore the Matroska demuxer has to recreate it; this involves an allocation and copy, of course. Whether the old buffer (containing the data without the atom header) needs to be freed or not depends upon whether it is what was directly read (in which case it is owned by an AVBuffer) or whether it has been allocated when reversing the track's content compression (e.g. zlib compression) that Matroska supports. So there are three pointers involved: The one pointing to the directly read data (owned by the AVBuffer), the one pointing to the currently valid data (which coincides with the former if no content compression needed to be reverted) and the one pointing to the new data with the first atom header. The check for whether to free the second of these is simply whether the first two are different. This works mostly, but there is a complication: Some muxers don't strip the first atom header away and in this case, it is also not reinserted and no new buffer is allocated; instead, the second and the third pointers agree. In this case, one must never free the second buffer. Yet it is currently done if the track is e.g. zlib compressed. This commit fixes this. This is a regression since b8e75a2a. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit af50f0a515d8096fece9776e2d3034fe990a1373) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2bec9f6a8e..061d0cb8cf 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3047,11 +3047,8 @@ fail: static int matroska_parse_prores(MatroskaTrack *track, uint8_t *src, uint8_t **pdst, int *size) { - uint8_t *dst = src; - int dstlen = *size; - - if (AV_RB32(&src[4]) != MKBETAG('i', 'c', 'p', 'f')) { - dstlen += 8; + uint8_t *dst; + int dstlen = *size + 8; dst = av_malloc(dstlen + AV_INPUT_BUFFER_PADDING_SIZE); if (!dst) @@ -3061,7 +3058,6 @@ static int matroska_parse_prores(MatroskaTrack *track, uint8_t *src, AV_WB32(dst + 4, MKBETAG('i', 'c', 'p', 'f')); memcpy(dst + 8, src, dstlen - 8); memset(dst + dstlen, 0, AV_INPUT_BUFFER_PADDING_SIZE); - } *pdst = dst; *size = dstlen; @@ -3216,7 +3212,8 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska, pkt_data = wv_data; } - if (st->codecpar->codec_id == AV_CODEC_ID_PRORES) { + if (st->codecpar->codec_id == AV_CODEC_ID_PRORES && + AV_RB32(pkt_data + 4) != MKBETAG('i', 'c', 'p', 'f')) { uint8_t *pr_data; res = matroska_parse_prores(track, pkt_data, &pr_data, &pkt_size); if (res < 0) { From 57dca5213ba40e6ed5ff70782f8ecefd30915fc7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:42 +0100 Subject: [PATCH 0605/1383] avformat/fitsdec: Fix potential leak of string in AVBPrint by freeing it a bit earlier. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit bb20f3dd730689c3a99f7820cff8b74b06992fff) Signed-off-by: Andreas Rheinhardt --- libavformat/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index 4b288b3903..e5f152fd68 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c @@ -157,11 +157,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); while ((ret = is_image(s, fits, &header, &avbuf, &size)) == 0) { + av_bprint_finalize(&avbuf, NULL); pos = avio_skip(s->pb, size); if (pos < 0) return pos; - av_bprint_finalize(&avbuf, NULL); av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); avpriv_fits_header_init(&header, STATE_XTENSION); } From e848b20ef0e2106b682f233d527da4cd71d7e6c0 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:48 +0100 Subject: [PATCH 0606/1383] avformat/wtvdec: Fix memleak when reading header fails Fixes #8314. Signed-off-by: Andreas Rheinhardt Reviewed-by: Peter Ross Signed-off-by: James Almer (cherry picked from commit 373c1c9b691fd4c6831b3a114a006b639304c2af) Signed-off-by: Andreas Rheinhardt --- libavformat/wtvdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index b9648c02d6..7971026db6 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -993,8 +993,10 @@ static int read_header(AVFormatContext *s) } ret = parse_chunks(s, SEEK_TO_DATA, 0, 0); - if (ret < 0) + if (ret < 0) { + wtvfile_close(wtv->pb); return ret; + } avio_seek(wtv->pb, -32, SEEK_CUR); timeline_pos = avio_tell(s->pb); // save before opening another file From 02368962f583877dcc136cc21fee4cb97458e979 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 8 Jan 2020 19:29:13 +0100 Subject: [PATCH 0607/1383] avcodec/proresenc_anatoliy: Fix invalid left shift of negative number This fixes ticket #7997 as well as the vsynth*-prores_# FATE-tests (where * ranges over { 1, 2, 3, _lena } and # over { , _int, _444, _444_int }). (Given that prev_dc is in the range -0xC000..0x3FFF, no overflow can happen upon multiplication with 2.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 198081efb7c7343349f0a7acc836f001c511e990) Signed-off-by: Andreas Rheinhardt --- libavcodec/proresenc_anatoliy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index 6b9ce4a59a..97caa92676 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -196,7 +196,7 @@ static void encode_codeword(PutBitContext *pb, int val, int codebook) } #define QSCALE(qmat,ind,val) ((val) / ((qmat)[ind])) -#define TO_GOLOMB(val) (((val) << 1) ^ ((val) >> 31)) +#define TO_GOLOMB(val) (((val) * 2) ^ ((val) >> 31)) #define DIFF_SIGN(val, sign) (((val) >> 31) ^ (sign)) #define IS_NEGATIVE(val) ((((val) >> 31) ^ -1) + 1) #define TO_GOLOMB2(val,sign) ((val)==0 ? 0 : ((val) << 1) + (sign)) From 84abf2ee322a31774ec9a6935892900af7244cfe Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 14 Jan 2020 04:13:30 +0100 Subject: [PATCH 0608/1383] avformat/segafilmenc: Fix undefined left shift of 1 by 31 places by changing the type to unsigned. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8ae026d74f599b2d00b91798af1c1067a879007c) Signed-off-by: Andreas Rheinhardt --- libavformat/segafilmenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/segafilmenc.c b/libavformat/segafilmenc.c index 524230e461..7aad8084a5 100644 --- a/libavformat/segafilmenc.c +++ b/libavformat/segafilmenc.c @@ -70,7 +70,7 @@ static int film_write_packet_to_header(AVFormatContext *format_context, FILMPack info2 = pkt->duration; /* The top bit being set indicates a key frame */ if (!pkt->keyframe) - info1 |= (1 << 31); + info1 |= 1U << 31; } /* Write the 16-byte sample info packet to the STAB chunk in the header */ From d620f2eeb4087ece55bd70fbd9f3f1665f61e77c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 16:56:55 +0100 Subject: [PATCH 0609/1383] avcodec/adpcm: Fix undefined left shifts of negative numbers Affected the adpcm-afc, adpcm-ea-1, adpcm-ea-2, adpcm-ea-maxis-xa, adpcm-thp and ea-cdata FATE-tests. Also fixes ticket #8487. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 3ad8af51b7c0a968ac3fd62964780d4ff9136c5a) Signed-off-by: Andreas Rheinhardt --- libavcodec/adpcm.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index edd5912b67..4c3886a457 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1196,8 +1196,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2 = 0; count2 < 28; count2++) { byte = bytestream2_get_byteu(&gb); - next_left_sample = sign_extend(byte >> 4, 4) << shift_left; - next_right_sample = sign_extend(byte, 4) << shift_right; + next_left_sample = sign_extend(byte >> 4, 4) * (1 << shift_left); + next_right_sample = sign_extend(byte, 4) * (1 << shift_right); next_left_sample = (next_left_sample + (current_left_sample * coeff1l) + @@ -1236,7 +1236,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, if (st) byte[1] = bytestream2_get_byteu(&gb); for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */ for(channel = 0; channel < avctx->channels; channel++) { - int sample = sign_extend(byte[channel] >> i, 4) << shift[channel]; + int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]); sample = (sample + c->status[channel].sample1 * coeff[channel][0] + c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8; @@ -1351,11 +1351,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int level, pred; int byte = bytestream2_get_byteu(&gb); - level = sign_extend(byte >> 4, 4) << shift[n]; + level = sign_extend(byte >> 4, 4) * (1 << shift[n]); pred = s[-1] * coeff[0][n] + s[-2] * coeff[1][n]; s[0] = av_clip_int16((level + pred + 0x80) >> 8); - level = sign_extend(byte, 4) << shift[n]; + level = sign_extend(byte, 4) * (1 << shift[n]); pred = s[0] * coeff[0][n] + s[-1] * coeff[1][n]; s[1] = av_clip_int16((level + pred + 0x80) >> 8); } @@ -1512,8 +1512,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, sampledat = sign_extend(byte >> 4, 4); } - sampledat = ((prev1 * factor1 + prev2 * factor2) + - ((sampledat * scale) << 11)) >> 11; + sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) + + sampledat * scale; *samples = av_clip_int16(sampledat); prev2 = prev1; prev1 = *samples++; @@ -1590,7 +1590,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } sampledat = ((c->status[ch].sample1 * factor1 - + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp); + + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp); *samples = av_clip_int16(sampledat); c->status[ch].sample2 = c->status[ch].sample1; c->status[ch].sample1 = *samples++; From 68e67bb187657173354c233edd4db5f81ffdbf80 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 20:20:42 +0100 Subject: [PATCH 0610/1383] avcodec/adxenc: Avoid undefined left shift of negative numbers Replace "((a << shift) + b) >> shift" by "a + (b >> shift)". This avoids a left shift which also happens to trigger undefined behaviour in case "a" is negative. This affected the FATE-tests acodec-adpcm-adx and acodec-adpcm-adx-trellis; it also fixes ticket #8008. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 59a9d65e0d790821f88527a82569f56eb2f8a9be) Signed-off-by: Andreas Rheinhardt --- libavcodec/adxenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/adxenc.c b/libavcodec/adxenc.c index f1ba5911b3..77f6bf0487 100644 --- a/libavcodec/adxenc.c +++ b/libavcodec/adxenc.c @@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { s0 = wav[i]; - d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); if (max < d) max = d; if (min > d) @@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s1 = prev->s1; s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { - d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); d = av_clip_intp2(ROUNDED_DIV(d, scale), 3); put_sbits(&pb, 4, d); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS); s2 = s1; s1 = s0; } From d9e4783f0629cd99bcdd6a844a83015df3006b38 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 22 Jan 2020 15:52:10 +0100 Subject: [PATCH 0611/1383] avcodec/ra144enc: Fix invalid left shift of negative number by replacing it with a multiplication. Said multiplication can't overflow an int32_t because lpc_coefs is limited to 16 bit precision. Fixes the FACE-test acodec-ra144 as well as part of #8217. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e3fb9af6f1353f30855eaa1cbd5befaf06e303b8) Signed-off-by: Andreas Rheinhardt --- libavcodec/ra144enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index cc4f381606..059f582334 100644 --- a/libavcodec/ra144enc.c +++ b/libavcodec/ra144enc.c @@ -477,8 +477,8 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, LPC_ORDER, 16, lpc_coefs, shift, FF_LPC_TYPE_LEVINSON, 0, ORDER_METHOD_EST, 0, 12, 0); for (i = 0; i < LPC_ORDER; i++) - block_coefs[NBLOCKS - 1][i] = -(lpc_coefs[LPC_ORDER - 1][i] << - (12 - shift[LPC_ORDER - 1])); + block_coefs[NBLOCKS - 1][i] = -lpc_coefs[LPC_ORDER - 1][i] + * (1 << (12 - shift[LPC_ORDER - 1])); /** * TODO: apply perceptual weighting of the input speech through bandwidth From 31fa5fb84e816bf220c216367c99f9350af62256 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 23 Jan 2020 17:08:27 +0100 Subject: [PATCH 0612/1383] avformat/matroskaenc: Check for reformatting errors This is needed especially for AV1: If a reformatting error happens (e.g. if the length field of an OBU contained in the current packet indicates that said OBU extends beyond the current packet), the data pointer is still NULL, yet the size is unchanged, so that writing the data leads to a segmentation fault. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 58428bef4b2c053f47dce35157fb96833ba8efea) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index ff1cba0145..1da95ada8b 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2118,13 +2118,13 @@ fail: return ret; } -static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, - unsigned int blockid, AVPacket *pkt, int keyframe) +static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, + uint32_t blockid, AVPacket *pkt, int keyframe) { MatroskaMuxContext *mkv = s->priv_data; AVCodecParameters *par = s->streams[pkt->stream_index]->codecpar; uint8_t *data = NULL, *side_data = NULL; - int offset = 0, size = pkt->size, side_data_size = 0; + int err = 0, offset = 0, size = pkt->size, side_data_size = 0; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; uint64_t additional_id = 0; int64_t discard_padding = 0; @@ -2139,22 +2139,24 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, keyframe != 0); if (par->codec_id == AV_CODEC_ID_H264 && par->extradata_size > 0 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) - ff_avc_parse_nal_units_buf(pkt->data, &data, &size); + err = ff_avc_parse_nal_units_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_HEVC && par->extradata_size > 6 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) /* extradata is Annex B, assume the bitstream is too and convert it */ - ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); + err = ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); else if (par->codec_id == AV_CODEC_ID_AV1) - ff_av1_filter_obus_buf(pkt->data, &data, &size); + err = ff_av1_filter_obus_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_WAVPACK) { - int ret = mkv_strip_wavpack(pkt->data, &data, &size); - if (ret < 0) { - av_log(s, AV_LOG_ERROR, "Error stripping a WavPack packet.\n"); - return; - } + err = mkv_strip_wavpack(pkt->data, &data, &size); } else data = pkt->data; + if (err < 0) { + av_log(s, AV_LOG_ERROR, "Error when reformatting data of " + "a packet from stream %d.\n", pkt->stream_index); + return err; + } + if (par->codec_id == AV_CODEC_ID_PRORES && size >= 8) { /* Matroska specification requires to remove the first QuickTime atom */ @@ -2219,6 +2221,8 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, if ((side_data_size && additional_id == 1) || discard_padding) { end_ebml_master(pb, block_group); } + + return 0; } static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) @@ -2424,7 +2428,9 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ relative_packet_pos = avio_tell(pb); if (par->codec_type != AVMEDIA_TYPE_SUBTITLE) { - mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + ret = mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + if (ret < 0) + return ret; if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && (par->codec_type == AVMEDIA_TYPE_VIDEO && keyframe || add_cue)) { ret = mkv_add_cuepoint(mkv->cues, pkt->stream_index, dash_tracknum, ts, mkv->cluster_pos, relative_packet_pos, -1); if (ret < 0) return ret; From 9b605dcdde36a2b6459fd714b26f797b10ee04ba Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 23 Jan 2020 17:08:29 +0100 Subject: [PATCH 0613/1383] avformat/hevc: Fix potential leak in case of ff_hevc_annexb2mp4_buf failure ff_hevc_annexb2mp4_buf() could indicate an error, yet leave cleaning after itself to the caller, so that a caller could not simply return the error, but had to free the buffer first. (Given that all current callers have set filter_ps = 0, this error can currently not be triggered.) Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 680cd59bb21c7bce92789ff885c018207b0b90bc) Signed-off-by: Andreas Rheinhardt --- libavformat/hevc.c | 6 ++++++ libavformat/hevc.h | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 3628d5a028..8b7ed3e721 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -25,6 +25,7 @@ #include "libavutil/intreadwrite.h" #include "avc.h" #include "avio.h" +#include "avio_internal.h" #include "hevc.h" #define MAX_SPATIAL_SEGMENTATION 4096 // max. value of u(12) field @@ -1088,6 +1089,11 @@ int ff_hevc_annexb2mp4_buf(const uint8_t *buf_in, uint8_t **buf_out, return ret; ret = ff_hevc_annexb2mp4(pb, buf_in, *size, filter_ps, ps_count); + if (ret < 0) { + ffio_free_dyn_buf(&pb); + return ret; + } + *size = avio_close_dyn_buf(pb, buf_out); return ret; diff --git a/libavformat/hevc.h b/libavformat/hevc.h index 796eaf40b1..1e355cd34a 100644 --- a/libavformat/hevc.h +++ b/libavformat/hevc.h @@ -60,13 +60,13 @@ int ff_hevc_annexb2mp4(AVIOContext *pb, const uint8_t *buf_in, * If filter_ps is non-zero, any HEVC parameter sets found in the input will be * discarded, and *ps_count will be set to the number of discarded PS NAL units. * - * On output, *size holds the size (in bytes) of the output data buffer. + * On success, *size holds the size (in bytes) of the output data buffer. * * @param buf_in address of the buffer holding the input data * @param size address of the variable holding the size (in bytes) of the input - * buffer (on input) and of the output buffer (on output) - * @param buf_out address of the variable holding the address of the output - * buffer + * buffer (on input) and of the output buffer (on success) + * @param buf_out on success, address of the variable holding the address of + * the output buffer * @param filter_ps whether to write parameter set NAL units to the output (0) * or to discard them (non-zero) * @param ps_count address of the variable where the number of discarded From 7a13d99e6e350afe79b17382f7ac293bb4eef3c9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Jan 2020 09:28:18 +0100 Subject: [PATCH 0614/1383] avformat/mov: Free encryption data on error Fixes memleak and Coverity issue #1439587. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 3999c4b374c2f3786137bd7e820dd1555fc20d90) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9467370cce..358369b74b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6308,8 +6308,10 @@ static int mov_read_pssh(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (version > 0) { kid_count = avio_rb32(pb); - if (kid_count >= INT_MAX / sizeof(*key_ids)) - return AVERROR(ENOMEM); + if (kid_count >= INT_MAX / sizeof(*key_ids)) { + ret = AVERROR(ENOMEM); + goto finish; + } for (unsigned int i = 0; i < kid_count && !pb->eof_reached; i++) { unsigned int min_kid_count = FFMIN(FFMAX(i + 1, 1024), kid_count); From b9a667c00d0fa4a5bd7a0d1f00f393482b98c729 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Jan 2020 09:28:19 +0100 Subject: [PATCH 0615/1383] avformat/mov: Don't leak MOVFragmentStreamInfo on error Fixes Coverity issue #1441933. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 43f58f2354bfab3819e44c1a97b0af75cc091226) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 358369b74b..6d41823553 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1330,8 +1330,10 @@ static int update_frag_index(MOVContext *c, int64_t offset) for (i = 0; i < c->fc->nb_streams; i++) { // Avoid building frag index if streams lack track id. - if (c->fc->streams[i]->id < 0) + if (c->fc->streams[i]->id < 0) { + av_free(frag_stream_info); return AVERROR_INVALIDDATA; + } frag_stream_info[i].id = c->fc->streams[i]->id; frag_stream_info[i].sidx_pts = AV_NOPTS_VALUE; From 2b35185006c965a0478b5dbcf2c11469d1b0c2f3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:00 +0200 Subject: [PATCH 0616/1383] avcodec/cavsdsp: Fix undefined left shifts of negative numbers Affected the ffmpeg-filter_colorkey FATE-test (but only if the C version of idct8_add is used and not e.g. the x86 SSE2 version). Signed-off-by: Andreas Rheinhardt Fixes: left shift of negative value -107 Fixes: 20398/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5725389278412800 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0f2ab0c3b3d04e904db97b07ae829c72c91778) Signed-off-by: Andreas Rheinhardt --- libavcodec/cavsdsp.c | 48 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 90a67e910c..ba92121cc9 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[0][0] += 8; for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[i][1] - (src[i][7]<<1); - const int a1 = 3*src[i][3] + (src[i][5]<<1); - const int a2 = (src[i][3]<<1) - 3*src[i][5]; - const int a3 = (src[i][1]<<1) + 3*src[i][7]; + const int a0 = 3 * src[i][1] - 2 * src[i][7]; + const int a1 = 3 * src[i][3] + 2 * src[i][5]; + const int a2 = 2 * src[i][3] - 3 * src[i][5]; + const int a3 = 2 * src[i][1] + 3 * src[i][7]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[i][2]<<2) - 10*src[i][6]; - const int a6 = (src[i][6]<<2) + 10*src[i][2]; - const int a5 = ((src[i][0] - src[i][4]) << 3) + 4; - const int a4 = ((src[i][0] + src[i][4]) << 3) + 4; + const int a7 = 4 * src[i][2] - 10 * src[i][6]; + const int a6 = 4 * src[i][6] + 10 * src[i][2]; + const int a5 = 8 * (src[i][0] - src[i][4]) + 4; + const int a4 = 8 * (src[i][0] + src[i][4]) + 4; const int b0 = a4 + a6; const int b1 = a5 + a7; @@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[i][7] = (b0 - b4) >> 3; } for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[1][i] - (src[7][i]<<1); - const int a1 = 3*src[3][i] + (src[5][i]<<1); - const int a2 = (src[3][i]<<1) - 3*src[5][i]; - const int a3 = (src[1][i]<<1) + 3*src[7][i]; + const int a0 = 3 * src[1][i] - 2 * src[7][i]; + const int a1 = 3 * src[3][i] + 2 * src[5][i]; + const int a2 = 2 * src[3][i] - 3 * src[5][i]; + const int a3 = 2 * src[1][i] + 3 * src[7][i]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[2][i]<<2) - 10*src[6][i]; - const int a6 = (src[6][i]<<2) + 10*src[2][i]; - const int a5 = (src[0][i] - src[4][i]) << 3; - const int a4 = (src[0][i] + src[4][i]) << 3; + const int a7 = 4 * src[2][i] - 10 * src[6][i]; + const int a6 = 4 * src[6][i] + 10 * src[2][i]; + const int a5 = 8 * (src[0][i] - src[4][i]); + const int a4 = 8 * (src[0][i] + src[4][i]); const int b0 = a4 + a6; const int b1 = a5 + a7; From 39c249d75e8cf7deb7967c48eeea3215d57bb517 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:47 +0100 Subject: [PATCH 0617/1383] avformat/utils: Fix memleaks in avformat_open_input() A demuxer might have allocated memory while reading the header. If reading the header was successfull and an error happens before returning (e.g. when queueing the attached pictures), the read_close function would have never been called, so that all those allocations would leak. This commit changes this. Furthermore, there would be even more memleaks if the error level was set to AV_EF_EXPLODE in case there is both metadata and id3v2 metadata. This has been fixed, too. Signed-off-by: Andreas Rheinhardt Signed-off-by: Marton Balint (cherry picked from commit e2307f4ff197646a7feee0edbcdd2d3262932676) Signed-off-by: Andreas Rheinhardt --- libavformat/utils.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 01f47caf1e..09169881ce 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -640,26 +640,28 @@ FF_ENABLE_DEPRECATION_WARNINGS level = AV_LOG_ERROR; av_log(s, level, "Discarding ID3 tags because more suitable tags were found.\n"); av_dict_free(&s->internal->id3v2_meta); - if (s->error_recognition & AV_EF_EXPLODE) - return AVERROR_INVALIDDATA; + if (s->error_recognition & AV_EF_EXPLODE) { + ret = AVERROR_INVALIDDATA; + goto close; + } } if (id3v2_extra_meta) { if (!strcmp(s->iformat->name, "mp3") || !strcmp(s->iformat->name, "aac") || !strcmp(s->iformat->name, "tta")) { if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; if ((ret = ff_id3v2_parse_chapters(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; if ((ret = ff_id3v2_parse_priv(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; } else av_log(s, AV_LOG_DEBUG, "demuxer does not support additional id3 data, skipping\n"); } ff_id3v2_free_extra_meta(&id3v2_extra_meta); if ((ret = avformat_queue_attached_pictures(s)) < 0) - goto fail; + goto close; if (!(s->flags&AVFMT_FLAG_PRIV_OPT) && s->pb && !s->internal->data_offset) s->internal->data_offset = avio_tell(s->pb); @@ -678,6 +680,9 @@ FF_ENABLE_DEPRECATION_WARNINGS *ps = s; return 0; +close: + if (s->iformat->read_close) + s->iformat->read_close(s); fail: ff_id3v2_free_extra_meta(&id3v2_extra_meta); av_dict_free(&tmp); From 190e2cb02bd7180c027c334619e5c52b66ead83f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 26 Jan 2020 06:10:27 +0100 Subject: [PATCH 0618/1383] avformat/matroskaenc: Check BlockAdditional size before use Don't read a 64bit number before having checked that the data is at least 8 bytes long. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6e9cc964293bf1e0cca6a52b2938a20d711e4146) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 1da95ada8b..67741cfba6 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2178,9 +2178,13 @@ static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, AV_PKT_DATA_MATROSKA_BLOCKADDITIONAL, &side_data_size); if (side_data) { - additional_id = AV_RB64(side_data); - side_data += 8; - side_data_size -= 8; + if (side_data_size < 8) { + side_data_size = 0; + } else { + additional_id = AV_RB64(side_data); + side_data += 8; + side_data_size -= 8; + } } if ((side_data_size && additional_id == 1) || discard_padding) { From cfb42ce4155f10b94c31cb08eaa0582a4333eaeb Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 11:53:28 +0100 Subject: [PATCH 0619/1383] avformat/smoothstreaming: Fix memleaks on errors If an AVFormatContext could be allocated, but white-/blacklists couldn't be copied, the AVFormatContext would leak as it was only accessible through a local variable that goes out of scope when one goes to fail. Furthermore, in case writing a header of a submuxer failed, the options used for said call could leak. Both of these memleaks have been fixed. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit abbb466368c51285ca27d5e3959a16a9591e9a4c) Signed-off-by: Andreas Rheinhardt --- libavformat/smoothstreamingenc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/smoothstreamingenc.c b/libavformat/smoothstreamingenc.c index 094712af27..b0687a85f8 100644 --- a/libavformat/smoothstreamingenc.c +++ b/libavformat/smoothstreamingenc.c @@ -331,12 +331,11 @@ static int ism_write_header(AVFormatContext *s) goto fail; } - ctx = avformat_alloc_context(); + os->ctx = ctx = avformat_alloc_context(); if (!ctx || ff_copy_whiteblacklists(ctx, s) < 0) { ret = AVERROR(ENOMEM); goto fail; } - os->ctx = ctx; ctx->oformat = oformat; ctx->interrupt_callback = s->interrupt_callback; @@ -356,12 +355,13 @@ static int ism_write_header(AVFormatContext *s) av_dict_set_int(&opts, "ism_lookahead", c->lookahead_count, 0); av_dict_set(&opts, "movflags", "frag_custom", 0); - if ((ret = avformat_write_header(ctx, &opts)) < 0) { + ret = avformat_write_header(ctx, &opts); + av_dict_free(&opts); + if (ret < 0) { goto fail; } os->ctx_inited = 1; avio_flush(ctx->pb); - av_dict_free(&opts); s->streams[i]->time_base = st->time_base; if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { c->has_video = 1; From 54d2f9518814fce97453e8cc074a4675765693dc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 03:57:32 +0100 Subject: [PATCH 0620/1383] avformat/bethsoftvid: Fix potential memleak upon reallocation failure The classical ptr = av_realloc(ptr, size), just with av_fast_realloc(). Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5acef1206144554a48f699b421e8d739e752d8ab) Signed-off-by: Andreas Rheinhardt --- libavformat/bethsoftvid.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index f516806d91..752e05236d 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c @@ -146,9 +146,13 @@ static int read_frame(BVID_DemuxContext *vid, AVIOContext *pb, AVPacket *pkt, } do{ - vidbuf_start = av_fast_realloc(vidbuf_start, &vidbuf_capacity, vidbuf_nbytes + BUFFER_PADDING_SIZE); - if(!vidbuf_start) - return AVERROR(ENOMEM); + uint8_t *tmp = av_fast_realloc(vidbuf_start, &vidbuf_capacity, + vidbuf_nbytes + BUFFER_PADDING_SIZE); + if (!tmp) { + ret = AVERROR(ENOMEM); + goto fail; + } + vidbuf_start = tmp; code = avio_r8(pb); vidbuf_start[vidbuf_nbytes++] = code; From f411e3aede1f17599d02d1ab8d92a3c6d99e6676 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 04:50:20 +0100 Subject: [PATCH 0621/1383] avformat/subtitles: Don't increment packet counter prematurely Do it only if the packet has been successfully allocated in av_new_packet() -- otherwise on error a completely uninitialized packet would be unreferenced later. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6bd8bcc2ac4c64577d964552317989e61db794d8) Signed-off-by: Andreas Rheinhardt --- libavformat/subtitles.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 1230e34d08..bbc4e3e356 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -132,9 +132,10 @@ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, if (!subs) return NULL; q->subs = subs; - sub = &subs[q->nb_subs++]; + sub = &subs[q->nb_subs]; if (av_new_packet(sub, len) < 0) return NULL; + q->nb_subs++; sub->flags |= AV_PKT_FLAG_KEY; sub->pts = sub->dts = 0; memcpy(sub->data, event, len); From deb796ae42c6f266ea2bca48f406e7ad04746b3a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 07:31:17 +0100 Subject: [PATCH 0622/1383] avformat/hnm: Check for extradata allocation failure and also add padding to it; moreover, don't use memcpy to write one byte to extradata. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9e0f3352d1f37a739d98df4347a2b60a396a56fe) Signed-off-by: Andreas Rheinhardt --- libavformat/hnm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 24d4e808a5..9ad457ac83 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -70,6 +70,7 @@ static int hnm_read_header(AVFormatContext *s) Hnm4DemuxContext *hnm = s->priv_data; AVIOContext *pb = s->pb; AVStream *vst; + int ret; /* default context members */ hnm->pts = 0; @@ -113,10 +114,10 @@ static int hnm_read_header(AVFormatContext *s) vst->codecpar->codec_tag = 0; vst->codecpar->width = hnm->width; vst->codecpar->height = hnm->height; - vst->codecpar->extradata = av_mallocz(1); + if ((ret = ff_alloc_extradata(vst->codecpar, 1)) < 0) + return ret; - vst->codecpar->extradata_size = 1; - memcpy(vst->codecpar->extradata, &hnm->version, 1); + vst->codecpar->extradata[0] = hnm->version; vst->start_time = 0; From 9ad4088674811132de230e1b8bc78b0d99f8edb3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 04:17:24 +0100 Subject: [PATCH 0623/1383] avformat/matroskadec: Don't discard the upper 32bits of TrackNumber Signed-off-by: Andreas Rheinhardt (cherry picked from commit ba36a077342c01faa3f3deb841e8cdcc1379ea3d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 061d0cb8cf..6d30f9e27b 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1324,7 +1324,7 @@ static int matroska_probe(AVProbeData *p) } static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, - int num) + uint64_t num) { MatroskaTrack *tracks = matroska->tracks.elem; int i; @@ -1333,7 +1333,7 @@ static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, if (tracks[i].num == num) return &tracks[i]; - av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %d\n", num); + av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %"PRIu64"\n", num); return NULL; } From 81e1872b478dc79e853a9f6175f0d57c70ccbfab Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Dec 2019 21:21:59 +0100 Subject: [PATCH 0624/1383] avformat/webmdashenc: Fix memleak upon realloc failure The classical ptr = av_realloc(ptr, size). Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 418e468699868a0265f8b439beedf64bb643b088) Signed-off-by: Andreas Rheinhardt --- libavformat/webmdashenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 26b8727304..14c3888b1e 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -489,11 +489,12 @@ static int parse_adaptation_sets(AVFormatContext *s) state = parsing_streams; } else if (state == parsing_streams) { struct AdaptationSet *as = &w->as[w->nb_as - 1]; + int ret = av_reallocp_array(&as->streams, ++as->nb_streams, + sizeof(*as->streams)); + if (ret < 0) + return ret; q = p; while (*q != '\0' && *q != ',' && *q != ' ') q++; - as->streams = av_realloc(as->streams, sizeof(*as->streams) * ++as->nb_streams); - if (as->streams == NULL) - return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); if (as->streams[as->nb_streams - 1] < 0 || as->streams[as->nb_streams - 1] >= s->nb_streams) { From ebe90fbb742bb6e23a7df5cb8b10d7f1ded5a54b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 27 Mar 2020 08:31:29 +0100 Subject: [PATCH 0625/1383] avformat/avidec: Fix memleak with embedded GAB2 subtitles The code for GAB2 subtitles predates refcounting AVPackets. So in order to transfer the ownership of a packet's data pkt->data was simply stored and the packet zeroed; in the end (i.e. in the read_close-function) this data was then simply freed with av_freep(). This of course leads to a leak of an AVBufferRef and an AVBuffer. It has been fixed by keeping and eventually unreferencing the packet's buf instead. Additionally, the packet is now reset via av_packet_unref(). Signed-off-by: Andreas Rheinhardt (cherry picked from commit da44bbefaabeb2fdb58a03fe533a44aa150486fc) Signed-off-by: Andreas Rheinhardt --- libavformat/avidec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 3f074795a7..ea99e95386 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -61,7 +61,7 @@ typedef struct AVIStream { AVFormatContext *sub_ctx; AVPacket sub_pkt; - uint8_t *sub_buffer; + AVBufferRef *sub_buffer; int64_t seek_pos; } AVIStream; @@ -1118,8 +1118,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) time_base = ast->sub_ctx->streams[0]->time_base; avpriv_set_pts_info(st, 64, time_base.num, time_base.den); } - ast->sub_buffer = pkt->data; - memset(pkt, 0, sizeof(*pkt)); + ast->sub_buffer = pkt->buf; + pkt->buf = NULL; + av_packet_unref(pkt); return 1; error: @@ -1910,7 +1911,7 @@ static int avi_read_close(AVFormatContext *s) av_freep(&ast->sub_ctx->pb); avformat_close_input(&ast->sub_ctx); } - av_freep(&ast->sub_buffer); + av_buffer_unref(&ast->sub_buffer); av_packet_unref(&ast->sub_pkt); } } From cd4d57fe1ca5aa992d14fdc4f4f87b9c57dbfb90 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 30 Mar 2020 02:50:02 +0200 Subject: [PATCH 0626/1383] avformat/webmdashenc: Check codec types The WebM DASH Manifest muxer only supports VP8, VP9, Vorbis and Opus, but there was no check for this. The codec type is used to get a pointer to a string containing the codec name or NULL if it is not one of those four codecs. Said pointer has then been used without further checks as string for the %s conversion specifier in an avio_printf()) call which is undefined behaviour. This commit adds a check for the supported codec types. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cbea58b2b35c6409e062c929f0b2ab763b8661eb) Signed-off-by: Andreas Rheinhardt --- libavformat/webmdashenc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 14c3888b1e..542410f26b 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -517,6 +517,14 @@ static int webm_dash_manifest_write_header(AVFormatContext *s) double start = 0.0; int ret; WebMDashMuxContext *w = s->priv_data; + + for (unsigned i = 0; i < s->nb_streams; i++) { + enum AVCodecID codec_id = s->streams[i]->codecpar->codec_id; + if (codec_id != AV_CODEC_ID_VP8 && codec_id != AV_CODEC_ID_VP9 && + codec_id != AV_CODEC_ID_VORBIS && codec_id != AV_CODEC_ID_OPUS) + return AVERROR(EINVAL); + } + ret = parse_adaptation_sets(s); if (ret < 0) { goto fail; From 259edd9293c382299ad04f6133a34f9844fa0f2f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 15 Apr 2020 20:54:42 +0200 Subject: [PATCH 0627/1383] fftools/ffmpeg_opt: Check attachment filesize The data of an attachment file is put into an AVCodecParameter's extradata. The corresponding size field has type int, yet there was no check for the size to fit into an int. As a consequence, it was possible to create extradata with negative size (by using a big enough max_alloc). Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit systems) then the file size might be truncated before the allocation; and avio_read() takes an int, too, so one would not have read as much as one desired. Furthermore, the extradata is now padded as is required. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 889ad93c8839e5ac1ec28bc8e1fea6df71b9bf80) Signed-off-by: Andreas Rheinhardt --- fftools/ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 1893234789..618f0f22cd 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -2333,12 +2333,14 @@ loop_end: o->attachments[i]); exit_program(1); } - if (!(attachment = av_malloc(len))) { - av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n", + if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE || + !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) { + av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n", o->attachments[i]); exit_program(1); } avio_read(pb, attachment, len); + memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); ost = new_attachment_stream(o, oc, -1); ost->stream_copy = 0; From b568b4683ec12a553c82437811814afd6fcb3a90 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Apr 2020 05:42:09 +0200 Subject: [PATCH 0628/1383] avformat/matroskaenc: Fix memleak upon encountering bogus chapter Signed-off-by: Andreas Rheinhardt (cherry picked from commit cb255b616cf1ebc6bc89b3538b6b7465dc2c526b) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 67741cfba6..e2f5e8d26f 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1513,6 +1513,7 @@ static int mkv_write_chapters(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid chapter start (%"PRId64") or end (%"PRId64").\n", chapterstart, chapterend); + ffio_free_dyn_buf(&dyn_cp); return AVERROR_INVALIDDATA; } From aec8b1fa0bfa000ec27c8ac71a3c4035278c0b8e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 24 May 2020 03:14:00 +0200 Subject: [PATCH 0629/1383] avformat/aviobuf: Don't check for overflow after it happened If adding two ints overflows, it doesn't matter whether the result will be stored in an unsigned or not; and checking afterwards does not make it retroactively defined. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 28a078eded1c29985ed078b59d48ff59cf00394b) Signed-off-by: Andreas Rheinhardt --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 6a5cd97b0a..c2d4872886 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1309,7 +1309,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) unsigned new_size, new_allocated_size; /* reallocate buffer if needed */ - new_size = d->pos + buf_size; + new_size = (unsigned)d->pos + buf_size; new_allocated_size = d->allocated_size; if (new_size < d->pos || new_size > INT_MAX/2) return -1; From 5db4c91ef57927213adc5e4e0a5006f7bddde195 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 9 Nov 2018 06:31:36 +0100 Subject: [PATCH 0630/1383] h264_redundant_pps: Fix memleak in case of errors Now the fragment is uninitialized and the input packet freed in case of errors. Signed-off-by: Andreas Rheinhardt Signed-off-by: Mark Thompson (cherry picked from commit 40b74abfca39bf514333c3ebb6d6e946975057c3) Signed-off-by: Andreas Rheinhardt --- libavcodec/h264_redundant_pps_bsf.c | 40 +++++++++++++++++++---------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/libavcodec/h264_redundant_pps_bsf.c b/libavcodec/h264_redundant_pps_bsf.c index af247eef21..0b7888c97e 100644 --- a/libavcodec/h264_redundant_pps_bsf.c +++ b/libavcodec/h264_redundant_pps_bsf.c @@ -80,7 +80,7 @@ static int h264_redundant_pps_filter(AVBSFContext *bsf, AVPacket *out) err = ff_cbs_read_packet(ctx->input, au, in); if (err < 0) - return err; + goto fail; au_has_sps = 0; for (i = 0; i < au->nb_units; i++) { @@ -89,11 +89,15 @@ static int h264_redundant_pps_filter(AVBSFContext *bsf, AVPacket *out) if (nal->type == H264_NAL_SPS) au_has_sps = 1; if (nal->type == H264_NAL_PPS) { - h264_redundant_pps_fixup_pps(ctx, nal->content); + err = h264_redundant_pps_fixup_pps(ctx, nal->content); + if (err < 0) + goto fail; if (!au_has_sps) { av_log(bsf, AV_LOG_VERBOSE, "Deleting redundant PPS " "at %"PRId64".\n", in->pts); - ff_cbs_delete_unit(ctx->input, au, i); + err = ff_cbs_delete_unit(ctx->input, au, i); + if (err < 0) + goto fail; } } if (nal->type == H264_NAL_SLICE || @@ -105,17 +109,21 @@ static int h264_redundant_pps_filter(AVBSFContext *bsf, AVPacket *out) err = ff_cbs_write_packet(ctx->output, out, au); if (err < 0) - return err; + goto fail; - ff_cbs_fragment_uninit(ctx->output, au); err = av_packet_copy_props(out, in); if (err < 0) - return err; + goto fail; + err = 0; +fail: + ff_cbs_fragment_uninit(ctx->output, au); av_packet_free(&in); + if (err < 0) + av_packet_unref(out); - return 0; + return err; } static int h264_redundant_pps_init(AVBSFContext *bsf) @@ -138,25 +146,29 @@ static int h264_redundant_pps_init(AVBSFContext *bsf) err = ff_cbs_read_extradata(ctx->input, au, bsf->par_in); if (err < 0) { av_log(bsf, AV_LOG_ERROR, "Failed to read extradata.\n"); - return err; + goto fail; } for (i = 0; i < au->nb_units; i++) { - if (au->units[i].type == H264_NAL_PPS) - h264_redundant_pps_fixup_pps(ctx, au->units[i].content); + if (au->units[i].type == H264_NAL_PPS) { + err = h264_redundant_pps_fixup_pps(ctx, au->units[i].content); + if (err < 0) + goto fail; + } } ctx->extradata_pic_init_qp = ctx->current_pic_init_qp; err = ff_cbs_write_extradata(ctx->output, bsf->par_out, au); if (err < 0) { av_log(bsf, AV_LOG_ERROR, "Failed to write extradata.\n"); - return err; + goto fail; } - - ff_cbs_fragment_uninit(ctx->output, au); } - return 0; + err = 0; +fail: + ff_cbs_fragment_uninit(ctx->output, au); + return err; } static void h264_redundant_pps_flush(AVBSFContext *bsf) From 946d2893a918b8e4178c7623c1e224ea87d23654 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 18 Sep 2019 05:25:58 +0200 Subject: [PATCH 0631/1383] avcodec/cbs_h2645: Fix potential out-of-bounds array access The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice, as parameter sets with invalid ids were already filtered out during reading. Found via PVS-Studio (see ticket #8156). Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3333c3c67e8825a4468120bb8aa0943c72c03f3) Signed-off-by: Andreas Rheinhardt --- libavcodec/cbs_h2645.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index e929a8011d..e44b683b61 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -729,7 +729,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \ CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \ H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \ unsigned int id = ps_var->id_element; \ - if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \ + if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \ av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \ " id : %d.\n", id); \ return AVERROR_INVALIDDATA; \ From 96f18b64276b1172f344d729833bdb982d9d800f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 6 Oct 2019 07:23:14 +0200 Subject: [PATCH 0632/1383] avcodec/cinepakenc: Fix invalid shifts Fixes: left shift of 1 by 31 places cannot be represented in type 'int'. Affected the FATE-tests vsynth1-cinepak, vsynth2-cinepak and vsynth_lena-cinepak. Also fixes ticket #8220. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e3650dcfc9cde6ceccf7bbc225962da196e2a386) Signed-off-by: Andreas Rheinhardt --- libavcodec/cinepakenc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/cinepakenc.c b/libavcodec/cinepakenc.c index 93917fafe8..6024df0fba 100644 --- a/libavcodec/cinepakenc.c +++ b/libavcodec/cinepakenc.c @@ -544,8 +544,9 @@ static int encode_mode(CinepakEncContext *s, int h, uint8_t *last_data[4], int last_linesize[4], strip_info *info, unsigned char *buf) { - int x, y, z, flags, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA; + int x, y, z, bits, temp_size, header_ofs, ret = 0, mb_count = s->w * h / MB_AREA; int needs_extra_bit, should_write_temp; + uint32_t flags; unsigned char temp[64]; // 32/2 = 16 V4 blocks at 4 B each -> 64 B mb_info *mb; uint8_t *sub_scratch_data[4] = { 0 }, *sub_last_data[4] = { 0 }; @@ -599,7 +600,7 @@ static int encode_mode(CinepakEncContext *s, int h, flags = 0; for (y = x; y < FFMIN(x + 32, mb_count); y++) if (s->mb[y].best_encoding == ENC_V4) - flags |= 1 << (31 - y + x); + flags |= 1U << (31 - y + x); AV_WB32(&buf[ret], flags); ret += 4; @@ -626,13 +627,13 @@ static int encode_mode(CinepakEncContext *s, int h, for (x = 0; x < mb_count; x++) { mb = &s->mb[x]; - flags |= (mb->best_encoding != ENC_SKIP) << (31 - bits++); + flags |= (uint32_t)(mb->best_encoding != ENC_SKIP) << (31 - bits++); needs_extra_bit = 0; should_write_temp = 0; if (mb->best_encoding != ENC_SKIP) { if (bits < 32) - flags |= (mb->best_encoding == ENC_V4) << (31 - bits++); + flags |= (uint32_t)(mb->best_encoding == ENC_V4) << (31 - bits++); else needs_extra_bit = 1; } @@ -651,7 +652,7 @@ static int encode_mode(CinepakEncContext *s, int h, } if (needs_extra_bit) { - flags = (mb->best_encoding == ENC_V4) << 31; + flags = (uint32_t)(mb->best_encoding == ENC_V4) << 31; bits = 1; } From 325498af97b2104070fbea974281a393a898672c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 4 Sep 2019 00:50:11 +0200 Subject: [PATCH 0633/1383] avformat/matroskadec: Fix handling gigantic durations matroska_parse_block currently asserts that the duration is not equal to AV_NOPTS_VALUE, but there is nothing that actually guarantees this. It is easy to create (spec-compliant) files which run into this assert; so replace it and instead cap the duration to INT64_MAX, as the duration field of an AVPacket is an int64_t. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3714d452b894821591a2fbafdd1b8ef15abe4be6) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 6d30f9e27b..9f7d76f8ac 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3335,7 +3335,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, AVBufferRef *buf st = track->stream; if (st->discard >= AVDISCARD_ALL) return res; - av_assert1(block_duration != AV_NOPTS_VALUE); + if (block_duration > INT64_MAX) + block_duration = INT64_MAX; block_time = sign_extend(AV_RB16(data), 16); data += 2; From 7e8ce331a0f19ac9bbf39085a41d580eb8244b9d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 30 Aug 2019 15:18:29 +0200 Subject: [PATCH 0634/1383] avformat/matroskadec: Use right number of tracks When demuxing a Matroska/WebM file, streams are added for tracks and for attachments, so that the array containing the former can be NULL even when the corresponding AVFormatContext has streams. So check for there to be tracks in the MatroskaDemuxContext instead of just streams in the AVFormatContext before dereferencing the pointer to the tracks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 1ef30571a0a7150cb20c580bfc52af2a7101c20d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 9f7d76f8ac..78a463ba4f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3964,9 +3964,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } - if (!s->nb_streams) { + if (!matroska->tracks.nb_elem || !s->nb_streams) { matroska_read_close(s); - av_log(s, AV_LOG_ERROR, "No streams found\n"); + av_log(s, AV_LOG_ERROR, "No track found\n"); return AVERROR_INVALIDDATA; } From 1553fe1f72033719ac3f53e336856bd137a1a122 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 13 Jun 2020 23:58:32 +0200 Subject: [PATCH 0635/1383] avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer In certain error scenarios, the underlying Matroska demuxer was not properly closed, causing leaks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0841063ce6a2e664fb3986b0a255c57392cd9f02) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 78a463ba4f..2604f74bbd 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3965,14 +3965,17 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) return -1; } if (!matroska->tracks.nb_elem || !s->nb_streams) { - matroska_read_close(s); av_log(s, AV_LOG_ERROR, "No track found\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); - if (!buf) return AVERROR(ENOMEM); + if (!buf) { + ret = AVERROR(ENOMEM); + goto fail; + } av_dict_set(&s->streams[0]->metadata, DURATION, buf, 0); av_free(buf); @@ -3995,7 +3998,7 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) ret = webm_dash_manifest_cues(s, init_range); if (ret < 0) { av_log(s, AV_LOG_ERROR, "Error parsing Cues\n"); - return ret; + goto fail; } } @@ -4005,6 +4008,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) matroska->bandwidth, 0); } return 0; +fail: + matroska_read_close(s); + return ret; } static int webm_dash_manifest_read_packet(AVFormatContext *s, AVPacket *pkt) From 33985333ef34e7e630c4d88494583f0b531eaf30 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:24:55 +0200 Subject: [PATCH 0636/1383] avformat/omadec: Fix memleaks upon read_header failure Fixes possible leaks of id3v2 metadata as well as an AVDES struct in case the content is encrypted and an error happens lateron. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3d3ba43bc68ca90fe72d0fc390c9e5f5c7de1513) Signed-off-by: Andreas Rheinhardt --- libavformat/omadec.c | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 423d52b3aa..e6e855eb67 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -79,6 +79,13 @@ typedef struct OMAContext { int (*read_packet)(AVFormatContext *s, AVPacket *pkt); } OMAContext; +static int oma_read_close(AVFormatContext *s) +{ + OMAContext *oc = s->priv_data; + av_freep(&oc->av_des); + return 0; +} + static void hex_log(AVFormatContext *s, int level, const char *name, const uint8_t *value, int len) { @@ -403,11 +410,14 @@ static int oma_read_header(AVFormatContext *s) } ret = avio_read(s->pb, buf, EA3_HEADER_SIZE); - if (ret < EA3_HEADER_SIZE) + if (ret < EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); return -1; + } if (memcmp(buf, ((const uint8_t[]){'E', 'A', '3'}), 3) || buf[4] != 0 || buf[5] != EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); av_log(s, AV_LOG_ERROR, "Couldn't find the EA3 header !\n"); return AVERROR_INVALIDDATA; } @@ -426,8 +436,10 @@ static int oma_read_header(AVFormatContext *s) codec_params = AV_RB24(&buf[33]); st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } st->start_time = 0; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -442,7 +454,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (samplerate != 44100) avpriv_request_sample(s, "Sample rate %d", samplerate); @@ -459,8 +472,8 @@ static int oma_read_header(AVFormatContext *s) /* fake the ATRAC3 extradata * (wav format, makes stream copy to wav work) */ - if (ff_alloc_extradata(st->codecpar, 14)) - return AVERROR(ENOMEM); + if ((ret = ff_alloc_extradata(st->codecpar, 14)) < 0) + goto fail; edata = st->codecpar->extradata; AV_WL16(&edata[0], 1); // always 1 @@ -477,7 +490,8 @@ static int oma_read_header(AVFormatContext *s) if (!channel_id) { av_log(s, AV_LOG_ERROR, "Invalid ATRAC-X channel id: %"PRIu32"\n", channel_id); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->channel_layout = ff_oma_chid_to_native_layout[channel_id - 1]; st->codecpar->channels = ff_oma_chid_to_num_channels[channel_id - 1]; @@ -485,7 +499,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->sample_rate = samplerate; st->codecpar->bit_rate = samplerate * framesize / (2048 / 8); @@ -525,12 +540,16 @@ static int oma_read_header(AVFormatContext *s) break; default: av_log(s, AV_LOG_ERROR, "Unsupported codec %d!\n", buf[32]); - return AVERROR(ENOSYS); + ret = AVERROR(ENOSYS); + goto fail; } st->codecpar->block_align = framesize; return 0; +fail: + oma_read_close(s); + return ret; } static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) @@ -592,13 +611,6 @@ wipe: return err; } -static int oma_read_close(AVFormatContext *s) -{ - OMAContext *oc = s->priv_data; - av_free(oc->av_des); - return 0; -} - AVInputFormat ff_oma_demuxer = { .name = "oma", .long_name = NULL_IF_CONFIG_SMALL("Sony OpenMG audio"), From 430cf25553666adb28b6a54f9a535ef1d7debe9d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:37:40 +0200 Subject: [PATCH 0637/1383] avformat/mov: Fix memleaks upon read_header failure By default, a demuxer's read_close function is not called automatically if an error happens when reading the header; instead it is up to the demuxer to clean up after itself in this case. The mov demuxer did this by calling its read_close function when it encountered some errors when reading the header. Yet for other errors (mostly adding side-data to streams) this has been forgotten, so that all the internal structures of the demuxer leak. This commit fixes this by making sure mov_read_close is called when necessary. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ac378c535be907ee383dafb430be7216a2920982) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6d41823553..8825f2982b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7422,14 +7422,13 @@ static int mov_read_header(AVFormatContext *s) avio_seek(pb, 0, SEEK_SET); if ((err = mov_read_default(mov, pb, atom)) < 0) { av_log(s, AV_LOG_ERROR, "error reading header\n"); - mov_read_close(s); - return err; + goto fail; } } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->moov_retry++); if (!mov->found_moov) { av_log(s, AV_LOG_ERROR, "moov atom not found\n"); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb)); @@ -7482,7 +7481,7 @@ static int mov_read_header(AVFormatContext *s) } if (st->codecpar->codec_id == AV_CODEC_ID_DVD_SUBTITLE) { if ((err = mov_rewrite_dvd_sub_extradata(st)) < 0) - return err; + goto fail; } } if (mov->handbrake_version && @@ -7502,8 +7501,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } @@ -7518,8 +7517,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / sc->duration_for_fps; @@ -7543,8 +7542,7 @@ static int mov_read_header(AVFormatContext *s) case AVMEDIA_TYPE_AUDIO: err = ff_replaygain_export(st, s->metadata); if (err < 0) { - mov_read_close(s); - return err; + goto fail; } break; case AVMEDIA_TYPE_VIDEO: @@ -7552,7 +7550,7 @@ static int mov_read_header(AVFormatContext *s) err = av_stream_add_side_data(st, AV_PKT_DATA_DISPLAYMATRIX, (uint8_t*)sc->display_matrix, sizeof(int32_t) * 9); if (err < 0) - return err; + goto fail; sc->display_matrix = NULL; } @@ -7561,7 +7559,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->stereo3d, sizeof(*sc->stereo3d)); if (err < 0) - return err; + goto fail; sc->stereo3d = NULL; } @@ -7570,7 +7568,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->spherical, sc->spherical_size); if (err < 0) - return err; + goto fail; sc->spherical = NULL; } @@ -7579,7 +7577,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->mastering, sizeof(*sc->mastering)); if (err < 0) - return err; + goto fail; sc->mastering = NULL; } @@ -7588,7 +7586,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->coll, sc->coll_size); if (err < 0) - return err; + goto fail; sc->coll = NULL; } @@ -7602,6 +7600,9 @@ static int mov_read_header(AVFormatContext *s) mov->frag_index.item[i].headers_read = 1; return 0; +fail: + mov_read_close(s); + return err; } static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) From b9be0b6fe869d4045da0e78a7d3f92255f8eb680 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:04:29 +0200 Subject: [PATCH 0638/1383] avformat/aqtitledec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a86a5d06d8967d01964833456df1df9fc186f125) Signed-off-by: Andreas Rheinhardt --- libavformat/aqtitledec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index f0e840b0f7..317547c4f4 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -81,11 +81,11 @@ static int aqt_read_header(AVFormatContext *s) if (!new_event) { sub = ff_subtitles_queue_insert(&aqt->q, "\n", 1, 1); if (!sub) - return AVERROR(ENOMEM); + goto fail; } sub = ff_subtitles_queue_insert(&aqt->q, line, strlen(line), !new_event); if (!sub) - return AVERROR(ENOMEM); + goto fail; if (new_event) { sub->pts = frame; sub->duration = -1; @@ -97,6 +97,9 @@ static int aqt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &aqt->q); return 0; +fail: + ff_subtitles_queue_clean(&aqt->q); + return AVERROR(ENOMEM); } static int aqt_read_packet(AVFormatContext *s, AVPacket *pkt) From be57a2ce9efaa7ce5ed4d7e2d4d873f2a71137b4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:07:28 +0200 Subject: [PATCH 0639/1383] avformat/assdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or if creating the extradata failed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5ab39c2d8c1e5e00b48d758eee7d5ae435a99ef7) Signed-off-by: Andreas Rheinhardt --- libavformat/assdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/assdec.c b/libavformat/assdec.c index d89c14e5b8..3b580fc4d2 100644 --- a/libavformat/assdec.c +++ b/libavformat/assdec.c @@ -160,6 +160,8 @@ static int ass_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &ass->q); end: + if (res < 0) + ass_read_close(s); av_bprint_finalize(&header, NULL); av_bprint_finalize(&line, NULL); av_bprint_finalize(&rline, NULL); From aad3e8af01ba88f5c53673896eb2188de5823009 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:09:08 +0200 Subject: [PATCH 0640/1383] avformat/jacosubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c13a752733a9af955b032c55f704b748fe37dd19) Signed-off-by: Andreas Rheinhardt --- libavformat/jacosubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 520c435cc5..87dc649485 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -187,8 +187,10 @@ static int jacosub_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n"); continue; From 8201fd9a8a716eeba5a3a19530b4a3bb64d0da3c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:12:00 +0200 Subject: [PATCH 0641/1383] avformat/lrcdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d38694cea9f289b3f9dcce1a2f07746d029b35f3) Signed-off-by: Andreas Rheinhardt --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index f4e9a4efa9..45f0bf24a7 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -202,6 +202,7 @@ static int lrc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); if(!sub) { + ff_subtitles_queue_clean(&lrc->q); return AVERROR(ENOMEM); } sub->pos = pos; From f6b9f7531c3701af2f0c1a55eb367523d4ced4ff Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:16:15 +0200 Subject: [PATCH 0642/1383] avformat/microdvddec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when allocating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b12014a5b861959fd41a32ba3ff4cb139c56efcd) Signed-off-by: Andreas Rheinhardt --- libavformat/microdvddec.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index c2f1ac45cd..3c4727e325 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -81,7 +81,7 @@ static int microdvd_read_header(AVFormatContext *s) AVRational pts_info = (AVRational){ 2997, 125 }; /* default: 23.976 fps */ MicroDVDContext *microdvd = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - int i = 0; + int i = 0, ret; char line_buf[MAX_LINESIZE]; int has_real_fps = 0; @@ -116,8 +116,10 @@ static int microdvd_read_header(AVFormatContext *s) } if (!st->codecpar->extradata && sscanf(line, "{DEFAULT}{}%c", &c) == 1) { st->codecpar->extradata = av_strdup(line + 11); - if (!st->codecpar->extradata) - return AVERROR(ENOMEM); + if (!st->codecpar->extradata) { + ret = AVERROR(ENOMEM); + goto fail; + } st->codecpar->extradata_size = strlen(st->codecpar->extradata) + 1; continue; } @@ -135,8 +137,10 @@ static int microdvd_read_header(AVFormatContext *s) if (!*p) continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; sub->pts = get_pts(line); sub->duration = get_duration(line); @@ -153,6 +157,9 @@ static int microdvd_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_MICRODVD; return 0; +fail: + ff_subtitles_queue_clean(µdvd->q); + return ret; } static int microdvd_read_packet(AVFormatContext *s, AVPacket *pkt) From b6986da62c9a6abc1b8874ea9a376af9b6c1dd07 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:19:32 +0200 Subject: [PATCH 0643/1383] avformat/mpl2dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 331799747e7e995710f5dfc4d413cda35eb01289) Signed-off-by: Andreas Rheinhardt --- libavformat/mpl2dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index dfcdf5a564..0c111e9dc1 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -108,8 +108,10 @@ static int mpl2_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&mpl2->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&mpl2->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 368aa756c4019b4b2de01354f96efd6cbbff8ebc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:20:09 +0200 Subject: [PATCH 0644/1383] avformat/mpsubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon creating an AVStream. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a5ed8aeea4f4199e89520c3fdbd9d07ae7fc3c3f) Signed-off-by: Andreas Rheinhardt --- libavformat/mpsubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index fc1731f26e..4e6e2cb09c 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -97,8 +97,10 @@ static int mpsub_read_header(AVFormatContext *s) } st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + res = AVERROR(ENOMEM); + goto end; + } avpriv_set_pts_info(st, 64, pts_info.den, pts_info.num); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; From 1e13ef6c902c6ee74940e1ec385979775c85a349 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:03 +0200 Subject: [PATCH 0645/1383] avformat/pjsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9df560e8986640e20c62286f0baee2a80540accd) Signed-off-by: Andreas Rheinhardt --- libavformat/pjsdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index 448962bf8a..b4ae1fa10f 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -94,8 +94,10 @@ static int pjs_read_header(AVFormatContext *s) p[strcspn(p, "\"")] = 0; sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&pjs->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From a7ce7e09787d482c676c60e37d8df7688f99f7e3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:46 +0200 Subject: [PATCH 0646/1383] avformat/samidec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when creating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb) Signed-off-by: Andreas Rheinhardt --- libavformat/samidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index 7ea1bdfdd9..678fac0e17 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -108,6 +108,8 @@ static int sami_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &sami->q); end: + if (res < 0) + ff_subtitles_queue_clean(&sami->q); av_bprint_finalize(&buf, NULL); return res; } From 572da6c5c0c1f3f4fc690b4dd47f22338b361fa4 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:22:32 +0200 Subject: [PATCH 0647/1383] avformat/sccdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275) Signed-off-by: Andreas Rheinhardt --- libavformat/sccdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sccdec.c b/libavformat/sccdec.c index 89d21b9c1f..371d2d9d13 100644 --- a/libavformat/sccdec.c +++ b/libavformat/sccdec.c @@ -132,7 +132,7 @@ static int scc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&scc->q, out, i, 0); if (!sub) - return AVERROR(ENOMEM); + goto fail; sub->pos = pos; sub->pts = ts_start; @@ -144,6 +144,9 @@ static int scc_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &scc->q); return ret; +fail: + ff_subtitles_queue_clean(&scc->q); + return AVERROR(ENOMEM); } static int scc_read_packet(AVFormatContext *s, AVPacket *pkt) From 7186f4dd6329473bd8c0d1a29eed36f19cc5872c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:23:27 +0200 Subject: [PATCH 0648/1383] avformat/srtdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390) Signed-off-by: Andreas Rheinhardt --- libavformat/srtdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 56bd0c43f6..67b245a123 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -207,6 +207,8 @@ static int srt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &srt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&srt->q); av_bprint_finalize(&buf, NULL); return res; } From 2b387fb64ba6e1c42f51f6cda9fff97816f37451 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:24:23 +0200 Subject: [PATCH 0649/1383] avformat/stldec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f) Signed-off-by: Andreas Rheinhardt --- libavformat/stldec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/stldec.c b/libavformat/stldec.c index 35de49322c..87bf0724a9 100644 --- a/libavformat/stldec.c +++ b/libavformat/stldec.c @@ -97,8 +97,10 @@ static int stl_read_header(AVFormatContext *s) if (pts_start != AV_NOPTS_VALUE) { AVPacket *sub; sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&stl->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From ad723acc4354d23dd76598bd955bcf0d216c486f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:26:40 +0200 Subject: [PATCH 0650/1383] avformat/subviewer1dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewer1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/subviewer1dec.c b/libavformat/subviewer1dec.c index e579d1ca9a..90a430404b 100644 --- a/libavformat/subviewer1dec.c +++ b/libavformat/subviewer1dec.c @@ -77,8 +77,10 @@ static int subviewer1_read_header(AVFormatContext *s) sub->duration = pts_start - sub->pts; } else { sub = ff_subtitles_queue_insert(&subviewer1->q, line, len, 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&subviewer1->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From 4880156ea49e2462192653208e6cb99a6b170f3d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:11 +0200 Subject: [PATCH 0651/1383] avformat/subviewerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a708f652737eba08607df84394ca4bec6b458736) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewerdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index af084f4856..e8d1eb6c96 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -156,6 +156,8 @@ static int subviewer_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &subviewer->q); end: + if (res < 0) + ff_subtitles_queue_clean(&subviewer->q); av_bprint_finalize(&header, NULL); return res; } From e7d4683e4bb30572381d074a3eb0f8d9588c9481 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:43 +0200 Subject: [PATCH 0652/1383] avformat/tedcaptionsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if allocating the AVStream for the subtitles fails. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8) Signed-off-by: Andreas Rheinhardt --- libavformat/tedcaptionsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index cd6ab0c24b..527fe598e6 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -275,10 +275,13 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) static av_cold int tedcaptions_read_header(AVFormatContext *avf) { TEDCaptionsDemuxer *tc = avf->priv_data; - AVStream *st; + AVStream *st = avformat_new_stream(avf, NULL); int ret, i; AVPacket *last; + if (!st) + return AVERROR(ENOMEM); + ret = parse_file(avf->pb, &tc->subs); if (ret < 0) { if (ret == AVERROR_INVALIDDATA) @@ -292,9 +295,6 @@ static av_cold int tedcaptions_read_header(AVFormatContext *avf) tc->subs.subs[i].pts += tc->start_time; last = &tc->subs.subs[tc->subs.nb_subs - 1]; - st = avformat_new_stream(avf, NULL); - if (!st) - return AVERROR(ENOMEM); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; avpriv_set_pts_info(st, 64, 1, 1000); From db822733687c270a37200f25e7c4c8aa53438435 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:28:56 +0200 Subject: [PATCH 0653/1383] avformat/vplayerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c) Signed-off-by: Andreas Rheinhardt --- libavformat/vplayerdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index 49943d0d0e..feee9af873 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c @@ -83,8 +83,10 @@ static int vplayer_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&vplayer->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&vplayer->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From 1f09053c79aa65eb6729730ff5309b26f87e79a7 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:29:17 +0200 Subject: [PATCH 0654/1383] avformat/webvttdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31) Signed-off-by: Andreas Rheinhardt --- libavformat/webvttdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/webvttdec.c b/libavformat/webvttdec.c index 0aeb8a63f4..8e9c562683 100644 --- a/libavformat/webvttdec.c +++ b/libavformat/webvttdec.c @@ -165,6 +165,8 @@ static int webvtt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &webvtt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&webvtt->q); av_bprint_finalize(&cue, NULL); av_bprint_finalize(&header, NULL); return res; From e041c0111f2abdeabb6af87127e52ce6199b1813 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:35:41 +0200 Subject: [PATCH 0655/1383] avformat/matroskaenc: Don't use NULL for %s format string The argument pertaining to a printf %s conversion specifier must not be NULL, even if the precision (i.e. the number of characters to write) is zero. If it is NULL, it is undefined behaviour. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index e2f5e8d26f..98ffc10dff 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2235,17 +2235,19 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *p MatroskaMuxContext *mkv = s->priv_data; ebml_master blockgroup; int id_size, settings_size, size; - uint8_t *id, *settings; + const char *id, *settings; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; const int flags = 0; id_size = 0; id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size); + id = id ? id : ""; settings_size = 0; settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS, &settings_size); + settings = settings ? settings : ""; size = id_size + 1 + settings_size + 1 + pkt->size; From 0e36bf6bb5799b97c3c23bd8df93f985435e5c37 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 09:19:38 +0200 Subject: [PATCH 0656/1383] avformat/mov: Fix memleak upon encountering repeating tags mov_read_custom tries to read three strings belonging to three different tags. When an already encountered tag is encountered again, a new buffer for the string to be read is allocated and stored in the pointer destined for this particular tag. But in this scenario, said pointer already holds the address of the string read earlier, leading to a leak. This commit therefore aborts the reading process upon encountering an already encountered tag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8825f2982b..203bc8fd8d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4382,6 +4382,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else break; + if (*p) + break; + *p = av_malloc(len + 1); if (!*p) { ret = AVERROR(ENOMEM); From 327ec8723def3707a200a450a45b3fff386684dd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 20:54:46 +0200 Subject: [PATCH 0657/1383] avformat/mov: Fix reel_name size check Only read str_size bytes from offset 30 of extradata if the extradata is indeed at least 30 + str_size bytes long. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 203bc8fd8d..48c74eb8aa 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2329,7 +2329,7 @@ FF_ENABLE_DEPRECATION_WARNINGS uint32_t format = AV_RB32(st->codecpar->extradata + 22); if (format == AV_RB32("name") && (int64_t)size >= (int64_t)len + 18) { uint16_t str_size = AV_RB16(st->codecpar->extradata + 26); /* string length */ - if (str_size > 0 && size >= (int)str_size + 26) { + if (str_size > 0 && size >= (int)str_size + 30) { char *reel_name = av_malloc(str_size + 1); if (!reel_name) return AVERROR(ENOMEM); From 2fdd500efef80abc594dc104378c5b6a838aea4d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 15:48:31 +0200 Subject: [PATCH 0658/1383] libavformat/mov: Fix memleaks when demuxing DV audio The code for demuxing DV audio predates the introduction of refcounted packets and when the latter was added, changes to the former were forgotten. This meant that when avpriv_dv_produce_packet initialized the packet containing the AVBufferRef, the AVBufferRef as well as the underlying AVBuffer leaked; the actual packet data didn't leak: They were directly freed, but not via their AVBuffer's free function. https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2 contains samples for this (enable_drefs needs to be enabled for them). Moreover, errors in avpriv_dv_produce_packet were ignored; this has been changed, too. Furthermore, in the hypothetical scenario that the track has a palette, this would leak, too, so reorder the code so that the palette code appears after the DV audio code. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 48c74eb8aa..10dd3e2378 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7750,6 +7750,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } return ret; } +#if CONFIG_DV_DEMUXER + if (mov->dv_demux && sc->dv_audio_container) { + AVBufferRef *buf = pkt->buf; + ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); + pkt->buf = buf; + av_packet_unref(pkt); + if (ret < 0) + return ret; + ret = avpriv_dv_get_packet(mov->dv_demux, pkt); + if (ret < 0) + return ret; + } +#endif if (sc->has_palette) { uint8_t *pal; @@ -7761,16 +7774,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->has_palette = 0; } } -#if CONFIG_DV_DEMUXER - if (mov->dv_demux && sc->dv_audio_container) { - avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_freep(&pkt->data); - pkt->size = 0; - ret = avpriv_dv_get_packet(mov->dv_demux, pkt); - if (ret < 0) - return ret; - } -#endif if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) st->need_parsing = AVSTREAM_PARSE_FULL; From 5b1270a1f7830db1fcfa874a5d24a75fc0a7c280 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 28 Jun 2020 11:15:39 +0800 Subject: [PATCH 0659/1383] avformat/mov: fix memleaks Fix two cases of memleaks: 1. The leak of dv_demux 2. The leak of dv_fctx upon dv_demux allocate failure Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 10dd3e2378..9f3e2a8688 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7233,10 +7233,9 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->coll); } - if (mov->dv_demux) { - avformat_free_context(mov->dv_fctx); - mov->dv_fctx = NULL; - } + av_freep(&mov->dv_demux); + avformat_free_context(mov->dv_fctx); + mov->dv_fctx = NULL; if (mov->meta_keys) { for (i = 1; i < mov->meta_keys_count; i++) { From f061fe9aa1845183a6f4e3b119f310771bb2774f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2020 01:38:21 +0100 Subject: [PATCH 0660/1383] avcodec/vmdaudio: Check block_align more Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 19788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5743379690553344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 06f6857b54a7fbbd087b0803f75bed44abed50d9) Signed-off-by: Michael Niedermayer --- libavcodec/vmdaudio.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index c7826fa3ce..dfbd49fd84 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -76,7 +76,9 @@ static av_cold int vmdaudio_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); return AVERROR(EINVAL); } - if (avctx->block_align < 1 || avctx->block_align % avctx->channels) { + if (avctx->block_align < 1 || avctx->block_align % avctx->channels || + avctx->block_align > INT_MAX - avctx->channels + ) { av_log(avctx, AV_LOG_ERROR, "invalid block align\n"); return AVERROR(EINVAL); } From f2a0bde8f3008a737f22cce80656cfddc79fdbe6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 19:37:46 +0100 Subject: [PATCH 0661/1383] avcodec/vc1dec: Limit bits by the actual bitstream size Fixes: Timeout (350 ->19sec) Fixes: 19249/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6566896438870016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c56a52a82c0a4039e606e82b948a8abfe417f35f) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index fcc482e7eb..7f62099626 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1033,7 +1033,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ff_mpeg_er_frame_start(s); - v->bits = buf_size * 8; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); v->end_mb_x = s->mb_width; if (v->field_mode) { s->current_picture.f->linesize[0] <<= 1; @@ -1107,8 +1107,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, continue; } ff_vc1_decode_blocks(v); - if (i != n_slices) + if (i != n_slices) { s->gb = slices[i].gb; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); + } } if (v->field_mode) { v->second_field = 0; From fabd42043a833f65328d36114b2366cb9905e576 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 20:18:07 +0100 Subject: [PATCH 0662/1383] avcodec/vc1dec: Check field_mode for sprites Fixes: Out of array read Fixes: 19263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5389219325542400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32fb9198360402941e49aa878b9d33737b654f62) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 7f62099626..26cacc662c 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -854,7 +854,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - + if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) + && v->field_mode) { + av_log(v->s.avctx, AV_LOG_ERROR, "Sprite decoder: expected Frames not Fields\n"); + ret = AVERROR_INVALIDDATA; + goto err; + } if ((s->mb_height >> v->field_mode) == 0) { av_log(v->s.avctx, AV_LOG_ERROR, "image too short\n"); ret = AVERROR_INVALIDDATA; From 84048cf37f518ab79e1a43b7acbe031f112685c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:38:13 +0100 Subject: [PATCH 0663/1383] avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp() Fixes: signed integer overflow: -1114392282 * 2 cannot be represented in type 'int' Fixes: 19236/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5741678938030080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0bd5fa43d193aa389bea7c5176b2fe23f6eeddd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index fc9a8d54cc..ab668594d2 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -486,14 +486,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, if (refl_coeff > 0) { gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15; - fact = 0x4000; // 0.5 in (0.15) - sh_fact = 15; + fact = 0x2000; // 0.5 in (0.15) + sh_fact = 14; } else { gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15; - fact = 0x800; // 0.5 in (3.12) - sh_fact = 12; + fact = 0x400; // 0.5 in (3.12) + sh_fact = 11; } - ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt)); + ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt)); gt >>= 1; /* Apply tilt compensation filter to signal. */ @@ -503,12 +503,12 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; tmp2 = res_pst[i] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[i] = tmp2; } tmp2 = (gt * ht_prev_data) * 2 + 0x4000; tmp2 = res_pst[0] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[0] = tmp2; return tmp; From b36592ce07fb81b5035f9b6cfbeab5c7c5e2c36e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:42:54 +0100 Subject: [PATCH 0664/1383] avcodec/alac: Fix integer overflow in LPC coefficient adaption Fixes: signed integer overflow: 267693597 * 10 cannot be represented in type 'int' Fixes: 19237/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5755407700328448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a865cec5e7584ef476f394fc55c1fc91cec1a14) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index c9ca025186..cf0f4fc147 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -228,7 +228,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; val *= (unsigned)sign; - error_val -= (val >> lpc_quant) * (j + 1); + error_val -= (val >> lpc_quant) * (j + 1U); } } } From 7be077fcf88d1cb0c81e1ba761288ab82e4d7bc9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 00:14:16 +0100 Subject: [PATCH 0665/1383] avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 19235/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_EA_EACS_fuzzer-5680878952382464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 794352ae9d1cb32b4b9e45d3affb83763f4ee12e) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 4c3886a457..f7995d7bac 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1147,7 +1147,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } for (i=0; i<=st; i++) { c->status[i].predictor = bytestream2_get_le32u(&gb); - if (FFABS(c->status[i].predictor) > (1<<16)) + if (FFABS((int64_t)c->status[i].predictor) > (1<<16)) return AVERROR_INVALIDDATA; } From 94a1280fb0b1a1cf34c7f28d2c2d2e42c42840b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2019 19:19:49 +0100 Subject: [PATCH 0666/1383] avcodec/cbs_h2645: Skip all 0 NAL units Fixes: assertion failure Fixes: 19286/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-5707990724509696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 285138ef14327ec71f356e3a923c4adde0874dc6) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index e44b683b61..54a593464b 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -544,7 +544,10 @@ static int cbs_h2645_fragment_add_nals(CodedBitstreamContext *ctx, // Remove trailing zeroes. while (size > 0 && nal->data[size - 1] == 0) --size; - av_assert0(size > 0); + if (size == 0) { + av_log(ctx->log_ctx, AV_LOG_VERBOSE, "Discarding empty 0 NAL unit\n"); + continue; + } data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!data) From 623ecb2ec855fbf0cf5e75928d063a07aa705e3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2020 00:32:55 +0100 Subject: [PATCH 0667/1383] avcodec/wmalosslessdec: move channel check up Fixes: out of array access Fixes: 2nd part of 18429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-6210814364614656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 891bcc4acc93e0c5a75ab7a9da668df84a0edba7) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d47fd89c52..220488df3c 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -189,6 +189,16 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR(EINVAL); } + if (avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", + avctx->channels); + return AVERROR_INVALIDDATA; + } else if (avctx->channels > WMALL_MAX_CHANNELS) { + avpriv_request_sample(avctx, + "More than %d channels", WMALL_MAX_CHANNELS); + return AVERROR_PATCHWELCOME; + } + s->max_frame_size = MAX_FRAMESIZE * avctx->channels; s->frame_data = av_mallocz(s->max_frame_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->frame_data) @@ -267,16 +277,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ++s->lfe_channel; } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %"PRId8"\n", - s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMALL_MAX_CHANNELS) { - avpriv_request_sample(avctx, - "More than %d channels", WMALL_MAX_CHANNELS); - return AVERROR_PATCHWELCOME; - } - s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 831ac9ad46c63267493ab3557f00a17fa7797c73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Dec 2019 23:50:27 +0100 Subject: [PATCH 0668/1383] avcodec/cbs_av1: Check leb128 values read "It is a requirement of bitstream conformance that the value returned from the leb128 parsing process is less than or equal to (1 << 32) - 1." Fixes: assertion failure Fixes: 19293/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5749508361420800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a70d8363648fdd380df7f2ed39eaccf08d406e6a) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c index ff1323de3d..e805b4c043 100644 --- a/libavcodec/cbs_av1.c +++ b/libavcodec/cbs_av1.c @@ -171,6 +171,9 @@ static int cbs_av1_read_leb128(CodedBitstreamContext *ctx, GetBitContext *gbc, break; } + if (value > UINT32_MAX) + return AVERROR_INVALIDDATA; + if (ctx->trace_enable) ff_cbs_trace_syntax_element(ctx, position, name, NULL, "", value); From a0d0e9b245b9f654b719d7c665dd9f2f4f5d16e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Dec 2019 00:38:29 +0100 Subject: [PATCH 0669/1383] avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy() Fixes: invalid memcpy use Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e23b5a706cd378ed07a200dfee656b38504f165) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 09bce5b34c..d0f1b94f0e 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -164,7 +164,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) if (ret < 0) goto fail; - if (add_extradata) + if (extra_size) memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size); AV_WB32(out->data + prev_size + extra_size, 1); bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size); From 88326e29dc683b6168cb697773abf1fd9059cadf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Dec 2019 00:50:21 +0100 Subject: [PATCH 0670/1383] avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow Fixes: Out of array access Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8ceb2a72fa1bef4ab5f1ec6cdc7ce74fffda19d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index d0f1b94f0e..baa93628ed 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -152,8 +152,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) extra_size = add_extradata * ctx->par_out->extradata_size; got_irap |= is_irap; - if (SIZE_MAX - nalu_size < 4 || - SIZE_MAX - 4 - nalu_size < extra_size) { + if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) { ret = AVERROR_INVALIDDATA; goto fail; } From 0ec11133d928f0d64531528c8bf4c04d9b314046 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0671/1383] swscale/swscale: Fix several invalid shifts related to vChrDrop Fixes: Invalid shifts Fixes: #8166 Fixes: filter-crop_scale_vflip FATE-test Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a6ca22c11834c0ff075592e3f051d41068c407db) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 40695503ad..36f7aa9a03 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -300,8 +300,8 @@ static int swscale(SwsContext *c, const uint8_t *src[], srcStride[2] = srcStride[3] = srcStride[0]; } - srcStride[1] <<= c->vChrDrop; - srcStride[2] <<= c->vChrDrop; + srcStride[1] *= 1 << c->vChrDrop; + srcStride[2] *= 1 << c->vChrDrop; DEBUG_BUFFERS("swscale() %p[%d] %p[%d] %p[%d] %p[%d] -> %p[%d] %p[%d] %p[%d] %p[%d]\n", src[0], srcStride[0], src[1], srcStride[1], From f541744f735d0773177f40da81e64f3401cadbc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0672/1383] swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template() Fixes: Invalid shifts Fixes: #8320 Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 7b7f97532b2ac8836d8d8e3c71dd026e35ae1ca7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index d7c53e60d9..86ead1fc94 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -2099,7 +2099,7 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, if (uvalpha < 2048) { int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; + int Y = buf0[i] * 4; int U = (ubuf0[i] - (128<<7)) * 4; int V = (vbuf0[i] - (128<<7)) * 4; @@ -2116,9 +2116,9 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, const int16_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; - int U = (ubuf0[i] + ubuf1[i] - (128<<8)) << 1; - int V = (vbuf0[i] + vbuf1[i] - (128<<8)) << 1; + int Y = buf0[i] * 4; + int U = (ubuf0[i] + ubuf1[i] - (128<<8)) * 2; + int V = (vbuf0[i] + vbuf1[i] - (128<<8)) * 2; if (hasAlpha) { A = (abuf0[i] + 64) >> 7; From cfd165dda7c0914de592a9d13efdb5640ae8ee8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0673/1383] swscale/input: Fix several invalid shifts related to rgb2yuv constants Fixes: Invalid shifts Fixes: #8140 Fixes: #8146 Signed-off-by: Michael Niedermayer (cherry picked from commit d48e510124d0fea24e2ec27271687c92e4428a18) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 4099c19c2b..172f5b2b0f 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -286,8 +286,8 @@ static av_always_inline void rgb16_32ToUV_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh; + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh); const unsigned rnd = (256u<<((S)-1)) + (1<<(S-7)); int i; @@ -314,8 +314,8 @@ static av_always_inline void rgb16_32ToUV_half_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh, + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh), maskgx = ~(maskr | maskb); const unsigned rnd = (256U<<(S)) + (1<<(S-6)); int i; From b7b8aeef138c1e0425fc803dead0c9022e9cde5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 20:45:06 +0100 Subject: [PATCH 0674/1383] avfilter/vf_find_rect: Increase worst case score score could be 1.0 which lead to uninitialized values Signed-off-by: Michael Niedermayer (cherry picked from commit 6ff2474e02200dce7abdea3fd211fcaf49691c2c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_find_rect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index d7e6579af7..458252a7ba 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c @@ -159,7 +159,7 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, if (pass + 1 <= maxpass) { int sub_x, sub_y; - search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 1.0); + search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 2.0); xmin = FFMAX(xmin, 2*sub_x - 4); xmax = FFMIN(xmax, 2*sub_x + 4); ymin = FFMAX(ymin, 2*sub_y - 4); @@ -198,7 +198,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) FFMIN(foc->xmax, foc->last_x + 8), FFMAX(foc->ymin, foc->last_y - 8), FFMIN(foc->ymax, foc->last_y + 8), - &best_x, &best_y, 1.0); + &best_x, &best_y, 2.0); best_score = search(foc, 0, foc->mipmaps - 1, foc->xmin, foc->xmax, foc->ymin, foc->ymax, &best_x, &best_y, best_score); From 7a7be53ac5330ba86e573f47a998478cb455cf92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 20:45:07 +0100 Subject: [PATCH 0675/1383] avfilter/vf_find_rect: Remove assert A score of 0 is possible Fixes: Ticket8500 Reviewed-by: Paul B Mahol Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit dfc471488675aa257183745502d0074055db3bd2) Signed-off-by: Michael Niedermayer --- libavfilter/vf_find_rect.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index 458252a7ba..706e59cefe 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c @@ -22,7 +22,6 @@ * @todo switch to dualinput */ -#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/opt.h" #include "internal.h" @@ -169,7 +168,6 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, for (y = ymin; y <= ymax; y++) { for (x = xmin; x <= xmax; x++) { float score = compare(foc->haystack_frame[pass], foc->needle_frame[pass], x, y); - av_assert0(score != 0); if (score < best_score) { best_score = score; *best_x = x; From e1bea6d4121801f5b42112246754d7d2efd97cb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Jan 2020 22:11:45 +0100 Subject: [PATCH 0676/1383] avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32() Fixes: Segfault (not reproducable with asm, which made this hard to debug) Fixes: decoding errors Fixes: 19854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5729372837511168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0694b60b7b4892eac1d6e2aca64de9e0cb096486) Signed-off-by: Michael Niedermayer --- libavcodec/x86/diracdsp.asm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/x86/diracdsp.asm b/libavcodec/x86/diracdsp.asm index cc8a26fca5..a18bda113e 100644 --- a/libavcodec/x86/diracdsp.asm +++ b/libavcodec/x86/diracdsp.asm @@ -294,8 +294,9 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h add srcq, mmsize add dstq, mmsize - sub tot_hd, 4 + sub tot_hq, 4 jg .loop_h + lea srcq, [srcq + 4*tot_hq] add r3, strideq dec tot_vd From 57278dac15cba65b34717ff3e2c97c4303bb6581 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jan 2020 23:24:15 +0100 Subject: [PATCH 0677/1383] avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM IFF-PBM-HAM6 can read out of array without this overallocation Fixes: Out of array read Fixes: 19752/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5675331403120640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8652f4e7a15e56fadf9697188c1ed42c9981db82) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index a03f80ce53..72e3ae73b2 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -332,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx, int i, count = FFMIN(palette_size / 3, 1 << s->ham); int ham_count; const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata); + int extra_space = 1; + + if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4) + extra_space = 4; s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_buf) return AVERROR(ENOMEM); ham_count = 8 * (1 << s->ham); - s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); + s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_palbuf) { av_freep(&s->ham_buf); return AVERROR(ENOMEM); From 3f42af03427100d38657b0940c50c89d0c9cc812 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2020 22:32:04 +0100 Subject: [PATCH 0678/1383] avcodec/rawdec: Use linesize in b64a Fixes: out of array access Fixes: 19750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RAWVIDEO_fuzzer-5074834119983104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b5b9d5dac9a3525d7330662724c0e9045078bfb) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 0b2d8708e6..a110a690f5 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -467,10 +467,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, avctx->pix_fmt == AV_PIX_FMT_RGBA64BE) { uint8_t *dst = frame->data[0]; uint64_t v; - int x; - for (x = 0; x >> 3 < avctx->width * avctx->height; x += 8) { - v = AV_RB64(&dst[x]); - AV_WB64(&dst[x], v << 16 | v >> 48); + int x, y; + for (y = 0; y < avctx->height; y++) { + for (x = 0; x >> 3 < avctx->width; x += 8) { + v = AV_RB64(&dst[x]); + AV_WB64(&dst[x], v << 16 | v >> 48); + } + dst += frame->linesize[0]; } } From b7c2f4d298f31c38c97b9249837c567f3bd5ff43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2020 20:43:05 +0100 Subject: [PATCH 0679/1383] avcodec/smacker: Check space before decoding type Fixes: Timeout (232sec -> 280ms) Fixes: 19682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5654129649385472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6f5c18da5977a3214e1ea30e6b0c0d9d858ce83d) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 3e3eed9f7e..e9810b1be7 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -391,6 +391,8 @@ static av_always_inline int smk_get_code(GetBitContext *gb, int *recode, int *la int v; while(*table & SMK_NODE) { + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(gb)) table += (*table) & (~SMK_NODE); table++; @@ -455,6 +457,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint16_t pix; type = smk_get_code(&gb, smk->type_tbl, smk->type_last); + if (type < 0) + return type; run = block_runs[(type >> 2) & 0x3F]; switch(type & 3){ case SMK_BLK_MONO: From 109cab14878f5e71606d56231c0a6028cfe95875 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:55:16 +0100 Subject: [PATCH 0680/1383] avcodec/apedec: Fix undefined integer overflow in decode_array_0000() Fixes: signed integer overflow: -2143289344 - 6246400 cannot be represented in type 'int' Fixes: 19239/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5173755680915456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3655bb02c21e70573335e9396632f64b2589536) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 95bcc0c413..19678a3ef0 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, ksummin = rice->k ? (1 << rice->k + 6) : 0; for (; i < blockstodecode; i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); - rice->ksum += out[i] - out[i - 64]; + rice->ksum += out[i] - (unsigned)out[i - 64]; while (rice->ksum < ksummin) { rice->k--; ksummin = rice->k ? ksummin >> 1 : 0; From 862c0048ec39085bc43bdc61b22e012466147e21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2020 02:06:36 +0100 Subject: [PATCH 0681/1383] avcodec/wmalosslessdec: Fix multiple integer overflows Fixes: left shift of 3329 by 20 places cannot be represented in type 'int' Fixes: signed integer overflow: -199378355 + -1948950833 cannot be represented in type 'int' Fixes: 19837/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5752565837070336 Fixes: 19839/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5767483265122304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 422202516cfb6239abb4e20db9f628f3899a76e2) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 220488df3c..c72b9fdc05 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -535,7 +535,8 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size) i++; } for (; i < tile_size; i++) { - int quo = 0, rem, rem_bits, residue; + int rem, rem_bits; + unsigned quo = 0, residue; while(get_bits1(&s->gb)) { quo++; if (get_bits_left(&s->gb) <= 0) @@ -774,7 +775,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ From e1146c8b7255f18e3768a0332b9f0f30ce26af06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Jan 2020 12:09:08 +0100 Subject: [PATCH 0682/1383] avformat/mov: Check STCO location Fixes: bypassing of checks and assertion failure Fixes: asan_1003879.mp4 Found-by: Clusterfuzz + asan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 1cd41840208bce7e690a4ccc48077567418a0aa8) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9f3e2a8688..8ca2e90bdb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1980,6 +1980,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned int i, entries; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STCO outside TRAK\n"); + return 0; + } if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; From 9ed9c8cc51051c6a234b08853aafbbddd1478ca0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2020 22:04:06 +0100 Subject: [PATCH 0683/1383] avcodec/x86/diracdsp: Fix high bits on Windows x86_64 Found-by: james (cherry picked from commit 24af459d1e568fd134476f305f4fba23bf2c386a) Signed-off-by: Michael Niedermayer --- libavcodec/x86/diracdsp.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/diracdsp.asm b/libavcodec/x86/diracdsp.asm index a18bda113e..17145baf87 100644 --- a/libavcodec/x86/diracdsp.asm +++ b/libavcodec/x86/diracdsp.asm @@ -274,7 +274,7 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h movd m3, qsd SPLATD m2 SPLATD m3 - mov r4, tot_hq + mov r4d, tot_hd mov r3, dstq .loop_v: From 51c084bf728e7900c0606d54257ac7474b2db6fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Jan 2020 21:54:22 +0100 Subject: [PATCH 0684/1383] avcodec/avdct: Clear IDCTDSPContext context Fixes use of uninitialized variable and segfault Reviewed-by: Paul B Mahol Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit b82825eba837f7cbb24c1d66e93285d029307417) Signed-off-by: Michael Niedermayer --- libavcodec/avdct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avdct.c b/libavcodec/avdct.c index 47e5f7134e..7c761cf39a 100644 --- a/libavcodec/avdct.c +++ b/libavcodec/avdct.c @@ -100,7 +100,7 @@ int avcodec_dct_init(AVDCT *dsp) #if CONFIG_IDCTDSP { - IDCTDSPContext idsp; + IDCTDSPContext idsp = {0}; ff_idctdsp_init(&idsp, avctx); COPY(idsp, idct); COPY(idsp, idct_permutation); From 5e83098085edfdbbb5b5595c66e48081f6ada374 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 23:25:42 +0100 Subject: [PATCH 0685/1383] avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel() Fixes: left shift of negative value -2 Fixes: 20305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5677196618498048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Jai Luthra Signed-off-by: Michael Niedermayer (cherry picked from commit fcc9f13717c8c3fe08ca5caf957c39e76ea35e4f) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 32a4503b64..12bef3a721 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -79,7 +79,7 @@ void ff_mlp_rematrix_channel(int32_t *samples, if (matrix_noise_shift) { index &= access_unit_size_pow2 - 1; - accum += noise_buffer[index] << (matrix_noise_shift + 7); + accum += noise_buffer[index] * (1 << (matrix_noise_shift + 7)); index += index2; } From bc77d29d9ea3a3b360779f25bcd3fa8b1c9a95cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2020 21:51:11 +0100 Subject: [PATCH 0686/1383] avcodec/snappy: Sanity check bytestream2_get_levarint() Fixes: left shift of 79 by 28 places cannot be represented in type 'int' Fixes: 20202/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5719004081815552 Fixes: 20219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5641738677125120 Fixes: 20389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5680721517871104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be54da2117a6f58c14283f2511e71fda8d3bfe9d) Signed-off-by: Michael Niedermayer --- libavcodec/snappy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snappy.c b/libavcodec/snappy.c index 7900b0f978..f5c4c6578b 100644 --- a/libavcodec/snappy.c +++ b/libavcodec/snappy.c @@ -39,6 +39,8 @@ static int64_t bytestream2_get_levarint(GetByteContext *gb) do { tmp = bytestream2_get_byte(gb); + if (shift > 31 || ((tmp & 127LL) << shift) > INT_MAX) + return AVERROR_INVALIDDATA; val |= (tmp & 127) << shift; shift += 7; } while (tmp & 128); From 958db2c43895e2cc58eea1203601746519c2e3e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Dec 2019 00:07:50 +0100 Subject: [PATCH 0687/1383] avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF Fixes: left shift of 32 by 28 places cannot be represented in type 'int' Fixes: 19472/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_LXF_fuzzer-5704364320096256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 985d3666f672781152f4b68093740ea6a9888194) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 41f749c946..9a0f4b2da5 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -515,7 +515,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, dst_int32_t = (int32_t *)frame->extended_data[c]; for (i = 0; i < n; i++) { // extract low 20 bits and expand to 32 bits - *dst_int32_t++ = (src[2] << 28) | + *dst_int32_t++ = ((uint32_t)src[2]<<28) | (src[1] << 20) | (src[0] << 12) | ((src[2] & 0x0F) << 8) | From 20c0ea160ec7cd71cf766236ccf212ba5883a342 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Dec 2019 22:27:37 +0100 Subject: [PATCH 0688/1383] avcodec/wmavoice: sanity check block_align This limit is roughly based on the bitreader limit, its likely a much tighter limit could be used Fixes: left shift of 1965039647 by 1 places cannot be represented in type 'int' Fixes: 19545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5695391899320320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6847e22c8c85b80bf1d25ec66f77f7ccbcf43aed) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 8df67de65b..8c27ed7db8 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -386,7 +386,7 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) ctx->extradata_size); return AVERROR_INVALIDDATA; } - if (ctx->block_align <= 0) { + if (ctx->block_align <= 0 || ctx->block_align > (1<<22)) { av_log(ctx, AV_LOG_ERROR, "Invalid block alignment %d.\n", ctx->block_align); return AVERROR_INVALIDDATA; } From 9f3047384674217bc988128b5ebbe7a397fca741 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 15:27:44 +0100 Subject: [PATCH 0689/1383] avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response() Fixes: out of array access Fixes: inf is outside the range of representable values of type 'int' Fixes: signed integer overflow: -9223372036854775808 - 1 cannot be represented in type 'long' Fixes: 19316/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5677369365102592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38d37584448731f90977132b838d50ff1a28811b) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 8c27ed7db8..43a1d055a7 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -636,12 +636,14 @@ static void calc_input_response(WMAVoiceContext *s, float *lpcs, for (n = 0; n <= 64; n++) { float pwr; - idx = FFMAX(0, lrint((max - lpcs[n]) * irange) - 1); + idx = lrint((max - lpcs[n]) * irange - 1); + idx = FFMAX(0, idx); pwr = wmavoice_denoise_power_table[s->denoise_strength][idx]; lpcs[n] = angle_mul * pwr; /* 70.57 =~ 1/log10(1.0331663) */ - idx = (pwr * gain_mul - 0.0295) * 70.570526123; + idx = av_clipf((pwr * gain_mul - 0.0295) * 70.570526123, 0, INT_MAX / 2); + if (idx > 127) { // fall back if index falls outside table range coeffs[n] = wmavoice_energy_table[127] * powf(1.0331663, idx - 127); From af1bfe5bc3102cebb35c64a69e115268a2b42fc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jan 2020 23:01:12 +0100 Subject: [PATCH 0690/1383] avcodec/dca_lbr: Fix some error codes and error passing Signed-off-by: Michael Niedermayer (cherry picked from commit bfea054a75f17d140f2f171056a801c4c89f6d26) Signed-off-by: Michael Niedermayer --- libavcodec/dca_lbr.c | 162 +++++++++++++++++++++++++------------------ 1 file changed, 93 insertions(+), 69 deletions(-) diff --git a/libavcodec/dca_lbr.c b/libavcodec/dca_lbr.c index 3b50a99cf6..747fdafd3e 100644 --- a/libavcodec/dca_lbr.c +++ b/libavcodec/dca_lbr.c @@ -154,7 +154,7 @@ static int parse_lfe_24(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_24[step_i]; @@ -208,7 +208,7 @@ static int parse_lfe_16(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_16[step_i]; @@ -246,14 +246,17 @@ static int parse_lfe_16(DCALbrDecoder *s) static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!