From b1ec41a64f2def0ce7d5b2b35d9ef478a4a35d26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Apr 2017 02:26:45 +0200 Subject: [PATCH 0001/1764] add release notes based on release 3.3 Name suggestion was from Helmut K. C. Tessarek Signed-off-by: Michael Niedermayer (cherry picked from commit 07e7ebf52de9257fef1398c1dc5edb847b78ab21) Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 RELEASE_NOTES diff --git a/RELEASE_NOTES b/RELEASE_NOTES new file mode 100644 index 0000000000..d649c77bd5 --- /dev/null +++ b/RELEASE_NOTES @@ -0,0 +1,15 @@ + + ┌───────────────────────────────────────┐ + │ RELEASE NOTES for FFmpeg 3.4 "Cantor" │ + └───────────────────────────────────────┘ + + The FFmpeg Project proudly presents FFmpeg 3.4 "Cantor", about 6 + months after the release of FFmpeg 3.3. + + A complete Changelog is available at the root of the project, and the + complete Git history on http://source.ffmpeg.org. + + We hope you will like this release as much as we enjoyed working on it, and + as usual, if you have any questions about it, or any FFmpeg related topic, + feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + on the mailing-lists. From c8642473e0b3d2c2d644c72eb7e4de23fa3f79fa Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Tue, 10 Oct 2017 23:30:29 +0200 Subject: [PATCH 0002/1764] configure: remove libdl dependency from libndi_newtek We are not using dynamic loading for libndi. Reviewed-by: James Almer Signed-off-by: Marton Balint (cherry picked from commit 58143b15adda6391ec07f3eb19e80ed91d801edd) --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index e2ef54fb3b..259619cccd 100755 --- a/configure +++ b/configure @@ -3089,9 +3089,9 @@ decklink_indev_deps="decklink threads" decklink_indev_extralibs="-lstdc++" decklink_outdev_deps="decklink threads" decklink_outdev_extralibs="-lstdc++" -libndi_newtek_indev_deps="libndi_newtek libdl" +libndi_newtek_indev_deps="libndi_newtek" libndi_newtek_indev_extralibs="-lndi" -libndi_newtek_outdev_deps="libndi_newtek libdl" +libndi_newtek_outdev_deps="libndi_newtek" libndi_newtek_outdev_extralibs="-lndi" dshow_indev_deps="IBaseFilter" dshow_indev_extralibs="-lpsapi -lole32 -lstrmiids -luuid -loleaut32 -lshlwapi" From 7fb85ad3607a3fdde682ea74d6f6bcefe1f582dd Mon Sep 17 00:00:00 2001 From: Ivan Kalvachev Date: Mon, 9 Oct 2017 02:40:26 +0300 Subject: [PATCH 0003/1764] Fix crash if av_vdpau_bind_context() is not used. The public functions av_alloc_vdpaucontext() and av_vdpau_alloc_context() are allocating AVVDPAUContext structure that is supposed to be placed in avctx->hwaccel_context. However the rest of libavcodec/vdpau.c uses avctx->hwaccel_context as struct VDPAUHWContext, that is bigger and does contain AVVDPAUContext as first member. The usage includes write to the new variables in the bigger stuct, without checking for block size. Fix by always allocating the bigger structure. Signed-off-by: Ivan Kalvachev (cherry picked from commit 3a6ded7cfcb33e06ade98c5791eae06453f65668) --- libavcodec/vdpau.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vdpau.c b/libavcodec/vdpau.c index 42ebddbeee..4cc51cb79e 100644 --- a/libavcodec/vdpau.c +++ b/libavcodec/vdpau.c @@ -816,7 +816,7 @@ do { \ AVVDPAUContext *av_vdpau_alloc_context(void) { - return av_mallocz(sizeof(AVVDPAUContext)); + return av_mallocz(sizeof(VDPAUHWContext)); } int av_vdpau_bind_context(AVCodecContext *avctx, VdpDevice device, From 7deb7e6acd4fb8dd09c8e38eb2e07c86371bf94e Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 13 Oct 2017 12:34:34 -0300 Subject: [PATCH 0004/1764] configure: force erroring out in check_disable_warning() if an option doesn't exists Should prevent some options from being added to cflags when they don't exist and the compiler only warns about it. Reviewd-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit ad56e8057d8af0201ed0cb65acc12e5889d4afcc) --- configure | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 259619cccd..18d80ee87a 100755 --- a/configure +++ b/configure @@ -6309,9 +6309,14 @@ fi check_disable_warning(){ warning_flag=-W${1#-Wno-} - test_cflags $warning_flag && add_cflags $1 + test_cflags $unknown_warning_flags $warning_flag && add_cflags $1 } +test_cflags -Werror=unused-command-line-argument && + append unknown_warning_flags "-Werror=unused-command-line-argument" +test_cflags -Werror=unknown-warning-option && + append unknown_warning_flags "-Werror=unknown-warning-option" + check_disable_warning -Wno-parentheses check_disable_warning -Wno-switch check_disable_warning -Wno-format-zero-length From a11a18b284afd5ac58fd3b1835f8a3608c4ebc9f Mon Sep 17 00:00:00 2001 From: Ivan Kalvachev Date: Mon, 9 Oct 2017 01:25:00 +0300 Subject: [PATCH 0005/1764] Fix visual glitch with XvMC, caused by wrong idct permutation. In the past XvMC forced simple_idct since it was using FF_IDCT_PERM_NONE. However now we have SIMD variants of simple_idct that are using FF_IDCT_PERM_TRANSPOSE and if they are selected XvMC would get coefficients in the wrong order. The patch creates new FF_IDCT_NONE that is used only for this kind of hardware decoding and that fallbacks to the old C only simple idct. Signed-off-by: Ivan Kalvachev Signed-off-by: Michael Niedermayer (cherry picked from commit 9054439bad3307dafd9fbadc57e66c276baf22e2) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 1 + libavcodec/idctdsp.c | 1 + libavcodec/mpeg12dec.c | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 52cc5b0ca0..18c3e3ea1e 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -3146,6 +3146,7 @@ typedef struct AVCodecContext { #if FF_API_ARCH_ALPHA #define FF_IDCT_SIMPLEALPHA 23 #endif +#define FF_IDCT_NONE 24 /* Used by XvMC to extract IDCT coefficients with FF_IDCT_PERM_NONE */ #define FF_IDCT_SIMPLEAUTO 128 /** diff --git a/libavcodec/idctdsp.c b/libavcodec/idctdsp.c index d596aed1a9..0122d29efa 100644 --- a/libavcodec/idctdsp.c +++ b/libavcodec/idctdsp.c @@ -279,6 +279,7 @@ av_cold void ff_idctdsp_init(IDCTDSPContext *c, AVCodecContext *avctx) c->perm_type = FF_IDCT_PERM_NONE; #endif /* CONFIG_FAANIDCT */ } else { // accurate/default + /* Be sure FF_IDCT_NONE will select this one, since it uses FF_IDCT_PERM_NONE */ c->idct_put = ff_simple_idct_put_8; c->idct_add = ff_simple_idct_add_8; c->idct = ff_simple_idct_8; diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 22c29c1505..4e68be27f1 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1217,7 +1217,7 @@ static void setup_hwaccel_for_pixfmt(AVCodecContext *avctx) #endif ) if (avctx->idct_algo == FF_IDCT_AUTO) - avctx->idct_algo = FF_IDCT_SIMPLE; + avctx->idct_algo = FF_IDCT_NONE; if (avctx->hwaccel && avctx->pix_fmt == AV_PIX_FMT_XVMC) { Mpeg1Context *s1 = avctx->priv_data; From 8500de89ea9111e859c1ca8c51e7a3ed2ff76846 Mon Sep 17 00:00:00 2001 From: Sasi Inguva Date: Tue, 10 Oct 2017 10:36:58 -0700 Subject: [PATCH 0006/1764] ffmpeg.c: Fallback to duration_dts, when duration_pts can't be determined. This is required for FLV files, for which duration_pts comes out to be zero. Signed-off-by: Sasi Inguva Reviewed-by: Thomas Mundt Signed-off-by: Michael Niedermayer (cherry picked from commit 2b006ccf8318d84101ed83b75df4c9682a963217) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 6d64bc1043..3ee31473dc 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -2665,8 +2665,13 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo ist->next_dts = AV_NOPTS_VALUE; } - if (got_output) - ist->next_pts += av_rescale_q(duration_pts, ist->st->time_base, AV_TIME_BASE_Q); + if (got_output) { + if (duration_pts > 0) { + ist->next_pts += av_rescale_q(duration_pts, ist->st->time_base, AV_TIME_BASE_Q); + } else { + ist->next_pts += duration_dts; + } + } break; case AVMEDIA_TYPE_SUBTITLE: if (repeating) From 35e36046f1a3013f24cd2e90cff14295427dc3af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:53 +0200 Subject: [PATCH 0007/1764] avcodec/pafvideo: Check for bitstream end in decode_0() Fixes: Timeout Fixes: 3529/clusterfuzz-testcase-5057068371279872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c85329cd02e9284892bf263ce6133b2fc479792) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 91bfe16376..6980ae1b35 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -181,6 +181,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) dend = c->frame[page] + c->frame_size; offset = (x & 0x7F) * 2; j = bytestream2_get_le16(&c->gb) + offset; + if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16) + return AVERROR_INVALIDDATA; do { offset++; if (dst + 3 * c->width + 4 > dend) @@ -198,7 +200,8 @@ static int decode_0(PAFVideoDecContext *c, uint8_t *pkt, uint8_t code) do { set_src_position(c, &src, &send); if ((src + 3 * c->width + 4 > send) || - (dst + 3 * c->width + 4 > dend)) + (dst + 3 * c->width + 4 > dend) || + bytestream2_get_bytes_left(&c->gb) < 4) return AVERROR_INVALIDDATA; copy_block4(dst, src, c->width, c->width, 4); i++; From 46abeb1c322302ce6eba745c9efaf806f066298c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Oct 2017 03:06:54 +0200 Subject: [PATCH 0008/1764] avcodec/snowdec: Check mv_scale Fixes: runtime error: signed integer overflow: 2 * -1094995530 cannot be represented in type 'int' Fixes: 3512/clusterfuzz-testcase-minimized-4812747210489856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 393d6fc7395611a38792e3c271b2be42ac45e672) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index b74c468ce3..13668c2105 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -394,9 +394,10 @@ static int decode_header(SnowContext *s){ s->mv_scale += get_symbol(&s->c, s->header_state, 1); s->qbias += get_symbol(&s->c, s->header_state, 1); s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); - if(s->block_max_depth > 1 || s->block_max_depth < 0){ + if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; + s->mv_scale = 0; return AVERROR_INVALIDDATA; } if (FFABS(s->qbias) > 127) { From 03351cce88434f9a4ef3c7cc29e2bc5449c4646e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Oct 2017 02:30:15 +0200 Subject: [PATCH 0009/1764] Update versions for 3.4 release Signed-off-by: Michael Niedermayer --- Changelog | 2 +- RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index d6ec4ad1b5..a8d4c29e90 100644 --- a/Changelog +++ b/Changelog @@ -1,7 +1,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 3.4: - deflicker video filter - doubleweave video filter - lumakey video filter diff --git a/RELEASE b/RELEASE index 48ea63d180..2f4b60750d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.git +3.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 0891899505..491db00b7e 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = +PROJECT_NUMBER = 3.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 01e291a592452f27b3a4e811536aaaf94096e244 Mon Sep 17 00:00:00 2001 From: Mark Thompson Date: Sun, 15 Oct 2017 12:45:15 +0100 Subject: [PATCH 0010/1764] hwcontext_vaapi: Remove use of vaExportSurfaceHandle() It is not present in libva 2.0. --- libavutil/hwcontext_vaapi.c | 69 ------------------------------------- 1 file changed, 69 deletions(-) diff --git a/libavutil/hwcontext_vaapi.c b/libavutil/hwcontext_vaapi.c index 40a85d288c..cc961f12f8 100644 --- a/libavutil/hwcontext_vaapi.c +++ b/libavutil/hwcontext_vaapi.c @@ -1076,80 +1076,11 @@ static void vaapi_unmap_to_drm(AVHWFramesContext *dst_fc, static int vaapi_map_to_drm(AVHWFramesContext *hwfc, AVFrame *dst, const AVFrame *src, int flags) { -#if CONFIG_VAAPI_1 - AVVAAPIDeviceContext *hwctx = hwfc->device_ctx->hwctx; - VASurfaceID surface_id; - VAStatus vas; - VADRMPRIMESurfaceDescriptor va_desc; - AVDRMFrameDescriptor *drm_desc = NULL; - int err, i, j; - - surface_id = (VASurfaceID)(uintptr_t)src->data[3]; - - vas = vaExportSurfaceHandle(hwctx->display, surface_id, - VA_SURFACE_ATTRIB_MEM_TYPE_DRM_PRIME_2, - VA_EXPORT_SURFACE_READ_ONLY | - VA_EXPORT_SURFACE_SEPARATE_LAYERS, - &va_desc); - if (vas != VA_STATUS_SUCCESS) { - if (vas == VA_STATUS_ERROR_UNIMPLEMENTED) - return AVERROR(ENOSYS); - av_log(hwfc, AV_LOG_ERROR, "Failed to export surface %#x: " - "%d (%s).\n", surface_id, vas, vaErrorStr(vas)); - return AVERROR(EIO); - } - - drm_desc = av_mallocz(sizeof(*drm_desc)); - if (!drm_desc) { - err = AVERROR(ENOMEM); - goto fail; - } - - // By some bizarre coincidence, these structures are very similar... - drm_desc->nb_objects = va_desc.num_objects; - for (i = 0; i < va_desc.num_objects; i++) { - drm_desc->objects[i].fd = va_desc.objects[i].fd; - drm_desc->objects[i].size = va_desc.objects[i].size; - drm_desc->objects[i].format_modifier = - va_desc.objects[i].drm_format_modifier; - } - drm_desc->nb_layers = va_desc.num_layers; - for (i = 0; i < va_desc.num_layers; i++) { - drm_desc->layers[i].format = va_desc.layers[i].drm_format; - drm_desc->layers[i].nb_planes = va_desc.layers[i].num_planes; - for (j = 0; j < va_desc.layers[i].num_planes; j++) { - drm_desc->layers[i].planes[j].object_index = - va_desc.layers[i].object_index[j]; - drm_desc->layers[i].planes[j].offset = - va_desc.layers[i].offset[j]; - drm_desc->layers[i].planes[j].pitch = - va_desc.layers[i].pitch[j]; - } - } - - err = ff_hwframe_map_create(src->hw_frames_ctx, dst, src, - &vaapi_unmap_to_drm, drm_desc); - if (err < 0) - goto fail; - - dst->width = src->width; - dst->height = src->height; - dst->data[0] = (uint8_t*)drm_desc; - - return 0; - -fail: - for (i = 0; i < va_desc.num_objects; i++) - close(va_desc.objects[i].fd); - av_freep(&drm_desc); - return err; -#else // Older versions without vaExportSurfaceHandle() are not supported - // in theory this is possible with a combination of vaDeriveImage() // and vaAcquireBufferHandle(), but it doesn't carry enough metadata // to actually use the result in a generic way. return AVERROR(ENOSYS); -#endif } #endif From 587fadaef1e8163b3e56043e500a3724e7fc5379 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 23 Oct 2017 10:48:02 +0300 Subject: [PATCH 0011/1764] lavu/arm: Check for have_vfp_vm instead of !have_vfpv3 for float_dsp_vfp This was missed in e754c8e8 / e2710e790c0 since those functions weren't exercised by checkasm. Fixes ticket #6766. (cherry picked from commit f1fd12ef858cf7efe843aa3063894a11b2d1e7d5) --- libavutil/arm/float_dsp_init_vfp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/arm/float_dsp_init_vfp.c b/libavutil/arm/float_dsp_init_vfp.c index e15abf3f54..05873e7e37 100644 --- a/libavutil/arm/float_dsp_init_vfp.c +++ b/libavutil/arm/float_dsp_init_vfp.c @@ -36,11 +36,11 @@ void ff_butterflies_float_vfp(float *av_restrict v1, float *av_restrict v2, int av_cold void ff_float_dsp_init_vfp(AVFloatDSPContext *fdsp, int cpu_flags) { - if (!have_vfpv3(cpu_flags)) { + if (have_vfp_vm(cpu_flags)) { fdsp->vector_fmul = ff_vector_fmul_vfp; fdsp->vector_fmul_window = ff_vector_fmul_window_vfp; } fdsp->vector_fmul_reverse = ff_vector_fmul_reverse_vfp; - if (!have_vfpv3(cpu_flags)) + if (have_vfp_vm(cpu_flags)) fdsp->butterflies_float = ff_butterflies_float_vfp; } From a94cb36ab2ad99d3a1331c9f91831ef593d94f74 Mon Sep 17 00:00:00 2001 From: Rostislav Pehlivanov Date: Wed, 8 Nov 2017 23:50:04 +0000 Subject: [PATCH 0012/1764] vc2enc_dwt: pad the temporary buffer by the slice size Since non-Haar wavelets need to look into pixels outside the frame, we need to pad the buffer. The old factor of two seemed to be a workaround that fact and only padded to the left and bottom. This correctly pads by the slice size and as such reduces memory usage and potential exploits. Reported by Liu Bingchang. Ideally, there should be no temporary buffer but the encoder is designed to deinterleave the coefficients into the classical wavelet structure with the lower frequency values in the top left corner. Signed-off-by: Rostislav Pehlivanov (cherry picked from commit 3228ac730c11eca49d5680d5550128e397061c85) --- libavcodec/vc2enc.c | 3 ++- libavcodec/vc2enc_dwt.c | 12 +++++++++--- libavcodec/vc2enc_dwt.h | 4 +++- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 96e27d93ed..1059f41b56 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1190,7 +1190,8 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) /* DWT init */ if (ff_vc2enc_init_transforms(&s->transform_args[i].t, s->plane[i].coef_stride, - s->plane[i].dwt_height)) + s->plane[i].dwt_height, + s->slice_width, s->slice_height)) goto alloc_fail; } diff --git a/libavcodec/vc2enc_dwt.c b/libavcodec/vc2enc_dwt.c index c60b003a31..d22af8a313 100644 --- a/libavcodec/vc2enc_dwt.c +++ b/libavcodec/vc2enc_dwt.c @@ -255,21 +255,27 @@ static void vc2_subband_dwt_haar_shift(VC2TransformContext *t, dwtcoef *data, dwt_haar(t, data, stride, width, height, 1); } -av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_width, int p_height) +av_cold int ff_vc2enc_init_transforms(VC2TransformContext *s, int p_stride, + int p_height, int slice_w, int slice_h) { s->vc2_subband_dwt[VC2_TRANSFORM_9_7] = vc2_subband_dwt_97; s->vc2_subband_dwt[VC2_TRANSFORM_5_3] = vc2_subband_dwt_53; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR] = vc2_subband_dwt_haar; s->vc2_subband_dwt[VC2_TRANSFORM_HAAR_S] = vc2_subband_dwt_haar_shift; - s->buffer = av_malloc(2*p_width*p_height*sizeof(dwtcoef)); + /* Pad by the slice size, only matters for non-Haar wavelets */ + s->buffer = av_calloc((p_stride + slice_w)*(p_height + slice_h), sizeof(dwtcoef)); if (!s->buffer) return 1; + s->padding = (slice_h >> 1)*p_stride + (slice_w >> 1); + s->buffer += s->padding; + return 0; } av_cold void ff_vc2enc_free_transforms(VC2TransformContext *s) { - av_freep(&s->buffer); + av_free(s->buffer - s->padding); + s->buffer = NULL; } diff --git a/libavcodec/vc2enc_dwt.h b/libavcodec/vc2enc_dwt.h index 7fbbfbe0ed..a6932bcdaf 100644 --- a/libavcodec/vc2enc_dwt.h +++ b/libavcodec/vc2enc_dwt.h @@ -41,12 +41,14 @@ enum VC2TransformType { typedef struct VC2TransformContext { dwtcoef *buffer; + int padding; void (*vc2_subband_dwt[VC2_TRANSFORMS_NB])(struct VC2TransformContext *t, dwtcoef *data, ptrdiff_t stride, int width, int height); } VC2TransformContext; -int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_width, int p_height); +int ff_vc2enc_init_transforms(VC2TransformContext *t, int p_stride, int p_height, + int slice_w, int slice_h); void ff_vc2enc_free_transforms(VC2TransformContext *t); #endif /* AVCODEC_VC2ENC_DWT_H */ From 0ca0ec26a62e7913ee725fa4cabf2deaa4e40bed Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Wed, 4 Oct 2017 00:43:30 +0200 Subject: [PATCH 0013/1764] ffmpeg: always init output stream before reaping filters Otherwise the frame size of the codec is not set in the buffersink. Fixes ticket #6603 and the following simpler case: ffmpeg -c aac -filter_complex "sine=d=0.1,asetnsamples=1025" out.aac Signed-off-by: Marton Balint (cherry picked from commit f4090940bd3024e69d236257d327f11d1e496229) --- fftools/ffmpeg.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 3ee31473dc..d581b40bf2 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -4536,6 +4536,15 @@ static int transcode_step(void) } if (ost->filter && ost->filter->graph->graph) { + if (!ost->initialized) { + char error[1024] = {0}; + ret = init_output_stream(ost, error, sizeof(error)); + if (ret < 0) { + av_log(NULL, AV_LOG_ERROR, "Error initializing output stream %d:%d -- %s\n", + ost->file_index, ost->index, error); + exit_program(1); + } + } if ((ret = transcode_from_filter(ost->filter->graph, &ist)) < 0) return ret; if (!ist) From 0158fd527691a8cd70863ee7326ede872a9b8725 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 28 Oct 2017 22:06:22 +0200 Subject: [PATCH 0014/1764] ffplay: create the window and the renderer before starting playback Signed-off-by: Marton Balint (cherry picked from commit 84d31e2475c41b0a69a11c4cba54755d034bb341) --- fftools/ffplay.c | 67 +++++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 32 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 9f7774613c..c8f90d4f3b 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -361,6 +361,7 @@ static AVPacket flush_pkt; static SDL_Window *window; static SDL_Renderer *renderer; +static SDL_RendererInfo renderer_info = {0}; static const struct TextureFormatEntry { enum AVPixelFormat format; @@ -1320,38 +1321,15 @@ static int video_open(VideoState *is) h = default_height; } - if (!window) { - int flags = SDL_WINDOW_SHOWN; - if (!window_title) - window_title = input_filename; - if (is_full_screen) - flags |= SDL_WINDOW_FULLSCREEN_DESKTOP; - if (borderless) - flags |= SDL_WINDOW_BORDERLESS; - else - flags |= SDL_WINDOW_RESIZABLE; - window = SDL_CreateWindow(window_title, SDL_WINDOWPOS_UNDEFINED, SDL_WINDOWPOS_UNDEFINED, w, h, flags); - SDL_SetHint(SDL_HINT_RENDER_SCALE_QUALITY, "linear"); - if (window) { - SDL_RendererInfo info; - renderer = SDL_CreateRenderer(window, -1, SDL_RENDERER_ACCELERATED | SDL_RENDERER_PRESENTVSYNC); - if (!renderer) { - av_log(NULL, AV_LOG_WARNING, "Failed to initialize a hardware accelerated renderer: %s\n", SDL_GetError()); - renderer = SDL_CreateRenderer(window, -1, 0); - } - if (renderer) { - if (!SDL_GetRendererInfo(renderer, &info)) - av_log(NULL, AV_LOG_VERBOSE, "Initialized %s renderer.\n", info.name); - } - } - } else { - SDL_SetWindowSize(window, w, h); - } + if (!window_title) + window_title = input_filename; + SDL_SetWindowTitle(window, window_title); - if (!window || !renderer) { - av_log(NULL, AV_LOG_FATAL, "SDL: could not set video mode - exiting\n"); - do_exit(is); - } + SDL_SetWindowSize(window, w, h); + SDL_SetWindowPosition(window, SDL_WINDOWPOS_CENTERED, SDL_WINDOWPOS_CENTERED); + if (is_full_screen) + SDL_SetWindowFullscreen(window, SDL_WINDOW_FULLSCREEN_DESKTOP); + SDL_ShowWindow(window); is->width = w; is->height = h; @@ -1362,7 +1340,7 @@ static int video_open(VideoState *is) /* display the current picture, if any */ static void video_display(VideoState *is) { - if (!window) + if (!is->width) video_open(is); SDL_SetRenderDrawColor(renderer, 0, 0, 0, 255); @@ -3751,6 +3729,31 @@ int main(int argc, char **argv) av_init_packet(&flush_pkt); flush_pkt.data = (uint8_t *)&flush_pkt; + if (!display_disable) { + int flags = SDL_WINDOW_HIDDEN; + if (borderless) + flags |= SDL_WINDOW_BORDERLESS; + else + flags |= SDL_WINDOW_RESIZABLE; + window = SDL_CreateWindow(program_name, SDL_WINDOWPOS_UNDEFINED, SDL_WINDOWPOS_UNDEFINED, default_width, default_height, flags); + SDL_SetHint(SDL_HINT_RENDER_SCALE_QUALITY, "linear"); + if (window) { + renderer = SDL_CreateRenderer(window, -1, SDL_RENDERER_ACCELERATED | SDL_RENDERER_PRESENTVSYNC); + if (!renderer) { + av_log(NULL, AV_LOG_WARNING, "Failed to initialize a hardware accelerated renderer: %s\n", SDL_GetError()); + renderer = SDL_CreateRenderer(window, -1, 0); + } + if (renderer) { + if (!SDL_GetRendererInfo(renderer, &renderer_info)) + av_log(NULL, AV_LOG_VERBOSE, "Initialized %s renderer.\n", renderer_info.name); + } + } + if (!window || !renderer) { + av_log(NULL, AV_LOG_FATAL, "Failed to create window or renderer: %s", SDL_GetError()); + do_exit(NULL); + } + } + is = stream_open(input_filename, file_iformat); if (!is) { av_log(NULL, AV_LOG_FATAL, "Failed to initialize VideoState!\n"); From 46aa734646279ac481e5583d005c8c15b348a244 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 28 Oct 2017 22:46:08 +0200 Subject: [PATCH 0015/1764] ffplay: only use hardware accelerated SDL texture formats Typically only a small subset of the SDL texture formats are supported directly by the SDL renderer drivers, the rest is software emulated. It's better if libswscale does the format conversion to a hardware-accelerated texture format instead of SDL. This should fix video render slowdowns with some texture formats after 3bd2228d05a05eab5f91ac00b01efac9cb07649b. Signed-off-by: Marton Balint (cherry picked from commit 415038f2bd321a3b41564d4e0c6c17d7a096c397) --- fftools/ffplay.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index c8f90d4f3b..982340f073 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -1828,10 +1828,18 @@ static int configure_video_filters(AVFilterGraph *graph, VideoState *is, const c AVCodecParameters *codecpar = is->video_st->codecpar; AVRational fr = av_guess_frame_rate(is->ic, is->video_st, NULL); AVDictionaryEntry *e = NULL; - int i; + int nb_pix_fmts = 0; + int i, j; - for (i = 0; i < FF_ARRAY_ELEMS(pix_fmts); i++) - pix_fmts[i] = sdl_texture_format_map[i].format; + for (i = 0; i < renderer_info.num_texture_formats; i++) { + for (j = 0; j < FF_ARRAY_ELEMS(sdl_texture_format_map) - 1; j++) { + if (renderer_info.texture_formats[i] == sdl_texture_format_map[j].texture_fmt) { + pix_fmts[nb_pix_fmts++] = sdl_texture_format_map[j].format; + break; + } + } + } + pix_fmts[nb_pix_fmts] = AV_PIX_FMT_NONE; while ((e = av_dict_get(sws_dict, "", e, AV_DICT_IGNORE_SUFFIX))) { if (!strcmp(e->key, "sws_flags")) { @@ -3748,7 +3756,7 @@ int main(int argc, char **argv) av_log(NULL, AV_LOG_VERBOSE, "Initialized %s renderer.\n", renderer_info.name); } } - if (!window || !renderer) { + if (!window || !renderer || !renderer_info.num_texture_formats) { av_log(NULL, AV_LOG_FATAL, "Failed to create window or renderer: %s", SDL_GetError()); do_exit(NULL); } From 88a6fca74d247de5055bbbfbdbcc0a858170a882 Mon Sep 17 00:00:00 2001 From: Marton Balint Date: Sat, 4 Nov 2017 19:31:54 +0100 Subject: [PATCH 0016/1764] ffplay: use SDL2 audio API It allows us to specify what kind of audio parameter changes are allowed. Should fix ticket #6721. Signed-off-by: Marton Balint (cherry picked from commit d68a557df4937b695a5f6a14877d92647be95aaa) --- fftools/ffplay.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/fftools/ffplay.c b/fftools/ffplay.c index 982340f073..571dce31d2 100644 --- a/fftools/ffplay.c +++ b/fftools/ffplay.c @@ -362,6 +362,7 @@ static AVPacket flush_pkt; static SDL_Window *window; static SDL_Renderer *renderer; static SDL_RendererInfo renderer_info = {0}; +static SDL_AudioDeviceID audio_dev; static const struct TextureFormatEntry { enum AVPixelFormat format; @@ -1192,7 +1193,7 @@ static void stream_component_close(VideoState *is, int stream_index) switch (codecpar->codec_type) { case AVMEDIA_TYPE_AUDIO: decoder_abort(&is->auddec, &is->sampq); - SDL_CloseAudio(); + SDL_CloseAudioDevice(audio_dev); decoder_destroy(&is->auddec); swr_free(&is->swr_ctx); av_freep(&is->audio_buf1); @@ -2451,7 +2452,7 @@ static void sdl_audio_callback(void *opaque, Uint8 *stream, int len) else { memset(stream, 0, len1); if (!is->muted && is->audio_buf) - SDL_MixAudio(stream, (uint8_t *)is->audio_buf + is->audio_buf_index, len1, is->audio_volume); + SDL_MixAudioFormat(stream, (uint8_t *)is->audio_buf + is->audio_buf_index, AUDIO_S16SYS, len1, is->audio_volume); } len -= len1; stream += len1; @@ -2496,7 +2497,7 @@ static int audio_open(void *opaque, int64_t wanted_channel_layout, int wanted_nb wanted_spec.samples = FFMAX(SDL_AUDIO_MIN_BUFFER_SIZE, 2 << av_log2(wanted_spec.freq / SDL_AUDIO_MAX_CALLBACKS_PER_SEC)); wanted_spec.callback = sdl_audio_callback; wanted_spec.userdata = opaque; - while (SDL_OpenAudio(&wanted_spec, &spec) < 0) { + while (!(audio_dev = SDL_OpenAudioDevice(NULL, 0, &wanted_spec, &spec, SDL_AUDIO_ALLOW_FREQUENCY_CHANGE | SDL_AUDIO_ALLOW_CHANNELS_CHANGE))) { av_log(NULL, AV_LOG_WARNING, "SDL_OpenAudio (%d channels, %d Hz): %s\n", wanted_spec.channels, wanted_spec.freq, SDL_GetError()); wanted_spec.channels = next_nb_channels[FFMIN(7, wanted_spec.channels)]; @@ -2666,7 +2667,7 @@ static int stream_component_open(VideoState *is, int stream_index) } if ((ret = decoder_start(&is->auddec, audio_thread, is)) < 0) goto out; - SDL_PauseAudio(0); + SDL_PauseAudioDevice(audio_dev, 0); break; case AVMEDIA_TYPE_VIDEO: is->video_stream = stream_index; From d55794fafc9efb9ce3fe9f78362e6539d9fe7d94 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Sun, 29 Oct 2017 12:30:44 +0800 Subject: [PATCH 0017/1764] avformat/hlsenc: fix base_output_dirname is null when basename_size is 0 bug fix ticket id: #6777 when use argument hls_segment_filename, the basename_size will be 0 Signed-off-by: Steven Liu --- libavformat/hlsenc.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 418f153c6f..55ce800c5a 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -1335,6 +1335,7 @@ static int hls_write_header(AVFormatContext *s) AVDictionary *options = NULL; int basename_size = 0; int vtt_basename_size = 0; + int fmp4_init_filename_len = strlen(hls->fmp4_init_filename) + 1; if (hls->segment_type == SEGMENT_TYPE_FMP4) { pattern = "%d.m4s"; @@ -1445,7 +1446,6 @@ static int hls_write_header(AVFormatContext *s) } if (av_strcasecmp(hls->fmp4_init_filename, "init.mp4")) { - int fmp4_init_filename_len = strlen(hls->fmp4_init_filename) + 1; hls->base_output_dirname = av_malloc(fmp4_init_filename_len); if (!hls->base_output_dirname) { ret = AVERROR(ENOMEM); @@ -1453,19 +1453,25 @@ static int hls_write_header(AVFormatContext *s) } av_strlcpy(hls->base_output_dirname, hls->fmp4_init_filename, fmp4_init_filename_len); } else { - hls->base_output_dirname = av_malloc(basename_size); + if (basename_size > 0) { + hls->base_output_dirname = av_malloc(basename_size); + } else { + hls->base_output_dirname = av_malloc(strlen(hls->fmp4_init_filename)); + } if (!hls->base_output_dirname) { ret = AVERROR(ENOMEM); goto fail; } - av_strlcpy(hls->base_output_dirname, s->filename, basename_size); - p = strrchr(hls->base_output_dirname, '/'); + if (basename_size > 0) { + av_strlcpy(hls->base_output_dirname, s->filename, basename_size); + p = strrchr(hls->base_output_dirname, '/'); + } if (p) { *(p + 1) = '\0'; av_strlcat(hls->base_output_dirname, hls->fmp4_init_filename, basename_size); } else { - av_strlcpy(hls->base_output_dirname, hls->fmp4_init_filename, basename_size); + av_strlcpy(hls->base_output_dirname, hls->fmp4_init_filename, fmp4_init_filename_len); } } From 6ad4d3c92f091352645ebddd35d677aed079eb70 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Sun, 29 Oct 2017 12:31:49 +0800 Subject: [PATCH 0018/1764] avformat/hlsenc: fix missing first segment bug in fmp4 mode fix ticket id: #6776 fix code logic error, need not check first segment. Signed-off-by: Steven Liu --- libavformat/hlsenc.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 55ce800c5a..530fc11305 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -1080,7 +1080,7 @@ static int hls_window(AVFormatContext *s, int last) avio_printf(out, ",BYTERANGE=\"%"PRId64"@%"PRId64"\"", en->size, en->pos); } avio_printf(out, "\n"); - } else { + } if (hls->flags & HLS_ROUND_DURATIONS) avio_printf(out, "#EXTINF:%ld,\n", lrint(en->duration)); else @@ -1088,7 +1088,7 @@ static int hls_window(AVFormatContext *s, int last) if (byterange_mode) avio_printf(out, "#EXT-X-BYTERANGE:%"PRId64"@%"PRId64"\n", en->size, en->pos); - } + if (hls->flags & HLS_PROGRAM_DATE_TIME) { time_t tt, wrongsecs; int milli; @@ -1113,11 +1113,9 @@ static int hls_window(AVFormatContext *s, int last) avio_printf(out, "#EXT-X-PROGRAM-DATE-TIME:%s.%03d%s\n", buf0, milli, buf1); prog_date_time += en->duration; } - if (!((hls->segment_type == SEGMENT_TYPE_FMP4) && (en == hls->segments))) { if (hls->baseurl) avio_printf(out, "%s", hls->baseurl); avio_printf(out, "%s\n", en->filename); - } } if (last && (hls->flags & HLS_OMIT_ENDLIST)==0) From 9ccb6de56c6ffe5b649a20ce4930240248453a70 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Sun, 29 Oct 2017 12:32:24 +0800 Subject: [PATCH 0019/1764] avformat/hlsenc: reindent hlsenc code Signed-off-by: Steven Liu --- libavformat/hlsenc.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 530fc11305..0ea93480a5 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -1081,13 +1081,13 @@ static int hls_window(AVFormatContext *s, int last) } avio_printf(out, "\n"); } - if (hls->flags & HLS_ROUND_DURATIONS) - avio_printf(out, "#EXTINF:%ld,\n", lrint(en->duration)); - else - avio_printf(out, "#EXTINF:%f,\n", en->duration); - if (byterange_mode) - avio_printf(out, "#EXT-X-BYTERANGE:%"PRId64"@%"PRId64"\n", - en->size, en->pos); + if (hls->flags & HLS_ROUND_DURATIONS) + avio_printf(out, "#EXTINF:%ld,\n", lrint(en->duration)); + else + avio_printf(out, "#EXTINF:%f,\n", en->duration); + if (byterange_mode) + avio_printf(out, "#EXT-X-BYTERANGE:%"PRId64"@%"PRId64"\n", + en->size, en->pos); if (hls->flags & HLS_PROGRAM_DATE_TIME) { time_t tt, wrongsecs; @@ -1113,9 +1113,9 @@ static int hls_window(AVFormatContext *s, int last) avio_printf(out, "#EXT-X-PROGRAM-DATE-TIME:%s.%03d%s\n", buf0, milli, buf1); prog_date_time += en->duration; } - if (hls->baseurl) - avio_printf(out, "%s", hls->baseurl); - avio_printf(out, "%s\n", en->filename); + if (hls->baseurl) + avio_printf(out, "%s", hls->baseurl); + avio_printf(out, "%s\n", en->filename); } if (last && (hls->flags & HLS_OMIT_ENDLIST)==0) From fac3cfb6c18e3940686bfd890d194235fb5994bc Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Thu, 2 Nov 2017 22:29:28 +0800 Subject: [PATCH 0020/1764] avformat/hlsenc: check hls segment mode for ignore the init filename ignore the fmp4_init_filename when in normal hls segment mode Signed-off-by: Steven Liu --- libavformat/hlsenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 0ea93480a5..6d573db094 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -1443,6 +1443,7 @@ static int hls_write_header(AVFormatContext *s) } } + if (hls->segment_type == SEGMENT_TYPE_FMP4) { if (av_strcasecmp(hls->fmp4_init_filename, "init.mp4")) { hls->base_output_dirname = av_malloc(fmp4_init_filename_len); if (!hls->base_output_dirname) { @@ -1472,6 +1473,7 @@ static int hls_write_header(AVFormatContext *s) av_strlcpy(hls->base_output_dirname, hls->fmp4_init_filename, fmp4_init_filename_len); } } + } if (!hls->use_localtime) { ret = sls_flag_check_duration_size_index(hls); From e3c09fb986183199c08aaf4bdc9ba1b0d7f8e171 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Thu, 2 Nov 2017 22:30:06 +0800 Subject: [PATCH 0021/1764] avformat/hlsenc: reindent hlsenc code Signed-off-by: Steven Liu --- libavformat/hlsenc.c | 54 ++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 6d573db094..5ea9d216a4 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -1444,36 +1444,36 @@ static int hls_write_header(AVFormatContext *s) } if (hls->segment_type == SEGMENT_TYPE_FMP4) { - if (av_strcasecmp(hls->fmp4_init_filename, "init.mp4")) { - hls->base_output_dirname = av_malloc(fmp4_init_filename_len); - if (!hls->base_output_dirname) { - ret = AVERROR(ENOMEM); - goto fail; - } - av_strlcpy(hls->base_output_dirname, hls->fmp4_init_filename, fmp4_init_filename_len); - } else { - if (basename_size > 0) { - hls->base_output_dirname = av_malloc(basename_size); - } else { - hls->base_output_dirname = av_malloc(strlen(hls->fmp4_init_filename)); - } - if (!hls->base_output_dirname) { - ret = AVERROR(ENOMEM); - goto fail; - } - - if (basename_size > 0) { - av_strlcpy(hls->base_output_dirname, s->filename, basename_size); - p = strrchr(hls->base_output_dirname, '/'); - } - if (p) { - *(p + 1) = '\0'; - av_strlcat(hls->base_output_dirname, hls->fmp4_init_filename, basename_size); - } else { + if (av_strcasecmp(hls->fmp4_init_filename, "init.mp4")) { + hls->base_output_dirname = av_malloc(fmp4_init_filename_len); + if (!hls->base_output_dirname) { + ret = AVERROR(ENOMEM); + goto fail; + } av_strlcpy(hls->base_output_dirname, hls->fmp4_init_filename, fmp4_init_filename_len); + } else { + if (basename_size > 0) { + hls->base_output_dirname = av_malloc(basename_size); + } else { + hls->base_output_dirname = av_malloc(strlen(hls->fmp4_init_filename)); + } + if (!hls->base_output_dirname) { + ret = AVERROR(ENOMEM); + goto fail; + } + + if (basename_size > 0) { + av_strlcpy(hls->base_output_dirname, s->filename, basename_size); + p = strrchr(hls->base_output_dirname, '/'); + } + if (p) { + *(p + 1) = '\0'; + av_strlcat(hls->base_output_dirname, hls->fmp4_init_filename, basename_size); + } else { + av_strlcpy(hls->base_output_dirname, hls->fmp4_init_filename, fmp4_init_filename_len); + } } } - } if (!hls->use_localtime) { ret = sls_flag_check_duration_size_index(hls); From 62e99f026aea5c5f6c523ed4e870738b99b9c7a4 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Mon, 13 Nov 2017 10:44:16 +0800 Subject: [PATCH 0022/1764] avformat/hlsenc: allocate space for terminating null Fixes CID #1420394 --- libavformat/hlsenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 5ea9d216a4..b571772f60 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -1455,7 +1455,7 @@ static int hls_write_header(AVFormatContext *s) if (basename_size > 0) { hls->base_output_dirname = av_malloc(basename_size); } else { - hls->base_output_dirname = av_malloc(strlen(hls->fmp4_init_filename)); + hls->base_output_dirname = av_malloc(strlen(hls->fmp4_init_filename) + 1); } if (!hls->base_output_dirname) { ret = AVERROR(ENOMEM); From 67c079383538e61deabd3fc0f504a12bfa0c6925 Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Tue, 14 Nov 2017 10:31:26 +0800 Subject: [PATCH 0023/1764] avformat/hlsenc: write fmp4 init header after first AV frame fix ticket id: 6825 Signed-off-by: Steven Liu Tested-by: Aman Gupta --- libavformat/hlsenc.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index b571772f60..e0cef8b879 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -108,6 +108,9 @@ typedef struct HLSContext { uint32_t start_sequence_source_type; // enum StartSequenceSourceType AVOutputFormat *oformat; AVOutputFormat *vtt_oformat; + AVIOContext *out; + int packets_written; + int init_range_length; AVFormatContext *avf; AVFormatContext *vtt_avf; @@ -598,6 +601,7 @@ static int hls_mux_init(AVFormatContext *s) st->time_base = s->streams[i]->time_base; av_dict_copy(&st->metadata, s->streams[i]->metadata, 0); } + hls->packets_written = 1; hls->start_pos = 0; hls->new_start = 1; hls->fmp4_init_mode = 0; @@ -607,9 +611,14 @@ static int hls_mux_init(AVFormatContext *s) av_log(s, AV_LOG_WARNING, "Multi-file byterange mode is currently unsupported in the HLS muxer.\n"); return AVERROR_PATCHWELCOME; } + hls->packets_written = 0; + hls->init_range_length = 0; hls->fmp4_init_mode = !byterange_mode; set_http_options(s, &options, hls); - if ((ret = s->io_open(s, &oc->pb, hls->base_output_dirname, AVIO_FLAG_WRITE, &options)) < 0) { + if ((ret = avio_open_dyn_buf(&oc->pb)) < 0) + return ret; + + if ((ret = s->io_open(s, &hls->out, hls->base_output_dirname, AVIO_FLAG_WRITE, &options)) < 0) { av_log(s, AV_LOG_ERROR, "Failed to open segment '%s'\n", hls->fmp4_init_filename); return ret; } @@ -634,6 +643,7 @@ static int hls_mux_init(AVFormatContext *s) av_dict_free(&options); return AVERROR(EINVAL); } + avio_flush(oc->pb); av_dict_free(&options); } return 0; @@ -1600,6 +1610,8 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) int is_ref_pkt = 1; int ret = 0, can_split = 1; int stream_index = 0; + int range_length = 0; + uint8_t *buffer = NULL; if (hls->sequence - hls->nb_entries > hls->start_sequence && hls->init_time > 0) { /* reset end_pts, hls->recording_time at end of the init hls list */ @@ -1645,7 +1657,7 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) } } - if (hls->fmp4_init_mode || can_split && av_compare_ts(pkt->pts - hls->start_pts, st->time_base, + if (hls->packets_written && can_split && av_compare_ts(pkt->pts - hls->start_pts, st->time_base, end_pts, AV_TIME_BASE_Q) >= 0) { int64_t new_start_pos; char *old_filename = av_strdup(hls->avf->filename); @@ -1661,7 +1673,17 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) hls->size = new_start_pos - hls->start_pos; if (!byterange_mode) { - ff_format_io_close(s, &oc->pb); + if (hls->segment_type == SEGMENT_TYPE_FMP4 && !hls->init_range_length) { + avio_flush(oc->pb); + range_length = avio_close_dyn_buf(oc->pb, &buffer); + avio_write(hls->out, buffer, range_length); + hls->init_range_length = range_length; + avio_open_dyn_buf(&oc->pb); + hls->packets_written = 0; + ff_format_io_close(s, &hls->out); + } else { + ff_format_io_close(s, &oc->pb); + } if (hls->vtt_avf) { ff_format_io_close(s, &hls->vtt_avf->pb); } @@ -1719,6 +1741,7 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) } } + hls->packets_written++; ret = ff_write_chained(oc, stream_index, pkt, s, 0); return ret; From 752659ff1e0f6d9de93321f8b7e7c4ff741d0c8e Mon Sep 17 00:00:00 2001 From: Michael Roitzsch Date: Sat, 18 Nov 2017 13:33:08 +0100 Subject: [PATCH 0024/1764] lavfi/af_pan: fix sign handling in channel coefficient parser When a channel formula ends with a subtraction, the next formula will otherwise have its first coefficient negated. (cherry picked from commit 4f4e19914ddca5096bf7639c7c99a9045e436e8b) --- libavfilter/af_pan.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index 23b29419b6..d8a63a7952 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -166,6 +166,7 @@ static av_cold int init(AVFilterContext *ctx) goto fail; } /* gains */ + sign = 1; while (1) { gain = 1; if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) From ceed79323cb0a3e37a044821d70ab7a3439e1880 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Tue, 28 Nov 2017 14:26:55 -0800 Subject: [PATCH 0025/1764] Don't manipulate duration when it's AV_NOPTS_VALUE. This leads to signed integer overflow. Signed-off-by: Dale Curtis Signed-off-by: James Almer (cherry picked from commit c5fd57f483d2ad8e34551b78509f1e14136f73c0) --- libavformat/oggparsevp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index c534ab117d..b76ac71cc5 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -125,7 +125,7 @@ static int vp8_packet(AVFormatContext *s, int idx) os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; - if (s->streams[idx]->duration) + if (s->streams[idx]->duration && s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } From 5ab992cd3875a5a34d4c30a9d08f2eec95a3fd80 Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Thu, 30 Nov 2017 14:58:59 -0800 Subject: [PATCH 0026/1764] configure: Fix dependencies of aac_at decoder. Signed-off-by: Jacob Trimble Signed-off-by: James Almer (cherry picked from commit 83ecdc9a920d7f0b69d1a25d63757adb887a1f25) --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 18d80ee87a..1797c5dd4f 100755 --- a/configure +++ b/configure @@ -2903,6 +2903,7 @@ mjpeg2jpeg_bsf_select="jpegtables" # external libraries aac_at_decoder_deps="audiotoolbox" +aac_at_decoder_select="aac_adtstoasc_bsf" ac3_at_decoder_deps="audiotoolbox" ac3_at_decoder_select="ac3_parser" adpcm_ima_qt_at_decoder_deps="audiotoolbox" From 8d51090dcb8be6acfa37fe43439218b278063f1c Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 27 Nov 2017 13:39:42 -0300 Subject: [PATCH 0027/1764] avformat/matroskaenc: actually enforce the stream limit Prevents out of array accesses. Adressess ticket #6873 Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 9d464dc3fccb53f1e7c83e3453084c1a7fb90503) --- libavformat/matroskaenc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 6f094c458c..3c6bb6816a 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1858,6 +1858,13 @@ static int mkv_write_header(AVFormatContext *s) av_dict_get(s->metadata, "alpha_mode", NULL, 0)) version = 4; + if (s->nb_streams > MAX_TRACKS) { + av_log(s, AV_LOG_ERROR, + "At most %d streams are supported for muxing in Matroska\n", + MAX_TRACKS); + return AVERROR(EINVAL); + } + for (i = 0; i < s->nb_streams; i++) { if (s->streams[i]->codecpar->codec_id == AV_CODEC_ID_ATRAC3 || s->streams[i]->codecpar->codec_id == AV_CODEC_ID_COOK || From 2940b3e17cd352fc22152909843867771922b4dd Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 28 Nov 2017 01:23:23 -0300 Subject: [PATCH 0028/1764] avformat/matroskaenc: add missing allocation failure checks for stream durations Signed-off-by: James Almer (cherry picked from commit 5f67073b4cb12abf21ed840948b271903d61bf3b) --- libavformat/matroskaenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 3c6bb6816a..3073fd8f77 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1982,6 +1982,10 @@ static int mkv_write_header(AVFormatContext *s) // initialize stream_duration fields mkv->stream_durations = av_mallocz(s->nb_streams * sizeof(int64_t)); mkv->stream_duration_offsets = av_mallocz(s->nb_streams * sizeof(int64_t)); + if (!mkv->stream_durations || !mkv->stream_duration_offsets) { + ret = AVERROR(ENOMEM); + goto fail; + } ret = mkv_write_tracks(s); if (ret < 0) From bcfbcbec481c26d4b4a815d390c594c8c13fd647 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 15 Nov 2017 21:13:07 -0300 Subject: [PATCH 0029/1764] avcodec/proresdec: align dequantization matrix buffers Should fix ticket #6838 Signed-off-by: James Almer (cherry picked from commit f399172d6e842fbdd05c599cdbbb1668c8c354be) --- libavcodec/proresdec2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 0f791de97b..2ebda78a7a 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -517,8 +517,8 @@ static int decode_slice_thread(AVCodecContext *avctx, void *arg, int jobnr, int int luma_stride, chroma_stride; int y_data_size, u_data_size, v_data_size, a_data_size; uint8_t *dest_y, *dest_u, *dest_v, *dest_a; - int16_t qmat_luma_scaled[64]; - int16_t qmat_chroma_scaled[64]; + LOCAL_ALIGNED_16(int16_t, qmat_luma_scaled, [64]); + LOCAL_ALIGNED_16(int16_t, qmat_chroma_scaled,[64]); int mb_x_shift; int ret; From 561e276899bb1e039ff868ac7471a3954b2ffeb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Oct 2017 17:11:20 +0200 Subject: [PATCH 0030/1764] ffserver: Fix off by 1 error in path Code suggested by ubitux Signed-off-by: Michael Niedermayer (cherry picked from commit 617f0c65e1bac8983a5b6521818c1b9b57f0804b) Signed-off-by: Michael Niedermayer --- fftools/ffserver.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/fftools/ffserver.c b/fftools/ffserver.c index d4885dfa0e..7f8b2387bd 100644 --- a/fftools/ffserver.c +++ b/fftools/ffserver.c @@ -476,7 +476,7 @@ static int compute_datarate(DataRateData *drd, int64_t count) static void start_children(FFServerStream *feed) { char *pathname; - char *slash; + char *dirname, *prog; int i; size_t cmd_length; @@ -495,22 +495,18 @@ static void start_children(FFServerStream *feed) return; } - slash = strrchr(my_program_name, '/'); - if (!slash) { - pathname = av_mallocz(sizeof("ffmpeg")); - } else { - pathname = av_mallocz(slash - my_program_name + sizeof("ffmpeg")); - if (pathname != NULL) { - memcpy(pathname, my_program_name, slash - my_program_name); - } + /* use "ffmpeg" in the path of current program. Ignore user provided path */ + prog = av_strdup(my_program_name); + if (prog) { + dirname = av_dirname(prog); + pathname = *dirname ? av_asprintf("%s/%s", dirname, "ffmpeg") + : av_asprintf("ffmpeg"); + av_free(prog); } - if (!pathname) { + if (!prog || !pathname) { http_log("Could not allocate memory for children cmd line\n"); return; } - /* use "ffmpeg" in the path of current program. Ignore user provided path */ - - strcat(pathname, "ffmpeg"); for (; feed; feed = feed->next) { From 7ff156b112857f25f85f657a51df9b3d928ae3ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Oct 2017 17:11:21 +0200 Subject: [PATCH 0031/1764] tests/ffserver.regression.ref: update checksums to what ffserver currently produces Signed-off-by: Michael Niedermayer (cherry picked from commit 431eccd61e155190a7762314938799076cffeb67) Signed-off-by: Michael Niedermayer --- tests/ffserver.regression.ref | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/ffserver.regression.ref b/tests/ffserver.regression.ref index 398c285156..fd8536c853 100644 --- a/tests/ffserver.regression.ref +++ b/tests/ffserver.regression.ref @@ -1,11 +1,11 @@ 0c9639f09decbc54c9f091dcf1ca0e8f *ff-test_h.avi e28ba75853caf975e06d92955c9f7f73 *ff-test_l.avi a767dbdf5d1bded3450279f812f97b37 *ff-test.swf -dc16f607e13328a832e73801cd21ec98 *ff-test_h.asf -69337d6c8cd7ac7e626338decdbf41d3 *ff-test_l.asf +ca209a0c67afbd3bc3bcde0840f313fc *ff-test_h.asf +f97a91609bfc8a1857455f17c5ec101c *ff-test_l.asf 06f5a6a4c5d1c6735f4d0068e825c91f *ff-test_h.rm 1f57580f02f0317407b3b82a3d5e093f *ff-test_l.rm -4c887dfc1dd0f6ea1a3a2be6dd32e495 *ff-test.jpg -1d04b73b04aad27793cc762d5afabac1 *ff-test_small.jpg -bc36c40ee34ebee6ffe50f3094aab733 *ff-test.mjpg +e04e6ebf9584654df131f5eec881ac38 *ff-test.jpg +f15d43e9d3630601b61a024023249bb8 *ff-test_small.jpg +4735c72cde67000f12e9d1dbfbd975a7 *ff-test.mjpg fd038af80560e15271ce42651093ee43 *ff-stat From 1c931d5ab99aaaaa599b0b1876777873c73ad665 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:56 +0200 Subject: [PATCH 0032/1764] avcodec/jpeglsdec: Check ilv for being a supported value Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe533628b9604e2f8e5179d5c5dd17c3cb764265) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 64505321af..cb2f89a88c 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -443,6 +443,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, avpriv_report_missing_feature(s->avctx, "Sample interleaved images"); ret = AVERROR_PATCHWELCOME; goto end; + } else { /* unknown interleaving */ + avpriv_report_missing_feature(s->avctx, "Unknown interleaved images"); + ret = AVERROR_PATCHWELCOME; + goto end; } if (s->xfrm && s->nb_components == 3) { From 7a23220bf9473b8918674e39281d2ee7e58cda92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Oct 2017 00:02:57 +0200 Subject: [PATCH 0033/1764] avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f80224ed19a4c012549fd460d529c7c04e68cf21) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index cb2f89a88c..5308b744df 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, while (x < w) { int err, pred; + if (get_bits_left(&s->gb) <= 0) + return; + /* compute gradients */ Ra = x ? R(dst, x - stride) : R(last, x); Rb = R(last, x); From b3bdb0ddc15b9ecc83548dfe93a26087e415bc30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Oct 2017 02:23:20 +0200 Subject: [PATCH 0034/1764] avcodec/aacdec_fixed: Fix integer overflow in predict() Fixes: runtime error: signed integer overflow: -2110708110 + -82837504 cannot be represented in type 'int' Fixes: 3547/clusterfuzz-testcase-minimized-6009386439802880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0976752420706c0a8b3cb8fd61497a47c7d7270f) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index f6a533010f..5e9249ceea 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -307,9 +307,9 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (shift < 31) { if (shift > 0) { - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift); } else - *coef += pv.mant << -shift; + *coef += (unsigned)(pv.mant << -shift); } } From dccead84c658d8b11cd2b24b65ef5a394b993512 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Oct 2017 02:23:21 +0200 Subject: [PATCH 0035/1764] avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() Fixes: runtime error: signed integer overflow: 623487 * 536870912 cannot be represented in type 'int' Fixes: 3594/clusterfuzz-testcase-minimized-4650622935629824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 41d96af2a74cb5df50346b160067facd43149667) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 5e9249ceea..d802f3834f 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -394,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp * (1 << shift); + dest[group * 128 + k] += tmp * (1U << shift); } } } From 6be60aedcb76b4cdf7cf588fd7ecc0d805eddcbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Oct 2017 23:21:40 +0100 Subject: [PATCH 0036/1764] avcodec/xan: Improve overlapping check Fixes: memcpy-param-overlap Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e8fafef1db43ead4eae5a6301ccc300e73aa47da) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 4c01c0013f..8b4ec82405 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -263,7 +263,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, AVFrame *frame, prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - if (prev_palette_plane == palette_plane && FFABS(curframe_index - prevframe_index) < pixel_count) { + if (prev_palette_plane == palette_plane && FFABS(motion_x + width*motion_y) < pixel_count) { avpriv_request_sample(s->avctx, "Overlapping copy"); return ; } From 66e65e0a686a875fc4693e332bba6a2a221fe946 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Oct 2017 23:21:41 +0100 Subject: [PATCH 0037/1764] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: 924846844 + 1457520640 cannot be represented in type 'int' Fixes: 3416/clusterfuzz-testcase-minimized-6125587682820096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b739e1cb8f6ce8baead03ce5c999103ba78f24f) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 3ad58c4a11..fbd07cb8d5 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -107,10 +107,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ } for( i = 0; i < 8; i++ ) { - const unsigned a0 = block[0+i*8] + block[4+i*8]; - const unsigned a2 = block[0+i*8] - block[4+i*8]; - const unsigned a4 = (block[2+i*8]>>1) - block[6+i*8]; - const unsigned a6 = (block[6+i*8]>>1) + block[2+i*8]; + const unsigned a0 = block[0+i*8] + (unsigned)block[4+i*8]; + const unsigned a2 = block[0+i*8] - (unsigned)block[4+i*8]; + const unsigned a4 = (block[2+i*8]>>1) - (unsigned)block[6+i*8]; + const unsigned a6 = (block[6+i*8]>>1) + (unsigned)block[2+i*8]; const unsigned b0 = a0 + a6; const unsigned b2 = a2 + a4; From 78b8aeee585b40c251bcf5686dcb635378ba3a44 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 12 Apr 2017 01:46:30 +0200 Subject: [PATCH 0038/1764] avformat: Free the internal codec context at the end Avoid a use after free in avformat_find_stream_info. (cherry picked from commit 9e4a5eb51b9f3b2bff0ef08e0074b7fe4893075d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 1a7996c4fd..881438a504 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3882,12 +3882,6 @@ FF_ENABLE_DEPRECATION_WARNINGS } } - // close codecs which were opened in try_decode_frame() - for (i = 0; i < ic->nb_streams; i++) { - st = ic->streams[i]; - avcodec_close(st->internal->avctx); - } - ff_rfps_calculate(ic); for (i = 0; i < ic->nb_streams; i++) { @@ -4078,6 +4072,7 @@ find_stream_info_err: st = ic->streams[i]; if (st->info) av_freep(&st->info->duration_error); + avcodec_close(ic->streams[i]->internal->avctx); av_freep(&ic->streams[i]->info); av_bsf_free(&ic->streams[i]->internal->extract_extradata.bsf); av_packet_free(&ic->streams[i]->internal->extract_extradata.pkt); From 0ee2cb866c023d72073408be0c117acf817a276a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Nov 2017 01:19:19 +0100 Subject: [PATCH 0039/1764] avcodec/exr: fix undefined shift in pxr24_uncompress() Fixes: runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 3787/clusterfuzz-testcase-minimized-5728764920070144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 66f0c958bfd5475658b432d1af4d2e174b2dfcda) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0b755db3cb..b1ecde4ebd 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -855,7 +855,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, in = ptr[2] + td->xsize; for (j = 0; j < td->xsize; ++j) { - uint32_t diff = (*(ptr[0]++) << 24) | + uint32_t diff = ((unsigned)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8); pixel += diff; From 3ca4f1868d66b8bae61dbf0bd78071aca8d61bb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Nov 2017 17:48:29 +0100 Subject: [PATCH 0040/1764] avcodec/xan: Check for bitstream end in xan_huffman_decode() Fixes: Timeout Fixes: 3707/clusterfuzz-testcase-6465922706440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b51437dccd62fc5491280db44e3c21b44aeeb3f) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 8b4ec82405..1ccf164847 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -131,7 +131,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len, return ret; while (val != 0x16) { - unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + unsigned idx; + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; + idx = val - 0x17 + get_bits1(&gb) * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx]; From 56ce961cc3dd3b8a708d66f40360adcefeee3a28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Nov 2017 01:19:20 +0100 Subject: [PATCH 0041/1764] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot be represented in type 'int' Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e131b8cedb00043dcc97cc05ca04749ec8ff57de) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index fbd07cb8d5..7526bdd812 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ const int a5 = -block[i+1*8] + (unsigned)block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1); const int a7 = block[i+3*8] + (unsigned)block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1); - const int b1 = (a7>>2) + a1; - const int b3 = a3 + (a5>>2); - const int b5 = (a3>>2) - a5; - const int b7 = a7 - (a1>>2); + const int b1 = (a7>>2) + (unsigned)a1; + const int b3 = (unsigned)a3 + (a5>>2); + const int b5 = (a3>>2) - (unsigned)a5; + const int b7 = (unsigned)a7 - (a1>>2); block[i+0*8] = b0 + b7; block[i+7*8] = b0 - b7; From 3f2be02b4d77d81b678cb10dc54149c67f189899 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:18 +0100 Subject: [PATCH 0042/1764] avutil/softfloat: Add FLOAT_MIN Signed-off-by: Michael Niedermayer (cherry picked from commit e34fe61bf45331d2e6d2840604f799fa4b55c843) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index b13d728f30..a651406f74 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -43,6 +43,7 @@ static const SoftFloat FLOAT_EPSILON = { 0x29F16B12, -16}; static const SoftFloat FLOAT_1584893192 = { 0x32B771ED, 1}; ///< 1.584893192 (10^.2) static const SoftFloat FLOAT_100000 = { 0x30D40000, 17}; ///< 100000 static const SoftFloat FLOAT_0999999 = { 0x3FFFFBCE, 0}; ///< 0.999999 +static const SoftFloat FLOAT_MIN = { 0x20000000, MIN_EXP}; /** From 8ec1ff14fe8878fd74173c5bb0d6bc5355e67245 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:19 +0100 Subject: [PATCH 0043/1764] avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d1dec466895eed12f2c79b7ab5447f5390fe869) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 289bb86a81..3d5875a469 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -433,6 +433,7 @@ static void sbr_gain_calc(AACContext *ac, SpectralBandReplication *sbr, av_add_sf(FLOAT_1, sbr->e_curr[e][m]), av_add_sf(FLOAT_1, sbr->q_mapped[e][m])))); } + sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN); } for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) { sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]); From 87f39642f3292f2cb404de56f18ceceabc14730f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Nov 2017 14:00:20 +0100 Subject: [PATCH 0044/1764] avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long' Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 981e99ab99986935affad7c164ebdfe28e8ea7f8) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 896b2d75c6..a0ef6859f1 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -244,12 +244,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], int64_t accu; for (m = 0; m < m_max; m++) { - int64_t r = 1LL << (22-g_filt[m].exp); - accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); - Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); + if (22 - g_filt[m].exp < 61) { + int64_t r = 1LL << (22-g_filt[m].exp); + accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); + Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); - accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); - Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); + Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + } } } From ed87b8b61fcd5d3f32441c04a738998293745dde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Nov 2017 18:34:09 +0100 Subject: [PATCH 0045/1764] avcodec/cngdec: Fix integer clipping Fixes: runtime error: value -36211.7 is outside the range of representable values of type 'short' Fixes: 2992/clusterfuzz-testcase-6649611793989632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51090133b31bc719ea868db15d3ee38e9dbe90f1) Signed-off-by: Michael Niedermayer --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 1e884f3c33..28432ac719 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -153,7 +153,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data, return ret; buf_out = (int16_t *)frame->data[0]; for (i = 0; i < avctx->frame_size; i++) - buf_out[i] = p->filter_out[i + p->order]; + buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); From 3a143bfa19a39631d63081a0917446b14b89332a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:05 +0100 Subject: [PATCH 0046/1764] avcodec/snowdec: Fix integer overflow in header parsing Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576 Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 13668c2105..727e908fb5 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){ } } - s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1); + s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->spatial_decomposition_type > 1U){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type); return AVERROR_INVALIDDATA; @@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){ } - s->qlog += get_symbol(&s->c, s->header_state, 1); - s->mv_scale += get_symbol(&s->c, s->header_state, 1); - s->qbias += get_symbol(&s->c, s->header_state, 1); - s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); + s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; From 168ee582559d904360261c8dab9eca2ba6490583 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:06 +0100 Subject: [PATCH 0047/1764] avcodec/mdct_*: Fix integer overflow in addition in RESCALE() Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot be represented in type 'int' Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 770c934fa1635f4fadf5db4fc5cc5ad15d82455a) Signed-off-by: Michael Niedermayer --- libavcodec/mdct_fixed.c | 8 ++++---- libavcodec/mdct_template.c | 14 +++++++------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c index a32cb00ca0..aabf0c88f8 100644 --- a/libavcodec/mdct_fixed.c +++ b/libavcodec/mdct_fixed.c @@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input) /* pre rotation */ for(i=0;i> 6) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6) #else /* FFT_FIXED_32 */ -# define RSCALE(x) ((x) >> 1) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1) #endif /* FFT_FIXED_32 */ #endif @@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input) /* pre rotation */ for(i=0;i Date: Sun, 5 Nov 2017 21:20:07 +0100 Subject: [PATCH 0048/1764] avcodec/aacdec_fixed: Fix undefined shift Fixes: runtime error: left shift of negative value -801112064 Fixes: 3492/clusterfuzz-testcase-minimized-5784775283441664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fca198fb5bf42ba6b765b3f75b11738e4b4fc2a9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index d802f3834f..32bd1454bd 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -309,7 +309,7 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (shift > 0) { *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift); } else - *coef += (unsigned)(pv.mant << -shift); + *coef += (unsigned)pv.mant << -shift; } } From 44fb1201123e554ee07a58bca49d7250c5561fa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Nov 2017 21:20:08 +0100 Subject: [PATCH 0049/1764] avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() Fixes: runtime error: signed integer overflow: 1939661764 - -454942263 cannot be represented in type 'int' Fixes: 3191/clusterfuzz-testcase-minimized-5688798451073024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2afe05402f05d485f0c356b04dc562f0510d317d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index e35e9699b0..19be200653 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -130,12 +130,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT (*delay)[2], INTFLOAT apd_im = in_im; in_re = AAC_MSUB30(link_delay_re, fractional_delay_re, link_delay_im, fractional_delay_im); - in_re -= a_re; + in_re -= (UINTFLOAT)a_re; in_im = AAC_MADD30(link_delay_re, fractional_delay_im, link_delay_im, fractional_delay_re); - in_im -= a_im; - ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re); - ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im); + in_im -= (UINTFLOAT)a_im; + ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re); + ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im); } out[n][0] = AAC_MUL16(transient_gain[n], in_re); out[n][1] = AAC_MUL16(transient_gain[n], in_im); From 6ccf19198b360cfc3fe5cd274948cfde2fe305e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Nov 2017 20:47:48 +0100 Subject: [PATCH 0050/1764] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu Fixes: out of array read Fixes: 3516/attachment-311488.dat Found-by: Insu Yun, Georgia Tech. Tested-by: wuninsu@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8) Signed-off-by: Michael Niedermayer --- libavcodec/x86/mpegvideodsp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c index e0498f3849..6009b64e07 100644 --- a/libavcodec/x86/mpegvideodsp.c +++ b/libavcodec/x86/mpegvideodsp.c @@ -52,8 +52,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); - int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; + int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) | From d25736dc871b46f9e22e6b23b4b8e131e685a9c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Oct 2017 18:04:44 +0200 Subject: [PATCH 0051/1764] avcodec/h264dec: Fix potential array overread add padding before scantable arrays See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a Signed-off-by: Michael Niedermayer (cherry picked from commit 380b48fb9fdc7b0c40d67e026f9b3accb12794eb) Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264dec.h b/libavcodec/h264dec.h index 2106ba077e..de8b7c38b9 100644 --- a/libavcodec/h264dec.h +++ b/libavcodec/h264dec.h @@ -416,6 +416,7 @@ typedef struct H264Context { uint8_t (*mvd_table[2])[2]; uint8_t *direct_table; + uint8_t scan_padding[16]; uint8_t zigzag_scan[16]; uint8_t zigzag_scan8x8[64]; uint8_t zigzag_scan8x8_cavlc[64]; From 7b16eacf81dc55463934d7f45c600f0322d74f27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 16:53:34 +0100 Subject: [PATCH 0052/1764] avcodec/vc2enc: Clear coef_buf on allocation Fixes: Use of uninitialized memory Fixes: assertion failure Reviewed-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 6d00905f8134a2932e5c00dd1ec8b2a1f0a38035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 1059f41b56..cdc7d4250d 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1171,7 +1171,7 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) p->dwt_width = w = FFALIGN(p->width, (1 << s->wavelet_depth)); p->dwt_height = h = FFALIGN(p->height, (1 << s->wavelet_depth)); p->coef_stride = FFALIGN(p->dwt_width, 32); - p->coef_buf = av_malloc(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); + p->coef_buf = av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); if (!p->coef_buf) goto alloc_fail; for (level = s->wavelet_depth-1; level >= 0; level--) { From 53715eb13ee1f3197c4a211fdb063a264e17fe0a Mon Sep 17 00:00:00 2001 From: Fredrik Hubinette Date: Wed, 15 Nov 2017 17:24:30 -0800 Subject: [PATCH 0053/1764] avformat/mov: Check size of STSC allocation Signed-off-by: Michael Niedermayer (cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 899690d920..fc2d59b51a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2422,6 +2422,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if ((uint64_t)entries * 12 + 4 > atom.size) + return AVERROR_INVALIDDATA; av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", c->fc->nb_streams - 1, entries); From 77cfc820cfb5a7edad065c91a0f9650f0ce0dc90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:15 +0100 Subject: [PATCH 0054/1764] avcodec/snowdec: Check intra block dc differences. Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3b9bbcc6edf2d83fe4857484cfa0839872188c6) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 727e908fb5..a828769610 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -183,13 +183,22 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0; - if(type){ + int ld, cbd, crd; pred_mv(s, &mx, &my, 0, left, top, tr); - l += get_symbol(&s->c, &s->block_state[32], 1); + ld = get_symbol(&s->c, &s->block_state[32], 1); + if (ld < -255 || ld > 255) { + return AVERROR_INVALIDDATA; + } + l += ld; if (s->nb_planes > 2) { - cb+= get_symbol(&s->c, &s->block_state[64], 1); - cr+= get_symbol(&s->c, &s->block_state[96], 1); + cbd = get_symbol(&s->c, &s->block_state[64], 1); + crd = get_symbol(&s->c, &s->block_state[96], 1); + if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) { + return AVERROR_INVALIDDATA; + } + cb += cbd; + cr += crd; } }else{ if(s->ref_frames > 1) From 23d5f15b42fd63327c4ab938592832629a6b5980 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 21:17:16 +0100 Subject: [PATCH 0055/1764] avcodec/snowdec: Check for remaining bitstream in decode_blocks() Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4527ec2216109867498edc3ac8a17fd879b5d017) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index a828769610..a9bdb8da5e 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -437,6 +437,8 @@ static int decode_blocks(SnowContext *s){ for(y=0; yc.bytestream >= s->c.bytestream_end) + return AVERROR_INVALIDDATA; if ((res = decode_q_branch(s, 0, x, y)) < 0) return res; } From ecf2755a41b486c712b5637d423a20c5241125ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Sep 2017 01:28:07 +0200 Subject: [PATCH 0056/1764] avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() Fixes: Timeout Fixes: 3200/clusterfuzz-testcase-5750022136135680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65e0a7c473f23f1833538ffecf53c81fe500b5e4) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dec.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index 20dbee5703..225e30ab5a 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -30,7 +30,7 @@ #include "wmv2.h" -static void parse_mb_skip(Wmv2Context *w) +static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; MpegEncContext *const s = &w->s; @@ -45,6 +45,8 @@ static void parse_mb_skip(Wmv2Context *w) MB_TYPE_16x16 | MB_TYPE_L0; break; case SKIP_TYPE_MPEG: + if (get_bits_left(&s->gb) < s->mb_height * s->mb_width) + return AVERROR_INVALIDDATA; for (mb_y = 0; mb_y < s->mb_height; mb_y++) for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -52,6 +54,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_ROW: for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -65,6 +69,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_COL: for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -77,6 +83,7 @@ static void parse_mb_skip(Wmv2Context *w) } break; } + return 0; } static int decode_ext_header(Wmv2Context *w) @@ -170,9 +177,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } } else { int cbp_index; + int ret; w->j_type = 0; - parse_mb_skip(w); + ret = parse_mb_skip(w); + if (ret < 0) + return ret; cbp_index = decode012(&s->gb); w->cbp_table_index = wmv2_get_cbp_table_index(s, cbp_index); @@ -359,6 +369,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) w->hshift = 0; return 0; } + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); @@ -369,6 +381,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) cbp = code & 0x3f; } else { s->mb_intra = 1; + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); if (code < 0) { av_log(s->avctx, AV_LOG_ERROR, From 0ba93614cf22b9b552002484750c99cff766aec6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Nov 2017 03:40:07 +0100 Subject: [PATCH 0057/1764] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760 Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73964680d7bce6d81ddc553a24d73e9a1c9156f9) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 35ed8857e9..f9a9e9e1b3 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -102,7 +102,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) + (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) From cc9d1bb839229edf0f4e97e59d6e7f9d90603439 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 17:11:12 +0100 Subject: [PATCH 0058/1764] avcodec/zmbv: Check that the buffer is large enough for mvec Fixes: Timeout Fixes: 4143/clusterfuzz-testcase-4736864637419520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ab9568a2c3349039eec29fb960fe39de354b514) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index b09dc41ebd..f91d2e3931 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -539,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } else { frame->key_frame = 0; frame->pict_type = AV_PICTURE_TYPE_P; + if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh)) + return AVERROR_INVALIDDATA; if (c->decomp_len) c->decode_xor(c); } From 4942de6f9385b5221fb5f230573e954709cb82d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Nov 2017 03:38:37 +0100 Subject: [PATCH 0059/1764] avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() Fixes: runtime error: left shift of negative value -7862264 Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f7f70738e8dd77a698a5e28bba552ea7064af21) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index fbafa92d72..4e3a16c781 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample << 8; + *data_32++ = sample * 256; else *data_16++ = sample >> 8; } From 2e58db3db00bca0e815c3f725fa1bb4eda918b19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Nov 2017 22:01:29 +0100 Subject: [PATCH 0060/1764] avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() Fixes: runtime error: left shift of negative value -255 Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d88586e4728e97349f98e07ff782bb168ab96c3) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index e09c661759..46a0da2045 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1407,7 +1407,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 8aabc4fdb56cdd10ddc61dca8a995795721182f0 Mon Sep 17 00:00:00 2001 From: Jacob Trimble Date: Mon, 20 Nov 2017 12:05:02 -0800 Subject: [PATCH 0061/1764] avformat/mov: Propagate errors in mov_switch_root. Signed-off-by: Jacob Trimble Signed-off-by: Michael Niedermayer (cherry picked from commit 2d9cf3bf16b94cd9db10dabad695c69c5cff4f58) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index fc2d59b51a..5acac07d22 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6418,6 +6418,7 @@ static int should_retry(AVIOContext *pb, int error_code) { static int mov_switch_root(AVFormatContext *s, int64_t target) { + int ret; MOVContext *mov = s->priv_data; int i, j; int already_read = 0; @@ -6454,8 +6455,10 @@ static int mov_switch_root(AVFormatContext *s, int64_t target) mov->found_mdat = 0; - if (mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }) < 0 || - avio_feof(s->pb)) + ret = mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }); + if (ret < 0) + return ret; + if (avio_feof(s->pb)) return AVERROR_EOF; av_log(s, AV_LOG_TRACE, "read fragments, offset 0x%"PRIx64"\n", avio_tell(s->pb)); From 9a00ce0ff8643111711b932443255f365a26ee98 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 14:53:25 -0800 Subject: [PATCH 0062/1764] Fix leak of frame_duration_buffer in mov_fix_index(). Should be unconditionally freed at the end of mov_fix_index() in case it hasn't been used during the fix up. Signed-off-by: Dale Curtis Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit d073be2291e40129d107ca4573097d6d6d2dbf68) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5acac07d22..57cef83bba 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3329,6 +3329,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st) // Free the old index and the old CTTS structures av_free(e_old); av_free(ctts_data_old); + av_freep(&frame_duration_buffer); // Null terminate the index ranges array current_index_range++; From 50c93ce5ef71e39c5e49c8ae3873431d9d1753e1 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 14:51:09 -0800 Subject: [PATCH 0063/1764] Use ff_thread_once for fixed, float table init. These tables are static so they should only be initialized once instead of on every call to ff_mpadsp_init(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudiodsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudiodsp.c b/libavcodec/mpegaudiodsp.c index a5d20df629..3cafca27bf 100644 --- a/libavcodec/mpegaudiodsp.c +++ b/libavcodec/mpegaudiodsp.c @@ -20,17 +20,21 @@ #include "config.h" #include "libavutil/attributes.h" +#include "libavutil/thread.h" #include "mpegaudiodsp.h" #include "dct.h" #include "dct32.h" +static AVOnce mpadsp_float_table_init = AV_ONCE_INIT; +static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT; + av_cold void ff_mpadsp_init(MPADSPContext *s) { DCTContext dct; ff_dct_init(&dct, 5, DCT_II); - ff_init_mpadsp_tabs_float(); - ff_init_mpadsp_tabs_fixed(); + ff_thread_once(&mpadsp_float_table_init, &ff_init_mpadsp_tabs_float); + ff_thread_once(&mpadsp_fixed_table_init, &ff_init_mpadsp_tabs_fixed); s->apply_window_float = ff_mpadsp_apply_window_float; s->apply_window_fixed = ff_mpadsp_apply_window_fixed; From f8fcb6bbf0e64b9453ad85978dc4357e7afdd499 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 16:05:30 -0800 Subject: [PATCH 0064/1764] Fix undefined shift on assumed 8-bit input. decode_user_data() attempts to create an integer |build| value with 8 bits of spacing for 3 components. However each component is an int32_t, so shifting each component is undefined for values outside of the 8 bit range. This patch simply clamps input to 8-bits per component and prints out a warning that the values were clamped. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7010dd98b575d2e39fca947e609b85be7490b269) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index cd39131d55..5ae724bed1 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2149,8 +2149,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build); if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; - if (e > 1) - build = (ver << 16) + (ver2 << 8) + ver3; + if (e > 1) { + if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { + av_log(s->avctx, AV_LOG_WARNING, + "Unknown Lavc version string encountered, %d.%d.%d; " + "clamping sub-version values to 8-bits.\n", + ver, ver2, ver3); + } + build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF); + } } if (e != 4) { if (strcmp(buf, "ffmpeg") == 0) From 35c7a1df8ae57b7c913f656f594a87bc9e7fab0c Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Mon, 20 Nov 2017 12:07:57 -0800 Subject: [PATCH 0065/1764] Close ogg stream upon error when using AV_EF_EXPLODE. Without this there can be multiple memory leaks for unrecognized ogg streams. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bce8fc0754c4b31f574a4372c6d7996ed29f7c2a) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 97ad1a27d1..193a286e43 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -719,8 +719,10 @@ static int ogg_read_header(AVFormatContext *s) "Headers mismatch for stream %d: " "expected %d received %d.\n", i, os->codec->nb_header, os->nb_header); - if (s->error_recognition & AV_EF_EXPLODE) + if (s->error_recognition & AV_EF_EXPLODE) { + ogg_read_close(s); return AVERROR_INVALIDDATA; + } } if (os->start_granule != OGG_NOGRANULE_VALUE) os->lastpts = s->streams[i]->start_time = From 1549890035865c51174de66fcb57bde9853382c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Nov 2017 03:15:53 +0100 Subject: [PATCH 0066/1764] avcodec/mpeg4videodec: Check also for negative versions in the validity check Signed-off-by: Michael Niedermayer (cherry picked from commit 0e7865ce4152f8b04cda6a698bbee4fd4a94009d) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 5ae724bed1..8eafc783b8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2150,7 +2150,7 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; if (e > 1) { - if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { + if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) { av_log(s->avctx, AV_LOG_WARNING, "Unknown Lavc version string encountered, %d.%d.%d; " "clamping sub-version values to 8-bits.\n", From de20dad15e42c499b22239867151f217b023c394 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Nov 2017 20:18:40 +0100 Subject: [PATCH 0067/1764] avcodec/sbrdsp_fixed: Fix integer overflow Fixes: signed integer overflow: 2147483598 + 64 cannot be represented in type 'int' Fixes: 4337/clusterfuzz-testcase-minimized-6192658616680448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12a511f2c265d6319b7fdc332a6aa8aca1535309) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index a0ef6859f1..57d98da979 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -133,7 +133,7 @@ static av_always_inline SoftFloat autocorr_calc(int64_t accu) round = 1U << (nz-1); mant = (int)((accu + round) >> nz); - mant = (mant + 0x40)>>7; + mant = (mant + 0x40LL)>>7; mant *= 64; expo = nz + 15; return av_int2sf(mant, 30 - expo); From f2f0273588ed17e7b3824bd541a6aabf3121e4b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Nov 2017 03:15:16 +0100 Subject: [PATCH 0068/1764] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be represented in type 'int' Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b6964f764382742bb052a1ee3b7167cac35332f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9a9e9e1b3..eb5aebc878 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) + ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) From 3ae71b648ad041cacd10db5be220eb2aeda2869b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Nov 2017 19:22:51 +0100 Subject: [PATCH 0069/1764] avformat/aacdec: Fix leak in adts_aac_read_packet() Fixes: chromium-773637/clusterfuzz-testcase-minimized-6418078673141760 Found-by: ossfuzz/chromium Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 2779d33ed99898675e0b3884fabe1ce6839f36d1) Signed-off-by: Michael Niedermayer --- libavformat/aacdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index 364b33404f..36d558ff54 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -139,7 +139,11 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_INVALIDDATA; } - return av_append_packet(s->pb, pkt, fsize - ADTS_HEADER_SIZE); + ret = av_append_packet(s->pb, pkt, fsize - ADTS_HEADER_SIZE); + if (ret < 0) + av_packet_unref(pkt); + + return ret; } AVInputFormat ff_aac_demuxer = { From e56f691283f0a793c3ae00711e98e316649f9f49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Nov 2017 20:14:54 +0100 Subject: [PATCH 0070/1764] avcodec/kgv1dec: Check that there is enough input for maximum RLE compression Fixes: Timeout Fixes: 4271/clusterfuzz-testcase-4676667768307712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3aad94bf2b140cfba8ae69d018da05d4948ef37f) Signed-off-by: Michael Niedermayer --- libavcodec/kgv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 5359411c76..a6bd9400ac 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h = (buf[1] + 1) * 8; buf += 2; + if (avpkt->size < 2 + w*h / 513) + return AVERROR_INVALIDDATA; + if (w != avctx->width || h != avctx->height) { av_freep(&c->frame_buffer); av_freep(&c->last_frame_buffer); From 983d119c9b7342b9bf3dff737d520a426a6afd5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Nov 2017 03:08:20 +0100 Subject: [PATCH 0071/1764] avcodec/h264idct_template: Fix integer overflow in ff_h264_idct8_add Fixes: signed integer overflow: 452986184 - -2113885312 cannot be represented in type 'int' Fixes: 4196/clusterfuzz-testcase-minimized-5580648594014208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9cc926da7d9920d17b76584e7212309ab5c02387) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 7526bdd812..5993ae2e6e 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -76,10 +76,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ for( i = 0; i < 8; i++ ) { - const unsigned int a0 = block[i+0*8] + block[i+4*8]; - const unsigned int a2 = block[i+0*8] - block[i+4*8]; - const unsigned int a4 = (block[i+2*8]>>1) - block[i+6*8]; - const unsigned int a6 = (block[i+6*8]>>1) + block[i+2*8]; + const unsigned int a0 = block[i+0*8] + (unsigned)block[i+4*8]; + const unsigned int a2 = block[i+0*8] - (unsigned)block[i+4*8]; + const unsigned int a4 = (block[i+2*8]>>1) - (unsigned)block[i+6*8]; + const unsigned int a6 = (block[i+6*8]>>1) + (unsigned)block[i+2*8]; const unsigned int b0 = a0 + a6; const unsigned int b2 = a2 + a4; From ed87667bd3d4bf45fb1bc173d2ba28b17add9145 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Nov 2017 18:45:45 +0100 Subject: [PATCH 0072/1764] avcodec/mlpdsp: Fix signed integer overflow, 2nd try The outputted bits should match what is used in the lossless check Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be represented in type 'int' Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97c00edaa043043c29d985653e7e1687b56dfa23) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 4e3a16c781..32a4503b64 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample * 256; + *data_32++ = sample * 256U; else *data_16++ = sample >> 8; } From f7357facd8334863fd665b58d9b5487df4e9f583 Mon Sep 17 00:00:00 2001 From: John Stebbins Date: Sun, 26 Nov 2017 07:32:30 -0800 Subject: [PATCH 0073/1764] lavf/mov: fix huge alloc in mov_read_ctts An invalid file may cause huge alloc. Delay expansion of ctts entries until the number of samples is known in mov_build_index. Fixes: 23 Found-by: zhao dongzhuo, AD-lab of Venustech Signed-off-by: Michael Niedermayer (cherry picked from commit 2d015d3bf9fed59c65a3819a35fedbb8b7dde623) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 57cef83bba..9a6c3b3e46 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2716,7 +2716,7 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) { AVStream *st; MOVStreamContext *sc; - unsigned int i, j, entries, ctts_count = 0; + unsigned int i, entries, ctts_count = 0; if (c->fc->nb_streams < 1) return 0; @@ -2749,9 +2749,8 @@ static int mov_read_ctts(MOVContext *c, AVIOContext *pb, MOVAtom atom) continue; } - /* Expand entries such that we have a 1-1 mapping with samples. */ - for (j = 0; j < count; j++) - add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size, 1, duration); + add_ctts_entry(&sc->ctts_data, &ctts_count, &sc->ctts_allocated_size, + count, duration); av_log(c->fc, AV_LOG_TRACE, "count=%d, duration=%d\n", count, duration); @@ -3349,6 +3348,8 @@ static void mov_build_index(MOVContext *mov, AVStream *st) unsigned int stps_index = 0; unsigned int i, j; uint64_t stream_size = 0; + MOVStts *ctts_data_old = sc->ctts_data; + unsigned int ctts_count_old = sc->ctts_count; if (sc->elst_count) { int i, edit_start_index = 0, multiple_edits = 0; @@ -3417,6 +3418,28 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } st->index_entries_allocated_size = (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries); + if (ctts_data_old) { + // Expand ctts entries such that we have a 1-1 mapping with samples + if (sc->sample_count >= UINT_MAX / sizeof(*sc->ctts_data)) + return; + sc->ctts_count = 0; + sc->ctts_allocated_size = 0; + sc->ctts_data = av_fast_realloc(NULL, &sc->ctts_allocated_size, + sc->sample_count * sizeof(*sc->ctts_data)); + if (!sc->ctts_data) { + av_free(ctts_data_old); + return; + } + for (i = 0; i < ctts_count_old && + sc->ctts_count < sc->sample_count; i++) + for (j = 0; j < ctts_data_old[i].count && + sc->ctts_count < sc->sample_count; j++) + add_ctts_entry(&sc->ctts_data, &sc->ctts_count, + &sc->ctts_allocated_size, 1, + ctts_data_old[i].duration); + av_free(ctts_data_old); + } + for (i = 0; i < sc->chunk_count; i++) { int64_t next_offset = i+1 < sc->chunk_count ? sc->chunk_offsets[i+1] : INT64_MAX; current_offset = sc->chunk_offsets[i]; From 0ccbbf034dc0bc94b5b735e56e8d35d51c23920f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2017 21:27:37 +0100 Subject: [PATCH 0074/1764] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() Fixes: runtime error: left shift of negative value -127 Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0409d333115e623b5ccdbb364d64ca2a52fd8467) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 46a0da2045..0623cfad89 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1355,7 +1355,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 17f05ff656ff39445c77e15f0dcd80c42ce24727 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Nov 2017 23:42:04 +0100 Subject: [PATCH 0075/1764] avcodec/j2kenc: Fix out of array access in encode_cblk() Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0674087004538599797688785f6ac82358abc23b) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index c8d3861732..baaf47422c 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20 cblk->npasses = passno; cblk->ninclpasses = passno; - cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len); + if (passno) + cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len); } /* tier-2 routines: */ From 36db62ca984b0b77b9fe119f47f0a4caaaaa6e75 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Fri, 17 Nov 2017 13:35:56 -0800 Subject: [PATCH 0076/1764] avformat/utils: Prevent undefined shift with wrap_bits > 64. 2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the code to use a uint64_t (2ULL) and add an av_assert2() to ensure wrap_bits <= 64. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 03fbc0daa7e37af024f8b017a28105c32bbe25ca) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 881438a504..b727f3d3be 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1735,13 +1735,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; + av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && - (av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << (wrap_bits - 1)) < 0)) { - if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL << (wrap_bits - 1))) { + av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { + if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL << (wrap_bits - 1))) { // not B-frame next_pkt->pts = pktl->pkt.dts; } From 23319f77645d7041fde3e33d981886bff52d2e47 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 22 Nov 2017 10:58:39 -0800 Subject: [PATCH 0077/1764] avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 9648cc6d7fdbb0a260bed1e3e23300569cff9579) Signed-off-by: Michael Niedermayer --- libavcodec/vorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 399020eec5..f710c23450 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -91,7 +91,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) exit_at_level[i] = 0; // construct code (append 0s to end) and introduce new exits for (j = i + 1 ;j <= bits[p]; ++j) - exit_at_level[j] = code + (1 << (j - 1)); + exit_at_level[j] = code + (1u << (j - 1)); codes[p] = code; } From c147aefc3ecd30a9ee9dff126251179d93d064fd Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 30 Nov 2017 12:20:36 -0800 Subject: [PATCH 0078/1764] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. Didn't notice this one when 9648cc6d was landed. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 95bacb521af8cd28f146f045437c9f75717a493a) Signed-off-by: Michael Niedermayer --- libavcodec/vorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index f710c23450..aabd9bbd19 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -67,7 +67,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) if (bits[p] > 32) return AVERROR_INVALIDDATA; for (i = 0; i < bits[p]; ++i) - exit_at_level[i+1] = 1 << i; + exit_at_level[i+1] = 1u << i; ++p; From a749f4864e48ce31dff4028018bff84fb8fca218 Mon Sep 17 00:00:00 2001 From: Nikolas Bowe Date: Tue, 5 Dec 2017 15:11:26 -0800 Subject: [PATCH 0079/1764] avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing Signed-off-by: Michael Niedermayer (cherry picked from commit 5a412a5c3cc216ae1d15e6b884bda7214b73a5b0) Signed-off-by: Michael Niedermayer --- libavcodec/extract_extradata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/extract_extradata_bsf.c b/libavcodec/extract_extradata_bsf.c index ed6509c681..d40907a675 100644 --- a/libavcodec/extract_extradata_bsf.c +++ b/libavcodec/extract_extradata_bsf.c @@ -78,7 +78,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt, ret = ff_h2645_packet_split(&h2645_pkt, pkt->data, pkt->size, ctx, 0, 0, ctx->par_in->codec_id, 1); if (ret < 0) - return ret; + goto fail; for (i = 0; i < h2645_pkt.nb_nals; i++) { H2645NAL *nal = &h2645_pkt.nals[i]; From 3a6140e4cf8955cf9314d6f0b0f6be3e18846fa7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Dec 2017 21:48:04 +0100 Subject: [PATCH 0080/1764] avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024 Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e9a13a5a33bf7566591216e335f2529612100bb) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index eb5aebc878..50c8b1e394 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) + ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ From b2169c8bcc4306b68ae67f71e4723a22c695266a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Dec 2017 21:53:22 +0100 Subject: [PATCH 0081/1764] avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() Fixes: runtime error: signed integer overflow: 2147483646 + 2048 cannot be represented in type 'int' Fixes: 4479/clusterfuzz-testcase-minimized-6529894147162112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 610dd74502a58e8bb0f1d8fcbc7015f86b78d70e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 8bc79b788c..2dd56f83f3 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid int32_t *src = (int32_t *)_src; \ for (y = 0; y < height; y++) { \ for (x = 0; x < width; x+=4) { \ - dst[x ] = av_clip_uintp2(src[x ] + (1 << (PX - 1)), PX); \ - dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX); \ - dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX); \ - dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX); \ + dst[x ] = av_clip_uintp2(src[x ] + (1U << (PX - 1)), PX); \ + dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX); \ + dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX); \ + dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX); \ } \ dst += dst_stride >> 1; \ src += src_stride >> 2; \ From c741095eecee385905ec30e9698350d5dfb0b953 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Dec 2017 10:22:30 +0100 Subject: [PATCH 0082/1764] Update for 3.4.1 Signed-off-by: Michael Niedermayer --- Changelog | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 75 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a8d4c29e90..2c90688610 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,79 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.1: +- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing +- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. +- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. +- avformat/utils: Prevent undefined shift with wrap_bits > 64. +- avcodec/j2kenc: Fix out of array access in encode_cblk() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() +- lavf/mov: fix huge alloc in mov_read_ctts +- avcodec/mlpdsp: Fix signed integer overflow, 2nd try +- avcodec/h264idct_template: Fix integer overflow in ff_h264_idct8_add +- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression +- avformat/aacdec: Fix leak in adts_aac_read_packet() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* +- avcodec/sbrdsp_fixed: Fix integer overflow +- avcodec/mpeg4videodec: Check also for negative versions in the validity check +- Close ogg stream upon error when using AV_EF_EXPLODE. +- Fix undefined shift on assumed 8-bit input. +- Use ff_thread_once for fixed, float table init. +- Fix leak of frame_duration_buffer in mov_fix_index(). +- avformat/mov: Propagate errors in mov_switch_root. +- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() +- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() +- avcodec/zmbv: Check that the buffer is large enough for mvec +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() +- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() +- avcodec/snowdec: Check for remaining bitstream in decode_blocks() +- avcodec/snowdec: Check intra block dc differences. +- avformat/mov: Check size of STSC allocation +- avcodec/vc2enc: Clear coef_buf on allocation +- avcodec/h264dec: Fix potential array overread +- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu +- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() +- avcodec/aacdec_fixed: Fix undefined shift +- avcodec/mdct_*: Fix integer overflow in addition in RESCALE() +- avcodec/snowdec: Fix integer overflow in header parsing +- avcodec/cngdec: Fix integer clipping +- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() +- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() +- avutil/softfloat: Add FLOAT_MIN +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Check for bitstream end in xan_huffman_decode() +- avcodec/exr: fix undefined shift in pxr24_uncompress() +- avformat: Free the internal codec context at the end +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Improve overlapping check +- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() +- avcodec/aacdec_fixed: Fix integer overflow in predict() +- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() +- avcodec/jpeglsdec: Check ilv for being a supported value +- tests/ffserver.regression.ref: update checksums to what ffserver currently produces +- ffserver: Fix off by 1 error in path +- avcodec/proresdec: align dequantization matrix buffers +- avformat/matroskaenc: add missing allocation failure checks for stream durations +- avformat/matroskaenc: actually enforce the stream limit +- configure: Fix dependencies of aac_at decoder. +- Don't manipulate duration when it's AV_NOPTS_VALUE. +- lavfi/af_pan: fix sign handling in channel coefficient parser +- avformat/hlsenc: write fmp4 init header after first AV frame +- avformat/hlsenc: allocate space for terminating null +- avformat/hlsenc: reindent hlsenc code +- avformat/hlsenc: check hls segment mode for ignore the init filename +- avformat/hlsenc: reindent hlsenc code +- avformat/hlsenc: fix missing first segment bug in fmp4 mode +- avformat/hlsenc: fix base_output_dirname is null when basename_size is 0 bug +- ffplay: use SDL2 audio API +- ffplay: only use hardware accelerated SDL texture formats +- ffplay: create the window and the renderer before starting playback +- ffmpeg: always init output stream before reaping filters +- vc2enc_dwt: pad the temporary buffer by the slice size +- lavu/arm: Check for have_vfp_vm instead of !have_vfpv3 for float_dsp_vfp + version 3.4: - deflicker video filter - doubleweave video filter diff --git a/RELEASE b/RELEASE index 2f4b60750d..47b322c971 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4 +3.4.1 diff --git a/doc/Doxyfile b/doc/Doxyfile index 491db00b7e..ca68f1aad6 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4 +PROJECT_NUMBER = 3.4.1 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From d8d1689f929ca05a86300bc6e5d703961a567ae9 Mon Sep 17 00:00:00 2001 From: James Cowgill Date: Thu, 9 Nov 2017 12:21:23 +0000 Subject: [PATCH 0083/1764] avcodec/decode: reset codec on receiving packet after EOF in compat_decode In commit 061a0c14bb57 ("decode: restructure the core decoding code"), the deprecated avcodec_decode_* APIs were reworked so that they called into the new avcodec_send_packet / avcodec_receive_frame API. This had the side effect of prohibiting sending new packets containing data after a drain packet, but in previous versions of FFmpeg this "worked" and some applications relied on it. To restore some compatibility, reset the codec if we receive a new non-drain packet using the old API after draining has completed. While this does not give the same behaviour as the old API did, in the majority of cases it works and it does not require changes to any other part of the decoding code. Fixes ticket #6775 Signed-off-by: James Cowgill Signed-off-by: Marton Balint (cherry picked from commit 02ba4b91b5616ecbebee5c9565e1be7af2a6b980) --- Changelog | 1 + libavcodec/decode.