(s->flags & LBR_FLAG_LFE_PRESENT)) return 0; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Determine bit depth from chunk size if (chunk->len >= 52) @@ -262,7 +265,7 @@ static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) return parse_lfe_16(s); av_log(s->avctx, AV_LOG_ERROR, "LFE chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } static inline int parse_vlc(GetBitContext *s, VLC *vlc, int max_depth) @@ -291,13 +294,13 @@ static int parse_tonal(DCALbrDecoder *s, int group) for (freq = 1;; freq++) { if (get_bits_left(&s->gb) < 1) { av_log(s->avctx, AV_LOG_ERROR, "Tonal group chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = parse_vlc(&s->gb, &ff_dca_vlc_tnl_grp[group], 2); if (diff >= FF_ARRAY_ELEMS(ff_dca_fst_amp)) { av_log(s->avctx, AV_LOG_ERROR, "Invalid tonal frequency diff\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = get_bitsz(&s->gb, diff >> 2) + ff_dca_fst_amp[diff]; @@ -307,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group) freq += diff - 2; if (freq >> (5 - group) > s->nsubbands * 4 - 6) { av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n"); - return -1; + return AVERROR_INVALIDDATA; } // Main channel @@ -358,19 +361,21 @@ static int parse_tonal(DCALbrDecoder *s, int group) static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) { - int sb, group; + int sb, group, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + + if (ret < 0) + return ret; // Scale factors if (chunk->id == LBR_CHUNK_SCF || chunk->id == LBR_CHUNK_TONAL_SCF) { if (get_bits_left(&s->gb) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Tonal scale factor chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } for (sb = 0; sb < 6; sb++) s->tonal_scf[sb] = get_bits(&s->gb, 6); @@ -378,20 +383,25 @@ static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) // Tonal groups if (chunk->id == LBR_CHUNK_TONAL || chunk->id == LBR_CHUNK_TONAL_SCF) - for (group = 0; group < 5; group++) - if (parse_tonal(s, group) < 0) - return -1; + for (group = 0; group < 5; group++) { + ret = parse_tonal(s, group); + if (ret < 0) + return ret; + } return 0; } static int parse_tonal_group(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; return parse_tonal(s, chunk->id); } @@ -404,7 +414,7 @@ static int ensure_bits(GetBitContext *s, int n) { int left = get_bits_left(s); if (left < 0) - return -1; + return AVERROR_INVALIDDATA; if (left < n) { skip_bits_long(s, left); return 1; @@ -433,7 +443,7 @@ static int parse_scale_factors(DCALbrDecoder *s, uint8_t *scf) dist = parse_vlc(&s->gb, &ff_dca_vlc_rsd_apprx, 1) + 1; if (dist > 7 - sf) { av_log(s->avctx, AV_LOG_ERROR, "Invalid scale factor distance\n"); - return -1; + return AVERROR_INVALIDDATA; } if (ensure_bits(&s->gb, 20)) @@ -498,22 +508,26 @@ static int parse_st_code(GetBitContext *s, int min_v) static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { - int ch, sb, sf, nsubbands; + int ch, sb, sf, nsubbands, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (parse_scale_factors(s, s->grid_1_scf[ch1][sb]) < 0) - return -1; - if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + ret = parse_scale_factors(s, s->grid_1_scf[ch1][sb]); + if (ret < 0) + return ret; + if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } if (get_bits_left(&s->gb) < 1) @@ -532,7 +546,7 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch if (get_bits_left(&s->gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "First grid chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } // Stereo image for partial mono mode @@ -562,14 +576,16 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch static int parse_grid_1_sec_ch(DCALbrDecoder *s, int ch2) { - int sb, nsubbands; + int sb, nsubbands, ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } // Average values for third grid @@ -709,7 +725,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, s->sb_indices[sb] = sb_reorder; } if (sb_reorder >= s->nsubbands) - return -1; + return AVERROR_INVALIDDATA; // Third grid scale factors if (sb == 12) { @@ -731,7 +747,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, quant_level = s->quant_levels[ch1 / 2][sb]; if (!quant_level) - return -1; + return AVERROR_INVALIDDATA; // Time samples for one or both channels if (sb < s->max_mono_subband && sb_reorder >= s->min_mono_subband) { @@ -792,13 +808,14 @@ static int parse_lpc(DCALbrDecoder *s, int ch1, int ch2, int start_sb, int end_s static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { int quant_levels[DCA_LBR_SUBBANDS]; - int sb, ch, ol, st, max_sb, profile; + int sb, ch, ol, st, max_sb, profile, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Quantizer profile profile = get_bits(&s->gb, 8); @@ -832,18 +849,20 @@ static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int c s->quant_levels[ch1 / 2][sb] = quant_levels[sb]; // LPC for the first two subbands - if (parse_lpc(s, ch1, ch2, 0, 2) < 0) - return -1; + ret = parse_lpc(s, ch1, ch2, 0, 2); + if (ret < 0) + return ret; // Time-samples for the first two subbands of main channel - if (parse_ts(s, ch1, ch2, 0, 2, 0) < 0) - return -1; + ret = parse_ts(s, ch1, ch2, 0, 2, 0); + if (ret < 0) + return ret; // First two bands of the first grid for (sb = 0; sb < 2; sb++) for (ch = ch1; ch <= ch2; ch++) - if (parse_scale_factors(s, s->grid_1_scf[ch][sb]) < 0) - return -1; + if ((ret = parse_scale_factors(s, s->grid_1_scf[ch][sb])) < 0) + return ret; return 0; } @@ -892,39 +911,42 @@ static int parse_grid_2(DCALbrDecoder *s, int ch1, int ch2, static int parse_ts1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_lpc(s, ch1, ch2, 2, 3) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 2, 4, 0) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 1, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 4, 6, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_lpc(s, ch1, ch2, 2, 3)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 2, 4, 0)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 1, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 4, 6, 0)) < 0) + return ret; return 0; } static int parse_ts2_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 1, 3, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 1, 3, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0)) < 0) + return ret; if (ch1 != ch2) { - if (parse_grid_1_sec_ch(s, ch2) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 3, 1) < 0) - return -1; + if ((ret = parse_grid_1_sec_ch(s, ch2)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 3, 1)) < 0) + return ret; } - if (parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1) < 0) - return -1; + if ((ret = parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1)) < 0) + return ret; return 0; } @@ -932,11 +954,13 @@ static int init_sample_rate(DCALbrDecoder *s) { double scale = (-1.0 / (1 << 17)) * sqrt(1 << (2 - s->limited_range)); int i, br_per_ch = s->bit_rate_scaled / s->nchannels_total; + int ret; ff_mdct_end(&s->imdct); - if (ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale) < 0) - return -1; + ret = ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale); + if (ret < 0) + return ret; for (i = 0; i < 32 << s->freq_range; i++) s->window[i] = ff_dca_long_window[i << (2 - s->freq_range)]; @@ -975,7 +999,7 @@ static int alloc_sample_buffer(DCALbrDecoder *s) // Reallocate time sample buffer av_fast_mallocz(&s->ts_buffer, &s->ts_size, nsamples * sizeof(float)); if (!s->ts_buffer) - return -1; + return AVERROR(ENOMEM); ptr = s->ts_buffer + DCA_LBR_TIME_HISTORY; for (ch = 0; ch < s->nchannels; ch++) { @@ -1796,7 +1820,7 @@ av_cold int ff_dca_lbr_init(DCALbrDecoder *s) init_tables(); if (!(s->fdsp = avpriv_float_dsp_alloc(0))) - return -1; + return AVERROR(ENOMEM); s->lbr_rand = 1; return 0; From 9f30a1694c6c1cc92df5777b6a17032e19250bbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 13:48:45 +0100 Subject: [PATCH 0691/1383] avcodec/ralf: Fix integer overflow in apply_lpc() Fixes: signed integer overflow: 2147482897 + 2048 cannot be represented in type 'int' Fixes: 19240/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5743240326414336 Fixes: 19869/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5150136636538880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd313d8cf8368918882b6de0880e44ae25cc7394) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index d8f1803086..15be19b526 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -330,7 +330,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); } else { - acc = (acc + bias) >> ctx->filter_bits; + acc = ((unsigned)acc + bias) >> ctx->filter_bits; acc = FFMIN(acc, max_clip); } audio[i] += acc; From d75d754b84d4fc8df3bdb98d3e3bbdcc9a13f0db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2020 18:35:43 +0100 Subject: [PATCH 0692/1383] avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() Fixes: signed integer overflow: -2147407150 + -1871606 cannot be represented in type 'int' Fixes: 18702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679095417667584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb64a5c6f94981e4a68ad65a6e445557e11c08fc) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 19678a3ef0..3f9a2ce656 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1203,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) A = *decoded0; p->buf[YDELAYA] = currentA; - p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1]; + p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1]; predictionA = p->buf[YDELAYA ] * p->coeffsA[0][0] + p->buf[YDELAYA - 1] * p->coeffsA[0][1] + p->buf[YDELAYA - 2] * p->coeffsA[0][2] + p->buf[YDELAYA - 3] * p->coeffsA[0][3]; - currentA = A + (predictionA >> 10); + currentA = A + (unsigned)(predictionA >> 10); p->buf[YADAPTCOEFFSA] = APESIGN(p->buf[YDELAYA ]); p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]); From c4dccb509dea86fb3b0c9cc0ced325d269649836 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2020 20:12:25 +0100 Subject: [PATCH 0693/1383] avcodec/lagarith: Sanity check scale A value of 24 and above can collaps the range to 0 which would not work. Fixes: Timeout (75sec -> 21sec) Fixes: 18707/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5708950892969984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fb3855342b9e4c577c63b38a7a5a574830a21934) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 5763504b71..1342c98961 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -226,6 +226,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } } + if (scale_factor > 23) + return AVERROR_INVALIDDATA; + rac->scale = scale_factor; /* Fill probability array with cumulative probability for each symbol. */ From 3653108a5c1abe8a0dc8a0e4b7124475c1a5728e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jan 2020 19:28:36 +0100 Subject: [PATCH 0694/1383] avcodec/wmalosslessdec: Fix loop in revert_acfilter() Fixes: out of array read Fixes: 20059/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5691776237305856 No testcase except the fuzzed one. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5584c0bb945d6010a9d8c22ef3270792022e1761) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c72b9fdc05..b3446cf49a 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -826,8 +826,11 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred >>= scaling; s->channel_residues[ich][i] += (unsigned)pred; } - for (j = 0; j < order; j++) - prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; + for (j = order - 1; j >= 0; j--) + if (tile_size <= j) { + prevvalues[j] = prevvalues[j - tile_size]; + }else + prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; } } From 52b9e7f530f88a73f6c5d96d9a38c75631294c38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jan 2020 19:55:23 +0100 Subject: [PATCH 0695/1383] avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits Fixes: signed integer overflow: -53716100 * 256 cannot be represented in type 'int' Fixes: 20143/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5716604000403456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8a0be93528187721a2414f66abbc252a258afa3) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index b3446cf49a..c02b156f0f 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -995,7 +995,7 @@ static int decode_subframe(WmallDecodeCtx *s) if (s->bits_per_sample == 16) { *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes); } else { - *s->samples_32[c]++ = s->channel_residues[c][j] * (256 << padding_zeroes); + *s->samples_32[c]++ = s->channel_residues[c][j] * (256U << padding_zeroes); } } } From 27db9c828890af9e986df979b558a11308fc4002 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jan 2020 23:11:47 +0100 Subject: [PATCH 0696/1383] avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM Fixes: signed integer overflow: -2147479324 + -32568 cannot be represented in type 'int' Fixes: 20103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GREMLIN_DPCM_fuzzer-5667667579240448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1aecad9eae900b9c3054392994d150d5ae572c5) Signed-off-by: Michael Niedermayer --- libavcodec/dpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 7d3934ee35..5958081b66 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -367,7 +367,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, while (output_samples < samples_end) { uint8_t n = bytestream2_get_byteu(&gb); - *output_samples++ = s->sample[idx] += s->array[n]; + *output_samples++ = s->sample[idx] += (unsigned)s->array[n]; idx ^= 1; } } From b89759ea54652544d916cd78a6fe63dfa65386cf Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Tue, 28 Jan 2020 16:49:14 -0800 Subject: [PATCH 0697/1383] avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index() When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of e2_pts - e1_pts will overflow an int64_t. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit f15007afa90a3eb3639848d9702c1cc3ac3e896b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 09169881ce..a7abf4ec17 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2101,6 +2101,8 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) //We could use URLProtocol flags here but as many user applications do not use URLProtocols this would be unreliable const char *proto = avio_find_protocol_name(s->url); + av_assert0(time_tolerance >= 0); + if (!proto) { av_log(s, AV_LOG_INFO, "Protocol name not provided, cannot determine if input is local or " @@ -2128,7 +2130,7 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) for (; i2 < st2->nb_index_entries; i2++) { AVIndexEntry *e2 = &st2->index_entries[i2]; int64_t e2_pts = av_rescale_q(e2->timestamp, st2->time_base, AV_TIME_BASE_Q); - if (e2_pts - e1_pts < time_tolerance) + if (e2_pts < e1_pts || e2_pts - (uint64_t)e1_pts < time_tolerance) continue; pos_delta = FFMAX(pos_delta, e1->pos - e2->pos); break; From 55f147c2bae989242735487d618b2d26f3d6beed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Feb 2020 23:56:45 +0100 Subject: [PATCH 0698/1383] avcodec/apedec: Fix invalid shift with 24 bps Fixes: left shift of negative value -463 Fixes: 20542/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5688714435231744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8e278672294f28a3feaba0a38460afd51f0fadda) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3f9a2ce656..93e9a18e5d 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] << 8; + *sample24++ = s->decoded[ch][i] * 256; } break; } From 555d2ab5a5685b369b27609cbafe6ea5bf5c8ed3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 22:35:37 +0100 Subject: [PATCH 0699/1383] avfilter/vf_aspect: Fix integer overflow in compute_dar() Fixes: signed integer overflow: 1562273630 * 17 cannot be represented in type 'int' Fixes: Ticket8323 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0c0ca0f244b823238e5a4f5584168e620da84899) Signed-off-by: Michael Niedermayer --- libavfilter/vf_aspect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_aspect.c b/libavfilter/vf_aspect.c index c042698ef7..70e7fedc97 100644 --- a/libavfilter/vf_aspect.c +++ b/libavfilter/vf_aspect.c @@ -78,7 +78,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame) static inline void compute_dar(AVRational *dar, AVRational sar, int w, int h) { if (sar.num && sar.den) { - av_reduce(&dar->num, &dar->den, sar.num * w, sar.den * h, INT_MAX); + av_reduce(&dar->num, &dar->den, sar.num * (int64_t)w, sar.den * (int64_t)h, INT_MAX); } else { av_reduce(&dar->num, &dar->den, w, h, INT_MAX); } From 6a300f6a9079d2c3156d8c1f03f50fdad0cee0af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 22:56:18 +0100 Subject: [PATCH 0700/1383] fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start() Fixes: signed integer overflow: -9223372036854775808 - 9223372036854775807 cannot be represented in type 'long' Fixes: Ticket8142 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4f4ad33d96a01d82edf56d58599017cb0ae5bfa8) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index c743a2a6fa..24307c3cae 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -4242,7 +4242,8 @@ static int seek_to_start(InputFile *ifile, AVFormatContext *is) ifile->time_base = ist->st->time_base; /* the total duration of the stream, max_pts - min_pts is * the duration of the stream without the last frame */ - duration += ist->max_pts - ist->min_pts; + if (ist->max_pts > ist->min_pts && ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration) + duration += ist->max_pts - ist->min_pts; ifile->time_base = duration_max(duration, &ifile->duration, ist->st->time_base, ifile->time_base); } From 4b7a304b6ebcce5e47e27294da2894327b4173cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 23:18:25 +0100 Subject: [PATCH 0701/1383] avformat/avidec: Avoid integer overflow in NI switch check Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: Ticket8149 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 347920ca2102d762e4713f101a2e75811791e2b3) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ea99e95386..8362c32bdd 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1529,11 +1529,12 @@ resync: if (!avi->non_interleaved && st->nb_index_entries>1 && avi->index_loaded>1) { int64_t dts= av_rescale_q(pkt->dts, st->time_base, AV_TIME_BASE_Q); - if (avi->dts_max - dts > 2*AV_TIME_BASE) { + if (avi->dts_max < dts) { + avi->dts_max = dts; + } else if (avi->dts_max - (uint64_t)dts > 2*AV_TIME_BASE) { avi->non_interleaved= 1; av_log(s, AV_LOG_INFO, "Switching to NI mode, due to poor interleaving\n"); - }else if (avi->dts_max < dts) - avi->dts_max = dts; + } } return 0; From 31098af56df68147408568f8bea2dec3666390eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 23:23:55 +0100 Subject: [PATCH 0702/1383] avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info() Fixes: signed integer overflow: 2045163756 * 2 cannot be represented in type 'int' Fixes: Ticket5132 Found-by: tsmith Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f3d8f517dbc42de8e2f97cc01bf5171bb05fbcc7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a7abf4ec17..0c898db2eb 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4024,7 +4024,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (int64_t) st->time_base.den) { + <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { From 4e2dd06d27da7f9e5d4af7e69da542d643ad04da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2020 22:58:12 +0100 Subject: [PATCH 0703/1383] avcodec/qdm2: Check fft_coefs_index Fixes: out of array access Fixes: 20660/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5658290216501248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9fc73bf022eb781eea7f685e2d2e9de4ba8898ca) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 7b9d50b234..657b2da64d 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1334,6 +1334,9 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, if (q->frequency_range > (local_int_14 + 1)) { int sub_packet = (local_int_20 + local_int_28); + if (q->fft_coefs_index + stereo >= FF_ARRAY_ELEMS(q->fft_coefs)) + return; + qdm2_fft_init_coefficient(q, sub_packet, offset, duration, channel, exp, phase); if (stereo) From a7dabc18ea2eff1fd827dcbba1a7296b5ecc132b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Feb 2020 22:26:18 +0100 Subject: [PATCH 0704/1383] avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF Fixes: left shift of 233 by 24 places cannot be represented in type 'int' Fixes: 20736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_LXF_fuzzer-4829212685107200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 051d11f659455f38be7ce40e2dc9d03b082dcd4d) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 9a0f4b2da5..7178c988bd 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -521,7 +521,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, ((src[2] & 0x0F) << 8) | src[1]; // extract high 20 bits and expand to 32 bits - *dst_int32_t++ = (src[4] << 24) | + *dst_int32_t++ = ((uint32_t)src[4]<<24) | (src[3] << 16) | ((src[2] & 0xF0) << 8) | (src[4] << 4) | From 366929ab4e9f7b4d9cdbe721987a1d04bab7db15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Feb 2020 09:27:27 +0100 Subject: [PATCH 0705/1383] avformat/mvdec: Check stream numbers Fixes: null pointer dereference Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 618a9bea65112a27a106e02ada3ae475cc8ac1ac) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index fa596179ed..afa942ca5f 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -361,6 +361,12 @@ static int mv_read_header(AVFormatContext *avctx) if ((ret = read_table(avctx, NULL, parse_global_var)) < 0) return ret; + if (mv->nb_audio_tracks < 0 || mv->nb_video_tracks < 0 || + (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) { + av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (mv->nb_audio_tracks > 1) { avpriv_request_sample(avctx, "Multiple audio streams support"); return AVERROR_PATCHWELCOME; From 59a4a990fc395b092a65faae44b421b9cfeead3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Feb 2020 00:42:30 +0100 Subject: [PATCH 0706/1383] avcodec/magicyuv: Check that there are enough lines for interlacing to be possible Fixes: out of array access Fixes: 20763/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5759562508664832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f8a0e9f9f71cf5650bdc250ff7475e0f7d8e8420) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 1a129c2619..54a5ce0192 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -670,6 +670,17 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (s->interlaced) { + if ((s->slice_height >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); + return AVERROR_INVALIDDATA; + } + if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible height\n"); + return AVERROR_INVALIDDATA; + } + } + for (i = 0; i < s->planes; i++) { av_fast_malloc(&s->slices[i], &s->slices_size[i], s->nb_slices * sizeof(Slice)); if (!s->slices[i]) From 6faa32dd6cc9d83586bcd4a0fc3b02451f05e9a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Jan 2020 19:07:00 +0100 Subject: [PATCH 0707/1383] avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet() Fixes: assertion failure Fixes: Ticket 8005 Signed-off-by: Michael Niedermayer (cherry picked from commit e5bb48ae5990347dff22fc38ff5a1c1f7f60a1c5) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index a5e850e121..3fc374cbf4 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2454,13 +2454,12 @@ static int parse_pcr(int64_t *ppcr_high, int *ppcr_low, const uint8_t *packet); /* handle one TS packet */ -static int handle_packet(MpegTSContext *ts, const uint8_t *packet) +static int handle_packet(MpegTSContext *ts, const uint8_t *packet, int64_t pos) { MpegTSFilter *tss; int len, pid, cc, expected_cc, cc_ok, afc, is_start, is_discontinuity, has_adaptation, has_payload; const uint8_t *p, *p_end; - int64_t pos; pid = AV_RB16(packet + 1) & 0x1fff; if (pid && discard_pid(ts, pid)) @@ -2525,7 +2524,6 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) if (p >= p_end || !has_payload) return 0; - pos = avio_tell(ts->stream->pb); if (pos >= 0) { av_assert0(pos >= TS_PACKET_SIZE); ts->pos47_full = pos - TS_PACKET_SIZE; @@ -2736,7 +2734,7 @@ static int handle_packets(MpegTSContext *ts, int64_t nb_packets) ret = read_packet(s, packet, ts->raw_packet_size, &data); if (ret != 0) break; - ret = handle_packet(ts, data); + ret = handle_packet(ts, data, avio_tell(s->pb)); finished_reading_packet(s, ts->raw_packet_size); if (ret != 0) break; @@ -3133,7 +3131,7 @@ int avpriv_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, buf++; len--; } else { - handle_packet(ts, buf); + handle_packet(ts, buf, len1 - len + TS_PACKET_SIZE); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; if (ts->stop_parse == 1) From 1170ec748bb3ac4672321218ee2389329191bbe3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 22:19:48 +0100 Subject: [PATCH 0708/1383] libavformat/avienc: Check bits per sample for PAL8 Fixes: assertion failure Fixes: Ticket 8172 Signed-off-by: Michael Niedermayer (cherry picked from commit 35958782819c00211e247332ab18fbf2f28267e1) Signed-off-by: Michael Niedermayer --- libavformat/avienc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/avienc.c b/libavformat/avienc.c index ac0f04c354..1b8904fa40 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -459,6 +459,14 @@ static int avi_write_header(AVFormatContext *s) && par->format != AV_PIX_FMT_NONE) av_log(s, AV_LOG_ERROR, "%s rawvideo cannot be written to avi, output file will be unreadable\n", av_get_pix_fmt_name(par->format)); + + if (par->format == AV_PIX_FMT_PAL8) { + if (par->bits_per_coded_sample < 0 || par->bits_per_coded_sample > 8) { + av_log(s, AV_LOG_ERROR, "PAL8 with %d bps is not allowed\n", par->bits_per_coded_sample); + return AVERROR(EINVAL); + } + } + break; case AVMEDIA_TYPE_AUDIO: flags = (avi->write_channel_mask == 0) ? FF_PUT_WAV_HEADER_SKIP_CHANNELMASK : 0; From eb64c10a4ba6d64c54b8f6c51be65b5c20395f66 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jan 2020 12:50:30 +0100 Subject: [PATCH 0709/1383] avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search() Fixes: Ticket8167 Signed-off-by: Michael Niedermayer (cherry picked from commit e13eee37ee3268b0a985ddc74a9bde0179bd553c) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motion_est_template.c b/libavcodec/motion_est_template.c index 0c21bbfe1a..63d3301a5b 100644 --- a/libavcodec/motion_est_template.c +++ b/libavcodec/motion_est_template.c @@ -157,8 +157,8 @@ static int no_sub_motion_search(MpegEncContext * s, int src_index, int ref_index, int size, int h) { - (*mx_ptr)<<=1; - (*my_ptr)<<=1; + (*mx_ptr) *= 2; + (*my_ptr) *= 2; return dmin; } From c5419a53ac179a5005d68ff0c6a1cf1d53a03e09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jan 2020 12:41:41 +0100 Subject: [PATCH 0710/1383] avcodec/mpegaudioenc_template: fix invalid shift of sample Fixes: Ticket8010 Signed-off-by: Michael Niedermayer (cherry picked from commit a2c97a8342fab6393280cc2f0e2ffb39c381d29c) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudioenc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudioenc_template.c b/libavcodec/mpegaudioenc_template.c index 93363fe1d2..12f7a098e6 100644 --- a/libavcodec/mpegaudioenc_template.c +++ b/libavcodec/mpegaudioenc_template.c @@ -701,7 +701,7 @@ static void encode_frame(MpegAudioContext *s, /* normalize to P bits */ if (shift < 0) - q1 = sample << (-shift); + q1 = sample * (1 << -shift); else q1 = sample >> shift; q1 = (q1 * mult) >> P; From f94ca27470ac4124cec4f98b7362bb65e29e080e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 18:43:24 +0100 Subject: [PATCH 0711/1383] avcodec/cbs_av1_syntax_template: Set seen_frame_header only after successfull uncompressed_header() Fixes: assertion failure Fixes: 19301/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5743212006473728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a2e4879432b9de6aa899b85aebbc0eb6a8b5f37f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_av1_syntax_template.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/cbs_av1_syntax_template.c b/libavcodec/cbs_av1_syntax_template.c index 12b6564a26..2f38a80e42 100644 --- a/libavcodec/cbs_av1_syntax_template.c +++ b/libavcodec/cbs_av1_syntax_template.c @@ -1500,8 +1500,6 @@ static int FUNC(frame_header_obu)(CodedBitstreamContext *ctx, RWContext *rw, else HEADER("Frame Header"); - priv->seen_frame_header = 1; - #ifdef READ start_pos = get_bits_count(rw); #else From 107345d0a1162f4a0aa8cb413d15150ead849587 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 9 Dec 2019 23:26:02 +0100 Subject: [PATCH 0712/1383] avcodec/cbs_h2645: Remove dead code to delete trailing zeroes Trailing zeroes are already discarded when splitting a fragment, which makes the code to remove them when decomposing slices dead code. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8f701932b39a6345f2a8bab85f48d555a98802e3) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index 54a593464b..58aa65aeb1 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -841,13 +841,6 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext *ctx, pos = get_bits_count(&gbc); len = unit->data_size; - if (!unit->data[len - 1]) { - int z; - for (z = 0; z < len && !unit->data[len - z - 1]; z++); - av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes " - "from slice data.\n", z); - len -= z; - } slice->data_size = len - pos / 8; slice->data_ref = av_buffer_ref(unit->data_ref); @@ -1023,13 +1016,6 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext *ctx, pos = get_bits_count(&gbc); len = unit->data_size; - if (!unit->data[len - 1]) { - int z; - for (z = 0; z < len && !unit->data[len - z - 1]; z++); - av_log(ctx->log_ctx, AV_LOG_DEBUG, "Deleted %d trailing zeroes " - "from slice data.\n", z); - len -= z; - } slice->data_size = len - pos / 8; slice->data_ref = av_buffer_ref(unit->data_ref); From 73374013ffe73dbeb964a4061d89f60d8d025d77 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 9 Dec 2019 23:26:03 +0100 Subject: [PATCH 0713/1383] avcodec/cbs_h2645: Treat slices without data as invalid Slices that end after their header (meaning slices after the header without any data before the rbsp_stop_one_bit or possibly without any rbsp_stop_one_bit at all) are invalid and are now dropped. This ensures that one doesn't run into two asserts in cbs_h2645_write_slice_data(). Signed-off-by: Andreas Rheinhardt Fixes: 19629/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5676822528524288 Signed-off-by: Michael Niedermayer (cherry picked from commit 66fac1ff7ccbc4fb6a3aa6b9a95de7b6bc31d14e) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h2645.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c index 58aa65aeb1..4470ee02a2 100644 --- a/libavcodec/cbs_h2645.c +++ b/libavcodec/cbs_h2645.c @@ -839,6 +839,9 @@ static int cbs_h264_read_nal_unit(CodedBitstreamContext *ctx, if (err < 0) return err; + if (!cbs_h2645_read_more_rbsp_data(&gbc)) + return AVERROR_INVALIDDATA; + pos = get_bits_count(&gbc); len = unit->data_size; @@ -1014,6 +1017,9 @@ static int cbs_h265_read_nal_unit(CodedBitstreamContext *ctx, if (err < 0) return err; + if (!cbs_h2645_read_more_rbsp_data(&gbc)) + return AVERROR_INVALIDDATA; + pos = get_bits_count(&gbc); len = unit->data_size; From b66f444683206ca318572c3da5bc017d1b780cb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Dec 2019 22:35:03 +0100 Subject: [PATCH 0714/1383] avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra() Fixes: left shift of negative value -695 Fixes: 19232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5702856963522560 Fixes: 19555/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5741218147598336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c40df2166c7925fc81e1ef22563c2e32124cf1d6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 83e537884b..b352023461 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -586,7 +586,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); i = 0; if (s->intra_vlc_format) rl = &ff_rl_mpeg2; From 8640db14e70fa7f52397dbb6e54a62e5e1f0d2c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Mar 2020 22:46:34 +0100 Subject: [PATCH 0715/1383] avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX Fixes: left shift of negative value -1 Fixes: 20859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_PSX_fuzzer-5720391507247104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a11ef68f0a85905e704e503b433f5aa645d59ac) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index f7995d7bac..0cd4dc5b54 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1674,7 +1674,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, scale = sign_extend(byte, 4); } - scale = scale << 12; + scale = scale * (1 << 12); sample = (int)((scale >> shift) + (c->status[channel].sample1 * xa_adpcm_table[filter][0] + c->status[channel].sample2 * xa_adpcm_table[filter][1]) / 64); } *samples++ = av_clip_int16(sample); From a3a3730b5456ca00587455004d40c047f7b20a99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Mar 2020 15:42:58 +0100 Subject: [PATCH 0716/1383] avcodec/cbs_jpeg: Check length for SOS Fixes: out of array access Fixes: 19734/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5673507031875584 Fixes: 19353/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5703944462663680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1812352d767ccf5431aa440123e2e260a4db2726) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index 5a72f0e2e7..f4e40862e2 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -197,6 +197,9 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, if (marker == JPEG_MARKER_SOS) { length = AV_RB16(frag->data + start); + if (length > end - start) + return AVERROR_INVALIDDATA; + data_ref = NULL; data = av_malloc(end - start + AV_INPUT_BUFFER_PADDING_SIZE); From e121488dc85e11ae59e608e5d62e946e916ade18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Mar 2020 18:25:56 +0100 Subject: [PATCH 0717/1383] avcodec/ffwavesynth: Fix integer overflow in computation of ddphi Fixes: signed integer overflow: 1302123111085380114 - -8319005078741256972 cannot be represented in type 'long' Fixes: 20991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5148554161291264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit c85bf1631823e9089e59a474d5c6c0efc708c507) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b9c63abb8d..998e1a4ad6 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -281,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16); dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16); in->dphi0 = dphi1; - in->ddphi = (dphi2 - dphi1) / dt; + in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt; if (phi & 0x80000000) { phi &= ~0x80000000; if (phi >= i) From dee744a8c4ab2c2b13b821b0cb4533db20863e6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Mar 2020 20:20:44 +0100 Subject: [PATCH 0718/1383] avformat/nsvdec: Fix memleaks on errors while reading the header Fixes: memleaks Fixes: 21084/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5655975492321280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 96c04694550999cc214cae8c4a16d2d7ac0958bc) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 92f7d178f6..4ec0a0e488 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -211,6 +211,7 @@ static const AVCodecTag nsv_codec_audio_tags[] = { //static int nsv_load_index(AVFormatContext *s); static int nsv_read_chunk(AVFormatContext *s, int fill_header); +static int nsv_read_close(AVFormatContext *s); /* try to find something we recognize, and set the state accordingly */ static int nsv_resync(AVFormatContext *s) @@ -492,25 +493,32 @@ static int nsv_read_header(AVFormatContext *s) nsv->ahead[0].data = nsv->ahead[1].data = NULL; for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { - if (nsv_resync(s) < 0) - return -1; + err = nsv_resync(s); + if (err < 0) + goto fail; if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s); if (err < 0) - return err; + goto fail; } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s); if (err < 0) - return err; + goto fail; break; /* we just want the first one */ } } - if (s->nb_streams < 1) /* no luck so far */ - return -1; + if (s->nb_streams < 1) { /* no luck so far */ + err = AVERROR_INVALIDDATA; + goto fail; + } + /* now read the first chunk, so we can attempt to decode more info */ err = nsv_read_chunk(s, 1); +fail: + if (err < 0) + nsv_read_close(s); av_log(s, AV_LOG_TRACE, "parsed header\n"); return err; From 12a53bf6731f6d56b61571f68154b83ad30c565c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Mar 2020 17:26:51 +0100 Subject: [PATCH 0719/1383] avformat/asfdec_f: Fix overflow check in get_tag() Fixes: signed integer overflow: 2 * 1210064928 cannot be represented in type 'int' Fixes: 20873/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5761116909338624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit c8140fe7324f264faacf7395b27e12531d1f13f7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 64a0b9d7f2..1d62d4e05e 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -321,8 +321,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int int64_t off = avio_tell(s->pb); #define LEN 22 - if ((unsigned)len >= (UINT_MAX - LEN) / 2) - return; + av_assert0((unsigned)len < (INT_MAX - LEN) / 2); if (!asf->export_xmp && !strncmp(key, "xmp", 3)) goto finish; @@ -712,6 +711,9 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) value_type = avio_rl16(pb); /* value_type */ value_len = avio_rl32(pb); + if (value_len < 0 || value_len > UINT16_MAX) + return AVERROR_INVALIDDATA; + name_len_utf8 = 2*name_len_utf16 + 1; name = av_malloc(name_len_utf8); if (!name) @@ -857,11 +859,20 @@ static int asf_read_header(AVFormatContext *s) return ret; av_hex_dump_log(s, AV_LOG_DEBUG, pkt.data, pkt.size); av_packet_unref(&pkt); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Protection_Type", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Key_ID", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_License_URL", -1, len, 32); } else if (!ff_guidcmp(&g, &ff_asf_ext_content_encryption)) { av_log(s, AV_LOG_WARNING, From cd655e4c0dc75a5de43d66af664d9347a82c2059 Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 14:56:11 -0700 Subject: [PATCH 0720/1383] libavformat/oggdec.c: Check return value from avio_read() If the buffer doesn't contain enough bytes when reading a stream, fail rather than continuing on with unitialized data. Caught by Chromium fuzzers (crbug.com/1054229). Signed-off-by: Michael Niedermayer (cherry picked from commit b7c67b1ae3657058b32b9235119d07529ad5cce1) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 27d16a3e4e..81cfb3c243 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -216,7 +216,8 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, int nsegs) uint8_t magic[8]; int64_t pos = avio_tell(s->pb); avio_skip(s->pb, nsegs); - avio_read(s->pb, magic, sizeof(magic)); + if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic)) + return AVERROR_INVALIDDATA; avio_seek(s->pb, pos, SEEK_SET); codec = ogg_find_codec(magic, sizeof(magic)); if (!codec) { From 7f8e9d9b7716b1193e40dd8029268ed994ed18a5 Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 14:08:01 -0700 Subject: [PATCH 0721/1383] libavformat/mov.c: Free aes_decrypt to avoid leaking memory Found by Chromium fuzzers (crbug.com/1057205). Signed-off-by: Michael Niedermayer (cherry picked from commit ad91cf1f2f5793db5c6dd7ab9947fcc6d7832607) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8ca2e90bdb..512f6a076a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1004,6 +1004,7 @@ static int mov_read_adrm(MOVContext *c, AVIOContext *pb, MOVAtom atom) sha = av_sha_alloc(); if (!sha) return AVERROR(ENOMEM); + av_free(c->aes_decrypt); c->aes_decrypt = av_aes_alloc(); if (!c->aes_decrypt) { ret = AVERROR(ENOMEM); From a09b223cd2a102313fc0ac6edf3a32dd1912b7f4 Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 21:30:33 -0700 Subject: [PATCH 0722/1383] libavformat/amr.c: Check return value from avio_read() If the buffer doesn't contain enough bytes when reading a stream, fail rather than continuing on with initialized data. Caught by Chromium fuzzeras (crbug.com/1065731). Signed-off-by: Michael Niedermayer (cherry picked from commit 5b967f56b6d85f62446836fc8ef64d0dcfcbda17) Signed-off-by: Michael Niedermayer --- libavformat/amr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/amr.c b/libavformat/amr.c index de347058f3..6b24130076 100644 --- a/libavformat/amr.c +++ b/libavformat/amr.c @@ -90,13 +90,15 @@ static int amr_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 6); + if (avio_read(pb, header, 6) != 6) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); if (memcmp(header, AMR_header, 6)) { - avio_read(pb, header + 6, 3); + if (avio_read(pb, header + 6, 3) != 3) + return AVERROR_INVALIDDATA; if (memcmp(header, AMRWB_header, 9)) { return -1; } From 4cdf6dc9088dc7bc5112d9ae2e91b29c17ad45cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 20:18:11 +0100 Subject: [PATCH 0723/1383] swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c() Fixes: signed integer overflow: 524280 * 4432 cannot be represented in type 'int' Fixes: ticket8322 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 49ba1879add99d3f64d70d34fb0255c8a49d4b28) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/output.c b/libswscale/output.c index 86ead1fc94..ba9cda29f1 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -2284,7 +2284,7 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, A = -0x40000000; for (j = 0; j < lumFilterSize; j++) - A += alpSrc[j][i] * lumFilter[j]; + A += alpSrc[j][i] * (unsigned)lumFilter[j]; A >>= 1; A += 0x20002000; From 0a308576bf83db4c5c1728b634b951a7ce6f9b54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 20:11:52 +0100 Subject: [PATCH 0724/1383] swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input Fixes: signed integer overflow: 1169365504 + 981452800 cannot be represented in type 'int' Fixes: ticket8293 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit e057e83a4ff4c0eeeb78dffe58e21af951c056b6) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index ba9cda29f1..bf2e67e476 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1856,9 +1856,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = Y + V*c->yuv2rgb_v2r_coeff; - G = Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From f49374b47d82db83f0cbb8682ba354e095b174dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Mar 2020 16:38:24 +0100 Subject: [PATCH 0725/1383] avcodec/cbs_h264_syntax_template: fix off by 1 error with slice_group_change_cycle Fixes: assertion failure Fixes: 20390/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-5683400772157440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 741565a1e69c45ce4848f01e45be5e66a68efa2f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h264_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h264_syntax_template.c b/libavcodec/cbs_h264_syntax_template.c index 57fc02082c..6a14b55708 100644 --- a/libavcodec/cbs_h264_syntax_template.c +++ b/libavcodec/cbs_h264_syntax_template.c @@ -1355,7 +1355,7 @@ static int FUNC(slice_header)(CodedBitstreamContext *ctx, RWContext *rw, (sps->pic_height_in_map_units_minus1 + 1); max = (pic_size + pps->slice_group_change_rate_minus1) / (pps->slice_group_change_rate_minus1 + 1); - bits = av_log2(2 * max - 1); + bits = av_ceil_log2(max + 1); u(bits, slice_group_change_cycle, 0, max); } From e5f325a1ddd7702f8f302709a0578009c58ddad0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jan 2020 23:42:08 +0100 Subject: [PATCH 0726/1383] avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT Fixes: signed integer overflow: 9223372036854775775 + 128 cannot be represented in type 'long' Fixes: 20054/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5686385113825280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 187161d62f35c8b613c4a6739b0a6dfa9a24da60) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 998e1a4ad6..a446aa2fdf 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -217,7 +217,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) *last = -1; lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - uint64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1); uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); From 092f21af2b57871fc0b255093b975359fd50d8ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jan 2020 23:43:57 +0100 Subject: [PATCH 0727/1383] avcodec/xvididct: Fix integer overflow in MULT() Fixes: signed integer overflow: 23170 * 95058 cannot be represented in type 'int' Fixes: 20295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5800212870463488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ccb576191e91b393041b14917f1b681ec75ed3b) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index d8f3dd7072..14116bd6d3 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -142,7 +142,7 @@ static int idct_row(short *in, const int *const tab, int rnd) #define TAN3 0xAB0E #define SQRT2 0x5A82 -#define MULT(c, x, n) (((c) * (x)) >> (n)) +#define MULT(c, x, n) ((unsigned)((int)((c) * (unsigned)(x)) >> (n))) // 12b version => #define MULT(c,x, n) ((((c) >> 3) * (x)) >> ((n) - 3)) // 12b zero-testing version: From 01167ee6d5186e0f5cc798760efe82bb3ab7e3cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 22:52:13 +0100 Subject: [PATCH 0728/1383] avcodec/flacdsp_template: Fix invalid shifts in decorrelate Fixes: left shift of negative value -2 Fixes: 20303/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5096829297623040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3935c891e96c0819439da43d1b862652bbbdf065) Signed-off-by: Michael Niedermayer --- libavcodec/flacdsp_template.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 776c78da71..892418cddc 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = a << shift; S(samples, 1, i) = (a - b) << shift; } @@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = (a + b) << shift; S(samples, 1, i) = b << shift; } @@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; + unsigned a = in[0][i]; int b = in[1][i]; a -= b >> 1; S(samples, 0, i) = (a + b) << shift; From 64f6581129aa8041288b57ab758fe402aa958874 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Apr 2020 15:37:55 +0200 Subject: [PATCH 0729/1383] avcodec/dpcm: clip exponent into supported range in XAN DPCM Fixes: shift exponent 32 is too large for 32-bit type 'int' Fixes: 21200/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_DPCM_fuzzer-5754704894361600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 20ade59d9633def4ebf84ec170f56367bfb6aa6c) Signed-off-by: Michael Niedermayer --- libavcodec/dpcm.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 5958081b66..c7712ad412 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -305,9 +305,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, shift[ch] -= (2 * n); diff = sign_extend((diff &~ 3) << 8, 16); - /* saturate the shifter to a lower limit of 0 */ - if (shift[ch] < 0) - shift[ch] = 0; + /* saturate the shifter to 0..31 */ + shift[ch] = av_clip_uintp2(shift[ch], 5); diff >>= shift[ch]; predictor[ch] += diff; From e55bcedae9b7b4d7fbec581e3ee18fe2d8fd72ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Apr 2020 22:38:46 +0200 Subject: [PATCH 0730/1383] swscale/yuv2rgb: Fix vertical dither offset with slices Signed-off-by: Michael Niedermayer (cherry picked from commit be3c29e3795cb2499e3b96335286d6a8423c0bcf) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 737cbb06c8..9604019464 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -138,10 +138,11 @@ const int *sws_getCoefficients(int colorspace) srcStride[2] *= 2; \ } \ for (y = 0; y < srcSliceH; y += 2) { \ + int yd = y + srcSliceY; \ dst_type *dst_1 = \ - (dst_type *)(dst[0] + (y + srcSliceY) * dstStride[0]); \ + (dst_type *)(dst[0] + (yd) * dstStride[0]); \ dst_type *dst_2 = \ - (dst_type *)(dst[0] + (y + srcSliceY + 1) * dstStride[0]); \ + (dst_type *)(dst[0] + (yd + 1) * dstStride[0]); \ dst_type av_unused *r, *g, *b; \ const uint8_t *py_1 = src[0] + y * srcStride[0]; \ const uint8_t *py_2 = py_1 + srcStride[0]; \ @@ -498,8 +499,8 @@ CLOSEYUV2RGBFUNC(8) // r, g, b, dst_1, dst_2 YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; #define PUTRGB8(dst, src, i, o) \ Y = src[2 * i]; \ @@ -528,8 +529,8 @@ YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0) PUTRGB8(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(8, 0) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; LOADCHROMA(0); PUTRGB8(dst_1, py_1, 0, 0); PUTRGB8(dst_2, py_2, 0, 0 + 8); @@ -539,8 +540,8 @@ ENDYUV2RGBLINE(8, 0) PUTRGB8(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(8, 1) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; LOADCHROMA(0); PUTRGB8(dst_1, py_1, 0, 0); PUTRGB8(dst_2, py_2, 0, 0 + 8); @@ -549,8 +550,8 @@ ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; #define PUTRGB4D(dst, src, i, o) \ @@ -581,8 +582,8 @@ YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0) PUTRGB4D(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(4, 0) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; LOADCHROMA(0); PUTRGB4D(dst_1, py_1, 0, 0); @@ -593,8 +594,8 @@ ENDYUV2RGBLINE(4, 0) PUTRGB4D(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(4, 1) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; LOADCHROMA(0); PUTRGB4D(dst_1, py_1, 0, 0); @@ -602,8 +603,8 @@ ENDYUV2RGBLINE(4, 1) ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; #define PUTRGB4DB(dst, src, i, o) \ Y = src[2 * i]; \ @@ -631,8 +632,8 @@ YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0) PUTRGB4DB(dst_2, py_2, 3, 6 + 8); PUTRGB4DB(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(8, 0) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; LOADCHROMA(0); PUTRGB4DB(dst_1, py_1, 0, 0); PUTRGB4DB(dst_2, py_2, 0, 0 + 8); @@ -641,15 +642,15 @@ ENDYUV2RGBLINE(8, 0) PUTRGB4DB(dst_2, py_2, 1, 2 + 8); PUTRGB4DB(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(8, 1) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; LOADCHROMA(0); PUTRGB4DB(dst_1, py_1, 0, 0); PUTRGB4DB(dst_2, py_2, 0, 0 + 8); ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_1_ordered_dither, uint8_t, 0) - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; char out_1 = 0, out_2 = 0; g = c->table_gU[128 + YUVRGB_TABLE_HEADROOM] + c->table_gV[128 + YUVRGB_TABLE_HEADROOM]; From a99bcee917d63b39e44a175aaa9e647d43d9e779 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Apr 2020 20:58:52 +0200 Subject: [PATCH 0731/1383] avformat/oggdec: Check for EOF after page header Fixes: Infinite loop Fixes: Ticket8594 Signed-off-by: Michael Niedermayer (cherry picked from commit f1589be9fda00c417f9bcccb55dbbea998ee08ac) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 81cfb3c243..c31ebc2d10 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -389,6 +389,9 @@ static int ogg_read_page(AVFormatContext *s, int *sid) avio_skip(bc, 8); /* seq, crc */ nsegs = avio_r8(bc); + if (avio_feof(bc)) + return AVERROR_EOF; + idx = ogg_find_stream(ogg, serial); if (idx < 0) { if (data_packets_seen(ogg)) From 20283b395e208afc154aacf96753fde3fc396c25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2020 21:38:55 +0200 Subject: [PATCH 0732/1383] avcodec/cbs_jpeg_syntax_template: Check table index before use in dht() Fixes: out of array access Fixes: 21515/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5766121576988672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d31862c2b1b1fd07dcdc503193056d6c9ad28ccb) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg_syntax_template.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_jpeg_syntax_template.c b/libavcodec/cbs_jpeg_syntax_template.c index d3cd9ff62e..1ffb77d231 100644 --- a/libavcodec/cbs_jpeg_syntax_template.c +++ b/libavcodec/cbs_jpeg_syntax_template.c @@ -108,6 +108,9 @@ static int FUNC(dht)(CodedBitstreamContext *ctx, RWContext *rw, n = 2; for (i = 0; n < current->Lh; i++) { + if (i >= 8) + return AVERROR_INVALIDDATA; + CHECK(FUNC(huffman_table)(ctx, rw, ¤t->table[i])); ++n; From cfc2633c7531a03c1f8578dec3e23d89a11e71b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Apr 2020 22:06:10 +0200 Subject: [PATCH 0733/1383] avcodec/cbs_jpeg_syntax_template: Check array index in huffman_table() Fixes: index 224 out of bounds for type 'uint8_t [224]' Fixes: 21534/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6291612167831552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 18f5256c0dc6cfb41e649ab80b0577ba33852d76) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg_syntax_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/cbs_jpeg_syntax_template.c b/libavcodec/cbs_jpeg_syntax_template.c index 1ffb77d231..6eda56d623 100644 --- a/libavcodec/cbs_jpeg_syntax_template.c +++ b/libavcodec/cbs_jpeg_syntax_template.c @@ -89,6 +89,8 @@ static int FUNC(huffman_table)(CodedBitstreamContext *ctx, RWContext *rw, ij = 0; for (i = 0; i < 16; i++) { for (j = 0; j < current->L[i]; j++) { + if (ij >= 224) + return AVERROR_INVALIDDATA; us(8, V[ij], ij, 0, 255); ++ij; } From cde8c90a3d3e59c737e450597ae613eab60fc6a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Feb 2020 20:02:55 +0100 Subject: [PATCH 0734/1383] avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c() Fixes: signed integer overflow: 2145417478 + 76702564 cannot be represented in type 'int' Fixes: 20313/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734487724130304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abb5762e985f4ce34e97c1b2fa6d1108ce8a881f) Signed-off-by: Michael Niedermayer --- libavcodec/audiodsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/audiodsp.c b/libavcodec/audiodsp.c index 3c7a3a7583..efcb0a8e8a 100644 --- a/libavcodec/audiodsp.c +++ b/libavcodec/audiodsp.c @@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src, int len, static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2, int order) { - int res = 0; + unsigned res = 0; while (order--) res += *v1++ **v2++; From 9494b1bc91fa03d090faea0485b0acba0eaa59b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Feb 2020 23:20:23 +0100 Subject: [PATCH 0735/1383] avcodec/flac_parser: Do not lose header count in find_headers_search() Fixes: Timeout Fixes: out of array access Fixes: 20274/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5649631988154368 Fixes: 19275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5757535722405888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55f9683cf6be97f4b398a7a35ee5bfd1208ac2a5) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 2721286464..fed33087e8 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -216,16 +216,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size uint32_t x; for (i = 0; i < mod_offset; i++) { - if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i); + if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i); + size = FFMAX(size, ret); + } } for (; i < buf_size - 1; i += 4) { x = AV_RB32(buf + i); if (((x & ~(x + 0x01010101)) & 0x80808080)) { for (j = 0; j < 4; j++) { - if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i + j); + if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i + j); + size = FFMAX(size, ret); + } } } } From a5ff87551d6814593b83693786a2393ea68e58c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 21:25:33 +0100 Subject: [PATCH 0736/1383] avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs() Fixes: left shift of negative value -14336 Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e30502abe62f741cfef1e7b75048ae86a99a50f) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index bd66175d50..1e1edc8964 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -107,29 +107,30 @@ static void scale_coefs ( } } else { shift = -shift; + mul <<= shift; for (i=0; i Date: Sun, 2 Feb 2020 21:01:12 +0100 Subject: [PATCH 0737/1383] avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*() Fixes: signed integer overflow: 40550400 * 128 cannot be represented in type 'int' Fixes: 20331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV40_fuzzer-5676685725007872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 13171ad2e304b2a7d959429527b98c68ec5ea320) Signed-off-by: Michael Niedermayer --- libavcodec/rv40dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 5579bd9bed..2ac791d674 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -385,7 +385,7 @@ static void rv40_weight_func_rnd_ ## size (uint8_t *dst, uint8_t *src1, uint8_t \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (((w2 * src1[i]) >> 9) + ((w1 * src2[i]) >> 9) + 0x10) >> 5;\ + dst[i] = ((((unsigned)w2 * src1[i]) >> 9) + (((unsigned)w1 * src2[i]) >> 9) + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ @@ -397,7 +397,7 @@ static void rv40_weight_func_nornd_ ## size (uint8_t *dst, uint8_t *src1, uint8_ \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (w2 * src1[i] + w1 * src2[i] + 0x10) >> 5;\ + dst[i] = ((unsigned)w2 * src1[i] + (unsigned)w1 * src2[i] + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ From d55c05368f6877a753507861f346eea41ec6610a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Apr 2020 01:48:47 +0200 Subject: [PATCH 0738/1383] avcodec/pngdec: Pass ret from decode_iccp_chunk() Found while reviewing a patch fixing a similar issue Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 4c7bcaa385e5e5fda0084de2fb823ac25c0deba0) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 268312c572..cd7cd46798 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1290,7 +1290,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('i', 'C', 'C', 'P'): { - if (decode_iccp_chunk(s, length, p) < 0) + if ((ret = decode_iccp_chunk(s, length, p)) < 0) goto fail; break; } From fac6bc92f7a94a167645a18272ae5b4faa9f1dbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Apr 2020 00:03:39 +0200 Subject: [PATCH 0739/1383] avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit bc41a29a5aa3c3dedba0a85b4aeb79a07eeeb1b4) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 72e3ae73b2..76ad63d102 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -715,7 +715,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in { const uint8_t *src_end = src + src_size; int x = 0, y = 0, i; - while (src + 5 <= src_end) { + while (src_end - src >= 5) { int opcode; opcode = *(int8_t *)src++; if (opcode >= 0) { From fc559ce561e1208661b1ac4f138396071d030339 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Apr 2020 00:03:40 +0200 Subject: [PATCH 0740/1383] avcodec/iff: Check length before memcpy() in decode_deep_rle32() Fixes: out of array read Fixes: 20796/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5111364702175232.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4a33387cb1cd3f4c5036e65e0fdd953c6b5012f) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 76ad63d102..83d0ee524d 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -722,6 +722,8 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in int size = opcode + 1; for (i = 0; i < size; i++) { int length = FFMIN(size - i, width); + if (src_end - src < length * 4) + return; memcpy(dst + y*linesize + x * 4, src, length * 4); src += length * 4; x += length; From 1e7bbb3600b4d596a16bcf3c79be42b1fb2100ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Apr 2020 18:24:55 +0200 Subject: [PATCH 0741/1383] avcodec/hevc_mp4toannexb_bsf: Check nalu_size Fixes: Timeout (29sec -> 5ms) Fixes: 20237/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5165615044362240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae2537f53e8ebfa36345241b5b70c0b1aef66dd2) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index baa93628ed..30f733d775 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -144,6 +144,11 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); + if (nalu_size < 2) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f; /* prepend extradata to IRAP frames */ From 7dc86d9a4d889479412ab20552e51610ba1ab768 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Feb 2020 00:33:40 +0100 Subject: [PATCH 0742/1383] avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture() Fixes: Timeout (105sec -> 1sec) Fixes: 20479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5769846937878528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a9ccc2514da82812584b0e49a30625151d225e9) Signed-off-by: Michael Niedermayer --- libavcodec/intrax8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/intrax8.c b/libavcodec/intrax8.c index d46f97c7a4..f385423dc1 100644 --- a/libavcodec/intrax8.c +++ b/libavcodec/intrax8.c @@ -801,6 +801,8 @@ int ff_intrax8_decode_picture(IntraX8Context *w, Picture *pict, for (w->mb_y = 0; w->mb_y < w->mb_height * 2; w->mb_y++) { x8_init_block_index(w, w->frame); mb_xy = (w->mb_y >> 1) * (w->mb_width + 1); + if (get_bits_left(gb) < 1) + goto error; for (w->mb_x = 0; w->mb_x < w->mb_width * 2; w->mb_x++) { x8_get_prediction(w); if (x8_setup_spatial_predictor(w, 0)) From 231a5e4528872e148aa2528aff51ccbba4603e8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Apr 2020 00:11:15 +0200 Subject: [PATCH 0743/1383] avcodec/cbs_h265_syntax_template: Check num_negative/positive_pics when inter_ref_pic_set_prediction_flag is set Fixes: out of array access Fixes: 20446/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5707770718584832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 588114cea4ee434c9c61353ed91ffc817d2965f5) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h265_syntax_template.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 52e45aa6db..7977c22daa 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -547,6 +547,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw, } } + if (i > 15) + return AVERROR_INVALIDDATA; infer(num_negative_pics, i); for (i = 0; i < current->num_negative_pics; i++) { infer(delta_poc_s0_minus1[i], @@ -576,6 +578,8 @@ static int FUNC(st_ref_pic_set)(CodedBitstreamContext *ctx, RWContext *rw, } } + if (i + current->num_negative_pics > 15) + return AVERROR_INVALIDDATA; infer(num_positive_pics, i); for (i = 0; i < current->num_positive_pics; i++) { infer(delta_poc_s1_minus1[i], From 33440bd53b13ab651c681300f24a0ff701cd36fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2020 23:28:33 +0100 Subject: [PATCH 0744/1383] avcodec/svq1dec: Check that there is data left after the header Fixes: Timeout (21sec -> 255ms) Fixes: 20709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ1_fuzzer-5085075089915904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55e344ee5aa6f6e04e50bbac457e0ca53433ab75) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index d3e60c3a4a..b61ae348d2 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -602,6 +602,8 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) if (skip_1stop_8data_bits(bitbuf) < 0) return AVERROR_INVALIDDATA; } + if (get_bits_left(bitbuf) <= 0) + return AVERROR_INVALIDDATA; s->width = width; s->height = height; From 778965d30d3a6932ea48fd5bf9aca980d53f98da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2020 23:14:16 +0100 Subject: [PATCH 0745/1383] avcodec/txd: Check for input size against the header size. Fixes: Timeout (21sec -> 80ms) Fixes: 20673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TXD_fuzzer-5177453863763968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aeb4e435847e0c970bcb1a835fe5eda17a4e1ce3) Signed-off-by: Michael Niedermayer --- libavcodec/txd.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/txd.c b/libavcodec/txd.c index 8b20475d39..f00ba89e82 100644 --- a/libavcodec/txd.c +++ b/libavcodec/txd.c @@ -43,6 +43,9 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int i, j; int ret; + if (avpkt->size < 88) + return AVERROR_INVALIDDATA; + ff_texturedsp_init(&dxtc); bytestream2_init(&gb, avpkt->data, avpkt->size); From 2d7a83457e95dc938d19ca73839e7503df26b592 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2020 00:23:14 +0100 Subject: [PATCH 0746/1383] avcodec/dstdec: Fix integer overflow in read_table() Fixes: signed integer overflow: -16 * 134217879 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5639509530378240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d465a401dd790e2ca126ecb9cbda43f898a492f) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index c548174331..b70e0d27ec 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -155,7 +155,7 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[ for (j = method + 1; j < t->length[i]; j++) { int c, x = 0; for (k = 0; k < method + 1; k++) - x += code_pred_coeff[method][k] * t->coeff[i][j - k - 1]; + x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1]; c = get_sr_golomb_dst(gb, lsb_size); if (x >= 0) c -= (x + 4) / 8; From 4f0893fefa4ef405c13565506bbd1d8e7687b064 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2020 18:09:24 +0100 Subject: [PATCH 0747/1383] libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative Fixes: left shift of negative value -8321365 Fixes: 20506/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-4798062906310656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62e4003780cad60ac1371fef892da08c27069964) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c02b156f0f..22596bd5f8 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -164,7 +164,7 @@ typedef struct WmallDecodeCtx { int transient_pos[WMALL_MAX_CHANNELS]; int seekable_tile; - int ave_sum[WMALL_MAX_CHANNELS]; + unsigned ave_sum[WMALL_MAX_CHANNELS]; int channel_residues[WMALL_MAX_CHANNELS][WMALL_BLOCK_MAX_SIZE]; From f5d9e8af89be4127f3100337485806a5845b3aac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Apr 2020 19:29:39 +0200 Subject: [PATCH 0748/1383] avcodec/alacdsp: Fix invalid shift in append_extra_bits() Fixes: left shift of negative value -1 Fixes: 21390/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-6242539519868928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49ae034b42234486712a02f9b00253a0975cea02) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index ecbaedb067..9996eb4319 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -49,7 +49,7 @@ static void append_extra_bits(int32_t *buffer[2], int32_t *extra_bits_buffer[2], for (ch = 0; ch < channels; ch++) for (i = 0; i < nb_samples; i++) - buffer[ch][i] = (buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i]; + buffer[ch][i] = ((unsigned)buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i]; } av_cold void ff_alacdsp_init(ALACDSPContext *c) From ff3b195470a6b4056fbd6df3ef9173e7356814f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Feb 2020 22:58:08 +0100 Subject: [PATCH 0749/1383] avcodec/vp9dsp_template: Fix integer overflows in idct32_1d() Fixes: signed integer overflow: -193177 * 11585 cannot be represented in type 'int' Fixes: 20557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5704852816789504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e16e3e63f0a96b4e0ec32972c975bc0e339a49d1) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 132 +++++++++++++++++------------------ 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bb54561a60..c3273dd726 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1479,38 +1479,38 @@ itxfm_wrap(16, 6) static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctcoef *out, int pass) { - dctint t0a = ((IN(0) + IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t1a = ((IN(0) - IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t2a = (IN( 8) * 6270 - IN(24) * 15137 + (1 << 13)) >> 14; - dctint t3a = (IN( 8) * 15137 + IN(24) * 6270 + (1 << 13)) >> 14; - dctint t4a = (IN( 4) * 3196 - IN(28) * 16069 + (1 << 13)) >> 14; - dctint t7a = (IN( 4) * 16069 + IN(28) * 3196 + (1 << 13)) >> 14; - dctint t5a = (IN(20) * 13623 - IN(12) * 9102 + (1 << 13)) >> 14; - dctint t6a = (IN(20) * 9102 + IN(12) * 13623 + (1 << 13)) >> 14; - dctint t8a = (IN( 2) * 1606 - IN(30) * 16305 + (1 << 13)) >> 14; - dctint t15a = (IN( 2) * 16305 + IN(30) * 1606 + (1 << 13)) >> 14; - dctint t9a = (IN(18) * 12665 - IN(14) * 10394 + (1 << 13)) >> 14; - dctint t14a = (IN(18) * 10394 + IN(14) * 12665 + (1 << 13)) >> 14; - dctint t10a = (IN(10) * 7723 - IN(22) * 14449 + (1 << 13)) >> 14; - dctint t13a = (IN(10) * 14449 + IN(22) * 7723 + (1 << 13)) >> 14; - dctint t11a = (IN(26) * 15679 - IN( 6) * 4756 + (1 << 13)) >> 14; - dctint t12a = (IN(26) * 4756 + IN( 6) * 15679 + (1 << 13)) >> 14; - dctint t16a = (IN( 1) * 804 - IN(31) * 16364 + (1 << 13)) >> 14; - dctint t31a = (IN( 1) * 16364 + IN(31) * 804 + (1 << 13)) >> 14; - dctint t17a = (IN(17) * 12140 - IN(15) * 11003 + (1 << 13)) >> 14; - dctint t30a = (IN(17) * 11003 + IN(15) * 12140 + (1 << 13)) >> 14; - dctint t18a = (IN( 9) * 7005 - IN(23) * 14811 + (1 << 13)) >> 14; - dctint t29a = (IN( 9) * 14811 + IN(23) * 7005 + (1 << 13)) >> 14; - dctint t19a = (IN(25) * 15426 - IN( 7) * 5520 + (1 << 13)) >> 14; - dctint t28a = (IN(25) * 5520 + IN( 7) * 15426 + (1 << 13)) >> 14; - dctint t20a = (IN( 5) * 3981 - IN(27) * 15893 + (1 << 13)) >> 14; - dctint t27a = (IN( 5) * 15893 + IN(27) * 3981 + (1 << 13)) >> 14; - dctint t21a = (IN(21) * 14053 - IN(11) * 8423 + (1 << 13)) >> 14; - dctint t26a = (IN(21) * 8423 + IN(11) * 14053 + (1 << 13)) >> 14; - dctint t22a = (IN(13) * 9760 - IN(19) * 13160 + (1 << 13)) >> 14; - dctint t25a = (IN(13) * 13160 + IN(19) * 9760 + (1 << 13)) >> 14; - dctint t23a = (IN(29) * 16207 - IN( 3) * 2404 + (1 << 13)) >> 14; - dctint t24a = (IN(29) * 2404 + IN( 3) * 16207 + (1 << 13)) >> 14; + dctint t0a = (dctint)((IN(0) + IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t1a = (dctint)((IN(0) - IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t2a = (dctint)(IN( 8) * 6270U - IN(24) * 15137U + (1 << 13)) >> 14; + dctint t3a = (dctint)(IN( 8) * 15137U + IN(24) * 6270U + (1 << 13)) >> 14; + dctint t4a = (dctint)(IN( 4) * 3196U - IN(28) * 16069U + (1 << 13)) >> 14; + dctint t7a = (dctint)(IN( 4) * 16069U + IN(28) * 3196U + (1 << 13)) >> 14; + dctint t5a = (dctint)(IN(20) * 13623U - IN(12) * 9102U + (1 << 13)) >> 14; + dctint t6a = (dctint)(IN(20) * 9102U + IN(12) * 13623U + (1 << 13)) >> 14; + dctint t8a = (dctint)(IN( 2) * 1606U - IN(30) * 16305U + (1 << 13)) >> 14; + dctint t15a = (dctint)(IN( 2) * 16305U + IN(30) * 1606U + (1 << 13)) >> 14; + dctint t9a = (dctint)(IN(18) * 12665U - IN(14) * 10394U + (1 << 13)) >> 14; + dctint t14a = (dctint)(IN(18) * 10394U + IN(14) * 12665U + (1 << 13)) >> 14; + dctint t10a = (dctint)(IN(10) * 7723U - IN(22) * 14449U + (1 << 13)) >> 14; + dctint t13a = (dctint)(IN(10) * 14449U + IN(22) * 7723U + (1 << 13)) >> 14; + dctint t11a = (dctint)(IN(26) * 15679U - IN( 6) * 4756U + (1 << 13)) >> 14; + dctint t12a = (dctint)(IN(26) * 4756U + IN( 6) * 15679U + (1 << 13)) >> 14; + dctint t16a = (dctint)(IN( 1) * 804U - IN(31) * 16364U + (1 << 13)) >> 14; + dctint t31a = (dctint)(IN( 1) * 16364U + IN(31) * 804U + (1 << 13)) >> 14; + dctint t17a = (dctint)(IN(17) * 12140U - IN(15) * 11003U + (1 << 13)) >> 14; + dctint t30a = (dctint)(IN(17) * 11003U + IN(15) * 12140U + (1 << 13)) >> 14; + dctint t18a = (dctint)(IN( 9) * 7005U - IN(23) * 14811U + (1 << 13)) >> 14; + dctint t29a = (dctint)(IN( 9) * 14811U + IN(23) * 7005U + (1 << 13)) >> 14; + dctint t19a = (dctint)(IN(25) * 15426U - IN( 7) * 5520U + (1 << 13)) >> 14; + dctint t28a = (dctint)(IN(25) * 5520U + IN( 7) * 15426U + (1 << 13)) >> 14; + dctint t20a = (dctint)(IN( 5) * 3981U - IN(27) * 15893U + (1 << 13)) >> 14; + dctint t27a = (dctint)(IN( 5) * 15893U + IN(27) * 3981U + (1 << 13)) >> 14; + dctint t21a = (dctint)(IN(21) * 14053U - IN(11) * 8423U + (1 << 13)) >> 14; + dctint t26a = (dctint)(IN(21) * 8423U + IN(11) * 14053U + (1 << 13)) >> 14; + dctint t22a = (dctint)(IN(13) * 9760U - IN(19) * 13160U + (1 << 13)) >> 14; + dctint t25a = (dctint)(IN(13) * 13160U + IN(19) * 9760U + (1 << 13)) >> 14; + dctint t23a = (dctint)(IN(29) * 16207U - IN( 3) * 2404U + (1 << 13)) >> 14; + dctint t24a = (dctint)(IN(29) * 2404U + IN( 3) * 16207U + (1 << 13)) >> 14; dctint t0 = t0a + t3a; dctint t1 = t1a + t2a; @@ -1545,20 +1545,20 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctint t30 = t31a - t30a; dctint t31 = t31a + t30a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; - t17a = ( t30 * 3196 - t17 * 16069 + (1 << 13)) >> 14; - t30a = ( t30 * 16069 + t17 * 3196 + (1 << 13)) >> 14; - t18a = (-(t29 * 16069 + t18 * 3196) + (1 << 13)) >> 14; - t29a = ( t29 * 3196 - t18 * 16069 + (1 << 13)) >> 14; - t21a = ( t26 * 13623 - t21 * 9102 + (1 << 13)) >> 14; - t26a = ( t26 * 9102 + t21 * 13623 + (1 << 13)) >> 14; - t22a = (-(t25 * 9102 + t22 * 13623) + (1 << 13)) >> 14; - t25a = ( t25 * 13623 - t22 * 9102 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; + t17a = (dctint)( t30 * 3196U - t17 * 16069U + (1 << 13)) >> 14; + t30a = (dctint)( t30 * 16069U + t17 * 3196U + (1 << 13)) >> 14; + t18a = (dctint)(-(t29 * 16069U + t18 * 3196U) + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 3196U - t18 * 16069U + (1 << 13)) >> 14; + t21a = (dctint)( t26 * 13623U - t21 * 9102U + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 9102U + t21 * 13623U + (1 << 13)) >> 14; + t22a = (dctint)(-(t25 * 9102U + t22 * 13623U) + (1 << 13)) >> 14; + t25a = (dctint)( t25 * 13623U - t22 * 9102U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1593,18 +1593,18 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30 = t30a + t29a; t31a = t31 + t28; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; - t18a = ( t29 * 6270 - t18 * 15137 + (1 << 13)) >> 14; - t29a = ( t29 * 15137 + t18 * 6270 + (1 << 13)) >> 14; - t19 = ( t28a * 6270 - t19a * 15137 + (1 << 13)) >> 14; - t28 = ( t28a * 15137 + t19a * 6270 + (1 << 13)) >> 14; - t20 = (-(t27a * 15137 + t20a * 6270) + (1 << 13)) >> 14; - t27 = ( t27a * 6270 - t20a * 15137 + (1 << 13)) >> 14; - t21a = (-(t26 * 15137 + t21 * 6270) + (1 << 13)) >> 14; - t26a = ( t26 * 6270 - t21 * 15137 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; + t18a = (dctint)( t29 * 6270U - t18 * 15137U + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 15137U + t18 * 6270U + (1 << 13)) >> 14; + t19 = (dctint)( t28a * 6270U - t19a * 15137U + (1 << 13)) >> 14; + t28 = (dctint)( t28a * 15137U + t19a * 6270U + (1 << 13)) >> 14; + t20 = (dctint)(-(t27a * 15137U + t20a * 6270U) + (1 << 13)) >> 14; + t27 = (dctint)( t27a * 6270U - t20a * 15137U + (1 << 13)) >> 14; + t21a = (dctint)(-(t26 * 15137U + t21 * 6270U) + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 6270U - t21 * 15137U + (1 << 13)) >> 14; t0 = t0a + t15a; t1 = t1a + t14; @@ -1639,14 +1639,14 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30a = t30 + t25; t31 = t31a + t24a; - t20 = ((t27a - t20a) * 11585 + (1 << 13)) >> 14; - t27 = ((t27a + t20a) * 11585 + (1 << 13)) >> 14; - t21a = ((t26 - t21 ) * 11585 + (1 << 13)) >> 14; - t26a = ((t26 + t21 ) * 11585 + (1 << 13)) >> 14; - t22 = ((t25a - t22a) * 11585 + (1 << 13)) >> 14; - t25 = ((t25a + t22a) * 11585 + (1 << 13)) >> 14; - t23a = ((t24 - t23 ) * 11585 + (1 << 13)) >> 14; - t24a = ((t24 + t23 ) * 11585 + (1 << 13)) >> 14; + t20 = (dctint)((t27a - t20a) * 11585U + (1 << 13)) >> 14; + t27 = (dctint)((t27a + t20a) * 11585U + (1 << 13)) >> 14; + t21a = (dctint)((t26 - t21 ) * 11585U + (1 << 13)) >> 14; + t26a = (dctint)((t26 + t21 ) * 11585U + (1 << 13)) >> 14; + t22 = (dctint)((t25a - t22a) * 11585U + (1 << 13)) >> 14; + t25 = (dctint)((t25a + t22a) * 11585U + (1 << 13)) >> 14; + t23a = (dctint)((t24 - t23 ) * 11585U + (1 << 13)) >> 14; + t24a = (dctint)((t24 + t23 ) * 11585U + (1 << 13)) >> 14; out[ 0] = t0 + t31; out[ 1] = t1 + t30a; From 35af336ccbe8893c9c49a64e1fd4a93a504eb8a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Mar 2020 20:36:00 +0100 Subject: [PATCH 0750/1383] avcodec/hapdec: Check tex_size more strictly and before using it Fixes: OOM Fixes: 20774/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5678608951803904 Fixes: 20956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5713643025203200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 81fe316ad9852a3dfe46b4dc919ed1709b217671) Signed-off-by: Michael Niedermayer --- libavcodec/hapdec.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index 8c845770cf..5ae182d7a4 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -305,7 +305,6 @@ static int hap_decode(AVCodecContext *avctx, void *data, HapContext *ctx = avctx->priv_data; ThreadFrame tframe; int ret, i, t; - int tex_size; int section_size; enum HapSectionType section_type; int start_texture_section = 0; @@ -342,6 +341,13 @@ static int hap_decode(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + if (ctx->tex_size != (avctx->coded_width / TEXTURE_BLOCK_W) + *(avctx->coded_height / TEXTURE_BLOCK_H) + *tex_rat[t]) { + av_log(avctx, AV_LOG_ERROR, "uncompressed size mismatches\n"); + return AVERROR_INVALIDDATA; + } + start_texture_section += ctx->texture_section_size + 4; if (avctx->codec->update_thread_context) @@ -349,9 +355,16 @@ static int hap_decode(AVCodecContext *avctx, void *data, /* Unpack the DXT texture */ if (hap_can_use_tex_in_place(ctx)) { + int tex_size; /* Only DXTC texture compression in a contiguous block */ ctx->tex_data = ctx->gbc.buffer; tex_size = FFMIN(ctx->texture_section_size, bytestream2_get_bytes_left(&ctx->gbc)); + if (tex_size < (avctx->coded_width / TEXTURE_BLOCK_W) + *(avctx->coded_height / TEXTURE_BLOCK_H) + *tex_rat[t]) { + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n"); + return AVERROR_INVALIDDATA; + } } else { /* Perform the second-stage decompression */ ret = av_reallocp(&ctx->tex_buf, ctx->tex_size); @@ -367,14 +380,6 @@ static int hap_decode(AVCodecContext *avctx, void *data, } ctx->tex_data = ctx->tex_buf; - tex_size = ctx->tex_size; - } - - if (tex_size < (avctx->coded_width / TEXTURE_BLOCK_W) - *(avctx->coded_height / TEXTURE_BLOCK_H) - *tex_rat[t]) { - av_log(avctx, AV_LOG_ERROR, "Insufficient data\n"); - return AVERROR_INVALIDDATA; } /* Use the decompress function on the texture, one block per thread */ From 9e8e8a630e96389b118e7241adb597cbf013e3bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Apr 2020 22:58:29 +0200 Subject: [PATCH 0751/1383] avcodec/g2meet: Check tile_width in epic_jb_decode_tile() Fixes: out of array access Fixes: 21469/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5199357982015488 Alternatively the arrays can be made bigger or the index can be clipped. In case a real file with such huge tiles exist we ask the user to upload it. Signed-off-by: Michael Niedermayer (cherry picked from commit 5501bb28ddfa6441dcbf8ea0a964a13aa33f66fe) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 731d29a5d4..7ef275c9fe 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -917,6 +917,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, awidth = FFALIGN(tile_width, 16); aheight = FFALIGN(tile_height, 16); + if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) { + avpriv_request_sample(avctx, "large tile width"); + return AVERROR_INVALIDDATA; + } + if (els_dsize) { int ret, i, j, k; uint8_t tr_r, tr_g, tr_b, *buf; From d303f28c57f98992e8f1c056057ab49f933c4c86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2020 19:29:44 +0200 Subject: [PATCH 0752/1383] avcodec/pngdec: Check length in fdAT Fixes: 21089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5135981419429888 Fixes: out of array read Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79e5c2ee2bbdf462cabd2113c723dfb613d735c2) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index cd7cd46798..1be0e245cb 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1242,7 +1242,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, case MKTAG('f', 'd', 'A', 'T'): if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG) goto skip_tag; - if (!decode_next_dat) { + if (!decode_next_dat || length < 4) { ret = AVERROR_INVALIDDATA; goto fail; } From e81e27ffd02bfb2d5f33aee08326733e9f0fddef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Apr 2020 00:03:30 +0200 Subject: [PATCH 0753/1383] avformat/mpeg: Decrease score by 1 for files with very little valid data Fixes: 8233/PPY6574574605_cut.mp3 Signed-off-by: Michael Niedermayer (cherry picked from commit 20f7b4dfc9640c910655bd153c6996e9edd42ff0) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index d4369b49c2..7d523e5fc2 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -107,7 +107,7 @@ static int mpegps_probe(AVProbeData *p) if (sys > invalid && sys * 9 <= pspack * 10) return (audio > 12 || vid > 3 || pspack > 2) ? AVPROBE_SCORE_EXTENSION + 2 - : AVPROBE_SCORE_EXTENSION / 2 + 1; // 1 more than mp3 + : AVPROBE_SCORE_EXTENSION / 2 + (audio + vid + pspack > 1); // 1 more than mp3 if (pspack > invalid && (priv1 + vid + audio) * 10 >= pspack * 9) return pspack > 2 ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg From 5cdbb2a977964f879cd059c903cee611b8fbcc6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Apr 2020 20:27:27 +0200 Subject: [PATCH 0754/1383] avformat/thp: Require a video stream The demuxer code assumes the existence of a video stream Fixes: assertion failure Fixes: 21512/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5699660783288320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97c78caf3e8f7ec4df3d3123b5e8d0e7541319e6) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 76b9b3820c..38db4da89a 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -145,6 +145,9 @@ static int thp_read_header(AVFormatContext *s) } } + if (!thp->vst) + return AVERROR_INVALIDDATA; + return 0; } From f65d68abd966f4c59f31cdcf042cef2c98a619a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Feb 2020 20:56:56 +0100 Subject: [PATCH 0755/1383] avcodec/dstdec: Check sample rate Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5735812071424000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5727b1f13f36c4db30d5d0de51640f740edf01e8) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index b70e0d27ec..d8f80bd114 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -85,6 +85,10 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) { + return AVERROR_PATCHWELCOME; + } + avctx->sample_fmt = AV_SAMPLE_FMT_FLT; for (i = 0; i < avctx->channels; i++) From 5325e60e47b207caa58bdade9f1ded2cdc061923 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 11:08:28 +0200 Subject: [PATCH 0756/1383] avcodec/alac: Fix integer overflow with 24/20bps samples Fixes: signed integer overflow: 1020048 * 4096 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5753877751660544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 22e51e95ac97864b3d7b21124eaf8fcce147f61e) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index cf0f4fc147..bb0619a2d0 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -397,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, case 20: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] *= 1 << 12; + alac->output_samples_buffer[ch][i] *= 1U << 12; }} break; case 24: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] *= 1 << 8; + alac->output_samples_buffer[ch][i] *= 1U << 8; }} break; } From dd835730435a625e0f2414d154906cb0b6fece2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 11:34:53 +0200 Subject: [PATCH 0757/1383] avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1 The fixed point integer reference specifies the multiplication used to have 16bit input and clips so we need to clip the input The floating point implementation does not seem to do that. Fixes: signed integer overflow: 6317568 * 410 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5700189272932352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 82d4c7b95ed98d38aa834ef5a8fb1d2ef3901698) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index ab668594d2..617744ec8e 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -600,6 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } + gain = av_clip_int16(gain); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; From 240b5f73f13b8f57e018d26965d573ed13bf09a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 12:04:05 +0200 Subject: [PATCH 0758/1383] avcodec/iff: Fix several integer overflows Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5764066459254784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7a92147f87129851c1cc2c15f4ba714b8cf23f71) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 83d0ee524d..fcc5c67430 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1375,11 +1375,10 @@ static void decode_delta_d(uint8_t *dst, opcode--; } } else { - opcode = -opcode; while (opcode && bytestream2_get_bytes_left(&gb) > 0) { bytestream2_put_be32(&pb, bytestream2_get_be32(&gb)); bytestream2_skip_p(&pb, pitch - 4); - opcode--; + opcode++; } } entries--; From 428c542b45bbfa03cdb7f6cbf5a6144fe6d11cbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 19:09:47 +0200 Subject: [PATCH 0759/1383] avcodec/nuv: widen buf_size type Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5740176118906880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ac106bf5625de6aec31a34319298032e988f349) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 39f4e79ba0..c4e44b7200 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -126,7 +126,7 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, get_quant_quality(c, quality); if (width != c->width || height != c->height) { // also reserve space for a possible additional header - int buf_size = height * width * 3 / 2 + int64_t buf_size = height * (int64_t)width * 3 / 2 + FFMAX(AV_LZO_OUTPUT_PADDING, AV_INPUT_BUFFER_PADDING_SIZE) + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) From c04b6048f5ef2b114043149311986da759b90dd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 20:15:11 +0200 Subject: [PATCH 0760/1383] avcodec/ralf: Fix integer overflow in decode_block() Fixes: signed integer overflow: 289082077 - -2003141111 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5196077752123392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c4330847c104fcf3ef929c1acee33b5b34c20db) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 15be19b526..a57966a298 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -344,7 +344,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, int len, ch, ret; int dmode, mode[2], bits[2]; int *ch0, *ch1; - int i, t, t2; + int i; + unsigned int t, t2; len = 12 - get_unary(gb, 0, 6); @@ -409,8 +410,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); - dst0[i] = (t2 + t) / 2; - dst1[i] = (t2 - t) / 2; + dst0[i] = (int)(t2 + t) / 2; + dst1[i] = (int)(t2 - t) / 2; } break; } From d01f5a4dc68e5d5267fd501e692ccabeac1ff4a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 21:12:22 +0200 Subject: [PATCH 0761/1383] avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c() Fixes: signed integer overflow: 1931744255 + 252497024 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5763348114440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8627885172cc54db95f86529d134308d4d095054) Signed-off-by: Michael Niedermayer --- libavcodec/ttadsp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 056a2c7ef1..1d1443aee0 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c @@ -20,9 +20,11 @@ #include "ttadsp.h" #include "config.h" -static void tta_filter_process_c(int32_t *qm, int32_t *dx, int32_t *dl, +static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, int32_t *error, int32_t *in, int32_t shift, int32_t round) { + uint32_t *qm = qmi; + if (*error < 0) { qm[0] -= dx[0]; qm[1] -= dx[1]; qm[2] -= dx[2]; qm[3] -= dx[3]; qm[4] -= dx[4]; qm[5] -= dx[5]; qm[6] -= dx[6]; qm[7] -= dx[7]; From 75fb0d8276ceda5d00410c40e7cfc53c8bf38a44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 21:16:59 +0200 Subject: [PATCH 0762/1383] avcodec/utvideodec: Fix integer overflow in decode_plane() Fixes: signed integer overflow: 2147483594 + 142 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5658568101724160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 876cfa67f37e944b0f42cb67b2de4e2e06f52e82) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 3891df3570..6c9fb0ce22 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -317,7 +317,7 @@ static int decode_plane(UtvideoContext *c, int plane_no, for (i = 0; i < width; i++) { pix = fsym; if (use_pred) { - prev += pix; + prev += (unsigned)pix; pix = prev; } dest[i] = pix; From 36ea0ddc75ee83e6dd7f9dcdb82b8fcab08dd19e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2020 21:18:58 +0200 Subject: [PATCH 0763/1383] avcodec/iff: Test video_size being non zero Fixes: Out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5658548592967680 Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723561177382912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a035fd88ae7341a05c01f3b393921933e4ea9665) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index fcc5c67430..f094b4b548 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -440,6 +440,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->codec_tag == MKTAG('A', 'N', 'I', 'M')) { s->video_size = FFALIGN(avctx->width, 2) * avctx->height * s->bpp; + if (!s->video_size) + return AVERROR_INVALIDDATA; s->video[0] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp); s->video[1] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp); s->pal = av_calloc(256, sizeof(*s->pal)); From 1e31295ea2c4d8ecef5cbb1c98bff3d187223311 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2020 22:17:43 +0200 Subject: [PATCH 0764/1383] avcodec/ralf: Check num_blocks before use Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0c0471075fe52ed31c46e038df4280aef5b67a1) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index a57966a298..406326779a 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, init_get_bits(&gb, src + 2, table_size); ctx->num_blocks = 0; while (get_bits_left(&gb) > 0) { + if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size)) + return AVERROR_INVALIDDATA; ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels); if (get_bits1(&gb)) { ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9); From a19dd37e2d3e26c0749fb12d24866a9c1ee6bbd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Feb 2020 21:30:08 +0100 Subject: [PATCH 0765/1383] avcodec/adpcm: Fix integer overflow in ADPCM THP The reference (thp.txt) uses floats so wrap around would seem incorrect. Fixes: signed integer overflow: 1073741824 + 1073741824 cannot be represented in type 'int' Fixes: 20658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_THP_fuzzer-5646302555930624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12b05374f7025167e2c43449ceb8ba3f0a6083f) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 0cd4dc5b54..44af74fd38 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1575,8 +1575,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int byte = bytestream2_get_byteu(&gb); int index = (byte >> 4) & 7; unsigned int exp = byte & 0x0F; - int factor1 = table[ch][index * 2]; - int factor2 = table[ch][index * 2 + 1]; + int64_t factor1 = table[ch][index * 2]; + int64_t factor2 = table[ch][index * 2 + 1]; /* Decode 14 samples. */ for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) { From ddaee77e3c4d07e2f1a242ddc6ea17760b4be9fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Apr 2020 17:05:53 +0200 Subject: [PATCH 0766/1383] avcodec/binkaudio: Fix 2Ghz sample_rate Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 19950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_DCT_fuzzer-5765514337189888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Paul Signed-off-by: Michael Niedermayer (cherry picked from commit f603d10b1e6bb2fbf4dcccc43d3ea2fb911b36ba) Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index fd56d17ca2..21145d4bbe 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -109,7 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx) s->frame_len = 1 << frame_len_bits; s->overlap_len = s->frame_len / 16; s->block_size = (s->frame_len - s->overlap_len) * s->channels; - sample_rate_half = (sample_rate + 1) / 2; + sample_rate_half = (sample_rate + 1LL) / 2; if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) s->root = 2.0 / (sqrt(s->frame_len) * 32768.0); else From 71fefa15c061cebceddaa2e2c0b2df999770c1a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 May 2020 12:38:26 +0200 Subject: [PATCH 0767/1383] avformat/mpegts: Shuffle avio_seek This avoids accessing an old, no longer valid buffer. Fixes: out of array access Fixes: crash_audio-2020 Found-by: le wu Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit cd74af14162c803f18e90bb12b52135e893d990c) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 3fc374cbf4..fe502ae77e 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2631,15 +2631,16 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren AVIOContext *pb = s->pb; int c, i; uint64_t pos = avio_tell(pb); - - avio_seek(pb, -FFMIN(seekback, pos), SEEK_CUR); + int64_t back = FFMIN(seekback, pos); //Special case for files like 01c56b0dc1.ts if (current_packet[0] == 0x80 && current_packet[12] == 0x47) { - avio_seek(pb, 12, SEEK_CUR); + avio_seek(pb, 12 - back, SEEK_CUR); return 0; } + avio_seek(pb, -back, SEEK_CUR); + for (i = 0; i < ts->resync_size; i++) { c = avio_r8(pb); if (avio_feof(pb)) From 13adaa31a9afb419f3d13cbf83beec5832212001 Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Tue, 21 Apr 2020 21:34:19 -0700 Subject: [PATCH 0768/1383] mpeg4videoenc: Don't crash with -fsanitize=bounds Also the patch makes this code consistent with mpeg4videodec.c Signed-off-by: Michael Niedermayer (cherry picked from commit f163d30de2090a7275f1fb8ad69258576f12c1a2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index f6a5992df7..2cd5a8c015 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -104,7 +104,7 @@ static inline void restore_ac_coeffs(MpegEncContext *s, int16_t block[6][64], memcpy(s->block_last_index, zigzag_last_index, sizeof(int) * 6); for (n = 0; n < 6; n++) { - int16_t *ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + int16_t *ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; st[n] = s->intra_scantable.permutated; if (dir[n]) { @@ -143,7 +143,7 @@ static inline int decide_ac_pred(MpegEncContext *s, int16_t block[6][64], score -= get_block_rate(s, block[n], s->block_last_index[n], s->intra_scantable.permutated); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; ac_val1 = ac_val; if (dir[n]) { const int xy = s->mb_x + s->mb_y * s->mb_stride - s->mb_stride; From b2116b438e7ff9fca8272abb9f6ac2dfdb8f2cd4 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 14 May 2020 15:31:55 -0700 Subject: [PATCH 0769/1383] avformat/mov: Don't allow negative sample sizes. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8d554f15a7a27cfeca81467cc9341a86f784e2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 512f6a076a..ae33ba382c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2873,6 +2873,10 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) { sc->sample_sizes[i] = get_bits_long(&gb, field_size); + if (sc->sample_sizes[i] < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]); + return AVERROR_INVALIDDATA; + } sc->data_size += sc->sample_sizes[i]; } From 6f582f69dff5f497ad8c51d5b3abc78e19789844 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Apr 2020 23:27:04 +0200 Subject: [PATCH 0770/1383] avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly The limit is based on hevcdec.c Fixes: 20854/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5160442882424832 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 435fa373d1f5045b17de74934e44863e2fb3071f) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h265_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 7977c22daa..52a81a4019 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -1321,7 +1321,7 @@ static int FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, infer(num_long_term_sps, 0); idx_size = 0; } - ue(num_long_term_pics, 0, HEVC_MAX_LONG_TERM_REF_PICS); + ue(num_long_term_pics, 0, HEVC_MAX_REFS - current->num_long_term_sps); for (i = 0; i < current->num_long_term_sps + current->num_long_term_pics; i++) { From 862801c68ce2d6f18fda31a5b851f18997e6d54e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2020 12:04:25 +0200 Subject: [PATCH 0771/1383] avformat/aadec: Check toc_size to contain the minimum to demuxer uses Fixes: out of array access Fixes: stack-buffer-overflow-READ-0x0831fff1 Found-by: GalyCannon Signed-off-by: Michael Niedermayer (cherry picked from commit daa2482871dffa9af12fa6d874a3d2dedd73f42e) Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index e8a6b33e30..df0310c5ac 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s) avio_skip(pb, 4); // magic string toc_size = avio_rb32(pb); // TOC size avio_skip(pb, 4); // unidentified integer - if (toc_size > MAX_TOC_ENTRIES) + if (toc_size > MAX_TOC_ENTRIES || toc_size < 2) return AVERROR_INVALIDDATA; for (i = 0; i < toc_size; i++) { // read TOC avio_skip(pb, 4); // TOC entry index From 6ffdc413d631a555b3b2db5d0df453657276510c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 18:32:31 +0100 Subject: [PATCH 0772/1383] avformat/swfenc: Fix integer overflow in frame rate handling Fixes: signed integer overflow: 30000299 * 256 cannot be represented in type 'int' Fixes: ticket8184 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 31f956acadd994b8c4e22b714aaffee0f527c827) Signed-off-by: Michael Niedermayer --- libavformat/swfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index f53db0fb2b..877dcfa9cb 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -256,7 +256,7 @@ static int swf_write_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid (too large) frame rate %d/%d\n", rate, rate_base); return AVERROR(EINVAL); } - avio_wl16(pb, (rate * 256) / rate_base); /* frame rate */ + avio_wl16(pb, (rate * 256LL) / rate_base); /* frame rate */ swf->duration_pos = avio_tell(pb); avio_wl16(pb, (uint16_t)(DUMMY_DURATION * (int64_t)rate / rate_base)); /* frame count */ From 60b78cd99d920b9b71e20569d44416e4a170d66b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 18:51:52 +0100 Subject: [PATCH 0773/1383] avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE Fixes: signed integer overflow: -9223372036854775808 - 45000 cannot be represented in type 'long' Fixes: ticket8187 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 9874815b1aadadd7fd19aa6aabb7d9193f2f43d5) Signed-off-by: Michael Niedermayer --- libavformat/mpegenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index 4c6fa67fb8..e9b53ba1e0 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1190,7 +1190,7 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) if (s->is_dvd) { // min VOBU length 0.4 seconds (mpucoder) if (is_iframe && - (s->packet_number == 0 || + (s->packet_number == 0 || pts != AV_NOPTS_VALUE && (pts - stream->vobu_start_pts >= 36000))) { stream->bytes_to_iframe = av_fifo_size(stream->fifo); stream->align_iframe = 1; From 02656f557081a1f117b6ffef5104226f6af5f31f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Mar 2020 22:05:42 +0100 Subject: [PATCH 0774/1383] avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment() Fixes: Timeout Fixes: 21104/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5129580475318272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3dc67c9840f6ba6cdf6233248897146e9171cc8) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index f4e40862e2..b78c305551 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -148,15 +148,14 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, if (marker == JPEG_MARKER_EOI) { break; } else if (marker == JPEG_MARKER_SOS) { + next_marker = -1; for (i = start; i + 1 < frag->data_size; i++) { if (frag->data[i] != 0xff) continue; end = i; for (++i; i + 1 < frag->data_size && frag->data[i] == 0xff; i++); - if (i + 1 >= frag->data_size) { - next_marker = -1; - } else { + if (i + 1 < frag->data_size) { if (frag->data[i] == 0x00) continue; next_marker = frag->data[i]; From 296d4bf22e296345794e406f7d84b6e0d6d8b2a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Apr 2020 21:19:13 +0200 Subject: [PATCH 0775/1383] avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr() Fixes: signed integer overflow: -717241856 + -1434459904 cannot be represented in type 'int' Fixes: 21405/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5677143666458624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e9a4c4fe9918220be492a4a9d74c2293fd706be3) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 22596bd5f8..8eb473e3ba 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -793,8 +793,8 @@ static void revert_inter_ch_decorr(WmallDecodeCtx *s, int tile_size) else if (s->is_channel_coded[0] || s->is_channel_coded[1]) { int icoef; for (icoef = 0; icoef < tile_size; icoef++) { - s->channel_residues[0][icoef] -= s->channel_residues[1][icoef] >> 1; - s->channel_residues[1][icoef] += s->channel_residues[0][icoef]; + s->channel_residues[0][icoef] -= (unsigned)(s->channel_residues[1][icoef] >> 1); + s->channel_residues[1][icoef] += (unsigned) s->channel_residues[0][icoef]; } } } From 05e2de829122a5ff47b6aaf51ed98a08f9d2c386 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 May 2020 21:25:17 +0200 Subject: [PATCH 0776/1383] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: -1238335488 + -1003634688 cannot be represented in type 'int' Fixes: 21649/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5112005765890048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 620236e4d2ac46821911b99fa4551868675d4ed9) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 14116bd6d3..360deb3244 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -115,24 +115,24 @@ static int idct_row(short *in, const int *const tab, int rnd) in[6] = a1; } else { const int k = c4 * in[0] + rnd; - const int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; - const int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; - const int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; - const int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; + const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; + const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; + const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; + const unsigned int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; - const int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; - const int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; - const int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; - const int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; + const unsigned int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; + const unsigned int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; + const unsigned int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; + const unsigned int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } return 1; } From e7262c1f19fc300f34e09824c9097e15d1137ed7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2020 00:04:49 +0200 Subject: [PATCH 0777/1383] avcodec/dsddec: Check channels Fixes: division by zero Fixes: 21677/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_MSBF_fuzzer-5712547983654912 Fixes: 21751/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_LSBF_fuzzer-5197097180856320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2570a8777e7095358b10f679d35641e114a2ab33) Signed-off-by: Michael Niedermayer --- libavcodec/dsddec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dsddec.c b/libavcodec/dsddec.c index 2c5c357acc..a2e038419f 100644 --- a/libavcodec/dsddec.c +++ b/libavcodec/dsddec.c @@ -44,6 +44,9 @@ static av_cold int decode_init(AVCodecContext *avctx) int i; uint8_t silence; + if (!avctx->channels) + return AVERROR_INVALIDDATA; + ff_init_dsd_data(); s = av_malloc_array(sizeof(DSDContext), avctx->channels); From dad19158aa220c0a0c584367f91c5f26e192bae8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2020 00:11:37 +0200 Subject: [PATCH 0778/1383] avcodec/ivi: Clear got_p_frame before decoding a new frame using it Fixes: assertion failure Fixes: 21666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5706468994318336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d633e6a0a61118c9b2d1785d96bdebaa8c38592) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index 17ed53caac..b963d15053 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -1182,6 +1182,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket pkt; pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3); pkt.size = get_bits_left(&ctx->gb) >> 3; + ctx->got_p_frame = 0; + av_frame_unref(ctx->p_frame); ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt); } } From d1eb5516bb5bed1ecd2cc4483a743e0b8727fc45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 May 2020 00:31:23 +0200 Subject: [PATCH 0779/1383] avcodec/pnmdec: Use unsigned for maxval rescaling Fixes: signed integer overflow: 65535 * 55335 cannot be represented in type 'int' Fixes: 21955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5669206981083136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49459aca47d4803b2188fbf12b758bd2b01e91d7) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 958c5e43b0..2c98e26934 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -132,7 +132,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, init_put_bits(&pb, ptr, linesize); for(j=0; jwidth * components; j++){ unsigned int c=0; - int v=0; + unsigned v=0; if(s->type < 4) while(s->bytestream < s->bytestream_end && (*s->bytestream < '0' || *s->bytestream > '9' )) s->bytestream++; From 083e0314b5cfd917ccea6871c6584660d4543c59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Apr 2020 17:05:52 +0200 Subject: [PATCH 0780/1383] avformat/oggparsevorbis: Error out on double init of vp Fixes: memleak Fixes: 19949/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5743636058210304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a3bbc0086aa608cc0465dd14901178d41cfe113) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index bcfd246b8d..2a91add85a 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -387,7 +387,12 @@ static int vorbis_header(AVFormatContext *s, int idx) } } } else { - int ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); + int ret; + + if (priv->vp) + return AVERROR_INVALIDDATA; + + ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); if (ret < 0) { st->codecpar->extradata_size = 0; return ret; From 6be68e6994b043e9043673a615f30166e3a5d704 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 14:33:58 +0200 Subject: [PATCH 0781/1383] avcodec/h264dec: Disable forced small_padding on flag2 fast Fixes: 20978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5746381832847360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 00d922fbe9..0e189da61a 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -623,7 +623,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) } ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc, - h->nal_length_size, avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST); + h->nal_length_size, avctx->codec_id, 0); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); From 1ba97da44b40b5d3b779bc8da396cb82495ed07e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 May 2020 00:24:40 +0200 Subject: [PATCH 0782/1383] avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d() Fixes: signed integer overflow: 1080285923 - -1130879337 cannot be represented in type 'int' Fixes: 22002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-6260237310099456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 071e2937236945c168ab99d3e3b01539194466dd) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 144 +++++++++++++++++------------------ 1 file changed, 72 insertions(+), 72 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index c3273dd726..c6944f5ce3 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1378,48 +1378,48 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0 = IN(15) * 16364 + IN(0) * 804; - t1 = IN(15) * 804 - IN(0) * 16364; - t2 = IN(13) * 15893 + IN(2) * 3981; - t3 = IN(13) * 3981 - IN(2) * 15893; - t4 = IN(11) * 14811 + IN(4) * 7005; - t5 = IN(11) * 7005 - IN(4) * 14811; - t6 = IN(9) * 13160 + IN(6) * 9760; - t7 = IN(9) * 9760 - IN(6) * 13160; - t8 = IN(7) * 11003 + IN(8) * 12140; - t9 = IN(7) * 12140 - IN(8) * 11003; - t10 = IN(5) * 8423 + IN(10) * 14053; - t11 = IN(5) * 14053 - IN(10) * 8423; - t12 = IN(3) * 5520 + IN(12) * 15426; - t13 = IN(3) * 15426 - IN(12) * 5520; - t14 = IN(1) * 2404 + IN(14) * 16207; - t15 = IN(1) * 16207 - IN(14) * 2404; + t0 = IN(15) * 16364U + IN(0) * 804U; + t1 = IN(15) * 804U - IN(0) * 16364U; + t2 = IN(13) * 15893U + IN(2) * 3981U; + t3 = IN(13) * 3981U - IN(2) * 15893U; + t4 = IN(11) * 14811U + IN(4) * 7005U; + t5 = IN(11) * 7005U - IN(4) * 14811U; + t6 = IN(9) * 13160U + IN(6) * 9760U; + t7 = IN(9) * 9760U - IN(6) * 13160U; + t8 = IN(7) * 11003U + IN(8) * 12140U; + t9 = IN(7) * 12140U - IN(8) * 11003U; + t10 = IN(5) * 8423U + IN(10) * 14053U; + t11 = IN(5) * 14053U - IN(10) * 8423U; + t12 = IN(3) * 5520U + IN(12) * 15426U; + t13 = IN(3) * 15426U - IN(12) * 5520U; + t14 = IN(1) * 2404U + IN(14) * 16207U; + t15 = IN(1) * 16207U - IN(14) * 2404U; - t0a = (t0 + t8 + (1 << 13)) >> 14; - t1a = (t1 + t9 + (1 << 13)) >> 14; - t2a = (t2 + t10 + (1 << 13)) >> 14; - t3a = (t3 + t11 + (1 << 13)) >> 14; - t4a = (t4 + t12 + (1 << 13)) >> 14; - t5a = (t5 + t13 + (1 << 13)) >> 14; - t6a = (t6 + t14 + (1 << 13)) >> 14; - t7a = (t7 + t15 + (1 << 13)) >> 14; - t8a = (t0 - t8 + (1 << 13)) >> 14; - t9a = (t1 - t9 + (1 << 13)) >> 14; - t10a = (t2 - t10 + (1 << 13)) >> 14; - t11a = (t3 - t11 + (1 << 13)) >> 14; - t12a = (t4 - t12 + (1 << 13)) >> 14; - t13a = (t5 - t13 + (1 << 13)) >> 14; - t14a = (t6 - t14 + (1 << 13)) >> 14; - t15a = (t7 - t15 + (1 << 13)) >> 14; + t0a = (dctint)((1U << 13) + t0 + t8 ) >> 14; + t1a = (dctint)((1U << 13) + t1 + t9 ) >> 14; + t2a = (dctint)((1U << 13) + t2 + t10) >> 14; + t3a = (dctint)((1U << 13) + t3 + t11) >> 14; + t4a = (dctint)((1U << 13) + t4 + t12) >> 14; + t5a = (dctint)((1U << 13) + t5 + t13) >> 14; + t6a = (dctint)((1U << 13) + t6 + t14) >> 14; + t7a = (dctint)((1U << 13) + t7 + t15) >> 14; + t8a = (dctint)((1U << 13) + t0 - t8 ) >> 14; + t9a = (dctint)((1U << 13) + t1 - t9 ) >> 14; + t10a = (dctint)((1U << 13) + t2 - t10) >> 14; + t11a = (dctint)((1U << 13) + t3 - t11) >> 14; + t12a = (dctint)((1U << 13) + t4 - t12) >> 14; + t13a = (dctint)((1U << 13) + t5 - t13) >> 14; + t14a = (dctint)((1U << 13) + t6 - t14) >> 14; + t15a = (dctint)((1U << 13) + t7 - t15) >> 14; - t8 = t8a * 16069 + t9a * 3196; - t9 = t8a * 3196 - t9a * 16069; - t10 = t10a * 9102 + t11a * 13623; - t11 = t10a * 13623 - t11a * 9102; - t12 = t13a * 16069 - t12a * 3196; - t13 = t13a * 3196 + t12a * 16069; - t14 = t15a * 9102 - t14a * 13623; - t15 = t15a * 13623 + t14a * 9102; + t8 = t8a * 16069U + t9a * 3196U; + t9 = t8a * 3196U - t9a * 16069U; + t10 = t10a * 9102U + t11a * 13623U; + t11 = t10a * 13623U - t11a * 9102U; + t12 = t13a * 16069U - t12a * 3196U; + t13 = t13a * 3196U + t12a * 16069U; + t14 = t15a * 9102U - t14a * 13623U; + t15 = t15a * 13623U + t14a * 9102U; t0 = t0a + t4a; t1 = t1a + t5a; @@ -1429,49 +1429,49 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, t5 = t1a - t5a; t6 = t2a - t6a; t7 = t3a - t7a; - t8a = (t8 + t12 + (1 << 13)) >> 14; - t9a = (t9 + t13 + (1 << 13)) >> 14; - t10a = (t10 + t14 + (1 << 13)) >> 14; - t11a = (t11 + t15 + (1 << 13)) >> 14; - t12a = (t8 - t12 + (1 << 13)) >> 14; - t13a = (t9 - t13 + (1 << 13)) >> 14; - t14a = (t10 - t14 + (1 << 13)) >> 14; - t15a = (t11 - t15 + (1 << 13)) >> 14; + t8a = (dctint)((1U << 13) + t8 + t12) >> 14; + t9a = (dctint)((1U << 13) + t9 + t13) >> 14; + t10a = (dctint)((1U << 13) + t10 + t14) >> 14; + t11a = (dctint)((1U << 13) + t11 + t15) >> 14; + t12a = (dctint)((1U << 13) + t8 - t12) >> 14; + t13a = (dctint)((1U << 13) + t9 - t13) >> 14; + t14a = (dctint)((1U << 13) + t10 - t14) >> 14; + t15a = (dctint)((1U << 13) + t11 - t15) >> 14; - t4a = t4 * 15137 + t5 * 6270; - t5a = t4 * 6270 - t5 * 15137; - t6a = t7 * 15137 - t6 * 6270; - t7a = t7 * 6270 + t6 * 15137; - t12 = t12a * 15137 + t13a * 6270; - t13 = t12a * 6270 - t13a * 15137; - t14 = t15a * 15137 - t14a * 6270; - t15 = t15a * 6270 + t14a * 15137; + t4a = t4 * 15137U + t5 * 6270U; + t5a = t4 * 6270U - t5 * 15137U; + t6a = t7 * 15137U - t6 * 6270U; + t7a = t7 * 6270U + t6 * 15137U; + t12 = t12a * 15137U + t13a * 6270U; + t13 = t12a * 6270U - t13a * 15137U; + t14 = t15a * 15137U - t14a * 6270U; + t15 = t15a * 6270U + t14a * 15137U; out[ 0] = t0 + t2; out[15] = -(t1 + t3); t2a = t0 - t2; t3a = t1 - t3; - out[ 3] = -((t4a + t6a + (1 << 13)) >> 14); - out[12] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[ 3] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[12] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[ 1] = -(t8a + t10a); out[14] = t9a + t11a; t10 = t8a - t10a; t11 = t9a - t11a; - out[ 2] = (t12 + t14 + (1 << 13)) >> 14; - out[13] = -((t13 + t15 + (1 << 13)) >> 14); - t14a = (t12 - t14 + (1 << 13)) >> 14; - t15a = (t13 - t15 + (1 << 13)) >> 14; + out[ 2] = (dctint)((1U << 13) + t12 + t14) >> 14; + out[13] = -((dctint)((1U << 13) + t13 + t15) >> 14); + t14a = (dctint)((1U << 13) + t12 - t14) >> 14; + t15a = (dctint)((1U << 13) + t13 - t15) >> 14; - out[ 7] = ((t2a + t3a) * -11585 + (1 << 13)) >> 14; - out[ 8] = ((t2a - t3a) * 11585 + (1 << 13)) >> 14; - out[ 4] = ((t7 + t6) * 11585 + (1 << 13)) >> 14; - out[11] = ((t7 - t6) * 11585 + (1 << 13)) >> 14; - out[ 6] = ((t11 + t10) * 11585 + (1 << 13)) >> 14; - out[ 9] = ((t11 - t10) * 11585 + (1 << 13)) >> 14; - out[ 5] = ((t14a + t15a) * -11585 + (1 << 13)) >> 14; - out[10] = ((t14a - t15a) * 11585 + (1 << 13)) >> 14; + out[ 7] = (dctint)(-(t2a + t3a) * 11585U + (1 << 13)) >> 14; + out[ 8] = (dctint)( (t2a - t3a) * 11585U + (1 << 13)) >> 14; + out[ 4] = (dctint)( (t7 + t6) * 11585U + (1 << 13)) >> 14; + out[11] = (dctint)( (t7 - t6) * 11585U + (1 << 13)) >> 14; + out[ 6] = (dctint)( (t11 + t10) * 11585U + (1 << 13)) >> 14; + out[ 9] = (dctint)( (t11 - t10) * 11585U + (1 << 13)) >> 14; + out[ 5] = (dctint)(-(t14a + t15a) * 11585U + (1 << 13)) >> 14; + out[10] = (dctint)( (t14a - t15a) * 11585U + (1 << 13)) >> 14; } itxfm_wrap(16, 6) From 9ff5fd653767d553c8b8cc3bf672dbccaa50cfad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2020 22:02:56 +0200 Subject: [PATCH 0783/1383] avcodec/wmalosslessdec: Fix integer overflow in mclms_predict() Fixes: signed integer overflow: 2147483636 + 2048 cannot be represented in type 'int' Fixes: 22016/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5109395618004992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c42ed06695848617350a94543823e850f190b3ab) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8eb473e3ba..78b9b5c1fd 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -679,7 +679,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) for (i = 0; i < ich; i++) pred[ich] += (uint32_t)s->channel_residues[i][icoef] * s->mclms_coeffs_cur[i + num_channels * ich]; - pred[ich] += (1 << s->mclms_scaling) >> 1; + pred[ich] += (1U << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; s->channel_residues[ich][icoef] += (unsigned)pred[ich]; } From 011c9cfab171e48b88ce85e922abadaec4e59ce4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 May 2020 00:43:46 +0200 Subject: [PATCH 0784/1383] avcodec/hq_hqa: Check info size Fixes: assertion failure Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf28521fee22dbe2f7eeb8ab0306c0fd0802c48a) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index eec2e980b3..8404e80ec8 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, int info_size; bytestream2_skip(&ctx->gbc, 4); info_size = bytestream2_get_le32(&ctx->gbc); - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); return AVERROR_INVALIDDATA; } From 8935ae4395d592ea697fd0f2d1a238fd1d3a8f54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jun 2020 22:05:27 +0200 Subject: [PATCH 0785/1383] avcodec/huffyuvdec: Test vertical coordinate more often Fixes: out of array access Fixes: 22892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5135996772679680.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a1223ddc5692772198a02600ecff2545f32b37be) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 17c9679cb4..f6a51c3320 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -988,12 +988,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, left= left_prediction(s, p->data[plane], s->temp[0], w, 0); y = 1; + if (y >= h) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { decode_plane_bitstream(s, w, plane); left = left_prediction(s, p->data[plane] + p->linesize[plane], s->temp[0], w, left); y++; + if (y >= h) + break; } lefttop = p->data[plane][0]; @@ -1105,6 +1109,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } cy = y = 1; + if (y >= height) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { @@ -1117,6 +1123,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } y++; cy++; + if (y >= height) + break; } /* next 4 pixels are left predicted too */ From dd6147888c5e17d54c018706a04fad7c4206f7bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:59:02 +0200 Subject: [PATCH 0786/1383] avcodec/adpcm: XA: Check shift similar to filter Fixes: negative shift Fixes: 22499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5765452130418688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d96bae9c480e020e9f51fabd5642d7ae6020943) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 44af74fd38..d3e5758817 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -382,6 +382,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -407,10 +411,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, shift = 12 - (in[5+i*2] & 15); filter = in[5+i*2] >> 4; - if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) { + if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) { avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; From be9e89efcde74635e120505c7f1bd0071e292011 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:24:04 +0200 Subject: [PATCH 0787/1383] avformat/thp: Check compcount Fixes: out of array access Fixes: 22520/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5100297658826752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ba8484559661dfdbca36dbc17b203f33f62e26c) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 38db4da89a..249c767b20 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -93,6 +93,9 @@ static int thp_read_header(AVFormatContext *s) avio_seek (pb, thp->compoff, SEEK_SET); thp->compcount = avio_rb32(pb); + if (thp->compcount > FF_ARRAY_ELEMS(thp->components)) + return AVERROR_INVALIDDATA; + /* Read the list of component types. */ avio_read(pb, thp->components, 16); From e01d07c781df95bc4096832415debfb1c4c7ad88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:30:43 +0200 Subject: [PATCH 0788/1383] avformat/mlvdec: fail reading a packet with 0 streams Fixes: NULL pointer dereference Fixes: 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5bd5c3108786bf69f108c55c375f1956f67ca7a4) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index ded8196af2..d6614908b9 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) { MlvContext *mlv = avctx->priv_data; AVIOContext *pb; - AVStream *st = avctx->streams[mlv->stream_index]; + AVStream *st; int index, ret; unsigned int size, space; + if (!avctx->nb_streams) + return AVERROR_EOF; + + st = avctx->streams[mlv->stream_index]; if (mlv->pts >= st->duration) return AVERROR_EOF; From c3eaff820ab2cde6bfaed7e1e05a30668fb0e128 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 18:08:57 +0200 Subject: [PATCH 0789/1383] avcodec/lzf: Consider the needed size in reallocation Fixes: NULL pointer dereference Fixes: 22381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-5659879921680384.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 292b9b93a50aa0622e33013de9f2ddc130bef671) Signed-off-by: Michael Niedermayer --- libavcodec/lzf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 5b7526ef18..1e3c86c88c 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -49,7 +49,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) if (s < LZF_LITERAL_MAX) { s++; if (s > *size - len) { - *size += *size /2; + *size += s + *size /2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; @@ -72,7 +72,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) return AVERROR_INVALIDDATA; if (l > *size - len) { - *size += *size / 2; + *size += l + *size / 2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; From a621600f667524c8720a38012392512fbe274654 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2020 21:35:43 +0200 Subject: [PATCH 0790/1383] avformat/4xm: Cleanup on GET_LIST_HEADER() failure Fixes: memleak Fixes: 23142/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5932860820422656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a5313ce6542a4ee4112acd260e59bff698f3dddd) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index ead6d2b424..39b30413cf 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -59,8 +59,10 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ size = avio_rl32(pb); \ - if (fourcc_tag != LIST_TAG) \ - return AVERROR_INVALIDDATA; \ + if (fourcc_tag != LIST_TAG) { \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ fourcc_tag = avio_rl32(pb); typedef struct AudioTrack { @@ -210,7 +212,7 @@ static int fourxm_read_header(AVFormatContext *s) unsigned int size; int header_size; FourxmDemuxContext *fourxm = s->priv_data; - unsigned char *header; + unsigned char *header = NULL; int i, ret; fourxm->track_count = 0; From 4fdf23df7d2607be23445a044f68798e6448d2fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 00:19:56 +0200 Subject: [PATCH 0791/1383] avcodec/mpeg12dec: Fix got_output This makes got_output consistent with the code in slice_end() which sets the output in slice_end() if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { int ret = av_frame_ref(pict, s->current_picture_ptr->f); ... } else { Fixes: assertion failure Fixes: 22178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5664234440753152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f33a9803a3068ce2d52289fc1db60375dc8b7a5) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index b352023461..2af8b4e2c2 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2483,7 +2483,7 @@ static int decode_chunks(AVCodecContext *avctx, AVFrame *picture, return ret; else if (ret) { // FIXME: merge with the stuff in mpeg_decode_slice - if (s2->last_picture_ptr || s2->low_delay) + if (s2->last_picture_ptr || s2->low_delay || s2->pict_type == AV_PICTURE_TYPE_B) *got_output = 1; } } From f377de64131391e0ded0d52b51ecd60eaddd81c7 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 14 May 2020 14:38:07 -0700 Subject: [PATCH 0792/1383] avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bf446711bc8b7f316771870b8d4dc4dd65f5d94b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ae33ba382c..71af75764e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7630,7 +7630,7 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && - ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && + ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; From 86ae1ff10f40397fbc2f67e8f0501d03b580b54e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 17:45:39 +0200 Subject: [PATCH 0793/1383] avcodec/snowdec: Avoid integer overflow with huge qlog Fixes: integer overflow Fixes: 22285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5682428762128384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38fbf33c7255b503453052c32ab5ae4fb151b29e) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 59bd24e881..504382f589 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -117,7 +117,7 @@ static av_always_inline void predict_slice_buffered(SnowContext *s, slice_buffer static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, slice_buffer * sb, int start_y, int h, int save_state[1]){ const int w= b->width; int y; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int new_index = 0; @@ -224,7 +224,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){ const int w= b->width; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int x,y; From c5535532f80226bab203e156af0f43e44dba114d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 19:42:07 +0200 Subject: [PATCH 0794/1383] avcodec/mpeg12dec: remove outdated comments Found-by: Kieran Signed-off-by: Michael Niedermayer (cherry picked from commit 48de8f5816aa54dc584aeb2dbbf63a0e880279e2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 2af8b4e2c2..9dafd38294 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -220,7 +220,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -396,7 +395,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -558,7 +556,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ From 38af60a4542ec29dde5843d852cb2e71381f3943 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:47:41 +0200 Subject: [PATCH 0795/1383] avformat/mpl2dec: Fix integer overflow with duration Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a42a67c5ca198a3879b7f3663cc44ccbcaf0bd3) Signed-off-by: Michael Niedermayer --- libavformat/mpl2dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index 0c111e9dc1..c25f85e0e3 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -55,7 +55,7 @@ static int mpl2_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; } -static int read_ts(char **line, int64_t *pts_start, int *duration) +static int read_ts(char **line, int64_t *pts_start, int64_t *duration) { char c; int len; @@ -69,7 +69,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration) } if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n", pts_start, &end, &c, &len) >= 3) { - *duration = end - *pts_start; + if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) { + *duration = -1; + } else + *duration = end - *pts_start; *line += len - 1; return 0; } @@ -97,7 +100,7 @@ static int mpl2_read_header(AVFormatContext *s) const int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line, sizeof(line)); int64_t pts_start; - int duration; + int64_t duration; if (!len) break; From d31345a880cd1d3f6479b7850f9d84c20befc2b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:28:55 +0200 Subject: [PATCH 0796/1383] avformat/thp: Check fps Fixes: division by zero Fixes: 23162/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4856420817436672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e15b01b4e463d12128db2c15de7741637548347) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 249c767b20..dcf02d4a04 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -75,6 +75,8 @@ static int thp_read_header(AVFormatContext *s) avio_rb32(pb); /* Max samples. */ thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); + if (thp->fps.den <= 0 || thp->fps.num < 0) + return AVERROR_INVALIDDATA; thp->framecnt = avio_rb32(pb); thp->first_framesz = avio_rb32(pb); pb->maxsize = avio_rb32(pb); From 24fd6136df039d3b6f727d2e7dfe617526a8133b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:14:59 +0200 Subject: [PATCH 0797/1383] avcodec/loco: Fix signed integer overflow in loco_get_rice() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 22975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5658160970072064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa88cdfd90f5da0683cd6556c75a5ba5740a1c27) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e891d83ece..d0cedf577d 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -82,7 +82,7 @@ static inline void loco_update_rice_param(RICEContext *r, int val) static inline int loco_get_rice(RICEContext *r) { - int v; + unsigned v; if (r->run > 0) { /* we have zero run */ r->run--; loco_update_rice_param(r, 0); From c15b6bfd79aad440a19ca8e7ab3f06c37d882e6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:11:23 +0200 Subject: [PATCH 0798/1383] avcodec/wmalosslessdec: Check block_align maximum Fixes: Assertion failure Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 314d10f7a60f1786c85da30a569be61e2b906fef) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 78b9b5c1fd..7251bc0d32 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -184,7 +184,7 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (avctx->block_align <= 0) { + if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) { av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } From 99d2024b18771ca9b6db4e917386b7775101fd1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 10:48:14 +0200 Subject: [PATCH 0799/1383] avcodec/iff: Fix off by x error Fixes: out of array access Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51225dee0a6266780d26d43bd6802bbcf736327e) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index f094b4b548..6ec2dd60ad 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -723,7 +723,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in if (opcode >= 0) { int size = opcode + 1; for (i = 0; i < size; i++) { - int length = FFMIN(size - i, width); + int length = FFMIN(size - i, width - x); if (src_end - src < length * 4) return; memcpy(dst + y*linesize + x * 4, src, length * 4); From b02ff154022fe275b8cf3fecd55485d502fdec11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:21:52 +0200 Subject: [PATCH 0800/1383] avcodec/pixlet: Fix log(0) check Fixes: passing zero to clz(), which is not a valid argument Fixes: 23337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5179131989065728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd0f81526d3f4c23ecd0a399829103be2445c011) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 03a2cdacc8..6cb6516227 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -221,7 +221,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, length = 25 - nbits; while (i < size) { - if (state >> 8 != -3) + if (((state >> 8) + 3) & 0xFFFFFFF) value = ff_clz((state >> 8) + 3) ^ 0x1F; else value = -1; From f1e0ca37092b825401b5bbc8ec2af16e6aed862e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:56:01 +0200 Subject: [PATCH 0801/1383] avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile Fixes: out of array access Fixes: 23327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5134822992510976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e53235f06c229a23d3241b47e32647019161fb7c) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index fd68295ee4..8081d29d00 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -3134,6 +3134,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; int width, height; int bits_per_raw_sample; + int rgb, chroma_format; // random_accessible_vol and video_object_type_indication have already // been read by the caller decode_vol_header() @@ -3141,28 +3142,36 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) ctx->shape = get_bits(gb, 2); /* video_object_layer_shape */ skip_bits(gb, 4); /* video_object_layer_shape_extension */ skip_bits1(gb); /* progressive_sequence */ + if (ctx->shape != RECT_SHAPE) { + avpriv_request_sample(s->avctx, "MPEG-4 Studio profile non rectangular shape"); + return AVERROR_PATCHWELCOME; + } if (ctx->shape != BIN_ONLY_SHAPE) { - ctx->rgb = get_bits1(gb); /* rgb_components */ - s->chroma_format = get_bits(gb, 2); /* chroma_format */ - if (!s->chroma_format) { + rgb = get_bits1(gb); /* rgb_components */ + chroma_format = get_bits(gb, 2); /* chroma_format */ + if (!chroma_format || chroma_format == CHROMA_420 || (rgb && chroma_format == CHROMA_422)) { av_log(s->avctx, AV_LOG_ERROR, "illegal chroma format\n"); return AVERROR_INVALIDDATA; } bits_per_raw_sample = get_bits(gb, 4); /* bit_depth */ if (bits_per_raw_sample == 10) { - if (ctx->rgb) { + if (rgb) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP10; } else { - s->avctx->pix_fmt = s->chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; + s->avctx->pix_fmt = chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; } } else { avpriv_request_sample(s->avctx, "MPEG-4 Studio profile bit-depth %u", bits_per_raw_sample); return AVERROR_PATCHWELCOME; } + if (rgb != ctx->rgb || s->chroma_format != chroma_format) + s->context_reinit = 1; s->avctx->bits_per_raw_sample = bits_per_raw_sample; + ctx->rgb = rgb; + s->chroma_format = chroma_format; } if (ctx->shape == RECT_SHAPE) { check_marker(s->avctx, gb, "before video_object_layer_width"); From ba6fc75d5a83cc941ab8230e53102a4b37120679 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Feb 2020 19:56:39 +0100 Subject: [PATCH 0802/1383] avcodec/sonic: Fix several integer overflows Fixes: signed integer overflow: 2129689466 + 2129689466 cannot be represented in type 'int' Fixes: 20715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5155263109922816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75d520e33704447f1b29ac47fd9e40994a6bc659) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 1b16825403..f1bc3409bf 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -140,7 +140,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; @@ -474,7 +475,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * state_value, LATTICE_SHIFT); + x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else @@ -1044,7 +1045,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, x += s->channels; } - s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant); + s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant); x += s->channels; } From 0c0c9d15ce6dd30f4288fd1c00b5a75c1881d3af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2020 19:24:10 +0200 Subject: [PATCH 0803/1383] avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c() Fixes: signed integer overflow: 2142077091 + 6881070 cannot be represented in type 'int' Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0dfe134beefde4070d43910518b1f4a58f01794) Signed-off-by: Michael Niedermayer --- libavcodec/lossless_audiodsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lossless_audiodsp.c b/libavcodec/lossless_audiodsp.c index 3a9f9b20bb..378165924d 100644 --- a/libavcodec/lossless_audiodsp.c +++ b/libavcodec/lossless_audiodsp.c @@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { - int res = 0; + unsigned res = 0; do { res += *v1 * *v2++; From 0e5ac35745939510f8511a40651540a1c4a50784 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jun 2020 22:22:57 +0200 Subject: [PATCH 0804/1383] avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv() Fixes: signed integer overflow: -144876608 * 16 cannot be represented in type 'int' Fixes: 22782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6039584977977344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e361785ee05cc75d3caacf2f254160b0336f5358) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 8081d29d00..69ab446b59 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -610,7 +610,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) dy -= 1 << (shift + a + 1); else dx -= 1 << (shift + a + 1); - mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16; + mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U; sum = 0; for (y = 0; y < 16; y++) { From 1f64119c8a52f7230615fd487bf66a596c6516ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 21:47:03 +0200 Subject: [PATCH 0805/1383] avcodec/ffwavesynth: Avoid undefined operation on ts overflow Alternatively these conditions could be treated as errors Fixes: 23147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5639254549200896 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'int64_t' (aka 'long') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 584d334afd59714ed04637a9227a4f1368c26166) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index a446aa2fdf..8d3ac81aef 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -444,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, if (r < 0) return r; pcm = (int16_t *)frame->data[0]; - for (s = 0; s < duration; s++, ts++) { + for (s = 0; s < duration; s++, ts+=(uint64_t)1) { memset(channels, 0, avc->channels * sizeof(*channels)); if (ts >= ws->next_ts) wavesynth_enter_intervals(ws, ts); @@ -452,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, for (c = 0; c < avc->channels; c++) *(pcm++) = channels[c] >> 16; } - ws->cur_ts += duration; + ws->cur_ts += (uint64_t)duration; *rgot_frame = 1; return packet->size; } From 0b124172d831afc76fb5c3b30a1c74319f1a8abf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:51:23 +0200 Subject: [PATCH 0806/1383] avformat/4xm: Check that a video stream was created before returning packets for it Fixes: assertion failure Fixes: 23434/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5227750851084288.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c517c3f4741b6897ea952d1fba199c93c5217cfe) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 39b30413cf..e93095cb09 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -218,6 +218,7 @@ static int fourxm_read_header(AVFormatContext *s) fourxm->track_count = 0; fourxm->tracks = NULL; fourxm->fps = (AVRational){1,1}; + fourxm->video_stream_index = -1; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); @@ -323,6 +324,8 @@ static int fourxm_read_packet(AVFormatContext *s, case cfr2_TAG: /* allocate 8 more bytes than 'size' to account for fourcc * and size */ + if (fourxm->video_stream_index < 0) + return AVERROR_INVALIDDATA; if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR(EIO); pkt->stream_index = fourxm->video_stream_index; From 1f7af6a9464159f957296b16c3286160a4a17e0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:45:05 +0200 Subject: [PATCH 0807/1383] avformat/mxfdec: free duplicated utf16 strings Fixes: memleak Fixes: 23415/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5124814510751744 Suggested-by: Marton Balint Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0aa2768cb275bda9e9e1331ed95adc7cd686eafe) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c3ee7617f9..1e09950b0d 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -859,6 +859,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i return AVERROR(EINVAL); buf_size = size + size / 2 + 1; + av_free(*str); *str = av_malloc(buf_size); if (!*str) return AVERROR(ENOMEM); From f62bbddde2a63bac01629f88ae0394e35c7bd88c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:43:14 +0200 Subject: [PATCH 0808/1383] avformat/microdvddec: skip malformed lines without frame number. Fixes: signed integer overflow: 1 - -9223372036854775808 cannot be represented in type 'long' Fixes: 23490/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5133490093031424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a8fb7612a97530bdd0b2549dacf91dcf71a3187a) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 3c4727e325..4ba32fd3d9 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -94,6 +94,7 @@ static int microdvd_read_header(AVFormatContext *s) int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line_buf, sizeof(line_buf)); char *line = line_buf; + int64_t pts; if (!strncmp(line, bom, 3)) line += 3; @@ -136,13 +137,16 @@ static int microdvd_read_header(AVFormatContext *s) SKIP_FRAME_ID; if (!*p) continue; + pts = get_pts(line); + if (pts == AV_NOPTS_VALUE) + continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); if (!sub) { ret = AVERROR(ENOMEM); goto fail; } sub->pos = pos; - sub->pts = get_pts(line); + sub->pts = pts; sub->duration = get_duration(line); } ff_subtitles_queue_finalize(s, µdvd->q); From 2f0a00fb3dba9ad4efa2f96c0820ca7cbd91ef7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:01:53 +0200 Subject: [PATCH 0809/1383] avformat/mvdec: Fix integer overflow with billions of channels Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int' Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b6fbbe08c325415cc784df296058beb6604f0b9c) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index afa942ca5f..69d9914fc1 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -266,7 +266,7 @@ static void read_index(AVIOContext *pb, AVStream *st) avio_skip(pb, 8); av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { - timestamp += size / (st->codecpar->channels * 2); + timestamp += size / (st->codecpar->channels * 2LL); } else { timestamp++; } @@ -353,7 +353,7 @@ static int mv_read_header(AVFormatContext *avctx) avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); - timestamp += asize / (ast->codecpar->channels * 2); + timestamp += asize / (ast->codecpar->channels * 2LL); } } else if (!version && avio_rb16(pb) == 3) { avio_skip(pb, 4); From 55e76ddb7a7e15bc9e4e1c040a1c1b1c7e2b4a6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:10:19 +0200 Subject: [PATCH 0810/1383] avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms Fixes: signed integer overflow: 2048 + 2147483646 cannot be represented in type 'int' Fixes: 23538/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5227567073460224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 21598d711d894081d0566282473044ba4f378f33) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 7251bc0d32..2228eecd96 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -761,7 +761,8 @@ static void lms_update ## bits (WmallDecodeCtx *s, int ich, int ilms, int input) static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ int coef_begin, int coef_end) \ { \ - int icoef, pred, ilms, num_lms, residue, input; \ + int icoef, ilms, num_lms, residue, input; \ + unsigned pred;\ \ num_lms = s->cdlms_ttl[ch]; \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ @@ -775,7 +776,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)((int)pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ From cb438cf8899444e9f8d033199488ae8f7ceb1e7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:21:09 +0200 Subject: [PATCH 0811/1383] avutil/common: Fix integer overflow in av_ceil_log2_c() Fixes: left shift of 1913647649 by 1 places cannot be represented in type 'int' Fixes: 23572/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5082619795734528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e409262837712016097c187e97bf99aadf6a4cdf) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 8db0291170..bad43e426e 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -331,7 +331,7 @@ static av_always_inline av_const double av_clipd_c(double a, double amin, double */ static av_always_inline av_const int av_ceil_log2_c(int x) { - return av_log2((x - 1) << 1); + return av_log2((x - 1U) << 1); } /** From c229e5e80f1b67b2120f317e815fec29ca1390a5 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Fri, 29 May 2020 11:39:05 +0800 Subject: [PATCH 0812/1383] avformat/hls: check segment duration value of EXTINF fix ticket: 8673 set the default EXTINF duration to 1ms if duration is smaller than 1ms Signed-off-by: Steven Liu (cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc) --- libavformat/hls.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 8ad08baaed..40ccaffff2 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -867,8 +867,6 @@ static int parse_playlist(HLSContext *c, const char *url, ret = AVERROR(ENOMEM); goto fail; } - seg->duration = duration; - seg->key_type = key_type; if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { @@ -898,6 +896,13 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + if (duration < 0.001 * AV_TIME_BASE) { + av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," + " set to default value to 1ms.\n", seg->url); + duration = 0.001 * AV_TIME_BASE; + } + seg->duration = duration; + seg->key_type = key_type; dynarray_add(&pls->segments, &pls->n_segments, seg); is_segment = 0; From 7dc5dfad31d1bc6cec5f4eb1f9033ce3b715425d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2020 19:49:41 +0200 Subject: [PATCH 0813/1383] avformat/hls: Pass a copy of the URL for probing The segments / url can be modified by the io read when reloading This may be an alternative or additional fix for Ticket8673 as a further alternative the reload stuff could be disabled during probing Signed-off-by: Michael Niedermayer (cherry picked from commit b5e39880fb7269b1b3577cee288e06aa3dc1dfa2) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 40ccaffff2..67ed691ae0 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1873,6 +1873,7 @@ static int hls_read_header(AVFormatContext *s) for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; AVInputFormat *in_fmt = NULL; + char *url; if (!(pls->ctx = avformat_alloc_context())) { ret = AVERROR(ENOMEM); @@ -1908,8 +1909,9 @@ static int hls_read_header(AVFormatContext *s) ffio_init_context(&pls->pb, pls->read_buffer, INITIAL_BUFFER_SIZE, 0, pls, read_data, NULL, NULL); pls->pb.seekable = 0; - ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url, - NULL, 0, 0); + url = av_strdup(pls->segments[0]->url); + ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0); + av_free(url); if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If From c095e870d86775f983eb796489df30e5a6797b52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jun 2020 19:22:01 +0200 Subject: [PATCH 0814/1383] avcodec/pngdec: Check for fctl after idat Fixes: out of array access Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b1ba680fb67902a9c876a49d0146eaae5a1c3d) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1be0e245cb..62ecf45903 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -973,6 +973,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } + if (s->pic_state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n"); + return AVERROR_INVALIDDATA; + } + s->last_w = s->cur_w; s->last_h = s->cur_h; s->last_x_offset = s->x_offset; From 7b3b3119d548e6057df87880c7cd6e1e38971245 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Jun 2020 12:24:04 +0200 Subject: [PATCH 0815/1383] avformat/utils: reorder duration computation to avoid overflow Fixes: signed integer overflow: 8 * 9223372036854774783 cannot be represented in type 'long' Fixes: 23381/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4818340509122560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10cc82c35baabbb07ffec3faccb04d8928c39e4c) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0c898db2eb..3857e85f30 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2775,7 +2775,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) st = ic->streams[i]; if ( st->time_base.num <= INT64_MAX / ic->bit_rate && st->duration == AV_NOPTS_VALUE) { - duration = av_rescale(8 * filesize, st->time_base.den, + duration = av_rescale(filesize, 8LL * st->time_base.den, ic->bit_rate * (int64_t) st->time_base.num); st->duration = duration; From 850bbc0f7802cfd5822b4d351d781f876e4640f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2020 21:27:23 +0200 Subject: [PATCH 0816/1383] avcodec/dstdec: Replace AC overread check by sample rate check Real files do skip coding 0 bits at the end, thus this kind of check does not work reliable. Fixes: Ticket 8770 Fixes: dst-256fs44-6ch-refdstencoder.dff The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed values, this also can be used to limit the duration and avoid the timeout This reverts commit f6df99dba1ae64b05d08fba8160d13eb9795042f. (cherry picked from commit 1679f23beb3cfc3639352b3cbe7c08c00189c6b0) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index d8f80bd114..d7a82f34ec 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -85,6 +85,12 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E) + // We are a bit more tolerant here, but this check is needed to bound the size and duration + if (avctx->sample_rate > 512 * 44100) + return AVERROR_INVALIDDATA; + + if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) { return AVERROR_PATCHWELCOME; } From fd43c6dc0e8e77c894f5373a2ad5924a7632b2cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jul 2020 17:03:14 +0200 Subject: [PATCH 0817/1383] Update for 4.1.6 Signed-off-by: Michael Niedermayer --- Changelog | 245 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 247 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index b4d7bd2c9e..0f418c8d1a 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,251 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 4.1.6: + avcodec/dstdec: Replace AC overread check by sample rate check + avformat/utils: reorder duration computation to avoid overflow + avcodec/pngdec: Check for fctl after idat + avformat/hls: Pass a copy of the URL for probing + avformat/hls: check segment duration value of EXTINF + avutil/common: Fix integer overflow in av_ceil_log2_c() + avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms + avformat/mvdec: Fix integer overflow with billions of channels + avformat/microdvddec: skip malformed lines without frame number. + avformat/mxfdec: free duplicated utf16 strings + avformat/4xm: Check that a video stream was created before returning packets for it + avcodec/ffwavesynth: Avoid undefined operation on ts overflow + avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv() + avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c() + avcodec/sonic: Fix several integer overflows + avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile + avcodec/pixlet: Fix log(0) check + avcodec/iff: Fix off by x error + avcodec/wmalosslessdec: Check block_align maximum + avcodec/loco: Fix signed integer overflow in loco_get_rice() + avformat/thp: Check fps + avformat/mpl2dec: Fix integer overflow with duration + avcodec/mpeg12dec: remove outdated comments + avcodec/snowdec: Avoid integer overflow with huge qlog + avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample(). + avcodec/mpeg12dec: Fix got_output + avformat/4xm: Cleanup on GET_LIST_HEADER() failure + avcodec/lzf: Consider the needed size in reallocation + avformat/mlvdec: fail reading a packet with 0 streams + avformat/thp: Check compcount + avcodec/adpcm: XA: Check shift similar to filter + avcodec/huffyuvdec: Test vertical coordinate more often + avcodec/hq_hqa: Check info size + avcodec/wmalosslessdec: Fix integer overflow in mclms_predict() + avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d() + avcodec/h264dec: Disable forced small_padding on flag2 fast + avformat/oggparsevorbis: Error out on double init of vp + avcodec/pnmdec: Use unsigned for maxval rescaling + avcodec/ivi: Clear got_p_frame before decoding a new frame using it + avcodec/dsddec: Check channels + avcodec/xvididct: Fix integer overflow in idct_row() + avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr() + avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment() + avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE + avformat/swfenc: Fix integer overflow in frame rate handling + avformat/aadec: Check toc_size to contain the minimum to demuxer uses + avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly + avformat/mov: Don't allow negative sample sizes. + mpeg4videoenc: Don't crash with -fsanitize=bounds + avformat/mpegts: Shuffle avio_seek + avcodec/binkaudio: Fix 2Ghz sample_rate + avcodec/adpcm: Fix integer overflow in ADPCM THP + avcodec/ralf: Check num_blocks before use + avcodec/iff: Test video_size being non zero + avcodec/utvideodec: Fix integer overflow in decode_plane() + avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c() + avcodec/ralf: Fix integer overflow in decode_block() + avcodec/nuv: widen buf_size type + avcodec/iff: Fix several integer overflows + avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1 + avcodec/alac: Fix integer overflow with 24/20bps samples + avcodec/dstdec: Check sample rate + avformat/thp: Require a video stream + avformat/mpeg: Decrease score by 1 for files with very little valid data + avcodec/pngdec: Check length in fdAT + avcodec/g2meet: Check tile_width in epic_jb_decode_tile() + avcodec/hapdec: Check tex_size more strictly and before using it + avcodec/vp9dsp_template: Fix integer overflows in idct32_1d() + avcodec/alacdsp: Fix invalid shift in append_extra_bits() + libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative + avcodec/dstdec: Fix integer overflow in read_table() + avcodec/txd: Check for input size against the header size. + avcodec/svq1dec: Check that there is data left after the header + avcodec/cbs_h265_syntax_template: Check num_negative/positive_pics when inter_ref_pic_set_prediction_flag is set + avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture() + avcodec/hevc_mp4toannexb_bsf: Check nalu_size + avcodec/iff: Check length before memcpy() in decode_deep_rle32() + avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32() + avcodec/pngdec: Pass ret from decode_iccp_chunk() + avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*() + avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs() + avcodec/flac_parser: Do not lose header count in find_headers_search() + avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c() + avcodec/cbs_jpeg_syntax_template: Check array index in huffman_table() + avcodec/cbs_jpeg_syntax_template: Check table index before use in dht() + avformat/oggdec: Check for EOF after page header + swscale/yuv2rgb: Fix vertical dither offset with slices + avcodec/dpcm: clip exponent into supported range in XAN DPCM + avcodec/flacdsp_template: Fix invalid shifts in decorrelate + avcodec/xvididct: Fix integer overflow in MULT() + avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT + avcodec/cbs_h264_syntax_template: fix off by 1 error with slice_group_change_cycle + swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input + swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c() + libavformat/amr.c: Check return value from avio_read() + libavformat/mov.c: Free aes_decrypt to avoid leaking memory + libavformat/oggdec.c: Check return value from avio_read() + avformat/asfdec_f: Fix overflow check in get_tag() + avformat/nsvdec: Fix memleaks on errors while reading the header + avcodec/ffwavesynth: Fix integer overflow in computation of ddphi + avcodec/cbs_jpeg: Check length for SOS + avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX + avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra() + avcodec/cbs_h2645: Treat slices without data as invalid + avcodec/cbs_h2645: Remove dead code to delete trailing zeroes + avcodec/cbs_av1_syntax_template: Set seen_frame_header only after successfull uncompressed_header() + avcodec/mpegaudioenc_template: fix invalid shift of sample + avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search() + libavformat/avienc: Check bits per sample for PAL8 + avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet() + avcodec/magicyuv: Check that there are enough lines for interlacing to be possible + avformat/mvdec: Check stream numbers + avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF + avcodec/qdm2: Check fft_coefs_index + avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info() + avformat/avidec: Avoid integer overflow in NI switch check + fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start() + avfilter/vf_aspect: Fix integer overflow in compute_dar() + avcodec/apedec: Fix invalid shift with 24 bps + avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index() + avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM + avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits + avcodec/wmalosslessdec: Fix loop in revert_acfilter() + avcodec/lagarith: Sanity check scale + avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() + avcodec/ralf: Fix integer overflow in apply_lpc() + avcodec/dca_lbr: Fix some error codes and error passing + avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response() + avcodec/wmavoice: sanity check block_align + avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF + avcodec/snappy: Sanity check bytestream2_get_levarint() + avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel() + avcodec/avdct: Clear IDCTDSPContext context + avcodec/x86/diracdsp: Fix high bits on Windows x86_64 + avformat/mov: Check STCO location + avcodec/wmalosslessdec: Fix multiple integer overflows + avcodec/apedec: Fix undefined integer overflow in decode_array_0000() + avcodec/smacker: Check space before decoding type + avcodec/rawdec: Use linesize in b64a + avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM + avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32() + avfilter/vf_find_rect: Remove assert + avfilter/vf_find_rect: Increase worst case score + swscale/input: Fix several invalid shifts related to rgb2yuv constants + swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template() + swscale/swscale: Fix several invalid shifts related to vChrDrop + avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow + avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy() + avcodec/cbs_av1: Check leb128 values read + avcodec/wmalosslessdec: move channel check up + avcodec/cbs_h2645: Skip all 0 NAL units + avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS + avcodec/alac: Fix integer overflow in LPC coefficient adaption + avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp() + avcodec/vc1dec: Check field_mode for sprites + avcodec/vc1dec: Limit bits by the actual bitstream size + avcodec/vmdaudio: Check block_align more + avformat/mov: fix memleaks + libavformat/mov: Fix memleaks when demuxing DV audio + avformat/mov: Fix reel_name size check + avformat/mov: Fix memleak upon encountering repeating tags + avformat/matroskaenc: Don't use NULL for %s format string + avformat/webvttdec: Fix memleak upon read header failure + avformat/vplayerdec: Fix memleak upon read header failure + avformat/tedcaptionsdec: Fix memleak upon read header failure + avformat/subviewerdec: Fix memleak upon read header failure + avformat/subviewer1dec: Fix memleak upon read header failure + avformat/stldec: Fix memleak upon read header failure + avformat/srtdec: Fix memleak upon read header failure + avformat/sccdec: Fix memleak upon read header failure + avformat/samidec: Fix memleak upon read header failure + avformat/pjsdec: Fix memleak upon read header failure + avformat/mpsubdec: Fix memleak upon read header failure + avformat/mpl2dec: Fix memleak upon read header failure + avformat/microdvddec: Fix memleak upon read header failure + avformat/lrcdec: Fix memleak upon read header failure + avformat/jacosubdec: Fix memleak upon read header failure + avformat/assdec: Fix memleak upon read header failure + avformat/aqtitledec: Fix memleak upon read header failure + avformat/mov: Fix memleaks upon read_header failure + avformat/omadec: Fix memleaks upon read_header failure + avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer + avformat/matroskadec: Use right number of tracks + avformat/matroskadec: Fix handling gigantic durations + avcodec/cinepakenc: Fix invalid shifts + avcodec/cbs_h2645: Fix potential out-of-bounds array access + h264_redundant_pps: Fix memleak in case of errors + avformat/aviobuf: Don't check for overflow after it happened + avformat/matroskaenc: Fix memleak upon encountering bogus chapter + fftools/ffmpeg_opt: Check attachment filesize + avformat/webmdashenc: Check codec types + avformat/avidec: Fix memleak with embedded GAB2 subtitles + avformat/webmdashenc: Fix memleak upon realloc failure + avformat/matroskadec: Don't discard the upper 32bits of TrackNumber + avformat/hnm: Check for extradata allocation failure + avformat/subtitles: Don't increment packet counter prematurely + avformat/bethsoftvid: Fix potential memleak upon reallocation failure + avformat/smoothstreaming: Fix memleaks on errors + avformat/matroskaenc: Check BlockAdditional size before use + avformat/utils: Fix memleaks in avformat_open_input() + avcodec/cavsdsp: Fix undefined left shifts of negative numbers + avformat/mov: Don't leak MOVFragmentStreamInfo on error + avformat/mov: Free encryption data on error + avformat/hevc: Fix potential leak in case of ff_hevc_annexb2mp4_buf failure + avformat/matroskaenc: Check for reformatting errors + avcodec/ra144enc: Fix invalid left shift of negative number + avcodec/adxenc: Avoid undefined left shift of negative numbers + avcodec/adpcm: Fix undefined left shifts of negative numbers + avformat/segafilmenc: Fix undefined left shift of 1 by 31 places + avcodec/proresenc_anatoliy: Fix invalid left shift of negative number + avformat/wtvdec: Fix memleak when reading header fails + avformat/fitsdec: Fix potential leak of string in AVBPrint + avformat/matroskadec: Fix use-after-free when demuxing ProRes + avformat/matroskadec: Fix demuxing ProRes + avformat/av1: Fix leak of dynamic buffer in case of parsing failure + fftools/ffmpeg: Free swresample dictionary during cleanup + avfilter/vf_xbr: Fix left shift of negative number + avfilter/vf_hqx: Fix undefined left shifts of negative numbers + avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers + avcodec/ituh263dec: Fix undefined left shift of negative number + avcodec/dnxhdenc: Fix undefined left shifts of negative numbers + swscale/utils: Fix invalid left shifts of negative numbers + swscale/x86/swscale: Fix undefined left shifts of negative numbers + avcodec/exr: Fix undefined left shifts of negative numbers + avformat/movenc: Fix undefined shift + avcodec/pcm: Fix undefined shifts + avcodec/wavpackenc: Fix undefined shifts + avutil/encryption_info: Don't pass NULL to memcpy + avcodec/ac3enc: Fix invalid shift + avcodec/tdsc: Fix undefined shifts + fftools/ffmpeg_opt: Fix signed integer overflow + avformat/mov: Fix memleak + avcodec/ttaenc: Fix undefined shift + lavf/webm_chunk: Fix NULL dereference + avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX + avcodec/bitstream: Don't check for undefined behaviour after it happened + libavcodec/libvpxenc: Don't free user-provided AVPacket + libavcodec/libmp3lame: Don't free user-provided AVPacket + avcodec/libopusenc: Don't free user-provided AVPacket + avcodec/cbs_h265: fix writing extension_data bits + avformat/matroskadec: Fix default value of BlockAddID + avformat/dashdec: Don't allocate and leak strings that are never used + version 4.1.5: - Changelog: Fix formating for 4.1.4 - avcodec/cbs_av1: avoid reading trailing bits when obu type is OBU_TILE_LIST diff --git a/RELEASE b/RELEASE index b1cbc1fcd2..561ad3349b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.5 +4.1.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4de2cbcca9..6df9ec57b7 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.5 +PROJECT_NUMBER = 4.1.6 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 3df2eab778418120d727bf9a2a05969a367d40d8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 27 May 2020 19:09:14 +0200 Subject: [PATCH 0818/1383] avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit is so big that it extends beyond the end of the input packet; it does so only implicitly by using the checked version of the bytestream2 API. But this has downsides compared to real checks: It can lead to huge allocations (up to 2GiB) even when the input packet is just a few bytes. And furthermore it leads to uninitialized data being output. So add a check to error out early if it happens. Also check directly whether there is enough data for the length field. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5) Signed-off-by: Andreas Rheinhardt --- libavcodec/hevc_mp4toannexb_bsf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 30f733d775..477d86d9fd 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -141,10 +141,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) int nalu_type; int is_irap, add_extradata, extra_size, prev_size; + if (bytestream2_get_bytes_left(&gb) < s->length_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); - if (nalu_size < 2) { + if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) { ret = AVERROR_INVALIDDATA; goto fail; } From 918a41d40e8459aee8c415d2f8692bb8a54dfef0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Jul 2020 00:31:07 +0200 Subject: [PATCH 0819/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 0f418c8d1a..81c344f3e4 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,7 @@ releases are sorted from youngest to oldest. version 4.1.6: + avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input avcodec/dstdec: Replace AC overread check by sample rate check avformat/utils: reorder duration computation to avoid overflow avcodec/pngdec: Check for fctl after idat From 0adddc08c6fd995b4ba236e9bfda5c5f9ab1f697 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Wed, 13 May 2020 00:27:58 +0300 Subject: [PATCH 0820/1383] avformat/tls_schannel: always decrypt all received data The dec_buf seems to be properly managed between read calls, and we have no logic to decrypt before attempting socket I/O. Thus - until now - such data would not be decrypted in case of connections such as HTTP keep-alive, as the recv call would always get executed first, block until rw_timeout, and then get retried by retry_transfer_wrapper. Thus - if data is received - decrypt all of it right away. This way it is available for the following requests in case they can be satisfied with it. (cherry picked from commit 39977fff20048f1798a95c593d6034a0e73ebbe5) --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 4f0badcb8d..7a8842e7fe 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -424,7 +424,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) c->enc_buf_offset += ret; } - while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK && c->dec_buf_offset < len) { + while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK) { /* input buffer */ init_sec_buffer(&inbuf[0], SECBUFFER_DATA, c->enc_buf, c->enc_buf_offset); From dce15293dadedd1ee308ed62027208c2aecc6cff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Wed, 13 May 2020 00:31:03 +0300 Subject: [PATCH 0821/1383] avformat/tls_schannel: immediately return decrypted data if available Until now, we would have only attempted to utilize already decrypted data if it was enough to fill the size of buffer requested, that could very well be up to 32 kilobytes. With keep-alive connections this would just lead to recv blocking until rw_timeout had been reached, as the connection would not be officially closed after each transfer. This would also lead to a loop, as such timed out I/O request would just be attempted again. By just returning the available decrypted data, keep-alive based connectivity such as HLS playback is fixed with schannel. (cherry picked from commit 6f8826e4aaddf1ee6cf3f333ed0e392a748382fe) --- libavformat/tls_schannel.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 7a8842e7fe..fec43ffafd 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -392,7 +392,12 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) int size, ret; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; - if (len <= c->dec_buf_offset) + /* If we have some left-over data from previous network activity, + * return it first in case it is enough. It may contain + * data that is required to know whether this connection + * is still required or not, esp. in case of HTTP keep-alive + * connections. */ + if (c->dec_buf_offset > 0) goto cleanup; if (c->sspi_close_notify) From 082dfc8bd55237562f8335cecf04a2c932f40eea Mon Sep 17 00:00:00 2001 From: Remita Amine Date: Wed, 27 Mar 2019 13:03:07 +0100 Subject: [PATCH 0822/1383] lavf/tls_gnutls: retry gnutls_handshake on non fatal errors fixes #7801 Signed-off-by: Remita Amine (cherry picked from commit bc1749c6e46099ec85110361dbe6f7994a63040d) --- libavformat/tls_gnutls.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c index e3c43683be..f32bc2821b 100644 --- a/libavformat/tls_gnutls.c +++ b/libavformat/tls_gnutls.c @@ -182,11 +182,13 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op gnutls_transport_set_push_function(p->session, gnutls_url_push); gnutls_transport_set_ptr(p->session, c->tcp); gnutls_priority_set_direct(p->session, "NORMAL", NULL); - ret = gnutls_handshake(p->session); - if (ret) { - ret = print_tls_error(h, ret); - goto fail; - } + do { + ret = gnutls_handshake(p->session); + if (gnutls_error_is_fatal(ret)) { + ret = print_tls_error(h, ret); + goto fail; + } + } while (ret); p->need_shutdown = 1; if (c->verify) { unsigned int status, cert_list_size; From 3dd24b0f708ae5c68607de0828480b09c8f95004 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?B=C5=82a=C5=BCej=20Szczygie=C5=82?= Date: Fri, 16 Aug 2019 10:38:46 +0200 Subject: [PATCH 0823/1383] lavf/tls_gnutls: check for interrupt inside handshake loop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fixes #8080 Signed-off-by: Błażej Szczygieł (cherry picked from commit 561ba15c973120c9565a8f75a7439f3e8a10e04d) --- libavformat/tls_gnutls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/tls_gnutls.c b/libavformat/tls_gnutls.c index f32bc2821b..e41156cc30 100644 --- a/libavformat/tls_gnutls.c +++ b/libavformat/tls_gnutls.c @@ -183,6 +183,11 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op gnutls_transport_set_ptr(p->session, c->tcp); gnutls_priority_set_direct(p->session, "NORMAL", NULL); do { + if (ff_check_interrupt(&h->interrupt_callback)) { + ret = AVERROR_EXIT; + goto fail; + } + ret = gnutls_handshake(p->session); if (gnutls_error_is_fatal(ret)) { ret = print_tls_error(h, ret); From 7f0db52c534edfb6bf7f8f008b87dc27caac9455 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Tue, 29 Sep 2020 23:19:23 +0200 Subject: [PATCH 0824/1383] avcodec/cuviddec: handle arbitrarily sized extradata --- libavcodec/cuviddec.c | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index 67e39ac719..fef72385ed 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -83,7 +83,7 @@ typedef struct CuvidContext CUVIDDECODECAPS caps8, caps10, caps12; CUVIDPARSERPARAMS cuparseinfo; - CUVIDEOFORMATEX cuparse_ext; + CUVIDEOFORMATEX *cuparse_ext; CudaFunctions *cudl; CuvidFunctions *cvdl; @@ -713,6 +713,7 @@ static av_cold int cuvid_decode_end(AVCodecContext *avctx) av_buffer_unref(&ctx->hwdevice); av_freep(&ctx->key_frame); + av_freep(&ctx->cuparse_ext); cuvid_free_functions(&ctx->cvdl); @@ -817,6 +818,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext cuda_ctx = NULL; CUcontext dummy; const AVBitStreamFilter *bsf; + uint8_t *extradata; + uint32_t extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, @@ -913,11 +916,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) ctx->cudl = device_hwctx->internal->cuda_dl; memset(&ctx->cuparseinfo, 0, sizeof(ctx->cuparseinfo)); - memset(&ctx->cuparse_ext, 0, sizeof(ctx->cuparse_ext)); memset(&seq_pkt, 0, sizeof(seq_pkt)); - ctx->cuparseinfo.pExtVideoInfo = &ctx->cuparse_ext; - switch (avctx->codec->id) { #if CONFIG_H264_CUVID_DECODER case AV_CODEC_ID_H264: @@ -987,17 +987,25 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) goto error; } - ctx->cuparse_ext.format.seqhdr_data_length = ctx->bsf->par_out->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - ctx->bsf->par_out->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), ctx->bsf->par_out->extradata_size)); + extradata = ctx->bsf->par_out->extradata; + extradata_size = ctx->bsf->par_out->extradata_size; } else if (avctx->extradata_size > 0) { - ctx->cuparse_ext.format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - avctx->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), avctx->extradata_size)); + extradata = avctx->extradata; + extradata_size = avctx->extradata_size; } + ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) + + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + if (!ctx->cuparse_ext) { + ret = AVERROR(ENOMEM); + goto error; + } + + ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + + ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; + ctx->key_frame = av_mallocz(ctx->nb_surfaces * sizeof(int)); if (!ctx->key_frame) { ret = AVERROR(ENOMEM); @@ -1026,8 +1034,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); @@ -1086,8 +1094,8 @@ static void cuvid_flush(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); From d44da66fac3127b655b316711b8f1e57b7ed1acf Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Thu, 1 Oct 2020 20:20:48 +0200 Subject: [PATCH 0825/1383] avcodec/cuviddec: backport extradata fixes --- libavcodec/cuviddec.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/cuviddec.c b/libavcodec/cuviddec.c index fef72385ed..35e6fe38e7 100644 --- a/libavcodec/cuviddec.c +++ b/libavcodec/cuviddec.c @@ -819,7 +819,7 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext dummy; const AVBitStreamFilter *bsf; uint8_t *extradata; - uint32_t extradata_size; + int extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, @@ -989,20 +989,21 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) extradata = ctx->bsf->par_out->extradata; extradata_size = ctx->bsf->par_out->extradata_size; - } else if (avctx->extradata_size > 0) { + } else { extradata = avctx->extradata; extradata_size = avctx->extradata_size; } ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) - + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); if (!ctx->cuparse_ext) { ret = AVERROR(ENOMEM); goto error; } - ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + if (extradata_size > 0) + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + ctx->cuparse_ext->format.seqhdr_data_length = extradata_size; ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; From 347bcf6054890f19dd67f53b33489bc5c3c40471 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 8 Aug 2021 15:30:26 -0300 Subject: [PATCH 0826/1383] avcodec/h264_slice: clear old slice POC values on parsing failure If a slice header fails to parse, and the next one uses different Sequence and Picture parameter sets, certain values may not be read if they are not coded, resulting in the previous slice values being used. Signed-off-by: James Almer (cherry picked from commit ce4a31cd1ff0348d279af74d49556d0315171e94) --- libavcodec/h264_slice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 1c9a270fb6..272f3b00a4 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1821,6 +1821,8 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, if (nal->type == H264_NAL_IDR_SLICE) get_ue_golomb_long(&sl->gb); /* idr_pic_id */ + sl->poc_lsb = 0; + sl->delta_poc_bottom = 0; if (sps->poc_type == 0) { sl->poc_lsb = get_bits(&sl->gb, sps->log2_max_poc_lsb); @@ -1828,6 +1830,7 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, sl->delta_poc_bottom = get_se_golomb(&sl->gb); } + sl->delta_poc[0] = sl->delta_poc[1] = 0; if (sps->poc_type == 1 && !sps->delta_pic_order_always_zero_flag) { sl->delta_poc[0] = get_se_golomb(&sl->gb); From 34f9c735ad5edb9be107dfef55394cc9e6bc6e5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jul 2020 23:55:50 +0200 Subject: [PATCH 0827/1383] avcodec/pnmdec: Fix misaligned reads Found-by: "Steinar H. Gunderson" Signed-off-by: Michael Niedermayer (cherry picked from commit ea28ce9bc13803ccef97850388ddc9a73998a23e) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 2c98e26934..b625d8d3c4 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -172,7 +172,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } else if (upgrade == 2) { unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } } @@ -226,7 +226,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; for (i = 0; i < avctx->height; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } s->bytestream += n; @@ -238,13 +238,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, h = avctx->height >> 1; for (i = 0; i < h; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr1[j] = (v * f + 16384) >> 15; } s->bytestream += n; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr2[j] = (v * f + 16384) >> 15; } s->bytestream += n; From 32815740f7bc5c6566d8369a849c8a164ed594f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jul 2020 20:18:42 +0200 Subject: [PATCH 0828/1383] avformat/smjpegdec: Check the existence of referred streams Fixes: Assertion failure Fixes: 23758/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5160954605338624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 321ea59dac6538f92206bab0a2688fa24a25c4d2) Signed-off-by: Michael Niedermayer --- libavformat/smjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/smjpegdec.c b/libavformat/smjpegdec.c index c184c0d9fd..ec5f2957e5 100644 --- a/libavformat/smjpegdec.c +++ b/libavformat/smjpegdec.c @@ -51,6 +51,9 @@ static int smjpeg_read_header(AVFormatContext *s) uint32_t version, htype, hlength, duration; char *comment; + sc->audio_stream_index = + sc->video_stream_index = -1; + avio_skip(pb, 8); // magic version = avio_rb32(pb); if (version) @@ -147,6 +150,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) dtype = avio_rl32(s->pb); switch (dtype) { case SMJPEG_SNDD: + if (sc->audio_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); @@ -155,6 +160,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->pos = pos; break; case SMJPEG_VIDD: + if (sc->video_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); From bf0b15d76a91b1f885dc17b776246986399a1933 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 21:11:25 +0200 Subject: [PATCH 0829/1383] avcodec/loco: Fix integer overflow with large values from loco_get_rice() Fixes: signed integer overflow: 155 + 2147483647 cannot be represented in type 'int' Fixes: 23421/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5652849097965568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3ddc5e1f3cebca25ade54ee68159d305f210bf5f) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index d0cedf577d..25dd1575ba 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -131,7 +131,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh int stride, const uint8_t *buf, int buf_size) { RICEContext rc; - int val; + unsigned val; int ret; int i, j; From 41049b0d76decc07dc36f1158c748be9f1c19093 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 22:01:22 +0200 Subject: [PATCH 0830/1383] avcodec/apedec: Fix undefined integer overflow with 24bit Fixes: signed integer overflow: 8683744 * 256 cannot be represented in type 'int' Fixes: 23527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679885932822528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9f7b252cdf2d0e0f79d16dc7cd575d1884239863) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 93e9a18e5d..3bec1eee68 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] * 256; + *sample24++ = s->decoded[ch][i] * 256U; } break; } From 02fd603a182f589128aa7e951d218ad1dd35dd8b Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 5 Jul 2020 00:51:53 +0800 Subject: [PATCH 0831/1383] avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 806a4d5187aeb82b97898683242886ed1e84f894) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 71af75764e..ea3013df2b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6830,13 +6830,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) a.size >= 8 && c->fc->strict_std_compliance < FF_COMPLIANCE_STRICT && c->moov_retry) { - uint8_t buf[8]; - uint32_t *type = (uint32_t *)buf + 1; - if (avio_read(pb, buf, 8) != 8) - return AVERROR_INVALIDDATA; + uint32_t type; + avio_skip(pb, 4); + type = avio_rl32(pb); avio_seek(pb, -8, SEEK_CUR); - if (*type == MKTAG('m','v','h','d') || - *type == MKTAG('c','m','o','v')) { + if (type == MKTAG('m','v','h','d') || + type == MKTAG('c','m','o','v')) { av_log(c->fc, AV_LOG_ERROR, "Detected moov in a free atom.\n"); a.type = MKTAG('m','o','o','v'); } From 14a4be8fb4800fbac9e3e9a884527a7b582591a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jul 2020 19:37:57 +0200 Subject: [PATCH 0832/1383] avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment() Fixes: Out of array read Fixes: 24043/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5084566275751936.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a10bc8f6f5d600c44ecb9b43cd9abf13bf3bfae) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_jpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cbs_jpeg.c b/libavcodec/cbs_jpeg.c index b78c305551..bb1b3f0c87 100644 --- a/libavcodec/cbs_jpeg.c +++ b/libavcodec/cbs_jpeg.c @@ -149,6 +149,7 @@ static int cbs_jpeg_split_fragment(CodedBitstreamContext *ctx, break; } else if (marker == JPEG_MARKER_SOS) { next_marker = -1; + end = start; for (i = start; i + 1 < frag->data_size; i++) { if (frag->data[i] != 0xff) continue; From 4646f94b9cc83facb651a4540f342014cb75f937 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 9 Jul 2020 12:07:28 +0200 Subject: [PATCH 0833/1383] avformat/mm: Check for existence of audio stream No audio stream is created unconditionally and if none has been created, no packet with stream_index 1 may be returned. This fixes an assert in ff_read_packet() in libavformat/utils reported in ticket #8782. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ec59dc73f0cc8930bf5dae389cd76d049d537ca7) Signed-off-by: Andreas Rheinhardt --- libavformat/mm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mm.c b/libavformat/mm.c index 8a1382e03c..de5f9d6161 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -174,6 +174,8 @@ static int read_packet(AVFormatContext *s, return 0; case MM_TYPE_AUDIO : + if (s->nb_streams < 2) + return AVERROR_INVALIDDATA; if (av_get_packet(s->pb, pkt, length)<0) return AVERROR(ENOMEM); pkt->stream_index = 1; From bd5e97fd6b64838851769c61c4d64fb8ea6bdc69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jul 2020 22:47:50 +0200 Subject: [PATCH 0834/1383] avcodec/tdsc: Fix tile checks Fixes: out of array access Fixes: crash.asf Found-by: anton listov Reviewed-by: anton listov Signed-off-by: Michael Niedermayer (cherry picked from commit 081e3001edb67dcd55fe0f68505df1fce667476d) Signed-off-by: Michael Niedermayer --- libavcodec/tdsc.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index e9ea41ef55..854e7e0510 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) for (i = 0; i < number_tiles; i++) { int tile_size; int tile_mode; - int x, y, w, h; + int x, y, x2, y2, w, h; int ret; if (bytestream2_get_bytes_left(&ctx->gbc) < 4 || @@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) bytestream2_skip(&ctx->gbc, 4); // unknown x = bytestream2_get_le32(&ctx->gbc); y = bytestream2_get_le32(&ctx->gbc); - w = bytestream2_get_le32(&ctx->gbc) - x; - h = bytestream2_get_le32(&ctx->gbc) - y; + x2 = bytestream2_get_le32(&ctx->gbc); + y2 = bytestream2_get_le32(&ctx->gbc); - if (x >= ctx->width || y >= ctx->height) { + if (x < 0 || y < 0 || x2 <= x || y2 <= y || + x2 > ctx->width || y2 > ctx->height + ) { av_log(avctx, AV_LOG_ERROR, - "Invalid tile position (%d.%d outside %dx%d).\n", - x, y, ctx->width, ctx->height); - return AVERROR_INVALIDDATA; - } - if (x + w > ctx->width || y + h > ctx->height) { - av_log(avctx, AV_LOG_ERROR, - "Invalid tile size %dx%d\n", w, h); + "Invalid tile position (%d.%d %d.%d outside %dx%d).\n", + x, y, x2, y2, ctx->width, ctx->height); return AVERROR_INVALIDDATA; } + w = x2 - x; + h = y2 - y; ret = av_reallocp(&ctx->tilebuffer, tile_size); if (!ctx->tilebuffer) From 8636ff4bdfd3a6d6a58b73d9bb259e4487a88aaa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:41:27 +0200 Subject: [PATCH 0835/1383] avcodec/alac: Check decorr_shift to avoid invalid shift Later the decorrelate_stereo call is guarded by channels == 2 and non-zero decorr_left_weight. Make sure decorr_shift is in the expected shift range for that case. Fixes: shift exponent 128 is too large for 32-bit type 'int' Fixes: 23860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5751138914402304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 4333718b357a9ad195031e5d0ea080d37677b795) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index bb0619a2d0..de366e73f6 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -302,6 +302,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); + if (channels == 2 && decorr_left_weight && decorr_shift > 31) + return AVERROR_INVALIDDATA; + for (ch = 0; ch < channels; ch++) { prediction_type[ch] = get_bits(&alac->gb, 4); lpc_quant[ch] = get_bits(&alac->gb, 4); From 301801bfd23c463ba5dd5a989a8fae5813a9ddeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Aug 2020 00:51:12 +0200 Subject: [PATCH 0836/1383] avformat/mov: Check comp_brand_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ea3013df2b..26226beb76 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1117,7 +1117,7 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dict_set_int(&c->fc->metadata, "minor_version", minor_ver, 0); comp_brand_size = atom.size - 8; - if (comp_brand_size < 0) + if (comp_brand_size < 0 || comp_brand_size == INT_MAX) return AVERROR_INVALIDDATA; comp_brands_str = av_malloc(comp_brand_size + 1); /* Add null terminator */ if (!comp_brands_str) From 2dc9462462ac160ea0345dfe256d85b934de19a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:35:06 +0200 Subject: [PATCH 0837/1383] avcodec/snowdec: Sanity check hcoeff Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d51d569cf68f78aaea8464a156c847a0e294726a) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 504382f589..dfbb9686da 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -369,7 +369,10 @@ static int decode_header(SnowContext *s){ htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ - p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); + unsigned hcoeff = get_symbol(&s->c, s->header_state, 0); + if (hcoeff > 127) + return AVERROR_INVALIDDATA; + p->hcoeff[i]= hcoeff * (1-2*(i&1)); sum += p->hcoeff[i]; } p->hcoeff[0]= 32-sum; From b0fd8d6b1523f4f89f20e3a34ffa6a39156a2d56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:42:43 +0200 Subject: [PATCH 0838/1383] avcodec/tiff: Check bpp/bppcount for 0 Fixes: division by zero Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be090da25f734460f3105075456877b8a66185c1) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index bf17d9fe60..a9f93494ed 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -831,7 +831,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - if (count > 4U) { + if (count > 4 || count <= 0) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); @@ -862,9 +862,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) "Samples per pixel requires a single value, many provided\n"); return AVERROR_INVALIDDATA; } - if (value > 4U) { + if (value > 4 || value <= 0) { av_log(s->avctx, AV_LOG_ERROR, - "Samples per pixel %d is too large\n", value); + "Invalid samples per pixel %d\n", value); return AVERROR_INVALIDDATA; } if (s->bppcount == 1) From f13fb1cfb8e1d367224f8ab6a99cde05285af849 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2020 01:07:44 +0200 Subject: [PATCH 0839/1383] avformat/mpeg: Check avio_read() return value in get_pts() Found-by: Thierry Foucu Fixes: Use-of-uninitialized-value Reviewed-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit e8a88a16f78e66c8d7645b5f71dc8390b033fa70) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 7d523e5fc2..8d5f22790e 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -161,9 +161,12 @@ static int mpegps_read_header(AVFormatContext *s) static int64_t get_pts(AVIOContext *pb, int c) { uint8_t buf[5]; + int ret; buf[0] = c < 0 ? avio_r8(pb) : c; - avio_read(pb, buf + 1, 4); + ret = avio_read(pb, buf + 1, 4); + if (ret < 4) + return AV_NOPTS_VALUE; return ff_parse_pes_pts(buf); } From 2e9d90680d2ca8911525de59d464ac3796844fb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Aug 2020 14:41:13 +0200 Subject: [PATCH 0840/1383] avformat/siff: Reject audio packets without audio stream Fixes: Assertion failure Fixes: 24612/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6600899842277376.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8931c55789a69f717b4a6954c5bb7acf5475a134) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/siff.c b/libavformat/siff.c index ddd1715680..e4da95ee0b 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -200,6 +200,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->curstrm == -1) { c->pktsize = avio_rl32(s->pb) - 4; c->flags = avio_rl16(s->pb); + if (c->flags & VB_HAS_AUDIO && !c->has_audio) + return AVERROR_INVALIDDATA; c->gmcsize = (c->flags & VB_HAS_GMC) ? 4 : 0; if (c->gmcsize) avio_read(s->pb, c->gmc, c->gmcsize); From a4f01dfad9f4294f7393f67b0d7bbb45e9c46f23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2020 01:05:35 +0200 Subject: [PATCH 0841/1383] avcodec/tiff: Restrict tag order based on specification "The entries in an IFD must be sorted in ascending order by Tag. Note that this is not the order in which the fields are described in this document." This way various dimensions, sample and bit sizes cannot be changed at arbitrary times which reduces the potential for bugs. The tag reading code also on various places assumes that numerically previous tags have already been parsed, so this needs to be enforced one way or another. If this commit causes problems with real world files which are not easy to fix then some other form of checks are needed to ensure the various dependencies in the tag reading are not violated. Fixes: out of array access Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad29f9e47cb848e11ee1d358d2bae15cd35ef04b) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index a9f93494ed..088584b686 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -64,6 +64,7 @@ typedef struct TiffContext { int predictor; int fill_order; uint32_t res[4]; + unsigned last_tag; int strips, rps, sstype; int sot; @@ -801,6 +802,12 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (ret < 0) { goto end; } + if (tag <= s->last_tag) + return AVERROR_INVALIDDATA; + + // We ignore TIFF_STRIP_SIZE as it is sometimes in the logic but wrong order around TIFF_STRIP_OFFS + if (tag != TIFF_STRIP_SIZE) + s->last_tag = tag; off = bytestream2_tell(&s->gb); if (count == 1) { @@ -1239,6 +1246,7 @@ static int decode_frame(AVCodecContext *avctx, s->photometric = TIFF_PHOTOMETRIC_NONE; s->compr = TIFF_RAW; s->fill_order = 0; + s->last_tag = 0; free_geotags(s); // Reset these offsets so we can tell if they were set this frame From 9474d161c254d7f1c7d79d91da4209acc3c722fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Aug 2020 00:17:41 +0200 Subject: [PATCH 0842/1383] avcodec/cfhd: Check transform type Fixes: out of array access Fixes: 24823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4855119863349248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 659658d08bb2e7219001795c78efd24f381446e2) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 846d334b9b..5f2cda8327 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -444,6 +444,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data); ret = AVERROR_PATCHWELCOME; break; + } else if (data == 1) { + av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n"); + ret = AVERROR_PATCHWELCOME; + break; } av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data); } else if (abstag >= 0x4000 && abstag <= 0x40ff) { From ca689b00023c07fde16b0cb599b6b6c601a063e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:09:05 +0200 Subject: [PATCH 0843/1383] avformat/avidec: Fix io_fsize overflow Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long' Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf0c700b0c25f5d9fe50dd27086a06812822f11a) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 8362c32bdd..bd4cb1ff98 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -438,7 +438,7 @@ static int calculate_bitrate(AVFormatContext *s) maxpos = FFMAX(maxpos, st->index_entries[j-1].pos); lensum += len; } - if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file + if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file return 0; if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch return 0; From de79966a44145408f781cd89e764472b6ba1e343 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:24:55 +0200 Subject: [PATCH 0844/1383] avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d() Fixes: signed integer overflow: 998938090 + 1169275991 cannot be represented in type 'int' Fixes: 23411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-4644692330545152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d182d8f10cf69c59ef9c21df4b06e5478df063ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index c6944f5ce3..8d00e77d70 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1260,20 +1260,20 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (t2a - t6a + (1 << 13)) >> 14; t7 = (t3a - t7a + (1 << 13)) >> 14; - t4a = 15137 * t4 + 6270 * t5; - t5a = 6270 * t4 - 15137 * t5; - t6a = 15137 * t7 - 6270 * t6; - t7a = 6270 * t7 + 15137 * t6; + t4a = 15137U * t4 + 6270U * t5; + t5a = 6270U * t4 - 15137U * t5; + t6a = 15137U * t7 - 6270U * t6; + t7a = 6270U * t7 + 15137U * t6; out[0] = t0 + t2; out[7] = -(t1 + t3); t2 = t0 - t2; t3 = t1 - t3; - out[1] = -((t4a + t6a + (1 << 13)) >> 14); - out[6] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[1] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[6] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; From df6725090355db9505035d3ba248902077873565 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Sep 2020 17:58:53 +0200 Subject: [PATCH 0845/1383] avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE Fixes: signed integer overflow: -1429092 * -32596 cannot be represented in type 'int' Fixes: 24419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5157849974702080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a0da95df77a528251a326fc8b7e2ff48c60e41d0) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 8d3ac81aef..d92bb38c45 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -373,7 +373,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->amp += in->damp; switch (in->type) { case WS_SINE: - val = amp * ws->sin[in->phi >> (64 - SIN_BITS)]; + val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)]; in->phi += in->dphi; in->dphi += in->ddphi; break; From ca56067055f7ef1e26be58c951dfb9b5f33d5d68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Sep 2020 00:09:33 +0200 Subject: [PATCH 0846/1383] avformat/electronicarts: Check if there are any streams Fixes: Assertion failure (invalid stream index) Fixes: 25120/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6565251898933248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 39a98623edbbdcf9d9b76e9d7aff3ce086ebfbfe) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 9ea4c5d708..87c7f0cf70 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -530,20 +530,17 @@ static int ea_read_header(AVFormatContext *s) if (ea->num_channels <= 0 || ea->num_channels > 2) { av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->sample_rate <= 0) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate: %d\n", ea->sample_rate); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->bytes <= 0 || ea->bytes > 2) { av_log(s, AV_LOG_ERROR, "Invalid number of bytes per sample: %d\n", ea->bytes); - ea->audio_codec = AV_CODEC_ID_NONE; - return 1; + goto no_audio; } /* initialize the audio decoder stream */ @@ -564,8 +561,13 @@ static int ea_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample; ea->audio_stream_index = st->index; st->start_time = 0; + return 1; } +no_audio: + ea->audio_codec = AV_CODEC_ID_NONE; + if (!ea->video.codec) + return AVERROR_INVALIDDATA; return 1; } From d5e57e749684f4937cb9fc32386a5b0bd4687ecd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 19:04:23 +0200 Subject: [PATCH 0847/1383] avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth() Fixes: -2.4187e+09 is outside the range of representable values of type 'int' Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Fixes: 23528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b9f39689ab19c68ff37b5a4ac71e8fb7f58c487) Signed-off-by: Michael Niedermayer --- libavcodec/mpc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpc.c b/libavcodec/mpc.c index 6cf9b9d520..e56b608d8c 100644 --- a/libavcodec/mpc.c +++ b/libavcodec/mpc.c @@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out, j = 0; mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF]; for(; j < 12; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF]; for(; j < 24; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF]; for(; j < 36; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); } } if(bands[i].msf){ - int t1, t2; + unsigned t1, t2; for(j = 0; j < SAMPLES_PER_BAND; j++){ t1 = c->sb_samples[0][j][i]; t2 = c->sb_samples[1][j][i]; From b9c0480f175be26fda2d84b61af6d5637e34fe0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 16:54:28 +0200 Subject: [PATCH 0848/1383] avformat/cdg: Fix integer overflow in duration computation Fixes: signed integer overflow: 8398407 * 300 cannot be represented in type 'int' Fixes: 23914/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4702539290509312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8935b395162f8438d1f055e671e92685ed1586) Signed-off-by: Michael Niedermayer --- libavformat/cdg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cdg.c b/libavformat/cdg.c index 05cac6e528..f933819d57 100644 --- a/libavformat/cdg.c +++ b/libavformat/cdg.c @@ -49,7 +49,7 @@ static int read_header(AVFormatContext *s) if (ret < 0) { av_log(s, AV_LOG_WARNING, "Cannot calculate duration as file size cannot be determined\n"); } else - vst->duration = (ret * vst->time_base.den) / (CDG_PACKET_SIZE * 300); + vst->duration = (ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300); return 0; } From 2fee883f527ad0fdc3bf3b69143f8d1c161c1dab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Sep 2020 21:12:17 +0200 Subject: [PATCH 0849/1383] avcodec/wmalosslessdec: Check remaining space before padding and channel residue Fixes: Timeout (1101sec -> 0.4sec) Fixes: 24491/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5725337036783616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c467adf3bf9bb4b7fd28956ec698d884e63f145d) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 2228eecd96..5afc0544d5 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -935,6 +935,8 @@ static int decode_subframe(WmallDecodeCtx *s) s->do_lpc = 0; } + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) padding_zeroes = get_bits(&s->gb, 5); From d3bbc76f8e4f5c314668515cb8ad7ceb9dc087b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jul 2020 22:58:13 +0200 Subject: [PATCH 0850/1383] avutil/fixed_dsp: Fix integer overflows in butterflies_fixed_c() Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Fixes: 23646/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5480991098667008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a02ae49c26395fc3ae2d38c733a2a13bd3080e7) Signed-off-by: Michael Niedermayer --- libavutil/fixed_dsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/fixed_dsp.c b/libavutil/fixed_dsp.c index 8c018581df..f1b195f184 100644 --- a/libavutil/fixed_dsp.c +++ b/libavutil/fixed_dsp.c @@ -134,9 +134,10 @@ static int scalarproduct_fixed_c(const int *v1, const int *v2, int len) return (int)(p >> 31); } -static void butterflies_fixed_c(int *v1, int *v2, int len) +static void butterflies_fixed_c(int *v1s, int *v2, int len) { int i; + unsigned int *v1 = v1s; for (i = 0; i < len; i++){ int t = v1[i] - v2[i]; From 6afbda6ce89c7c3347b2262d2e9c004a30833be4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2020 14:30:19 +0200 Subject: [PATCH 0851/1383] avcodec/diracdsp: Fix integer anomaly in dequant_subband_* Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 23760/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-604209011412172 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca3c6c981aa5b0af8a5576020b79fdd3cdf9ae9e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 2dd56f83f3..4e08d3817e 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -198,9 +198,9 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst; \ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ - sign = FFSIGN(c)*(!!c); \ - c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ - *dst_r++ = c*sign; \ + if (c < 0) c = -((-(unsigned)c*qf + qs) >> 2); \ + else if(c > 0) c = (( (unsigned)c*qf + qs) >> 2); \ + *dst_r++ = c; \ } \ src += tot_h << (sizeof(PX) >> 1); \ dst += stride; \ From 124a433d159bcba054afc01459b7c71ecdff30ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 15:20:14 +0200 Subject: [PATCH 0852/1383] avformat/wc3movie: Move wc3_read_close() up Signed-off-by: Michael Niedermayer (cherry picked from commit 0c635f2ce6c18d448e77605ee83b55bd8250f812) Signed-off-by: Michael Niedermayer --- libavformat/wc3movie.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index cb4d4d933b..a4c6c0d3ba 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c @@ -73,6 +73,16 @@ typedef struct Wc3DemuxContext { } Wc3DemuxContext; +static int wc3_read_close(AVFormatContext *s) +{ + Wc3DemuxContext *wc3 = s->priv_data; + + if (wc3->vpkt.size > 0) + av_packet_unref(&wc3->vpkt); + + return 0; +} + static int wc3_probe(AVProbeData *p) { if (p->buf_size < 12) @@ -284,16 +294,6 @@ static int wc3_read_packet(AVFormatContext *s, return ret; } -static int wc3_read_close(AVFormatContext *s) -{ - Wc3DemuxContext *wc3 = s->priv_data; - - if (wc3->vpkt.size > 0) - av_packet_unref(&wc3->vpkt); - - return 0; -} - AVInputFormat ff_wc3_demuxer = { .name = "wc3movie", .long_name = NULL_IF_CONFIG_SMALL("Wing Commander III movie"), From f4d75810b4575a35fd02ede8137f4bb3e8488aba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 20:48:38 +0200 Subject: [PATCH 0853/1383] avcodec/ansi: Check nb_args for overflow Fixes: Integer overflow (no testcase) Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit bc0e776c9aaf06f437bf21e05a713fd54dc85400) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index f1fafab771..c42d6d3dba 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -430,7 +430,8 @@ static int decode_frame(AVCodecContext *avctx, s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': - s->nb_args++; + if (s->nb_args < MAX_NB_ARGS) + s->nb_args++; if (s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0; break; From b81d1379c296de48ebcc7ead0b3f22a4265b0ea1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Sep 2020 20:53:31 +0200 Subject: [PATCH 0854/1383] avformat/wvdec: Check rate for overflow Fixes: signed integer overflow: 6000 * -2147483648 cannot be represented in type 'int' Fixes: 25700/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6578316302352384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 688c1175ba91d0477cc461e5bfda210d6659a3b8) Signed-off-by: Michael Niedermayer --- libavformat/wvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wvdec.c b/libavformat/wvdec.c index 2060523c3b..8ddebf8033 100644 --- a/libavformat/wvdec.c +++ b/libavformat/wvdec.c @@ -81,6 +81,7 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) int ret; int rate, bpp, chan; uint32_t chmask, flags; + unsigned rate_x; wc->pos = avio_tell(pb); @@ -179,7 +180,7 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) if (id & 0x40) avio_skip(pb, 1); } - if (rate == -1) { + if (rate == -1 || rate * (uint64_t)rate_x >= INT_MAX) { av_log(ctx, AV_LOG_ERROR, "Cannot determine custom sampling rate\n"); return AVERROR_INVALIDDATA; From 91f7983a8959b6c5d14eed21bb575ecd88065bd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2020 22:20:39 +0200 Subject: [PATCH 0855/1383] avcodec/sonic: Check channels before deallocating Fixes: heap-buffer-overflow Fixes: 25744/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5172961169113088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f249981976b18438cfb646183d4c21fb051e1ad4) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index f1bc3409bf..ad1552a434 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -980,9 +980,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx) av_freep(&s->int_samples); av_freep(&s->tap_quant); av_freep(&s->predictor_k); - - for (i = 0; i < s->channels; i++) - { + for (i = 0; i < MAX_CHANNELS; i++) { av_freep(&s->predictor_state[i]); av_freep(&s->coded_samples[i]); } From 8b84fcb78f9ab25dbe1949433b58a33861118629 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Sep 2020 20:08:37 +0200 Subject: [PATCH 0856/1383] avcodec/dxtory: Fix negative shift in dx2_decode_slice_410() Fixes: left shift of negative value -768 Fixes: 25574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-6012596027916288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit abebd87764992dc22c82802bdc75d40aac14ab86) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 285ca38efb..b2daaa7cc2 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -442,7 +442,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 2; + Y += ystride * 4; U += ustride; V += vstride; } From c242e3efe0a512855356147c46ddc0c8cc7746f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Sep 2020 22:20:52 +0200 Subject: [PATCH 0857/1383] avformat/iff: Check data_size not overflowing int64 Fixes: Infinite loop Fixes: 25844/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5660803318153216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 24352ca79207d3311ee544fcba908a64004763ef) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 4cf17f6e1a..aa2d9dd48c 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -449,6 +449,9 @@ static int iff_read_header(AVFormatContext *s) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); orig_pos = avio_tell(pb); + if (data_size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(chunk_id) { case ID_VHDR: st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; From cb6cdd3f84b9a7ed1a83e78d76ec0fc13025b384 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Sep 2020 22:42:05 +0200 Subject: [PATCH 0858/1383] avcodec/vc1_block: Fix integer overflow in ac value Fixes: signed integer overflow: 25488 * 87381 cannot be represented in type 'int' Fixes: 24765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5108259565076480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3056e19e68122b9464b24870488f8faca4e78ea8) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 5fbf7b3b4b..f128f696d5 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1080,7 +1080,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } else { // top @@ -1093,7 +1093,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1; if (q2 && q1 != q2) { for (k = 1; k < 8; k++) - ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k + 8] = (int)(ac_val2[k + 8] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } From 5a86c28a73a39a200310b1fee47be7ad78795599 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Sep 2020 23:13:00 +0200 Subject: [PATCH 0859/1383] avformat/dxa: Use av_rescale() for duration computation Fixes: signed integer overflow: 8224000000 * 1629552639 cannot be represented in type 'long' Fixes: 24908/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4658478506049536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c313089fbe1df71b5406dd9d7e4d36361051c620) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 50193907be..bdb93b0835 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -143,7 +143,7 @@ static int dxa_read_header(AVFormatContext *s) c->readvid = !c->has_sound; c->vidpos = avio_tell(pb); s->start_time = 0; - s->duration = (int64_t)c->frames * AV_TIME_BASE * num / den; + s->duration = av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den); av_log(s, AV_LOG_DEBUG, "%d frame(s)\n",c->frames); return 0; From 6bbc565af821104ffbbd9b03cdf752fc5de257da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Sep 2020 19:44:35 +0200 Subject: [PATCH 0860/1383] avformat/asfdec_f: Change order or operations slightly Fixes: signed integer overflow: 20 * 5184056935931942919 cannot be represented in type 'long' Fixes: 25466/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4798660247552000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 686f0151901849de3b2073fa73265472073e0208) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 1d62d4e05e..ae36aeab28 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -424,7 +424,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) if (!