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/Changelog b/Changelog index 2c90688610..c1e74af1af 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.1: +- avcodec/decode: reset codec on receiving packet after EOF in compat_decode - avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() - avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* - avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing diff --git a/libavcodec/decode.c b/libavcodec/decode.c index 1337ffb527..fb1824be1c 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c @@ -753,6 +753,11 @@ static int compat_decode(AVCodecContext *avctx, AVFrame *frame, av_assert0(avci->compat_decode_consumed == 0); + if (avci->draining_done && pkt && pkt->size != 0) { + av_log(avctx, AV_LOG_WARNING, "Got unexpected packet after EOF\n"); + avcodec_flush_buffers(avctx); + } + *got_frame = 0; avci->compat_decode = 1; From c5fd23879ac28122b4ea6adf188f4c82a4f3731e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Dec 2017 10:59:05 +0100 Subject: [PATCH 0084/1764] avformat/utils: Fix warning: ISO C90 forbids mixed declarations and code Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b727f3d3be..93722e34b9 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1735,10 +1735,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; - av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; + av_assert2(wrap_bits <= 64); while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { From 60d250386bb1827dca82db622866a55061b3be2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Dec 2017 15:32:54 +0100 Subject: [PATCH 0085/1764] avcodec/amrwbdec: Fix division by 0 in voice_factor() The added value matches "Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code (3GPP TS 26.304 version 14.0.0 Release 14) Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code" Fixes: runtime error: division by zero Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d0817d56b66797118880358ea7d7a2acfdca429) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 57aed874cc..7f2874d35f 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -611,7 +611,7 @@ static float voice_factor(float *p_vector, float p_gain, AMRWB_SFR_SIZE) * f_gain * f_gain; - return (p_ener - f_ener) / (p_ener + f_ener); + return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** From 1fab842fbb4363e885a5a4df524150ea539ddb59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Dec 2017 22:42:05 +0100 Subject: [PATCH 0086/1764] avcodec/vp9_superframe_split_bsf: Fix integer overflow in frame_size/total_size checks Fixes: signed integer overflow: -1698586465 + -551542752 cannot be represented in type 'int' Fixes: 4490/clusterfuzz-testcase-minimized-5210014592532480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eaff5fcb7cde8d1614755269773d471d3a3d1bfc) Signed-off-by: Michael Niedermayer --- libavcodec/vp9_superframe_split_bsf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c index 6d6d8e664d..0d2523ebf7 100644 --- a/libavcodec/vp9_superframe_split_bsf.c +++ b/libavcodec/vp9_superframe_split_bsf.c @@ -59,7 +59,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out) if (in->size >= idx_size && in->data[in->size - idx_size] == marker) { GetByteContext bc; - int total_size = 0; + int64_t total_size = 0; bytestream2_init(&bc, in->data + in->size + 1 - idx_size, nb_frames * length_size); @@ -70,7 +70,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out) frame_size |= bytestream2_get_byte(&bc) << (j * 8); total_size += frame_size; - if (total_size > in->size - idx_size) { + if (frame_size < 0 || total_size > in->size - idx_size) { av_log(ctx, AV_LOG_ERROR, "Invalid frame size in a superframe: %d\n", frame_size); ret = AVERROR(EINVAL); From bc839fb39dc376d462856863de2933f0b6b0351a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Dec 2017 21:20:05 +0100 Subject: [PATCH 0087/1764] Changelog: Update for the last 3 commits Signed-off-by: Michael Niedermayer --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index c1e74af1af..d9f6b8a87a 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.1: +- avcodec/vp9_superframe_split_bsf: Fix integer overflow in frame_size/total_size checks +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avformat/utils: Fix warning: ISO C90 forbids mixed declarations and code - avcodec/decode: reset codec on receiving packet after EOF in compat_decode - avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() - avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* From 31d6f3df25eea5bece145ad01f8a089a3005ca84 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 25 Dec 2017 19:40:42 -0300 Subject: [PATCH 0088/1764] avcodec/libx264: use the pixfmt descriptor to check for high bit depths The x264_bit_depth constant has been removed in newer x264 builds. Signed-off-by: James Almer (cherry picked from commit 89f704cabab446afc8ba6ecea76714a51b1df32b) --- libavcodec/libx264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index b11ede6198..6764c045e7 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -272,6 +272,7 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, int *got_packet) { X264Context *x4 = ctx->priv_data; + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(ctx->pix_fmt); x264_nal_t *nal; int nnal, i, ret; x264_picture_t pic_out = {0}; @@ -279,7 +280,7 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, x264_picture_init( &x4->pic ); x4->pic.img.i_csp = x4->params.i_csp; - if (x264_bit_depth > 8) + if (desc->comp[0].depth > 8) x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH; x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt); From 650cb712efc47cf4c1f4f419ea220fcedc65f122 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 25 Dec 2017 19:41:09 -0300 Subject: [PATCH 0089/1764] avcodec/libx264: fix compilation with x264 builds >= 153 x264 now supports multibitdepth builds, with a slightly changed API to request bitdepth during initialization. Reviewed-by: Ricardo Constantino Signed-off-by: James Almer (cherry picked from commit 2a111c99a60fdf4fe5eea2b073901630190c6c93) --- libavcodec/libx264.c | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 6764c045e7..59cc0ab4a8 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -740,6 +740,9 @@ FF_ENABLE_DEPRECATION_WARNINGS x4->params.i_width = avctx->width; x4->params.i_height = avctx->height; +#if X264_BUILD >= 153 + x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth; +#endif av_reduce(&sw, &sh, avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 4096); x4->params.vui.i_sar_width = sw; x4->params.vui.i_sar_height = sh; @@ -853,6 +856,24 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; } +static const enum AVPixelFormat pix_fmts[] = { + AV_PIX_FMT_YUV420P, + AV_PIX_FMT_YUVJ420P, + AV_PIX_FMT_YUV422P, + AV_PIX_FMT_YUVJ422P, + AV_PIX_FMT_YUV444P, + AV_PIX_FMT_YUVJ444P, + AV_PIX_FMT_YUV420P10, + AV_PIX_FMT_YUV422P10, + AV_PIX_FMT_YUV444P10, + AV_PIX_FMT_NV12, + AV_PIX_FMT_NV16, + AV_PIX_FMT_NV20, +#ifdef X264_CSP_NV21 + AV_PIX_FMT_NV21, +#endif + AV_PIX_FMT_NONE +}; static const enum AVPixelFormat pix_fmts_8bit[] = { AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUVJ420P, @@ -890,12 +911,14 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { static av_cold void X264_init_static(AVCodec *codec) { - if (x264_bit_depth == 8) + if (X264_BIT_DEPTH == 8) codec->pix_fmts = pix_fmts_8bit; - else if (x264_bit_depth == 9) + else if (X264_BIT_DEPTH == 9) codec->pix_fmts = pix_fmts_9bit; - else if (x264_bit_depth == 10) + else if (X264_BIT_DEPTH == 10) codec->pix_fmts = pix_fmts_10bit; + else /* X264_BIT_DEPTH == 0 */ + codec->pix_fmts = pix_fmts; } #define OFFSET(x) offsetof(X264Context, x) From d8104977bbfaa91743bf983ff620f75f8c7684bc Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 26 Dec 2017 19:40:27 -0300 Subject: [PATCH 0090/1764] avcodec/libx264: set supported pix_fmts at runtime rather than build time This partially reverts a change in behavior introduced in 2a111c99a60fdf4fe5eea2b073901630190c6c93. Signed-off-by: James Almer (cherry picked from commit 7e60c74329353db28db00552028bc88cd2a52346) --- libavcodec/libx264.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index 59cc0ab4a8..6b05846365 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -911,14 +911,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { static av_cold void X264_init_static(AVCodec *codec) { - if (X264_BIT_DEPTH == 8) +#if X264_BUILD < 153 + if (x264_bit_depth == 8) codec->pix_fmts = pix_fmts_8bit; - else if (X264_BIT_DEPTH == 9) + else if (x264_bit_depth == 9) codec->pix_fmts = pix_fmts_9bit; - else if (X264_BIT_DEPTH == 10) + else if (x264_bit_depth == 10) codec->pix_fmts = pix_fmts_10bit; - else /* X264_BIT_DEPTH == 0 */ - codec->pix_fmts = pix_fmts; +#else + codec->pix_fmts = pix_fmts; +#endif } #define OFFSET(x) offsetof(X264Context, x) From 7c3d519df90f36ffb48436861e8b8028199ee0a8 Mon Sep 17 00:00:00 2001 From: Humberto Ribeiro Date: Wed, 3 Jan 2018 15:22:15 -0800 Subject: [PATCH 0091/1764] libavutil/hwcontext_dxva2: Add check for possible errors from GetAdapterDisplayModeEx This prevents a possible crash in CreateDeviceEx when using faulty response from GetAdapterDisplayModeEx and allows ffmpeg to fallback to classic d3d9. Signed-off-by: wm4 (cherry picked from commit 59b126f92225316e0cd77bb952d630553801dc85) --- libavutil/hwcontext_dxva2.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 2ddd4be7b1..44ebdbca95 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -485,7 +485,11 @@ static int dxva2_device_create9ex(AVHWDeviceContext *ctx, UINT adapter) if (FAILED(hr)) return AVERROR_UNKNOWN; - IDirect3D9Ex_GetAdapterDisplayModeEx(d3d9ex, adapter, &modeex, NULL); + hr = IDirect3D9Ex_GetAdapterDisplayModeEx(d3d9ex, adapter, &modeex, NULL); + if (FAILED(hr)) { + IDirect3D9Ex_Release(d3d9ex); + return AVERROR_UNKNOWN; + } d3dpp.BackBufferFormat = modeex.Format; From 4a53ecb12ead1a2e6735ad3365381516e6e2d3f6 Mon Sep 17 00:00:00 2001 From: wm4 Date: Thu, 4 Jan 2018 15:52:46 +0100 Subject: [PATCH 0092/1764] hwcontext_dxva2: initialize D3DDISPLAYMODEEX correctly (cherry picked from commit 18fbfd7bf86effb49c0341b37b9c1d73940d688e) --- libavutil/hwcontext_dxva2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 44ebdbca95..665c2d6d74 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -485,6 +485,7 @@ static int dxva2_device_create9ex(AVHWDeviceContext *ctx, UINT adapter) if (FAILED(hr)) return AVERROR_UNKNOWN; + modeex.Size = sizeof(D3DDISPLAYMODEEX); hr = IDirect3D9Ex_GetAdapterDisplayModeEx(d3d9ex, adapter, &modeex, NULL); if (FAILED(hr)) { IDirect3D9Ex_Release(d3d9ex); From ad85d9af13dbca29e4377a53c957ed97b8442fdd Mon Sep 17 00:00:00 2001 From: Rodger Combs Date: Thu, 25 Jan 2018 20:53:59 -0600 Subject: [PATCH 0093/1764] lavc/aarch64/sbrdsp_neon: fix build on old binutils (cherry picked from commit 77237504757b97c068796a4e9ef81b9653618616) --- libavcodec/aarch64/sbrdsp_neon.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aarch64/sbrdsp_neon.S b/libavcodec/aarch64/sbrdsp_neon.S index d1d79b749c..d23717e760 100644 --- a/libavcodec/aarch64/sbrdsp_neon.S +++ b/libavcodec/aarch64/sbrdsp_neon.S @@ -287,7 +287,7 @@ endfunc zip1 v4.4S, v4.4S, v4.4S fmla v6.4S, v1.4S, v3.4S fmla v2.4S, v5.4S, v4.4S - fcmeq v7.4S, v3.4S, #0.0 + fcmeq v7.4S, v3.4S, #0 bif v2.16B, v6.16B, v7.16B st1 {v2.4S}, [x0], #16 subs x5, x5, #2 From fbb27e2911839aaac7b460112eddfafe55b36d75 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Fri, 26 Jan 2018 20:16:53 +0100 Subject: [PATCH 0094/1764] avcodec/nvenc: refcount input frame mappings If some logic like vsync in ffmpeg.c duplicates frames, it might pass the same frame twice, which will result in a crash due it being effectively mapped and unmapped twice. Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 39 +++++++++++++++++++++++---------------- libavcodec/nvenc.h | 2 +- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index e1d3316de3..661da486f6 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1352,12 +1352,9 @@ av_cold int ff_nvenc_encode_close(AVCodecContext *avctx) av_fifo_freep(&ctx->unused_surface_queue); if (ctx->surfaces && avctx->pix_fmt == AV_PIX_FMT_CUDA) { - for (i = 0; i < ctx->nb_surfaces; ++i) { - if (ctx->surfaces[i].input_surface) { - p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->surfaces[i].in_map.mappedResource); - } - } for (i = 0; i < ctx->nb_registered_frames; i++) { + if (ctx->registered_frames[i].mapped) + p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[i].in_map.mappedResource); if (ctx->registered_frames[i].regptr) p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[i].regptr); } @@ -1572,19 +1569,23 @@ static int nvenc_upload_frame(AVCodecContext *avctx, const AVFrame *frame, if (res < 0) return res; - nvenc_frame->in_map.version = NV_ENC_MAP_INPUT_RESOURCE_VER; - nvenc_frame->in_map.registeredResource = ctx->registered_frames[reg_idx].regptr; - nv_status = p_nvenc->nvEncMapInputResource(ctx->nvencoder, &nvenc_frame->in_map); - if (nv_status != NV_ENC_SUCCESS) { - av_frame_unref(nvenc_frame->in_ref); - return nvenc_print_error(avctx, nv_status, "Error mapping an input resource"); + if (!ctx->registered_frames[reg_idx].mapped) { + ctx->registered_frames[reg_idx].in_map.version = NV_ENC_MAP_INPUT_RESOURCE_VER; + ctx->registered_frames[reg_idx].in_map.registeredResource = ctx->registered_frames[reg_idx].regptr; + nv_status = p_nvenc->nvEncMapInputResource(ctx->nvencoder, &ctx->registered_frames[reg_idx].in_map); + if (nv_status != NV_ENC_SUCCESS) { + av_frame_unref(nvenc_frame->in_ref); + return nvenc_print_error(avctx, nv_status, "Error mapping an input resource"); + } } - ctx->registered_frames[reg_idx].mapped = 1; + ctx->registered_frames[reg_idx].mapped += 1; + nvenc_frame->reg_idx = reg_idx; - nvenc_frame->input_surface = nvenc_frame->in_map.mappedResource; - nvenc_frame->format = nvenc_frame->in_map.mappedBufferFmt; + nvenc_frame->input_surface = ctx->registered_frames[reg_idx].in_map.mappedResource; + nvenc_frame->format = ctx->registered_frames[reg_idx].in_map.mappedBufferFmt; nvenc_frame->pitch = frame->linesize[0]; + return 0; } else { NV_ENC_LOCK_INPUT_BUFFER lockBufferParams = { 0 }; @@ -1734,9 +1735,15 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur if (avctx->pix_fmt == AV_PIX_FMT_CUDA) { - p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, tmpoutsurf->in_map.mappedResource); + ctx->registered_frames[tmpoutsurf->reg_idx].mapped -= 1; + if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped == 0) { + p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); + } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { + res = AVERROR_BUG; + goto error; + } + av_frame_unref(tmpoutsurf->in_ref); - ctx->registered_frames[tmpoutsurf->reg_idx].mapped = 0; tmpoutsurf->input_surface = NULL; } diff --git a/libavcodec/nvenc.h b/libavcodec/nvenc.h index afb93cc22c..d8e23d0ccb 100644 --- a/libavcodec/nvenc.h +++ b/libavcodec/nvenc.h @@ -37,7 +37,6 @@ typedef struct NvencSurface { NV_ENC_INPUT_PTR input_surface; AVFrame *in_ref; - NV_ENC_MAP_INPUT_RESOURCE in_map; int reg_idx; int width; int height; @@ -122,6 +121,7 @@ typedef struct NvencContext CUdeviceptr ptr; NV_ENC_REGISTERED_PTR regptr; int mapped; + NV_ENC_MAP_INPUT_RESOURCE in_map; } registered_frames[MAX_REGISTERED_FRAMES]; int nb_registered_frames; From a7c60c5b7bc51289773a7e64ebeeeccb53943bdb Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 28 Jan 2018 12:39:03 +0100 Subject: [PATCH 0095/1764] avcodec/nvenc: unregister input resource when unmapping Currently the resource is only ever unregistered when the registered_frames array is fully in use and an unmapped entry is re-used and cleaned up. I'm pretty sure the frame will have been cleaned up before that happens, so I'm kinda surprised this never blew up. Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 661da486f6..ed36b582f8 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1738,6 +1738,8 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur ctx->registered_frames[tmpoutsurf->reg_idx].mapped -= 1; if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped == 0) { p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); + p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].regptr); + ctx->registered_frames[tmpoutsurf->reg_idx].regptr = NULL; } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { res = AVERROR_BUG; goto error; From d36714f727026ffcdf84c21c5498ceaef862ee75 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 28 Jan 2018 12:51:20 +0100 Subject: [PATCH 0096/1764] avcodec/nvenc: add some more error case checks Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index ed36b582f8..43d2549fb5 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1482,6 +1482,7 @@ static int nvenc_find_free_reg_resource(AVCodecContext *avctx) NvencContext *ctx = avctx->priv_data; NvencDynLoadFunctions *dl_fn = &ctx->nvenc_dload_funcs; NV_ENCODE_API_FUNCTION_LIST *p_nvenc = &dl_fn->nvenc_funcs; + NVENCSTATUS nv_status; int i; @@ -1489,8 +1490,9 @@ static int nvenc_find_free_reg_resource(AVCodecContext *avctx) for (i = 0; i < ctx->nb_registered_frames; i++) { if (!ctx->registered_frames[i].mapped) { if (ctx->registered_frames[i].regptr) { - p_nvenc->nvEncUnregisterResource(ctx->nvencoder, - ctx->registered_frames[i].regptr); + nv_status = p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[i].regptr); + if (nv_status != NV_ENC_SUCCESS) + return nvenc_print_error(avctx, nv_status, "Failed unregistering unused input resource"); ctx->registered_frames[i].regptr = NULL; } return i; @@ -1730,15 +1732,25 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur memcpy(pkt->data, lock_params.bitstreamBufferPtr, lock_params.bitstreamSizeInBytes); nv_status = p_nvenc->nvEncUnlockBitstream(ctx->nvencoder, tmpoutsurf->output_surface); - if (nv_status != NV_ENC_SUCCESS) - nvenc_print_error(avctx, nv_status, "Failed unlocking bitstream buffer, expect the gates of mordor to open"); + if (nv_status != NV_ENC_SUCCESS) { + res = nvenc_print_error(avctx, nv_status, "Failed unlocking bitstream buffer, expect the gates of mordor to open"); + goto error; + } if (avctx->pix_fmt == AV_PIX_FMT_CUDA) { ctx->registered_frames[tmpoutsurf->reg_idx].mapped -= 1; if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped == 0) { - p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); - p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].regptr); + nv_status = p_nvenc->nvEncUnmapInputResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].in_map.mappedResource); + if (nv_status != NV_ENC_SUCCESS) { + res = nvenc_print_error(avctx, nv_status, "Failed unmapping input resource"); + goto error; + } + nv_status = p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[tmpoutsurf->reg_idx].regptr); + if (nv_status != NV_ENC_SUCCESS) { + res = nvenc_print_error(avctx, nv_status, "Failed unregistering input resource"); + goto error; + } ctx->registered_frames[tmpoutsurf->reg_idx].regptr = NULL; } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { res = AVERROR_BUG; From 93c8720b914e7027d0e6401e6f64a9a4ce531d0c Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sun, 28 Jan 2018 13:05:09 +0100 Subject: [PATCH 0097/1764] avcodec/nvenc: also clear data pointer after unregistering a resource Signed-off-by: Timo Rothenpieler --- libavcodec/nvenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index 43d2549fb5..d36fa2951b 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1493,6 +1493,7 @@ static int nvenc_find_free_reg_resource(AVCodecContext *avctx) nv_status = p_nvenc->nvEncUnregisterResource(ctx->nvencoder, ctx->registered_frames[i].regptr); if (nv_status != NV_ENC_SUCCESS) return nvenc_print_error(avctx, nv_status, "Failed unregistering unused input resource"); + ctx->registered_frames[i].ptr = 0; ctx->registered_frames[i].regptr = NULL; } return i; @@ -1751,6 +1752,7 @@ static int process_output_surface(AVCodecContext *avctx, AVPacket *pkt, NvencSur res = nvenc_print_error(avctx, nv_status, "Failed unregistering input resource"); goto error; } + ctx->registered_frames[tmpoutsurf->reg_idx].ptr = 0; ctx->registered_frames[tmpoutsurf->reg_idx].regptr = NULL; } else if (ctx->registered_frames[tmpoutsurf->reg_idx].mapped < 0) { res = AVERROR_BUG; From 9aa0ed850b77fe46d5b766329f45deb9150cea10 Mon Sep 17 00:00:00 2001 From: Jun Zhao Date: Mon, 4 Dec 2017 12:50:34 +0800 Subject: [PATCH 0098/1764] avfilter/formats: fix wrong function name in error message Use perdefined micro __FUNCTION__ rather than hard coding function name to fix wrong function name in error message. Signed-off-by: Jun Zhao Signed-off-by: Michael Niedermayer (cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d) Signed-off-by: Michael Niedermayer --- libavfilter/formats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index d4de862237..20a2c89719 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -72,7 +72,7 @@ do { for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ - av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ + av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ From a3832486e4f152d9f9660ecf812ee45b03d784f1 Mon Sep 17 00:00:00 2001 From: Kelly Ledford Date: Tue, 12 Dec 2017 11:31:23 -0800 Subject: [PATCH 0099/1764] libavfilter/af_dcshift.c: Fixed repeated spelling error 'threshhold' should be 'threshold' Signed-off-by: Kelly Ledford Signed-off-by: Michael Niedermayer (cherry picked from commit bc219082bb04b9a4725bfe7e78ce0950244e6e84) Signed-off-by: Michael Niedermayer --- libavfilter/af_dcshift.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavfilter/af_dcshift.c b/libavfilter/af_dcshift.c index 6d33daee0b..e007efe05e 100644 --- a/libavfilter/af_dcshift.c +++ b/libavfilter/af_dcshift.c @@ -28,7 +28,7 @@ typedef struct DCShiftContext { const AVClass *class; double dcshift; - double limiterthreshhold; + double limiterthreshold; double limitergain; } DCShiftContext; @@ -47,7 +47,7 @@ static av_cold int init(AVFilterContext *ctx) { DCShiftContext *s = ctx->priv; - s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); + s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); return 0; } @@ -111,14 +111,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) d = src[j]; - if (d > s->limiterthreshhold && dcshift > 0) { - d = (d - s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) + - s->limiterthreshhold + dcshift; - } else if (d < -s->limiterthreshhold && dcshift < 0) { - d = (d + s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) - - s->limiterthreshhold + dcshift; + if (d > s->limiterthreshold && dcshift > 0) { + d = (d - s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) + + s->limiterthreshold + dcshift; + } else if (d < -s->limiterthreshold && dcshift < 0) { + d = (d + s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) - + s->limiterthreshold + dcshift; } else { d = dcshift * INT32_MAX + d; } From 0f0a2ff5a09d0372d9864c070859849654589ad0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Dec 2017 02:02:55 +0100 Subject: [PATCH 0100/1764] avcodec/vp9: mark frame as finished on decode_tiles() failure Fixes deadlock with framethreads Fixes: Netflix_Aerial_1080p_60fps_8bit_420.y4m.vp9.noaltref.webm.ivf.s69372_r01-05_b6-.ivf Fixes: Netflix_Aerial_1080p_60fps_10bit_420.y4m.vp9.noaltref.webm.ivf.s149104_r01-05_b6-.ivf Fixes: ducks_take_off_444_720p50.y4m.vp9.webm.ivf.s107375_r01-05_b6-.ivf Reported-by: James Zern Reviewed-by: James Zern Signed-off-by: Michael Niedermayer (cherry picked from commit 5e03eea673a9da2253ed15152e46b1422b35d145) Signed-off-by: Michael Niedermayer --- libavcodec/vp9.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 6b5de19266..f2cf194243 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -1634,8 +1634,10 @@ FF_ENABLE_DEPRECATION_WARNINGS #endif { ret = decode_tiles(avctx, data, size); - if (ret < 0) + if (ret < 0) { + ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return ret; + } } // Sum all counts fields into td[0].counts for tile threading From d6a13f031ced11ef291768a76c90d76e1b586526 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 25 Nov 2017 22:21:16 +0100 Subject: [PATCH 0101/1764] avcodec/h264_parse: Treat escaped and unescaped decoding error equal in decode_extradata_ps_mp4() Fixes: lorex.mp4 Fixes: ticket6762 Signed-off-by: Michael Niedermayer (cherry picked from commit 4bb7d72bcfb56ae4fe56055927cf53cf484f5df4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index a7c71d9bbb..fee28d90d9 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -425,10 +425,9 @@ static int decode_extradata_ps_mp4(const uint8_t *buf, int buf_size, H264ParamSe escaped_buf_size = bytestream2_tell_p(&pbc); AV_WB16(escaped_buf, escaped_buf_size - 2); - ret = decode_extradata_ps(escaped_buf, escaped_buf_size, ps, 1, logctx); + (void)decode_extradata_ps(escaped_buf, escaped_buf_size, ps, 1, logctx); + // lorex.mp4 decodes ok even with extradata decoding failing av_freep(&escaped_buf); - if (ret < 0) - return ret; } return 0; From d147e2d55d2947742ec1d42a8b107f7131fdc383 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 13:06:30 +0100 Subject: [PATCH 0102/1764] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() Fixes: runtime error: left shift of negative value -3 Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 0623cfad89..4017af8eb0 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1051,7 +1051,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; From 2e426fae43f3a543649a6b9bf3ed6c0ae6892ce5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 17:50:12 +0100 Subject: [PATCH 0103/1764] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index d0f9966a29..4fae797251 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -324,11 +324,15 @@ static int decode_nal_sei_message(GetBitContext *gb, HEVCSEIContext *s, av_log(logctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } From 43c03866b23ab49ccdce014a55b601a25e5094cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Dec 2017 21:05:40 +0100 Subject: [PATCH 0104/1764] tests/audiomatch: Add missing return code at the end of main() Signed-off-by: Michael Niedermayer (cherry picked from commit 65da5c56e661a839e017db4c51c73d6f3d8a8fcb) Signed-off-by: Michael Niedermayer --- tests/audiomatch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/audiomatch.c b/tests/audiomatch.c index ca56df09b3..9671789a37 100644 --- a/tests/audiomatch.c +++ b/tests/audiomatch.c @@ -107,4 +107,6 @@ int main(int argc, char **argv){ } } printf("presig: %d postsig:%d c:%7.4f lenerr:%d\n", bestpos, datlen - siglen - bestpos, bestc / sigamp, datlen - siglen); + + return 0; } From 0288d15cdded73991b72c1407e98654a295a09ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 18:17:13 +0100 Subject: [PATCH 0105/1764] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented in type 'int' Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 853fd3f722..5b5da1165a 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -646,8 +646,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return AVERROR_INVALIDDATA; + } while (k--) suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k; From e55a6c5f055ccae4e64fe3bee96f53be9c15c708 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:06:14 +0100 Subject: [PATCH 0106/1764] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be represented in type 'int' Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 50c8b1e394..f9828d95a4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) + (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) + (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) From 0e7d8ce37c2fd543bde32914ddb7ce54fc2f9220 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2017 03:12:03 +0100 Subject: [PATCH 0107/1764] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) Fixes: runtime error: left shift of negative value -180 Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 4017af8eb0..903aa3fe95 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -121,7 +121,7 @@ static void FUNC(dequant)(int16_t *coeffs, int16_t log2_size) } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { - *coeffs = *coeffs << -shift; + *coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } From fb9560b366da69bd54011455c0c35303669e7ce6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:43 +0100 Subject: [PATCH 0108/1764] avcodec/flacdec: avoid undefined shift Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 581c73efc8..5bbb8ee5b9 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -456,7 +456,7 @@ static inline int decode_subframe(FLACContext *s, int channel) return AVERROR_INVALIDDATA; } - if (wasted) { + if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) decoded[i] = (unsigned)decoded[i] << wasted; From 7e402c31efd8fc332175121b2d901eb16ed5614a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:45 +0100 Subject: [PATCH 0109/1764] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() Fixes: left shift of negative value -1 Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 903aa3fe95..56cd9e605d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -915,7 +915,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -970,7 +970,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; From 91f5a2b7b88aaba20800c5363aef49b14811b4c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Dec 2017 23:24:44 +0100 Subject: [PATCH 0110/1764] avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() Fixes: signed integer overflow: 2 * 1629495328 cannot be represented in type 'int' Fixes: 4716/clusterfuzz-testcase-minimized-5835915940331520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d23f7a0969bf76ad6dcdc2c4a5cd3ae884745a8) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 5bbb8ee5b9..3d41a1af7f 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -298,7 +298,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, if (pred_order > 2) c = b - decoded[pred_order-2] + decoded[pred_order-3]; if (pred_order > 3) - d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4]; + d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4]; switch (pred_order) { case 0: From 6abe1e06f5922a350a4f4f975bdf8809d5553203 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Dec 2017 03:00:19 +0100 Subject: [PATCH 0111/1764] avcodec/exr: Check buf_size more completely Fixes: Out of heap array read Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b1ecde4ebd..454dc74cfb 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1051,7 +1051,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); if (s->is_tile) { - if (line_offset > buf_size - 20) + if (buf_size < 20 || line_offset > buf_size - 20) return AVERROR_INVALIDDATA; src = buf + line_offset + 20; @@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, tile_level_y = AV_RL32(src - 8); data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 20) return AVERROR_INVALIDDATA; if (tile_level_x || tile_level_y) { /* tile level, is not the full res level */ @@ -1095,7 +1095,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { - if (line_offset > buf_size - 8) + if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; @@ -1105,7 +1105,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ From b1af55778b007c798d997735b607798b41149f00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jan 2018 23:42:00 +0100 Subject: [PATCH 0112/1764] avcodec/dnxhddec: Check dc vlc Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 'int' Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2be76c0a472b729756ed7a91225c209d0dd1d2e) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index f46e41a456..1f93f9dfc2 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -381,6 +381,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, UPDATE_CACHE(bs, &row->gb); GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1); + if (len < 0) { + ret = len; + goto error; + } if (len) { level = GET_CACHE(bs, &row->gb); LAST_SKIP_BITS(bs, &row->gb, len); @@ -434,7 +438,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table, DNXHD_VLC_BITS, 2); } - +error: CLOSE_READER(bs, &row->gb); return ret; } From 62024c127798452f49b56c6dbeac81f7d19b6cbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jan 2018 23:42:01 +0100 Subject: [PATCH 0113/1764] avcodec/h264_slice: Do not attempt to render into frames already output Fixes: null pointer dereference Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112 This testcase does not reproduce the issue before 03b82b3ab9883cef017e513c7d0b3b986b3b3e7b Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 476665d4de989dba48ec1195215ccc8db54538f4) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 2577edd8a6..cf1b22fc32 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1577,6 +1577,12 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, * one except for reference purposes. */ h->first_field = 1; h->cur_pic_ptr = NULL; + } else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) { + /* This frame was already output, we cannot draw into it + * anymore. + */ + h->first_field = 1; + h->cur_pic_ptr = NULL; } else { /* Second field in complementary pair */ h->first_field = 0; From 5365904e964209d7d50af085abc16f40b3bf6010 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 04:12:57 +0100 Subject: [PATCH 0114/1764] avcodec/jpeg2000dsp: Fix integer overflows in ict_int() Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 'int' Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3192c64b5bdcb0474cda437d2d5f9421d68811e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index 85a12d0e9b..90e73b1e20 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { - i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); + i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16); i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); + - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16); i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; From a3add1924095150fa33a22e3ca58f7263253414f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jan 2018 22:12:07 +0100 Subject: [PATCH 0115/1764] avcodec/opus_parser: Check payload_len in parse_opus_ts_header() Fixes: clusterfuzz-testcase-minimized-6134545979277312 Fixes: crbug 797469 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1bcd7fefcb3c1ec47978fdc64a9e8dfb9512ae62) Signed-off-by: Michael Niedermayer --- libavcodec/opus_parser.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c index 893573eb82..28b0933900 100644 --- a/libavcodec/opus_parser.c +++ b/libavcodec/opus_parser.c @@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le const uint8_t *buf = start + 1; int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length; uint8_t flags; + uint64_t payload_len_tmp; GetByteContext gb; bytestream2_init(&gb, buf, buf_len); @@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le end_trim_flag = (flags >> 3) & 1; control_extension_flag = (flags >> 2) & 1; - *payload_len = 0; + payload_len_tmp = *payload_len = 0; while (bytestream2_peek_byte(&gb) == 0xff) - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); if (start_trim_flag) bytestream2_skip(&gb, 2); @@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le bytestream2_skip(&gb, control_extension_length); } + if (bytestream2_tell(&gb) + payload_len_tmp > buf_len) + return NULL; + + *payload_len = payload_len_tmp; + return buf + bytestream2_tell(&gb); } @@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx, state = (state << 8) | payload[i]; if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) { payload = parse_opus_ts_header(payload, &payload_len, buf_size - i); + if (!payload) { + av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n"); + return AVERROR_INVALIDDATA; + } *header_len = payload - buf; start_found = 1; break; From 097bc4d32d59f8aed42e6d9923f65593f1138f81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 20:43:24 +0100 Subject: [PATCH 0116/1764] avcodec/diracdec: Fix integer overflow with quant Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 'int' Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eaa93175895568ef6c2542b13104874907d9c4ef) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 0abb8b0599..7be7f33145 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -508,16 +508,16 @@ static inline void codeblock(DiracContext *s, SubBand *b, } if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) { - int quant = b->quant; + int quant; if (is_arith) - quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); + quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); else - quant += dirac_get_se_golomb(gb); - if (quant < 0) { + quant = dirac_get_se_golomb(gb); + if (quant > INT_MAX - b->quant || b->quant + quant < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n"); return; } - b->quant = quant; + b->quant += quant; } if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) { From 8263246ba8f627d8cfeefb3a83d062989e507e77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 20:58:49 +0100 Subject: [PATCH 0117/1764] avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800 Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e62a2373475f58c72c0faf5568be00b26909585) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9828d95a4..1af41e0702 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -105,10 +105,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ - (b0 - ((b1 + 1) >> 1)) + ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) #define COMPOSE_HAARiH0(b0, b1)\ - (b0 + b1) + ((int)(b0 + (unsigned)(b1))) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) From 4715ef27a068df8c7c3d3b2e40ba1617dbafd5b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jan 2018 03:48:43 +0100 Subject: [PATCH 0118/1764] avcodec/h264addpx_template: Fixes integer overflows Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int' Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6945aeee419a8417b8019c7c92227e12e45b7ad) Signed-off-by: Michael Niedermayer --- libavcodec/h264addpx_template.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c index b71aaea439..9a1e6a2f2f 100644 --- a/libavcodec/h264addpx_template.c +++ b/libavcodec/h264addpx_template.c @@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 4; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; dst += stride; src += 4; @@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 8; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; - dst[4] += src[4]; - dst[5] += src[5]; - dst[6] += src[6]; - dst[7] += src[7]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; + dst[4] += (unsigned)src[4]; + dst[5] += (unsigned)src[5]; + dst[6] += (unsigned)src[6]; + dst[7] += (unsigned)src[7]; dst += stride; src += 8; From ece78799924977c8298078d9df6c5fcd59503268 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jan 2018 22:47:10 +0100 Subject: [PATCH 0119/1764] avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one Fixes high pitched shriek Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4 Reported-by: Dale Curtis Reviewed-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7dbbb75ee32f87108ca9e15f5551dbbe69fe2641) Signed-off-by: Michael Niedermayer --- libavcodec/arm/sbrdsp_neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/arm/sbrdsp_neon.S b/libavcodec/arm/sbrdsp_neon.S index e66abd682a..003b04ea05 100644 --- a/libavcodec/arm/sbrdsp_neon.S +++ b/libavcodec/arm/sbrdsp_neon.S @@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1 vld1.32 {d0}, [r0,:64] vld1.32 {d6}, [lr,:64] vld1.32 {d2[]}, [r1,:32]! - vld1.32 {d3[]}, [r2,:32]! + vld1.32 {d18[]}, [r2,:32]! vceq.f32 d4, d2, #0 veor d2, d2, d3 vmov d1, d0 - vmla.f32 d0, d6, d3 + vmla.f32 d0, d6, d18 vadd.f32 s2, s2, s4 vbif d0, d1, d4 vst1.32 {d0}, [r0,:64]! From 04949cc08ecea6eaf6615285f19c09517ae38d42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2017 01:53:58 +0200 Subject: [PATCH 0120/1764] avcodec/utils: Avoid hardcoding duplicated types in sizeof() Signed-off-by: Michael Niedermayer (cherry picked from commit 860d991fcd715233b5b9eb1f6c7bf0aadefb6061) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9551f312e7..0c47e761f6 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -655,7 +655,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (ret < 0) return ret; - avctx->internal = av_mallocz(sizeof(AVCodecInternal)); + avctx->internal = av_mallocz(sizeof(*avctx->internal)); if (!avctx->internal) { ret = AVERROR(ENOMEM); goto end; @@ -1157,7 +1157,7 @@ void avsubtitle_free(AVSubtitle *sub) av_freep(&sub->rects); - memset(sub, 0, sizeof(AVSubtitle)); + memset(sub, 0, sizeof(*sub)); } av_cold int avcodec_close(AVCodecContext *avctx) From 092febb2add69463e84bc2409cb9c5c4081989b6 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 1 Jan 2018 18:05:55 +0100 Subject: [PATCH 0121/1764] configure: bump year Happy new year! (cherry picked from commit bddf31ba7570325dd2c8d033eae3d0dd74127f96) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 1797c5dd4f..231c6c371c 100755 --- a/configure +++ b/configure @@ -7000,7 +7000,7 @@ cat > $TMPH < Date: Tue, 16 Jan 2018 22:44:02 +0800 Subject: [PATCH 0122/1764] lavfi/deinterlace_vaapi: fix can't show full option information. use ffmpeg -h filter=deinterlace_vaapi can't get full help information, the root cause is not setting the flags fileld in options. Signed-off-by: Jun Zhao Signed-off-by: Michael Niedermayer (cherry picked from commit 383804edd812410219a097e2bf3efac8a8b4562a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_deinterlace_vaapi.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavfilter/vf_deinterlace_vaapi.c b/libavfilter/vf_deinterlace_vaapi.c index 44c5ae7642..a38da5d57b 100644 --- a/libavfilter/vf_deinterlace_vaapi.c +++ b/libavfilter/vf_deinterlace_vaapi.c @@ -615,22 +615,22 @@ static const AVOption deint_vaapi_options[] = { OFFSET(mode), AV_OPT_TYPE_INT, { .i64 = VAProcDeinterlacingNone }, VAProcDeinterlacingNone, VAProcDeinterlacingCount - 1, FLAGS, "mode" }, { "default", "Use the highest-numbered (and therefore possibly most advanced) deinterlacing algorithm", - 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingNone }, .unit = "mode" }, + 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingNone }, 0, 0, FLAGS, "mode" }, { "bob", "Use the bob deinterlacing algorithm", - 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingBob }, .unit = "mode" }, + 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingBob }, 0, 0, FLAGS, "mode" }, { "weave", "Use the weave deinterlacing algorithm", - 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingWeave }, .unit = "mode" }, + 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingWeave }, 0, 0, FLAGS, "mode" }, { "motion_adaptive", "Use the motion adaptive deinterlacing algorithm", - 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionAdaptive }, .unit = "mode" }, + 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionAdaptive }, 0, 0, FLAGS, "mode" }, { "motion_compensated", "Use the motion compensated deinterlacing algorithm", - 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionCompensated }, .unit = "mode" }, + 0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionCompensated }, 0, 0, FLAGS, "mode" }, { "rate", "Generate output at frame rate or field rate", OFFSET(field_rate), AV_OPT_TYPE_INT, { .i64 = 1 }, 1, 2, FLAGS, "rate" }, { "frame", "Output at frame rate (one frame of output for each field-pair)", - 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, .unit = "rate" }, + 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, 0, 0, FLAGS, "rate" }, { "field", "Output at field rate (one frame of output for each field)", - 0, AV_OPT_TYPE_CONST, { .i64 = 2 }, .unit = "rate" }, + 0, AV_OPT_TYPE_CONST, { .i64 = 2 }, 0, 0, FLAGS, "rate" }, { "auto", "Only deinterlace fields, passing frames through unchanged", OFFSET(auto_enable), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, FLAGS }, From facd0521e44063f8d8b57b11a4803ae82c0c123b Mon Sep 17 00:00:00 2001 From: Nikolas Bowe Date: Thu, 18 Jan 2018 15:21:56 -0800 Subject: [PATCH 0123/1764] avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() Signed-off-by: Michael Niedermayer (cherry picked from commit e07649e618caedc07eaf2f4d09253de7f77d14f0) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 94a56ebfa7..e6631097b8 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2089,8 +2089,16 @@ static int matroska_parse_tracks(AVFormatContext *s) } if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { - if (!track->default_duration && track->video.frame_rate > 0) - track->default_duration = 1000000000 / track->video.frame_rate; + if (!track->default_duration && track->video.frame_rate > 0) { + double default_duration = 1000000000 / track->video.frame_rate; + if (default_duration > UINT64_MAX || default_duration < 0) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid frame rate %e. Cannot calculate default duration.\n", + track->video.frame_rate); + } else { + track->default_duration = default_duration; + } + } if (track->video.display_width == -1) track->video.display_width = track->video.pixel_width; if (track->video.display_height == -1) From e755482d367a256f03758a1bb6358f1c7bd68edc Mon Sep 17 00:00:00 2001 From: Nikolas Bowe Date: Fri, 19 Jan 2018 13:17:07 -0800 Subject: [PATCH 0124/1764] avformat/lrcdec: Fix memory leak in lrc_read_header() Signed-off-by: Michael Niedermayer (cherry picked from commit ef5994e09d07ace62a672fcdc84761231288edad) Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 12f74b22a0..f4e9a4efa9 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -212,6 +212,7 @@ static int lrc_read_header(AVFormatContext *s) } ff_subtitles_queue_finalize(s, &lrc->q); ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv); + av_bprint_finalize(&line, NULL); return 0; } From 56b0179b6a030f1d3b0bcad101d05d01583aad38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jan 2018 00:39:39 +0100 Subject: [PATCH 0125/1764] avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int' Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f38c75893c852cf19dcf3e4553549ba1e70950) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 9a6d7a08b1..bd66175d50 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -64,8 +64,8 @@ static void scale_coefs ( int dynrng, int len) { - int i, shift, round; - unsigned mul; + int i, shift; + unsigned mul, round; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; From f56215d3ff63c5b8d4de890901df6778fd897757 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jan 2018 00:39:40 +0100 Subject: [PATCH 0126/1764] avcodec/jpeg2000: Check sum of sizes of band->prec before allocating Fixes: OOM Fixes: 4810/clusterfuzz-testcase-minimized-6034253235093504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6887e412434776eb260ad3904f565be491dd5726) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index afeb9df27c..026b2db56f 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -543,6 +543,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, if (!reslevel->band) return AVERROR(ENOMEM); + if (reslevel->num_precincts_x * (uint64_t)reslevel->num_precincts_y * reslevel->nbands > avctx->max_pixels / sizeof(*reslevel->band->prec)) + return AVERROR(ENOMEM); + for (bandno = 0; bandno < reslevel->nbands; bandno++, gbandno++) { ret = init_band(avctx, reslevel, comp, codsty, qntsty, From bae4d39437fea9a7bd3bb30d161f0a23dc862c55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jan 2018 00:39:41 +0100 Subject: [PATCH 0127/1764] avcodec/wavpack: Fix integer overflows in wv_unpack_stereo / mono Fixes: runtime error: signed integer overflow: 2146276249 + 1487583 cannot be represented in type 'int' Fixes: 4823/clusterfuzz-testcase-minimized-4551896611160064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 83e34ae3c2b36e7b20169a8866e3f49294db1f5a) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index a117e8aa81..d5e1e07b74 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -433,8 +433,8 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, L2 = L + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); R2 = R + ((s->decorr[i].weightB * (int64_t)B + 512) >> 10); } else { - L2 = L + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); - R2 = R + ((int)(s->decorr[i].weightB * (unsigned)B + 512) >> 10); + L2 = L + (unsigned)((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); + R2 = R + (unsigned)((int)(s->decorr[i].weightB * (unsigned)B + 512) >> 10); } if (A && L) s->decorr[i].weightA -= ((((L ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; @@ -446,7 +446,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) L2 = L + ((s->decorr[i].weightA * (int64_t)s->decorr[i].samplesA[0] + 512) >> 10); else - L2 = L + ((int)(s->decorr[i].weightA * (unsigned)s->decorr[i].samplesA[0] + 512) >> 10); + L2 = L + (unsigned)((int)(s->decorr[i].weightA * (unsigned)s->decorr[i].samplesA[0] + 512) >> 10); UPDATE_WEIGHT_CLIP(s->decorr[i].weightA, s->decorr[i].delta, s->decorr[i].samplesA[0], L); L = L2; if (type != AV_SAMPLE_FMT_S16P) @@ -460,7 +460,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) R2 = R + ((s->decorr[i].weightB * (int64_t)s->decorr[i].samplesB[0] + 512) >> 10); else - R2 = R + ((int)(s->decorr[i].weightB * (unsigned)s->decorr[i].samplesB[0] + 512) >> 10); + R2 = R + (unsigned)((int)(s->decorr[i].weightB * (unsigned)s->decorr[i].samplesB[0] + 512) >> 10); UPDATE_WEIGHT_CLIP(s->decorr[i].weightB, s->decorr[i].delta, s->decorr[i].samplesB[0], R); R = R2; @@ -472,7 +472,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) L2 = L + ((s->decorr[i].weightA * (int64_t)R2 + 512) >> 10); else - L2 = L + ((int)(s->decorr[i].weightA * (unsigned)R2 + 512) >> 10); + L2 = L + (unsigned)((int)(s->decorr[i].weightA * (unsigned)R2 + 512) >> 10); UPDATE_WEIGHT_CLIP(s->decorr[i].weightA, s->decorr[i].delta, R2, L); L = L2; s->decorr[i].samplesB[0] = L; @@ -554,7 +554,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); + S = T + (unsigned)((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; From 540f4467c8258b29c52be4dc0506a83ac29888bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 19:03:48 +0100 Subject: [PATCH 0128/1764] avcodec/ulti: Check number of blocks at init Fixes: Timeout Fixes: 4832/clusterfuzz-testcase-4699096590843904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 725353525e73bbe5b6b4d01528252675f2417a02) Signed-off-by: Michael Niedermayer --- libavcodec/ulti.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c index e6f4374981..9e4c088b10 100644 --- a/libavcodec/ulti.c +++ b/libavcodec/ulti.c @@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx) s->width = avctx->width; s->height = avctx->height; s->blocks = (s->width / 8) * (s->height / 8); + if (s->blocks == 0) + return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_YUV410P; s->ulti_codebook = ulti_codebook; From aed915b8a62cd7be2a8eb5261cc29df824f8d874 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 03:03:36 +0100 Subject: [PATCH 0129/1764] avcodec/snowdec: Fix integer overflow before htaps check Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2eecf3cf8eeae67697934df326e98df2149881e5) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index a9bdb8da5e..0146a2a4c9 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -363,9 +363,10 @@ static int decode_header(SnowContext *s){ int htaps, i, sum=0; Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); - htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps >= HTAPS_MAX || htaps==0) + htaps= get_symbol(&s->c, s->header_state, 0); + if((unsigned)htaps >= HTAPS_MAX/2 - 1) return AVERROR_INVALIDDATA; + htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); From 6ed5e44998ed59d8525661c8d6443e371b13c62d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Jan 2018 04:10:50 +0100 Subject: [PATCH 0130/1764] avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented in type 'int' Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56a53340ed4cc55898e49c07081311ebb2816630) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f077f0e4bd..97c38f7f08 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -441,8 +441,8 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* recalculate last and delta values for next blocks */ #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\ - CD[0] = CHR[1] - last[1];\ - CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\ + CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\ + CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\ last[0] = (int)CHR[stride + 0];\ last[1] = (int)CHR[stride + 1];} From edf200e2bc9a98de57782fe0b611a4666e2d66d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 23:42:57 +0100 Subject: [PATCH 0131/1764] avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down Signed-off-by: Michael Niedermayer (cherry picked from commit 94d4237a7a294ce80e1e577b38e9c93e8882aff9) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 5b5da1165a..743168500c 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -990,16 +990,19 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) { - av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); - return 0; - } + if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix; } else { int prefix_minus3 = prefix - 3; + + if (prefix == CABAC_MAX_BIN) { + av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } + for (i = 0; i < prefix_minus3 + rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1) From c1b74d608c6e0c0a9fcd3ae6c4a21e96026ac905 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jan 2018 14:02:59 +0100 Subject: [PATCH 0132/1764] avcodec/dxtory: Fix bits left checks Fixes: Timeout Fixes: 4863/clusterfuzz-testcase-6347354178322432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 6f8652ad49..e736cec8db 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -326,7 +326,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { b = decode_sym_565(gb, lru[0], 5); g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5); @@ -392,7 +392,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { dst[x * 3 + 0] = decode_sym(gb, lru[0]); dst[x * 3 + 1] = decode_sym(gb, lru[1]); @@ -437,7 +437,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + (ustride >> 2) * line; uint8_t *V = frame->data[2] + (vstride >> 2) * line; - for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) { + for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) { for (x = 0; x < width; x += 4) { for (j = 0; j < 4; j++) for (i = 0; i < 4; i++) @@ -481,7 +481,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, uint8_t *V = frame->data[2] + (vstride >> 1) * line; - for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) { + for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) { for (x = 0; x < width; x += 2) { Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]); Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]); @@ -524,7 +524,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + ustride * line; uint8_t *V = frame->data[2] + vstride * line; - for (y = 0; y < left && get_bits_left(gb) > 16; y++) { + for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { Y[x] = decode_sym(gb, lru[0]); U[x] = decode_sym(gb, lru[1]) ^ 0x80; From 2fdb27b5123d9a74d819ea8b019be878df5942ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 03:28:49 +0100 Subject: [PATCH 0133/1764] avcodec/mjpegdec: Fix integer overflow in DC dequantization Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be represented in type 'int' Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1bfc1aa004950c5ad527d823a08b8a19eef34eb0) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5b2409755c..3455126cac 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -715,7 +715,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, av_log(s->avctx, AV_LOG_ERROR, "error dc\n"); return AVERROR_INVALIDDATA; } - val = val * quant_matrix[0] + s->last_dc[component]; + val = val * (unsigned)quant_matrix[0] + s->last_dc[component]; val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; From 11498c22a0db9ed08027405e5d6a4ba7c1e41418 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jan 2018 23:46:44 +0100 Subject: [PATCH 0134/1764] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() I suspect that this can be limited tighter, but i failed to find anything in the spec that would confirm that. Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584 Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a026a3efaeb9c2026668dccbbda339a21ab3206b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 743168500c..faa36d5459 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } From 2980b95fafb39148cfade120eab5c75b46bfffc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 19:38:05 +0100 Subject: [PATCH 0135/1764] avfilter/vf_transpose: Fix used plane count. Fixes out of array access Fixes: poc.mp4 Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit c6939f65a116b1ffed345d29d8621ee4ffb32235) (cherry picked from commit 3f621455d62e46745453568d915badd5b1e5bcd5) Signed-off-by: Michael Niedermayer --- libavfilter/vf_transpose.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 982fb0c8ca..3ff4cb4249 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -27,6 +27,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -54,6 +55,7 @@ enum TransposeDir { typedef struct TransContext { const AVClass *class; int hsub, vsub; + int planes; int pixsteps[4]; int passthrough; ///< PassthroughType, landscape passthrough mode enabled @@ -215,6 +217,10 @@ static int config_props_output(AVFilterLink *outlink) s->hsub = desc_in->log2_chroma_w; s->vsub = desc_in->log2_chroma_h; + s->planes = av_pix_fmt_count_planes(outlink->format); + + av_assert0(desc_in->nb_components == desc_out->nb_components); + av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out); @@ -272,7 +278,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, AVFrame *in = td->in; int plane; - for (plane = 0; out->data[plane]; plane++) { + for (plane = 0; plane < s->planes; plane++) { int hsub = plane == 1 || plane == 2 ? s->hsub : 0; int vsub = plane == 1 || plane == 2 ? s->vsub : 0; int pixstep = s->pixsteps[plane]; From 6723a436095f76f6d1edec4de21b2a0b47954067 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:00 +0100 Subject: [PATCH 0136/1764] avcodec/mpeg4videodec: Check mb_num also against 0 The spec implies that 0 is invalid in addition to the existing checks Found-by: Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 05f4703a168a336363750e32bcfdd6f303fbdbc3) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 8eafc783b8..afa41a8641 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -460,7 +460,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext *ctx) } mb_num = get_bits(&s->gb, mb_num_bits); - if (mb_num >= s->mb_num) { + if (mb_num >= s->mb_num || !mb_num) { av_log(s->avctx, AV_LOG_ERROR, "illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num); return -1; From cd478122b0a05abaf82d96da2c9eb2d00635f72e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:01 +0100 Subject: [PATCH 0137/1764] avcodec/get_bits: Document the return code of get_vlc2() Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 4a94ff4ccd4f2329c599e37cabe4152dae60359e) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index c530015169..0c7f5ff0c6 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -550,6 +550,7 @@ static inline const uint8_t *align_get_bits(GetBitContext *s) * @param max_depth is the number of times bits bits must be read to completely * read the longest vlc code * = (max_vlc_length + bits - 1) / bits + * @returns the code parsed or -1 if no vlc matches */ static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2], int bits, int max_depth) From d07f78ae726bbc8cde010f530676e53468acfa53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jan 2018 02:29:02 +0100 Subject: [PATCH 0138/1764] avcodec/mpeg4videodec: Avoid possibly aliasing violating casts Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit d4967c04e040b3b2f937cad88599af825147ec94) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index afa41a8641..d0162d1074 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1251,10 +1251,12 @@ not_coded: */ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbp, mb_type; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); + mb_type = s->current_picture.mb_type[xy]; cbp = s->cbp_table[xy]; @@ -1336,12 +1338,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant; int16_t *mot_val; static const int8_t quant_tab[4] = { -1, -2, 1, 2 }; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); av_assert2(s->h263_pred); if (s->pict_type == AV_PICTURE_TYPE_P || From 93437a18d878f3924199a3dba5082aa3d09a3094 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jan 2018 03:15:23 +0100 Subject: [PATCH 0139/1764] avcodec/hevc_ps: Check log2_sao_offset_scale_* Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768 Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a75a75c62efc645ec28444e4675c325b8f2bb1a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 902917d4dd..2ab4c34013 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1324,6 +1324,11 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx, pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb); pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb); + if ( pps->log2_sao_offset_scale_luma > FFMAX(sps->bit_depth - 10, 0) + || pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0) + ) + return AVERROR_INVALIDDATA; + return(0); } From d06972535e4890f503e82ffe245cc0f859b762ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jan 2018 00:24:49 +0100 Subject: [PATCH 0140/1764] avcodec/indeo5: Do not leave frame_type set to an invalid value Fixes: null pointer dereference Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ff9f178519b68d4d1d606eb5451ad81da948efc) Signed-off-by: Michael Niedermayer --- libavcodec/indeo5.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 81b4514038..b39cffd9a9 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_type = get_bits(&ctx->gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); + ctx->frame_type = FRAMETYPE_INTRA; return AVERROR_INVALIDDATA; } From c1c50fc4a75492b97ac616ea3d393627b9648795 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jan 2018 23:14:37 +0100 Subject: [PATCH 0141/1764] avcodec/dirac_dwt: Fix several integer overflows Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot be represented in type 'int' Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe1e6c06d03432c3e9208f019533c1d701f485d0) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- libavcodec/dirac_dwt_template.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 1af41e0702..68ebd19560 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ - (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) + (b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ - (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) + (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e436c247a1..e68cc4d530 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; + b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2); } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, From dd93df46a618c442ead15cc90d8b236d5e1894a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 01:09:12 +0100 Subject: [PATCH 0142/1764] Update for 3.4.2 Signed-off-by: Michael Niedermayer --- Changelog | 46 ++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index d9f6b8a87a..98943a4bf6 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,52 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.2: +- avcodec/dirac_dwt: Fix several integer overflows +- avcodec/indeo5: Do not leave frame_type set to an invalid value +- avcodec/hevc_ps: Check log2_sao_offset_scale_* +- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts +- avcodec/get_bits: Document the return code of get_vlc2() +- avcodec/mpeg4videodec: Check mb_num also against 0 +- avfilter/vf_transpose: Fix used plane count. +- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() +- avcodec/mjpegdec: Fix integer overflow in DC dequantization +- avcodec/dxtory: Fix bits left checks +- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down +- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() +- avcodec/snowdec: Fix integer overflow before htaps check +- avcodec/ulti: Check number of blocks at init +- avcodec/wavpack: Fix integer overflows in wv_unpack_stereo / mono +- avcodec/jpeg2000: Check sum of sizes of band->prec before allocating +- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() +- avformat/lrcdec: Fix memory leak in lrc_read_header() +- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() +- lavfi/deinterlace_vaapi: fix can't show full option information. +- configure:version 3.4.1: bump year +- avcodec/utils: Avoid hardcoding duplicated types in sizeof() +- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one +- avcodec/h264addpx_template: Fixes integer overflows +- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 +- avcodec/diracdec: Fix integer overflow with quant +- avcodec/opus_parser: Check payload_len in parse_opus_ts_header() +- avcodec/jpeg2000dsp: Fix integer overflows in ict_int() +- avcodec/h264_slice: Do not attempt to render into frames already output +- avcodec/dnxhddec: Check dc vlc +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- tests/audiomatch: Add missing return code at the end of main() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- avcodec/h264_parse: Treat escaped and unescaped decoding error equal in decode_extradata_ps_mp4() +- avcodec/vp9: mark frame as finished on decode_tiles() failure +- libavfilter/af_dcshift.c: Fixed repeated spelling error +- avfilter/formats: fix wrong function name in error message + version 3.4.1: - avcodec/vp9_superframe_split_bsf: Fix integer overflow in frame_size/total_size checks - avcodec/amrwbdec: Fix division by 0 in voice_factor() diff --git a/RELEASE b/RELEASE index 47b322c971..4d9d11cf50 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.1 +3.4.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index ca68f1aad6..4f0c5ab628 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.1 +PROJECT_NUMBER = 3.4.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 64f0fd599845fb9e4db9ba51012792abaf38a9ea Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jan 2018 16:54:15 -0300 Subject: [PATCH 0143/1764] avcodec/hevc_ps: add a function to uninitialize parameter set buffers Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 9462b2b8205397ea5972b2365c2e8db6872ef3e9) --- libavcodec/hevc_ps.c | 16 ++++++++++++++++ libavcodec/hevc_ps.h | 2 ++ 2 files changed, 18 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 2ab4c34013..6f3af2daec 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1709,6 +1709,22 @@ err: return ret; } +void ff_hevc_ps_uninit(HEVCParamSets *ps) +{ + int i; + + for (i = 0; i < FF_ARRAY_ELEMS(ps->vps_list); i++) + av_buffer_unref(&ps->vps_list[i]); + for (i = 0; i < FF_ARRAY_ELEMS(ps->sps_list); i++) + av_buffer_unref(&ps->sps_list[i]); + for (i = 0; i < FF_ARRAY_ELEMS(ps->pps_list); i++) + av_buffer_unref(&ps->pps_list[i]); + + ps->sps = NULL; + ps->pps = NULL; + ps->vps = NULL; +} + int ff_hevc_compute_poc(const HEVCSPS *sps, int pocTid0, int poc_lsb, int nal_unit_type) { int max_poc_lsb = 1 << sps->log2_max_poc_lsb; diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h index 76f8eb31e6..f19d022469 100644 --- a/libavcodec/hevc_ps.h +++ b/libavcodec/hevc_ps.h @@ -421,6 +421,8 @@ int ff_hevc_decode_nal_sps(GetBitContext *gb, AVCodecContext *avctx, int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, HEVCParamSets *ps); +void ff_hevc_ps_uninit(HEVCParamSets *ps); + int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, ShortTermRPS *rps, const HEVCSPS *sps, int is_slice_header); From d7d5a3379dfe35422b894d7ce1039c4cff0581f6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jan 2018 16:54:51 -0300 Subject: [PATCH 0144/1764] avcodec/hevcdec: use ff_hevc_uninit_parameter_sets() Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 1f0cf1b2f4ef6304c343d53508193ac4b5d9c1d2) --- libavcodec/hevcdec.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 2e4add2ae3..67ac9ab262 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3215,15 +3215,7 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx) av_frame_free(&s->DPB[i].frame); } - for (i = 0; i < FF_ARRAY_ELEMS(s->ps.vps_list); i++) - av_buffer_unref(&s->ps.vps_list[i]); - for (i = 0; i < FF_ARRAY_ELEMS(s->ps.sps_list); i++) - av_buffer_unref(&s->ps.sps_list[i]); - for (i = 0; i < FF_ARRAY_ELEMS(s->ps.pps_list); i++) - av_buffer_unref(&s->ps.pps_list[i]); - s->ps.sps = NULL; - s->ps.pps = NULL; - s->ps.vps = NULL; + ff_hevc_ps_uninit(&s->ps); av_freep(&s->sh.entry_point_offset); av_freep(&s->sh.offset); From e5bbb52194411320209f95ac9cac5bd6c34b575a Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jan 2018 16:55:00 -0300 Subject: [PATCH 0145/1764] avcodec/hevc_parser: use ff_hevc_uninit_parameter_sets() Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 2159d4bbc3e69d04242e87bac13ebea8b942d94d) --- libavcodec/hevc_parser.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c index dc63c6b954..3bef236983 100644 --- a/libavcodec/hevc_parser.c +++ b/libavcodec/hevc_parser.c @@ -359,17 +359,8 @@ static int hevc_split(AVCodecContext *avctx, const uint8_t *buf, int buf_size) static void hevc_parser_close(AVCodecParserContext *s) { HEVCParserContext *ctx = s->priv_data; - int i; - - for (i = 0; i < FF_ARRAY_ELEMS(ctx->ps.vps_list); i++) - av_buffer_unref(&ctx->ps.vps_list[i]); - for (i = 0; i < FF_ARRAY_ELEMS(ctx->ps.sps_list); i++) - av_buffer_unref(&ctx->ps.sps_list[i]); - for (i = 0; i < FF_ARRAY_ELEMS(ctx->ps.pps_list); i++) - av_buffer_unref(&ctx->ps.pps_list[i]); - - ctx->ps.sps = NULL; + ff_hevc_ps_uninit(&ctx->ps); ff_h2645_packet_uninit(&ctx->pkt); ff_hevc_reset_sei(&ctx->sei); From af54886de8ab5845bef6f67431f1ef8f68b9f58d Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jan 2018 16:55:17 -0300 Subject: [PATCH 0146/1764] avcodec/mediacodecdec: use ff_hevc_ps_uninit() Fixes memleaks. Signed-off-by: James Almer (cherry picked from commit 782e066e3e3d8015d6d64c47cda0925c10aebe08) --- libavcodec/mediacodecdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c index 6962ce2474..366c039de4 100644 --- a/libavcodec/mediacodecdec.c +++ b/libavcodec/mediacodecdec.c @@ -256,6 +256,8 @@ static int hevc_set_extradata(AVCodecContext *avctx, FFAMediaFormat *format) } done: + ff_hevc_ps_uninit(&ps); + av_freep(&vps_data); av_freep(&sps_data); av_freep(&pps_data); From 9b97afe7ad065fc840609c5302e594538026befc Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 30 Jan 2018 22:13:05 -0300 Subject: [PATCH 0147/1764] Changelog: update for the previous four commits Signed-off-by: James Almer --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog b/Changelog index 98943a4bf6..45572de937 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,10 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.2: +- avcodec/mediacodecdec: use ff_hevc_ps_uninit() +- avcodec/hevc_parser: use ff_hevc_uninit_parameter_sets() +- avcodec/hevcdec: use ff_hevc_uninit_parameter_sets() +- avcodec/hevc_ps: add a function to uninitialize parameter set buffers - avcodec/dirac_dwt: Fix several integer overflows - avcodec/indeo5: Do not leave frame_type set to an invalid value - avcodec/hevc_ps: Check log2_sao_offset_scale_* From ce7f65be6ecb29f4270d128f01dc63f8ba4f6f74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 17:50:21 +0100 Subject: [PATCH 0148/1764] avcodec/exr: Fix memleaks in decode_header() Fixes: 4793/clusterfuzz-testcase-minimized-5707366629638144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a2560a9775be7c5df09c85c9908b05e711a54a3) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 82 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 56 insertions(+), 26 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 454dc74cfb..f08576af22 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1306,6 +1306,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) AVDictionary *metadata = NULL; int magic_number, version, i, flags, sar = 0; int layer_match = 0; + int ret; s->current_channel_offset = 0; s->xmin = ~0; @@ -1364,8 +1365,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) if ((var_size = check_header_variable(s, "channels", "chlist", 38)) >= 0) { GetByteContext ch_gb; - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } bytestream2_init(&ch_gb, s->gb.buffer, var_size); @@ -1424,14 +1427,16 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (bytestream2_get_bytes_left(&ch_gb) < 4) { av_log(s->avctx, AV_LOG_ERROR, "Incomplete header.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } current_pixel_type = bytestream2_get_le32(&ch_gb); if (current_pixel_type >= EXR_UNKNOWN) { avpriv_report_missing_feature(s->avctx, "Pixel type %d", current_pixel_type); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } bytestream2_skip(&ch_gb, 4); @@ -1442,7 +1447,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) avpriv_report_missing_feature(s->avctx, "Subsampling %dx%d", xsub, ysub); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */ @@ -1450,7 +1456,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->pixel_type != current_pixel_type) { av_log(s->avctx, AV_LOG_ERROR, "RGB channels not of the same depth.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; @@ -1458,8 +1465,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->channels = av_realloc(s->channels, ++s->nb_channels * sizeof(EXRChannel)); - if (!s->channels) - return AVERROR(ENOMEM); + if (!s->channels) { + ret = AVERROR(ENOMEM); + goto fail; + } channel = &s->channels[s->nb_channels - 1]; channel->pixel_type = current_pixel_type; channel->xsub = xsub; @@ -1484,7 +1493,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) av_log(s->avctx, AV_LOG_ERROR, "Missing green channel.\n"); if (s->channel_offsets[2] < 0) av_log(s->avctx, AV_LOG_ERROR, "Missing blue channel.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } } @@ -1493,8 +1503,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } s->xmin = bytestream2_get_le32(&s->gb); s->ymin = bytestream2_get_le32(&s->gb); @@ -1506,8 +1518,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "displayWindow", "box2i", 34)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } bytestream2_skip(&s->gb, 8); s->w = bytestream2_get_le32(&s->gb) + 1; @@ -1517,29 +1531,36 @@ static int decode_header(EXRContext *s, AVFrame *frame) } else if ((var_size = check_header_variable(s, "lineOrder", "lineOrder", 25)) >= 0) { int line_order; - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } line_order = bytestream2_get_byte(&s->gb); av_log(s->avctx, AV_LOG_DEBUG, "line order: %d.\n", line_order); if (line_order > 2) { av_log(s->avctx, AV_LOG_ERROR, "Unknown line order.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } continue; } else if ((var_size = check_header_variable(s, "pixelAspectRatio", "float", 31)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } sar = bytestream2_get_le32(&s->gb); continue; } else if ((var_size = check_header_variable(s, "compression", "compression", 29)) >= 0) { - if (!var_size) - return AVERROR_INVALIDDATA; + if (!var_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } if (s->compression == EXR_UNKN) s->compression = bytestream2_get_byte(&s->gb); @@ -1566,13 +1587,15 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (s->tile_attr.level_mode >= EXR_TILE_LEVEL_UNKNOWN){ avpriv_report_missing_feature(s->avctx, "Tile level mode %d", s->tile_attr.level_mode); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } if (s->tile_attr.level_round >= EXR_TILE_ROUND_UNKNOWN) { avpriv_report_missing_feature(s->avctx, "Tile level round %d", s->tile_attr.level_round); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } continue; @@ -1589,7 +1612,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) // Check if there are enough bytes for a header if (bytestream2_get_bytes_left(&s->gb) <= 9) { av_log(s->avctx, AV_LOG_ERROR, "Incomplete header\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } // Process unknown variables @@ -1604,19 +1628,22 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (s->compression == EXR_UNKN) { av_log(s->avctx, AV_LOG_ERROR, "Missing compression attribute.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->is_tile) { if (s->tile_attr.xSize < 1 || s->tile_attr.ySize < 1) { av_log(s->avctx, AV_LOG_ERROR, "Invalid tile attribute.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } } if (bytestream2_get_bytes_left(&s->gb) <= 0) { av_log(s->avctx, AV_LOG_ERROR, "Incomplete frame.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } frame->metadata = metadata; @@ -1624,6 +1651,9 @@ static int decode_header(EXRContext *s, AVFrame *frame) // aaand we are done bytestream2_skip(&s->gb, 1); return 0; +fail: + av_dict_free(&metadata); + return ret; } static int decode_frame(AVCodecContext *avctx, void *data, From 9efd80dc0996eb0b4c9cde22f96ed7a1f3411cd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 18:13:07 +0100 Subject: [PATCH 0149/1764] avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1bef755f617af9685b592d866b3eb7f3c4b02b1) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 3d5875a469..eeada0b9f2 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -568,7 +568,8 @@ static void sbr_hf_assemble(int Y1[38][64][2], int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; int *out = &Y1[i][kx][idx]; - int shift, round; + int shift; + unsigned round; SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { @@ -581,12 +582,12 @@ static void sbr_hf_assemble(int Y1[38][64][2], } if (shift < 32) { round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } if (shift2 < 32) { round = 1 << (shift2-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift2; + out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2; } } if(m_max&1) @@ -597,7 +598,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], return; } else if (shift < 32) { round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } } } From 5e67a2e13a942a2a84718f354f8f092149fe12bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 02:50:18 +0100 Subject: [PATCH 0150/1764] avcodec/wavpack: Fix integer overflow in FFABS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 5396/clusterfuzz-testcase-minimized-6558555529281536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e50bd61e4ff97bd7fc6cbd7ec4ca514e17a70c4) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index d5e1e07b74..0e40b29879 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -480,7 +480,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { + if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } From 342f1da13489de6650349fff2206a81442d6c668 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Feb 2018 21:44:57 +0100 Subject: [PATCH 0151/1764] avcodec/utvideodec: Fix bytes left check in decode_frame() Fixes: out of array read Fixes: poc-2017.avi Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 118e1b0b3370dd1c0da442901b486689efd1654b) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 40c12772b3..d888cc3cdf 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -561,7 +561,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < c->slices; j++) { slice_end = bytestream2_get_le32u(&gb); if (slice_end < 0 || slice_end < slice_start || - bytestream2_get_bytes_left(&gb) < slice_end) { + bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) { av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); return AVERROR_INVALIDDATA; } From 86296fe24d6fcb94cd69f087c87e10203370a6bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2018 19:20:10 +0100 Subject: [PATCH 0152/1764] avcodec/huffyuvdec: Check input buffer size Fixes: Timeout Fixes: 5487/clusterfuzz-testcase-4696837035393024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 08c220d26cff51ca2f6896b65aebfa3accc67290) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 979c4b9d5c..66357bfb40 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -919,6 +919,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVFrame *const p = data; int table_size = 0, ret; + if (buf_size < (width * height + 7)/8) + return AVERROR_INVALIDDATA; + av_fast_padded_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size, buf_size); From cc0d2f110d9424b0240ac31599e70949169106e1 Mon Sep 17 00:00:00 2001 From: Nekopanda Date: Sat, 10 Feb 2018 18:36:32 +0900 Subject: [PATCH 0153/1764] avcodec/mpeg2dec: Fix field selection for skipped macroblocks For B field pictures, the spec says, > The prediction shall be made from the field of the same parity as the field being predicted. I did it. Signed-off-by: Michael Niedermayer (cherry picked from commit 8b154cb3e90a3e599cadf477d815a9854b7bb4e1) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 + tests/ref/fate/mpeg2-ticket186 | 328 ++++++++++++++++----------------- 2 files changed, 166 insertions(+), 164 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 4e68be27f1..4b76428f53 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1984,6 +1984,8 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, s->mv[0][0][1] = s->last_mv[0][0][1]; s->mv[1][0][0] = s->last_mv[1][0][0]; s->mv[1][0][1] = s->last_mv[1][0][1]; + s->field_select[0][0] = (s->picture_structure - 1) & 1; + s->field_select[1][0] = (s->picture_structure - 1) & 1; } } } diff --git a/tests/ref/fate/mpeg2-ticket186 b/tests/ref/fate/mpeg2-ticket186 index b716ca5611..31afda15e8 100644 --- a/tests/ref/fate/mpeg2-ticket186 +++ b/tests/ref/fate/mpeg2-ticket186 @@ -3,354 +3,354 @@ #codec_id 0: rawvideo #dimensions 0: 352x288 #sar 0: 12/11 -0, 0, 0, 1, 152064, 0xd23ffc59 +0, 0, 0, 1, 152064, 0x8f9d00c1 0, 1, 1, 1, 152064, 0x899fb8b1 -0, 2, 2, 1, 152064, 0x5958d070 +0, 2, 2, 1, 152064, 0x7225cb39 0, 3, 3, 1, 152064, 0xf2becd8f -0, 4, 4, 1, 152064, 0xb47bbed7 +0, 4, 4, 1, 152064, 0xd56bc556 0, 5, 5, 1, 152064, 0x7ca54f36 -0, 6, 6, 1, 152064, 0x02389610 +0, 6, 6, 1, 152064, 0x06d7805c 0, 7, 7, 1, 152064, 0x469f3f87 -0, 8, 8, 1, 152064, 0x935a780e +0, 8, 8, 1, 152064, 0xdb2f57d5 0, 9, 9, 1, 152064, 0x3876c20c -0, 10, 10, 1, 152064, 0x49df265f +0, 10, 10, 1, 152064, 0x5b670e79 0, 11, 11, 1, 152064, 0xdfe420e0 -0, 12, 12, 1, 152064, 0x6e34a0c4 +0, 12, 12, 1, 152064, 0x17578222 0, 13, 13, 1, 152064, 0x47e1cb26 -0, 14, 14, 1, 152064, 0x68e74188 +0, 14, 14, 1, 152064, 0x168e35d6 0, 15, 15, 1, 152064, 0xe9d34b4e -0, 16, 16, 1, 152064, 0xa8665e1a +0, 16, 16, 1, 152064, 0x5e395308 0, 17, 17, 1, 152064, 0x88e3b39f -0, 18, 18, 1, 152064, 0x1c1ab2c3 +0, 18, 18, 1, 152064, 0x6b099c51 0, 19, 19, 1, 152064, 0xb1a24ddf -0, 20, 20, 1, 152064, 0x030d5afc +0, 20, 20, 1, 152064, 0xcea840fc 0, 21, 21, 1, 152064, 0x98306d64 -0, 22, 22, 1, 152064, 0x5ce0548d +0, 22, 22, 1, 152064, 0xb05354d3 0, 23, 23, 1, 152064, 0xacac26f3 -0, 24, 24, 1, 152064, 0xf167f698 +0, 24, 24, 1, 152064, 0xbccdf14b 0, 25, 25, 1, 152064, 0xd9398539 -0, 26, 26, 1, 152064, 0xd7aec2c4 +0, 26, 26, 1, 152064, 0x07aec13a 0, 27, 27, 1, 152064, 0xa6ef9440 -0, 28, 28, 1, 152064, 0xc289b278 +0, 28, 28, 1, 152064, 0x0e7ab64e 0, 29, 29, 1, 152064, 0x3796939d -0, 30, 30, 1, 152064, 0x48c09366 +0, 30, 30, 1, 152064, 0xcc219365 0, 31, 31, 1, 152064, 0xf4cc815a -0, 32, 32, 1, 152064, 0x1c63cdc2 +0, 32, 32, 1, 152064, 0x8b91c622 0, 33, 33, 1, 152064, 0xd3a8ad8e -0, 34, 34, 1, 152064, 0x70f94bc0 +0, 34, 34, 1, 152064, 0x658e498f 0, 35, 35, 1, 152064, 0xf9c115ea -0, 36, 36, 1, 152064, 0x44a2f607 +0, 36, 36, 1, 152064, 0xb639f8d2 0, 37, 37, 1, 152064, 0x7e9eaa64 -0, 38, 38, 1, 152064, 0x37b86b68 +0, 38, 38, 1, 152064, 0x8a546bcf 0, 39, 39, 1, 152064, 0x59d22dd4 -0, 40, 40, 1, 152064, 0x5d0d0e8d +0, 40, 40, 1, 152064, 0x80a10edc 0, 41, 41, 1, 152064, 0x5c97d4a1 -0, 42, 42, 1, 152064, 0xd44ef54d +0, 42, 42, 1, 152064, 0x4f1bf025 0, 43, 43, 1, 152064, 0x42721789 -0, 44, 44, 1, 152064, 0x27597277 +0, 44, 44, 1, 152064, 0x39e6700d 0, 45, 45, 1, 152064, 0xdf4af8b4 -0, 46, 46, 1, 152064, 0x5df7390c +0, 46, 46, 1, 152064, 0xacf839bb 0, 47, 47, 1, 152064, 0xbebfbf7c -0, 48, 48, 1, 152064, 0x753959bb +0, 48, 48, 1, 152064, 0x09c7630d 0, 49, 49, 1, 152064, 0x3331ab18 -0, 50, 50, 1, 152064, 0xec4a0f33 +0, 50, 50, 1, 152064, 0xae0f0f28 0, 51, 51, 1, 152064, 0xbb085737 -0, 52, 52, 1, 152064, 0x3938abf4 +0, 52, 52, 1, 152064, 0x1e23ad39 0, 53, 53, 1, 152064, 0x18d46683 -0, 54, 54, 1, 152064, 0xb12ace0c +0, 54, 54, 1, 152064, 0x4eadd0a0 0, 55, 55, 1, 152064, 0x09b13430 -0, 56, 56, 1, 152064, 0x85bd5e88 +0, 56, 56, 1, 152064, 0x240a607b 0, 57, 57, 1, 152064, 0xec0f8a67 -0, 58, 58, 1, 152064, 0x51a4fc74 +0, 58, 58, 1, 152064, 0x6c37fc08 0, 59, 59, 1, 152064, 0xded4cda7 -0, 60, 60, 1, 152064, 0xb69412a9 +0, 60, 60, 1, 152064, 0xc5df1477 0, 61, 61, 1, 152064, 0x3c9de6f9 -0, 62, 62, 1, 152064, 0x223fcc41 +0, 62, 62, 1, 152064, 0xefd1cdbd 0, 63, 63, 1, 152064, 0x5df7b89c -0, 64, 64, 1, 152064, 0x1e58b37a +0, 64, 64, 1, 152064, 0x1b04af5f 0, 65, 65, 1, 152064, 0xbbff2c09 -0, 66, 66, 1, 152064, 0x4e0f4d4a +0, 66, 66, 1, 152064, 0x23b04553 0, 67, 67, 1, 152064, 0x3d99caa3 -0, 68, 68, 1, 152064, 0xcc329c2f +0, 68, 68, 1, 152064, 0x35139bf8 0, 69, 69, 1, 152064, 0x49207c0a -0, 70, 70, 1, 152064, 0x489f2d50 +0, 70, 70, 1, 152064, 0xa78e2efa 0, 71, 71, 1, 152064, 0x5a50b0df -0, 72, 72, 1, 152064, 0x509eb79e +0, 72, 72, 1, 152064, 0x3255b306 0, 73, 73, 1, 152064, 0x60622c61 0, 74, 74, 1, 152064, 0x8c8cde9f 0, 75, 75, 1, 152064, 0xe8c0bb6c -0, 76, 76, 1, 152064, 0xb03581b6 +0, 76, 76, 1, 152064, 0xbc698473 0, 77, 77, 1, 152064, 0x398525c2 0, 78, 78, 1, 152064, 0x87983ab0 0, 79, 79, 1, 152064, 0x032af6b5 -0, 80, 80, 1, 152064, 0x7434baa4 +0, 80, 80, 1, 152064, 0x4878bb11 0, 81, 81, 1, 152064, 0xff5dd044 -0, 82, 82, 1, 152064, 0x45b2bb36 +0, 82, 82, 1, 152064, 0xe675bfe0 0, 83, 83, 1, 152064, 0x1af29008 0, 84, 84, 1, 152064, 0x07aa8975 0, 85, 85, 1, 152064, 0x17957756 0, 86, 86, 1, 152064, 0x48b5825e 0, 87, 87, 1, 152064, 0x169d70bc -0, 88, 88, 1, 152064, 0x803b30c6 +0, 88, 88, 1, 152064, 0x326730c8 0, 89, 89, 1, 152064, 0x6158c971 -0, 90, 90, 1, 152064, 0xb126e53e +0, 90, 90, 1, 152064, 0x1035e3ee 0, 91, 91, 1, 152064, 0xef49ba53 -0, 92, 92, 1, 152064, 0xfcfd7f17 +0, 92, 92, 1, 152064, 0x261081fa 0, 93, 93, 1, 152064, 0x5280779e -0, 94, 94, 1, 152064, 0x638d6f48 +0, 94, 94, 1, 152064, 0x8a6d6df3 0, 95, 95, 1, 152064, 0xdb0f1ed5 -0, 96, 96, 1, 152064, 0x2cb959b0 +0, 96, 96, 1, 152064, 0x5162570a 0, 97, 97, 1, 152064, 0x0841547c -0, 98, 98, 1, 152064, 0x412a555b +0, 98, 98, 1, 152064, 0xf0694fcd 0, 99, 99, 1, 152064, 0xfe525057 -0, 100, 100, 1, 152064, 0xa8cf0cbc +0, 100, 100, 1, 152064, 0xb4ec0c96 0, 101, 101, 1, 152064, 0xbf2dcaee -0, 102, 102, 1, 152064, 0x636cc494 +0, 102, 102, 1, 152064, 0x7860c418 0, 103, 103, 1, 152064, 0xc9e288bc -0, 104, 104, 1, 152064, 0xe77f4d03 +0, 104, 104, 1, 152064, 0xb0514dc3 0, 105, 105, 1, 152064, 0x722a4bd0 -0, 106, 106, 1, 152064, 0x5271f5ef +0, 106, 106, 1, 152064, 0x5277f52d 0, 107, 107, 1, 152064, 0x05208e75 -0, 108, 108, 1, 152064, 0xb8845f88 +0, 108, 108, 1, 152064, 0x0b596089 0, 109, 109, 1, 152064, 0x47aa117c -0, 110, 110, 1, 152064, 0xe695fe27 +0, 110, 110, 1, 152064, 0x12edfe8b 0, 111, 111, 1, 152064, 0x2e50f864 -0, 112, 112, 1, 152064, 0x52d2b719 +0, 112, 112, 1, 152064, 0x4cedb882 0, 113, 113, 1, 152064, 0xdbf48285 -0, 114, 114, 1, 152064, 0xe0b2ba93 +0, 114, 114, 1, 152064, 0x9071b0e6 0, 115, 115, 1, 152064, 0x1c85a5ce 0, 116, 116, 1, 152064, 0x8ef9a8e8 0, 117, 117, 1, 152064, 0x41e8ae26 0, 118, 118, 1, 152064, 0x3328d571 0, 119, 119, 1, 152064, 0xce7d4da2 -0, 120, 120, 1, 152064, 0x7a6f7416 +0, 120, 120, 1, 152064, 0x032d7575 0, 121, 121, 1, 152064, 0xb3fc65a6 -0, 122, 122, 1, 152064, 0xc5a261e9 +0, 122, 122, 1, 152064, 0xe5a266b4 0, 123, 123, 1, 152064, 0x943c5925 -0, 124, 124, 1, 152064, 0x259180b2 +0, 124, 124, 1, 152064, 0xe6138024 0, 125, 125, 1, 152064, 0x3acd4e1b -0, 126, 126, 1, 152064, 0x692090b4 +0, 126, 126, 1, 152064, 0x9de7903e 0, 127, 127, 1, 152064, 0xea1184d0 -0, 128, 128, 1, 152064, 0x3e0038d5 +0, 128, 128, 1, 152064, 0x9e323818 0, 129, 129, 1, 152064, 0xf77872a2 -0, 130, 130, 1, 152064, 0xe4cb7bb5 +0, 130, 130, 1, 152064, 0x8f7c75c7 0, 131, 131, 1, 152064, 0x9d6d2623 -0, 132, 132, 1, 152064, 0xb9056247 +0, 132, 132, 1, 152064, 0x3d8e62ab 0, 133, 133, 1, 152064, 0xcd8b3dc5 -0, 134, 134, 1, 152064, 0x13ea1b6d +0, 134, 134, 1, 152064, 0x57681ebc 0, 135, 135, 1, 152064, 0x764f3233 -0, 136, 136, 1, 152064, 0x54c00ba8 +0, 136, 136, 1, 152064, 0x8c8b0a4b 0, 137, 137, 1, 152064, 0x2d9aedac -0, 138, 138, 1, 152064, 0x1af00532 +0, 138, 138, 1, 152064, 0x0afe03ae 0, 139, 139, 1, 152064, 0xcecae31b 0, 140, 140, 1, 152064, 0x0e6ea17f 0, 141, 141, 1, 152064, 0x66b0b8c4 -0, 142, 142, 1, 152064, 0x0ee879bb +0, 142, 142, 1, 152064, 0xd44f7976 0, 143, 143, 1, 152064, 0xf7f029cc -0, 144, 144, 1, 152064, 0xdd5d08d6 +0, 144, 144, 1, 152064, 0xada307a9 0, 145, 145, 1, 152064, 0x936ae367 -0, 146, 146, 1, 152064, 0xf0f4aba0 +0, 146, 146, 1, 152064, 0xa019ad8a 0, 147, 147, 1, 152064, 0x5233a9e7 -0, 148, 148, 1, 152064, 0x02af732b +0, 148, 148, 1, 152064, 0x6fd5737f 0, 149, 149, 1, 152064, 0xb2eb2476 -0, 150, 150, 1, 152064, 0x998732b4 +0, 150, 150, 1, 152064, 0x36a53280 0, 151, 151, 1, 152064, 0xf025230f -0, 152, 152, 1, 152064, 0x474f3b12 +0, 152, 152, 1, 152064, 0x48373a3e 0, 153, 153, 1, 152064, 0xe4e950e2 -0, 154, 154, 1, 152064, 0xa3f87fb3 +0, 154, 154, 1, 152064, 0x63d37fc4 0, 155, 155, 1, 152064, 0x1e465fda -0, 156, 156, 1, 152064, 0x9e8caab2 +0, 156, 156, 1, 152064, 0xc47ea97e 0, 157, 157, 1, 152064, 0x0224aca7 -0, 158, 158, 1, 152064, 0x24fcec49 +0, 158, 158, 1, 152064, 0x909dedcc 0, 159, 159, 1, 152064, 0x1c1df7ea -0, 160, 160, 1, 152064, 0xc466f68f +0, 160, 160, 1, 152064, 0x5e43f7f1 0, 161, 161, 1, 152064, 0xdb11d8fa -0, 162, 162, 1, 152064, 0xa0f61157 +0, 162, 162, 1, 152064, 0xa66710f5 0, 163, 163, 1, 152064, 0x352013b0 -0, 164, 164, 1, 152064, 0xc14243c7 +0, 164, 164, 1, 152064, 0xc8e745f1 0, 165, 165, 1, 152064, 0xb18b6810 -0, 166, 166, 1, 152064, 0x040942e6 +0, 166, 166, 1, 152064, 0xb1c243e2 0, 167, 167, 1, 152064, 0x6fe129f9 -0, 168, 168, 1, 152064, 0xc3d64c5f +0, 168, 168, 1, 152064, 0x92814bde 0, 169, 169, 1, 152064, 0x50954752 -0, 170, 170, 1, 152064, 0xa4d24c64 +0, 170, 170, 1, 152064, 0x48634df3 0, 171, 171, 1, 152064, 0x3af254c0 0, 172, 172, 1, 152064, 0x6fde4801 0, 173, 173, 1, 152064, 0xf8fe19b4 -0, 174, 174, 1, 152064, 0x97b34958 +0, 174, 174, 1, 152064, 0x57004906 0, 175, 175, 1, 152064, 0x916e2ff4 -0, 176, 176, 1, 152064, 0x60c528e2 +0, 176, 176, 1, 152064, 0xbc0d28f0 0, 177, 177, 1, 152064, 0x4522435e 0, 178, 178, 1, 152064, 0x861f5d1b 0, 179, 179, 1, 152064, 0x42c3bf28 -0, 180, 180, 1, 152064, 0x9772db11 +0, 180, 180, 1, 152064, 0xbd6adb19 0, 181, 181, 1, 152064, 0x0692f5b8 -0, 182, 182, 1, 152064, 0xb06b4aed +0, 182, 182, 1, 152064, 0x1e1e4bfb 0, 183, 183, 1, 152064, 0xdc852986 -0, 184, 184, 1, 152064, 0xa7a025fb +0, 184, 184, 1, 152064, 0x61c5259e 0, 185, 185, 1, 152064, 0xe28f365a -0, 186, 186, 1, 152064, 0xcbf3830e +0, 186, 186, 1, 152064, 0x19388308 0, 187, 187, 1, 152064, 0x043bace9 -0, 188, 188, 1, 152064, 0x5dd0b5df +0, 188, 188, 1, 152064, 0x4bebb678 0, 189, 189, 1, 152064, 0x6bd6d112 -0, 190, 190, 1, 152064, 0xa585ceb6 +0, 190, 190, 1, 152064, 0x3c9dc401 0, 191, 191, 1, 152064, 0x91e7556a -0, 192, 192, 1, 152064, 0x8f2a0404 +0, 192, 192, 1, 152064, 0xae60f7e7 0, 193, 193, 1, 152064, 0x14066893 -0, 194, 194, 1, 152064, 0x8f715862 +0, 194, 194, 1, 152064, 0x7f5a5f0a 0, 195, 195, 1, 152064, 0xb1063958 -0, 196, 196, 1, 152064, 0x014c40f0 +0, 196, 196, 1, 152064, 0xadf13b9f 0, 197, 197, 1, 152064, 0x7ddcf94d -0, 198, 198, 1, 152064, 0x25473a22 +0, 198, 198, 1, 152064, 0x91393730 0, 199, 199, 1, 152064, 0xcd150536 -0, 200, 200, 1, 152064, 0x2d24d974 +0, 200, 200, 1, 152064, 0x52e0d7bd 0, 201, 201, 1, 152064, 0x9130b2ce -0, 202, 202, 1, 152064, 0x9450a62a +0, 202, 202, 1, 152064, 0xa07fa62a 0, 203, 203, 1, 152064, 0x7da258cd -0, 204, 204, 1, 152064, 0x6c2770de +0, 204, 204, 1, 152064, 0x984071a6 0, 205, 205, 1, 152064, 0xd5fa731a -0, 206, 206, 1, 152064, 0x93757c14 +0, 206, 206, 1, 152064, 0x593d7910 0, 207, 207, 1, 152064, 0x4b754c71 0, 208, 208, 1, 152064, 0x51544841 0, 209, 209, 1, 152064, 0xf466910e -0, 210, 210, 1, 152064, 0xe818c675 +0, 210, 210, 1, 152064, 0x6535c9c4 0, 211, 211, 1, 152064, 0x6d45b6d8 -0, 212, 212, 1, 152064, 0xa3de9aec +0, 212, 212, 1, 152064, 0xe77998a2 0, 213, 213, 1, 152064, 0x56023275 -0, 214, 214, 1, 152064, 0xa1af21cb +0, 214, 214, 1, 152064, 0x779b20cc 0, 215, 215, 1, 152064, 0x1ff1b05e -0, 216, 216, 1, 152064, 0x142ecbdb +0, 216, 216, 1, 152064, 0xb9e2c3f0 0, 217, 217, 1, 152064, 0xdfc6d541 -0, 218, 218, 1, 152064, 0x8d8f7a4c +0, 218, 218, 1, 152064, 0x301a7948 0, 219, 219, 1, 152064, 0x03d611ca -0, 220, 220, 1, 152064, 0x999e6d3f +0, 220, 220, 1, 152064, 0xe9426f2a 0, 221, 221, 1, 152064, 0x304c95df -0, 222, 222, 1, 152064, 0xbdcff306 +0, 222, 222, 1, 152064, 0x60e7f924 0, 223, 223, 1, 152064, 0x6408670c -0, 224, 224, 1, 152064, 0xa6d4d038 +0, 224, 224, 1, 152064, 0xbf09ca74 0, 225, 225, 1, 152064, 0xf2d13572 -0, 226, 226, 1, 152064, 0x2fa8b357 +0, 226, 226, 1, 152064, 0x90ccb47d 0, 227, 227, 1, 152064, 0x24bbd269 -0, 228, 228, 1, 152064, 0x23dd31f2 +0, 228, 228, 1, 152064, 0x7ae333dd 0, 229, 229, 1, 152064, 0x90913fe2 -0, 230, 230, 1, 152064, 0x855efbca +0, 230, 230, 1, 152064, 0xc994007c 0, 231, 231, 1, 152064, 0x45a123c0 -0, 232, 232, 1, 152064, 0xec465cb2 +0, 232, 232, 1, 152064, 0xa0335bbf 0, 233, 233, 1, 152064, 0x3e79c4e9 -0, 234, 234, 1, 152064, 0xaeac4476 +0, 234, 234, 1, 152064, 0x05cf4479 0, 235, 235, 1, 152064, 0x2146392c -0, 236, 236, 1, 152064, 0x7a186239 +0, 236, 236, 1, 152064, 0x68ac5d0a 0, 237, 237, 1, 152064, 0x9d26fed8 -0, 238, 238, 1, 152064, 0x88f090ba +0, 238, 238, 1, 152064, 0x047c9082 0, 239, 239, 1, 152064, 0x518bd9f8 -0, 240, 240, 1, 152064, 0x70013bdd +0, 240, 240, 1, 152064, 0xfbd03b16 0, 241, 241, 1, 152064, 0x5317601a -0, 242, 242, 1, 152064, 0x97e91795 +0, 242, 242, 1, 152064, 0x450118c5 0, 243, 243, 1, 152064, 0x1058915b -0, 244, 244, 1, 152064, 0x3549ffeb +0, 244, 244, 1, 152064, 0x0a4a000a 0, 245, 245, 1, 152064, 0xa277707d -0, 246, 246, 1, 152064, 0xdcb6287d +0, 246, 246, 1, 152064, 0xc7cb29b2 0, 247, 247, 1, 152064, 0x371344fc -0, 248, 248, 1, 152064, 0xb7ea75c7 +0, 248, 248, 1, 152064, 0xbc9375a9 0, 249, 249, 1, 152064, 0x70c2fa2f -0, 250, 250, 1, 152064, 0x8dbec050 +0, 250, 250, 1, 152064, 0x41fbc057 0, 251, 251, 1, 152064, 0xc21a77fe -0, 252, 252, 1, 152064, 0xf7c7678e +0, 252, 252, 1, 152064, 0x51e06384 0, 253, 253, 1, 152064, 0xbee83fcb -0, 254, 254, 1, 152064, 0x6627efd7 +0, 254, 254, 1, 152064, 0xce2befdf 0, 255, 255, 1, 152064, 0x4f139865 -0, 256, 256, 1, 152064, 0x76fa5435 +0, 256, 256, 1, 152064, 0x4e0f5372 0, 257, 257, 1, 152064, 0xf0701fd6 -0, 258, 258, 1, 152064, 0x153e3763 +0, 258, 258, 1, 152064, 0x746c35f4 0, 259, 259, 1, 152064, 0xf5211469 -0, 260, 260, 1, 152064, 0xc19d24b8 +0, 260, 260, 1, 152064, 0xae8f1c2f 0, 261, 261, 1, 152064, 0xc2483a75 -0, 262, 262, 1, 152064, 0x67a149ee +0, 262, 262, 1, 152064, 0x2da24ae6 0, 263, 263, 1, 152064, 0x86f70e3a -0, 264, 264, 1, 152064, 0x281b166b +0, 264, 264, 1, 152064, 0x52b8172a 0, 265, 265, 1, 152064, 0xca810f3b -0, 266, 266, 1, 152064, 0x91c90741 +0, 266, 266, 1, 152064, 0x6d9504c4 0, 267, 267, 1, 152064, 0x4edcfbfa -0, 268, 268, 1, 152064, 0x0ca40c66 +0, 268, 268, 1, 152064, 0x292c0bfd 0, 269, 269, 1, 152064, 0xee998e3d 0, 270, 270, 1, 152064, 0xe4b6c1b2 0, 271, 271, 1, 152064, 0xbbe0a4cc -0, 272, 272, 1, 152064, 0xd080bcfd +0, 272, 272, 1, 152064, 0xcd88bcf2 0, 273, 273, 1, 152064, 0x365df7c5 -0, 274, 274, 1, 152064, 0x934f071f +0, 274, 274, 1, 152064, 0x01cd06a4 0, 275, 275, 1, 152064, 0xcfaefeef -0, 276, 276, 1, 152064, 0xedd8263e +0, 276, 276, 1, 152064, 0xe615289d 0, 277, 277, 1, 152064, 0x1d5243de -0, 278, 278, 1, 152064, 0xc0d87e50 +0, 278, 278, 1, 152064, 0x7c397dfe 0, 279, 279, 1, 152064, 0xe25845b1 -0, 280, 280, 1, 152064, 0x47006123 +0, 280, 280, 1, 152064, 0x2d6a60a8 0, 281, 281, 1, 152064, 0xf1926203 -0, 282, 282, 1, 152064, 0x494b8b9c +0, 282, 282, 1, 152064, 0x634a88c9 0, 283, 283, 1, 152064, 0xc50aa1b7 -0, 284, 284, 1, 152064, 0xb82da5e2 +0, 284, 284, 1, 152064, 0x972fa713 0, 285, 285, 1, 152064, 0xa11cd0f6 -0, 286, 286, 1, 152064, 0x7ebff98d +0, 286, 286, 1, 152064, 0xbff8f90e 0, 287, 287, 1, 152064, 0x00902e76 -0, 288, 288, 1, 152064, 0xdee41ea2 +0, 288, 288, 1, 152064, 0x5cf31cb1 0, 289, 289, 1, 152064, 0x2b026058 -0, 290, 290, 1, 152064, 0xce81051f +0, 290, 290, 1, 152064, 0x258002cc 0, 291, 291, 1, 152064, 0x0d708815 -0, 292, 292, 1, 152064, 0xd7719e35 +0, 292, 292, 1, 152064, 0xe3809ce0 0, 293, 293, 1, 152064, 0xf0239467 -0, 294, 294, 1, 152064, 0x466d98b4 +0, 294, 294, 1, 152064, 0x6e71916a 0, 295, 295, 1, 152064, 0xc1fb36e1 -0, 296, 296, 1, 152064, 0x26bc139e +0, 296, 296, 1, 152064, 0xd47f07c9 0, 297, 297, 1, 152064, 0x7fd111ea -0, 298, 298, 1, 152064, 0xa39737cb +0, 298, 298, 1, 152064, 0xc4023a80 0, 299, 299, 1, 152064, 0x8f5851ba -0, 300, 300, 1, 152064, 0xa971f6e2 +0, 300, 300, 1, 152064, 0x9982f47b 0, 301, 301, 1, 152064, 0x0e5f6f80 -0, 302, 302, 1, 152064, 0xdb8b5e06 +0, 302, 302, 1, 152064, 0x49925e53 0, 303, 303, 1, 152064, 0xf6006bcc -0, 304, 304, 1, 152064, 0x060cd1a6 +0, 304, 304, 1, 152064, 0xd4b5d0f7 0, 305, 305, 1, 152064, 0x419ef0a4 -0, 306, 306, 1, 152064, 0xe79f0b93 +0, 306, 306, 1, 152064, 0x4e610934 0, 307, 307, 1, 152064, 0x1919e999 -0, 308, 308, 1, 152064, 0xacb715bc +0, 308, 308, 1, 152064, 0x3a750d80 0, 309, 309, 1, 152064, 0x16616075 -0, 310, 310, 1, 152064, 0x09aa4f10 +0, 310, 310, 1, 152064, 0x3284519f 0, 311, 311, 1, 152064, 0x976cdd70 -0, 312, 312, 1, 152064, 0x4811dc21 +0, 312, 312, 1, 152064, 0x4ec5d1e3 0, 313, 313, 1, 152064, 0x30d31172 -0, 314, 314, 1, 152064, 0x2db60b70 +0, 314, 314, 1, 152064, 0xe33609b5 0, 315, 315, 1, 152064, 0x5377bb89 -0, 316, 316, 1, 152064, 0x6c20cab3 +0, 316, 316, 1, 152064, 0x5479cd3d 0, 317, 317, 1, 152064, 0x964dad60 -0, 318, 318, 1, 152064, 0x514df2c3 +0, 318, 318, 1, 152064, 0x3a7deaf4 0, 319, 319, 1, 152064, 0xced22332 -0, 320, 320, 1, 152064, 0x1c64bc82 +0, 320, 320, 1, 152064, 0x3b36b53f 0, 321, 321, 1, 152064, 0x10c38662 -0, 322, 322, 1, 152064, 0xe6c7ff46 +0, 322, 322, 1, 152064, 0x45d4fceb 0, 323, 323, 1, 152064, 0x359da948 -0, 324, 324, 1, 152064, 0x5a9458ee +0, 324, 324, 1, 152064, 0x60625190 0, 325, 325, 1, 152064, 0x1cda9888 -0, 326, 326, 1, 152064, 0xbd081682 +0, 326, 326, 1, 152064, 0x77ad1d8c 0, 327, 327, 1, 152064, 0x20f1510f -0, 328, 328, 1, 152064, 0x6bc261a9 +0, 328, 328, 1, 152064, 0xd11d52c6 0, 329, 329, 1, 152064, 0x9f0e5797 -0, 330, 330, 1, 152064, 0xd14ca712 +0, 330, 330, 1, 152064, 0x174ca55b 0, 331, 331, 1, 152064, 0x8df79054 -0, 332, 332, 1, 152064, 0x34efa950 +0, 332, 332, 1, 152064, 0x3844a495 0, 333, 333, 1, 152064, 0x268d9d12 -0, 334, 334, 1, 152064, 0xad91b2ed +0, 334, 334, 1, 152064, 0xf672b44f 0, 335, 335, 1, 152064, 0xe0ac87cf -0, 336, 336, 1, 152064, 0xba4cfd8e +0, 336, 336, 1, 152064, 0xbc99fd7d 0, 337, 337, 1, 152064, 0x876ef9e3 -0, 338, 338, 1, 152064, 0x45ab6684 +0, 338, 338, 1, 152064, 0xef8066f7 0, 339, 339, 1, 152064, 0x72a99564 -0, 340, 340, 1, 152064, 0xdfc8be01 +0, 340, 340, 1, 152064, 0x5921c088 0, 341, 341, 1, 152064, 0x3a6b9e74 -0, 342, 342, 1, 152064, 0xca1be9c6 +0, 342, 342, 1, 152064, 0xfb03e9b5 0, 343, 343, 1, 152064, 0xc351bfc6 -0, 344, 344, 1, 152064, 0xef30c978 +0, 344, 344, 1, 152064, 0x2faec717 0, 345, 345, 1, 152064, 0x062fc6f3 -0, 346, 346, 1, 152064, 0x8731a9ec +0, 346, 346, 1, 152064, 0xede7a97f 0, 347, 347, 1, 152064, 0x19874144 0, 348, 348, 1, 152064, 0x929650eb 0, 349, 349, 1, 152064, 0x082557a1 -0, 350, 350, 1, 152064, 0xb80510ae +0, 350, 350, 1, 152064, 0x2b25104b From c4153d40d5d8a38a9762fbc9626728beba5887e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2018 18:49:07 +0100 Subject: [PATCH 0154/1764] avcodec/scpr: Fix reading a pixel before the first Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0fb33a82890753233225c61863fff1fcc9d970d4) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index cbe1bc40d9..ad6073dbf0 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -681,6 +681,8 @@ static int decompress_p(AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (bx == 0) { + if (by < 2) + return AVERROR_INVALIDDATA; z = backstep; } else { z = 0; @@ -710,6 +712,8 @@ static int decompress_p(AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (bx == 0) { + if (by < 2) + return AVERROR_INVALIDDATA; z = backstep; } else { z = 0; From 4423cbf1b4c195ca595379737225c3cf7b22233b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Feb 2018 02:14:49 +0100 Subject: [PATCH 0155/1764] avcodec/pafvideo: Check allocated frame size Fixes: OOM Fixes: 5549/clusterfuzz-testcase-minimized-5390553567985664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66acb630286cf1bf03bfbdab6c7c784ff20bde61) Signed-off-by: Michael Niedermayer --- libavcodec/pafvideo.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 6980ae1b35..7c5861dfaf 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -78,6 +78,7 @@ static av_cold int paf_video_init(AVCodecContext *avctx) { PAFVideoDecContext *c = avctx->priv_data; int i; + int ret; c->width = avctx->width; c->height = avctx->height; @@ -90,6 +91,9 @@ static av_cold int paf_video_init(AVCodecContext *avctx) } avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = av_image_check_size2(avctx->width, FFALIGN(avctx->height, 256), avctx->max_pixels, avctx->pix_fmt, 0, avctx); + if (ret < 0) + return ret; c->pic = av_frame_alloc(); if (!c->pic) From 0ff1825ea354ae145110bd80401cf76a306d7fde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Feb 2018 04:17:16 +0100 Subject: [PATCH 0156/1764] avcodec/vp3: Check eob_run Fixes: out of array access Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552 Fixes: special case for theora (untested due to lack of sample) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 570023eab3e2962b4ad8345a157c1e18ca1a6eca) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index f167acf4ee..fdffc88486 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -978,6 +978,9 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); + if (!eob_run) + eob_run = INT_MAX; + // record only the number of blocks ended in this plane, // any spill will be recorded in the next plane. if (eob_run > num_coeffs - coeff_i) { From cec38382dbc8c876186c98c80823619ad6a6c41b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Feb 2018 22:24:58 +0100 Subject: [PATCH 0157/1764] avcodec/mpeg4videodec: Ignore multiple VOL headers Fixes: Ticket7005 Signed-off-by: Michael Niedermayer (cherry picked from commit 63a4bdbf3b732504e54cc2b9ec0886e6242a90bc) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d0162d1074..319a3809ea 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2670,8 +2670,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (startcode >= 0x120 && startcode <= 0x12F) { if (vol) { - av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); - return AVERROR_INVALIDDATA; + av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n"); + continue; } vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) From 2ad23b93b513d3a36af53d90dfc9ebfac80b4e3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Feb 2018 03:38:54 +0100 Subject: [PATCH 0158/1764] avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() This fixes a hypothetical integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f2318aee8ca8df1c84092f7d6691a2d0df02c474) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index fdffc88486..e9bb7dcb38 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -951,9 +951,11 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, Vp3Fragment *all_fragments = s->all_fragments; VLC_TYPE(*vlc_table)[2] = table->table; - if (num_coeffs < 0) + if (num_coeffs < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of coefficients at level %d\n", coeff_index); + return AVERROR_INVALIDDATA; + } if (eob_run > num_coeffs) { coeff_i = From 6a97ba521558ce131fe839eed2d51ff745280e1d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Feb 2018 22:30:54 +0100 Subject: [PATCH 0159/1764] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Changelog b/Changelog index 45572de937..5db7b0a8a7 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,17 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.2: +- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() +- avcodec/mpeg4videodec: Ignore multiple VOL headers +- avcodec/vp3: Check eob_run +- avcodec/pafvideo: Check allocated frame size +- avcodec/scpr: Fix reading a pixel before the first +- avcodec/mpeg2dec: Fix field selection for skipped macroblocks +- avcodec/huffyuvdec: Check input buffer size +- avcodec/utvideodec: Fix bytes left check in decode_frame() +- avcodec/wavpack: Fix integer overflow in FFABS +- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() +- avcodec/exr: Fix memleaks in decode_header() - avcodec/mediacodecdec: use ff_hevc_ps_uninit() - avcodec/hevc_parser: use ff_hevc_uninit_parameter_sets() - avcodec/hevcdec: use ff_hevc_uninit_parameter_sets() From 3fdff40a32e31b8bfe9127841f75472f20e30354 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 13 Jan 2018 16:04:21 -0300 Subject: [PATCH 0160/1764] avformat/matroskadec: ignore CodecPrivate if the stream is VP9 Defined in a recent revision of https://www.webmproject.org/docs/container/ This prevents storing the contents of CodecPrivate into extradata for a codec that doesn't need nor expect any. It will among other things prevent matroska specific binary data from being dumped onto other formats during remuxing. Signed-off-by: James Almer (cherry picked from commit acdea9e7c56b74b05c56b4733acc855b959ba073) --- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e6631097b8..95189525e3 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2390,6 +2390,10 @@ static int matroska_parse_tracks(AVFormatContext *s) return ret; } else if (codec_id == AV_CODEC_ID_PRORES && track->codec_priv.size == 4) { fourcc = AV_RL32(track->codec_priv.data); + } else if (codec_id == AV_CODEC_ID_VP9 && track->codec_priv.size) { + /* we don't need any value stored in CodecPrivate. + make sure that it's not exported as extradata. */ + track->codec_priv.size = 0; } track->codec_priv.size -= extradata_offset; From 8be1edf47ba9dcfaf6fccb1e01eeb8610ba97aff Mon Sep 17 00:00:00 2001 From: Tobias Rapp Date: Wed, 14 Feb 2018 17:01:08 +0100 Subject: [PATCH 0161/1764] swresample/rematrix: fix update of channel matrix if input or output layout is undefined Prefer direct in/out channel count values over channel layout, when available. Fixes a pan filter bug (ticket #6790). Signed-off-by: Tobias Rapp (cherry picked from commit 6325bd3717348615adafb52e4da2fd01a3007d0a) --- libswresample/rematrix.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 66a43c16c1..dacace93d0 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -69,8 +69,10 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); memset(s->matrix_flt, 0, sizeof(s->matrix_flt)); - nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); - nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); + nb_in = (s->user_in_ch_count > 0) ? s->user_in_ch_count : + av_get_channel_layout_nb_channels(s->user_in_ch_layout); + nb_out = (s->user_out_ch_count > 0) ? s->user_out_ch_count : + av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix_flt[out][in] = s->matrix[out][in] = matrix[in]; From e4b95f710ba4df47e0437d6f90065cc6d4b92c1d Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 23 Feb 2018 00:03:15 -0300 Subject: [PATCH 0162/1764] avformat/hvcc: zero initialize the nal buffers past the last written byte Prevents use of uninitialized values. Fixes ticket #7038. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 9482ec1b203e4cf51d7f60c85d261cc13f9a9d2f) --- libavformat/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 1a2d6cdd2b..25898937a5 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -669,6 +669,8 @@ static uint8_t *nal_unit_extract_rbsp(const uint8_t *src, uint32_t src_len, while (i < src_len) dst[len++] = src[i++]; + memset(dst + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); + *dst_len = len; return dst; } From c289f4b6c9390d5b2b6388b0d82d40af62ea7ce2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 9 Mar 2018 13:00:55 -0300 Subject: [PATCH 0163/1764] avcodec/extract_extradata: zero initalize the padding bytes in all allocated buffers Reviewed-by: Derek Buitenhuis Signed-off-by: James Almer (cherry picked from commit d168e78effd170377ec57f67bca05c9f0de91bca) --- libavcodec/extract_extradata_bsf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/extract_extradata_bsf.c b/libavcodec/extract_extradata_bsf.c index d40907a675..fbfd12aeef 100644 --- a/libavcodec/extract_extradata_bsf.c +++ b/libavcodec/extract_extradata_bsf.c @@ -114,6 +114,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt, ret = AVERROR(ENOMEM); goto fail; } + memset(extradata + extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); *data = extradata; *size = extradata_size; @@ -137,6 +138,8 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt, pkt->buf = filtered_buf; pkt->data = filtered_buf->data; pkt->size = filtered_data - filtered_buf->data; + + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); } } @@ -169,6 +172,7 @@ static int extract_extradata_vc1(AVBSFContext *ctx, AVPacket *pkt, return AVERROR(ENOMEM); memcpy(*data, pkt->data, extradata_size); + memset(*data + extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); *size = extradata_size; if (s->remove) { @@ -199,6 +203,7 @@ static int extract_extradata_mpeg12(AVBSFContext *ctx, AVPacket *pkt, return AVERROR(ENOMEM); memcpy(*data, pkt->data, *size); + memset(*data + *size, 0, AV_INPUT_BUFFER_PADDING_SIZE); if (s->remove) { pkt->data += *size; @@ -228,6 +233,7 @@ static int extract_extradata_mpeg4(AVBSFContext *ctx, AVPacket *pkt, return AVERROR(ENOMEM); memcpy(*data, pkt->data, *size); + memset(*data + *size, 0, AV_INPUT_BUFFER_PADDING_SIZE); if (s->remove) { pkt->data += *size; From a45ba0881c937e7b3c8000c9d06b031517dfe2ec Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 19 Mar 2018 00:21:19 -0300 Subject: [PATCH 0164/1764] avcodec/mp3_header_decompress: don't free the user provided packet on error It's owned by the caller. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit f18f9734694ea0761f94d57685f342b690d563b0) --- libavcodec/mp3_header_decompress_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mp3_header_decompress_bsf.c b/libavcodec/mp3_header_decompress_bsf.c index 22c1ef0220..294858953c 100644 --- a/libavcodec/mp3_header_decompress_bsf.c +++ b/libavcodec/mp3_header_decompress_bsf.c @@ -87,7 +87,7 @@ static int mp3_header_decompress(AVBSFContext *ctx, AVPacket *out) goto fail; ret = av_packet_copy_props(out, in); if (ret < 0) { - av_packet_free(&out); + av_packet_unref(out); goto fail; } memcpy(out->data + frame_size - buf_size, buf, buf_size + AV_INPUT_BUFFER_PADDING_SIZE); From 1b9b469cdb1f2dbf7692b8c1a63257899f6c8f19 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 28 Mar 2018 01:42:33 -0300 Subject: [PATCH 0165/1764] avcodec/mpeg4_unpack_bframes: make sure the packet is writable when data needs to be changed Nothing currently guarantees that the packet passed to the bsf will be writable. Based on commit 4f2ff3a53e170d77e1dd231d7246a74e186011c9 Signed-off-by: James Almer --- libavcodec/mpeg4_unpack_bframes_bsf.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4_unpack_bframes_bsf.c b/libavcodec/mpeg4_unpack_bframes_bsf.c index e227f58ec6..8be5c462b5 100644 --- a/libavcodec/mpeg4_unpack_bframes_bsf.c +++ b/libavcodec/mpeg4_unpack_bframes_bsf.c @@ -152,8 +152,16 @@ static int mpeg4_unpack_bframes_filter(AVBSFContext *ctx, AVPacket *out) av_packet_move_ref(out, in); out->size = pos_vop2; } else if (pos_p >= 0) { + ret = av_new_packet(out, in->size); + if (ret < 0) + return ret; + ret = av_packet_copy_props(out, in); + if (ret < 0) { + av_packet_unref(out); + return ret; + } + memcpy(out->data, in->data, in->size); av_log(ctx, AV_LOG_DEBUG, "Updating DivX userdata (remove trailing 'p').\n"); - av_packet_move_ref(out, in); /* remove 'p' (packed) from the end of the (DivX) userdata string */ out->data[pos_p] = '\0'; } else { From 4faa01f20c17543628f74413a0cc19b1f3783db8 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Mon, 16 Apr 2018 22:35:23 +0200 Subject: [PATCH 0166/1764] configure: add nvcc to CMDLINE_SET This was somehow forgotten and nobody noticed until now. --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 231c6c371c..7377046d0a 100755 --- a/configure +++ b/configure @@ -2277,6 +2277,7 @@ CMDLINE_SET=" malloc_prefix nm optflags + nvcc nvccflags pkg_config pkg_config_flags From 4264723b0eba4ce1febe4a0934d65a726f6a1f90 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 18 Apr 2018 15:19:40 -0300 Subject: [PATCH 0167/1764] avdevice/iec61883: return reference counted packets Fixes part of ticket #7146, dealing with leaks of packet data since commit 87c88122703f2befcf96383d05bdf14373c22df9. Signed-off-by: James Almer (cherry picked from commit b8629654c6460a28c507f816a977914e3a6f2520) --- libavdevice/iec61883.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index 721dca38ee..aeca7616df 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -118,7 +118,7 @@ static int iec61883_callback(unsigned char *data, int length, goto exit; } - packet->buf = av_malloc(length); + packet->buf = av_malloc(length + AV_INPUT_BUFFER_PADDING_SIZE); if (!packet->buf) { av_free(packet); ret = -1; @@ -127,6 +127,7 @@ static int iec61883_callback(unsigned char *data, int length, packet->len = length; memcpy(packet->buf, data, length); + memset(packet->buf + length, 0, AV_INPUT_BUFFER_PADDING_SIZE); if (dv->queue_first) { dv->queue_last->next = packet; @@ -200,13 +201,21 @@ static int iec61883_parse_queue_dv(struct iec61883_data *dv, AVPacket *pkt) size = avpriv_dv_produce_packet(dv->dv_demux, pkt, packet->buf, packet->len, -1); dv->queue_first = packet->next; + if (size < 0) + av_free(packet->buf); av_free(packet); dv->packets--; - if (size > 0) - return size; + if (size < 0) + return -1; - return -1; + if (av_packet_from_data(pkt, pkt->data, pkt->size) < 0) { + av_freep(&pkt->data); + av_packet_unref(pkt); + return -1; + } + + return size; } static int iec61883_parse_queue_hdv(struct iec61883_data *dv, AVPacket *pkt) From a877ab75eb8faa2de33c9118053f44b0d4548f09 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 18 Apr 2018 15:32:10 -0300 Subject: [PATCH 0168/1764] avdevice/iec61883: free the private context at the end Fixes part of ticket #7146. Signed-off-by: James Almer (cherry picked from commit 5079e96bcc7aaa9cae82a58397ce986e124028e4) --- libavdevice/iec61883.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index aeca7616df..382b989fb1 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -463,6 +463,7 @@ static int iec61883_close(AVFormatContext *context) } else { iec61883_dv_fb_stop(dv->iec61883_dv); iec61883_dv_fb_close(dv->iec61883_dv); + av_freep(&dv->dv_demux); } while (dv->queue_first) { DVPacket *packet = dv->queue_first; From 988e7a8feaf355e8f008e1065e6903bd06d69df2 Mon Sep 17 00:00:00 2001 From: Xiaohan Wang Date: Sat, 3 Feb 2018 01:43:35 -0800 Subject: [PATCH 0169/1764] avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() When ff_h264_decode_mb_cavlc() failed due to wrong sl->qscale values, e.g. dquant out of range, set the qscale to be a valid value before returning -1 and exiting the function. The qscale value can be used later e.g. in loop filter. BUG=806122 Signed-off-by: Michael Niedermayer (cherry picked from commit 71f39de2a57efc8db1d607b09c162c3b806cd45d) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 187b1c64e2..5e6a20304a 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1111,6 +1111,7 @@ decode_intra_mb: else sl->qscale -= max_qp+1; if (((unsigned)sl->qscale) > max_qp){ av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y); + sl->qscale = max_qp; return -1; } } From a1e983111ee3a39b245f9c04e62b95f051b47944 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Feb 2018 00:32:30 +0100 Subject: [PATCH 0170/1764] avcodec/h264_cabac: Tighten allowed coeff_abs range MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: integer overflows Reported-by: "Xiaohan Wang (王消寒)" Based on limits in "8.5 Transform coefficient decoding process and picture construction process prior to deblocking filter process" Signed-off-by: Michael Niedermayer (cherry picked from commit f26a63c4ee1bdbe21d7ab462cd66f8ba20b14244) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 345834645c..2dd6d955d9 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1735,7 +1735,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while (get_cabac_bypass(CC) && j < 30) { \ + while (get_cabac_bypass(CC) && j < 16+7) { \ j++; \ } \ \ From 1a8265487b89790920b8eae85ad36cdd3f73feff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Feb 2018 13:48:52 +0100 Subject: [PATCH 0171/1764] avdevice/decklink_dec: Fix ;; Signed-off-by: Michael Niedermayer (cherry picked from commit 75027066d8e85ccf42b83f6cf1c3085221148f42) Signed-off-by: Michael Niedermayer --- libavdevice/decklink_dec.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/decklink_dec.cpp b/libavdevice/decklink_dec.cpp index d9ac01ac91..979637cba8 100644 --- a/libavdevice/decklink_dec.cpp +++ b/libavdevice/decklink_dec.cpp @@ -965,7 +965,7 @@ av_cold int ff_decklink_read_header(AVFormatContext *avctx) break; case bmdFormat8BitARGB: st->codecpar->codec_id = AV_CODEC_ID_RAWVIDEO; - st->codecpar->codec_tag = avcodec_pix_fmt_to_codec_tag((enum AVPixelFormat)st->codecpar->format);; + st->codecpar->codec_tag = avcodec_pix_fmt_to_codec_tag((enum AVPixelFormat)st->codecpar->format); st->codecpar->format = AV_PIX_FMT_0RGB; st->codecpar->bit_rate = av_rescale(ctx->bmd_width * ctx->bmd_height * 32, st->time_base.den, st->time_base.num); break; From 3c001b18cea759fa8b727aae33c31f9d55d59999 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Feb 2018 03:54:13 +0100 Subject: [PATCH 0172/1764] avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392 Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/common.h b/libavutil/common.h index 8142b31fdb..53e43feb3a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -158,7 +158,7 @@ static av_always_inline av_const int64_t av_clip64_c(int64_t a, int64_t amin, in */ static av_always_inline av_const uint8_t av_clip_uint8_c(int a) { - if (a&(~0xFF)) return (-a)>>31; + if (a&(~0xFF)) return (~a)>>31; else return a; } @@ -180,7 +180,7 @@ static av_always_inline av_const int8_t av_clip_int8_c(int a) */ static av_always_inline av_const uint16_t av_clip_uint16_c(int a) { - if (a&(~0xFFFF)) return (-a)>>31; + if (a&(~0xFFFF)) return (~a)>>31; else return a; } From fe435d11fb595b997f297986efce3f32ca56ed0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Feb 2018 13:01:46 +0100 Subject: [PATCH 0173/1764] avcodec/exr: Check remaining bits in last get code loop Fixes: runtime error: shift exponent -7 is negative Fixes: 3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd8351b1184b8054925c28ecc5fcb6dbbc177fad) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index f08576af22..47f59bd638 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -558,7 +558,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, while (lc > 0) { const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK]; - if (pl.len) { + if (pl.len && lc >= pl.len) { lc -= pl.len; get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { From 3f6f1c24ebeeb9af552d8ec889c3a699402150b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 04:20:52 +0100 Subject: [PATCH 0174/1764] avcodec/vp8: Check for bitstream end before vp7_fade_frame() Fixes: Timeout Fixes: 5653/clusterfuzz-testcase-5497680018014208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de675648cef7e451ca82fabaee0d8ec1fe653311) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 7841a9d964..dbe3da0842 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -606,6 +606,8 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { if ((ret = vp7_fade_frame(s ,c)) < 0) From fcc6932e098445f081530f2251ccd3dc81ffc630 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 04:20:53 +0100 Subject: [PATCH 0175/1764] avcodec/jpeg2000dec: Use av_image_check_size2() Fixes: OOM Fixes: 5733/clusterfuzz-testcase-minimized-4906757966004224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01370b31aced784593f2bc0836f4ba6fd8e7f6b3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 9a5e64e854..9d895ce55f 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -284,7 +284,7 @@ static int get_siz(Jpeg2000DecoderContext *s) avpriv_request_sample(s->avctx, "Support for image offsets"); return AVERROR_PATCHWELCOME; } - if (av_image_check_size(s->width, s->height, 0, s->avctx)) { + if (av_image_check_size2(s->width, s->height, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx)) { avpriv_request_sample(s->avctx, "Large Dimensions"); return AVERROR_PATCHWELCOME; } From 4597b51e8a43c40fabf834904a9f0d376427c8ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:42:34 +0100 Subject: [PATCH 0176/1764] avcodec/hevcdec: Check luma/chroma_log2_weight_denom Fixes: signed integer overflow: 3 + 2147483647 cannot be represented in type 'int' Fixes: 5888/clusterfuzz-testcase-minimized-5634701067812864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f82dd4c09b2decb033f1e339d4be81efd38554f1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 67ac9ab262..89b121d2f0 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -150,12 +150,18 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) int luma_log2_weight_denom; luma_log2_weight_denom = get_ue_golomb_long(gb); - if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7) + if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7) { av_log(s->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is invalid\n", luma_log2_weight_denom); + return AVERROR_INVALIDDATA; + } s->sh.luma_log2_weight_denom = av_clip_uintp2(luma_log2_weight_denom, 3); if (s->ps.sps->chroma_format_idc != 0) { - int delta = get_se_golomb(gb); - s->sh.chroma_log2_weight_denom = av_clip_uintp2(s->sh.luma_log2_weight_denom + delta, 3); + int64_t chroma_log2_weight_denom = luma_log2_weight_denom + (int64_t)get_se_golomb(gb); + if (chroma_log2_weight_denom < 0 || chroma_log2_weight_denom > 7) { + av_log(s->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %"PRId64" is invalid\n", chroma_log2_weight_denom); + return AVERROR_INVALIDDATA; + } + s->sh.chroma_log2_weight_denom = chroma_log2_weight_denom; } for (i = 0; i < s->sh.nb_refs[L0]; i++) { From ad3ef9e89609a1d277cfaf80f4b231637b98149d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:47:09 +0100 Subject: [PATCH 0177/1764] avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112 Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 647fa49495c39a48b7ccb92acd8fb975b1575456) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e68cc4d530..8c25c1f822 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { - b[2*x ] = (tmp[x] + 1)>>1; - b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; + b[2*x ] = ((int)(tmp[x] + 1U))>>1; + b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } @@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { - b[2*x ] = (tmp[x] + 1)>>1; - b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; + b[2*x ] = ((int)(tmp[x] + 1U))>>1; + b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } From 3fc7e88bfd8f9f57bea9dbdc5f8b1a5d6cca6d82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 21:27:16 +0100 Subject: [PATCH 0178/1764] avcodec/dxtory: Remove code that corrupts dimensions Fixes: Timeout Fixes: 5796/clusterfuzz-testcase-minimized-5206729085157376 Does someone have a valid sample that triggers this path ? Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3748746a4d6988484d34516f7a3c6febf7bdf488) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index e736cec8db..285ca38efb 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -305,11 +305,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic, } if (avctx->height - line) { - av_log(avctx, AV_LOG_VERBOSE, - "Not enough slice data available, " - "cropping the frame by %d pixels\n", - avctx->height - line); - avctx->height = line; + avpriv_request_sample(avctx, "Not enough slice data available"); } return 0; From 5c2e61f1f527142db5238e7c9c345eebe3724ec3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2018 23:54:44 +0100 Subject: [PATCH 0179/1764] avcodec/diracdec: Use int64 in global mv to prevent overflow Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int' Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 7be7f33145..1197cfb87e 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1398,8 +1398,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From c8f54bf87cde21b20ba6d01ff61fdede6156a2fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 00:11:33 +0100 Subject: [PATCH 0180/1764] avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 55dd5e89b5..ce1678a3d7 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t) t[i] = (t[i] + ((1<>1)) >> I_PRESHIFT; } -static void sr_1d53(int *p, int i0, int i1) +static void sr_1d53(unsigned *p, int i0, int i1) { int i; if (i1 <= i0 + 1) { if (i0 == 1) - p[1] >>= 1; + p[1] = (int)p[1] >> 1; return; } extend53(p, i0, i1); for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++) - p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; + p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; for (i = (i0 >> 1); i < (i1 >> 1); i++) - p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1; + p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1; } static void dwt_decode53(DWTContext *s, int *t) From 28398a70a975813f8a110bf83172e3bbc825adde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 16:55:52 +0100 Subject: [PATCH 0181/1764] avcodec/aacdec_templat: Fix integer overflow in apply_ltp() Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int' Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 33fe17bdc88d51a8e0c87aa1e8011aaaf38a7a90) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 082cc908d2..10de02b34c 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2561,7 +2561,7 @@ static void apply_ltp(AACContext *ac, SingleChannelElement *sce) for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++) if (ltp->used[sfb]) for (i = offsets[sfb]; i < offsets[sfb + 1]; i++) - sce->coeffs[i] += predFreq[i]; + sce->coeffs[i] += (UINTFLOAT)predFreq[i]; } } From bc194927e4aec708851b540c29b973ac5c3d5bec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 17:12:28 +0100 Subject: [PATCH 0182/1764] avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table() Fixes: 6037/clusterfuzz-testcase-minimized-5030249784934400 Fixes: signed integer overflow: 256 * 16992036 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 85c85fffff3f9c75301db3eba1bd5f2fb1e6285d) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index fee28d90d9..dc643009ec 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -82,8 +82,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb); pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb); if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] || - (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) + (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) { + pwt->chroma_weight[i][list][j][0] = chroma_def; + pwt->chroma_weight[i][list][j][1] = 0; goto out_range_weight; + } if (pwt->chroma_weight[i][list][j][0] != chroma_def || pwt->chroma_weight[i][list][j][1] != 0) { pwt->use_weight_chroma = 1; From 2b5c0fdaaca56408ab394b093d8e766f976d79a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Feb 2018 21:51:38 +0100 Subject: [PATCH 0183/1764] avcodec/diracdec: Fix integer overflow in mv computation Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int' Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 1197cfb87e..2c8d94758c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1436,8 +1436,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock global_mv(s, block, x, y, i); } else { pred_mv(block, stride, x, y, i); - block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); - block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); + block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); + block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); } } } From 411310659591107409d1211e00a005c2cef2d08a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2018 23:11:01 +0100 Subject: [PATCH 0184/1764] avcodec/cavsdec: Check alpha/beta offset Fixes: Integer overflow Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 06c752735e..c7fff67c06 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h) if (!h->loop_filter_disable && get_bits1(&h->gb)) { h->alpha_offset = get_se_golomb(&h->gb); h->beta_offset = get_se_golomb(&h->gb); + if ( h->alpha_offset < -64 || h->alpha_offset > 64 + || h-> beta_offset < -64 || h-> beta_offset > 64) { + h->alpha_offset = h->beta_offset = 0; + return AVERROR_INVALIDDATA; + } } else { h->alpha_offset = h->beta_offset = 0; } From 30a718c38b62250ef191c8ce040c6c6666ae928c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Feb 2018 03:40:02 +0100 Subject: [PATCH 0185/1764] avcodec/smc: Check input packet size Fixes: Timeout Fixes: 6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c) Signed-off-by: Michael Niedermayer --- libavcodec/smc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 79f9a757a0..3cb4834737 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -438,6 +438,10 @@ static int smc_decode_frame(AVCodecContext *avctx, int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &pal_size); int ret; + int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + + if (total_blocks / 1024 > avpkt->size) + return AVERROR_INVALIDDATA; bytestream2_init(&s->gb, buf, buf_size); From ae49cc73f265a155e5c4b1715570aab3d9741b4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Feb 2018 03:02:48 +0100 Subject: [PATCH 0186/1764] avcodec/utvideodec: Check subsample factors Fixes: Out of array read Fixes: heap_poc Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index d888cc3cdf..ebd9d55cf2 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -30,6 +30,7 @@ #define UNCHECKED_BITSTREAM_READER 1 #include "libavutil/intreadwrite.h" +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bswapdsp.h" #include "bytestream.h" @@ -789,6 +790,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static av_cold int decode_init(AVCodecContext *avctx) { UtvideoContext * const c = avctx->priv_data; + int h_shift, v_shift; c->avctx = avctx; @@ -886,6 +888,13 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift); + if ((avctx->width & ((1<height & ((1< Date: Mon, 26 Feb 2018 21:17:08 +0100 Subject: [PATCH 0187/1764] avcodec/bintext: sanity check dimensions Fixes: Timeout Fixes: 6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833) Signed-off-by: Michael Niedermayer --- libavcodec/bintext.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index 90bbe67b59..d967317671 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -35,6 +35,8 @@ #include "bintext.h" #include "internal.h" +#define FONT_WIDTH 8 + typedef struct XbinContext { AVFrame *frame; int palette[16]; @@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx) break; } } + if (avctx->width < FONT_WIDTH || avctx->height < s->font_height) + return AVERROR_INVALIDDATA; + s->frame = av_frame_alloc(); if (!s->frame) @@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx) } } -#define FONT_WIDTH 8 - /** * Draw character to screen */ From 60bd8316db4643cf0faf3f0d4c38796c215ec92d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Feb 2018 04:29:44 +0100 Subject: [PATCH 0188/1764] avcodec/exr: fix invalid shift in unpack_14() Fixes: 6154/clusterfuzz-testcase-minimized-5762231061970944 Fixes: runtime error: shift exponent 63 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49062a90174b6e4104876c0257dc673a0da854ca) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 47f59bd638..ff31d7267c 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -899,7 +899,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, static void unpack_14(const uint8_t b[14], uint16_t s[16]) { - unsigned short shift = (b[ 2] >> 2); + unsigned short shift = (b[ 2] >> 2) & 15; unsigned short bias = (0x20 << shift); int i; From 9cc83b94a1f8df0ee68c24545ca307f526e29a7f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Feb 2018 02:34:05 +0100 Subject: [PATCH 0189/1764] avcodec/g2meet: Check tile dimensions with av_image_check_size2() Fixes: OOM Fixes: 6216/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4983807968018432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3981fb8d2a03cdb3399590da8621a7bcc22e2964) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 842095ba3b..a46157218f 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -28,6 +28,7 @@ #include #include +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -1451,7 +1452,8 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, c->tile_height = bytestream2_get_be32(&bc); if (c->tile_width <= 0 || c->tile_height <= 0 || ((c->tile_width | c->tile_height) & 0xF) || - c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 + c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 || + av_image_check_size2(c->tile_width, c->tile_height, avctx->max_pixels, avctx->pix_fmt, 0, avctx) < 0 ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", From 8456bba36297cf743d388debb610e0ee864e18b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Feb 2018 03:04:40 +0100 Subject: [PATCH 0190/1764] avcodec/truemotion2rt: Check input buffer size Fixes: Timeout Fixes: 6250/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5479814011027456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b5c29b6c2ab00f8fb545475238a99f575b5d81d) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2rt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/truemotion2rt.c b/libavcodec/truemotion2rt.c index d63918742d..9df0b527bb 100644 --- a/libavcodec/truemotion2rt.c +++ b/libavcodec/truemotion2rt.c @@ -116,6 +116,9 @@ static int truemotion2rt_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) + return AVERROR_INVALIDDATA; + ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret); if (ret < 0) return ret; From 7a713cea22f477be3dfc4ab740f805e5b8ed02c0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Mar 2018 23:12:57 +0100 Subject: [PATCH 0191/1764] avformat/mov: Fix integer overflow in mov_get_stsc_samples() Fixes: runtime error: signed integer overflow: 5 * -2147483647 cannot be represented in type 'int' Fixes: Chromium bug 817338 Reviewed-by: Matt Wolenetz Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 367929bed9def1ccdd9a0f4ac5b7b98d1993782d) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9a6c3b3e46..f91a006639 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2457,7 +2457,7 @@ static inline int mov_stsc_index_valid(unsigned int index, unsigned int count) } /* Compute the samples value for the stsc entry at the given index. */ -static inline int mov_get_stsc_samples(MOVStreamContext *sc, unsigned int index) +static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, unsigned int index) { int chunk_count; @@ -2466,7 +2466,7 @@ static inline int mov_get_stsc_samples(MOVStreamContext *sc, unsigned int index) else chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1); - return sc->stsc_data[index].count * chunk_count; + return sc->stsc_data[index].count * (int64_t)chunk_count; } static int mov_read_stps(MOVContext *c, AVIOContext *pb, MOVAtom atom) @@ -6708,12 +6708,13 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp, /* adjust stsd index */ time_sample = 0; for (i = 0; i < sc->stsc_count; i++) { - int next = time_sample + mov_get_stsc_samples(sc, i); + int64_t next = time_sample + mov_get_stsc_samples(sc, i); if (next > sc->current_sample) { sc->stsc_index = i; sc->stsc_sample = sc->current_sample - time_sample; break; } + av_assert0(next == (int)next); time_sample = next; } From a05d5770682d64cd09cb119bdd8346c0aa21a192 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Mar 2018 18:14:12 +0100 Subject: [PATCH 0192/1764] libavformat/oggparsevorbis: Fix memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 65b1998a02..572e5169ca 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -230,6 +230,10 @@ static int fixup_vorbis_headers(AVFormatContext *as, len = priv->len[0] + priv->len[1] + priv->len[2]; buf_len = len + len / 255 + 64; + + if (*buf) + return AVERROR_INVALIDDATA; + ptr = *buf = av_realloc(NULL, buf_len); if (!ptr) return AVERROR(ENOMEM); From cd7a2954ae74ff30ad84932a81f57f2e06ba51ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Mar 2018 18:14:12 +0100 Subject: [PATCH 0193/1764] avformat/oggdec: Fix metadata memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit da069e9c68ec1a54e618940dcb9ebae9bf179a32) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 193a286e43..6a05278b52 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -128,7 +128,10 @@ static int ogg_restore(AVFormatContext *s) ogg->state = ost->next; for (i = 0; i < ogg->nstreams; i++) { - av_freep(&ogg->streams[i].buf); + struct ogg_stream *stream = &ogg->streams[i]; + av_freep(&stream->buf); + av_freep(&stream->new_metadata); + if (i >= ost->nstreams || !ost->streams[i].private) { free_stream(s, i); } From fea47f6941a58fce2c22d522c7d338208c4571d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Mar 2018 00:10:11 +0100 Subject: [PATCH 0194/1764] avformat/utils: Fix integer overflow of fps_first/last_dts Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long' Fixes: Chromium bug 796778 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 93722e34b9..2ca80e0925 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3748,7 +3748,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && (pkt->dts - st->info->fps_last_dts) / 1000 > - (st->info->fps_last_dts - st->info->fps_first_dts) / + (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, "DTS discontinuity in stream %d: packet %d with DTS " From 60f6767126002f8fe8a8926e43e5aa44c466a312 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 17:28:36 +0100 Subject: [PATCH 0195/1764] avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE Fixes: Chromium bug 795653 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0) Signed-off-by: Michael Niedermayer --- libavformat/oggparsetheora.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c index b14f9f0669..b0c0edc7a5 100644 --- a/libavformat/oggparsetheora.c +++ b/libavformat/oggparsetheora.c @@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx) if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg; + int64_t pts; duration = 1; for (seg = os->segp; seg < os->nsegs; seg++) { @@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx) duration ++; } - os->lastpts = os->lastdts = theora_gptopts(s, idx, os->granule, NULL) - duration; + pts = theora_gptopts(s, idx, os->granule, NULL); + if (pts != AV_NOPTS_VALUE) + pts -= duration; + os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration > 0) From 79efbd547ea3a023c241453ea6f6ea07fa57092d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 22:40:50 +0100 Subject: [PATCH 0196/1764] avformat/avidec: Fix integer overflow in cum_len check Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long' Fixes: Chromium bug 791237 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index b8a31dcff2..f55d0694fa 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -670,7 +670,7 @@ FF_ENABLE_DEPRECATION_WARNINGS st->start_time = 0; avio_rl32(pb); /* buffer size */ avio_rl32(pb); /* quality */ - if (ast->cum_len*ast->scale/ast->rate > 3600) { + if (ast->cum_len > 3600LL * ast->rate / ast->scale) { av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n"); ast->cum_len = 0; } From a376fcaa39d0b75146637f799999736c5f98cc58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 23:14:04 +0100 Subject: [PATCH 0197/1764] avformat/oggparseogm: Fix undefined shift in ogm_packet() Fixes: shift exponent 48 is too large for 32-bit type 'int' Fixes: Chromium bug 786793 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3) Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index e7a501b5a7..4d09d174b8 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -181,7 +181,7 @@ ogm_packet(AVFormatContext *s, int idx) os->psize -= lb + 1; while (lb--) - os->pduration += p[lb+1] << (lb*8); + os->pduration += (uint64_t)p[lb+1] << (lb*8); return 0; } From 0cdc3e05cbc800c1777a9b9bdb9d3b9f4303c93d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Mar 2018 01:05:20 +0100 Subject: [PATCH 0198/1764] avformat/oggparseogm: Check lb against psize No testcase, this was found during code review Found-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998) Signed-off-by: Michael Niedermayer --- libavformat/oggparseogm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index 4d09d174b8..03499486f7 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -177,6 +177,9 @@ ogm_packet(AVFormatContext *s, int idx) os->pflags |= AV_PKT_FLAG_KEY; lb = ((*p & 2) << 1) | ((*p >> 6) & 3); + if (os->psize < lb + 1) + return AVERROR_INVALIDDATA; + os->pstart += lb + 1; os->psize -= lb + 1; From 24c627a90099c74db713cd0682f7c11c6e27c50c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Mar 2018 17:28:36 +0100 Subject: [PATCH 0199/1764] avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE Fixes: potential signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f655ddfb47e8484b205b14c7f871c643ad24d701) Signed-off-by: Michael Niedermayer --- libavformat/oggparsedaala.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index a373b41b4c..e944470aca 100644 --- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -218,6 +218,7 @@ static int daala_packet(AVFormatContext *s, int idx) int seg, duration = 1; struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; + int64_t pts; /* * first packet handling: here we parse the duration of each packet in the @@ -230,7 +231,10 @@ static int daala_packet(AVFormatContext *s, int idx) if (os->segments[seg] < 255) duration++; - os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration; + pts = daala_gptopts(s, idx, os->granule, NULL); + if (pts != AV_NOPTS_VALUE) + pts -= duration; + os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration != AV_NOPTS_VALUE) From 3fa6e594a0f2575ddb6b2183961fde42ab5ab37b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Mar 2018 01:40:36 +0100 Subject: [PATCH 0200/1764] avformat/img2dec: fix infinite loop Fixes: kira-poc Found-by: Kira Change suggested by Kira Signed-off-by: Michael Niedermayer (cherry picked from commit a6cba062051f345e8ebfdff34aba071ed73d923f) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index ecf64eaffa..2585634e7c 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -878,10 +878,14 @@ static int svg_probe(AVProbeData *p) { const uint8_t *b = p->buf; const uint8_t *end = p->buf + p->buf_size; + if (memcmp(p->buf, "= end - 4) return 0; if (!memcmp(b, " Date: Fri, 9 Mar 2018 16:43:29 +0100 Subject: [PATCH 0201/1764] avformat/mov: Fix integer overflows related to sample_duration Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type Fixes: Chromium bug 791349 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f91a006639..25131449e7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2682,14 +2682,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) && total_sample_count > 100 && sample_duration/10 > duration / total_sample_count) sample_duration = duration / total_sample_count; - duration+=(int64_t)sample_duration*sample_count; + duration+=(int64_t)sample_duration*(uint64_t)sample_count; total_sample_count+=sample_count; } sc->stts_count = i; - sc->duration_for_fps += duration; - sc->nb_frames_for_fps += total_sample_count; + if (duration > 0 && + duration <= INT64_MAX - sc->duration_for_fps && + total_sample_count <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += duration; + sc->nb_frames_for_fps += total_sample_count; + } if (pb->eof_reached) return AVERROR_EOF; @@ -4409,8 +4414,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) dts += sample_duration; offset += sample_size; sc->data_size += sample_size; - sc->duration_for_fps += sample_duration; - sc->nb_frames_for_fps ++; + + if (sample_duration <= INT64_MAX - sc->duration_for_fps && + 1 <= INT64_MAX - sc->nb_frames_for_fps + ) { + sc->duration_for_fps += sample_duration; + sc->nb_frames_for_fps ++; + } } if (pb->eof_reached) From 8ba8e0a1c7739bb0d9f044fe7a93eec65ce1091b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Mar 2018 00:13:57 +0100 Subject: [PATCH 0202/1764] avcodec/wmalosslessdec: Reset num_saved_bits on error path Fixes: NULL pointer dereference Fixes: poc-201803.wav Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 133a3e92d1..59e8929586 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1148,6 +1148,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len, if (len <= 0 || buflen > s->max_frame_size) { avpriv_request_sample(s->avctx, "Too small input buffer"); s->packet_loss = 1; + s->num_saved_bits = 0; return; } From 031206032960dbfe399f0925e8ddc8c73bd89df1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2018 15:17:12 +0100 Subject: [PATCH 0203/1764] avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index ad6c029e50..8d806dbbff 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -161,6 +161,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int orig_size = buf_size; int keyframe, ret; int size_change = 0; + int minsize = 0; int result, init_frame = !avctx->frame_number; enum { NUV_UNCOMPRESSED = '0', @@ -206,6 +207,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, keyframe = 1; break; } + switch (comptype) { + case NUV_UNCOMPRESSED: + minsize = c->width * c->height * 3 / 2; + break; + case NUV_RTJPEG: + minsize = c->width/16 * (c->height/16) * 6; + break; + } + if (buf_size < minsize / 4) + return AVERROR_INVALIDDATA; retry: // Skip the rest of the frame header. buf = &buf[12]; From 46ed4d52825379fcb43d830ac16da9827738ea61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2018 15:17:12 +0100 Subject: [PATCH 0204/1764] avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 8d806dbbff..32ed65899b 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: keyframe = !buf[2]; + if (c->width < 16 || c->height < 16) { + return AVERROR_INVALIDDATA; + } break; case NUV_COPY_LAST: keyframe = 0; From e26ae6e6cec85423851172d3a19d8df6ab8c03de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Mar 2018 19:53:36 +0100 Subject: [PATCH 0205/1764] avformat/mov: Check STSC and remove invalid entries Fixes assertion failure Fixes: crbug 822547, crbug 822666 and crbug 823009 Affects: aark15sd_9A62E2FA.mp4 Found-by: ClusterFuzz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 25131449e7..3c43ea05e8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2444,6 +2444,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } sc->stsc_count = i; + for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || + (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || + sc->stsc_data[i].first < 1 || + sc->stsc_data[i].count < 1 || + sc->stsc_data[i].id < 1) { + av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); + if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) + return AVERROR_INVALIDDATA; + // We replace this entry by the next valid + sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; + sc->stsc_data[i].count = sc->stsc_data[i+1].count; + sc->stsc_data[i].id = sc->stsc_data[i+1].id; + } + } if (pb->eof_reached) return AVERROR_EOF; @@ -3794,6 +3809,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } + if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", + st->index); + return AVERROR_INVALIDDATA; + } fix_timescale(c, sc); From 26fcff1eb40db93809f20c60dab9c1541a4a1bbd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2018 01:38:53 +0100 Subject: [PATCH 0206/1764] avcodec/get_bits: Make sure the input bitstream with padding can be addressed Signed-off-by: Michael Niedermayer (cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc) Signed-off-by: Michael Niedermayer --- libavcodec/get_bits.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 0c7f5ff0c6..d7cf286378 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -32,6 +32,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/log.h" #include "libavutil/avassert.h" +#include "avcodec.h" #include "mathops.h" #include "vlc.h" @@ -428,7 +429,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; - if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) { + if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) { bit_size = 0; buffer = NULL; ret = AVERROR_INVALIDDATA; From 9b2ce61155db08c27c8d68d2229888c66533a29c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2018 21:36:22 +0100 Subject: [PATCH 0207/1764] avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry() Signed-off-by: Michael Niedermayer (cherry picked from commit eb60b9d3aaaa42265fb1960be6fff6383cfdbf37) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3c43ea05e8..154469e286 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2979,7 +2979,7 @@ static int64_t add_ctts_entry(MOVStts** ctts_data, unsigned int* ctts_count, uns FFMAX(min_size_needed, 2 * (*allocated_size)) : min_size_needed; - if((unsigned)(*ctts_count) + 1 >= UINT_MAX / sizeof(MOVStts)) + if((unsigned)(*ctts_count) >= UINT_MAX / sizeof(MOVStts) - 1) return -1; ctts_buf_new = av_fast_realloc(*ctts_data, allocated_size, requested_size); From 2be397e234a03acaaecf2bb1b325e460068624b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Mar 2018 01:07:24 +0200 Subject: [PATCH 0208/1764] avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables Found-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48) Signed-off-by: Michael Niedermayer --- libavcodec/tableprint_vlc.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h index 675251a836..3004be3f9c 100644 --- a/libavcodec/tableprint_vlc.h +++ b/libavcodec/tableprint_vlc.h @@ -35,6 +35,7 @@ #define av_freep(p) while(0) #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H +#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" From fdf56c5654c81c138947666a3879c4e10124ca30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Mar 2018 01:51:28 +0100 Subject: [PATCH 0209/1764] avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() Fixes: 2018_03_23_poc.wav Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 59e8929586..eb1db615ae 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1256,7 +1256,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, (frame_size = show_bits(gb, s->log2_frame_size)) && frame_size <= remaining_bits(s, gb)) { save_bits(s, gb, frame_size, 0); - s->packet_done = !decode_frame(s); + + if (!s->packet_loss) + s->packet_done = !decode_frame(s); } else if (!s->len_prefix && s->num_saved_bits > get_bits_count(&s->gb)) { /* when the frames do not have a length prefix, we don't know the From 51035698bde9c13da7eedc1f6eb47d190bbc949d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Mar 2018 03:10:43 +0200 Subject: [PATCH 0210/1764] avcodec/utvideodec: Set pro flag based on fourcc This avoids mixing 8bit variants with pro and 10bit with non pro mode. Fixes: out of array read Fixes: poc_03_30.avi Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 47b7c68ae54560e2308bdb6be4fb076c73b93081) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 64 +++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index ebd9d55cf2..0df91ac2cb 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -798,37 +798,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ff_bswapdsp_init(&c->bdsp); ff_llviddsp_init(&c->llviddsp); - if (avctx->extradata_size >= 16) { - av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", - avctx->extradata[3], avctx->extradata[2], - avctx->extradata[1], avctx->extradata[0]); - av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", - AV_RB32(avctx->extradata + 4)); - c->frame_info_size = AV_RL32(avctx->extradata + 8); - c->flags = AV_RL32(avctx->extradata + 12); - - if (c->frame_info_size != 4) - avpriv_request_sample(avctx, "Frame info not 4 bytes"); - av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags); - c->slices = (c->flags >> 24) + 1; - c->compression = c->flags & 1; - c->interlaced = c->flags & 0x800; - } else if (avctx->extradata_size == 8) { - av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", - avctx->extradata[3], avctx->extradata[2], - avctx->extradata[1], avctx->extradata[0]); - av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", - AV_RB32(avctx->extradata + 4)); - c->interlaced = 0; - c->pro = 1; - c->frame_info_size = 4; - } else { - av_log(avctx, AV_LOG_ERROR, - "Insufficient extradata size %d, should be at least 16\n", - avctx->extradata_size); - return AVERROR_INVALIDDATA; - } - c->slice_bits_size = 0; switch (avctx->codec_tag) { @@ -857,14 +826,17 @@ static av_cold int decode_init(AVCodecContext *avctx) break; case MKTAG('U', 'Q', 'Y', '2'): c->planes = 3; + c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_YUV422P10; break; case MKTAG('U', 'Q', 'R', 'G'): c->planes = 3; + c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_GBRP10; break; case MKTAG('U', 'Q', 'R', 'A'): c->planes = 4; + c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_GBRAP10; break; case MKTAG('U', 'L', 'H', '0'): @@ -895,6 +867,36 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + if (!c->pro && avctx->extradata_size >= 16) { + av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", + avctx->extradata[3], avctx->extradata[2], + avctx->extradata[1], avctx->extradata[0]); + av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", + AV_RB32(avctx->extradata + 4)); + c->frame_info_size = AV_RL32(avctx->extradata + 8); + c->flags = AV_RL32(avctx->extradata + 12); + + if (c->frame_info_size != 4) + avpriv_request_sample(avctx, "Frame info not 4 bytes"); + av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags); + c->slices = (c->flags >> 24) + 1; + c->compression = c->flags & 1; + c->interlaced = c->flags & 0x800; + } else if (c->pro && avctx->extradata_size == 8) { + av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", + avctx->extradata[3], avctx->extradata[2], + avctx->extradata[1], avctx->extradata[0]); + av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", + AV_RB32(avctx->extradata + 4)); + c->interlaced = 0; + c->frame_info_size = 4; + } else { + av_log(avctx, AV_LOG_ERROR, + "Insufficient extradata size %d, should be at least 16\n", + avctx->extradata_size); + return AVERROR_INVALIDDATA; + } + return 0; } From 43916494f8cac6ed294309e70de346e309d51058 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Mar 2018 02:16:31 +0200 Subject: [PATCH 0211/1764] avfilter/vf_signature: use av_strlcpy() Fixes: out of array access Found-by: Kira Signed-off-by: Michael Niedermayer (cherry picked from commit 35eeff30caf34df835206f1c12bcf4b7c2bd6758) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index f0078ba1a6..d07b213f31 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -576,7 +576,8 @@ static int export(AVFilterContext *ctx, StreamContext *sc, int input) /* error already handled */ av_assert0(av_get_frame_filename(filename, sizeof(filename), sic->filename, input) == 0); } else { - strcpy(filename, sic->filename); + if (av_strlcpy(filename, sic->filename, sizeof(filename)) >= sizeof(filename)) + return AVERROR(EINVAL); } if (sic->format == FORMAT_XML) { return xml_export(ctx, sc, filename); From 2c2ab8556263fd58e27913eac4c9d858797d39a8 Mon Sep 17 00:00:00 2001 From: heimdallr Date: Sat, 31 Mar 2018 19:37:23 +0700 Subject: [PATCH 0212/1764] avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() example: AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA }; int loss = 0; AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, &loss); best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better. Signed-off-by: Michael Niedermayer (cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de) Signed-off-by: Michael Niedermayer --- libavcodec/imgconvert.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 1547f18966..7b0005b308 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -69,10 +69,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int i; enum AVPixelFormat best = AV_PIX_FMT_NONE; + int loss; - for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) - best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr); + for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { + loss = *loss_ptr; + best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss); + } + *loss_ptr = loss; return best; } From f4e01b87f2bcb0a97d80214730a7e8a509982fe2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Mar 2018 00:05:04 +0100 Subject: [PATCH 0213/1764] avcodec/cscd: Error out when LZ* decompression fails Fixes: Timeout Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 9e1dec9d96..35c4ee08c3 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); + return AVERROR_INVALIDDATA; + } break; } case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; - if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) + if (uncompress(c->decomp_buf, &dlen, &buf[2], buf_size - 2) != Z_OK) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); + return AVERROR_INVALIDDATA; + } break; #else av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n"); From 46db1182da23d955939bdd34088c969584ce96f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Mar 2018 21:19:19 +0200 Subject: [PATCH 0214/1764] avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() I was not able to reproduce this, this fix is based on just the fuzzer log. Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 32bd1454bd..fbf541df24 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -417,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, int i, c, shift, round, tmp; const int gain = cce->coup.gain[index][0]; const int *src = cce->ch[0].ret; - int *dest = target->ret; + unsigned int *dest = target->ret; const int len = 1024 << (ac->oc[1].m4ac.sbr == 1); c = cce_scale_fixed[gain & 7]; From 3e6adf0842b6a4042dcd1f1ff04fcfafb1010815 Mon Sep 17 00:00:00 2001 From: Hendrik Schreiber Date: Thu, 5 Apr 2018 13:58:37 +0200 Subject: [PATCH 0215/1764] swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone. Signed-off-by: Hendrik Schreiber Signed-off-by: Michael Niedermayer (cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 74c96dce60..170f76bc56 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -678,7 +678,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_simd_one, 0, 0, len1); if(out_count != len1) for(ch=0; chch_count; ch++) - s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1); + s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1); } else { for(ch=0; chch_count; ch++) s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_one, 0, 0, out_count); From c8f700975ea0f287d297d07d6dedff6df33130f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Apr 2018 20:01:07 +0200 Subject: [PATCH 0216/1764] libavcodec/rv34: error out earlier on missing references Fixes visual corruption on seeking Fixes: downloadTest_clip_24M.rmvb Signed-off-by: Michael Niedermayer (cherry picked from commit 6cd81d68c5e4b0ff00288970c4151ff4031c0ea9) Signed-off-by: Michael Niedermayer --- libavcodec/rv34.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index f1495fb5a8..d171e6e1bd 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1585,7 +1585,7 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte // Do no call ff_mpeg_update_thread_context on a partially initialized // decoder context. - if (!s1->linesize) + if (!s1->context_initialized) return 0; return ff_mpeg_update_thread_context(dst, src); @@ -1733,6 +1733,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if ((err = rv34_decoder_realloc(r)) < 0) return err; } + if (faulty_b) + return AVERROR_INVALIDDATA; s->pict_type = si.type ? si.type : AV_PICTURE_TYPE_I; if (ff_mpv_frame_start(s, s->avctx) < 0) return -1; @@ -1786,8 +1788,6 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, "multithreading mode (start MB is %d).\n", si.start); return AVERROR_INVALIDDATA; } - if (faulty_b) - return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); From 053b9766b4a969802313f9cad63559db4a14d70c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Apr 2018 21:55:06 +0200 Subject: [PATCH 0217/1764] avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1 Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index eeada0b9f2..59cbba10ff 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -567,7 +567,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], int idx = indexsine&1; int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; - int *out = &Y1[i][kx][idx]; + unsigned *out = &Y1[i][kx][idx]; int shift; unsigned round; From c44244424ff2a50e50661c8fe86b252ee563d6d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Apr 2018 03:29:44 +0200 Subject: [PATCH 0218/1764] avcodec/movtextdec: Check style_start/end Limits based on 3GPP TS 26.245 V14.0.0 Fixes: Timeout Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Philip Langdale Signed-off-by: Michael Niedermayer (cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95) Signed-off-by: Michael Niedermayer --- libavcodec/movtextdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index fb5085c3e8..73e83f2f2c 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) m->s_temp->style_start = AV_RB16(tsmb); tsmb += 2; m->s_temp->style_end = AV_RB16(tsmb); + + if ( m->s_temp->style_end < m->s_temp->style_start + || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) { + av_freep(&m->s_temp); + mov_text_cleanup(m); + return AVERROR(ENOMEM); + } + tsmb += 2; m->s_temp->style_fontID = AV_RB16(tsmb); tsmb += 2; From ae136f8d6425c318a6c92f7b593582305143e346 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Tue, 10 Apr 2018 13:59:25 -0700 Subject: [PATCH 0219/1764] lavc/libopusdec: Allow avcodec_open2 to call .close If there is a decoder initialization failure detected in avcodec_open2 after .init is called, allow graceful decoder .close to prevent leaking libopus decoder allocations. BUG=828526 Signed-off-by: Michael Niedermayer (cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081) Signed-off-by: Michael Niedermayer --- libavcodec/libopusdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index e6ca61a78f..806ca1863d 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -126,7 +126,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc) { struct libopus_context *opus = avc->priv_data; - opus_multistream_decoder_destroy(opus->dec); + if (opus->dec) { + opus_multistream_decoder_destroy(opus->dec); + opus->dec = NULL; + } return 0; } @@ -200,6 +203,7 @@ AVCodec ff_libopus_decoder = { .decode = libopus_decode, .flush = libopus_flush, .capabilities = AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT, AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, From 0f868badcfdb40711e1158b863bfc66d97b028b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Apr 2018 23:56:57 +0200 Subject: [PATCH 0220/1764] avformat/mov: Fix extradata memleak Fixes: crbug 822705 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 0a8133119ca5d087c7c7140d100406ff84c477ee) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 154469e286..f14fd14c7d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2402,6 +2402,12 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) return mov_finalize_stsd_codec(c, pb, st, sc); fail: + if (sc->extradata) { + int j; + for (j = 0; j < sc->stsd_count; j++) + av_freep(&sc->extradata[j]); + } + av_freep(&sc->extradata); av_freep(&sc->extradata_size); return ret; From fffc77b472800a75eed147f8510ab52b87631256 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Apr 2018 00:34:25 +0200 Subject: [PATCH 0221/1764] avcodec/h264_slice: Fix integer overflow with last_poc Fixes: signed integer overflow: 2147483646 - -2816 cannot be represented in type 'int' Fixes: crbug 823145 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 8c02cd8ca097871dcd00cf8e08ce51660873f405) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index cf1b22fc32..f55cdf51f9 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1322,7 +1322,7 @@ static int h264_select_output_frame(H264Context *h) } out_of_order = MAX_DELAYED_PIC_COUNT - i; if( cur->f->pict_type == AV_PICTURE_TYPE_B - || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) + || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - (int64_t)h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) out_of_order = FFMAX(out_of_order, 1); if (out_of_order == MAX_DELAYED_PIC_COUNT) { av_log(h->avctx, AV_LOG_VERBOSE, "Invalid POC %d<%d\n", cur->poc, h->last_pocs[0]); From 78c8e77c8635d02b63cbd858a975823ace310a32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Apr 2018 16:12:15 +0200 Subject: [PATCH 0222/1764] avcodec/mjpegdec: Check input buffer size. Fixes: Timeout Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ libavcodec/mjpegdec.h | 1 + 2 files changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 3455126cac..068bb4691c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -328,6 +328,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; + if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) + return AVERROR_INVALIDDATA; nb_components = get_bits(&s->gb, 8); if (nb_components <= 0 || @@ -2193,6 +2195,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret = 0; int is16bit; + s->buf_size = buf_size; + av_dict_free(&s->exif_metadata); av_freep(&s->stereo3d); s->adobe_transform = -1; diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index c84a40aa6e..269f521623 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; GetBitContext gb; + int buf_size; int start_code; /* current start code */ int buffer_size; From ca119e9456a22c3205794beb425bdc6ac24d97e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Apr 2018 18:55:57 +0200 Subject: [PATCH 0223/1764] avformat/utils: Fix integer overflow in end time calculation in update_stream_timings() Fixes: crbug 829153 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit c48ceff786bdc96fdc64417118c457d03bd19871) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2ca80e0925..afafb59bfe 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2611,7 +2611,7 @@ static void update_stream_timings(AVFormatContext *ic) else if (start_time > start_time_text) av_log(ic, AV_LOG_VERBOSE, "Ignoring outlier non primary stream starttime %f\n", start_time_text / (float)AV_TIME_BASE); - if (end_time == INT64_MIN || (end_time < end_time_text && end_time_text - end_time < AV_TIME_BASE)) { + if (end_time == INT64_MIN || (end_time < end_time_text && end_time_text - (uint64_t)end_time < AV_TIME_BASE)) { end_time = end_time_text; } else if (end_time < end_time_text) { av_log(ic, AV_LOG_VERBOSE, "Ignoring outlier non primary stream endtime %f\n", end_time_text / (float)AV_TIME_BASE); From 8d05a802dd2f47bf73dc024ae45fb5e27f5709e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Apr 2018 22:24:03 +0200 Subject: [PATCH 0224/1764] avcodec/truemotion2: Propagate out of bounds error from GET_TOK() Fixes: Timeout Fixes: 6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6304af2341d0cee51c2116766622e3ac567b7a0) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 97c38f7f08..f7dbe047c7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -63,6 +63,7 @@ typedef struct TM2Context { AVFrame *pic; GetBitContext gb; + int error; BswapDSPContext bdsp; uint8_t *buffer; @@ -398,6 +399,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) { if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); + ctx->error = 1; return 0; } if (type <= TM2_MOT) { @@ -809,6 +811,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) default: av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type); } + if (ctx->error) + return AVERROR_INVALIDDATA; } } @@ -889,6 +893,8 @@ static int decode_frame(AVCodecContext *avctx, int offset = TM2_HEADER_SIZE; int i, t, ret; + l->error = 0; + av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size); if (!l->buffer) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); From 22a4b599f05e7405bd25d828f967df8740ec63fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Apr 2018 19:50:52 +0200 Subject: [PATCH 0225/1764] avcodec/utils: Enforce minimum width also for VP5/6 Fixes: out of array access Fixes: poc_0411 Found-by: GwanYeong Kim Tested-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 544324827e0131e43af1a54fb790a48a25fd7ba4) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 0c47e761f6..ec03bdc866 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -419,7 +419,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); - if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { + if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || + s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A + ) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; From 0b5a2c9a52eb4b1e68d01163eada80e6af5ef33e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Apr 2018 11:38:48 +0200 Subject: [PATCH 0226/1764] avformat/utils: Check cur_dts in update_initial_timestamps() more Fixes: runtime error: signed integer overflow: 18133149658382192 - -9223090561878065151 cannot be represented in type 'long long' Fixes: crbug 831552 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 37d46dc21d708192b12aa13617ebe6a117b07363) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index afafb59bfe..75adea10e3 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1093,6 +1093,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, if (st->first_dts != AV_NOPTS_VALUE || dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || + st->cur_dts < INT_MIN + RELATIVE_TS_BASE || is_relative(dts)) return; From 86a6e700e1162a52012d175e71498a82389dae5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 18:23:12 +0200 Subject: [PATCH 0227/1764] doc/APIchanges: Fix typos in hashes Thanks-to: Moritz Barsnick for finding the correct ones Signed-off-by: Michael Niedermayer (cherry picked from commit ec8a5262b03f85158d722dbc8b8f30cb6bd67e0f) Signed-off-by: Michael Niedermayer --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 6803eaaea2..5905a7890e 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -742,7 +742,7 @@ API changes, most recent first: Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support dictionary types being set as options. -2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h +2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h Add AVFormatContext.event_flags and AVStream.event_flags for signaling to the user when events happen in the file/stream. @@ -759,7 +759,7 @@ API changes, most recent first: 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h Add avio_feof() and deprecate url_feof(). -2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h +2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h sws_getContext is not going to be removed in the future. 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h From 47c3d2459e953856d7089bbf3d5baa269080bcc0 Mon Sep 17 00:00:00 2001 From: Rahul Chaudhry Date: Wed, 18 Apr 2018 16:29:39 -0700 Subject: [PATCH 0228/1764] swresample/arm: remove unintentional relocation. Branch to global symbol results in reference to PLT, and when compiling for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't support this relocation (ld.gold), while others can end up truncating the relocation to fit (ld.bfd). Convert this branch through PLT into a direct branch that the assembler can resolve locally. See https://github.com/android-ndk/ndk/issues/337 for background. The current workaround is to disable neon during gstreamer build, which is not optimal and can be reverted after this patch: https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f Signed-off-by: Michael Niedermayer (cherry picked from commit b22db4f465c9adb2cf1489e04f7b65ef6bb55b8b) Signed-off-by: Michael Niedermayer --- libswresample/arm/audio_convert_neon.S | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 1f88316dde..7729514701 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,6 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 +_swri_oldapi_conv_flt_to_s16_neon: subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32 q8, q0, #31 @@ -66,6 +67,7 @@ function swri_oldapi_conv_flt_to_s16_neon, export=1 endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 +_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! @@ -133,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] - blt X(swri_oldapi_conv_flt_to_s16_neon) - beq X(swri_oldapi_conv_fltp_to_s16_2ch_neon) + blt _swri_oldapi_conv_flt_to_s16_neon + beq _swri_oldapi_conv_fltp_to_s16_2ch_neon push {r4-r8, lr} cmp r3, #4 From 205e93fa0d2b66e6e84576542e17bfba36e309a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Apr 2018 02:13:42 +0200 Subject: [PATCH 0229/1764] avcodec/cinepak: move some checks prior to frame allocation Speeds up decoding from 8 to 3 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2324ef1ff32e5effd6f295bca80580ae4816be0b) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 89e940ae0d..ba0589582f 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s, return AVERROR_INVALIDDATA; } -static int cinepak_decode (CinepakContext *s) +static int cinepak_predecode_check (CinepakContext *s) { - const uint8_t *eod = (s->data + s->size); - int i, result, strip_size, frame_flags, num_strips; - int y0 = 0; + int num_strips; int encoded_buf_size; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s) s->sega_film_skip_bytes = 0; } + if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12) + return AVERROR_INVALIDDATA; + + return 0; +} + +static int cinepak_decode (CinepakContext *s) +{ + const uint8_t *eod = (s->data + s->size); + int i, result, strip_size, frame_flags, num_strips; + int y0 = 0; + + frame_flags = s->data[0]; + num_strips = AV_RB16 (&s->data[8]); + s->data += 10 + s->sega_film_skip_bytes; num_strips = FFMIN(num_strips, MAX_STRIPS); @@ -439,6 +451,11 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; + if ((ret = cinepak_predecode_check(s)) < 0) { + av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); + return ret; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From a6db663a31cea5e358b3c38cd3a40f22166b1c43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Apr 2018 02:13:43 +0200 Subject: [PATCH 0230/1764] avcodec/cinepak: Skip empty frames Speeds up decoding from 3 to 0.1 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9033920bec9ccf17de205fc17c2b330906b200f5) Signed-off-by: Michael Niedermayer --- libavcodec/cinepak.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index ba0589582f..9b0077402f 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -444,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int ret = 0, buf_size = avpkt->size; CinepakContext *s = avctx->priv_data; + int num_strips; s->data = buf; s->size = buf_size; @@ -451,6 +452,12 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; + num_strips = AV_RB16 (&s->data[8]); + + //Empty frame, do not waste time + if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL))) + return buf_size; + if ((ret = cinepak_predecode_check(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); return ret; From 86c7035646d581a3cf20d7ce8662fae1ea3f3c5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:04:53 +0200 Subject: [PATCH 0231/1764] avcodec/dfa: Check dimension against maximum The headers from where the dimensions are read in actual files are limited to 16bit per component. Fixes: Timeout Fixes: 6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d5a4fcfbb51edc871bdb1c67a88223cbfb1c0e4) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 43dba2c8e9..fdc1e198da 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; - if (!avctx->width || !avctx->height) + if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16)) return AVERROR_INVALIDDATA; av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0); From 81d8bd6f421b6f48447198d7ed4d4f2f9a4ae2d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:28:23 +0200 Subject: [PATCH 0232/1764] avcodec/dsicinvideo: Propagate errors from cin_decode_rle() Signed-off-by: Michael Niedermayer (cherry picked from commit 942217b153a9bff2d17463957abd772fcd72b400) Signed-off-by: Michael Niedermayer --- libavcodec/dsicinvideo.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index f95cbc74a0..add7afa383 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c @@ -226,27 +226,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: - cin_decode_rle(buf, bitmap_frame_size, + res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; break; case 34: - cin_decode_rle(buf, bitmap_frame_size, + res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); - cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, + res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); - cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, + res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); + if (res < 0) + return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; From f93d7a0c0a233fc5992092b5764d83f3f96077d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Apr 2018 22:29:09 +0200 Subject: [PATCH 0233/1764] avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame Fixes: Timeout Fixes: 6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5549488bbf3a23c0fb9833cefc6354f97055dd96) Signed-off-by: Michael Niedermayer --- libavcodec/dsicinvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index add7afa383..aa080417d2 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c @@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, } } + if (dst_end - dst > dst_size - dst_size/10) + return AVERROR_INVALIDDATA; + return 0; } @@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size, } dst += len; } + + if (dst_end - dst > dst_size - dst_size/10) + return AVERROR_INVALIDDATA; + return 0; } From 1d5694ba1101e6d26f15909eee0d10c6a4fe55c3 Mon Sep 17 00:00:00 2001 From: Stephan Holljes Date: Fri, 12 Jan 2018 19:16:29 +0100 Subject: [PATCH 0234/1764] lavf/http.c: Free allocated client URLContext in case of error. Signed-off-by: Stephan Holljes Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6b8c92652d6683d97515352e4a9a4147b7da7c) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index 668cd51986..d066b639b5 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -538,7 +538,11 @@ static int http_accept(URLContext *s, URLContext **c) goto fail; cc->hd = cl; cc->is_multi_client = 1; + return 0; fail: + if (c) { + ffurl_closep(c); + } return ret; } From be9c4cc0e60a2e7cecd25d9c78d4f11aba274620 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Apr 2018 22:19:31 +0200 Subject: [PATCH 0235/1764] avcodec/ffv1enc: Check that the crc + version combination is supported The crc flag is only stored since version 3 thus before this crcs do not work. We increase the version as needed same as we do with pix_fmts Signed-off-by: Michael Niedermayer (cherry picked from commit d9706f79c17a33bf97e51a7d6ab211ce83a463ee) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index c9a885ebfa..2759db31d3 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -539,6 +539,10 @@ static av_cold int encode_init(AVCodecContext *avctx) s->ec = (s->version >= 3); } + // CRC requires version 3+ + if (s->ec) + s->version = FFMAX(s->version, 3); + if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; From f31ead3f76dab89586bbfdbbe70e055b50f6f040 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Apr 2018 02:08:10 +0200 Subject: [PATCH 0236/1764] avcodec/vc1_block: simplify ac_val computation also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]' Found-by: durandal_1707 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d06b01fc2d4f5e031d45f9460d1eea610d23d6c5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index f9f26f7e42..b06ee9fce7 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -594,7 +594,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, scale = s->c_dc_scale; block[0] = dcdiff * scale; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -745,7 +745,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -946,7 +946,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (!a_avail) dc_pred_dir = 1; if (!c_avail) dc_pred_dir = 0; if (!a_avail && !c_avail) use_pred = 0; - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; scale = mquant * 2 + v->halfpq; From 24947b3f7dd26a73696f428b3311731995bc45ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Apr 2018 01:54:17 +0200 Subject: [PATCH 0237/1764] avcodec/elsdec: Fix memleaks Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bd0401336df4e4ca7f3da6a7e226904fd7d5add) Signed-off-by: Michael Niedermayer --- libavcodec/elsdec.c | 8 +++----- libavcodec/g2meet.c | 1 + 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/elsdec.c b/libavcodec/elsdec.c index 4797965457..cb0e9c6534 100644 --- a/libavcodec/elsdec.c +++ b/libavcodec/elsdec.c @@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size) void ff_els_decoder_uninit(ElsUnsignedRung *rung) { - av_free(rung->rem_rung_list); + av_freep(&rung->rem_rung_list); } static int els_import_byte(ElsDecCtx *ctx) @@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur) if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) { // remember rung_node position ptrdiff_t pos = rung_node - ur->rem_rung_list; - ur->rem_rung_list = av_realloc(ur->rem_rung_list, + ctx->err = av_reallocp(&ur->rem_rung_list, ur->rung_list_size + RUNG_SPACE); - if (!ur->rem_rung_list) { - av_free(ur->rem_rung_list); - ctx->err = AVERROR(ENOMEM); + if (ctx->err < 0) { return 0; } memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0, diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index a46157218f..b409dae813 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -927,6 +927,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, if (c->ec.els_ctx.err != 0) { av_log(avctx, AV_LOG_ERROR, "ePIC: couldn't decode transparency pixel!\n"); + ff_els_decoder_uninit(&c->ec.unsigned_rung); return AVERROR_INVALIDDATA; } From 3b23dd4b91afa378344cc3f4cdc7dea2b88a9fe7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2018 21:07:45 +0200 Subject: [PATCH 0238/1764] avcodec/h263dec: Check slice_ret in mspeg4 slice loop Fixes infinite loop Fixes: 6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000 Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de841fbea7655b74a9663001e01008a86c88779a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index bcb2b08bb0..9497c735b2 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -637,7 +637,7 @@ retry: slice_ret = decode_slice(s); while (s->mb_y < s->mb_height) { if (s->msmpeg4_version) { - if (s->slice_height == 0 || s->mb_x != 0 || + if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 || (s->mb_y % s->slice_height) != 0 || get_bits_left(&s->gb) < 0) break; } else { From 30ec2357c98a1eb0c18e1990af04266cf77fac19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Apr 2018 21:46:05 +0200 Subject: [PATCH 0239/1764] avcodec/error_resilience: Fix integer overflow in filter181() Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 5364940e94..d7f94c10c2 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + 1 + y * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } @@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + (y + 1) * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } From c437510d5cf696d2267493b977669dee16f98f9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Apr 2018 21:44:06 +0200 Subject: [PATCH 0240/1764] avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() Fixes: runtime error: signed integer overflow: 2147483531 + 16384 cannot be represented in type 'int' Fixes: 6615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5165715515506688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da038c07f02dfc10380001c11b3d047eca7cb8c9) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0e40b29879..22a2c83a30 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -452,7 +452,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, if (type != AV_SAMPLE_FMT_S16P) R2 = R + ((s->decorr[i].weightB * (int64_t)L2 + 512) >> 10); else - R2 = R + ((int)(s->decorr[i].weightB * (unsigned)L2 + 512) >> 10); + R2 = R + (unsigned)((int)(s->decorr[i].weightB * (unsigned)L2 + 512) >> 10); UPDATE_WEIGHT_CLIP(s->decorr[i].weightB, s->decorr[i].delta, L2, R); R = R2; s->decorr[i].samplesA[0] = R; From 909c1aa0ec27f4a69353b6b79ac7eb8ba3c79de5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Apr 2018 21:44:07 +0200 Subject: [PATCH 0241/1764] avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be represented in type 'int' Fixes: 6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e95d80e6fae978f8a44afc24b0c5097a062719f) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index 3ae601f914..6caad038e9 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -99,8 +99,8 @@ typedef struct WvChannel { // macros for manipulating median values #define GET_MED(n) ((c->median[n] >> 4) + 1) -#define DEC_MED(n) c->median[n] -= ((c->median[n] + (128 >> (n)) - 2) / (128 >> (n))) * 2U -#define INC_MED(n) c->median[n] += ((c->median[n] + (128 >> (n)) ) / (128 >> (n))) * 5U +#define DEC_MED(n) c->median[n] -= ((int)(c->median[n] + (128U >> (n)) - 2) / (128 >> (n))) * 2U +#define INC_MED(n) c->median[n] += ((int)(c->median[n] + (128U >> (n)) ) / (128 >> (n))) * 5U // macros for applying weight #define UPDATE_WEIGHT_CLIP(weight, delta, samples, in) \ From 5d1c783bf02796ce50bfdcf6d1ad52c31c2f585a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Apr 2018 22:20:28 +0200 Subject: [PATCH 0242/1764] avcodec/flac_parser: Fix infinite loop Fixes: crbug/827204 Reported-by: Frank Liberato Reviewed-by: Frank Liberato Signed-off-by: Michael Niedermayer (cherry picked from commit 15a2e35e9e74bba5a27e39c26da5be2361f27945) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 84da23f327..2721286464 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, } for (curr = fpc->headers; curr; curr = curr->next) { - if (curr->max_score > 0 && - (!fpc->best_header || curr->max_score > fpc->best_header->max_score)) { + if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) { fpc->best_header = curr; } } + if (fpc->best_header && fpc->best_header->max_score <= 0) { + // Only accept a bad header if there is no other option to continue + if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS) + fpc->best_header = NULL; + } + if (fpc->best_header) { fpc->best_header_valid = 1; if (fpc->best_header->offset > 0) { From 2cb3dff0f938ff27cc9b3c79bd9446d42a797746 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 May 2018 18:16:08 +0200 Subject: [PATCH 0243/1764] avcodec/g2meet: Change order of operations to avoid undefined behavior Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 'int' Fixes: 7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a4745145840d97619c424961c1b5c625dbf516c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index b409dae813..5edfb31560 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -1356,14 +1356,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride) } else { dst += x * 3; } - if (y < 0) { + + if (y < 0) h += y; + if (w < 0 || h < 0) + return; + if (y < 0) { cursor += -y * c->cursor_stride; } else { dst += y * stride; } - if (w < 0 || h < 0) - return; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { From f4d90a36c5d39e04ff048b945d0ec48fa9a890b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 May 2018 19:11:36 +0200 Subject: [PATCH 0244/1764] avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done Fixes: assertion failure Fixes: 7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a96c131eb53b00de154f4773d96a3b323ea3daed) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 9d895ce55f..1ebc955c1f 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1127,6 +1127,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; + if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) + continue; + for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; From 022c8c07f82d4309efe2baf0683c4a2a497ed068 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 May 2018 19:18:25 +0200 Subject: [PATCH 0245/1764] avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ba72ed3124f201f98eea9bafb2232b535f549) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 1ebc955c1f..d8325320de 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1149,10 +1149,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 int xc = x / s->cdx[compno]; int yc = y / s->cdy[compno]; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists From b802baadfda46cd5735c1b7f8dd2d8d649cf2787 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Apr 2018 20:16:13 +0200 Subject: [PATCH 0246/1764] avcodec/g2meet: Check RGB upper limit Fixes: runtime error: left shift of 1876744317 by 16 places cannot be represented in type 'int' Fixes: 6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dd2c8b9ea46b4e008a8bfc2077834428cd5a17c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 5edfb31560..2cf708a4f0 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -556,7 +556,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta); } - if (R<0 || G<0 || B<0) { + if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); return 0; } From 14cea440183fe72eaabbf1b964c31f31f4f1cb2a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 May 2018 22:00:01 +0200 Subject: [PATCH 0247/1764] avcodec/fic: Check available input space for cursor Fixes: out of array read Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb2f7ea96b4f6e03ebf0c0563677745fc65f148e) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index d7ee370423..526af63f6c 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -337,6 +337,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } + if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { + skip_cursor = 1; + } + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) From 22b3e924dfd6de52310bbb578d1462eb7ce4166a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 May 2018 00:10:33 +0200 Subject: [PATCH 0248/1764] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); Fixes: 6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb944fc7f1327443a0cf449afbce5a3e8712f90f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 68ebd19560..994dc21d70 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) + (int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) + (int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) From 3712d4da1e2cc6683579cc2e4fde449cd5b0cf67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 May 2018 17:07:00 +0200 Subject: [PATCH 0249/1764] avformat/mov: Only fail for STCO/STSC contradictions if both exist Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a See: crbug 822666 Found-by: "Mattias Wadman Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f14fd14c7d..5ebca26ae5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3815,7 +3815,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } - if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; From 9d3ae9051622cb5eb07a19efb83c9579539da17d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 May 2018 13:40:38 +0200 Subject: [PATCH 0250/1764] indeo4: Decode all or nothing of a band header. This avoids inconsistent value combinations. Alternatively it would be possible to add more checks and careful use of temporary variables, but my try of this quickly seemed to become a rather large change. The disadvantage of this, is that the struct is copied back and forth. Fixes: index 6 out of bounds for type 'const uint16_t [5][16]' Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10c8521265da86118597336c5589e26de377a374) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index a3562f6fd8..7dff9db877 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -260,12 +260,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; int i; int quant_mat; + IVIBandDesc temp_band, *band = &temp_band; + memcpy(&temp_band, arg_band, sizeof(temp_band)); plane = get_bits(&ctx->gb, 2); band_num = get_bits(&ctx->gb, 4); @@ -395,10 +397,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, /* decode block huffman codebook */ if (!get_bits1(&ctx->gb)) - band->blk_vlc.tab = ctx->blk_vlc.tab; + arg_band->blk_vlc.tab = ctx->blk_vlc.tab; else if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF, - &band->blk_vlc, avctx)) + &arg_band->blk_vlc, avctx)) return AVERROR_INVALIDDATA; /* select appropriate rvmap table for this band */ @@ -439,6 +441,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, return AVERROR_INVALIDDATA; } + band->blk_vlc = arg_band->blk_vlc; + memcpy(arg_band, band, sizeof(*arg_band)); + return 0; } From 4cbd92baa3f4e571e1bce0e27c2df8c178158967 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 May 2018 13:58:46 +0200 Subject: [PATCH 0251/1764] avcodec/mlpdec: Only change noise_type if the related fields are valid Fixes: inconsistency Fixes:runtime error: index 8 out of bounds for type 'int32_t [8]' Fixes: 6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63c4a4b0d692bc86142790276358ba35129f2290) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index d5585d3080..bf3fd5050f 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); - int min_channel, max_channel, max_matrix_channel; + int min_channel, max_channel, max_matrix_channel, noise_type; const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP ? MAX_MATRIX_CHANNEL_MLP : MAX_MATRIX_CHANNEL_TRUEHD; @@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_INVALIDDATA; } - s->noise_type = get_bits1(gbp); + noise_type = get_bits1(gbp); - if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) { + if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) { av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n"); return AVERROR_INVALIDDATA; } @@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) { + if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", @@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, s->min_channel = min_channel; s->max_channel = max_channel; s->max_matrix_channel = max_matrix_channel; + s->noise_type = noise_type; if (m->avctx->request_channel_layout && (s->ch_layout & m->avctx->request_channel_layout) == m->avctx->request_channel_layout && m->max_decoded_substream > substr) { From bd1fd3ff4b0437153a6c4717f59ce31a7bba8ca0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 May 2018 23:08:05 +0200 Subject: [PATCH 0252/1764] avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes truncation Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169 Fixes: ffmpeg_crash_2.avi Found-by: Thuan Pham , Marcel Böhme, Andrew Santosa and Alexandru RazvanCaciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit e1182fac1afba92a4975917823a5f644bee7e6e8) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 494452c938..f6a5992df7 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -882,7 +882,7 @@ void ff_set_mpeg4_time(MpegEncContext *s) static void mpeg4_encode_gop_header(MpegEncContext *s) { - int hours, minutes, seconds; + int64_t hours, minutes, seconds; int64_t time; put_bits(&s->pb, 16, 0); From c91f199f5d19a4924edb18fe39a21c5e69bca3d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 21:56:04 +0200 Subject: [PATCH 0253/1764] avcodec/g723_1dec: Clip bits2 in both directions Fixes: shift exponent 33 is too large for 32-bit type 'int' Fixes: 6743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5823772687859712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53f241218d9eac368e2e1c58bcca9bbdf10fd0e1) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index c8202a937c..ab952ec66d 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -549,7 +549,7 @@ static void gain_scale(G723_1_Context *p, int16_t * buf, int energy) denom <<= bits2; bits2 = 5 + bits1 - bits2; - bits2 = FFMAX(0, bits2); + bits2 = av_clip_uintp2(bits2, 5); gain = (num >> 1) / (denom >> 16); gain = square_root(gain << 16 >> bits2); From b7b178fd0fa1f648ac53ec80d851c3a3a0ddf39d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 22:02:20 +0200 Subject: [PATCH 0254/1764] oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior Fixes: signed integer overflow: 1073741842 + 1784008138 cannot be represented in type 'int' Fixes: 6792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5677589835284480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62cb6fadf33de6db386deac92853d4b95c930015) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 19be200653..65867649c7 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -181,10 +181,10 @@ static void ps_stereo_interpolate_ipdopd_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2], INTFLOAT h01 = h[0][1], h11 = h[1][1]; INTFLOAT h02 = h[0][2], h12 = h[1][2]; INTFLOAT h03 = h[0][3], h13 = h[1][3]; - INTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; - INTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; - INTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; - INTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; + UINTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; + UINTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; + UINTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; + UINTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; int n; for (n = 0; n < len; n++) { From ada22c1c0f552056f9ac7dbfc3c5417b9ca94b98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 May 2018 22:06:48 +0200 Subject: [PATCH 0255/1764] avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented in type 'int' Fixes: 7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90475db97e2e5931d295df6ab86519fa2e14d259) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index fbf541df24..71a4611082 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -385,7 +385,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += (tmp + round) >> shift; + dest[group * 128 + k] += (tmp + (int64_t)round) >> shift; } } } From 12f0cfede607c2ae0ea2a139890884d0903990b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 May 2018 22:50:19 +0200 Subject: [PATCH 0256/1764] avcodec/g2meet: ask for sample with overflowing RGB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ab834b8f36c8157b7015e849405cbf6ae21e672f) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 2cf708a4f0..a1dec8d823 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -557,7 +557,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, } if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { - av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); + avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B); return 0; } From 26667dc5baaf922ce24933bb1509515b1eb05e9b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 May 2018 23:42:36 +0200 Subject: [PATCH 0257/1764] avcodec/fic: Avoid some magic numbers related to cursors Signed-off-by: Michael Niedermayer (cherry picked from commit c6a11714c4b1227be62cbc36651ccfc415e8e623) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 526af63f6c..c288c9771b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -82,6 +82,7 @@ static const uint8_t fic_qmat_lq[64] = { static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; #define FIC_HEADER_SIZE 27 +#define CURSOR_OFFSET 59 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { @@ -420,7 +421,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, /* Draw cursor. */ if (!skip_cursor) { - memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4); + memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf)); fic_draw_cursor(avctx, cur_x, cur_y); } From ce7be9cdc5d53242e1b326f40289c2ceec63a2d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 May 2018 17:06:59 +0200 Subject: [PATCH 0258/1764] avformat/mov: Break out early if chunk_count is 0 in mov_build_index() Without this some operations might overflow (undefined behavior) even though the index adding loop would never execute No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5ebca26ae5..9f30e21355 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3572,6 +3572,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; + if (!sc->chunk_count) + return; + // compute total chunk count for (i = 0; i < sc->stsc_count; i++) { unsigned count, chunk_count; From adea365be9e0723f797d25bbca7c32e9068e2d60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 May 2018 03:16:58 +0200 Subject: [PATCH 0259/1764] avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() Fixes: #7165 Signed-off-by: Michael Niedermayer (cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9f30e21355..62746448ed 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2451,14 +2451,22 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stsc_count = i; for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { + int64_t first_min = i + 1; if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || - sc->stsc_data[i].first < 1 || + sc->stsc_data[i].first < first_min || sc->stsc_data[i].count < 1 || sc->stsc_data[i].id < 1) { av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); - if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) - return AVERROR_INVALIDDATA; + if (i+1 >= sc->stsc_count) { + sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, first_min); + if (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) + sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 1LL, INT_MAX); + sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1); + sc->stsc_data[i].id = FFMAX(sc->stsc_data[i].id, 1); + continue; + } + av_assert0(sc->stsc_data[i+1].first >= 2); // We replace this entry by the next valid sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; sc->stsc_data[i].count = sc->stsc_data[i+1].count; From f0c60a91ae864d34a178025eec3c57fcc38a74bf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2018 00:48:06 +0200 Subject: [PATCH 0260/1764] avcodec/amrwbdec: Fix division by 0 in find_hb_gain() This restructures the code slightly toward D_UTIL_dec_synthesis() Fixes: 7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dce80a4b47efaba97707bda781a9ee57f5a26974) Signed-off-by: Michael Niedermayer --- libavcodec/amrwbdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 7f2874d35f..47fe7eb55e 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -862,15 +862,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth, { int wsp = (vad > 0); float tilt; + float tmp; if (ctx->fr_cur_mode == MODE_23k85) return qua_hb_gain[hb_idx] * (1.0f / (1 << 14)); - tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) / - ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1); + + if (tmp > 0) { + tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); + } else + tilt = 0; /* return gain bounded by [0.1, 1.0] */ - return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0); + return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0); } /** From df7d70272e90d4d5cbc08ecb4803eaf68da32300 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jun 2018 01:33:54 +0200 Subject: [PATCH 0261/1764] avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot be represented in type 'int' Fixes: 7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7dda51150b73e5fbdccf4c2d3a72e356980fba3) Signed-off-by: Michael Niedermayer --- libavcodec/opus_silk.