(asf->hdr.flags & 0x01)) { // if we aren't streaming... int64_t fsize = avio_size(pb); if (fsize <= 0 || (int64_t)asf->hdr.file_size <= 0 || - 20*FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)) + FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)/20) st->duration = asf->hdr.play_time / (10000000 / 1000) - start_time; } From d8359218a27a7419eced067d4f4089c035b3b543 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 14:59:13 +0200 Subject: [PATCH 0861/1383] avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420() Fixes: left shift of negative value -640 Fixes: 26044/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-5631057602543616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3291d994b76db4b6e67c8467367ce68f79785e60) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index b2daaa7cc2..7731d05f25 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -487,7 +487,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 1; + Y += ystride * 2; U += ustride; V += vstride; } From dc12287307d87ac25a9307c6de2844cd558c71bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2020 21:59:04 +0200 Subject: [PATCH 0862/1383] avcodec/takdsp: Fix negative shift in decorrelate_sf() Fixes: left shift of negative value -4 Fixes: 25723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6250580752990208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f54f530039db149808478796e8389c14eb73095) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 2441c2baa6..9cb8052596 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = dfactor * (b >> dshift) + 128 >> 8 << dshift; + b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; p1[i] = b - a; } } From c275fefad981f5875101d044b1cefa57f87e53e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Sep 2020 23:31:59 +0200 Subject: [PATCH 0863/1383] avcodec/celp_filters: Avoid invalid negation in ff_celp_lp_synthesis_filter() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 25675/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-4786580731199488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 11a6347f9e544a1b9fba059ae02c30c0e512c195) Signed-off-by: Michael Niedermayer --- libavcodec/celp_filters.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index fafedd99a3..40ff7427df 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -65,11 +65,11 @@ int ff_celp_lp_synthesis_filter(int16_t *out, const int16_t *filter_coeffs, int i,n; for (n = 0; n < buffer_length; n++) { - int sum = -rounder, sum1; + int sum = rounder, sum1; for (i = 1; i <= filter_length; i++) - sum += (unsigned)(filter_coeffs[i-1] * out[n-i]); + sum -= (unsigned)(filter_coeffs[i-1] * out[n-i]); - sum1 = ((-sum >> 12) + in[n]) >> shift; + sum1 = ((sum >> 12) + in[n]) >> shift; sum = av_clip_int16(sum1); if (stop_on_overflow && sum != sum1) From 8a4aab7f0f3d61bc58c1d547192389ced0295c23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:54:36 +0200 Subject: [PATCH 0864/1383] avcodec/exr: Check xdelta, ydelta Fixes: assertion failure Fixes: 25617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5648746061496320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6949df35d0c69ae91bb0f49069e0703deb9bd676) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ba6e3fdcb6..4b417013f9 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1739,7 +1739,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, s->ymin > s->ymax || s->xdelta != s->xmax - s->xmin + 1 || s->xmax >= s->w || - s->ymax >= s->h) { + s->ymax >= s->h || + s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF + ) { av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n"); return AVERROR_INVALIDDATA; } From 13a10e107a6dd8e7b0a0319b0d53bf0b05b39abb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 22:04:16 +0200 Subject: [PATCH 0865/1383] avcodec/exr: Check line size for overflow Fixes: signed integer overflow: 570425356 * 6 cannot be represented in type 'int Fixes: 25929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5099197739827200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b72cea4463dd2fabcd9ba1454a0855e521d0148) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 4b417013f9..e35e4bfd7e 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1092,6 +1092,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */ axmax = 0; /* doesn't add pixel at the right of the datawindow */ + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { @@ -1111,6 +1114,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ td->xsize = s->xdelta; + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ From db94bff82687a55b7ec86db5b927c04008ad8756 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 17:13:10 +0200 Subject: [PATCH 0866/1383] avformat/subviewerdec: fail on AV_NOPTS_VALUE Such values are not supported by ff_subtitles_queue* Fixes: signed integer overflow: 10 - -9223372036854775808 cannot be represented in type 'long' Fixes: 24193/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5714901855895552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7f51428b1c73ab5840485ce537ce098a85d0881) Signed-off-by: Michael Niedermayer --- libavformat/subviewerdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index e8d1eb6c96..19a39f227f 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -132,6 +132,10 @@ static int subviewer_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); } else if (*line) { + if (pts_start == AV_NOPTS_VALUE) { + res = AVERROR_INVALIDDATA; + goto end; + } if (!new_event) { sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1); if (!sub) { From d859b40bf2b074cd5be69e978177a5cec4ce65be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 11:29:01 +0200 Subject: [PATCH 0867/1383] avcodec/sonic: Check for overread Fixes: Timeout (too long -> 1.3 sec) Fixes: 24358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5107284099989504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eeabdef1bf96cdecf80aeb8d0478d008457b048c) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index ad1552a434..2dc04846ab 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1031,6 +1031,9 @@ static int sonic_decode_frame(AVCodecContext *avctx, { int x = ch; + if (c.overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; + predictor_init_state(s->predictor_k, s->predictor_state[ch], s->num_taps); intlist_read(&c, state, s->coded_samples[ch], s->block_align, 1); From 4b6bcdd9973bb97e3b57afc742a596d5f46f40de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:29:15 +0200 Subject: [PATCH 0868/1383] avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int' Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 106f11f68af643ad1f372b840d38a0a30c6e9bcf) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 90c56924a0..97f9def809 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -763,6 +763,11 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) { sh->slice_cb_qp_offset = get_se_golomb(gb); sh->slice_cr_qp_offset = get_se_golomb(gb); + if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 || + sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n"); + return AVERROR_INVALIDDATA; + } } else { sh->slice_cb_qp_offset = 0; sh->slice_cr_qp_offset = 0; From c58f0345b89d2eaa9e692717a2c71ecd79237105 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 21:17:32 +0200 Subject: [PATCH 0869/1383] avcodec/ansi: Check initial dimensions Fixes: Timeout (minutes to less than 1sec) Fixes: 25682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANSI_fuzzer-6320712032452608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 949f0a6be974e4083f8e130c2d6870ef26f0eece) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index c42d6d3dba..e4106dcf72 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -474,6 +474,11 @@ static av_cold int decode_close(AVCodecContext *avctx) return 0; } +static const AVCodecDefault ansi_defaults[] = { + { "max_pixels", "640*480" }, + { NULL }, +}; + AVCodec ff_ansi_decoder = { .name = "ansi", .long_name = NULL_IF_CONFIG_SMALL("ASCII/ANSI art"), @@ -485,4 +490,5 @@ AVCodec ff_ansi_decoder = { .decode = decode_frame, .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .defaults = ansi_defaults, }; From f2025f4ed7551ad2692754d16594137abb370270 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:40:22 +0200 Subject: [PATCH 0870/1383] avcodec/vp9dsp_template: Fix integer overflows in idct16_1d() Fixes: signed integer overflow: -190760 * 11585 cannot be represented in type 'int' Fixes: 25471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5743354917421056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 394e8bb385a351091cb1ba0be986f3bbb15039fd) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 52 ++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 8d00e77d70..bfabe63536 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1290,22 +1290,22 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0a = ((IN(0) + IN(8)) * 11585 + (1 << 13)) >> 14; - t1a = ((IN(0) - IN(8)) * 11585 + (1 << 13)) >> 14; - t2a = (IN(4) * 6270 - IN(12) * 15137 + (1 << 13)) >> 14; - t3a = (IN(4) * 15137 + IN(12) * 6270 + (1 << 13)) >> 14; - t4a = (IN(2) * 3196 - IN(14) * 16069 + (1 << 13)) >> 14; - t7a = (IN(2) * 16069 + IN(14) * 3196 + (1 << 13)) >> 14; - t5a = (IN(10) * 13623 - IN(6) * 9102 + (1 << 13)) >> 14; - t6a = (IN(10) * 9102 + IN(6) * 13623 + (1 << 13)) >> 14; - t8a = (IN(1) * 1606 - IN(15) * 16305 + (1 << 13)) >> 14; - t15a = (IN(1) * 16305 + IN(15) * 1606 + (1 << 13)) >> 14; - t9a = (IN(9) * 12665 - IN(7) * 10394 + (1 << 13)) >> 14; - t14a = (IN(9) * 10394 + IN(7) * 12665 + (1 << 13)) >> 14; - t10a = (IN(5) * 7723 - IN(11) * 14449 + (1 << 13)) >> 14; - t13a = (IN(5) * 14449 + IN(11) * 7723 + (1 << 13)) >> 14; - t11a = (IN(13) * 15679 - IN(3) * 4756 + (1 << 13)) >> 14; - t12a = (IN(13) * 4756 + IN(3) * 15679 + (1 << 13)) >> 14; + t0a = (dctint)((IN(0) + IN(8)) * 11585U + (1 << 13)) >> 14; + t1a = (dctint)((IN(0) - IN(8)) * 11585U + (1 << 13)) >> 14; + t2a = (dctint)(IN(4) * 6270U - IN(12) * 15137U + (1 << 13)) >> 14; + t3a = (dctint)(IN(4) * 15137U + IN(12) * 6270U + (1 << 13)) >> 14; + t4a = (dctint)(IN(2) * 3196U - IN(14) * 16069U + (1 << 13)) >> 14; + t7a = (dctint)(IN(2) * 16069U + IN(14) * 3196U + (1 << 13)) >> 14; + t5a = (dctint)(IN(10) * 13623U - IN(6) * 9102U + (1 << 13)) >> 14; + t6a = (dctint)(IN(10) * 9102U + IN(6) * 13623U + (1 << 13)) >> 14; + t8a = (dctint)(IN(1) * 1606U - IN(15) * 16305U + (1 << 13)) >> 14; + t15a = (dctint)(IN(1) * 16305U + IN(15) * 1606U + (1 << 13)) >> 14; + t9a = (dctint)(IN(9) * 12665U - IN(7) * 10394U + (1 << 13)) >> 14; + t14a = (dctint)(IN(9) * 10394U + IN(7) * 12665U + (1 << 13)) >> 14; + t10a = (dctint)(IN(5) * 7723U - IN(11) * 14449U + (1 << 13)) >> 14; + t13a = (dctint)(IN(5) * 14449U + IN(11) * 7723U + (1 << 13)) >> 14; + t11a = (dctint)(IN(13) * 15679U - IN(3) * 4756U + (1 << 13)) >> 14; + t12a = (dctint)(IN(13) * 4756U + IN(3) * 15679U + (1 << 13)) >> 14; t0 = t0a + t3a; t1 = t1a + t2a; @@ -1324,12 +1324,12 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t15a - t14a; t15 = t15a + t14a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1348,10 +1348,10 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t14a + t13a; t15a = t15 + t12; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; out[ 0] = t0a + t15a; out[ 1] = t1a + t14; From 8bcad00e41869840aaf55dc52cff252671dbb8c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:58:37 +0200 Subject: [PATCH 0871/1383] avcodec/exr: Fix overflow with many blocks Fixes: signed integer overflow: 1073741827 * 8 cannot be represented in type 'int' Fixes: 25621/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6304841641754624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7265b7d904f86ec1c681222310c739f92ba55e5e) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index e35e4bfd7e..6e896d9760 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1771,7 +1771,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) return ret; - if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8) + if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks) return AVERROR_INVALIDDATA; // check offset table and recreate it if need From d7fd7eb2974f6bb5ef8db7e1ee6404345267f83d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 19:05:23 +0200 Subject: [PATCH 0872/1383] avformat/icodec: Change order of operations to avoid NULL dereference Fixes: SEGV on unknown address 0x000000000000 Fixes: 26379/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5709011753893888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 3300f5c133650ba25f94531d40ecc94c79b84457) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 00c03d409c..59e5416116 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -156,12 +156,14 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) IcoDemuxContext *ico = s->priv_data; IcoImage *image; AVIOContext *pb = s->pb; - AVStream *st = s->streams[0]; + AVStream *st; int ret; if (ico->current_image >= ico->nb_images) return AVERROR_EOF; + st = s->streams[0]; + image = &ico->images[ico->current_image]; if ((ret = avio_seek(pb, image->offset, SEEK_SET)) < 0) From 85cf8124426ad9e5ab981aa1525aadd4e623f073 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 13:30:28 +0200 Subject: [PATCH 0873/1383] avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred Fixes: pixel decode issue.ts Fixes: raw frame.hevc Signed-off-by: Michael Niedermayer (cherry picked from commit 3fbf8737923ac49754946a2505367630544b87f1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6fe33546b1..f1a1f4c1f0 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -83,6 +83,7 @@ do { \ int y = y0 >> vshift; int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; + int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size)); int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb); @@ -103,11 +104,11 @@ do { \ pixel *top = top_array + 1; pixel *filtered_left = filtered_left_array + 1; pixel *filtered_top = filtered_top_array + 1; - int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask); + int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask); int cand_left = lc->na.cand_left; int cand_up_left = lc->na.cand_up_left; int cand_up = lc->na.cand_up; - int cand_up_right = lc->na.cand_up_right && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); + int cand_up_right = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) - (y0 + size_in_luma_v)) >> vshift; From 6778e41252a4c4f78f30638c9e66447d8d3ed2ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 13:30:29 +0200 Subject: [PATCH 0874/1383] avcodec/utils: Check for overflow with ATRAC* in get_audio_frame_duration() Fixes: signed integer overflow: 1024 * 13129048 cannot be represented in type 'int' Fixes: 26378/clusterfuzz-testcase-minimized-ffmpeg_dem_CODEC2RAW_fuzzer-5634018353348608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01bb12f883dccc419317516e093fdc6dfa41bc31) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cba04a2f59..830bebc8c7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1573,7 +1573,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_MP1: return 384; case AV_CODEC_ID_ATRAC1: return 512; case AV_CODEC_ID_ATRAC9: - case AV_CODEC_ID_ATRAC3: return 1024 * framecount; + case AV_CODEC_ID_ATRAC3: + if (framecount > INT_MAX/1024) + return 0; + return 1024 * framecount; case AV_CODEC_ID_ATRAC3P: return 2048; case AV_CODEC_ID_MP2: case AV_CODEC_ID_MUSEPACK7: return 1152; From 1f8aa084ea9011307d322eb399aaeaf51c929794 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Sep 2020 20:23:10 +0200 Subject: [PATCH 0875/1383] avcodec/cook: Check subpacket index against max Fixes: off by 1 error Fixes: index 5 out of bounds for type 'COOKSubpacket [5]' Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a2a7604da5f7a2fc498d1d5c90bd892edac9ce8) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index f7b2461a2b..451eef9609 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) ff_audiodsp_init(&q->adsp); while (bytestream2_get_bytes_left(&gb)) { + if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); + return AVERROR_PATCHWELCOME; + } /* 8 for mono, 16 for stereo, ? for multichannel Swap to right endianness so we don't need to care later on. */ q->subpacket[s].cookversion = bytestream2_get_be32(&gb); @@ -1215,10 +1219,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { - avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); - return AVERROR_PATCHWELCOME; - } } /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ From 29dade5fea9d207112fccc089085fd5db7cff8d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 10:54:31 +0200 Subject: [PATCH 0876/1383] avcodec/smacker: Check remaining bits in SMK_BLK_FULL Fixes: out of array access Fixes: 26047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5083031667474432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42ded4d1e6fb0086a235dc584118414ae2bf30c9) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index e9810b1be7..b42d71b1c0 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -484,6 +484,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case SMK_BLK_FULL: mode = 0; if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(&gb)) mode = 1; else if(get_bits1(&gb)) mode = 2; } From 13de14d44da9d224152620b39040dbf01cb94f86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Oct 2020 20:44:23 +0200 Subject: [PATCH 0877/1383] avformat/flvdec: Check for EOF in amf_parse_object() Fixes: Timeout (too long -> 1ms) Fixes: 26108/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5653887668977664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 33624f4f2e1feb08f277126e637d4a28016eb07a) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a2dea464e3..0dd14e1c39 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -469,6 +469,8 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, num_val = 0; ioc = s->pb; + if (avio_feof(ioc)) + return AVERROR_EOF; amf_type = avio_r8(ioc); switch (amf_type) { From 75ce842d7c3de47ffbe86b3c1f6c1cbc912daf14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Aug 2020 18:05:34 +0200 Subject: [PATCH 0878/1383] avformat/rmdec: sanity check coded_framesize Fixes: signed integer overflow: -14671840 * 8224 cannot be represented in type 'int' Fixes: 24793/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5101884323659776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aee8477c6ba20469ebe531448d31c642717b5f48) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 5af5beccb3..1b4a298bc6 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -164,7 +164,11 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_rb16(pb); /* version2 */ avio_rb32(pb); /* header size */ flavor= avio_rb16(pb); /* add codec info / flavor */ - ast->coded_framesize = coded_framesize = avio_rb32(pb); /* coded frame size */ + coded_framesize = avio_rb32(pb); /* coded frame size */ + if (coded_framesize < 0) + return AVERROR_INVALIDDATA; + ast->coded_framesize = coded_framesize; + avio_rb32(pb); /* ??? */ bytes_per_minute = avio_rb32(pb); if (version == 4) { From 92b8c0a8c102a25cc117b9853ced649c709c3a8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Oct 2020 17:11:27 +0200 Subject: [PATCH 0879/1383] avcodec/aacdec_fixed: Limit index in vector_pow43() Fixes: out of array access Fixes: 26087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5724825462767616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f83a536384afda45acb6d7cdd22017c8c314f9e) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 411d96d5a6..e0fe504b8e 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len) for (i=0; i Date: Thu, 15 Oct 2020 21:35:43 +0200 Subject: [PATCH 0880/1383] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() Fixes: signed integer overflow: 241173056 + 1953511200 cannot be represented in type 'int' Fixes: 26086/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5068366420901888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d1983628394e076001cc67d85656f9842b7282a3) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 5993ae2e6e..f19579a47c 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -278,7 +278,7 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ const int stride= 16*2; const int xStride= 16; int i; - int temp[8]; + unsigned temp[8]; static const uint8_t x_offset[2]={0, 16}; dctcoef *block = (dctcoef*)_block; From 31517647e5dda2990f524e04bddf08ab2075e8aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Oct 2020 22:04:56 +0200 Subject: [PATCH 0881/1383] avformat/asfdec_f: Check name_len for overflow Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int' Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0d088a47ca0243576078f109fff20617d1fac382) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index ae36aeab28..2964384430 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) avio_rl32(pb); // send time avio_rl32(pb); // flags name_len = avio_rl32(pb); // name length + if ((unsigned)name_len > INT_MAX / 2) + return AVERROR_INVALIDDATA; if ((ret = avio_get_str16le(pb, name_len * 2, name, sizeof(name))) < name_len) avio_skip(pb, name_len - ret); From 253b1ed27ef5a5b2a61d616d80a28d939972d3ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 19:09:37 +0200 Subject: [PATCH 0882/1383] avformat/boadec: Check that channels and block_align are set Fixes: Infinite loop Fixes: 26381/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-5745789089087488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44ff5a1bff424b1576dff366ccd246805b4e5567) Signed-off-by: Michael Niedermayer --- libavformat/boadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/boadec.c b/libavformat/boadec.c index 730e9573d5..70b4955a7b 100644 --- a/libavformat/boadec.c +++ b/libavformat/boadec.c @@ -54,12 +54,12 @@ static int read_header(AVFormatContext *s) avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); st->codecpar->channels = avio_rl32(s->pb); - if (st->codecpar->channels > FF_SANE_NB_CHANNELS) + if (st->codecpar->channels > FF_SANE_NB_CHANNELS || st->codecpar->channels <= 0) return AVERROR(ENOSYS); s->internal->data_offset = avio_rl32(s->pb); avio_r8(s->pb); st->codecpar->block_align = avio_rl32(s->pb); - if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS) + if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS || st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; st->codecpar->block_align *= st->codecpar->channels; From c8c0ed9e2bf8c26eec22bd2fb8c4daa1cf6f3e2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 18:08:37 +0200 Subject: [PATCH 0883/1383] avcodec/exr: Check limits to avoid overflow in delta computation Fixes: signed integer overflow: 553590816 - -2145378049 cannot be represented in type 'int' Fixes: 26315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5938755121446912 Fixes: 26340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5644316208529408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6910e0f4e5c40b5b902e4dd87256327d860d53f5) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 6e896d9760..4c70e7b054 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1520,15 +1520,27 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) { + int xmin, ymin, xmax, ymax; if (!var_size) { ret = AVERROR_INVALIDDATA; goto fail; } - s->xmin = bytestream2_get_le32(&s->gb); - s->ymin = bytestream2_get_le32(&s->gb); - s->xmax = bytestream2_get_le32(&s->gb); - s->ymax = bytestream2_get_le32(&s->gb); + xmin = bytestream2_get_le32(&s->gb); + ymin = bytestream2_get_le32(&s->gb); + xmax = bytestream2_get_le32(&s->gb); + ymax = bytestream2_get_le32(&s->gb); + + if (xmin > xmax || ymin > ymax || + (unsigned)xmax - xmin >= INT_MAX || + (unsigned)ymax - ymin >= INT_MAX) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + s->xmin = xmin; + s->xmax = xmax; + s->ymin = ymin; + s->ymax = ymax; s->xdelta = (s->xmax - s->xmin) + 1; s->ydelta = (s->ymax - s->ymin) + 1; From d2cefe21e1d61e940c11e64233d3ceaf46c40c3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Oct 2020 23:01:38 +0200 Subject: [PATCH 0884/1383] avcodec/decode/ff_get_buffer: Check for overflow in FFALIGN() Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 26218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5734075396259840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 939b72b02e40a7db440b68f31ab23bd550785344) Signed-off-by: Michael Niedermayer --- libavcodec/decode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/decode.c b/libavcodec/decode.c index c89c77c43a..9f11feb4c5 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c @@ -1864,7 +1864,8 @@ static int get_buffer_internal(AVCodecContext *avctx, AVFrame *frame, int flags) int ret; if (avctx->codec_type == AVMEDIA_TYPE_VIDEO) { - if ((ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) { + if ((unsigned)avctx->width > INT_MAX - STRIDE_ALIGN || + (ret = av_image_check_size2(FFALIGN(avctx->width, STRIDE_ALIGN), avctx->height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx)) < 0 || avctx->pix_fmt<0) { av_log(avctx, AV_LOG_ERROR, "video_get_buffer: image parameters invalid\n"); return AVERROR(EINVAL); } From 0ee0f51886ad30a6247875c6654b15d4563185ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:59:53 +0200 Subject: [PATCH 0885/1383] avformat/wtvdec: Check dir_length Fixes: Infinite loop Fixes: 26445/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5125558331244544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1868cb731660490beb750389266adb6e68e9123d) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 7971026db6..ed3ebb3d89 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -274,6 +274,11 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b "bad filename length, remaining directory entries ignored\n"); break; } + if (dir_length == 0) { + av_log(s, AV_LOG_ERROR, + "bad dir length, remaining directory entries ignored\n"); + break; + } if (48 + (int64_t)name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; From 5fc65636a7ae89aedcdfab10a023f4ce0f65409c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 00:37:25 +0200 Subject: [PATCH 0886/1383] avformat/segafilm: Check that there is a stream Fixes: assertion failure Fixes: 26472/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5759751591559168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit c0d7fd269beed030fc767fee28d9dbe111bc4427) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index b0c6c419ce..df9f08e624 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -144,6 +144,9 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } + if (!film->video_type && !film->audio_type) + return AVERROR_INVALIDDATA; + /* initialize the decoder streams */ if (film->video_type) { st = avformat_new_stream(s, NULL); From 5aaf7f46460f6811a41623d36112abfb80b80257 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 18:18:43 +0200 Subject: [PATCH 0887/1383] avformat/segafilm: Do not assume AV_CODEC_ID_NONE is 0 Suggested-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit d34e4904cd6d965693b285713660f4e84200d60b) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index df9f08e624..3d64e42707 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -144,11 +144,11 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } - if (!film->video_type && !film->audio_type) + if (film->video_type == AV_CODEC_ID_NONE && film->audio_type == AV_CODEC_ID_NONE) return AVERROR_INVALIDDATA; /* initialize the decoder streams */ - if (film->video_type) { + if (film->video_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); @@ -169,7 +169,7 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) { + if (film->audio_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); @@ -244,7 +244,7 @@ static int film_read_header(AVFormatContext *s) film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; film->sample_table[i].keyframe = (scratch[8] & 0x80) ? 0 : AVINDEX_KEYFRAME; video_frame_counter++; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) av_add_index_entry(s->streams[film->video_stream_index], film->sample_table[i].sample_offset, film->sample_table[i].pts, @@ -253,10 +253,10 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) + if (film->audio_type != AV_CODEC_ID_NONE) s->streams[film->audio_stream_index]->duration = audio_frame_counter; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) s->streams[film->video_stream_index]->duration = video_frame_counter; film->current_sample = 0; From 5be63051e7ba70afc8660ecb81071679695af255 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Oct 2020 22:19:32 +0200 Subject: [PATCH 0888/1383] avformat/au: Check for EOF in au_read_annotation() Fixes: Timeout (too looong -> 1 ms) Fixes: 26366/clusterfuzz-testcase-minimized-ffmpeg_dem_SDX_fuzzer-5655584843759616 Fixes: 26391/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-5484026133217280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e680d50eb4feddafb2d8575b21fc5fc8764f4801) Signed-off-by: Michael Niedermayer --- libavformat/au.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/au.c b/libavformat/au.c index 520824fc12..a414292894 100644 --- a/libavformat/au.c +++ b/libavformat/au.c @@ -86,6 +86,8 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { + if (avio_feof(pb)) + return AVERROR_EOF; c = avio_r8(pb); switch(state) { case PARSE_KEY: From cb961b232229415afc3d06826db788e6ad6cde1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:40:57 +0200 Subject: [PATCH 0889/1383] avformat/genh: Check block_align for how it will be used in SDX2_DPCM Fixes: signed integer overflow: 19922944 * 1024 cannot be represented in type 'int' Fixes: 26402/clusterfuzz-testcase-minimized-ffmpeg_dem_VMD_fuzzer-5745470053548032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c95b47e18fdb43a4c667ae22a5d3a5ee6cf7782d) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/genh.c b/libavformat/genh.c index dd4e76d3d9..2582151df0 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -87,7 +87,9 @@ static int genh_read_header(AVFormatContext *s) case 5: st->codecpar->codec_id = st->codecpar->block_align > 0 ? AV_CODEC_ID_PCM_S8_PLANAR : AV_CODEC_ID_PCM_S8; break; - case 6: st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; + case 6: if (st->codecpar->block_align > INT_MAX/1024) + return AVERROR_INVALIDDATA; + st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; case 7: ret = ff_alloc_extradata(st->codecpar, 2); if (ret < 0) return ret; From 6cc18dca5547099c924736cbbe7a47eb5d75ca19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 22:19:58 +0200 Subject: [PATCH 0890/1383] avformat/bethsoftvid: Check image dimensions before use Fixes: signed integer overflow: 55255 * 53207 cannot be represented in type 'int' Fixes: 26387/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS2_fuzzer-5684222226071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50b29f081e9620dc39727adef707c2c323a8c095) Signed-off-by: Michael Niedermayer --- libavformat/bethsoftvid.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index 752e05236d..5ecd26c5a9 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c @@ -28,6 +28,7 @@ */ #include "libavutil/channel_layout.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "internal.h" @@ -71,6 +72,7 @@ static int vid_read_header(AVFormatContext *s) { BVID_DemuxContext *vid = s->priv_data; AVIOContext *pb = s->pb; + int ret; /* load main header. Contents: * bytes: 'V' 'I' 'D' @@ -83,6 +85,10 @@ static int vid_read_header(AVFormatContext *s) vid->bethsoft_global_delay = avio_rl16(pb); avio_rl16(pb); + ret = av_image_check_size(vid->width, vid->height, 0, s); + if (ret < 0) + return ret; + // wait until the first packet to create each stream vid->video_index = -1; vid->audio_index = -1; From c7fd8744b5861eb908e9a4d28e6450a331056e96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 11:13:19 +0200 Subject: [PATCH 0891/1383] avformat/asfdec_f: Check for negative ext_len Fixes: Infinite loop Fixes: 26376/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_U32LE_fuzzer-6050518830678016 Fixes: 26377/clusterfuzz-testcase-minimized-ffmpeg_dem_TY_fuzzer-4838195726123008 Fixes: 26384/clusterfuzz-testcase-minimized-ffmpeg_dem_G729_fuzzer-5173450337157120 Fixes: 26396/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_S24BE_fuzzer-5071092206796800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 209b9ff5c3f337da4a3d82e59b8815eca2737ffa) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2964384430..3439bcbd51 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -607,6 +607,8 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) ff_get_guid(pb, &g); size = avio_rl16(pb); ext_len = avio_rl32(pb); + if (ext_len < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, ext_len); if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) { ASFPayload *p = &asf->streams[stream_num].payload[i]; From be62e519435b7995cc551740e3dd81c7d3c96ef4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 20:39:33 +0200 Subject: [PATCH 0892/1383] avcodec/magicyuv: Check slice size before reading flags and pred Fixes: heap-buffer-overflow Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 0dc42147b6843b133d4fa46bf1c2568a837b4bec) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 54a5ce0192..e41de1d608 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -706,6 +706,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, s->slices[i][j].start = offset + header_size; s->slices[i][j].size = avpkt->size - s->slices[i][j].start; + + if (s->slices[i][j].size < 2) + return AVERROR_INVALIDDATA; } if (bytestream2_get_byte(&gbyte) != s->planes) From afb0664623c7b345f8ae5e57a07801c937be114b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:39:30 +0200 Subject: [PATCH 0893/1383] avformat/mvi: Check count for overflow Fixes: left shift of 21378748 by 10 places cannot be represented in type 'int' Fixes: 26449/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5680463374712832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a413ed98632127342ad04b26e0ba0dc26adb70c9) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 9f90faf56b..1e2a08b44c 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -122,6 +122,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; + if ((int64_t)count << MVI_FRAC_BITS > INT_MAX) + return AVERROR_INVALIDDATA; if ((ret = av_get_packet(pb, pkt, count)) < 0) return ret; pkt->stream_index = MVI_AUDIO_STREAM_INDEX; From a090f4cf0ca714eb64095acf6b8b98e56757002b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:05:01 +0200 Subject: [PATCH 0894/1383] avformat/genh: Check block_align Fixes: infinite loop Fixes: 26440/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5632134020333568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37396e9ba85d8969a3b5e3314ab99ff604845628) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index 2582151df0..cbdd53324b 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -146,6 +146,9 @@ static int genh_read_header(AVFormatContext *s) } } + if (st->codecpar->block_align <= 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, start_offset - avio_tell(s->pb)); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From b7b6f4c557c7306c1aab56a3fb6632aa7b88de8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:29:01 +0200 Subject: [PATCH 0895/1383] avformat/jacosubdec: Use 64bit inside get_shift() Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int' Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 715ff75e5dbbbefff7337351db596a9b7a5d4379) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 87dc649485..85840d8529 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -135,6 +135,7 @@ static int get_shift(int timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; + int64_t ret; #define SSEP "%*1[.:]" int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP @@ -144,13 +145,16 @@ static int get_shift(int timeres, const char *buf) a = FFABS(a); } + ret = 0; switch (n) { - case 4: return sign * ((a*3600 + b*60 + c) * timeres + d); - case 3: return sign * (( a*60 + b) * timeres + c); - case 2: return sign * (( a) * timeres + b); + case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); + case 2: ret = sign * (( (int64_t)a) * timeres + b); } + if ((int)ret != ret) + ret = 0; - return 0; + return ret; } static int jacosub_read_header(AVFormatContext *s) From f608e7801634f0ac9b661a22033be06ab5f5180b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 10:53:31 +0200 Subject: [PATCH 0896/1383] avformat/nistspheredec: Check bps Fixes: left shift of 1111111190 by 3 places cannot be represented in type 'int' Fixes: 26437/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-4886896091856896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c144b363e67bef7651108c88687b38155172c1f) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 55f22ebcf4..dbf031f3e3 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -109,6 +109,8 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); + if (bps > INT_MAX/8U) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { From 3ce851aab3acdee92ca0a8d3149de3e3878e28bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Oct 2020 21:54:14 +0200 Subject: [PATCH 0897/1383] avcodec/fits: Check bscale Fixes: division by 0 Fixes: 26208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-6270472117026816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2ccd76fd000f69e355280b487213fb63821c8aa) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index ad73ab70de..25c33e06c8 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t header->blank = t; header->blank_found = 1; } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) { + if (d <= 0) + return AVERROR_INVALIDDATA; header->bscale = d; } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) { header->bzero = d; From 57396f97ca37b5a94d723a9c888f7129ec2fe901 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Oct 2020 22:04:14 +0200 Subject: [PATCH 0898/1383] avcodec/vp9dsp_template: Fix some overflows in iadst8_1d() Fixes: signed integer overflow: 190587 * 11585 cannot be represented in type 'int' Fixes: 26407/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5086348408782848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bca0735be52e471b1906aed34c60028d90646d90) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bfabe63536..3acf94c583 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1275,10 +1275,10 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; - out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); - out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; - out[2] = ((t6 + t7) * 11585 + (1 << 13)) >> 14; - out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14); + out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14); + out[4] = (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14; + out[2] = (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14; + out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14); } itxfm_wrap(8, 5) From ce445adcbd8abcc3d22af8752f6a792e09cbca3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 19:24:30 +0200 Subject: [PATCH 0899/1383] avformat/electronicarts: Check for EOF in each iteration of the loop in ea_read_packet() Fixes: timeout(>20sec -> 1ms) Fixes: 26526/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-5672328069120000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 857aba7c45faf0335ad91ecabc0bce8b94320758) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 87c7f0cf70..eddc81b8ee 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -582,6 +582,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) int av_uninit(num_samples); while ((!packet_read && !hit_end) || partial_packet) { + if (avio_feof(pb)) + return AVERROR_EOF; chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) From c7a3dacf539c45157b4f763c95f61c4f8311db0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:55:13 +0200 Subject: [PATCH 0900/1383] avformat/lrcdec: Clip timestamps Fixes: signed integer overflow: 7111111111111531010 - -7335632962598013506 cannot be represented in type 'long' Fixes: 26463/clusterfuzz-testcase-minimized-ffmpeg_dem_LRC_fuzzer-6015558333759488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 80bc2ac3c06319cf85428c58c471d105d25ae987) Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 45f0bf24a7..fa379372a1 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -185,6 +185,8 @@ static int lrc_read_header(AVFormatContext *s) sscanf(comma_offset + 1, "%"SCNd64, &lrc->ts_offset) != 1) { av_dict_set(&s->metadata, line.str + 1, comma_offset + 1, 0); } + lrc->ts_offset = av_clip64(lrc->ts_offset, INT64_MIN/4, INT64_MAX/4); + *comma_offset = ':'; *right_bracket_offset = ']'; } @@ -198,6 +200,7 @@ static int lrc_read_header(AVFormatContext *s) while((ts_stroffset_incr = read_ts(line.str + ts_stroffset, &ts_start)) != 0) { + ts_start = av_clip64(ts_start, INT64_MIN/4, INT64_MAX/4); ts_stroffset += ts_stroffset_incr; sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); From d608ea00275f9f7110b1616026f774814d291df7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:44:32 +0200 Subject: [PATCH 0901/1383] avformat/pcm: Check block_align Fixes: signed integer overflow: 321 * 8746632 cannot be represented in type 'int' Fixes: 26461/clusterfuzz-testcase-minimized-ffmpeg_dem_PVF_fuzzer-6326427831762944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b23a619c132a8ad5282a5fd02bfe8b253101c79d) Signed-off-by: Michael Niedermayer --- libavformat/pcm.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/pcm.c b/libavformat/pcm.c index 767bbd045a..1effc0b6f8 100644 --- a/libavformat/pcm.c +++ b/libavformat/pcm.c @@ -39,7 +39,11 @@ int ff_pcm_read_packet(AVFormatContext *s, AVPacket *pkt) * Clamp to RAW_SAMPLES if larger. */ size = FFMAX(par->sample_rate/25, 1); - size = FFMIN(size, RAW_SAMPLES) * par->block_align; + if (par->block_align <= INT_MAX / RAW_SAMPLES) { + size = FFMIN(size, RAW_SAMPLES) * par->block_align; + } else { + size = par->block_align; + } ret = av_get_packet(s->pb, pkt, size); From 7487e6b6a74726c9f1371a2f84f84f12908923e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:32:59 +0200 Subject: [PATCH 0902/1383] avformat/rmdec: Make expected_len 64bit Fixes: signed integer overflow: 1347551268 * 14 cannot be represented in type 'int' Fixes: 26458/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5655364324032512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 728330462cadb765307cc132377b6b5d177a225c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 1b4a298bc6..ba50839103 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -700,17 +700,19 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre state= (state<<8) + avio_r8(pb); if(state == MKBETAG('I', 'N', 'D', 'X')){ - int n_pkts, expected_len; + int n_pkts; + int64_t expected_len; len = avio_rb32(pb); avio_skip(pb, 2); n_pkts = avio_rb32(pb); - expected_len = 20 + n_pkts * 14; - if (len == 20) + expected_len = 20 + n_pkts * 14LL; + + if (len == 20 && expected_len <= INT_MAX) /* some files don't add index entries to chunk size... */ len = expected_len; else if (len != expected_len) av_log(s, AV_LOG_WARNING, - "Index size %d (%d pkts) is wrong, should be %d.\n", + "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); len -= 14; // we already read part of the index header if(len<0) From 8d46937051b282a0fdb49c09ad2a3970d37becbb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 20:29:50 +0200 Subject: [PATCH 0903/1383] avcodec/dirac_parser: do not offset AV_NOPTS_OFFSET Fixes: signed integer overflow: -9223372036854775807 - 48000 cannot be represented in type 'long long' Fixes: 26521/clusterfuzz-testcase-minimized-ffmpeg_dem_DIRAC_fuzzer-5635536506847232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 343c3149ab3d77be76f035d3b18bb2b2da48ce1f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index fbc7414c79..8e68b4a9da 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -215,7 +215,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; - else + else if (s->last_dts != AV_NOPTS_VALUE) s->dts = s->last_dts + 1; s->pts = pts; if (!avctx->has_b_frames && (cur_pu[4] & 0x03)) From c07661c8cd9508d4db1ea8cd408ecc078acc7d0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 17:21:19 +0100 Subject: [PATCH 0904/1383] avcodec/utils: Check sample rate before use for AV_CODEC_ID_BINKAUDIO_DCT in get_audio_frame_duration() Fixes: shift exponent 95 is too large for 32-bit type 'int' Fixes: 26590/clusterfuzz-testcase-minimized-ffmpeg_dem_SMACKER_fuzzer-5120609937522688 Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ec7e0d42884b40ce93b6b5e94de5f7849310f8a0) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 830bebc8c7..cdd6f9f0b8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1592,8 +1592,11 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ch > 0) { /* calc from sample rate and channels */ - if (id == AV_CODEC_ID_BINKAUDIO_DCT) + if (id == AV_CODEC_ID_BINKAUDIO_DCT) { + if (sr / 22050 > 22) + return 0; return (480 << (sr / 22050)) / ch; + } } if (id == AV_CODEC_ID_MP3) From bb88c223d6b414cf939dc8143f41a36da332ab30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 19:37:45 +0200 Subject: [PATCH 0905/1383] avformat/xwma: Check for EOF in dpds_table read code Fixes: Timeout (>30 -> 140ms) Fixes: 26478/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-5918147066200064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44b18a76b8d4e01c7ce62474aaf196857e75e976) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index f357c3e881..ffe0bb7012 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -211,6 +211,10 @@ static int xwma_read_header(AVFormatContext *s) } for (i = 0; i < dpds_table_size; ++i) { + if (avio_feof(pb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } dpds_table[i] = avio_rl32(pb); size -= 4; } From 36ff07fd0281f6b5b9ed6466d23b82c1e91c4906 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 22:56:17 +0200 Subject: [PATCH 0906/1383] avformat/iff: More completely check body_size Fixes: infinite loop Fixes: 26485/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5126561373880320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3588e2e6b05ba92f0907e9ffe263c2e65d53e346) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index aa2d9dd48c..d1c99fe9ce 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -837,7 +837,7 @@ static int iff_read_packet(AVFormatContext *s, } else if (st->codecpar->codec_tag == ID_DST) { return read_dst_frame(s, pkt); } else { - if (iff->body_size > INT_MAX) + if (iff->body_size > INT_MAX || !iff->body_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); } @@ -873,6 +873,8 @@ static int iff_read_packet(AVFormatContext *s, pkt->flags |= AV_PKT_FLAG_KEY; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st->codecpar->codec_tag != ID_ANIM) { + if (iff->body_size > INT_MAX || !iff->body_size) + return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); pkt->pos = pos; if (pos == iff->body_pos) From c07f2cfaec7eb96aeacd948c8979e7983cfa1f8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 18:15:53 +0200 Subject: [PATCH 0907/1383] avformat/rsd: Check size and start before computing duration Fixes: signed integer overflow: 100794754 * 28 cannot be represented in type 'int' Fixes: 26474/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5181797606096896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c79d8a685182a8d8735887399bf0f3742b020597) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index 1c99f8c21c..f3833d5145 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -104,13 +104,9 @@ static int rsd_read_header(AVFormatContext *s) break; case AV_CODEC_ID_ADPCM_PSX: par->block_align = 16 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_RAD: par->block_align = 20 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_WAV: if (version == 2) @@ -118,8 +114,6 @@ static int rsd_read_header(AVFormatContext *s) par->bits_per_coded_sample = 4; par->block_align = 36 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP_LE: /* RSD3GADP is mono, so only alloc enough memory @@ -129,8 +123,6 @@ static int rsd_read_header(AVFormatContext *s) if ((ret = ff_get_extradata(s, par, s->pb, 32)) < 0) return ret; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP: par->block_align = 8 * par->channels; @@ -143,18 +135,36 @@ static int rsd_read_header(AVFormatContext *s) avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / (8 * par->channels) * 14; break; case AV_CODEC_ID_PCM_S16LE: case AV_CODEC_ID_PCM_S16BE: if (version != 4) start = avio_rl32(pb); - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / 2 / par->channels; break; } + if (start < 0) + return AVERROR_INVALIDDATA; + + if (pb->seekable & AVIO_SEEKABLE_NORMAL) { + int64_t remaining = avio_size(pb); + + if (remaining >= start && remaining - start <= INT_MAX) + switch (par->codec_id) { + case AV_CODEC_ID_ADPCM_PSX: + case AV_CODEC_ID_ADPCM_IMA_RAD: + case AV_CODEC_ID_ADPCM_IMA_WAV: + case AV_CODEC_ID_ADPCM_THP_LE: + st->duration = av_get_audio_frame_duration2(par, remaining - start); + break; + case AV_CODEC_ID_ADPCM_THP: + st->duration = (remaining - start) / (8 * par->channels) * 14; + break; + case AV_CODEC_ID_PCM_S16LE: + case AV_CODEC_ID_PCM_S16BE: + st->duration = (remaining - start) / 2 / par->channels; + } + } avio_skip(pb, start - avio_tell(pb)); if (par->codec_id == AV_CODEC_ID_XMA2) { From 26db6eccce82d3e44c3d0d0257f8f579b3326018 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:50:57 +0200 Subject: [PATCH 0908/1383] avformat/wavdec: Refuse to read chunks bigger than the filesize in w64_read_header() Fixes: OOM Fixes: 26414/clusterfuzz-testcase-minimized-ffmpeg_dem_FWSE_fuzzer-5070632544632832 Fixes: 26475/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5770207722995712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b2244565ac8cb1eddd085e1a382a893ac03bfb4) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 08b6f27e9d..1975a6ffb6 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -836,6 +836,7 @@ static int w64_read_header(AVFormatContext *s) } else if (!memcmp(guid, ff_w64_guid_summarylist, 16)) { int64_t start, end, cur; uint32_t count, chunk_size, i; + int64_t filesize = avio_size(s->pb); start = avio_tell(pb); end = start + FFALIGN(size, INT64_C(8)) - 24; @@ -850,7 +851,7 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); - if (chunk_size == UINT32_MAX) + if (chunk_size == UINT32_MAX || (filesize >= 0 && chunk_size > filesize)) return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); From 4ed66956584c881c29b1381fbd573adeaa5c4338 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 23:46:33 +0100 Subject: [PATCH 0909/1383] avformat/concatdec: use av_strstart() Fixes: out array read Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 2610acb49a140901dacbd36c598a5514cf9ade0d) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index bbe13136fa..9284476de4 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -112,7 +112,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, ConcatFile *file; char *url = NULL; const char *proto; - size_t url_len, proto_len; + const char *ptr; + size_t url_len; int ret; if (cat->safe > 0 && !safe_filename(filename)) { @@ -121,9 +122,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, } proto = avio_find_protocol_name(filename); - proto_len = proto ? strlen(proto) : 0; - if (proto && !memcmp(filename, proto, proto_len) && - (filename[proto_len] == ':' || filename[proto_len] == ',')) { + if (proto && av_strstart(filename, proto, &ptr) && + (*ptr == ':' || *ptr == ',')) { url = filename; filename = NULL; } else { From 5a76224c8826b3b7719a97e47ac9d2120a0fc419 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 20:55:31 +0100 Subject: [PATCH 0910/1383] avformat/aiffdec: Check packet size Fixes: Fixes infinite loop Fixes: 26575/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5727522236661760 Signed-off-by: Michael Niedermayer (cherry picked from commit 0ba71a72d3a617b255b71988a000d5093222f779) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 7c701e0c70..413ae54748 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -398,6 +398,8 @@ static int aiff_read_packet(AVFormatContext *s, break; default: size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE; + if (!size) + return AVERROR_INVALIDDATA; } size = FFMIN(max_size, size); res = av_get_packet(s->pb, pkt, size); From da5220bc06bf53725f3bfe58e384780584b7e9c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:08:55 +0100 Subject: [PATCH 0911/1383] avformat/gxf: Check pkt_len Fixes: Infinite loop Fixes: 26576/clusterfuzz-testcase-minimized-ffmpeg_dem_GXF_fuzzer-4823080360476672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dad9a86ca7bf912289aafb33d96980630e6ec53a) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 399f745bc7..640a2bacb4 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -285,9 +285,12 @@ static void gxf_track_tags(AVIOContext *pb, int *len, struct gxf_stream_info *si static void gxf_read_index(AVFormatContext *s, int pkt_len) { AVIOContext *pb = s->pb; AVStream *st; - uint32_t fields_per_map = avio_rl32(pb); - uint32_t map_cnt = avio_rl32(pb); + uint32_t fields_per_map, map_cnt; int i; + if (pkt_len < 8) + return; + fields_per_map = avio_rl32(pb); + map_cnt = avio_rl32(pb); pkt_len -= 8; if ((s->flags & AVFMT_FLAG_IGNIDX) || !s->streams) { avio_skip(pb, pkt_len); From 72a8fb594d3954c64bd2a8e477fe56921ec089d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 20:30:48 +0200 Subject: [PATCH 0912/1383] avformat/paf: Check for EOF in read_table() Fixes: OOM Fixes: 26528/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5081929248145408 Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 437b7302b09a04e0fbfcd594114b52c5c6d89d32) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavformat/paf.c b/libavformat/paf.c index fa30cdd72a..a2d411c2f6 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s) return 0; } -static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count) +static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count) { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; table[i] = avio_rl32(s->pb); + } avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count)); + return 0; } static int read_header(AVFormatContext *s) @@ -171,9 +175,15 @@ static int read_header(AVFormatContext *s) avio_seek(pb, p->buffer_size, SEEK_SET); - read_table(s, p->blocks_count_table, p->nb_frames); - read_table(s, p->frames_offset_table, p->nb_frames); - read_table(s, p->blocks_offset_table, p->frame_blks); + ret = read_table(s, p->blocks_count_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->frames_offset_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->blocks_offset_table, p->frame_blks); + if (ret < 0) + goto fail; p->got_audio = 0; p->current_frame = 0; From 9d2df3050e6e76aeec5b6403c6dde0b2cba91170 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 21:51:08 +0100 Subject: [PATCH 0913/1383] avformat/iff: check size against INT64_MAX Bigger sizes are misinterpreted as negative numbers by the API Fixes: infinite loop Fixes: 26611/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4890614975692800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f291cd681b1235e150464ad83974d60d6879b492) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index d1c99fe9ce..dd434de2d4 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -223,6 +223,9 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t orig_pos = avio_tell(pb); const char * metadata_tag = NULL; + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('D','I','A','R'): metadata_tag = "artist"; break; case MKTAG('D','I','T','I'): metadata_tag = "title"; break; From c2221da01937dc79080a38ca75115e65af6a5623 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 0914/1383] avformat/bintext: Check width in idf_read_header() Fixes: division by 0 Fixes: 26802/clusterfuzz-testcase-minimized-ffmpeg_dem_IDF_fuzzer-5180591554953216.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 442d53f409c8d84c7db120227caac00af54aa884) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index 0b499d9555..599e4e3e3e 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -340,6 +340,8 @@ static int idf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 12, SEEK_SET); From f9cde79ca7f984e47e29d414cdc58a83793f55eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:47 +0100 Subject: [PATCH 0915/1383] avformat/mpegts: Limit copied data to space Fixes: out of array access Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 79cf7c71910a69b9f22b3e7ee6508a771262abaf) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index fe502ae77e..ba98bba0d3 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2949,7 +2949,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } if (data != pkt->data) - memcpy(pkt->data, data, ts->raw_packet_size); + memcpy(pkt->data, data, TS_PACKET_SIZE); finished_reading_packet(s, ts->raw_packet_size); if (ts->mpeg2ts_compute_pcr) { /* compute exact PCR for each packet */ From 5d0d405d6c34ff83c19c387802e540bc890c699a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 20:23:54 +0100 Subject: [PATCH 0916/1383] avformat/au: cleanup on EOF return in au_read_annotation() Fixes: memleak Fixes: 26841/clusterfuzz-testcase-minimized-ffmpeg_dem_AU_fuzzer-5174166309044224 Regression since: e680d50eb4feddafb2d8575b21fc5fc8764f4801 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d16974c3dd3a05900aa080ea0729284aea358d10) Signed-off-by: Michael Niedermayer --- libavformat/au.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/au.c b/libavformat/au.c index a414292894..55c73015e8 100644 --- a/libavformat/au.c +++ b/libavformat/au.c @@ -86,8 +86,11 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { - if (avio_feof(pb)) + if (avio_feof(pb)) { + av_bprint_finalize(&bprint, NULL); + av_freep(&key); return AVERROR_EOF; + } c = avio_r8(pb); switch(state) { case PARSE_KEY: From a675945380498ffa2a8ac511a2b70602c6308388 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Nov 2020 00:17:09 +0100 Subject: [PATCH 0917/1383] avformat/lvfdec: Check stream_index before use Fixes: assertion failure Fixes: 26905/clusterfuzz-testcase-minimized-ffmpeg_dem_LVF_fuzzer-5724267599364096.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b1d99ab14f2fd273e678dcb618dabfb38aab91b6) Signed-off-by: Michael Niedermayer --- libavformat/lvfdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/lvfdec.c b/libavformat/lvfdec.c index b8af25609f..0ff531ddde 100644 --- a/libavformat/lvfdec.c +++ b/libavformat/lvfdec.c @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) unsigned size, flags, timestamp, id; int64_t pos; int ret, is_video = 0; + int stream_index; pos = avio_tell(s->pb); while (!avio_feof(s->pb)) { @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) case MKTAG('0', '1', 'w', 'b'): if (size < 8) return AVERROR_INVALIDDATA; + stream_index = is_video ? 0 : 1; + if (stream_index >= s->nb_streams) + return AVERROR_INVALIDDATA; timestamp = avio_rl32(s->pb); flags = avio_rl32(s->pb); ret = av_get_packet(s->pb, pkt, size - 8); if (flags & (1 << 12)) pkt->flags |= AV_PKT_FLAG_KEY; - pkt->stream_index = is_video ? 0 : 1; + pkt->stream_index = stream_index; pkt->pts = timestamp; pkt->pos = pos; return ret; From 82728dee12b1261af1d28920f450039c52716cb3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2020 00:04:50 +0100 Subject: [PATCH 0918/1383] avformat/sbgdec: Check that end is not before start Fixes: signed integer overflow: -9223372036854775808 + -5279949906739200 cannot be represented in type 'long' Fixes: 26908/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6329610851319808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 9ef60a66f1f155605049402415bd901c8baf1a24) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 1541836439..86d8418f62 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1411,6 +1411,11 @@ static av_cold int sbg_read_header(AVFormatContext *avf) if (r < 0) goto fail; + if (script.end_ts != AV_NOPTS_VALUE && script.end_ts < script.start_ts) { + r = AVERROR_INVALIDDATA; + goto fail; + } + st = avformat_new_stream(avf, NULL); if (!st) return AVERROR(ENOMEM); From 158f357b1070bc86af09ab2d78da1b7c8b23ac83 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 0919/1383] avformat/bintext: Check width Fixes: division by 0 Fixes: 26780/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5117945027756032 Fixes: 26998/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5119352359354368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6dc285fb5f30406b275b968ee438a738da799d1) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index 599e4e3e3e..944966e7f6 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -289,6 +289,8 @@ static int adf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 1 + 192 + 4096, SEEK_SET); From 2781ce1ea95734d9ba25d1efc922e2f6a888a4ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:45 +0100 Subject: [PATCH 0920/1383] avformat/icodec: Factor failure code out in read_header() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 27ee67c00f4402030af3b7477dd5088464d31d80) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 59e5416116..4d93b74a1d 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -113,8 +113,7 @@ static int read_header(AVFormatContext *s) ico->images[i].size = avio_rl32(pb); if (ico->images[i].size <= 0) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } ico->images[i].offset = avio_rl32(pb); @@ -130,8 +129,7 @@ static int read_header(AVFormatContext *s) break; case 40: if (ico->images[i].size < 40) { - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } st->codecpar->codec_id = AV_CODEC_ID_BMP; tmp = avio_rl32(pb); @@ -143,12 +141,14 @@ static int read_header(AVFormatContext *s) break; default: avpriv_request_sample(s, "codec %d", codec); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } } return 0; +fail: + av_freep(&ico->images); + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, AVPacket *pkt) From 0dc749187972332d26e13405df3b5a82da0fde2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:46 +0100 Subject: [PATCH 0921/1383] avformat/icodec: Check for zero streams and stream creation failure Fixes: NULL pointer dereference Fixes: 26814/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5758487797432320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit b33233bd53f74f94f4cd7be0645a99a9549a913e) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 4d93b74a1d..d86b85099d 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -84,6 +84,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); ico->nb_images = avio_rl16(pb); + if (!ico->nb_images) + return AVERROR_INVALIDDATA; + ico->images = av_malloc_array(ico->nb_images, sizeof(IcoImage)); if (!ico->images) return AVERROR(ENOMEM); @@ -93,7 +96,7 @@ static int read_header(AVFormatContext *s) int tmp; if (avio_seek(pb, 6 + i * 16, SEEK_SET) < 0) - break; + goto fail; st = avformat_new_stream(s, NULL); if (!st) { @@ -118,7 +121,7 @@ static int read_header(AVFormatContext *s) ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) - break; + goto fail; codec = avio_rl32(pb); switch (codec) { From 680f50938f22384bc33c19dfb401c8a87421c17f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Nov 2020 23:30:47 +0100 Subject: [PATCH 0922/1383] avformat/rmdec: Check for EOF in index packet reading Fixes: Timeout(>10sec -> 1ms) Fixes: 27284/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6304211110985728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebf4bc629e6d0dbb4bb6725849bdd06456e4c8af) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index ba50839103..805d83dcc3 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -457,6 +457,8 @@ static int rm_read_index(AVFormatContext *s) } for (n = 0; n < n_pkts; n++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 2); pts = avio_rb32(pb); pos = avio_rb32(pb); From 71411669cd5f4f2c21e7821eec8ac0e2263ac255 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 20:59:01 +0100 Subject: [PATCH 0923/1383] avformat/iff: Check size before skip Fixes: Infinite loop Fixes: 27292/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5731168991051776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b50e8bc2975fad85e0713e05940ee9ecb5e8a18) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index dd434de2d4..643ca71dca 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -259,6 +259,9 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('A','B','S','S'): if (size < 8) From 56789d3ea3ffcda6696677197a6a3d41f1b17aca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 22:13:52 +0100 Subject: [PATCH 0924/1383] avformat/wavdec: More complete size check in find_guid() Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long' Fixes: 27341/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5442833206738944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a207df2acb92d6366ab2f0f18ba35709066b8eec) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1975a6ffb6..547ebd306b 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -599,7 +599,7 @@ static int64_t find_guid(AVIOContext *pb, const uint8_t guid1[16]) while (!avio_feof(pb)) { avio_read(pb, guid, 16); size = avio_rl64(pb); - if (size <= 24) + if (size <= 24 || size > INT64_MAX - 8) return AVERROR_INVALIDDATA; if (!memcmp(guid, guid1, 16)) return size; From f149875325cd1d3f8d0f0fa28971e8acccb390d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:10 +0200 Subject: [PATCH 0925/1383] avformat/avs: Use 64bit for the avio_tell() output Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 26549/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4844306424397824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1278f117d75ab9238ef181ba29b31c6ea569571b) Signed-off-by: Michael Niedermayer --- libavformat/avs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avs.c b/libavformat/avs.c index 62f5a42ac9..2aa8ca05e3 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -129,7 +129,8 @@ avs_read_video_packet(AVFormatContext * s, AVPacket * pkt, static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) { AvsFormat *avs = s->priv_data; - int ret, size; + int ret; + int64_t size; size = avio_tell(s->pb); ret = ff_voc_get_packet(s, pkt, avs->st_audio, avs->remaining_audio_size); From 40f056abed4e0b0bc8e037da8b56bcb93d5660f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 22:21:48 +0200 Subject: [PATCH 0926/1383] avcodec/exr: Check ymin vs. h Fixes: out of array access Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e5959b3457f7f1856d997261e6ac672bba49e8b) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 4c70e7b054..ec1967ad0c 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1811,7 +1811,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, ptr = picture->data[0]; // Zero out the start if ymin is not 0 - for (y = 0; y < s->ymin; y++) { + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { memset(ptr, 0, out_line_size); ptr += picture->linesize[0]; } From 2cb42f5cc077b2c3d2e6cfe9e7c82c7a34352f85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 01:14:26 +0100 Subject: [PATCH 0927/1383] avformat/mpc8: correct 32bit timestamp truncation Fixes: left shift of 65536 by 15 places cannot be represented in type 'int' Fixes: 26801/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-5164313092030464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad3e495657eaa24cba9251c2379797c208998201) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 79e5f6a9ab..c5dabeb499 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -182,7 +182,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) if(t & 1) t = -(t & ~1); pos = (t >> 1) + ppos[0]*2 - ppos[1]; - av_add_index_entry(s->streams[0], pos, i << seekd, 0, 0, AVINDEX_KEYFRAME); + av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; } @@ -257,7 +257,7 @@ static int mpc8_read_header(AVFormatContext *s) st->codecpar->channels = (st->codecpar->extradata[1] >> 4) + 1; st->codecpar->sample_rate = mpc8_rate[st->codecpar->extradata[0] >> 5]; - avpriv_set_pts_info(st, 32, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); + avpriv_set_pts_info(st, 64, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); st->start_time = 0; st->duration = c->samples / (1152 << (st->codecpar->extradata[1]&3)*2); size -= avio_tell(pb) - pos; From 6379a6f34325c4e359bb0cafe09e7af9f3ca2789 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 0928/1383] avformat/mpc8: correct integer overflow in mpc8_parse_seektable() Fixes: signed integer overflow: -4683718486770919638 * 2 cannot be represented in type 'long' Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Fixes: 27550/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6259212652642304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0897402ac8a2045691395380a9fd2ea88c0d3798) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index c5dabeb499..5def974564 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -181,7 +181,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) t += get_bits(&gb, 12); if(t & 1) t = -(t & ~1); - pos = (t >> 1) + ppos[0]*2 - ppos[1]; + pos = (t >> 1) + (uint64_t)ppos[0]*2 - ppos[1]; av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; From 6723d6db9bbc506bf42ba0d4d51bf0c220391a3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:08:13 +0200 Subject: [PATCH 0929/1383] avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative These fields are not signed in the spec (1.0) so they cannot be negative Changing bytes_per_packet to unsigned would not solve this as it is exported as block_align which is signed Fixes: Infinite loop Fixes: 26492/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5632087614554112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5eed718087f2ba307a3d1d294016d2ebae9230f3) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 7652d9e238..5b1abc4f47 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -79,6 +79,9 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + return AVERROR_INVALIDDATA; + /* calculate bit rate for constant size packets */ if (caf->frames_per_packet > 0 && caf->bytes_per_packet > 0) { st->codecpar->bit_rate = (uint64_t)st->codecpar->sample_rate * (uint64_t)caf->bytes_per_packet * 8 From aeef24785a82362fdeeebf0969a938c309a6d533 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:58:37 +0100 Subject: [PATCH 0930/1383] avformat/cafdec: Check for EOF in index read loop Fixes: OOM Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-541296033975500 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb46939e3ab3e0e4df69486b1a037bffc50493bd) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 5b1abc4f47..dc87bb4502 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -207,6 +207,8 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->duration = 0; for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); From 44e692bb0a54d39b08bdbb2c0692bf1a06592194 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:13:16 +0200 Subject: [PATCH 0931/1383] avformat/cafdec: Check the return code from av_add_index_entry() Signed-off-by: Michael Niedermayer (cherry picked from commit 9dc3301745d8271ae3ba0f1b998d8e6a0aa01bc1) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index dc87bb4502..a063549561 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -194,6 +194,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) CafContext *caf = s->priv_data; int64_t pos = 0, ccount, num_packets; int i; + int ret; ccount = avio_tell(pb); @@ -209,7 +210,9 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) for (i = 0; i < num_packets; i++) { if (avio_feof(pb)) return AVERROR_INVALIDDATA; - av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); } From bb81e6eb55bc4ce702b8926dd3d32f9b3c202520 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 00:24:01 +0200 Subject: [PATCH 0932/1383] avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter The max depth is 16bps, the max allowed coefficient depth is depth+6 Fixes: signed integer overflow: 1074266112 + 1073725439 cannot be represented in type 'int' Fixes: 26493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657763331702784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf852b03c3ae6b61f89614371d2cb308d0b7f86) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 8abb780dd7..12fc9f9fdc 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } From a290ea51274a46faa095bc71c32bdc806c45e059 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Nov 2020 20:20:02 +0100 Subject: [PATCH 0933/1383] avformat/vqf: Check len for COMM chunks Fixes: Infinite loop Fixes: 26696/clusterfuzz-testcase-minimized-ffmpeg_dem_VQF_fuzzer-5648269168082944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a834af133b1fe8f29b4075808710ffd98abcac40) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index ff38a3d1ca..f43a20d6fc 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -132,6 +132,9 @@ static int vqf_read_header(AVFormatContext *s) switch(chunk_tag){ case MKTAG('C','O','M','M'): + if (len < 12) + return AVERROR_INVALIDDATA; + avio_read(s->pb, comm_chunk, 12); st->codecpar->channels = AV_RB32(comm_chunk ) + 1; read_bitrate = AV_RB32(comm_chunk + 4); From 1e4a9d64d1f361aa2f475f3006524d2526c5a359 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:39:21 +0100 Subject: [PATCH 0934/1383] avformat/id3v2: Sanity check tlen before alloc and uncompress Fixes: Timeout (>20sec -> 65ms) Fixes: 26896/clusterfuzz-testcase-minimized-ffmpeg_dem_DAUD_fuzzer-5691024049176576 Fixes: 27627/clusterfuzz-testcase-minimized-ffmpeg_dem_AEA_fuzzer-4907019324358656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7f87a4b9ef18a9846439b7787874cc11e5940de) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index bec3300ad6..63df4c21c4 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -1005,6 +1005,9 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_log(s, AV_LOG_DEBUG, "Compresssed frame %s tlen=%d dlen=%ld\n", tag, tlen, dlen); + if (tlen <= 0) + goto seek; + av_fast_malloc(&uncompressed_buffer, &uncompressed_buffer_size, dlen); if (!uncompressed_buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen); From 6eba6551b81b36e7233601f5a1f8b4c184a16890 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 0935/1383] avformat/mpc8: Check remaining space in mpc8_parse_seektable() Fixes: Fixes infinite loop Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f66dd13d08d063e2748d172239df595078ff624) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 5def974564..10a7d9b54b 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -177,6 +177,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } for(; i < size; i++){ + if (get_bits_left(&gb) < 13) { + av_free(buf); + return; + } t = get_unary(&gb, 1, 33) << 12; t += get_bits(&gb, 12); if(t & 1) From 471c8ae5b6eb632930585590fafbd74b7d39b74e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 21:22:13 +0100 Subject: [PATCH 0936/1383] avformat/dsfdec: Check block_align more completely Fixes: infinite loop Fixes: 26865/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-5649473830912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b8974d54455adc7a462f0f7385b76e1d08101c) Signed-off-by: Michael Niedermayer --- libavformat/dsfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dsfdec.c b/libavformat/dsfdec.c index 5e06fd63a5..e0a8f7212c 100644 --- a/libavformat/dsfdec.c +++ b/libavformat/dsfdec.c @@ -124,8 +124,8 @@ static int dsf_read_header(AVFormatContext *s) dsf->audio_size = avio_rl64(pb) / 8 * st->codecpar->channels; st->codecpar->block_align = avio_rl32(pb); - if (st->codecpar->block_align > INT_MAX / st->codecpar->channels) { - avpriv_request_sample(s, "block_align overflow"); + if (st->codecpar->block_align > INT_MAX / st->codecpar->channels || st->codecpar->block_align <= 0) { + avpriv_request_sample(s, "block_align invalid"); return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; From 57c8136d6c14bc3f41bfd4c5cc0f9db159f4fcf5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 22:14:21 +0100 Subject: [PATCH 0937/1383] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() Fixes: signed integer overflow: -2105540608 - 2105540608 cannot be represented in type 'int' Fixes: 26870/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5656647567147008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51dfd6f1bdb03bfc7574b12e921fb3b8639ba5cf) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index f19579a47c..ce66ed3ab8 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -283,8 +283,8 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ dctcoef *block = (dctcoef*)_block; for(i=0; i<4; i++){ - temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1]; - temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1]; + temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1]; + temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1]; } for(i=0; i<2; i++){ From 9ca2abb90c20d31ad39641af8a20dd3d4cd38f46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2020 00:49:29 +0100 Subject: [PATCH 0938/1383] avformat/rpl: Check the number of streams Fixes: out of memory access Fixes: 27787/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4743666463408128.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0677bdb1f522d0d25b47bca3d8e09ece83083678) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 2b099882cf..df5109dc70 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -245,6 +245,9 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); } + if (s->nb_streams == 0) + return AVERROR_INVALIDDATA; + rpl->frames_per_chunk = read_line_and_int(pb, &error); // video frames per chunk if (rpl->frames_per_chunk > 1 && vst->codecpar->codec_tag != 124) av_log(s, AV_LOG_WARNING, From b12ef6f7acd4573c0b2d7a26e26c29b147479456 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Dec 2020 00:37:25 +0100 Subject: [PATCH 0939/1383] avformat/matroskadec: Sanity check codec_id/track type Fixes: memleak Fixes: 27766/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5198300814508032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b88dd8f0cb48b46f3178d274a9117a3d2307f4e) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2604f74bbd..98913dfdb6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2096,6 +2096,15 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if ( track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A' + || track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] != 'V' + || track->type == MATROSKA_TRACK_TYPE_SUBTITLE && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + || track->type == MATROSKA_TRACK_TYPE_METADATA && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + ) { + av_log(matroska->ctx, AV_LOG_INFO, "Inconsistent track type\n"); + continue; + } + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || isnan(track->audio.samplerate)) { av_log(matroska->ctx, AV_LOG_WARNING, From 6c57a7ce4d96a14707f8c5f82222d14da7dc2928 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Dec 2020 00:49:23 +0100 Subject: [PATCH 0940/1383] avformat/iff: Check data_size Fixes: infinite loop Fixes: 27834/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5694930919620608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 001bc594d82f3df67a6e96c6ea022f4e39002385) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 643ca71dca..45dbdc4d88 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -368,7 +368,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); data_pos = avio_tell(pb); - if (data_size < 1) + if (data_size < 1 || data_size >= INT64_MAX) return AVERROR_INVALIDDATA; switch (chunk_id) { From cb1f3b5fc6158a8c119340332a6fba2a00456b96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:05:22 +0100 Subject: [PATCH 0941/1383] avcodec/hevc_ps: check scaling_list_dc_coef Fixes: signed integer overflow: 2147483640 + 8 cannot be represented in type 'int' Fixes: 28449/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5686013259284480 Reviewed-by: James Almer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1700bd8bb983bb3b56c3a1f8b9078cb62a44f65) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 9b6cc49355..8d8a668e9c 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -786,7 +786,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi next_coef = 8; coef_num = FFMIN(64, 1 << (4 + (size_id << 1))); if (size_id > 1) { - scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8; + int scaling_list_coeff_minus8 = get_se_golomb(gb); + if (scaling_list_coeff_minus8 < -7 || + scaling_list_coeff_minus8 > 247) + return AVERROR_INVALIDDATA; + scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8; next_coef = scaling_list_dc_coef[size_id - 2][matrix_id]; sl->sl_dc[size_id - 2][matrix_id] = next_coef; } From 7c36b9496626255df69302156e2bf985bd927faf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 18:39:45 +0100 Subject: [PATCH 0942/1383] avformat/mov: Check if hoov is at the end Fixes: Timeout, probably infinite loop Fixes: 26559/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5391165484171264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0afbaabdca2730d3f8d88719d64802d50b92d351) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 26226beb76..dc3c22c14d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6833,6 +6833,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) uint32_t type; avio_skip(pb, 4); type = avio_rl32(pb); + if (avio_feof(pb)) + break; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('m','v','h','d') || type == MKTAG('c','m','o','v')) { From 85cdb58efb53b92509148341dd13df950b4460f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 19:19:54 +0100 Subject: [PATCH 0943/1383] avcodec/utils: Check bitrate for overflow in get_bit_rate() Fixes: signed integer overflow: 617890810133996544 * 16 cannot be represented in type 'long' Fixes: 26565/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5092054700654592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8aadae670f28b88e94770262cd1136562bdb2f45) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index cdd6f9f0b8..c0b1aa4f17 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -507,7 +507,14 @@ static int64_t get_bit_rate(AVCodecContext *ctx) break; case AVMEDIA_TYPE_AUDIO: bits_per_sample = av_get_bits_per_sample(ctx->codec_id); - bit_rate = bits_per_sample ? ctx->sample_rate * (int64_t)ctx->channels * bits_per_sample : ctx->bit_rate; + if (bits_per_sample) { + bit_rate = ctx->sample_rate * (int64_t)ctx->channels; + if (bit_rate > INT64_MAX / bits_per_sample) { + bit_rate = 0; + } else + bit_rate *= bits_per_sample; + } else + bit_rate = ctx->bit_rate; break; default: bit_rate = 0; From 5d4d2910a543b090e78ff2261bac68ea461c44fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:01 +0100 Subject: [PATCH 0944/1383] avformat/mpegts: Increase pcr_incr width to 64bit Fixes: division by zero Fixes: 26459/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5666350112178176 Fixes: 28154/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5195728439476224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit ef7b117b7be8a81d6b245cadf096cbe4b1a12987) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index ba98bba0d3..4080d5a8db 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -131,7 +131,7 @@ struct MpegTSContext { int fix_teletext_pts; int64_t cur_pcr; /**< used to estimate the exact PCR */ - int pcr_incr; /**< used to estimate the exact PCR */ + int64_t pcr_incr; /**< used to estimate the exact PCR */ /* data needed to handle file based ts */ /** stop parsing loop */ From ed4e706190342fce2c8e8e2d8933e749189315a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:04 +0100 Subject: [PATCH 0945/1383] avcodec/ffv1dec: Fix off by 1 error with quant tables Fixes: assertion failure Fixes: 28447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5369575948550144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5cae71d2b722d0beed4d46f189db42fbb57d877b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index e465ed49d7..07933d6f9f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -789,7 +789,7 @@ static int read_header(FFV1Context *f) if (f->version == 2) { int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return AVERROR_INVALIDDATA; From 1e015c01a2f536fcc26229e4363feb5a94e0ff81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:48:26 +0100 Subject: [PATCH 0946/1383] avformat/cafdec: clip sample rate Fixes: 1.21126e+111 is outside the range of representable values of type 'int' Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5412960339755008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 684aec6a6872c9e3bb0afee1979f1cd3edd1f8ce) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index a063549561..70005aa3d0 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -70,7 +70,7 @@ static int read_desc_chunk(AVFormatContext *s) /* parse format description */ st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; - st->codecpar->sample_rate = av_int2double(avio_rb64(pb)); + st->codecpar->sample_rate = av_clipd(av_int2double(avio_rb64(pb)), 0, INT_MAX); st->codecpar->codec_tag = avio_rl32(pb); flags = avio_rb32(pb); caf->bytes_per_packet = avio_rb32(pb); From 94fbe523eebd15b0469323a8154680d3de3c89d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Dec 2020 18:47:44 +0100 Subject: [PATCH 0947/1383] avformat/mpegts: Fix argument type for av_log Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 654b21ef176a807bf4e8359a4ed52c629d766100) --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 4080d5a8db..3441e238dc 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2921,7 +2921,7 @@ static int mpegts_read_header(AVFormatContext *s) s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; st->codecpar->bit_rate = s->bit_rate; st->start_time = ts->cur_pcr; - av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%d\n", + av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%"PRId64"\n", st->start_time / 1000000.0, pcrs[0] / 27e6, ts->pcr_incr); } From f8940d51047c1adce67c30a2f274dd9d08272664 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Dec 2020 18:55:08 +0100 Subject: [PATCH 0948/1383] avcodec/alsdec: Fix integer overflow with quant_cof Fixes: signed integer overflow: -210824 * 16384 cannot be represented in type 'int' Fixes: 28670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5682310846480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ce40dde03ea56684f2cb6b40991a90bc38c3ad9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 3819307fbf..0fd7278ad8 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -761,7 +761,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) } for (k = 2; k < opt_order; k++) - quant_cof[k] = (quant_cof[k] * (1 << 14)) + (add_base << 13); + quant_cof[k] = (quant_cof[k] * (1U << 14)) + (add_base << 13); } } From 62dd7e3dc06d12364b820317ce301b9c6684595c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 23:41:10 +0100 Subject: [PATCH 0949/1383] avcodec/rasc: Check frame before clearing Fixes: null pointer dereference Fixes: 27737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5769028685266944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 380a3a0adfae7aa898d2ec8a5b0d5cd949a11111) Signed-off-by: Michael Niedermayer --- libavcodec/rasc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rasc.c b/libavcodec/rasc.c index 21fc43f325..598bb395b4 100644 --- a/libavcodec/rasc.c +++ b/libavcodec/rasc.c @@ -70,6 +70,9 @@ static void clear_plane(AVCodecContext *avctx, AVFrame *frame) RASCContext *s = avctx->priv_data; uint8_t *dst = frame->data[0]; + if (!dst) + return; + for (int y = 0; y < avctx->height; y++) { memset(dst, 0, avctx->width * s->bpp); dst += frame->linesize[0]; From 35729e0fdb47ca6aeb8cec33b8a35a9448b8b873 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2020 00:52:47 +0100 Subject: [PATCH 0950/1383] avcodec/wmaprodec: Check packet size Fixes: left shift of negative value -25824 Fixes: 27754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5760255962906624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69aeba8a19ac2fa6e1c9bdfb19229b513f314bb1) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index f79f0f2750..9208a9113b 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1691,6 +1691,12 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, } } else { int frame_size; + + if (avpkt->size < s->next_packet_start) { + s->packet_loss = 1; + return AVERROR_INVALIDDATA; + } + s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); From 4520a4efa413a67bf18c049f50934a04e08a00d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 18:01:11 +0200 Subject: [PATCH 0951/1383] uavformat/rsd: check for EOF in extradata Fixes: OOM Fixes: 26503/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6530816735444992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7186ec88b98bc589f1403985ab10cc7f77461ec8) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index f3833d5145..325c696798 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -132,6 +132,8 @@ static int rsd_read_header(AVFormatContext *s) return ret; for (i = 0; i < par->channels; i++) { + if (avio_feof(pb)) + return AVERROR_EOF; avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } From d7566366ffc26feb6e5099ef144103b7b3312ff5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 20:22:48 +0200 Subject: [PATCH 0952/1383] avformat/mxfdec: Free all types for both Descriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 26352/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5201158714687488 Suggested-by: Tomas Härdin Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 88519be8db66811e203408b413d9039ac9c3fe91) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 1e09950b0d..961b5d4384 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -330,9 +330,8 @@ static void mxf_free_metadataset(MXFMetadataSet **ctx, int freectx) MXFIndexTableSegment *seg; switch ((*ctx)->type) { case Descriptor: - av_freep(&((MXFDescriptor *)*ctx)->extradata); - break; case MultipleDescriptor: + av_freep(&((MXFDescriptor *)*ctx)->extradata); av_freep(&((MXFDescriptor *)*ctx)->sub_descriptors_refs); break; case Sequence: From 3df814c73540be949993bf1185b1388dda92d4bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:29 +0100 Subject: [PATCH 0953/1383] avformat/sbgdec: Reduce the amount of floating point in str_to_time() Fixes: 1e+75 is outside the range of representable values of type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6626834808700928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit ac6c8993f79eaefb76e1fdf0eef5373ab3a46a4e) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 86d8418f62..646c141ab4 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -181,6 +181,7 @@ static int str_to_time(const char *str, int64_t *rtime) char *end; int hours, minutes; double seconds = 0; + int64_t ts = 0; if (*cur < '0' || *cur > '9') return 0; @@ -196,8 +197,9 @@ static int str_to_time(const char *str, int64_t *rtime) seconds = strtod(cur + 1, &end); if (end > cur + 1) cur = end; + ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2); } - *rtime = (hours * 3600LL + minutes * 60LL + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts; return cur - str; } From 0c45348beffde91fc5a702273d79b5b4437c014f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2020 21:20:43 +0100 Subject: [PATCH 0954/1383] avformat/mov: Check a.size before computing next_root_atom Fixes: signed integer overflow: 64 + 9223372036854775799 cannot be represented in type 'long' Fixes: 27563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6244650163372032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c9a5a0fe9f27be35332a2b8f604dc85d219a056) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index dc3c22c14d..18b8d8f609 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6898,7 +6898,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->atom_depth --; return err; } - if (c->found_moov && c->found_mdat && + if (c->found_moov && c->found_mdat && a.size <= INT64_MAX - start_pos && ((!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) || start_pos + a.size == avio_size(pb))) { if (!(pb->seekable & AVIO_SEEKABLE_NORMAL) || c->fc->flags & AVFMT_FLAG_IGNIDX || c->frag_index.complete) From a8d260b66ac0f71c2092e632bd9521698aca620b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2020 21:31:16 +0100 Subject: [PATCH 0955/1383] avutil/timecode: Avoid undefined behavior with large framenum Fixes: signed integer overflow: 2147462079 + 2149596 cannot be represented in type 'int' Fixes: 27565/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5091972813160448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1905739638c22b476c99c679b41f29fa00bf07) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 60077ba0c0..76163d5553 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -49,7 +49,7 @@ int av_timecode_adjust_ntsc_framenum2(int framenum, int fps) d = framenum / frames_per_10mins; m = framenum % frames_per_10mins; - return framenum + 9 * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); + return framenum + 9U * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); } uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) From b9570ed6f3a159ee8b354af9dfb770bcb3518fd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2020 22:52:42 +0200 Subject: [PATCH 0956/1383] avformat/utils: check for integer overflow in av_get_frame_filename2() Fixes: signed integer overflow: 317316873 * 10 cannot be represented in type 'int' Fixes: 24708/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5731180885049344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03c479ce236955fc329c7f9f4765ee1ec256bb73) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3857e85f30..2195db5b0b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4691,8 +4691,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number if (c == '%') { do { nd = 0; - while (av_isdigit(*p)) + while (av_isdigit(*p)) { + if (nd >= INT_MAX / 10 - 255) + goto fail; nd = nd * 10 + *p++ - '0'; + } c = *p++; } while (av_isdigit(c)); From d31c6fdf3522f715fec601995a60a8972c24245a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:17:18 +0100 Subject: [PATCH 0957/1383] avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject() Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long' Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800 Alternatively this could be ignored but then the end condition of the loop would be hard to reach as avio_tell() is int64_t Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bee216ad454dd7238a03dd9a76428cc6c3233cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index b4b2698368..6174cfae2c 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1679,6 +1679,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t ff_asf_guid guid; int ret; + if (offset > INT64_MAX - size) + return AVERROR_INVALIDDATA; + while (avio_tell(pb) <= offset + size) { if (avio_tell(pb) == asf->offset) break; From 32e5b0ab99b5004c7506b0cb3d37dfd57c56b914 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:26 +0100 Subject: [PATCH 0958/1383] avformat/nistspheredec: Check bits_per_coded_sample and channels Fixes: signed integer overflow: 80 * 92233009 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-6669100654919680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 60770a50fba0d47203d417b048b37d314918085d) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index dbf031f3e3..ea59f3eb25 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -90,6 +90,8 @@ static int nist_read_header(AVFormatContext *s) return 0; } else if (!memcmp(buffer, "channel_count", 13)) { sscanf(buffer, "%*s %*s %u", &st->codecpar->channels); + if (st->codecpar->channels <= 0 || st->codecpar->channels > INT16_MAX) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_byte_format", 18)) { sscanf(buffer, "%*s %*s %31s", format); @@ -109,12 +111,14 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); - if (bps > INT_MAX/8U) + if (bps > INT16_MAX/8U) return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->bits_per_coded_sample); + if (st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > INT16_MAX) + return AVERROR_INVALIDDATA; } else { char key[32], value[32]; if (sscanf(buffer, "%31s %*s %31s", key, value) == 2) { From 387e0b3359c81bbc9f7334790c6bd1f13b0fb706 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 19:58:20 +0100 Subject: [PATCH 0959/1383] libavformat/utils: consider avio_size() failure in ffio_limit() Fixes: Timeout (>20sec -> 3ms) Fixes: 26918/clusterfuzz-testcase-minimized-ffmpeg_dem_THP_fuzzer-5750425191710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1dac2716d713dfd6949b7eb4a3c18c16f1faf6) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2195db5b0b..42d42aa452 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -247,13 +247,16 @@ int av_format_get_probe_score(const AVFormatContext *s) int ffio_limit(AVIOContext *s, int size) { if (s->maxsize>= 0) { - int64_t remaining= s->maxsize - avio_tell(s); + int64_t pos = avio_tell(s); + int64_t remaining= s->maxsize - pos; if (remaining < size) { int64_t newsize = avio_size(s); if (!s->maxsize || s->maxsizemaxsize = newsize - !newsize; - remaining= s->maxsize - avio_tell(s); - remaining= FFMAX(remaining, 0); + if (pos > s->maxsize && s->maxsize >= 0) + s->maxsize = AVERROR(EIO); + if (s->maxsize >= 0) + remaining = s->maxsize - pos; } if (s->maxsize>= 0 && remaining+1 < size) { From 661d36175b5b143122da822dca7e4caf7e9da105 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 21:48:31 +0100 Subject: [PATCH 0960/1383] avformat/avidec: dv does not support palettes Fixes: memleak Fixes: 26937/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5763003338981376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b373b41d940e3058cdfb3d17703e23ed665353c) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index bd4cb1ff98..a0aad5065f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1424,6 +1424,7 @@ resync: if (avi->stream_index >= 0) { AVStream *st = s->streams[avi->stream_index]; AVIStream *ast = st->priv_data; + int dv_demux = CONFIG_DV_DEMUXER && avi->dv_demux; int size, err; if (get_subtitle_pkt(s, st, pkt)) @@ -1446,7 +1447,7 @@ resync: return err; size = err; - if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2) { + if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2 && !dv_demux) { uint8_t *pal; pal = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, @@ -1460,7 +1461,7 @@ resync: } } - if (CONFIG_DV_DEMUXER && avi->dv_demux) { + if (dv_demux) { AVBufferRef *avbuf = pkt->buf; size = avpriv_dv_produce_packet(avi->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); From b0edf37cb2f17cc3661992d63236fa750eb18913 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2021 21:41:41 +0100 Subject: [PATCH 0961/1383] avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags() Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d3d9b1fc8e2dfc8b4d66c9916ab7221062ff4660) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 961b5d4384..99d5b65436 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2701,8 +2701,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + int64_t next = avio_tell(pb); UID uid = {0}; + if (next < 0 || next > INT64_MAX - size) + return next < 0 ? next : AVERROR_INVALIDDATA; + next += size; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ From 8f5cce4b17ea6bc2e94bc7143df3bd5b56cc516c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 23:41:36 +0100 Subject: [PATCH 0962/1383] avformat/fitsdec: Better size checks Fixes: out of array access Fixes: 26819/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5634559355650048 Fixes: 26820/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5760774955597824 Fixes: 27379/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5129775942991872.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 14bbb6bb30a6053e82f865c2d69d1a4dd2297fc1) Signed-off-by: Michael Niedermayer --- libavformat/fitsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index e5f152fd68..d571ab9d36 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c @@ -24,6 +24,7 @@ * FITS demuxer. */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "internal.h" #include "libavutil/opt.h" @@ -125,14 +126,14 @@ static int64_t is_image(AVFormatContext *s, FITSContext *fits, FITSHeader *heade size += header->pcount; t = (abs(header->bitpix) >> 3) * ((int64_t) header->gcount); - if(size && t > UINT64_MAX / size) + if(size && t > INT64_MAX / size) return AVERROR_INVALIDDATA; size *= t; if (!size) { image = 0; } else { - if(FITS_BLOCK_SIZE - 1 > UINT64_MAX - size) + if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size) return AVERROR_INVALIDDATA; size = ((size + FITS_BLOCK_SIZE - 1) / FITS_BLOCK_SIZE) * FITS_BLOCK_SIZE; } @@ -173,6 +174,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) goto fail; } + av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX); + if (avbuf.len + size > INT_MAX - 80) { + ret = AVERROR_INVALIDDATA; + goto fail; + } // Header is sent with the first line removed... ret = av_new_packet(pkt, avbuf.len - 80 + size); if (ret < 0) From 567c02a19aee51158702d6647615dab421b0c1fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 19:21:18 +0100 Subject: [PATCH 0963/1383] avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK Fixes: signed integer overflow: 131203586 * 28 cannot be represented in type 'int' Fixes: 26817/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6296902548848640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2488ba85a0fa5ee4125888258d3d95ce3f03bbb6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index c0b1aa4f17..b9db5f6465 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1651,7 +1651,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_PSX: case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_DAT4: case AV_CODEC_ID_ADPCM_IMA_ISS: From a39c4ce6b15f8f7f1dcc1ab242c11a4f78be858e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Jan 2021 00:58:42 +0100 Subject: [PATCH 0964/1383] avformat/iff: Check block align also for ID_MAUD Fixes: Timeout & OOM Fixes: 28701/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5185094964871168 Fixes: 29116/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4874284795297792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b17ffe8f8f30ba03901bcf7caa6c523e874e8fde) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 45dbdc4d88..05e79ace75 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -760,7 +760,7 @@ static int iff_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = av_get_bits_per_sample(st->codecpar->codec_id); st->codecpar->bit_rate = (int64_t)st->codecpar->channels * st->codecpar->sample_rate * st->codecpar->bits_per_coded_sample; st->codecpar->block_align = st->codecpar->channels * st->codecpar->bits_per_coded_sample; - if (st->codecpar->codec_tag == ID_DSD && st->codecpar->block_align <= 0) + if ((st->codecpar->codec_tag == ID_DSD || st->codecpar->codec_tag == ID_MAUD) && st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; break; From d72a06402c2de9bb8b319f460258efaee8300425 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:38:16 +0100 Subject: [PATCH 0965/1383] avformat/ads: Check size Fixes: signed integer overflow: -2147483616 - 64 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_ADS_fuzzer-6617769344892928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c78b2b138ce222de2f4cecac8fd4361f05ee9428) Signed-off-by: Michael Niedermayer --- libavformat/ads.