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 3c9c849c21..a6fcca6211 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -232,8 +232,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order) /* reconstruct A(z) */ for (k = 0; k < order>>1; k++) { - lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k]; - lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k]; + int32_t p_tmp = p[k + 1] + p[k]; + int32_t q_tmp = q[k + 1] - q[k]; + lpc32[k] = -q_tmp - p_tmp; + lpc32[order-k-1] = q_tmp - p_tmp; } /* limit the range of the LPC coefficients to each fit within an int16_t */ From c4c56eb839c02be120bef7a90d01e29d3bdd8f0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:09:59 +0200 Subject: [PATCH 0262/1764] avcodec/truemotion2: Fix overflow in tm2_apply_deltas() Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented in type 'int' Fixes: 7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79c6047c3668c639f717b3a7001a34dddba0ede2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f7dbe047c7..b689efdb99 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -451,7 +451,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last) { - int ct, d; + unsigned ct, d; int i, j; for (j = 0; j < 4; j++){ From aa30aa8c136425a488eb9a059c6b8ca005f7bf48 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:17:24 +0200 Subject: [PATCH 0263/1764] avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in type 'int' Fixes: 7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 936f4a2c2e14ec753e8835f2e820b4cd9aec9a56) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 068bb4691c..7e852cdebb 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1034,7 +1034,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = - mask & (pred + (dc * (1 << point_transform))); + mask & (pred + (unsigned)(dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { From 7598b161f4ee88219be41caff09c219c83282b8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 02:33:43 +0200 Subject: [PATCH 0264/1764] avcodec/shorten: Check non COMM chunk len before skip in decode_aiff_header() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8024/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5109204648984576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 424a81df107b63a166894a4aee3d27702ae3f459) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 49af6beec6..ae0cdfe09d 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -234,11 +234,11 @@ static int decode_aiff_header(AVCodecContext *avctx, const uint8_t *header, while (bytestream2_get_le32(&gb) != MKTAG('C', 'O', 'M', 'M')) { len = bytestream2_get_be32(&gb); - bytestream2_skip(&gb, len + (len & 1)); - if (len < 0 || bytestream2_get_bytes_left(&gb) < 18) { + if (len < 0 || bytestream2_get_bytes_left(&gb) < 18LL + len + (len&1)) { av_log(avctx, AV_LOG_ERROR, "no COMM chunk found\n"); return AVERROR_INVALIDDATA; } + bytestream2_skip(&gb, len + (len & 1)); } len = bytestream2_get_be32(&gb); From 3f5bc91be324a555133e0509f73c4f46983dfed8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:03:48 +0200 Subject: [PATCH 0265/1764] avcodec/shorten: Sanity check nmeans Fixes: OOM Fixes: 8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232 The reference software appears to use longs for 32bits and it uses int for nmeans hinting that the intended maximum size was not 32bit. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d91a0b503d7a886587281bc1ee42476aa5e89f85) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index ae0cdfe09d..8aeacfeb31 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -450,6 +450,10 @@ static int read_header(ShortenContext *s) return AVERROR_INVALIDDATA; } s->nmean = get_uint(s, 0); + if (s->nmean > 32768U) { + av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean); + return AVERROR_INVALIDDATA; + } skip_bytes = get_uint(s, NSKIPSIZE); if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { From 8b6c773fe80deaf3a00a55e85317d42ca6ccf15f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:12:54 +0200 Subject: [PATCH 0266/1764] avcodec/shorten: Fix a negative left shift in shorten_decode_frame() Fixes: left shift of negative value -9057 Fixes: 8527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5666853924896768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a711efe922b2bf1d363bdf7f8357656c3e35021e) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 8aeacfeb31..f7475b4954 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -710,7 +710,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (s->version < 2) s->offset[channel][s->nmean - 1] = sum / s->blocksize; else - s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) << s->bitshift; + s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1 << s->bitshift); } /* copy wrap samples for use with next block */ From 62e1c5db4acc208c09bba83ba6a964a20be04bd2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:15:34 +0200 Subject: [PATCH 0267/1764] avcodec/shorten: Fix undefined shift in fix_bitshift() Fixes: left shift of negative value -9 Fixes: 8571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5715966875926528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 606c7148231404544005c0827b83c165dd6b39a8) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index f7475b4954..0bd3e1e5f7 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -177,7 +177,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] = 0; } else if (s->bitshift != 0) { for (i = 0; i < s->blocksize; i++) - buffer[i] <<= s->bitshift; + buffer[i] *= 1 << s->bitshift; } } From 5d61400740842ad0b90528a0bce54e577d21e0d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Jun 2018 13:19:35 +0200 Subject: [PATCH 0268/1764] avcodec/shorten: Fix multiple integer overflows Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 'int' Fixes: 8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2abd36b3863188894fd21964c662b6c17268bfb) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0bd3e1e5f7..18a12d0b97 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -389,7 +389,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (i = 0; i < s->blocksize; i++) { sum = init_sum; for (j = 0; j < pred_order; j++) - sum += coeffs[j] * s->decoded[channel][i - j - 1]; + sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + (sum >> qshift); } @@ -700,7 +700,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* update means with info from the current block */ if (s->nmean > 0) { - int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; + int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2; for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; From b60a750af75878b6f4b9c2ca1a8211ddefcb49b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 00:07:04 +0200 Subject: [PATCH 0269/1764] avcodec/wavpack: Fix overflow in adding tail Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in type 'int' Fixes: 8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d13379fb79708f550460dd6d698023bf26f968d5) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 22a2c83a30..8306ec020f 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -85,7 +85,7 @@ typedef struct WavpackContext { #define LEVEL_DECAY(a) (((a) + 0x80) >> 8) -static av_always_inline int get_tail(GetBitContext *gb, int k) +static av_always_inline unsigned get_tail(GetBitContext *gb, int k) { int p, e, res; From 5d6d0d20fe3fdd5115c689a8028f995147469ffa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 00:42:31 +0200 Subject: [PATCH 0270/1764] avcodec/xwddec: Use ff_set_dimensions() Fixes: OOM Fixes: 8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2852e4e00de4073ff7de82d41cb3368702686e8) Signed-off-by: Michael Niedermayer --- libavcodec/xwddec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 8b0845fc01..25c64e0e14 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -39,6 +39,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, uint32_t pixformat, pixdepth, bunit, bitorder, bpad; uint32_t rgb[3]; uint8_t *ptr; + int width, height; GetByteContext gb; if (buf_size < XWD_HEADER_SIZE) @@ -60,8 +61,8 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, pixformat = bytestream2_get_be32u(&gb); pixdepth = bytestream2_get_be32u(&gb); - avctx->width = bytestream2_get_be32u(&gb); - avctx->height = bytestream2_get_be32u(&gb); + width = bytestream2_get_be32u(&gb); + height = bytestream2_get_be32u(&gb); xoffset = bytestream2_get_be32u(&gb); be = bytestream2_get_be32u(&gb); bunit = bytestream2_get_be32u(&gb); @@ -77,6 +78,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, ncolors = bytestream2_get_be32u(&gb); bytestream2_skipu(&gb, header_size - (XWD_HEADER_SIZE - 20)); + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) + return ret; + av_log(avctx, AV_LOG_DEBUG, "pixformat %"PRIu32", pixdepth %"PRIu32", bunit %"PRIu32", bitorder %"PRIu32", bpad %"PRIu32"\n", pixformat, pixdepth, bunit, bitorder, bpad); From 28f044965975dc39bd51322b9887f01bc4eedc3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 18:25:14 +0200 Subject: [PATCH 0271/1764] avcodec/h264_mc_template: Only prefetch motion if the list is used. Fixes: index 59 out of bounds for type 'H264Ref [48]' Fixes: 8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b55591757244d8244a2be369c2b54c9ae79b02a) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mc_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index 58c05044c1..d02e2bf580 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c @@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME)) await_references(h, sl); - prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); + if (USES_LIST(mb_type, 0)) + prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); if (IS_16X16(mb_type)) { mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0, From 3be0549029b0bc770107058cad496f0ee78268ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Jun 2018 17:02:47 +0200 Subject: [PATCH 0272/1764] avcodec/h264_ps: Move MAX_LOG2_MAX_FRAME_NUM to header so it can be used in h264_sei Signed-off-by: Michael Niedermayer (cherry picked from commit b796c5ae9299c795cba0d16ce1d8eef05488953b) Signed-off-by: Michael Niedermayer --- libavcodec/h264_ps.c | 1 - libavcodec/h264_ps.h | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index b7d5f65d32..6c5b1ca80e 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -35,7 +35,6 @@ #include "h264_ps.h" #include "golomb.h" -#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) #define MIN_LOG2_MAX_FRAME_NUM 4 #define EXTENDED_SAR 255 diff --git a/libavcodec/h264_ps.h b/libavcodec/h264_ps.h index 51b6694b5f..e967b9cbcf 100644 --- a/libavcodec/h264_ps.h +++ b/libavcodec/h264_ps.h @@ -36,6 +36,7 @@ #define MAX_SPS_COUNT 32 #define MAX_PPS_COUNT 256 +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) /** * Sequence parameter set From 78fe6f7c32ddca273587529ab3c517c39f6dc0d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Jun 2018 19:07:22 +0200 Subject: [PATCH 0273/1764] avcodec/h264_slice: Fix overflow in recovery_frame computation Fixes: signed integer overflow: 15 + 2147483646 cannot be represented in type 'int' Fixes: 8381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6225533137321984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c20ea8ee0f3f0b27aca0204c6dfaa4ac137e34e) Signed-off-by: Michael Niedermayer --- libavcodec/h264_sei.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index 332ae50860..89ec5ddd78 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c @@ -264,10 +264,16 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext * return 0; } -static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb) +static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb, void *logctx) { - h->recovery_frame_cnt = get_ue_golomb_long(gb); + unsigned recovery_frame_cnt = get_ue_golomb_long(gb); + if (recovery_frame_cnt >= (1<recovery_frame_cnt = recovery_frame_cnt; /* 1b exact_match_flag, * 1b broken_link_flag, * 2b changing_slice_group_idc */ @@ -431,7 +437,7 @@ int ff_h264_sei_decode(H264SEIContext *h, GetBitContext *gb, ret = decode_unregistered_user_data(&h->unregistered, gb, logctx, size); break; case H264_SEI_TYPE_RECOVERY_POINT: - ret = decode_recovery_point(&h->recovery_point, gb); + ret = decode_recovery_point(&h->recovery_point, gb, logctx); break; case H264_SEI_TYPE_BUFFERING_PERIOD: ret = decode_buffering_period(&h->buffering_period, gb, ps, logctx); From 532ba2e4ae8c6cc07a85df0719c5adb9cd57f27c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 May 2018 23:35:58 +0200 Subject: [PATCH 0274/1764] avformat/mov: Only set pkt->duration to non negative values Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 62746448ed..7f5f93e648 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6654,7 +6654,9 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } else { int64_t next_dts = (sc->current_sample < st->nb_index_entries) ? st->index_entries[sc->current_sample].timestamp : st->duration; - pkt->duration = next_dts - pkt->dts; + + if (next_dts >= pkt->dts) + pkt->duration = next_dts - pkt->dts; pkt->pts = pkt->dts; } if (st->discard == AVDISCARD_ALL) From f35fb0c82692165df5ffe1cd086a1a89a856c8d5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 May 2018 22:44:07 +0200 Subject: [PATCH 0275/1764] fftools/ffmpeg: Fallback to duration if sample rate is unavailable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Regression since: af1761f7 Fixes: Division by 0 Fixes: ffmpeg_crash_1 Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 16d8b13b3b26c19d7f8856e039fe6662d96b4ff3) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index d581b40bf2..f19d9b8e73 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -2737,8 +2737,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo ist->dts = ist->next_dts; switch (ist->dec_ctx->codec_type) { case AVMEDIA_TYPE_AUDIO: - ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / - ist->dec_ctx->sample_rate; + if (ist->dec_ctx->sample_rate) { + ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / + ist->dec_ctx->sample_rate; + } else { + ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q); + } break; case AVMEDIA_TYPE_VIDEO: if (ist->framerate.num) { From 84d473a9cfc61c4b4f1557f41462d02088b94614 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jun 2018 15:41:33 +0200 Subject: [PATCH 0276/1764] avutil/common: Fix undefined behavior in av_clip_uintp2_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa41d322be71106ce147445f2b42bb763f1eff86) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 53e43feb3a..58ead80514 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -228,7 +228,7 @@ static av_always_inline av_const int av_clip_intp2_c(int a, int p) */ static av_always_inline av_const unsigned av_clip_uintp2_c(int a, int p) { - if (a & ~((1<> 31 & ((1<> 31 & ((1< Date: Thu, 14 Jun 2018 16:37:32 +0200 Subject: [PATCH 0277/1764] avcodec/dirac_dwt_template: Fix undefined behavior in interleave() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8697/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5197148130902016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 575d8ca0260fabac29e5b3541154633569ce2b5d) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 8c25c1f822..528fc7e9e7 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { - dst[2*i ] = (src0[i] + add) >> shift; - dst[2*i+1] = (src1[i] + add) >> shift; + dst[2*i ] = (src0[i] + (unsigned)add) >> shift; + dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; } } From 41315d5c7d48d939e218e4f62fe7acb36d33a958 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jun 2018 16:41:49 +0200 Subject: [PATCH 0278/1764] avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 'int' Fixes: 8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8bd514d9343746566b123275f8b6d0e9c11ec2b0) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 71a4611082..26b605b59c 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -436,7 +436,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp * (1 << shift); + dest[i] += tmp * (1U << shift); } } } From 126d3bdb042bc41d6dbd341cc771a0804b0abfaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jun 2018 22:48:54 +0200 Subject: [PATCH 0279/1764] avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() Fixes: Timeout Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 7e852cdebb..a94762929f 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1011,6 +1011,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p for (mb_x = 0; mb_x < s->mb_width; mb_x++) { int modified_predictor = predictor; + if (get_bits_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n"); + return AVERROR_INVALIDDATA; + } + if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; From d56eed37d195fe7b12ba3b00160032240cb06ea8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jun 2018 23:37:10 +0200 Subject: [PATCH 0280/1764] avcodec/magicyuv: Check bits left in flags&1 branch Fixes: Timeout Fixes: 8690/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-6542020913922048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7719b8ccc790b6e1325af0afe2b65e2334a7173c) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 3c1a89077b..cc1c63072b 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -240,6 +240,8 @@ static int magy_decode_slice10(AVCodecContext *avctx, void *tdata, dst = (uint16_t *)p->data[i] + j * sheight * stride; if (flags & 1) { + if (get_bits_left(&gb) < bps * width * height) + return AVERROR_INVALIDDATA; for (k = 0; k < height; k++) { for (x = 0; x < width; x++) dst[x] = get_bits(&gb, bps); @@ -371,6 +373,8 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata, dst = p->data[i] + j * sheight * stride; if (flags & 1) { + if (get_bits_left(&gb) < 8* width * height) + return AVERROR_INVALIDDATA; for (k = 0; k < height; k++) { for (x = 0; x < width; x++) dst[x] = get_bits(&gb, 8); From 0fce2872e43d511284293b77089145409864475a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jun 2018 21:45:59 +0200 Subject: [PATCH 0281/1764] avcodec/h264_parser: Reduce needed history for parsing mb index This fixes a bug/regression with very small packets Fixes: output_file Regression since: 0782fb6bcb32fe3ab956a99af4cc472ff81da0c2 Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit d25c945247979a88fac6bb3b7a26370262b96ef1) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parser.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index dd0a965af0..84988e6d79 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -121,20 +121,23 @@ static int h264_find_frame_end(H264ParseContext *p, const uint8_t *buf, } state = 7; } else { + unsigned int mb, last_mb = p->parse_last_mb; + GetBitContext gb; p->parse_history[p->parse_history_count++] = buf[i]; - if (p->parse_history_count > 5) { - unsigned int mb, last_mb = p->parse_last_mb; - GetBitContext gb; - init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); - p->parse_history_count = 0; - mb= get_ue_golomb_long(&gb); + init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); + mb= get_ue_golomb_long(&gb); + if (get_bits_left(&gb) > 0 || p->parse_history_count > 5) { p->parse_last_mb = mb; if (pc->frame_start_found) { - if (mb <= last_mb) + if (mb <= last_mb) { + i -= p->parse_history_count - 1; + p->parse_history_count = 0; goto found; + } } else pc->frame_start_found = 1; + p->parse_history_count = 0; state = 7; } } @@ -149,7 +152,7 @@ found: pc->frame_start_found = 0; if (p->is_avc) return next_avc; - return i - (state & 5) - 5 * (state > 7); + return i - (state & 5); } static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb, From dc41504521c7ba93d3ad5e42880f2a4ebd0f66f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Jun 2018 19:23:02 +0200 Subject: [PATCH 0282/1764] avcodec/escape124: Check buf_size against num_superblocks Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index eb051eba54..14f9396332 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. - if (get_bits_left(&gb) < 64) + // Check if the amount we will read minimally is available on input. + // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skiped superblocks. Non + // skipped SBs need more space. + if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; frame_flags = get_bits_long(&gb, 32); From 35c365f6ef44c37bfc17af45b6e909fff7fa3f0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jun 2018 01:18:20 +0200 Subject: [PATCH 0283/1764] avcodec/cscd: Check output buffer size for lzo. Fixes: Timeout Fixes: 8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 78167b498f53c36c31105a2bf11e90b03637598f) Signed-off-by: Michael Niedermayer --- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 35c4ee08c3..5eb511a565 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,7 +81,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; - if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) { + if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } From 80b2041c8c06dc85ad01b99bcc952c17374fb7a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jun 2018 23:08:32 +0200 Subject: [PATCH 0284/1764] avcodec/ra144: Fix integer overflow in ff_eval_refl() Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int' Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c077b7b327..cf8127c236 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) b = 0x1000000 / b; for (j=0; j <= i; j++) { #if CONFIG_FTRAPV - int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12); + int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12); if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; + bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) From c218ae2ade20c72510e76d53d4e3d559ee3791ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jun 2018 13:00:28 +0200 Subject: [PATCH 0285/1764] avcodec/escape124: Fix spelling errors in comment Signed-off-by: Michael Niedermayer (cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 14f9396332..cffd3e12b1 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -222,8 +222,8 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. // Check if the amount we will read minimally is available on input. - // The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 - // represent a lower bound of the space needed for skiped superblocks. Non + // The 64 represent the immediately next 2 frame_* elements read, the 23/4320 + // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; From 3a04f518ac283194bb13d8aff7d9fa963d551547 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jun 2018 17:27:50 +0200 Subject: [PATCH 0286/1764] avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array read Fixes: ffmpeg_crash_8.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 95556e27e2c1d56d9e18f5db34d6f756f3011148) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 2838286141..c44ed48dec 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -381,7 +381,7 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) if (hdr->substreamid == info->num_ind_sub + 1) { //info->num_ind_sub++; - avpriv_request_sample(track->par, "Multiple independent substreams"); + avpriv_request_sample(mov->fc, "Multiple independent substreams"); return AVERROR_PATCHWELCOME; } else if (hdr->substreamid < info->num_ind_sub || hdr->substreamid == 0 && info->substream[0].bsid) { From 428c3e5975d3cf742b97aeb4a8352ed3bcd8bb0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 18:40:08 +0200 Subject: [PATCH 0287/1764] avcodec/jpeg2000dec: Check that there are enough bytes for all tiles Fixes: OOM Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index d8325320de..0c3ebfcf11 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -342,7 +342,10 @@ static int get_siz(Jpeg2000DecoderContext *s) s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height); - if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) { + // There must be at least a SOT and SOD per tile, their minimum size is 14 + if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) || + s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g) + ) { s->numXtiles = s->numYtiles = 0; return AVERROR(EINVAL); } From e6db9900efaa2e2bc7286d9748a240325df0609b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 18:57:05 +0200 Subject: [PATCH 0288/1764] avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 0c3ebfcf11..5cba177513 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1222,10 +1222,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 if (reslevelno >= codsty->nreslevels) continue; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists @@ -1293,10 +1293,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; - if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check + if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; - if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check + if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists From 2f51a56ec9df85546cf9fc520252d0b87d0029cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 19:08:54 +0200 Subject: [PATCH 0289/1764] avcodec/shorten: Fix undefined integer overflow Fixes: signed integer overflow: 8454144 * 256 cannot be represented in type 'int' Fixes: 8788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5728205041303552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 70832333bba3b915040f415548518e136b44280e) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 18a12d0b97..79656e7757 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -177,7 +177,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] = 0; } else if (s->bitshift != 0) { for (i = 0; i < s->blocksize; i++) - buffer[i] *= 1 << s->bitshift; + buffer[i] *= 1U << s->bitshift; } } From 4ca95e64db794245b37d1685855bfdd6b0914964 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 19:11:46 +0200 Subject: [PATCH 0290/1764] avcodec/shorten: Fix undefined addition in shorten_decode_frame() Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented in type 'int' Fixes: 8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b10bb8772c76177cc47b8d15a6970f19dd11039) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 79656e7757..0f491090fd 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -682,7 +682,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, else { int32_t sum = (s->version < 2) ? 0 : s->nmean / 2; for (i = 0; i < s->nmean; i++) - sum += s->offset[channel][i]; + sum += (unsigned)s->offset[channel][i]; coffset = sum / s->nmean; if (s->version >= 2) coffset = s->bitshift == 0 ? coffset : coffset >> s->bitshift - 1 >> 1; From 78aa78410b6dcc962d7a05ee03524514a9e3933f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jul 2018 01:26:44 +0200 Subject: [PATCH 0291/1764] avcodec/indeo4: Check for end of bitstream in decode_mb_info() Fixes: Timeout Fixes: 8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267ba2aa96354c5b6a1ea89b2943fbd7a4893862) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 7dff9db877..15ad6f8afc 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -492,6 +492,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, mb->b_mv_x = mb->b_mv_y = 0; + if (get_bits_left(&ctx->gb) < 1) { + av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n"); + return AVERROR_INVALIDDATA; + } + if (get_bits1(&ctx->gb)) { if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) { av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n"); From 9dea41eac7229688e566a4a3e3f8251acf7ab97c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 21:01:23 +0200 Subject: [PATCH 0292/1764] avformat/asfdec_o: Check size_bmp more fully Fixes: integer overflow and out of array access Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 5122e33c78..b4b2698368 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -706,7 +706,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE) { + if (size_bmp > BMP_HEADER_SIZE && + size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { int ret; st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + From 09401d0a0abec4d1db395af3ddb2c610c5b51153 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 21:37:46 +0200 Subject: [PATCH 0293/1764] avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() Fixes: use after free() Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit a7e032a277452366771951e29fd0bf2bd5c029f0) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index d6d7d9cd84..3eb49a5d29 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -526,7 +526,7 @@ static int rm_read_multi(AVFormatContext *s, AVIOContext *pb, size2 = avio_rb32(pb); ret = ff_rm_read_mdpr_codecdata(s, s->pb, st2, st2->priv_data, - size2, mime); + size2, NULL); if (ret < 0) return ret; } From 717ece29fd497500ef0315d1841fa7bd0640f53c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 22:14:42 +0200 Subject: [PATCH 0294/1764] avformat/pva: Check for EOF before retrying in read_part_of_packet() Fixes: Infinite loop Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1) Signed-off-by: Michael Niedermayer --- libavformat/pva.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/pva.c b/libavformat/pva.c index 16381db905..04ae8e2800 100644 --- a/libavformat/pva.c +++ b/libavformat/pva.c @@ -134,6 +134,10 @@ recover: pes_flags = avio_rb16(pb); pes_header_data_length = avio_r8(pb); + if (avio_feof(pb)) { + return AVERROR_EOF; + } + if (pes_signal != 1 || pes_header_data_length == 0) { pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, " "trying to recover\n"); From 5da77e7e9e91a1f2a6b80f64f4202c0a4534e307 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Jul 2018 20:33:04 +0200 Subject: [PATCH 0295/1764] avformat/mms: Add missing chunksize check Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch 1st hunk by Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit cced03dd667a5df6df8fd40d8de0bff477ee02e8) Signed-off-by: Michael Niedermayer --- libavformat/mms.c | 44 ++++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/libavformat/mms.c b/libavformat/mms.c index 17fa76a8d4..768fda6525 100644 --- a/libavformat/mms.c +++ b/libavformat/mms.c @@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) { - flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); - stream_id = flags & 0x7F; - //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, - //we can calculate the packet size by stream_num. - //Please see function send_stream_selection_request(). - if (mms->stream_num < MMS_MAX_STREAMS && - 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { - mms->streams = av_fast_realloc(mms->streams, - &mms->nb_streams_allocated, - (mms->stream_num + 1) * sizeof(MMSStream)); - if (!mms->streams) - return AVERROR(ENOMEM); - mms->streams[mms->stream_num].id = stream_id; - mms->stream_num++; - } else { - av_log(NULL, AV_LOG_ERROR, - "Corrupt stream (too many A/V streams)\n"); - return AVERROR_INVALIDDATA; + if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) { + flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); + stream_id = flags & 0x7F; + //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, + //we can calculate the packet size by stream_num. + //Please see function send_stream_selection_request(). + if (mms->stream_num < MMS_MAX_STREAMS && + 46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { + mms->streams = av_fast_realloc(mms->streams, + &mms->nb_streams_allocated, + (mms->stream_num + 1) * sizeof(MMSStream)); + if (!mms->streams) + return AVERROR(ENOMEM); + mms->streams[mms->stream_num].id = stream_id; + mms->stream_num++; + } else { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (too many A/V streams)\n"); + return AVERROR_INVALIDDATA; + } } } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) { if (end - p >= 88) { @@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { chunksize = 46; // see references [2] section 3.4. This should be set 46. + if (chunksize > end - p) { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (header chunksize %"PRId64" is invalid)\n", + chunksize); + return AVERROR_INVALIDDATA; + } } p += chunksize; } From 93a77afdaca7df6074f5422e2218331122c6caa6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jul 2018 12:01:46 +0200 Subject: [PATCH 0296/1764] avcodec/vp8_parser: Do not leave data/size uninitialized This is identical to what the VP9 parser does Fixes: 9215/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-5768227253649408 Fixes: out of memory access This may also fix oss fuzz issue 9212 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 284dde24dab30225ed3e233b0e5908d67d7e13e7) Signed-off-by: Michael Niedermayer --- libavcodec/vp8_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp8_parser.c b/libavcodec/vp8_parser.c index 609f5077d1..e2d91b271f 100644 --- a/libavcodec/vp8_parser.c +++ b/libavcodec/vp8_parser.c @@ -28,6 +28,9 @@ static int parse(AVCodecParserContext *s, unsigned int frame_type; unsigned int profile; + *poutbuf = buf; + *poutbuf_size = buf_size; + if (buf_size < 3) return buf_size; From 36c779bffe2ceef48a0fa4d7a6691c6895faf9e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Jun 2018 16:51:51 +0200 Subject: [PATCH 0297/1764] avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array access Fixes: ffmpeg_bof_1.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit ed22dc22216f74c75ee7901f82649e1ff725ba50) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index c44ed48dec..aab3e31010 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -388,6 +388,11 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) info->ec3_done = 1; goto concatenate; } + } else { + if (hdr->substreamid != 0) { + avpriv_request_sample(mov->fc, "Multiple non EAC3 independent substreams"); + return AVERROR_PATCHWELCOME; + } } /* fill the info needed for the "dec3" atom */ From cb21af2844158397fcbb21baae4eeaeceec8ac02 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Jul 2018 18:20:18 +0200 Subject: [PATCH 0298/1764] update for 3.4.3 Signed-off-by: Michael Niedermayer --- Changelog | 140 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 142 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 5db7b0a8a7..c586c9a508 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,146 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.3: +- avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id +- avcodec/vp8_parser: Do not leave data/size uninitialized +- avformat/mms: Add missing chunksize check +- avformat/pva: Check for EOF before retrying in read_part_of_packet() +- avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() +- avformat/asfdec_o: Check size_bmp more fully +- avcodec/indeo4: Check for end of bitstream in decode_mb_info() +- avcodec/shorten: Fix undefined addition in shorten_decode_frame() +- avcodec/shorten: Fix undefined integer overflow +- avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() +- avcodec/jpeg2000dec: Check that there are enough bytes for all tiles +- avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample +- avcodec/escape124: Fix spelling errors in comment +- avcodec/ra144: Fix integer overflow in ff_eval_refl() +- avcodec/cscd: Check output buffer size for lzo. +- avcodec/escape124: Check buf_size against num_superblocks +- avcodec/h264_parser: Reduce needed history for parsing mb index +- avcodec/magicyuv: Check bits left in flags&1 branch +- avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() +- avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() +- avcodec/dirac_dwt_template: Fix undefined behavior in interleave() +- avutil/common: Fix undefined behavior in av_clip_uintp2_c() +- fftools/ffmpeg: Fallback to duration if sample rate is unavailable +- avformat/mov: Only set pkt->duration to non negative values +- avcodec/h264_slice: Fix overflow in recovery_frame computation +- avcodec/h264_ps: Move MAX_LOG2_MAX_FRAME_NUM to header so it can be used in h264_sei +- avcodec/h264_mc_template: Only prefetch motion if the list is used. +- avcodec/xwddec: Use ff_set_dimensions() +- avcodec/wavpack: Fix overflow in adding tail +- avcodec/shorten: Fix multiple integer overflows +- avcodec/shorten: Fix undefined shift in fix_bitshift() +- avcodec/shorten: Fix a negative left shift in shorten_decode_frame() +- avcodec/shorten: Sanity check nmeans +- avcodec/shorten: Check non COMM chunk len before skip in decode_aiff_header() +- avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() +- avcodec/truemotion2: Fix overflow in tm2_apply_deltas() +- avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c +- avcodec/amrwbdec: Fix division by 0 in find_hb_gain() +- avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() +- avformat/mov: Break out early if chunk_count is 0 in mov_build_index() +- avcodec/fic: Avoid some magic numbers related to cursors +- avcodec/g2meet: ask for sample with overflowing RGB +- avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() +- oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior +- avcodec/g723_1dec: Clip bits2 in both directions +- avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() +- avcodec/mlpdec: Only change noise_type if the related fields are valid +- indeo4: Decode all or nothing of a band header. +- avformat/mov: Only fail for STCO/STSC contradictions if both exist +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 +- avcodec/fic: Check available input space for cursor +- avcodec/g2meet: Check RGB upper limit +- avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case +- avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done +- avcodec/g2meet: Change order of operations to avoid undefined behavior +- avcodec/flac_parser: Fix infinite loop +- avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/error_resilience: Fix integer overflow in filter181() +- avcodec/h263dec: Check slice_ret in mspeg4 slice loop +- avcodec/elsdec: Fix memleaks +- avcodec/vc1_block: simplify ac_val computation +- avcodec/ffv1enc: Check that the crc + version combination is supported +- lavf/http.c: Free allocated client URLContext in case of error. +- avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame +- avcodec/dsicinvideo: Propagate errors from cin_decode_rle() +- avcodec/dfa: Check dimension against maximum +- avcodec/cinepak: Skip empty frames +- avcodec/cinepak: move some checks prior to frame allocation +- swresample/arm: remove unintentional relocation. +- doc/APIchanges: Fix typos in hashes +- avformat/utils: Check cur_dts in update_initial_timestamps() more +- avcodec/utils: Enforce minimum width also for VP5/6 +- avcodec/truemotion2: Propagate out of bounds error from GET_TOK() +- avformat/utils: Fix integer overflow in end time calculation in update_stream_timings() +- avcodec/mjpegdec: Check input buffer size. +- avcodec/h264_slice: Fix integer overflow with last_poc +- avformat/mov: Fix extradata memleak +- lavc/libopusdec: Allow avcodec_open2 to call .close +- avcodec/movtextdec: Check style_start/end +- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() +- libavcodec/rv34: error out earlier on missing references +- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. +- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() +- avcodec/cscd: Error out when LZ* decompression fails +- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() +- avfilter/vf_signature: use av_strlcpy() +- avcodec/utvideodec: Set pro flag based on fourcc +- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() +- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables +- avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry() +- avcodec/get_bits: Make sure the input bitstream with padding can be addressed +- avformat/mov: Check STSC and remove invalid entries +- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it +- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg +- avcodec/wmalosslessdec: Reset num_saved_bits on error path +- avformat/mov: Fix integer overflows related to sample_duration +- avformat/img2dec: fix infinite loop +- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE +- avformat/oggparseogm: Check lb against psize +- avformat/oggparseogm: Fix undefined shift in ogm_packet() +- avformat/avidec: Fix integer overflow in cum_len check +- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE +- avformat/utils: Fix integer overflow of fps_first/last_dts +- avformat/oggdec: Fix metadata memleak on multiple headers +- libavformat/oggparsevorbis: Fix memleak on multiple headers +- avformat/mov: Fix integer overflow in mov_get_stsc_samples() +- avcodec/truemotion2rt: Check input buffer size +- avcodec/g2meet: Check tile dimensions with av_image_check_size2() +- avcodec/exr: fix invalid shift in unpack_14() +- avcodec/bintext: sanity check dimensions +- avcodec/utvideodec: Check subsample factors +- avcodec/smc: Check input packet size +- avcodec/cavsdec: Check alpha/beta offset +- avcodec/diracdec: Fix integer overflow in mv computation +- avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table() +- avcodec/aacdec_templat: Fix integer overflow in apply_ltp() +- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() +- avcodec/diracdec: Use int64 in global mv to prevent overflow +- avcodec/dxtory: Remove code that corrupts dimensions +- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() +- avcodec/hevcdec: Check luma/chroma_log2_weight_denom +- avcodec/jpeg2000dec: Use av_image_check_size2() +- avcodec/vp8: Check for bitstream end before vp7_fade_frame() +- avcodec/exr: Check remaining bits in last get code loop +- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() +- avdevice/decklink_dec: Fix ;; +- avcodec/h264_cabac: Tighten allowed coeff_abs range +- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() +- avdevice/iec61883: free the private context at the end +- avdevice/iec61883: return reference counted packets +- configure: add nvcc to CMDLINE_SET +- avcodec/mpeg4_unpack_bframes: make sure the packet is writable when data needs to be changed +- avcodec/mp3_header_decompress: don't free the user provided packet on error +- avcodec/extract_extradata: zero initalize the padding bytes in all allocated buffers +- avformat/hvcc: zero initialize the nal buffers past the last written byte +- swresample/rematrix: fix update of channel matrix if input or output layout is undefined +- avformat/matroskadec: ignore CodecPrivate if the stream is VP9 + version 3.4.2: - avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() - avcodec/mpeg4videodec: Ignore multiple VOL headers diff --git a/RELEASE b/RELEASE index 4d9d11cf50..6cb9d3dd0d 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.2 +3.4.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4f0c5ab628..969e5f89db 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.2 +PROJECT_NUMBER = 3.4.3 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 9fc60cebe42e6e492b6e1a7bcc479796ee42c3ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jul 2018 16:28:14 +0200 Subject: [PATCH 0299/1764] avcodec/mjpegdec: Check for odd progressive RGB Fixes: out of array access Fixes: 9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e3ca5eb1ec7d34e925d129c893e33847ee0b7) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a94762929f..95d35fbc31 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -616,6 +616,10 @@ unk_pixfmt: avpriv_report_missing_feature(s->avctx, "Lowres for weird subsampling"); return AVERROR_PATCHWELCOME; } + if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) { + avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling"); + return AVERROR_PATCHWELCOME; + } if (s->ls) { memset(s->upscale_h, 0, sizeof(s->upscale_h)); memset(s->upscale_v, 0, sizeof(s->upscale_v)); From 20ad61ffb7b0fc72d17b5c21035eb85a698ac64b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jul 2018 22:23:25 +0200 Subject: [PATCH 0300/1764] avformat/movenc: Check input sample count Fixes: division by 0 Fixes: fpe_movenc.c_199_1.wav Fixes: fpe_movenc.c_199_2.wav Fixes: fpe_movenc.c_199_3.wav Fixes: fpe_movenc.c_199_4.wav Fixes: fpe_movenc.c_199_5.wav Fixes: fpe_movenc.c_199_6.wav Fixes: fpe_movenc.c_199_7.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit 3a2d21bc5f97aa0161db3ae731fc2732be6108b8) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index aab3e31010..cfbe554dd4 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5077,6 +5077,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) else samples_in_chunk = 1; + if (samples_in_chunk < 1) { + av_log(s, AV_LOG_ERROR, "fatal error, input packet contains no samples\n"); + return AVERROR_PATCHWELCOME; + } + /* copy extradata if it exists */ if (trk->vos_len == 0 && par->extradata_size > 0 && !TAG_IS_AVCI(trk->tag) && From 89355585366b16238244decae40fbe0cc7ae3e40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jul 2018 11:37:06 +0200 Subject: [PATCH 0301/1764] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog b/Changelog index c586c9a508..c9ddfd2ba8 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.3: +- avformat/movenc: Check input sample count +- avcodec/mjpegdec: Check for odd progressive RGB - avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id - avcodec/vp8_parser: Do not leave data/size uninitialized - avformat/mms: Add missing chunksize check From c1e172c2e14ef059dac632f7c67f081dfecd30dc Mon Sep 17 00:00:00 2001 From: Simon Thelen Date: Tue, 3 Apr 2018 14:41:33 +0200 Subject: [PATCH 0302/1764] avcodec/imgconvert: fix possible null pointer dereference regression since 354b26a3945eadd4ed8fcd801dfefad2566241de (cherry picked from commit 8c2c97403baf95d0facb53f03e468f023eb943e1) --- libavcodec/imgconvert.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 7b0005b308..1fd636c83d 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -72,11 +72,12 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int loss; for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { - loss = *loss_ptr; + loss = loss_ptr ? *loss_ptr : 0; best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, &loss); } - *loss_ptr = loss; + if (loss_ptr) + *loss_ptr = loss; return best; } From a8c5c71a0489b2b391af6d356385e5718af97d8f Mon Sep 17 00:00:00 2001 From: Rahul Chaudhry Date: Fri, 27 Apr 2018 13:49:52 -0700 Subject: [PATCH 0303/1764] swresample/arm: rename labels to fix xcode build error Signed-off-by: Michael Niedermayer (cherry picked from commit e84212b78e00df17799e01be1e153a073eb8f689) Signed-off-by: Michael Niedermayer --- libswresample/arm/audio_convert_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 7729514701..085d50aafa 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,7 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 -_swri_oldapi_conv_flt_to_s16_neon: +.L_swri_oldapi_conv_flt_to_s16_neon: subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32 q8, q0, #31 @@ -67,7 +67,7 @@ _swri_oldapi_conv_flt_to_s16_neon: endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 -_swri_oldapi_conv_fltp_to_s16_2ch_neon: +.L_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subs r2, r2, #8 vld1.32 {q0}, [r1,:128]! @@ -135,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] - blt _swri_oldapi_conv_flt_to_s16_neon - beq _swri_oldapi_conv_fltp_to_s16_2ch_neon + blt .L_swri_oldapi_conv_flt_to_s16_neon + beq .L_swri_oldapi_conv_fltp_to_s16_2ch_neon push {r4-r8, lr} cmp r3, #4 From 2b8d4f6f0186b3ed0b223f665d32c36ed887149e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jul 2018 00:16:42 +0200 Subject: [PATCH 0304/1764] avformat/movenc: Write version 2 of audio atom if channels is not known The version 1 needs the channel count and would divide by 0 Fixes: division by 0 Fixes: fpe_movenc.c_1108_1.ogg Fixes: fpe_movenc.c_1108_2.ogg Fixes: fpe_movenc.c_1108_3.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index cfbe554dd4..b57778bd4f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -964,7 +964,7 @@ static int mov_write_audio_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex uint32_t tag = track->tag; if (track->mode == MODE_MOV) { - if (track->timescale > UINT16_MAX) { + if (track->timescale > UINT16_MAX || !track->par->channels) { if (mov_get_lpcm_flags(track->par->codec_id)) tag = AV_RL32("lpcm"); version = 2; From 15990a43b023c87148658e271476b7a19ccde8ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:33:08 +0200 Subject: [PATCH 0305/1764] avcodec/dirac_dwt_template: Fix signedness regression in interleave() Found-by: Tested-by: James Darnley Signed-off-by: Michael Niedermayer (cherry picked from commit 181435a4de6e38e0a15ddaf16de9a157ef41cb18) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 528fc7e9e7..2369c8d15b 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { - dst[2*i ] = (src0[i] + (unsigned)add) >> shift; - dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; + dst[2*i ] = ((int)(src0[i] + (unsigned)add)) >> shift; + dst[2*i+1] = ((int)(src1[i] + (unsigned)add)) >> shift; } } From 6ea8b39c905722201424e12f9c179732fb5dac58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:54:48 +0200 Subject: [PATCH 0306/1764] avcodec/dvdsub_parser: Init output buf/size No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c8437761661441d836876934314cb2b8fafe7) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 32a945ed65..8e1c48bef6 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -44,6 +44,9 @@ static int dvdsub_parse(AVCodecParserContext *s, { DVDSubParseContext *pc = s->priv_data; + *poutbuf = buf; + *poutbuf_size = buf_size; + if (pc->packet_index == 0) { if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { if (buf_size) From 6f354ca5fd5e758cdc0151f6e84936c44e0b8e2f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jul 2018 18:56:10 +0200 Subject: [PATCH 0307/1764] avcodec/dvdsub_parser: Allocate input padding Fixes: out of array read Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cd86b5cfe278af79d6b147e122d9a72c270a9fde) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsub_parser.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 8e1c48bef6..698ccb6987 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -57,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); av_freep(&pc->packet); - pc->packet = av_malloc(pc->packet_len); + if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { + av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len); + return buf_size; + } + pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE); } if (pc->packet) { if (pc->packet_index + buf_size <= pc->packet_len) { From 8df2c7dde6af3e748447ac313947388e6887178a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Jul 2018 15:07:41 +0200 Subject: [PATCH 0308/1764] Update for 3.4.4 Signed-off-by: Michael Niedermayer --- Changelog | 8 ++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index c9ddfd2ba8..5560069441 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,14 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.4: +- avcodec/dvdsub_parser: Allocate input padding +- avcodec/dvdsub_parser: Init output buf/size +- avcodec/dirac_dwt_template: Fix signedness regression in interleave() +- avformat/movenc: Write version 2 of audio atom if channels is not known +- swresample/arm: rename labels to fix xcode build error +- avcodec/imgconvert: fix possible null pointer dereference + version 3.4.3: - avformat/movenc: Check input sample count - avcodec/mjpegdec: Check for odd progressive RGB diff --git a/RELEASE b/RELEASE index 6cb9d3dd0d..f9892605c7 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.3 +3.4.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 969e5f89db..883d9a5680 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.3 +PROJECT_NUMBER = 3.4.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From bc2301429e9c779237e43acf913331af018211f2 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 28 Jul 2018 00:51:57 -0300 Subject: [PATCH 0309/1764] avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL Fixes crashes like "ffmpeg -h bsf" caused by passing NULL to strcmp() Signed-off-by: James Almer (cherry picked from commit 3258cc6507a2012d54889ce5f8efbde7e81d927d) --- libavcodec/bitstream_filters.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/bitstream_filters.c b/libavcodec/bitstream_filters.c index ce34de640d..ace2a1e01f 100644 --- a/libavcodec/bitstream_filters.c +++ b/libavcodec/bitstream_filters.c @@ -62,6 +62,9 @@ const AVBitStreamFilter *av_bsf_get_by_name(const char *name) { int i; + if (!name) + return NULL; + for (i = 0; bitstream_filters[i]; i++) { const AVBitStreamFilter *f = bitstream_filters[i]; if (!strcmp(f->name, name)) From c50dc77ac708e98d02da7c422a6b9cbf9f565aa5 Mon Sep 17 00:00:00 2001 From: Giulio Benetti Date: Tue, 11 Sep 2018 22:29:32 +0200 Subject: [PATCH 0310/1764] configure: add LIBDRM to extralibs_avutil When static linking programs using ffmpeg libraries, if linking against libavutil, -ldrm is listed before -lavutil. This leads to linking failure due to undefined reference of drmGetVersion() and drmFreeVersion(). This is why when pkg-config create libavutil.pc doesn't append -ldrm after -lavutil. Create LIBDRM=-ldrm in case libdrm is enabled and add $LIBDRM to extralibs_avutil. Signed-off-by: Giulio Benetti Signed-off-by: James Almer --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 7377046d0a..9fe7760822 100755 --- a/configure +++ b/configure @@ -5919,7 +5919,7 @@ enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0 && die "ERROR: libcelt must be installed and version must be >= 0.11.0."; } enabled libcaca && require_pkg_config libcaca caca caca.h caca_create_canvas enabled libdc1394 && require_pkg_config libdc1394 libdc1394-2 dc1394/dc1394.h dc1394_new -enabled libdrm && require_pkg_config libdrm libdrm xf86drm.h drmGetVersion +enabled libdrm && require_pkg_config libdrm libdrm xf86drm.h drmGetVersion && LIBDRM="-ldrm" enabled libfdk_aac && { use_pkg_config libfdk_aac fdk-aac "fdk-aac/aacenc_lib.h" aacEncOpen || { require libfdk_aac fdk-aac/aacenc_lib.h aacEncOpen -lfdk-aac && warn "using libfdk without pkg-config"; } } @@ -7096,7 +7096,7 @@ source_path=${source_path} LIBPREF=${LIBPREF} LIBSUF=${LIBSUF} -extralibs_avutil="$LIBRT $LIBM" +extralibs_avutil="$LIBRT $LIBDRM $LIBM" extralibs_avcodec="$extralibs" extralibs_avformat="$extralibs" extralibs_avdevice="$extralibs" From e225db5d758ccad0fd84bfa0649f77385faafd44 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Sat, 13 Oct 2018 23:44:30 +0200 Subject: [PATCH 0311/1764] avcodec/cuviddec: properly take deinterlacing and display delay into account for buffer_full check Signed-off-by: Timo Rothenpieler --- libavcodec/cuvid.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/cuvid.c b/libavcodec/cuvid.c index 2ba8e00c6a..68671f0ecc 100644 --- a/libavcodec/cuvid.c +++ b/libavcodec/cuvid.c @@ -373,7 +373,11 @@ static int cuvid_is_buffer_full(AVCodecContext *avctx) { CuvidContext *ctx = avctx->priv_data; - return (av_fifo_size(ctx->frame_queue) / sizeof(CuvidParsedFrame)) + 2 > ctx->nb_surfaces; + int delay = ctx->cuparseinfo.ulMaxDisplayDelay; + if (ctx->deint_mode != cudaVideoDeinterlaceMode_Weave && !ctx->drop_second_field) + delay *= 2; + + return (av_fifo_size(ctx->frame_queue) / sizeof(CuvidParsedFrame)) + delay >= ctx->nb_surfaces; } static int cuvid_decode_packet(AVCodecContext *avctx, const AVPacket *avpkt) From 7489a527f000a8b48bfcd1c1dafcb68f310e1695 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Jul 2018 22:22:35 +0200 Subject: [PATCH 0312/1764] avutil/pixfmt: Document chroma plane size for odd resolutions Signed-off-by: Michael Niedermayer (cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5) Signed-off-by: Michael Niedermayer --- libavutil/pixfmt.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h index 24889c8e52..8a26fa874c 100644 --- a/libavutil/pixfmt.h +++ b/libavutil/pixfmt.h @@ -42,6 +42,10 @@ * This is stored as BGRA on little-endian CPU architectures and ARGB on * big-endian CPUs. * + * @note + * If the resolution is not a multiple of the chroma subsampling factor + * then the chroma plane resolution must be rounded up. + * * @par * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized * image data is stored in AVFrame.data[0]. The palette is transported in From 5cbf4849e37620b0886e63e25aef02cd766ba5f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jul 2018 22:44:12 +0200 Subject: [PATCH 0313/1764] swresample/swresample: Fix input channel count in resample_first computation Found-by: Marcin Gorzel Reviewed-by: Marcin Gorzel Signed-off-by: Michael Niedermayer (cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86) Signed-off-by: Michael Niedermayer --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 170f76bc56..c740f5d5fd 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -318,7 +318,7 @@ av_cold int swr_init(struct SwrContext *s){ av_assert0(s->used_ch_count); av_assert0(s->out.ch_count); - s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; + s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0; s->in_buffer= s->in; s->silence = s->in; From 9da24737a3b27c962a4bba8d1b16acdff4a078f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 18:58:34 +0200 Subject: [PATCH 0314/1764] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 'int' Fixes: 8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 2c8d94758c..98474eaf50 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1398,8 +1398,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From 330ed0772c6f6f36e9a027757f393a2886e44c55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 19:11:04 +0200 Subject: [PATCH 0315/1764] avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69cac9e130dc8c9d2a5b8012011df372974adf35) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_dwt_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 2369c8d15b..5d55d932a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int // second stage combined with interleave and shift b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]); - b[0] = (b0 + 1) >> 1; + b[0] = ~((~b0) >> 1); for (x = 1; x < w2; x++) { b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]); b1 = COMPOSE_DAUB97iH0( b0, temp[x+w2-1], b2 ); - b[2*x-1] = (b1 + 1) >> 1; - b[2*x ] = (b2 + 1) >> 1; + b[2*x-1] = ~((~b1) >> 1); + b[2*x ] = ~((~b2) >> 1); b0 = b2; } - b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1; + b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1); } static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2, From 7068bcf58ad2ad8190ce343934503dd1f0b98ee4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 20:45:39 +0200 Subject: [PATCH 0316/1764] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 98474eaf50..376732c310 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -140,7 +140,7 @@ typedef struct DiracContext { GetBitContext gb; AVDiracSeqHeader seq; int seen_sequence_header; - int frame_number; /* number of the next frame to display */ + int64_t frame_number; /* number of the next frame to display */ Plane plane[3]; int chroma_x_shift; int chroma_y_shift; @@ -2302,7 +2302,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } if (*got_frame) - s->frame_number = picture->display_picture_number + 1; + s->frame_number = picture->display_picture_number + 1LL; return buf_idx; } From a594ce26ce3842a1a52558bcfc3f8f57fd5c6f45 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 21:26:24 +0200 Subject: [PATCH 0317/1764] avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 'int' Fixes: 9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f457c0ad7f73e31e99761f2ad3738cf3b3c24ca0) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 376732c310..2ceb2234c6 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1242,7 +1242,10 @@ static int dirac_unpack_idwt_params(DiracContext *s) else { s->num_x = get_interleaved_ue_golomb(gb); s->num_y = get_interleaved_ue_golomb(gb); - if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) { + if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX || + s->num_x * (uint64_t)s->avctx->width > INT_MAX || + s->num_y * (uint64_t)s->avctx->height > INT_MAX + ) { av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); s->num_x = s->num_y = 0; return AVERROR_INVALIDDATA; From 9abcade734cb72a908264ca29f187554cdfde8c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jul 2018 21:42:16 +0200 Subject: [PATCH 0318/1764] avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 'int' Fixes: 9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 2ceb2234c6..04f54634e0 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -985,6 +985,10 @@ static int decode_lowdelay(DiracContext *s) for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) { bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den - slice_num * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den; + if (bytes >= INT_MAX || bytes*8 > bufsize) { + av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n"); + return AVERROR_INVALIDDATA; + } slices[slice_num].bytes = bytes; slices[slice_num].slice_x = slice_x; slices[slice_num].slice_y = slice_y; From 7abc4445f911a4264876d45d2f905ea2475fbfb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Jul 2018 12:40:48 +0200 Subject: [PATCH 0319/1764] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() Fixes: Timeout Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7) Signed-off-by: Michael Niedermayer --- libavcodec/qtrle.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 1b0d2016b5..cd8301d143 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr, CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (num_pixels * (bytestream2_get_byte(&s->g) - 1)); @@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change) CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (4 * (bytestream2_get_byte(&s->g) - 1)); @@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 2; @@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 3; @@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 4; From c90457a95ee8c81617ec6227784780b691ad3061 Mon Sep 17 00:00:00 2001 From: Nikolas Bowe Date: Mon, 30 Jul 2018 17:22:02 -0700 Subject: [PATCH 0320/1764] lavc/svq3: Fix regression decoding some files. Fixes some SVQ3 encoded files which fail to decode correctly after 6d6faa2a2d. These files exhibit lots of artifacts and logs show "Media key encryption is not implemented". However they decode without artifacts before 6d6faa2a2d. The attatched patch allows these files to successfully decode, but also reject media key files. Tested on the files in #6094 and http://samples.mplayerhq.hu/V-codecs/SVQ3/Vertical400kbit.sorenson3.mov Signed-off-by: Michael Niedermayer (cherry picked from commit 5aeb3b008080d8d4a38f245d557dbc9bd6c36dcf) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index a937b2f951..5d89921323 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1064,16 +1064,15 @@ static int svq3_decode_slice_header(AVCodecContext *avctx) av_log(s->avctx, AV_LOG_ERROR, "illegal slice type %u \n", slice_id); return -1; } - if (get_bits1(&s->gb_slice)) { - avpriv_report_missing_feature(s->avctx, "Media key encryption"); - return AVERROR_PATCHWELCOME; - } s->slice_type = ff_h264_golomb_to_pict_type[slice_id]; if ((header & 0x9F) == 2) { - i = (s->mb_num < 64) ? 5 : av_log2(s->mb_num - 1); + i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1)); get_bits(&s->gb_slice, i); + } else if (get_bits1(&s->gb_slice)) { + avpriv_report_missing_feature(s->avctx, "Media key encryption"); + return AVERROR_PATCHWELCOME; } s->slice_num = get_bits(&s->gb_slice, 8); From 44e878d08674a15906badfb921443a44ebf6257d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Jul 2018 15:03:50 +0200 Subject: [PATCH 0321/1764] avformat/flvenc: Check audio packet size Fixes: Assertion failure Fixes: assert_flvenc.c:941_1.swf Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10) Signed-off-by: Michael Niedermayer --- libavformat/flvenc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index 899b07ea7b..e966c36c65 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -879,6 +879,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt) int flags = -1, flags_size, ret; int64_t cur_offset = avio_tell(pb); + if (par->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) { + av_log(s, AV_LOG_WARNING, "Empty audio Packet\n"); + return AVERROR(EINVAL); + } + if (par->codec_id == AV_CODEC_ID_VP6F || par->codec_id == AV_CODEC_ID_VP6A || par->codec_id == AV_CODEC_ID_VP6 || par->codec_id == AV_CODEC_ID_AAC) flags_size = 2; From b6098dd17feca3f1d0b8796c81bab5f038258a1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Jul 2018 10:59:09 +0200 Subject: [PATCH 0322/1764] avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c() Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented in type 'int' Fixes: 8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47db5763e21c5e3b0ddde2430d15938f8d88480d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 65867649c7..5f4be017d5 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -150,10 +150,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2], INTFLOAT h1 = h[0][1]; INTFLOAT h2 = h[0][2]; INTFLOAT h3 = h[0][3]; - INTFLOAT hs0 = h_step[0][0]; - INTFLOAT hs1 = h_step[0][1]; - INTFLOAT hs2 = h_step[0][2]; - INTFLOAT hs3 = h_step[0][3]; + UINTFLOAT hs0 = h_step[0][0]; + UINTFLOAT hs1 = h_step[0][1]; + UINTFLOAT hs2 = h_step[0][2]; + UINTFLOAT hs3 = h_step[0][3]; int n; for (n = 0; n < len; n++) { From 4df3a367df8e35cdc415364fd11e26dd92cee18c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Aug 2018 14:51:36 +0200 Subject: [PATCH 0323/1764] avcodec/mpegaudio_parser: Initialize poutbuf* Possibly fixes: null pointer dereference Possibly fixes: 9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224 Fixes: Heap-use-after-free Fixes: 9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index 8c39825792..a072851ecf 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1, } else if (codec_id == AV_CODEC_ID_MP3ADU) { avpriv_report_missing_feature(avctx, "MP3ADU full parser"); + *poutbuf = NULL; + *poutbuf_size = 0; return 0; /* parsers must not return error codes */ } From 7f480bedd069df9b4b9f9646ac8c649024a76e1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Aug 2018 22:43:33 +0200 Subject: [PATCH 0324/1764] avcodec/shorten: Check verbatim length Fixes: Timeout Fixes: 9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0f491090fd..9094d3fc55 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -623,6 +623,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, switch (cmd) { case FN_VERBATIM: len = get_ur_golomb_shorten(&s->gb, VERBATIM_CKSIZE_SIZE); + if (len < 0 || len > get_bits_left(&s->gb)) { + av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n", + len); + return AVERROR_INVALIDDATA; + } while (len--) get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE); break; From ec573bd2eb085b40e65dd8e1cf3c488631f62ccb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Aug 2018 22:55:59 +0200 Subject: [PATCH 0325/1764] avcodec/shorten: Fix integer overflow in residual/LPC combination Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented in type 'int' Fixes: 9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 9094d3fc55..054494f8ce 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -391,7 +391,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (j = 0; j < pred_order; j++) sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + - (sum >> qshift); + (unsigned)(sum >> qshift); } /* add offset to current samples */ From e3cc5e81ab00f8b7a8ca230cd4cdba28443a39ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Aug 2018 23:06:55 +0200 Subject: [PATCH 0326/1764] avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame() Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 9480/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6647324284551168 -rss_limit_mb=2000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b604e96a51a1fca92bbabfe4f7ac53f0470ee41) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 054494f8ce..1ffb7d8d79 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -715,7 +715,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (s->version < 2) s->offset[channel][s->nmean - 1] = sum / s->blocksize; else - s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1 << s->bitshift); + s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1LL << s->bitshift); } /* copy wrap samples for use with next block */ From 007da8396fedde3a3fb8c99cb7c7aaa46cdec1c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Aug 2018 23:45:52 +0200 Subject: [PATCH 0327/1764] avcodec/scpr: Check for min > max in decompress_p() Fixes: Timeout Fixes: 9342/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4795990841229312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3378194ce8e9a126a7cc6ed57bedde1221790469) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index ad6073dbf0..66b4157576 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -522,6 +522,9 @@ static int decompress_p(AVCodecContext *avctx, return ret; max += temp << 8; + if (min > max) + return AVERROR_INVALIDDATA; + memset(s->blocks, 0, sizeof(*s->blocks) * s->nbcount); while (min <= max) { From 17c03479779111d966ff284c50fd09e008971653 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 15:36:29 +0200 Subject: [PATCH 0328/1764] avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() Fixes: long running loop Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2eec1762d372663c35aaf3d6ee419bafb185057) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 3eb49a5d29..f3fa550c63 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1270,6 +1270,8 @@ static int ivr_read_header(AVFormatContext *s) if (avio_rb32(pb) == MKBETAG('M', 'L', 'T', 'I')) { ret = rm_read_multi(s, pb, st, NULL); } else { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -4, SEEK_CUR); ret = ff_rm_read_mdpr_codecdata(s, pb, st, st->priv_data, len, NULL); } From ff5196a98afbcfe0661d937a66ced6cf0844db3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 15:36:28 +0200 Subject: [PATCH 0329/1764] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned Fixes: infinite loop Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 319cd26de4..6d774a191d 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -77,7 +77,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) return 0; } -static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, int size) +static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); if (!value) { From 0ef49c0818f29150d74d01c264ac792acd5598dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Aug 2018 12:23:20 +0200 Subject: [PATCH 0330/1764] avformat/nsvdec: Do not parse multiple NSVf The specification states "NSV files may contain a single file header. " Fixes: out of array access Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421 Found-by: Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index d8ce656817..92f7d178f6 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -176,6 +176,7 @@ typedef struct NSVContext { int16_t avsync; AVRational framerate; uint32_t *nsvs_timestamps; + int nsvf; } NSVContext; static const AVCodecTag nsv_codec_video_tags[] = { @@ -266,6 +267,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) nsv->state = NSV_UNSYNC; /* in case we fail */ + if (nsv->nsvf) { + av_log(s, AV_LOG_TRACE, "Multiple NSVf\n"); + return 0; + } + nsv->nsvf = 1; + size = avio_rl32(pb); if (size < 28) return -1; From 812f7fae356af4ef679fe4fde09cce56b92726e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Aug 2018 20:15:19 +0200 Subject: [PATCH 0331/1764] avcodec/snowdec: Fix integer overflow with motion vector residual Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in type 'int' Fixes: 9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 0146a2a4c9..59bd24e881 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -208,8 +208,8 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ return AVERROR_INVALIDDATA; } pred_mv(s, &mx, &my, ref, left, top, tr); - mx+= get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); - my+= get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); + mx+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(mx_context + 16*!!ref)], 1); + my+= (unsigned)get_symbol(&s->c, &s->block_state[128 + 32*(my_context + 16*!!ref)], 1); } set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type); }else{ From 88afcff2f5530ec08f2e559987d73945da640aea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Aug 2018 22:19:23 +0200 Subject: [PATCH 0332/1764] avcodec/vb: Check for end of bytestream before reading blocktype Fixes: Timeout Fixes: 9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index 021657f7d8..c6dd6fb456 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset) blk2 = 0; for (blk = 0; blk < blocks; blk++) { if (!(blk & 3)) { + if (bytestream2_get_bytes_left(&g) < 1) { + av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n"); + return AVERROR_INVALIDDATA; + } blocktypes = bytestream2_get_byte(&g); } switch (blocktypes & 0xC0) { From b61b38766ee9ebf31f69bea834fa23bb63dcb8b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Aug 2018 22:53:32 +0200 Subject: [PATCH 0333/1764] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() Fixes: Timeout Fixes: 9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index f88ad7d5f5..ec9da3e04f 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -181,6 +181,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup, int flag = 0; int i, ret, cbp; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1); for (i = 0; i < 12; i++) From 462edf5b94354fac265f5c76eff7c733f8ee5b3e Mon Sep 17 00:00:00 2001 From: Michael Bunk Date: Thu, 30 Aug 2018 08:56:19 +0200 Subject: [PATCH 0334/1764] examples: Fix use of AV_CODEC_FLAG_GLOBAL_HEADER AV_CODEC_FLAG_GLOBAL_HEADER should be set before calling avcodec_open2() to have any effect. Signed-off-by: Michael Niedermayer (cherry picked from commit a82e4fb8c6f26e75506df6818fee1b61f940cbeb) Signed-off-by: Michael Niedermayer --- doc/examples/transcoding.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c index fb15a2148d..6e5124e6d3 100644 --- a/doc/examples/transcoding.c +++ b/doc/examples/transcoding.c @@ -173,6 +173,9 @@ static int open_output_file(const char *filename) enc_ctx->time_base = (AVRational){1, enc_ctx->sample_rate}; } + if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER) + enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER; + /* Third parameter can be used to pass settings to encoder */ ret = avcodec_open2(enc_ctx, encoder, NULL); if (ret < 0) { @@ -184,8 +187,6 @@ static int open_output_file(const char *filename) av_log(NULL, AV_LOG_ERROR, "Failed to copy encoder parameters to output stream #%u\n", i); return ret; } - if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER) - enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER; out_stream->time_base = enc_ctx->time_base; stream_ctx[i].enc_ctx = enc_ctx; From eab5f6e419ec8b195d0247d5a4acce9cfc9e0f7a Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 30 Aug 2018 15:18:25 -0700 Subject: [PATCH 0335/1764] avformat/mov: Error on too large stsd entry counts. Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations. This is similar to an existing check in mov_read_stsc(). Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7f5f93e648..2328b8f445 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2365,7 +2365,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); - if (entries <= 0) { + /* Each entry contains a size (4 bytes) and format (4 bytes). */ + if (entries <= 0 || entries > atom.size / 8) { av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries); return AVERROR_INVALIDDATA; } From 073a65aefc2e17969d4508760fdda9e769e596c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Aug 2018 01:58:32 +0200 Subject: [PATCH 0336/1764] avcodec/indeo4: Check dimensions in decode_pic_hdr() Fixes: Timeout Fixes: 9654/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-6289863463665664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7592e88bfe3d5bf9109a55acd025af9110618405) Signed-off-by: Michael Niedermayer --- libavcodec/indeo4.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 15ad6f8afc..4bfc6cdd74 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -30,6 +30,7 @@ #define BITSTREAM_READER_LE #include "avcodec.h" #include "get_bits.h" +#include "libavutil/imgutils.h" #include "indeo4data.h" #include "internal.h" #include "ivi.h" @@ -178,6 +179,13 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) pic_conf.chroma_bands = 0; if (pic_conf.luma_bands) pic_conf.chroma_bands = decode_plane_subdivision(&ctx->gb); + + if (av_image_check_size2(pic_conf.pic_width, pic_conf.pic_height, avctx->max_pixels, AV_PIX_FMT_YUV410P, 0, avctx) < 0) { + av_log(avctx, AV_LOG_ERROR, "picture dimensions %d %d cannot be decoded\n", + pic_conf.pic_width, pic_conf.pic_height); + return AVERROR_INVALIDDATA; + } + ctx->is_scalable = pic_conf.luma_bands != 1 || pic_conf.chroma_bands != 1; if (ctx->is_scalable && (pic_conf.luma_bands != 4 || pic_conf.chroma_bands != 1)) { av_log(avctx, AV_LOG_ERROR, "Scalability: unsupported subdivision! Luma bands: %d, chroma bands: %d\n", From ee8b4c16d792482b0bec75dbe4d1fdb01f236985 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Aug 2018 02:26:24 +0200 Subject: [PATCH 0337/1764] avcodec/ra144: Fix undefined integer overflow in add_wav() Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 'int' Fixes: 9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index cf8127c236..573703d70b 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) - dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12; + dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; From ab5d930762389f4200fb600c84580e6b79b2c153 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Aug 2018 02:06:27 +0200 Subject: [PATCH 0338/1764] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() Signed-off-by: Michael Niedermayer (cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index af70829594..2cdb67f978 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -806,6 +806,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h) } } + // Detect unmarked random access points if ( err >= 0 && h->long_ref_count==0 && ( h->short_ref_count<=2 From 1a106752f37cf9119615e0db908d13b714f565d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Sep 2018 04:24:49 +0200 Subject: [PATCH 0339/1764] avcodec/dvdsubdec: Avoid branch in decode_run_8bit() Speed improvment 35.5 sec -> 34.7sec Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index e18113c20c..a5107096df 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color) { int len; int has_run = get_bits1(gb); - if (get_bits1(gb)) - *color = get_bits(gb, 8); - else - *color = get_bits(gb, 2); + *color = get_bits(gb, 2 + 6*get_bits1(gb)); if (has_run) { if (get_bits1(gb)) { len = get_bits(gb, 7); From 98709a12448283bff56a03f436c735d2f58e7b3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Sep 2018 02:08:20 +0200 Subject: [PATCH 0340/1764] avcodec/shorten: Fix bitstream end check in read_header() Fixes: Timeout Fixes: 9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 1ffb7d8d79..4b45e6d6dc 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -456,7 +456,7 @@ static int read_header(ShortenContext *s) } skip_bytes = get_uint(s, NSKIPSIZE); - if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { + if ((unsigned)skip_bytes > FFMAX(get_bits_left(&s->gb), 0)/8) { av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); return AVERROR_INVALIDDATA; } From 80af29f32e54ae1d7d5f69d966d86ebda56517f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Sep 2018 21:33:59 +0200 Subject: [PATCH 0341/1764] avcodec/zmbv: Update decomp_len in raw frames decomp_len is used in raw frames, so it should not be left at the value from whatever was decoded previously (which may be any other frame) Signed-off-by: Michael Niedermayer (cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index f91d2e3931..1ec656be36 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } memcpy(c->decomp_buf, buf, len); + c->decomp_len = len; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = (uint8_t*)buf; From 127ec77e8cc5563c21966ed0dc61be00ee167e71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Sep 2018 00:28:37 +0200 Subject: [PATCH 0342/1764] avcodec/zmbv: Check that the decompressed data size is correct This checks the value exactly for intra frames and checks it against a minimum for inter frames as they can be variable. Fixes: Timeout Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 1ec656be36..b994e96e95 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; + int expected_size; /* parse header */ if (len < 1) @@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } + if (c->flags & ZMBV_KEYFRAME) { + expected_size = avctx->width * avctx->height * (c->bpp / 8); + } else { + expected_size = (c->bx * c->by * 2 + 3) & ~3; + } + if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && + (c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME))) + expected_size += 768; if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); @@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } + if (expected_size > c->decomp_len || + (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) { + av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); + return AVERROR_INVALIDDATA; + } if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; From f80da843b219d978d8c102a5ade94e032a09f9a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Sep 2018 00:20:38 +0200 Subject: [PATCH 0343/1764] avcodec/mpeg4videodec: Fix undefined shift in get_amv() Fixes: runtime error: shift exponent -1 is negative Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 319a3809ea..91a0d726f9 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -539,7 +539,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) len >>= s->quarter_sample; if (s->real_sprite_warping_points == 1) { - if (ctx->divx_version == 500 && ctx->divx_build == 413) + if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= s->quarter_sample) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); From 50aa132f4d34465e291eb7acb5c884e4d8aa7232 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Sep 2018 03:33:50 +0200 Subject: [PATCH 0344/1764] avcodec/dvdsubdec: Sanity check len in decode_rle() Fixes: Timeout Fixes: 9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91) Signed-off-by: Michael Niedermayer --- libavcodec/dvdsubdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index a5107096df..cf10844753 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h, len = decode_run_8bit(&gb, &color); else len = decode_run_2bit(&gb, &color); + if (len != INT_MAX && len > w - x) + return AVERROR_INVALIDDATA; len = FFMIN(len, w - x); memset(d + x, color, len); x += len; From 848726afc642fbe8aea7773594506bfb495bd8ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Aug 2018 16:13:24 +0200 Subject: [PATCH 0345/1764] avcodec/gdv: Replace divisions by shifts in rescale() Divisions tend to be slower than shifts unless the compiler optimizes them out. And some of these are in inner loops. Signed-off-by: Michael Niedermayer (cherry picked from commit b90d8cc7466386a166dd72107457498aa5a7c43d) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index dc91869edf..d4d24931c9 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -85,14 +85,14 @@ static void rescale(GDVContext *gdv, uint8_t *dst, int w, int h, int scale_v, in int y = h - j - 1; for (i = 0; i < w; i++) { int x = w - i - 1; - dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x/2 + (y/2) * (w/2)]; + dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + (x>>1) + (y>>1) * (w>>1)]; } } } else if (gdv->scale_h) { for (j = 0; j < h; j++) { int y = h - j - 1; for (x = 0; x < w; x++) { - dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x + (y/2) * w]; + dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x + (y>>1) * w]; } } } else if (gdv->scale_v) { @@ -100,26 +100,26 @@ static void rescale(GDVContext *gdv, uint8_t *dst, int w, int h, int scale_v, in int y = h - j - 1; for (i = 0; i < w; i++) { int x = w - i - 1; - dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x/2 + y * (w/2)]; + dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + (x>>1) + y * (w>>1)]; } } } if (scale_h && scale_v) { - for (y = 0; y < h/2; y++) { - for (x = 0; x < w/2; x++) { - dst[PREAMBLE_SIZE + x + y * (w/2)] = dst[PREAMBLE_SIZE + x*2 + y*2 * w]; + for (y = 0; y < (h>>1); y++) { + for (x = 0; x < (w>>1); x++) { + dst[PREAMBLE_SIZE + x + y * (w>>1)] = dst[PREAMBLE_SIZE + x*2 + y*2 * w]; } } } else if (scale_h) { - for (y = 0; y < h/2; y++) { + for (y = 0; y < (h>>1); y++) { for (x = 0; x < w; x++) { dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x + y*2 * w]; } } } else if (scale_v) { for (y = 0; y < h; y++) { - for (x = 0; x < w/2; x++) { + for (x = 0; x < (w>>1); x++) { dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x*2 + y * w]; } } From 0cbd4fb9955e1cb3ff2427b1a7dbf1b0da4d57d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Sep 2018 15:18:17 +0200 Subject: [PATCH 0346/1764] avcodec/unary: Improve get_unary() docs Found-by: kierank Signed-off-by: Michael Niedermayer (cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b) Signed-off-by: Michael Niedermayer --- libavcodec/unary.h | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/libavcodec/unary.h b/libavcodec/unary.h index 908dc93507..d57f9f70c5 100644 --- a/libavcodec/unary.h +++ b/libavcodec/unary.h @@ -28,7 +28,20 @@ * @param gb GetBitContext * @param[in] stop The bitstop value (unary code of 1's or 0's) * @param[in] len Maximum length - * @return Unary length/index + * @return unary 0 based code index. This is also the length in bits of the + * code excluding the stop bit. + * (in case len=1) + * 1 0 + * 0 1 + * (in case len=2) + * 1 0 + * 01 1 + * 00 2 + * (in case len=3) + * 1 0 + * 01 1 + * 001 2 + * 000 3 */ static inline int get_unary(GetBitContext *gb, int stop, int len) { From e9975d1b511812984f208128711a6aa68eddf82a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Oct 2018 03:00:32 +0200 Subject: [PATCH 0347/1764] avformat/utils: Fix integer overflow in discontinuity check Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long' Fixes: find_stream_info_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 75adea10e3..db79577548 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3748,7 +3748,7 @@ FF_ENABLE_DEPRECATION_WARNINGS * sequence, we treat it as a discontinuity. */ if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && - (pkt->dts - st->info->fps_last_dts) / 1000 > + (pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 > (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, From d17d08035cd4e8cc6782ad251d39b6c61913518e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 12 Oct 2018 20:55:25 +0200 Subject: [PATCH 0348/1764] avformat/utils: Never store negative values in last_IP_duration Fixes: integer overflow compute_pkt_fields() Fixes: compute_pkt_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index db79577548..27071e10b4 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1314,7 +1314,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, /* This is tricky: the dts must be incremented by the duration * of the frame we are displaying, i.e. the last I- or P-frame. */ - if (st->last_IP_duration == 0) + if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= INT32_MAX) st->last_IP_duration = pkt->duration; if (pkt->dts != AV_NOPTS_VALUE) st->cur_dts = pkt->dts + st->last_IP_duration; @@ -1326,7 +1326,8 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, next_pts != AV_NOPTS_VALUE) pkt->pts = next_dts; - st->last_IP_duration = pkt->duration; + if ((uint64_t)pkt->duration <= INT32_MAX) + st->last_IP_duration = pkt->duration; st->last_IP_pts = pkt->pts; /* Cannot compute PTS if not present (we can compute it only * by knowing the future. */ From a3ef90a73cd9a2d09f8529b9672d05a1cf3ea825 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Oct 2018 04:25:50 +0200 Subject: [PATCH 0349/1764] avcodec/ra144: Fix integer overflow in add_wav() Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in type 'int' Fixes: 10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e) Signed-off-by: Michael Niedermayer --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 573703d70b..65a744876c 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) - dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; + dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; From ced37ef52c24d35ac61bf885a753799d2dee464e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Oct 2018 03:13:41 +0200 Subject: [PATCH 0350/1764] avcodec/h264_cavlc: Check mb_skip_run Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264 Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725) Signed-off-by: Michael Niedermayer --- libavcodec/h264_cavlc.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 5e6a20304a..d82144e3c3 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl) cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */ if (sl->slice_type_nos != AV_PICTURE_TYPE_I) { - if (sl->mb_skip_run == -1) - sl->mb_skip_run = get_ue_golomb_long(&sl->gb); + if (sl->mb_skip_run == -1) { + unsigned mb_skip_run = get_ue_golomb_long(&sl->gb); + if (mb_skip_run > h->mb_num) { + av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run); + return AVERROR_INVALIDDATA; + } + sl->mb_skip_run = mb_skip_run; + } if (sl->mb_skip_run--) { if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) { From 6763ff890e41fb6669ce2cbc1ec1108d12641318 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Oct 2018 01:19:36 +0200 Subject: [PATCH 0351/1764] avcodec/mpeg4videodec: Fix typo in sprite delta check Fixes: Integer overflow Fixes: 10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b737317a8813e671c00b8ac7023c47e48ffeb1c8) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 91a0d726f9..d241c58e8a 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -392,7 +392,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || - llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || From 1bcc79db44ed0089c6dd7b2ce3ed99234bfa73db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Oct 2018 22:35:37 +0200 Subject: [PATCH 0352/1764] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling Fixes: assertion failure Fixes: 10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 5cba177513..3edcb81094 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1130,7 +1130,7 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; - if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) + if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) continue; for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { From 707ec3cfc00b227dcc2189cfdd51807f3cd45a92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Oct 2018 14:40:14 +0200 Subject: [PATCH 0353/1764] avcodec/msrle: Check that the input is large enough to contain a end of picture code Fixes: Timeout Fixes: 10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 203ccb8746997777ce66beadd53b4631d217b9cd) Signed-off-by: Michael Niedermayer --- libavcodec/msrle.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index adb55b1302..1ab8a41985 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + if (buf_size < 2) //Minimally a end of picture code should be there + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; From 0e853b61e65c81f31da5707d40559815bfa39767 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Oct 2018 01:44:12 +0200 Subject: [PATCH 0354/1764] avutil/integer: Fix integer overflow in av_mul_i() Found-by: fate Signed-off-by: Michael Niedermayer (cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe) Signed-off-by: Michael Niedermayer --- libavutil/integer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/integer.c b/libavutil/integer.c index 6d6855fa1b..ba4aa778c9 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){ if(a.v[i]) for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i]; + carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i]; out.v[j]= carry; } } From cb74b3ff27d510c62b6a78fef5a416674bbb4e51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Nov 2018 15:40:09 +0100 Subject: [PATCH 0355/1764] Update for 3.4.5 Signed-off-by: Michael Niedermayer --- Changelog | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 50 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 5560069441..cbc6ae7675 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,54 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.5: +- avutil/integer: Fix integer overflow in av_mul_i() +- avcodec/msrle: Check that the input is large enough to contain a end of picture code +- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling +- avcodec/mpeg4videodec: Fix typo in sprite delta check +- avcodec/h264_cavlc: Check mb_skip_run +- avcodec/ra144: Fix integer overflow in add_wav() +- avformat/utils: Never store negative values in last_IP_duration +- avformat/utils: Fix integer overflow in discontinuity check +- avcodec/unary: Improve get_unary() docs +- avcodec/gdv: Replace divisions by shifts in rescale() +- avcodec/dvdsubdec: Sanity check len in decode_rle() +- avcodec/mpeg4videodec: Fix undefined shift in get_amv() +- avcodec/zmbv: Check that the decompressed data size is correct +- avcodec/zmbv: Update decomp_len in raw frames +- avcodec/shorten: Fix bitstream end check in read_header() +- avcodec/dvdsubdec: Avoid branch in decode_run_8bit() +- avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() +- avcodec/ra144: Fix undefined integer overflow in add_wav() +- avcodec/indeo4: Check dimensions in decode_pic_hdr() +- avformat/mov: Error on too large stsd entry counts. +- examples: Fix use of AV_CODEC_FLAG_GLOBAL_HEADER +- avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() +- avcodec/vb: Check for end of bytestream before reading blocktype +- avcodec/snowdec: Fix integer overflow with motion vector residual +- avformat/nsvdec: Do not parse multiple NSVf +- avformat/mlvdec: read_string() received unsigned size, make the argument unsigned +- avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() +- avcodec/scpr: Check for min > max in decompress_p() +- avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame() +- avcodec/shorten: Fix integer overflow in residual/LPC combination +- avcodec/shorten: Check verbatim length +- avcodec/mpegaudio_parser: Initialize poutbuf* +- avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c() +- avformat/flvenc: Check audio packet size +- lavc/svq3: Fix regression decoding some files. +- avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() +- avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too +- avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions +- avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case +- avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i() +- avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() +- swresample/swresample: Fix input channel count in resample_first computation +- avutil/pixfmt: Document chroma plane size for odd resolutions +- avcodec/cuviddec: properly take deinterlacing and display delay into account for buffer_full check +- configure: add LIBDRM to extralibs_avutil +- avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NUL + version 3.4.4: - avcodec/dvdsub_parser: Allocate input padding - avcodec/dvdsub_parser: Init output buf/size diff --git a/RELEASE b/RELEASE index f9892605c7..4f5e69734c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.4 +3.4.5 diff --git a/doc/Doxyfile b/doc/Doxyfile index 883d9a5680..4ac2d47e66 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.4 +PROJECT_NUMBER = 3.4.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 15b385efca6a79e3762cfbfdd7a5678e245e811e Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Nov 2017 16:32:54 +0100 Subject: [PATCH 0356/1764] avfilter/af_silenceremove: fix possible crash if supplied duration is negative Signed-off-by: Paul B Mahol Fixes ticket #7697. (cherry picked from commit 2d1594a8d6a754a426cb53184dccf9cf8c8a94b0) --- libavfilter/af_silenceremove.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavfilter/af_silenceremove.c b/libavfilter/af_silenceremove.c index af50463059..25a453a085 100644 --- a/libavfilter/af_silenceremove.c +++ b/libavfilter/af_silenceremove.c @@ -186,8 +186,17 @@ static int config_input(AVFilterLink *inlink) s->start_duration = av_rescale(s->start_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->start_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative\n"); + s->start_duration = -s->start_duration; + } + s->stop_duration = av_rescale(s->stop_duration, inlink->sample_rate, AV_TIME_BASE); + if (s->stop_duration < 0) { + av_log(ctx, AV_LOG_WARNING, "stop duration must be non-negative\n"); + s->stop_duration = -s->stop_duration; + } s->start_holdoff = av_malloc_array(FFMAX(s->start_duration, 1), sizeof(*s->start_holdoff) * From da6a61606a1936a6ccceb6a4868247a19309c140 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 18 Mar 2019 17:25:58 -0300 Subject: [PATCH 0357/1764] avcodec/hevcdec: decode at most one slice reporting being the first in the picture Fixes deadlocks when decoding packets containing more than one of the aforementioned slices when using frame threads. Tested-by: Derek Buitenhuis Signed-off-by: James Almer (cherry picked from commit 70c8c8a818f39bc262565ec29fae2baffb3e1660) --- libavcodec/hevcdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 89b121d2f0..734c42037a 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2864,6 +2864,10 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) return ret; if (s->sh.first_slice_in_pic_flag) { + if (s->ref) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + goto fail; + } if (s->max_ra == INT_MAX) { if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { s->max_ra = s->poc; From f3404f6b90ef740bfc0a9924a033c78c4947e2f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Oct 2018 21:08:39 +0100 Subject: [PATCH 0358/1764] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case Fixes: Timeout Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896 Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index a072851ecf..04400a44e7 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, "MP3ADU full parser"); *poutbuf = NULL; *poutbuf_size = 0; - return 0; /* parsers must not return error codes */ + return buf_size; /* parsers must not return error codes */ } break; From a6e6b866694ea1d8627e392f138a1029d9e54a19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Nov 2018 20:00:16 +0100 Subject: [PATCH 0359/1764] avcodec/cavsdec: Propagate error codes inside decode_mb_i() Fixes: Timeout Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index c7fff67c06..5f3b354518 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, } -static inline void decode_residual_chroma(AVSContext *h) +static inline int decode_residual_chroma(AVSContext *h) { - if (h->cbp & (1 << 4)) - decode_residual_block(h, &h->gb, chroma_dec, 0, + if (h->cbp & (1 << 4)) { + int ret = decode_residual_block(h, &h->gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride); - if (h->cbp & (1 << 5)) - decode_residual_block(h, &h->gb, chroma_dec, 0, + if (ret < 0) + return ret; + } + if (h->cbp & (1 << 5)) { + int ret = decode_residual_block(h, &h->gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride); + if (ret < 0) + return ret; + } + return 0; } static inline int decode_residual_inter(AVSContext *h) @@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; + int ret; ff_cavs_init_mb(h); @@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code) ff_cavs_load_intra_pred_luma(h, top, &left, block); h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]] (d, top, left, h->l_stride); - if (h->cbp & (1<qp, d, h->l_stride); + if (h->cbp & (1<qp, d, h->l_stride); + if (ret < 0) + return ret; + } } /* chroma intra prediction */ @@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code) h->intra_pred_c[pred_mode_uv](h->cv, &h->top_border_v[h->mbx * 10], h->left_border_v, h->c_stride); - decode_residual_chroma(h); + ret = decode_residual_chroma(h); + if (ret < 0) + return ret; ff_cavs_filter(h, I_8X8); set_mv_intra(h); return 0; From e8aaadd41ea508ab1e0f28b2bf68b3433d041b9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Nov 2018 19:59:27 +0100 Subject: [PATCH 0360/1764] avcodec/shorten: Fix integer overflow with offset Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int' Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4b45e6d6dc..4134af74cf 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* subtract offset from previous samples to use in prediction */ if (command == FN_QLPC && coffset) for (i = -pred_order; i < 0; i++) - s->decoded[channel][i] -= coffset; + s->decoded[channel][i] -= (unsigned)coffset; /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; @@ -397,7 +397,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* add offset to current samples */ if (command == FN_QLPC && coffset) for (i = 0; i < s->blocksize; i++) - s->decoded[channel][i] += coffset; + s->decoded[channel][i] += (unsigned)coffset; return 0; } From 4376377c51335f0d28ca1470d625aae8342ead95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Nov 2018 20:29:40 +0100 Subject: [PATCH 0361/1764] fftools/ffmpeg: Repair reinit_filter feature Signed-off-by: Michael Niedermayer (cherry picked from commit 35040048793bc5d19942277fe17d1235e915a7d8) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index f19d9b8e73..0def128650 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -2154,9 +2154,6 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) /* determine if the parameters for this input changed */ need_reinit = ifilter->format != frame->format; - if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || - (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) - need_reinit = 1; switch (ifilter->ist->st->codecpar->codec_type) { case AVMEDIA_TYPE_AUDIO: @@ -2170,6 +2167,13 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) break; } + if (!ifilter->ist->reinit_filters && fg->graph) + need_reinit = 0; + + if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || + (ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) + need_reinit = 1; + if (need_reinit) { ret = ifilter_parameters_from_frame(ifilter, frame); if (ret < 0) From 5e1133920f52f9baa05134702e10b1d02c5a5a8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Nov 2018 03:12:45 +0100 Subject: [PATCH 0362/1764] avcodec/pngdec: Check compression method method 0 (inflate/deflate) is the only specified in the specification and the only supported Fixes: Timeout Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99674ddddcc33f4c37def0a206e31ad7c4c1af) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 0d6612ccca..0a2772f763 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -577,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); + if (s->compression_type) { + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type); + goto error; + } s->filter_type = bytestream2_get_byte(&s->gb); s->interlace_type = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */ From 940c6f3fb1899069c8575ca7ed52310a2c9ec5e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Nov 2018 00:38:53 +0100 Subject: [PATCH 0363/1764] avcodec/truemotion2: fix integer overflows in tm2_low_chroma() Fixes: 11295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-4888953459572736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ae39d795613f3c6925c59852b625029b747fe42) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index b689efdb99..2945d9948d 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -480,7 +480,7 @@ static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *C } } -static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, int *deltas, int bx) +static inline void tm2_low_chroma(int *data, int stride, int *clast, unsigned *CD, int *deltas, int bx) { int t; int l; @@ -490,8 +490,8 @@ static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, in prev = clast[-3]; else prev = 0; - t = (CD[0] + CD[1]) >> 1; - l = (prev - CD[0] - CD[1] + clast[1]) >> 1; + t = (int)(CD[0] + CD[1]) >> 1; + l = (int)(prev - CD[0] - CD[1] + clast[1]) >> 1; CD[1] = CD[0] + CD[1] - t; CD[0] = t; clast[0] = l; From 506b9c88c739097a62622b7a28cf4577d36e2107 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Nov 2018 09:24:30 +0100 Subject: [PATCH 0364/1764] avcodec/truemotion2rt: Fix rounding in input size check Fixes: Timeout Fixes: 11332/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5678456612847616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f22a4ebc97817fd0968f5ea8295c9a59a6292e0) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2rt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2rt.c b/libavcodec/truemotion2rt.c index 9df0b527bb..e3ab998fda 100644 --- a/libavcodec/truemotion2rt.c +++ b/libavcodec/truemotion2rt.c @@ -116,7 +116,7 @@ static int truemotion2rt_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; - if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) + if ((avctx->width + s->hscale - 1)/ s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) return AVERROR_INVALIDDATA; ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret); From f06485063df089145ad91f6e53d17587bcaf0fb6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Nov 2018 02:32:10 +0100 Subject: [PATCH 0365/1764] avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size Frames that small are not valid and of limited use for error concealment, while being very computationally intensive to process. Fixes: Timeout Fixes: 11318/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSMPEG4V1_fuzzer-5710884555456512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09ec182864d41c990bc18f620eabb77444aeff57) Signed-off-by: Michael Niedermayer --- libavcodec/msmpeg4dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 4105d4ba7d..2de308f608 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -409,6 +409,14 @@ int ff_msmpeg4_decode_picture_header(MpegEncContext * s) { int code; + // at minimum one bit per macroblock is required at least in a valid frame, + // we discard frames much smaller than this. Frames smaller than 1/8 of the + // smallest "black/skip" frame generally contain not much recoverable content + // while at the same time they have the highest computational requirements + // per byte + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) + return AVERROR_INVALIDDATA; + if(s->msmpeg4_version==1){ int start_code = get_bits_long(&s->gb, 32); if(start_code!=0x00000100){ From d6aac086b61ca11f813105695cbf69f0e0da529b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Nov 2018 23:37:03 +0100 Subject: [PATCH 0366/1764] avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size Frames that small are not valid and of limited use for error concealment, while being very computationally intensive to process. Fixes: Timeout Fixes: 11168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5733782032744448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6f4341522c3eafb046c47b115d79ce684a899fc) Signed-off-by: Michael Niedermayer --- libavcodec/wmv2dec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index 225e30ab5a..1aa0da0271 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -166,6 +166,14 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } s->dc_table_index = get_bits1(&s->gb); + + // at minimum one bit per macroblock is required at least in a valid frame, + // we discard frames much smaller than this. Frames smaller than 1/8 of the + // smallest "black/skip" frame generally contain not much recoverable content + // while at the same time they have the highest computational requirements + // per byte + if (get_bits_left(&s->gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) + return AVERROR_INVALIDDATA; } s->inter_intra_pred = 0; s->no_rounding = 1; From a6d25b6ba54826c545febc55ce77feb15f61efef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Dec 2018 22:16:19 +0100 Subject: [PATCH 0367/1764] avcodec/msvideo1: Check for too small dimensions Such low resolution would result in empty output as a minimum of 4x4 is needed We could also check for multiple of 4 dimensions but that is not needed Fixes: Timeout Fixes: 11191/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSVIDEO1_fuzzer-5739529588178944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 953bd58861ad933e614510140b05a61e3d1375be) Signed-off-by: Michael Niedermayer --- libavcodec/msvideo1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 29700f54b6..de048d8b6f 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -62,6 +62,9 @@ static av_cold int msvideo1_decode_init(AVCodecContext *avctx) s->avctx = avctx; + if (avctx->width < 4 || avctx->height < 4) + return AVERROR_INVALIDDATA; + /* figure out the colorspace based on the presence of a palette */ if (s->avctx->bits_per_coded_sample == 8) { s->mode_8bit = 1; From 04fe02bd80bc8dddd1e9d5a1cc9d336fc3a5a6da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 Dec 2018 16:29:40 +0100 Subject: [PATCH 0368/1764] avcodec/ppc/hevcdsp: Fix build failures with powerpc-linux-gnu-gcc-4.8 with --disable-optimizations The affected functions could also be changed into macros, this is the smaller change to fix it though. And avoids (probably) less readable macros The extra code should be optimized out when optimizations are done as all values are known at build after inlining. Signed-off-by: Michael Niedermayer (cherry picked from commit 2c64a6bcd280c64997e6c4799bc89c0a9393bbf3) Signed-off-by: Michael Niedermayer --- libavcodec/ppc/hevcdsp.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/libavcodec/ppc/hevcdsp.c b/libavcodec/ppc/hevcdsp.c index 4b1037d792..42a5bc487d 100644 --- a/libavcodec/ppc/hevcdsp.c +++ b/libavcodec/ppc/hevcdsp.c @@ -57,7 +57,13 @@ static void transform4x4(vec_s16 src_01, vec_s16 src_23, vec_s32 res[4], e1 = vec_msums(src_02, trans4[2], zero); o1 = vec_msums(src_13, trans4[3], zero); - add = vec_sl(vec_splat_s32(1), vec_splat_u32(shift - 1)); + switch(shift) { + case 7: add = vec_sl(vec_splat_s32(1), vec_splat_u32( 7 - 1)); break; + case 10: add = vec_sl(vec_splat_s32(1), vec_splat_u32(10 - 1)); break; + case 12: add = vec_sl(vec_splat_s32(1), vec_splat_u32(12 - 1)); break; + default: abort(); + } + e0 = vec_add(e0, add); e1 = vec_add(e1, add); @@ -70,7 +76,14 @@ static void transform4x4(vec_s16 src_01, vec_s16 src_23, vec_s32 res[4], static void scale(vec_s32 res[4], vec_s16 res_packed[2], int shift) { int i; - vec_u32 v_shift = vec_splat_u32(shift); + vec_u32 v_shift; + + switch(shift) { + case 7: v_shift = vec_splat_u32(7) ; break; + case 10: v_shift = vec_splat_u32(10); break; + case 12: v_shift = vec_splat_u32(12); break; + default: abort(); + } for (i = 0; i < 4; i++) res[i] = vec_sra(res[i], v_shift); From cb901e183608b58b6ed9aea0f11c77b20967fe0e Mon Sep 17 00:00:00 2001 From: chcunningham Date: Thu, 13 Dec 2018 13:58:40 -0800 Subject: [PATCH 0369/1764] lavf/mov: ensure only one tkhd per trak Chromium fuzzing produced a whacky file with extra tkhds. This caused an AVStream that was already in use to be corrupted by assigning it a new id, which blows up later in mov_read_trun because the MOVFragmentStreamInfo.index_entry now points OOB. Reviewed-by: Baptiste Coudurier Signed-off-by: Michael Niedermayer (cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2328b8f445..6e954dd444 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3805,7 +3805,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); - st->id = c->fc->nb_streams; + st->id = -1; sc = av_mallocz(sizeof(MOVStreamContext)); if (!sc) return AVERROR(ENOMEM); @@ -4087,6 +4087,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + // Each stream (trak) should have exactly 1 tkhd. This catches bad files and + // avoids corrupting AVStreams mapped to an earlier tkhd. + if (st->id != -1) + return AVERROR_INVALIDDATA; + version = avio_r8(pb); flags = avio_rb24(pb); st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0; From f9b7c87145d20363f2aa027b62e5aac9afb927f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 14 Dec 2018 21:52:09 +0100 Subject: [PATCH 0370/1764] avformat/nutenc: Document trailer index assert better Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3a95b73abc868995b08ca2b4d8bbf2cda43184f8) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index a92ff55c01..e9a3bb49db 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -1172,7 +1172,7 @@ static int nut_write_trailer(AVFormatContext *s) ret = avio_open_dyn_buf(&dyn_bc); if (ret >= 0 && nut->sp_count) { - av_assert1(nut->write_index); + av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); } From 96062eb3cc82134921f12da02c2842fa21208742 Mon Sep 17 00:00:00 2001 From: chcunningham Date: Fri, 14 Dec 2018 13:44:07 -0800 Subject: [PATCH 0371/1764] lavf/id3v2: fail read_apic on EOF reading mimetype MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit avio_read may return EOF, leaving the mimetype array unitialized. fail early when this occurs to avoid using the array in an unitialized state. Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e39a576977fd38c3b94fc56125d31d38833e9) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 6c216ba7a2..ac39b03af4 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -589,7 +589,7 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, int isv34) { int enc, pic_type; - char mimetype[64]; + char mimetype[64] = {0}; const CodecMime *mime = ff_id3v2_mime_tags; enum AVCodecID id = AV_CODEC_ID_NONE; ID3v2ExtraMetaAPIC *apic = NULL; @@ -611,7 +611,9 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, if (isv34) { taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); } else { - avio_read(pb, mimetype, 3); + if (avio_read(pb, mimetype, 3) < 0) + goto fail; + mimetype[3] = 0; taglen -= 3; } From e657e8e8d69b471f9fe9ee6a4eab3d1d559c569c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Dec 2018 14:27:48 +0100 Subject: [PATCH 0372/1764] avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan() Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit ea30ac1e408246382796f61d645d1e087aed390a) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 95d35fbc31..4498bf8be7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1157,25 +1157,25 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, || v * mb_y + y >= s->height) { // Nothing to do } else if (bits<=8) { - ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap - if(y==0 && toprow){ - if(x==0 && leftcol){ - pred= 1 << (bits - 1); + ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap + if(y==0 && toprow){ + if(x==0 && leftcol){ + pred= 1 << (bits - 1); + }else{ + pred= ptr[-1]; + } }else{ - pred= ptr[-1]; + if(x==0 && leftcol){ + pred= ptr[-linesize]; + }else{ + PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); + } } - }else{ - if(x==0 && leftcol){ - pred= ptr[-linesize]; - }else{ - PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); - } - } - if (s->interlaced && s->bottom_field) - ptr += linesize >> 1; - pred &= mask; - *ptr= pred + ((unsigned)dc << point_transform); + if (s->interlaced && s->bottom_field) + ptr += linesize >> 1; + pred &= mask; + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ From 53d34fad0dd09501e1416796e2d2b35d45ed8453 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Dec 2018 21:51:22 +0100 Subject: [PATCH 0373/1764] tests/fate/filter-video: increase fuzz for fate-filter-refcmp-psnr-rgb Fixes: test failure on powerpc Signed-off-by: Michael Niedermayer (cherry picked from commit f8f762c300e29d80ece363edc08e137b371d909f) Signed-off-by: Michael Niedermayer --- tests/fate/filter-video.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak index c19f301ff8..49bd743e68 100644 --- a/tests/fate/filter-video.mak +++ b/tests/fate/filter-video.mak @@ -750,7 +750,7 @@ fate-filter-meta-4560-rotate0: CMD = framecrc -flags +bitexact -c:a aac_fixed -i REFCMP_DEPS = FFMPEG LAVFI_INDEV TESTSRC2_FILTER AVGBLUR_FILTER METADATA_FILTER FATE_FILTER_SAMPLES-$(call ALLYES, $(REFCMP_DEPS) PSNR_FILTER) += fate-filter-refcmp-psnr-rgb -fate-filter-refcmp-psnr-rgb: CMD = refcmp_metadata psnr rgb24 0.001 +fate-filter-refcmp-psnr-rgb: CMD = refcmp_metadata psnr rgb24 0.002 FATE_FILTER_SAMPLES-$(call ALLYES, $(REFCMP_DEPS) PSNR_FILTER) += fate-filter-refcmp-psnr-yuv fate-filter-refcmp-psnr-yuv: CMD = refcmp_metadata psnr yuv422p 0.0015 From f51a271f206b1a1e3944e441aa7a2cb9947d999f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Dec 2018 21:51:48 +0100 Subject: [PATCH 0374/1764] avformat/mpegts: Fix side data type for stream id Signed-off-by: Michael Niedermayer (cherry picked from commit ab1319d82f0c77308792fa2d88cbfc73c3e47cb7) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 53cbcfb543..1bc5b674b2 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -887,7 +887,7 @@ static void new_data_packet(const uint8_t *buffer, int len, AVPacket *pkt) static int new_pes_packet(PESContext *pes, AVPacket *pkt) { - char *sd; + uint8_t *sd; av_init_packet(pkt); From 4556f7c8a2106ad514c84576b28e05249e1b6862 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Dec 2018 21:52:30 +0100 Subject: [PATCH 0375/1764] avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID Signed-off-by: Michael Niedermayer (cherry picked from commit 68e011e4103b9cb5ac2d152d73ca8393065a33fb) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 18c3e3ea1e..771d59d726 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1574,7 +1574,7 @@ enum AVPacketSideDataType { AV_PKT_DATA_METADATA_UPDATE, /** - * MPEGTS stream ID, this is required to pass the stream ID + * MPEGTS stream ID as uint8_t, this is required to pass the stream ID * information from the demuxer to the corresponding muxer. */ AV_PKT_DATA_MPEGTS_STREAM_ID, From 3ca0a8e077fc2281165f3d343b4f7a26f02a080a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Dec 2018 19:04:56 +0100 Subject: [PATCH 0376/1764] avcodec/rpza: Move frame allocation to a later point This will allow performing some fast checks before the slow allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 8a708aa99cb0e8d76e52117b1fd89d221f0055e9) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index b71ebd1cbe..cffbfe4416 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -73,13 +73,12 @@ typedef struct RpzaContext { static int rpza_decode_stream(RpzaContext *s) { int width = s->avctx->width; - int stride = s->frame->linesize[0] / 2; - int row_inc = stride - 4; + int stride, row_inc, ret; int chunk_size; uint16_t colorA = 0, colorB; uint16_t color4[4]; uint16_t ta, tb; - uint16_t *pixels = (uint16_t *)s->frame->data[0]; + uint16_t *pixels; int row_ptr = 0; int pixel_ptr = 0; @@ -106,6 +105,12 @@ static int rpza_decode_stream(RpzaContext *s) /* Number of 4x4 blocks in frame. */ total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + if ((ret = ff_reget_buffer(s->avctx, s->frame)) < 0) + return ret; + pixels = (uint16_t *)s->frame->data[0]; + stride = s->frame->linesize[0] / 2; + row_inc = stride - 4; + /* Process chunk data */ while (bytestream2_get_bytes_left(&s->gb)) { uint8_t opcode = bytestream2_get_byte(&s->gb); /* Get opcode */ @@ -256,9 +261,6 @@ static int rpza_decode_frame(AVCodecContext *avctx, bytestream2_init(&s->gb, avpkt->data, avpkt->size); - if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) - return ret; - ret = rpza_decode_stream(s); if (ret < 0) return ret; From 728f142651267f6f4511c3117234242295ad3b96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Dec 2018 19:13:27 +0100 Subject: [PATCH 0377/1764] avcodec/rpza: Check that there is enough data for all the blocks Fixes: Timeout Fixes: 11547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RPZA_fuzzer-5678435842654208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e63517e00a1a8375c7fb3b8c4c64c9a7c3da713e) Signed-off-by: Michael Niedermayer --- libavcodec/rpza.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index cffbfe4416..8e1efa2445 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -105,6 +105,9 @@ static int rpza_decode_stream(RpzaContext *s) /* Number of 4x4 blocks in frame. */ total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + if (total_blocks / 32 > bytestream2_get_bytes_left(&s->gb)) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(s->avctx, s->frame)) < 0) return ret; pixels = (uint16_t *)s->frame->data[0]; From 7df1c9361992418ce24232c26af3ac8b94aea066 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Dec 2018 22:40:05 +0100 Subject: [PATCH 0378/1764] postproc/postprocess_template: Avoid using %4 for the threshold compare This avoids problems if %4 is the stack pointer the constraints do not allow %4 to be the stack pointer but gcc 9 may no longer support specifying such constraints Signed-off-by: Michael Niedermayer (cherry picked from commit 4325527e1c4fd2da119e81933172065ee1274eda) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index 0a43989266..485eb5cfc0 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -1184,10 +1184,10 @@ FIND_MIN_MAX((%0, %1, 8)) #endif "movq %%mm6, %%mm0 \n\t" // max "psubb %%mm7, %%mm6 \n\t" // max - min - "push %4 \n\t" - "movd %%mm6, %k4 \n\t" - "cmpb "MANGLE(deringThreshold)", %b4 \n\t" - "pop %4 \n\t" + "push %%"FF_REG_a" \n\t" + "movd %%mm6, %%eax \n\t" + "cmpb "MANGLE(deringThreshold)", %%al \n\t" + "pop %%"FF_REG_a" \n\t" " jb 1f \n\t" PAVGB(%%mm0, %%mm7) // a=(max + min)/2 "punpcklbw %%mm7, %%mm7 \n\t" From 30046553a5a301cfc12295f2d42e1d40eb075268 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Dec 2018 22:40:06 +0100 Subject: [PATCH 0379/1764] postproc/postprocess_template: remove FF_REG_sp from clobber list Future gcc may no longer support this Tested-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit c1cbeb87db4bfc6e281e4254a6c7fdd3854fc9b9) Signed-off-by: Michael Niedermayer --- libpostproc/postprocess_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index 485eb5cfc0..b0adfd168c 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -1317,7 +1317,7 @@ DERING_CORE((%0, %1, 8) ,(%%FF_REGd, %1, 4),%%mm2,%%mm4,%%mm0,%%mm3,%%mm5, "1: \n\t" : : "r" (src), "r" ((x86_reg)stride), "m" (c->pQPb), "m"(c->pQPb2), "q"(tmp) NAMED_CONSTRAINTS_ADD(deringThreshold,b00,b02,b08) - : "%"FF_REG_a, "%"FF_REG_d, "%"FF_REG_sp + : "%"FF_REG_a, "%"FF_REG_d ); #else // HAVE_7REGS && (TEMPLATE_PP_MMXEXT || TEMPLATE_PP_3DNOW) int y; From d99a3f9792ec2e7c7882203ac31fbefe391ff9f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Dec 2018 21:43:07 +0100 Subject: [PATCH 0380/1764] avcodec/fic: Fail on invalid slice size/off Fixes: Timeout Fixes: 11486/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5677133863583744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 30a7a81cdc2ee2eac6d3271439c43f11b7327b3e) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index c288c9771b..0b491ef7de 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -380,6 +380,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, slice_h = FFALIGN(avctx->height - ctx->slice_h * (nslices - 1), 16); } else { slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); + if (slice_size < slice_off) + return AVERROR_INVALIDDATA; } if (slice_size < slice_off || slice_size > msize) From 4656ad1e962512db26ef40e8c280b942468107ae Mon Sep 17 00:00:00 2001 From: gxw Date: Mon, 24 Dec 2018 14:07:44 +0800 Subject: [PATCH 0381/1764] avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa The AV_INPUT_BUFFER_PADDING_SIZE has been increased to 64, but the value is still 32 in function ff_hevc_sao_edge_filter_8_msa. So, use AV_INPUT_BUFFER_PADDING_SIZE directly. Also, use MAX_PB_SIZE directly instead of 64. Fate tests passed. Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit f652c7a45c60427db0a89fae665e63b546af6ebb) Signed-off-by: Michael Niedermayer --- libavcodec/mips/hevc_lpf_sao_msa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mips/hevc_lpf_sao_msa.c b/libavcodec/mips/hevc_lpf_sao_msa.c index 5b5537a264..adcafde621 100644 --- a/libavcodec/mips/hevc_lpf_sao_msa.c +++ b/libavcodec/mips/hevc_lpf_sao_msa.c @@ -2630,7 +2630,7 @@ void ff_hevc_sao_edge_filter_8_msa(uint8_t *dst, uint8_t *src, int16_t *sao_offset_val, int eo, int width, int height) { - ptrdiff_t stride_src = (2 * 64 + 32) / sizeof(uint8_t); + ptrdiff_t stride_src = (2 * MAX_PB_SIZE + AV_INPUT_BUFFER_PADDING_SIZE) / sizeof(uint8_t); switch (eo) { case 0: From 24438427ef598a4ab36eb5e99f572ff1e358475d Mon Sep 17 00:00:00 2001 From: David Bryant Date: Tue, 20 Nov 2018 21:00:47 -0800 Subject: [PATCH 0382/1764] avformat/wvdec: detect and error out on WavPack DSD files Not currently supported. (cherry picked from commit db109373d87b1fa5fe9f3d027d1bb752f725b74a) Signed-off-by: Michael Niedermayer --- libavformat/wvdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/wvdec.c b/libavformat/wvdec.c index 82526563ec..2060523c3b 100644 --- a/libavformat/wvdec.c +++ b/libavformat/wvdec.c @@ -40,6 +40,7 @@ enum WV_FLAGS { WV_HBAL = 0x0400, WV_MCINIT = 0x0800, WV_MCEND = 0x1000, + WV_DSD = 0x80000000, }; static const int wv_rates[16] = { @@ -97,6 +98,11 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) return ret; } + if (wc->header.flags & WV_DSD) { + avpriv_report_missing_feature(ctx, "WV DSD"); + return AVERROR_PATCHWELCOME; + } + if (wc->header.version < 0x402 || wc->header.version > 0x410) { avpriv_report_missing_feature(ctx, "WV version 0x%03X", wc->header.version); From 8490652c9cef87273873b1d001044872d105b0dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Dec 2018 22:22:56 +0100 Subject: [PATCH 0383/1764] avcodec/mjpegbdec: Fix some misplaced {} and spaces Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 11a8d2ccab1fe165eef4578c048d38731dbe1d6f) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegbdec.c | 24 +++++++++--------------- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index a858707d54..8583fcb4f9 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -70,8 +70,7 @@ read_header: skip_bits(&hgb, 32); /* reserved zeros */ - if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) - { + if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g')) { av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n"); return AVERROR_INVALIDDATA; } @@ -85,19 +84,17 @@ read_header: dqt_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dqt is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dqt offs: 0x%"PRIx32"\n", dqt_offs); - if (dqt_offs) - { + if (dqt_offs) { init_get_bits(&s->gb, buf_ptr+dqt_offs, (buf_end - (buf_ptr+dqt_offs))*8); s->start_code = DQT; if (ff_mjpeg_decode_dqt(s) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; + return AVERROR_INVALIDDATA; } dht_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "dht is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dht offs: 0x%"PRIx32"\n", dht_offs); - if (dht_offs) - { + if (dht_offs) { init_get_bits(&s->gb, buf_ptr+dht_offs, (buf_end - (buf_ptr+dht_offs))*8); s->start_code = DHT; ff_mjpeg_decode_dht(s); @@ -105,8 +102,7 @@ read_header: sof_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sof offs: 0x%"PRIx32"\n", sof_offs); - if (sof_offs) - { + if (sof_offs) { init_get_bits(&s->gb, buf_ptr+sof_offs, (buf_end - (buf_ptr+sof_offs))*8); s->start_code = SOF0; if (ff_mjpeg_decode_sof(s) < 0) @@ -117,25 +113,23 @@ read_header: av_log(avctx, AV_LOG_DEBUG, "sos offs: 0x%"PRIx32"\n", sos_offs); sod_offs = read_offs(avctx, &hgb, buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%"PRIx32"\n", sod_offs); - if (sos_offs) - { + if (sos_offs) { init_get_bits(&s->gb, buf_ptr + sos_offs, 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; if (ff_mjpeg_decode_sos(s, NULL, 0, NULL) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; + return AVERROR_INVALIDDATA; } if (s->interlaced) { s->bottom_field ^= 1; /* if not bottom field, do not output image yet */ - if (s->bottom_field != s->interlace_polarity && second_field_offs) - { + if (s->bottom_field != s->interlace_polarity && second_field_offs) { buf_ptr = buf + second_field_offs; goto read_header; - } + } } //XXX FIXME factorize, this looks very similar to the EOI code From 8349bcb526ebe0af3c3ec62833e0940c7655e95a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Dec 2018 22:22:53 +0100 Subject: [PATCH 0384/1764] avcodec/v4l2_m2m: fix cant typo Reviewed-by: Lou Logan Signed-off-by: Michael Niedermayer (cherry picked from commit 062bf5639359e183e016bcb795ac10735f83e863) Signed-off-by: Michael Niedermayer --- libavcodec/v4l2_m2m.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/v4l2_m2m.h b/libavcodec/v4l2_m2m.h index afa3987c46..db47761941 100644 --- a/libavcodec/v4l2_m2m.h +++ b/libavcodec/v4l2_m2m.h @@ -83,7 +83,7 @@ int ff_v4l2_m2m_codec_init(AVCodecContext *avctx); int ff_v4l2_m2m_codec_end(AVCodecContext *avctx); /** - * Reinitializes the V4L2m2mContext when the driver cant continue processing + * Reinitializes the V4L2m2mContext when the driver cannot continue processing * with the capture parameters. * * @param[in] ctx The V4L2m2mContext instantiated by the encoder/decoder. @@ -93,7 +93,7 @@ int ff_v4l2_m2m_codec_end(AVCodecContext *avctx); int ff_v4l2_m2m_codec_reinit(V4L2m2mContext *ctx); /** - * Reinitializes the V4L2m2mContext when the driver cant continue processing + * Reinitializes the V4L2m2mContext when the driver cannot continue processing * with the any of the current V4L2Contexts (ie, changes in output and capture). * * @param[in] ctx The V4L2m2mContext instantiated by the encoder/decoder. From d43b488340105e09bf378795bd621ebe1520594b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 Dec 2018 18:11:44 +0100 Subject: [PATCH 0385/1764] avcodec/4xm: Fix returned error codes Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 07607a1db879d0d96e2c91e1354bc4e425937d3a) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 5547dfd87f..8e05a4c366 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -498,7 +498,7 @@ static int decode_i_block(FourXContext *f, int16_t *block) if (get_bits_left(&f->gb) < 2){ av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); - return -1; + return AVERROR_INVALIDDATA; } /* DC coef */ @@ -732,7 +732,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length) for (x = 0; x < width; x += 16) { unsigned int color[4] = { 0 }, bits; if (buf_end - buf < 8) - return -1; + return AVERROR_INVALIDDATA; // warning following is purely guessed ... color[0] = bytestream2_get_le16u(&g3); color[1] = bytestream2_get_le16u(&g3); From b2fd3250c4a559d2941a6940c3e3190d4beabe25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Dec 2018 18:41:58 +0100 Subject: [PATCH 0386/1764] avcodec/exr: Check for duplicate channel index Fixes: Out of memory Fixes: 11582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5730204559867904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f9728feaf90eb7493f8872356f54150efafb59cc) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ff31d7267c..e7a6146f0e 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1461,6 +1461,11 @@ static int decode_header(EXRContext *s, AVFrame *frame) } s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; + } else if (channel_index >= 0) { + av_log(s->avctx, AV_LOG_ERROR, + "Multiple channels with index %d.\n", channel_index); + ret = AVERROR_INVALIDDATA; + goto fail; } s->channels = av_realloc(s->channels, From 980ad512910a21d09c488968b402e2f35e94a22e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Dec 2018 21:30:54 +0100 Subject: [PATCH 0387/1764] avcodec/exr: set layer_match in all branches Otherwise it is left to the value from the previous iteration Signed-off-by: Michael Niedermayer (cherry picked from commit 433d2ae4353f3c513a45780845d9d8ca252cd4dc) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index e7a6146f0e..5aa75ab112 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1387,6 +1387,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (*ch_gb.buffer == '.') ch_gb.buffer++; /* skip dot if not given */ } else { + layer_match = 0; av_log(s->avctx, AV_LOG_INFO, "Channel doesn't match layer : %s.\n", ch_gb.buffer); } From 84ef2bba6c513d5a461a484ee0d141264e2f4882 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Jan 2019 20:00:38 +0100 Subject: [PATCH 0388/1764] avcodec/h264_slice: Fix integer overflow in implicit_weight_table() Fixes: signed integer overflow: 2 * 2132811760 cannot be represented in type 'int' Fixes: 11156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6237685933408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 77e56d74f972537aecd5bc2c5c4111e1d6ad0963) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index f55cdf51f9..c9c475d73c 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -672,7 +672,7 @@ static void implicit_weight_table(const H264Context *h, H264SliceContext *sl, in cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1]; } if (sl->ref_count[0] == 1 && sl->ref_count[1] == 1 && !FRAME_MBAFF(h) && - sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2 * cur_poc) { + sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2LL * cur_poc) { sl->pwt.use_weight = 0; sl->pwt.use_weight_chroma = 0; return; From c4f2a8c6c1257205eae85ef48d64ada552038299 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Jan 2019 02:46:29 +0100 Subject: [PATCH 0389/1764] avcodec/tests/rangecoder: initialize array to avoid valgrind warning Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit c15972f0af7679b466dd4a10a54ab2f04f9372c8) Signed-off-by: Michael Niedermayer --- libavcodec/tests/rangecoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/rangecoder.c b/libavcodec/tests/rangecoder.c index 2da5c0ce33..3a8ba6759c 100644 --- a/libavcodec/tests/rangecoder.c +++ b/libavcodec/tests/rangecoder.c @@ -29,7 +29,7 @@ int main(void) { RangeCoder c; - uint8_t b[9 * SIZE]; + uint8_t b[9 * SIZE] = {0}; uint8_t r[9 * SIZE]; int i; uint8_t state[10]; From e726cd332dcfa58acf7115c29170fb1b93feb3e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Nov 2018 09:42:44 +0100 Subject: [PATCH 0390/1764] avcodec/diracdec: Check component quant Fixes: Timeout Fixes: 10708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5730140957442048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28c96c2ce2781c2cd147a9f3c299e18ce1dc7ff8) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 04f54634e0..67aaf1f0c3 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -667,6 +667,10 @@ static void decode_component(DiracContext *s, int comp) b->length = get_interleaved_ue_golomb(&s->gb); if (b->length) { b->quant = get_interleaved_ue_golomb(&s->gb); + if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) { + av_log(s->avctx, AV_LOG_ERROR, "Unsupported quant %d\n", b->quant); + b->quant = 0; + } align_get_bits(&s->gb); b->coeff_data = s->gb.buffer + get_bits_count(&s->gb)/8; b->length = FFMIN(b->length, FFMAX(get_bits_left(&s->gb)/8, 0)); From 6c2e465f62c8a5e5ef0b63a81494389c3df79b52 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 1 Jan 2019 15:26:31 -0300 Subject: [PATCH 0391/1764] configure: bump year Happy new year! (cherry picked from commit 3209d7b3930bab554bf7d97d8041d9d0b88423a8) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 9fe7760822..51c5db53e6 100755 --- a/configure +++ b/configure @@ -7001,7 +7001,7 @@ cat > $TMPH < Date: Thu, 17 Jan 2019 22:35:10 +0100 Subject: [PATCH 0392/1764] avutil/mem: Optimize fill32() by unrolling and using 64bit Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 12b1338be376a3e5fb606d9fe41b58dc4a9e62c7) Signed-off-by: Michael Niedermayer --- libavutil/mem.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 36740f1154..4f7ac75df1 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -385,6 +385,18 @@ static void fill32(uint8_t *dst, int len) { uint32_t v = AV_RN32(dst - 4); +#if HAVE_FAST_64BIT + uint64_t v2= v + ((uint64_t)v<<32); + while (len >= 32) { + AV_WN64(dst , v2); + AV_WN64(dst+ 8, v2); + AV_WN64(dst+16, v2); + AV_WN64(dst+24, v2); + dst += 32; + len -= 32; + } +#endif + while (len >= 4) { AV_WN32(dst, v); dst += 4; From 532b6c2b25c177ec4bd23ae45cbd48678f860906 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Dec 2018 23:15:20 +0100 Subject: [PATCH 0393/1764] avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr() This is strongly based on code by Marton Balint, and depends on the previous commit Fixes: Timeout Fixes: 11502/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 Before: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 11209 ms After: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 4104 ms Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f64c0dffa13e6263de3fdff0058ab2fdb03ac1d6) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 5005178804..4f3cf86dca 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -499,7 +499,6 @@ int av_image_copy_to_buffer(uint8_t *dst, int dst_size, static void memset_bytes(uint8_t *dst, size_t dst_size, uint8_t *clear, size_t clear_size) { - size_t pos = 0; int same = 1; int i; @@ -519,28 +518,12 @@ static void memset_bytes(uint8_t *dst, size_t dst_size, uint8_t *clear, if (clear_size == 1) { memset(dst, clear[0], dst_size); dst_size = 0; - } else if (clear_size == 2) { - uint16_t val = AV_RN16(clear); - for (; dst_size >= 2; dst_size -= 2) { - AV_WN16(dst, val); - dst += 2; - } - } else if (clear_size == 4) { - uint32_t val = AV_RN32(clear); - for (; dst_size >= 4; dst_size -= 4) { - AV_WN32(dst, val); - dst += 4; - } - } else if (clear_size == 8) { - uint32_t val = AV_RN64(clear); - for (; dst_size >= 8; dst_size -= 8) { - AV_WN64(dst, val); - dst += 8; - } + } else { + if (clear_size > dst_size) + clear_size = dst_size; + memcpy(dst, clear, clear_size); + av_memcpy_backptr(dst + clear_size, clear_size, dst_size - clear_size); } - - for (; dst_size; dst_size--) - *dst++ = clear[pos++ % clear_size]; } // Maximum size in bytes of a plane element (usually a pixel, or multiple pixels From 23f6170f1bdb54151638b0f76e39267781bc0405 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Jan 2019 19:37:18 +0100 Subject: [PATCH 0394/1764] avcodec/tiff: Check for 12bit gray fax Fixes: Assertion failure Fixes: 11898/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5759794191794176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec28a85107cccece4dce17c0ccb633defe2d6e98) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1b332a754d..9c13a758ee 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -571,7 +571,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid if (s->compr == TIFF_CCITT_RLE || s->compr == TIFF_G3 || s->compr == TIFF_G4) { - if (is_yuv) + if (is_yuv || p->format == AV_PIX_FMT_GRAY12) return AVERROR_INVALIDDATA; return tiff_unpack_fax(s, dst, stride, src, size, width, lines); From ae4148b895392065bdced752e82c682ecd83c4de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Jan 2019 00:30:53 +0100 Subject: [PATCH 0395/1764] avcodec/fic: Check that there is input left in fic_decode_block() Fixes: Timeout Fixes: 12450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5661984622641152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db1c4acd02af4de5dfbea6012c296470679aa7a6) Signed-off-by: Michael Niedermayer --- libavcodec/fic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 0b491ef7de..b7b834596b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -139,6 +139,9 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb, { int i, num_coeff; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; + /* Is it a skip block? */ if (get_bits1(gb)) { *is_p = 1; From d3aab63320657ce0c567bd5deedbbe0cf567086c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Jan 2019 00:53:22 +0100 Subject: [PATCH 0396/1764] avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() Fixes: Infinite loop Found-by: Michael Hanselmann Reviewed-by: Michael Hanselmann Signed-off-by: Michael Niedermayer (cherry picked from commit 0b50f27635f684ec0526e9975c9979f35bbf486b) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index b6da61b95e..0524ced682 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1655,7 +1655,7 @@ int ff_rtsp_connect(AVFormatContext *s) char tcpname[1024], cmd[2048], auth[128]; const char *lower_rtsp_proto = "tcp"; int port, err, tcp_fd; - RTSPMessageHeader reply1 = {0}, *reply = &reply1; + RTSPMessageHeader reply1, *reply = &reply1; int lower_transport_mask = 0; int default_port = RTSP_DEFAULT_PORT; char real_challenge[64] = ""; @@ -1684,6 +1684,7 @@ int ff_rtsp_connect(AVFormatContext *s) rt->lower_transport_mask &= (1 << RTSP_LOWER_TRANSPORT_NB) - 1; redirect: + memset(&reply1, 0, sizeof(reply1)); /* extract hostname and port */ av_url_split(proto, sizeof(proto), auth, sizeof(auth), host, sizeof(host), &port, path, sizeof(path), s->filename); From 136ec39a2f810f8bbdb29d80aeb3ee430e6eecd8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Jan 2019 21:30:04 +0100 Subject: [PATCH 0397/1764] avformat/rtsp: Check number of streams in sdp_parse_line() Fixes: OOM Found-by: Michael Hanselmann Reviewed-by: Michael Hanselmann Signed-off-by: Michael Niedermayer (cherry picked from commit 497c9b0cce559d43607bbbd679fe42f1d7e9040e) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 0524ced682..91176420c8 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -446,7 +446,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, } else if (!strcmp(st_type, "text")) { codec_type = AVMEDIA_TYPE_SUBTITLE; } - if (codec_type == AVMEDIA_TYPE_UNKNOWN || !(rt->media_type_mask & (1 << codec_type))) { + if (codec_type == AVMEDIA_TYPE_UNKNOWN || + !(rt->media_type_mask & (1 << codec_type)) || + rt->nb_rtsp_streams >= s->max_streams + ) { s1->skip_media = 1; return; } From 4946bda47302276e09000c0cd011e8327230d440 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2019 01:06:01 +0100 Subject: [PATCH 0398/1764] avcodec/pgssubdec: Check for duplicate display segments In such a duplication the previous gets overwritten and leaks Fixes: memleak Fixes: 12510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5694439226343424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e35c3d887b3e374c6a091342206a42da48785d70) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index b897d72aab..8c10f6d573 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -676,6 +676,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, */ break; case DISPLAY_SEGMENT: + if (*data_size) { + av_log(avctx, AV_LOG_ERROR, "Duplicate display segment\n"); + ret = AVERROR_INVALIDDATA; + break; + } ret = display_end_segment(avctx, data, buf, segment_length); if (ret >= 0) *data_size = ret; From 0063964f84b163495b3569aab13f73f65a7ac1c6 Mon Sep 17 00:00:00 2001 From: chcunningham Date: Wed, 6 Feb 2019 16:12:51 -0800 Subject: [PATCH 0399/1764] avformat/mov.c: require tfhd to begin parsing trun Detecting missing tfhd avoids re-using tfhd track info from the previous moof. For files with multiple tracks, this may make a mess of the avindex and fragindex, which can later trigger av_assert0 in mov_read_trun(). Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ea87e5d9ea075d5b3c0f4f8c6c48e514b454cbe) Signed-off-by: Michael Niedermayer --- libavformat/isom.h | 1 + libavformat/mov.c | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/libavformat/isom.h b/libavformat/isom.h index b9380e9dcc..e50e74b5a3 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -85,6 +85,7 @@ typedef struct MOVAtom { struct MOVParseTableEntry; typedef struct MOVFragment { + int found_tfhd; unsigned track_id; uint64_t base_data_offset; uint64_t moof_offset; diff --git a/libavformat/mov.c b/libavformat/mov.c index 6e954dd444..27c103ba43 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1170,6 +1170,9 @@ static int mov_read_moov(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_moof(MOVContext *c, AVIOContext *pb, MOVAtom atom) { + // Set by mov_read_tfhd(). mov_read_trun() will reject files missing tfhd. + c->fragment.found_tfhd = 0; + if (!c->has_looked_for_mfra && c->use_mfra_for > 0) { c->has_looked_for_mfra = 1; if (pb->seekable & AVIO_SEEKABLE_NORMAL) { @@ -4195,6 +4198,8 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVFragmentIndex* index = NULL; int flags, track_id, i, found = 0; + c->fragment.found_tfhd = 1; + avio_r8(pb); /* version */ flags = avio_rb24(pb); @@ -4342,6 +4347,11 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) unsigned entries, first_sample_flags = frag->flags; int flags, distance, i; + if (!frag->found_tfhd) { + av_log(c->fc, AV_LOG_ERROR, "trun track id unknown, no tfhd was found\n"); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < c->fc->nb_streams; i++) { if (c->fc->streams[i]->id == frag->track_id) { st = c->fc->streams[i]; From 08b159fd0d9ddcc3a26fe96ca754d77f1de3c40a Mon Sep 17 00:00:00 2001 From: chcunningham Date: Thu, 7 Feb 2019 14:58:17 -0800 Subject: [PATCH 0400/1764] avformat/mov: validate chunk_count vs stsc_data Bad content may contain stsc boxes with a first_chunk index that exceeds stco.entries (chunk_count). This ammends the existing check to include cases where chunk_count == 0. It also patches up the case when stsc refers to unknown chunks, but stts has no samples (so we can simply ignore stsc). Signed-off-by: Michael Niedermayer (cherry picked from commit 1c15449ca9a5bfa387868ac55628397273da761f) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 27c103ba43..19884b73e8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2496,8 +2496,11 @@ static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, unsigned int in if (mov_stsc_index_valid(index, sc->stsc_count)) chunk_count = sc->stsc_data[index + 1].first - sc->stsc_data[index].first; - else + else { + // Validation for stsc / stco happens earlier in mov_read_stsc + mov_read_trak. + av_assert0(sc->stsc_data[index].first <= sc->chunk_count); chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1); + } return sc->stsc_data[index].count * (int64_t)chunk_count; } @@ -3822,6 +3825,13 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->trak_index = -1; + // Here stsc refers to a chunk not described in stco. This is technically invalid, + // but we can overlook it (clearing stsc) whenever stts_count == 0 (indicating no samples). + if (!sc->chunk_count && !sc->stts_count && sc->stsc_count) { + sc->stsc_count = 0; + av_freep(&sc->stsc_data); + } + /* sanity checks */ if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || (!sc->sample_size && !sc->sample_count))) || @@ -3830,7 +3840,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } - if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { + if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; From 80603682ff59f14197b5207c908c91b88aeda242 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Feb 2019 15:13:03 +0100 Subject: [PATCH 0401/1764] avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c() Fixes: 1377/clusterfuzz-testcase-minimized-5487049807233024 Fixes: assertion failure in sbr_sum_square_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 4cde7e62dbaa63eda173e8d24a97d273890f282c) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 57d98da979..91fa664c08 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -34,32 +34,36 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n) { SoftFloat ret; - uint64_t accu, round; + uint64_t accu = 0, round; uint64_t accu0 = 0, accu1 = 0, accu2 = 0, accu3 = 0; int i, nz, nz0; unsigned u; + nz = 0; for (i = 0; i < n; i += 2) { - // Larger values are inavlid and could cause overflows of accu. - av_assert2(FFABS(x[i + 0][0]) >> 30 == 0); accu0 += (int64_t)x[i + 0][0] * x[i + 0][0]; - av_assert2(FFABS(x[i + 0][1]) >> 30 == 0); accu1 += (int64_t)x[i + 0][1] * x[i + 0][1]; - av_assert2(FFABS(x[i + 1][0]) >> 30 == 0); accu2 += (int64_t)x[i + 1][0] * x[i + 1][0]; - av_assert2(FFABS(x[i + 1][1]) >> 30 == 0); accu3 += (int64_t)x[i + 1][1] * x[i + 1][1]; + if ((accu0|accu1|accu2|accu3) > UINT64_MAX - INT32_MIN*(int64_t)INT32_MIN || i+2>=n) { + accu0 >>= nz; + accu1 >>= nz; + accu2 >>= nz; + accu3 >>= nz; + while ((accu0|accu1|accu2|accu3) > (UINT64_MAX - accu) >> 2) { + accu0 >>= 1; + accu1 >>= 1; + accu2 >>= 1; + accu3 >>= 1; + accu >>= 1; + nz ++; + } + accu += accu0 + accu1 + accu2 + accu3; + accu0 = accu1 = accu2 = accu3 = 0; + } } - nz0 = 15; - while ((accu0|accu1|accu2|accu3) >> 62) { - accu0 >>= 1; - accu1 >>= 1; - accu2 >>= 1; - accu3 >>= 1; - nz0 --; - } - accu = accu0 + accu1 + accu2 + accu3; + nz0 = 15 - nz; u = accu >> 32; if (u) { From 3ae6063f5ac38ed6010dcf6e096c3022e6799834 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Feb 2019 23:28:35 +0100 Subject: [PATCH 0402/1764] avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream Fixes: NULL pointer dereference Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5634316373721088 Reported-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit b0d8b7cb8e86367178ef0c35dcae359d820c3b27) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 19884b73e8..51118ba07d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4602,7 +4602,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) break; } } - for (i = 0; i < c->fc->nb_streams; i++) { + if (ref_st) for (i = 0; i < c->fc->nb_streams; i++) { st = c->fc->streams[i]; sc = st->priv_data; if (!sc->has_sidx) { From f9067108708ade40b6989328d22e84a73e408759 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Feb 2019 15:29:38 +0100 Subject: [PATCH 0403/1764] avformat/matroskadec: Do not leak queued packets on sync errors Fixes: memleak Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5649187601121280 Reported-by: Chris Cunningham Tested-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit d1afa7284c3feba4debfebf1b9cf8ad67640e34a) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 95189525e3..c65a912408 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3507,7 +3507,7 @@ static int matroska_read_packet(AVFormatContext *s, AVPacket *pkt) ret = matroska_resync(matroska, pos); } - return ret; + return 0; } static int matroska_read_seek(AVFormatContext *s, int stream_index, From 9191218d11684a5a283fcf387fc85af62ceef9bb Mon Sep 17 00:00:00 2001 From: Kevin Backhouse via RT Date: Wed, 6 Feb 2019 11:29:22 +0000 Subject: [PATCH 0404/1764] avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning Fixes: [Semmle Security Reports #19438] Fixes: dos_sscanf1.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 1f00c97bc3475c477f3c468cf2d924d5761d0982) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index fb9f900422..c0cfccfb16 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -74,6 +74,34 @@ struct font_tag { uint32_t color; }; +/* + * Fast code for scanning the rest of a tag. Functionally equivalent to + * this sscanf call: + * + * sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2 + */ +static int scantag(const char* in, char* buffer, int* lenp) { + int len; + + for (len = 0; len < 128; len++) { + const char c = *in++; + switch (c) { + case '\0': + return 0; + case '<': + return 0; + case '>': + buffer[len] = '\0'; + *lenp = len+1; + return 1; + default: + break; + } + buffer[len] = c; + } + return 0; +} + /* * The general politic of the convert is to mask unsupported tags or formatting * errors (but still alert the user/subtitles writer with an error/warning) @@ -155,7 +183,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) len = 0; - if (sscanf(in+tag_close+1, "%127[^<>]>%n", buffer, &len) >= 1 && len > 0) { + if (scantag(in+tag_close+1, buffer, &len) && len > 0) { const int skip = len + tag_close; const char *tagname = buffer; while (*tagname == ' ') { From e2ae3419ff47b66a2a9a93c0cdf81155c70f2b3c Mon Sep 17 00:00:00 2001 From: Kevin Backhouse via RT Date: Wed, 6 Feb 2019 12:56:01 +0000 Subject: [PATCH 0405/1764] avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces Fixes: [Semmle Security Reports #19439] Fixes: dos_sscanf2.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 894995c41e0795c7a44f81adc4838dedc3932e65) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index c0cfccfb16..d9221ba16b 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -24,6 +24,7 @@ #include "libavutil/common.h" #include "libavutil/parseutils.h" #include "htmlsubtitles.h" +#include static int html_color_parse(void *log_ctx, const char *str) { @@ -44,14 +45,32 @@ static void rstrip_spaces_buf(AVBPrint *buf) buf->str[--buf->len] = 0; } +/* + * Fast code for scanning text enclosed in braces. Functionally + * equivalent to this sscanf call: + * + * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0 + */ +static int scanbraces(const char* in) { + if (strncmp(in, "{\\an", 4) != 0) { + return 0; + } + if (!isdigit(in[4])) { + return 0; + } + if (in[5] != '}') { + return 0; + } + return 1; +} + /* skip all {\xxx} substrings except for {\an%d} and all microdvd like styles such as {Y:xxx} */ static void handle_open_brace(AVBPrint *dst, const char **inp, int *an, int *closing_brace_missing) { - int len = 0; const char *in = *inp; - *an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; + *an += scanbraces(in); if (!*closing_brace_missing) { if ( (*an != 1 && in[1] == '\\') From e62abf9398633c6341e34e8f2eab781dd5bf040f Mon Sep 17 00:00:00 2001 From: Wenxiang Qian Date: Wed, 13 Feb 2019 08:47:20 +0100 Subject: [PATCH 0406/1764] avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393 Signed-off-by: Michael Niedermayer (cherry picked from commit a142ffdcaec06fcbf7d4b00dbb0e5ddfb9e3344d) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 9aa7a45629..7b3c8600e4 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -389,7 +389,7 @@ static int ftp_file_size(FTPContext *s) static const int size_codes[] = {213, 0}; snprintf(command, sizeof(command), "SIZE %s\r\n", s->path); - if (ftp_send_command(s, command, size_codes, &res) == 213 && res) { + if (ftp_send_command(s, command, size_codes, &res) == 213 && res && strlen(res) > 4) { s->filesize = strtoll(&res[4], NULL, 10); } else { s->filesize = -1; From 3b4630c181cba8c2416a90e7fc7cc4beacb33a99 Mon Sep 17 00:00:00 2001 From: Wenxiang Qian Date: Wed, 13 Feb 2019 08:54:08 +0100 Subject: [PATCH 0407/1764] avformat/http: Fix Out-of-Bounds access in process_line() Signed-off-by: Michael Niedermayer (cherry picked from commit 85f91ed760a517c0d5fcf692d40a5a9d7efa9476) Signed-off-by: Michael Niedermayer --- libavformat/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/http.c b/libavformat/http.c index d066b639b5..0112f64b4c 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -871,7 +871,7 @@ static int process_line(URLContext *h, char *line, int line_count, while (av_isspace(*p)) p++; resource = p; - while (!av_isspace(*p)) + while (*p && !av_isspace(*p)) p++; *(p++) = '\0'; av_log(h, AV_LOG_TRACE, "Requested resource: %s\n", resource); From 1613b1669d023cb81c832b209b817e783262e8e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Feb 2019 10:15:04 +0100 Subject: [PATCH 0408/1764] avformat/webmdashenc: Check id in adaption_sets Fixes: out of array access Found-by: Wenxiang Qian Signed-off-by: Michael Niedermayer (cherry picked from commit b687b549aa0fb115861b1343208de8c2630803bf) Signed-off-by: Michael Niedermayer --- libavformat/webmdashenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 1280d8a763..26b8727304 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -466,6 +466,7 @@ static int parse_adaptation_sets(AVFormatContext *s) continue; else if (state == new_set && !strncmp(p, "id=", 3)) { void *mem = av_realloc(w->as, sizeof(*w->as) * (w->nb_as + 1)); + const char *comma; if (mem == NULL) return AVERROR(ENOMEM); w->as = mem; @@ -474,6 +475,11 @@ static int parse_adaptation_sets(AVFormatContext *s) w->as[w->nb_as - 1].streams = NULL; p += 3; // consume "id=" q = w->as[w->nb_as - 1].id; + comma = strchr(p, ','); + if (!comma || comma - p >= sizeof(w->as[w->nb_as - 1].id)) { + av_log(s, AV_LOG_ERROR, "'id' in 'adaptation_sets' is malformed.\n"); + return AVERROR(EINVAL); + } while (*p != ',') *q++ = *p++; *q = 0; p++; From 8ddad9f9cdac4bf05a455fe5bb3efdab5957d1e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Feb 2019 00:05:34 +0100 Subject: [PATCH 0409/1764] avcodec/h264_direct: Fix overflow in POC comparission Fixes: runtime error: signed integer overflow: 2147421862 - -33624063 cannot be represented in type 'int' Fixes: 12885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5733516975800320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5ccf296e74725bc8bdfbfe500d0482daa200b6f3) Signed-off-by: Michael Niedermayer --- libavcodec/h264_direct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index a7a107c8c2..3825996762 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -156,8 +156,8 @@ void ff_h264_direct_ref_list_init(const H264Context *const h, H264SliceContext * av_log(h->avctx, AV_LOG_ERROR, "co located POCs unavailable\n"); sl->col_parity = 1; } else - sl->col_parity = (FFABS(col_poc[0] - cur_poc) >= - FFABS(col_poc[1] - cur_poc)); + sl->col_parity = (FFABS(col_poc[0] - (int64_t)cur_poc) >= + FFABS(col_poc[1] - (int64_t)cur_poc)); ref1sidx = sidx = sl->col_parity; // FL -> FL & differ parity From 3891dbf4cf6564767ffc564374db741ae5efa5f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2019 01:09:43 +0100 Subject: [PATCH 0410/1764] avcodec/jvdec: Check available input space before decode8x8() Fixes: Timeout (78 sec -> 15 millisec) Fixes: 13147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JV_fuzzer-5727107827630080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61523683c5a9bda9aaa7ae24764a3df0401a9877) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index cbe83d3c10..4337d5681e 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -170,6 +170,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, GetBitContext gb; init_get_bits(&gb, buf, 8 * video_size); + if (avctx->height/8 * (avctx->width/8) > 4 * video_size) { + av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n"); + return AVERROR_INVALIDDATA; + } + for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) decode8x8(&gb, From edf0297c6147453571c96042d0b09a45720dee3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Feb 2019 17:25:14 +0100 Subject: [PATCH 0411/1764] avcodec/zmbv: obtain frame later MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The frame is not needed that early so obtaining it later avoids the costly operation in case other checks fail. Fixes: Timeout (14sec -> 4sec) Fixes: 13140/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-5738330308739072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 177b40890c6de8c6896e0a1d4a631ea1ca89c044) Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index b994e96e95..6ef549dff1 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -519,9 +519,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - if (c->comp == 0) { // uncompressed data if (c->decomp_size < len) { av_log(avctx, AV_LOG_ERROR, "Buffer too small\n"); @@ -547,6 +544,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); return AVERROR_INVALIDDATA; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; From 49f8873f8b89707e6453adc9996980ac80596997 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Feb 2019 22:00:39 +0100 Subject: [PATCH 0412/1764] avcodec/mlpdec: Insuffient typo Signed-off-by: Michael Niedermayer (cherry picked from commit fc32e08941ea2795a3096e7a4013843e9ebf5fe3) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index bf3fd5050f..1cf14057f2 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -1190,7 +1190,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, } if (length < header_size + substr_header_size) { - av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n"); goto error; } From 902c96ae16a0a1935388d22cd2f9e916262811a6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Feb 2019 18:41:42 +0100 Subject: [PATCH 0413/1764] avcodec/error_resilience: Use a symmetric check for skipping MV estimation This speeds up the testcase by a factor of 4 Fixes: Timeout Fixes: 13100/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5767533905313792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4289cb253e29e4d62dc46759eb1a45d8f6d82df) Signed-off-by: Michael Niedermayer --- libavcodec/error_resilience.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index d7f94c10c2..8f67542baf 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -438,7 +438,7 @@ static void guess_mv(ERContext *s) } if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) || - num_avail <= mb_width / 2) { + num_avail <= FFMAX(mb_width, mb_height) / 2) { for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; From 7a25b3192de6f91e2ae721ede46f6a5a2f48a550 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Feb 2019 00:05:51 +0100 Subject: [PATCH 0414/1764] avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() Fixes: runtime error: signed integer overflow: 2147483598 + 128 cannot be represented in type 'int' Fixes: 12926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5705100733972480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4801eea0d465cd54670e7c19322705544e3e7524) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ce1678a3d7..badf0f8cd0 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -531,7 +531,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) } for (i = 0; i < w * h; i++) - data[i] = (data[i] + ((1<>1)) >> I_PRESHIFT; + data[i] = (data[i] + ((1LL<>1)) >> I_PRESHIFT; } int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2], From 6abc6acd50ae02e0e9d77557fab53a665c46aeb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Feb 2019 23:39:44 +0100 Subject: [PATCH 0415/1764] avcodec/bethsoftvideo: Check block_type Fixes: Timeout (17 seconds -> 1 second) Fixes: 13184/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BETHSOFTVID_fuzzer-5711446296494080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8ecadec0582a1521b5d0d253376966138e6ca78) Signed-off-by: Michael Niedermayer --- libavcodec/bethsoftvideo.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c index 274516bf4d..e5a73f55a1 100644 --- a/libavcodec/bethsoftvideo.c +++ b/libavcodec/bethsoftvideo.c @@ -109,6 +109,11 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, if(yoffset >= avctx->height) return AVERROR_INVALIDDATA; dst += vid->frame->linesize[0] * yoffset; + case VIDEO_P_FRAME: + case VIDEO_I_FRAME: + break; + default: + return AVERROR_INVALIDDATA; } // main code From 98fa61c020722f7251435f3377eba449127962d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Feb 2019 01:26:30 +0100 Subject: [PATCH 0416/1764] avcodec/gdv: Check for truncated tags in decompress_5() Testcase: 13169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5666354038833152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5cf42f65b60d226d1223d2100cb1d90402189275) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index d4d24931c9..98bdee5aca 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -244,6 +244,8 @@ static int decompress_5(AVCodecContext *avctx, unsigned skip) while (bytestream2_get_bytes_left_p(pb) > 0 && bytestream2_get_bytes_left(gb) > 0) { int tag = read_bits2(&bits, gb); + if (bytestream2_get_bytes_left(gb) < 1) + return AVERROR_INVALIDDATA; if (tag == 0) { bytestream2_put_byte(pb, bytestream2_get_byte(gb)); } else if (tag == 1) { From 7cc9a207919f4ddda55501d2a05fc410ec6c04f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Feb 2019 13:26:25 +0100 Subject: [PATCH 0417/1764] avcodec/aic: Check remaining bits in aic_decode_coeffs() Fixes: Timeout (78 seconds -> 2 seconds) Fixes: 13186/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5639516533030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 951bb7632fe6e3bb1a9c3b47610705871e471f34) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 67d78c5ddd..77f342e6d6 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -208,6 +208,9 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, int mb, idx; unsigned val; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; + has_skips = get_bits1(gb); coeff_type = get_bits1(gb); coeff_bits = get_bits(gb, 3); From f2e3eae2041824713e59408c0246e6f94d60cc2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Feb 2019 00:44:40 +0100 Subject: [PATCH 0418/1764] avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes Fixes: Timeout (27 sec -> 39 milli sec) Fixes: 13151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QPEG_fuzzer-5717536023248896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b819472995f55e827d6bb70dcdd86d963f65ae31) Signed-off-by: Michael Niedermayer --- libavcodec/qpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index e1210c1972..10b55d2dff 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -90,6 +90,8 @@ static void qpeg_decode_intra(QpegContext *qctx, uint8_t *dst, } } } else { + if (bytestream2_get_bytes_left(&qctx->buffer) < copy) + copy = bytestream2_get_bytes_left(&qctx->buffer); for(i = 0; i < copy; i++) { dst[filled++] = bytestream2_get_byte(&qctx->buffer); if (filled >= width) { From 66894351909ffca0bd55b4e349362741f25a0f08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Feb 2019 00:12:14 +0100 Subject: [PATCH 0419/1764] avcodec/scpr: Fix use of uninitialized variable Fixes: Undefined shift Fixes: 12911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5677102915911680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53248acfb3b23007c89ae822d7bcae451272d5a7) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 66b4157576..6d9c437c0b 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -504,7 +504,7 @@ static int decompress_p(AVCodecContext *avctx, { SCPRContext *s = avctx->priv_data; GetByteContext *gb = &s->gb; - int ret, temp, min, max, x, y, cx = 0, cx1 = 0; + int ret, temp = 0, min, max, x, y, cx = 0, cx1 = 0; int backstep = linesize - avctx->width; const int cxshift = s->cxshift; From 2d825946a3970e566fa41829eb758f94169c4a0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2019 00:48:18 +0100 Subject: [PATCH 0420/1764] avformat/gdv: Check fps Fixes: Division by 0 Fixes: ffmpeg_zero_division.bin Found-by: Anatoly Trosinenko Signed-off-by: Michael Niedermayer (cherry picked from commit 38381400fca45d1ae6e7604335b507b7dc70a903) Signed-off-by: Michael Niedermayer --- libavformat/gdv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/gdv.c b/libavformat/gdv.c index a69c349cab..3ead383892 100644 --- a/libavformat/gdv.c +++ b/libavformat/gdv.c @@ -86,6 +86,9 @@ static int gdv_read_header(AVFormatContext *ctx) vst->nb_frames = avio_rl16(pb); fps = avio_rl16(pb); + if (!fps) + return AVERROR_INVALIDDATA; + snd_flags = avio_rl16(pb); if (snd_flags & 1) { ast = avformat_new_stream(ctx, 0); From d2fd2921e3427918cfc91a45a96d044079461e69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2019 12:51:22 +0100 Subject: [PATCH 0421/1764] avcodec/cdgraphics: Use ff_set_dimensions() Fixes: Timeout (17 sec -> 65 milli sec) Fixes: 13264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5711167941509120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a9f0e239c1c6f5c96cc90ba673087f86ca1eabc) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 87ad5e79f4..da6fb7af03 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -80,11 +80,8 @@ static av_cold int cdg_decode_init(AVCodecContext *avctx) return AVERROR(ENOMEM); cc->transparency = -1; - avctx->width = CDG_FULL_WIDTH; - avctx->height = CDG_FULL_HEIGHT; avctx->pix_fmt = AV_PIX_FMT_PAL8; - - return 0; + return ff_set_dimensions(avctx, CDG_FULL_WIDTH, CDG_FULL_HEIGHT); } static void cdg_border_preset(CDGraphicsContext *cc, uint8_t *data) From 51d29541cb22b2fb258fcafbd8bf6038c35a3a62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Mar 2019 20:14:05 +0100 Subject: [PATCH 0422/1764] avcodec/dvbsubdec: Check object position Reference: ETSI EN 300 743 V1.2.1 7.2.2 Region composition segment Fixes: Timeout Fixes: 13325/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5143979392237568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8c5ae451184e879fc8ff1333c6f26f9542c8ebf) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index b683109643..f329e05746 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1242,6 +1242,13 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, display->y_pos = AV_RB16(buf) & 0xfff; buf += 2; + if (display->x_pos >= region->width || + display->y_pos >= region->height) { + av_log(avctx, AV_LOG_ERROR, "Object outside region\n"); + av_free(display); + return AVERROR_INVALIDDATA; + } + if ((object->type == 1 || object->type == 2) && buf+1 < buf_end) { display->fgcolor = *buf++; display->bgcolor = *buf++; From 5e09dc8afebbdefa0b4c1b3d9e6b5b601e2b815b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 Mar 2019 23:45:19 +0100 Subject: [PATCH 0423/1764] avcodec/dfa: Check the chunk header is not truncated Fixes: Timeout (11sec -> 3sec) Fixes: 13218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-5661074316066816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f20760fadbc77483b9ff4b400b53ebb38ee33793) Signed-off-by: Michael Niedermayer --- libavcodec/dfa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index fdc1e198da..5aa1c8408e 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -353,6 +353,8 @@ static int dfa_decode_frame(AVCodecContext *avctx, bytestream2_init(&gb, avpkt->data, avpkt->size); while (bytestream2_get_bytes_left(&gb) > 0) { + if (bytestream2_get_bytes_left(&gb) < 12) + return AVERROR_INVALIDDATA; bytestream2_skip(&gb, 4); chunk_size = bytestream2_get_le32(&gb); chunk_type = bytestream2_get_le32(&gb); From 807d443c7eb4318c768f2b665c81defa405e9fe2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Mar 2019 02:30:57 +0100 Subject: [PATCH 0424/1764] avcodec/truemotion2: Fix integer overflow in tm2_null_res_block() Fixes: signed integer overflow: 1111638592 - -2122219136 cannot be represented in type 'int' Fixes: 13441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5732769815068672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1223696c725a8ea7e80498e6ccfab37eea179b76) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 2945d9948d..bc3f16827c 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -587,7 +587,8 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int { int i; int ct; - int left, right, diff; + unsigned left, right; + int diff; int deltas[16]; TM2_INIT_POINTERS(); From d31940f04e864542819fb6b998d796e14305bd3c Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Tue, 26 Mar 2019 13:32:11 +0100 Subject: [PATCH 0425/1764] lavc/bmp: Avoid a heap buffer overwrite for 1bpp input. Found by Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University. (cherry picked from commit 1e34014010dba9325fc5430934b51a61a5007c63) Signed-off-by: Michael Niedermayer --- libavcodec/bmp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index 65d239e4f8..40010ac46f 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -291,7 +291,7 @@ static int bmp_decode_frame(AVCodecContext *avctx, case 1: for (i = 0; i < avctx->height; i++) { int j; - for (j = 0; j < n; j++) { + for (j = 0; j < avctx->width >> 3; j++) { ptr[j*8+0] = buf[j] >> 7; ptr[j*8+1] = (buf[j] >> 6) & 1; ptr[j*8+2] = (buf[j] >> 5) & 1; @@ -301,6 +301,9 @@ static int bmp_decode_frame(AVCodecContext *avctx, ptr[j*8+6] = (buf[j] >> 1) & 1; ptr[j*8+7] = buf[j] & 1; } + for (j = 0; j < (avctx->width & 7); j++) { + ptr[avctx->width - (avctx->width & 7) + j] = buf[avctx->width >> 3] >> (7 - j) & 1; + } buf += n; ptr += linesize; } From 9ccc633068c6fe76989f487c8932bd11886ad65b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Mar 2019 20:55:08 +0100 Subject: [PATCH 0426/1764] avcodec/hevcdec: Avoid only partly skiping duplicate first slices Fixes: NULL pointer dereference and out of array access Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432 Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304 This also fixes the return code for explode mode Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 54655623a82632e7624714d7b2a3e039dc5faa7e) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 734c42037a..2412bd0a97 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -472,6 +472,11 @@ static int hls_slice_header(HEVCContext *s) // Coded parameters sh->first_slice_in_pic_flag = get_bits1(gb); + if (s->ref && sh->first_slice_in_pic_flag) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + return 1; // This slice will be skiped later, do not corrupt state + } + if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { s->seq_decode = (s->seq_decode + 1) & 0xff; s->max_ra = INT_MAX; @@ -2862,12 +2867,13 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) ret = hls_slice_header(s); if (ret < 0) return ret; + if (ret == 1) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + if (s->sh.first_slice_in_pic_flag) { - if (s->ref) { - av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); - goto fail; - } if (s->max_ra == INT_MAX) { if (s->nal_unit_type == HEVC_NAL_CRA_NUT || IS_BLA(s)) { s->max_ra = s->poc; From 0ac9001ab9f2bdd7c4306afd1a91d6c78b294d9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Mar 2019 10:23:26 +0100 Subject: [PATCH 0427/1764] Update for 3.4.6 Signed-off-by: Michael Niedermayer --- Changelog | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 75 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index cbc6ae7675..3c234352b9 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,79 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.6: +- avcodec/hevcdec: Avoid only partly skiping duplicate first slices +- lavc/bmp: Avoid a heap buffer overwrite for 1bpp input. +- avcodec/truemotion2: Fix integer overflow in tm2_null_res_block() +- avcodec/dfa: Check the chunk header is not truncated +- avcodec/dvbsubdec: Check object position +- avcodec/cdgraphics: Use ff_set_dimensions() +- avformat/gdv: Check fps +- avcodec/scpr: Fix use of uninitialized variable +- avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes +- avcodec/aic: Check remaining bits in aic_decode_coeffs() +- avcodec/gdv: Check for truncated tags in decompress_5() +- avcodec/bethsoftvideo: Check block_type +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/error_resilience: Use a symmetric check for skipping MV estimation +- avcodec/mlpdec: Insuffient typo +- avcodec/zmbv: obtain frame later +- avcodec/jvdec: Check available input space before decode8x8() +- avcodec/h264_direct: Fix overflow in POC comparission +- avformat/webmdashenc: Check id in adaption_sets +- avformat/http: Fix Out-of-Bounds access in process_line() +- avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393 +- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces +- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning +- avformat/matroskadec: Do not leak queued packets on sync errors +- avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream +- avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c() +- avformat/mov: validate chunk_count vs stsc_data +- avformat/mov.c: require tfhd to begin parsing trun +- avcodec/pgssubdec: Check for duplicate display segments +- avformat/rtsp: Check number of streams in sdp_parse_line() +- avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() +- avcodec/fic: Check that there is input left in fic_decode_block() +- avcodec/tiff: Check for 12bit gray fax +- avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr() +- avutil/mem: Optimize fill32() by unrolling and using 64bit +- configure: bump year +- avcodec/diracdec: Check component quant +- avcodec/tests/rangecoder: initialize array to avoid valgrind warning +- avcodec/h264_slice: Fix integer overflow in implicit_weight_table() +- avcodec/exr: set layer_match in all branches +- avcodec/exr: Check for duplicate channel index +- avcodec/4xm: Fix returned error codes +- avcodec/v4l2_m2m: fix cant typo +- avcodec/mjpegbdec: Fix some misplaced {} and spaces +- avformat/wvdec: detect and error out on WavPack DSD files +- avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa +- avcodec/fic: Fail on invalid slice size/off +- postproc/postprocess_template: remove FF_REG_sp from clobber list +- postproc/postprocess_template: Avoid using %4 for the threshold compare +- avcodec/rpza: Check that there is enough data for all the blocks +- avcodec/rpza: Move frame allocation to a later point +- avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID +- avformat/mpegts: Fix side data type for stream id +- tests/fate/filter-video: increase fuzz for fate-filter-refcmp-psnr-rgb +- avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan() +- lavf/id3v2: fail read_apic on EOF reading mimetype +- avformat/nutenc: Document trailer index assert better +- lavf/mov: ensure only one tkhd per trak +- avcodec/ppc/hevcdsp: Fix build failures with powerpc-linux-gnu-gcc-4.8 with --disable-optimizations +- avcodec/msvideo1: Check for too small dimensions +- avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size +- avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size +- avcodec/truemotion2rt: Fix rounding in input size check +- avcodec/truemotion2: fix integer overflows in tm2_low_chroma() +- avcodec/pngdec: Check compression method +- fftools/ffmpeg: Repair reinit_filter feature +- avcodec/shorten: Fix integer overflow with offset +- avcodec/cavsdec: Propagate error codes inside decode_mb_i() +- avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case +- avcodec/hevcdec: decode at most one slice reporting being the first in the picture +- avfilter/af_silenceremove: fix possible crash if supplied duration is negative + version 3.4.5: - avutil/integer: Fix integer overflow in av_mul_i() - avcodec/msrle: Check that the input is large enough to contain a end of picture code diff --git a/RELEASE b/RELEASE index 4f5e69734c..1cf8253024 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.5 +3.4.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4ac2d47e66..79b27a6b2f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.5 +PROJECT_NUMBER = 3.4.6 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From a9282fc9642bd67c2bbc16dd4b7b3fe7ab27e104 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jul 2019 10:13:08 -0300 Subject: [PATCH 0428/1764] avformat/aacdec: factorize the adts frame resync code Signed-off-by: James Almer (cherry picked from commit a38eab8b7501440f872ff1af8a0c5482b7b3e532) --- libavformat/aacdec.c | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index 36d558ff54..4cd2f9077e 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -77,10 +77,31 @@ static int adts_aac_probe(AVProbeData *p) return 0; } +static int adts_aac_resync(AVFormatContext *s) +{ + uint16_t state; + + // skip data until an ADTS frame is found + state = avio_r8(s->pb); + while (!avio_feof(s->pb) && avio_tell(s->pb) < s->probesize) { + state = (state << 8) | avio_r8(s->pb); + if ((state >> 4) != 0xFFF) + continue; + avio_seek(s->pb, -2, SEEK_CUR); + break; + } + if (s->pb->eof_reached) + return AVERROR_EOF; + if ((state >> 4) != 0xFFF) + return AVERROR_INVALIDDATA; + + return 0; +} + static int adts_aac_read_header(AVFormatContext *s) { AVStream *st; - uint16_t state; + int ret; st = avformat_new_stream(s, NULL); if (!st) @@ -98,17 +119,9 @@ static int adts_aac_read_header(AVFormatContext *s) avio_seek(s->pb, cur, SEEK_SET); } - // skip data until the first ADTS frame is found - state = avio_r8(s->pb); - while (!avio_feof(s->pb) && avio_tell(s->pb) < s->probesize) { - state = (state << 8) | avio_r8(s->pb); - if ((state >> 4) != 0xFFF) - continue; - avio_seek(s->pb, -2, SEEK_CUR); - break; - } - if ((state >> 4) != 0xFFF) - return AVERROR_INVALIDDATA; + ret = adts_aac_resync(s); + if (ret < 0) + return ret; // LCM of all possible ADTS sample rates avpriv_set_pts_info(st, 64, 1, 28224000); From bb22b9ce211c934db628a4ab1669d436864753e3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 20 Jul 2019 21:47:55 -0300 Subject: [PATCH 0429/1764] avformat/aacdec: resync to the next adts frame on invalid data instead of aborting Should fix ticket #6634 Signed-off-by: James Almer (cherry picked from commit 881e1f5a6227a6fbaf67083d4d4b6caf58ff9892) --- libavformat/aacdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index 4cd2f9077e..7008340a32 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -133,6 +133,7 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) { int ret, fsize; +retry: ret = av_get_packet(s->pb, pkt, ADTS_HEADER_SIZE); if (ret < 0) return ret; @@ -143,7 +144,10 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) if ((AV_RB16(pkt->data) >> 4) != 0xfff) { av_packet_unref(pkt); - return AVERROR_INVALIDDATA; + ret = adts_aac_resync(s); + if (ret < 0) + return ret; + goto retry; } fsize = (AV_RB32(pkt->data + 3) >> 13) & 0x1FFF; From 29362d5f9a4cc99a783e6c0e362644219e61bb89 Mon Sep 17 00:00:00 2001 From: Mark Harris Date: Sat, 24 Nov 2018 13:02:02 -0800 Subject: [PATCH 0430/1764] avutil/mem: Fix invalid use of av_alloc_size The alloc_size attribute is valid only on functions that return a pointer. GCC 9 (not yet released) warns about invalid usage: ./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes] 342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); | ^~~~~~~~~~~~~ Signed-off-by: Michael Niedermayer (cherry picked from commit 4361293fcf59edb56879c36edcd25f0a91e0edf8) --- libavutil/mem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mem.h b/libavutil/mem.h index 527cd03191..d6f9c81549 100644 --- a/libavutil/mem.h +++ b/libavutil/mem.h @@ -338,7 +338,7 @@ av_alloc_size(2, 3) void *av_realloc_array(void *ptr, size_t nmemb, size_t size) * @warning Unlike av_malloc(), the allocated memory is not guaranteed to be * correctly aligned. */ -av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size); +int av_reallocp_array(void *ptr, size_t nmemb, size_t size); /** * Reallocate the given buffer if it is not large enough, otherwise do nothing. From 31161bc96931fb86465d1adaef44df375201a033 Mon Sep 17 00:00:00 2001 From: Stefan Schoenefeld Date: Fri, 2 Aug 2019 09:18:10 +0000 Subject: [PATCH 0431/1764] avcodec/h263dec: fix hwaccel decoding Recently we encountered an issue when decoding a h.263 file: FFmpeg will freeze when decoding h.263 video with NVDEC. Turns out this is not directly related to NVDEC but is a problem that shows with several other HW decoders like VDPAU, though the exact kind of error is different (either error messages or freezing[1]). The root cause is that ff_thread_finish_setup() is called twice per frame from ff_h263_decode_frame(). This is not supported by ff_thread_finish_setup() and specifically checked for and warned against in the functions code. The issue is also specific to hw accelerated decoding only as the second call to ff_thread_finish_setup() is only issued when hw acceleration is on. The fix is simple: add a check that the first call is only send when hw acceleration is off, and the second call only when hw acceleration is on (see attached patch). This works fine as far as I was able to test with vdpau and nvdec/nvcuvid hw decoding. The patch also adds NVDEC to the hw config list if available. I also noticed a secondary issue when browsing through the code which is that, according to documentation, ff_thread_finish_setup() should only be called if the codec implements update_thread_context(), which h263dec does not. The patch does not address this and I'm not sure any action needs to be taken here at all. [1] This is depending on whether or not the hw decoder sets the HWACCEL_CAPS_ASYNC_SAFE flag Signed-off-by: Timo Rothenpieler --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 9497c735b2..7659697d17 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -600,7 +600,7 @@ retry: if ((ret = ff_mpv_frame_start(s, avctx)) < 0) return ret; - if (!s->divx_packed) + if (!s->divx_packed && !avctx->hwaccel) ff_thread_finish_setup(avctx); #if FF_API_CAP_VDPAU From cfa7c079f72b65bfe038af84d95d384a609d4f0a Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Mon, 1 Jul 2019 00:37:08 +0200 Subject: [PATCH 0432/1764] lavf/rawenc: Only accept the appropriate stream type for raw muxers. This does not affect the rawvideo muxer. Fixes ticket #7979. (cherry picked from commit aef24efb0c1e65097ab77a4bf9264189bdf3ace3) --- libavformat/rawenc.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/libavformat/rawenc.c b/libavformat/rawenc.c index f640121cb4..440ea4a598 100644 --- a/libavformat/rawenc.c +++ b/libavformat/rawenc.c @@ -39,6 +39,18 @@ static int force_one_stream(AVFormatContext *s) s->oformat->name); return AVERROR(EINVAL); } + if ( s->oformat->audio_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_AUDIO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one audio stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } + if ( s->oformat->video_codec != AV_CODEC_ID_NONE + && s->streams[0]->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) { + av_log(s, AV_LOG_ERROR, "%s files have exactly one video stream\n", + s->oformat->name); + return AVERROR(EINVAL); + } return 0; } From 45bf2f4d72f11ea4bf757b413931fc1b43c0d643 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 22 Sep 2019 23:55:49 -0300 Subject: [PATCH 0433/1764] avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it This can happen when av_bsf_free() is called on av_bsf_alloc() failure. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit d889ae33962e4ad2b24175418fe89d72ce712179) --- libavcodec/bsf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/bsf.c b/libavcodec/bsf.c index 38b423101c..676c271b9c 100644 --- a/libavcodec/bsf.c +++ b/libavcodec/bsf.c @@ -47,7 +47,8 @@ void av_bsf_free(AVBSFContext **pctx) av_opt_free(ctx); - av_packet_free(&ctx->internal->buffer_pkt); + if (ctx->internal) + av_packet_free(&ctx->internal->buffer_pkt); av_freep(&ctx->internal); av_freep(&ctx->priv_data); From 1a71be4eaa22f131de272232672746622956638f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Mar 2019 17:31:17 +0200 Subject: [PATCH 0434/1764] avcodec/rscc: Check that the to be uncompressed input is large enough Fixes: Out of array access Fixes: 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3a0ec1511e7040845a0d1ce99fe2f30a0972b6d2) Signed-off-by: Michael Niedermayer --- libavcodec/rscc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index f270cd5351..b170e5f618 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -182,6 +182,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, /* If necessary, uncompress tiles, and hijack the bytestream reader */ if (packed_tiles_size != tiles_nb * TILE_SIZE) { uLongf length = tiles_nb * TILE_SIZE; + + if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } + inflated_tiles = av_malloc(length); if (!inflated_tiles) { ret = AVERROR(ENOMEM); From 12a6305799d8768fa88daf1e3fa294abb19024d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Mar 2019 00:39:56 +0100 Subject: [PATCH 0435/1764] avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks() Fixes: signed integer overflow: 255 + 2147483634 cannot be represented in type 'int' Fixes: 13472/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5712444142387200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ad0533e914a2618aea1dc77748037bd8459f61d) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index bc3f16827c..691a05a696 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -824,7 +824,7 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) dst = p->data[0]; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { - int y = Y[i], u = U[i >> 1], v = V[i >> 1]; + unsigned y = Y[i], u = U[i >> 1], v = V[i >> 1]; dst[3*i+0] = av_clip_uint8(y + v); dst[3*i+1] = av_clip_uint8(y); dst[3*i+2] = av_clip_uint8(y + u); From 76f6712057e1e6ad0f9f2a8e4f83c4656e24e81e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Apr 2019 16:44:53 +0200 Subject: [PATCH 0436/1764] avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation It seems the specification does not limit the value to 32bit Fixes: signed integer overflow: -109611143 * 24 cannot be represented in type 'int' Fixes: 13477/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5648337460527104 Signed-off-by: Michael Niedermayer (cherry picked from commit 837820f385af699f9bee5e2ba3169dda15e5894d) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 67aaf1f0c3..7ae795a928 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1408,7 +1408,7 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *b = s->globalmc[ref].pan_tilt; int *c = s->globalmc[ref].perspective; - int m = (1< Date: Fri, 12 Apr 2019 00:09:57 +0200 Subject: [PATCH 0437/1764] avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform() Fixes: assertion failure Fixes: 14078/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5760571284127744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 110dce96331529a13cc815d3c852aed9d37f83d0) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index cea40d82ca..68cef856d4 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -488,12 +488,6 @@ static int ivi_dec_tile_data_size(GetBitContext *gb) static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs, int blk_size) { - int buf_size = band->pitch * band->aheight - buf_offs; - int min_size = (blk_size - 1) * band->pitch + blk_size; - - if (min_size > buf_size) - return AVERROR_INVALIDDATA; - band->dc_transform(prev_dc, band->buf + buf_offs, band->pitch, blk_size); @@ -724,6 +718,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, if (ret < 0) return ret; } else { + int buf_size = band->pitch * band->aheight - buf_offs; + int min_size = (blk_size - 1) * band->pitch + blk_size; + + if (min_size > buf_size) + return AVERROR_INVALIDDATA; /* block not coded */ /* for intra blocks apply the dc slant transform */ /* for inter - perform the motion compensation without delta */ From 7751626787a4b9075880312d128cd4bc0caaedbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Apr 2019 18:11:42 +0200 Subject: [PATCH 0438/1764] avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside Fixes: index 20 out of bounds for type 'const char *[4][128]' Fixes: 14367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CCAPTION_fuzzer-5718819672162304 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f17e8e90bb1fe5e4db18cc6dde9522417108c7bd) Signed-off-by: Michael Niedermayer --- libavcodec/ccaption_dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c index 09ceb1b3bf..bf3563a0bc 100644 --- a/libavcodec/ccaption_dec.c +++ b/libavcodec/ccaption_dec.c @@ -212,10 +212,10 @@ static const unsigned char pac2_attribs[32][3] = // Color, font, ident struct Screen { /* +1 is used to compensate null character of string */ - uint8_t characters[SCREEN_ROWS][SCREEN_COLUMNS+1]; - uint8_t charsets[SCREEN_ROWS][SCREEN_COLUMNS+1]; - uint8_t colors[SCREEN_ROWS][SCREEN_COLUMNS+1]; - uint8_t fonts[SCREEN_ROWS][SCREEN_COLUMNS+1]; + uint8_t characters[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; + uint8_t charsets[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; + uint8_t colors[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; + uint8_t fonts[SCREEN_ROWS+1][SCREEN_COLUMNS+1]; /* * Bitmask of used rows; if a bit is not set, the * corresponding row is not used. From 59ac4182583e4791a7f98b79099916fd96beedfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 23:56:43 +0200 Subject: [PATCH 0439/1764] avformat/aadec: Check for scanf() failure Fixes: use of uninitialized variables Fixes: blank.aa Found-by: Chamal De Silva Signed-off-by: Michael Niedermayer (cherry picked from commit ed188f6dcdf0935c939ed813cf8745d50742014b) Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index 8d39b1d9ba..fe7a99f827 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -79,6 +79,7 @@ static int aa_read_header(AVFormatContext *s) AADemuxContext *c = s->priv_data; AVIOContext *pb = s->pb; AVStream *st; + int ret; /* parse .aa header */ avio_skip(pb, 4); // file size @@ -112,8 +113,12 @@ static int aa_read_header(AVFormatContext *s) header_seed = atoi(val); } else if (!strcmp(key, "HeaderKey")) { // this looks like "1234567890 1234567890 1234567890 1234567890" av_log(s, AV_LOG_DEBUG, "HeaderKey is <%s>\n", val); - sscanf(val, "%"SCNu32"%"SCNu32"%"SCNu32"%"SCNu32, + + ret = sscanf(val, "%"SCNu32"%"SCNu32"%"SCNu32"%"SCNu32, &header_key_part[0], &header_key_part[1], &header_key_part[2], &header_key_part[3]); + if (ret != 4) + return AVERROR_INVALIDDATA; + for (idx = 0; idx < 4; idx++) { AV_WB32(&header_key[idx * 4], header_key_part[idx]); // convert each part to BE! } From 26d7824352f0baada703024b4920166004b451af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 22:15:14 +0200 Subject: [PATCH 0440/1764] avformat/mov: Skip stsd adjustment without chunks Fixes: Assertion failure Fixes: clusterfuzz-testcase-minimized-media_pipeline_integration_fuzzer-5683096400822272 Found-by: Clusterfuzz Reported-by: Dan Sanders Signed-off-by: Michael Niedermayer (cherry picked from commit 18a567c369d74af5ef651b07c4c5615f5598616b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 51118ba07d..e72a9f6cbe 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6781,6 +6781,7 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp, } /* adjust stsd index */ + if (sc->chunk_count) { time_sample = 0; for (i = 0; i < sc->stsc_count; i++) { int64_t next = time_sample + mov_get_stsc_samples(sc, i); @@ -6792,6 +6793,7 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp, av_assert0(next == (int)next); time_sample = next; } + } return sample; } From bbbe82b142f26ce54dd55f5589b4d5c436b280df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 00:09:38 +0200 Subject: [PATCH 0441/1764] avutil/avstring: Fix bug and undefined behavior in av_strncasecmp() The function in case of n=0 would read more bytes than 0. The end pointer could be beyond the allocated space, which is undefined. Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6f0e9a863466bfcbd75ee15d4d8a6aad2a5126a4) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index f03dd25141..4c068f5bc5 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -222,12 +222,13 @@ int av_strcasecmp(const char *a, const char *b) int av_strncasecmp(const char *a, const char *b, size_t n) { - const char *end = a + n; uint8_t c1, c2; + if (n <= 0) + return 0; do { c1 = av_tolower(*a++); c2 = av_tolower(*b++); - } while (a < end && c1 && c1 == c2); + } while (--n && c1 && c1 == c2); return c1 - c2; } From 85b8a4d2c7f4e2b5ea2ac0ba6f3bbfa12a10708d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2019 08:58:49 +0100 Subject: [PATCH 0442/1764] avcodec/aacdec_fixed: Fix undefined shift in noise_scale() Fixes: 13655/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5120559430500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ea211ab79d646f6d0af0945971ee55f36bfcbc9) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 26b605b59c..0b0281de4a 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -221,7 +221,7 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) } else { s = s + 32; - round = 1 << (s-1); + round = s ? 1 << (s-1) : 0; for (i=0; i> s); coefs[i] = out * ssign; From b131d7653ecbd95ba7f432b1952f3ca514aadd19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Apr 2019 00:41:54 +0200 Subject: [PATCH 0443/1764] avcodec/jpeg2000: Check stepsize before using it Fixes: value 1.87633e+10 is outside the range of representable values of type 'int' Fixes: Undefined behavior Fixes: 14246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5758393601490944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06ef186fa1b7329c6fe6723372a72464c998059b) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index 026b2db56f..3ec4e8d7d9 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -247,6 +247,11 @@ static void init_band_stepsize(AVCodecContext *avctx, } } + if (band->f_stepsize > (INT_MAX >> 15)) { + band->f_stepsize = 0; + av_log(avctx, AV_LOG_ERROR, "stepsize out of range\n"); + } + band->i_stepsize = band->f_stepsize * (1 << 15); /* FIXME: In OpenJPEG code stepsize = stepsize * 0.5. Why? From 0fe00cdc5443512c982b09595df61a47173f8b2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Apr 2019 01:05:44 +0200 Subject: [PATCH 0444/1764] avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block() Fixes: signed integer overflow: -2147483648 + -1 cannot be represented in type 'int' Fixes: 14107/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5694078680825856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4a1b8d409639b2394589efe20ad55410cce391c) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 691a05a696..b0a6935b0d 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -674,8 +674,8 @@ static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int b /* update chroma */ for (j = 0; j < 2; j++) { for (i = 0; i < 2; i++) { - U[i] = Uo[i] + GET_TOK(ctx, TM2_UPD); - V[i] = Vo[i] + GET_TOK(ctx, TM2_UPD); + U[i] = Uo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); + V[i] = Vo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); } U += Ustride; V += Vstride; From cc5257aa270ef78f7f6293b08a97965aff91123d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 May 2019 00:15:33 +0200 Subject: [PATCH 0445/1764] avcodec/jvdec: Use ff_get_buffer() when the content is not reused Fixes: Timeout (11sec -> 5sec) Fixes: 14473/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JV_fuzzer-5761630857592832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 09edcd35726c9ebea8a175b54dfe05483f7154f2) Signed-off-by: Michael Niedermayer --- libavcodec/jvdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index 4337d5681e..b06e7cf2bf 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -163,13 +163,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size); return AVERROR_INVALIDDATA; } - if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) - return ret; if (video_type == 0 || video_type == 1) { GetBitContext gb; init_get_bits(&gb, buf, 8 * video_size); + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) + return ret; + if (avctx->height/8 * (avctx->width/8) > 4 * video_size) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n"); return AVERROR_INVALIDDATA; @@ -184,6 +185,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += video_size; } else if (video_type == 2) { int v = *buf++; + + av_frame_unref(s->frame); + if ((ret = ff_get_buffer(avctx, s->frame, AV_GET_BUFFER_FLAG_REF)) < 0) + return ret; + for (j = 0; j < avctx->height; j++) memset(s->frame->data[0] + j * s->frame->linesize[0], v, avctx->width); From ae1c6169b6c1d71f68227478fe0d2e899889669d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2019 18:38:33 +0200 Subject: [PATCH 0446/1764] avcodec/fits: Check bitpix Reference: Table 8: Interpretation of valid BITPIX value from FITS standard 4.0 Fixes: runtime error: division by zero Fixes: 14581/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5652382425284608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0b5c93b276a14d1990aaabd77410a562f4b242c3) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index 365347fc64..ad73ab70de 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -138,6 +138,17 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t case STATE_BITPIX: CHECK_KEYWORD("BITPIX"); CHECK_VALUE("BITPIX", bitpix); + + switch(header->bitpix) { + case 8: + case 16: + case 32: case -32: + case 64: case -64: break; + default: + av_log(avcl, AV_LOG_ERROR, "invalid value of BITPIX %d\n", header->bitpix); \ + return AVERROR_INVALIDDATA; + } + dict_set_if_not_null(metadata, keyword, value); header->state = STATE_NAXIS; From 81b5f4fac7fca819e3d09d0995f012b50f036585 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 20 Apr 2019 00:03:14 +0200 Subject: [PATCH 0447/1764] lavf/webm_chunk: Respect buffer size The last argument of av_strlcpy is supposed to contain the size of the destination buffer, but it was filled with the size of the source string, effectively negating its very purpose. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 73ef1f47f59333328264a968c8fbbcfb0bf0643f) Signed-off-by: Michael Niedermayer --- libavformat/webm_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index f8dbaa3339..3f91162da7 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -96,7 +96,7 @@ static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) av_log(oc, AV_LOG_ERROR, "No header filename provided\n"); return AVERROR(EINVAL); } - av_strlcpy(filename, wc->header_filename, strlen(wc->header_filename) + 1); + av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE); } else { if (av_get_frame_filename(filename, MAX_FILENAME_SIZE, s->filename, wc->chunk_index - 1) < 0) { From 9f8d2716a6419bd622d394961214303ae4667d85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2019 23:05:47 +0200 Subject: [PATCH 0448/1764] avcodec/hq_hqa: Check available space before reading slice offsets Fixes: Timeout (43sec -> 18sec) Fixes: 14556/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5673543024508928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 407e7c34ca8a3047e4f1b14287053638b4add68d) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index ec9da3e04f..90bafdc72a 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -248,6 +248,9 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size) int width, height, quant; const uint8_t *src = ctx->gbc.buffer; + if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1)) + return AVERROR_INVALIDDATA; + width = bytestream2_get_be16(&ctx->gbc); height = bytestream2_get_be16(&ctx->gbc); From a0966c15b1747b93dd3b9da6d29b2b12dccf6733 Mon Sep 17 00:00:00 2001 From: Adam Richter Date: Sun, 12 May 2019 05:03:25 -0700 Subject: [PATCH 0449/1764] libswcale: Fix possible string overflow in test. In libswcale/tests/swcale.c, the function fileTest() calls sscanf in an argument of "%12s" on character srcStr[] and dstStr[], which are only 12 bytes. So, if the input string is 12 characters, a terminating null byte can be written past the end of these arrays. This bug was found by cppcheck. Signed-off-by: Michael Niedermayer (cherry picked from commit b8ed4930618b170de57a9086e1e9892216454684) Signed-off-by: Michael Niedermayer --- libswscale/tests/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index b4b8173a31..2ea0eaf79b 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -308,10 +308,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, while (fgets(buf, sizeof(buf), fp)) { struct Results r; enum AVPixelFormat srcFormat; - char srcStr[12]; + char srcStr[13]; int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; - char dstStr[12]; + char dstStr[13]; int dstW = 0, dstH = 0; int flags; int ret; From 900c0ecaedfed4670cb5f8c4719988557ccbad39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 May 2019 12:50:38 +0200 Subject: [PATCH 0450/1764] swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes Some formats use longer names than 12. Signed-off-by: Michael Niedermayer (cherry picked from commit 9d269301f017657c3ae2e95a411317640acd39a8) Signed-off-by: Michael Niedermayer --- libswscale/tests/swscale.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index 2ea0eaf79b..4e0e9a22c5 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -308,22 +308,22 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, while (fgets(buf, sizeof(buf), fp)) { struct Results r; enum AVPixelFormat srcFormat; - char srcStr[13]; + char srcStr[21]; int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; - char dstStr[13]; + char dstStr[21]; int dstW = 0, dstH = 0; int flags; int ret; ret = sscanf(buf, - " %12s %dx%d -> %12s %dx%d flags=%d CRC=%x" + " %20s %dx%d -> %20s %dx%d flags=%d CRC=%x" " SSD=%"SCNu64 ", %"SCNu64 ", %"SCNu64 ", %"SCNu64 "\n", srcStr, &srcW, &srcH, dstStr, &dstW, &dstH, &flags, &r.crc, &r.ssdY, &r.ssdU, &r.ssdV, &r.ssdA); if (ret != 12) { srcStr[0] = dstStr[0] = 0; - ret = sscanf(buf, "%12s -> %12s\n", srcStr, dstStr); + ret = sscanf(buf, "%20s -> %20s\n", srcStr, dstStr); } srcFormat = av_get_pix_fmt(srcStr); From 0ecde06ee746ca3b785cd200e0af0485b03cf922 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2019 17:42:04 +0200 Subject: [PATCH 0451/1764] avcodec/cpia: Check input size also against linesizes and EOL Fixes: Timeout (14sec -> 29ms) Fixes: 14733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5707022445576192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Carl Eugen Hoyos Signed-off-by: Michael Niedermayer (cherry picked from commit 3c0bfa7d1a90a22d5fe8daa415cc689c111562f1) Signed-off-by: Michael Niedermayer --- libavcodec/cpia.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cpia.c b/libavcodec/cpia.c index 58833b2f26..f6d7332606 100644 --- a/libavcodec/cpia.c +++ b/libavcodec/cpia.c @@ -63,7 +63,7 @@ static int cpia_decode_frame(AVCodecContext *avctx, uint8_t *y, *u, *v, *y_end, *u_end, *v_end; // Check header - if ( avpkt->size < FRAME_HEADER_SIZE + if ( avpkt->size < FRAME_HEADER_SIZE + avctx->height * 3 || header[0] != MAGIC_0 || header[1] != MAGIC_1 || (header[17] != SUBSAMPLE_420 && header[17] != SUBSAMPLE_422) || (header[18] != YUVORDER_YUYV && header[18] != YUVORDER_UYVY) From abb7d3f1d00aad2f2c7923b59f847064f7017e06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 May 2019 20:45:14 +0200 Subject: [PATCH 0452/1764] avformat/webm_chunk: Check header filename length Signed-off-by: Michael Niedermayer (cherry picked from commit 3b5b977c9f96e2c3803317ad75253801bc571791) Signed-off-by: Michael Niedermayer --- libavformat/webm_chunk.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index 3f91162da7..dd49afdb9e 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -92,11 +92,16 @@ static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) return AVERROR(EINVAL); } if (is_header) { + int len; if (!wc->header_filename) { av_log(oc, AV_LOG_ERROR, "No header filename provided\n"); return AVERROR(EINVAL); } - av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE); + len = av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE); + if (len >= MAX_FILENAME_SIZE) { + av_log(oc, AV_LOG_ERROR, "Header filename too long\n"); + return AVERROR(EINVAL); + } } else { if (av_get_frame_filename(filename, MAX_FILENAME_SIZE, s->filename, wc->chunk_index - 1) < 0) { From e1ceb17ee357bc5cd31843793c0d1a0a3c030199 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 May 2019 20:36:18 +0200 Subject: [PATCH 0453/1764] avformat/webm_chunk: Specify expected argument length of get_chunk_filename() Signed-off-by: Michael Niedermayer (cherry picked from commit 1a74b04737f08e2e11a02ada280407889f6cadb1) Signed-off-by: Michael Niedermayer --- libavformat/webm_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index dd49afdb9e..191a30e64f 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -84,7 +84,7 @@ static int chunk_mux_init(AVFormatContext *s) return 0; } -static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename) +static int get_chunk_filename(AVFormatContext *s, int is_header, char filename[MAX_FILENAME_SIZE]) { WebMChunkContext *wc = s->priv_data; AVFormatContext *oc = wc->avf; From eec89990b5571a34f86251f01d0e3c77d38c67fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2019 00:31:24 +0200 Subject: [PATCH 0454/1764] avcodec/truemotion2: Fix several integer overflows in tm2_update_block() Fixes: signed integer overflow: -1877966852 + -469491713 cannot be represented in type 'int' Fixes: 14561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5167608359288832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8eecf761a65baf4ce6f25c0a149819cc9414c0f0) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index b0a6935b0d..d59095622d 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -688,15 +688,15 @@ static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int b TM2_RECALC_BLOCK(V, Vstride, (clast + 2), (ctx->CD + 2)); /* update deltas */ - ctx->D[0] = Yo[3] - last[3]; - ctx->D[1] = Yo[3 + oYstride] - Yo[3]; - ctx->D[2] = Yo[3 + oYstride * 2] - Yo[3 + oYstride]; - ctx->D[3] = Yo[3 + oYstride * 3] - Yo[3 + oYstride * 2]; + ctx->D[0] = (unsigned)Yo[3] - last[3]; + ctx->D[1] = (unsigned)Yo[3 + oYstride] - Yo[3]; + ctx->D[2] = (unsigned)Yo[3 + oYstride * 2] - Yo[3 + oYstride]; + ctx->D[3] = (unsigned)Yo[3 + oYstride * 3] - Yo[3 + oYstride * 2]; for (j = 0; j < 4; j++) { d = last[3]; for (i = 0; i < 4; i++) { - Y[i] = Yo[i] + GET_TOK(ctx, TM2_UPD); + Y[i] = Yo[i] + (unsigned)GET_TOK(ctx, TM2_UPD); last[i] = Y[i]; } ctx->D[j] = last[3] - d; From 20ecac12c9d82efd397a0aee8d8c76fe9bb9c665 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 May 2019 12:12:29 +0200 Subject: [PATCH 0455/1764] avformat/mp3enc: Avoid SEEK_END as it is unsupported Signed-off-by: Michael Niedermayer (cherry picked from commit bf3ee6a13053d37a0c5022a324624e89f0bce8c5) Signed-off-by: Michael Niedermayer --- libavformat/mp3enc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c index 8479e2485b..dd805dc5c8 100644 --- a/libavformat/mp3enc.c +++ b/libavformat/mp3enc.c @@ -393,6 +393,7 @@ static void mp3_update_xing(AVFormatContext *s) uint16_t tag_crc; uint8_t *toc; int i, rg_size; + int64_t old_pos = avio_tell(s->pb); /* replace "Xing" identification string with "Info" for CBR files. */ if (!mp3->has_variable_bitrate) @@ -452,7 +453,7 @@ static void mp3_update_xing(AVFormatContext *s) avio_seek(s->pb, mp3->xing_frame_offset, SEEK_SET); avio_write(s->pb, mp3->xing_frame, mp3->xing_frame_size); - avio_seek(s->pb, 0, SEEK_END); + avio_seek(s->pb, old_pos, SEEK_SET); } static int mp3_write_trailer(struct AVFormatContext *s) From e575ac8d8463a356dfce9e2bde367edaa4bf75f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2019 11:03:59 +0200 Subject: [PATCH 0456/1764] avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify (cherry picked from commit 3d5863d73915748013975cac8d2148c5fc3d01c3) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 0b0281de4a..589e28eb86 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -195,12 +195,12 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) static void noise_scale(int *coefs, int scale, int band_energy, int len) { - int ssign = scale < 0 ? -1 : 1; - int s = FFABS(scale); + int s = -scale; unsigned int round; int i, out, c = exp2tab[s & 3]; int nlz = 0; + av_assert0(s >= 0); while (band_energy > 0x7fff) { band_energy >>= 1; nlz++; @@ -216,7 +216,7 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) round = s ? 1 << (s-1) : 0; for (i=0; i> 32); - coefs[i] = ((int)(out+round) >> s) * ssign; + coefs[i] = -((int)(out+round) >> s); } } else { @@ -224,7 +224,7 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) round = s ? 1 << (s-1) : 0; for (i=0; i> s); - coefs[i] = out * ssign; + coefs[i] = -out; } } } From 1b2691fe1a6bf8a51f27bec0769ce5b754e61d77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2019 11:55:43 +0200 Subject: [PATCH 0457/1764] avcodec/aacdec_template: Merge 3 #ifs related to noise handling Fewer #if and fewer lines Signed-off-by: Michael Niedermayer (cherry picked from commit bc33c99d56791fc26ccafb49512b59e38b99ca12) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 10de02b34c..3853fb5d8e 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1672,25 +1672,24 @@ static int decode_spectrum_and_dequant(AACContext *ac, INTFLOAT coef[1024], } } else if (cbt_m1 == NOISE_BT - 1) { for (group = 0; group < (AAC_SIGNE)g_len; group++, cfo+=128) { -#if !USE_FIXED - float scale; -#endif /* !USE_FIXED */ INTFLOAT band_energy; - +#if USE_FIXED for (k = 0; k < off_len; k++) { ac->random_state = lcg_random(ac->random_state); -#if USE_FIXED cfo[k] = ac->random_state >> 3; -#else - cfo[k] = ac->random_state; -#endif /* USE_FIXED */ } -#if USE_FIXED band_energy = ac->fdsp->scalarproduct_fixed(cfo, cfo, off_len); band_energy = fixed_sqrt(band_energy, 31); noise_scale(cfo, sf[idx], band_energy, off_len); #else + float scale; + + for (k = 0; k < off_len; k++) { + ac->random_state = lcg_random(ac->random_state); + cfo[k] = ac->random_state; + } + band_energy = ac->fdsp->scalarproduct_float(cfo, cfo, off_len); scale = sf[idx] / sqrtf(band_energy); ac->fdsp->vector_fmul_scalar(cfo, cfo, scale, off_len); From 1dc80a7d4e3cd49e031e43af0701b65f0060f94f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 May 2019 12:00:18 +0200 Subject: [PATCH 0458/1764] avcodec/aacdec_fixed: Handle more extreem cases in noise_scale() Its unclear if these cases have any relevance in real files Fixes: shift exponent -2 is negative Fixes: 14489/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5681941631729664 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d14663f8345a84613b1ec041fd65e4a90057320) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 589e28eb86..16a8e9ce48 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -221,10 +221,15 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len) } else { s = s + 32; - round = s ? 1 << (s-1) : 0; - for (i=0; i> s); - coefs[i] = -out; + if (s > 0) { + round = 1 << (s-1); + for (i=0; i> s); + coefs[i] = -out; + } + } else { + for (i=0; i Date: Sat, 18 May 2019 10:37:26 +0200 Subject: [PATCH 0459/1764] avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure) Fixes: NULL pointer dereference Fixes: 14723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5654612436058112 Fixes: 14724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5712607111020544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf3156e762bbd3fbaf9da53f3ef1ea6d1bad2ec5) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 3853fb5d8e..499071a1df 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2462,6 +2462,9 @@ static void apply_tns(INTFLOAT coef_param[1024], TemporalNoiseShaping *tns, INTFLOAT tmp[TNS_MAX_ORDER+1]; UINTFLOAT *coef = coef_param; + if(!mmm) + return; + for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; for (filt = 0; filt < tns->n_filt[w]; filt++) { From 14a62019bbbd122d396acc593ba1cf1b1f1a7ec0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2019 23:28:49 +0200 Subject: [PATCH 0460/1764] avcodec/vmnc: Check available space against chunks before reget_buffer() Fixes: Timeout (16sec -> 60ms) Fixes: 14673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMNC_fuzzer-5640217517621248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 279d9a84af37cc1a7cf79c1cd667105eeb948611) Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 30b1414e49..e273043311 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -333,11 +333,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *outptr; int dx, dy, w, h, depth, enc, chunks, res, size_left, ret; + bytestream2_init(gb, buf, buf_size); + bytestream2_skip(gb, 2); + chunks = bytestream2_get_be16(gb); + if (12LL * chunks > bytestream2_get_bytes_left(gb)) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) return ret; - bytestream2_init(gb, buf, buf_size); - c->pic->key_frame = 0; c->pic->pict_type = AV_PICTURE_TYPE_P; @@ -369,8 +373,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } } - bytestream2_skip(gb, 2); - chunks = bytestream2_get_be16(gb); + while (chunks--) { if (bytestream2_get_bytes_left(gb) < 12) { av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n"); From ddf153b139dde63690c26868c7b9d924be73a08f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 May 2019 02:01:33 +0200 Subject: [PATCH 0461/1764] avcodec/diracdec: Fix integer overflow in global_mv() Fixes: signed integer overflow: 16384 * 196607 cannot be represented in type 'int' Fixes: 14810/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5091232683917312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a99ffb5bb4454c625748972d9389cfaa5433a342) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 7ae795a928..f81a041834 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1409,8 +1409,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From ac7d8767239f26eb47c4f8ec3847631e74b5f727 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 May 2019 14:29:43 +0200 Subject: [PATCH 0462/1764] avcodec/mss4: Check input size against skip bits Fixes: Timeout (17sec -> 20ms) Fixes: 14615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5093007763701760 Fixes: 14797/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5651696119709696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0fef412dffb74fef3494f7fae0c138c32a444484) Signed-off-by: Michael Niedermayer --- libavcodec/mss4.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/mss4.c b/libavcodec/mss4.c index b58c21be93..76c746a2d5 100644 --- a/libavcodec/mss4.c +++ b/libavcodec/mss4.c @@ -552,6 +552,11 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, "Empty frame found but it is not a skip frame.\n"); return AVERROR_INVALIDDATA; } + mb_width = FFALIGN(width, 16) >> 4; + mb_height = FFALIGN(height, 16) >> 4; + + if (frame_type != SKIP_FRAME && 8*buf_size < 8*HEADER_SIZE + mb_width*mb_height) + return AVERROR_INVALIDDATA; if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) return ret; @@ -574,9 +579,6 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if ((ret = init_get_bits8(&gb, buf + HEADER_SIZE, buf_size - HEADER_SIZE)) < 0) return ret; - - mb_width = FFALIGN(width, 16) >> 4; - mb_height = FFALIGN(height, 16) >> 4; dst[0] = c->pic->data[0]; dst[1] = c->pic->data[1]; dst[2] = c->pic->data[2]; From a2927d38cb1fe9deeb6fde106758325e35d0055d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2019 23:17:35 +0200 Subject: [PATCH 0463/1764] avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle Fixes: signed integer overflow: -2142516591 + -267814575 cannot be represented in type 'int' Fixes: 14450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5716105319940096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 4896fa18add7636ea9986edde51493331f1fb01e) Signed-off-by: Michael Niedermayer --- libavcodec/h264_parse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index dc643009ec..7407b9dfd7 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -296,7 +296,8 @@ int ff_h264_init_poc(int pic_field_poc[2], int *pic_poc, if (picture_structure == PICT_FRAME) field_poc[1] += pc->delta_poc_bottom; } else if (sps->poc_type == 1) { - int abs_frame_num, expected_delta_per_poc_cycle, expectedpoc; + int abs_frame_num; + int64_t expected_delta_per_poc_cycle, expectedpoc; int i; if (sps->poc_cycle_length != 0) From 84b444aa781a6c69947354cde0146e943888e242 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2019 23:18:34 +0200 Subject: [PATCH 0464/1764] avcodec/interplayvideo: check decoding_map_size with video_data_size Fixes: Timeout (90543 ms -> 59 ms) Fixes: 14721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer-5697492148027392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 914d6a7c1a7a1850b4053847a784b174c9146c55) Signed-off-by: Michael Niedermayer --- libavcodec/interplayvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index deaa09cba6..4313fdf7ac 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -1260,7 +1260,7 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2; s->decoding_map = buf + 8 + 14; /* 14 bits of op data */ video_data_size -= s->decoding_map_size + 14; - if (video_data_size <= 0) + if (video_data_size <= 0 || s->decoding_map_size == 0) return AVERROR_INVALIDDATA; if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size) From b8bb86efe7e1f107f2001e1aea3c5839c5dcaa58 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Jun 2019 19:06:07 +0200 Subject: [PATCH 0465/1764] avcodec/mjpegdec: Check for non ls PAL8 Fixes: Null-dereference READ in av_malloc Fixes: 15002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5643474625363968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 442375fee7f1fb15e42fbc128dc38bdfcc2cc105) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4498bf8be7..4572dcfd61 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -668,7 +668,9 @@ unk_pixfmt: } if ((s->rgb && !s->lossless && !s->ls) || - (!s->rgb && s->ls && s->nb_components > 1)) { + (!s->rgb && s->ls && s->nb_components > 1) || + (s->avctx->pix_fmt == AV_PIX_FMT_PAL8 && !s->ls) + ) { av_log(s->avctx, AV_LOG_ERROR, "Unsupported coding and pixel format combination\n"); return AVERROR_PATCHWELCOME; } From d14dd61a3d49cd8d96ff24b03906e24651899a08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Jun 2019 23:14:13 +0200 Subject: [PATCH 0466/1764] avformat/vpk: Fix integer overflow in samples_per_block computation Fixes: signed integer overflow: 84026453 * 28 cannot be represented in type 'int' Fixes: 15111/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5675630072430592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c6c4129b4cc3b9e0b3a527a5a15c904ec6ae3b6) Signed-off-by: Michael Niedermayer --- libavformat/vpk.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/vpk.c b/libavformat/vpk.c index bb9eabb2ba..0a058b9d7f 100644 --- a/libavformat/vpk.c +++ b/libavformat/vpk.c @@ -56,12 +56,12 @@ static int vpk_read_header(AVFormatContext *s) st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; st->codecpar->block_align = avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); - if (st->codecpar->sample_rate <= 0) + if (st->codecpar->sample_rate <= 0 || st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; st->codecpar->channels = avio_rl32(s->pb); if (st->codecpar->channels <= 0) return AVERROR_INVALIDDATA; - samples_per_block = ((st->codecpar->block_align / st->codecpar->channels) * 28) / 16; + samples_per_block = ((st->codecpar->block_align / st->codecpar->channels) * 28LL) / 16; if (samples_per_block <= 0) return AVERROR_INVALIDDATA; vpk->block_count = (st->duration + (samples_per_block - 1)) / samples_per_block; From 62c408412f02e15514f216b34ee6b048f95928b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Jun 2019 23:17:18 +0200 Subject: [PATCH 0467/1764] avformat/vpk: Check offset for validity Signed-off-by: Michael Niedermayer (cherry picked from commit aa003019ab9ec5ef7e7b3ff9d6262d3472b427eb) Signed-off-by: Michael Niedermayer --- libavformat/vpk.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/vpk.c b/libavformat/vpk.c index 0a058b9d7f..64a0d56926 100644 --- a/libavformat/vpk.c +++ b/libavformat/vpk.c @@ -66,6 +66,9 @@ static int vpk_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; vpk->block_count = (st->duration + (samples_per_block - 1)) / samples_per_block; vpk->last_block_size = (st->duration % samples_per_block) * 16 * st->codecpar->channels / 28; + + if (offset < avio_tell(s->pb)) + return AVERROR_INVALIDDATA; avio_skip(s->pb, offset - avio_tell(s->pb)); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 5b4ceb45e3eae7f4f8a57369c35fee2400140bf1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Jun 2019 23:20:49 +0200 Subject: [PATCH 0468/1764] avformat/sbgdec: Fixes integer overflow in str_to_time() with hours Fixes: signed integer overflow: 904444 * 3600 cannot be represented in type 'int' Fixes: 15113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5764083346833408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0f23b9d647ad84e0351b43ca4b552add00c8dc) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index cbedd120fb..1541836439 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -197,7 +197,7 @@ static int str_to_time(const char *str, int64_t *rtime) if (end > cur + 1) cur = end; } - *rtime = (hours * 3600 + minutes * 60 + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL + seconds) * AV_TIME_BASE; return cur - str; } From 8d2d04569a054bce1f10244e9913089156c44681 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Jun 2019 12:18:54 +0200 Subject: [PATCH 0469/1764] avcodec/bitstream: Check for integer code truncation in build_table() Fixes: out of array read Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e78b0f83748f92ea9e93b21c36082e0dd04d7cb1) Signed-off-by: Michael Niedermayer --- libavcodec/bitstream.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index ed528fe4af..218412bb9b 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -226,6 +226,10 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, /* note: realloc has been done, so reload tables */ table = (volatile VLC_TYPE (*)[2])&vlc->table[table_index]; table[j][0] = index; //code + if (table[j][0] != index) { + avpriv_request_sample(NULL, "strange codes"); + return AVERROR_PATCHWELCOME; + } i = k-1; } } From c8f7f583c073f3ad9b95b7b63b1805f443a5b751 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 5 Jun 2019 12:18:54 +0200 Subject: [PATCH 0470/1764] avcodec/bitstream: Check for more conflicting codes in build_table() Fixes: out of array read Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a7e3b271fc9a91c5d2e4df32e70e525c15c6d3ef) Signed-off-by: Michael Niedermayer --- libavcodec/bitstream.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 218412bb9b..32f3055a6f 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -188,8 +188,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, } for (k = 0; k < nb; k++) { int bits = table[j][1]; + int oldsym = table[j][0]; ff_dlog(NULL, "%4x: code=%d n=%d\n", j, i, n); - if (bits != 0 && bits != n) { + if ((bits || oldsym) && (bits != n || oldsym != symbol)) { av_log(NULL, AV_LOG_ERROR, "incorrect codes\n"); return AVERROR_INVALIDDATA; } From a8ff09d7b7cda944b8cf5641ae30c5fa041bbfc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 01:20:19 +0200 Subject: [PATCH 0471/1764] avformat/wtvdec: Avoid (32bit signed) sectors Fixes: left shift of negative value -14614752 Fixes: 15174/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5670543606415360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit dd357d76e5faf3ce6fc46ffb924cf30f1cb54af9) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 27be5c9c04..7300b9fd42 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -149,7 +149,7 @@ static int read_ints(AVIOContext *pb, uint32_t *data, int count) * @param depth File allocation table depth * @return NULL on error */ -static AVIOContext * wtvfile_open_sector(int first_sector, uint64_t length, int depth, AVFormatContext *s) +static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int depth, AVFormatContext *s) { AVIOContext *pb; WtvFile *wf; @@ -957,7 +957,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p static int read_header(AVFormatContext *s) { WtvContext *wtv = s->priv_data; - int root_sector, root_size; + unsigned root_sector; + int root_size; uint8_t root[WTV_SECTOR_SIZE]; AVIOContext *pb; int64_t timeline_pos; From 039c7d21f6988983580cbe22003a9b8ab75f6580 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 21:52:24 +0200 Subject: [PATCH 0472/1764] avcodec/bink: Reorder operations in init to avoid memleak on error Fixes: Direct leak of 536 byte(s) in 1 object(s) Fixes: 15266/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5629530426834944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 2603f25d326476a83f5d093b522590b05b6e703b) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index 346b6cda9d..c501ea3915 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1299,13 +1299,13 @@ static av_cold int decode_init(AVCodecContext *avctx) } c->avctx = avctx; + if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0) + return ret; + c->last = av_frame_alloc(); if (!c->last) return AVERROR(ENOMEM); - if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0) - return ret; - avctx->pix_fmt = c->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; ff_blockdsp_init(&c->bdsp, avctx); From 30047c052d9d5591f69c8170763e80b5d4a2349b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Jun 2019 23:16:40 +0200 Subject: [PATCH 0473/1764] avcodec/fmvc: Check if header fields are available before allocating the image Fixes: Timeout (15sec -> 0.5sec) Fixes: 14846/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FMVC_fuzzer-5068322120400896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 561cc161ca617c1b8d48fef0f02d56c0f1af0486) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 74e9bdd8a0..9bbe8c6ccf 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -403,6 +403,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret, y, x; + if (avpkt->size < 8) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; From 25d3ae96972f8760182ff84d4117084dff54579a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2019 09:27:49 +0200 Subject: [PATCH 0474/1764] avformat/wsddec: Fix undefined shift Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15123/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5738039235575808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 112eb17a2bbf6d02f81fdf0743b353a6b010aedc) Signed-off-by: Michael Niedermayer --- libavformat/wsddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wsddec.c b/libavformat/wsddec.c index 81a4dcc71e..a6bddec138 100644 --- a/libavformat/wsddec.c +++ b/libavformat/wsddec.c @@ -137,7 +137,7 @@ static int wsd_read_header(AVFormatContext *s) if (!(channel_assign & 1)) { int i; for (i = 1; i < 32; i++) - if (channel_assign & (1 << i)) + if ((channel_assign >> i) & 1) st->codecpar->channel_layout |= wsd_to_av_channel_layoyt(s, i); } From 1246e38511f685473812f838001a6bdf8a8cc9ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2019 10:48:41 +0200 Subject: [PATCH 0475/1764] avformat/icodec: Free ico->images on error paths Fixes: 15116/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5715173567889408 Fixes: memleak Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54918b51161610a364de697b80acb9583eecf41b) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index f33fa1195b..00c03d409c 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -96,8 +96,10 @@ static int read_header(AVFormatContext *s) break; st = avformat_new_stream(s, NULL); - if (!st) + if (!st) { + av_freep(&ico->images); return AVERROR(ENOMEM); + } st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; st->codecpar->width = avio_r8(pb); @@ -111,6 +113,7 @@ static int read_header(AVFormatContext *s) ico->images[i].size = avio_rl32(pb); if (ico->images[i].size <= 0) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); + av_freep(&ico->images); return AVERROR_INVALIDDATA; } ico->images[i].offset = avio_rl32(pb); @@ -126,8 +129,10 @@ static int read_header(AVFormatContext *s) st->codecpar->height = 0; break; case 40: - if (ico->images[i].size < 40) + if (ico->images[i].size < 40) { + av_freep(&ico->images); return AVERROR_INVALIDDATA; + } st->codecpar->codec_id = AV_CODEC_ID_BMP; tmp = avio_rl32(pb); if (tmp) @@ -138,6 +143,7 @@ static int read_header(AVFormatContext *s) break; default: avpriv_request_sample(s, "codec %d", codec); + av_freep(&ico->images); return AVERROR_INVALIDDATA; } } From 67ad2f201c42df2b5ac7f52c26bc10e80c4c1316 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 20:05:15 +0200 Subject: [PATCH 0476/1764] avcodec/iff: Fix mask_buf / mask_palbuf leak Fixes: 15372/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5708881759567872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 92e8db532cdee3c73913174413428ffdc35032e2) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 33cf2e3a94..b43bd507b3 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -371,6 +371,8 @@ static av_cold int decode_end(AVCodecContext *avctx) av_freep(&s->planebuf); av_freep(&s->ham_buf); av_freep(&s->ham_palbuf); + av_freep(&s->mask_buf); + av_freep(&s->mask_palbuf); av_freep(&s->video[0]); av_freep(&s->video[1]); av_freep(&s->pal); From d88be9bc678619604d916a5d6db8c13ccf9bec1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 21:17:52 +0200 Subject: [PATCH 0477/1764] avcodec/iff: finetune the palette size check in the mask case Fixes: out of array access Fixes: 15381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5668057826983936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 0f9789c8e37eb6d166729e876729beb21b7d5647) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index b43bd507b3..4099d118e4 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1514,7 +1514,7 @@ static int decode_frame(AVCodecContext *avctx, buf_size -= bytestream2_tell(gb); desc = av_pix_fmt_desc_get(avctx->pix_fmt); - if (!s->init && avctx->bits_per_coded_sample <= 8 && + if (!s->init && avctx->bits_per_coded_sample <= 8 - (s->masking == MASK_HAS_MASK) && avctx->pix_fmt == AV_PIX_FMT_PAL8) { if ((res = cmap_read_palette(avctx, (uint32_t *)frame->data[1])) < 0) return res; From 7ca17d973b14ccd0fb2502ee1bd81be76e8430f0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 19:45:50 +0200 Subject: [PATCH 0478/1764] avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block() Fixes: signed integer overflow: -1727985666 - 538976288 cannot be represented in type 'int' Fixes: 15031/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5100228035739648 Signed-off-by: Michael Niedermayer (cherry picked from commit 3aecd0170413c7e56f19de4e34d093a2c4027c2a) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index d59095622d..4e3a429777 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -668,7 +668,7 @@ static inline void tm2_still_block(TM2Context *ctx, AVFrame *pic, int bx, int by static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int by) { int i, j; - int d; + unsigned d; TM2_INIT_POINTERS_2(); /* update chroma */ From 36f8bb1261e3a1ef6213d7a5a41742420e11c6da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 15:00:14 +0200 Subject: [PATCH 0479/1764] avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c() Fixes: signed integer overflow: -1539565182 + -798086761 cannot be represented in type 'int' Fixes: 14807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-564925382682214 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f8f5668df590d853429586e1f95cbd9cee38920e) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsdsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 5f4be017d5..eef8adc7e2 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -54,10 +54,10 @@ static void ps_hybrid_analysis_c(INTFLOAT (*out)[2], INTFLOAT (*in)[2], INT64FLOAT sum_im = (INT64FLOAT)filter[i][6][0] * in[6][1]; for (j = 0; j < 6; j++) { - INTFLOAT in0_re = in[j][0]; - INTFLOAT in0_im = in[j][1]; - INTFLOAT in1_re = in[12-j][0]; - INTFLOAT in1_im = in[12-j][1]; + INT64FLOAT in0_re = in[j][0]; + INT64FLOAT in0_im = in[j][1]; + INT64FLOAT in1_re = in[12-j][0]; + INT64FLOAT in1_im = in[12-j][1]; sum_re += (INT64FLOAT)filter[i][j][0] * (in0_re + in1_re) - (INT64FLOAT)filter[i][j][1] * (in0_im - in1_im); sum_im += (INT64FLOAT)filter[i][j][0] * (in0_im + in1_im) + From 91348aa5ba6b24aa2f15646cf9b3946bcf075315 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 16:08:03 +0200 Subject: [PATCH 0480/1764] avcodec/fitsdec: Fix division by 0 in size check Fixes: division by zero Fixes: 15210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5746033243455488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07ffe94c172041cfb03109b9bb6b8bf577332bda) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index b0753813c9..67a8bd71f4 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -143,7 +143,7 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead size = abs(header->bitpix) >> 3; for (i = 0; i < header->naxis; i++) { - if (header->naxisn[i] > SIZE_MAX / size) { + if (size && header->naxisn[i] > SIZE_MAX / size) { av_log(avctx, AV_LOG_ERROR, "unsupported size of FITS image"); return AVERROR_INVALIDDATA; } From eca9b4022b0fcffe521abab45ef5102d9a837687 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Jun 2019 20:13:34 +0200 Subject: [PATCH 0481/1764] avcodec/xpmdec: Do not use context dimensions as temporary variables Fixes: Integer overflow Fixes: 15134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5722635939348480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5ea7f2050050fd6a9177a9b618f2bb2d4add9230) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 03172e4aad..82a484dabb 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -307,6 +307,7 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, int ncolors, cpp, ret, i, j; int64_t size; uint32_t *dst; + int width, height; avctx->pix_fmt = AV_PIX_FMT_BGRA; @@ -328,12 +329,12 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, ptr += mod_strcspn(ptr, "\""); if (sscanf(ptr, "\"%u %u %u %u\",", - &avctx->width, &avctx->height, &ncolors, &cpp) != 4) { + &width, &height, &ncolors, &cpp) != 4) { av_log(avctx, AV_LOG_ERROR, "missing image parameters\n"); return AVERROR_INVALIDDATA; } - if ((ret = ff_set_dimensions(avctx, avctx->width, avctx->height)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) From a77473d040d6cd6246146082fcb4810e142867e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 00:12:36 +0200 Subject: [PATCH 0482/1764] avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed Fixes: Assertion failure Fixes: crbug971646.mp4 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 696312c487d9d8c49a087017a829d1cdcbd68651) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index e72a9f6cbe..ac69c41ebb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4208,8 +4208,6 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVFragmentIndex* index = NULL; int flags, track_id, i, found = 0; - c->fragment.found_tfhd = 1; - avio_r8(pb); /* version */ flags = avio_rb24(pb); @@ -4226,6 +4224,7 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "could not find corresponding trex\n"); return AVERROR_INVALIDDATA; } + c->fragment.found_tfhd = 1; frag->base_data_offset = flags & MOV_TFHD_BASE_DATA_OFFSET ? avio_rb64(pb) : flags & MOV_TFHD_DEFAULT_BASE_IS_MOOF ? From 65326b27b615163cb1d68b6673dcd924aa3b0d23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 21:47:16 +0200 Subject: [PATCH 0483/1764] avcodec/loco: Limit lossy parameter so it is sane and does not overflow Fixes: 15248/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5087440458481664 Fixes: signed integer overflow: 3 + 2147483647 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce3b0b9066b433564ed3ee3eed3a1e8f2c0834a1) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 9d0f144451..9a309fd063 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -293,6 +293,11 @@ static av_cold int decode_init(AVCodecContext *avctx) avpriv_request_sample(avctx, "LOCO codec version %i", version); } + if (l->lossy > 65536U) { + av_log(avctx, AV_LOG_ERROR, "lossy %i is too large\n", l->lossy); + return AVERROR_INVALIDDATA; + } + l->mode = AV_RL32(avctx->extradata + 4); switch (l->mode) { case LOCO_CYUY2: From ed92170916cab316ae22e06cde6a47d0f8bf4d0a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 21:08:31 +0200 Subject: [PATCH 0484/1764] avcodec/motionpixels: Check for vlc error in mp_get_vlc() Fixes: 15246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5168534407086080 Fixes: runtime error: index -1 out of bounds for type 'HuffCode [16]' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 930cdef80ab695132d3de2128c3c23f2d698918b) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index a88b837b3e..73977664a5 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -201,6 +201,8 @@ static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) int i; i = (mp->codes_count == 1) ? 0 : get_vlc2(gb, mp->vlc.table, mp->max_codes_bits, 1); + if (i < 0) + return i; return mp->codes[i].delta; } From 00d5a4703925c4b3c8a3c5df73f984e6c4b9d3f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2019 14:28:17 +0200 Subject: [PATCH 0485/1764] avcodec/binkdsp: Fix integer overflows in idct Fixes: signed integer overflow: 3784 * 682038 cannot be represented in type 'int' Fixes: 15265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5088311799971840 Fixes: 15268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5666502344179712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 7a072fbcc4c6f8ddbf37b131c2d141589118abcd) Signed-off-by: Michael Niedermayer --- libavcodec/binkdsp.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/binkdsp.c b/libavcodec/binkdsp.c index 9d70e2326f..a357d31672 100644 --- a/libavcodec/binkdsp.c +++ b/libavcodec/binkdsp.c @@ -33,20 +33,22 @@ #define A3 3784 #define A4 -5352 +#define MUL(X,Y) ((int)((unsigned)(X) * (Y)) >> 11) + #define IDCT_TRANSFORM(dest,s0,s1,s2,s3,s4,s5,s6,s7,d0,d1,d2,d3,d4,d5,d6,d7,munge,src) {\ const int a0 = (src)[s0] + (src)[s4]; \ const int a1 = (src)[s0] - (src)[s4]; \ const int a2 = (src)[s2] + (src)[s6]; \ - const int a3 = (A1*((src)[s2] - (src)[s6])) >> 11; \ + const int a3 = MUL(A1, (src)[s2] - (src)[s6]); \ const int a4 = (src)[s5] + (src)[s3]; \ const int a5 = (src)[s5] - (src)[s3]; \ const int a6 = (src)[s1] + (src)[s7]; \ const int a7 = (src)[s1] - (src)[s7]; \ const int b0 = a4 + a6; \ - const int b1 = (A3*(a5 + a7)) >> 11; \ - const int b2 = ((A4*a5) >> 11) - b0 + b1; \ - const int b3 = (A1*(a6 - a4) >> 11) - b2; \ - const int b4 = ((A2*a7) >> 11) + b3 - b1; \ + const int b1 = MUL(A3, a5 + a7); \ + const int b2 = MUL(A4, a5) - b0 + b1; \ + const int b3 = MUL(A1, a6 - a4) - b2; \ + const int b4 = MUL(A2, a7) + b3 - b1; \ (dest)[d0] = munge(a0+a2 +b0); \ (dest)[d1] = munge(a1+a3-a2+b2); \ (dest)[d2] = munge(a1-a3+a2+b3); \ From 6aa01c06252a225073e7275aca0bd0b5f4db740a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 16:01:45 +0200 Subject: [PATCH 0486/1764] avcodec/bintext: Check font height Fixes: division by zero Fixes: 15257/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINTEXT_fuzzer-5757352881422336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bfb58bdd7015a6df2d130c92cf284d6a2362f3df) Signed-off-by: Michael Niedermayer --- libavcodec/bintext.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index d967317671..8e5c44446c 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -63,6 +63,10 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "not enough extradata\n"); return AVERROR_INVALIDDATA; } + if (!s->font_height) { + av_log(avctx, AV_LOG_ERROR, "invalid font height\n"); + return AVERROR_INVALIDDATA; + } } else { s->font_height = 8; s->flags = 0; From 7887aa79de9c78ff56934ce4ece2df74b75f718a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 15:53:27 +0200 Subject: [PATCH 0487/1764] avcodec/qdmc: Fix integer overflows in PRNG Fixes: signed integer overflow: 214013 * 2531011 cannot be represented in type 'int' Fixes: 15254/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDMC_fuzzer-5698137026461696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2921b45a388a81968d946996bb32e72d7bb5d5b7) Signed-off-by: Michael Niedermayer --- libavcodec/qdmc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdmc.c b/libavcodec/qdmc.c index 1c8952b97b..f4d63cd8b8 100644 --- a/libavcodec/qdmc.c +++ b/libavcodec/qdmc.c @@ -571,9 +571,9 @@ static void add_noise(QDMCContext *s, int ch, int current_subframe) for (j = 2; j < s->subframe_size - 1; j++) { float rnd_re, rnd_im; - s->rndval = 214013 * s->rndval + 2531011; + s->rndval = 214013U * s->rndval + 2531011; rnd_im = ((s->rndval & 0x7FFF) - 16384.0f) * 0.000030517578f * s->noise2_buffer[j]; - s->rndval = 214013 * s->rndval + 2531011; + s->rndval = 214013U * s->rndval + 2531011; rnd_re = ((s->rndval & 0x7FFF) - 16384.0f) * 0.000030517578f * s->noise2_buffer[j]; im[j ] += rnd_im; re[j ] += rnd_re; From 5a49cad78aa6920a166f057e74d7ffa219cb0781 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 15:55:55 +0200 Subject: [PATCH 0488/1764] avcodec/tta: Fix undefined shift Fixes: left shift of negative value -4483 Fixes: 15256/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5738691617619968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebccd2f778a861b41ad38a8464ea120d4f16b2d7) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 8f097b3bcc..c7702610b6 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -372,7 +372,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; for (i = 0; i < framelen * s->channels; i++) - *samples++ <<= 8; + *samples++ *= 256; // reset decode buffer s->decode_buffer = NULL; break; From 0409e5fe361cc8dc9c4150012cd9b67ed60499d2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 16:17:12 +0200 Subject: [PATCH 0489/1764] avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c Fixes: left shift of negative value -13 Fixes: 15260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5702076048343040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 507ca66ee41aa8a95b75654163f77af0a99a25b1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dsp.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/vc1dsp.c b/libavcodec/vc1dsp.c index 9239a4a1f5..54a6ecf969 100644 --- a/libavcodec/vc1dsp.c +++ b/libavcodec/vc1dsp.c @@ -95,10 +95,10 @@ static void vc1_v_s_overlap_c(int16_t *top, int16_t *bottom) d1 = a - d; d2 = a - d + b - c; - top[48] = ((a << 3) - d1 + rnd1) >> 3; - top[56] = ((b << 3) - d2 + rnd2) >> 3; - bottom[0] = ((c << 3) + d2 + rnd1) >> 3; - bottom[8] = ((d << 3) + d1 + rnd2) >> 3; + top[48] = ((a * 8) - d1 + rnd1) >> 3; + top[56] = ((b * 8) - d2 + rnd2) >> 3; + bottom[0] = ((c * 8) + d2 + rnd1) >> 3; + bottom[8] = ((d * 8) + d1 + rnd2) >> 3; bottom++; top++; @@ -121,10 +121,10 @@ static void vc1_h_s_overlap_c(int16_t *left, int16_t *right) d1 = a - d; d2 = a - d + b - c; - left[6] = ((a << 3) - d1 + rnd1) >> 3; - left[7] = ((b << 3) - d2 + rnd2) >> 3; - right[0] = ((c << 3) + d2 + rnd1) >> 3; - right[1] = ((d << 3) + d1 + rnd2) >> 3; + left[6] = ((a * 8) - d1 + rnd1) >> 3; + left[7] = ((b * 8) - d2 + rnd2) >> 3; + right[0] = ((c * 8) + d2 + rnd1) >> 3; + right[1] = ((d * 8) + d1 + rnd2) >> 3; right += 8; left += 8; From fb81fd52d35565439592cd616c5680601a137cf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 16:12:42 +0200 Subject: [PATCH 0490/1764] avcodec/ffwavesynth: Check ts_end - ts_start for overflow Fixes: signed integer overflow: 2314885530818453536 - -8926099139098304480 cannot be represented in type 'long' Fixes: 15259/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5764366093254656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2db7a3bc4acdd293ed10b71e55f16a45ca28b629) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 9d055e4019..a66113972b 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -267,7 +267,10 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) in->type = AV_RL32(edata + 16); in->channels = AV_RL32(edata + 20); edata += 24; - if (in->ts_start < cur_ts || in->ts_end <= in->ts_start) + if (in->ts_start < cur_ts || + in->ts_end <= in->ts_start || + (uint64_t)in->ts_end - in->ts_start > INT64_MAX + ) return AVERROR(EINVAL); cur_ts = in->ts_start; dt = in->ts_end - in->ts_start; From 55fca6e6e5ec63565ecce4d3447ccd814aced9b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2019 19:09:11 +0200 Subject: [PATCH 0491/1764] avcodec/alsdec: Fix invalid shift in multiply() Fixes: shift exponent -24 is negative Fixes: 15292/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5768533318828032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f30be1ec9856551d96f3876eec5f8b8abf456b81) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 13bd52f297..6805a8d694 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1384,6 +1384,9 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { mantissa_temp = (uint64_t)a.mant * (uint64_t)b.mant; mask_64 = (uint64_t)0x1 << 47; + if (!mantissa_temp) + return FLOAT_0; + // Count the valid bit count while (!(mantissa_temp & mask_64) && mask_64) { bit_count--; From f1400191c600f992c6cbab933a9dba7e3cedccde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 00:47:06 +0200 Subject: [PATCH 0492/1764] avcodec/videodsp_template: Fix overflow of addition Fixes: addition of unsigned offset to 0x7f56fc26a9b6 overflowed to 0x7f56fc26a8be* Fixes: clusterfuzz-testcase-minimized-mediasource_MP4_AVC1_pipeline_integration_fuzzer-4917949056679936 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 247a1de7f7d9c5628cf188e677d10ce9e12bd2f2) Signed-off-by: Michael Niedermayer --- libavcodec/videodsp_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 94c1b7188d..55123a5844 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -44,7 +44,8 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, src_y = 1 - block_h; } if (src_x >= w) { - src += (w - 1 - src_x) * sizeof(pixel); + // The subtracted expression has an unsigned type and must thus not be negative + src -= (1 + src_x - w) * sizeof(pixel); src_x = w - 1; } else if (src_x <= -block_w) { src += (1 - block_w - src_x) * sizeof(pixel); From ec2b12fa05cbd2aca03cafa723504f9ab7156add Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2019 23:55:56 +0200 Subject: [PATCH 0493/1764] avcodec/utils: Check bits_per_coded_sample This avoids the need for each decoder separately having to handle this case Fixes: shift exponent -100663046 is negative Fixes: out of array access Fixes: 15270/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5727829913763840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d33414d2ad27a5d2193c9ab0948ba7a282c2f910) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index ec03bdc866..c587110af2 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1056,6 +1056,10 @@ FF_ENABLE_DEPRECATION_WARNINGS ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->bits_per_coded_sample < 0) { + ret = AVERROR(EINVAL); + goto free_and_end; + } if (avctx->sub_charenc) { if (avctx->codec_type != AVMEDIA_TYPE_SUBTITLE) { av_log(avctx, AV_LOG_ERROR, "Character encoding is only " From 93baaaaa8c65971811349612c8ff390a626bef3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2019 23:17:23 +0200 Subject: [PATCH 0494/1764] avformat/vqf: Check header_size Fixes: 15271/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5735262606327808 Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c30ff38880570377168096417f714b21102b343) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index d00fa5e08c..ff38a3d1ca 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -107,6 +107,9 @@ static int vqf_read_header(AVFormatContext *s) header_size = avio_rb32(s->pb); + if (header_size < 0) + return AVERROR_INVALIDDATA; + st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->codec_id = AV_CODEC_ID_TWINVQ; st->start_time = 0; @@ -120,7 +123,7 @@ static int vqf_read_header(AVFormatContext *s) len = avio_rb32(s->pb); - if ((unsigned) len > INT_MAX/2) { + if ((unsigned) len > INT_MAX/2 || header_size < 8) { av_log(s, AV_LOG_ERROR, "Malformed header\n"); return -1; } From 9856f1f6155170567232d43cfbcb16ab5f34d813 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2019 21:26:45 +0200 Subject: [PATCH 0495/1764] avcodec/libvorbisdec: Check extradata size Fixes: out of array read Fixes: 15261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_fuzzer-5764908467093504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf3c245566e8a8d45ed2ad9fdff9ef50327ba2d3) Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index ecf690a553..89cbbb41b6 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c @@ -49,8 +49,16 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { vorbis_comment_init(&context->vc) ; if(p[0] == 0 && p[1] == 30) { + int sizesum = 0; for(i = 0; i < 3; i++){ hsizes[i] = bytestream_get_be16((const uint8_t **)&p); + sizesum += 2 + hsizes[i]; + if (sizesum > avccontext->extradata_size) { + av_log(avccontext, AV_LOG_ERROR, "vorbis extradata too small\n"); + ret = AVERROR_INVALIDDATA; + goto error; + } + headers[i] = p; p += hsizes[i]; } From d84f4c0c25ea09e383d9f09051ed4927e4b19eec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2019 20:58:47 +0200 Subject: [PATCH 0496/1764] avcodec/qdm2: Move fft_order check up This avoids undefined computations with unchecked values Fixes: shift exponent -21 is negative Fixes: 15262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5651261753393152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8d8b8c4ac6fb5b5d40bd131f2d2ea9d85b8759a6) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 88b6b19d11..1397218bdd 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1702,6 +1702,12 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->fft_order = av_log2(s->fft_size) + 1; + // Fail on unknown fft order + if ((s->fft_order < 7) || (s->fft_order > 9)) { + avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order); + return AVERROR_PATCHWELCOME; + } + // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block @@ -1735,11 +1741,6 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) else s->coeff_per_sb_select = 2; - // Fail on unknown fft order - if ((s->fft_order < 7) || (s->fft_order > 9)) { - avpriv_request_sample(avctx, "Unknown FFT order %d", s->fft_order); - return AVERROR_PATCHWELCOME; - } if (s->fft_size != (1 << (s->fft_order - 1))) { av_log(avctx, AV_LOG_ERROR, "FFT size %d not power of 2.\n", s->fft_size); return AVERROR_INVALIDDATA; From 80bbb8b85107370ca687edd212736dc41fc52d35 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2019 21:13:17 +0200 Subject: [PATCH 0497/1764] avcodec/m101: Fix off be 2 error Fixes: out of array read Fixes: 15263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_M101_fuzzer-5728999453491200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89b96900fa7c17d0770c9af26af7c3ae36ae0253) Signed-off-by: Michael Niedermayer --- libavcodec/m101.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/m101.c b/libavcodec/m101.c index d2549668fd..70f1da4f45 100644 --- a/libavcodec/m101.c +++ b/libavcodec/m101.c @@ -61,7 +61,7 @@ static int m101_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, stride = AV_RL32(avctx->extradata + 5*4); if (avctx->pix_fmt == AV_PIX_FMT_YUV422P10) - min_stride = (avctx->width + 15) / 16 * 20; + min_stride = (avctx->width + 15) / 16 * 40; if (stride < min_stride || avpkt->size < stride * (uint64_t)avctx->height) { av_log(avctx, AV_LOG_ERROR, "stride (%d) is invalid for packet sized %d\n", From 6aaca5234dd299568bd2acd03d27a22ab731b0b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 00:24:53 +0200 Subject: [PATCH 0498/1764] avcodec/fitsdec: Check data_min/max Fixes: division by 0 Fixes: 15206/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5657260212092928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb82d19f035f59edf0aee215f02baaea908875de) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 67a8bd71f4..4f452422ef 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -168,6 +168,14 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead header->data_min = (header->data_min - header->bzero) / header->bscale; header->data_max = (header->data_max - header->bzero) / header->bscale; } + if (!header->rgb && header->data_min >= header->data_max) { + if (header->data_min > header->data_max) { + av_log(avctx, AV_LOG_ERROR, "data min/max (%g %g) is invalid\n", header->data_min, header->data_max); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_WARNING, "data min/max indicates a blank image\n"); + header->data_max ++; + } return 0; } From 241f59eb8b4ab078a5d6642edd27b60019c03d8c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2019 22:04:16 +0200 Subject: [PATCH 0499/1764] avformat/aviobuf: Delay buffer downsizing until asserts are met Fixes: Assertion failure Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616 Fixes: 15205/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5767573242642432 May fix: Ticket7094 Signed-off-by: Michael Niedermayer (cherry picked from commit 0334632d5c02720f1829d59cd20c009584b5b163) Signed-off-by: Michael Niedermayer --- libavformat/aviobuf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 636cb46161..c004e08bdf 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -557,7 +557,7 @@ static void fill_buffer(AVIOContext *s) } /* make buffer smaller in case it ended up large after probing */ - if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size) { + if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size && len >= s->orig_buffer_size) { if (dst == s->buffer && s->buf_ptr != dst) { int ret = ffio_set_buf_size(s, s->orig_buffer_size); if (ret < 0) @@ -565,7 +565,6 @@ static void fill_buffer(AVIOContext *s) s->checksum_ptr = dst = s->buffer; } - av_assert0(len >= s->orig_buffer_size); len = s->orig_buffer_size; } From 9a7d3304ff40bc5c93f92aaa375d4177672b8b5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 11:26:57 +0200 Subject: [PATCH 0500/1764] avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check Fixes: 15255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718831688843264 Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d4f4f4a15e79c96c3613e5c252b2f5cc4190e18) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 15eb416ba4..eb31fd70c1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -460,7 +460,7 @@ static inline void update_rice(APERice *rice, unsigned int x) if (rice->ksum < lim) rice->k--; - else if (rice->ksum >= (1 << (rice->k + 5))) + else if (rice->ksum >= (1 << (rice->k + 5)) && rice->k < 24) rice->k++; } From 3bdd16fd68c32b13fc0e24e68af3fa4ce3d5df85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Jun 2019 15:05:54 +0200 Subject: [PATCH 0501/1764] avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 14880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5130977304641536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit c692051252693155c4eecd16f4f8a79caf66cd54) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 23 +++++++++++++---------- libavcodec/hevc_ps.h | 4 ++-- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 6f3af2daec..de75d30de4 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1582,22 +1582,25 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, pps->entropy_coding_sync_enabled_flag = get_bits1(gb); if (pps->tiles_enabled_flag) { - pps->num_tile_columns = get_ue_golomb_long(gb) + 1; - pps->num_tile_rows = get_ue_golomb_long(gb) + 1; - if (pps->num_tile_columns <= 0 || - pps->num_tile_columns >= sps->width) { + int num_tile_columns_minus1 = get_ue_golomb(gb); + int num_tile_rows_minus1 = get_ue_golomb(gb); + + if (num_tile_columns_minus1 < 0 || + num_tile_columns_minus1 >= sps->width - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n", - pps->num_tile_columns - 1); - ret = AVERROR_INVALIDDATA; + num_tile_columns_minus1); + ret = num_tile_columns_minus1 < 0 ? num_tile_columns_minus1 : AVERROR_INVALIDDATA; goto err; } - if (pps->num_tile_rows <= 0 || - pps->num_tile_rows >= sps->height) { + if (num_tile_rows_minus1 < 0 || + num_tile_rows_minus1 >= sps->height - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n", - pps->num_tile_rows - 1); - ret = AVERROR_INVALIDDATA; + num_tile_rows_minus1); + ret = num_tile_rows_minus1 < 0 ? num_tile_rows_minus1 : AVERROR_INVALIDDATA; goto err; } + pps->num_tile_columns = num_tile_columns_minus1 + 1; + pps->num_tile_rows = num_tile_rows_minus1 + 1; pps->column_width = av_malloc_array(pps->num_tile_columns, sizeof(*pps->column_width)); pps->row_height = av_malloc_array(pps->num_tile_rows, sizeof(*pps->row_height)); diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h index f19d022469..552a6426b5 100644 --- a/libavcodec/hevc_ps.h +++ b/libavcodec/hevc_ps.h @@ -343,8 +343,8 @@ typedef struct HEVCPPS { uint8_t tiles_enabled_flag; uint8_t entropy_coding_sync_enabled_flag; - int num_tile_columns; ///< num_tile_columns_minus1 + 1 - int num_tile_rows; ///< num_tile_rows_minus1 + 1 + uint16_t num_tile_columns; ///< num_tile_columns_minus1 + 1 + uint16_t num_tile_rows; ///< num_tile_rows_minus1 + 1 uint8_t uniform_spacing_flag; uint8_t loop_filter_across_tiles_enabled_flag; From ec9a2cb48b957bd8368c62d027da09267044945f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jun 2019 10:29:57 +0200 Subject: [PATCH 0502/1764] avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight Suggested-by: James Almer Reviewed-by: James Almer (cherry picked from commit 3b2082c663dac93fd722289a540c1b1e24a12564) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index de75d30de4..1c7c873294 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1586,14 +1586,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx, int num_tile_rows_minus1 = get_ue_golomb(gb); if (num_tile_columns_minus1 < 0 || - num_tile_columns_minus1 >= sps->width - 1) { + num_tile_columns_minus1 >= sps->ctb_width - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_columns_minus1 out of range: %d\n", num_tile_columns_minus1); ret = num_tile_columns_minus1 < 0 ? num_tile_columns_minus1 : AVERROR_INVALIDDATA; goto err; } if (num_tile_rows_minus1 < 0 || - num_tile_rows_minus1 >= sps->height - 1) { + num_tile_rows_minus1 >= sps->ctb_height - 1) { av_log(avctx, AV_LOG_ERROR, "num_tile_rows_minus1 out of range: %d\n", num_tile_rows_minus1); ret = num_tile_rows_minus1 < 0 ? num_tile_rows_minus1 : AVERROR_INVALIDDATA; From 5f5766691dbb2a80bd0a2ca3bf38845379793faa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 21:53:43 +0200 Subject: [PATCH 0503/1764] avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT() Fixes: left shift of negative value -6 Fixes: 15275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5742361767837696 Fixes: signed integer overflow: 41582592 * 256 cannot be represented in type 'int' Fixes: 15296/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5739558227935232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e131568752ad41222946304c61eadb87b0a24791) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 6805a8d694..d167782f61 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -772,8 +772,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) if (*bd->use_ltp) { int r, c; - bd->ltp_gain[0] = decode_rice(gb, 1) << 3; - bd->ltp_gain[1] = decode_rice(gb, 2) << 3; + bd->ltp_gain[0] = decode_rice(gb, 1) * 8; + bd->ltp_gain[1] = decode_rice(gb, 2) * 8; r = get_unary(gb, 0, 4); c = get_bits(gb, 2); @@ -784,8 +784,8 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) bd->ltp_gain[2] = ltp_gain_values[r][c]; - bd->ltp_gain[3] = decode_rice(gb, 2) << 3; - bd->ltp_gain[4] = decode_rice(gb, 1) << 3; + bd->ltp_gain[3] = decode_rice(gb, 2) * 8; + bd->ltp_gain[4] = decode_rice(gb, 1) * 8; *bd->ltp_lag = get_bits(gb, ctx->ltp_lag_length); *bd->ltp_lag += FFMAX(4, opt_order + 1); @@ -1804,11 +1804,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, if (!ctx->cs_switch) { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[c][sample] << shift; \ + *dest++ = ctx->raw_samples[c][sample] * (1U << shift); \ } else { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] << shift; \ + *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] * (1U << shift); \ } \ } From 1ebd25b1f1fb16e32e0509c2ab4cf92eca1303e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 23:17:31 +0200 Subject: [PATCH 0504/1764] avcodec/alsdec: Fix undefined behavior in decode_rice() Fixes: left shift of 72 by 26 places cannot be represented in type 'int' Fixes: 15279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5700665621348352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51f6870c37cc29e1ea7e0c66df2fe505938b7561) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index d167782f61..517ea4f16b 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -487,7 +487,7 @@ static void parse_bs_info(const uint32_t bs_info, unsigned int n, static int32_t decode_rice(GetBitContext *gb, unsigned int k) { int max = get_bits_left(gb) - k; - int q = get_unary(gb, 0, max); + unsigned q = get_unary(gb, 0, max); int r = k ? get_bits1(gb) : !(q & 1); if (k > 1) { From 49cb2d44a45fceff1c7628ceab99c00b880480b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 23:27:21 +0200 Subject: [PATCH 0505/1764] avcodec/alsdec: Fix integer overflow with shifting samples Fixes: signed integer overflow: -346039050 * 8 cannot be represented in type 'int' Fixes: 15283/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5692700268953600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3bd4b260eb9f0d5817f9b3d672844f127c51a0b) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 517ea4f16b..73ef25b6c4 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1038,7 +1038,7 @@ static int decode_block(ALSDecContext *ctx, ALSBlockData *bd) if (*bd->shift_lsbs) for (smp = 0; smp < bd->block_length; smp++) - bd->raw_samples[smp] <<= *bd->shift_lsbs; + bd->raw_samples[smp] = (unsigned)bd->raw_samples[smp] << *bd->shift_lsbs; return 0; } From 36c278078d7538fd8c1913fa979d78c61b1d8741 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:15 +0200 Subject: [PATCH 0506/1764] avcodec/alsdec: Check opt_order / sb_length in ra_block handling Fixes: out of array access Fixes: 15277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5184853437317120 Fixes: 15280/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5741062137577472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0794494c8f2f756e3c9384dba21c54f7d4ba9286) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 73ef25b6c4..c83f78dad7 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -794,14 +794,20 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // read first value and residuals in case of a random access block if (bd->ra_block) { + start = FFMIN(opt_order, 3); + av_assert0(sb_length <= sconf->frame_length); + if (sb_length <= start) { + // opt_order or sb_length may be corrupted, either way this is unsupported and not well defined in the specification + av_log(avctx, AV_LOG_ERROR, "Sub block length smaller or equal start\n"); + return AVERROR_PATCHWELCOME; + } + if (opt_order) bd->raw_samples[0] = decode_rice(gb, avctx->bits_per_raw_sample - 4); if (opt_order > 1) bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); if (opt_order > 2) bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); - - start = FFMIN(opt_order, 3); } // read all residuals From 3e491e9c59a79d4cb3db4bedf66f3b7124c8c644 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:16 +0200 Subject: [PATCH 0507/1764] avcodec/alsdec: Fixes signed integer overflow in LSB addition Fixes: signed integer overflow: 8 * 536870912 cannot be represented in type 'int' Fixes: 15281/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5744458785619968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f527021df73b4792323f38f84a4bf2fbe5a2052) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index c83f78dad7..1beb9eb40a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -872,7 +872,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) res >>= 1; if (cur_k) { - res *= 1 << cur_k; + res *= 1U << cur_k; res |= get_bits_long(gb, cur_k); } } From 4852df4a21ecf3319ed8742b833f1f8408defa97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:17 +0200 Subject: [PATCH 0508/1764] avcodec/alsdec: Fix integer overflow with buffer number Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f64f6058e0c23641a68ce7dfe47b1f55efd401c) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 1beb9eb40a..9953322fce 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1998,6 +1998,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate quantized parcor coefficient buffer num_buffers = sconf->mc_coding ? avctx->channels : 1; + if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation + return AVERROR_INVALIDDATA; ctx->quant_cof = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof)); ctx->lpc_cof = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof)); From 5190d3a2f74885fa65ad3a16da7e56968a25a501 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:19 +0200 Subject: [PATCH 0509/1764] avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP Fixes: multiple memleaks Fixes: 15293/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5642409288925184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7b6ddd59693008c35b3247496ecc946331d0856) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 9953322fce..e02c9e3874 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -2132,7 +2132,6 @@ static av_cold int decode_init(AVCodecContext *avctx) return 0; fail: - decode_end(avctx); return ret; } @@ -2158,4 +2157,5 @@ AVCodec ff_als_decoder = { .decode = decode_frame, .flush = flush, .capabilities = AV_CODEC_CAP_SUBFRAMES | AV_CODEC_CAP_DR1, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; From ea7aadd74aef432345e93863da3a097ffe8c1ca1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2019 01:04:07 +0200 Subject: [PATCH 0510/1764] avcodec/alac: Check lpc_quant lpc_quant of 0 produces undefined behavior, thus disallow this. If valid samples use this then such a sample would be quite usefull to confirm the correct&lossles handling of this. Fixes: libavcodec/alac.c:218:25: runtime error: shift exponent -1 is negative Fixes: 15273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5656388535058432 Fixes: 15276/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5761238417539072 Fixes: 15315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5767260766994432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6474b899c1153e3bb95e399b6605c3507aea0d0) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index d6bd21ba13..e1b3e8c183 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -306,7 +306,7 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, rice_history_mult[ch] = get_bits(&alac->gb, 3); lpc_order[ch] = get_bits(&alac->gb, 5); - if (lpc_order[ch] >= alac->max_samples_per_frame) + if (lpc_order[ch] >= alac->max_samples_per_frame || !lpc_quant[ch]) return AVERROR_INVALIDDATA; /* read the predictor table */ From 8548434337b22aa0530c2b32af14dcd0dc2e2c80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Jun 2019 23:28:25 +0200 Subject: [PATCH 0511/1764] avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff() Fixes: index -1 out of bounds for type 'const uint8_t [185][2]' Fixes: 15250/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5648992869810176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79204a1fc8f1988f7d7e6cae2c3b68f513444d38) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index b06ee9fce7..45760cc6ee 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -489,13 +489,15 @@ static inline int vc1_coded_block_pred(MpegEncContext * s, int n, * @param codingset set of VLC to decode data * @see 8.1.3.4 */ -static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, +static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int *value, int codingset) { GetBitContext *gb = &v->s.gb; int index, run, level, lst, sign; index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index < 0) + return index; if (index != ff_vc1_ac_sizes[codingset] - 1) { run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; @@ -541,6 +543,8 @@ static void vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, *last = lst; *skip = run; *value = (level ^ -sign) + sign; + + return 0; } /** Decode intra block in intra frames - should be faster than decode_intra_block @@ -620,7 +624,9 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, zz_table = v->zz_8x8[1]; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -792,7 +798,9 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, } while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -972,7 +980,9 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, int k; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, codingset); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -1135,7 +1145,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; last = 0; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 63) break; @@ -1163,7 +1175,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = (j & 1) * 4 + (j & 2) * 16; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 15) break; @@ -1190,7 +1204,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = j * 32; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 31) break; @@ -1217,7 +1233,9 @@ static int vc1_decode_p_block(VC1Context *v, int16_t block[64], int n, i = 0; off = j * 4; while (!last) { - vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + int ret = vc1_decode_ac_coeff(v, &last, &skip, &value, v->codingset2); + if (ret < 0) + return ret; i += skip; if (i > 31) break; From eb7a4a27c47439b52b93f0bcab669fc4e654ad71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 23:45:36 +0200 Subject: [PATCH 0512/1764] avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP() Fixes: out of array access Fixes: 15360/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5653837190266880 Fixes: 15412/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5740537648250880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37708cbae8d6887b80f58a70a1dfa01af6ea2c85) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index ba5bda48c4..c0e1e16bcd 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -900,7 +900,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, } else { if (bytestream2_tell(&g2) + 2*byte_run > stream_ptr_after_chunk) break; - CHECK_PIXEL_PTR(2 * byte_run); + CHECK_PIXEL_PTR(3 * byte_run); for (j = 0; j < byte_run; j++, pixel_countdown--) { pixel = bytestream2_get_le24(&g2); AV_WL24(&pixels[pixel_ptr], pixel); From 98e712bd1c7dc0bfe7e99d1688b995d03ff83051 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 22:08:27 +0200 Subject: [PATCH 0513/1764] avcodec/ffwavesynth: Fix backward lcg_seek() Signed-off-by: Michael Niedermayer (cherry picked from commit cf2bd3ce79b12256d7d129b2ada5ee649b9a27eb) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index a66113972b..cf8c780f3e 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -122,7 +122,7 @@ static void lcg_seek(uint32_t *s, int64_t dt) c = LCG_C; } else { /* coefficients for a step backward */ a = LCG_AI; - c = (uint32_t)(LCG_AI * LCG_C); + c = (uint32_t)(-LCG_AI * LCG_C); dt = -dt; } while (dt) { From 6e050fc931033a7148b7482d42278c807b05a69e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 22:41:25 +0200 Subject: [PATCH 0514/1764] avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself Fixes: 15289/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5709034499342336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c022099351c04ae21e0b8696ea71a690ed03cd2) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index cf8c780f3e..b2cc7c8fc1 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -113,18 +113,12 @@ static uint32_t lcg_next(uint32_t *s) return *s; } -static void lcg_seek(uint32_t *s, int64_t dt) +static void lcg_seek(uint32_t *s, uint32_t dt) { uint32_t a, c, t = *s; - if (dt >= 0) { - a = LCG_A; - c = LCG_C; - } else { /* coefficients for a step backward */ - a = LCG_AI; - c = (uint32_t)(-LCG_AI * LCG_C); - dt = -dt; - } + a = LCG_A; + c = LCG_C; while (dt) { if (dt & 1) t = a * t + c; From 69a7633a76f0217c130740ce130bb714f957d979 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 22:43:23 +0200 Subject: [PATCH 0515/1764] avcodec/ffwavesynth: use uint32_t to compute difference, it is enough Fixes: signed integer overflow: 6494225984479297536 - -6043795377581187040 cannot be represented in type 'long' Fixes: 15285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5632780307791872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e9dd3c7126097d7c8d4f137db9957b81a219aa2c) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b2cc7c8fc1..793eada7a5 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -215,7 +215,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) ws->next_inter = i; ws->next_ts = i < ws->nb_inter ? ws->inter[i].ts_start : INF_TS; *last = -1; - lcg_seek(&ws->dither_state, ts - ws->cur_ts); + lcg_seek(&ws->dither_state, (uint32_t)ts - ws->cur_ts); if (ws->pink_need) { int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); From d0651f24baf90ac6ce29bdea085102efab96b66e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Jun 2019 19:21:50 +0200 Subject: [PATCH 0516/1764] avcodec/iff: Check ham vs bpp This checks the ham value much stricter and avoids hitting cases which cannot be reached with data from the libavformat demuxer. Fixes: out of array access Fixes: 15320/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5080476840099840 Fixes: 15423/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5630765833912320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f76d7352e05526fde7c607b9a9db536a5760af29) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 4099d118e4..c6e2359b00 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -280,6 +280,16 @@ static int extract_header(AVCodecContext *const avctx, for (i = 0; i < 16; i++) s->tvdc[i] = bytestream_get_be16(&buf); + if (s->ham) { + if (s->bpp > 8) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham); + return AVERROR_INVALIDDATA; + } if (s->ham != (s->bpp > 6 ? 6 : 4)) { + av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u, BPP: %u\n", s->ham, s->bpp); + return AVERROR_INVALIDDATA; + } + } + if (s->masking == MASK_HAS_MASK) { if (s->bpp >= 8 && !s->ham) { avctx->pix_fmt = AV_PIX_FMT_RGB32; @@ -307,9 +317,6 @@ static int extract_header(AVCodecContext *const avctx, if (!s->bpp || s->bpp > 32) { av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp); return AVERROR_INVALIDDATA; - } else if (s->ham >= 8) { - av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM: %u\n", s->ham); - return AVERROR_INVALIDDATA; } av_freep(&s->ham_buf); From 388d36101ba5a393db634f4c5dc55d93c6658f12 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 25 Jun 2019 23:42:43 +0200 Subject: [PATCH 0517/1764] avcodec/svq3: Use ff_set_dimension() Fixes: OOM Fixes: 15410/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5659464805384192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b114d76878f1a542bcb75456492cc43e6414f8b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 5d89921323..d8d5131f54 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1183,6 +1183,7 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) GetBitContext gb; int frame_size_code; int unk0, unk1, unk2, unk3, unk4; + int w,h; size = AV_RB32(&extradata[4]); if (size > extradata_end - extradata - 8) { @@ -1195,38 +1196,41 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx) frame_size_code = get_bits(&gb, 3); switch (frame_size_code) { case 0: - avctx->width = 160; - avctx->height = 120; + w = 160; + h = 120; break; case 1: - avctx->width = 128; - avctx->height = 96; + w = 128; + h = 96; break; case 2: - avctx->width = 176; - avctx->height = 144; + w = 176; + h = 144; break; case 3: - avctx->width = 352; - avctx->height = 288; + w = 352; + h = 288; break; case 4: - avctx->width = 704; - avctx->height = 576; + w = 704; + h = 576; break; case 5: - avctx->width = 240; - avctx->height = 180; + w = 240; + h = 180; break; case 6: - avctx->width = 320; - avctx->height = 240; + w = 320; + h = 240; break; case 7: - avctx->width = get_bits(&gb, 12); - avctx->height = get_bits(&gb, 12); + w = get_bits(&gb, 12); + h = get_bits(&gb, 12); break; } + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + goto fail; s->halfpel_flag = get_bits1(&gb); s->thirdpel_flag = get_bits1(&gb); From 32902cc9883b82cd625041bf81df47bd54f6304c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2019 01:01:02 +0200 Subject: [PATCH 0518/1764] avcodec/qdm2: Do not read out of array in fix_coding_method_array() Instead we ask for a sample, its unclear what to do in this case. Fixes: index 30 out of bounds for type 'int8_t [30][64]' Fixes: 15339/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5749441484554240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae021c1239ec3bc0a30dc5a4720569071599ece4) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 1397218bdd..44ff4fa6c6 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -408,7 +408,12 @@ static int fix_coding_method_array(int sb, int channels, } for (k = 0; k < run; k++) { if (j + k < 128) { - if (coding_method[ch][sb + (j + k) / 64][(j + k) % 64] > coding_method[ch][sb][j]) { + int sbjk = sb + (j + k) / 64; + if (sbjk > 29) { + SAMPLES_NEEDED + continue; + } + if (coding_method[ch][sbjk][(j + k) % 64] > coding_method[ch][sb][j]) { if (k > 0) { SAMPLES_NEEDED //not debugged, almost never used From a85e0a0b8dd34908eb0532c1f7534d7bb2f7c25d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2019 01:01:03 +0200 Subject: [PATCH 0519/1764] avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop Fixes: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: infinite loop Fixes: 15396/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5116605501014016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 694be24bd6c4cc9c62222f4583260bf79056e4c1) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 44ff4fa6c6..1e91f477e8 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1289,6 +1289,10 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, } offset += (n - 2); } else { + if (local_int_10 <= 2) { + av_log(NULL, AV_LOG_ERROR, "qdm2_fft_decode_tones() stuck\n"); + return; + } offset += qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2); while (offset >= (local_int_10 - 1)) { offset += (1 - (local_int_10 - 1)); From c698d9e46b3a1b65225f07555f19393b34c12d59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Jun 2019 01:01:04 +0200 Subject: [PATCH 0520/1764] avcodec/qdm2: Check checksum_size for 0 Fixes: Infinite loop Fixes: 15337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5757428949319680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b2ebf89a411d957ca999f1e7a919ff617fbfd56) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 1e91f477e8..eaffb36dcc 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1704,8 +1704,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->group_size = bytestream2_get_be32(&gb); s->fft_size = bytestream2_get_be32(&gb); s->checksum_size = bytestream2_get_be32(&gb); - if (s->checksum_size >= 1U << 28) { - av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size); + if (s->checksum_size >= 1U << 28 || !s->checksum_size) { + av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); return AVERROR_INVALIDDATA; } From a7acecb0d9e3c96930c284f36205e30100894788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jun 2019 00:15:03 +0200 Subject: [PATCH 0521/1764] avcodec/4xm: Fix signed integer overflows in idct() Fixes: signed integer overflow: 20242 * 121095 cannot be represented in type 'int' Fixes: 15310/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5737051745419264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bbea155bf7c6ce6d5ae53cc41e44798cad2f39c) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 8e05a4c366..7e6a15e49f 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -158,7 +158,7 @@ typedef struct FourXContext { #define FIX_1_847759065 121095 #define FIX_2_613125930 171254 -#define MULTIPLY(var, const) (((var) * (const)) >> 16) +#define MULTIPLY(var, const) ((int)((var) * (unsigned)(const)) >> 16) static void idct(int16_t block[64]) { From 99c45c0c82a6e22f1e8caa6bfc08bb655dcf9e42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Jun 2019 19:20:43 +0200 Subject: [PATCH 0522/1764] avcodec/rv10: Fix integer overflow in aspect ratio compare Fixes: signed integer overflow: 2040 * 1187872 cannot be represented in type 'int' Fixes: 15368/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV20_fuzzer-5681657136283648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 14fcf42958608223a0be6558fb6e323419c9fc27) Signed-off-by: Michael Niedermayer --- libavcodec/rv10.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 595e217519..3b9ebbe8fa 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -388,9 +388,9 @@ static int rv20_decode_picture_header(RVDecContext *rv) // attempt to keep aspect during typical resolution switches if (!old_aspect.num) old_aspect = (AVRational){1, 1}; - if (2 * new_w * s->height == new_h * s->width) + if (2 * (int64_t)new_w * s->height == (int64_t)new_h * s->width) s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){2, 1}); - if (new_w * s->height == 2 * new_h * s->width) + if ((int64_t)new_w * s->height == 2 * (int64_t)new_h * s->width) s->avctx->sample_aspect_ratio = av_mul_q(old_aspect, (AVRational){1, 2}); ret = ff_set_dimensions(s->avctx, new_w, new_h); From f09573400521fb5e966d62cc498d904d198296e2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jun 2019 21:53:09 +0200 Subject: [PATCH 0523/1764] avcodec/hq_hqa: Use ff_set_dimensions() Fixes: 15530/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5637370344374272 Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6229fcd405d4135848c83df73634871260de59c) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 90bafdc72a..eec2e980b3 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -254,10 +254,12 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size) width = bytestream2_get_be16(&ctx->gbc); height = bytestream2_get_be16(&ctx->gbc); + ret = ff_set_dimensions(ctx->avctx, width, height); + if (ret < 0) + return ret; + ctx->avctx->coded_width = FFALIGN(width, 16); ctx->avctx->coded_height = FFALIGN(height, 16); - ctx->avctx->width = width; - ctx->avctx->height = height; ctx->avctx->bits_per_raw_sample = 8; ctx->avctx->pix_fmt = AV_PIX_FMT_YUVA422P; From bcc19ab7b7d14b7087602bb8e7944035d9493f9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Jun 2019 23:23:25 +0200 Subject: [PATCH 0524/1764] avformat/utils: Check timebase before use in estimate_timings() Fixes: division by 0 Fixes: 15480/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5746727434321920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f57e97dfd9539bc3f4f97a76ebc001f0b055cb88) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 27071e10b4..17c85e0aaa 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2884,6 +2884,7 @@ static void estimate_timings(AVFormatContext *ic, int64_t old_offset) AVStream av_unused *st; for (i = 0; i < ic->nb_streams; i++) { st = ic->streams[i]; + if (st->time_base.den) av_log(ic, AV_LOG_TRACE, "stream %d: start_time: %0.3f duration: %0.3f\n", i, (double) st->start_time * av_q2d(st->time_base), (double) st->duration * av_q2d(st->time_base)); From 49b4d41ec1b33214aac0f3e51c0ca177e3dfeb37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 17:54:45 +0200 Subject: [PATCH 0525/1764] avcodec/golomb: Correct the doxy about get_ue_golomb() and errors Signed-off-by: Michael Niedermayer (cherry picked from commit 1bb3b3f11c6960e90bcfe685c0ad1e355a3e787e) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index efb1eff8aa..06f5c69960 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -49,6 +49,8 @@ extern const uint8_t ff_interleaved_dirac_golomb_vlc_code[256]; /** * Read an unsigned Exp-Golomb code in the range 0 to 8190. + * + * @returns the read value or a negative error code. */ static inline int get_ue_golomb(GetBitContext *gb) { From 7a026998b07ebfbf419d64106be11d9486312c91 Mon Sep 17 00:00:00 2001 From: James Zern Date: Tue, 9 Jul 2019 19:03:58 -0700 Subject: [PATCH 0526/1764] avcodec/utils, avcodec_open2: close codec on failure after a successful init if the function fails for another reason close the codec without requiring FF_CODEC_CAP_INIT_CLEANUP which is meant to cover init failures themselves. fixes a memory leak in those cases. BUG=oss-fuzz:15529 Signed-off-by: James Zern Signed-off-by: Michael Niedermayer (cherry picked from commit b1febda061955c6f4bfbc1a75918b5e75e7d7f80) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index c587110af2..1a5f4e7e4f 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -630,6 +630,7 @@ int attribute_align_arg ff_codec_open2_recursive(AVCodecContext *avctx, const AV int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *codec, AVDictionary **options) { int ret = 0; + int codec_init_ok = 0; AVDictionary *tmp = NULL; const AVPixFmtDescriptor *pixdesc; @@ -1024,6 +1025,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (ret < 0) { goto free_and_end; } + codec_init_ok = 1; } ret=0; @@ -1117,7 +1119,8 @@ end: return ret; free_and_end: if (avctx->codec && - (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP)) + (codec_init_ok || + (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); if (codec->priv_class && codec->priv_data_size) From db136657d425425c019ef7dec1918ff028b03c0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2019 20:02:24 +0200 Subject: [PATCH 0527/1764] avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame() Fixes: left shift of negative value -456 Fixes: 15561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5758130404720640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 1dbb67d39b21ed320edd2b1599b502518250cfd3) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 80e0e9e68d..7e172a2181 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -364,8 +364,9 @@ static int mpc8_decode_frame(AVCodecContext * avctx, void *data, for(j = 0; j < SAMPLES_PER_BAND; j += SAMPLES_PER_BAND / 2){ cnt = get_vlc2(gb, q1_vlc.table, MPC8_Q1_BITS, 2); t = mpc8_get_mask(gb, 18, cnt); - for(k = 0; k < SAMPLES_PER_BAND / 2; k++, t <<= 1) - c->Q[ch][off + j + k] = (t & 0x20000) ? (get_bits1(gb) << 1) - 1 : 0; + for(k = 0; k < SAMPLES_PER_BAND / 2; k++) + c->Q[ch][off + j + k] = t & (1 << (SAMPLES_PER_BAND / 2 - k - 1)) + ? (get_bits1(gb) << 1) - 1 : 0; } break; case 2: From 2b0180f80b1eb791850a8667128f84fdf011c0d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Jul 2019 23:25:07 +0200 Subject: [PATCH 0528/1764] avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation) Fixes: null pointer dereference Fixes: 15464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5681391150301184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6aaa01afe4fb774d0767684aa00f075b0ee5fca6) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 3 --- libavcodec/huffyuvenc.c | 2 -- 2 files changed, 5 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 66357bfb40..17c9679cb4 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -418,9 +418,6 @@ static av_cold int decode_init(AVCodecContext *avctx) case 0x0F0: avctx->pix_fmt = AV_PIX_FMT_GRAY16; break; - case 0x170: - avctx->pix_fmt = AV_PIX_FMT_GRAY8A; - break; case 0x470: avctx->pix_fmt = AV_PIX_FMT_GBRP; break; diff --git a/libavcodec/huffyuvenc.c b/libavcodec/huffyuvenc.c index 89639b75df..a90011e55e 100644 --- a/libavcodec/huffyuvenc.c +++ b/libavcodec/huffyuvenc.c @@ -279,7 +279,6 @@ FF_ENABLE_DEPRECATION_WARNINGS case AV_PIX_FMT_YUVA420P: case AV_PIX_FMT_YUVA422P: case AV_PIX_FMT_GBRAP: - case AV_PIX_FMT_GRAY8A: case AV_PIX_FMT_YUV420P9: case AV_PIX_FMT_YUV420P10: case AV_PIX_FMT_YUV420P12: @@ -1133,7 +1132,6 @@ AVCodec ff_ffvhuff_encoder = { AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY16, AV_PIX_FMT_YUVA420P, AV_PIX_FMT_YUVA422P, AV_PIX_FMT_YUVA444P, AV_PIX_FMT_GBRAP, - AV_PIX_FMT_GRAY8A, AV_PIX_FMT_YUV420P9, AV_PIX_FMT_YUV420P10, AV_PIX_FMT_YUV420P12, AV_PIX_FMT_YUV420P14, AV_PIX_FMT_YUV420P16, AV_PIX_FMT_YUV422P9, AV_PIX_FMT_YUV422P10, AV_PIX_FMT_YUV422P12, AV_PIX_FMT_YUV422P14, AV_PIX_FMT_YUV422P16, AV_PIX_FMT_YUV444P9, AV_PIX_FMT_YUV444P10, AV_PIX_FMT_YUV444P12, AV_PIX_FMT_YUV444P14, AV_PIX_FMT_YUV444P16, From 0af60924ea506457dc82e95b012d4c57824d07fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 23:02:36 +0200 Subject: [PATCH 0529/1764] avcodec/pngdec: Check that previous_picture has same w/h/format Fixes: out of array access Fixes: 15540/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5684905029140480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 18c808ffbed81ea580fe6ddd6524dd7bea3f8d0e) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 0a2772f763..1faf80108b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1352,6 +1352,9 @@ exit_loop: if (CONFIG_PNG_DECODER && avctx->codec_id != AV_CODEC_ID_APNG) handle_p_frame_png(s, p); else if (CONFIG_APNG_DECODER && + s->previous_picture.f->width == p->width && + s->previous_picture.f->height== p->height && + s->previous_picture.f->format== p->format && avctx->codec_id == AV_CODEC_ID_APNG && (ret = handle_p_frame_apng(avctx, s, p)) < 0) goto fail; From cda23a57cc1e882ffae8b1a09a9e6c96b5451c5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2019 20:12:41 +0200 Subject: [PATCH 0530/1764] avformat/xmv: Make bitrate 64bit Fixes: signed integer overflow: 32 * 538976288 cannot be represented in type 'int' Fixes: 15633/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5752273981931520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 39a6a79bcbe3c2d239ed207a34c5fb3ca7bfdaf0) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index b974e5a6e6..96c7f0372c 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -79,7 +79,7 @@ typedef struct XMVAudioPacket { uint16_t channels; ///< Number of channels. int32_t sample_rate; ///< Sampling rate. uint16_t bits_per_sample; ///< Bits per compressed sample. - uint32_t bit_rate; ///< Bits of compressed data per second. + uint64_t bit_rate; ///< Bits of compressed data per second. uint16_t flags; ///< Flags unsigned block_align; ///< Bytes per compressed block. uint16_t block_samples; ///< Decompressed samples per compressed block. @@ -191,7 +191,7 @@ static int xmv_read_header(AVFormatContext *s) packet->bits_per_sample = avio_rl16(pb); packet->flags = avio_rl16(pb); - packet->bit_rate = packet->bits_per_sample * + packet->bit_rate = (uint64_t)packet->bits_per_sample * packet->sample_rate * packet->channels; packet->block_align = XMV_BLOCK_ALIGN_SIZE * packet->channels; From c2507e1946d345ca6e8cb63624c8509f7b63bd31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2019 19:57:08 +0200 Subject: [PATCH 0531/1764] avcodec/ivi: Ask for samples with odd tiles Fixes: Assertion failure Fixes: 15422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5676625481433088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a7e02cf3ad6f6eaae07fa68ecb93014e1dfd224e) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index 68cef856d4..8b197c64eb 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -429,6 +429,10 @@ av_cold int ff_ivi_init_tiles(IVIPlaneDesc *planes, t_height = !p ? tile_height : (tile_height + 3) >> 2; if (!p && planes[0].num_bands == 4) { + if (t_width % 2 || t_height % 2) { + avpriv_request_sample(NULL, "Odd tiles"); + return AVERROR_PATCHWELCOME; + } t_width >>= 1; t_height >>= 1; } From 5bcced7beaedaa89996e7c73cb92dbc63b9341f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 09:21:52 +0200 Subject: [PATCH 0532/1764] avcodec/parser: Check next index validity in ff_combine_frame() Fixes: out of array access Fixes: 15522/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DNXHD_fuzzer-5747756078989312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15008db0fac6d97bb939fa7ef9e92d79bf1f7cb1) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 670680ea7c..1b50f40b20 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -262,6 +262,9 @@ int ff_combine_frame(ParseContext *pc, int next, for (; pc->overread > 0; pc->overread--) pc->buffer[pc->index++] = pc->buffer[pc->overread_index++]; + if (next > *buf_size) + return AVERROR(EINVAL); + /* flush remaining if EOF */ if (!*buf_size && next == END_NOT_FOUND) next = 0; From 12dfbefda254180ed2f1ce6795380458c446bd54 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 22:19:22 +0200 Subject: [PATCH 0533/1764] avcodec/h264_refs: Also check reference in ff_h264_build_ref_list() Fixes: out of array read Fixes: 15409/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5758846959616000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d3581e6bbec309ca0cc617c37cf6e87547764ef) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 2cdb67f978..e43ce428c5 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -373,9 +373,11 @@ int ff_h264_build_ref_list(H264Context *h, H264SliceContext *sl) av_assert0(0); } - if (i < 0) { + if (i < 0 || mismatches_ref(h, ref)) { av_log(h->avctx, AV_LOG_ERROR, - "reference picture missing during reorder\n"); + i < 0 ? "reference picture missing during reorder\n" : + "mismatching reference\n" + ); memset(&sl->ref_list[list][index], 0, sizeof(sl->ref_list[0][0])); // FIXME } else { for (i = index; i + 1 < sl->ref_count[list]; i++) { From 774d23af2ffefe6ce598ef906d3c76ddaa6f4f4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:01:19 +0200 Subject: [PATCH 0534/1764] avformat/utils: Check rfps_duration_sum for overflow Fixes: signed integer overflow: 9151595917793558550 + 297519050751678697 cannot be represented in type 'long' Fixes: 15496/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5722866475073536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c46fdf305caac8bf2f270e69e60ae3d614df468) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 17c85e0aaa..8e61ae029d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3282,8 +3282,10 @@ int ff_rfps_add_frame(AVFormatContext *ic, AVStream *st, int64_t ts) } } } - st->info->duration_count++; - st->info->rfps_duration_sum += duration; + if (st->info->rfps_duration_sum <= INT64_MAX - duration) { + st->info->duration_count++; + st->info->rfps_duration_sum += duration; + } if (st->info->duration_count % 10 == 0) { int n = st->info->duration_count; From 6118362864af889a30bfcff3b0a5a929ca4cd713 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 09:51:46 +0200 Subject: [PATCH 0535/1764] avcodec/dnxhd_parser: remove unneeded code Signed-off-by: Michael Niedermayer (cherry picked from commit 1707dbdf49b22021b0845482806b881093534f2f) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhd_parser.