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/ads.c b/libavformat/ads.c index 73ea7c7d54..45c21a33d4 100644 --- a/libavformat/ads.c +++ b/libavformat/ads.c @@ -34,8 +34,9 @@ static int ads_probe(AVProbeData *p) static int ads_read_header(AVFormatContext *s) { - int align, codec, size; + int align, codec; AVStream *st; + int64_t size; st = avformat_new_stream(s, NULL); if (!st) @@ -62,7 +63,7 @@ static int ads_read_header(AVFormatContext *s) st->codecpar->block_align = st->codecpar->channels * align; avio_skip(s->pb, 12); size = avio_rl32(s->pb); - if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX) + if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX && size >= 0x40) st->duration = (size - 0x40) / 16 / st->codecpar->channels * 28; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 268f25c7744c7a0cc79d6baf18ff6af600826fad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:41:41 +0100 Subject: [PATCH 0966/1383] avformat/bfi: Check chunk_header Fixes: signed integer overflow: -2147483648 - 3 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6665764123836416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 638a151a877c27a46c15643db26c9ba726feecde) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 6c98e33ab4..9d88533acf 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -69,6 +69,9 @@ static int bfi_read_header(AVFormatContext * s) /* Set the total number of frames. */ avio_skip(pb, 8); chunk_header = avio_rl32(pb); + if (chunk_header < 3) + return AVERROR_INVALIDDATA; + bfi->nframes = avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From b53629bef13722aa6a8b180cf0f4ff2e52451317 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 21:29:01 +0100 Subject: [PATCH 0967/1383] avformat/utils: Check dts - (1< (cherry picked from commit d82ee907d6caafbc1212c4b63ecac2dcd30f23b0) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 42d42aa452..4752553d80 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1287,7 +1287,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From 0f5f93d498df2e3bbc6d7cf16e6a69d5de48e066 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:00:27 +0100 Subject: [PATCH 0968/1383] avformat/asfdec_o: Check for EOF in asf_read_marker() Fixes: Timeout Fixes: 26460/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5710884393189376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e3d09f435f83f9653056b2fecc4d03ac45f3ffd) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 6174cfae2c..7d60b37b21 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -245,6 +245,9 @@ static int asf_read_marker(AVFormatContext *s, const GUIDParseTable *g) avio_skip(pb, 4); // flags len = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if ((ret = avio_get_str16le(pb, len, name, sizeof(name))) < len) avio_skip(pb, len - ret); From a280136c7a1cfdce11216ab02b0195d9ce2ce772 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2021 21:20:57 +0100 Subject: [PATCH 0969/1383] avformat/flvdec: Check for nesting depth in amf_parse_object() Fixes: out of array access Fixes: 29202/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5112845840809984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 074e204b42acdacc0a055671481e00914524af93) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 0dd14e1c39..fb2d0bac4a 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -41,6 +41,8 @@ #define RESYNC_BUFFER_SIZE (1<<20) +#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion + typedef struct FLVContext { const AVClass *class; ///< Class for private options. int trust_metadata; ///< configure streams according onMetaData @@ -467,6 +469,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, char str_val[1024]; double num_val; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + num_val = 0; ioc = s->pb; if (avio_feof(ioc)) From 6a3f5c9d76d0b64f1e08b12f6cd4502d092efef7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2021 22:00:40 +0100 Subject: [PATCH 0970/1383] avformat/flvdec: Check for nesting depth in amf_skip_tag() Fixes: out of array access Fixes: 29440/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5985279812960256.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef522c918d48b9f101548b2cadce02003cb3510) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index fb2d0bac4a..350931cd42 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -802,10 +802,13 @@ static void clear_index_entries(AVFormatContext *s, int64_t pos) } } -static int amf_skip_tag(AVIOContext *pb, AMFDataType type) +static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) { int nb = -1, ret, parse_name = 1; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); @@ -830,7 +833,7 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) } avio_skip(pb, size); } - if ((ret = amf_skip_tag(pb, avio_r8(pb))) < 0) + if ((ret = amf_skip_tag(pb, avio_r8(pb), depth + 1)) < 0) return ret; } break; @@ -874,7 +877,7 @@ static int flv_data_packet(AVFormatContext *s, AVPacket *pkt, else break; } else { - if ((ret = amf_skip_tag(pb, type)) < 0) + if ((ret = amf_skip_tag(pb, type, 0)) < 0) goto skip; } } From 2f0ae564600475eed5342e3de7cc07822c60d623 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 17:41:28 +0100 Subject: [PATCH 0971/1383] avformat/flvdec: Check for avio_read() failure in amf_get_string() Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit cb316676112c01e8d66420908b6b3d06b3b498e3) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 350931cd42..9a2cf01271 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -359,13 +359,18 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) { + int ret; int length = avio_rb16(ioc); if (length >= buffsize) { avio_skip(ioc, length); return -1; } - avio_read(ioc, buffer, length); + ret = avio_read(ioc, buffer, length); + if (ret < 0) + return ret; + if (ret < length) + return AVERROR_INVALIDDATA; buffer[length] = '\0'; From 6202f716dc30c966e1e6fc2be6ac2a1c4170fc88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:05:53 +0100 Subject: [PATCH 0972/1383] avformat/utils: Check dts in update_initial_timestamps() more Fixes: signed integer overflow: -9223372036853488158 - 90000000 cannot be represented in type 'long long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MPSUB_fuzzer-6696625298866176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29851cb840c176d514573914799ca6c95f3f4e8e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 4752553d80..c237b1f0da 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1138,6 +1138,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || st->cur_dts < INT_MIN + RELATIVE_TS_BASE || + dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE) || is_relative(dts)) return; From 51cd4084420378c69fec221164a81a5d5a20202f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:20:37 +0100 Subject: [PATCH 0973/1383] avformat/mvi: Use 64bit for testing dimensions Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-6649291124899840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48fb752767086a48e599f9e86d87096f66cc7590) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 1e2a08b44c..0b53473671 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -93,7 +93,7 @@ static int read_header(AVFormatContext *s) vst->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; vst->codecpar->codec_id = AV_CODEC_ID_MOTIONPIXELS; - mvi->get_int = (vst->codecpar->width * vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; + mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { From b9b7d76f8ca6cd21b158fcf9f19c67c4b08133e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:44:33 +0100 Subject: [PATCH 0974/1383] avformat/nutdec: Fix integer overflow in count computation Note, the value is checked a few lines later already Fixes: signed integer overflow: -440402016 - 1879048064 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6603876618469376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0014249fd92132515b3ff0ce034dd65e745cb400) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 27440c88d4..0f6e4b21bb 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -260,7 +260,7 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 5) count = ffio_read_varlen(bc); else - count = tmp_mul - tmp_size; + count = tmp_mul - (unsigned)tmp_size; if (tmp_fields > 6) get_s(bc); if (tmp_fields > 7) From c79401d76ebef1dd7705a9b0d0182d6fca883458 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Dec 2020 20:42:27 +0100 Subject: [PATCH 0975/1383] avformat/mpc8: Check size before implicitly converting to int Fixes: Timeout Fixes: 28551/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6229183210586112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d8ddb571ecca54616517defbf894a45ea9c3) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 10a7d9b54b..bdab7fe91f 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -291,7 +291,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_EOF; mpc8_get_chunk_header(s->pb, &tag, &size); - if (size < 0) + if (size < 0 || size > INT_MAX) return -1; if(tag == TAG_AUDIOPACKET){ if(av_get_packet(s->pb, pkt, size) < 0) From aff85abab4ed97a13b0e50f4d8f40756d8fb756d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jan 2021 23:42:39 +0100 Subject: [PATCH 0976/1383] avformat/nuv: Check channels Fixes: signed integer overflow: -3468545475927866368 * 4 cannot be represented in type 'long' Fixes: 28879/clusterfuzz-testcase-minimized-ffmpeg_dem_NUV_fuzzer-6303367307591680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc45d924d7ff6be80e90870540ba35efc290e428) Signed-off-by: Michael Niedermayer --- libavformat/nuv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 9bdea4ab55..2be22f9f51 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -121,6 +121,10 @@ static int get_codec_data(AVFormatContext *s, AVIOContext *pb, AVStream *vst, ast->codecpar->bits_per_coded_sample = avio_rl32(pb); ast->codecpar->channels = avio_rl32(pb); ast->codecpar->channel_layout = 0; + if (ast->codecpar->channels <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid channels %d\n", ast->codecpar->channels); + return AVERROR_INVALIDDATA; + } id = ff_wav_codec_get_id(ast->codecpar->codec_tag, ast->codecpar->bits_per_coded_sample); From 0dcc435972db32a7750ec7c456ec96e74cfa606e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:11:32 +0100 Subject: [PATCH 0977/1383] avformat/tedcaptionsdec: Check for overflow in parse_int() Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0f8586ca9853ab3d324ccd3c42bad4375000b0a) Signed-off-by: Michael Niedermayer --- libavformat/tedcaptionsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 527fe598e6..b0a9cfa2d7 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -181,6 +181,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result) if ((unsigned)*cur_byte - '0' > 9) return AVERROR_INVALIDDATA; while (BETWEEN(*cur_byte, '0', '9')) { + if (val > INT_MAX/10 - (*cur_byte - '0')) + return AVERROR_INVALIDDATA; val = val * 10 + (*cur_byte - '0'); next_byte(pb, cur_byte); } From 20b13122ec42398936f9e97c88b827792d583bc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Nov 2020 00:08:35 +0100 Subject: [PATCH 0978/1383] avcodec/cfhd: check peak.offset Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 386faeda5ff1924c17766248ce19528dbf90cf15) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 5f2cda8327..cbc16f8424 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -550,6 +550,12 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->peak.level = 0; } else if (tag == -74 && s->peak.offset) { s->peak.level = data; + if (s->peak.offset < 4 - bytestream2_tell(&s->peak.base) || + s->peak.offset > 4 + bytestream2_get_bytes_left(&s->peak.base) + ) { + ret = AVERROR_INVALIDDATA; + goto end; + } bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR); } else av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data); From 4db70e21390abadc6087ebad7b1ff80a06209af8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 22:18:59 +0100 Subject: [PATCH 0979/1383] avformat/electronicarts: More chunk_size checks Fixes: Timeout Fixes: 26909/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6489496553783296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d03f0ec9a1ce9903ae533059d30758bede238e40) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index eddc81b8ee..4c1b64cca9 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -607,10 +607,14 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) break; } else if (ea->audio_codec == AV_CODEC_ID_PCM_S16LE_PLANAR || ea->audio_codec == AV_CODEC_ID_MP3) { + if (chunk_size < 12) + return AVERROR_INVALIDDATA; num_samples = avio_rl32(pb); avio_skip(pb, 8); chunk_size -= 12; } else if (ea->audio_codec == AV_CODEC_ID_ADPCM_PSX) { + if (chunk_size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); chunk_size -= 8; } @@ -694,6 +698,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) case fVGT_TAG: case MADm_TAG: case MADe_TAG: + if (chunk_size > INT_MAX - 8) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); // include chunk preamble chunk_size += 8; goto get_video_packet; From 67dff50ad857c8b888e311cc6ca7f1e95a350be3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2020 23:01:12 +0100 Subject: [PATCH 0980/1383] avformat/aiffdec: Check size before subtraction in get_aiff_header() Fixes: Infinite loop Fixes: 27235/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5761398380167168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8af299acde9601e64740b75430960503615873b4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 413ae54748..82cfa22881 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -119,6 +119,8 @@ static int get_aiff_header(AVFormatContext *s, int size, else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; par->sample_rate = sample_rate; + if (size < 18) + return AVERROR_INVALIDDATA; size -= 18; /* get codec id for AIFF-C */ From dcd5b364fb8e4f26caa2cd53e7c8df15b13867d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:54:31 +0100 Subject: [PATCH 0981/1383] avformat/flvdec: Check for EOF in amf_skip_tag() Fixes: Timeout Fixes: 29070/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5650106766458880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9725d07a1770fbfafe5f7b3f7d95a2a513308538) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 9a2cf01271..7eb85dde96 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -814,6 +814,9 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) if (depth > MAX_DEPTH) return AVERROR_PATCHWELCOME; + if (avio_feof(pb)) + return AVERROR_EOF; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); From 624afab90a276459b465246c8bba101abb1b7e70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Jan 2021 23:58:04 +0100 Subject: [PATCH 0982/1383] avformat/wavdec: Check avio_get_str16le() for failure Fixes: out of array access Fixes: 29195/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5037853281222656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d7594ee751e621f6c7ef4d4977c4a3ce169ae0af) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 547ebd306b..a825c0f7c7 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -859,6 +859,10 @@ static int w64_read_header(AVFormatContext *s) return AVERROR(ENOMEM); ret = avio_get_str16le(pb, chunk_size, value, chunk_size); + if (ret < 0) { + av_free(value); + return ret; + } avio_skip(pb, chunk_size - ret); av_dict_set(&s->metadata, chunk_key, value, AV_DICT_DONT_STRDUP_VAL); From 4a7cfa5a89c671386aa75d833f1a219527070271 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 00:46:26 +0100 Subject: [PATCH 0983/1383] avcodec/vp3: Check input amount in theora_decode_header() Fixes: Timeout Fixes: 29226/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-6195092572471296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 869fe41d1088c4badcd98ee1ca2490451a07b173) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index df6782e3ab..25d0bbb758 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2312,6 +2312,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + if (get_bits_left(gb) < 206) + return AVERROR_INVALIDDATA; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); From ef8ece49acfa8ef5af56d712672d9804265f3efa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Nov 2020 23:17:50 +0100 Subject: [PATCH 0984/1383] avcodec/cscd: Check output len in zlib as in lzo Fixes: Timeout (>10sec -> 134ms) Fixes: 27245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-575318210772992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6de039823c2ffcf88e8bfff0d4e3ed9d5601a122) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 8781df110c..e2d868353f 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -93,7 +93,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) { + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK || dlen != c->decomp_size) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); return AVERROR_INVALIDDATA; } From 9bb8a4f773ca65fe924863ddc539cd2a1c1fcfb7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:52:59 +0100 Subject: [PATCH 0985/1383] avformat/soxdec: Check channels to be positive Fixes: signed integer overflow: 32 * -1795162112 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SOX_fuzzer-6724151473340416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0588b73daeb0e6a0741f39b33943c67eac71619) Signed-off-by: Michael Niedermayer --- libavformat/soxdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/soxdec.c b/libavformat/soxdec.c index 12a94c8ffa..2801c3e239 100644 --- a/libavformat/soxdec.c +++ b/libavformat/soxdec.c @@ -90,7 +90,7 @@ static int sox_read_header(AVFormatContext *s) sample_rate_frac); if ((header_size + 4) & 7 || header_size < SOX_FIXED_HDR + comment_size - || st->codecpar->channels > 65535) /* Reserve top 16 bits */ { + || st->codecpar->channels > 65535 || st->codecpar->channels <= 0) /* Reserve top 16 bits */ { av_log(s, AV_LOG_ERROR, "invalid header\n"); return AVERROR_INVALIDDATA; } From 305ae7fc02b5331995a7694ceef2d818c96c7d37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:57:28 +0100 Subject: [PATCH 0986/1383] avformat/tta: Use 64bit intermediate for index Fixes: signed integer overflow: 42032 * 51092 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6679539648430080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd61b42b4c8709a7888fa5c9cce0c19d754e39fc) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index ae90a85544..c50f029d66 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,7 +119,7 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; - if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; framepos += size; From 2e26851dcd11b79152870dc9a2921920edf7655d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 00:31:08 +0100 Subject: [PATCH 0987/1383] avcodec/simple_idct: Fix undefined integer overflow in idct4row() Fixes: signed integer overflow: -1498310196 - 902891776 cannot be represented in type 'int' Fixes: 28445/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5075163389493248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57f7e5caa324fd760aa9e134ee963e9936083c59) Signed-off-by: Michael Niedermayer --- libavcodec/simple_idct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/simple_idct.c b/libavcodec/simple_idct.c index 78b29c0fe3..a6f38abfb7 100644 --- a/libavcodec/simple_idct.c +++ b/libavcodec/simple_idct.c @@ -175,7 +175,8 @@ static inline void idct4col_add(uint8_t *dest, ptrdiff_t line_size, const int16_ #define R_SHIFT 11 static inline void idct4row(int16_t *row) { - int c0, c1, c2, c3, a0, a1, a2, a3; + unsigned c0, c1, c2, c3; + int a0, a1, a2, a3; a0 = row[0]; a1 = row[1]; From 5267cf2084493e949af544d873448438cf1efa28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:13:58 +0100 Subject: [PATCH 0988/1383] avformat/rmdec: Fix codecdata_length overflow check Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 28509/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6310969680723968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c41d0bfd6041890b394a3e6eb2f8da92b83416b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 805d83dcc3..e0c2ec314a 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -253,7 +253,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From 26e5301458ea47f9ed7bba20f86bef08a6aab832 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 20:47:10 +0100 Subject: [PATCH 0989/1383] avformat/mvdec: Sanity check SAMPLE_WIDTH Fixes: signed integer overflow: 999999999 * 8 cannot be represented in type 'int' Fixes: 30048/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5864289917337600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ab82c105787fa81d1e35b9209f3d53e98be936a4) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 69d9914fc1..713c666025 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -159,7 +159,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, st->codecpar->sample_rate = var_read_int(pb, size); avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { - st->codecpar->bits_per_coded_sample = var_read_int(pb, size) * 8; + uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; + if (bpc > 16) + return AVERROR_INVALIDDATA; + st->codecpar->bits_per_coded_sample = bpc; } else return AVERROR_INVALIDDATA; From 95ffb56c6c75ef7958d7e70a5df493d13452ed95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 00:31:47 +0100 Subject: [PATCH 0990/1383] avcodec/rscc: Check inflated_buf size whan it is used Fixes: out of array access Fixes: 27434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5196757675540480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit a5ed6da9bdbe32408aabe1c75e4b55fcaeec1e9b) Signed-off-by: Michael Niedermayer --- libavcodec/rscc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index 69cb702777..99544762d9 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -299,6 +299,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto end; } + if (ctx->inflated_size < pixel_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size); if (ret) { av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret); From 16f0553a56bd066935229ea8442a87ca38e50cf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:31:07 +0100 Subject: [PATCH 0991/1383] avcodec/mxpegdec: fix SOF counting Fixes: Timeout (>10sec -> 15ms) Fixes: 27652/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5125920868007936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 401495def62638a205569cac0f7861c7faba4d18) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 55ec6e928e..f89226fefa 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -247,16 +247,17 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, "Multiple SOF in a frame\n"); return AVERROR_INVALIDDATA; } - s->got_sof_data = 0; ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "SOF data decode error\n"); + s->got_sof_data = 0; return ret; } if (jpg->interlaced) { av_log(avctx, AV_LOG_ERROR, "Interlaced mode not supported in MxPEG\n"); + s->got_sof_data = 0; return AVERROR(EINVAL); } s->got_sof_data ++; From 7d3c6b4f059de972591dfca1491b893ff6773fd1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:54:46 +0100 Subject: [PATCH 0992/1383] avformat/rmdec: Reorder operations to avoid overflow Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int' Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12e713b8061cc6a71ec69da946552bc593d5fa7) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index e0c2ec314a..4bcf8e59c0 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -716,9 +716,9 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre av_log(s, AV_LOG_WARNING, "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); - len -= 14; // we already read part of the index header - if(len<0) + if(len < 14) continue; + len -= 14; // we already read part of the index header goto skip; } else if (state == MKBETAG('D','A','T','A')) { av_log(s, AV_LOG_WARNING, From b8b7cf353eb7769d9e858e95b496666ce3212f5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 17:55:12 +0100 Subject: [PATCH 0993/1383] avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper Fixes: signed integer overflow: 2147483641 + 32 cannot be represented in type 'int' Fixes: 27452/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5078752576667648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dfb7ff528c02afbafba14676c139ecb82164c44) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 3acf94c583..9b11661704 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1138,7 +1138,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (t + (1 << (bits - 1))) >> bits : \ + (int)(t + (1U << (bits - 1))) >> bits : \ t)); \ dst++; \ } \ @@ -1153,7 +1153,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (out[j] + (1 << (bits - 1))) >> bits : \ + (int)(out[j] + (1U << (bits - 1))) >> bits : \ out[j])); \ dst++; \ } \ From 7186342a505d9617fdd1a80dac702a4b5da5462e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 19:13:01 +0100 Subject: [PATCH 0994/1383] avformat/mov: Use av_mul_q() to avoid integer overflows Fixes: signed integer overflow: 538976288 * 538976288 cannot be represented in type 'int' Fixes: 27473/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5758978289827840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f70e1ec0cfa8ae24b224faf522c1d6ca95a42f6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 18b8d8f609..afbc16bd77 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2320,12 +2320,10 @@ FF_ENABLE_DEPRECATION_WARNINGS if (tmcd_ctx->tmcd_flags & 0x0008) { int timescale = AV_RB32(st->codecpar->extradata + 8); int framedur = AV_RB32(st->codecpar->extradata + 12); - st->avg_frame_rate.num *= timescale; - st->avg_frame_rate.den *= framedur; + st->avg_frame_rate = av_mul_q(st->avg_frame_rate, (AVRational){timescale, framedur}); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - st->codec->time_base.den *= timescale; - st->codec->time_base.num *= framedur; + st->codec->time_base = av_mul_q(st->codec->time_base , (AVRational){framedur, timescale}); FF_ENABLE_DEPRECATION_WARNINGS #endif } From 8bcf54cf72d517e8a9cdc275acc33e8cc492d001 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 20:41:56 +0100 Subject: [PATCH 0995/1383] avformat/4xm: Make audio_frame_count 64bit Fixes: signed integer overflow: 2099257366 * 2 cannot be represented in type 'int' Fixes: 27486/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-5112179134824448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 842c268c6436c9e90e689402be138c2e539f7059) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index e93095cb09..8e2d305b24 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -298,7 +298,7 @@ static int fourxm_read_packet(AVFormatContext *s, unsigned int track_number; int packet_read = 0; unsigned char header[8]; - int audio_frame_count; + int64_t audio_frame_count; while (!packet_read) { if ((ret = avio_read(s->pb, header, 8)) < 0) From 99a5e67fe3b786602291b80a28e8e518ce1102d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:02 +0100 Subject: [PATCH 0996/1383] avformat/3dostr: Check sample_rate Fixes: signed integer overflow: -1268324762623155200 * 8 cannot be represented in type 'long' Fixes: 30123/clusterfuzz-testcase-minimized-ffmpeg_dem_THREEDOSTR_fuzzer-6710765123928064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7e5034f97e41d3f8112c1f8da3b5274ab99ef6f8) Signed-off-by: Michael Niedermayer --- libavformat/3dostr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/3dostr.c b/libavformat/3dostr.c index 3668e5f613..fd08265c08 100644 --- a/libavformat/3dostr.c +++ b/libavformat/3dostr.c @@ -64,7 +64,7 @@ static int threedostr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->sample_rate = avio_rb32(s->pb); st->codecpar->channels = avio_rb32(s->pb); - if (st->codecpar->channels <= 0) + if (st->codecpar->channels <= 0 || st->codecpar->sample_rate <= 0) return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); avio_skip(s->pb, 4); From a4c627df67ce6d1fc5a52c830d270485cf205249 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Feb 2021 21:50:03 +0100 Subject: [PATCH 0997/1383] avformat/asfdec_f: Add an additional check for the extradata size Fixes: OOM Fixes: 30066/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6182309126602752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c8cd4490a6ab2742e6ad1ce059b4f4957b39500) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 3439bcbd51..922ad3c29f 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -516,6 +516,8 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { + if (size < sizeX - 40) + return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); From f083f20fd215ef8c0b7fa9f4abf885df6d322b8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:01 +0100 Subject: [PATCH 0998/1383] avformat/wtvdec: Check len in parse_chunks() to avoid overflow Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int' Fixes: 30084/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6192261941559296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 5552ceaf568915e668679f9581e07eb5507cafc4) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index ed3ebb3d89..6f4d266992 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -795,7 +795,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p ff_get_guid(pb, &g); len = avio_rl32(pb); - if (len < 32) { + if (len < 32 || len > INT_MAX - 7) { int ret; if (avio_feof(pb)) return AVERROR_EOF; From afc9f2c236f2289b83610b723513f68fc162abd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:22:53 +0100 Subject: [PATCH 0999/1383] libavutil/eval: Remove CONFIG_TRAPV special handling Fixes: division by zero Fixes: 29555/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-5149951447400448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8574fcbfc7784173347418e09035ff8121574571) Signed-off-by: Michael Niedermayer --- libavutil/eval.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/eval.c b/libavutil/eval.c index 5da9a6d83b..7a3f4f9aa9 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -304,7 +304,7 @@ static double eval_expr(Parser *p, AVExpr *e) double d = eval_expr(p, e->param[0]); double d2 = eval_expr(p, e->param[1]); switch (e->type) { - case e_mod: return e->value * (d - floor((!CONFIG_FTRAPV || d2) ? d / d2 : d * INFINITY) * d2); + case e_mod: return e->value * (d - floor(d2 ? d / d2 : d * INFINITY) * d2); case e_gcd: return e->value * av_gcd(d,d2); case e_max: return e->value * (d > d2 ? d : d2); case e_min: return e->value * (d < d2 ? d : d2); From fec6a5d940f7b792cf86ddaa38bf16926f873882 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 14:59:27 +0100 Subject: [PATCH 1000/1383] avcodec/hevc_sei: Check payload size in decode_nal_sei_message() Fixes: out of array access Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0791a515d38fd35c1e2a309ec8f4015153687b8c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index c59bd4321e..752ad59ddc 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -336,6 +336,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s, byte = get_bits(gb, 8); payload_size += byte; } + if (get_bits_left(gb) < 8LL*payload_size) + return AVERROR_INVALIDDATA; if (nal_unit_type == HEVC_NAL_SEI_PREFIX) { return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size); } else { /* nal_unit_type == NAL_SEI_SUFFIX */ From 9ab85e03ca9b4ec8e918b46466a18301da96d471 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:14:03 +0100 Subject: [PATCH 1001/1383] avformat/id3v2: Check the return from avio_get_str() Fixes: out of array access Fixes: 29446/clusterfuzz-testcase-minimized-ffmpeg_dem_AAC_fuzzer-5096222622875648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25f240fcb398eb499ca4b70c026a8bb9f2a32731) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 63df4c21c4..3aa88a59f0 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -610,7 +610,10 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, /* mimetype */ if (isv34) { - taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + int ret = avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + if (ret < 0 || ret >= taglen) + goto fail; + taglen -= ret; } else { if (avio_read(pb, mimetype, 3) < 0) goto fail; From eb1dc002c6d661652afbedc9e8b942a7b961b4c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:37:52 +0100 Subject: [PATCH 1002/1383] avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() Fixes: Timeout Fixes: left shift of 33046 by 16 places cannot be represented in type 'int' Fixes: 29258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-4889231489105920 Fixes: 29515/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-6161940391002112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 980900d991606cbc3747b37d6e83c7aae98cbecc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 5308b744df..de1875ce30 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q) { int k, ret; - for (k = 0; (state->N[Q] << k) < state->A[Q]; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++) ; #ifdef JLS_BROKEN From 4d977e643de5070b4dc8f8485b4b6c6853641250 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:19:42 +0100 Subject: [PATCH 1003/1383] avformat/mvdec: Check for EOF in read_index() Fixes: Timeout Fixes: 29550/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5094307193290752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6c64351bb1f4dc148069a37754b746fcd4c784cf) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 713c666025..1c786814ec 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -267,6 +267,8 @@ static void read_index(AVIOContext *pb, AVStream *st) uint32_t pos = avio_rb32(pb); uint32_t size = avio_rb32(pb); avio_skip(pb, 8); + if (avio_feof(pb)) + return ; av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { timestamp += size / (st->codecpar->channels * 2LL); From 3c20077e753ee474d1fc86833c2b776191c76858 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:28:08 +0100 Subject: [PATCH 1004/1383] avformat/mov: Check for duplicate st3d Fixes: memleak Fixes: 29585/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6594188688490496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 658f0606cba0f866714cbe09af30ec40c4168930) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index afbc16bd77..5a1191a197 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5465,6 +5465,10 @@ static int mov_read_st3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "Empty stereoscopic video box\n"); return AVERROR_INVALIDDATA; } + + if (sc->stereo3d) + return AVERROR_INVALIDDATA; + avio_skip(pb, 4); /* version + flags */ mode = avio_r8(pb); From 1d6055972e50ef8757c8d2a3408a9a84bf6838fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:30:59 +0100 Subject: [PATCH 1005/1383] avformat/avidec: Use 64bit in get_duration() Fixes: signed integer overflow: 2147483424 + 8224 cannot be represented in type 'int' Fixes: 29619/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5191424373030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0ceb0cdd41b56241697cd8f83e22cdb4822d2d9) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index a0aad5065f..5d67707994 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -126,7 +126,7 @@ static inline int get_duration(AVIStream *ast, int len) if (ast->sample_size) return len; else if (ast->dshow_block_align) - return (len + ast->dshow_block_align - 1) / ast->dshow_block_align; + return (len + (int64_t)ast->dshow_block_align - 1) / ast->dshow_block_align; else return 1; } From b79830a53a1300dea8ea44f6a3a1de71ece2418a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:54:06 +0100 Subject: [PATCH 1006/1383] avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream() Fixes: Infinite loop Fixes: 29722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6412228041506816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a2082a41bca9dbb22c45288972f2da309443cf8) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 5b07f07aa9..f892a40265 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -2025,8 +2025,12 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) return 0; } atom_size = bytestream2_get_be32u(&s->g); + if (atom_size < 16 || (int64_t)bytestream2_tell(&s->g) + atom_size - 16 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 16; } else { + if (atom_size < 8 || (int64_t)bytestream2_tell(&s->g) + atom_size - 8 > INT_MAX) + return AVERROR_INVALIDDATA; atom_end = bytestream2_tell(&s->g) + atom_size - 8; } From fa4ee8600805b063437ccf374697a2745a8c72e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 17:00:38 +0100 Subject: [PATCH 1007/1383] avformat/samidec: Sanity check pts Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: 29743/clusterfuzz-testcase-minimized-ffmpeg_dem_SAMI_fuzzer-5499256859394048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2014b0135293c41d261757bfa1aaba51653bab8e) Signed-off-by: Michael Niedermayer --- libavformat/samidec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index 678fac0e17..0824aee741 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -95,6 +95,11 @@ static int sami_read_header(AVFormatContext *s) const char *p = ff_smil_get_attr_ptr(buf.str, "Start"); sub->pos = pos; sub->pts = p ? strtol(p, NULL, 10) : 0; + if (sub->pts <= INT64_MIN/2 || sub->pts >= INT64_MAX/2) { + res = AVERROR_PATCHWELCOME; + goto end; + } + sub->duration = -1; } } From b4317e0a2b77f9ddebd7590baa3fe42990630b71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Nov 2020 21:42:23 +0100 Subject: [PATCH 1008/1383] avformat/flvdec: Treat high ts byte as unsigned Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 27516/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5152854660349952 Signed-off-by: Michael Niedermayer (cherry picked from commit f514113cfa9fc44d80086bb2a2b783e8026dc3a9) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 7eb85dde96..76d41b0c9b 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -1116,7 +1116,7 @@ retry_duration: avio_seek(s->pb, fsize - 3 - size, SEEK_SET); if (size == avio_rb24(s->pb) + 11) { uint32_t ts = avio_rb24(s->pb); - ts |= avio_r8(s->pb) << 24; + ts |= (unsigned)avio_r8(s->pb) << 24; if (ts) s->duration = ts * (int64_t)AV_TIME_BASE / 1000; else if (fsize >= 8 && fsize - 8 >= size) { From 47047bf6850fc98cad0024b1de4fd6509c22ef2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 22:04:37 +0100 Subject: [PATCH 1009/1383] avformat/rmdec: Check remaining space in debug av_log() loop Fixes: Timeout (long -> 2 ms) Fixes: 26709/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5665833403285504 Fixes: 27522/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6321071221112832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8fe78decd700afec461f06df4ce0d36f3e9cc4b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 4bcf8e59c0..dfc512e52c 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1291,8 +1291,11 @@ static int ivr_read_header(AVFormatContext *s) int j; av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "Duration", tlen)) { st->duration = avio_rb32(pb); From d4dc6d2041395dddf05f1e0cf62316577864297f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Nov 2020 00:22:39 +0100 Subject: [PATCH 1010/1383] avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() The buffer is read by using the bit reader Fixes: out of array read Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a7c648e2d85a59975cc88079975cf9f3306ed0a) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index a825c0f7c7..8abe07df61 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -68,7 +68,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav) int ret = ffio_ensure_seekback(s->pb, len); if (ret >= 0) { - uint8_t *buf = av_malloc(len); + uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE); if (!buf) { ret = AVERROR(ENOMEM); } else { From b713f01bb3b11eeea4c9f76959d15594fd8718c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 22:28:20 +0100 Subject: [PATCH 1011/1383] avcodec/pnm_parser: Check av_image_get_buffer_size() for failure Fixes: out of array access Fixes: 30135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-4997145650397184 Fixes: 30208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5605891665690624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5314a4996cc76e2a8534c74a66f5181e95ac64fc) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 9bf1fdcece..0d6c592b26 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -62,8 +62,10 @@ retry: } else if (pnmctx.type < 4) { next = END_NOT_FOUND; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start + skip - + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + next = pnmctx.bytestream - pnmctx.bytestream_start + skip; + if (ret >= 0) + next += ret; if (pnmctx.bytestream_start != buf + skip) next -= pc->index; if (next > buf_size) From a32db8ce15875d58c19c202ecf0bf203e6ffa4d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:21:53 +0100 Subject: [PATCH 1012/1383] avformat/r3d: Check samples before computing duration Fixes: signed integer overflow: -4611686024827895807 + -4611686016279904256 cannot be represented in type 'long' Fixes: 30161/clusterfuzz-testcase-minimized-ffmpeg_dem_R3D_fuzzer-5694406713802752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7a2aa5dc2af6c4fc66aaedd341b0886fbc746f0d) Signed-off-by: Michael Niedermayer --- libavformat/r3d.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 1f53d847e9..f4a5a99670 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -326,7 +326,8 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) pkt->stream_index = 1; pkt->dts = dts; - if (st->codecpar->sample_rate) + + if (st->codecpar->sample_rate && samples > 0) pkt->duration = av_rescale(samples, st->time_base.den, st->codecpar->sample_rate); av_log(s, AV_LOG_TRACE, "pkt dts %"PRId64" duration %"PRId64" samples %d sample rate %d\n", pkt->dts, pkt->duration, samples, st->codecpar->sample_rate); From 3d2dd0eaa7be4cbb21aeb7b828d0b8f99bbce43e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:40:21 +0100 Subject: [PATCH 1013/1383] avformat/electronicarts: Clear partial_packet on error Fixes: Infinite loop Fixes: 30165/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6224642371092480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 59bb9dc2a670cbe5d659585392b6d79f7bb6d40f) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 4c1b64cca9..2cfee81b6c 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -729,6 +729,7 @@ get_video_packet: ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) { packet_read = 1; + partial_packet = 0; break; } partial_packet = chunk_type == MVIh_TAG; From 245b7cd4c9f1e48de9ee8cc6fe7f7acab996895a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:00:40 +0100 Subject: [PATCH 1014/1383] avformat/nutdec: Check timebase count against main header length Fixes: Timeout (long -> 3ms) Fixes: 28514/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6078669009321984 Fixes: 30095/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-5074433016463360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c425198558826795d94af45eeb9d94e4436c9a0f) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0f6e4b21bb..e14d118bb8 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -193,13 +193,13 @@ static int decode_main_header(NUTContext *nut) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - uint64_t tmp, end; + uint64_t tmp, end, length; unsigned int stream_count; int i, j, count, ret; int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; - end = get_packetheader(nut, bc, 1, MAIN_STARTCODE); - end += avio_tell(bc); + length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); if (nut->version < NUT_MIN_VERSION || @@ -219,7 +219,7 @@ static int decode_main_header(NUTContext *nut) nut->max_distance = 65536; } - GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational)); + GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational) && tmp < length/2); nut->time_base = av_malloc_array(nut->time_base_count, sizeof(AVRational)); if (!nut->time_base) return AVERROR(ENOMEM); From 3b6a33b6606ec572e895d86be7d2436c30fe0056 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 19:28:15 +0100 Subject: [PATCH 1015/1383] avcodec/fits: Check gcount and pcount being non negative Fixes: signed integer overflow: 9223372036854775807 - -30069403896 cannot be represented in type 'long' Fixes: 30046/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5807144773484544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c000a9128815e7cee4316dc45605259bbaa138ff) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index 25c33e06c8..97fa7abe80 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -205,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) { header->groups = (c == 'T'); } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->gcount = t; } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->pcount = t; } dict_set_if_not_null(metadata, keyword, value); From 7b9e1a5fcf6ed6465ae7b772e2967c71b7778344 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:41:31 +0100 Subject: [PATCH 1016/1383] avformat/mov: Check element count in mov_metadata_hmmt() Fixes: Timeout Fixes: 30325/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6048395703746560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d277b92fa4c149d589e6828d4e18ad578406f1f) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5a1191a197..73c8ac952a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -288,6 +288,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) return 0; n_hmmt = avio_rb32(pb); + if (n_hmmt > len / 4) + return AVERROR_INVALIDDATA; for (i = 0; i < n_hmmt && !pb->eof_reached; i++) { int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); From 2273d721f526b16ccf9a5f4b16b9a6d30735db9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:52:17 +0100 Subject: [PATCH 1017/1383] avformat/rmdec: Check codec_length without overflow Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 30333/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5175286983426048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d558c9f2375fd2136d20422cb1119cfbf872abeb) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index dfc512e52c..29c83731cf 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -222,7 +222,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From a53c0d14ae2e9328cfb1a43b1cc481469fc59e2d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:16:25 +0100 Subject: [PATCH 1018/1383] avcodec/hapdec: Change compressed_offset to unsigned 32bit Fixes: out of array access Fixes: 29345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5401813482340352 Fixes: 30745/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5762798221131776 Suggested-by: Anton Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 89fe1935b18621af06587c76bcde6adcdc8f2249) Signed-off-by: Michael Niedermayer --- libavcodec/hap.h | 2 +- libavcodec/hapdec.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hap.h b/libavcodec/hap.h index bbeed11e32..00c3dbb32d 100644 --- a/libavcodec/hap.h +++ b/libavcodec/hap.h @@ -52,7 +52,7 @@ enum HapSectionType { typedef struct HapChunk { enum HapCompressor compressor; - int compressed_offset; + uint32_t compressed_offset; size_t compressed_size; int uncompressed_offset; size_t uncompressed_size; diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index 5ae182d7a4..c01fa8b4b9 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -105,6 +105,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size) size_t running_size = 0; for (i = 0; i < ctx->chunk_count; i++) { ctx->chunks[i].compressed_offset = running_size; + if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size) + return AVERROR_INVALIDDATA; running_size += ctx->chunks[i].compressed_size; } } @@ -186,7 +188,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx) HapChunk *chunk = &ctx->chunks[i]; /* Check the compressed buffer is valid */ - if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc)) + if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc)) return AVERROR_INVALIDDATA; /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed From 1506eb092b45245a0bab1b7be0d856649dc38dff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Dec 2020 01:06:46 +0100 Subject: [PATCH 1019/1383] avformat/microdvddec: use 64bit for durations Fixes: signed integer overflow: 7 - -2147483647 cannot be represented in type 'int' Fixes: 28036/clusterfuzz-testcase-minimized-ffmpeg_dem_MICRODVD_fuzzer-5171698751766528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f569ac4ce0514bf4e0dd768c5ed007c82548d326) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 4ba32fd3d9..ab2a64f1a5 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -65,12 +65,12 @@ static int64_t get_pts(const char *buf) return AV_NOPTS_VALUE; } -static int get_duration(const char *buf) +static int64_t get_duration(const char *buf) { int frame_start, frame_end; if (sscanf(buf, "{%d}{%d}", &frame_start, &frame_end) == 2) - return frame_end - frame_start; + return frame_end - (int64_t)frame_start; return -1; } From 0fb1a9f6ecfc753824b707a4c251b5abe37acd0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Dec 2020 01:24:42 +0100 Subject: [PATCH 1020/1383] avformat/voc_packet: Add a basic check on max_size Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 28127/clusterfuzz-testcase-minimized-ffmpeg_dem_VOC_fuzzer-4880586455646208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52f75181bfada2b4b127e744674591c7753c4b7d) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 1e2e19e1c3..9d7d2025cd 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -44,6 +44,8 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) AVINDEX_KEYFRAME); while (!voc->remaining_size) { + if (max_size < 4) + max_size = 0; type = avio_r8(pb); if (type == VOC_TYPE_EOF) return AVERROR_EOF; From ec231f9662235405fe6d19e12b4d2d4d983d1623 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Dec 2020 22:19:22 +0100 Subject: [PATCH 1021/1383] avformat/aadec: Check for EOF while reading chapters Fixes: timeout Fixes: 28199/clusterfuzz-testcase-minimized-ffmpeg_dem_AA_fuzzer-4896162657861632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcc7d14453ea2bafa6569a07002943808f2a396a) Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index df0310c5ac..ed5fed063c 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -223,7 +223,8 @@ static int aa_read_header(AVFormatContext *s) while ((chapter_pos = avio_tell(pb)) >= 0 && chapter_pos < c->content_end) { int chapter_idx = s->nb_chapters; uint32_t chapter_size = avio_rb32(pb); - if (chapter_size == 0) break; + if (chapter_size == 0 || avio_feof(pb)) + break; chapter_pos -= start + CHAPTER_HEADER_SIZE * chapter_idx; avio_skip(pb, 4 + chapter_size); if (!avpriv_new_chapter(s, chapter_idx, st->time_base, From 9a797b31d0f913f1ac5c52ccf6e9e20c8f5e7ff4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2020 00:08:46 +0100 Subject: [PATCH 1022/1383] avformat/mov: Extend data_size check in mov_read_udta_string() Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int' Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c4c539538e36d8df02de2484b045010d292f2c) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 73c8ac952a..7e392b8001 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -404,7 +404,7 @@ retry: if (c->itunes_metadata && atom.size > 8) { int data_size = avio_rb32(pb); int tag = avio_rl32(pb); - if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) { + if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) { data_type = avio_rb32(pb); // type avio_rb32(pb); // unknown str_size = data_size - 16; From b14418c0cb8b7246800ef4240013327c53702c21 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Mar 2021 23:24:37 +0100 Subject: [PATCH 1023/1383] avcodec/alsdec: Check bitstream input in read_block() Fixes: Timeout Fixes: 28110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5036338973507584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53d739db4e528388fae89459e887a633ffbce12c) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 0fd7278ad8..6f3311356d 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1015,6 +1015,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) ALSSpecificConfig *sconf = &ctx->sconf; *bd->shift_lsbs = 0; + + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + // read block type flag and read the samples accordingly if (get_bits1(gb)) { ret = read_var_block_data(ctx, bd); From f48e4903fb82a38dff61a8df884da3c869d01697 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:03 +0100 Subject: [PATCH 1024/1383] avformat/dcstr: Check sample rate Fixes: signed integer overflow: -1300248894420254720 * 16 cannot be represented in type 'long' Fixes: 30879/clusterfuzz-testcase-minimized-ffmpeg_dem_DCSTR_fuzzer-5094464215449600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fdcb966f4a3c6f872891b8dd554e3652b9e02d4f) Signed-off-by: Michael Niedermayer --- libavformat/dcstr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 6035dd4334..8bcafc7663 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c @@ -43,6 +43,8 @@ static int dcstr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); align = avio_rl32(s->pb); avio_skip(s->pb, 4); From 584afd367824e65064bb7c8b2f2bd26a7c7546c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:04 +0100 Subject: [PATCH 1025/1383] avformat/aiffdec: Check that SSND is at least 8 bytes Fixes: Infinite loop Fixes: 30874/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5933710488764416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 460d3dc41f57a6dcefbd72db6e2e368fee05340b) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 82cfa22881..39343dab0f 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -284,6 +284,8 @@ static int aiff_read_header(AVFormatContext *s) get_meta(s, "comment" , size); break; case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */ + if (size < 8) + return AVERROR_INVALIDDATA; aiff->data_end = avio_tell(pb) + size; offset = avio_rb32(pb); /* Offset of sound data */ avio_rb32(pb); /* BlockSize... don't care */ From 3366136aeb8faf54bc5d71dc917dc52931b15e27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 21:11:05 +0100 Subject: [PATCH 1026/1383] avutil/parseutils: Check sign in av_parse_time() Fixes: signed integer overflow: -9223372053736 * 1000000 cannot be represented in type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6607924558430208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d7f17e885ef3a7aae2035bed54604938d83e98d) Signed-off-by: Michael Niedermayer --- libavutil/parseutils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavutil/parseutils.c b/libavutil/parseutils.c index 59bec6cc9d..c5cf717f30 100644 --- a/libavutil/parseutils.c +++ b/libavutil/parseutils.c @@ -736,12 +736,14 @@ int av_parse_time(int64_t *timeval, const char *timestr, int duration) if (*q) return AVERROR(EINVAL); - if (INT64_MAX / suffix < t) + if (INT64_MAX / suffix < t || t < INT64_MIN / suffix) return AVERROR(ERANGE); t *= suffix; if (INT64_MAX - microseconds < t) return AVERROR(ERANGE); t += microseconds; + if (t == INT64_MIN && negative) + return AVERROR(ERANGE); *timeval = negative ? -t : t; return 0; } From 183fca09b08c56cbd8a27a80996170537f0c2a6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:12 +0200 Subject: [PATCH 1027/1383] avcodec/exr: skip bottom clearing loop when its outside the image Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in type 'int' Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ec1967ad0c..6e3e84d175 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1821,10 +1821,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks); // Zero out the end if ymax+1 is not h - ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); - for (y = s->ymax + 1; y < avctx->height; y++) { - memset(ptr, 0, out_line_size); - ptr += picture->linesize[0]; + if ((s->ymax+1) < avctx->height) { + ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); + for (y = s->ymax + 1; y < avctx->height; y++) { + memset(ptr, 0, out_line_size); + ptr += picture->linesize[0]; + } } picture->pict_type = AV_PICTURE_TYPE_I; From d958e1bd1c303efc5ec0757237b9a9975f669ecc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 22:08:25 +0100 Subject: [PATCH 1028/1383] avformat/lxfdec: Fix multiple integer overflows related to track_size Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_LXF_fuzzer-6634030636335104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7819412f4468514a2bab924291d79806a569388c) Signed-off-by: Michael Niedermayer --- libavformat/lxfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/lxfdec.c b/libavformat/lxfdec.c index 9b3eb6a650..b544966f5a 100644 --- a/libavformat/lxfdec.c +++ b/libavformat/lxfdec.c @@ -195,7 +195,7 @@ static int get_packet_header(AVFormatContext *s) return AVERROR_PATCHWELCOME; } - samples = track_size * 8 / st->codecpar->bits_per_coded_sample; + samples = track_size * 8LL / st->codecpar->bits_per_coded_sample; //use audio packet size to determine video standard //for NTSC we have one 8008-sample audio frame per five video frames @@ -210,6 +210,8 @@ static int get_packet_header(AVFormatContext *s) avpriv_set_pts_info(s->streams[0], 64, 1, 25); } + if (av_popcount(channels) * (uint64_t)track_size > INT_MAX) + return AVERROR_INVALIDDATA; //TODO: warning if track mask != (1 << channels) - 1? ret = av_popcount(channels) * track_size; From 90205d2107316e9d68b19f4d450cdbd2546fffaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 23:56:43 +0100 Subject: [PATCH 1029/1383] avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() Fixes: negation of -2147483648 cannot be represented in type 'INTFLOAT' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 29057/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5642758933053440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 633924539aae73714facf31aa7001d01e8be48a1) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 921ba76cd7..fd7c005c20 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2807,7 +2807,7 @@ static void imdct_and_windowing_ld(AACContext *ac, SingleChannelElement *sce) static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce) { - INTFLOAT *in = sce->coeffs; + UINTFLOAT *in = sce->coeffs; INTFLOAT *out = sce->ret; INTFLOAT *saved = sce->saved; INTFLOAT *buf = ac->buf_mdct; From c7476379197ec5acd288ad616418037bccecaf17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:11:34 +0100 Subject: [PATCH 1030/1383] avformat/paf: Check for EOF before allocation in read_header() Fixes: OOM Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb1e9d3b9b97359e01e5978067c8ee558efa8b4) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/paf.c b/libavformat/paf.c index a2d411c2f6..47b61c226a 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -136,6 +136,10 @@ static int read_header(AVFormatContext *s) p->start_offset = avio_rl32(pb); p->max_video_blks = avio_rl32(pb); p->max_audio_blks = avio_rl32(pb); + + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if (p->buffer_size < 175 || p->max_audio_blks < 2 || p->max_video_blks < 1 || From b2c3461b57dbe6f5f0a5e74d69b31b4b4a2b71bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 16:50:10 +0100 Subject: [PATCH 1031/1383] avformat/flvdec: Check double before cast in parse_keyframes_index() Fixes: -2.21166e+304 is outside the range of representable values of type 'long' Fixes: 29169/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5725452796821504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09e5e406c7b9d7c1ee97ebae1476a2f68e6a90d1) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 76d41b0c9b..d2d9b5bd43 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -428,9 +428,13 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m } for (i = 0; i < arraylen && avio_tell(ioc) < max_pos - 1; i++) { + double d; if (avio_r8(ioc) != AMF_DATA_TYPE_NUMBER) goto invalid; - current_array[0][i] = av_int2double(avio_rb64(ioc)); + d = av_int2double(avio_rb64(ioc)); + if (isnan(d) || d < INT64_MIN || d > INT64_MAX) + goto invalid; + current_array[0][i] = d; } if (times && filepositions) { // All done, exiting at a position allowing amf_parse_object From a0bda2923b0426984c6ed9d9ce127c6a165f9361 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:09:36 +0100 Subject: [PATCH 1032/1383] avcodec/dcadsp: Fix integer overflow in dmix_add_c() Fixes: signed integer overflow: 1515225320 + 759416059 cannot be represented in type 'int' Fixes: 29256/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_fuzzer-5719088561258496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4ebf483bcbf2e5db6bd29607142741f62598b4e) Signed-off-by: Michael Niedermayer --- libavcodec/dcadsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index fade1a6c02..f97874fbe6 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -328,7 +328,7 @@ static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] += mul15(src[i], coeff); + dst[i] += (unsigned)mul15(src[i], coeff); } static void dmix_scale_c(int32_t *dst, int scale, ptrdiff_t len) From 6505b2f7a80a6a10f4f19fbed195d16fc4d350f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Mar 2021 21:39:30 +0100 Subject: [PATCH 1033/1383] avcodec/4xm: Check pre_gb in decode_i_block() Fixes: Timeout Fixes: 31257/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5150866229297152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b87781649e2862d07fcb8d322289d89b47a530b6) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 2ee742fccd..5321b103af 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -498,8 +498,8 @@ static int decode_i_block(FourXContext *f, int16_t *block) { int code, i, j, level, val; - if (get_bits_left(&f->gb) < 2){ - av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); + if (get_bits_left(&f->pre_gb) < 2) { + av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb)); return AVERROR_INVALIDDATA; } From 4393c27e190a921a6b3b7922435cad8cf6daf6ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 21:22:11 +0100 Subject: [PATCH 1034/1383] avcodec/ffv1dec: Check if trailer is available Fixes: out of array read Fixes: 29750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4808377272238080.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 36ad2f41e30ad9f2a8ead76e0b1526b9712f0925) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 07933d6f9f..2ff749ffa4 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -893,8 +893,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int trailer = 3 + 5*!!f->ec; int v; - if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer; - else v = buf_p - c->bytestream_start; + if (i || f->version > 2) { + if (trailer > buf_p - buf) v = INT_MAX; + else v = AV_RB24(buf_p-trailer) + trailer; + } else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); ff_thread_report_progress(&f->picture, INT_MAX, 0); From 161717ee5aaec312d683f1cc9832b510135f16b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Mar 2021 00:55:38 +0100 Subject: [PATCH 1035/1383] avcodec/flacdec: Avoid undefined shift in error case Fixes: flac_1040988 Reported-by: Thomas Guilbert Reviewed-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit bd525e2876bef428e896b8da5e5b5507451f4ed5) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c8eb456049..8de8ebd80e 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -262,7 +262,7 @@ static int decode_residuals(FLACContext *s, int32_t *decoded, int pred_order) } else { int real_limit = tmp ? (INT_MAX >> tmp) + 2 : INT_MAX; for (; i < samples; i++) { - int v = get_sr_golomb_flac(&gb, tmp, real_limit, 0); + int v = get_sr_golomb_flac(&gb, tmp, real_limit, 1); if (v == 0x80000000){ av_log(s->avctx, AV_LOG_ERROR, "invalid residual\n"); return AVERROR_INVALIDDATA; From 7560bd30bad9529e89f9bfd8308039bbee2c9edd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Feb 2021 20:20:48 +0100 Subject: [PATCH 1036/1383] avformat/mvi: Check audio size for more overflows Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 403b35e16e16a8c4a13e531ccdc23598f685ca20) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 0b53473671..6aad6cb86a 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -119,6 +119,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; From 4f813f7f132dca891d805936e730295953b598e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Mar 2021 13:44:12 +0100 Subject: [PATCH 1037/1383] avutil/timecode: Avoid fps overflow Fixes: Integer overflow and division by 0 Fixes: poc-202102-div.mov Found-by: 1vanChen of NSFOCUS Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c94875471e3ba3dc396c6919ff3ec9b14539cd71) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 76163d5553..f029f25839 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -96,8 +96,8 @@ char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) } ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600); + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL); if (tc->flags & AV_TIMECODE_FLAG_24HOURSMAX) hh = hh % 24; snprintf(buf, AV_TIMECODE_STR_SIZE, "%s%02d:%02d:%02d%c%02d", From 6f711672d6e7204a81de614a242e933fad94ed12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:47:06 +0100 Subject: [PATCH 1038/1383] avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() Fixes: memleak Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 337984c13327bc67e1e9e3e9bfd743cfbfbc42f8) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 9d7d2025cd..e5ae0be1de 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -51,14 +51,22 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) return AVERROR_EOF; voc->remaining_size = avio_rl24(pb); if (!voc->remaining_size) { + int64_t filesize; if (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); - voc->remaining_size = avio_size(pb) - avio_tell(pb); + filesize = avio_size(pb); + if (filesize - avio_tell(pb) > INT_MAX) + return AVERROR_INVALIDDATA; + voc->remaining_size = filesize - avio_tell(pb); } max_size -= 4; switch (type) { case VOC_TYPE_VOICE_DATA: + if (voc->remaining_size < 2) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = 1000000 / (256 - avio_r8(pb)); if (sample_rate) @@ -87,6 +95,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) break; case VOC_TYPE_NEW_VOICE_DATA: + if (voc->remaining_size < 12) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = avio_rl32(pb); avpriv_set_pts_info(st, 64, 1, par->sample_rate); From 4c0931688683348201d1c4434787f359a4d05e0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:07:13 +0100 Subject: [PATCH 1039/1383] avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() Fixes: Timeout Fixes: 30912/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5556235476795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a3fea802a3e4274dbe084d372ec8aeab3932b3e) Signed-off-by: Michael Niedermayer --- libavcodec/jpegls.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpegls.h b/libavcodec/jpegls.h index 6b89b2afa3..a317871225 100644 --- a/libavcodec/jpegls.h +++ b/libavcodec/jpegls.h @@ -99,7 +99,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q) static inline int ff_jpegls_update_state_regular(JLSState *state, int Q, int err) { - if(FFABS(err) > 0xFFFF) + if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q]) return -0x10000; state->A[Q] += FFABS(err); err *= state->twonear; From 727711d842ceb8490d37cc4f6b0080f185f748b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Feb 2021 19:55:03 +0100 Subject: [PATCH 1040/1383] avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS Fixes: signed integer overflow: 1172577312 * 2 cannot be represented in type 'int' Fixes: 29924/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-4882912874594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f441b9063281d8ef5d4c30b10379d08aad8924f) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index b9db5f6465..959e50eaab 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1712,7 +1712,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_RAD: return blocks * ((ba - 4 * ch) * 2 / ch); case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2 / ch); + return blocks * (2 + (ba - 7 * ch) * 2LL / ch); case AV_CODEC_ID_ADPCM_MTAF: return blocks * (ba - 16) * 2 / ch; } From 7b660aa875dcedaca8cf01066a7f03e3ef9ccdb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Jan 2021 21:18:36 +0100 Subject: [PATCH 1041/1383] avformat/matroskadec: Check for EOF in resync loop Fixes: Timeout (too long -> instantly) Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5282147d0c92ac821e85b93e2db6704f4720e0c1) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 98913dfdb6..5a83e8af89 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2653,6 +2653,8 @@ static int matroska_read_header(AVFormatContext *s) goto fail; pos = avio_tell(matroska->ctx->pb); res = ebml_parse(matroska, matroska_segment, matroska); + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF + goto fail; } matroska_execute_seekhead(matroska); From 4760b9d04849c5138f0beb59d3397460a5998eba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Mar 2021 13:14:39 +0100 Subject: [PATCH 1042/1383] avcodec/speedhq: Width < 8 is not supported Fixes: out of array access Fixes: 31733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4704307963363328 Fixes: 31736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6190960292790272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462b8261aa3c4f9844b2e050c74b9a2018e3649d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 890b8253cd..948b813f7f 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4) + if (buf_size < 4 || avctx->width < 8) return AVERROR_INVALIDDATA; quality = buf[0]; From 6bb271c52675de962dfe9660da555c599a77d2bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Mar 2021 16:30:08 +0100 Subject: [PATCH 1043/1383] avcodec/mpeg4videoenc: Check extradata malloc() Fixes: Null pointer dereference Fixes: any mpeg4 testcase which fails the malloc at that exact spot Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 33a1687bf623cdd5c6ffe8f63024d22ed20b4ead) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 2cd5a8c015..2d9d6cd654 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -1306,6 +1306,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (s->avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { s->avctx->extradata = av_malloc(1024); + if (!s->avctx->extradata) + return AVERROR(ENOMEM); init_put_bits(&s->pb, s->avctx->extradata, 1024); if (!(s->workaround_bugs & FF_BUG_MS)) From 64a715b5ed457bf4533a5fe717256088d5959cae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Mar 2021 20:27:50 +0100 Subject: [PATCH 1044/1383] avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() Fixes: signed integer overflow: 2314885530818453536 - -9070214327174160352 cannot be represented in type 'long' Fixes: 31000/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-6558389742206976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit be08b84f8bb7acc0c45800c7f488399327a22961) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index d92bb38c45..a7bb351ee5 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -188,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b) static uint64_t phi_at(struct ws_interval *in, int64_t ts) { - uint64_t dt = ts - in->ts_start; + uint64_t dt = ts - (uint64_t)in->ts_start; uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */ dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1); return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi; From c450dcc5e2b95eb54f6a702b853958fe5b5f72da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Mar 2021 23:39:04 +0100 Subject: [PATCH 1045/1383] avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() Fixes: signed integer overflow: 2 * 1914708000 cannot be represented in type 'int' Fixes: 31639/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6303428239294464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d35677736a59ec6579b4da63d9b1444986ba339e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7e392b8001..370fbc8e78 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2222,7 +2222,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, } bits_per_sample = av_get_bits_per_sample(st->codecpar->codec_id); - if (bits_per_sample) { + if (bits_per_sample && (bits_per_sample >> 3) * (uint64_t)st->codecpar->channels <= INT_MAX) { st->codecpar->bits_per_coded_sample = bits_per_sample; sc->sample_size = (bits_per_sample >> 3) * st->codecpar->channels; } From d4d9c117ebd99123a55025c605c33c8a321876b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 10:59:19 +0100 Subject: [PATCH 1046/1383] avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb Fixes: null pointer dereference Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f733688d30021587c3f3a1b280d6ece8b04f26ff) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 5d67707994..17adc94228 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1256,7 +1256,7 @@ start_sync: AVStream *st1 = s->streams[1]; AVIStream *ast1 = st1->priv_data; // workaround for broken small-file-bug402.avi - if ( d[2] == 'w' && d[3] == 'b' + if (ast1 && d[2] == 'w' && d[3] == 'b' && n == 0 && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO From 61f87c7207b5d468b540526baa483bb3ee91f00f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 18:01:52 +0100 Subject: [PATCH 1047/1383] avformat/movenc: Avoid loosing cluster array on failure Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 5c2ff44f915d6ceeea36a2f99e534562764218dd) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 1028138a5e..1117781a28 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5393,11 +5393,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (trk->entry >= trk->cluster_capacity) { unsigned new_capacity = 2 * (trk->entry + MOV_INDEX_CLUSTER_SIZE); - if (av_reallocp_array(&trk->cluster, new_capacity, - sizeof(*trk->cluster))) { + void *cluster = av_realloc_array(trk->cluster, new_capacity, sizeof(*trk->cluster)); + if (!cluster) { ret = AVERROR(ENOMEM); goto err; } + trk->cluster = cluster; trk->cluster_capacity = new_capacity; } From 322a0a6dd2a2a5f3df10b8b2453ee0494d03741a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 17:02:36 +0100 Subject: [PATCH 1048/1383] avcodec/h264_slice: Check sps in h264_slice_header_init() Fixes: null pointer dereference Fixes: h264_slice_header_init.mp4 Found-by: Rafael Dutra Tested-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 80472438996ed1928b30f6ac4e0d17a492de2cdf) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 272f3b00a4..3037ce1c69 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -920,6 +920,11 @@ static int h264_slice_header_init(H264Context *h) const SPS *sps = h->ps.sps; int i, ret; + if (!sps) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + ff_set_sar(h->avctx, sps->sar); av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt, &h->chroma_x_shift, &h->chroma_y_shift); From a8cfab28cbe59df847749fb6ee8a4bc096ff6bbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:58:53 +0100 Subject: [PATCH 1049/1383] avformat/flvdec: Check array entry number Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5d8fe1c874947ca67ee8117b18f8052f0e590fc) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index d2d9b5bd43..a2fa275b7e 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -835,6 +835,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) parse_name = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = avio_rb32(pb); + if (nb < 0) + return AVERROR_INVALIDDATA; case AMF_DATA_TYPE_OBJECT: while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) { if (parse_name) { From 7d5b285e73de83867169299ab4e8a38823a8e8b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:05:17 +0100 Subject: [PATCH 1050/1383] avcodec/sonic: Use unsigned temporary in predictor_calc_error() Fixes: signed integer overflow: -2147471366 - 18638 cannot be represented in type 'int' Fixes: 30157/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5171199746506752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 075d793ba87635b77f8302d8a454fa681f90d267) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 2dc04846ab..9498919d2f 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -475,13 +475,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); + x -= (unsigned)shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) { - x -= shift_down(k[i] * state[i], LATTICE_SHIFT); + x -= (unsigned)shift_down(k[i] * state[i], LATTICE_SHIFT); state[i+1] = state[i] + shift_down(k[i] * x, LATTICE_SHIFT); } #endif From 0a8717e4b3a2b545a58b69ece8c097277b6eaf26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Mar 2021 19:21:35 +0100 Subject: [PATCH 1051/1383] avformat/cafdec: Do not build an index if all packets are the same Fixes: Timeout Fixes: 28214/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6495999421579264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea12590c8ecc1e3c4c7732e5adced21fb5feffa6) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 70005aa3d0..197001667c 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -206,15 +206,20 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->nb_frames += avio_rb32(pb); /* priming frames */ st->nb_frames += avio_rb32(pb); /* remainder frames */ - st->duration = 0; - for (i = 0; i < num_packets; i++) { - if (avio_feof(pb)) - return AVERROR_INVALIDDATA; - ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); - if (ret < 0) - return ret; - pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); - st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { + st->duration = caf->frames_per_packet * num_packets; + pos = caf-> bytes_per_packet * num_packets; + } else { + st->duration = 0; + for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; + pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); + st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + } } if (avio_tell(pb) - ccount > size) { From 4779c0ea924e13f66558d02eb42e9f645ac476ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Mar 2021 00:30:45 +0100 Subject: [PATCH 1052/1383] avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid Fixes: signed integer overflow: 539033600 - -1910497124 cannot be represented in type 'int' Fixes: 30928/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5922630966312960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f74661543c0c336e88846f90608fda7bd12deac) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 6f4d266992..babe49dcac 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -818,6 +818,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 92) + return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; } @@ -832,6 +834,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 76) + return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; } From fb9905d7eb3d57c5b06d75ea80af82ef397b39ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Mar 2021 09:47:43 +0100 Subject: [PATCH 1053/1383] avutil/common: Add FF_PTR_ADD() Suggested-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 522a5259e9cc17faf1f83c9cfb93c960a2ecf8a2) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/internal.h b/libavutil/internal.h index 06bd561e82..2ff87d46a4 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -173,6 +173,8 @@ }\ } +#define FF_PTR_ADD(ptr, off) ((off) ? (ptr) + (off) : (ptr)) + #include "libm.h" /** From 2d99005df746c27a28f14645f4080e03c65c616b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:43:45 +0100 Subject: [PATCH 1054/1383] avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() Found-by: Jeremy Leconte Signed-off-by: Michael Niedermayer (cherry picked from commit 1cf96ce269364e3c2b4ec2097f121ad42b336839) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index f741419e7e..4182e115ff 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -388,8 +388,8 @@ static int scale_slice(AVFilterLink *link, AVFrame *out_buf, AVFrame *cur_pic, s int vsub= ((i+1)&2) ? scale->vsub : 0; in_stride[i] = cur_pic->linesize[i] * mul; out_stride[i] = out_buf->linesize[i] * mul; - in[i] = cur_pic->data[i] + ((y>>vsub)+field) * cur_pic->linesize[i]; - out[i] = out_buf->data[i] + field * out_buf->linesize[i]; + in[i] = FF_PTR_ADD(cur_pic->data[i], ((y>>vsub)+field) * cur_pic->linesize[i]); + out[i] = FF_PTR_ADD(out_buf->data[i], field * out_buf->linesize[i]); } if(scale->input_is_pal) in[1] = cur_pic->data[1]; From 930f1fcccd502a74fecb4650781dcd788ba6b4c6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 17:29:23 +0100 Subject: [PATCH 1055/1383] avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long' Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b37ff29e0e093b15585e9fb44bbd82bdf14b5230) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index c237b1f0da..0b628ceeaa 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1288,7 +1288,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From cf8fa41490698922020a54152c6889fc0b2a8c0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Mar 2021 17:03:08 +0100 Subject: [PATCH 1056/1383] avformat/mov: Ignore multiple STSC / STCO Fixes: STSC / STCO inconsistency and assertion failure Fixes: crbug1184666.mp4 Found-by: Chromium ASAN fuzzer Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2611d20d353026f996cb9aaced8b35db37f490d4) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 370fbc8e78..63fb813654 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2000,8 +2000,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->chunk_offsets) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STCO atom\n"); + if (sc->chunk_offsets) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); + return 0; + } av_free(sc->chunk_offsets); sc->chunk_count = 0; sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); @@ -2647,8 +2649,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->stsc_data) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STSC atom\n"); + if (sc->stsc_data) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STSC atom\n"); + return 0; + } av_free(sc->stsc_data); sc->stsc_count = 0; sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); From f46a15a82dc5d479bbf8e6e8e01754b5c5cd9daa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Mar 2021 15:22:35 +0100 Subject: [PATCH 1057/1383] avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() Fixes: out of array access Fixes: 31201/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4627865612189696.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87d87e6587deec1fa8ed5f5c6901535becdb0358) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index d4d3bea649..f85a75ade8 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1087,6 +1087,13 @@ int ff_mpv_common_frame_size_change(MpegEncContext *s) (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; + /* set chroma shifts */ + err = av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); + if (err < 0) + return err; + if ((err = init_context_frame(s))) goto fail; From 3d7e6dbaf3c650f247d9e93a0236b885c049e5f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 14:36:28 +0100 Subject: [PATCH 1058/1383] avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit ceae92cb291c2536a93482cdf3c1ae3f7330b924) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 3037ce1c69..129bb38c4a 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -296,9 +296,8 @@ int ff_h264_update_thread_context(AVCodecContext *dst, if (dst == src) return 0; - // We can't fail if SPS isn't set at it breaks current skip_frame code - //if (!h1->ps.sps) - // return AVERROR_INVALIDDATA; + if (inited && !h1->ps.sps) + return AVERROR_INVALIDDATA; if (inited && (h->width != h1->width || From 7274684a29091a99cb68abe0de8dfbbd9acd8fd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 11:03:56 +0200 Subject: [PATCH 1059/1383] avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf2fd9204b3c707d9e414583b043ee88b8e8c52e) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 29c83731cf..12c656879e 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -295,7 +295,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, ast->deint_id == DEINT_ID_GENR || ast->deint_id == DEINT_ID_SIPR) { if (st->codecpar->block_align <= 0 || - ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || + ast->audio_framesize * (uint64_t)sub_packet_h > (unsigned)INT_MAX || ast->audio_framesize * sub_packet_h < st->codecpar->block_align) return AVERROR_INVALIDDATA; if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) From 54d921f1594e2e739477f5706fe05b179b44fd67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 12:36:08 +0200 Subject: [PATCH 1060/1383] avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() Fixes: null pointer dereference Fixes: 32113/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-4803262287052800 Same as 0c48c332eeb2866d9353125f701e099c48889463 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 497ea04dbda78d4eb9cffd208737b676f838725c) Signed-off-by: Michael Niedermayer --- libavcodec/h265_metadata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h265_metadata_bsf.c b/libavcodec/h265_metadata_bsf.c index 26eb2d05d0..daf0b9e7ce 100644 --- a/libavcodec/h265_metadata_bsf.c +++ b/libavcodec/h265_metadata_bsf.c @@ -254,7 +254,7 @@ static int h265_metadata_filter(AVBSFContext *bsf, AVPacket *out) } // If an AUD is present, it must be the first NAL unit. - if (au->units[0].type == HEVC_NAL_AUD) { + if (au->nb_units && au->units[0].type == HEVC_NAL_AUD) { if (ctx->aud == REMOVE) ff_cbs_delete_unit(ctx->cbc, au, 0); } else { From 5213143514001604562590e6cf2e8c030948e9ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 13:22:14 +0200 Subject: [PATCH 1061/1383] avcodec/pnm_parser: Check image size addition for overflow Fixes: assertion failure Fixes: out of array access Fixes: 32664/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6533642202513408.fuzz Fixes: 32669/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6001928875147264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79ac8d55468adc9cb9a0908e671807a2a789b7d0) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 0d6c592b26..efaee6c2c3 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -64,7 +64,7 @@ retry: } else { int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); next = pnmctx.bytestream - pnmctx.bytestream_start + skip; - if (ret >= 0) + if (ret >= 0 && next + (uint64_t)ret <= INT_MAX) next += ret; if (pnmctx.bytestream_start != buf + skip) next -= pc->index; From 1630c9e0b6e62a2ec03533a95d8bea7b4fc72183 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Apr 2021 21:04:12 +0200 Subject: [PATCH 1062/1383] avcodec/dpx: Check bits_per_color earlier Fixes: shift exponent 251 is too large for 32-bit type 'int' Fixes: 32147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5519111675314176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c093eb30311b7148a4da1c7555498187c8cdf0db) Signed-off-by: Michael Niedermayer --- libavcodec/dpx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index cf23bb6ba1..5f47b9e341 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -175,6 +175,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (bits_per_color > 32) + return AVERROR_INVALIDDATA; + buf += 820; avctx->sample_aspect_ratio.num = read32(&buf, endian); avctx->sample_aspect_ratio.den = read32(&buf, endian); From 05954971bae8700ab7961156d04b8ad6cefa4467 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Apr 2021 22:46:13 +0200 Subject: [PATCH 1063/1383] avformat/cafdec: Check channels Fixes: signed integer overflow: -1184429040541376544 * 32 cannot be represented in type 'long' Fixes: 31788/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6236746338664448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 641c1db22bb27752b925293ad93f68843baa43bf) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 197001667c..4817b90b0b 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -79,7 +79,7 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); - if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || st->codecpar->channels < 0) return AVERROR_INVALIDDATA; /* calculate bit rate for constant size packets */ From dcdb7d2dabed024f1a56a7f8b7b58739c6e20dbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Apr 2021 20:32:55 +0200 Subject: [PATCH 1064/1383] avcodec/utils: Check ima wav duration for overflow Fixes: signed integer overflow: 44331634 * 65 cannot be represented in type 'int' Fixes: 32120/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5760221223583744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f40e9b13554d88cbdd6cd2b4a3da2cbea9590f5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 959e50eaab..43af7fbc36 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1700,11 +1700,15 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; + int64_t tmp; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + if (tmp != (int)tmp) + return 0; + return tmp; case AV_CODEC_ID_ADPCM_IMA_DK3: return blocks * (((ba - 16) * 2 / 3 * 4) / ch); case AV_CODEC_ID_ADPCM_IMA_DK4: From b655cebd913d24a9e304f843103268eba2c4ce99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Apr 2021 20:08:22 +0200 Subject: [PATCH 1065/1383] avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() Fixes: Timeout Fixes: 32886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4779761466474496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b3881f0da6da00cb6b5b123328e2fbfca936c47) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 2a1d2bc3f6..400458b994 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -224,7 +224,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, run = 0; mode = !mode; } else if ((int)t == -1) { - if (show_bits(gb, 12) == 15) { + if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) { int ret; skip_bits(gb, 12); ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode); From 06342bca35e7963c03414ddd8e1670566eecfc0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:41 +0200 Subject: [PATCH 1066/1383] avformat/wtvdec: Improve size overflow checks in parse_chunks() Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit f8ec1da8ac8e3daf2403e744f166ea9557b2d333) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index babe49dcac..9ec20c1d37 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -818,7 +818,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 92) + if (size < 0 || size > INT_MAX - 92 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; @@ -834,7 +834,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 76) + if (size < 0 || size > INT_MAX - 76 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; From 588c22d057e9469c46af042408facd8b07e5a4aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:44 +0200 Subject: [PATCH 1067/1383] avformat/id3v2: Check end for overflow in id3v2_parse() Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long' Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efdb56450418933965dc6e27f0b1625d25e44a8c) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 3aa88a59f0..b99ea60533 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -828,7 +828,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; @@ -840,6 +840,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_unused int uncompressed_buffer_size = 0; const char *comm_frame; + if (end > INT64_MAX - len - 10) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { From c1d8652b5bcb33e5f08cbfdba51bde0faac8e482 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:16:20 +0200 Subject: [PATCH 1068/1383] avformat/asfdec_o: Use ff_get_extradata() Fixes: OOM Fixes: 27240/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5937469859823616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 098314e1e5142aa2b53dc5371a9d01eb09ddd30f) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 7d60b37b21..40a24b15df 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -694,7 +694,7 @@ static int asf_read_properties(AVFormatContext *s, const GUIDParseTable *g) return 0; } -static int parse_video_info(AVIOContext *pb, AVStream *st) +static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream *st) { uint16_t size_asf; // ASF-specific Format Data size uint32_t size_bmp; // BMP_HEADER-specific Format Data size @@ -709,19 +709,10 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE && - size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { - int ret; - st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; - if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + - AV_INPUT_BUFFER_PADDING_SIZE))) { - st->codecpar->extradata_size = 0; - return AVERROR(ENOMEM); - } - memset(st->codecpar->extradata + st->codecpar->extradata_size , 0, - AV_INPUT_BUFFER_PADDING_SIZE); - if ((ret = avio_read(pb, st->codecpar->extradata, - st->codecpar->extradata_size)) < 0) + if (size_bmp > BMP_HEADER_SIZE) { + int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - BMP_HEADER_SIZE); + + if (ret < 0) return ret; } return 0; @@ -802,7 +793,7 @@ static int asf_read_stream_properties(AVFormatContext *s, const GUIDParseTable * break; case AVMEDIA_TYPE_VIDEO: asf_st->type = AVMEDIA_TYPE_VIDEO; - if ((ret = parse_video_info(pb, st)) < 0) + if ((ret = parse_video_info(s, pb, st)) < 0) return ret; break; default: From 93506a7bf7a4461cb5fe1e5f507ee3cfa8653be3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 May 2021 15:49:55 +0200 Subject: [PATCH 1069/1383] avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent Fixes: tickets/3933/128.jls Signed-off-by: Michael Niedermayer (cherry picked from commit 011006874cb46325b6bc83234f81879ff421c05f) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index de1875ce30..a8d9eaa18a 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; for (i=s->palette_index; i<=maxtab; i++) { uint8_t k = i << shift; - pal[k] = 0; + pal[k] = wt < 4 ? 0xFF000000 : 0; for (j=0; jgb, 8) << (8*(wt-j-1)); } From 3767b14c7ee4344c8ab805ccb4f6411efd442c58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Apr 2021 21:21:27 +0200 Subject: [PATCH 1070/1383] avcodec/utils: treat PAL8 for jpegs similar to other colorspaces Fixes: out of array access Fixes: 33713/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5778775641030656 Fixes: 33717/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4960397238075392 Fixes: 33718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-5314270096130048.fuzz Fixes: 33719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5352721864589312 Fixes: 33721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5938892055379968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0ce023ddb8863d16ab650fcc0731851a55db084) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 43af7fbc36..2998bd458b 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -288,6 +288,16 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 8; h_align = 8; } + if (s->codec_id == AV_CODEC_ID_MJPEG || + s->codec_id == AV_CODEC_ID_MJPEGB || + s->codec_id == AV_CODEC_ID_LJPEG || + s->codec_id == AV_CODEC_ID_SMVJPEG || + s->codec_id == AV_CODEC_ID_AMV || + s->codec_id == AV_CODEC_ID_SP5X || + s->codec_id == AV_CODEC_ID_JPEGLS) { + w_align = 8; + h_align = 2*8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || From 0d633d2fd4d79fa0c34371e6c2479d24adfe5def Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:58:50 +0200 Subject: [PATCH 1071/1383] avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() Fixes: infinite loop Fixes: 33674/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4816457818046464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08d2df41538b583932c1a6772e3c8978a2334107) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 400458b994..469999e046 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -206,6 +206,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int run = 0; unsigned int t; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); run += t; if (t < 64) { @@ -251,7 +253,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int offs = 0, run = 0; while (offs < width) { - int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); + int cmode; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); if (cmode == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n"); return AVERROR_INVALIDDATA; From 80937873d5cb61a2b9ee8f1c06f76cb340678c03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:44:13 +0200 Subject: [PATCH 1072/1383] avformat/mvdec: Check sample rate in parse_audio_var() Fixes: signed integer overflow: -635424002382840000 * 16 cannot be represented in type 'long' Fixes: 33612/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5704741108711424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 0ff60249a57cba00ab679ca6190a802cc0c7b9c7) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 1c786814ec..abd0516702 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -157,6 +157,8 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { st->codecpar->sample_rate = var_read_int(pb, size); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; From 3dd661bf7b04a2d6dd20173f47376c470caafd02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Apr 2021 22:33:06 +0200 Subject: [PATCH 1073/1383] avformat/utils: Use 64bit earlier in r_frame_rate check Fixes: signed integer overflow: 1406796319 * 2 cannot be represented in type 'int' Fixes: 32777/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5632576913014784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 578633fc1ac8c02a36a706bd71f775550412d1e1) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 0b628ceeaa..be3e776291 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4028,7 +4028,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { + <= avctx->time_base.num * (uint64_t)avctx->ticks_per_frame * st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { From e7dc9e1d25d3b9e93f685cfb0b7d30bf050f895d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:30:17 +0200 Subject: [PATCH 1074/1383] avformat/mov: Limit nb_chapter_tracks to input size Fixes: Timeout (15k loop iterations instead of 400m) Fixes: 31368/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6601583174483968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 299a56c9006b2eb8807c3e3efefb91a78fe6b3b2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 63fb813654..7dc9108a5e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4637,6 +4637,8 @@ static int mov_read_chap(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < num && !pb->eof_reached; i++) c->chapter_tracks[i] = avio_rb32(pb); + c->nb_chapter_tracks = i; + return 0; } From ed99d350bca70dd758770e616050139e9c764bb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:37:26 +0200 Subject: [PATCH 1075/1383] avformat/mov: Ignore duplicate CoLL Fixes: memleak Fixes: 32146/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5377612845285376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9548dc74d8db2bc002e1195dbd076f621f5c3ea1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7dc9108a5e..0f991cbb42 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5422,6 +5422,11 @@ static int mov_read_coll(MOVContext *c, AVIOContext *pb, MOVAtom atom) } avio_skip(pb, 3); /* flags */ + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); From 9ce7856341294dae8940ce44157a044d87f468f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 15:50:43 +0200 Subject: [PATCH 1076/1383] avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() Fixes: Timeout Fixes: 33156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-6259655027326976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38c47615880357314ba30727a85bf7b00989706a) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index be5ff15262..88b56de514 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -676,6 +676,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) if (v->s.pict_type == AV_PICTURE_TYPE_P) v->rnd ^= 1; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; /* Quantizer stuff */ pqindex = get_bits(gb, 5); if (!pqindex) @@ -768,6 +770,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: " "Imode: %i, Invert: %i\n", status>>1, status&1); + if (get_bits_left(gb) < 4) + return AVERROR_INVALIDDATA; + /* Hopefully this is correct for P-frames */ v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables v->cbptab = get_bits(gb, 2); From f2685c9ec30b25a5e1618de0d0698fc3a33ffabc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 16:46:08 +0200 Subject: [PATCH 1077/1383] avcodec/clearvideo: Check for 0 tile_shift Fixes: shift exponent -1 is negative Fixes: 33401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5908683596890112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63e75e09aef5836330a2786f0a9229ed82239e6b) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 26cdfb2731..551867bc11 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", c->tile_size); return AVERROR_INVALIDDATA; } From 69ef25f012e592b241229b7f885cefc13b3df672 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 May 2021 21:16:52 +0200 Subject: [PATCH 1078/1383] avformat/avio: Check av_opt_copy() for failure Fixes: CID1477416 Unchecked return value Signed-off-by: Michael Niedermayer (cherry picked from commit f8611ae1efc47fbe1aff140c89bee4fd1d62d3e1) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 663789ec02..810268641b 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -314,8 +314,11 @@ int ffurl_open_whitelist(URLContext **puc, const char *filename, int flags, int ret = ffurl_alloc(puc, filename, flags, int_cb); if (ret < 0) return ret; - if (parent) - av_opt_copy(*puc, parent); + if (parent) { + ret = av_opt_copy(*puc, parent); + if (ret < 0) + goto fail; + } if (options && (ret = av_opt_set_dict(*puc, options)) < 0) goto fail; From 892f0ac5b235a630b50670a9a74500f224fd0abf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Apr 2021 20:24:21 +0200 Subject: [PATCH 1079/1383] avcodec/exr: x/ymax cannot be INT_MAX The code uses x/ymax + 1 so the maximum is INT_MAX-1 Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 33158/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5545462457303040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48342aa0750f83006582d1598b5f22297f6dbf83) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 6e3e84d175..0489e302d4 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1532,6 +1532,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) ymax = bytestream2_get_le32(&s->gb); if (xmin > xmax || ymin > ymax || + ymax == INT_MAX || xmax == INT_MAX || (unsigned)xmax - xmin >= INT_MAX || (unsigned)ymax - ymin >= INT_MAX) { ret = AVERROR_INVALIDDATA; From e431babf71b620197bc7f642c0b030598bf99928 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 21:37:26 +0200 Subject: [PATCH 1080/1383] avcodec/aacenc: Avoid 0 lambda Fixes: Ticket8003 Fixes: CVE-2020-20453 Signed-off-by: Michael Niedermayer (cherry picked from commit a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 4d0abb107f..fb6229930f 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -28,6 +28,7 @@ * TODOs: * add sane pulse detection ***********************************/ +#include #include "libavutil/libm.h" #include "libavutil/thread.h" @@ -855,7 +856,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = FFMIN(s->lambda * ratio, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From b290d6b41e446aa0e56584bacf26317797bf643f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:18:25 +0200 Subject: [PATCH 1081/1383] avcodec/aacpsy: Avoid floating point division by 0 of norm_fac Fixes: Ticket7995 Fixes: CVE-2020-20446 Signed-off-by: Michael Niedermayer (cherry picked from commit 223b5e8ac9f6461bb13ed365419ec485c5b2b002) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index fca692cb15..bd444fecdc 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g]; From 9dd54c28df57821b1afb81d00928ed9bba71c691 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:31:19 +0200 Subject: [PATCH 1082/1383] avcodec/lpc: Avoid floating point division by 0 Fixes: Ticket7996 Fixes: CVE-2020-20445 Signed-off-by: Michael Niedermayer (cherry picked from commit 38d18fb57863bb9c54e68ae44aa780c5c282a184) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 2 +- libavcodec/lpc.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index f8da1e1266..c990cfc6c3 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -188,7 +188,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len, compute_ref_coefs(autoc, order, ref, error); for (i = 0; i < order; i++) avg_err = (avg_err + error[i])/2.0f; - return signal/avg_err; + return avg_err ? signal/avg_err : NAN; } /** diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 88ca247f87..52170fd623 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -143,7 +143,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen0[i] = gen1[i] = autoc[i + 1]; err = autoc[0]; - ref[0] = -gen1[0] / err; + ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[0]; if (error) error[0] = err; @@ -152,7 +152,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j]; gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j]; } - ref[i] = -gen1[0] / err; + ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[i]; if (error) error[i] = err; From 14e172600e65817144be48a774c9b699b9563653 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 09:22:27 +0200 Subject: [PATCH 1083/1383] avformat/movenc: Check pal_size before use Fixes: assertion failure Fixes: out of array read Fixes: Ticket8190 Fixes: CVE-2020-22015 Signed-off-by: Michael Niedermayer (cherry picked from commit 4c1afa292520329eecd1cc7631bc59a8cca95c46) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 1117781a28..5e58c74fb0 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1988,11 +1988,13 @@ static int mov_write_video_tag(AVIOContext *pb, MOVMuxContext *mov, MOVTrack *tr avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { - int pal_size = 1 << track->par->bits_per_coded_sample; - int i; + int pal_size, i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ + if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) + return AVERROR(EINVAL); + pal_size = 1 << track->par->bits_per_coded_sample; avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i]; From c7da0dad1f17856a12c98135eae9824f771e8f3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 09:58:31 +0200 Subject: [PATCH 1084/1383] avfilter/vf_vmafmotion: Check dimensions Fixes: out of array access Fixes: Ticket8241 Fixes: Ticket8246 Fixes: CVE-2020-22019 Fixes: CVE-2020-22033 Signed-off-by: Michael Niedermayer (cherry picked from commit 82ad1b76751bcfad5005440db48c46a4de5d6f02) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vmafmotion.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c index 9bcc4ff16f..3dc031ae16 100644 --- a/libavfilter/vf_vmafmotion.c +++ b/libavfilter/vf_vmafmotion.c @@ -239,6 +239,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + if (w < 3 || h < 3) + return AVERROR(EINVAL); + s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32); From b5ffefdd61c94eb98b1ca555b855e2c0bdd953d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 11:17:35 +0200 Subject: [PATCH 1085/1383] avfilter/vf_yadif: Fix handing of tiny images Fixes: out of array access Fixes: Ticket8240 Fixes: CVE-2020-22021 Signed-off-by: Michael Niedermayer (cherry picked from commit 7971f62120a55c141ec437aa3f0bacc1c1a3526b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_yadif.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index 3107924932..a3f0c1a97f 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c @@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, uint8_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN - 1; + int offset = FFMAX(w - edge, 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - edge; - prev = (uint8_t*)prev1 + w - edge; - cur = (uint8_t*)cur1 + w - edge; - next = (uint8_t*)next1 + w - edge; + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } @@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, uint16_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN / 2 - 1; + int offset = FFMAX(w - edge, 3); mrefs /= 2; prefs /= 2; - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint16_t*)dst1 + w - edge; - prev = (uint16_t*)prev1 + w - edge; - cur = (uint16_t*)cur1 + w - edge; - next = (uint16_t*)next1 + w - edge; + dst = (uint16_t*)dst1 + offset; + prev = (uint16_t*)prev1 + offset; + cur = (uint16_t*)cur1 + offset; + next = (uint16_t*)next1 + offset; prev2 = (uint16_t*)(parity ? prev : cur); next2 = (uint16_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) From 5b15e02fa45f2a6f4fdeb2a8d7e5e8f328c08a53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 22:42:54 +0100 Subject: [PATCH 1086/1383] avformat/cinedec: Fix index_entries size check Fixes: out of array access Fixes: 29868/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5692001957445632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index de34fb9638..8ed2fde35e 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -284,7 +284,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVIOContext *pb = avctx->pb; int n, size, ret; - if (cine->pts >= st->duration) + if (cine->pts >= st->nb_index_entries) return AVERROR_EOF; avio_seek(pb, st->index_entries[cine->pts].pos, SEEK_SET); From 9546b0a9d30d5cf5214fea76be8bec5f3b805dc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Jun 2021 10:07:05 +0200 Subject: [PATCH 1087/1383] avcodec/aacenc: Use FLT_EPSILON for lambda minimum (cherry picked from commit 4b89cf7aa49191c7f8a5ae6e9cf6cfc79ff4ee5e) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index fb6229930f..179791bd2a 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -856,7 +856,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From 8b67497df009518a9f6a5632a1dd8acf3b644dfe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 17:49:22 +0200 Subject: [PATCH 1088/1383] avcodec/aacenc: Do not divide by lambda_count if it is 0 Avoids Floating point division by 0 Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit c520b986915a3fdf3a20f6ce0ad5833eccfb7a91) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 179791bd2a..8da26d795c 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -901,7 +901,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx) { AACEncContext *s = avctx->priv_data; - av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count); + av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN); ff_mdct_end(&s->mdct1024); ff_mdct_end(&s->mdct128); From b2094c54151f147185c8dfde69ef6386a3d6b0a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 17:50:27 +0200 Subject: [PATCH 1089/1383] avcodec/aacpsy: Check bandwidth Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit 36dead4bc28ca8aab13c61661f28c68bdefa5e9d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index bd444fecdc..76458783ce 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { const int bandwidth = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx); const float num_bark = calc_bark((float)bandwidth); + if (bandwidth <= 0) + return AVERROR(EINVAL); + ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext)); if (!ctx->model_priv_data) return AVERROR(ENOMEM); From d2e90cde299d0ba0cf41287c5ae33f2e9c9900ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 May 2021 18:09:37 +0200 Subject: [PATCH 1090/1383] avcodec/svq1enc: Do not print debug RD value before it has been computed Avoids floating point division by 0 Fixes: Ticket8191 Signed-off-by: Michael Niedermayer (cherry picked from commit c297f7e57a223da9f0d350e30456d60c8c87f902) Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index 80a8af1ef7..398625ff97 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -486,9 +486,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int i; - av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", - s->rd_total / (double)(avctx->width * avctx->height * - avctx->frame_number)); + if (avctx->frame_number) + av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", + s->rd_total / (double)(avctx->width * avctx->height * + avctx->frame_number)); s->m.mb_type = NULL; ff_mpv_common_end(&s->m); From 97d0d3ae61683b000faa67d1260c4bb33fa42f73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:43:51 +0200 Subject: [PATCH 1091/1383] avformat/rpl: Use 64bit in bitrate computation and check it Fixes: signed integer overflow: 777777776 * 4 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6726188921913344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29b244ffc15abe2c24d2145f63048e8b3bdaa303) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index df5109dc70..1b91cf4385 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -199,8 +199,10 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->bits_per_coded_sample = 4; ast->codecpar->bit_rate = ast->codecpar->sample_rate * - ast->codecpar->bits_per_coded_sample * - ast->codecpar->channels; + (int64_t)ast->codecpar->channels; + if (ast->codecpar->bit_rate > INT64_MAX / ast->codecpar->bits_per_coded_sample) + return AVERROR_INVALIDDATA; + ast->codecpar->bit_rate *= ast->codecpar->bits_per_coded_sample; ast->codecpar->codec_id = AV_CODEC_ID_NONE; switch (audio_format) { From 68765c25cd1534e685477c7bc21dbed5be979a8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 21:40:17 +0200 Subject: [PATCH 1092/1383] avcodec/vc2enc: Check for non negative slice bounds Fixes: invalid shifts Fixes: Ticket 8221 Signed-off-by: Michael Niedermayer (cherry picked from commit f7862e82686b347eb6a9e64fa7ccdf25d5a76b4b) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index d0101e01e4..e83442ed55 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -981,6 +981,8 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); + if (s->slice_min_bytes < 0) + return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); if (ret) From d9c4cfba9f3d8634cfb9ecbc33a7771871885c01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:46:05 +0200 Subject: [PATCH 1093/1383] avformat/rpl: Check for EOF and zero framesize Fixes: Infinite loop Fixes: 34751/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5439330800762880 Fixes: 34774/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5851571660390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0a4a527c3b0819368d9b148542bb7663f39df79) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 1b91cf4385..6b83c355a8 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -324,7 +324,7 @@ static int rpl_read_packet(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 4); /* flags */ frame_size = avio_rl32(pb); - if (avio_seek(pb, -8, SEEK_CUR) < 0) + if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size) return AVERROR(EIO); ret = av_get_packet(pb, pkt, frame_size); From 5625dc1f3234020cddf3e7217ecc455249f3f647 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 19:54:45 +0200 Subject: [PATCH 1094/1383] avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black Fixes: floating point division by 0 Fixes: undefined behavior in handling NaN Fixes: Ticket 8268 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d500e62f6206ad11308b18976246366aed8c1a5) Signed-off-by: Michael Niedermayer --- libavfilter/vf_ciescope.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_ciescope.c b/libavfilter/vf_ciescope.c index 7c0cfed061..311696817d 100644 --- a/libavfilter/vf_ciescope.c +++ b/libavfilter/vf_ciescope.c @@ -842,7 +842,8 @@ rgb_to_xy(double rc, *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc; sum = *x + *y + *z; - + if (sum == 0) + sum = 1; *x = *x / sum; *y = *y / sum; } From 5498836d7da25342b0595e4908a529d169a22fb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:00:38 +0200 Subject: [PATCH 1095/1383] avfilter/vf_dctdnoiz: Check threads Fixes: floating point division by 0 Fixes: Ticket 8269 Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3917c02c428b11128ac3d4a01b780ea44aa53c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_dctdnoiz.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index cdbe5f853f..3fbea473ed 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -563,6 +563,9 @@ static int config_input(AVFilterLink *inlink) inlink->h - s->pr_height); max_slice_h = s->pr_height / ((s->bsize - 1) * 2); + if (max_slice_h == 0) + return AVERROR(EINVAL); + s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), max_slice_h); av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n", MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), s->nb_threads); From c9b39340f954de5c6d42c2a4c61fe1fe2857f95e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Jun 2021 18:14:21 +0200 Subject: [PATCH 1096/1383] avformat/mov: Check for duplicate mdcv Fixes: memleak Fixes: 34932/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5456227658235904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f54d85cee64b98bca5d2bee703f2a266ea75dce7) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0f991cbb42..f48ed602f5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5374,7 +5374,7 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24) { + if (atom.size < 24 || sc->mastering) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } From e6799156d87c384ce31dbc8d3f204774cbbabf86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Jun 2021 20:10:56 +0200 Subject: [PATCH 1097/1383] avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 Fixes: out of array access Fixes: 34933/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5629322560929792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dbbcfbcc4e4f0e91f814f2e13ced7b6d99069518) Signed-off-by: Michael Niedermayer --- libavcodec/ttadata.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ttadata.c b/libavcodec/ttadata.c index bf793a4cc8..aa9f418a7d 100644 --- a/libavcodec/ttadata.c +++ b/libavcodec/ttadata.c @@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = { 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000, 0x40000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, - 0x80000000, 0x80000000, 0x80000000, 0x80000000 + 0x80000000, 0x80000000, 0x80000000, 0x80000000, + 0xFFFFFFFF }; const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4; From b2c565a40c712f91078404b22f3f61619f8338b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:50:13 +0200 Subject: [PATCH 1098/1383] avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit Fixes: signed integer overflow: 104962766 * 32 cannot be represented in type 'int' Fixes: 33614/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6252129036664832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3447979d08d701581a65f7275425cb1a59302319) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2998bd458b..2dda3483ae 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1710,25 +1710,33 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; - int64_t tmp; + int64_t tmp = 0; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + break; + case AV_CODEC_ID_ADPCM_IMA_DK3: + tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_DK4: + tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_RAD: + tmp = blocks * ((ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_MS: + tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch); + break; + case AV_CODEC_ID_ADPCM_MTAF: + tmp = blocks * (ba - 16LL) * 2 / ch; + break; + } + if (tmp) { if (tmp != (int)tmp) return 0; return tmp; - case AV_CODEC_ID_ADPCM_IMA_DK3: - return blocks * (((ba - 16) * 2 / 3 * 4) / ch); - case AV_CODEC_ID_ADPCM_IMA_DK4: - return blocks * (1 + (ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_IMA_RAD: - return blocks * ((ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2LL / ch); - case AV_CODEC_ID_ADPCM_MTAF: - return blocks * (ba - 16) * 2 / ch; } } From 791d33c57aef14864b7ae1377fb94b584b65e3b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:20:04 +0200 Subject: [PATCH 1099/1383] avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d8421e3d5bc1300687a65384baccbcb3874b7ac) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 469999e046..7febcaa763 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -301,7 +301,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, mode = !mode; } } else if (cmode == 9 || cmode == 10) { - int xxx = get_bits(gb, 3); + int xxx; + if (get_bits_left(gb) < 3) + return AVERROR_INVALIDDATA; + xxx = get_bits(gb, 3); if (cmode == 9 && xxx == 7) { int ret; int pix_left = width - offs; From 386190d873d0eb23e41cf941d009f99214a5b120 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:25:58 +0200 Subject: [PATCH 1100/1383] avcodec/faxcompr: Check available bits in decode_uncompressed() Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Fixes: 34966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4587409334468608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ff56c139e07a4de2803b974b6595f6b71fbf53bd) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 7febcaa763..0392c72519 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb, return AVERROR_INVALIDDATA; } cwi = 10 - av_log2(cwi); + if (get_bits_left(gb) < cwi + 1) + return AVERROR_INVALIDDATA; skip_bits(gb, cwi + 1); if (cwi > 5) { newmode = get_bits1(gb); From 81a32fe24e15e79e5248a8c45b8a1bd051d4500f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Jun 2021 20:35:43 +0200 Subject: [PATCH 1101/1383] avformat/rpl: The associative law doesnt hold for signed integers in C Add () to avoid undefined behavior Fixes: signed integer overflow: 9223372036854775790 + 57 cannot be represented in type 'long' Fixes: 34983/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5765822923538432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 480f11bdd713c15e4964093be7ef0adf5b619cc1) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 6b83c355a8..a214424e48 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -103,7 +103,7 @@ static AVRational read_fps(const char* line, int* error) // Truncate any numerator too large to fit into an int64_t if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) break; - num = 10 * num + *line - '0'; + num = 10 * num + (*line - '0'); den *= 10; } if (!num) From 37449dfb9241253ccaeb007dcd2c8b4639a5ec34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jun 2021 18:37:01 +0200 Subject: [PATCH 1102/1383] Update missed irc links Signed-off-by: Michael Niedermayer (cherry picked from commit c067d20177613e9cf74bcbd2a26e729ef7ababdb) Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 2 +- configure | 2 +- doc/writing_filters.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index a24c9e6f44..3f0f39320d 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -11,5 +11,5 @@ We hope you will like this release as much as we enjoyed working on it, and as usual, if you have any questions about it, or any FFmpeg related topic, - feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask on the mailing-lists. diff --git a/configure b/configure index c9666891af..9bfb41ce74 100755 --- a/configure +++ b/configure @@ -518,7 +518,7 @@ die(){ If you think configure made a mistake, make sure you are using the latest version from Git. If the latest version fails, report the problem to the -ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net. +ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat. EOF if disabled logging; then cat < Date: Tue, 4 May 2021 18:34:44 +0200 Subject: [PATCH 1103/1383] avformat/tta: Check for EOF in index reading loop Fixes: OOM Fixes: 33585/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-4564665830080512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b72d657b73b2aa4a2a2f72f613199e6080ad48c0) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tta.c b/libavformat/tta.c index c50f029d66..82869f5d8e 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,6 +119,8 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; From 459a60c3b1cd33bb22896b0091aa0cbf4a46bd49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 May 2021 22:52:41 +0200 Subject: [PATCH 1104/1383] avcodec/iff: Only write palette to plane 1 if its PAL8 Fixes: null pointer passed as argument 1, which is declared to never be null Fixes: 33791/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5107575256383488.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 216eb60b853e9a230c1238ab7d1c63d3fa892d34) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 6ec2dd60ad..dbd51cb895 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1845,7 +1845,8 @@ static int decode_frame(AVCodecContext *avctx, buf += s->planesize; } } - memcpy(frame->data[1], s->pal, 256 * 4); + if (avctx->pix_fmt == AV_PIX_FMT_PAL8) + memcpy(frame->data[1], s->pal, 256 * 4); } else if (s->ham) { int i, count = 1 << s->ham; From a059124e849abf06707652f0a0a4ef7fd89a9927 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 13:08:24 +0200 Subject: [PATCH 1105/1383] avformat/dxa: Check fps to be within the supported range more precissely Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: assertion failure Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6744985740378112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea494befcb5d944ce8275e6f59de1a24c25ffb6) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index bdb93b0835..a616f8f74b 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s) if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{ From b38d513080b0013430e6333912a7df93c6c641ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 15:41:16 +0200 Subject: [PATCH 1106/1383] avformat/iff: Use 64bit in duration computation Fixes: signed integer overflow: 588 * 16719904 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6748331936186368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93d964689c3b2bae26e6e3f502c1ffc4c2e46989) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 05e79ace75..5be0eb55b7 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); From dea3933dd57ad14f91f78ded26309b7b39c69aa9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 17:42:19 +0200 Subject: [PATCH 1107/1383] avformat/mpc8: Check for position overflow in mpc8_handle_chunk() Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208 Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ef25d118246bf443900033fb3588dba628d11b0) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index bdab7fe91f..b685b64998 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -200,8 +200,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break; From 2b11977c9ed728f50dd70db646472552044aed6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 19:54:19 +0200 Subject: [PATCH 1108/1383] avformat/msf: Check that channels doesnt overflow during extradata construction Fixes: signed integer overflow: 2048 * 1122336 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6726959600107520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1a277926b49dad60d9e78c6c7a8c6b5d0d6d7c9) Signed-off-by: Michael Niedermayer --- libavformat/msf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/msf.c b/libavformat/msf.c index 6bd18f29bd..9b9d43b4c4 100644 --- a/libavformat/msf.c +++ b/libavformat/msf.c @@ -70,6 +70,8 @@ static int msf_read_header(AVFormatContext *s) case 4: case 5: case 6: st->codecpar->block_align = (codec == 4 ? 96 : codec == 5 ? 152 : 192) * st->codecpar->channels; + if (st->codecpar->channels > UINT16_MAX / 2048) + return AVERROR_INVALIDDATA; ret = ff_alloc_extradata(st->codecpar, 14); if (ret < 0) return ret; From 2c9e43e7f8b24acdf840758c093119d00ee9a8b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:01:03 +0200 Subject: [PATCH 1109/1383] avformat/nutdec: Check tmp_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6739990530883584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ca00b5e44f21840b608e238fa135a1aab6e576b) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index e14d118bb8..e86d8222d0 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -286,6 +286,11 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR_INVALIDDATA; goto fail; } + if (tmp_size < 0 || tmp_size > INT_MAX - count) { + av_log(s, AV_LOG_ERROR, "illegal size\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } for (j = 0; j < count; j++, i++) { if (i == 'N') { From 14b04b9fd6e1d35b1d04d67b09e7e05365e52651 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:16:38 +0200 Subject: [PATCH 1110/1383] avformat/qcp: Avoid negative nb_rates Fixes: signed integer overflow: 2 * -1725947872 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-6726807632084992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b865cc703d29cb307e1fa628aa02940d54eb42a) Signed-off-by: Michael Niedermayer --- libavformat/qcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/qcp.c b/libavformat/qcp.c index b842e2633c..90954a39e9 100644 --- a/libavformat/qcp.c +++ b/libavformat/qcp.c @@ -93,7 +93,8 @@ static int qcp_read_header(AVFormatContext *s) QCPContext *c = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); uint8_t buf[16]; - int i, nb_rates; + int i; + unsigned nb_rates; if (!st) return AVERROR(ENOMEM); From c7678193cf111d6128d8ca88b7b8be646f442b17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:45:10 +0200 Subject: [PATCH 1111/1383] avformat/realtextdec: Check the pts difference before using it for the duration computation Fixes: signed integer overflow: 5404200000 - -9223372031709351616 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-6737340551790592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe12aa689003db9b07a6e1b837031dcc57a71435) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index 4f25754b9f..ba8cdfd196 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -111,10 +111,11 @@ static int realtext_read_header(AVFormatContext *s) if (!merge) { const char *begin = ff_smil_get_attr_ptr(buf.str, "begin"); const char *end = ff_smil_get_attr_ptr(buf.str, "end"); + int64_t endi = end ? read_ts(end) : 0; sub->pos = pos; sub->pts = begin ? read_ts(begin) : 0; - sub->duration = end ? (read_ts(end) - sub->pts) : duration; + sub->duration = (end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration; } } av_bprint_clear(&buf); From fd21f6a0cc5f5cb732757679ce3ab94f081ca803 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:35:37 +0200 Subject: [PATCH 1112/1383] avformat/rmdec: Check old_format len for overflow Maybe such large values could be disallowed earlier and closer to where they are set. Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06d174e289eb185f03a34a738965f0042f39c038) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 12c656879e..8c91989505 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1011,8 +1011,8 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) { RMDemuxContext *rm = s->priv_data; AVStream *st = NULL; // init to silence compiler warning - int i, len, res, seq = 1; - int64_t timestamp, pos; + int i, res, seq = 1; + int64_t timestamp, pos, len; int flags; for (;;) { @@ -1031,7 +1031,9 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) ast = st->priv_data; timestamp = AV_NOPTS_VALUE; len = !ast->audio_framesize ? RAW_PACKET_SIZE : - ast->coded_framesize * ast->sub_packet_h / 2; + ast->coded_framesize * (int64_t)ast->sub_packet_h / 2; + if (len > INT_MAX) + return AVERROR_INVALIDDATA; flags = (seq++ == 1) ? 2 : 0; pos = avio_tell(s->pb); } else { From 2beb60777f3bea20d71a0dbc9453004898040790 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Jun 2021 20:00:05 +0200 Subject: [PATCH 1113/1383] avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation Fixes: signed integer overflow: 486539264 * 14 cannot be represented in type 'int' Fixes: 35281/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6068262742917120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 00ae9b77ef757f82660b4b3d2f490374a4f209fd) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2dda3483ae..c45f5f63f0 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1676,7 +1676,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_THP: case AV_CODEC_ID_ADPCM_THP_LE: if (extradata) - return frame_bytes * 14 / (8 * ch); + return frame_bytes * 14LL / (8 * ch); break; case AV_CODEC_ID_ADPCM_XA: return (frame_bytes / 128) * 224 / ch; From 9b6158958c75c35e71be817a34fdc62493abdb1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jun 2021 21:02:39 +0200 Subject: [PATCH 1114/1383] avcodec/clearvideo: Check tile_size to be not too large Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 35023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-6740166587842560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 11fac9613e6a340d4d9968e2d8a43c3726ab57d3) Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 551867bc11..6f6af2edc6 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -665,8 +665,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1 || c->tile_shift > 30) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1 and < 2^31\n", c->tile_size); return AVERROR_INVALIDDATA; } From 5246201182eedc3e002e3314b6f478d1452414aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jun 2021 22:59:04 +0200 Subject: [PATCH 1115/1383] avcodec/cpia: Fix missing src_size update Fixes: out of array read Fixes: 35210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5669199688105984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cea05864e65db9a2dc8af82b2c63fb8f03c5f876) Signed-off-by: Michael Niedermayer --- libavcodec/cpia.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cpia.c b/libavcodec/cpia.c index f6d7332606..1be47cf5d2 100644 --- a/libavcodec/cpia.c +++ b/libavcodec/cpia.c @@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx, // Read line length, two byte little endian linelength = AV_RL16(src); src += 2; + src_size -= 2; if (src_size < linelength) { frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM; From 5878ac10079d858ed6597ef2c19666a102e2584a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 May 2021 20:36:46 +0200 Subject: [PATCH 1116/1383] tools/cws2fws: Check read() for failure Fixes: CID1452579 Argument cannot be negative Signed-off-by: Michael Niedermayer (cherry picked from commit 0b3cdd7cc2c63969e144cc3eb39d0c61260509ee) Signed-off-by: Michael Niedermayer --- tools/cws2fws.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/cws2fws.c b/tools/cws2fws.c index 7046b69957..9ce321fe20 100644 --- a/tools/cws2fws.c +++ b/tools/cws2fws.c @@ -89,6 +89,12 @@ int main(int argc, char *argv[]) for (i = 0; i < comp_len - 8;) { int ret, len = read(fd_in, &buf_in, 1024); + if (len == -1) { + printf("read failure\n"); + inflateEnd(&zstream); + goto out; + } + dbgprintf("read %d bytes\n", len); last_out = zstream.total_out; From fdff986dc493dc383d8e7dd711c388b06ff9e5b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 May 2021 22:38:40 +0200 Subject: [PATCH 1117/1383] avformat/ftp: Check for av_strtok() failure Fixes: CID1396258 Dereference null return value Signed-off-by: Michael Niedermayer (cherry picked from commit 9d40782088cf969fbadc881e4a97ec22b8ae0177) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 3adc04ee1f..a98b0acbcb 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -949,6 +949,8 @@ static int ftp_parse_entry_mlsd(char *mlsd, AVIODirEntry *next) continue; } fact = av_strtok(fact, "=", &value); + if (!fact) + continue; if (!av_strcasecmp(fact, "type")) { if (!av_strcasecmp(value, "cdir") || !av_strcasecmp(value, "pdir")) return 1; From 3631197f67515be61f249c9feee67661d4c7d24d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 15:27:18 +0200 Subject: [PATCH 1118/1383] avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() Fixes: floating point division by 0 Fixes: Ticket8213 Signed-off-by: Michael Niedermayer (cherry picked from commit 70874e024a6eae0f95bd8dd4b9b4367ffd937f41) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 52170fd623..e1b41bfd9b 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -186,7 +186,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j Date: Tue, 11 May 2021 18:40:32 +0200 Subject: [PATCH 1119/1383] avformat/matroskadec: Fix handling of huge default durations Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself Fixes: 33997/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6752039691485184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 343d950a4a8a8c32f5f7d9d4ac1fbe317cb9cc80) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5a83e8af89..2aa686af44 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2506,8 +2506,9 @@ static int matroska_parse_tracks(AVFormatContext *s) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->default_duration) { + int div = track->default_duration <= INT64_MAX ? 1 : 2; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, - 1000000000, track->default_duration, 30000); + 1000000000 / div, track->default_duration / div, 30000); #if FF_API_R_FRAME_RATE if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) From 39085528404933317ee9faae99e2e3450f84cf5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Jul 2021 14:05:26 +0200 Subject: [PATCH 1120/1383] swscale/slice: Check slice for allocation failure Fixes: null pointer dereference Fixes: alloc_slice.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 997f9cfc1295769be8d3180860ceebbc16f59069) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index db4fa874ff..6599f88373 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -286,7 +286,8 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - + if (!c->slice) + goto cleanup; res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From ffc6af3157126aa22bd87feff2217d098d671f59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jul 2021 15:20:47 +0200 Subject: [PATCH 1121/1383] swscale/slice: Fix wrong return on error Signed-off-by: Michael Niedermayer (cherry picked from commit 7874d40f10cca922797a8da14189a53ee52f0156) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index 6599f88373..f242c04a40 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -286,8 +286,10 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - if (!c->slice) + if (!c->slice) { + res = AVERROR(ENOMEM); goto cleanup; + } res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From ff3ae6999959150ef488b170bbcc2fb6610b3572 Mon Sep 17 00:00:00 2001 From: maryam ebr Date: Tue, 3 Aug 2021 01:05:47 -0400 Subject: [PATCH 1122/1383] avcodec/dnxhddec: check and propagate function return value Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed. crafted DNxHD data can cause unspecified impact. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit 7150f9575671f898382c370acae35f9087a30ba1) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index ae8b0ffafa..06d611e29c 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -111,6 +111,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx) static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { + int ret; if (cid != ctx->cid) { int index; @@ -130,19 +131,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) ff_free_vlc(&ctx->dc_vlc); ff_free_vlc(&ctx->run_vlc); - init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, - ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->ac_codes, 2, 2, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, - ctx->cid_table->dc_codes, 1, 1, 0); - init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->dc_codes, 1, 1, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ctx->cid_table->run_bits, 1, 1, - ctx->cid_table->run_codes, 2, 2, 0); + ctx->cid_table->run_codes, 2, 2, 0)) < 0) + goto out; ctx->cid = cid; } - return 0; + ret = 0; +out: + if (ret < 0) + av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); + return ret; } static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx) From c9784a783be17dc1c80e3d0f9fe9e0dceff38204 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 12:39:34 +0200 Subject: [PATCH 1123/1383] avformat/mxfdec: Check size for shrinking av_shrink_packet() takes int size, so size must fit in int Fixes: out of array access Fixes: 35607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4875541323841536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b862ab59c4bfaae98be596b84a072f52444398) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 99d5b65436..e0465e6f50 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -600,7 +600,7 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); avio_read(pb, tmpbuf, 16); From fb7379f7ef2bf3df27c8e889573b6b0b08da848b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 14:27:22 +0200 Subject: [PATCH 1124/1383] avformat/mov: do not ignore errors in mov_metadata_hmmt() Fixes: Timeout Fixes: 35637/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6311060272447488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c52c99a18f6e40973e52d99d4bb29e34a66c695a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index f48ed602f5..348c648d60 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -294,6 +294,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); } + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; return 0; } From 6ce4989432d6ac71ad05c5e82f551545258c0b3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:04:45 +0200 Subject: [PATCH 1125/1383] avfilter/vf_mestimate: Check b_count Fixes: left shift of negative value -1 Fixes: Ticket8270 Signed-off-by: Michael Niedermayer (cherry picked from commit 06af6e101bbd04e8ecc5337bc3b6894a5e058e14) Signed-off-by: Michael Niedermayer --- libavfilter/vf_mestimate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_mestimate.c b/libavfilter/vf_mestimate.c index 7ecfe7da60..9a2865a0cb 100644 --- a/libavfilter/vf_mestimate.c +++ b/libavfilter/vf_mestimate.c @@ -100,6 +100,9 @@ static int config_input(AVFilterLink *inlink) s->b_height = inlink->h >> s->log2_mb_size; s->b_count = s->b_width * s->b_height; + if (s->b_count == 0) + return AVERROR(EINVAL); + for (i = 0; i < 3; i++) { s->mv_table[i] = av_mallocz_array(s->b_count, sizeof(*s->mv_table[0])); if (!s->mv_table[i]) From d71d3cc9f6bc3012c06e7b6ef7215b1857242a0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:28:24 +0200 Subject: [PATCH 1126/1383] avfilter/af_drmeter: Check that there is data Fixes: floating point division by 0 Fixes: -nan is outside the range of representable values of type 'int' Fixes: Ticket8307 Signed-off-by: Michael Niedermayer (cherry picked from commit 4f49fa6abe89e2fca2585cac4c63190315972cf0) Signed-off-by: Michael Niedermayer --- libavfilter/af_drmeter.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/af_drmeter.c b/libavfilter/af_drmeter.c index ecccb65186..425c25ae87 100644 --- a/libavfilter/af_drmeter.c +++ b/libavfilter/af_drmeter.c @@ -167,6 +167,11 @@ static void print_stats(AVFilterContext *ctx) float chdr, secondpeak, rmssum = 0; int i, j, first = 0; + if (!p->nb_samples) { + av_log(ctx, AV_LOG_INFO, "No data, dynamic range not meassurable\n"); + return; + } + finish_block(p); for (i = 0; i <= 10000; i++) { From 7cf552af041988d81c79757dd945c8181bf43bf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 21:00:32 +0200 Subject: [PATCH 1127/1383] avcodec/aaccoder: Add minimal bias in search_for_ms() Fixes: floating point division by 0 Fixes: Ticket8218 Signed-off-by: Michael Niedermayer (cherry picked from commit 75a099fc734a4ee2b1347d0a3d8c53d883b95174) Signed-off-by: Michael Niedermayer --- libavcodec/aaccoder.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index baa82489b1..11b0559e1c 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe) sce0->ics.swb_sizes[g], sce0->sf_idx[w*16+g], sce0->band_type[w*16+g], - lambda / band0->threshold, INFINITY, &b1, NULL, 0); + lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0); dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128], R34, sce1->ics.swb_sizes[g], sce1->sf_idx[w*16+g], sce1->band_type[w*16+g], - lambda / band1->threshold, INFINITY, &b2, NULL, 0); + lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0); dist2 += quantize_band_cost(s, M, M34, sce0->ics.swb_sizes[g], mididx, midcb, - lambda / minthr, INFINITY, &b3, NULL, 0); + lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0); dist2 += quantize_band_cost(s, S, S34, sce1->ics.swb_sizes[g], sididx, sidcb, - mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0); + mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0); B0 += b1+b2; B1 += b3+b4; dist1 -= b1+b2; From 150642566c84a92070ddf7d0bbdbec52b2a77cbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:28:29 +0200 Subject: [PATCH 1128/1383] avformat/aiffdec: Check for size overflow in header parsing Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6723467048255488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bae2e1977744f42d56b85193d4910811de829714) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 39343dab0f..6e14df0328 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -101,6 +101,9 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; + if (size == INT_MAX) + return AVERROR_INVALIDDATA; + if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; From c064645bdf08977b3e17335747493aa53cb64daa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:35:20 +0200 Subject: [PATCH 1129/1383] avformat/asfdec_f: Check sizeX against padding Fixes: signed integer overflow: 2147483607 + 64 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6753897878257664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f034c2e36acb7d0c11dc1849ddf8a67bde44eff4) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 922ad3c29f..81bf9d83e9 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -516,7 +516,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { - if (size < sizeX - 40) + if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + From a7c6df6df0ef1b5fdc92ebb395ac11b82b66eb6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:11:03 +0200 Subject: [PATCH 1130/1383] avformat/avidec: fix position overflow in avi_load_index() Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527821a2dd6f19d9a4d2abe05833346ae86c66c6) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 17adc94228..d56a1ba4f8 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1750,7 +1750,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { From 8cacdaf8197222a04ce40c37b2f56c4516cb1a92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:33:58 +0200 Subject: [PATCH 1131/1383] avformat/bfi: check nframes Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6737028768202752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4e77dfca1c2970446f79277034d8e60c3fe3f4e) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 9d88533acf..f32a2cf8ce 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -73,6 +73,8 @@ static int bfi_read_header(AVFormatContext * s) return AVERROR_INVALIDDATA; bfi->nframes = avio_rl32(pb); + if (bfi->nframes < 0) + return AVERROR_INVALIDDATA; avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From d92939f984ccd28f361599c6f8ebe80f0c41a7fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:44:08 +0200 Subject: [PATCH 1132/1383] avformat/dsicin: Check packet size for overflow Fixes: signed integer overflow: 24672 + 2147483424 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DSICIN_fuzzer-6731325979623424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1c47ec033d038e04578eaf0767c8983250d03d) Signed-off-by: Michael Niedermayer --- libavformat/dsicin.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index bd4f3ad03a..a1ecd64939 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c @@ -166,7 +166,8 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) CinDemuxContext *cin = s->priv_data; AVIOContext *pb = s->pb; CinFrameHeader *hdr = &cin->frame_header; - int rc, palette_type, pkt_size; + int rc, palette_type; + int64_t pkt_size; int ret; if (cin->audio_buffer_size == 0) { @@ -182,7 +183,9 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) } /* palette and video packet */ - pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size; + pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size; + if (pkt_size + 4 > INT_MAX) + return AVERROR_INVALIDDATA; pkt_size = ffio_limit(pb, pkt_size); From 55922a70d9fc074ac143842e19e93ee63b7cb8bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:53:32 +0200 Subject: [PATCH 1133/1383] avformat/sbgdec: Check for overflow in timestamp preparation Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9dbed908403b0d97ae70881fab68020f148b6b11) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 646c141ab4..586a0c58f8 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1281,6 +1281,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, ev1 = &s->events[i]; ev2 = &s->events[(i + 1) % s->nb_events]; ev1->ts_int = ev1->ts; + + if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period) + return AVERROR_INVALIDDATA; + ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + (ev1 < ev2 ? 0 : period); } From cb253316a86d6a0202b214ab95082984d57c5099 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:57:02 +0200 Subject: [PATCH 1134/1383] avformat/wavdec: Use 64bit in new_pos computation Fixes: signed integer overflow: 129 * 16711680 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6742285317439488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b57d2f0a967195dc1c72fda8f3a983a0132a243) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 8abe07df61..051b3a5d23 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -639,7 +639,7 @@ smv_retry: if (wav->smv_last_stream) { uint64_t old_pos = avio_tell(s->pb); uint64_t new_pos = wav->smv_data_ofs + - wav->smv_block * wav->smv_block_size; + wav->smv_block * (int64_t)wav->smv_block_size; if (avio_seek(s->pb, new_pos, SEEK_SET) < 0) { ret = AVERROR_EOF; goto smv_out; From f32abd61b93d23c2d63034eecfdedef70cc0cc28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Aug 2021 20:42:53 +0200 Subject: [PATCH 1135/1383] avformat/wtvdec: Check for EOF before seeking back in parse_media_type() Fixes: Infinite loop Fixes: 36311/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-4889181296918528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 89505d38de989bddd579ce3b841f1c011f1d7bf2) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 9ec20c1d37..b46e408eef 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -661,6 +661,8 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, avio_skip(pb, size - 32); ff_get_guid(pb, &actual_subtype); ff_get_guid(pb, &actual_formattype); + if (avio_feof(pb)) + return NULL; avio_seek(pb, -size, SEEK_CUR); st = parse_media_type(s, st, sid, mediatype, actual_subtype, actual_formattype, size - 32); From 8c9f389083eb2f210867bc48c86c54a746c57735 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Jul 2021 23:04:08 +0200 Subject: [PATCH 1136/1383] avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 35593/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5182217725804544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8f2856a1daa4e3d5767b6efe7a70ec86926dba47) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 91fa664c08..43fcc90ae5 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -87,7 +87,7 @@ static void sbr_neg_odd_64_c(int *x) { int i; for (i = 1; i < 64; i += 2) - x[i] = -x[i]; + x[i] = -(unsigned)x[i]; } static void sbr_qmf_pre_shuffle_c(int *z) From 0b63cee7a09c1490d26ccc4dd14f3cf5a233f443 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Jul 2021 00:01:53 +0200 Subject: [PATCH 1137/1383] avcodec/vc1dec: Disable error concealment for *IMAGE The existing error concealment makes no sense for the image formats, they use transformed source images which is different from keyframe + MC+difference for which the error concealment is designed. Of course feel free to re-enable this if you have a case where it works and improves vissual results Fixes: Timeout Fixes: 36234/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6300306743885824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 643b2d49bf52d5a3205ce3db732e0c4c396bd457) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 26cacc662c..3dfe524c07 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1137,7 +1137,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - if (!v->field_mode) + if ( !v->field_mode + && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE + && avctx->codec_id != AV_CODEC_ID_VC1IMAGE) ff_er_frame_end(&s->er); } From 907273ca20457107ef1b9b5891e8a8e109831756 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Jul 2021 21:17:23 +0200 Subject: [PATCH 1138/1383] avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() Fixes: Infinite loop Fixes: 35591/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4503764022198272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f803635c4fac761ac68b39a369272d4c26433dc1) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 0392c72519..5393fcf82b 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -280,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, for (k = 0; k < 2; k++) { run = 0; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); if (t == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect code\n"); From 51292064a2ce71b2adfc090ed7302b0ed3f0eab9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Aug 2021 09:55:00 +0200 Subject: [PATCH 1139/1383] avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init Fixes: MemLeak Fixes: 8281 Fixes: PoC_option158.jpg Fixes: CVE-2020-22037 Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 7bba0dd6382e30d646cb406034a66199e071d713) Signed-off-by: Michael Niedermayer --- libavcodec/frame_thread_encoder.c | 11 +++++++---- libavcodec/frame_thread_encoder.h | 4 ++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c index 55756c4c54..d85b14e946 100644 --- a/libavcodec/frame_thread_encoder.c +++ b/libavcodec/frame_thread_encoder.c @@ -117,7 +117,7 @@ end: int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_INTRA_ONLY)) @@ -195,16 +195,17 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ AVDictionary *tmp = NULL; int ret; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; + thread_avctx->priv_data = tmpv; + thread_avctx->internal = NULL; + thread_avctx->hw_frames_ctx = NULL; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; - thread_avctx->priv_data = tmpv; - thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0) @@ -232,6 +233,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ return 0; fail: + avcodec_close(thread_avctx); + av_freep(&thread_avctx); avctx->thread_count = i; av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n"); ff_frame_thread_encoder_free(avctx); diff --git a/libavcodec/frame_thread_encoder.h b/libavcodec/frame_thread_encoder.h index 1f79553f20..fc85ba48b8 100644 --- a/libavcodec/frame_thread_encoder.h +++ b/libavcodec/frame_thread_encoder.h @@ -23,6 +23,10 @@ #include "avcodec.h" +/** + * Initialize frame thread encoder. + * @note hardware encoders are not supported + */ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options); void ff_frame_thread_encoder_free(AVCodecContext *avctx); int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr); From d6d46907c6a23671115d0ab6be6c138ee89183cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Aug 2021 20:46:32 +0200 Subject: [PATCH 1140/1383] avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode Fixes: out of array read Fixes: 36331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5140494328922112.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c59b5e3d1e0121ea23b5b326529f5bdca44cf982) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 3dfe524c07..402bf2c404 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1162,12 +1162,14 @@ image: if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->current_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->current_picture_ptr, pict); *got_frame = 1; } else if (s->last_picture_ptr) { if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->last_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->last_picture_ptr, pict); *got_frame = 1; } } From ad3df92f538abae3578e6be4991879b56f02d6cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jul 2021 15:50:54 +0200 Subject: [PATCH 1141/1383] avcodec/webp: Check available space in loop in decode_entropy_coded_image() Fixes: Timeout Fixes: 35401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5714401821851648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e00eab61112c52f27a09fe77d50e6fc508f9c53) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 077bb06f85..5486deee58 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -665,6 +665,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, while (y < img->frame->height) { int v; + if (get_bits_left(&s->gb) < 0) + return AVERROR_INVALIDDATA; + hg = get_huffman_group(s, img, x, y); v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb); if (v < NUM_LITERAL_CODES) { From db3dd0545cdf690ee22f8b9807096d580bb8eb24 Mon Sep 17 00:00:00 2001 From: maryam ebrahimzadeh Date: Wed, 4 Aug 2021 16:15:18 -0400 Subject: [PATCH 1142/1383] avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata As the second argument for init_get_bits (buf) can be crafted, a return value check for this function call is necessary. 'buf' is part of 'AVPacket pkt'. replace init_get_bits with init_get_bits8. Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6) Signed-off-by: Michael Niedermayer --- libavformat/adtsenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index 3c2840c6ab..3807d67517 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c @@ -50,9 +50,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui GetBitContext gb; PutBitContext pb; MPEG4AudioConfig m4ac; - int off; + int off, ret; - init_get_bits(&gb, buf, size * 8); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; off = avpriv_mpeg4audio_get_config(&m4ac, buf, size * 8, 1); if (off < 0) return off; From 772e8bf0e79bdd81359634c10e4ac402b4e6ae1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Aug 2021 20:47:00 +0200 Subject: [PATCH 1143/1383] avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() Fixes: Timeout Fixes: 36262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4969052454912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 909faca929cf30dcd439fa33479177e76fb5121d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d61a69b437..73d748e509 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1501,6 +1501,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, else ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0], quant_matrix, ss, se, Al, &EOBRUN); + + if (ret >= 0 && get_bits_left(&s->gb) < 0) + ret = AVERROR_INVALIDDATA; if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); From 3837ebef6ebcdd9ebbbd49a37d902a8e00f0cb86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 May 2021 18:54:53 +0200 Subject: [PATCH 1144/1383] avformat/avidec: Use 64bit for frame number in odml index parsing Fixes: signed integer overflow: 1179337772 + 1392508928 cannot be represented in type 'int' Fixes: 34088/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5846945303232512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a4c98c507ed3c729fc92d641b974385f8aa37b33) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index d56a1ba4f8..b1c0325a19 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -156,7 +156,7 @@ static int get_riff(AVFormatContext *s, AVIOContext *pb) return 0; } -static int read_odml_index(AVFormatContext *s, int frame_num) +static int read_odml_index(AVFormatContext *s, int64_t frame_num) { AVIContext *avi = s->priv_data; AVIOContext *pb = s->pb; @@ -176,7 +176,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num) av_log(s, AV_LOG_TRACE, "longs_per_entry:%d index_type:%d entries_in_use:%d " - "chunk_id:%X base:%16"PRIX64" frame_num:%d\n", + "chunk_id:%X base:%16"PRIX64" frame_num:%"PRId64"\n", longs_per_entry, index_type, entries_in_use, From feba3d29be7b0da1e4ae2fd65bb91616afaa51a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Dec 2019 14:18:43 +0200 Subject: [PATCH 1145/1383] network: Define ENOTCONN as WSAENOTCONN if not defined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes compilation with old mingw.org toolchains, which has got much fewer errno.h entries. Signed-off-by: Martin Storsjö (cherry picked from commit 6569e9505c781468092c15fa84d034c9e37d26ca) Signed-off-by: Michael Niedermayer --- libavformat/network.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/network.h b/libavformat/network.h index 7f467304a8..71347e815b 100644 --- a/libavformat/network.h +++ b/libavformat/network.h @@ -50,6 +50,9 @@ #ifndef EINPROGRESS #define EINPROGRESS WSAEINPROGRESS #endif +#ifndef ENOTCONN +#define ENOTCONN WSAENOTCONN +#endif #define getsockopt(a, b, c, d, e) getsockopt(a, b, c, (char*) d, e) #define setsockopt(a, b, c, d, e) setsockopt(a, b, c, (const char*) d, e) From 29d6be42d1f4a79dbec05d0dee67bc7ef8d878e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Sep 2021 18:54:08 +0200 Subject: [PATCH 1146/1383] avcodec/xpmdec: Move allocations down after more error checks Fixes: Timeout Fixes: 37035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5142718576721920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e58692837c20c8484a23cd9beb63ac422f82458a) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 82a484dabb..8aee89dd30 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -337,9 +337,6 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - if ((ret = ff_get_buffer(avctx, p, 0)) < 0) - return ret; - if (cpp <= 0 || cpp >= 5) { av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp); return AVERROR_INVALIDDATA; @@ -356,14 +353,17 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, size *= 4; - av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); - if (!x->pixels) - return AVERROR(ENOMEM); - ptr += mod_strcspn(ptr, ",") + 1; if (end - ptr < 1) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) + return ret; + + av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); + if (!x->pixels) + return AVERROR(ENOMEM); + for (i = 0; i < ncolors; i++) { const uint8_t *index; int len; From 5240beb4c591994282107af8aceea133e21de233 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Sep 2021 19:55:28 +0200 Subject: [PATCH 1147/1383] avcodec/apedec: Fix 2 integer overflows in filter_3800() Fixes: signed integer overflow: 1683879955 - -466265224 cannot be represented in type 'int' Fixes: 37419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6074294407921664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 33feb527fff9bf547c4118147434869875cf0c3d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3bec1eee68..e11ee0a708 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -859,8 +859,8 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8); d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; From 608be8437b70ef672901be1fe80dfc5bed43ad11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:00:38 +0200 Subject: [PATCH 1148/1383] avcodec/jpeg2000dec: Check that atom header is within bytsetream Fixes: Infinite loop Fixes: 36666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5912760671141888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3c659f861856d751fe3aa1358b1cccff3117f948) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index f892a40265..bdc52f7854 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -2044,6 +2044,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom_size >= 16) { uint32_t atom2_size, atom2, atom2_end; do { + if (bytestream2_get_bytes_left(&s->g) < 8) + break; atom2_size = bytestream2_get_be32u(&s->g); atom2 = bytestream2_get_be32u(&s->g); atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; From dfb9a3f7f3ca35eb2dbedb79d117bf14a796e709 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 21 Jul 2021 01:02:44 -0300 Subject: [PATCH 1149/1383] avcodec/utils: don't return negative values in av_get_audio_frame_duration() In some extrme cases, like with adpcm_ms samples with an extremely high channel count, get_audio_frame_duration() may return a negative frame duration value. Don't propagate it, and instead return 0, signaling that a duration could not be determined. Fixes ticket #9312 Signed-off-by: James Almer (cherry picked from commit e01d306c647b5827102260b885faa223b646d2d1) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index c45f5f63f0..60ed1b07df 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1774,20 +1774,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) { - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, avctx->channels, avctx->block_align, avctx->codec_tag, avctx->bits_per_coded_sample, avctx->bit_rate, avctx->extradata, avctx->frame_size, frame_bytes); + return FFMAX(0, duration); } int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) { - return get_audio_frame_duration(par->codec_id, par->sample_rate, + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, par->channels, par->block_align, par->codec_tag, par->bits_per_coded_sample, par->bit_rate, par->extradata, par->frame_size, frame_bytes); + return FFMAX(0, duration); } #if !HAVE_THREADS From add3d4048d135bc1a6b883a350115823916a54a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Sep 2021 21:03:35 +0200 Subject: [PATCH 1150/1383] Update for 4.1.7 Signed-off-by: Michael Niedermayer --- Changelog | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 334 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 81c344f3e4..a1c454e21e 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,338 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.7: +- avcodec/utils: don't return negative values in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check that atom header is within bytsetream +- avcodec/apedec: Fix 2 integer overflows in filter_3800() +- avcodec/xpmdec: Move allocations down after more error checks +- network: Define ENOTCONN as WSAENOTCONN if not defined +- avformat/avidec: Use 64bit for frame number in odml index parsing +- avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() +- avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata +- avcodec/webp: Check available space in loop in decode_entropy_coded_image() +- avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode +- avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init +- avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() +- avcodec/vc1dec: Disable error concealment for *IMAGE +- avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() +- avformat/wtvdec: Check for EOF before seeking back in parse_media_type() +- avformat/wavdec: Use 64bit in new_pos computation +- avformat/sbgdec: Check for overflow in timestamp preparation +- avformat/dsicin: Check packet size for overflow +- avformat/bfi: check nframes +- avformat/avidec: fix position overflow in avi_load_index() +- avformat/asfdec_f: Check sizeX against padding +- avformat/aiffdec: Check for size overflow in header parsing +- avcodec/aaccoder: Add minimal bias in search_for_ms() +- avfilter/af_drmeter: Check that there is data +- avfilter/vf_mestimate: Check b_count +- avformat/mov: do not ignore errors in mov_metadata_hmmt() +- avformat/mxfdec: Check size for shrinking +- avcodec/dnxhddec: check and propagate function return value +- swscale/slice: Fix wrong return on error +- swscale/slice: Check slice for allocation failure +- avformat/matroskadec: Fix handling of huge default durations +- avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() +- avformat/ftp: Check for av_strtok() failure +- tools/cws2fws: Check read() for failure +- avcodec/cpia: Fix missing src_size update +- avcodec/clearvideo: Check tile_size to be not too large +- avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation +- avformat/rmdec: Check old_format len for overflow +- avformat/realtextdec: Check the pts difference before using it for the duration computation +- avformat/qcp: Avoid negative nb_rates +- avformat/nutdec: Check tmp_size +- avformat/msf: Check that channels doesnt overflow during extradata construction +- avformat/mpc8: Check for position overflow in mpc8_handle_chunk() +- avformat/iff: Use 64bit in duration computation +- avformat/dxa: Check fps to be within the supported range more precissely +- avcodec/iff: Only write palette to plane 1 if its PAL8 +- avformat/tta: Check for EOF in index reading loop +- Update missed irc links +- avformat/rpl: The associative law doesnt hold for signed integers in C +- avcodec/faxcompr: Check available bits in decode_uncompressed() +- avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 +- avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit +- avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 +- avformat/mov: Check for duplicate mdcv +- avfilter/vf_dctdnoiz: Check threads +- avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black +- avformat/rpl: Check for EOF and zero framesize +- avcodec/vc2enc: Check for non negative slice bounds +- avformat/rpl: Use 64bit in bitrate computation and check it +- avcodec/svq1enc: Do not print debug RD value before it has been computed +- avcodec/aacpsy: Check bandwidth +- avcodec/aacenc: Do not divide by lambda_count if it is 0 +- avcodec/aacenc: Use FLT_EPSILON for lambda minimum +- avformat/cinedec: Fix index_entries size check +- avfilter/vf_yadif: Fix handing of tiny images +- avfilter/vf_vmafmotion: Check dimensions +- avformat/movenc: Check pal_size before use +- avcodec/lpc: Avoid floating point division by 0 +- avcodec/aacpsy: Avoid floating point division by 0 of norm_fac +- avcodec/aacenc: Avoid 0 lambda +- avcodec/exr: x/ymax cannot be INT_MAX +- avformat/avio: Check av_opt_copy() for failure +- avcodec/clearvideo: Check for 0 tile_shift +- avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() +- avformat/mov: Ignore duplicate CoLL +- avformat/mov: Limit nb_chapter_tracks to input size +- avformat/utils: Use 64bit earlier in r_frame_rate check +- avformat/mvdec: Check sample rate in parse_audio_var() +- avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() +- avcodec/utils: treat PAL8 for jpegs similar to other colorspaces +- avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent +- avformat/asfdec_o: Use ff_get_extradata() +- avformat/id3v2: Check end for overflow in id3v2_parse() +- avformat/wtvdec: Improve size overflow checks in parse_chunks() +- avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() +- avcodec/utils: Check ima wav duration for overflow +- avformat/cafdec: Check channels +- avcodec/dpx: Check bits_per_color earlier +- avcodec/pnm_parser: Check image size addition for overflow +- avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment() +- avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check +- avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() +- avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() +- avformat/mov: Ignore multiple STSC / STCO +- avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() +- avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() +- avutil/common: Add FF_PTR_ADD() +- avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid +- avformat/cafdec: Do not build an index if all packets are the same +- avcodec/sonic: Use unsigned temporary in predictor_calc_error() +- avformat/flvdec: Check array entry number +- avcodec/h264_slice: Check sps in h264_slice_header_init() +- avformat/movenc: Avoid loosing cluster array on failure +- avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb +- avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() +- avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() +- avcodec/mpeg4videoenc: Check extradata malloc() +- avcodec/speedhq: Width < 8 is not supported +- avformat/matroskadec: Check for EOF in resync loop +- avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS +- avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() +- avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() +- avutil/timecode: Avoid fps overflow +- avformat/mvi: Check audio size for more overflows +- avcodec/flacdec: Avoid undefined shift in error case +- avcodec/ffv1dec: Check if trailer is available +- avcodec/4xm: Check pre_gb in decode_i_block() +- avcodec/dcadsp: Fix integer overflow in dmix_add_c() +- avformat/flvdec: Check double before cast in parse_keyframes_index() +- avformat/paf: Check for EOF before allocation in read_header() +- avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() +- avformat/lxfdec: Fix multiple integer overflows related to track_size +- avcodec/exr: skip bottom clearing loop when its outside the image +- avutil/parseutils: Check sign in av_parse_time() +- avformat/aiffdec: Check that SSND is at least 8 bytes +- avformat/dcstr: Check sample rate +- avcodec/alsdec: Check bitstream input in read_block() +- avformat/mov: Extend data_size check in mov_read_udta_string() +- avformat/aadec: Check for EOF while reading chapters +- avformat/voc_packet: Add a basic check on max_size +- avformat/microdvddec: use 64bit for durations +- avcodec/hapdec: Change compressed_offset to unsigned 32bit +- avformat/rmdec: Check codec_length without overflow +- avformat/mov: Check element count in mov_metadata_hmmt() +- avcodec/fits: Check gcount and pcount being non negative +- avformat/nutdec: Check timebase count against main header length +- avformat/electronicarts: Clear partial_packet on error +- avformat/r3d: Check samples before computing duration +- avcodec/pnm_parser: Check av_image_get_buffer_size() for failure +- avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() +- avformat/rmdec: Check remaining space in debug av_log() loop +- avformat/flvdec: Treat high ts byte as unsigned +- avformat/samidec: Sanity check pts +- avcodec/jpeg2000dec: Check atom_size in jp2_find_codestream() +- avformat/avidec: Use 64bit in get_duration() +- avformat/mov: Check for duplicate st3d +- avformat/mvdec: Check for EOF in read_index() +- avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() +- avformat/id3v2: Check the return from avio_get_str() +- avcodec/hevc_sei: Check payload size in decode_nal_sei_message() +- libavutil/eval: Remove CONFIG_TRAPV special handling +- avformat/wtvdec: Check len in parse_chunks() to avoid overflow +- avformat/asfdec_f: Add an additional check for the extradata size +- avformat/3dostr: Check sample_rate +- avformat/4xm: Make audio_frame_count 64bit +- avformat/mov: Use av_mul_q() to avoid integer overflows +- avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper +- avformat/rmdec: Reorder operations to avoid overflow +- avcodec/mxpegdec: fix SOF counting +- avcodec/rscc: Check inflated_buf size whan it is used +- avformat/mvdec: Sanity check SAMPLE_WIDTH +- avformat/rmdec: Fix codecdata_length overflow check +- avcodec/simple_idct: Fix undefined integer overflow in idct4row() +- avformat/tta: Use 64bit intermediate for index +- avformat/soxdec: Check channels to be positive +- avcodec/cscd: Check output len in zlib as in lzo +- avcodec/vp3: Check input amount in theora_decode_header() +- avformat/wavdec: Check avio_get_str16le() for failure +- avformat/flvdec: Check for EOF in amf_skip_tag() +- avformat/aiffdec: Check size before subtraction in get_aiff_header() +- avformat/electronicarts: More chunk_size checks +- avcodec/cfhd: check peak.offset +- avformat/tedcaptionsdec: Check for overflow in parse_int() +- avformat/nuv: Check channels +- avformat/mpc8: Check size before implicitly converting to int +- avformat/nutdec: Fix integer overflow in count computation +- avformat/mvi: Use 64bit for testing dimensions +- avformat/utils: Check dts in update_initial_timestamps() more +- avformat/flvdec: Check for avio_read() failure in amf_get_string() +- avformat/flvdec: Check for nesting depth in amf_skip_tag() +- avformat/flvdec: Check for nesting depth in amf_parse_object() +- avformat/asfdec_o: Check for EOF in asf_read_marker() +- avformat/utils: Check dts - (1< Date: Fri, 10 Sep 2021 16:00:00 +0200 Subject: [PATCH 1151/1383] Revert "avformat/wvdec: Check rate for overflow" The code this fixes is not in release/4.1 Found-by: This reverts commit b81d1379c296de48ebcc7ead0b3f22a4265b0ea1. --- libavformat/wvdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/wvdec.c b/libavformat/wvdec.c index 8ddebf8033..2060523c3b 100644 --- a/libavformat/wvdec.c +++ b/libavformat/wvdec.c @@ -81,7 +81,6 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) int ret; int rate, bpp, chan; uint32_t chmask, flags; - unsigned rate_x; wc->pos = avio_tell(pb); @@ -180,7 +179,7 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) if (id & 0x40) avio_skip(pb, 1); } - if (rate == -1 || rate * (uint64_t)rate_x >= INT_MAX) { + if (rate == -1) { av_log(ctx, AV_LOG_ERROR, "Cannot determine custom sampling rate\n"); return AVERROR_INVALIDDATA; From 01f3824f6c46ef19025059752a4381daa2443097 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 15 Oct 2019 16:31:15 +0200 Subject: [PATCH 1152/1383] avfilter/vf_avgblur: fix heap-buffer overflow Fixes #8274 (cherry picked from commit f069a9c2a65bc20c3462127623127df6dfd06c5b) Signed-off-by: James Almer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index c7b88427fd..b813237258 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -149,7 +149,7 @@ static int filter_vertically_##name(AVFilterContext *ctx, void *arg, int jobnr, \ src = s->buffer + x; \ ptr = buffer + x; \ - for (i = 0; i <= radius; i++) { \ + for (i = 0; i + radius < height && i <= radius; i++) { \ acc += src[(i + radius) * width]; \ count++; \ ptr[i * linesize] = acc / count; \ From f5da6cff3504978bf6e713996988dcef0691d800 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 11 Oct 2019 06:18:10 -0300 Subject: [PATCH 1153/1383] avfilter/vf_neighbor: check if width is 1 Fixes #8242 (cherry picked from commit e787f8fd7ee99ba0c3e0f086ce2ce59eea7ed86c) Signed-off-by: James Almer --- libavfilter/vf_neighbor.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_neighbor.c b/libavfilter/vf_neighbor.c index 2db1e5e57c..f84a33ef75 100644 --- a/libavfilter/vf_neighbor.c +++ b/libavfilter/vf_neighbor.c @@ -285,9 +285,11 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) src + (width - 2) * bpc, src + (width - 2) * bpc, src + (width - 2) * bpc + ph * stride, src + (width - 1) * bpc + ph * stride, src + (width - 2) * bpc + ph * stride}; - s->filter(dst, src, 1, threshold, coordinateslb, s->coordinates); - s->filter(dst + 1 * bpc, src + 1 * bpc, width - 2, threshold, coordinates, s->coordinates); - s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1, threshold, coordinatesrb, s->coordinates); + s->filter(dst, src, 1, threshold, coordinateslb, s->coordinates); + if (width > 1) { + s->filter(dst + 1 * bpc, src + 1 * bpc, width - 2, threshold, coordinates, s->coordinates); + s->filter(dst + (width - 1) * bpc, src + (width - 1) * bpc, 1, threshold, coordinatesrb, s->coordinates); + } src += stride; dst += dstride; From 3a9f384225cb6e5720d36d0b01dd446cfd6f1772 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 19 Oct 2019 19:34:47 +0200 Subject: [PATCH 1154/1383] avfilter/af_tremolo: fix heap-buffer overflow Fixes #8317 (cherry picked from commit 58bb9d3a3a6ede1c6cfb82bf671a5f138e6b2144) Signed-off-by: James Almer --- libavfilter/af_tremolo.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_tremolo.c b/libavfilter/af_tremolo.c index 8cbc79892d..f55e8e2b09 100644 --- a/libavfilter/af_tremolo.c +++ b/libavfilter/af_tremolo.c @@ -28,6 +28,7 @@ typedef struct TremoloContext { double freq; double depth; double *table; + int table_size; int index; } TremoloContext; @@ -72,7 +73,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) dst += channels; src += channels; s->index++; - if (s->index >= inlink->sample_rate / s->freq) + if (s->index >= s->table_size) s->index = 0; } @@ -125,11 +126,12 @@ static int config_input(AVFilterLink *inlink) const double offset = 1. - s->depth / 2.; int i; - s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table)); + s->table_size = inlink->sample_rate / s->freq; + s->table = av_malloc_array(s->table_size, sizeof(*s->table)); if (!s->table) return AVERROR(ENOMEM); - for (i = 0; i < inlink->sample_rate / s->freq; i++) { + for (i = 0; i < s->table_size; i++) { double env = s->freq * i / inlink->sample_rate; env = sin(2 * M_PI * fmod(env + 0.25, 1.0)); s->table[i] = env * (1 - fabs(offset)) + offset; From 540047eda8391da511142d782c4145b23fdad173 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 17:23:10 +0200 Subject: [PATCH 1155/1383] avfilter/vf_edgedetect: check if height is big enough Fixes #8260 (cherry picked from commit ccf4ab8c9aca0aee66bcc2914031a9c97ac0eeb8) Signed-off-by: James Almer --- libavfilter/vf_edgedetect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index a0ddcbbf5c..11a31fa4ff 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c @@ -150,7 +150,8 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, int i, j; memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 1) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; for (j = 2; j < h - 2; j++) { dst[0] = src[0]; dst[1] = src[1]; @@ -180,8 +181,10 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, dst += dst_linesize; src += src_linesize; } - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); + if (h > 2) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 3) + memcpy(dst, src, w); } enum { From 69f5d4b7fdcb93c2948255193870f5ea7605028c Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 11 Oct 2019 12:42:13 +0200 Subject: [PATCH 1156/1383] avfilter/vf_bitplanenoise: fix overreads Fixes #8244 (cherry picked from commit 0b567238741854b41f84f7457686b044eadfe29c) Signed-off-by: James Almer --- libavfilter/vf_bitplanenoise.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_bitplanenoise.c b/libavfilter/vf_bitplanenoise.c index 4ec3a22572..94aa24abec 100644 --- a/libavfilter/vf_bitplanenoise.c +++ b/libavfilter/vf_bitplanenoise.c @@ -122,7 +122,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) if (s->depth <= 8) { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane]; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] : 0; const int dlinesize = out->linesize[plane]; uint8_t *val = in->data[plane]; uint8_t *dst = s->filter ? out->data[plane]: NULL; @@ -151,7 +151,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } } else { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane] / 2; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] / 2 : 0; const int dlinesize = out->linesize[plane] / 2; uint16_t *val = (uint16_t *)in->data[plane]; uint16_t *dst = s->filter ? (uint16_t *)out->data[plane] : NULL; From c79606f233fed20a6d31e6cd5f24466021eaf94b Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:10:16 +0200 Subject: [PATCH 1157/1383] avfilter/vf_fieldorder: fix heap-buffer overflow Fixes #8264 (cherry picked from commit 07050d7bdc32d82e53ee5bb727f5882323d00dba) Signed-off-by: James Almer --- libavfilter/vf_fieldorder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_fieldorder.c b/libavfilter/vf_fieldorder.c index ca55ff1f66..5707151f1b 100644 --- a/libavfilter/vf_fieldorder.c +++ b/libavfilter/vf_fieldorder.c @@ -108,8 +108,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) s->dst_tff ? "up" : "down"); h = frame->height; for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { - dst_line_step = out->linesize[plane]; - src_line_step = frame->linesize[plane]; + dst_line_step = out->linesize[plane] * (h > 2); + src_line_step = frame->linesize[plane] * (h > 2); line_size = s->line_size[plane]; dst = out->data[plane]; src = frame->data[plane]; From d60effdf83eddcdb18c84d339a526fb0318723fe Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 19 Oct 2019 11:56:02 +0200 Subject: [PATCH 1158/1383] avfilter/vf_fieldmatch: fix heap-buffer overflow Also fix use of uninitialized values. Fixes #8239 (cherry picked from commit ce5274c1385d55892a692998923802023526b765) Signed-off-by: James Almer --- libavfilter/vf_fieldmatch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_fieldmatch.c b/libavfilter/vf_fieldmatch.c index 5a73eb43b8..8d1e68b85f 100644 --- a/libavfilter/vf_fieldmatch.c +++ b/libavfilter/vf_fieldmatch.c @@ -938,7 +938,7 @@ static int config_input(AVFilterLink *inlink) fm->tpitchy = FFALIGN(w, 16); fm->tpitchuv = FFALIGN(w >> 1, 16); - fm->tbuffer = av_malloc(h/2 * fm->tpitchy); + fm->tbuffer = av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer)); fm->c_array = av_malloc((((w + fm->blockx/2)/fm->blockx)+1) * (((h + fm->blocky/2)/fm->blocky)+1) * 4 * sizeof(*fm->c_array)); From aef4cbec696ae4e349a72521fba1180b96a97fab Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 19 Oct 2019 09:50:53 +0200 Subject: [PATCH 1159/1383] avfilter/vf_datascope: fix heap buffer overflow Fixes #8309 (cherry picked from commit d4d6b7b0355f3597cad3b8d12911790c73b5f96d) Signed-off-by: James Almer --- libavfilter/vf_datascope.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_datascope.c b/libavfilter/vf_datascope.c index c9039a60f6..83f90f07ba 100644 --- a/libavfilter/vf_datascope.c +++ b/libavfilter/vf_datascope.c @@ -973,7 +973,7 @@ static int oscilloscope_filter_frame(AVFilterLink *inlink, AVFrame *frame) frame->width, frame->height, s->ox, s->oy, s->width, s->height + 20 * s->statistics); - if (s->grid) { + if (s->grid && outlink->h >= 10) { ff_fill_rectangle(&s->draw, &s->gray, frame->data, frame->linesize, s->ox, s->oy, s->width - 1, 1); From e06e89f6275c62316da489c567fce3d2ef6f594a Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 14 Feb 2021 17:20:03 +0100 Subject: [PATCH 1160/1383] avcodec/pngenc: remove monowhite from apng formats Monowhite pixel format is not supported, and it does not make sense to add support for it. Fixes #7989 (cherry picked from commit 5d9f44da460f781a1604d537d0555b78e29438ba) Signed-off-by: James Almer --- libavcodec/pngenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index 69b4495404..dfc8eb58e6 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = { AV_PIX_FMT_PAL8, AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, - AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE + AV_PIX_FMT_NONE }, .priv_class = &apngenc_class, }; From 29f1cf0c0f5d90e81a438dc12a4782dc424bf5ec Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 12 Oct 2019 11:07:54 +0200 Subject: [PATCH 1161/1383] avfilter/vf_colorconstancy: fix overreads in gauss array Fixes #8250 (cherry picked from commit a7fd1279703683ebb548ef7baa2f1519994496ae) Signed-off-by: James Almer --- libavfilter/vf_colorconstancy.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_colorconstancy.c b/libavfilter/vf_colorconstancy.c index e3bb39e51b..cc081e957f 100644 --- a/libavfilter/vf_colorconstancy.c +++ b/libavfilter/vf_colorconstancy.c @@ -280,7 +280,7 @@ static int slice_get_derivative(AVFilterContext* ctx, void* arg, int jobnr, int dst[INDX2D(r, c, width)] = 0; for (g = 0; g < filtersize; ++g) { dst[INDX2D(r, c, width)] += GAUSS(src, r, c + GINDX(filtersize, g), - in_linesize, height, width, gauss[GINDX(filtersize, g)]); + in_linesize, height, width, gauss[g]); } } } @@ -295,7 +295,7 @@ static int slice_get_derivative(AVFilterContext* ctx, void* arg, int jobnr, int dst[INDX2D(r, c, width)] = 0; for (g = 0; g < filtersize; ++g) { dst[INDX2D(r, c, width)] += GAUSS(src, r + GINDX(filtersize, g), c, - width, height, width, gauss[GINDX(filtersize, g)]); + width, height, width, gauss[g]); } } } From df5e01770900f11eec0c500ccbaddcc6a9d0963d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 15 Oct 2019 16:55:13 +0200 Subject: [PATCH 1162/1383] avfilter/af_afade: fix heap-buffer overflow Fixes #8276 (cherry picked from commit e1b89c76f66343d1b495165664647317c66764bb) Signed-off-by: James Almer --- libavfilter/af_afade.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/af_afade.c b/libavfilter/af_afade.c index 8d9ba916bf..d1135ee16b 100644 --- a/libavfilter/af_afade.c +++ b/libavfilter/af_afade.c @@ -484,7 +484,8 @@ static int activate(AVFilterContext *ctx) s->pts += av_rescale_q(in->nb_samples, (AVRational){ 1, outlink->sample_rate }, outlink->time_base); return ff_filter_frame(outlink, in); - } else if (ff_framequeue_queued_samples(&ctx->inputs[1]->fifo) >= s->nb_samples) { + } else if (ff_framequeue_queued_samples(&ctx->inputs[0]->fifo) >= s->nb_samples && + ff_framequeue_queued_samples(&ctx->inputs[1]->fifo) >= s->nb_samples) { if (s->overlap) { out = ff_get_audio_buffer(outlink, s->nb_samples); if (!out) From da3d6068f3fbbe89c57b6c68c178a54dee168d95 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 11 Oct 2019 12:55:13 +0200 Subject: [PATCH 1163/1383] avfilter/vf_w3fdif: deny processing small videos Fixes #8243 (cherry picked from commit 0e68e8c93f9068596484ec8ba725586860e06fc8) Signed-off-by: James Almer --- libavfilter/vf_w3fdif.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_w3fdif.c b/libavfilter/vf_w3fdif.c index c6a6550778..b84052e8c7 100644 --- a/libavfilter/vf_w3fdif.c +++ b/libavfilter/vf_w3fdif.c @@ -274,6 +274,11 @@ static int config_input(AVFilterLink *inlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + if (inlink->h < 3) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 lines is not supported\n"); + return AVERROR(EINVAL); + } + s->nb_planes = av_pix_fmt_count_planes(inlink->format); s->nb_threads = ff_filter_get_nb_threads(ctx); s->work_line = av_calloc(s->nb_threads, sizeof(*s->work_line)); From ac5a7d5a67afb6b26460412d51f026ecf22c2193 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 15 Oct 2019 16:38:40 +0200 Subject: [PATCH 1164/1383] avfilter/vf_edgedetect: fix heap-buffer overflow Fixes #8275 (cherry picked from commit de598f82f8c3f8000e1948548e8088148e2b1f44) Signed-off-by: James Almer --- libavfilter/vf_edgedetect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index 11a31fa4ff..25ae6dfacc 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c @@ -154,7 +154,8 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; for (j = 2; j < h - 2; j++) { dst[0] = src[0]; - dst[1] = src[1]; + if (w > 1) + dst[1] = src[1]; for (i = 2; i < w - 2; i++) { /* Gaussian mask of size 5x5 with sigma = 1.4 */ dst[i] = ((src[-2*src_linesize + i-2] + src[2*src_linesize + i-2]) * 2 @@ -175,8 +176,10 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, + src[i+1] * 12 + src[i+2] * 5) / 159; } - dst[i ] = src[i ]; - dst[i + 1] = src[i + 1]; + if (w > 2) + dst[i ] = src[i ]; + if (w > 3) + dst[i + 1] = src[i + 1]; dst += dst_linesize; src += src_linesize; From f1fc3fe3179109328229421451e3219de1ab9521 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 10 Oct 2019 21:50:03 +0200 Subject: [PATCH 1165/1383] avfilter/vf_floodfill: finish early if source and destination fill matches Fixes #8236 (cherry picked from commit 1331e001796c656a4a3c770a16121c15ec1db2ac) Signed-off-by: James Almer --- libavfilter/vf_floodfill.c | 58 ++++++++++++++++++++++---------------- 1 file changed, 34 insertions(+), 24 deletions(-) diff --git a/libavfilter/vf_floodfill.c b/libavfilter/vf_floodfill.c index 323dd0e2fa..cf8f689559 100644 --- a/libavfilter/vf_floodfill.c +++ b/libavfilter/vf_floodfill.c @@ -34,9 +34,10 @@ typedef struct FloodfillContext { const AVClass *class; int x, y; - int s0, s1, s2, s3; - int d0, d1, d2, d3; + int s[4]; + int d[4]; + int nb_planes; int back, front; Points *points; @@ -238,12 +239,12 @@ static int config_input(AVFilterLink *inlink) const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(inlink->format); AVFilterContext *ctx = inlink->dst; FloodfillContext *s = ctx->priv; - int nb_planes = av_pix_fmt_count_planes(inlink->format); int depth; + s->nb_planes = av_pix_fmt_count_planes(inlink->format); depth = desc->comp[0].depth; if (depth == 8) { - switch (nb_planes) { + switch (s->nb_planes) { case 1: s->set_pixel = set_pixel1; s->is_same = is_same1; s->pick_pixel = pick_pixel1; break; @@ -255,7 +256,7 @@ static int config_input(AVFilterLink *inlink) s->pick_pixel = pick_pixel4; break; } } else { - switch (nb_planes) { + switch (s->nb_planes) { case 1: s->set_pixel = set_pixel1_16; s->is_same = is_same1_16; s->pick_pixel = pick_pixel1_16; break; @@ -280,17 +281,25 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame) { AVFilterContext *ctx = link->dst; FloodfillContext *s = ctx->priv; - const unsigned d0 = s->d0; - const unsigned d1 = s->d1; - const unsigned d2 = s->d2; - const unsigned d3 = s->d3; - int s0 = s->s0; - int s1 = s->s1; - int s2 = s->s2; - int s3 = s->s3; + const unsigned d0 = s->d[0]; + const unsigned d1 = s->d[1]; + const unsigned d2 = s->d[2]; + const unsigned d3 = s->d[3]; + int s0 = s->s[0]; + int s1 = s->s[1]; + int s2 = s->s[2]; + int s3 = s->s[3]; const int w = frame->width; const int h = frame->height; - int ret; + int i, ret; + + for (i = 0; i < s->nb_planes; i++) { + if (s->s[i] != s->d[i]) + break; + } + + if (i == s->nb_planes) + goto end; if (ret = av_frame_make_writable(frame)) return ret; @@ -337,6 +346,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame) } } +end: return ff_filter_frame(ctx->outputs[0], frame); } @@ -405,16 +415,16 @@ static const AVFilterPad floodfill_outputs[] = { #define FLAGS AV_OPT_FLAG_FILTERING_PARAM|AV_OPT_FLAG_VIDEO_PARAM static const AVOption floodfill_options[] = { - { "x", "set pixel x coordinate", OFFSET(x), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, - { "y", "set pixel y coordinate", OFFSET(y), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, - { "s0", "set source #0 component value", OFFSET(s0), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, - { "s1", "set source #1 component value", OFFSET(s1), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, - { "s2", "set source #2 component value", OFFSET(s2), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, - { "s3", "set source #3 component value", OFFSET(s3), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, - { "d0", "set destination #0 component value", OFFSET(d0), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, - { "d1", "set destination #1 component value", OFFSET(d1), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, - { "d2", "set destination #2 component value", OFFSET(d2), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, - { "d3", "set destination #3 component value", OFFSET(d3), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, + { "x", "set pixel x coordinate", OFFSET(x), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, + { "y", "set pixel y coordinate", OFFSET(y), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, + { "s0", "set source #0 component value", OFFSET(s[0]), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, + { "s1", "set source #1 component value", OFFSET(s[1]), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, + { "s2", "set source #2 component value", OFFSET(s[2]), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, + { "s3", "set source #3 component value", OFFSET(s[3]), AV_OPT_TYPE_INT, {.i64=0},-1, UINT16_MAX, FLAGS }, + { "d0", "set destination #0 component value", OFFSET(d[0]), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, + { "d1", "set destination #1 component value", OFFSET(d[1]), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, + { "d2", "set destination #2 component value", OFFSET(d[2]), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, + { "d3", "set destination #3 component value", OFFSET(d[3]), AV_OPT_TYPE_INT, {.i64=0}, 0, UINT16_MAX, FLAGS }, { NULL } }; From 8c9ff740a35d6f46935f70e4a9533dddaaf33788 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 18:10:38 +0200 Subject: [PATCH 1166/1383] avfilter/vf_bm3d: fix heap-buffer overflows Fixes #8262 (cherry picked from commit 0749082eb93ea02fa4b770da86597450cec84054) Signed-off-by: James Almer --- libavfilter/vf_bm3d.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_bm3d.c b/libavfilter/vf_bm3d.c index 75c356728e..04cc19ccee 100644 --- a/libavfilter/vf_bm3d.c +++ b/libavfilter/vf_bm3d.c @@ -706,8 +706,8 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) const int plane = td->plane; const int width = s->planewidth[plane]; const int height = s->planeheight[plane]; - const int block_pos_bottom = height - s->block_size; - const int block_pos_right = width - s->block_size; + const int block_pos_bottom = FFMAX(0, height - s->block_size); + const int block_pos_right = FFMAX(0, width - s->block_size); const int slice_start = (((height + block_step - 1) / block_step) * jobnr / nb_jobs) * block_step; const int slice_end = (jobnr == nb_jobs - 1) ? block_pos_bottom + block_step : (((height + block_step - 1) / block_step) * (jobnr + 1) / nb_jobs) * block_step; @@ -796,8 +796,8 @@ static int config_input(AVFilterLink *inlink) for (i = 0; i < s->nb_threads; i++) { SliceContext *sc = &s->slices[i]; - sc->num = av_calloc(s->planewidth[0] * s->planeheight[0], sizeof(FFTSample)); - sc->den = av_calloc(s->planewidth[0] * s->planeheight[0], sizeof(FFTSample)); + sc->num = av_calloc(FFALIGN(s->planewidth[0], s->block_size) * FFALIGN(s->planeheight[0], s->block_size), sizeof(FFTSample)); + sc->den = av_calloc(FFALIGN(s->planewidth[0], s->block_size) * FFALIGN(s->planeheight[0], s->block_size), sizeof(FFTSample)); if (!sc->num || !sc->den) return AVERROR(ENOMEM); From d7490ef341e253294aa0abf1e4ed8381c1b0ea91 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:21:35 +0200 Subject: [PATCH 1167/1383] avfilter/vf_bwdif: fix heap-buffer overflow Fixes #8261 (cherry picked from commit 8c3166e1c302c3ba80d9742ae46161c0fa8e2606) Signed-off-by: James Almer --- libavfilter/vf_bwdif.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index b691983611..7290c9a4a2 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -505,8 +505,8 @@ static int config_props(AVFilterLink *link) if(s->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 3) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); + if (link->w < 3 || link->h < 4) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } From 6992f5f665b4f1898af92b7f721be7907717d283 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:24:15 +0200 Subject: [PATCH 1168/1383] avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Out of array access Fixes: 37030/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5387719147651072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 3dd5a8a13510d08a4e25e8f138d718672a0fed4a) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e0465e6f50..2b0b4e89f8 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -541,6 +541,10 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ + + if (st->codecpar->channels > 8) + return AVERROR_INVALIDDATA; + for (; end_ptr - buf_ptr >= st->codecpar->channels * 4; ) { for (i = 0; i < st->codecpar->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); From f997f890716cc5b965545a10eebaaecfcf82e9d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:26:41 +0200 Subject: [PATCH 1169/1383] avformat/jacosubdec: Check for min in t overflow in get_shift() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 34651/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5157941012463616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 989febfbd0c986e9e3e0f269a6b22778bf79147b) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 85840d8529..3037085d9c 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -140,6 +140,9 @@ static int get_shift(int timeres, const char *buf) int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP + if (a == INT_MIN) + return 0; + if (*buf == '-' || a < 0) { sign = -1; a = FFABS(a); From ecb7f15b7bd2bc4902a9ca98084624472aedbd1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Sep 2021 23:04:13 +0200 Subject: [PATCH 1170/1383] avformat/mov: Check for duplicate clli Fixes: memleak Fixes: 35261/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4869656287510528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a222f140e2674ac936b2f41c480487bc666dd95) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 348c648d60..5d1e29c429 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5453,6 +5453,11 @@ static int mov_read_clli(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR_INVALIDDATA; } + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate CLLI/COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); From a214f6e238b96b054e8cee342d77912e50681f67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Apr 2021 22:44:19 +0200 Subject: [PATCH 1171/1383] avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int' Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e2c2872393f25253aa40861a9707934c4b83a3af) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 8c91989505..8f31c4717c 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -268,9 +268,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From ea9fc9676cde4b6ee969e830e7e1e50344d97195 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Sep 2021 22:00:46 +0200 Subject: [PATCH 1172/1383] avformat/mvdec: Do not set invalid sample rate Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long' Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 737e6bf2162b89d396f4d477bfe8c99f1dd885de) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index abd0516702..b4ed82f25c 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -156,9 +156,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, } else if (!strcmp(name, "NUM_CHANNELS")) { return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { - st->codecpar->sample_rate = var_read_int(pb, size); - if (st->codecpar->sample_rate <= 0) + int sample_rate = var_read_int(pb, size); + if (sample_rate <= 0) return AVERROR_INVALIDDATA; + st->codecpar->sample_rate = sample_rate; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; From 25f9794e5633d423796c871669472d97da17e0d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Sep 2021 22:00:47 +0200 Subject: [PATCH 1173/1383] avcodec/apedec: Fix integer overflow in intermediate Fixes: signed integer overflow: 559334865 * 4 cannot be represented in type 'int' Fixes: 37929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6751932295806976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90da43557f7257d72e95504f63ae6504406d6eab) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index e11ee0a708..7db1196d3f 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); + (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; From 552430993d2dbf482643d3e9f811fe46ed3cb0b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 May 2021 18:38:23 +0200 Subject: [PATCH 1174/1383] avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable Fixes: error: 1.66789e+11 is outside the range of representable values of type 'int' Fixes: Ticket8201 Signed-off-by: Michael Niedermayer (cherry picked from commit 245017ec8a87d6e4c764d06afeca37100b980d85) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 9fdab31a25..41661bae52 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -492,9 +492,13 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!s->fixed_qscale && avctx->bit_rate * av_q2d(avctx->time_base) > avctx->bit_rate_tolerance) { + double nbt = avctx->bit_rate * av_q2d(avctx->time_base) * 5; av_log(avctx, AV_LOG_WARNING, "bitrate tolerance %d too small for bitrate %"PRId64", overriding\n", avctx->bit_rate_tolerance, avctx->bit_rate); - avctx->bit_rate_tolerance = 5 * avctx->bit_rate * av_q2d(avctx->time_base); + if (nbt <= INT_MAX) { + avctx->bit_rate_tolerance = nbt; + } else + avctx->bit_rate_tolerance = INT_MAX; } if (s->avctx->rc_max_rate && From 448e9ce5e55b370de7217d45da30c597626f523e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 Aug 2021 20:15:09 +0200 Subject: [PATCH 1175/1383] avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return Fixes: invalid shift Fixes: 37018/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-5290280902328320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a95abcce4d93f979e4b53f2220f7a54edd03312) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 9dafd38294..8d9c62a2fa 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1537,6 +1537,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->mpeg_f_code[0][1] = get_bits(&s->gb, 4); s->mpeg_f_code[1][0] = get_bits(&s->gb, 4); s->mpeg_f_code[1][1] = get_bits(&s->gb, 4); + s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; + s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; + s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; + s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; if (!s->pict_type && s1->mpeg_enc_ctx_allocated) { av_log(s->avctx, AV_LOG_ERROR, "Missing picture start code, guessing missing values\n"); @@ -1550,10 +1554,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->current_picture.f->pict_type = s->pict_type; s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I; } - s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; - s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; - s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; - s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; s->intra_dc_precision = get_bits(&s->gb, 2); s->picture_structure = get_bits(&s->gb, 2); From 512a132e4c0747521561eba56b1dc299eb8cae48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Sep 2021 22:35:36 +0200 Subject: [PATCH 1176/1383] avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127 Fixes: index 128 out of bounds for type 'uint16_t [128]' Fixes: 38651/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6296416058736640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 85413a5ae6948a1d6e4e947a4fca984b8c686016) Signed-off-by: Michael Niedermayer --- libavcodec/cbs_h265_syntax_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 52a81a4019..ce9e9494b2 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -668,7 +668,7 @@ static int FUNC(sps_scc_extension)(CodedBitstreamContext *ctx, RWContext *rw, flag(sps_palette_predictor_initializer_present_flag); if (current->sps_palette_predictor_initializer_present_flag) { - ue(sps_num_palette_predictor_initializer_minus1, 0, 128); + ue(sps_num_palette_predictor_initializer_minus1, 0, 127); for (comp = 0; comp < (current->chroma_format_idc ? 