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c index 79ca1d6718..154a858476 100644 --- a/libavcodec/dnxhd_parser.c +++ b/libavcodec/dnxhd_parser.c @@ -81,8 +81,6 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, } dctx->remaining = remaining; if (buf_size - i + 47 >= dctx->remaining) { - int remaining = dctx->remaining; - pc->frame_start_found = 0; pc->state64 = -1; dctx->cur_byte = 0; From 190b92359bb2b2d259b57655d56087a88b14c27e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 11:51:09 +0200 Subject: [PATCH 0536/1764] avcodec/dnxhd_parser: Fix parser when input does not have nicely sized packets Fixes: out of array access Fixes: 15522/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DNXHD_fuzzer-5747756078989312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d900d8fe0aaf9c984e024956eb537ecdfe2c949) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhd_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c index 154a858476..3cc005ab84 100644 --- a/libavcodec/dnxhd_parser.c +++ b/libavcodec/dnxhd_parser.c @@ -79,8 +79,9 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, if (remaining <= 0) continue; } + remaining += i - 47; dctx->remaining = remaining; - if (buf_size - i + 47 >= dctx->remaining) { + if (buf_size >= dctx->remaining) { pc->frame_start_found = 0; pc->state64 = -1; dctx->cur_byte = 0; From 68ee6f4d8b75bd535257ff601229b8fb70f47680 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 00:35:47 +0200 Subject: [PATCH 0537/1764] avcodec/ffwavesynth: Check sample rate before use Fixes: division by zero Fixes: 15725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5641231956180992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit c95857a4237d7a0c55378a44f51d2d809f3bc8f5) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 793eada7a5..1dbfaa5847 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -270,7 +270,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) dt = in->ts_end - in->ts_start; switch (in->type) { case WS_SINE: - if (edata_end - edata < 20) + if (edata_end - edata < 20 || avc->sample_rate <= 0) return AVERROR(EINVAL); f1 = AV_RL32(edata + 0); f2 = AV_RL32(edata + 4); From 6e1b07c0b29b532656dc42c0e6d5fbf426502610 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 00:35:48 +0200 Subject: [PATCH 0538/1764] avcodec/ffwavesynth: More correct cast in wavesynth_seek() Fixes: signed integer overflow: 553590816 - -9223372036315799520 cannot be represented in type 'long' Fixes: 15743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5705835377852416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit f4605770af712dd9d7b0136fe298f8aa52101011) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 1dbfaa5847..94a843e3ca 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -215,7 +215,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) ws->next_inter = i; ws->next_ts = i < ws->nb_inter ? ws->inter[i].ts_start : INF_TS; *last = -1; - lcg_seek(&ws->dither_state, (uint32_t)ts - ws->cur_ts); + lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); From 2d86e41d450c00956cc2d3fcedcd00a9d41e1005 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 00:35:49 +0200 Subject: [PATCH 0539/1764] avcodec/ffwavesynth: Check if there is enough extradata before allocation Fixes: OOM Fixes: 15750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5702090367696896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 65bac4a7825e1f2bbf4112569ffa363cc1fdbce5) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 94a843e3ca..b319b3341a 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -247,7 +247,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) edata_end = edata + avc->extradata_size; ws->nb_inter = AV_RL32(edata); edata += 4; - if (ws->nb_inter < 0) + if (ws->nb_inter < 0 || (edata_end - edata) / 24 < ws->nb_inter) return AVERROR(EINVAL); ws->inter = av_calloc(ws->nb_inter, sizeof(*ws->inter)); if (!ws->inter) From 03ea84792af1521c08db1db203f174e2b3a6dde1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Jul 2019 00:07:59 +0200 Subject: [PATCH 0540/1764] avcodec/dvbsubdec: Use ff_set_dimensions() Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15740/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5641749164195840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5941b7f615b0c0cab0d8f8613b918de75d3c1222) Signed-off-by: Michael Niedermayer --- libavcodec/dvbsubdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index f329e05746..756e3a8e95 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -1553,8 +1553,9 @@ static int dvbsub_parse_display_definition_segment(AVCodecContext *avctx, display_def->width = bytestream_get_be16(&buf) + 1; display_def->height = bytestream_get_be16(&buf) + 1; if (!avctx->width || !avctx->height) { - avctx->width = display_def->width; - avctx->height = display_def->height; + int ret = ff_set_dimensions(avctx, display_def->width, display_def->height); + if (ret < 0) + return ret; } if (info_byte & 1<<3) { // display_window_flag From b3d8b99a286a033524a4e3ec0c83fe0304f6d2d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 23:01:04 +0200 Subject: [PATCH 0541/1764] avcodec/flicvideo: Make line_packets int Fixes: signed integer overflow: -32768 * 196032 cannot be represented in type 'int' Fixes: 15300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5733319519502336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 54bd47f861e8cdc74aea816ebfbbaac25fefd0d1) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index c0e1e16bcd..99868f3ba3 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -175,7 +175,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, int lines; int compressed_lines; int starting_line; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; @@ -274,7 +274,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; @@ -508,7 +508,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, int lines; int compressed_lines; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; @@ -572,7 +572,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if (line_packets < 0) { line_packets = -line_packets; if (line_packets > s->avctx->height) @@ -806,7 +806,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, int lines; int compressed_lines; - signed short line_packets; + int line_packets; int y_ptr; int byte_run; int pixel_skip; @@ -870,7 +870,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, break; if (y_ptr > pixel_limit) return AVERROR_INVALIDDATA; - line_packets = bytestream2_get_le16(&g2); + line_packets = sign_extend(bytestream2_get_le16(&g2), 16); if (line_packets < 0) { line_packets = -line_packets; if (line_packets > s->avctx->height) From 71fd0201974023137bb74207846638fde5e4ed80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jul 2019 23:20:30 +0200 Subject: [PATCH 0542/1764] avcodec/alsdec: Fix 2 integer overflows Fixes: signed integer overflow: 1270564968 + 904828220 cannot be represented in type 'int' Fixes: 15402/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5755426823471104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9cd0d94f59d05e7bfaae9690e827752e7717eda3) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e02c9e3874..7388dded19 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -507,7 +507,7 @@ static void parcor_to_lpc(unsigned int k, const int32_t *par, int32_t *cof) int i, j; for (i = 0, j = k - 1; i < j; i++, j--) { - int tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20); + unsigned tmp1 = ((MUL64(par[k], cof[j]) + (1 << 19)) >> 20); cof[j] += ((MUL64(par[k], cof[i]) + (1 << 19)) >> 20); cof[i] += tmp1; } @@ -985,7 +985,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = -opt_order; sb < 0; sb++) - y += MUL64(lpc_cof[sb], raw_samples[sb]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[sb]); *raw_samples -= y >> 20; } From 428dee1a0357203dab107f3769485013d886f9ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 00:03:51 +0200 Subject: [PATCH 0543/1764] avcodec/alsdec: fix undefined shift in multiply() Fixes: left shift of negative value -6 Fixes: 15564/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5701655938465792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b880b3b236ddd00f85ea502b4c17a145fd26c790) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7388dded19..bd7049d28a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1421,7 +1421,7 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { return_val = 0x80000000U; } - return_val |= (a.exp + b.exp + bit_count - 47) << 23; + return_val |= ((unsigned)av_clip(a.exp + b.exp + bit_count - 47, -126, 127) << 23) & 0x7F800000; return_val |= mantissa; return av_bits2sf_ieee754(return_val); } From 91abbbda598e457a6b48778a43a7ca7f1f0f36ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 10:54:13 +0200 Subject: [PATCH 0544/1764] avcodec/apedec: Fix multiple integer overflows in predictor_update_filter() Fixes: signed integer overflow: -829262115 + -1410750414 cannot be represented in type 'int' Fixes: 15251/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5651742252859392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0af08cb803844b9eba4ff3e552c26452ec6fa7d2) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index eb31fd70c1..63335f542c 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1142,7 +1142,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayB - 3] * p->coeffsB[filter][3] + p->buf[delayB - 4] * p->coeffsB[filter][4]; - p->lastA[filter] = decoded + ((predictionA + (predictionB >> 1)) >> 10); + p->lastA[filter] = decoded + ((int)((unsigned)predictionA + (predictionB >> 1)) >> 10); p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); sign = APESIGN(decoded); From 1dcb1dd490f62141254f6ca32426b7c37df7f00a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 11:32:10 +0200 Subject: [PATCH 0545/1764] avcodec/apedec: Fix various integer overflows Fixes: signed integer overflow: -538976267 * 31 cannot be represented in type 'int' Fixes: left shift of 65312 by 16 places cannot be represented in type 'int' Fixes: 15255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718831688843264 Fixes: 15547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5691384901664768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 240bf0e5960fca424e43b7ab1048897fdecabf26) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 63335f542c..7cf99a00b1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -554,7 +554,7 @@ static inline int ape_decode_value_3990(APEContext *ctx, APERice *rice) overflow = range_get_symbol(ctx, counts_3980, counts_diff_3980); if (overflow == (MODEL_ELEMENTS - 1)) { - overflow = range_decode_bits(ctx, 16) << 16; + overflow = (unsigned)range_decode_bits(ctx, 16) << 16; overflow |= range_decode_bits(ctx, 16); } @@ -1130,7 +1130,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA - 3] * p->coeffsA[filter][3]; /* Apply a scaled first-order filter compression */ - p->buf[delayB] = p->filterA[filter ^ 1] - ((p->filterB[filter] * 31) >> 5); + p->buf[delayB] = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5); p->buf[adaptB] = APESIGN(p->buf[delayB]); p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1]; p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]); @@ -1143,7 +1143,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayB - 4] * p->coeffsB[filter][4]; p->lastA[filter] = decoded + ((int)((unsigned)predictionA + (predictionB >> 1)) >> 10); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); p->coeffsA[filter][0] += p->buf[adaptA ] * sign; @@ -1229,7 +1229,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) p->buf = p->historybuffer; } - p->filterA[0] = currentA + ((p->filterA[0] * 31) >> 5); + p->filterA[0] = currentA + ((int)(p->filterA[0] * 31U) >> 5); *(decoded0++) = p->filterA[0]; } From 175def86b7d7765c1c64c635a7ba5ed1957dc718 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 14:47:58 +0200 Subject: [PATCH 0546/1764] avutil/softfloat_ieee754: Fix odd bit position for exponent and sign in av_bits2sf_ieee754() Signed-off-by: Michael Niedermayer (cherry picked from commit 82e389d066923412dd945543418e8cb6c63d0997) Signed-off-by: Michael Niedermayer --- libavutil/softfloat_ieee754.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat_ieee754.h b/libavutil/softfloat_ieee754.h index b8957fb0a9..3398aa18be 100644 --- a/libavutil/softfloat_ieee754.h +++ b/libavutil/softfloat_ieee754.h @@ -64,7 +64,7 @@ static inline SoftFloat_IEEE754 av_int2sf_ieee754(int64_t n, int e) { * by the IEEE 754 spec. */ static inline SoftFloat_IEEE754 av_bits2sf_ieee754(uint32_t n) { - return ((SoftFloat_IEEE754) { (n & 0x80000000UL), (n & 0x7FFFFFUL), (n & 0x7F800000UL) }); + return ((SoftFloat_IEEE754) { (n & 0x80000000UL) >> 31, (n & 0x7FFFFFUL), (int8_t)((n & 0x7F800000UL) >> 23)}); } /** Convert the softfloat to integer From 8666a635fdb02bcc1d1fb390df04e92776d17803 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 23:16:12 +0200 Subject: [PATCH 0547/1764] avcodec/vorbisdec: amplitude bits can be more than 25 bits Fixes: assertion failure, invalid shift Fixes: 15583/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5640157484548096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 308771a73870863d1b4f630234fbb5bc7aec8252) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 2a4f482031..2b3fb6c0c0 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1097,13 +1097,14 @@ static int vorbis_floor0_decode(vorbis_context *vc, { vorbis_floor0 *vf = &vfu->t0; float *lsp = vf->lsp; - unsigned amplitude, book_idx; + unsigned book_idx; + uint64_t amplitude; unsigned blockflag = vc->modes[vc->mode_number].blockflag; if (!vf->amplitude_bits) return 1; - amplitude = get_bits(&vc->gb, vf->amplitude_bits); + amplitude = get_bits64(&vc->gb, vf->amplitude_bits); if (amplitude > 0) { float last = 0; unsigned idx, lsp_len = 0; @@ -1181,7 +1182,7 @@ static int vorbis_floor0_decode(vorbis_context *vc, /* calculate linear floor value */ q = exp((((amplitude*vf->amplitude_offset) / - (((1 << vf->amplitude_bits) - 1) * sqrt(p + q))) + (((1ULL << vf->amplitude_bits) - 1) * sqrt(p + q))) - vf->amplitude_offset) * .11512925f); /* fill vector */ From baa8bca4485734e4eba2b54563ff25ecfcba439b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jul 2019 23:23:53 +0200 Subject: [PATCH 0548/1764] avcodec/vorbisdec: Check vlc for floor0 dec vector offset Fixes: out of array access Fixes: 15649/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5729191309344768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99f95f39c6978f0d91e42b3bced126a98173dbef) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 2b3fb6c0c0..fa85266f41 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1128,8 +1128,10 @@ static int vorbis_floor0_decode(vorbis_context *vc, ff_dlog(NULL, "floor0 dec: maximum depth: %d\n", codebook.maxdepth); /* read temp vector */ vec_off = get_vlc2(&vc->gb, codebook.vlc.table, - codebook.nb_bits, codebook.maxdepth) - * codebook.dimensions; + codebook.nb_bits, codebook.maxdepth); + if (vec_off < 0) + return AVERROR_INVALIDDATA; + vec_off *= codebook.dimensions; ff_dlog(NULL, "floor0 dec: vector offset: %d\n", vec_off); /* copy each vector component and add last to it */ for (idx = 0; idx < codebook.dimensions; ++idx) From c3b7afa4e917d748f0c3f8237b04ebdd99bdcacb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Jul 2019 00:08:55 +0200 Subject: [PATCH 0549/1764] avcodec/utils: Check close before calling it Fixes: NULL pointer dereference Fixes: 15733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDF_fuzzer-5658616977162240 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8df6884832ec413cf032dfaa45c23b1c7876670c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1a5f4e7e4f..7cd14c8e1e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1118,7 +1118,7 @@ end: return ret; free_and_end: - if (avctx->codec && + if (avctx->codec && avctx->codec->close && (codec_init_ok || (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); From 5088a3e2d3b1f94fedb4d880413b3e9a2dc9c5fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:39:23 +0200 Subject: [PATCH 0550/1764] avcodec/utils: fix leak of subtitle_header on error path Fixes: memleak Fixes: 15528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_STL_fuzzer-5735993371525120 Fixes: 15792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SAMI_fuzzer-5737754232619008 Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 923d5c489fd4ffd0b9dbfdc6c14f594bd134ab47) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 7cd14c8e1e..f40a533399 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1135,6 +1135,7 @@ FF_ENABLE_DEPRECATION_WARNINGS av_dict_free(&tmp); av_freep(&avctx->priv_data); + av_freep(&avctx->subtitle_header); if (avctx->internal) { av_frame_free(&avctx->internal->to_free); av_frame_free(&avctx->internal->compat_decode_frame); From c88d2c4e2f7632f5695d0d24899e5aa9db842eea Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Thu, 25 Jul 2019 15:54:49 -0700 Subject: [PATCH 0551/1764] lafv/wavdec: Fail bext parsing on incomplete reads avio_read can successfully return even when less than the requested amount of input was read. wavdec's bext parsing mistakenly assumed a successful avio_read always read the full amount that was requested. The result could be dictionary tags populated with partially uninitialized values. This change also fixes a broken assertion in wav_parse_bext_string that was off-by-one, though no known current usage of that method hits that broken case. Chromium bug: 987270 Signed-off-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index b016185a1b..22150f63e9 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -232,9 +232,9 @@ static inline int wav_parse_bext_string(AVFormatContext *s, const char *key, char temp[257]; int ret; - av_assert0(length <= sizeof(temp)); - if ((ret = avio_read(s->pb, temp, length)) < 0) - return ret; + av_assert0(length < sizeof(temp)); + if ((ret = avio_read(s->pb, temp, length)) != length) + return ret < 0 ? ret : AVERROR_INVALIDDATA; temp[length] = 0; @@ -303,8 +303,10 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t size) if (!(coding_history = av_malloc(size + 1))) return AVERROR(ENOMEM); - if ((ret = avio_read(s->pb, coding_history, size)) < 0) - return ret; + if ((ret = avio_read(s->pb, coding_history, size)) != size) { + av_free(coding_history); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } coding_history[size] = 0; if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history, From 86549d839f8e5c1203639fcef41c3effefb1e9fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 14:16:16 +0200 Subject: [PATCH 0552/1764] avcodec/brenderpix: Check input size before allocating image An incomplete image is not supported prior to this and will not produce any output. This commit moves the failure before time consuming operations. Fixes: Timeout (81sec -> 76ms) Fixes: 15723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BRENDER_PIX_fuzzer-5147265653538816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 38b6c48c4300343f4703019a90a332773e64e11b) Signed-off-by: Michael Niedermayer --- libavcodec/brenderpix.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/brenderpix.c b/libavcodec/brenderpix.c index 0556858de1..46b7a59aa4 100644 --- a/libavcodec/brenderpix.c +++ b/libavcodec/brenderpix.c @@ -204,6 +204,10 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, avpriv_request_sample(avctx, "Format %d", hdr.format); return AVERROR_PATCHWELCOME; } + bytes_per_scanline = bytes_pp * hdr.width; + + if (bytestream2_get_bytes_left(&gb) < hdr.height * bytes_per_scanline) + return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, hdr.width, hdr.height)) < 0) return ret; @@ -261,7 +265,6 @@ static int pix_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytestream2_skip(&gb, 8); // read the image data to the buffer - bytes_per_scanline = bytes_pp * hdr.width; bytes_left = bytestream2_get_bytes_left(&gb); if (chunk_type != IMAGE_DATA_CHUNK || data_len != bytes_left || From a71f9aaf42c899c5e2bcf7b064d731ec9c2a006a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2019 22:55:15 +0200 Subject: [PATCH 0553/1764] avcodec/assdec: undefined use of memcpy() Fixes: null pointer passed as argument 2, which is declared to never be null Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 (this is a separate issue found in this testcase) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 47b6ca0b022a413e392707464f2423795aa89bfb) Signed-off-by: Michael Niedermayer --- libavcodec/assdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/assdec.c b/libavcodec/assdec.c index 3178f2953c..f0b1069cd2 100644 --- a/libavcodec/assdec.c +++ b/libavcodec/assdec.c @@ -31,7 +31,8 @@ static av_cold int ass_decode_init(AVCodecContext *avctx) avctx->subtitle_header = av_malloc(avctx->extradata_size + 1); if (!avctx->subtitle_header) return AVERROR(ENOMEM); - memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); + if (avctx->extradata_size) + memcpy(avctx->subtitle_header, avctx->extradata, avctx->extradata_size); avctx->subtitle_header[avctx->extradata_size] = 0; avctx->subtitle_header_size = avctx->extradata_size; return 0; From 2a43d9f882d83b4d71e37c7b50114f70380a0bcf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2019 21:09:14 +0200 Subject: [PATCH 0554/1764] avcodec/eatgv: Check remaining size after the keyframe header The minimal size which unpack() will not fail on is 5 bytes Fixes: Timeout (14sec -> 77ms) (testcase 15508) Fixes: 15508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5700053513011200 Fixes: 15996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5751353223151616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ec8dc3345353b1cd2316423918533fcb89552) Signed-off-by: Michael Niedermayer --- libavcodec/eatgv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 93e291f053..f82f7b9cca 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -300,6 +300,9 @@ static int tgv_decode_frame(AVCodecContext *avctx, s->palette[i] = 0xFFU << 24 | AV_RB24(buf); buf += 3; } + if (buf_end - buf < 5) { + return AVERROR_INVALIDDATA; + } } if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) From b4edee5cab63e1db7be93f9bb70cf3d62c83bcc2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2019 22:29:57 +0200 Subject: [PATCH 0555/1764] avcodec/eatqi: Check for minimum frame size The minimum header is 8 bytes, the smallest bitstream that is passed to the MB decode code is 4 bytes Fixes: Timeout (35sec -> 18sec) Fixes: 15800/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATQI_fuzzer-5684154517159936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5ffb8e879389fb0642654e3233cfeca1f9841e52) Signed-off-by: Michael Niedermayer --- libavcodec/eatqi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 1a847a35da..2805bd00bb 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -131,6 +131,9 @@ static int tqi_decode_frame(AVCodecContext *avctx, AVFrame *frame = data; int ret, w, h; + if (buf_size < 12) + return AVERROR_INVALIDDATA; + t->avctx = avctx; w = AV_RL16(&buf[0]); From 29fe37850af22e7a45a75932c16b5c1225079812 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Jul 2019 23:11:50 +0200 Subject: [PATCH 0556/1764] avformat/mpc: deallocate frames array on errors Fixes: memleak on error path Fixes: 15984/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5679918412726272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da5039415c2bd625085d15e6c92e0b64eefddcbf) Signed-off-by: Michael Niedermayer --- libavformat/mpc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc.c b/libavformat/mpc.c index af333746e3..a1e7878946 100644 --- a/libavformat/mpc.c +++ b/libavformat/mpc.c @@ -88,7 +88,7 @@ static int mpc_read_header(AVFormatContext *s) st = avformat_new_stream(s, NULL); if (!st) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->codec_id = AV_CODEC_ID_MUSEPACK7; st->codecpar->channels = 2; @@ -96,7 +96,7 @@ static int mpc_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = 16; if (ff_get_extradata(s, st->codecpar, s->pb, 16) < 0) - return AVERROR(ENOMEM); + goto mem_error; st->codecpar->sample_rate = mpc_rate[st->codecpar->extradata[2] & 3]; avpriv_set_pts_info(st, 32, MPC_FRAMESIZE, st->codecpar->sample_rate); /* scan for seekpoints */ @@ -113,6 +113,9 @@ static int mpc_read_header(AVFormatContext *s) } return 0; +mem_error: + av_freep(&c->frames); + return AVERROR(ENOMEM); } static int mpc_read_packet(AVFormatContext *s, AVPacket *pkt) From 363dd60366e253b8d93d67b26dce30dfc8e04c0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2019 11:39:15 +0200 Subject: [PATCH 0557/1764] avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800() Fixes: left shift of negative value -4 Fixes: signed integer overflow: -15091694 * 167 cannot be represented in type 'int' Fixes: signed integer overflow: 1898547155 + 453967445 cannot be represented in type 'int' Fixes: 15258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5759095564402688 Fixes: signed integer overflow: 962196438 * 31 cannot be represented in type 'int' Fixes: 15364/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718799845687296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267eb2ab7f87696e1a156ca9a5ff1b1628d170c1) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7cf99a00b1..27425b17e6 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -859,9 +859,9 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) << 1; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) << 3); - d3 = p->buf[delayB] * 2 - p->buf[delayB - 1]; + d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; predictionA = d0 * p->coeffsA[filter][0] + @@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->filterB[filter] + ((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } @@ -902,7 +902,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod = 0; sign = APESIGN(buffer[i]); for (j = 0; j < order; j++) { - dotprod += delay[j] * coeffs[j]; + dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } buffer[i] -= dotprod >> shift; From ef6ca6adff59a7fabf126ab0873963ce639eeb8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Jul 2019 12:13:19 +0200 Subject: [PATCH 0558/1764] avcodec/apedec: make left/right unsigned to avoid undefined behavior Fixes: signed integer overflow: 755176387 + 1515360583 cannot be represented in type 'int' Fixes: 15506/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5706859232624640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf778af1493b0814696307432763246fb53c75e7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 27425b17e6..7a7097e7a4 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1376,7 +1376,7 @@ static void ape_unpack_mono(APEContext *ctx, int count) static void ape_unpack_stereo(APEContext *ctx, int count) { - int32_t left, right; + unsigned left, right; int32_t *decoded0 = ctx->decoded[0]; int32_t *decoded1 = ctx->decoded[1]; @@ -1393,7 +1393,7 @@ static void ape_unpack_stereo(APEContext *ctx, int count) /* Decorrelate and scale to output depth */ while (count--) { - left = *decoded1 - (*decoded0 / 2); + left = *decoded1 - (unsigned)(*decoded0 / 2); right = left + *decoded0; *(decoded0++) = left; From 9ba145e243cbde7539263b8fcd79c52e06b33da7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 23:00:09 +0200 Subject: [PATCH 0559/1764] avcodec/truemotion2: Fix several integer overflows in tm2_motion_block() Fixes: 15524/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5173148372172800 Fixes: signed integer overflow: 13701388 - -2134868270 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a353ea8766206bd302f3f12ca1d226237542908) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 4e3a429777..3443bbeda2 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -751,10 +751,10 @@ static inline void tm2_motion_block(TM2Context *ctx, AVFrame *pic, int bx, int b } /* calculate deltas */ Y -= Ystride * 4; - ctx->D[0] = Y[3] - last[3]; - ctx->D[1] = Y[3 + Ystride] - Y[3]; - ctx->D[2] = Y[3 + Ystride * 2] - Y[3 + Ystride]; - ctx->D[3] = Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; + ctx->D[0] = (unsigned)Y[3] - last[3]; + ctx->D[1] = (unsigned)Y[3 + Ystride] - Y[3]; + ctx->D[2] = (unsigned)Y[3 + Ystride * 2] - Y[3 + Ystride]; + ctx->D[3] = (unsigned)Y[3 + Ystride * 3] - Y[3 + Ystride * 2]; for (i = 0; i < 4; i++) last[i] = Y[i + Ystride * 3]; } From 06ad82980087589f91cdfc03614b7319dd24613c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Jul 2019 23:13:13 +0200 Subject: [PATCH 0560/1764] avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc() Fixes: signed integer overflow: 32796 * 65536 cannot be represented in type 'int' Fixes: 15430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5735424087031808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f31ed8f3b00ec7afe87092798bf0b397f6e19ed5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 45760cc6ee..9fe12a40ff 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -411,12 +411,12 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, if (c_avail && (n != 1 && n != 3)) { q2 = s->current_picture.qscale_table[mb_pos - 1]; if (q2 && q2 != q1) - c = (c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + c = (int)((unsigned)c * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && (n != 2 && n != 3)) { q2 = s->current_picture.qscale_table[mb_pos - s->mb_stride]; if (q2 && q2 != q1) - a = (a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + a = (int)((unsigned)a * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (a_avail && c_avail && (n != 3)) { int off = mb_pos; @@ -426,7 +426,7 @@ static inline int ff_vc1_pred_dc(MpegEncContext *s, int overlap, int pq, int n, off -= s->mb_stride; q2 = s->current_picture.qscale_table[off]; if (q2 && q2 != q1) - b = (b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; + b = (int)((unsigned)b * s->y_dc_scale_table[q2] * ff_vc1_dqscale[dqscale_index] + 0x20000) >> 18; } if (c_avail && (!a_avail || abs(a - b) <= abs(b - c))) { From 2dadc27de2b70b9d385e6e1e0f6103145ecdc055 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 23:27:19 +0200 Subject: [PATCH 0561/1764] avcodec/vc1_pred: Fix invalid shift in scaleforsame() Fixes: left shift of negative value -1 Fixes: 15531/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5759556258365440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6dfda35dd29d2e2a86554d2c05d957a09ab79b0c) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index 54712f6b7a..aa8e402af9 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -178,7 +178,7 @@ static av_always_inline int scaleforsame(VC1Context *v, int i, int n /* MV */, brfd = FFMIN(v->brfd, 3); scalesame = ff_vc1_b_field_mvpred_scales[0][brfd]; - n = (n * scalesame >> 8) << hpel; + n = (n * scalesame >> 8) * (1 << hpel); return n; } From 8b525ccd366ed6330249eb2e0b80d412b385e076 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jul 2019 00:41:06 +0200 Subject: [PATCH 0562/1764] avcodec/vp3: Check that theora is theora Theora is forced to be non zero if it is zero and a sample is asked for, as suggested by reimar Fixes: Timeout (2min -> 600ms) Fixes: 15366/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5737849938247680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4bf7226aff28e9ca379c5a3dedf745a2d316739) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index e9bb7dcb38..38cecf22a9 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2276,6 +2276,10 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); + if (!s->theora) { + s->theora = 1; + avpriv_request_sample(s->avctx, "theora 0"); + } /* 3.2.0 aka alpha3 has the same frame orientation as original vp3 * but previous versions have the image flipped relative to vp3 */ From d218b9e0671659fbb0f10fe2dc4e67fe6e94aaab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Aug 2019 23:54:49 +0200 Subject: [PATCH 0563/1764] avcodec/hnm4video: Forward errors of decode_interframe_v4() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (108sec -> 160ms) Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Reviewed-by: Tomas Härdin Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9af8ce754b705c36ad4d2b6fd0f73f87ca4381c4) Signed-off-by: Michael Niedermayer --- libavcodec/hnm4video.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index a64dbb1746..5ca7fb58cd 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -143,7 +143,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame) } } -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) { Hnm4VideoContext *hnm = avctx->priv_data; GetByteContext gb; @@ -162,7 +162,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (tag == 0) { if (writeoffset + 2 > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } hnm->current[writeoffset++] = bytestream2_get_byte(&gb); hnm->current[writeoffset++] = bytestream2_get_byte(&gb); @@ -176,7 +176,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s count = bytestream2_get_byte(&gb) * 2; if (writeoffset + count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } while (count > 0) { hnm->current[writeoffset++] = bytestream2_peek_byte(&gb); @@ -188,7 +188,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } if (writeoffset > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { previous = bytestream2_peek_byte(&gb) & 0x20; @@ -204,24 +204,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s if (!backward && offset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (backward && offset + 1 >= hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } else if (writeoffset + 2*count > hnm->width * hnm->height) { av_log(avctx, AV_LOG_ERROR, "Attempting to write out of bounds\n"); - break; + return AVERROR_INVALIDDATA; + } if(backward) { if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } else { if (offset < (!!backline)*(2 * hnm->width - 1)) { av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n"); - break; + return AVERROR_INVALIDDATA; } } @@ -268,6 +269,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s } } } + return 0; } static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, @@ -434,7 +436,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); memcpy(hnm->processed, hnm->current, hnm->width * hnm->height); } else { - decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); + if (ret < 0) + return ret; postprocess_current_frame(avctx); } copy_processed_frame(avctx, frame); From bf3520cd641d11f133c52f192ce7ec84119a685a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 08:26:40 +0200 Subject: [PATCH 0564/1764] avcodec/apedec: Do not partially clear data array Fixes: Assertion failure and memleak Fixes: 15709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5182435093905408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e4b522c9146b9c14579ae7381fb1043b7423578) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7a7097e7a4..1a86ac1786 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1451,7 +1451,8 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, if (s->fileversion >= 3900) { if (offset > 3) { av_log(avctx, AV_LOG_ERROR, "Incorrect offset passed\n"); - s->data = NULL; + av_freep(&s->data); + s->data_size = 0; return AVERROR_INVALIDDATA; } if (s->data_end - s->ptr < offset) { From 5d353f32c69cdbcd7d460a2e1937688a6cead998 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 08:32:58 +0200 Subject: [PATCH 0565/1764] avcodec/vc1_block: Check get_vlc2() return before use Fixes: index -1 out of bounds for type 'const uint8_t [185][2]' Fixes: 15720/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS2_fuzzer-5666071933091840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb1f797350875ec45cb20d59dc0684fcbac20fc) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 9fe12a40ff..05ffed45f2 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -507,6 +507,8 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); + if (index < 0) + return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; lst = index >= vc1_last_decode_table[codingset]; From 003bb6616c8b27033cfd5915b75bac8b63f5a55c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:33:45 +0200 Subject: [PATCH 0566/1764] avcodec/mss3: Check for the rac stream being invalid in rac_normalize() Fixes: out of array read Fixes: 15982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSA1_fuzzer-5630676251967488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 99a172f3f4d0bef024c6293f575caaaddce0b267) Signed-off-by: Michael Niedermayer --- libavcodec/mss3.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 21226f9085..02bd360996 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -298,6 +298,10 @@ static void rac_normalise(RangeCoder *c) c->got_error = 1; c->low = 1; } + if (c->low > c->range) { + c->got_error = 1; + c->low = 1; + } if (c->range >= RAC_BOTTOM) return; } From e7efe2aacfd5fdde4b3e7ec7bd9af1a577c6f0e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 09:46:34 +0200 Subject: [PATCH 0567/1764] avcodec/apedec: Fix 2 signed overflows Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: signed integer overflow: 2049431315 + 262759074 cannot be represented in type 'int' Fixes: 16012/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5719016003338240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 392c028cd23d128f33d93b2159eed5de42f72b4d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 1a86ac1786..b9df8c6b12 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, int32_t *out, APERice *rice, int blockstodecode) { int i; - int ksummax, ksummin; + unsigned ksummax, ksummin; rice->ksum = 0; for (i = 0; i < FFMIN(blockstodecode, 5); i++) { @@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p, else p->coeffsA[filter][0]--; - p->filterA[filter] += p->lastA[filter]; + p->filterA[filter] += (unsigned)p->lastA[filter]; return p->filterA[filter]; } From b7fcf8bf26a3421d6f753f5e762022fc11cb52e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 12:21:51 +0200 Subject: [PATCH 0568/1764] avformat/realtextdec: Check for duplicate extradata in realtext_read_header() Fixes: memleak Fixes: 16140/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5684008052064256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ea23cb34bc59b38c0088865600e2b86079815) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index 618d4f78ec..b33d5289f7 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -87,6 +87,10 @@ static int realtext_read_header(AVFormatContext *s) /* save header to extradata */ const char *p = ff_smil_get_attr_ptr(buf.str, "duration"); + if (st->codecpar->extradata) { + res = AVERROR_INVALIDDATA; + goto end; + } if (p) duration = read_ts(p); st->codecpar->extradata = av_strdup(buf.str); From 8f14f0659539f34f41eaeaa4cddd6c6c37f6b38c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 12:28:55 +0200 Subject: [PATCH 0569/1764] avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide Fixes: division by zero Fixes: 16183/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5688966782648320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aecc9b96d613f54d772e9475738bb54e0e1f182e) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index fa85266f41..12a3fe9c2e 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1182,6 +1182,9 @@ static int vorbis_floor0_decode(vorbis_context *vc, q *= q; } + if (p + q == 0.0) + return AVERROR_INVALIDDATA; + /* calculate linear floor value */ q = exp((((amplitude*vf->amplitude_offset) / (((1ULL << vf->amplitude_bits) - 1) * sqrt(p + q))) From 5a16b294ed91aa0aef42dcfd38677065002668e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:10:18 +0200 Subject: [PATCH 0570/1764] avcodec/vorbisdec: Implement vr->classifications = 1 It appears no valid file uses this, so this is not testable with a valid file. Fixes: assertion failure Fixes: 16187/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5638880618872832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a5f12e3b3f2177ede5839ff4141228666b8436f) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 12a3fe9c2e..f0a7cc3581 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1361,8 +1361,12 @@ static av_always_inline int setup_classifs(vorbis_context *vc, return AVERROR_INVALIDDATA; } - av_assert0(vr->classifications > 1); //needed for inverse[] - + if (vr->classifications == 1) { + for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { + if (i < ptns_to_read) + vr->classifs[p + i] = 0; + } + } else { for (i = partition_count + c_p_c - 1; i >= partition_count; i--) { temp2 = (((uint64_t)temp) * inverse_class) >> 32; @@ -1370,6 +1374,7 @@ static av_always_inline int setup_classifs(vorbis_context *vc, vr->classifs[p + i] = temp - temp2 * vr->classifications; temp = temp2; } + } } p += ptns_to_read; } From 0f11aa263e90f10f0611667d2df29e345512e99d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:20:45 +0200 Subject: [PATCH 0571/1764] avcodec/ralf: Fix integer overflow in apply_lpc() Fixes: signed integer overflow: 1603085316 + 1238786562 cannot be represented in type 'int' Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ccca484324e04dff4cb81d0f9018ae828e6b5c89) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 3f7953c6db..0d6b57d652 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -323,7 +323,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = 0; for (j = 0; j < flen; j++) - acc += ctx->filter[j] * audio[i - j - 1]; + acc += (unsigned)ctx->filter[j] * audio[i - j - 1]; if (acc < 0) { acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); From 499ec067adbd78a3bda607c92bf4bf24c33ecfe4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2019 17:25:55 +0200 Subject: [PATCH 0572/1764] avcodec/ralf: Fix undefined pointer in decode_channel() Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c06ba171697b665ef4b2b47fe0008199b3eff86) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 0d6b57d652..619fd7126a 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -286,7 +286,7 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, add_bits--; range = 10; range2 = 21; - code_vlc = set->long_codes + code_params - 15; + code_vlc = set->long_codes + (code_params - 15); } else { add_bits = 0; range = 6; From fbb686fe1a3108b1896ec115b89599ed3fb5c929 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2019 23:23:07 +0200 Subject: [PATCH 0573/1764] avcodec/dirac_parser: Fix overflow in dts Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 15568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5634719611355136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 549fcba8fc83330763ccd3cc67233037c96bc6d9) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 1ade44a438..fbc7414c79 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -212,7 +212,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; - int pts = AV_RB32(cur_pu + 13); + int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; else From 703ddaeac24143dc35659cf8331456cfc52da190 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2019 00:29:48 +0200 Subject: [PATCH 0574/1764] avcodec/mss1: check for overread and forward errors Fixes: Timeout (106sec -> 14ms) Fixes: 15576/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS1_fuzzer-5688080461201408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 43015afd7ce9055f1fa2d7648c3fcd9b7cfd7721) Signed-off-by: Michael Niedermayer --- libavcodec/mss1.c | 3 +++ libavcodec/mss12.c | 12 ++++++++++++ libavcodec/mss12.h | 2 ++ libavcodec/mss2.c | 1 + 4 files changed, 18 insertions(+) diff --git a/libavcodec/mss1.c b/libavcodec/mss1.c index a579d9d9a4..84b7a37007 100644 --- a/libavcodec/mss1.c +++ b/libavcodec/mss1.c @@ -56,6 +56,8 @@ static void arith_normalise(ArithCoder *c) c->low <<= 1; c->high <<= 1; c->high |= 1; + if (get_bits_left(c->gbc.gb) < 1) + c->overread++; c->value |= get_bits1(c->gbc.gb); } } @@ -112,6 +114,7 @@ static void arith_init(ArithCoder *c, GetBitContext *gb) c->low = 0; c->high = 0xFFFF; c->value = get_bits(gb, 16); + c->overread = 0; c->gbc.gb = gb; c->get_model_sym = arith_get_model_sym; c->get_number = arith_get_number; diff --git a/libavcodec/mss12.c b/libavcodec/mss12.c index 3b1a3029e0..5a5bd9a91b 100644 --- a/libavcodec/mss12.c +++ b/libavcodec/mss12.c @@ -161,6 +161,8 @@ static av_always_inline int decode_pixel(ArithCoder *acoder, PixContext *pctx, { int i, val, pix; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; val = acoder->get_model_sym(acoder, &pctx->cache_model); if (val < pctx->num_syms) { if (any_ngb) { @@ -306,6 +308,8 @@ static int decode_region(ArithCoder *acoder, uint8_t *dst, uint8_t *rgb_pic, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (rgb_pic) @@ -398,6 +402,8 @@ static int decode_region_masked(MSS12Context const *c, ArithCoder *acoder, else p = decode_pixel_in_context(acoder, pctx, dst + i, stride, i, j, width - i - 1); + if (p < 0) + return p; dst[i] = p; if (c->rgb_pic) AV_WB24(rgb_dst + i * 3, c->pal[p]); @@ -473,6 +479,8 @@ static int decode_region_intra(SliceContext *sc, ArithCoder *acoder, uint8_t *rgb_dst = c->rgb_pic + x * 3 + y * rgb_stride; pix = decode_pixel(acoder, &sc->intra_pix_ctx, NULL, 0, 0); + if (pix < 0) + return pix; rgb_pix = c->pal[pix]; for (i = 0; i < height; i++, dst += stride, rgb_dst += rgb_stride) { memset(dst, pix, width); @@ -499,6 +507,8 @@ static int decode_region_inter(SliceContext *sc, ArithCoder *acoder, if (!mode) { mode = decode_pixel(acoder, &sc->inter_pix_ctx, NULL, 0, 0); + if (mode < 0) + return mode; if (c->avctx->err_recognition & AV_EF_EXPLODE && ( c->rgb_pic && mode != 0x01 && mode != 0x02 && mode != 0x04 || @@ -530,6 +540,8 @@ int ff_mss12_decode_rect(SliceContext *sc, ArithCoder *acoder, int x, int y, int width, int height) { int mode, pivot; + if (acoder->overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; mode = acoder->get_model_sym(acoder, &sc->split_mode); diff --git a/libavcodec/mss12.h b/libavcodec/mss12.h index 45c4074652..6f68fc3db6 100644 --- a/libavcodec/mss12.h +++ b/libavcodec/mss12.h @@ -47,6 +47,8 @@ typedef struct Model { typedef struct ArithCoder { int low, high, value; + int overread; +#define MAX_OVERREAD 16 union { GetBitContext *gb; GetByteContext *gB; diff --git a/libavcodec/mss2.c b/libavcodec/mss2.c index 9e7cc466de..369a9b7226 100644 --- a/libavcodec/mss2.c +++ b/libavcodec/mss2.c @@ -152,6 +152,7 @@ static void arith2_init(ArithCoder *c, GetByteContext *gB) c->low = 0; c->high = 0xFFFFFF; c->value = bytestream2_get_be24(gB); + c->overread = 0; c->gbc.gB = gB; c->get_model_sym = arith2_get_model_sym; c->get_number = arith2_get_number; From e17bf0ab54ed42a7bf910730cca4659155a52fe9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 23:26:05 +0200 Subject: [PATCH 0575/1764] avcodec/sanm: Check extradata_size before allocations Fixes: Leaks Fixes: 15349/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5102530557640704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 172a43ce36e671fdab63afe1c06876bba91445b3) Signed-off-by: Michael Niedermayer --- libavcodec/sanm.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index 811fd2188e..0f278d609d 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c @@ -491,6 +491,11 @@ static av_cold int decode_init(AVCodecContext *avctx) ctx->avctx = avctx; ctx->version = !avctx->extradata_size; + // early sanity check before allocations to avoid need for deallocation code. + if (!ctx->version && avctx->extradata_size < 1026) { + av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); + return AVERROR_INVALIDDATA; + } avctx->pix_fmt = ctx->version ? AV_PIX_FMT_RGB565 : AV_PIX_FMT_PAL8; @@ -506,11 +511,6 @@ static av_cold int decode_init(AVCodecContext *avctx) if (!ctx->version) { int i; - if (avctx->extradata_size < 1026) { - av_log(avctx, AV_LOG_ERROR, "Not enough extradata.\n"); - return AVERROR_INVALIDDATA; - } - ctx->subversion = AV_RL16(avctx->extradata); for (i = 0; i < PALETTE_SIZE; i++) ctx->pal[i] = 0xFFU << 24 | AV_RL32(avctx->extradata + 2 + i * 4); From 4aaf644892843e3c68f4761725ab9435745f015c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 00:35:32 +0200 Subject: [PATCH 0576/1764] avcodec/vqavideo: Set video size Fixes: out of array access Fixes: 15919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-5657368257363968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 02f909dc24b1f05cfbba75077c7707b905e63cd2) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index 0e70be1000..b9743abda9 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -147,7 +147,7 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx) } s->width = AV_RL16(&s->avctx->extradata[6]); s->height = AV_RL16(&s->avctx->extradata[8]); - if ((ret = av_image_check_size(s->width, s->height, 0, avctx)) < 0) { + if ((ret = ff_set_dimensions(avctx, s->width, s->height)) < 0) { s->width= s->height= 0; return ret; } From c3ab134903c75df7c562b15ed6a40fa251d3b856 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 15:26:08 +0200 Subject: [PATCH 0577/1764] avcodec/alsdec: Check for block_length <= 0 in read_var_block_data() Fixes: left shift of negative value -1 Fixes: 15719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5685731105701888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be4fb282f9fb00d9c267dcc477745e2e468e758f) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index bd7049d28a..25e41ded3a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -657,7 +657,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // do not continue in case of a damaged stream since // block_length must be evenly divisible by sub_blocks - if (bd->block_length & (sub_blocks - 1)) { + if (bd->block_length & (sub_blocks - 1) || bd->block_length <= 0) { av_log(avctx, AV_LOG_WARNING, "Block length is not evenly divisible by the number of subblocks.\n"); return AVERROR_INVALIDDATA; From dbc9034dc2d715fc415e5747ded7e8ca1ece533c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 2 Aug 2019 22:29:16 +0200 Subject: [PATCH 0578/1764] libavcodec/iff: Use unsigned to avoid undefined behaviour The initialization of the uint32_t plane32_lut matrix uses left shifts of the form 1 << plane; plane can be as big as 31 which means that this is undefined behaviour as 1 will be simply an int. So make it unsigned to avoid this. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f12e662a3d3f489eec887b5f2ab20a550caed9cf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index c6e2359b00..459d5d4a55 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -111,23 +111,23 @@ static const uint64_t plane8_lut[8][256] = { LUT8(4), LUT8(5), LUT8(6), LUT8(7), }; -#define LUT32(plane) { \ - 0, 0, 0, 0, \ - 0, 0, 0, 1 << plane, \ - 0, 0, 1 << plane, 0, \ - 0, 0, 1 << plane, 1 << plane, \ - 0, 1 << plane, 0, 0, \ - 0, 1 << plane, 0, 1 << plane, \ - 0, 1 << plane, 1 << plane, 0, \ - 0, 1 << plane, 1 << plane, 1 << plane, \ - 1 << plane, 0, 0, 0, \ - 1 << plane, 0, 0, 1 << plane, \ - 1 << plane, 0, 1 << plane, 0, \ - 1 << plane, 0, 1 << plane, 1 << plane, \ - 1 << plane, 1 << plane, 0, 0, \ - 1 << plane, 1 << plane, 0, 1 << plane, \ - 1 << plane, 1 << plane, 1 << plane, 0, \ - 1 << plane, 1 << plane, 1 << plane, 1 << plane, \ +#define LUT32(plane) { \ + 0, 0, 0, 0, \ + 0, 0, 0, 1U << plane, \ + 0, 0, 1U << plane, 0, \ + 0, 0, 1U << plane, 1U << plane, \ + 0, 1U << plane, 0, 0, \ + 0, 1U << plane, 0, 1U << plane, \ + 0, 1U << plane, 1U << plane, 0, \ + 0, 1U << plane, 1U << plane, 1U << plane, \ + 1U << plane, 0, 0, 0, \ + 1U << plane, 0, 0, 1U << plane, \ + 1U << plane, 0, 1U << plane, 0, \ + 1U << plane, 0, 1U << plane, 1U << plane, \ + 1U << plane, 1U << plane, 0, 0, \ + 1U << plane, 1U << plane, 0, 1U << plane, \ + 1U << plane, 1U << plane, 1U << plane, 0, \ + 1U << plane, 1U << plane, 1U << plane, 1U << plane, \ } // 32 planes * 4-bit mask * 4 lookup tables each From e5661aa706368c9c2fb4f8e4c43d1996a3e49265 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2019 00:04:02 +0200 Subject: [PATCH 0579/1764] avcodec/aacdec_template: fix integer overflow in imdct_and_windowing() Fixes: signed integer overflow: 2147483645 + 4 cannot be represented in type 'int' Fixes: 15418/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5685269069561856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da93e2b14218c4ab0fda60e21882a4633aac5748) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 499071a1df..5fc4adcd51 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2629,7 +2629,7 @@ static void imdct_and_windowing(AACContext *ac, SingleChannelElement *sce) ac->mdct.imdct_half(&ac->mdct, buf, in); #if USE_FIXED for (i=0; i<1024; i++) - buf[i] = (buf[i] + 4) >> 3; + buf[i] = (buf[i] + 4LL) >> 3; #endif /* USE_FIXED */ } From 351381a3e3443e6e6330cc122d3a5ee0b550bfae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 17:07:01 +0200 Subject: [PATCH 0580/1764] avcodec/alsdec: fix mantisse shift Fixes: shift exponent -1 is negative Fixes: 16039/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5656825657032704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 02346292a334a51f6da802146b782bdb01ae9b4e) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 25e41ded3a..41aa051907 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1409,7 +1409,11 @@ static SoftFloat_IEEE754 multiply(SoftFloat_IEEE754 a, SoftFloat_IEEE754 b) { } } - mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + if (cutoff_bit_count >= 0) { + mantissa = (unsigned int)(mantissa_temp >> cutoff_bit_count); + } else { + mantissa = (unsigned int)(mantissa_temp <<-cutoff_bit_count); + } // Need one more shift? if (mantissa & 0x01000000ul) { From fb12d635c5ca96eb5c164d7a0d362ff7cd17247a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 14:33:14 +0200 Subject: [PATCH 0581/1764] avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks() Fixes: signed integer overflow: 2147483424 - -1772303236 cannot be represented in type 'int' Fixes: 15708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5067890362941440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ce652324062a2c72f92e40699797630ef7f1ec5a) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 41aa051907..21282eb459 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1180,10 +1180,10 @@ static int decode_blocks(ALSDecContext *ctx, unsigned int ra_frame, av_log(ctx->avctx, AV_LOG_WARNING, "Invalid channel pair.\n"); for (s = 0; s < div_blocks[b]; s++) - bd[0].raw_samples[s] = bd[1].raw_samples[s] - bd[0].raw_samples[s]; + bd[0].raw_samples[s] = bd[1].raw_samples[s] - (unsigned)bd[0].raw_samples[s]; } else if (bd[1].js_blocks) { for (s = 0; s < div_blocks[b]; s++) - bd[1].raw_samples[s] = bd[1].raw_samples[s] + bd[0].raw_samples[s]; + bd[1].raw_samples[s] = bd[1].raw_samples[s] + (unsigned)bd[0].raw_samples[s]; } offset += div_blocks[b]; From e80c90eadba45349f89d85a1048cf08e95158c90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Jul 2019 15:37:30 +0200 Subject: [PATCH 0582/1764] avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data() This also makes the code consistent with the existing similar MUL64() in decode_var_block_data() Fixes: signed integer overflow: -7277630735906765035 + -3272193951413647896 cannot be represented in type 'long' Fixes: 16015/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5666552818434048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fad3ec89b7a664b93b5e29bdb0db0cab0272a0c4) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 21282eb459..c9de71f960 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -923,7 +923,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 6; for (base = begin; base < end; base++, tab++) - y += MUL64(bd->ltp_gain[tab], raw_samples[base]); + y += (uint64_t)MUL64(bd->ltp_gain[tab], raw_samples[base]); raw_samples[ltp_smp] += y >> 7; } @@ -935,7 +935,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) y = 1 << 19; for (sb = 0; sb < smp; sb++) - y += MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); + y += (uint64_t)MUL64(lpc_cof[sb], raw_samples[-(sb + 1)]); *raw_samples++ -= y >> 20; parcor_to_lpc(smp, quant_cof, lpc_cof); From dbc9f38aac161de909d55c534f6b7721fa33a9e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:42 +0200 Subject: [PATCH 0583/1764] avcodec/mpc8: Fix 32bit mask/enum Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5636626409062400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e8bb949ade4078ca318a9b3475cb7a6cfc7e4639) Signed-off-by: Michael Niedermayer --- libavcodec/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 7e172a2181..faa22fce9a 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -62,7 +62,7 @@ static inline int mpc8_dec_enum(GetBitContext *gb, int k, int n) do { n--; if (code >= C[n]) { - bits |= 1 << n; + bits |= 1U << n; code -= C[n]; C -= 32; k--; From 26d48144e5994ea88a21d7a8918e231ae6d86c9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:49 +0200 Subject: [PATCH 0584/1764] avcodec/dds: Use ff_set_dimensions() Fixes: signed integer overflow: 2082471995 * 36 cannot be represented in type 'int' Fixes: 16025/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DDS_fuzzer-5136663778426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9cd1e939cf26e7a53f28cbbda22d27535981b9db) Signed-off-by: Michael Niedermayer --- libavcodec/dds.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index f026f9cd5a..9154f692fa 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -613,6 +613,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, AVFrame *frame = data; int mipmap; int ret; + int width, height; ff_texturedsp_init(&ctx->texdsp); bytestream2_init(gbc, avpkt->data, avpkt->size); @@ -631,9 +632,9 @@ static int dds_decode(AVCodecContext *avctx, void *data, bytestream2_skip(gbc, 4); // flags - avctx->height = bytestream2_get_le32(gbc); - avctx->width = bytestream2_get_le32(gbc); - ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + height = bytestream2_get_le32(gbc); + width = bytestream2_get_le32(gbc); + ret = ff_set_dimensions(avctx, width, height); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", avctx->width, avctx->height); From fd897acc35d45f0b72aee2021170a679b53ffe50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jul 2019 00:52:18 +0200 Subject: [PATCH 0585/1764] avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33 This makes the changed code-path faster. Change not tested except with the fuzzer testcase as I found no other testcase. Improves: Timeout (136sec -> 74sec) Improves: 16040/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5705876062601216 Reviewed-by: Paul B Mahol Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 950a21e83c742714d6afbecd3e3fd1887e80fa40) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 6d9c437c0b..1ec1b6d583 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -782,7 +782,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, s->current_frame->linesize[0] / 4); } else if (type == 17) { uint32_t clr, *dst = (uint32_t *)s->current_frame->data[0]; - int x, y; + int y; frame->key_frame = 1; bytestream2_skip(gb, 1); @@ -798,9 +798,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, clr = bytestream2_get_le24(gb); } for (y = 0; y < avctx->height; y++) { - for (x = 0; x < avctx->width; x++) { - dst[x] = clr; - } + dst[0] = clr; + av_memcpy_backptr((uint8_t*)(dst+1), 4, 4*avctx->width - 4); dst += s->current_frame->linesize[0] / 4; } } else if (type == 0 || type == 1) { From 23f54b4db28ae5fe35f92e521b76f49e7d989eb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2019 18:05:02 +0200 Subject: [PATCH 0586/1764] avcodec/hevc_refs: Optimize 16bit generate_missing_ref() Fixes: Timeout (86sec -> 8sec) [these numbers assume also "[FFmpeg-devel] [PATCH 2/5] [RFC] avcodec/hevcdec: Check for overread in hls_decode_entry()"] Fixes: 15702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657764929470464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit da8936969fe695a042282d5686e12227745d299a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_refs.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c index ac462d350b..b14afe3a87 100644 --- a/libavcodec/hevc_refs.c +++ b/libavcodec/hevc_refs.c @@ -397,7 +397,7 @@ static void mark_ref(HEVCFrame *frame, int flag) static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) { HEVCFrame *frame; - int i, x, y; + int i, y; frame = alloc_frame(s); if (!frame) @@ -410,11 +410,11 @@ static HEVCFrame *generate_missing_ref(HEVCContext *s, int poc) frame->frame->buf[i]->size); } else { for (i = 0; frame->frame->data[i]; i++) - for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) - for (x = 0; x < (s->ps.sps->width >> s->ps.sps->hshift[i]); x++) { - AV_WN16(frame->frame->data[i] + y * frame->frame->linesize[i] + 2 * x, - 1 << (s->ps.sps->bit_depth - 1)); - } + for (y = 0; y < (s->ps.sps->height >> s->ps.sps->vshift[i]); y++) { + uint8_t *dst = frame->frame->data[i] + y * frame->frame->linesize[i]; + AV_WN16(dst, 1 << (s->ps.sps->bit_depth - 1)); + av_memcpy_backptr(dst + 2, 2, 2*(s->ps.sps->width >> s->ps.sps->hshift[i]) - 2); + } } } From 0ca85d1326d0c2aae7940a904030dd93e96aa234 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Aug 2019 01:49:55 +0200 Subject: [PATCH 0587/1764] avcodec/hnm4video: Optimize postprocess_current_frame() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Improves: Timeout (220sec -> 108sec) Improves: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit cd460f4da04c05d6ba93ccbbe294e948768f0937) Signed-off-by: Michael Niedermayer --- libavcodec/hnm4video.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c index 5ca7fb58cd..c6b41edd7b 100644 --- a/libavcodec/hnm4video.c +++ b/libavcodec/hnm4video.c @@ -117,14 +117,17 @@ static void unpack_intraframe(AVCodecContext *avctx, uint8_t *src, static void postprocess_current_frame(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; - uint32_t x, y, src_x, src_y; + uint32_t x, y, src_y; + int width = hnm->width; for (y = 0; y < hnm->height; y++) { + uint8_t *dst = hnm->processed + y * width; + const uint8_t *src = hnm->current; src_y = y - (y % 2); - src_x = src_y * hnm->width + (y % 2); - for (x = 0; x < hnm->width; x++) { - hnm->processed[(y * hnm->width) + x] = hnm->current[src_x]; - src_x += 2; + src += src_y * width + (y % 2); + for (x = 0; x < width; x++) { + dst[x] = *src; + src += 2; } } } From 1adb5720a2a5bd0ecc74e9df319ce5f019a42fca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 02:17:15 +0200 Subject: [PATCH 0588/1764] avcodec/hevcdec: Check delta_luma_weight_l0/1 Fixes: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int' Fixes: 16041/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5685680656613376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 021f29506b493376d62cdb5b9cb66a6b85e5361f) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 2412bd0a97..764c2b26f8 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -181,6 +181,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L0]; i++) { if (luma_weight_l0_flag[i]) { int delta_luma_weight_l0 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l0 != delta_luma_weight_l0) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l0[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l0; s->sh.luma_offset_l0[i] = get_se_golomb(gb); } @@ -223,6 +225,8 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) for (i = 0; i < s->sh.nb_refs[L1]; i++) { if (luma_weight_l1_flag[i]) { int delta_luma_weight_l1 = get_se_golomb(gb); + if ((int8_t)delta_luma_weight_l1 != delta_luma_weight_l1) + return AVERROR_INVALIDDATA; s->sh.luma_weight_l1[i] = (1 << s->sh.luma_log2_weight_denom) + delta_luma_weight_l1; s->sh.luma_offset_l1[i] = get_se_golomb(gb); } From 32b4512aeca862815363a99ea1e84b87205d4053 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 02:17:18 +0200 Subject: [PATCH 0589/1764] avcodec/4xm: Check for end of input in decode_p_block() Fixes: Timeout (81sec -> 0.2sec) Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8f92eb05e063e6c4d6e36521020620d4e6e1c21d) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 7e6a15e49f..5cfb9e735e 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -351,6 +351,8 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, const uint16_t *src, index = size2index[log2h][log2w]; av_assert0(index >= 0); + if (get_bits_left(&f->gb) < 1) + return AVERROR_INVALIDDATA; h = 1 << log2h; code = get_vlc2(&f->gb, block_type_vlc[1 - (f->version > 1)][index].table, BLOCK_TYPE_VLC_BITS, 1); From b9b9106f25d2608bec368164a6e2273d922f4db1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2019 23:30:02 +0200 Subject: [PATCH 0590/1764] avcodec/vp56: Consider the alpha start as end of the prior header Fixes: Timeout (23sec -> 71ms) Fixes: 15661/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6A_fuzzer-6257865947348992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db78bc1297ebaa51cfe5c80775808ec11ed7512b) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index b69fe6c176..8ccad53e47 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -548,7 +548,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, VP56Context *s = avctx->priv_data; AVFrame *const p = s->frames[VP56_FRAME_CURRENT]; int remaining_buf_size = avpkt->size; - int av_uninit(alpha_offset); + int alpha_offset = remaining_buf_size; int i, res; int ret; @@ -561,7 +561,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, return AVERROR_INVALIDDATA; } - res = s->parse_header(s, buf, remaining_buf_size); + res = s->parse_header(s, buf, alpha_offset); if (res < 0) return res; From 87a487157190d88574b44759bbf5d0b5299ed388 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Aug 2019 01:49:47 +0200 Subject: [PATCH 0591/1764] avcodec/diracdec: Check that slices are fewer than pixels Fixes: Timeout (197sec ->144ms) Fixes: 15034/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5733549405110272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbbc8ba67f19d55380b1bc8b5f057328c266d747) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index f81a041834..69828c4589 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1252,7 +1252,9 @@ static int dirac_unpack_idwt_params(DiracContext *s) s->num_y = get_interleaved_ue_golomb(gb); if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX || s->num_x * (uint64_t)s->avctx->width > INT_MAX || - s->num_y * (uint64_t)s->avctx->height > INT_MAX + s->num_y * (uint64_t)s->avctx->height > INT_MAX || + s->num_x > s->avctx->width || + s->num_y > s->avctx->height ) { av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n"); s->num_x = s->num_y = 0; From 66e60b3c968541ed82fc0d7e10c6c76bb6bdbc05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Aug 2019 00:50:21 +0200 Subject: [PATCH 0592/1764] avcodec/indeo2: Check remaining input more often Fixes: Timeout (95sec -> 30ms) Fixes: 14765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO2_fuzzer-5692455527120896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe Signed-off-by: Michael Niedermayer (cherry picked from commit 52939a2c5772ec00101d293695d0a96dcccf99d9) Signed-off-by: Michael Niedermayer --- libavcodec/indeo2.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 4971b84308..3c8934e377 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -79,10 +79,11 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { - int c = ir2_get_code(&ctx->gb); + int c; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; + c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; if (out + c*2 > width) @@ -123,9 +124,9 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; - if (get_bits_left(&ctx->gb) <= 0) - return AVERROR_INVALIDDATA; while (out < width) { + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; From a2d0ed8718ec807fd5eeaf5dd0a715defa791b5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:44 +0200 Subject: [PATCH 0593/1764] avcodec/ffwavesynth: Fix integer overflow for some corner case values Fixes: left shift of negative value -14671840 Fixes: 16000/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5145977817661440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4a88fb546b64179aff12c169239285932e570ac) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b319b3341a..e6d2606c2f 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -301,8 +301,8 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) default: return AVERROR(EINVAL); } - in->amp0 = (int64_t)a1 << 32; - in->damp = (((int64_t)a2 << 32) - ((int64_t)a1 << 32)) / dt; + in->amp0 = (uint64_t)a1 << 32; + in->damp = (int64_t)(((uint64_t)a2 << 32) - ((uint64_t)a1 << 32)) / dt; } if (edata != edata_end) return AVERROR(EINVAL); From 50b07e145bf2a37528cee4e2a5916d3978243705 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 23:09:45 +0200 Subject: [PATCH 0594/1764] avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking Fixes: left shift of negative value -961533698048 Fixes: 16242/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5738550670131200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit cdea0206efeca83a0a9b57d0764b177b2e11ab7c) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index e6d2606c2f..cfd0951d8f 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) << 1); + lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; From 36e34701955e843599fa582bc6ed2863cf265585 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 21:17:04 +0200 Subject: [PATCH 0595/1764] avcodec/loco: Check left column value Fixes: Timeout (42sec -> 379 ms) Fixes: 16323/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5679178099195904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c812db814ebd603106220854e343558ec1115e57) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 9a309fd063..e3746c8317 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -159,6 +159,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh for (j = 1; j < height; j++) { /* restore left column */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = data[-stride] + val; /* restore all other pixels */ for (i = 1; i < width; i++) { From 5349964e02f73eec0ff4edd3df76d6a0dea3be43 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 21:17:05 +0200 Subject: [PATCH 0596/1764] avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (31sec -> 22sec) Fixes: 16217/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5658084189405184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit e301736862f18a449c317a47d0d60d3484e41667) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 99868f3ba3..bf8ffeba4f 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -1024,14 +1024,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx, for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { - pixel_countdown = s->avctx->width; - pixel_ptr = 0; - while (pixel_countdown > 0) { - pixel = bytestream2_get_le24(&g2); - AV_WL24(&pixels[y_ptr + pixel_ptr], pixel); - pixel_ptr += 3; - pixel_countdown--; - } + bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width); if (s->avctx->width & 1) bytestream2_skip(&g2, 3); } From 12f5cb95f8b46c047843221c8501378d604b43e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 21:00:54 +0200 Subject: [PATCH 0597/1764] avcodec/anm: Check input size for a frame with just a stop code Fixes: Timeout (11sec -> 6sec) Fixes: 16344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANM_fuzzer-5673032000995328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1965161ef6d2aac8d3b034570c3da69dabca9e71) Signed-off-by: Michael Niedermayer --- libavcodec/anm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/anm.c b/libavcodec/anm.c index 72684189bb..07a4a5586c 100644 --- a/libavcodec/anm.c +++ b/libavcodec/anm.c @@ -119,6 +119,9 @@ static int decode_frame(AVCodecContext *avctx, uint8_t *dst, *dst_end; int count, ret; + if (buf_size < 7) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; dst = s->frame->data[0]; From e37b9df6c9827d61f5aea987d85072a33b33f4dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 16:52:07 +0200 Subject: [PATCH 0598/1764] avcodec/alsdec: Limit maximum channels to 512 There seems to be no limit in the specification and upto 64k could be stored 512 is choosen as limit as thats the maximum in a conformance sample An alternative to this patch would be a max_channels variable Fixes: OOM Fixes: 16200/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5764788793114624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Thilo Borgmann Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit f51e4d026cc762ff2d47d6107658dbff42ba5ea8) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index c9de71f960..7605267244 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -348,6 +348,11 @@ static av_cold int read_specific_config(ALSDecContext *ctx) if (als_id != MKBETAG('A','L','S','\0')) return AVERROR_INVALIDDATA; + if (avctx->channels > FF_SANE_NB_CHANNELS) { + avpriv_request_sample(avctx, "Huge number of channels\n"); + return AVERROR_PATCHWELCOME; + } + ctx->cur_frame_length = sconf->frame_length; // read channel config From 9dd231c42c3fe427444632627be4dc31a4ce459a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2019 01:30:53 +0200 Subject: [PATCH 0599/1764] avcodec/alsdec: Fix integer overflow in decode_var_block_data() Fixes: signed integer overflow: 1927975249 - -514719744 cannot be represented in type 'int' Fixes: 16413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5651206856245248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit 661a9b274b0181b2e36ff21fd13840f35992bea6) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 7605267244..5c68463f18 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -956,7 +956,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // reconstruct difference signal for prediction (joint-stereo) if (bd->js_blocks && bd->raw_other) { - int32_t *left, *right; + uint32_t *left, *right; if (bd->raw_other > raw_samples) { // D = R - L left = raw_samples; From 032fc5b082fafd931cb3a71d8e0b6da2deeda1d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Aug 2019 20:37:17 +0200 Subject: [PATCH 0600/1764] avformat/realtextdec: free queue on error Fixes: memleak Fixes: 16277/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5696629440512000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 493438fafc5c43b7b7c62bf0c21b7cc884034ce9) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index b33d5289f7..4f25754b9f 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -123,6 +123,8 @@ static int realtext_read_header(AVFormatContext *s) end: av_bprint_finalize(&buf, NULL); + if (res < 0) + ff_subtitles_queue_clean(&rt->q); return res; } From b72b3d43ed3b87031405efe067ac8b4e767fc040 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2019 19:13:56 +0200 Subject: [PATCH 0601/1764] avcodec/idcinvideo: Add 320x240 default maximum resolution MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Timeout (128sec -> 2ms) Fixes: 16568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDCIN_fuzzer-5675004095627264 See: [FFmpeg-devel] [PATCH 4/4] tools/target_dec_fuzzer: Adjust max_pixels for IDCIN Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit c9fcf881e69e34a2acfa2bb7052ca200cab16740) Signed-off-by: Michael Niedermayer --- libavcodec/idcinvideo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/idcinvideo.c b/libavcodec/idcinvideo.c index cff9ad31ac..6b2d8087ae 100644 --- a/libavcodec/idcinvideo.c +++ b/libavcodec/idcinvideo.c @@ -243,6 +243,11 @@ static int idcin_decode_frame(AVCodecContext *avctx, return buf_size; } +static const AVCodecDefault idcin_defaults[] = { + { "max_pixels", "320*240" }, + { NULL }, +}; + AVCodec ff_idcin_decoder = { .name = "idcinvideo", .long_name = NULL_IF_CONFIG_SMALL("id Quake II CIN video"), @@ -252,4 +257,5 @@ AVCodec ff_idcin_decoder = { .init = idcin_decode_init, .decode = idcin_decode_frame, .capabilities = AV_CODEC_CAP_DR1, + .defaults = idcin_defaults, }; From 3381c2bd9b687564224b59004fe70c790a69b8ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Aug 2019 23:43:48 +0200 Subject: [PATCH 0602/1764] avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP Fixes: memleaks Fixes: 16289/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5200695692623872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 48b86dd8a6bf50a7d8ab0343a1535bc4b0b5b196) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index fe50871476..bffb9b80e7 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -561,7 +561,7 @@ AVCodec ff_aac_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .priv_class = &aac_decoder_class, @@ -586,7 +586,7 @@ AVCodec ff_aac_latm_decoder = { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, .capabilities = AV_CODEC_CAP_CHANNEL_CONF | AV_CODEC_CAP_DR1, - .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP, .channel_layouts = aac_channel_layout, .flush = flush, .profiles = NULL_IF_CONFIG_SMALL(ff_aac_profiles), From 793ff83b165da2eb199e2c36954229b251a45b44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jul 2019 23:24:35 +0200 Subject: [PATCH 0603/1764] avcodec/rl2: set dimensions The dimensions are always 320x200 they are hardcoded in the demuxer. Hardcode them instead in the decoder. Fixes: Timeout (16sec -> 400ms) Fixes: 15574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RL2_fuzzer-5158614072819712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 965e766e4892cfc45c97cca88895248a7735e7d0) Signed-off-by: Michael Niedermayer --- libavcodec/rl2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rl2.c b/libavcodec/rl2.c index 6662979c52..2d336a61e5 100644 --- a/libavcodec/rl2.c +++ b/libavcodec/rl2.c @@ -134,10 +134,15 @@ static av_cold int rl2_decode_init(AVCodecContext *avctx) Rl2Context *s = avctx->priv_data; int back_size; int i; + int ret; s->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 320, 200); + if (ret < 0) + return ret; + /** parse extra data */ if (!avctx->extradata || avctx->extradata_size < EXTRADATA1_SIZE) { av_log(avctx, AV_LOG_ERROR, "invalid extradata size\n"); From cc70b01c394e46c1f4b711de615b45763ce1eef0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Aug 2019 19:48:19 +0200 Subject: [PATCH 0604/1764] avcodec/alac: Fix multiple integer overflows in lpc_prediction() Fixes: signed integer overflow: 2088795537 + 2147254401 cannot be represented in type 'int' Fixes: signed integer overflow: -1500363496 + -1295351808 cannot be represented in type 'int' Fixes: signed integer overflow: -79560 * 32640 cannot be represented in type 'int' Fixes: signed integer overflow: 2088910005 + 2088796058 cannot be represented in type 'int' Fixes: signed integer overflow: -117258064 - 2088725225 cannot be represented in type 'int' Fixes: signed integer overflow: 2088725225 - -117258064 cannot be represented in type 'int' Fixes: 15739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5630664122040320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae3d6a337ad25527bcd3172e3885e45fadf9908c) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index e1b3e8c183..6019cc7a94 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -171,12 +171,12 @@ static inline int sign_only(int v) return v ? FFSIGN(v) : 0; } -static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, +static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, int nb_samples, int bps, int16_t *lpc_coefs, int lpc_order, int lpc_quant) { int i; - int32_t *pred = buffer_out; + uint32_t *pred = buffer_out; /* first sample always copies */ *buffer_out = *error_buffer; @@ -208,7 +208,7 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, for (; i < nb_samples; i++) { int j; int val = 0; - int error_val = error_buffer[i]; + unsigned error_val = error_buffer[i]; int error_sign; int d = *pred++; @@ -222,7 +222,7 @@ static void lpc_prediction(int32_t *error_buffer, int32_t *buffer_out, /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)error_val * error_sign > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; From 1f47a0135e7c6c8c5dc8ac81495f8bc5c7d97d97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Aug 2019 01:23:49 +0200 Subject: [PATCH 0605/1764] avcodec/alac: Check for bps of 0 Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 15764/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5102101203517440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 8f49176e845fee8e4e0aaf06411636b46d1ae3ad) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 6019cc7a94..691a09023d 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -250,10 +250,12 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, alac->extra_bits = get_bits(&alac->gb, 2) << 3; bps = alac->sample_size - alac->extra_bits + channels - 1; - if (bps > 32U) { + if (bps > 32) { avpriv_report_missing_feature(avctx, "bps %d", bps); return AVERROR_PATCHWELCOME; } + if (bps < 1) + return AVERROR_INVALIDDATA; /* whether the frame is compressed */ is_compressed = !get_bits1(&alac->gb); From 891508dd8892e055b3f05c26ccd58f167c2ffb5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Aug 2019 17:34:37 +0200 Subject: [PATCH 0606/1764] avcodec/cavsdec: Limit the number of access units per packet to 2 Fixes: Timeout (122sec -> 13ms) Fixes: 15978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5148925004087296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37bc8e3249c88b733bcc0d8c74cdf668292e4d63) Signed-off-by: Michael Niedermayer --- libavcodec/cavsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 5f3b354518..1c4f71824a 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1215,6 +1215,7 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int input_size, ret; const uint8_t *buf_end; const uint8_t *buf_ptr; + int frame_start = 0; if (buf_size == 0) { if (!h->low_delay && h->DPB[0].f->data[0]) { @@ -1248,6 +1249,9 @@ static int cavs_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h->got_keyframe = 1; } case PIC_PB_START_CODE: + if (frame_start > 1) + return AVERROR_INVALIDDATA; + frame_start ++; if (*got_frame) av_frame_unref(data); *got_frame = 0; From 697383e1789b18266edc2804521d694967f68fdb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Aug 2019 00:21:49 +0200 Subject: [PATCH 0607/1764] avcodec/vb: Check input packet size to be large enough to contain flags Fixes: Timeout (->9sec) Fixes: 16292/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-5747063496638464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dea2591d4fbc989ca82bc8a8ad7d16aacdc89af1) Signed-off-by: Michael Niedermayer --- libavcodec/vb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vb.c b/libavcodec/vb.c index c6dd6fb456..d9c6b93a73 100644 --- a/libavcodec/vb.c +++ b/libavcodec/vb.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint32_t size; int offset = 0; + if (avpkt->size < 2) + return AVERROR_INVALIDDATA; + bytestream2_init(&c->stream, avpkt->data, avpkt->size); if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) From 1b4b7a7de1c5a90cc95cf22a11bdd22aed5788f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2019 20:56:44 +0200 Subject: [PATCH 0608/1764] avcodec/tta: Fix integer overflow in prediction Fixes: signed integer overflow: -395281576 + -1827578048 cannot be represented in type 'int' Fixes: 16038/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5646109705240576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e9aecc9f358901426c134978e764ee7beac4944) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index c7702610b6..afc4907432 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -227,7 +227,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, GetBitContext gb; int i, ret; int cur_chan = 0, framelen = s->frame_length; - int32_t *p; + uint32_t *p; if (avctx->err_recognition & AV_EF_CRCCHECK) { if (buf_size < 4 || @@ -261,7 +261,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, } i = 0; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) { + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) { int32_t *predictor = &s->ch_ctx[cur_chan].predictor; TTAFilter *filter = &s->ch_ctx[cur_chan].filter; TTARice *rice = &s->ch_ctx[cur_chan].rice; @@ -334,7 +334,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, // decorrelate in case of multiple channels if (s->channels > 1) { int32_t *r = p - 1; - for (*p += *r / 2; r > p - s->channels; r--) + for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) *r = *(r + 1) - *r; } cur_chan = 0; @@ -358,13 +358,13 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, switch (s->bps) { case 1: { uint8_t *samples = (uint8_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p + 0x80; break; } case 2: { int16_t *samples = (int16_t *)frame->data[0]; - for (p = s->decode_buffer; p < s->decode_buffer + (framelen * s->channels); p++) + for (p = s->decode_buffer; (int32_t*)p < s->decode_buffer + (framelen * s->channels); p++) *samples++ = *p; break; } From 62afc95281c690306c3faf6ea2118ec10b2bee7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jul 2019 01:18:05 +0200 Subject: [PATCH 0609/1764] avcodec/vorbisdec: Check get_vlc2() failure Fixes: out of array read Fixes: 16510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5754510382727168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07b948fe60789064d7c784d47b8fe798a9a4d2b9) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index f0a7cc3581..2ba19dcdb3 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1442,7 +1442,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, int vqbook = vr->books[vqclass][pass]; if (vqbook >= 0 && vc->codebooks[vqbook].codevectors) { - unsigned coffs; + int coffs; unsigned dim = vc->codebooks[vqbook].dimensions; unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; @@ -1451,14 +1451,20 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, voffs = voffset+j*vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) vec[voffs + k + l * step] += codebook.codevectors[coffs + l]; } } else if (vr_type == 1) { voffs = voffset + j * vlen; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l, ++voffs) { vec[voffs]+=codebook.codevectors[coffs+l]; @@ -1471,13 +1477,19 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, if (dim == 2) { for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 2; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 2; vec[voffs + k ] += codebook.codevectors[coffs ]; vec[voffs + k + vlen] += codebook.codevectors[coffs + 1]; } } else if (dim == 4) { for (k = 0; k < step; ++k, voffs += 2) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 4; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= 4; vec[voffs ] += codebook.codevectors[coffs ]; vec[voffs + 1 ] += codebook.codevectors[coffs + 2]; vec[voffs + vlen ] += codebook.codevectors[coffs + 1]; @@ -1485,7 +1497,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; l += 2, voffs++) { vec[voffs ] += codebook.codevectors[coffs + l ]; vec[voffs + vlen] += codebook.codevectors[coffs + l + 1]; @@ -1502,7 +1517,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned voffs_mod = voffset - voffs_div * ch; for (k = 0; k < step; ++k) { - coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; + coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3); + if (coffs < 0) + return coffs; + coffs *= dim; for (l = 0; l < dim; ++l) { vec[voffs_div + voffs_mod * vlen] += codebook.codevectors[coffs + l]; From 29765b3be363df5ff0b6d5cb7400fdf3aa101b71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 18:47:54 +0200 Subject: [PATCH 0610/1764] avcodec/vc1_block: Check for double escapes Fixes: out of array read Fixes: 16331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5672735195267072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6962fd586e1a9a98828866dcfb4114af30c8c756) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 05ffed45f2..1f2244e16f 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -507,7 +507,7 @@ static int vc1_decode_ac_coeff(VC1Context *v, int *last, int *skip, int escape = decode210(gb); if (escape != 2) { index = get_vlc2(gb, ff_vc1_ac_coeff_table[codingset].table, AC_VLC_BITS, 3); - if (index < 0) + if (index >= ff_vc1_ac_sizes[codingset] - 1U) return AVERROR_INVALIDDATA; run = vc1_index_decode_table[codingset][index][0]; level = vc1_index_decode_table[codingset][index][1]; From befb2f717b64a99ea0e8d94c8e482306ae389edc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 20:04:35 +0200 Subject: [PATCH 0611/1764] avcodec/vc1dec: Require res_sprite for wmv3images non res_sprite leads to decoder delay which leads to assertion failure Fixes: Assertion failure Fixes: 16402/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5704510034411520 Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 16425/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5692858838810624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c6b4004928ef41563b0e913666f8da27fdb2399) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 16c601e756..dbdd5a8857 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -450,6 +450,11 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if ((ret = ff_vc1_decode_sequence_header(avctx, v, &gb)) < 0) return ret; + if (avctx->codec_id == AV_CODEC_ID_WMV3IMAGE && !v->res_sprite) { + avpriv_request_sample(avctx, "Non sprite WMV3IMAGE"); + return AVERROR_PATCHWELCOME; + } + count = avctx->extradata_size*8 - get_bits_count(&gb); if (count > 0) { av_log(avctx, AV_LOG_INFO, "Extra data: %i bits left, value: %X\n", From 0ccc7efc4d8eaa556d002d5dfccbc1f91685ac2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2019 23:22:50 +0200 Subject: [PATCH 0612/1764] avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block() Fixes: signed integer overflow: 1795032576 + 598344192 cannot be represented in type 'int' Fixes: 16196/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5636723419119616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cc78783ce5e8837d4f4ca43eedf2d299651e65ff) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 3443bbeda2..80a28a0ac6 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -606,7 +606,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int ct = ctx->D[0] + ctx->D[1] + ctx->D[2] + ctx->D[3]; if (bx > 0) - left = last[-1] - ct; + left = last[-1] - (unsigned)ct; else left = 0; @@ -617,7 +617,7 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[2] = right - (diff >> 2); last[3] = right; { - int tp = left; + unsigned tp = left; ctx->D[0] = (tp + (ct >> 2)) - left; left += ctx->D[0]; From cb1af09dd0e7a086d17ecc77f1fe37115c972cd3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Sep 2019 22:31:45 +0200 Subject: [PATCH 0613/1764] avcodec/bgmc: Check input space in ff_bgmc_decode_init() Fixes: Infinite loop Fixes: 16608/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5636229827133440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Thilo Borgmann Signed-off-by: Michael Niedermayer (cherry picked from commit b54031a6e93d1abc7fb2d0263e0f6c4b639e423f) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 +++- libavcodec/bgmc.c | 7 ++++++- libavcodec/bgmc.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 5c68463f18..abeaf2cf3f 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -826,7 +826,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) unsigned int low; unsigned int value; - ff_bgmc_decode_init(gb, &high, &low, &value); + int ret = ff_bgmc_decode_init(gb, &high, &low, &value); + if (ret < 0) + return ret; current_res = bd->raw_samples + start; diff --git a/libavcodec/bgmc.c b/libavcodec/bgmc.c index 1a6817b73f..2d59aa37ad 100644 --- a/libavcodec/bgmc.c +++ b/libavcodec/bgmc.c @@ -485,12 +485,17 @@ av_cold void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status) /** Initialize decoding and reads the first value */ -void ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v) { + if (get_bits_left(gb) < VALUE_BITS) + return AVERROR_INVALIDDATA; + *h = TOP_VALUE; *l = 0; *v = get_bits_long(gb, VALUE_BITS); + + return 0; } diff --git a/libavcodec/bgmc.h b/libavcodec/bgmc.h index 4893736af5..466df31a2e 100644 --- a/libavcodec/bgmc.h +++ b/libavcodec/bgmc.h @@ -40,7 +40,7 @@ int ff_bgmc_init(AVCodecContext *avctx, uint8_t **cf_lut, int **cf_lut_status); void ff_bgmc_end(uint8_t **cf_lut, int **cf_lut_status); -void ff_bgmc_decode_init(GetBitContext *gb, +int ff_bgmc_decode_init(GetBitContext *gb, unsigned int *h, unsigned int *l, unsigned int *v); From 7096eb193c02b674dceccca740bc0938cca66a9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2019 19:18:31 +0200 Subject: [PATCH 0614/1764] avcodec/ralf: fix undefined shift Fixes: left shift of negative value -2 Fixes: 16145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5146671058518016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee886988e75b3c22cabc2ca0fadcf8e4f787640) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 619fd7126a..d2d803b0d4 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -300,8 +300,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) << add_bits; - dst[i + 1] = extend_code(gb, code2, range, 0) << add_bits; + dst[i] = extend_code(gb, code1, range, 0) * (1 << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1 << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); From aefa5dd5a4880ff5093db5b095ef6510afcabd65 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2019 19:25:01 +0200 Subject: [PATCH 0615/1764] avcodec/ralf: fix undefined shift in extend_code() Fixes: left shift of negative value -3 Fixes: 16147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5658392722407424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4778407ab3b545c40def7e95a8f9dd4ae92a4e8e) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index d2d803b0d4..75c9371b95 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -220,7 +220,7 @@ static inline int extend_code(GetBitContext *gb, int val, int range, int bits) val -= range; } if (bits) - val = (val << bits) | get_bits(gb, bits); + val = ((unsigned)val << bits) | get_bits(gb, bits); return val; } From 6d1f143ae128d02e68cbb7895ef6302e883c008d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Sep 2019 22:44:50 +0200 Subject: [PATCH 0616/1764] avcodec/apedec: Fix 32bit int overflow in do_apply_filter() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 2147480546 + 4096 cannot be represented in type 'int' Fixes: 16280/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5123442566758400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 9d3ddef519e88c40c05be8cb94cd9e71c0957ec7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index b9df8c6b12..59e829ee5b 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1266,7 +1266,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->delay - order, f->adaptcoeffs - order, order, APESIGN(*data)); - res = (res + (1 << (fracbits - 1))) >> fracbits; + res = (int)(res + (1U << (fracbits - 1))) >> fracbits; res += *data; *data++ = res; From 79e06f4d316b550c08749b43f0f5f29c1bdca56d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Aug 2019 23:22:39 +0200 Subject: [PATCH 0617/1764] avcodec/iff: Check for overlap in cmap_read_palette() Fixes: undefined memcpy() use Fixes: 16302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5678750575886336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dfa5d1a3667fa38e07373becc2401175b31d8228) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 459d5d4a55..1bb7924c98 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -180,6 +180,10 @@ static int cmap_read_palette(AVCodecContext *avctx, uint32_t *pal) pal[i] = 0xFF000000 | gray2rgb((i * 255) >> avctx->bits_per_coded_sample); } if (s->masking == MASK_HAS_MASK) { + if ((1 << avctx->bits_per_coded_sample) < count) { + avpriv_request_sample(avctx, "overlapping mask"); + return AVERROR_PATCHWELCOME; + } memcpy(pal + (1 << avctx->bits_per_coded_sample), pal, count * 4); for (i = 0; i < count; i++) pal[i] &= 0xFFFFFF; From eeb1e37e7645867fc3cc25adb7d1a4a315519b68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 12:06:30 +0200 Subject: [PATCH 0618/1764] avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2 This reverts a hunk from f1ca40ee00402102046fc7e59606651930436b0e Fixes: out of array read Fixes: 16924/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5157893162139648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 722fd4696583cc984700eaec4745922ae177b2da) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 2ba19dcdb3..2fd0f0e8d3 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1513,7 +1513,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, } } else if (vr_type == 2) { - unsigned voffs_div = FASTDIV(voffset << 1, ch <<1); + unsigned voffs_div = ch == 1 ? voffset : FASTDIV(voffset, ch); unsigned voffs_mod = voffset - voffs_div * ch; for (k = 0; k < step; ++k) { From 18c0c14a056888aa7c5b88373363700a5a1fec05 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:12:38 +0200 Subject: [PATCH 0619/1764] avcodec/vc1_pred: Fix refdist in scaleforopp() Fixes: out of array access Fixes: 16601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5656105392275456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 413e0f2516eef678011cffd1ec6f0d92aa8bb96a) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index aa8e402af9..a126677c72 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -197,9 +197,10 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) - refdist = FFMIN(v->refdist, 3); + refdist = v->refdist; else refdist = dir ? v->brfd : v->frfd; + refdist = FFMIN(refdist, 3); scaleopp = ff_vc1_field_mvpred_scales[dir ^ v->second_field][0][refdist]; n = (n * scaleopp >> 8) * (1 << hpel); From f1b943df926635b189f59887dac81b9476185e1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Aug 2019 21:26:43 +0200 Subject: [PATCH 0620/1764] avcodec/qdm2: Check frame size Fixes: index 2304 out of bounds for type 'float [2304]' Fixes: 16332/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5679142481166336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 12b909ba319d32ed100d9b26021aa9b6976424d7) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index eaffb36dcc..ac8ae8cbbb 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1727,6 +1727,11 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); + if (s->frame_size * 4 >> s->sub_sampling > MPA_FRAME_SIZE) { + avpriv_request_sample(avctx, "large frames"); + return AVERROR_PATCHWELCOME; + } + switch ((s->sub_sampling * 2 + s->channels - 1)) { case 0: tmp = 40; break; case 1: tmp = 48; break; From ad3452eb25604ebff8f93311407fec060bf78096 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Aug 2018 22:28:31 +0200 Subject: [PATCH 0621/1764] avcodec/vp56: Add vpX_rac_is_end() to check for the end of input Signed-off-by: Michael Niedermayer (cherry picked from commit 0fb83b4c91d5a0784ca81df4283f25740c263f20) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index b8dda9e73a..70e1d38a83 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -227,6 +227,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, extern const uint8_t ff_vp56_norm_shift[256]; int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +/** + * vp5689 returns 1 if the end of the stream has been reached, 0 otherwise. + */ +static av_always_inline int vpX_rac_is_end(VP56RangeCoder *c) +{ + return c->end <= c->buffer && c->bits >= 0; +} + static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { int shift = ff_vp56_norm_shift[c->high]; From 8e41f410774be95db22bea924a4fd19233f73df5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 11:51:48 +0200 Subject: [PATCH 0622/1764] avcodec/vp5/6/8: use vpX_rac_is_end() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ab56e62e8f7e02760cfc883956511cab32393315) Signed-off-by: Michael Niedermayer (cherry picked from commit 1dd89192c59df0d6655e9308a0782d8c7b259b18) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 2 +- libavcodec/vp6.c | 2 +- libavcodec/vp8.