3 : 1); comp++) { int bit_depth = comp == 0 ? current->bit_depth_luma_minus8 + 8 : current->bit_depth_chroma_minus8 + 8; From 800e7d83e8e4d87d935d7da50037f2d5f931fcee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Sep 2021 20:31:39 +0200 Subject: [PATCH 1177/1383] avcodec/flicvideo: Check remaining bytes in FLI*COPY Fixes: Timeout Fixes: 37795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4846536543043584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f835efbca874ad42cb954e6788588f52a57a7a2) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index bf8ffeba4f..bf095f7461 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -735,6 +735,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, bytestream2_skip(&g2, chunk_size - 6); } else { + if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height ) + return AVERROR_INVALIDDATA; for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { From c59e2d2f03eb6ee83d72aa06a1509380541d5fef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Sep 2021 20:16:27 +0200 Subject: [PATCH 1178/1383] avcodec/mxpegdec: Check for AVDISCARD_ALL Fixes: Fixes NULL pointer dereference Fixes: 36610/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6052641783283712 Fixes: 37907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-4725170850365440 Fixes: 37904/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6367889262247936 Fixes: 38085/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5175270823297024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 20afd3a63a75a160f61a98a8dcfe06f527ea19b4) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index f89226fefa..ea73bd4a10 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -195,6 +195,9 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, int start_code; int ret; + if (avctx->skip_frame == AVDISCARD_ALL) + return AVERROR_PATCHWELCOME; + buf_ptr = buf; buf_end = buf + buf_size; jpg->got_picture = 0; From ff48f4aad70031a689bc8f136e78e8bb71cdd69f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Sep 2021 19:00:56 +0200 Subject: [PATCH 1179/1383] swscale/alphablend: Fix slice handling Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 06d67265881249566f385309e2fb5a9449720b6e) Signed-off-by: Michael Niedermayer --- libswscale/alphablend.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/libswscale/alphablend.c b/libswscale/alphablend.c index b5686599c0..b5967c889b 100644 --- a/libswscale/alphablend.c +++ b/libswscale/alphablend.c @@ -26,7 +26,7 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->srcFormat); int nb_components = desc->nb_components; - int plane, x, y; + int plane, x, ysrc; int plane_count = isGray(c->srcFormat) ? 1 : 3; int sixteen_bits = desc->comp[0].depth >= 9; unsigned off = 1<<(desc->comp[0].depth - 1); @@ -50,14 +50,15 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], int w = plane ? c->chrSrcW : c->srcW; int x_subsample = plane ? desc->log2_chroma_w: 0; int y_subsample = plane ? desc->log2_chroma_h: 0; - for (y = srcSliceY >> y_subsample; y < AV_CEIL_RSHIFT(srcSliceH, y_subsample); y++) { + for (ysrc = 0; ysrc < AV_CEIL_RSHIFT(srcSliceH, y_subsample); ysrc++) { + int y = ysrc + (srcSliceY >> y_subsample); if (x_subsample || y_subsample) { int alpha; unsigned u; if (sixteen_bits) { ptrdiff_t alpha_step = srcStride[plane_count] >> 1; - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * y << y_subsample)); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample)); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -82,8 +83,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { ptrdiff_t alpha_step = srcStride[plane_count]; - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + (srcStride[plane_count] * y << y_subsample); + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample); uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { if (y_subsample) { @@ -97,8 +98,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * y); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * ysrc); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -113,8 +114,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + srcStride[plane_count] * y; + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + srcStride[plane_count] * ysrc; uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { unsigned u = s[x]*a[x] + target_table[((x^y)>>5)&1][plane]*(255-a[x]) + 128; @@ -127,10 +128,11 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } else { int alpha_pos = desc->comp[plane_count].offset; int w = c->srcW; - for (y = srcSliceY; y < srcSliceH; y++) { + for (ysrc = 0; ysrc < srcSliceH; ysrc++) { + int y = ysrc + srcSliceY; if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * y + 2*!alpha_pos); - const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * y + alpha_pos); + const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * ysrc + 2*!alpha_pos); + const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * ysrc + alpha_pos); uint16_t *d = ( uint16_t *)(dst[0] + dstStride[0] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -151,8 +153,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[0] + srcStride[0] * y + !alpha_pos; - const uint8_t *a = src[0] + srcStride[0] * y + alpha_pos; + const uint8_t *s = src[0] + srcStride[0] * ysrc + !alpha_pos; + const uint8_t *a = src[0] + srcStride[0] * ysrc + alpha_pos; uint8_t *d = dst[0] + dstStride[0] * y; for (x = 0; x < w; x++) { for (plane = 0; plane < plane_count; plane++) { From ef2efaa78bef4fdd1885d6fbb8968482666f6eb2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Oct 2021 13:43:40 +0200 Subject: [PATCH 1180/1383] Update for 4.1.8 --- Changelog | 29 +++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a1c454e21e..2a25eb2c68 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,35 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.8: +- swscale/alphablend: Fix slice handling +- avcodec/mxpegdec: Check for AVDISCARD_ALL +- avcodec/flicvideo: Check remaining bytes in FLI*COPY +- avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127 +- avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return +- avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable +- avcodec/apedec: Fix integer overflow in intermediate +- avformat/mvdec: Do not set invalid sample rate +- avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 +- avformat/mov: Check for duplicate clli +- avformat/jacosubdec: Check for min in t overflow in get_shift() +- avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() +- avfilter/vf_bwdif: fix heap-buffer overflow +- avfilter/vf_bm3d: fix heap-buffer overflows +- avfilter/vf_floodfill: finish early if source and destination fill matches +- avfilter/vf_edgedetect: fix heap-buffer overflow +- avfilter/vf_w3fdif: deny processing small videos +- avfilter/af_afade: fix heap-buffer overflow +- avfilter/vf_colorconstancy: fix overreads in gauss array +- avcodec/pngenc: remove monowhite from apng formats +- avfilter/vf_datascope: fix heap buffer overflow +- avfilter/vf_fieldmatch: fix heap-buffer overflow +- avfilter/vf_fieldorder: fix heap-buffer overflow +- avfilter/vf_bitplanenoise: fix overreads +- avfilter/vf_edgedetect: check if height is big enough +- avfilter/af_tremolo: fix heap-buffer overflow +- avfilter/vf_neighbor: check if width is 1 +- avfilter/vf_avgblur: fix heap-buffer overflow version 4.1.7: - avcodec/utils: don't return negative values in av_get_audio_frame_duration() diff --git a/RELEASE b/RELEASE index 9edf2a44f4..a7c00da34f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.7 +4.1.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index 043bbdcb27..d390f42743 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.7 +PROJECT_NUMBER = 4.1.8 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 0699b0836d00dd2b6d7e6161babaea9e2c1bd709 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Thu, 7 Oct 2021 17:41:44 +0200 Subject: [PATCH 1181/1383] avfilter/scale_npp: fix non-aligned output frame dimensions --- libavfilter/vf_scale_npp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_scale_npp.c b/libavfilter/vf_scale_npp.c index 8a277ce8e1..86279f5b36 100644 --- a/libavfilter/vf_scale_npp.c +++ b/libavfilter/vf_scale_npp.c @@ -472,13 +472,16 @@ static int nppscale_scale(AVFilterContext *ctx, AVFrame *out, AVFrame *in) src = s->stages[i].frame; last_stage = i; } - if (last_stage < 0) return AVERROR_BUG; + ret = av_hwframe_get_buffer(src->hw_frames_ctx, s->tmp_frame, 0); if (ret < 0) return ret; + s->tmp_frame->width = src->width; + s->tmp_frame->height = src->height; + av_frame_move_ref(out, src); av_frame_move_ref(src, s->tmp_frame); From e295b5f3d38f66ba65d3df144fadf57a474de711 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Sep 2021 23:12:42 +0200 Subject: [PATCH 1182/1383] avformat/mpegts: use actually read packet size in mpegts_resync special case Fixes: infinite loop Fixes: 37986/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5292311517462528 - Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 83b2e4c8f15a00f037040131e26e20de83f0d842) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 3441e238dc..70b71c2a70 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2634,8 +2634,8 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren int64_t back = FFMIN(seekback, pos); //Special case for files like 01c56b0dc1.ts - if (current_packet[0] == 0x80 && current_packet[12] == 0x47) { - avio_seek(pb, 12 - back, SEEK_CUR); + if (current_packet[0] == 0x80 && current_packet[12] == 0x47 && pos >= TS_PACKET_SIZE) { + avio_seek(pb, 12 - TS_PACKET_SIZE, SEEK_CUR); return 0; } From 186222fa567e7e361b9a497d810a0c4c5241c50b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Sep 2021 21:51:28 +0200 Subject: [PATCH 1183/1383] oavformat/avidec: Check offset in odml Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long' Fixes: 38787/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4859845799444480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 255a7b423ed5e07536bdc72e993056daa4efe009) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index b1c0325a19..f588e971ea 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -236,7 +236,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) avio_rl32(pb); /* size */ duration = avio_rl32(pb); - if (avio_feof(pb)) + if (avio_feof(pb) || offset > INT64_MAX - 8) return AVERROR_INVALIDDATA; pos = avio_tell(pb); From 9236882745e9ac0658657a05a7edebdea3fa41b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Sep 2021 00:11:50 +0200 Subject: [PATCH 1184/1383] avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() Fixes: signed integer overflow: -2145648640 - 3357696 cannot be represented in type 'int' Fixes: 38899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5358815017566208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad517ee6e44f093e28021ffd51c7eb2e1394b1a9) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7db1196d3f..8a7ba73815 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -929,7 +929,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) for (j = 7; j > 0; j--) delay[j] = delay[j - 1]; delay[0] = buffer[i]; - buffer[i] -= dotprod >> 9; + buffer[i] -= (unsigned)(dotprod >> 9); } } From 3c81d7025e9b6282b3e843b3eb9a4d71466d9f95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Sep 2021 20:53:53 +0200 Subject: [PATCH 1185/1383] avcodec/apedec: Use 64bit to avoid overflow Fixes: runtime error: signed integer overflow: 727298502 * 3 cannot be represented in type 'int' Fixes: 39172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-638602483033702 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f059b56195da9c0e2c11a5f7f357a3d6101e6bf0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 8a7ba73815..d05aa741ef 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3)))); + (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; From 770b4de8d14700490ef7c52f14492ad9d13bb2b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Sep 2021 20:49:27 +0200 Subject: [PATCH 1186/1383] avformat/rmdec: Check for multiple audio_stream_info Fixes: memleak Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8fe3566b8fdf4bcf5eed419c1aab6eb848287ff3) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 8f31c4717c..f435ba0f83 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -127,6 +127,10 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; + // Duplicate tags + if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) + return AVERROR_INVALIDDATA; + /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { From 9d8945bd4949033dc4f2d21b5919fc3e91f06f0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Oct 2021 23:54:46 +0200 Subject: [PATCH 1187/1383] avformat/wavdec: Check smv_block_size Fixes: Timeout Fixes: 39554/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-4915221701984256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 849138f476f4b08656681bfc3aec5beac47777fb) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 051b3a5d23..4d2524f126 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -480,6 +480,8 @@ static int wav_read_header(AVFormatContext *s) wav->smv_data_ofs = avio_tell(pb) + (size - 5) * 3; avio_rl24(pb); wav->smv_block_size = avio_rl24(pb); + if (!wav->smv_block_size) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(vst, 32, 1, avio_rl24(pb)); vst->duration = avio_rl24(pb); avio_rl24(pb); From d7bd4f73a792a875e473a4e33a9ab23e13c9e83a Mon Sep 17 00:00:00 2001 From: Lynne Date: Fri, 1 Jan 2021 00:00:00 +0100 Subject: [PATCH 1188/1383] configure: update copyright year (cherry picked from commit 63505fc60a8031ebea824a3e78a07b73c6dc049f) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9bfb41ce74..d7efa3627e 100755 --- a/configure +++ b/configure @@ -7243,7 +7243,7 @@ cat > $TMPH < Date: Sun, 17 Oct 2021 19:42:14 +0200 Subject: [PATCH 1189/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Changelog b/Changelog index 2a25eb2c68..ba5a49d133 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,15 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.8: +- configure: update copyright year +- avformat/wavdec: Check smv_block_size +- avformat/rmdec: Check for multiple audio_stream_info +- avcodec/apedec: Use 64bit to avoid overflow +- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() +- oavformat/avidec: Check offset in odml +- avformat/mpegts: use actually read packet size in mpegts_resync special case +- avfilter/scale_npp: fix non-aligned output frame dimensions +- Update for 4.1.8 - swscale/alphablend: Fix slice handling - avcodec/mxpegdec: Check for AVDISCARD_ALL - avcodec/flicvideo: Check remaining bytes in FLI*COPY From 3c4e1a56e352d406dc5ab9525db016c3b8e11c22 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Thu, 18 Jul 2019 10:35:00 -0700 Subject: [PATCH 1190/1383] avformat/mxfenc: fix index byte count in partition header --- libavformat/mxfenc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 3549b4137d..a94adecffe 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1857,8 +1857,7 @@ static int mxf_write_partition(AVFormatContext *s, int bodysid, index_byte_count = 80; if (index_byte_count) { - // add encoded ber length - index_byte_count += 16 + klv_ber_length(index_byte_count); + index_byte_count += 16 + 4; // add encoded ber4 length index_byte_count += klv_fill_size(index_byte_count); } From f7c9b1ed56b98eede5756d6865a10305982b4570 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 29 Sep 2020 10:21:34 +0200 Subject: [PATCH 1191/1383] avformat/movenc: Fix segfault when remuxing rtp hint stream When remuxing an rtp hint stream (or any stream with the tag "rtp "), the mov muxer treats this as one of the rtp hint tracks it creates internally when ordered to do so; yet this track lacks the AVFormatContext for the hinting rtp muxer, leading to segfaults in mov_write_udta_sdp() if a "trak" atom is written for this stream; if not, the stream's codecpar is freed by mov_free() as if the mov muxer owned it (it does for the internally created "rtp " tracks), but without resetting st->codecpar, leading to double-frees lateron. This commit therefore ignores said tag which makes rtp hint streams unremuxable. This fixes tickets #8181 and #8186. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 22c3cd176079dd104ec7610ead697235b04396f1) --- libavformat/movenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 5e58c74fb0..9126ed95ba 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1534,6 +1534,10 @@ static unsigned int mov_get_codec_tag(AVFormatContext *s, MOVTrack *track) { unsigned int tag = track->par->codec_tag; + // "rtp " is used to distinguish internally created RTP-hint tracks + // (with rtp_ctx) from other tracks. + if (tag == MKTAG('r','t','p',' ')) + tag = 0; if (!tag || (s->strict_std_compliance >= FF_COMPLIANCE_NORMAL && (track->par->codec_id == AV_CODEC_ID_DVVIDEO || track->par->codec_id == AV_CODEC_ID_RAWVIDEO || From 010281ed230454042abf8b88696678c669a0f279 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 15 Feb 2021 03:26:04 +0100 Subject: [PATCH 1192/1383] avformat/mpegenc: Ensure packet queue stays valid The MPEG-PS muxer uses a custom queue of custom packets. To keep track of it, it has a pointer (named predecode_packet) to the head of the queue and a pointer to where the next packet is to be added (it points to the next-pointer of the last element of the queue); furthermore, there is also a pointer that points into the queue (called premux_packet). The exact behaviour was as follows: If premux_packet was NULL when a packet is received, it is taken to mean that the old queue is empty and a new queue is started. premux_packet will point to the head of said queue and the next_packet-pointer points to its next pointer. If predecode_packet is NULL, it will also made to point to the newly allocated element. But if premux_packet is NULL and predecode_packet is not, then there will be two queues with head elements premux_packet and predecode_packet. Yet only elements reachable from predecode_packet are ever freed, so the premux_packet queue leaks. Worse yet, when the predecode_packet queue will be eventually exhausted, predecode_packet will be made to point into the other queue and when predecode_packet will be freed, the next pointer of the preceding element of the queue will still point to the element just freed. This element might very well be still reachable from premux_packet which leads to use-after-frees lateron. This happened in the tickets mentioned below. Fix this by never creating two queues in the first place by checking for predecode_packet to know whether the queue is empty. If premux_packet is NULL, then it is set to the newly allocated element of the queue. Fixes tickets #6887, #8188 and #8266. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cfce16449cb815132f829d5a07beb138dfb2cba6) --- libavformat/mpegenc.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index e9b53ba1e0..0e23fe9936 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -48,9 +48,9 @@ typedef struct StreamInfo { uint8_t id; int max_buffer_size; /* in bytes */ int buffer_index; - PacketDesc *predecode_packet; + PacketDesc *predecode_packet; /* start of packet queue */ + PacketDesc *last_packet; /* end of packet queue */ PacketDesc *premux_packet; - PacketDesc **next_packet; int packet_number; uint8_t lpcm_header[3]; int lpcm_align; @@ -966,6 +966,8 @@ static int remove_decoded_packets(AVFormatContext *ctx, int64_t scr) } stream->buffer_index -= pkt_desc->size; stream->predecode_packet = pkt_desc->next; + if (!stream->predecode_packet) + stream->last_packet = NULL; av_freep(&pkt_desc); } } @@ -1157,12 +1159,16 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) av_log(ctx, AV_LOG_TRACE, "dts:%f pts:%f flags:%d stream:%d nopts:%d\n", dts / 90000.0, pts / 90000.0, pkt->flags, pkt->stream_index, pts != AV_NOPTS_VALUE); - if (!stream->premux_packet) - stream->next_packet = &stream->premux_packet; - *stream->next_packet = pkt_desc = av_mallocz(sizeof(PacketDesc)); if (!pkt_desc) return AVERROR(ENOMEM); + if (!stream->predecode_packet) { + stream->predecode_packet = pkt_desc; + } else + stream->last_packet->next = pkt_desc; + stream->last_packet = pkt_desc; + if (!stream->premux_packet) + stream->premux_packet = pkt_desc; pkt_desc->pts = pts; pkt_desc->dts = dts; @@ -1180,9 +1186,6 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) pkt_desc->unwritten_size = pkt_desc->size = size; - if (!stream->predecode_packet) - stream->predecode_packet = pkt_desc; - stream->next_packet = &pkt_desc->next; if (av_fifo_realloc2(stream->fifo, av_fifo_size(stream->fifo) + size) < 0) return -1; From aa3b2c3883480f5e31382d5f9ce4f32cc6c5ec5a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 5 Jan 2022 19:57:58 +0100 Subject: [PATCH 1193/1383] configure: Add missing libshine->mpegaudioheader dependency Signed-off-by: Andreas Rheinhardt (cherry picked from commit e228d7b0db7d6cb02a73bee6d3bf4f6ecf92d0bf) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index d7efa3627e..88ea656f4f 100755 --- a/configure +++ b/configure @@ -3121,7 +3121,7 @@ libopus_encoder_deps="libopus" libopus_encoder_select="audio_frame_queue" librsvg_decoder_deps="librsvg" libshine_encoder_deps="libshine" -libshine_encoder_select="audio_frame_queue" +libshine_encoder_select="audio_frame_queue mpegaudioheader" libspeex_decoder_deps="libspeex" libspeex_encoder_deps="libspeex" libspeex_encoder_select="audio_frame_queue" From ad26796f4e24ee49eba17852c12f1941dd82bfd3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 7 Apr 2022 21:57:42 -0300 Subject: [PATCH 1194/1383] avformat/webmdashenc: fix on-demand profile string Fixes ticket #9596 Signed-off-by: James Almer (cherry picked from commit 487b49d8f2e1e81dce86230fc957ca2ee9de00ee) --- libavformat/webmdashenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 542410f26b..3a2504795e 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -104,7 +104,7 @@ static int write_header(AVFormatContext *s) } avio_printf(s->pb, " minBufferTime=\"PT%gS\"\n", min_buffer_time); avio_printf(s->pb, " profiles=\"%s\"%s", - w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:webm:dash:profile:webm-on-demand:2012", + w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:mpeg:dash:profile:webm-on-demand:2012", w->is_live ? "\n" : ">\n"); if (w->is_live) { time_t local_time = time(NULL); From 746f3fc1655f543a9b3cf94c1558d3839259e2b0 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 8 Apr 2022 16:08:53 -0300 Subject: [PATCH 1195/1383] fate: update reference files after the recent dash manifest muxer changes Missed in 487b49d8f2e1e81dce86230fc957ca2ee9de00ee. Signed-off-by: James Almer (cherry picked from commit aa0829d834232b13e513fb88b2b9a2b74918e05c) --- tests/ref/fate/webm-dash-manifest | 2 +- tests/ref/fate/webm-dash-manifest-representations | 2 +- tests/ref/fate/webm-dash-manifest-unaligned-audio-streams | 2 +- tests/ref/fate/webm-dash-manifest-unaligned-video-streams | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/ref/fate/webm-dash-manifest b/tests/ref/fate/webm-dash-manifest index f5fc9121da..3a557fc39f 100644 --- a/tests/ref/fate/webm-dash-manifest +++ b/tests/ref/fate/webm-dash-manifest @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-representations b/tests/ref/fate/webm-dash-manifest-representations index 8556ecebee..41713bb367 100644 --- a/tests/ref/fate/webm-dash-manifest-representations +++ b/tests/ref/fate/webm-dash-manifest-representations @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams index 6e9de211fb..b1bc7ecea1 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff --git a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams index ce205638b6..690c2aabe3 100644 --- a/tests/ref/fate/webm-dash-manifest-unaligned-video-streams +++ b/tests/ref/fate/webm-dash-manifest-unaligned-video-streams @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> From fbdeea91025b44954e37056ef5be62a0efe3528c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Oct 2021 19:51:08 +0200 Subject: [PATCH 1196/1383] avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit e154353fdb73dc1b3c1519350244d5346f761850) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/mathematics.h b/libavutil/mathematics.h index 54901800ba..64d4137a60 100644 --- a/libavutil/mathematics.h +++ b/libavutil/mathematics.h @@ -134,6 +134,7 @@ int64_t av_rescale(int64_t a, int64_t b, int64_t c) av_const; * * The operation is mathematically equivalent to `a * b / c`, but writing that * directly can overflow, and does not support different rounding methods. + * If the result is not representable then INT64_MIN is returned. * * @see av_rescale(), av_rescale_q(), av_rescale_q_rnd() */ From f3f575e3950b7a800f3fc7018ddbba24abb5d607 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Oct 2021 00:04:59 +0200 Subject: [PATCH 1197/1383] avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() Fixes: signed integer overflow: 822841647 + 1647055738 cannot be represented in type 'int' Fixes: 39935/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-4592657142251520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f24028c798397af720acb838357785aa705a8122) Signed-off-by: Michael Niedermayer --- libavcodec/ttadsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 1d1443aee0..99dd66a0c2 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c @@ -47,9 +47,9 @@ static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, *error = *in; *in += (round >> shift); - dl[4] = -dl[5]; dl[5] = -dl[6]; - dl[6] = *in - dl[7]; dl[7] = *in; - dl[5] += dl[6]; dl[4] += dl[5]; + dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6]; + dl[6] = *in -(unsigned)dl[7]; dl[7] = *in; + dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5]; } av_cold void ff_ttadsp_init(TTADSPContext *c) From 422cec5088489cf41185d32373a715fdc849c20e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Oct 2021 13:25:59 +0200 Subject: [PATCH 1198/1383] avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE Fixes: out if array read Fixes: 40109/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-4805686811295744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Mattias Wadman Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index fed33087e8..db6765f34c 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ @@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset) uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, &fpc->wrap_buf, &fpc->wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) { From 97ee4a451b5b1eb0010664b4a8c048d6c8c06a8a Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Jan 2020 21:53:08 +0100 Subject: [PATCH 1199/1383] avformat/tty: add probe function (cherry picked from commit 3bce9e9b3ea35c54bacccc793d7da99ea5157532) --- libavformat/tty.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index 8d48f2c45c..60f7e9f87e 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c @@ -34,6 +34,13 @@ #include "internal.h" #include "sauce.h" +static int isansicode(int x) +{ + return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f); +} + +static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt"; + typedef struct TtyDemuxContext { AVClass *class; int chars_per_frame; @@ -42,6 +49,17 @@ typedef struct TtyDemuxContext { AVRational framerate; /**< Set by a private option. */ } TtyDemuxContext; +static int read_probe(const AVProbeData *p) +{ + int cnt = 0; + + for (int i = 0; i < p->buf_size; i++) + cnt += !!isansicode(p->buf[i]); + + return (cnt * 100LL / p->buf_size) * (cnt > 400) * + !!av_match_ext(p->filename, tty_extensions); +} + /** * Parse EFI header */ @@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = { .name = "tty", .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"), .priv_data_size = sizeof(TtyDemuxContext), + .read_probe = read_probe, .read_header = read_header, .read_packet = read_packet, - .extensions = "ans,art,asc,diz,ice,nfo,txt,vt", + .extensions = tty_extensions, .priv_class = &tty_demuxer_class, }; From d38c8064d448e9190db311dc525cfdc674051901 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 11:54:12 +0200 Subject: [PATCH 1200/1383] avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum() Fixes: Ticket8176 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c78a76cb0443f8a12a5eadc3b58373aa2f4ab22) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 908c12a73a..943ddf5297 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -536,12 +536,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, fc_v[i] = < \ fc_v[i] + gain_pitch * fc_v[i-pitch_delay], i >= pitch_delay */ - ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], - fc + pitch_delay_int[i], - fc, 1 << 14, - av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), - 0, 14, - SUBFRAME_SIZE - pitch_delay_int[i]); + if (SUBFRAME_SIZE > pitch_delay_int[i]) + ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], + fc + pitch_delay_int[i], + fc, 1 << 14, + av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), + 0, 14, + SUBFRAME_SIZE - pitch_delay_int[i]); memmove(ctx->past_gain_pitch+1, ctx->past_gain_pitch, 5 * sizeof(int16_t)); ctx->past_gain_code[1] = ctx->past_gain_code[0]; From 6fe33489be72eee8010c28165f4b12870df4c600 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 15 Oct 2019 11:38:23 -0300 Subject: [PATCH 1201/1383] avformat/latmenc: abort if no extradata is available Fixes ticket #8273. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit dd01947397b98e94c3f2a79d5820aaf4594f4d3b) Signed-off-by: Michael Niedermayer --- libavformat/latmenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c index 273197bb54..4fbbd037e4 100644 --- a/libavformat/latmenc.c +++ b/libavformat/latmenc.c @@ -172,7 +172,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; memcpy(par->extradata, side_data, side_data_size); - } + } else + return AVERROR_INVALIDDATA; } } From 439645004bb672a29145621549cb87acdb2f84db Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:28:16 +0200 Subject: [PATCH 1202/1383] avfilter/vf_lenscorrection: fix division by zero Fixes #8265 (cherry picked from commit 19587c9332f5be4f6bc6d7b2b8ef3fd21dfeaa01) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lenscorrection.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_lenscorrection.c b/libavfilter/vf_lenscorrection.c index 239fe195bd..43f3c1b7d0 100644 --- a/libavfilter/vf_lenscorrection.c +++ b/libavfilter/vf_lenscorrection.c @@ -155,10 +155,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) for (plane = 0; plane < rect->nb_planes; ++plane) { int hsub = plane == 1 || plane == 2 ? rect->hsub : 0; int vsub = plane == 1 || plane == 2 ? rect->vsub : 0; - int hdiv = 1 << hsub; - int vdiv = 1 << vsub; - int w = rect->width / hdiv; - int h = rect->height / vdiv; + int w = AV_CEIL_RSHIFT(rect->width, hsub); + int h = AV_CEIL_RSHIFT(rect->height, vsub); int xcenter = rect->cx * w; int ycenter = rect->cy * h; int k1 = rect->k1 * (1<<24); From d5cb859665d62658d7859f345650fcb38528c4ab Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 16 Oct 2019 12:13:04 +0200 Subject: [PATCH 1203/1383] avfilter/vf_gblur: fix heap-buffer overflow Fixes #8282 (cherry picked from commit 64a805883d7223c868a683f0030837d859edd2ab) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_gblur.c b/libavfilter/vf_gblur.c index f77a3fffc3..6c0ae78d01 100644 --- a/libavfilter/vf_gblur.c +++ b/libavfilter/vf_gblur.c @@ -222,7 +222,7 @@ static int config_input(AVFilterLink *inlink) s->nb_planes = av_pix_fmt_count_planes(inlink->format); - s->buffer = av_malloc_array(inlink->w, inlink->h * sizeof(*s->buffer)); + s->buffer = av_malloc_array(FFALIGN(inlink->w, 16), FFALIGN(inlink->h, 16) * sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); From 078bbcde0ea2fdae8c347ef2f30717eee7210237 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:02:04 +0200 Subject: [PATCH 1204/1383] avformat/aiffdec: Check sample_rate Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1b04836dff9958e8bfdbed2746b8c40b1e119ecc) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 6e14df0328..8d66cda701 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -121,6 +121,9 @@ static int get_aiff_header(AVFormatContext *s, int size, sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; if (size < 18) return AVERROR_INVALIDDATA; From 8876c70ee82181a9f5c46415ed499dad4b08e82d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:10:39 +0200 Subject: [PATCH 1205/1383] avformat/aiffdec: sanity check block_align Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 93f7776921ed8c5219732210067016c3457e864d) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 8d66cda701..6a5a2a3f5b 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -362,7 +362,7 @@ got_sound: if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; - } else if (!st->codecpar->block_align) { + } else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } From 9a44dc209bf4034190cb66ed58c60d0561163e7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:11:23 +0200 Subject: [PATCH 1206/1383] avformat/aiffdec: Use av_rescale() for bitrate Fixes: integer overflow Fixes: 40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 905588df975071c03c00b2e923c311b4de65a8f4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 6a5a2a3f5b..1040f3257d 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -186,8 +186,10 @@ static int get_aiff_header(AVFormatContext *s, int size, par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { - par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / - aiff->block_duration; + par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); + if (par->bit_rate < 0) + par->bit_rate = 0; } /* Chunk is over */ From 0afc4fb2e91ef8f58dc419e93468154ef77afe30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Nov 2021 18:23:24 +0100 Subject: [PATCH 1207/1383] avformat/avidec: Check read_odml_index() for failure Fixes: Timeout Fixes: 40950/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6478873068437504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57adb26d058490daf2c5d6ddd3cf0cf2d2212256) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index f588e971ea..b27278dbcd 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -232,6 +232,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } else { int64_t offset, pos; int duration; + int ret; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); @@ -249,7 +251,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; - read_odml_index(s, frame_num); + ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; @@ -257,7 +259,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - + if (ret < 0) + return ret; } } avi->index_loaded = 2; From 12d125e787423a45f36a24db872fa7b63f40fc05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Nov 2021 13:48:24 +0100 Subject: [PATCH 1208/1383] avformat/mov: Check channels for mov_parse_stsd_audio() Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented in type 'long' Fixes: 40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a64a4c58255d45e05eff80c9464ad3bdc2d6463) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5d1e29c429..4037a135c6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2524,6 +2524,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries) av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } + if (st->codecpar->channels < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); + return AVERROR_INVALIDDATA; + } } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ mov_parse_stsd_subtitle(c, pb, st, sc, size - (avio_tell(pb) - start_pos)); From 0d8300a960764814805df925c1e700aa3dd7de34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:11:35 +0100 Subject: [PATCH 1209/1383] avformat/mov: Check for EOF in mov_read_glbl() Fixes: Infinite loop Fixes: 41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59b4e7cbd87889c0bac710ac7f62782b637419a1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4037a135c6..72da3123e0 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1907,6 +1907,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom) // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); From b4392d045e7be11b5104115f434693d59456830a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:42:22 +0100 Subject: [PATCH 1210/1383] avformat/mov: Disallow duplicate smdm Fixes: memleak Fixes: 39879/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5327819907923968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5ba74053c1ef9f38d9e7b3a036675f06d2b2714) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 72da3123e0..8fe647b2d2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5345,6 +5345,9 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } + if (sc->mastering) + return AVERROR_INVALIDDATA; + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); From 531eeb81cecda95ee0ac984646f91d907a4ad3d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:58:50 +0100 Subject: [PATCH 1211/1383] avcodec/apedec: Change avg to uint32_t Fixes: Integer overflow Fixes: 40973/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6739312704618496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 0ec75723a484405eb2f2ec2f9e58161b168ed8b0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index d05aa741ef..9e3756fc32 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -101,7 +101,7 @@ typedef struct APEFilter { int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values - int avg; + uint32_t avg; } APEFilter; typedef struct APERice { From f433faed1e31cdc62d379fc5c18985703625f823 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Dec 2021 22:19:05 +0100 Subject: [PATCH 1212/1383] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 2b0b4e89f8..b54fc4be2c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1060,6 +1060,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg { int i, length; + if (segment->temporal_offset_entries) + return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); From f80d5425aed4397654a97abf48a6b78fcd92d6d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:48:54 +0100 Subject: [PATCH 1213/1383] avformat/mov: Check next offset in mov_read_dref() Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long' Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8fe647b2d2..dfbd94dfc6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -603,11 +603,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); - int64_t next = avio_tell(pb) + size - 4; + int64_t next = avio_tell(pb); - if (size < 12) + if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; + next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags From ea318a1fcdd17b015ce0d153549b479219350651 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:08 +0100 Subject: [PATCH 1214/1383] avformat/4xm: Consider max_streams on reallocating tracks array Fixes: OOM Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 8e2d305b24..bce2727d79 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s, return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); - if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || + track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } From 0e6f3166ce39e02e7c533854353a394f3824d362 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:09 +0100 Subject: [PATCH 1215/1383] avformat/4xm: Check for duplicate track ids Signed-off-by: Michael Niedermayer (cherry picked from commit dd949124793c722ed55dead9da245574ace81968) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index bce2727d79..fd224f9ad5 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s, memset(&fourxm->tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; + } else { + if (fourxm->tracks[track].bits) + return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels = AV_RL32(buf + 36); From e546e9c5b45ee139993a7bcf1963f90a5aa43205 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:34:15 +0200 Subject: [PATCH 1216/1383] avcodec/alacdsp: fix integer overflow in decorrelate_stereo() Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int' Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336 Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 9996eb4319..8718d1b6b1 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, a = buffer[0][i]; b = buffer[1][i]; - a -= (b * decorr_left_weight) >> decorr_shift; + a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; From 7caa166ac307e062410f51c76385fa1c5e379135 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Dec 2021 22:26:00 +0100 Subject: [PATCH 1217/1383] avcodec/vqavideo: reset accounting on error Fixes: Timeout (same growing chunk is decoded to failure repeatedly) Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index b9743abda9..8df3ab3c2b 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame) if (s->partial_countdown <= 0) { bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) - return res; + res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; + if (res < 0) + return res; } } From a5b213a89e22e91b2d47544b2300e1819b47ad63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:36:16 +0100 Subject: [PATCH 1218/1383] avformat/flvdec: timestamps cannot use the full int64 range We do not support this as we multiply by 1000 Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long' Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a2fa275b7e..29e9bdd735 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -434,6 +434,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; + if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 254ebed4d57a37911561ac2578d879a75a1de06d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:39:14 +0100 Subject: [PATCH 1219/1383] avcodec/apedec: fix integer overflow in 8bit samples Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int' Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9e3756fc32..8a54c750b5 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1529,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; + *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: From 210b4b9871c21f1e9cdcaa8daeb9d4c64564a0dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jan 2022 19:15:18 +0100 Subject: [PATCH 1220/1383] avcodec/apedec: Fix integer overflows in predictor_update_3930() Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int' Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 8a54c750b5..87d704e600 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1038,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, const int delayA) { int32_t predictionA, sign; - int32_t d0, d1, d2, d3; + uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA ]; - d1 = p->buf[delayA ] - p->buf[delayA - 1]; - d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; - d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; + d1 = p->buf[delayA ] - (unsigned)p->buf[delayA - 1]; + d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; + d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + @@ -1055,10 +1055,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); - p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; - p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; - p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; - p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; + p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; + p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; + p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; + p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } From 423a3b685f318d989842959d30088f49bd2124ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jan 2022 14:26:05 +0100 Subject: [PATCH 1221/1383] avformat/mov: Check size before subtraction Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long' Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index dfbd94dfc6..b266687656 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6897,6 +6897,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.size == 0) { a.size = atom.size - total_size + 8; } + if (a.size < 0) + break; a.size -= 8; if (a.size < 0) break; From 893c4f11512465be2e6a0efa542904bf7ad54062 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Feb 2022 22:46:55 +0100 Subject: [PATCH 1222/1383] avformat/matroskadec: Fix infinite loop with bz decompression The same check is added to zlib too, it seems not needed there though Fixes: Infinite loop Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2aa686af44..2ffd8e62fb 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1399,7 +1399,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; - if (inflateInit(&zstream) != Z_OK) + if (!pkt_size || inflateInit(&zstream) != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1432,7 +1432,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; - if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) + if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; From 2edb75382528b2e736c5ddd069a62ff10eb244a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Feb 2022 00:44:32 +0100 Subject: [PATCH 1223/1383] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() Fixes: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index be3e776291..a33f8f956e 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4951,7 +4951,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf, key_len = ptr - key; callback_get_buf(context, key, key_len, &dest, &dest_len); - dest_end = dest + dest_len - 1; + dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; From 7eebf00ff08ff842ddb3707b30f9d439800ccdcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:37:22 +0100 Subject: [PATCH 1224/1383] avformat/matroskadec: Check desc_bytes Fixes: Division by 0 Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2ffd8e62fb..4cca0fe4d6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3850,12 +3850,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; - double desc_sec = desc_ns / nano_seconds_per_second; - double calc_bits_per_second = (desc_bytes * 8) / desc_sec; + double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; + if (desc_bytes <= 0) + return -1; + + desc_sec = desc_ns / nano_seconds_per_second; + calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. - double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; - double mod_bits_per_second = calc_bits_per_second * percent; + percent = (desc_bytes - prebuffer_bytes) / desc_bytes; + mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = From c7c714719ea1f913e42a4f69b4cf00265bcdaf1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:41:08 +0100 Subject: [PATCH 1225/1383] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned Fixes: left shift of 32768 by 16 places cannot be represented in type 'int' Fixes: Timeout Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520 Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index a8d9eaa18a..0cb40cc0f1 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, if (RItype) temp += state->N[Q] >> 1; - for (k = 0; (state->N[Q] << k) < temp; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN From 2262e53f965ded2049bc52b2cb4f912764a437f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 21:38:50 +0100 Subject: [PATCH 1226/1383] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() This codepath seems untested, no testcases change Found-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 8b5ce2117a..8fd5af1497 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; - for(x=0; xmb_width; x++){ + for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1631,7 +1631,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) score[j]-= 170; } } - xy++; } } From 87297d5021cfa33b22a7c22d3c81b686186fba58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Feb 2022 10:31:34 +0100 Subject: [PATCH 1227/1383] avcodec/motion_est: fix indention of ff_get_best_fcode() Signed-off-by: Michael Niedermayer (cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 8fd5af1497..9c9611cbfc 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1622,9 +1622,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) fcode_tab[my + MAX_MV]); int j; - if(mx >= range || mx < -range || - my >= range || my < -range) - continue; + if (mx >= range || mx < -range || + my >= range || my < -range) + continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) From b6061e3d8e8be72a9f6293032427738865179eec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Feb 2022 22:02:13 +0100 Subject: [PATCH 1228/1383] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error Fixes: Timeout Fixes: Invalid shift Fixes: 44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289 Fixes: 44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632 Fixes: 44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200 Fixes: 44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280 Fixes: 44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984 Fixes: 44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 0cb40cc0f1..11b2ff71a8 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); + if (ret < 0) + return -0x10000; /* decode mapped error */ map = 0; From 76e56f0006382189bdc0892791478f996278ac05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Feb 2022 21:01:06 +0100 Subject: [PATCH 1229/1383] avcodec/jpeglsdec: Fix if( code style Signed-off-by: Michael Niedermayer (cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 11b2ff71a8..615c9e5068 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->t3 = get_bits(&s->gb, 16); s->reset = get_bits(&s->gb, 16); - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) else maxtab = 65530/wt - 1; - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } - if(FFABS(ret) > 0xFFFF) + if (FFABS(ret) > 0xFFFF) return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; From b7a305ab6bd9b450d1e01e1f27b94fe089632a26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Feb 2022 22:01:03 +0100 Subject: [PATCH 1230/1383] avformat/mov: Corner case encryption error cleanup in mov_read_senc() Fixes: memleak Fixes: 42341/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4566632823914496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee0e4abcb8af36cae4eb24d4d6229461c1e3333) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index b266687656..67dcbd5b7a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6049,6 +6049,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); + if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } From 34b6731e78355b649a2082d7e75fe559b14e1798 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Feb 2022 20:01:35 +0100 Subject: [PATCH 1231/1383] avformat/matroskadec: Check duration Fixes: -nan is outside the range of representable values of type 'long' Fixes: 44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4cca0fe4d6..327eade88d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2661,6 +2661,8 @@ static int matroska_read_header(AVFormatContext *s) if (!matroska->time_scale) matroska->time_scale = 1000000; + if (isnan(matroska->duration)) + matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; From 5a67ee57970b198d0417af30ca8a21ca6cd98d38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Mar 2022 13:01:53 +0100 Subject: [PATCH 1232/1383] avformat/mov: Disallow empty sidx It appears this is not allowed "Each Segment Index box documents how a (sub)segment is divided into one or more subsegments (which may themselves be further subdivided using Segment Index boxes)." Fixes: Null pointer dereference Fixes: Ticket9517 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 67dcbd5b7a..24c85e43bb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5041,6 +5041,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb16(pb); // reserved item_count = avio_rb16(pb); + if (item_count == 0) + return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; From 7f094e829ed0bda085cf6daec5821276cdc957d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Feb 2022 00:26:08 +0100 Subject: [PATCH 1233/1383] avformat/rmdec: Better duplicate tags check Fixes: memleaks Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index f435ba0f83..773073064d 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -127,10 +127,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; - // Duplicate tags - if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) - return AVERROR_INVALIDDATA; - /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { @@ -330,6 +326,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, if (codec_data_size == 0) return 0; + // Duplicate tags + if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN + && st->codecpar->codec_type != AVMEDIA_TYPE_DATA) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From 362f55733bcceae34a7f100ae9fcda8ab8310e2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Feb 2022 21:44:29 +0100 Subject: [PATCH 1234/1383] avformat/avidec: Check height Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: Ticket8486 Signed-off-by: Michael Niedermayer (cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index b27278dbcd..282f4635fb 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -843,6 +843,8 @@ FF_ENABLE_DEPRECATION_WARNINGS memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } + if (st->codecpar->height == INT_MIN) + return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); // avio_skip(pb, size - 5 * 4); From a8a8fda5cfeaa544a03050a5e2fc66fe9601604f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Mar 2022 23:24:49 +0100 Subject: [PATCH 1235/1383] avformat/matroskadec: Use rounded down duration in get_cue_desc() check Floating point is evil, it would be better if duration was not a double Fixes: Infinite loop Fixes: 45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 327eade88d..f2794f41b8 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3659,7 +3659,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start) int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; - if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + + if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) + return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { From 12e26cffcf965bf0b090aac5f9ab00ea4f71efbf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 00:43:56 +0100 Subject: [PATCH 1236/1383] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 'int' Fixes: 44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 9498919d2f..d902beb501 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, // dequantize for (i = 0; i < s->num_taps; i++) - s->predictor_k[i] *= s->tap_quant[i]; + s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; From 4fcf69dd9e0515aa247edef9b7a87d65ac9099ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Feb 2022 15:20:02 +0100 Subject: [PATCH 1237/1383] avformat/matroskadec: Check pre_ns Fixes: division by 0 Fixes: 44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index f2794f41b8..3b8681de4b 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3843,6 +3843,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; + if (pre_ns <= 0) + return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From ab70bfcbdd23916b9ee975197c387ed8f1897395 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:30:19 +0100 Subject: [PATCH 1238/1383] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() Fixes: signed integer overflow: 11494 * 1073741824000000 cannot be represented in type 'long' Fixes: 26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 6cb6516227..937076b126 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); - dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); - dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } From 0402ac6f59d2e79d5ee5be234555fd3d2f8776ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 22:54:31 +0100 Subject: [PATCH 1239/1383] avformat/hls: Check target_duration Fixes: signed integer overflow: 77777777777777 * 1000000 cannot be represented in type 'long long' Fixes: 45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 67ed691ae0..22fd6f1f1b 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -786,10 +786,16 @@ static int parse_playlist(HLSContext *c, const char *url, &info); new_rendition(c, &info, url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) { + int64_t t; ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; + t = strtoll(ptr, NULL, 10); + if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) From bbdb02a73c215857ba9ed2bd59746e0f8af76eb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2022 23:36:22 +0100 Subject: [PATCH 1240/1383] avformat/cafdec: Do not store empty keys in read_info_chunk() Fixes: Timeout Fixes: 45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 4817b90b0b..b9e70ea2fb 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -243,6 +243,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size) char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); + if (!*key) + continue; av_dict_set(&s->metadata, key, value, 0); } } From d09beec591e00b87089c3dc81a2d1404271bdcdf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 00:07:50 +0100 Subject: [PATCH 1241/1383] avformat/aqtitledec: Skip unrepresentable durations Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented in type 'long' Fixes: 45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107) Signed-off-by: Michael Niedermayer --- libavformat/aqtitledec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 317547c4f4..01b4fd7b93 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); if (sub) { - sub->duration = frame - sub->pts; + if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) + sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { From d985ec070c1757d6d81db3d95422b4b0cd092a44 Mon Sep 17 00:00:00 2001 From: Oneric Date: Wed, 23 Mar 2022 20:43:54 +0100 Subject: [PATCH 1242/1383] avfilter/vf_subtitles: pass storage size to libass Due to a quirk of the ASS format some tags depend on the exact storage resolution of the video, so tell libass via ass_set_storage_size. --- libavfilter/vf_subtitles.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index a7b02461f2..2f0608ad90 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c @@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink) ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); - if (ass->original_w && ass->original_h) + if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x01010000 + ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); + } else { + ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif + } + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); From b3843ee24e8708d331b788894a3ecb0e9a09382f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:12:17 +0200 Subject: [PATCH 1243/1383] avcodec/apedec: fix a integer overflow in long_filter_high_3800() Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in type 'int' Fixes: 45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 87d704e600..035fa9a434 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -905,7 +905,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } - buffer[i] -= dotprod >> shift; + buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; From 61f4c4fc4265a170e9b789fe2e7e0acf11396129 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:26:06 +0200 Subject: [PATCH 1244/1383] avcodec/takdsp: Fix integer overflow in decorrelate_sf() Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 'int' Fixes: 45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 9cb8052596..a8f9dba342 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; + b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } From c8ca479572d3dc710f2b1d5dcc12bb2ec6f798e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Mar 2022 20:51:47 +0100 Subject: [PATCH 1245/1383] avcodec/diracdec: avoid signed integer overflow in global mv Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented in type 'long' Fixes: 45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index e80d4d1989..008e4d2e56 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1430,8 +1430,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From 293f75b58197ef35fee49de5c7212ec09a48a7c8 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 14 Oct 2019 20:14:03 +0200 Subject: [PATCH 1246/1383] avfilter/vf_lenscorrection: make width/height int Somehow previous correct fix broke usage. (cherry picked from commit 79522411fa53b68743302d16d28156db95466a21) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lenscorrection.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_lenscorrection.c b/libavfilter/vf_lenscorrection.c index 43f3c1b7d0..754b8f5ada 100644 --- a/libavfilter/vf_lenscorrection.c +++ b/libavfilter/vf_lenscorrection.c @@ -36,8 +36,8 @@ typedef struct LenscorrectionCtx { const AVClass *av_class; - unsigned int width; - unsigned int height; + int width; + int height; int hsub, vsub; int nb_planes; double cx, cy, k1, k2; From 6506a60eb0d91796ea9bf2440aaa24464f594b03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Apr 2022 22:22:41 +0200 Subject: [PATCH 1247/1383] Update for FFmpeg 4.1.9 Signed-off-by: Michael Niedermayer --- Changelog | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 61 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index ba5a49d133..d840cdf4c5 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,65 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.9: + avfilter/vf_lenscorrection: make width/height int + avcodec/diracdec: avoid signed integer overflow in global mv + avcodec/takdsp: Fix integer overflow in decorrelate_sf() + avcodec/apedec: fix a integer overflow in long_filter_high_3800() + avfilter/vf_subtitles: pass storage size to libass + avformat/aqtitledec: Skip unrepresentable durations + avformat/cafdec: Do not store empty keys in read_info_chunk() + avformat/hls: Check target_duration + avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() + avformat/matroskadec: Check pre_ns + avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior + avformat/matroskadec: Use rounded down duration in get_cue_desc() check + avformat/avidec: Check height + avformat/rmdec: Better duplicate tags check + avformat/mov: Disallow empty sidx + avformat/matroskadec: Check duration + avformat/mov: Corner case encryption error cleanup in mov_read_senc() + avcodec/jpeglsdec: Fix if( code style + avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error + avcodec/motion_est: fix indention of ff_get_best_fcode() + avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() + avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned + avformat/matroskadec: Check desc_bytes + avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() + avformat/matroskadec: Fix infinite loop with bz decompression + avformat/mov: Check size before subtraction + avcodec/apedec: Fix integer overflows in predictor_update_3930() + avcodec/apedec: fix integer overflow in 8bit samples + avformat/flvdec: timestamps cannot use the full int64 range + avcodec/vqavideo: reset accounting on error + avcodec/alacdsp: fix integer overflow in decorrelate_stereo() + avformat/4xm: Check for duplicate track ids + avformat/4xm: Consider max_streams on reallocating tracks array + avformat/mov: Check next offset in mov_read_dref() + avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() + avcodec/apedec: Change avg to uint32_t + avformat/mov: Disallow duplicate smdm + avformat/mov: Check for EOF in mov_read_glbl() + avformat/mov: Check channels for mov_parse_stsd_audio() + avformat/avidec: Check read_odml_index() for failure + avformat/aiffdec: Use av_rescale() for bitrate + avformat/aiffdec: sanity check block_align + avformat/aiffdec: Check sample_rate + avfilter/vf_gblur: fix heap-buffer overflow + avfilter/vf_lenscorrection: fix division by zero + avformat/latmenc: abort if no extradata is available + avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum() + avformat/tty: add probe function + avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE + avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() + avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results + fate: update reference files after the recent dash manifest muxer changes + avformat/webmdashenc: fix on-demand profile string + configure: Add missing libshine->mpegaudioheader dependency + avformat/mpegenc: Ensure packet queue stays valid + avformat/movenc: Fix segfault when remuxing rtp hint stream + avformat/mxfenc: fix index byte count in partition header + version 4.1.8: - configure: update copyright year - avformat/wavdec: Check smv_block_size diff --git a/RELEASE b/RELEASE index a7c00da34f..18837e703d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.8 +4.1.9 diff --git a/doc/Doxyfile b/doc/Doxyfile index d390f42743..5cdab61c44 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.8 +PROJECT_NUMBER = 4.1.9 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From d8416843327813c44fbecd7a4314122cdabe1ff3 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Sat, 1 Jan 2022 00:29:41 +0530 Subject: [PATCH 1248/1383] configure: bump year (cherry picked from commit 2f6360ff21a98f9db6af3e0932d39f1dc7b47d6c) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 88ea656f4f..9a8a368a12 100755 --- a/configure +++ b/configure @@ -7243,7 +7243,7 @@ cat > $TMPH < Date: Sun, 24 Apr 2022 01:02:14 +0200 Subject: [PATCH 1249/1383] lavf/tls_mbedtls: add support for mbedtls version 3 - certs.h is gone. Only contains test data, and was not used at all. - config.h is renamed. Was seemingly not used, so can be removed. - MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE is gone, instead MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE will be thrown. - mbedtls_pk_parse_keyfile now needs to be passed a properly seeded RNG. Hence, move the call to after RNG seeding. Signed-off-by: Timo Rothenpieler --- libavformat/tls_mbedtls.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavformat/tls_mbedtls.c b/libavformat/tls_mbedtls.c index 9b80a1e3c7..9f1679b15b 100644 --- a/libavformat/tls_mbedtls.c +++ b/libavformat/tls_mbedtls.c @@ -19,8 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include -#include +#include #include #include #include @@ -129,9 +128,15 @@ static void handle_pk_parse_error(URLContext *h, int ret) static void handle_handshake_error(URLContext *h, int ret) { switch (ret) { +#if MBEDTLS_VERSION_MAJOR < 3 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); break; +#else + case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: + av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); + break; +#endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); break; @@ -194,16 +199,6 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op } } - // load key file - if (shr->key_file) { - if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, - shr->key_file, - tls_ctx->priv_key_pw)) != 0) { - handle_pk_parse_error(h, ret); - goto fail; - } - } - // seed the random number generator if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, mbedtls_entropy_func, @@ -213,6 +208,21 @@ static int tls_open(URLContext *h, const char *uri, int flags, AVDictionary **op goto fail; } + // load key file + if (shr->key_file) { + if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, + shr->key_file, + tls_ctx->priv_key_pw +#if MBEDTLS_VERSION_MAJOR >= 3 + , mbedtls_ctr_drbg_random, + &tls_ctx->ctr_drbg_context +#endif + )) != 0) { + handle_pk_parse_error(h, ret); + goto fail; + } + } + if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, From 2ce253708826fb41922da963d395160a1522b770 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 28 Feb 2020 22:06:29 +0100 Subject: [PATCH 1250/1383] fftools/ffmpeg_opt: Fix leak of options when parsing options fails Fixes #8094. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 21265f42ecb265debe9fec1dbfd0cb7de5a8aefb) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_opt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 618f0f22cd..3a15e97acb 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -3232,6 +3232,7 @@ static int open_files(OptionGroupList *l, const char *inout, if (ret < 0) { av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file " "%s.\n", inout, g->arg); + uninit_options(&o); return ret; } From a0307736e70b2f02f0886bc7864f604692aac401 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 17 Oct 2019 11:28:55 +0200 Subject: [PATCH 1251/1383] avfilter/vf_random: fix memory leaks Fixes #8296 (cherry picked from commit 3488e0977c671568731afa12b811adce9d4d807f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_random.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavfilter/vf_random.c b/libavfilter/vf_random.c index 373a7db053..c7c9ff09c0 100644 --- a/libavfilter/vf_random.c +++ b/libavfilter/vf_random.c @@ -108,6 +108,14 @@ static int request_frame(AVFilterLink *outlink) return ret; } +static av_cold void uninit(AVFilterContext *ctx) +{ + RandomContext *s = ctx->priv; + + for (int i = 0; i < s->nb_frames; i++) + av_frame_free(&s->frames[i]); +} + static const AVFilterPad random_inputs[] = { { .name = "default", @@ -132,6 +140,7 @@ AVFilter ff_vf_random = { .priv_size = sizeof(RandomContext), .priv_class = &random_class, .init = init, + .uninit = uninit, .inputs = random_inputs, .outputs = random_outputs, }; From 525d855c60acfa9868acd0b2a9d5ddcfd767e935 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 18 Oct 2019 20:53:10 -0300 Subject: [PATCH 1252/1383] avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written Fixes ticket #8295 Signed-off-by: James Almer (cherry picked from commit 1d479300cbe0522c233b7d51148aea2b29bd29ad) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index 2c2334a69c..7405dc28cc 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -1171,8 +1171,11 @@ static int nut_write_trailer(AVFormatContext *s) while (nut->header_count < 3) write_headers(s, bc); + if (!nut->sp_count) + return 0; + ret = avio_open_dyn_buf(&dyn_bc); - if (ret >= 0 && nut->sp_count) { + if (ret >= 0) { av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); From 48722306331bfa60096a2699f8b2a51c57f9a951 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 17 Oct 2019 11:11:55 +0200 Subject: [PATCH 1253/1383] avcodec/ac3enc: Fix memleak Fixes ticket #8294. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 097c917c147661f5378dae8fe3f7e46f43236426) Signed-off-by: Michael Niedermayer --- libavcodec/ac3enc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c index 032881724b..4d83c398bf 100644 --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c @@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx) av_freep(&block->cpl_coord_mant); } - s->mdct_end(s); + if (s->mdct_end) + s->mdct_end(s); return 0; } @@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx) ret = validate_options(s); if (ret) - return ret; + goto init_fail; avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks; avctx->initial_padding = AC3_BLOCK_SIZE; From e7dbee00f0d356aaa4a2033b9caf8173a32afd4d Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 18 Oct 2019 10:48:22 +0200 Subject: [PATCH 1254/1383] avfilter/vf_colorspace: fix memmory leaks Fixes #8303 (cherry picked from commit fddef964e8aa4a2c123e470db1436a082ff6bcf3) Signed-off-by: Michael Niedermayer --- libavfilter/vf_colorspace.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index f8d1ecdf4a..d067bc1a23 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -852,6 +852,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) res = av_frame_copy_props(out, in); if (res < 0) { av_frame_free(&in); + av_frame_free(&out); return res; } @@ -911,13 +912,18 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) !s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] || !s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) { uninit(ctx); + av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } s->rgb_sz = rgb_sz; } res = create_filtergraph(ctx, in, out); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } s->rgb_stride = rgb_stride / sizeof(int16_t); td.in = in; td.out = out; @@ -931,8 +937,11 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h; if (s->yuv2yuv_passthrough) { res = av_frame_copy(out, in); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } } else { ctx->internal->execute(ctx, convert, &td, NULL, FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx))); From 742e66f4421ed523a1ada0646feb51e3224494f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 May 2022 01:29:47 +0200 Subject: [PATCH 1255/1383] FFmpeg 4.1.10 release Signed-off-by: Michael Niedermayer --- Changelog | 8 ++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index d840cdf4c5..1c9b240397 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,14 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.10: + avfilter/vf_colorspace: fix memmory leaks + avcodec/ac3enc: Fix memleak + avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written + avfilter/vf_random: fix memory leaks + fftools/ffmpeg_opt: Fix leak of options when parsing options fails + lavf/tls_mbedtls: add support for mbedtls version 3 + version 4.1.9: avfilter/vf_lenscorrection: make width/height int avcodec/diracdec: avoid signed integer overflow in global mv diff --git a/RELEASE b/RELEASE index 18837e703d..5d30083e95 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.9 +4.1.10 diff --git a/doc/Doxyfile b/doc/Doxyfile index 5cdab61c44..db0452e1ee 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.9 +PROJECT_NUMBER = 4.1.10 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From dcf25ec8859f39bb7f94b141ad5e323c58aa28c6 Mon Sep 17 00:00:00 2001 From: Christopher Degawa Date: Wed, 11 May 2022 15:11:04 -0500 Subject: [PATCH 1256/1383] configure: extend SDL check to accept all 2.x versions sdl2 recently changed their versioning, moving the patch level to minor level https://github.com/libsdl-org/SDL/commit/cd7c2f1de7d9e418bb554047d714dd7cacc020ff and have said that they will instead ship sdl3.pc for 3.0.0 Fixes ticket 9768 Signed-off-by: Christopher Degawa Signed-off-by: Gyan Doshi --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9a8a368a12..e317ca54ce 100755 --- a/configure +++ b/configure @@ -6256,7 +6256,7 @@ fi if enabled sdl2; then SDL2_CONFIG="${cross_prefix}sdl2-config" - test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 2.1.0" SDL_events.h SDL_PollEvent + test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 3.0.0" SDL_events.h SDL_PollEvent if disabled sdl2 && "${SDL2_CONFIG}" --version > /dev/null 2>&1; then sdl2_cflags=$("${SDL2_CONFIG}" --cflags) sdl2_extralibs=$("${SDL2_CONFIG}" --libs) From ffea4ba051d8aed87ed2897515defa1da7228e9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:00:52 +0200 Subject: [PATCH 1257/1383] avformat/genh: Check sample rate Fixes: signed integer overflow: -2515507630940093440 * 4 cannot be represented in type 'long' Fixes: 46318/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5009637474172928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a3d790f1977ed6c326eb93bb61757297a7905dcc) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index cbdd53324b..c7d7b371f0 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -67,6 +67,9 @@ static int genh_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate < 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); From 504a2bc6d9fc3d782d31dfa09688afb0c044a594 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:40:59 +0200 Subject: [PATCH 1258/1383] avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d74078270198b97fdda258840f0d501a3ffcc693) Signed-off-by: Michael Niedermayer --- libavfilter/video.c | 7 ++++++- libavfilter/video.h | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/video.c b/libavfilter/video.c index 7a8e587798..b049804419 100644 --- a/libavfilter/video.c +++ b/libavfilter/video.c @@ -41,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h) return ff_get_video_buffer(link->dst->outputs[0], w, h); } -AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align) { AVFrame *frame = NULL; int pool_width = 0; @@ -96,6 +96,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) return frame; } +AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +{ + return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align()); +} + AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h) { AVFrame *ret = NULL; diff --git a/libavfilter/video.h b/libavfilter/video.h index 56c58d6766..f9174a4a0b 100644 --- a/libavfilter/video.h +++ b/libavfilter/video.h @@ -24,6 +24,7 @@ #include "avfilter.h" AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h); +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align); AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h); /** From 3ba52211293f094e819b0a349129980508f0be57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 13:49:05 +0200 Subject: [PATCH 1259/1383] avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements Fixes: issues with non trivial linesize Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d353909e773ba8a8201fa13d6c35251351dd567a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_frei0r.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/libavfilter/vf_frei0r.c b/libavfilter/vf_frei0r.c index c775ed1d99..3f8e61c28a 100644 --- a/libavfilter/vf_frei0r.c +++ b/libavfilter/vf_frei0r.c @@ -353,15 +353,21 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) { Frei0rContext *s = inlink->dst->priv; AVFilterLink *outlink = inlink->dst->outputs[0]; - AVFrame *out; + AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!out) + goto fail; - out = ff_get_video_buffer(outlink, outlink->w, outlink->h); - if (!out) { - av_frame_free(&in); - return AVERROR(ENOMEM); - } av_frame_copy_props(out, in); + if (in->linesize[0] != out->linesize[0]) { + AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!in2) + goto fail; + av_frame_copy(in2, in); + av_frame_free(&in); + in = in2; + } + s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, (const uint32_t *)in->data[0], (uint32_t *)out->data[0]); @@ -369,6 +375,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) av_frame_free(&in); return ff_filter_frame(outlink, out); +fail: + av_frame_free(&in); + av_frame_free(&out); + return AVERROR(ENOMEM); } #define OFFSET(x) offsetof(Frei0rContext, x) @@ -451,7 +461,7 @@ static int source_config_props(AVFilterLink *outlink) static int source_request_frame(AVFilterLink *outlink) { Frei0rContext *s = outlink->src->priv; - AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h); + AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); if (!frame) return AVERROR(ENOMEM); From 7315e3ced5a1d02835a6b35b3670b0c89e3262ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Apr 2022 22:45:12 +0200 Subject: [PATCH 1260/1383] avfilter/vsrc_mandelbrot: Check for malloc failure Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fbd22504c4148d2a01ccfe38df26c144f56db76b) Signed-off-by: Michael Niedermayer --- libavfilter/vsrc_mandelbrot.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vsrc_mandelbrot.c b/libavfilter/vsrc_mandelbrot.c index 6ad108151f..11650e36f7 100644 --- a/libavfilter/vsrc_mandelbrot.c +++ b/libavfilter/vsrc_mandelbrot.c @@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx) s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache)); s-> zyklus = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus)); + if (!s->point_cache || !s->next_cache || !s->zyklus) + return AVERROR(ENOMEM); + return 0; } From 62dab58b9486d5e036c53dcce3bd78db57ac439b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 May 2022 22:55:12 +0200 Subject: [PATCH 1261/1383] avformat/act: Check ff_get_wav_header() for failure Fixes: missing error check Fixes: CID717495 Signed-off-by: Michael Niedermayer (cherry picked from commit 5982da87e3464e7df529a169352748560d70ba80) Signed-off-by: Michael Niedermayer --- libavformat/act.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/act.c b/libavformat/act.c index fe67411787..7cbffbfd05 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -66,6 +66,7 @@ static int read_header(AVFormatContext *s) AVIOContext *pb = s->pb; int size; AVStream* st; + int ret; int min,sec,msec; @@ -75,7 +76,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(s, pb, st->codecpar, size, 0); + ret = ff_get_wav_header(s, pb, st->codecpar, size, 0); + if (ret < 0) + return ret; /* 8000Hz (Fine-rec) file format has 10 bytes long From dc4d0f630bcd6f0654e633851176aeb1633ef711 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2017 00:28:33 +0100 Subject: [PATCH 1262/1383] avcodec/texturedspenc: Fix indexing in color distribution determination Fixes CID1396405 MSE and PSNR is slightly improved, and some noticable corruptions disappear as well. Signed-off-by: Michael Niedermayer Signed-off-by: Marton Balint (cherry picked from commit ade36d61de8ea5a5acb30a05a0cbcda069127143) Signed-off-by: Michael Niedermayer --- libavcodec/texturedspenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/texturedspenc.c b/libavcodec/texturedspenc.c index 3d68e0cf39..5ce72cbd1e 100644 --- a/libavcodec/texturedspenc.c +++ b/libavcodec/texturedspenc.c @@ -255,11 +255,11 @@ static void optimize_colors(const uint8_t *block, ptrdiff_t stride, muv = minv = maxv = bp[0]; for (y = 0; y < 4; y++) { - for (x = 4; x < 4; x += 4) { + for (x = 0; x < 4; x++) { muv += bp[x * 4 + y * stride]; - if (bp[x] < minv) + if (bp[x * 4 + y * stride] < minv) minv = bp[x * 4 + y * stride]; - else if (bp[x] > maxv) + else if (bp[x * 4 + y * stride] > maxv) maxv = bp[x * 4 + y * stride]; } } From 12794ff1e49bc409f668484840b721871ab9bca6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:13:16 +0100 Subject: [PATCH 1263/1383] avformat/asfdec_f: Check packet_frag_timestamp Fixes: signed integer overflow: -9223372036854775808 - 4607 cannot be represented in type 'long' Fixes: 45685/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5280102802391040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffc877215056e8f0feb1ff23ba7dc4c19277b94b) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 81bf9d83e9..2d7c0a7a5e 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1315,10 +1315,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0) return ret; asf_st->seq = asf->packet_seq; - if (asf->ts_is_pts) { - asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; - } else - asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) { + if (asf->ts_is_pts) { + asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; + } else + asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + } asf_st->pkt.stream_index = asf->stream_index; asf_st->pkt.pos = asf_st->packet_pos = asf->packet_pos; asf_st->pkt_clean = 0; From 0487f8e95e5f1e90d12729db4c16392970b4b3ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:24:40 +0100 Subject: [PATCH 1264/1383] avformat/bfi: Check offsets better Fixes: signed integer overflow: -2145378272 - 538976288 cannot be represented in type 'int' Fixes: 45690/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5015496544616448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35dc93ab44a57d78956414624c4e011414220e98) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index f32a2cf8ce..a226101f76 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -143,12 +143,12 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) audio_offset = avio_rl32(pb); avio_rl32(pb); video_offset = avio_rl32(pb); - audio_size = video_offset - audio_offset; - bfi->video_size = chunk_size - video_offset; - if (audio_size < 0 || bfi->video_size < 0) { + if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) { av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); return AVERROR_INVALIDDATA; } + audio_size = video_offset - audio_offset; + bfi->video_size = chunk_size - video_offset; //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); From 93145eaeba6cb83ea7270b2c35116b91abd17632 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Apr 2022 22:18:49 +0200 Subject: [PATCH 1265/1383] avformat/ape: more bits in size for less overflows Fixes: signed integer overflow: 2147483647 + 3 cannot be represented in type 'int' Fixes: 46184/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4678059519770624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e5f6707a7b91664491041526ef3cce7412258b89) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index c06db78480..3a3b91283e 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -42,8 +42,8 @@ typedef struct APEFrame { int64_t pos; + int64_t size; int nblocks; - int size; int skip; int64_t pts; } APEFrame; @@ -146,7 +146,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx) av_log(s, AV_LOG_DEBUG, "\nFrames\n\n"); for (i = 0; i < ape_ctx->totalframes; i++) - av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i, + av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i, ape_ctx->frames[i].pos, ape_ctx->frames[i].size, ape_ctx->frames[i].nblocks); @@ -164,7 +164,8 @@ static int ape_read_header(AVFormatContext * s) AVStream *st; uint32_t tag; int i; - int total_blocks, final_size = 0; + int total_blocks; + int64_t final_size = 0; int64_t pts, file_size; /* Skip any leading junk such as id3v2 tags */ @@ -403,7 +404,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) if (ape->frames[ape->currentframe].size <= 0 || ape->frames[ape->currentframe].size > INT_MAX - extra_size) { - av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n", + av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n", ape->frames[ape->currentframe].size); ape->currentframe++; return AVERROR(EIO); From 4d7a4f66f8bb3c8ec3c11388fd60bdf874d66df2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2022 01:08:56 +0100 Subject: [PATCH 1266/1383] avformat/aiffdec: avoid integer overflow in get_meta() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a02de21278ec3bea1d2c62665f2629d5a62210f) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 1040f3257d..9e56d80156 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -73,7 +73,7 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) /* Metadata string read */ static void get_meta(AVFormatContext *s, const char *key, int size) { - uint8_t *str = av_malloc(size+1); + uint8_t *str = av_malloc(size+1U); if (str) { int res = avio_read(s->pb, str, size); From d5d3f80e1740c1ef30153fd200892b7115bdb575 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:36:00 +0200 Subject: [PATCH 1267/1383] avcodec/cdgraphics: limit scrolling to the line Fixes: out of array access Fixes: 47877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5690504626438144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7e30a13d4e4557b87f977b76a6bb5e3cbe5ac78) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index cf3f01a417..1341669a34 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -239,7 +239,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++) memcpy(out + FFMAX(0, hinc) + stride * y, in + FFMAX(0, hinc) - hinc + (y - vinc) * stride, - FFMIN(stride + hinc, stride)); + FFABS(stride) - FFABS(hinc)); if (vinc > 0) cdg_fill_wrapper(0, 0, out, From 36fdafb16d75230ea139e26e522cb0573841b15c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 21:13:59 +0200 Subject: [PATCH 1268/1383] avcodec/jpeglsdec: fix end check for xfrm Fixes: out of array access Fixes: 47871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-5646305956855808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a82412bf33108111eb3f63076fd5a51349ae114) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 615c9e5068..59fb304a83 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -465,19 +465,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; @@ -485,7 +485,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, } break; case 4: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int r = src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b = src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8); From cc2357f36fc225c1612a531d6ef2bb06735610aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2022 14:30:42 +0100 Subject: [PATCH 1269/1383] avformat/aiffdec: cleanup size handling for extreem cases Signed-off-by: Michael Niedermayer (cherry picked from commit c6f1e48b86471b1cc91c468e78a065075ed409bd) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 9e56d80156..5f3172dc93 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -54,9 +54,9 @@ static enum AVCodecID aiff_codec_get_id(int bps) } /* returns the size of the found tag */ -static int get_tag(AVIOContext *pb, uint32_t * tag) +static int64_t get_tag(AVIOContext *pb, uint32_t * tag) { - int size; + int64_t size; if (avio_feof(pb)) return AVERROR(EIO); @@ -64,16 +64,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) *tag = avio_rl32(pb); size = avio_rb32(pb); - if (size < 0) - size = 0x7fffffff; - return size; } /* Metadata string read */ -static void get_meta(AVFormatContext *s, const char *key, int size) +static void get_meta(AVFormatContext *s, const char *key, int64_t size) { - uint8_t *str = av_malloc(size+1U); + uint8_t *str = NULL; + + if (size < SIZE_MAX) + str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); @@ -90,7 +90,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size) } /* Returns the number of sound data frames or negative on error */ -static int get_aiff_header(AVFormatContext *s, int size, +static int get_aiff_header(AVFormatContext *s, int64_t size, unsigned version) { AVIOContext *pb = s->pb; @@ -101,9 +101,6 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; - if (size == INT_MAX) - return AVERROR_INVALIDDATA; - if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; @@ -214,7 +211,8 @@ static int aiff_probe(AVProbeData *p) /* aiff input */ static int aiff_read_header(AVFormatContext *s) { - int ret, size, filesize; + int ret; + int64_t filesize, size; int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; @@ -225,7 +223,7 @@ static int aiff_read_header(AVFormatContext *s) /* check FORM header */ filesize = get_tag(pb, &tag); - if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M')) + if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M')) return AVERROR_INVALIDDATA; /* AIFF data type */ From b6c471ab4ea04b55662c9446bd57c63946239133 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2022 23:34:53 +0200 Subject: [PATCH 1270/1383] avcodec/alacdsp: Make intermediates unsigned Fixes: signed integer overflow: -14914387 + -2147418648 cannot be represented in type 'int' Fixes: 46464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-474307197311385 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8709f4c10a216cb3e11564bc392841e832f8e3b1) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 8718d1b6b1..b3c1c424f3 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, int i; for (i = 0; i < nb_samples; i++) { - int32_t a, b; + uint32_t a, b; a = buffer[0][i]; b = buffer[1][i]; - a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; + a -= (int)(b * decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; From 9be645c544a12277e974e268702c6a24d01f9150 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 00:43:21 +0200 Subject: [PATCH 1271/1383] avcodec/qdrw: adjust max colors to array size Fixes: out of array access Fixes: 48429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-4608329791438848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cd847f86d31f87f0f7733ca6ab7a2c022a1398bd) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 65279c9805..c04c756d71 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -369,7 +369,7 @@ static int decode_frame(AVCodecContext *avctx, bytestream2_skip(&gbc, 18); colors = bytestream2_get_be16(&gbc); - if (colors < 0 || colors > 256) { + if (colors < 0 || colors > 255) { av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return AVERROR_INVALIDDATA; From 0e8b1a8b449d54a8443e71d2f3154395b2f766c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jun 2022 20:54:36 +0200 Subject: [PATCH 1272/1383] avcodec/aasc: Fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit af2ed09220fe82e0aa479d1b93be6aadc4930efc) Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 58cc3c85ba..bf1555e72c 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx, ff_msrle_decode(avctx, s->frame, 8, &s->gb); break; case MKTAG('A', 'A', 'S', 'C'): - switch (compr) { - case 0: - stride = (avctx->width * psize + psize) & ~psize; - if (buf_size < stride * avctx->height) + switch (compr) { + case 0: + stride = (avctx->width * psize + psize) & ~psize; + if (buf_size < stride * avctx->height) + return AVERROR_INVALIDDATA; + for (i = avctx->height - 1; i >= 0; i--) { + memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); + buf += stride; + buf_size -= stride; + } + break; + case 1: + bytestream2_init(&s->gb, buf, buf_size); + ff_msrle_decode(avctx, s->frame, 8, &s->gb); + break; + default: + av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); return AVERROR_INVALIDDATA; - for (i = avctx->height - 1; i >= 0; i--) { - memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); - buf += stride; - buf_size -= stride; } break; - case 1: - bytestream2_init(&s->gb, buf, buf_size); - ff_msrle_decode(avctx, s->frame, 8, &s->gb); - break; - default: - av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); - return AVERROR_INVALIDDATA; - } - break; default: av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag); return -1; From 2bfc334441916bdef90874b1f6a452485b8715ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 May 2022 01:23:22 +0200 Subject: [PATCH 1273/1383] avformat/sctp: close socket on errors This is untested as i have no testcase Fixes: CID1302709 Signed-off-by: Michael Niedermayer (cherry picked from commit c9a2996544187f67e533bc24f4cf773e50d2362b) Signed-off-by: Michael Niedermayer --- libavformat/sctp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 9a80e9b015..be0cb47865 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -282,6 +282,8 @@ fail: goto restart; } fail1: + if (fd >= 0) + closesocket(fd); ret = AVERROR(EIO); freeaddrinfo(ai); return ret; From c065971bf8c2a0ad060296443d0f5be52131d44b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 02:31:47 +0200 Subject: [PATCH 1274/1383] avcodec/wnv1: Check for width =1 The decoder only outputs pixels for width >1 images, fail early Fixes: Timeout Fixes: 48298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WNV1_fuzzer-6198626319204352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d98d5a436aa70d3cef8f914c0467ef2fb2dd1dfc) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 915e9c7dc9..291be78cc8 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -136,6 +136,9 @@ static av_cold int decode_init(AVCodecContext *avctx) { static VLC_TYPE code_table[1 << CODE_VLC_BITS][2]; + if (avctx->width <= 1) + return AVERROR_INVALIDDATA; + avctx->pix_fmt = AV_PIX_FMT_YUV422P; code_vlc.table = code_table; From aedff4dc8b35de5f0c46ca28a49a5b14bad247ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jul 2022 23:32:40 +0200 Subject: [PATCH 1275/1383] avformat/iff: simplify duration calculation Fixes: signed integer overflow: 315680096256 * 134215943 cannot be represented in type 'long long' Fixes: 48713/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5886272312311808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0740641e932551342cc1737d981e950ecffa3b63) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 5be0eb55b7..1a1c80551a 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = s->streams[0]->codecpar->sample_rate / 75; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); @@ -398,7 +398,8 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) case ID_FRTE: if (data_size < 4) return AVERROR_INVALIDDATA; - s->streams[0]->duration = avio_rb32(pb) * 588LL * s->streams[0]->codecpar->sample_rate / 44100; + s->streams[0]->duration = avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75; + break; } From f7b403bba6fd10aaf6bdf9dffd786d95a1748236 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 13:31:19 +0200 Subject: [PATCH 1276/1383] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M This limit is possibly not reachable due to other restrictions on buffers but the decoder run table is too small beyond this, so explicitly check for it. Signed-off-by: Michael Niedermayer (cherry picked from commit b4431399ec1e10afff458cf1ffae2a75987d725a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 2ff749ffa4..dddfaed4d5 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -188,6 +188,9 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) return -1; + if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) + return AVERROR_INVALIDDATA; + for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); From f9afd5caccc33e8c82c12346b7b5e08db2192fee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2022 00:59:15 +0200 Subject: [PATCH 1277/1383] avcodec/qpeldsp: copy less for the mc0x cases Fixes: out of array access Fixes: 47936/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5745039940124672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e690d4edf581c42dbd907c0fafe53fba86a00812) Signed-off-by: Michael Niedermayer --- libavcodec/qpeldsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/qpeldsp.c b/libavcodec/qpeldsp.c index 6e52b33657..d99b8fd0ba 100644 --- a/libavcodec/qpeldsp.c +++ b/libavcodec/qpeldsp.c @@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8); \ } \ @@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[16 * 9]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16); \ } \ \ @@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8); \ } \ @@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16); \ } \ @@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[24 * 17]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24); \ } \ \ @@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16); \ } \ From 8a4e3bc1c5c62df3434573adfd254cc68c826f7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:21:55 +0200 Subject: [PATCH 1278/1383] avcodec/hevcdsp_template: stay within tables in sao_band_filter() Fixes: out of array read Fixes: 47875/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5719393113341952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c5250a5612d4b32d79108de0c03945b2017963e) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 56cd9e605d..61425975cd 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src, offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1]; for (y = 0; y < height; y++) { for (x = 0; x < width; x++) - dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]); + dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); dst += stride_dst; src += stride_src; } From 6c1a7a829d5c1dc57f0411c7116effc5e8e6b1f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 May 2022 00:50:33 +0200 Subject: [PATCH 1279/1383] avformat/rtsp: break on unknown protocols This function needs more cleanup and it lacks error handling Fixes: use of uninitialized memory Fixes: CID700776 Signed-off-by: Michael Niedermayer (cherry picked from commit 73c0fd27c5c53c42e5060fb3a0c1fc5708b6f670) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 975637cf54..7e0a20e7d8 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -928,6 +928,8 @@ static void rtsp_parse_transport(AVFormatContext *s, ";,", &p); } th->transport = RTSP_TRANSPORT_RAW; + } else { + break; } if (!av_strcasecmp(lower_transport, "TCP")) th->lower_transport = RTSP_LOWER_TRANSPORT_TCP; From b3fdcaca7be89d9d133f0ff4e23eb8ed863dcff8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 May 2022 02:10:52 +0200 Subject: [PATCH 1280/1383] avfilter/vf_signature: Fix integer overflow in filter_frame() Fixes: CID1403233 The second of the 2 changes may be unneeded but will help coverity Signed-off-by: Michael Niedermayer (cherry picked from commit dd6040675ec18d19429f882caea6bb306ed6677a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index d07b213f31..8bdd7f55a2 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -223,7 +223,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) dw1 = inlink->w / 32; if (inlink->w % 32) dw2 = dw1 + 1; - denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1; + denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1; for (i = 0; i < 32; i++) { rowcount = 0; @@ -249,7 +249,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) } } - denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2; + denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2; for (i = 0; i < ELEMENT_COUNT; i++) { const ElemCat* elemcat = elements[i]; From 5deba24c221bc6c2222fd8a7007360ad40901a8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 May 2022 00:51:12 +0200 Subject: [PATCH 1281/1383] avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() Fixes: signed integer overflow: 2147483645 + 16 cannot be represented in type 'int' Fixes: 46993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4759025234870272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1537f40516d625fc5fa57db4fdfb737312fbc500) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 43fcc90ae5..0d34a2a710 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src) { int i; for (i = 0; i < 32; i++) { - v[ i] = ( src[63 - 2*i ] + 0x10) >> 5; - v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5; + v[ i] = (int)(0x10U + src[63 - 2*i ]) >> 5; + v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5; } } From 99f1f07b78c7a73f1e1eea5678b88c2b9d5bac3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Apr 2022 22:16:51 +0200 Subject: [PATCH 1282/1383] avcodec/h264dec: Skip late SEI Fixes: Race condition Fixes: clusterfuzz-testcase-minimized-mediasource_MP2T_AVC_pipeline_integration_fuzzer-6282675434094592 Found-by: google ClusterFuzz Tested-by: Dan Sanders Signed-off-by: Michael Niedermayer (cherry picked from commit f7dd408d64013ae177c1f8d0e04418e5075db5bc) Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 0e189da61a..dc259ceff2 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -699,6 +699,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) avpriv_request_sample(avctx, "data partitioning"); break; case H264_NAL_SEI: + if (h->setup_finished) { + avpriv_request_sample(avctx, "Late SEI"); + break; + } ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx); h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1; if (avctx->debug & FF_DEBUG_GREEN_MD) From 85d59a6a987b47717651e488dcf8a0de861c3b1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jul 2022 20:43:20 +0200 Subject: [PATCH 1283/1383] avcodec/lagarith: Check dst/src in zero run code Fixes: out of array access Fixes: 48799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4764457825337344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9450f759748d02d1d284d2e4afd741cb0fe0c04a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 1342c98961..54153c6a69 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -408,6 +408,9 @@ output_zeros: if (zero_run) { zero_run = 0; i += esc_count; + if (i > end - dst || + i >= src_end - src) + return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); From c9d8271274e70ee34e44b246c8c79e0e39918c88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 00:32:18 +0200 Subject: [PATCH 1284/1383] avformat/asfdec_f: Use 64bit for packet start time Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ed78486fcb065b5b459f14d4b1c3242f6d21ec7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2d7c0a7a5e..91104c19dc 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -104,7 +104,7 @@ typedef struct ASFContext { int ts_is_pts; int packet_multi_size; int packet_time_delta; - int packet_time_start; + int64_t packet_time_start; int64_t packet_pos; int stream_index; From 5cefe5d304cf6f717f8ab07c8a6b4311c6f35351 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jul 2022 23:54:49 +0200 Subject: [PATCH 1285/1383] avformat/nutdec: Check get_packetheader() in mainheader Fixes; Timeout Fixes: 48794/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6524604713140224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5de084aa63b79586bc445e6a7fea837688b3941) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index e86d8222d0..0b04aaad3e 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -199,6 +199,8 @@ static int decode_main_header(NUTContext *nut) int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + if (length == (uint64_t)-1) + return AVERROR_INVALIDDATA; end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); From f198ffcf38a2372b31603163698b3dd180c6115f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jun 2022 01:36:29 +0200 Subject: [PATCH 1286/1383] avformat/flvdec: Check for EOF in index reading Fixes: Timeout Fixes: 47992/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6020443879899136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ceff5d7b74cd9ae6055957979d27d289c70a9e1b) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 29e9bdd735..db3b99ca05 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -436,6 +436,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m goto invalid; if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) goto invalid; + if (avio_feof(ioc)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 0bea6b5d5025227bde1db5e94b17d74567a1ffdd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jul 2022 00:51:32 +0200 Subject: [PATCH 1287/1383] avcodec/hevc_filter: copy_CTB() only within width&height Fixes: out of array access Fixes: 49271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5424984922652672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ef35d384c3df22d8a8be7416dc9d532e91c52) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 6b9824088c..a45cb6f0fb 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -145,11 +145,22 @@ int i, j; if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { - for (j = 0; j < width; j+=8) + for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } + if (width&7) { + dst += ((width>>3)<<3) - stride_dst * height; + src += ((width>>3)<<3) - stride_src * height; + width &= 7; + for (i = 0; i < height; i++) { + for (j = 0; j < width; j++) + dst[j] = src[j]; + dst += stride_dst; + src += stride_src; + } + } } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) From 8229f4327f8501f52fb821cec37985e09180541e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:53:32 +0200 Subject: [PATCH 1288/1383] MAINTAINERS: Add ED25519 key for signing my commits in the future Signed-off-by: Michael Niedermayer (cherry picked from commit 05225180bea208dfd81efac327e429711a963697) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index bc2ae13320..7cd7e2050c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -598,6 +598,7 @@ Jean Delvare 7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE Lou Logan (llogan) 7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George 24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 Panagiotis Issaris 6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029 From ec9af84dc5445d272092e91452fa67d796729e1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Aug 2022 23:39:56 +0200 Subject: [PATCH 1289/1383] avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel This is somewhat redundant with the is_decoded check. Maybe there is a nicer solution Fixes: Null pointer dereference Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b51e1992289383aa9f083c88e153e34b6412c89) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 97f9def809..1960c6a202 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3221,7 +3221,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, } } else { /* verify the SEI checksum */ - if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && + if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { From 4d537913e546d3db4db5ad7c0b93df091b2969af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Aug 2022 00:02:37 +0200 Subject: [PATCH 1290/1383] avcodec/h263dec: Sanity check against minimal I/P frame size Fixes: Timeout Fixes: 49718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4874987894341632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff9c21cb77e024fa4ff5889826a8bee4d0e0a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 2d136ff0db..edde8bef5c 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -544,6 +544,8 @@ retry: avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; if (s->studio_profile != (s->idsp.idct == NULL)) From 2f2a3397ccf9132237babf9257943bcbe72c315b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 00:22:41 +0200 Subject: [PATCH 1291/1383] avformat/avidec: Prevent entity expansion attacks Fixes: Timeout Fixes no testcase, this is the same idea as similar attacks against XML parsers Signed-off-by: Michael Niedermayer (cherry picked from commit f3e823c2aa04d4f5571a5e04c27a244890704c8d) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 282f4635fb..c1dfd6cf25 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -80,6 +80,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -189,7 +191,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); @@ -210,11 +212,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -233,6 +242,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) int64_t offset, pos; int duration; int ret; + avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ From 37139adfbfcc5daea7d04be6294c2511c1e1e4e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 20:31:32 +0200 Subject: [PATCH 1292/1383] libavformat/iff: Check for overflow in body_end calculation Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 1a1c80551a..52bc8c99c9 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -502,6 +502,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { From 82e77e0dece2ef75fbcc8ae4c51bd44d51e912d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 22:10:09 +0200 Subject: [PATCH 1293/1383] libavcodec/8bps: Check that line lengths fit within the buffer Fixes: Timeout Fixes: undefined pointer arithmetic Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2316d5ec1a95b13ff9a0ce80409fa367a041966d) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index aa2318fa2d..655c62725b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -70,6 +70,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; From 8f443328c05b694f79d7d3ec8f6fd9a9e4956419 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:49:04 +0200 Subject: [PATCH 1294/1383] doc/git-howto.texi: Document commit signing Signed-off-by: Michael Niedermayer (cherry picked from commit ced0dc807eb67516b341d68f04ce5a87b02820de) Signed-off-by: Michael Niedermayer --- doc/git-howto.texi | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 2b4fb80233..bd26fcb259 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions. git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. @@ -393,6 +400,19 @@ git checkout -b svn_23456 $SHA1 where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, From bf29c080b1e03d88fa617acaffc2f7c7a734093d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Aug 2022 01:21:38 +0200 Subject: [PATCH 1295/1383] avformat/asfdec_o: limit recursion depth in asf_read_unknown() The threshold of 5 is arbitrary, both smaller and larger should work fine Fixes: Stack overflow Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f1a368169ef9d945dc4b4764f5c60ba9bbc9134) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 40a24b15df..edd139ab9e 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -113,6 +113,7 @@ typedef struct ASFContext { int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior + int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -177,7 +178,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; - if (size > INT64_MAX) + if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) @@ -186,8 +187,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size - if ((ret = detect_unknown_subobject(s, asf->unknown_offset, - asf->unknown_size)) < 0) + asf->in_asf_read_unknown ++; + ret = detect_unknown_subobject(s, asf->unknown_offset, + asf->unknown_size); + asf->in_asf_read_unknown --; + if (ret < 0) return ret; } else { if (size < 24) { From b2222721245cfbba2d3f6917f0ab316aaeb76db3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jun 2022 02:01:20 +0200 Subject: [PATCH 1296/1383] avcodec/bink: disallow odd positioned scaled blocks Fixes: out of array access Fixes: 47911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6194020855971840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit b14104a6376cd774b08cbe5fda56b34320a41b2e) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index ca10a0ce81..bc4fe7e163 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1054,7 +1054,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; From c2633805587feca1c2d87b8ef2b14aba3106a4a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 23:41:57 +0200 Subject: [PATCH 1297/1383] avcodec/speedhq: Check width Fixes: out of array access Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400 Alternatively the buffer size can be increased Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0395f9ef6051315973f1fdded1804f81458566d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 948b813f7f..a3b0bc4649 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4 || avctx->width < 8) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; quality = buf[0]; From f0fb070286d5e44d49121cbdd1413c17ae13f670 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2022 23:09:09 +0200 Subject: [PATCH 1298/1383] avcodec/fmvc: Move frame allocation to a later stage This way more things are checked before allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 9783749c66bf6ca2ce7a6db4c74957fe77cbe803) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5bee96a18d..8f5b59da22 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -401,20 +401,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, PutByteContext *pb = &s->pb; AVFrame *frame = data; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; unsigned type, size; uint8_t *dst; @@ -434,6 +431,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { @@ -512,6 +515,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { From 53f3a25107616a7f07a6de3f1f3ecc2336d24fbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2022 00:32:23 +0200 Subject: [PATCH 1299/1383] libavformat/hls: Free keys Fixes: memleak Fixes: 50703/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6399058578636800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit d32a9f3137c91de86547601a38fea0693c3497f1) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 22fd6f1f1b..4869ad4000 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -232,6 +232,7 @@ static void free_init_section_list(struct playlist *pls) { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } From 7d5e8bdb0add4de41b175572aa955ac26e3b123d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:11:20 +0200 Subject: [PATCH 1300/1383] avcodec/tta: Check 24bit scaling for overflow Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3993345f915bccceee315f44d412445346990e14) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index afc4907432..593cb6629a 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -371,8 +371,15 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; From a101c977826985adcc478d1f2f6f686679805826 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:30:42 +0200 Subject: [PATCH 1301/1383] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: -2147448926 + -198321 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5739619273015296 Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6744428485672960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f05247f6a4698c14f1cd523daa90188f50dcf6ad) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 035fa9a434..5a769a3ea9 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -880,7 +880,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; From 045ed347fb6216386b04f5a7a0e9ab37761af29b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:28:03 +0200 Subject: [PATCH 1302/1383] avformat/mxfdec: Check run_in is within 65536 Fixes: signed integer overflow: 9223372036854775807 - -2146905566 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6570996594769920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786097825d9e3f02b4574c1924c28818eb83340) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index b54fc4be2c..dbd34e3588 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -58,6 +58,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, @@ -3135,6 +3136,7 @@ static int mxf_read_header(AVFormatContext *s) KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; @@ -3144,7 +3146,10 @@ static int mxf_read_header(AVFormatContext *s) } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); From e55980d3bf3599cb940390220681d3186391a7f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Sep 2022 18:23:30 +0200 Subject: [PATCH 1303/1383] avformat/mxfdec: only probe max run in MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 1182bbb2c3226260ed672920251e3410bde8c6c9) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index dbd34e3588..56680e258e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3578,7 +3578,7 @@ static int mxf_read_close(AVFormatContext *s) static int mxf_probe(AVProbeData *p) { const uint8_t *bufp = p->buf; - const uint8_t *end = p->buf + p->buf_size; + const uint8_t *end = p->buf + FFMIN(p->buf_size, RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)); if (p->buf_size < sizeof(mxf_header_partition_pack_key)) return 0; From 9959b6e2eb57fe696e591ffded5c2dfeb70c9e79 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:08 +0200 Subject: [PATCH 1304/1383] avformat/aiffdec: Check block_duration Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c2b6265c87417033f990fa4a14da9d4008320a4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 5f3172dc93..e3a228551d 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -366,6 +366,8 @@ got_sound: av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From d52ed1be9e073e082c960b703a1129dfb7cf4b22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:09 +0200 Subject: [PATCH 1305/1383] avformat/aiffdec: Use 64bit for block_duration use Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9303ba272e988d87084880c57056b750cc5ffd08) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index e3a228551d..aa45424934 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -422,7 +422,7 @@ static int aiff_read_packet(AVFormatContext *s, pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } From 80ec0ca973587ff8f72141d4bbb09a12aca91b90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 23:15:56 +0200 Subject: [PATCH 1306/1383] avformat/icodec: Check nb_pal Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db73ae0dc114aa6fae08e69f977944f056a24995) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index d86b85099d..23cd91412d 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -204,6 +204,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } From 3e208ef0886f3e45931357f2c2a7b26c65f2352b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:19:53 +0200 Subject: [PATCH 1307/1383] avformat/ape: Check frames size Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d0349c9929e2891c90011a83152624d5cf18e628) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 3a3b91283e..c3cc7b6445 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -323,6 +323,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { From 955ed9b64195acf6bb715ddbaa30a690b9eb606f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:30:55 +0200 Subject: [PATCH 1308/1383] avformat/asfdec_o: Limit packet offset avoids overflows with it Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136 Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 736e9e69d5dbbe1d81885dfef59917eb915d2f96) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index edd139ab9e..303ee71cd5 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1361,6 +1361,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { From 9fb728dd1c3bc2114d1153a8b61f38b1980747f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:48:43 +0200 Subject: [PATCH 1309/1383] avformat/cafdec: Check that nb_frasmes fits within 64bit Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d4bb4e375975dc0d31d5309106cf6ee0ed75140f) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index b9e70ea2fb..3c6d6922a0 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -341,7 +341,7 @@ static int read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (st->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) { From 167c0dcfdcb7b55a85ae6aa04ae1636622d798b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:40:47 +0200 Subject: [PATCH 1310/1383] avformat/dxa: avoid bpc overflows Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93db0f0740cacd64ae07b5e8606b70021e48d364) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index a616f8f74b..0d820c7413 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET); From e474173f47756f392a47d8d647cb4be398228a25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:47:25 +0200 Subject: [PATCH 1311/1383] avformat/nutdec: Check fields Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6566001610719232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c146406eac06f3d3cd3d981c29e7affd834cb4d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0b04aaad3e..7bde16be9c 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -244,6 +244,11 @@ static int decode_main_header(NUTContext *nut) for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); From 74b61efa914a07866a1f7237010f5af083a8a5bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 15:06:25 +0200 Subject: [PATCH 1312/1383] avformat/rmdec: check tag_size Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb7ee8a36bddd3425897135db514ca62fec6e44) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 773073064d..d3e41e5996 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -564,6 +564,8 @@ static int rm_read_header(AVFormatContext *s) } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { From 02402b49aff9b4456db4560e572647ed0e404320 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:42:21 +0200 Subject: [PATCH 1313/1383] avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation Fixes: signed integer overflow: 72128794995445727 * 240 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SDS_fuzzer-6628185583779840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8eb1bed075931b0ce0a8bc9a8ff5882830044c) Signed-off-by: Michael Niedermayer --- libavformat/sdsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdsdec.c b/libavformat/sdsdec.c index 081bb4ca2d..bc8b08446a 100644 --- a/libavformat/sdsdec.c +++ b/libavformat/sdsdec.c @@ -112,7 +112,7 @@ static int sds_read_header(AVFormatContext *ctx) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = 1; st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000; - st->duration = (avio_size(pb) - 21) / (127) * s->size / 4; + st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From ae5b1998e38699297930f44e135a64da32e55ea5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:45:30 +0200 Subject: [PATCH 1314/1383] avformat/xwma: Use av_rescale() for duration computation Fixes: signed integer overflow: 34242363648 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6577923913547776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c789f753c3657be9041307f9c03749f5ba5a6bb) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index ffe0bb7012..c467af9fac 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -278,7 +278,7 @@ static int xwma_read_header(AVFormatContext *s) * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: From 056695bf43b04b16c3c9d71cf1d136dca5f48fb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 18:12:11 +0200 Subject: [PATCH 1315/1383] avformat/spdifdec: Use 64bit to compute bit rate Fixes: signed integer overflow: 32 * 553590816 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6564974517944320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4075f0cec1830a7ac081b1a23bd3f5c4e266fe26) Signed-off-by: Michael Niedermayer --- libavformat/spdifdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c index 21bfce4226..428ed71431 100644 --- a/libavformat/spdifdec.c +++ b/libavformat/spdifdec.c @@ -229,7 +229,7 @@ int ff_spdif_read_packet(AVFormatContext *s, AVPacket *pkt) if (!s->bit_rate && s->streams[0]->codecpar->sample_rate) /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */ - s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate; + s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate; return 0; } From c814c2a1ff3c3659ca21488b77e861bb3cba9a59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2022 23:49:28 +0200 Subject: [PATCH 1316/1383] avcodec/dstdec: Check for overflow in build_filter() Fixes: signed integer overflow: 1917019860 + 265558963 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-4833165046317056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8008940da5aa43895fd4574114309c3324249eab) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index d7a82f34ec..7a51f6772a 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -214,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c) return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; @@ -225,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table * int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, @@ -328,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * avctx->channels); From a2e14839dcf04e03110bc3a7c7b154eb7cbacfaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Oct 2022 16:05:50 +0200 Subject: [PATCH 1317/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/Changelog b/Changelog index 1c9b240397..239db874e2 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,74 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.10: + avcodec/dstdec: Check for overflow in build_filter() + avformat/spdifdec: Use 64bit to compute bit rate + avformat/xwma: Use av_rescale() for duration computation + avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation + avformat/rmdec: check tag_size + avformat/nutdec: Check fields + avformat/dxa: avoid bpc overflows + avformat/cafdec: Check that nb_frasmes fits within 64bit + avformat/asfdec_o: Limit packet offset + avformat/ape: Check frames size + avformat/icodec: Check nb_pal + avformat/aiffdec: Use 64bit for block_duration use + avformat/aiffdec: Check block_duration + avformat/mxfdec: only probe max run in + avformat/mxfdec: Check run_in is within 65536 + avcodec/apedec: Fix integer overflow in filter_3800() + avcodec/tta: Check 24bit scaling for overflow + libavformat/hls: Free keys + avcodec/fmvc: Move frame allocation to a later stage + avcodec/speedhq: Check width + avcodec/bink: disallow odd positioned scaled blocks + avformat/asfdec_o: limit recursion depth in asf_read_unknown() + doc/git-howto.texi: Document commit signing + libavcodec/8bps: Check that line lengths fit within the buffer + libavformat/iff: Check for overflow in body_end calculation + avformat/avidec: Prevent entity expansion attacks + avcodec/h263dec: Sanity check against minimal I/P frame size + avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel + MAINTAINERS: Add ED25519 key for signing my commits in the future + avcodec/hevc_filter: copy_CTB() only within width&height + avformat/flvdec: Check for EOF in index reading + avformat/nutdec: Check get_packetheader() in mainheader + avformat/asfdec_f: Use 64bit for packet start time + avcodec/lagarith: Check dst/src in zero run code + avcodec/h264dec: Skip late SEI + avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() + avfilter/vf_signature: Fix integer overflow in filter_frame() + avformat/rtsp: break on unknown protocols + avcodec/hevcdsp_template: stay within tables in sao_band_filter() + avcodec/qpeldsp: copy less for the mc0x cases + avcodec/ffv1dec: Limit golomb rice coded slices to width 8M + avformat/iff: simplify duration calculation + avcodec/wnv1: Check for width =1 + avformat/sctp: close socket on errors + avcodec/aasc: Fix indention + avcodec/qdrw: adjust max colors to array size + avcodec/alacdsp: Make intermediates unsigned + avformat/aiffdec: cleanup size handling for extreem cases + avcodec/jpeglsdec: fix end check for xfrm + avcodec/cdgraphics: limit scrolling to the line + avformat/aiffdec: avoid integer overflow in get_meta() + avformat/ape: more bits in size for less overflows + avformat/bfi: Check offsets better + avformat/asfdec_f: Check packet_frag_timestamp + avcodec/texturedspenc: Fix indexing in color distribution determination + avformat/act: Check ff_get_wav_header() for failure + avfilter/vsrc_mandelbrot: Check for malloc failure + avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements + avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment + avformat/genh: Check sample rate + configure: extend SDL check to accept all 2.x versions + FFmpeg 4.1.10 release + avfilter/vf_colorspace: fix memmory leaks + avcodec/ac3enc: Fix memleak + avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written + avfilter/vf_random: fix memory leaks + fftools/ffmpeg_opt: Fix leak of options when parsing options fails + lavf/tls_mbedtls: add support for mbedtls version 3 avfilter/vf_colorspace: fix memmory leaks avcodec/ac3enc: Fix memleak avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written From a4ba6e7d2c398bf6bccca85c5819b52ec579e89b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 25 Oct 2022 13:13:34 +0300 Subject: [PATCH 1318/1383] swscale: aarch64: Fix yuv2rgb with negative strides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat the 32 bit stride registers as signed. Alternatively, we could make the stride arguments ptrdiff_t instead of int, and changing all of the assembly to operate on these registers with their full 64 bit width, but that's a much larger and more intrusive change (and risks missing some operation, which would clamp the intermediates to 32 bit still). Fixes: https://trac.ffmpeg.org/ticket/9985 Signed-off-by: Martin Storsjö (cherry picked from commit cb803a0072cb98945dcd3f1660bd2a975650ce42) Signed-off-by: Martin Storsjö --- libswscale/aarch64/yuv2rgb_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/aarch64/yuv2rgb_neon.S b/libswscale/aarch64/yuv2rgb_neon.S index b7446aa105..10bd1f7480 100644 --- a/libswscale/aarch64/yuv2rgb_neon.S +++ b/libswscale/aarch64/yuv2rgb_neon.S @@ -118,8 +118,8 @@ .endm .macro increment_yuv422p - add x6, x6, w7, UXTW // srcU += incU - add x13, x13, w14, UXTW // srcV += incV + add x6, x6, w7, SXTW // srcU += incU + add x13, x13, w14, SXTW // srcV += incV .endm .macro compute_rgba r1 g1 b1 a1 r2 g2 b2 a2 @@ -188,8 +188,8 @@ function ff_\ifmt\()_to_\ofmt\()_neon, export=1 st4 {v16.8B,v17.8B,v18.8B,v19.8B}, [x2], #32 subs w8, w8, #16 // width -= 16 b.gt 2b - add x2, x2, w3, UXTW // dst += padding - add x4, x4, w5, UXTW // srcY += paddingY + add x2, x2, w3, SXTW // dst += padding + add x4, x4, w5, SXTW // srcY += paddingY increment_\ifmt subs w1, w1, #1 // height -= 1 b.gt 1b From f442a376a1d9cde5a7bc31aca056b0c2a57e2a48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 10 Dec 2019 14:39:02 +0200 Subject: [PATCH 1319/1383] checkasm: float_dsp: Scale FLT/DBL_EPSILON sufficiently when comparing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As the values generated by av_bmg_get can be arbitrarily large (only the stddev is specified), we can't use a fixed tolerance. This matches what was done for test_vector_dmul_scalar in 38f966b2222db. This fixes the float_dsp checkasm test for some seeds, when built with clang for mingw/x86_32. Signed-off-by: Martin Storsjö (cherry picked from commit 8f70e261fa6ff1f3efda5dbcebf02dcf6dea13b4) Fixes ticket #10010 --- tests/checkasm/float_dsp.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/checkasm/float_dsp.c b/tests/checkasm/float_dsp.c index 2abe4eccbd..a1616a61a8 100644 --- a/tests/checkasm/float_dsp.c +++ b/tests/checkasm/float_dsp.c @@ -51,7 +51,8 @@ static void test_vector_fmul(const float *src0, const float *src1) call_ref(cdst, src0, src1, LEN); call_new(odst, src0, src1, LEN); for (i = 0; i < LEN; i++) { - if (!float_near_abs_eps(cdst[i], odst[i], FLT_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[i]) + fabs(src0[i] * src1[i]) + 1.0; + if (!float_near_abs_eps(cdst[i], odst[i], t * 2 * FLT_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); @@ -73,7 +74,8 @@ static void test_vector_dmul(const double *src0, const double *src1) call_ref(cdst, src0, src1, LEN); call_new(odst, src0, src1, LEN); for (i = 0; i < LEN; i++) { - if (!double_near_abs_eps(cdst[i], odst[i], DBL_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[i]) + fabs(src0[i] * src1[i]) + 1.0; + if (!double_near_abs_eps(cdst[i], odst[i], t * 2 * DBL_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); @@ -117,7 +119,8 @@ static void test_vector_fmul_scalar(const float *src0, const float *src1) call_ref(cdst, src0, src1[0], LEN); call_new(odst, src0, src1[0], LEN); for (i = 0; i < LEN; i++) { - if (!float_near_abs_eps(cdst[i], odst[i], FLT_EPSILON)) { + double t = fabs(src0[i]) + fabs(src1[0]) + fabs(src0[i] * src1[0]) + 1.0; + if (!float_near_abs_eps(cdst[i], odst[i], t * 2 * FLT_EPSILON)) { fprintf(stderr, "%d: %- .12f - %- .12f = % .12g\n", i, cdst[i], odst[i], cdst[i] - odst[i]); fail(); From a8a208b123e0704ff187b0dc21eeb63f440692aa Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 24 Nov 2022 20:00:18 -0300 Subject: [PATCH 1320/1383] avcodec/mjpegenc: take into account component count when writing the SOF header size Fixes ticket #10069 Signed-off-by: James Almer (cherry picked from commit 100939695307743396e30e6310d2ea9cf42f9aab) --- libavcodec/mjpegenc_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegenc_common.c b/libavcodec/mjpegenc_common.c index 31868c9bed..37c15367a4 100644 --- a/libavcodec/mjpegenc_common.c +++ b/libavcodec/mjpegenc_common.c @@ -275,7 +275,7 @@ void ff_mjpeg_encode_picture_header(AVCodecContext *avctx, PutBitContext *pb, default: av_assert0(0); } - put_bits(pb, 16, 17); + put_bits(pb, 16, 8 + 3 * components); if (lossless && ( avctx->pix_fmt == AV_PIX_FMT_BGR0 || avctx->pix_fmt == AV_PIX_FMT_BGRA || avctx->pix_fmt == AV_PIX_FMT_BGR24)) From 51efa68ec0b4f42b5b124b8987fb68f60a929c4f Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang Date: Tue, 15 Feb 2022 17:58:08 +0800 Subject: [PATCH 1321/1383] avcodec/vp3: Add missing check for av_malloc Since the av_malloc() may fail and return NULL pointer, it is needed that the 's->edge_emu_buffer' should be checked whether the new allocation is success. Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") Reviewed-by: Peter Ross Signed-off-by: Jiasheng Jiang (cherry picked from commit 656cb0450aeb73b25d7d26980af342b37ac4c568) --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 25d0bbb758..76d2ef70d6 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2136,8 +2136,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0) goto error; - if (!s->edge_emu_buffer) + if (!s->edge_emu_buffer) { s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); + if (!s->edge_emu_buffer) { + ret = AVERROR(ENOMEM); + goto error; + } + } if (s->keyframe) { if (!s->theora) { From 97c9af0cc9dae4c7bc4b08f700585ed9ecbe2aa4 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 12:49:21 +0200 Subject: [PATCH 1322/1383] avcodec/nvdec_mpeg2: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/nvdec_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvdec_mpeg12.c b/libavcodec/nvdec_mpeg12.c index 7293d50555..230d65d83a 100644 --- a/libavcodec/nvdec_mpeg12.c +++ b/libavcodec/nvdec_mpeg12.c @@ -76,8 +76,9 @@ static int nvdec_mpeg12_start_frame(AVCodecContext *avctx, const uint8_t *buffer }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } return 0; From ab9b4ea207120c565ca78b8fc304b6e2cd7f0cdf Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:33:18 +0200 Subject: [PATCH 1323/1383] avcodec/nvdec_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/nvdec_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/nvdec_mpeg4.c b/libavcodec/nvdec_mpeg4.c index 907af1391a..a3e2d27150 100644 --- a/libavcodec/nvdec_mpeg4.c +++ b/libavcodec/nvdec_mpeg4.c @@ -86,8 +86,9 @@ static int nvdec_mpeg4_start_frame(AVCodecContext *avctx, const uint8_t *buffer, }; for (i = 0; i < 64; ++i) { - ppc->QuantMatrixIntra[i] = s->intra_matrix[i]; - ppc->QuantMatrixInter[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + ppc->QuantMatrixIntra[i] = s->intra_matrix[n]; + ppc->QuantMatrixInter[i] = s->inter_matrix[n]; } // We need to pass the full frame buffer and not just the slice From 419248dd19f98e244e704641d010faa0b3cca4bb Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:13 +0200 Subject: [PATCH 1324/1383] avcodec/vdpau_mpeg12: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/vdpau_mpeg12.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vdpau_mpeg12.c b/libavcodec/vdpau_mpeg12.c index d286e7e57d..41b3fd8641 100644 --- a/libavcodec/vdpau_mpeg12.c +++ b/libavcodec/vdpau_mpeg12.c @@ -73,8 +73,9 @@ static int vdpau_mpeg_start_frame(AVCodecContext *avctx, info->f_code[1][0] = s->mpeg_f_code[1][0]; info->f_code[1][1] = s->mpeg_f_code[1][1]; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } return ff_vdpau_common_start_frame(pic_ctx, buffer, size); From d12e316dbd0375f3269a6ba8f3a09a11e6f65bd7 Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Mon, 15 May 2023 13:35:42 +0200 Subject: [PATCH 1325/1383] avcodec/vdpau_mpeg4: fix order of quant matrix coefficients The matrix coefficients are stored permutated for the IDCT, rather then in plain raster order, and need to be un-permutated for the hardware. --- libavcodec/vdpau_mpeg4.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/vdpau_mpeg4.c b/libavcodec/vdpau_mpeg4.c index 96f83026a8..5bf82dc9fa 100644 --- a/libavcodec/vdpau_mpeg4.c +++ b/libavcodec/vdpau_mpeg4.c @@ -74,8 +74,9 @@ static int vdpau_mpeg4_start_frame(AVCodecContext *avctx, info->alternate_vertical_scan_flag = s->alternate_scan; info->top_field_first = s->top_field_first; for (i = 0; i < 64; ++i) { - info->intra_quantizer_matrix[i] = s->intra_matrix[i]; - info->non_intra_quantizer_matrix[i] = s->inter_matrix[i]; + int n = s->idsp.idct_permutation[i]; + info->intra_quantizer_matrix[i] = s->intra_matrix[n]; + info->non_intra_quantizer_matrix[i] = s->inter_matrix[n]; } ff_vdpau_common_start_frame(pic_ctx, buffer, size); From 03758674e2657a61c0931df2c785f71a03712b49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:04:48 +0200 Subject: [PATCH 1326/1383] avcodec/ffv1dec: Fail earlier if prior context is corrupted Signed-off-by: Michael Niedermayer (cherry picked from commit 4df91e2215a79546a7f08faa457c05182646b302) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index dddfaed4d5..5700b1b4de 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -304,8 +304,11 @@ static int decode_slice(AVCodecContext *c, void *arg) } if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0) return ret; - if (f->cur->key_frame || fs->slice_reset_contexts) + if (f->cur->key_frame || fs->slice_reset_contexts) { ff_ffv1_clear_slice_state(f, fs); + } else if (fs->slice_damaged) { + return AVERROR_INVALIDDATA; + } width = fs->slice_width; height = fs->slice_height; From 0bc8a2c295aeee83330a5b45cf133e6149e8272d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:28:33 +0200 Subject: [PATCH 1327/1383] avcodec/speedhq: Check buf_size to be big enough for DC Fixes: Timeout Fixes: 51919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6023716480090112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9184d3d7b64459e975f26284a7b2e26cbf76480b) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index a3b0bc4649..27aab11903 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -426,6 +426,8 @@ static int speedhq_decode_frame(AVCodecContext *avctx, if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; + if (buf_size < avctx->width*avctx->height / 64 / 4) + return AVERROR_INVALIDDATA; quality = buf[0]; if (quality >= 100) { From 5da206d3a5b7ae869710cf0ffdf43af9cebfa77a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Nov 2022 20:00:38 +0100 Subject: [PATCH 1328/1383] swscale/output: Bias 16bps output calculations to improve non overflowing range Fixes: integer overflow Fixes: ./ffmpeg -f rawvideo -video_size 66x64 -pixel_format yuva420p10le -i ~/videos/overflow_input_w66h64.yuva420p10le -filter_complex "scale=flags=bicubic+full_chroma_int+full_chroma_inp+bitexact+accurate_rnd:in_color_matrix=bt2020:out_color_matrix=bt2020:in_range=full:out_range=full,format=rgba64[out]" -pixel_format rgba64 -map '[out]' -y overflow_w66h64.png Found-by: Drew Dunne Tested-by: Drew Dunne Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0afc7fb5d30c40108d81b320823d8f5c9fbedc) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 120 ++++++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index bf2e67e476..d07b48fe1a 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1047,8 +1047,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; // 21 - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); // 21 + Y2 += (1 << 13) - (1 << 29); // 8 bits: 17 + 13 bits = 30 bits, 16 bits: 17 + 13 bits = 30 bits R = V * c->yuv2rgb_v2r_coeff; @@ -1056,20 +1056,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1106,8 +1106,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1121,20 +1121,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1162,8 +1162,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; @@ -1177,20 +1177,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1208,8 +1208,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; @@ -1223,20 +1223,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1287,7 +1287,7 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, // 8bit: 27 -> 17bit, 16bit: 31 - 14 = 17bit Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; // 21 + Y += (1 << 13) - (1<<29); // 21 // 8bit: 17 + 13bit = 30bit, 16bit: 17 + 13bit = 30bit R = V * c->yuv2rgb_v2r_coeff; @@ -1295,9 +1295,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1335,7 +1335,7 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1347,9 +1347,9 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], A += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1378,7 +1378,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; @@ -1390,9 +1390,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1411,7 +1411,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; @@ -1423,9 +1423,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From ffeb46560fbc93315116f47021f0fea6f14fe1a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Oct 2022 23:28:59 +0200 Subject: [PATCH 1329/1383] avformat/replaygain: avoid undefined / negative abs Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int' Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2532b20b17ec557f1b925bfc41c00e7d4e17356c) Signed-off-by: Michael Niedermayer --- libavformat/replaygain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/replaygain.c b/libavformat/replaygain.c index 707d3cd4f1..01db483257 100644 --- a/libavformat/replaygain.c +++ b/libavformat/replaygain.c @@ -61,7 +61,7 @@ static int32_t parse_value(const char *value, int32_t min) } } - if (abs(db) > (INT32_MAX - mb) / 100000) + if (llabs(db) > (INT32_MAX - mb) / 100000) return min; return db * 100000 + sign * mb; From ae61a4ca68a76aac9def0652dab222a607c7b1fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Oct 2022 18:41:24 +0200 Subject: [PATCH 1330/1383] avcodec/alsdec: The minimal block is at least 7 bits Signed-off-by: Michael Niedermayer (cherry picked from commit 5280947fb6db37063334eae5b467cecd2417b063) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 6f3311356d..e37d4c33bc 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1016,7 +1016,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) *bd->shift_lsbs = 0; - if (get_bits_left(gb) < 1) + if (get_bits_left(gb) < 7) return AVERROR_INVALIDDATA; // read block type flag and read the samples accordingly From 1818f9f4dc4825a4434303358b636a5af3900265 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2022 23:10:02 +0100 Subject: [PATCH 1331/1383] swscale/input: Use more unsigned intermediates Same principle as previous commit, with sufficiently huge rgb2yuv table values this produces wrong results and undefined behavior. The unsigned produces the same incorrect results. That is probably ok as these cases with huge values seem not to occur in any real use case. Fixes: signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit ba209e3d5142fd31bb6c3e05c5b183118a278afc) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 172f5b2b0f..45806ac281 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -84,9 +84,9 @@ rgb64ToUV_half_c_template(uint16_t *dstU, uint16_t *dstV, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1==src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; - int g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; - int b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; + unsigned g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; dstU[i]= (ru*r + gu*g + bu*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; dstV[i]= (rv*r + gv*g + bv*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; @@ -156,9 +156,9 @@ static av_always_inline void rgb48ToUV_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = input_pixel(&src1[i * 3 + 0]); - int g = input_pixel(&src1[i * 3 + 1]); - int b_r = input_pixel(&src1[i * 3 + 2]); + unsigned r_b = input_pixel(&src1[i * 3 + 0]); + unsigned g = input_pixel(&src1[i * 3 + 1]); + unsigned b_r = input_pixel(&src1[i * 3 + 2]); dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; @@ -178,12 +178,12 @@ static av_always_inline void rgb48ToUV_half_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[6 * i + 0]) + - input_pixel(&src1[6 * i + 3]) + 1) >> 1; - int g = (input_pixel(&src1[6 * i + 1]) + - input_pixel(&src1[6 * i + 4]) + 1) >> 1; - int b_r = (input_pixel(&src1[6 * i + 2]) + - input_pixel(&src1[6 * i + 5]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[6 * i + 0]) + + input_pixel(&src1[6 * i + 3]) + 1) >> 1; + unsigned g = (input_pixel(&src1[6 * i + 1]) + + input_pixel(&src1[6 * i + 4]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[6 * i + 2]) + + input_pixel(&src1[6 * i + 5]) + 1) >> 1; dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; From 82dc3224b74d53a56e3a3bfe9bff5a3c1c6eaed5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Nov 2022 22:59:55 +0100 Subject: [PATCH 1332/1383] avcodec/mlpdec: Check max matrix instead of max channel in noise check This is a regression since: adaa06581c5444c94eef72d61b8166f096e2687a Before this, max_channel and max_matrix_channel where compared for equality Fixes: out of array access Fixes: 53340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-514959011885875 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa79560de5e9596ada0345e5d12aa00dbeddaaa6) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 3139a0172f..bbb6be0996 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -520,7 +520,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { + if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", From 6c4135ae350425074d6cebf978252c94419678f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Nov 2022 23:34:22 +0100 Subject: [PATCH 1333/1383] avcodec/ffv1dec: restructure slice coordinate reading a bit Fixes: signed integer overflow: -1094995528 * 8224 cannot be represented in type 'int' Fixes: 53508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-474551033462784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74b6ac7ebb5c1e06a5fdfa29f79a18599942dbfa) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 61 ++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5700b1b4de..0c6b545211 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -169,24 +169,31 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) RangeCoder *c = &fs->c; uint8_t state[CONTEXT_SIZE]; unsigned ps, i, context_count; + int sx, sy, sw, sh; + memset(state, 128, sizeof(state)); + sx = get_symbol(c, state, 0); + sy = get_symbol(c, state, 0); + sw = get_symbol(c, state, 0) + 1U; + sh = get_symbol(c, state, 0) + 1U; av_assert0(f->version > 2); - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width /f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) - return -1; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) - return -1; + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) + return AVERROR_INVALIDDATA; + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) + return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) return AVERROR_INVALIDDATA; @@ -773,21 +780,25 @@ static int read_header(FFV1Context *f) fs->slice_damaged = 0; if (f->version == 2) { - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; + int sx = get_symbol(c, state, 0); + int sy = get_symbol(c, state, 0); + int sw = get_symbol(c, state, 0) + 1U; + int sh = get_symbol(c, state, 0) + 1U; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || - (unsigned)fs->slice_height > f->height) + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) return AVERROR_INVALIDDATA; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); } for (i = 0; i < f->plane_count; i++) { From ba9e8fa53ae4da9cfefb9cd4e8d238579c4c6027 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2022 19:04:47 +0100 Subject: [PATCH 1334/1383] avformat/id3v2: Check taglen in read_uslt() Fixes: Timeout (read mostly the same data repeatly) Fixes: 52457/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-6610706313379840 Fixes: 53098/clusterfuzz-testcase-minimized-ffmpeg_dem_SOL_fuzzer-6481382981632000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a798af91d7d1fc31cfc1ae09cc6ab3907304f44f) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index b99ea60533..1fc28b67a4 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -376,10 +376,10 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, lang[3] = '\0'; taglen -= 3; - if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0) + if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0 || taglen < 0) goto error; - if (decode_str(s, pb, encoding, &text, &taglen) < 0) + if (decode_str(s, pb, encoding, &text, &taglen) < 0 || taglen < 0) goto error; // FFmpeg does not support hierarchical metadata, so concatenate the keys. From 662c3060b98467b1063172e79432e9a321339aa4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Dec 2022 17:55:09 +0100 Subject: [PATCH 1335/1383] avcodec/wavpack: Avoid undefined shift in get_tail() Fixes: left shift of 1208485947 by 1 places cannot be represented in type 'int' Fixes: 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8374a747af247d45eb466fcb4aee90f3ae798aad) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 8306ec020f..916a556346 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -95,7 +95,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k) e = (1 << (p + 1)) - k - 1; res = get_bitsz(gb, p); if (res >= e) - res = (res << 1) - e + get_bits1(gb); + res = res * 2U - e + get_bits1(gb); return res; } From cae611f86407ed7001437f59792f6ea18d3064da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Dec 2022 00:31:00 +0100 Subject: [PATCH 1336/1383] avcodec/sunrast: Fix maplength check Fixes: out of bounds read Found-by: Ibrahim Mohamed Reviewed-by; Ibrahim Mohamed Signed-off-by: Michael Niedermayer (cherry picked from commit f8a2a65078eaac37eae4a0d7ef440849a9d8f5b5) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index e1ec8a0832..991915fa62 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" @@ -75,6 +76,12 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if (maplength > 768) { + av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); + return AVERROR_INVALIDDATA; + } + + // This also checks depth to be valid switch (depth) { case 1: avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE; @@ -96,15 +103,23 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int ret = ff_set_dimensions(avctx, w, h); if (ret < 0) return ret; + // ensured by ff_set_dimensions() + av_assert0(w <= (INT32_MAX - 7) / depth); + /* scanlines are aligned on 16 bit boundaries */ len = (depth * w + 7) >> 3; alen = len + (len & 1); - if (buf_end - buf < maplength + (len * h) * 3 / 256) + // ensured by ff_set_dimensions() + av_assert0(h <= INT32_MAX / (3 * len)); + + // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check + if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -118,7 +133,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } else if (maplength) { unsigned int len = maplength / 3; - if (maplength % 3 || maplength > 768) { + if (maplength % 3) { av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); return AVERROR_INVALIDDATA; } From dd507e4c8f1596ae3d84eec2477532fef0d046df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jan 2023 20:03:40 +0100 Subject: [PATCH 1337/1383] avcodec/scpr: Test bx before use Fixes: out of array access on 32bit Fixes: 54850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5302669294305280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b59de3770b2e3f7f44ec4adba27c88b79adaaec) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 297fb315e2..a2d5bb6514 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -592,6 +592,9 @@ static int decompress_p(AVCodecContext *avctx, int run, z, bx = x * 16 + sx1, by = y * 16 + sy1; unsigned r, g, b, clr, ptype = 0; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value(s, s->op_model[ptype], 6, 1000, &ptype); if (ret < 0) From c23ef5b345887c3cd7c4a431881c4e8316e24426 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:05:55 +0100 Subject: [PATCH 1338/1383] avcodec/eatgq: : Check index increments in tgq_decode_block() Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7) Signed-off-by: Michael Niedermayer --- libavcodec/eatgq.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 1308c07cff..46bf226f6a 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -58,7 +58,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -66,6 +66,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; @@ -75,6 +77,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; @@ -102,6 +106,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, @@ -161,8 +166,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { From 306e38ae90a62a1cb68c5f6eed228e7f895f49c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jan 2023 01:01:36 +0100 Subject: [PATCH 1339/1383] avcodec/012v: Order operations for odd size handling Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4d42d82563d806b5610c0c91497e24ef7f37d4cf) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index b5a4066656..41d9e2708e 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); memcpy(y, y_temp, sizeof(*y) * (width - x)); - memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); - memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2)); + memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2)); } line_end += stride; From 9fc2c82006d4effcb74895cf034dcc64de4cf75d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jan 2023 00:32:44 +0100 Subject: [PATCH 1340/1383] avcodec/utils: use 32pixel alignment for bink bink supports 16x16 blocks in chroma planes thus we need to allocate enough. Fixes: out of array access Fixes: 55026/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6013915371012096 Reviewed-by: Peter Ross Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b95b2c8492fc1b52afd8fbe67b3be3cd518485d6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 60ed1b07df..98408ee617 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -252,6 +252,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRAP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height + if (s->codec_id == AV_CODEC_ID_BINKVIDEO) + w_align = 16*2; break; case AV_PIX_FMT_YUV411P: case AV_PIX_FMT_YUVJ411P: From ee9cec25662a8b15f7bb8e01eef0f617f14d4e8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jan 2023 23:36:12 +0100 Subject: [PATCH 1341/1383] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Fixes: 2.28595e+09 is outside the range of representable values of type 'int' Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f48d227c153fa6f0a2156f3e8d18ea1bfedf18d) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.h | 2 ++ libavcodec/eac3dec.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index f8f6a81f45..9737337806 100644 --- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -75,6 +75,7 @@ #define AC3_DYNAMIC_RANGE1 0 typedef int INTFLOAT; +typedef unsigned int UINTFLOAT; typedef int16_t SHORTFLOAT; #else /* USE_FIXED */ @@ -94,6 +95,7 @@ typedef int16_t SHORTFLOAT; #define AC3_DYNAMIC_RANGE1 1.0f typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float SHORTFLOAT; #endif /* USE_FIXED */ diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 73067ded9d..7558d787fb 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -145,9 +145,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); sscale *= 1.0 / (1<<23); + if (nscale < -1.0) + nscale = -1.0; #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { - float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); + UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state)); s->transform_coeffs[ch][bin] *= sscale; s->transform_coeffs[ch][bin++] += noise; } From 3b7a0e2b8f5c91e55b6be2beb9c75df585bffe9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Nov 2022 14:29:32 +0100 Subject: [PATCH 1342/1383] avcodec/pictordec: Remove mid exit branch This causes the RLE decoder to exit before applying the last RLE run All images i tested with are unchanged, this makes the special case for handling the last run unused for non truncated images. Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 88f0e05c72f0de0cae3d9f0c5644f1965632b641) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index b29a484534..42fbf9489b 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -223,8 +223,6 @@ static int decode_frame(AVCodecContext *avctx, run = bytestream2_get_le16(&s->g); val = bytestream2_get_byte(&s->g); } - if (!bytestream2_get_bytes_left(&s->g)) - break; if (bits_per_plane == 8) { picmemset_8bpp(s, frame, val, run, &x, &y); From 042e207e9b1bea4188a0941a8d5440fdc7f4bdef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Feb 2023 19:19:32 +0100 Subject: [PATCH 1343/1383] avformat/mov: Check samplesize and offset to avoid integer overflow Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 24c85e43bb..0e37b99c86 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3901,6 +3901,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; From d5eef2fb857ea1d36699612741ad135f6e702895 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Feb 2023 22:33:02 +0100 Subject: [PATCH 1344/1383] avcodec/ffv1dec: Check that num h/v slices is supported Fixes: out of array access Fixes: 55597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4898293416329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ead0ae68eb64ad325efafd686c434727f3d666a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 0c6b545211..69aa898521 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -478,6 +478,11 @@ static int read_extra_header(FFV1Context *f) return AVERROR_INVALIDDATA; } + if (f->num_h_slices > MAX_SLICES / f->num_v_slices) { + av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n"); + return AVERROR_PATCHWELCOME; + } + f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); From 205c8feeef4ed4ebf7786dabeb15466815d9a78d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:26:06 +0100 Subject: [PATCH 1345/1383] avcodec/pngdec: Check deloco index more exactly Fixes: out of array access: Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960 Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5bae704068dc37191280e024eecb8d02b762b28) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 62ecf45903..8e666f648c 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -309,7 +309,7 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \ { \ int i; \ - for (i = 0; i < size; i += 3 + alpha) { \ + for (i = 0; i < size - 2; i += 3 + alpha) { \ int g = dst [i + 1]; \ dst[i + 0] += g; \ dst[i + 2] += g; \ From fc682a1077d3c4dcce85180df1c7ead5d3f1f6c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 00:29:02 +0100 Subject: [PATCH 1346/1383] avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80 Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0150cd41c2d3c01050a6c4f3df1de511a217913) Signed-off-by: Michael Niedermayer --- libavcodec/videodsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 55123a5844..8743d725c6 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -60,7 +60,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, av_assert2(start_x < end_x && block_w); w = end_x - start_x; - src += start_y * src_linesize + start_x * sizeof(pixel); + src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel); buf += start_x * sizeof(pixel); // top @@ -83,7 +83,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, buf += buf_linesize; } - buf -= block_h * buf_linesize + start_x * sizeof(pixel); + buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel); while (block_h--) { pixel *bufp = (pixel *) buf; From ca1b6608f5f8eeb012089ce01498268b4fdefe99 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 18:59:16 +0100 Subject: [PATCH 1347/1383] avcodec/utils: allocate a line more for VC1 and WMV3 Fixes: out of array read on 32bit Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848 The chroma MC code reads over the currently allocated frame. Alternative fixes would be allocating a few bytes more at the end instead of a whole line extra or to adjust the threshold where the edge emu code is activated Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01636a63d452c592ece35af6f72bb7affcad58f2) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 98408ee617..3c8a240c67 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -325,6 +325,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 || s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A ) { From fd6043ac2813a19e0e34107d81264a7c9774bc55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 19:39:38 +0100 Subject: [PATCH 1348/1383] avcodec/utils: Ensure linesize for SVQ3 Fixes: Assertion block_w * sizeof(uint8_t) <= ((buf_linesize) >= 0 ? (buf_linesize) : (-(buf_linesize)) Fixes: 54861/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5352418248622080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4eef658ca59d3d6ba46ab52a36d7faf5fe820874) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 3c8a240c67..5266a652c7 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -339,6 +339,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, // the next rounded up width is 32 *width = FFMAX(*width, 32); } + if (s->codec_id == AV_CODEC_ID_SVQ3) { + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; From abe5bab7b52275a46cba33e65a0e0e30d135b854 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:42:23 +0100 Subject: [PATCH 1349/1383] avcodec/bink: Fix off by 1 error in ref end Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6657932926517248 Alterantivly to this it is possibly to allocate a bigger array Note: oss-fuzz assigned this issue to a unrelated theora bug so the bug number matches that Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49487045dde6f69194332aac51fd4e598e19c7b6) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index bc4fe7e163..d2ab4d29c9 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -838,7 +838,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8; + ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; From e82a3c05a4e9134da5487f0473e668910acda467 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:50:39 +0100 Subject: [PATCH 1350/1383] avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() Signed-off-by: Michael Niedermayer (cherry picked from commit ea9deafd3b13233802c4548c4c58a707d76805a3) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index d2ab4d29c9..6b9dba3112 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -838,7 +838,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; + ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; @@ -894,7 +894,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8*stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -910,7 +910,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -942,7 +942,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); From 3c982fc61c8a24d7b9f71c3900ae2e114a98b880 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 22:05:07 +0100 Subject: [PATCH 1351/1383] avcodec/xpmdec: Check size before allocation to avoid truncation Fixes:OOM Fixes:out of array access (no testcase) Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 95f0f84dae4f040d91f1e60dc5438612c58e8906) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 8aee89dd30..64f13e83f0 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -351,6 +351,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (size > SIZE_MAX / 4) + return AVERROR(ENOMEM); + size *= 4; ptr += mod_strcspn(ptr, ",") + 1; From d8e1d8063e609556fa9ee450d4a6494afb16c80f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 23:42:59 +0100 Subject: [PATCH 1352/1383] avcodec/motionpixels: Mask pixels to valid values Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac6eec1fc258efce219e4fccb84312a1b13a7a23) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 8750a4fa16..85b0056e48 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y) int color; color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2]; - return mp_rgb_yuv_table[color]; + return mp_rgb_yuv_table[color & 0x7FFF]; } static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p) From c02752bf7cc61503d7315d079569ba4c133927b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Feb 2023 20:24:26 +0100 Subject: [PATCH 1353/1383] Use https for repository links Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 011f30fc8205eff8e775d04afb98e02685cd8a7a) Signed-off-by: Michael Niedermayer --- CREDITS | 4 ++-- doc/authors.texi | 4 ++-- doc/git-howto.texi | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CREDITS b/CREDITS index e29f0b853c..f1aea93d6b 100644 --- a/CREDITS +++ b/CREDITS @@ -1,6 +1,6 @@ -See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to +See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to get the names of people who have contributed to FFmpeg. To check the log, you can type the command "git log" in the FFmpeg source directory, or browse the online repository at -http://source.ffmpeg.org. +https://git.ffmpeg.org/ffmpeg diff --git a/doc/authors.texi b/doc/authors.texi index 6c8c1d7efa..ce088392f8 100644 --- a/doc/authors.texi +++ b/doc/authors.texi @@ -3,9 +3,9 @@ The FFmpeg developers. For details about the authorship, see the Git history of the project -(git://source.ffmpeg.org/ffmpeg), e.g. by typing the command +(https://git.ffmpeg.org/ffmpeg), e.g. by typing the command @command{git log} in the FFmpeg source directory, or browsing the -online repository at @url{http://source.ffmpeg.org}. +online repository at @url{https://git.ffmpeg.org/ffmpeg}. Maintainers for the specific components are listed in the file @file{MAINTAINERS} in the source code tree. diff --git a/doc/git-howto.texi b/doc/git-howto.texi index bd26fcb259..a6723931ce 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it. @section Cloning the source tree @example -git clone git://source.ffmpeg.org/ffmpeg +git clone https://git.ffmpeg.org/ffmpeg.git @end example This will put the FFmpeg sources into the directory @var{}. From 31206a077fac6f69fb7676c8c2b66fbdbaaddb4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:25:04 +0100 Subject: [PATCH 1354/1383] avcodec/escape124: fix signdness of end of input check Fixes: Timeout Fixes: 56561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5560363635834880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87ad0a5dd7d12c91badc215c3b5d6745fa7acb02) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index cffd3e12b1..c6d90280ce 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,7 +88,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34) + if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) return cb; if (size >= INT_MAX / sizeof(MacroBlock)) From cff7e3636e698559d0d3cf3eb152ec176e3cf14c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:37:44 +0100 Subject: [PATCH 1355/1383] avcodec/escape124: Fix some return codes Signed-off-by: Michael Niedermayer (cherry picked from commit 98df605f7a8e80471a113f7beb0983c90aa84525) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c6d90280ce..50fa882255 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,11 +88,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) - return cb; - - if (size >= INT_MAX / sizeof(MacroBlock)) - return cb; cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1); if (!cb.blocks) return cb; @@ -226,7 +221,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) - return -1; + return AVERROR_INVALIDDATA; frame_flags = get_bits_long(&gb, 32); frame_size = get_bits_long(&gb, 32); @@ -277,9 +272,14 @@ static int escape124_decode_frame(AVCodecContext *avctx, } av_freep(&s->codebooks[i].blocks); + if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34) + return AVERROR_INVALIDDATA; + + if (cb_size >= INT_MAX / sizeof(MacroBlock)) + return AVERROR_INVALIDDATA; s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size); if (!s->codebooks[i].blocks) - return -1; + return AVERROR(ENOMEM); } } From 55d2d09a1eb47e0b8e6eb27b1458191dfc3a59a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Mar 2023 19:07:47 +0100 Subject: [PATCH 1356/1383] avcodec/tests/snowenc: unbreak DWT tests the IDWT data type mismatched current code Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3351bbead47f7f306621b45c8f2391b6bd23d2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index d5f94e8a61..4d9c12947b 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -31,6 +31,7 @@ int main(void){ #define width 256 #define height 256 int buffer[2][width*height]; + short obuffer[width*height]; SnowContext s; int i; AVLFG prng; @@ -49,24 +50,28 @@ int main(void){ printf("testing 5/3 DWT\n"); for(i=0; i20) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); { int level, orientation, x, y; @@ -87,12 +92,12 @@ int main(void){ if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; - memset(buffer[0], 0, sizeof(int)*width*height); + memset(obuffer, 0, sizeof(short)*width*height); buf[w/2 + h/2*stride]= 256*256; - ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); + ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Fri, 24 Mar 2023 00:18:06 +0100 Subject: [PATCH 1357/1383] avcodec/snowenc: Fix visual weight calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 5b5fcadea059ab458a886261a5b7a1cc134b517a) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 8 ++++++-- tests/ref/seek/vsynth_lena-snow | 28 +++++++++++++------------- tests/ref/vsynth/vsynth1-snow | 8 ++++---- tests/ref/vsynth/vsynth1-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth2-snow | 8 ++++---- tests/ref/vsynth/vsynth2-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow-hpel | 8 ++++---- 8 files changed, 44 insertions(+), 40 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 75051dc87e..5abbade81f 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -1543,10 +1543,10 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ int level, orientation, x, y; for(level=0; levelspatial_decomposition_count; level++){ + int64_t error=0; for(orientation=level ? 1 : 0; orientation<4; orientation++){ SubBand *b= &p->band[level][orientation]; IDWTELEM *ibuf= b->ibuf; - int64_t error=0; memset(s->spatial_idwt_buffer, 0, sizeof(*s->spatial_idwt_buffer)*width*height); ibuf[b->width/2 + b->height/2*b->stride]= 256*16; @@ -1557,9 +1557,13 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ error += d*d; } } - + if (orientation == 2) + error /= 2; b->qlog= (int)(QROOT * log2(352256.0/sqrt(error)) + 0.5); + if (orientation != 1) + error = 0; } + p->band[level][1].qlog = p->band[level][2].qlog; } } diff --git a/tests/ref/seek/vsynth_lena-snow b/tests/ref/seek/vsynth_lena-snow index 33d6c27463..b2d2d22cda 100644 --- a/tests/ref/seek/vsynth_lena-snow +++ b/tests/ref/seek/vsynth_lena-snow @@ -2,45 +2,45 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret: 0 st: 0 flags:0 ts:-0.040000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:1 ts: 0.200839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:0 ts:-0.920000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-snow b/tests/ref/vsynth/vsynth1-snow index f20abd2ee4..b0e3a0bfd7 100644 --- a/tests/ref/vsynth/vsynth1-snow +++ b/tests/ref/vsynth/vsynth1-snow @@ -1,4 +1,4 @@ -67c10f8d52fcd1103caa675a1408bf6e *tests/data/fate/vsynth1-snow.avi -136088 tests/data/fate/vsynth1-snow.avi -bfc0bcc4bc7b956933aa58acc587018d *tests/data/fate/vsynth1-snow.out.rawvideo -stddev: 22.77 PSNR: 20.98 MAXDIFF: 175 bytes: 7603200/ 7603200 +c4c77a6fb926b89fe6591c398f5cd4db *tests/data/fate/vsynth1-snow.avi +136160 tests/data/fate/vsynth1-snow.avi +dcf8b3f62d9c3ae2b2d0fbbacbf83e4e *tests/data/fate/vsynth1-snow.out.rawvideo +stddev: 22.74 PSNR: 20.99 MAXDIFF: 173 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-snow-hpel b/tests/ref/vsynth/vsynth1-snow-hpel index 39780ad8a2..72b082b2ce 100644 --- a/tests/ref/vsynth/vsynth1-snow-hpel +++ b/tests/ref/vsynth/vsynth1-snow-hpel @@ -1,4 +1,4 @@ -e62ae25d5040d04622a965bcb27fdb1e *tests/data/fate/vsynth1-snow-hpel.avi -138446 tests/data/fate/vsynth1-snow-hpel.avi -57c914cd150f8fc260b5989ce3e5884c *tests/data/fate/vsynth1-snow-hpel.out.rawvideo -stddev: 22.74 PSNR: 20.99 MAXDIFF: 172 bytes: 7603200/ 7603200 +5c9eb93646eb0e5570d37e9adc9625e4 *tests/data/fate/vsynth1-snow-hpel.avi +138580 tests/data/fate/vsynth1-snow-hpel.avi +3382bdde624d8bb4af206a5ac6614605 *tests/data/fate/vsynth1-snow-hpel.out.rawvideo +stddev: 22.71 PSNR: 21.00 MAXDIFF: 171 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow b/tests/ref/vsynth/vsynth2-snow index e9607bb7d0..355f89d5f4 100644 --- a/tests/ref/vsynth/vsynth2-snow +++ b/tests/ref/vsynth/vsynth2-snow @@ -1,4 +1,4 @@ -0a41e73ddd2f54936490655b46dad4a3 *tests/data/fate/vsynth2-snow.avi -72868 tests/data/fate/vsynth2-snow.avi -34a75f5cf8a71159f1a572d9cedcfef9 *tests/data/fate/vsynth2-snow.out.rawvideo -stddev: 13.73 PSNR: 25.37 MAXDIFF: 162 bytes: 7603200/ 7603200 +5e130d6a48b69348eee7f7c76c5869a3 *tests/data/fate/vsynth2-snow.avi +72942 tests/data/fate/vsynth2-snow.avi +9b6cee60e3ec0d1f312a8a25a7878fcc *tests/data/fate/vsynth2-snow.out.rawvideo +stddev: 13.39 PSNR: 25.59 MAXDIFF: 154 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow-hpel b/tests/ref/vsynth/vsynth2-snow-hpel index 66839fd6f6..ec3b5dfad2 100644 --- a/tests/ref/vsynth/vsynth2-snow-hpel +++ b/tests/ref/vsynth/vsynth2-snow-hpel @@ -1,4 +1,4 @@ -9bc409e4794ee50691a26c9c836d31a7 *tests/data/fate/vsynth2-snow-hpel.avi -79728 tests/data/fate/vsynth2-snow-hpel.avi -2cc64d8171175a1532fd7d3ed3011fbf *tests/data/fate/vsynth2-snow-hpel.out.rawvideo -stddev: 13.70 PSNR: 25.39 MAXDIFF: 162 bytes: 7603200/ 7603200 +8edcf0fd7f066972ff77d5b891ed6dde *tests/data/fate/vsynth2-snow-hpel.avi +79798 tests/data/fate/vsynth2-snow-hpel.avi +7e0f2a24feda6fb3e54b85511a28c45f *tests/data/fate/vsynth2-snow-hpel.out.rawvideo +stddev: 13.35 PSNR: 25.62 MAXDIFF: 157 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow b/tests/ref/vsynth/vsynth_lena-snow index ec29a78483..582c294531 100644 --- a/tests/ref/vsynth/vsynth_lena-snow +++ b/tests/ref/vsynth/vsynth_lena-snow @@ -1,4 +1,4 @@ -8e96f337e8f4ccac7d72ef517e1d2208 *tests/data/fate/vsynth_lena-snow.avi -57680 tests/data/fate/vsynth_lena-snow.avi -90963cfd2359d460001c94d94256dc2b *tests/data/fate/vsynth_lena-snow.out.rawvideo -stddev: 10.48 PSNR: 27.72 MAXDIFF: 119 bytes: 7603200/ 7603200 +bf2cf9cacc1d98388798be98872049ee *tests/data/fate/vsynth_lena-snow.avi +57604 tests/data/fate/vsynth_lena-snow.avi +707a42eb20195913be55ba8dfadf72fb *tests/data/fate/vsynth_lena-snow.out.rawvideo +stddev: 10.37 PSNR: 27.81 MAXDIFF: 120 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow-hpel b/tests/ref/vsynth/vsynth_lena-snow-hpel index 2d6edd8a79..67effebc8a 100644 --- a/tests/ref/vsynth/vsynth_lena-snow-hpel +++ b/tests/ref/vsynth/vsynth_lena-snow-hpel @@ -1,4 +1,4 @@ -56b14cb1cbb637536233982e87f7ac3e *tests/data/fate/vsynth_lena-snow-hpel.avi -61764 tests/data/fate/vsynth_lena-snow-hpel.avi -244b0266127fa354d8485234b2c388e4 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo -stddev: 10.45 PSNR: 27.74 MAXDIFF: 119 bytes: 7603200/ 7603200 +c6ec87a11415a99b1a781f9f5bacb722 *tests/data/fate/vsynth_lena-snow-hpel.avi +61814 tests/data/fate/vsynth_lena-snow-hpel.avi +40f330397b7acf6bdbb3ec6d908be451 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo +stddev: 10.34 PSNR: 27.83 MAXDIFF: 118 bytes: 7603200/ 7603200 From 75c8967329b42b3b1d83ac87950ae793547d47d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:31:40 +0100 Subject: [PATCH 1358/1383] avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches Signed-off-by: Michael Niedermayer (cherry picked from commit 771c266c0be29e6a1001fbd6795dd343147da1f2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index 4d9c12947b..b484f3a145 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -37,6 +37,7 @@ int main(void){ AVLFG prng; s.spatial_decomposition_count=6; s.spatial_decomposition_type=1; + int ret = 0; s.temp_dwt_buffer = av_mallocz_array(width, sizeof(DWTELEM)); s.temp_idwt_buffer = av_mallocz_array(width, sizeof(IDWTELEM)); @@ -58,7 +59,10 @@ int main(void){ ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(i=0; i20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) { + printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + ret = 1; + } { int level, orientation, x, y; @@ -148,5 +155,5 @@ int main(void){ } } - return 0; + return ret; } From b06620b9be2aa7bbb3a99812ca11879521718e03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:48:56 +0100 Subject: [PATCH 1359/1383] avcodec/tests/snowenc: Fix 2nd test (cherry picked from commit 163013c72452621624f634c706824c77222b77c5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index b484f3a145..65699158ca 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -93,14 +93,14 @@ int main(void){ int w= width >> (s.spatial_decomposition_count-level); int h= height >> (s.spatial_decomposition_count-level); int stride= width << (s.spatial_decomposition_count-level); - DWTELEM *buf= buffer[0]; + IDWTELEM *buf= obuffer; int64_t error=0; if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; memset(obuffer, 0, sizeof(short)*width*height); - buf[w/2 + h/2*stride]= 256*256; + buf[w/2 + h/2*stride]= 8*256; ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Sun, 1 Jan 2023 00:00:00 +0100 Subject: [PATCH 1360/1383] configure: update copyright year (cherry picked from commit 62da0b4a741a064f118a0eece496d6bcc437ec91) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index e317ca54ce..d2b65d25de 100755 --- a/configure +++ b/configure @@ -7243,7 +7243,7 @@ cat > $TMPH < Date: Sun, 26 Mar 2023 21:34:03 +0200 Subject: [PATCH 1361/1383] avcodec/g729postfilter: Limit shift in long term filter Fixes: shift exponent 34 is too large for 32-bit type 'int' Fixes: 57389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6229522659016704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1d8609ac1054017ea3d11b325ed94a1205e9fd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 617744ec8e..668177c843 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -350,7 +350,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, if (tmp > 0) L_temp0 >>= tmp; else - L_temp1 >>= -tmp; + L_temp1 >>= FFMIN(-tmp, 31); /* Check if longer filter increases the values of R'(k). */ if (L_temp1 > L_temp0) { From d82fb8b68957df10a036082eb8b7fe757af956f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Mar 2023 22:35:50 +0200 Subject: [PATCH 1362/1383] avcodec/vp3: Check width to avoid assertion failure Fixes: Assertion failure on x86-32 av_assert2(block_w * sizeof(pixel) <= FFABS(buf_linesize)); in ff_emulated_edge_mc() Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dab1cd2dc0471d497f481736059b2023c5b7986a) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 76d2ef70d6..b13b934719 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1782,6 +1782,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) s->avctx = avctx; s->width = FFALIGN(avctx->coded_width, 16); s->height = FFALIGN(avctx->coded_height, 16); + if (s->width < 18) + return AVERROR_PATCHWELCOME; if (avctx->codec_id != AV_CODEC_ID_THEORA) avctx->pix_fmt = AV_PIX_FMT_YUV420P; avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; @@ -2352,7 +2354,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) /* sanity check */ if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || visible_width + offset_x > s->width || - visible_height + offset_y > s->height) { + visible_height + offset_y > s->height || + visible_width < 18 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", visible_width, visible_height, offset_x, offset_y, @@ -2398,6 +2402,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) } else avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (s->width < 18) + return AVERROR_PATCHWELCOME; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From 008e01a2de4a01b81bb99535a1d81bb48e140ec0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:15:36 +0200 Subject: [PATCH 1363/1383] avcodec/j2kenc: fix 5/3 DWT identifer Signed-off-by: Michael Niedermayer (cherry picked from commit f6955b6df4b599ff5604e82987b96957414f8dd5) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index e91d932bb7..434c93f712 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1229,7 +1229,7 @@ static const AVOption options[] = { { "tile_height", "Tile Height", OFFSET(tile_height), AV_OPT_TYPE_INT, { .i64 = 256 }, 1, 1<<30, VE, }, { "pred", "DWT Type", OFFSET(pred), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, "pred" }, { "dwt97int", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, - { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, + { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, INT_MIN, INT_MAX, VE, "pred" }, { NULL } }; From 78efab9bedea3fefbaac9d66e5fd18df602241fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:18:05 +0200 Subject: [PATCH 1364/1383] avcodec/j2kenc: remove misleading pred value This field is only checked for being 0 or not and not zero means 5/3 Signed-off-by: Michael Niedermayer (cherry picked from commit 0adb375377f369b69b24d86bbfe674b7693ccf3c) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 434c93f712..1931def765 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1151,7 +1151,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && (s->pred != FF_DWT97_INT || s->format != CODEC_JP2)) { av_log(s->avctx, AV_LOG_WARNING, "Forcing lossless jp2 for pal8\n"); - s->pred = FF_DWT97_INT; + s->pred = 1; s->format = CODEC_JP2; } From a6676288e468cc7d2b3fee633432b39e6bba881b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:57:56 +0200 Subject: [PATCH 1365/1383] avcodec/j2kenc: Replace RGB24 special case by generic test This fixes RGB48 with libavcodec as decoder Signed-off-by: Michael Niedermayer (cherry picked from commit ad4d647591dbd953a5cf3a32a779ee5e42465bbb) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index 1931def765..df55c9c62e 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1003,6 +1003,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, int tileno, ret; Jpeg2000EncoderContext *s = avctx->priv_data; uint8_t *chunkstart, *jp2cstart, *jp2hstart; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); if ((ret = ff_alloc_packet2(avctx, pkt, avctx->width*avctx->height*9 + AV_INPUT_BUFFER_MIN_SIZE, 0)) < 0) return ret; @@ -1055,7 +1056,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream_put_byte(&s->buf, 1); bytestream_put_byte(&s->buf, 0); bytestream_put_byte(&s->buf, 0); - if (avctx->pix_fmt == AV_PIX_FMT_RGB24 || avctx->pix_fmt == AV_PIX_FMT_PAL8) { + if ((desc->flags & AV_PIX_FMT_FLAG_RGB) || avctx->pix_fmt == AV_PIX_FMT_PAL8) { bytestream_put_be32(&s->buf, 16); } else if (s->ncomponents == 1) { bytestream_put_be32(&s->buf, 17); From 17163b57bd5c057d92b061885457b629dec73d6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 13:18:42 +0200 Subject: [PATCH 1366/1383] avcodec/huffyuvdec: Fix undefined behavior with shift Fixes: left shift of negative value -1 Fixes: 57554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFVHUFF_fuzzer-4853603839115264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27e7857bd1127974ffe1512293abee83b1035194) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index f6a51c3320..4b8bc5b858 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -691,9 +691,9 @@ static void decode_422_bitstream(HYuvContext *s, int count) /* TODO instead of restarting the read when the code isn't in the first level * of the joint table, jump into the 2nd level of the individual table. */ #define READ_2PIX_PLANE16(dst0, dst1, plane){\ - dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst0 += get_bits(&s->gb, 2);\ - dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst1 += get_bits(&s->gb, 2);\ } static void decode_plane_bitstream(HYuvContext *s, int width, int plane) From c536ee212a4db70803fcc517d804e5641ef3c13f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 15:18:55 +0200 Subject: [PATCH 1367/1383] avcodec/escape124: Check that blocks are allocated before use Fixes: NULL pointer dereference Fixes: 57819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5077280228769792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5366ae12b9ba60404822f6b39b41f6c0d98a7c8a) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 50fa882255..5e4e57bf90 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -157,7 +157,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb, // This condition can occur with invalid bitstreams and // *codebook_index == 2 - if (block_index >= s->codebooks[*codebook_index].size) + if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks) return (MacroBlock) { { 0 } }; return s->codebooks[*codebook_index].blocks[block_index]; From 161740d99ffc40e649a1ae07e20e08b087ae6b60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:14 +0100 Subject: [PATCH 1368/1383] libavcodec/lcldec: width and height should not be unsigned Computations like col < width - 3 will not work with unsigned width=1 Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb4e28c26c3bce608214f392ab1fe6ee28ec1df) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 104defa5f5..ed87e6179b 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -166,8 +166,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int row, col; unsigned char *encoded = avpkt->data, *outptr; uint8_t *y_out, *u_out, *v_out; - unsigned int width = avctx->width; // Real image width - unsigned int height = avctx->height; // Real image height + int width = avctx->width; // Real image width + int height = avctx->height; // Real image height unsigned int mszh_dlen; unsigned char yq, y1q, uq, vq; int uqvq, ret; From 60b30ede0596fe9c412480dfae3665534900e40b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:15 +0100 Subject: [PATCH 1369/1383] avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width Fixes: Ticket10240 Fixes: zlib_306_306_yuv422.avi Fixes: zlib_306_306_yuv411.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 0cf1ac905d2d97355a389c3baa4e132824b29f21) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index ed87e6179b..97813b0e00 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -399,6 +399,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac v_out[ col >> 1 ] = *encoded++ + 128; v_out[(col >> 1) + 1] = *encoded++ + 128; } + if (col && col < width) { + u_out[ col >> 1 ] = u_out[(col>>1) - 1]; + v_out[ col >> 1 ] = v_out[(col>>1) - 1]; + } + y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -420,6 +425,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac u_out[col >> 2] = *encoded++ + 128; v_out[col >> 2] = *encoded++ + 128; } + if (col && col < width) { + u_out[col >> 2] = u_out[(col>>2) - 1]; + v_out[col >> 2] = v_out[(col>>2) - 1]; + } y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -477,6 +486,7 @@ static av_cold int decode_init(AVCodecContext *avctx) FFALIGN(avctx->height, 4); unsigned int max_decomp_size; int subsample_h, subsample_v; + int partial_h_supported = 0; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); @@ -498,14 +508,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n"); break; case IMGTYPE_YUV422: - c->decomp_size = basesize * 2; + c->decomp_size = (avctx->width & ~3) * avctx->height * 2; max_decomp_size = max_basesize * 2; avctx->pix_fmt = AV_PIX_FMT_YUV422P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n"); - if (avctx->width % 4) { - avpriv_request_sample(avctx, "Unsupported dimensions"); - return AVERROR_INVALIDDATA; - } + partial_h_supported = 1; break; case IMGTYPE_RGB24: c->decomp_size = basesize * 3; @@ -514,10 +521,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); break; case IMGTYPE_YUV411: - c->decomp_size = basesize / 2 * 3; + c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3; max_decomp_size = max_basesize / 2 * 3; avctx->pix_fmt = AV_PIX_FMT_YUV411P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n"); + partial_h_supported = 1; break; case IMGTYPE_YUV211: c->decomp_size = basesize * 2; @@ -537,7 +545,7 @@ static av_cold int decode_init(AVCodecContext *avctx) } av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v); - if (avctx->width % (1<height % (1<width % (1<height % (1< Date: Thu, 9 Mar 2023 13:57:17 +0100 Subject: [PATCH 1370/1383] avcodec/lcldec: More space for rgb24 Fixes: Ticket 10239 Fixes: zlib_306_306_rgb24.av Signed-off-by: Michael Niedermayer (cherry picked from commit e2c3aa8e2b800c5b860315277b3ea426b8b23393) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 97813b0e00..c29a884701 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -148,6 +148,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i if (expected != (unsigned int)c->zstream.total_out) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", expected, c->zstream.total_out); + if (expected > (unsigned int)c->zstream.total_out) + return (unsigned int)c->zstream.total_out; return AVERROR_UNKNOWN; } return c->zstream.total_out; @@ -274,12 +276,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen, mthread_outlen, mthread_outlen); if (ret < 0) return ret; + len = c->decomp_size; } else { int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size); if (ret < 0) return ret; + len = ret; } encoded = c->decomp_buf; - len = c->decomp_size; break; #endif default: @@ -515,7 +518,7 @@ static av_cold int decode_init(AVCodecContext *avctx) partial_h_supported = 1; break; case IMGTYPE_RGB24: - c->decomp_size = basesize * 3; + c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height; max_decomp_size = max_basesize * 3; avctx->pix_fmt = AV_PIX_FMT_BGR24; av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); From 67128a952c88227bf2b2db2337b50bc403568aa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2023 22:48:46 +0100 Subject: [PATCH 1371/1383] avcodec/g2meet: Replace fake allocation avoidance for framebuf framebuf is only allocated when the new width/height are larger than the old but nothing sets the old so its always allocated. Use av_fast_mallocz() instead. Fixes: Timeout Fixes: 55094/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5116909932904448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38adbc6eebd7f2f34ecf1b0b18019e88bad9d9f4) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 7ef275c9fe..5856d51783 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -143,7 +143,8 @@ typedef struct G2MContext { int got_header; uint8_t *framebuf; - int framebuf_stride, old_width, old_height; + int framebuf_stride; + unsigned int framebuf_allocated; uint8_t *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base; int tile_stride, epic_buf_stride, old_tile_w, old_tile_h; @@ -1179,14 +1180,13 @@ static int g2m_init_buffers(G2MContext *c) { int aligned_height; - if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { - c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; - aligned_height = c->height + 15; - av_free(c->framebuf); - c->framebuf = av_mallocz_array(c->framebuf_stride, aligned_height); - if (!c->framebuf) - return AVERROR(ENOMEM); - } + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; + aligned_height = c->height + 15; + + av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height); + if (!c->framebuf) + return AVERROR(ENOMEM); + if (!c->synth_tile || !c->jpeg_tile || (c->compression == 2 && !c->epic_buf_base) || c->old_tile_w < c->tile_width || @@ -1638,6 +1638,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx) av_freep(&c->jpeg_tile); av_freep(&c->cursor); av_freep(&c->framebuf); + c->framebuf_allocated = 0; return 0; } From 4443cdbc92d36d65fedfdb709a8cf74bef6a64e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Feb 2023 22:49:01 +0100 Subject: [PATCH 1372/1383] avcodec/vorbisdec: Check codebook float values to be finite Fixes: Timeout Fixes: 55116/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-4572159970508800 Signed-off-by: Michael Niedermayer (cherry picked from commit cadd7e7a7589b5c118ad1648a09c629a6b65a3be) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index be6d1b2d21..c748aa574f 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc) unsigned codebook_value_bits = get_bits(gb, 4) + 1; unsigned codebook_sequence_p = get_bits1(gb); + if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) { + ret = AVERROR_INVALIDDATA; + goto error; + } ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n", codebook_lookup_values); ff_dlog(NULL, " delta %f minmum %f \n", From a207fbcdff47394761dcae94fee65ed45cbc5e50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 15:06:59 +0200 Subject: [PATCH 1373/1383] avcodec/pngdec: Do not pass AVFrame into global header decode The global header should not contain a frame, and decoding it would result in leaks Fixes: memleak Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-6603443149340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d31d4f32283f765c79d6e127d31ee2c37a0acef7) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 8e666f648c..6de80f6314 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -621,6 +621,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; + if (!p) + return AVERROR_INVALIDDATA; if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; @@ -1295,6 +1297,8 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('i', 'C', 'C', 'P'): { + if (!p) + return AVERROR_INVALIDDATA; if ((ret = decode_iccp_chunk(s, length, p)) < 0) goto fail; break; @@ -1353,6 +1357,9 @@ skip_tag: } exit_loop: + if (!p) + return AVERROR_INVALIDDATA; + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { return 0; @@ -1499,7 +1506,7 @@ static int decode_frame_apng(AVCodecContext *avctx, s->zstream.zfree = ff_png_zfree; bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size); - if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) + if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0) goto end; } From 1cf4afaeab9d192154de7bdd484683c3cbd38f41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 16:56:40 +0200 Subject: [PATCH 1374/1383] avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5124452659888128 Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6362836707442688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 34056a94eab5f8fbc7e0b8510f7c9851931f23b7) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5266a652c7..d70320d09d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -319,7 +319,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } if (s->codec_id == AV_CODEC_ID_IFF_ILBM) { - w_align = FFMAX(w_align, 8); + w_align = FFMAX(w_align, 16); } *width = FFALIGN(*width, w_align); From bb34d18e33e17c15f9188b7d2a587d85ee5166c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 17:34:16 +0200 Subject: [PATCH 1375/1383] avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6682195323650048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19b66b89da4b4ff086dc1fc79bbf540e82bdbcb4) Signed-off-by: Michael Niedermayer --- libavcodec/tak.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tak.c b/libavcodec/tak.c index 8aa956b661..7989afbd97 100644 --- a/libavcodec/tak.c +++ b/libavcodec/tak.c @@ -167,6 +167,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb, if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA) return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 24) + return AVERROR_INVALIDDATA; + skip_bits(gb, 24); return 0; From 4e377ec8dcd1e93be630b1e15815e935e47e55f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 00:51:38 +0100 Subject: [PATCH 1376/1383] avformat/wavdec: Check that smv block fits in available space Fixes: OOM Fixes: 56271/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5290810045497344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76efafdb9be966ae3ad52b32370dc644dd582bf) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 4d2524f126..396ec30dab 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -647,6 +647,10 @@ smv_retry: goto smv_out; } size = avio_rl24(s->pb); + if (size > wav->smv_block_size) { + ret = AVERROR_EOF; + goto smv_out; + } ret = av_get_packet(s->pb, pkt, size); if (ret < 0) goto smv_out; From e14e7579f9db93753cb83fa13d81ff5ba496454f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 May 2023 00:08:19 +0200 Subject: [PATCH 1377/1383] Update for 4.1.11 Signed-off-by: Michael Niedermayer --- Changelog | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 63 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 239db874e2..37ec018b32 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,67 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.1.11: + avformat/wavdec: Check that smv block fits in available space + avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() + avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated + avcodec/pngdec: Do not pass AVFrame into global header decode + avcodec/vorbisdec: Check codebook float values to be finite + avcodec/g2meet: Replace fake allocation avoidance for framebuf + avcodec/lcldec: More space for rgb24 + avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width + libavcodec/lcldec: width and height should not be unsigned + avcodec/escape124: Check that blocks are allocated before use + avcodec/huffyuvdec: Fix undefined behavior with shift + avcodec/j2kenc: Replace RGB24 special case by generic test + avcodec/j2kenc: remove misleading pred value + avcodec/j2kenc: fix 5/3 DWT identifer + avcodec/vp3: Check width to avoid assertion failure + avcodec/g729postfilter: Limit shift in long term filter + configure: update copyright year + avcodec/tests/snowenc: Fix 2nd test + avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches + avcodec/snowenc: Fix visual weight calculation + avcodec/tests/snowenc: unbreak DWT tests + avcodec/escape124: Fix some return codes + avcodec/escape124: fix signdness of end of input check + Use https for repository links + avcodec/motionpixels: Mask pixels to valid values + avcodec/xpmdec: Check size before allocation to avoid truncation + avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() + avcodec/bink: Fix off by 1 error in ref end + avcodec/utils: Ensure linesize for SVQ3 + avcodec/utils: allocate a line more for VC1 and WMV3 + avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things + avcodec/pngdec: Check deloco index more exactly + avcodec/ffv1dec: Check that num h/v slices is supported + avformat/mov: Check samplesize and offset to avoid integer overflow + avcodec/pictordec: Remove mid exit branch + avcodec/eac3dec: avoid float noise in fixed mode addition to overflow + avcodec/utils: use 32pixel alignment for bink + avcodec/012v: Order operations for odd size handling + avcodec/eatgq: : Check index increments in tgq_decode_block() + avcodec/scpr: Test bx before use + avcodec/sunrast: Fix maplength check + avcodec/wavpack: Avoid undefined shift in get_tail() + avformat/id3v2: Check taglen in read_uslt() + avcodec/ffv1dec: restructure slice coordinate reading a bit + avcodec/mlpdec: Check max matrix instead of max channel in noise check + swscale/input: Use more unsigned intermediates + avcodec/alsdec: The minimal block is at least 7 bits + avformat/replaygain: avoid undefined / negative abs + swscale/output: Bias 16bps output calculations to improve non overflowing range + avcodec/speedhq: Check buf_size to be big enough for DC + avcodec/ffv1dec: Fail earlier if prior context is corrupted + (origin/release/4.1) avcodec/vdpau_mpeg4: fix order of quant matrix coefficients + avcodec/vdpau_mpeg12: fix order of quant matrix coefficients + avcodec/nvdec_mpeg4: fix order of quant matrix coefficients + avcodec/nvdec_mpeg2: fix order of quant matrix coefficients + avcodec/vp3: Add missing check for av_malloc + avcodec/mjpegenc: take into account component count when writing the SOF header size + checkasm: float_dsp: Scale FLT/DBL_EPSILON sufficiently when comparing + swscale: aarch64: Fix yuv2rgb with negative strides + version 4.1.10: avcodec/dstdec: Check for overflow in build_filter() avformat/spdifdec: Use 64bit to compute bit rate diff --git a/RELEASE b/RELEASE index 5d30083e95..152e4522ca 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.1.10 +4.1.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index db0452e1ee..78b73a03e5 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.1.10 +PROJECT_NUMBER = 4.1.11 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 08f0a18c3488b2fb8297ebba3684792da8a6606e Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang Date: Wed, 23 Feb 2022 10:31:59 +0800 Subject: [PATCH 1378/1383] avformat/nutdec: Add check for avformat_new_stream Check for failure of avformat_new_stream() and propagate the error code. Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 7bde16be9c..23a7ba04b1 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -358,8 +358,12 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR(ENOMEM); goto fail; } - for (i = 0; i < stream_count; i++) - avformat_new_stream(s, NULL); + for (i = 0; i < stream_count; i++) { + if (!avformat_new_stream(s, NULL)) { + ret = AVERROR(ENOMEM); + goto fail; + } + } return 0; fail: @@ -805,19 +809,23 @@ static int nut_read_header(AVFormatContext *s) NUTContext *nut = s->priv_data; AVIOContext *bc = s->pb; int64_t pos; - int initialized_stream_count; + int initialized_stream_count, ret; nut->avf = s; /* main header */ pos = 0; + ret = 0; do { + if (ret == AVERROR(ENOMEM)) + return ret; + pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; if (pos < 0 + 1) { av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); goto fail; } - } while (decode_main_header(nut) < 0); + } while ((ret = decode_main_header(nut)) < 0); /* stream headers */ pos = 0; From a957d604a20f7de66afd676c07b047c97da2393a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2023 18:35:46 +0200 Subject: [PATCH 1379/1383] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 37ec018b32..f535d80b9d 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.11: + avformat/nutdec: Add check for avformat_new_stream avformat/wavdec: Check that smv block fits in available space avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated From 76ee3e41df5157317ee209d3e6cc0829af5f963f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2023 19:59:40 +0200 Subject: [PATCH 1380/1383] avcodec/noise_bsf: Check for wrapped frames Wrapped frames contain pointers so they need specific code to noise them, the generic code would lead to segfaults Signed-off-by: Michael Niedermayer (cherry picked from commit 0889ebc577749ee6abc620bc9030d2002487935f) Signed-off-by: Michael Niedermayer --- libavcodec/noise_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/noise_bsf.c b/libavcodec/noise_bsf.c index d79f63b777..42533c6df9 100644 --- a/libavcodec/noise_bsf.c +++ b/libavcodec/noise_bsf.c @@ -44,6 +44,11 @@ static int noise(AVBSFContext *ctx, AVPacket *pkt) if (amount <= 0) return AVERROR(EINVAL); + if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) { + av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n"); + return AVERROR_PATCHWELCOME; + } + ret = ff_bsf_get_packet_ref(ctx, pkt); if (ret < 0) return ret; From 835453fbd8a91cb1ebdb750efcf2a33bdb4801b7 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 30 Mar 2024 00:12:03 +0100 Subject: [PATCH 1381/1383] avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer --- libavcodec/nvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvdec.c b/libavcodec/nvdec.c index 0426c9b319..d0e3cd3df6 100644 --- a/libavcodec/nvdec.c +++ b/libavcodec/nvdec.c @@ -539,6 +539,8 @@ int ff_nvdec_simple_end_frame(AVCodecContext *avctx) NVDECContext *ctx = avctx->internal->hwaccel_priv_data; int ret = ff_nvdec_end_frame(avctx); ctx->bitstream = NULL; + ctx->bitstream_len = 0; + ctx->nb_slices = 0; return ret; } From cdd355e08734f73425d11deee9496b57c5765368 Mon Sep 17 00:00:00 2001 From: Eugene Zemtsov Date: Mon, 1 Apr 2024 19:28:03 -0700 Subject: [PATCH 1382/1383] avformat/mov: Check if a key is longer than the atom containing it Stop reading keys and return AVERROR_INVALIDDATA if key_size is larger than the amount of space left in the atom. Bug: https://crbug.com/41496983 Signed-off-by: Eugene Zemtsov Signed-off-by: James Almer (cherry picked from commit 8a23a145d85964950123952d897b89c2c2b1b8c5) --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 0e37b99c86..b62eecdd80 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4353,12 +4353,13 @@ static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 1; i <= count; ++i) { uint32_t key_size = avio_rb32(pb); uint32_t type = avio_rl32(pb); - if (key_size < 8) { + if (key_size < 8 || key_size > atom.size) { av_log(c->fc, AV_LOG_ERROR, "The key# %"PRIu32" in meta has invalid size:" "%"PRIu32"\n", i, key_size); return AVERROR_INVALIDDATA; } + atom.size -= key_size; key_size -= 8; if (type != MKTAG('m','d','t','a')) { avio_skip(pb, key_size); From 7ef6f317f8f90eb34d97e016af02905898827dc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Sun, 16 Jul 2023 18:18:02 +0300 Subject: [PATCH 1383/1383] avcodec/x86/mathops: clip constants used with shift instructions within inline assembly Fixes assembling with binutil as >= 2.41 Signed-off-by: James Almer (cherry picked from commit effadce6c756247ea8bae32dc13bb3e6f464f0eb) --- libavcodec/x86/mathops.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 6298f5ed19..ca7e2dffc1 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -35,12 +35,20 @@ static av_always_inline av_const int MULL(int a, int b, unsigned shift) { int rt, dummy; + if (__builtin_constant_p(shift)) __asm__ ( "imull %3 \n\t" "shrdl %4, %%edx, %%eax \n\t" :"=a"(rt), "=d"(dummy) - :"a"(a), "rm"(b), "ci"((uint8_t)shift) + :"a"(a), "rm"(b), "i"(shift & 0x1F) ); + else + __asm__ ( + "imull %3 \n\t" + "shrdl %4, %%edx, %%eax \n\t" + :"=a"(rt), "=d"(dummy) + :"a"(a), "rm"(b), "c"((uint8_t)shift) + ); return rt; } @@ -113,19 +121,31 @@ __asm__ volatile(\ // avoid +32 for shift optimization (gcc should do that ...) #define NEG_SSR32 NEG_SSR32 static inline int32_t NEG_SSR32( int32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("sarl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("sarl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } #define NEG_USR32 NEG_USR32 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("shrl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("shrl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; }