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index cb08cec33f..db97e7f772 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -183,7 +183,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 645fc5c690..61e790fa93 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -460,7 +460,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end <= c->buffer && c->bits >= 0) { + if (vpX_rac_is_end(c)) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index dbe3da0842..bc0ba46014 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -606,7 +606,7 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { @@ -2301,7 +2301,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; if (mb_y == 0) @@ -2332,7 +2332,7 @@ static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void td->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { - if (c->end <= c->buffer && c->bits >= 0) + if (vpX_rac_is_end(c)) return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { From bc2fb4cf8a6c572df841d8fa8fd0f7246f0b88ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Aug 2019 09:16:40 +0200 Subject: [PATCH 0623/1764] avcodec/vp56rac: delay signaling an error on truncated input A threshold of 1 is sufficient for simple_dump_cut.webm, 10 is used just to be sure the next truncated file doesnt cause the same issue Obvious alternative fixes are to simply accept that the file is broken or to write some advanced error concealment or to simply accept that the decoder wont stop at the end of input. Fixes: Ticket 8069 (artifacts not the differing md5 which was there before 1afd246960202917e244c844c534e9c1e3c323f5) Fixes: simple_dump_cut.webm Fixes: regression of 1afd246960202917e244c844c534e9c1e3c323f5 fate-vp5 changes because the last frame is truncated and now handled differently. Signed-off-by: Michael Niedermayer (cherry picked from commit b6b9ac5698c8f911841b469af77199153278c55c) Signed-off-by: Michael Niedermayer (cherry picked from commit 70fb3fa990d604211d5b24fc43cdfe31560de250) Signed-off-by: Michael Niedermayer --- libavcodec/vp56.h | 5 ++++- libavcodec/vp56rac.c | 1 + tests/ref/fate/vp5 | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 70e1d38a83..0b9ecbb8f3 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -89,6 +89,7 @@ typedef struct VP56RangeCoder { const uint8_t *buffer; const uint8_t *end; unsigned int code_word; + int end_reached; } VP56RangeCoder; typedef struct VP56RefDc { @@ -232,7 +233,9 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si */ static av_always_inline int vpX_rac_is_end(VP56RangeCoder *c) { - return c->end <= c->buffer && c->bits >= 0; + if (c->end <= c->buffer && c->bits >= 0) + c->end_reached ++; + return c->end_reached > 10; } static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index e70302bf85..64fb6a99b4 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -43,6 +43,7 @@ int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_si c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + c->end_reached = 0; if (buf_size < 1) return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 2469a3ec21..09ebe62b25 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xbf73f1b7 +0, 246, 246, 1, 233472, 0x4f3ef38c From 089b1e16770be2903b2a0c9fb3e394f5c64c3918 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2019 00:11:02 +0200 Subject: [PATCH 0624/1764] avcodec/aacps: Fix integer overflows in hybrid_synthesis() Fixes: signed integer overflow: -822667928 + -1399761199 cannot be represented in type 'int' Fixes: 15756/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5645182051024896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec749ed2225e0c33f0910fc318c73da6f4ceb587) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index b16c3393d1..acfdfa6f0c 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64], memset(out[0][n], 0, 5*sizeof(out[0][n][0])); memset(out[1][n], 0, 5*sizeof(out[1][n][0])); for (i = 0; i < 12; i++) { - out[0][n][0] += in[ i][n][0]; - out[1][n][0] += in[ i][n][1]; + out[0][n][0] += (UINTFLOAT)in[ i][n][0]; + out[1][n][0] += (UINTFLOAT)in[ i][n][1]; } for (i = 0; i < 8; i++) { - out[0][n][1] += in[12+i][n][0]; - out[1][n][1] += in[12+i][n][1]; + out[0][n][1] += (UINTFLOAT)in[12+i][n][0]; + out[1][n][1] += (UINTFLOAT)in[12+i][n][1]; } for (i = 0; i < 4; i++) { - out[0][n][2] += in[20+i][n][0]; - out[1][n][2] += in[20+i][n][1]; - out[0][n][3] += in[24+i][n][0]; - out[1][n][3] += in[24+i][n][1]; - out[0][n][4] += in[28+i][n][0]; - out[1][n][4] += in[28+i][n][1]; + out[0][n][2] += (UINTFLOAT)in[20+i][n][0]; + out[1][n][2] += (UINTFLOAT)in[20+i][n][1]; + out[0][n][3] += (UINTFLOAT)in[24+i][n][0]; + out[1][n][3] += (UINTFLOAT)in[24+i][n][1]; + out[0][n][4] += (UINTFLOAT)in[28+i][n][0]; + out[1][n][4] += (UINTFLOAT)in[28+i][n][1]; } } dsp->hybrid_synthesis_deint(out, in + 27, 5, len); } else { for (n = 0; n < len; n++) { - out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] + - in[3][n][0] + in[4][n][0] + in[5][n][0]; - out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] + - in[3][n][1] + in[4][n][1] + in[5][n][1]; - out[0][n][1] = in[6][n][0] + in[7][n][0]; - out[1][n][1] = in[6][n][1] + in[7][n][1]; - out[0][n][2] = in[8][n][0] + in[9][n][0]; - out[1][n][2] = in[8][n][1] + in[9][n][1]; + out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] + + (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0]; + out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] + + (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1]; + out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0]; + out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1]; + out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0]; + out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1]; } dsp->hybrid_synthesis_deint(out, in + 7, 3, len); } From da76ca55518e6c19beee3dfcaa2189c6fd21f061 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Aug 2019 17:49:15 +0200 Subject: [PATCH 0625/1764] avcodec/takdec: Fix integer overflow in decorrelate() Fixes: signed integer overflow: -2424832 - 2145653689 cannot be represented in type 'int' Fixes: 16138/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5643451346976768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1192736494a5b16717de66da4a3d3c6af0e9a7a) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 0439a3ac9b..4fb5825532 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -653,7 +653,7 @@ static int decorrelate(TAKDecContext *s, int c1, int c2, int length) s->residues[i ] * s->filter[0]; } - v = av_clip_intp2(v >> 10, 13) * (1 << dshift) - *p1; + v = av_clip_intp2(v >> 10, 13) * (1U << dshift) - *p1; *p1++ = v; } From a003c985bb8659809e3ac774d0dd717638d90586 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Aug 2019 18:22:50 +0200 Subject: [PATCH 0626/1764] avcodec/alsdec: Check k from being outside what our implementation can handle The specification does not seem to list what the maximum valid value is Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 16268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5638164544225280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e1255789941d213a8e193469d0687946c9fa4a63) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index abeaf2cf3f..cb5e6d17b8 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -838,6 +838,9 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; + if (k[sb] >= 32) + return AVERROR_INVALIDDATA; + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); From a663d186a635ece13274ea04921d136a17f14e07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 21:56:35 +0200 Subject: [PATCH 0627/1764] avcodec/htmlsubtitles: Avoid locale dependant isdigit() Signed-off-by: Michael Niedermayer (cherry picked from commit b94cf549e2d9e456d77f8539baca0fffa805ba69) Signed-off-by: Michael Niedermayer --- libavcodec/htmlsubtitles.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index d9221ba16b..8ce66e0b27 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -55,7 +55,7 @@ static int scanbraces(const char* in) { if (strncmp(in, "{\\an", 4) != 0) { return 0; } - if (!isdigit(in[4])) { + if (!av_isdigit(in[4])) { return 0; } if (in[5] != '}') { From 1b90d7bbde65b297f372b62560fafb39309f18ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Aug 2019 17:21:00 +0200 Subject: [PATCH 0628/1764] libavcodec/utils: Free threads on init failure Fixes: Multiple memleaks Fixes: ffmpeg-memory-leak Found-by: Francis Provencher Signed-off-by: Michael Niedermayer (cherry picked from commit 61b055bed0968d60eb24a5080fb4ba2bcf73b753) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f40a533399..80a6aa6930 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1123,6 +1123,9 @@ free_and_end: (avctx->codec->caps_internal & FF_CODEC_CAP_INIT_CLEANUP))) avctx->codec->close(avctx); + if (HAVE_THREADS && avctx->internal->thread_ctx) + ff_thread_free(avctx); + if (codec->priv_class && codec->priv_data_size) av_opt_free(avctx->priv_data); av_opt_free(avctx); From 71e74978b414064a201ed80b4016ee982896c319 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 21:53:05 +0200 Subject: [PATCH 0629/1764] avcodec/gdv: Replace assert() checking bitstream by if() Signed-off-by: Michael Niedermayer (cherry picked from commit a9fae76370baf11a03b2c0ea590bb2d2f3f372ce) Signed-off-by: Michael Niedermayer --- libavcodec/gdv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index 98bdee5aca..769765318b 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -306,7 +306,8 @@ static int decompress_68(AVCodecContext *avctx, unsigned skip, unsigned use8) if (val != ((1 << lbits) - 1)) { break; } - assert(lbits < 16); + if (lbits >= 16) + return AVERROR_INVALIDDATA; } for (i = 0; i < len; i++) { bytestream2_put_byte(pb, bytestream2_get_byte(gb)); From a77652e93e4f64a99450f7f71308b2d298623324 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Aug 2019 19:01:41 +0200 Subject: [PATCH 0630/1764] avcodec/hevcdec: repeat character in skiped Signed-off-by: Michael Niedermayer (cherry picked from commit d2d8e797cc4f3cea3470d464bd5f51cd097fe371) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 764c2b26f8..417bc98cf9 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -478,7 +478,7 @@ static int hls_slice_header(HEVCContext *s) sh->first_slice_in_pic_flag = get_bits1(gb); if (s->ref && sh->first_slice_in_pic_flag) { av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); - return 1; // This slice will be skiped later, do not corrupt state + return 1; // This slice will be skipped later, do not corrupt state } if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { From f369b5b287b5f0df23863be037c5a040cf03653e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 00:20:39 +0200 Subject: [PATCH 0631/1764] avformat/cdxl: Fix integer overflow in intermediate Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c5575c8dc892473ef9d35ca6419e8dabbc5e5ac) Signed-off-by: Michael Niedermayer --- libavformat/cdxl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/cdxl.c b/libavformat/cdxl.c index 94a063c813..bd87c8d5d6 100644 --- a/libavformat/cdxl.c +++ b/libavformat/cdxl.c @@ -131,7 +131,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt) height = AV_RB16(&cdxl->header[16]); palette_size = AV_RB16(&cdxl->header[20]); audio_size = AV_RB16(&cdxl->header[22]); - if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) + if (cdxl->header[19] == 0 || + FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX) return AVERROR_INVALIDDATA; if (format == 0x20) image_size = width * height * cdxl->header[19] / 8; From c888b34b1c55e41826a9692cf9707dc0959d55f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2019 19:40:37 +0200 Subject: [PATCH 0632/1764] avcodec/hevcdec: Fix memleak of a53_caption Fixes: 15295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5675655187922944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef50cf7b32b91af303e37236f22e2e89971a84b7) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 417bc98cf9..e9651855e2 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3254,6 +3254,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx) ff_h2645_packet_uninit(&s->pkt); + ff_hevc_reset_sei(&s->sei); + return 0; } @@ -3443,6 +3445,7 @@ static void hevc_decode_flush(AVCodecContext *avctx) { HEVCContext *s = avctx->priv_data; ff_hevc_flush_dpb(s); + ff_hevc_reset_sei(&s->sei); s->max_ra = INT_MAX; s->eos = 1; } From b1f0a2bdefa9519a0aea33cfba7ef8e18035ad2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 01:25:03 +0200 Subject: [PATCH 0633/1764] avformat/mov: Check for EOF in mov_read_meta() Fixes: Timeout (195sec -> 2ms) Fixes: 16735/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5090676403863552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 093d1f42507e07d9acb43a8a3135e4ebe3530fe2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ac69c41ebb..9d6aa5b01b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4063,7 +4063,10 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) static int mov_read_meta(MOVContext *c, AVIOContext *pb, MOVAtom atom) { while (atom.size > 8) { - uint32_t tag = avio_rl32(pb); + uint32_t tag; + if (avio_feof(pb)) + return AVERROR_EOF; + tag = avio_rl32(pb); atom.size -= 4; if (tag == MKTAG('h','d','l','r')) { avio_seek(pb, -8, SEEK_CUR); From 0b8b5fea94391fc44facaeb74e55de710df7941e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:06:02 +0200 Subject: [PATCH 0634/1764] avcodec/sunrast: Fix return type for "unsupported (compression) type" Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0e8b7709a92afd7c10b4b5861870f6e365f280c3) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 0af5626e35..883421202a 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -72,7 +72,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) { av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n"); - return -1; + return AVERROR_PATCHWELCOME; } switch (depth) { From 1eb05c3bbb377eb3f3d8970df2032149fbe0dea7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:06:24 +0200 Subject: [PATCH 0635/1764] avcodec/sunrast: Fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit 0728d644973c314785c26b3d0559ba829ca31641) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 883421202a..baf184968f 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -132,8 +132,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR(ENOMEM); stride = (w + 15 >> 3) * depth; } else { - ptr = p->data[0]; - stride = p->linesize[0]; + ptr = p->data[0]; + stride = p->linesize[0]; } /* scanlines are aligned on 16 bit boundaries */ From 8567a8619598dff3be34789aa7bf5fcdd643fee7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2019 23:52:04 +0200 Subject: [PATCH 0636/1764] avcodec/adpcm: Check number of channels for MTAF Fixes: out of array access Fixes: 17608/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_MTAF_fuzzer-5074936267276288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 74bbf9bc8279e0b8eba89c8cca68e8ad7ff547ed) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index be206c55ba..2b2f38e9dd 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -110,6 +110,10 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) case AV_CODEC_ID_ADPCM_MTAF: min_channels = 2; max_channels = 8; + if (avctx->channels & 1) { + avpriv_request_sample(avctx, "channel count %d\n", avctx->channels); + return AVERROR_PATCHWELCOME; + } break; case AV_CODEC_ID_ADPCM_PSX: max_channels = 8; From ad7b379e426ee36f375f0f7ddff90775be0a46d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Sep 2019 20:47:04 +0200 Subject: [PATCH 0637/1764] avcodec/ffwavesynth: Fix integer overflow in timestamps Fixes: signed integer overflow: 9223371075321077760 * 2 cannot be represented in type 'long' Fixes: 16447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5698937431785472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c7ccbf40edb81d40727cca3a7ffd1848d3ed880a) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index cfd0951d8f..6736587e32 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); + lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { pink_fill(ws); ws->pink_pos = pos; From 8831d1c8501564b88820979dc241a00f99d9faf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:36:43 +0200 Subject: [PATCH 0638/1764] avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction() Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 16786/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5632818851348480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0831cbfe099192098d91e049ed9cf03c5a9cb376) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 691a09023d..e6eac2e400 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -222,7 +222,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, /* adapt LPC coefficients */ error_sign = sign_only(error_val); if (error_sign) { - for (j = 0; j < lpc_order && (int)error_val * error_sign > 0; j++) { + for (j = 0; j < lpc_order && (int)(error_val * error_sign) > 0; j++) { int sign; val = d - pred[j]; sign = sign_only(val) * error_sign; From 9b73ca0bca6e3893a80580c1aedd5f46299d69e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:46:38 +0200 Subject: [PATCH 0639/1764] avcodec/alac: Fix invalid shifts in 20/24 bps Fixes: left shift of negative value -256 Fixes: 16892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4880802642395136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b30c07cc2b9ee5bc52e1782eba9aa40e99085a7e) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index e6eac2e400..8cb8d72122 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -397,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, case 20: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 12; + alac->output_samples_buffer[ch][i] *= 1 << 12; }} break; case 24: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] <<= 8; + alac->output_samples_buffer[ch][i] *= 1 << 8; }} break; } From 6c4d2cc992cdcd414a149c8ab8213c121a06edc4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Sep 2019 10:55:26 +0200 Subject: [PATCH 0640/1764] avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL Fixes: signed integer overflow: 238 * 16843009 cannot be represented in type 'int' Fixes: 16958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5193905355620352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 033d2c4884eca3f4f80047bff93255b0cc4fa7a3) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 2d20be9c10..843b73d33b 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -529,7 +529,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, while(run-- && blk < blocks){ uint32_t col; out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4; - col = mode * 0x01010101; + col = mode * 0x01010101U; for(i = 0; i < 4; i++) { *((uint32_t*)out) = col; out += stride; From 51618d1cbf3fbb6cdba44bcbfa812d1c657fb92c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Sep 2019 17:25:07 +0200 Subject: [PATCH 0641/1764] avcodec/utils: Use av_memcpy_backptr() in ff_color_frame() Fixes: Timeout (191sec -> 53sec) Fixes: 16908/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5711207859748864 Fixes: 10709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5630617975259136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 340ab13504dddb71889f518983174d7bac7cfe96) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 80a6aa6930..455a46424e 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -515,7 +515,7 @@ int avcodec_fill_audio_frame(AVFrame *frame, int nb_channels, void ff_color_frame(AVFrame *frame, const int c[4]) { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(frame->format); - int p, y, x; + int p, y; av_assert0(desc->flags & AV_PIX_FMT_FLAG_PLANAR); @@ -526,8 +526,8 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; for (y = 0; y < height; y++) { if (desc->comp[0].depth >= 9) { - for (x = 0; xlinesize[p]; From b5a8b3883e44263b648a28c5e354e6d1d2fd55dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Sep 2019 21:08:31 +0200 Subject: [PATCH 0642/1764] avcodec/aacdec: Check if we run out of input in read_stream_mux_config() Fixes: Infinite loop Fixes: 16920/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5653421289373696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3dce4d03d5a555bff2e11f97fb54701b22effeaf) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index bffb9b80e7..53bb247811 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -411,6 +411,8 @@ static int read_stream_mux_config(struct LATMContext *latmctx, } else { int esc; do { + if (get_bits_left(gb) < 9) + return AVERROR_INVALIDDATA; esc = get_bits(gb, 1); skip_bits(gb, 8); } while (esc); From 7bc4f1452f2b404855c56b8ad1aa4db5d08cdf9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Dec 2018 01:14:51 +0100 Subject: [PATCH 0643/1764] avcodec/utils: Optimize ff_color_frame() using memcpy() 4650975 -> 4493240 dezicycles This optimizes lines 2 and later. Line 1 still uses av_memcpy_backptr() This change originally fixed ossfuzz 10790 but this is now fixed by other optimizations already Signed-off-by: Michael Niedermayer (cherry picked from commit 95e5396919b13a00264466b5d766f80f1a4f7fdc) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 455a46424e..a8ff4f4db8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -524,13 +524,19 @@ void ff_color_frame(AVFrame *frame, const int c[4]) int is_chroma = p == 1 || p == 2; int bytes = is_chroma ? AV_CEIL_RSHIFT(frame->width, desc->log2_chroma_w) : frame->width; int height = is_chroma ? AV_CEIL_RSHIFT(frame->height, desc->log2_chroma_h) : frame->height; - for (y = 0; y < height; y++) { - if (desc->comp[0].depth >= 9) { - ((uint16_t*)dst)[0] = c[p]; - av_memcpy_backptr(dst + 2, 2, bytes - 2); - }else - memset(dst, c[p], bytes); + if (desc->comp[0].depth >= 9) { + ((uint16_t*)dst)[0] = c[p]; + av_memcpy_backptr(dst + 2, 2, bytes - 2); dst += frame->linesize[p]; + for (y = 1; y < height; y++) { + memcpy(dst, frame->data[p], 2*bytes); + dst += frame->linesize[p]; + } + } else { + for (y = 0; y < height; y++) { + memset(dst, c[p], bytes); + dst += frame->linesize[p]; + } } } } From d7d7c9b2caf8cecfcd27f2b262a7cb0367263983 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 01:07:34 +0200 Subject: [PATCH 0644/1764] avcodec/g729_parser: Check block_size Fixes: Infinite loop Fixes: 17611/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5765134928052224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 972a0a818ff7a9b33c7f37e08783f4b6082f9aa2) Signed-off-by: Michael Niedermayer --- libavcodec/g729_parser.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c index d13c990807..a2cecb7223 100644 --- a/libavcodec/g729_parser.c +++ b/libavcodec/g729_parser.c @@ -51,6 +51,12 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->duration = avctx->frame_size; } + if (!s->block_size) { + *poutbuf = buf; + *poutbuf_size = buf_size; + return buf_size; + } + if (!s->remaining) s->remaining = s->block_size; if (s->remaining <= buf_size) { From f29bd3930f5dec34f73afe4e8531e9271bead5fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 16:48:46 +0200 Subject: [PATCH 0645/1764] avcodec/dstdec: Fix integer overflow in samples_per_frame computation Fixes: Timeout (? -> 2ms) Fixes: 17616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5198057947267072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7dc0943d4aa014e616e2f2a4802cb3da829f9420) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 368cb64931..10b89c3c1b 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -37,7 +37,7 @@ #define DST_MAX_CHANNELS 6 #define DST_MAX_ELEMENTS (2 * DST_MAX_CHANNELS) -#define DSD_FS44(sample_rate) (sample_rate * 8 / 44100) +#define DSD_FS44(sample_rate) (sample_rate * 8LL / 44100) #define DST_SAMPLES_PER_FRAME(sample_rate) (588 * DSD_FS44(sample_rate)) From b6a62d5bd4a4d6c34b5edb136b08f8ae93b3469c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Jul 2019 23:42:42 +0200 Subject: [PATCH 0646/1764] avcodec/fitsdec: Prevent division by 0 with huge data_max Fixes: division by 0 Fixes: 15657/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5738154838982656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cfa193779103c97bbfc28273a0ab12c114b6786d) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 4f452422ef..88b841a964 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -195,6 +195,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *dst8; uint16_t *dst16; uint64_t t; + double scale; FITSHeader header; FITSContext * fitsctx = avctx->priv_data; @@ -204,6 +205,12 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + scale = header.data_max - header.data_min; + if (scale <= 0 || !isfinite(scale)) { + scale = 1; + } + scale = 1/scale; + if (header.rgb) { if (header.bitpix == 8) { if (header.naxisn[2] == 3) { @@ -272,7 +279,7 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < avctx->width; j++) { \ t = rd; \ if (!header.blank_found || t != header.blank) { \ - *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) / (header.data_max - header.data_min); \ + *dst++ = ((t - header.data_min) * ((1 << (sizeof(type) * 8)) - 1)) * scale; \ } else { \ *dst++ = fitsctx->blank_val; \ } \ From 4aedbf234c41c6d2ed06d1d798b7a077dfd2121f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 20:31:50 +0200 Subject: [PATCH 0647/1764] avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop This makes the decoder faster Improves/Fixes: Timeout (22sec -> 20sec) Testcase: 17619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5078510820917248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 581a895c5c8b464a7fc7ebbaa6d9f565c10bae62) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cb5e6d17b8..223f3f94f5 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1820,15 +1820,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, #define INTERLEAVE_OUTPUT(bps) \ { \ int##bps##_t *dest = (int##bps##_t*)frame->data[0]; \ + int channels = avctx->channels; \ + int32_t **raw_samples = ctx->raw_samples; \ shift = bps - ctx->avctx->bits_per_raw_sample; \ if (!ctx->cs_switch) { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[c][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[c][sample] * (1U << shift); \ } else { \ for (sample = 0; sample < ctx->cur_frame_length; sample++) \ - for (c = 0; c < avctx->channels; c++) \ - *dest++ = ctx->raw_samples[sconf->chan_pos[c]][sample] * (1U << shift); \ + for (c = 0; c < channels; c++) \ + *dest++ = raw_samples[sconf->chan_pos[c]][sample] * (1U << shift);\ } \ } From 6c93707b9f5acc97ec0701c77218941fbcf250d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 20:51:22 +0200 Subject: [PATCH 0648/1764] avcodec/atrac3: Check block_align Fixes: Infinite loop Fixes: 17620/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3_fuzzer-5086123012915200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2acbbe262325187d87e8881c2984d203fb54207e) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index 6cdcdf1964..dc19a3863e 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2) + if (avctx->block_align >= UINT_MAX / 2 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + From 5401126753f26382c5a2b25ce378a463314a3dff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Sep 2019 19:53:45 +0200 Subject: [PATCH 0649/1764] avcodec/4xm: Check index in decode_i_block() also in the path where its not used. Fixes: Infinite loop Fixes: signed integer overflow: 2147483644 + 16 cannot be represented in type 'int' Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Fixes: 16782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5743163859271680 Fixes: 17641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5711603562971136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 87ddf9f1ef17726fd4235f2e7aed8334d0ff231b) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 5cfb9e735e..2ee742fccd 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -525,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block) break; if (code == 0xf0) { i += 16; + if (i >= 64) { + av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i); + return 0; + } } else { if (code & 0xf) { level = get_xbits(&f->gb, code & 0xf); From 538bfc605371ffe947913adfcb9851e6f22a7148 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 23:23:20 +0200 Subject: [PATCH 0650/1764] avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs() Values larger would fail subsequent tests. Fixes: signed integer overflow: 5 + 2147483646 cannot be represented in type 'int' Fixes: 16966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5695709549953024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f63cd1963e36bc70211e072bac7eb3606cf85f14) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index faa36d5459..8abb780dd7 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -642,11 +642,11 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) } if (prefix_val >= 5) { int k = 0; - while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { + while (k < 7 && get_cabac_bypass(&s->HEVClc->cc)) { suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) { + if (k == 7) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); return AVERROR_INVALIDDATA; } From 860ae495c723c542e1fa52dfdf70991cfe11d17c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Sep 2019 22:59:55 +0200 Subject: [PATCH 0651/1764] avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: signed integer overflow: -14527961 - 2147483425 cannot be represented in type 'int' Fixes: 16380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5645957131141120 Fixes: 16968/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5716169901735936 Fixes: 17074/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5198710497083392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e95a3e8a7250060befd9a5fba69151bb2a6690c) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 59e829ee5b..0e1336b832 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1121,7 +1121,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, p->buf[delayA] = p->lastA[filter]; p->buf[adaptA] = APESIGN(p->buf[delayA]); - p->buf[delayA - 1] = p->buf[delayA] - p->buf[delayA - 1]; + p->buf[delayA - 1] = p->buf[delayA] - (unsigned)p->buf[delayA - 1]; p->buf[adaptA - 1] = APESIGN(p->buf[delayA - 1]); predictionA = p->buf[delayA ] * p->coeffsA[filter][0] + @@ -1132,7 +1132,7 @@ static av_always_inline int predictor_update_filter(APEPredictor *p, /* Apply a scaled first-order filter compression */ p->buf[delayB] = p->filterA[filter ^ 1] - ((int)(p->filterB[filter] * 31U) >> 5); p->buf[adaptB] = APESIGN(p->buf[delayB]); - p->buf[delayB - 1] = p->buf[delayB] - p->buf[delayB - 1]; + p->buf[delayB - 1] = p->buf[delayB] - (unsigned)p->buf[delayB - 1]; p->buf[adaptB - 1] = APESIGN(p->buf[delayB - 1]); p->filterB[filter] = p->filterA[filter ^ 1]; @@ -1282,7 +1282,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, /* Version 3.98 and later files */ /* Update the adaption coefficients */ - absres = FFABS(res); + absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); From bea0915aafe81babea34bb9909409fc39b3ed1d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Aug 2019 22:00:35 +0200 Subject: [PATCH 0652/1764] avcodec/vc1: check REFDIST "9.1.1.43 P Reference Distance (REFDIST)" "The value of REFDIST shall be less than, or equal to, 16." Signed-off-by: Michael Niedermayer (cherry picked from commit 7f7af9e294f8bc00756922ab088430ea5b9d7498) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 48a2cc1e48..501e1ece5e 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -937,7 +937,9 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) else if ((v->s.pict_type != AV_PICTURE_TYPE_B) && (v->s.pict_type != AV_PICTURE_TYPE_BI)) { v->refdist = get_bits(gb, 2); if (v->refdist == 3) - v->refdist += get_unary(gb, 0, 16); + v->refdist += get_unary(gb, 0, 14); + if (v->refdist > 16) + return AVERROR_INVALIDDATA; } if ((v->s.pict_type == AV_PICTURE_TYPE_B) || (v->s.pict_type == AV_PICTURE_TYPE_BI)) { if (read_bfraction(v, gb) < 0) From 47e61e223d305ab119463fb9e69db5bb8f1a1b1e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Aug 2019 19:30:50 +0200 Subject: [PATCH 0653/1764] avcodec/vc1: Check for excessive resolution Fixes: overflow in aspect ratio calculation Fixes: signed integer overflow: 393215 * 14594 cannot be represented in type 'int' Fixes: 15728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5661588893204480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 181e138da7207523b387eabc28d24e74a46248bc) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 501e1ece5e..d6d880096e 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -456,7 +456,11 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } else { - av_reduce(&v->s.avctx->sample_aspect_ratio.num, + if (v->s.avctx->width > v->max_coded_width || + v->s.avctx->height > v->max_coded_height) { + avpriv_request_sample(v->s.avctx, "Huge resolution"); + } else + av_reduce(&v->s.avctx->sample_aspect_ratio.num, &v->s.avctx->sample_aspect_ratio.den, v->s.avctx->height * w, v->s.avctx->width * h, From c92c220d2cba85f08675824e81fb563693001a94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 17:39:45 +0200 Subject: [PATCH 0654/1764] avcodec/vc1_block: Fix invalid shift with rangeredfrm Fixes: left shift of negative value -7 Fixes: 16959/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5200360825683968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c722a69253a280b86b1d2a4ca00c89345a796781) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 1f2244e16f..f61bf9a7f0 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1978,7 +1978,7 @@ static void vc1_decode_b_mb(VC1Context *v) v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); if (v->rangeredfrm) for (j = 0; j < 64; j++) - s->block[i][j] <<= 1; + s->block[i][j] *= 2; s->idsp.put_signed_pixels_clamped(s->block[i], s->dest[dst_idx] + off, i & 4 ? s->uvlinesize From 4ca1bcdfca019f925d162786f23ff2912c6155ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 18:57:25 +0200 Subject: [PATCH 0655/1764] avcodec/vc1_pred: Fix invalid shifts in scaleforopp() Fixes: left shift of negative value -2 Fixes: 16964/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5757853565976576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ced9a1cd0ab76a65e509b0d7c56965d61ea1df84) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_pred.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_pred.c b/libavcodec/vc1_pred.c index a126677c72..dadbdf500c 100644 --- a/libavcodec/vc1_pred.c +++ b/libavcodec/vc1_pred.c @@ -191,9 +191,9 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, n >>= hpel; if (v->s.pict_type == AV_PICTURE_TYPE_B && !v->second_field && dir == 1) { if (dim) - n = scaleforopp_y(v, n, dir) << hpel; + n = scaleforopp_y(v, n, dir) * (1 << hpel); else - n = scaleforopp_x(v, n) << hpel; + n = scaleforopp_x(v, n) * (1 << hpel); return n; } if (v->s.pict_type != AV_PICTURE_TYPE_B) From d5bca31f5821aa5406f50efbbdc4782fe2007dcc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Sep 2019 20:20:31 +0200 Subject: [PATCH 0656/1764] vcodec/vc1: compute rangex/y only for P/B frames Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 16976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4847262047404032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e75e7fe1601b97c31e3ce90473ab71b9a0667573) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index d6d880096e..f88c83d7e4 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -1317,16 +1317,17 @@ int ff_vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb) break; } - if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { - v->range_x <<= 1; - v->range_y <<= 1; - } /* AC Syntax */ v->c_ac_table_index = decode012(gb); if (v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) { v->y_ac_table_index = decode012(gb); } + else if (v->fcm != PROGRESSIVE && !v->s.quarter_sample) { + v->range_x <<= 1; + v->range_y <<= 1; + } + /* DC Syntax */ v->s.dc_table_index = get_bits1(gb); if ((v->s.pict_type == AV_PICTURE_TYPE_I || v->s.pict_type == AV_PICTURE_TYPE_BI) From 1f2d293fabe58dbc2ad81b42a96d58bd99aa8397 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Sep 2019 14:26:49 +0200 Subject: [PATCH 0657/1764] avcodec/ralf: Fix integer overflow in decode_channel() Fixes: signed integer overflow: -1094995519 * 64 cannot be represented in type 'int' Fixes: 17030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5640695838146560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fbb314b6f2c2b77608442966f28aac20343a1cae) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 75c9371b95..006ab46414 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -300,8 +300,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2); code1 = t / range2; code2 = t % range2; - dst[i] = extend_code(gb, code1, range, 0) * (1 << add_bits); - dst[i + 1] = extend_code(gb, code2, range, 0) * (1 << add_bits); + dst[i] = extend_code(gb, code1, range, 0) * (1U << add_bits); + dst[i + 1] = extend_code(gb, code2, range, 0) * (1U << add_bits); if (add_bits) { dst[i] |= get_bits(gb, add_bits); dst[i + 1] |= get_bits(gb, add_bits); From c6c9f2e30e12a9ce515751ef519857cc0843ce91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2019 22:28:09 +0200 Subject: [PATCH 0658/1764] avcodec/motionpixels: Mark 2 functions as always_inline Fixes: Timeout (30sec -> 25sec) Fixes: 17050/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5719149803732992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 017884bdc3975528cacd5d23001558952cbdbabb) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 73977664a5..8750a4fa16 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -171,7 +171,7 @@ static int mp_read_codes_table(MotionPixelsContext *mp, GetBitContext *gb) return 0; } -static int mp_gradient(MotionPixelsContext *mp, int component, int v) +static av_always_inline int mp_gradient(MotionPixelsContext *mp, int component, int v) { int delta; @@ -196,7 +196,7 @@ static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const Yuv *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2] = color; } -static int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) +static av_always_inline int mp_get_vlc(MotionPixelsContext *mp, GetBitContext *gb) { int i; From 64cfde80336eeed16a7a5efa78b561c1ec57b186 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sat, 28 Sep 2019 23:11:06 -0300 Subject: [PATCH 0659/1764] avcodec/fitsdec: fix use of uninitialised values header.data_max and header.data_min are not necessarely set on all decoding scenarios. Fixes a Valgrind reported regression since cfa193779103c97bbfc28273a0ab12c114b6786d. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit e3f0ecfc57889de0e0a359ec30b77851d53cea87) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index 88b841a964..a20b8faf9e 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -195,7 +195,6 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint8_t *dst8; uint16_t *dst16; uint64_t t; - double scale; FITSHeader header; FITSContext * fitsctx = avctx->priv_data; @@ -205,12 +204,6 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; - scale = header.data_max - header.data_min; - if (scale <= 0 || !isfinite(scale)) { - scale = 1; - } - scale = 1/scale; - if (header.rgb) { if (header.bitpix == 8) { if (header.naxisn[2] == 3) { @@ -271,6 +264,13 @@ static int fits_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, CASE_RGB(16, dst16, uint16_t, AV_RB16); } } else { + double scale = header.data_max - header.data_min; + + if (scale <= 0 || !isfinite(scale)) { + scale = 1; + } + scale = 1/scale; + switch (header.bitpix) { #define CASE_GRAY(cas, dst, type, t, rd) \ case cas: \ From 3faa5c0fec8cc62b0c957095ec1b8ef5fc6d3ea5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 12:31:39 +0200 Subject: [PATCH 0660/1764] avcodec/utils: Check sample_rate before opening the decoder Fixes: signed integer overflow: 2 * -1306460384 cannot be represented in type 'int' Fixes: 17685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_fuzzer-5747390337777664 Fixes: 17688/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5739287210885120 Fixes: 17699/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5678394531905536 Fixes: 17738/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5763415733174272 Fixes: 17746/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5703008159006720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 75fefb1fb7ac8b423e08a8dca19b19884a325ebf) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index a8ff4f4db8..c367d8b7c9 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -778,6 +778,11 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->sample_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid sample rate: %d\n", avctx->sample_rate); + ret = AVERROR(EINVAL); + goto free_and_end; + } avctx->codec = codec; if ((avctx->codec_type == AVMEDIA_TYPE_UNKNOWN || avctx->codec_type == codec->type) && From 38800ac4dd0069aeda52e6b6dfb76bdc765a38d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 23:42:41 +0200 Subject: [PATCH 0661/1764] avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet Fixes: Assertion failure Fixes: 17770/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5700606668308480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c4de49edc4652e2f17c8747a6dd9b36ff362017a) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index bfd3fed3a2..9ea4c5d708 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -574,11 +574,12 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) EaDemuxContext *ea = s->priv_data; AVIOContext *pb = s->pb; int partial_packet = 0; + int hit_end = 0; unsigned int chunk_type, chunk_size; int ret = 0, packet_read = 0, key = 0; int av_uninit(num_samples); - while (!packet_read || partial_packet) { + while ((!packet_read && !hit_end) || partial_packet) { chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) @@ -676,7 +677,7 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) } if (avio_feof(pb)) ret = AVERROR_EOF; - packet_read = 1; + hit_end = 1; break; case MVIh_TAG: @@ -737,6 +738,9 @@ get_video_packet: if (ret < 0 && partial_packet) av_packet_unref(pkt); + if (ret >= 0 && hit_end && !packet_read) + return AVERROR(EAGAIN); + return ret; } From 8ca3bf37abde85786dc21b154743eb21ab01bd5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 20:05:09 +0200 Subject: [PATCH 0662/1764] avcodec/g2meet: Check if adjusted pixel was on the stack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This basically checks if a pixel that was coded with prediction and residual could have been stored using a previous case. This avoids basically a string of 0 symbols stored in less than 50 bytes to hit a O(n²) codepath. Fixes: Timeout (too slow to wait -> immediately) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4895946310680576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c84c162e9f9f000ef47d4fcd07354805f38d455) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index a1dec8d823..19e1c130ce 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -854,6 +854,9 @@ static int epic_decode_tile(ePICContext *dc, uint8_t *out, int tile_height, uint32_t ref_pix = curr_row[x - 1]; if (!x || !epic_decode_from_cache(dc, ref_pix, &pix)) { pix = epic_decode_pixel_pred(dc, x, y, curr_row, above_row); + if (is_pixel_on_stack(dc, pix)) + return AVERROR_INVALIDDATA; + if (x) { int ret = epic_add_pixel_to_cache(&dc->hash, ref_pix, From 29f07606b6b13739e8a19dc8eeab183fdde74ce8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Sep 2019 20:30:32 +0200 Subject: [PATCH 0663/1764] avcodec/g2meet: Check for end of input in jpg_decode_block() Fixes: Timeout (100sec -> 0.7sec) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5174143888130048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61dd2e07be7ca636e1d3d868f90dde1b10985f4c) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 19e1c130ce..731d29a5d4 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -244,6 +244,9 @@ static int jpg_decode_block(JPGContext *c, GetBitContext *gb, const int is_chroma = !!plane; const uint8_t *qmat = is_chroma ? chroma_quant : luma_quant; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + c->bdsp.clear_block(block); dc = get_vlc2(gb, c->dc_vlc[is_chroma].table, 9, 3); if (dc < 0) From d458cfdcca2a1a68f1a731c43df2587c1aa1ab89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2019 19:26:51 +0200 Subject: [PATCH 0664/1764] avcodec/wmaprodec: Check if there is a stream Fixes: null pointer dereference Fixes: signed integer overflow: 512 * 2147483647 cannot be represented in type 'int' Fixes: 17809/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5634409947987968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9b533de28eb19c660c75823ff2af2f8549c4095a) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 77a49c9db8..526e94ba5d 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1874,7 +1874,9 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) } /* encoder supports up to 64 streams / 64*2 channels (would have to alloc arrays) */ - if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS) { + if (avctx->channels > XMA_MAX_CHANNELS || s->num_streams > XMA_MAX_STREAMS || + s->num_streams <= 0 + ) { avpriv_request_sample(avctx, "More than %d channels in %d streams", XMA_MAX_CHANNELS, s->num_streams); return AVERROR_PATCHWELCOME; } From a7e147c85688ab3e16321eaf67e303e2dcf2da46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 17:10:38 +0200 Subject: [PATCH 0665/1764] avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize() Fixes: null pointer dereference Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952 Fixes: Ticket8147 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 81b53913bbb97234e22187d1122948c351a3466d) Signed-off-by: Michael Niedermayer --- libavformat/subtitles.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 93c9ef05cf..1230e34d08 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -194,6 +194,9 @@ void ff_subtitles_queue_finalize(void *log_ctx, FFDemuxSubtitlesQueue *q) { int i; + if (!q->nb_subs) + return; + qsort(q->subs, q->nb_subs, sizeof(*q->subs), q->sort == SUB_SORT_TS_POS ? cmp_pkt_sub_ts_pos : cmp_pkt_sub_pos_ts); From 3e5316bf2f5c7b58846d54d05b868e188e6778cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:10:25 +0200 Subject: [PATCH 0666/1764] avcodec/sunrast: Check for availability of maplength before allocating image Signed-off-by: Michael Niedermayer (cherry picked from commit 711ad71aea7847883662bf95e01640d9745b313b) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index baf184968f..98bc4ffa63 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -100,14 +100,14 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; p->pict_type = AV_PICTURE_TYPE_I; - if (buf_end - buf < maplength) - return AVERROR_INVALIDDATA; - if (depth > 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); From 9462ca109fbb8dd9d6b1ec0aa2a2403db3395e82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 18:14:03 +0200 Subject: [PATCH 0667/1764] avcodec/sunrast: Check that the input is large enough for the maximally compressed image Fixes: Timeout (17sec -> 15ms) Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5663218491457536 Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5735590015795200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf0ba75c4a9231ed62afe60bed5bde2728971e30) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 98bc4ffa63..e1ec8a0832 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -100,7 +100,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; - if (buf_end - buf < maplength) + /* scanlines are aligned on 16 bit boundaries */ + len = (depth * w + 7) >> 3; + alen = len + (len & 1); + + if (buf_end - buf < maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -136,10 +140,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, stride = p->linesize[0]; } - /* scanlines are aligned on 16 bit boundaries */ - len = (depth * w + 7) >> 3; - alen = len + (len & 1); - if (type == RT_BYTE_ENCODED) { int value, run; uint8_t *end = ptr + h * stride; From f83710ee4bbb1ff171697c79dcd8a133bc56f736 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Sep 2019 13:43:19 +0200 Subject: [PATCH 0668/1764] avformat/mpsubdec: Clear queue on error Fixes: Memleaks Fixes: 17219/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5720539124989952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a0d36e562d53716cf000895c2f892fb1f48165d) Signed-off-by: Michael Niedermayer --- libavformat/mpsubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index 1236efa712..fc1731f26e 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -106,6 +106,9 @@ static int mpsub_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &mpsub->q); end: + if (res < 0) + ff_subtitles_queue_clean(&mpsub->q); + av_bprint_finalize(&buf, NULL); return res; } From c388edef742fc1099ba413a6657d2f48f5170704 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 01:43:35 +0200 Subject: [PATCH 0669/1764] avcodec/truemotion1: Check that the input has enough space for a minimal index_stream Fixes: Timeout (18sec -> 0.4sec) Fixes: 17585/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5117015135617024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a660fac9899191d4121cde02f2a98977b1303b6) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index e1824384c5..602de99f10 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -444,6 +444,8 @@ static int truemotion1_decode_header(TrueMotion1Context *s) if (s->flags & FLAG_KEYFRAME) { /* no change bits specified for a keyframe; only index bytes */ s->index_stream = s->mb_change_bits; + if (s->avctx->width * s->avctx->height / 2048 + header.header_size > s->size) + return AVERROR_INVALIDDATA; } else { /* one change bit per 4x4 block */ s->index_stream = s->mb_change_bits + From 4b7829bf9c71ec729af5177cc15377461a7a51f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 00:42:04 +0200 Subject: [PATCH 0670/1764] avcodec/ituh263dec: Check input for minimal frame size Fixes: Timeout (28sec -> 3sec) Fixes: 17559/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H263_fuzzer-5681050776240128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f0498ed461987b62bb97ff6463b4df108d60d78) Signed-off-by: Michael Niedermayer --- libavcodec/ituh263dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index fc95a532ce..dc8e7879db 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -1203,6 +1203,11 @@ int ff_h263_decode_picture_header(MpegEncContext *s) if ((ret = av_image_check_size(s->width, s->height, 0, s)) < 0) return ret; + if (!(s->avctx->flags2 & AV_CODEC_FLAG2_CHUNKS)) { + if ((s->width * s->height / 256 / 8) > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; + } + s->mb_width = (s->width + 15) / 16; s->mb_height = (s->height + 15) / 16; s->mb_num = s->mb_width * s->mb_height; From 60c8cf09df541a6ba07de98aad6337813710246b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 08:50:41 +0200 Subject: [PATCH 0671/1764] avcodec/fitsdec: Fail on 0 naxisn Fixes: Timeout (100+ sec -> 23ms) Fixes: 17769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5678314672357376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3303d52096337dc109fbd523ecb4b46cddace1) Signed-off-by: Michael Niedermayer --- libavcodec/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/fitsdec.c b/libavcodec/fitsdec.c index a20b8faf9e..1f06754f8b 100644 --- a/libavcodec/fitsdec.c +++ b/libavcodec/fitsdec.c @@ -143,7 +143,7 @@ static int fits_read_header(AVCodecContext *avctx, const uint8_t **ptr, FITSHead size = abs(header->bitpix) >> 3; for (i = 0; i < header->naxis; i++) { - if (size && header->naxisn[i] > SIZE_MAX / size) { + if (size == 0 || header->naxisn[i] > SIZE_MAX / size) { av_log(avctx, AV_LOG_ERROR, "unsupported size of FITS image"); return AVERROR_INVALIDDATA; } From d109b2d41dfd552ef210bbd72eadfcad154f7b2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Sep 2019 15:40:30 +0200 Subject: [PATCH 0672/1764] avcodec/exr: Allow duplicate use of channel indexes Fixes: Ticket #8203 Reported-by: durandal_1707 Signed-off-by: Michael Niedermayer (cherry picked from commit 080819b3b4b59ef498511ac349414af85728349c) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 5aa75ab112..7c3e3dc6f6 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1307,6 +1307,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) int magic_number, version, i, flags, sar = 0; int layer_match = 0; int ret; + int dup_channels = 0; s->current_channel_offset = 0; s->xmin = ~0; @@ -1463,10 +1464,12 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; } else if (channel_index >= 0) { - av_log(s->avctx, AV_LOG_ERROR, + av_log(s->avctx, AV_LOG_WARNING, "Multiple channels with index %d.\n", channel_index); - ret = AVERROR_INVALIDDATA; - goto fail; + if (++dup_channels > 10) { + ret = AVERROR_INVALIDDATA; + goto fail; + } } s->channels = av_realloc(s->channels, From 5577079473003d0bc1e283197fd6f852b5491bce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Sep 2019 01:22:37 +0200 Subject: [PATCH 0673/1764] avcodec/pcm: Check bits_per_coded_sample Fixes: shift exponent -2 is negative Fixes: 17736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F16LE_fuzzer-5742815929171968 Fixes: 17998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F24LE_fuzzer-5716980383875072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5de19160a3c0dedb3cefd00e863a8d8f74ca2ad0) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 8c326c6829..c52ebcd0d6 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -251,6 +251,9 @@ static av_cold int pcm_decode_init(AVCodecContext *avctx) break; case AV_CODEC_ID_PCM_F16LE: case AV_CODEC_ID_PCM_F24LE: + if (avctx->bits_per_coded_sample < 1 || avctx->bits_per_coded_sample > 24) + return AVERROR_INVALIDDATA; + s->scale = 1. / (1 << (avctx->bits_per_coded_sample - 1)); s->fdsp = avpriv_float_dsp_alloc(0); if (!s->fdsp) From 34905f72198b59f4a2bb2f54c24d5c04b7414828 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2019 18:26:44 +0200 Subject: [PATCH 0674/1764] avcodec/qdmc: Check input space in qdmc_get_vlc() Fixes: Timeout (125sec -> 0.4sec) Fixes: 18059/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDMC_fuzzer-5656195825664000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c7975fe6f5c734fce9c59e8418c7f2de15a558d) Signed-off-by: Michael Niedermayer --- libavcodec/qdmc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdmc.c b/libavcodec/qdmc.c index f4d63cd8b8..b5e015f9bf 100644 --- a/libavcodec/qdmc.c +++ b/libavcodec/qdmc.c @@ -361,6 +361,8 @@ static int qdmc_get_vlc(GetBitContext *gb, VLC *table, int flag) { int v; + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; v = get_vlc2(gb, table->table, table->bits, 1); if (v < 0) return AVERROR_INVALIDDATA; From 25a917e46f798350460df75e35cf87c07bff83b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Oct 2019 18:32:08 +0200 Subject: [PATCH 0675/1764] avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels Fixes: NULL pointer dereference Fixes: 18075/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5708262036471808 Fixes: 18087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5740627634946048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e418b315ddd0505e707860f8cc8b796ce06f3458) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 526e94ba5d..fc96278512 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -436,7 +436,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu av_log(avctx, AV_LOG_ERROR, "invalid number of channels per XMA stream %d\n", s->nb_channels); return AVERROR_INVALIDDATA; - } else if (s->nb_channels > WMAPRO_MAX_CHANNELS) { + } else if (s->nb_channels > WMAPRO_MAX_CHANNELS || s->nb_channels > avctx->channels) { avpriv_request_sample(avctx, "More than %d channels", WMAPRO_MAX_CHANNELS); return AVERROR_PATCHWELCOME; From 386b987f2a8c4abe507d2d58136acc0ef4ace9a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Oct 2019 13:46:04 +0200 Subject: [PATCH 0676/1764] avfilter/vf_geq: Use av_clipd() instead of av_clipf() With floats we cannot represent all 32bit integer dimensions Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c8813b1a984714f0027cabeea2394035df20cf38) Signed-off-by: Michael Niedermayer --- libavfilter/vf_geq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_geq.c b/libavfilter/vf_geq.c index 36dbd421ce..f441c591f9 100644 --- a/libavfilter/vf_geq.c +++ b/libavfilter/vf_geq.c @@ -82,8 +82,8 @@ static inline double getpix(void *priv, double x, double y, int plane) if (!src) return 0; - xi = x = av_clipf(x, 0, w - 2); - yi = y = av_clipf(y, 0, h - 2); + xi = x = av_clipd(x, 0, w - 2); + yi = y = av_clipd(y, 0, h - 2); x -= xi; y -= yi; From 3ba68a54000078d4faed0cfe4106695f25b1d8a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2019 22:52:03 +0200 Subject: [PATCH 0677/1764] avformat/shortendec: Check k in probe Fixes: Assertion failure Fixes: 17640/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5708767475269632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea770eb55941a6ed7b86828d6ea2f4e718a4b337) Signed-off-by: Michael Niedermayer --- libavformat/shortendec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/shortendec.c b/libavformat/shortendec.c index 42fcdf75c3..97f4d66130 100644 --- a/libavformat/shortendec.c +++ b/libavformat/shortendec.c @@ -40,12 +40,18 @@ static int shn_probe(AVProbeData *p) channels = get_ur_golomb_shorten(&gb, 0); blocksize = 256; } else { - int k; + unsigned k; k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; internal_ftype = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; channels = get_ur_golomb_shorten(&gb, k); k = get_ur_golomb_shorten(&gb, 2); + if (k > 31) + return 0; blocksize = get_ur_golomb_shorten(&gb, k); } From 6b85dc6569bbfb5c735c3fa7f76e862926559c39 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 12:04:57 +0200 Subject: [PATCH 0678/1764] avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA Fixes: left shift of negative value -1 Fixes: 17683/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_EA_R2_fuzzer-5111690013704192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8695fbec573b0d434cf2e703a0d45742a09a5d94) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 2b2f38e9dd..295241ce2b 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1287,10 +1287,10 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2=0; count2<28; count2++) { if (count2 & 1) - next_sample = sign_extend(byte, 4) << shift; + next_sample = (unsigned)sign_extend(byte, 4) << shift; else { byte = bytestream2_get_byte(&gb); - next_sample = sign_extend(byte >> 4, 4) << shift; + next_sample = (unsigned)sign_extend(byte >> 4, 4) << shift; } next_sample += (current_sample * coeff1) + From 6d62dbb46bca27941c328f7df4ac559e324d1882 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0679/1764] avcodec/lsp: Fix undefined shifts in lsp2poly() Fixes: left shift of negative value -30635 Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b93f52cd635f372b7b22396939e840c63e8edf3) Signed-off-by: Michael Niedermayer --- libavcodec/lsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lsp.c b/libavcodec/lsp.c index 9aba020ebb..fb4da47894 100644 --- a/libavcodec/lsp.c +++ b/libavcodec/lsp.c @@ -108,7 +108,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) int i, j; f[0] = 0x400000; // 1.0 in (3.22) - f[1] = -lsp[0] << 8; // *2 and (0.15) -> (3.22) + f[1] = -lsp[0] * 256; // *2 and (0.15) -> (3.22) for(i=2; i<=lp_half_order; i++) { @@ -116,7 +116,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order) for(j=i; j>1; j--) f[j] -= MULL(f[j-1], lsp[2*i-2], FRAC_BITS) - f[j-2]; - f[1] -= lsp[2*i-2] << 8; + f[1] -= lsp[2*i-2] * 256; } } From d998b81ce17f3fd3416b8e065910c73c1415297f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0680/1764] avcodec/g729postfilter: Fix undefined shifts Fixes: left shift of negative value -12 Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a4fdbf112385824fc9b7d7739685359213b579a) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index d9076ec735..e8e031a1ed 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -156,7 +156,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, sig_scaled[i] = residual[i] >> shift; else for (i = 0; i < subframe_size + RES_PREV_DATA_SIZE; i++) - sig_scaled[i] = residual[i] << -shift; + sig_scaled[i] = (unsigned)residual[i] << -shift; /* Start of best delay searching code */ gain_num = 0; @@ -500,14 +500,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, tmp = res_pst[subframe_size - 1]; for (i = subframe_size - 1; i >= 1; i--) { - tmp2 = (res_pst[i] << 15) + ((gt * res_pst[i-1]) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; + tmp2 = res_pst[i] + (tmp2 >> 15); tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; out[i] = tmp2; } - tmp2 = (res_pst[0] << 15) + ((gt * ht_prev_data) << 1); - tmp2 = (tmp2 + 0x4000) >> 15; + tmp2 = (gt * ht_prev_data) * 2 + 0x4000; + tmp2 = res_pst[0] + (tmp2 >> 15); tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; out[0] = tmp2; From 4b4c26ca09b525168339df8697eb7f6bfe20345f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:01:38 +0200 Subject: [PATCH 0681/1764] avcodec/g729postfilter: Fix undefined intermediate pointers Fixes: index -49 out of bounds for type 'int16_t [192]' Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c61661a2cbe1b8b284c80ada1c2fdddf4992cad) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index e8e031a1ed..ef4fec4c95 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -201,8 +201,8 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, } if (corr_int_num) { /* Compute denominator of pseudo-normalized correlation R'(0). */ - corr_int_den = adsp->scalarproduct_int16(sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, - sig_scaled - best_delay_int + RES_PREV_DATA_SIZE, + corr_int_den = adsp->scalarproduct_int16(sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, + sig_scaled + RES_PREV_DATA_SIZE - best_delay_int, subframe_size); /* Compute signals with non-integer delay k (with 1/8 precision), From 0041d3cebab4f28a4c80a7be01889c3ccdc9874c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:19:36 +0200 Subject: [PATCH 0682/1764] avcodec/apedec: Fix integer overflow in predictor_update_3930() Fixes: signed integer overflow: -69555262 * 31 cannot be represented in type 'int' Fixes: 17698/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5728970447781888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5c072c9ed7c6f173b8a0a886fb7fe1e8e4c1fadd) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0e1336b832..9f1e8123b7 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1051,7 +1051,7 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, d3 * p->coeffsA[filter][3]; p->lastA[filter] = decoded + (predictionA >> 9); - p->filterA[filter] = p->lastA[filter] + ((p->filterA[filter] * 31) >> 5); + p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; From 888df4b68ce6fd4c920509588000a634ff900f88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 17:53:35 +0200 Subject: [PATCH 0683/1764] avcodec/g723_1dec: Fix overflow in shift Fixes: shift exponent 1008 is too large for 32-bit type 'int' Fixes: 17700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5707633436131328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 07732f12a43ac3048e44c086c9a8c811452ba31c) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index ab952ec66d..f92eb76ba0 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -668,6 +668,8 @@ static int estimate_sid_gain(G723_1_Context *p) else t = INT32_MAX; } else t = p->sid_gain << shift; + } else if(shift < -31) { + t = (p->sid_gain < 0) ? -1 : 0; }else t = p->sid_gain >> -shift; x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); From 22336d5c480a8cf06f0ee0cfe9e8b02ffe592916 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Sep 2019 18:02:17 +0200 Subject: [PATCH 0684/1764] avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS Fixes: signed integer overflow: -2147483360 - 631 cannot be represented in type 'int' Fixes: 17701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_EA_EACS_fuzzer-5711517319692288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f66e8436d89963362acf533a60ed4fedb42546e) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 295241ce2b..938b09bfb5 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1138,8 +1138,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } } - for (i=0; i<=st; i++) + for (i=0; i<=st; i++) { c->status[i].predictor = bytestream2_get_le32u(&gb); + if (FFABS(c->status[i].predictor) > (1<<16)) + return AVERROR_INVALIDDATA; + } for (n = nb_samples >> (1 - st); n > 0; n--) { int byte = bytestream2_get_byteu(&gb); From 7c7e10372979dca4b1a6fc21653e8d46983f43de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Oct 2019 00:40:07 +0200 Subject: [PATCH 0685/1764] avcodec/binkaudio: Check sample rate Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int' Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 2fca09bce49c7de590560d9517fd2414b6c0c14f) Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index e0f3d14eef..fd56d17ca2 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) { // audio is already interleaved for the RDFT format variant avctx->sample_fmt = AV_SAMPLE_FMT_FLT; + if (sample_rate > INT_MAX / avctx->channels) + return AVERROR_INVALIDDATA; sample_rate *= avctx->channels; s->channels = 1; if (!s->version_b) From f628f38f6e43c140167005593b447c47fd731a44 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 11:48:47 +0200 Subject: [PATCH 0686/1764] avcodec/g729postfilter: Fix left shift of negative value Fixes: Ticket8176 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0acc5064ed501cb40d4aaccae2b3ce5c4552fd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index ef4fec4c95..fc9a8d54cc 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -346,7 +346,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, L_temp1 = gain_long_num * gain_long_num; L_temp1 = MULL(L_temp1, gain_den, FRAC_BITS); - tmp = ((sh_gain_long_num - sh_gain_num) << 1) - (sh_gain_long_den - sh_gain_den); + tmp = ((sh_gain_long_num - sh_gain_num) * 2) - (sh_gain_long_den - sh_gain_den); if (tmp > 0) L_temp0 >>= tmp; else @@ -367,7 +367,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, /* Rescale selected signal to original value. */ if (shift > 0) for (i = 0; i < subframe_size; i++) - selected_signal[i] <<= shift; + selected_signal[i] *= 1 << shift; else for (i = 0; i < subframe_size; i++) selected_signal[i] >>= -shift; @@ -464,7 +464,7 @@ static int16_t get_tilt_comp(AudioDSPContext *adsp, int16_t *lp_gn, speech[i] = (speech[i] * temp + 0x4000) >> 15; } - return -(rh1 << 15) / rh0; + return -(rh1 * (1 << 15)) / rh0; } /** From c992a8301a3467572003e55e6f4da91e3919daaf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 19:18:18 +0200 Subject: [PATCH 0687/1764] avcodec/wmalosslessdec: Check block_align Fixes: NULL pointer dereference Fixes: 18331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5652847445671936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c1c799271eefb8afe22804a710baa5cbaad57d91) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index eb1db615ae..19bac949d4 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -184,8 +184,8 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (!avctx->block_align) { - av_log(avctx, AV_LOG_ERROR, "block_align is not set\n"); + if (avctx->block_align <= 0) { + av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } From 0dc659b8fbe5a7af4a25123481a855b75291f1de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Sep 2019 21:19:26 +0200 Subject: [PATCH 0688/1764] avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv() Fixes: signed integer overflow: 62220 * 262144 cannot be represented in type 'int' Fixes: 17145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5667394743173120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6fdeb208172dc95b29b965a0cc365ca0925e151e) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index f61bf9a7f0..51a2f41316 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -825,7 +825,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, return AVERROR_INVALIDDATA; q2 = q2 * 2 + ((q2 == v->pq) ? v->halfpq : 0) - 1; for (k = 1; k < 8; k++) - block[k << sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << sh] += (int)(ac_val[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { for (k = 1; k < 8; k++) block[k << sh] += ac_val[k]; From 8d7d6066efc84d88893ca5590a844627eecedd2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2019 00:35:15 +0200 Subject: [PATCH 0689/1764] avcodec/ffwavesynth: Fix integer overflows in pink noise addition Fixes: signed integer overflow: -1795675744 + -1926578528 cannot be represented in type 'int' Fixes: 17741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5131336402075648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7916b6863caec55d7e64758a1bfe436834f2faf6) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 6736587e32..3a6a057964 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -377,7 +377,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->dphi += in->ddphi; break; case WS_NOISE: - val = amp * pink; + val = amp * (unsigned)pink; break; default: val = 0; @@ -385,7 +385,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, all_ch |= in->channels; for (c = in->channels, cv = channels; c; c >>= 1, cv++) if (c & 1) - *cv += val; + *cv += (unsigned)val; } val = (int32_t)lcg_next(&ws->dither_state) >> 16; for (c = all_ch, cv = channels; c; c >>= 1, cv++) From 08972bff12b66670dc609719639f858f3fcc5f37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:06:35 +0200 Subject: [PATCH 0690/1764] avcodec/aliaspixdec: Check input size against minimal picture size Fixes: Timeout (15sec -> 72ms) Fixes: 17774/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALIAS_PIX_fuzzer-5193929107963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8c693104779830028bd5f76bf32a93e059c04d2c) Signed-off-by: Michael Niedermayer --- libavcodec/aliaspixdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aliaspixdec.c b/libavcodec/aliaspixdec.c index 087b18fb91..def7e17c0f 100644 --- a/libavcodec/aliaspixdec.c +++ b/libavcodec/aliaspixdec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, if (ret < 0) return ret; + if (bytestream2_get_bytes_left(&gb) < width*height / 255) + return AVERROR_INVALIDDATA; + ret = ff_get_buffer(avctx, f, 0); if (ret < 0) return ret; From b58e7868f20569357c5a68824e18b8b5d18dde7d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:10:47 +0200 Subject: [PATCH 0691/1764] avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame() Fixes: signed integer overflow: -2147481503 + -32732 cannot be represented in type 'int' Fixes: 17782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-5769672225456128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76897e19ca96127e07f5acc5a773b904dcf6124) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 843b73d33b..8503fee5ec 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -727,7 +727,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[3].values[res] << 8; - pred[1] += sign_extend(val, 16); + pred[1] += (unsigned)sign_extend(val, 16); *samples++ = pred[1]; } else { if(vlc[0].table) @@ -748,7 +748,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } val |= h[1].values[res] << 8; - pred[0] += sign_extend(val, 16); + pred[0] += (unsigned)sign_extend(val, 16); *samples++ = pred[0]; } } From 958cc68d51abb7db894675c6d0a71aa43ced77d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:16:20 +0200 Subject: [PATCH 0692/1764] avcodec/alac: Fix integer overflow in LPC Fixes: signed integer overflow: 2147483628 + 128 cannot be represented in type 'int' Fixes: 17783/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5146470595952640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44b73a0568f8ad5993ec79b29873151f316bf95c) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 8cb8d72122..5c8230bea4 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -215,7 +215,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, /* LPC prediction */ for (j = 0; j < lpc_order; j++) val += (pred[j] - d) * lpc_coefs[j]; - val = (val + (1 << (lpc_quant - 1))) >> lpc_quant; + val = (val + (1LL << (lpc_quant - 1))) >> lpc_quant; val += d + error_val; buffer_out[i] = sign_extend(val, bps); From 8d483f9849b2293fced7a7b0a7d46226e9eaf4a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Oct 2019 22:05:52 +0200 Subject: [PATCH 0693/1764] avcodec/ptx: Check that the input contains at least one line Fixes: Timeout (19sec -> 44ms) Fixes: 17816/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PTX_fuzzer-5704459950227456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a6ad328256fe6a6ace7d1e15f3515afccf1247fc) Signed-off-by: Michael Niedermayer --- libavcodec/ptx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c index 42147f4afc..19f9305cda 100644 --- a/libavcodec/ptx.c +++ b/libavcodec/ptx.c @@ -55,6 +55,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, buf += offset; + if (buf_end - buf < w * bytes_per_pixel) + return AVERROR_INVALIDDATA; + if ((ret = ff_set_dimensions(avctx, w, h)) < 0) return ret; From b3d6eabd78338f5b1ba94f158980afce764f9d86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 17:10:38 +0200 Subject: [PATCH 0694/1764] avformat/pjsdec: Check duration for overflow Fixes: signed integer overflow: -3 - 9223372036854775807 cannot be represented in type 'long' Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1efaac69328bdc17680924c71be7ec990f0e8f2c) Signed-off-by: Michael Niedermayer --- libavformat/pjsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index bb587b569a..448962bf8a 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -55,6 +55,8 @@ static int64_t read_ts(char **line, int *duration) if (sscanf(*line, "%"SCNd64",%"SCNd64, &start, &end) == 2) { *line += strcspn(*line, "\""); *line += !!**line; + if (end < start || end - (uint64_t)start > INT_MAX) + return AV_NOPTS_VALUE; *duration = end - start; return start; } From 09e942aa4d597a75a3c510bf96583302ae707f30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Oct 2019 19:35:15 +0200 Subject: [PATCH 0695/1764] avcodec/alsdec: Check that input space for header exists in read_diff_float_data() Fixes: Timeout (21sec -> 8sec) Fixes: 17832/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5737092172218368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09581f7923ed9af7719762868e8f1ff626ea8374) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 223f3f94f5..a9740699f6 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1480,6 +1480,9 @@ static int read_diff_float_data(ALSDecContext *ctx, unsigned int ra_frame) { ff_mlz_flush_dict(ctx->mlz); } + if (avctx->channels * 8 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + for (c = 0; c < avctx->channels; ++c) { if (use_acf) { //acf_flag From e02dedf2670c380011f52b6243bf0a3a88906576 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Oct 2019 19:52:53 +0200 Subject: [PATCH 0696/1764] avcodec/takdec: Fix overflow with large sample rates Fixes: signed integer overflow: 2147483647 + 511 cannot be represented in type 'int' Fixes: 17899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5719753322135552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42eb78059d149abcd994f46c8b8a0dd98e86b594) Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 4fb5825532..8ec87ab509 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -176,8 +176,8 @@ static void set_sample_rate_params(AVCodecContext *avctx) } else { shift = 0; } - s->uval = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << shift; - s->subframe_scale = FFALIGN(avctx->sample_rate + 511 >> 9, 4) << 1; + s->uval = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << shift; + s->subframe_scale = FFALIGN(avctx->sample_rate + 511LL >> 9, 4) << 1; } static av_cold int tak_decode_init(AVCodecContext *avctx) From 4ed397df65552c2a50d78614124d94e9c2e857dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Oct 2019 19:34:17 +0200 Subject: [PATCH 0697/1764] avcodec/ralf: Skip initializing unused filter variables Fixes: left shift of negative value -1 Fixes: 17890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5643307467669504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f4ecf6c39de9a7cc1dae70cf87c225771001e883) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 006ab46414..1d881cf7ae 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -234,8 +234,10 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, int *dst = ctx->channel_data[ch]; ctx->filter_params = get_vlc2(gb, set->filter_params.table, 9, 2); - ctx->filter_bits = (ctx->filter_params - 2) >> 6; - ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + if (ctx->filter_params > 1) { + ctx->filter_bits = (ctx->filter_params - 2) >> 6; + ctx->filter_length = ctx->filter_params - (ctx->filter_bits << 6) - 1; + } if (ctx->filter_params == FILTER_RAW) { for (i = 0; i < length; i++) From 7b0ad24b1042d34470911fc43474a0c00eb79838 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Oct 2019 16:14:32 +0200 Subject: [PATCH 0698/1764] avcodec/qdrw: Check input for header/skiped space before get_buffer() Fixes: Timeout (21sec -> 0.8sec) Fixes: 17990/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-5200374436200448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b63fbc19c09d0b42da4f83c21fcf362d6ed7c545) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 3a0bc6f760..34c1442063 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -453,6 +453,8 @@ static int decode_frame(AVCodecContext *avctx, avpriv_request_sample(avctx, "Pack type %d", pack_type); return AVERROR_PATCHWELCOME; } + if (bytestream2_get_bytes_left(&gbc) < 30) + return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; From 68274f568e9187f73dac5762bc4238bd6422df26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 20:57:12 +0200 Subject: [PATCH 0699/1764] avcodec/vp5: Check render_x/y Fixes: Timeout (15sec -> 91ms) Fixes: 18353/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP5_fuzzer-5704150326706176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 698e042c77ecb5b0d616de254adc783e8b61b9c4) Signed-off-by: Michael Niedermayer --- libavcodec/vp5.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index db97e7f772..247225e0fa 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -48,6 +48,8 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); if (s->frames[VP56_FRAME_CURRENT]->key_frame) { + int render_x, render_y; + vp56_rac_gets(c, 8); if(vp56_rac_gets(c, 5) > 5) return AVERROR_INVALIDDATA; @@ -63,8 +65,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) cols << 4, rows << 4); return AVERROR_INVALIDDATA; } - vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ - vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + render_y = vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ + render_x = vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ + if (render_x == 0 || render_x > cols || + render_y == 0 || render_y > rows) + return AVERROR_INVALIDDATA; vp56_rac_gets(c, 2); if (!s->macroblocks || /* first frame */ 16*cols != s->avctx->coded_width || From a1d6813649028b274679cdcff5d431824eeb77b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 21:56:03 +0200 Subject: [PATCH 0700/1764] avcodec/g723_1dec: fix invalid shift with negative sid_gain Fixes: left shift of negative value -1 Fixes: 18395/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5710313034350592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1850c3feaa1c7b5b63a55c61075029fa59c84e66) Signed-off-by: Michael Niedermayer --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index f92eb76ba0..d5a8e19f05 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -667,7 +667,7 @@ static int estimate_sid_gain(G723_1_Context *p) if (p->sid_gain < 0) t = INT32_MIN; else t = INT32_MAX; } else - t = p->sid_gain << shift; + t = p->sid_gain * (1 << shift); } else if(shift < -31) { t = (p->sid_gain < 0) ? -1 : 0; }else From 490f931494a8ff26581769f9e9de4a583e17a289 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 23:58:02 +0200 Subject: [PATCH 0701/1764] avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads Fixes: 16144/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_fuzzer-5638618940440576 Fixes: out of array read Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 069be4aa5ddce4479b18896d80a852b144e680df) Signed-off-by: Michael Niedermayer --- libavcodec/libvorbisdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index 89cbbb41b6..3c53b8fdaf 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c @@ -64,22 +64,25 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) { } } else if(*p == 2) { unsigned int offset = 1; + unsigned int sizesum = 1; p++; for(i=0; i<2; i++) { hsizes[i] = 0; - while((*p == 0xFF) && (offset < avccontext->extradata_size)) { + while((*p == 0xFF) && (sizesum < avccontext->extradata_size)) { hsizes[i] += 0xFF; offset++; + sizesum += 1 + 0xFF; p++; } - if(offset >= avccontext->extradata_size - 1) { + hsizes[i] += *p; + offset++; + sizesum += 1 + *p; + if(sizesum > avccontext->extradata_size) { av_log(avccontext, AV_LOG_ERROR, "vorbis header sizes damaged\n"); ret = AVERROR_INVALIDDATA; goto error; } - hsizes[i] += *p; - offset++; p++; } hsizes[2] = avccontext->extradata_size - hsizes[0]-hsizes[1]-offset; From 132e4e5460c8c46c144bad7ae80fea1f2e0e0799 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2019 23:26:52 +0100 Subject: [PATCH 0702/1764] avcodec/apedec: Only clear the needed buffer space, instead of all Fixes: Timeout (15sec -> 0.4sec) Fixes: 18396/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5730080487112704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f17ea0200178a4dae446a6bec2f68312f41714a0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9f1e8123b7..9409a4727d 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1500,7 +1500,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); - memset(s->decoded_buffer, 0, s->decoded_size); + memset(s->decoded_buffer, 0, decoded_buffer_size); s->decoded[0] = s->decoded_buffer; s->decoded[1] = s->decoded_buffer + FFALIGN(blockstodecode, 8); From 7369aa201e71caee68a6d6e279163ec42ec1a43a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Oct 2019 23:38:47 +0100 Subject: [PATCH 0703/1764] avcodec/adpcm: Fix invalid shifts in ADPCM DTK Fixes: left shift of negative value -1 Fixes: 18397/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_DTK_fuzzer-5675653487132672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 34e701ff93b664703e1bc1b1a6073fa058b02f34) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 938b09bfb5..5b77fa15c9 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1630,7 +1630,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, else sampledat = sign_extend(byte >> 4, 4); - sampledat = (((sampledat << 12) >> (header & 0xf)) << 6) + prev; + sampledat = ((sampledat * (1 << 12)) >> (header & 0xf)) * (1 << 6) + prev; *samples++ = av_clip_int16(sampledat >> 6); c->status[channel].sample2 = c->status[channel].sample1; c->status[channel].sample1 = sampledat; From 2635bfb2b39e786da248f33be96baf5fc76feba5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Oct 2019 00:12:59 +0100 Subject: [PATCH 0704/1764] avcodec/wmalosslessdec: Fix some integer anomalies Fixes: left shift of negative value -341180 Fixes: 18401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5686380134400000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d3dee676b8a8ab6752c599e25c9b5461f06a3959) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 19bac949d4..d4f18b9841 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -766,7 +766,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ for (icoef = coef_begin; icoef < coef_end; icoef++) { \ int##bits##_t *prevvalues = (int##bits##_t *)s->cdlms[ch][ilms].lms_prevvalues; \ - pred = 1 << (s->cdlms[ch][ilms].scaling - 1); \ + pred = (1 << s->cdlms[ch][ilms].scaling) >> 1; \ residue = s->channel_residues[ch][icoef]; \ pred += s->dsp.scalarproduct_and_madd_int## bits (s->cdlms[ch][ilms].coefs, \ prevvalues + s->cdlms[ch][ilms].recent, \ @@ -987,9 +987,9 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) { if (s->bits_per_sample == 16) { - *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] << padding_zeroes; + *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes); } else { - *s->samples_32[c]++ = s->channel_residues[c][j] << (padding_zeroes + 8); + *s->samples_32[c]++ = s->channel_residues[c][j] * (256 << padding_zeroes); } } } From 64b961273aac24522a0f850386425a62ff933072 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 09:31:22 +0100 Subject: [PATCH 0705/1764] avcodec/utils: Check block_align Fixes: out of array access Fixes: 18432/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5675574936207360 Fixes: 18326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5071752362721280 Fixes: 18384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV1_fuzzer-5769439500304384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f011572e66c8dd2f0ac3cb147a769e91f24e0202) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index c367d8b7c9..6e72329f04 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -783,6 +783,11 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code ret = AVERROR(EINVAL); goto free_and_end; } + if (avctx->block_align < 0) { + av_log(avctx, AV_LOG_ERROR, "Invalid block align: %d\n", avctx->block_align); + ret = AVERROR(EINVAL); + goto free_and_end; + } avctx->codec = codec; if ((avctx->codec_type == AVMEDIA_TYPE_UNKNOWN || avctx->codec_type == codec->type) && From a154ec5f43a581a4f98deae948ee5e3a90ce39e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Oct 2019 21:39:41 +0200 Subject: [PATCH 0706/1764] avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block() Fixes: signed integer overflow: 1077952576 + 1355863565 cannot be represented in type 'int' Fixes: 16196/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5679842317565952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b655f55eaf09eb99b5e694dba2c0cf73fa2c646) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 80a28a0ac6..1c9e9a93d8 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -568,10 +568,10 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int deltas[10] = GET_TOK(ctx, TM2_L_LO); if (bx > 0) - last[0] = (last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; + last[0] = (int)((unsigned)last[-1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3] + last[1]) >> 1; else - last[0] = (last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; - last[2] = (last[1] + last[3]) >> 1; + last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; + last[2] = (int)((unsigned)last[1] + last[3]) >> 1; t1 = ctx->D[0] + ctx->D[1]; ctx->D[0] = t1 >> 1; From eda94068959f4990c161b36541f11005b6422978 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Oct 2019 22:52:56 +0200 Subject: [PATCH 0707/1764] avcodec/aacdec_template: Check samplerate Fixes: signed integer overflow: 2 * 1881153568 cannot be represented in type 'int' Fixes: 17996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5687126468853760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7730bacb413fcb59f30acef0b2c6d50c5e6382d6) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 5fc4adcd51..a3bec6b04f 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1156,6 +1156,9 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) AACContext *ac = avctx->priv_data; int ret; + if (avctx->sample_rate > 96000) + return AVERROR_INVALIDDATA; + ret = ff_thread_once(&aac_table_init, &aac_static_table_init); if (ret != 0) return AVERROR_UNKNOWN; From f4103876f90f3eb68b64a5015ed3a3a158e82883 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 1 Nov 2019 10:02:29 +0100 Subject: [PATCH 0708/1764] avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags() This compared to the other suggestions is cleaner and easier to understand keeping the condition in the if() simple. This affects alot of fate tests. See: [FFmpeg-devel] [PATCH 05/11] avformat/nutenc: Don't pass NULL to memcmp See: [FFmpeg-devel] [PATCH]lavf/nutenc: Do not call memcmp() with NULL argument Fixes: Ticket 7980 Signed-off-by: Michael Niedermayer (cherry picked from commit e4fdeb3fcefeb98f2225f7ccded156fb175959c5) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index e9a3bb49db..2c2334a69c 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -789,11 +789,12 @@ static int get_needed_flags(NUTContext *nut, StreamContext *nus, FrameCode *fc, flags |= FLAG_CHECKSUM; if (FFABS(pkt->pts - nus->last_pts) > nus->max_pts_distance) flags |= FLAG_CHECKSUM; - if (pkt->size < nut->header_len[fc->header_idx] || - (pkt->size > 4096 && fc->header_idx) || - memcmp(pkt->data, nut->header[fc->header_idx], - nut->header_len[fc->header_idx])) - flags |= FLAG_HEADER_IDX; + if (fc->header_idx) + if (pkt->size < nut->header_len[fc->header_idx] || + pkt->size > 4096 || + memcmp(pkt->data, nut->header [fc->header_idx], + nut->header_len[fc->header_idx])) + flags |= FLAG_HEADER_IDX; return flags | (fc->flags & FLAG_CODED); } From 0c9ad1c746e3a8ccb7c6f292e10c8017c0a9dc3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Oct 2019 22:51:57 +0200 Subject: [PATCH 0709/1764] avcodec/snowenc: Fix 2 undefined shifts Fixes: Ticket7990 Signed-off-by: Michael Niedermayer (cherry picked from commit 8802e329c8317ca5ceb929df48a23eb0f9e852b2) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 0d800b9f49..4e51e18e1f 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -311,7 +311,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ if(P_LEFT[1] > (c->ymax<ymax< (c->xmax<xmax< (c->ymax<ymax<xmin<xmin<xmin * (1<xmin * (1< (c->xmax<xmax< (c->ymax<ymax<spatial_dwt_buffer[y*w + x]=s->spatial_idwt_buffer[y*w + x]<spatial_dwt_buffer[y*w + x]= s->spatial_idwt_buffer[y*w + x] * (1 << ENCODER_EXTRA_BITS); } } } From e0d167051e93bad55a4c009399de1545aa07eeb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Oct 2019 23:03:50 +0200 Subject: [PATCH 0710/1764] avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0 Fixes: Ticket7990 Signed-off-by: Michael Niedermayer (cherry picked from commit 55279d699fa64d8eb1185d8db04ab4ed92e8dea2) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 4e51e18e1f..cdb65ea78b 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -86,6 +86,7 @@ FF_ENABLE_DEPRECATION_WARNINGS s->m.bit_rate= avctx->bit_rate; s->m.lmin = avctx->mb_lmin; s->m.lmax = avctx->mb_lmax; + s->m.mb_num = (avctx->width * avctx->height + 255) / 256; // For ratecontrol s->m.me.temp = s->m.me.scratchpad= av_mallocz_array((avctx->width+64), 2*16*2*sizeof(uint8_t)); From 2258982c8bfc99a6751bd1dc76891bbf3a01fc75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Oct 2019 23:40:21 +0200 Subject: [PATCH 0711/1764] avcodec/dstdec: Check read_table() for failure Fixes: Timeout (too long -> 42sec) Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03ea8d8cd45e55eeb9675c38184dc2149710a557) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 10b89c3c1b..51ca810c05 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -298,11 +298,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, /* Filter Coef Sets (10.12) */ - read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + ret = read_table(gb, &s->fsets, fsets_code_pred_coeff, 7, 9, 1, 0); + if (ret < 0) + return ret; /* Probability Tables (10.13) */ - read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + ret = read_table(gb, &s->probs, probs_code_pred_coeff, 6, 7, 0, 1); + if (ret < 0) + return ret; /* Arithmetic Coded Data (10.11) */ From 3de0c702bdf13ef4fa14840c6060cf70d15716b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Oct 2019 23:42:50 +0200 Subject: [PATCH 0712/1764] avcodec/dstdec: Check that AC probabilities are within range ISO/IEC 14496-3:2005(E): "Each entry of P_one[ ][ ] is in the range of 1 to 128, corresponding to a probability of 1/256 to 128/256 of the next error bit (bit E, See Figure 10.5)..." Fixes: Timeout (42sec ->1sec) Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c3e1b395b47fac44397604b2a3343c4bd92561c) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 51ca810c05..daf906ba0c 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -161,6 +161,10 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[ c -= (x + 4) / 8; else c += (-x + 3) / 8; + if (!is_signed) { + if (c < offset || c >= offset + (1<coeff[i][j] = c; } } From aaa9b96cf6bf257a4709015403e5bb5b38d1d8c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 20:56:23 +0200 Subject: [PATCH 0713/1764] avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() Fixes: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 18281/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5692589180715008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d1719a44dd43b2d9d8ccd26e3b2854e675a7bd7) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9409a4727d..315bd162d5 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -916,7 +916,8 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) { int i, j; int32_t dotprod, sign; - int32_t coeffs[8] = { 0 }, delay[8] = { 0 }; + int32_t delay[8] = { 0 }; + uint32_t coeffs[8] = { 0 }; for (i = 0; i < length; i++) { dotprod = 0; From a687664dd48949e9483a715085f214dbe66721cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 23:22:22 +0200 Subject: [PATCH 0714/1764] avcodec/ffv1dec: Use a different error message for the slice level CRC This way they can be told apart easily Signed-off-by: Michael Niedermayer (cherry picked from commit df498cf544fd4690e5a246925e4de1125b57795b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 5eadb6b158..9a58bb601c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -878,7 +878,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac unsigned crc = av_crc(av_crc_get_table(AV_CRC_32_IEEE), 0, buf_p, v); if (crc) { int64_t ts = avpkt->pts != AV_NOPTS_VALUE ? avpkt->pts : avpkt->dts; - av_log(f->avctx, AV_LOG_ERROR, "CRC mismatch %X!", crc); + av_log(f->avctx, AV_LOG_ERROR, "slice CRC mismatch %X!", crc); if (ts != AV_NOPTS_VALUE && avctx->pkt_timebase.num) { av_log(f->avctx, AV_LOG_ERROR, "at %f seconds\n", ts*av_q2d(avctx->pkt_timebase)); } else if (ts != AV_NOPTS_VALUE) { From 5ebee49b343ba79449074b58d86e6b35f2b10667 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2019 12:12:12 +0200 Subject: [PATCH 0715/1764] avutil/lfg: Document the AVLFG struct Signed-off-by: Michael Niedermayer (cherry picked from commit d6fea2ef221a2f438cc55e82c61d0375750edf94) Signed-off-by: Michael Niedermayer --- libavutil/lfg.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavutil/lfg.h b/libavutil/lfg.h index 03f779ad8a..ab38a8a0df 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -24,6 +24,12 @@ #include +/** + * Context structure for the Lagged Fibonacci PRNG. + * The exact layout, types and content of this struct may change and should + * not be accessed directly. Only its sizeof() is guranteed to stay the same + * to allow easy instanciation. + */ typedef struct AVLFG { unsigned int state[64]; int index; From ffc4603e61453cbdd065c4d5f5da9de02aafbeae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 00:26:25 +0200 Subject: [PATCH 0716/1764] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: 2117181180 + 60483298 cannot be represented in type 'int' Fixes: 18344/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5685327791915008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c038c5c63375883a8a94332cffd701c4cb1301a) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 315bd162d5..0c0c22b18a 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -881,7 +881,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); - p->filterA[filter] = p->filterB[filter] + ((int)(p->filterA[filter] * 31U) >> 5); + p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; } From 4b8a0ce8f7934c14bface833def676b866076925 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 23:31:03 +0200 Subject: [PATCH 0717/1764] avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta() Fixes: Timeout (31sec -> 41ms) Fixes: 18380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5645210121404416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32b3c8ce7d050210d210511cdb8c6644664a70ab) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 1bb7924c98..3d9ce9d29c 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1143,6 +1143,9 @@ static void decode_long_vertical_delta(uint8_t *dst, x = bytestream2_get_be32(&dgb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == (ncolumns - 1))) { @@ -1283,6 +1286,9 @@ static void decode_long_vertical_delta2(uint8_t *dst, x = bytestream2_get_be32(&gb); } + if (ofsdst + (opcode - 1LL) * dstpitch > bytestream2_size_p(&pb)) + return; + while (opcode && bytestream2_get_bytes_left_p(&pb) > 1) { bytestream2_seek_p(&pb, ofsdst, SEEK_SET); if (h && (j == ncolumns - 1)) From f94127a40ef3c20f784b9e073be08e633f347430 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 22:08:37 +0200 Subject: [PATCH 0718/1764] avcodec/xsubdec: fix overflow in alpha handling Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 18368/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XSUB_fuzzer-5702665442426880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9ea997395909907f569787d4ba5b96352ad31a80) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 93fd0f4d50..05c4a64ee5 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -130,7 +130,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, ((uint32_t *)sub->rects[0]->data[1])[i] |= 0xff000000; } else { for (i = 0; i < sub->rects[0]->nb_colors; i++) - ((uint32_t *)sub->rects[0]->data[1])[i] |= *buf++ << 24; + ((uint32_t *)sub->rects[0]->data[1])[i] |= (unsigned)*buf++ << 24; } #if FF_API_AVPICTURE From 8255244f19d81c1455167a7e710425b85ead94ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 22:32:47 +0200 Subject: [PATCH 0719/1764] avcodec/wmavoice: Check sample_rate Fixes: left shift of 538976288 by 8 places cannot be represented in type 'int' Fixes: 18376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5741645391200256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55c97a763783540ee48a326a3e82fbdea42f8280) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 2ec4499981..8871935315 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -429,6 +429,9 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) return AVERROR_INVALIDDATA; } + if (ctx->sample_rate >= INT_MAX / (256 * 37)) + return AVERROR_INVALIDDATA; + s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8; s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8; pitch_range = s->max_pitch_val - s->min_pitch_val; From 25727befccd1a545f89772d75bca45bf12d43b95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 22:02:32 +0200 Subject: [PATCH 0720/1764] avcodec/atrac3plus: Check split point in fill mode 3 Fixes: index 32 out of bounds for type 'int [32]' Fixes: 18350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3P_fuzzer-5643794862571520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de5102fd92de8d353fdf060375ed3ce859c83977) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3plus.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/atrac3plus.c b/libavcodec/atrac3plus.c index 3e3bba801b..f135606e2a 100644 --- a/libavcodec/atrac3plus.c +++ b/libavcodec/atrac3plus.c @@ -456,6 +456,10 @@ static int decode_channel_wordlen(GetBitContext *gb, Atrac3pChanUnitCtx *ctx, } else if (chan->fill_mode == 3) { pos = ch_num ? chan->num_coded_vals + chan->split_point : ctx->num_quant_units - chan->split_point; + if (pos > FF_ARRAY_ELEMS(chan->qu_wordlen)) { + av_log(avctx, AV_LOG_ERROR, "Split point beyond array\n"); + pos = FF_ARRAY_ELEMS(chan->qu_wordlen); + } for (i = chan->num_coded_vals; i < pos; i++) chan->qu_wordlen[i] = 1; } From a76e4ba104badfe9e2e65916e90c2e41b15b5e04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 19:41:27 +0200 Subject: [PATCH 0721/1764] avcodec/cook: Check samples_per_channel earlier Fixes: division by zero Fixes: 18362/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5653727679086592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57750bb629a145326e20b8760f21f1041464a937) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 53cb83852e..f8d401e6ae 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1217,6 +1217,15 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } } + + /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ + if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && + q->samples_per_channel != 1024) { + avpriv_request_sample(avctx, "samples_per_channel = %d", + q->samples_per_channel); + return AVERROR_PATCHWELCOME; + } + /* Generate tables */ init_pow2table(); init_gain_table(q); @@ -1252,14 +1261,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->saturate_output = saturate_output_float; } - /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ - if (q->samples_per_channel != 256 && q->samples_per_channel != 512 && - q->samples_per_channel != 1024) { - avpriv_request_sample(avctx, "samples_per_channel = %d", - q->samples_per_channel); - return AVERROR_PATCHWELCOME; - } - avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (channel_mask) avctx->channel_layout = channel_mask; From d3fe22a1dcec8d006e73744fbfb5fae64e6c279a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Oct 2019 19:59:57 +0200 Subject: [PATCH 0722/1764] avcodec/cook: Enlarge gain table Fixes: index 25 out of bounds for type 'float [23]' Fixes: 18355/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5641398941908992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50001cd440ac89ed125f0154dedbcfa2718d2d68) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index f8d401e6ae..6fabed9ed7 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -143,7 +143,7 @@ typedef struct cook { /* generate tables and related variables */ int gain_size_factor; - float gain_table[23]; + float gain_table[31]; /* data buffers */ @@ -185,8 +185,8 @@ static av_cold void init_gain_table(COOKContext *q) { int i; q->gain_size_factor = q->samples_per_channel / 8; - for (i = 0; i < 23; i++) - q->gain_table[i] = pow(pow2tab[i + 52], + for (i = 0; i < 31; i++) + q->gain_table[i] = pow(pow2tab[i + 48], (1.0 / (double) q->gain_size_factor)); } @@ -670,7 +670,7 @@ static void interpolate_float(COOKContext *q, float *buffer, for (i = 0; i < q->gain_size_factor; i++) buffer[i] *= fc1; } else { // smooth gain - fc2 = q->gain_table[11 + (gain_index_next - gain_index)]; + fc2 = q->gain_table[15 + (gain_index_next - gain_index)]; for (i = 0; i < q->gain_size_factor; i++) { buffer[i] *= fc1; fc1 *= fc2; From d737429008ee2a4362c878bf44dfe966bc545698 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Oct 2019 15:41:51 +0200 Subject: [PATCH 0723/1764] avcodec/twinvq: Check block_align Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 18348/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_METASOUND_fuzzer-6681325716635648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97f778e9c55328e8b48f4b8b4171245e5f2232f6) Signed-off-by: Michael Niedermayer --- libavcodec/twinvq.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 7b2e19e536..34ca1846b9 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -771,23 +771,26 @@ av_cold int ff_twinvq_decode_init(AVCodecContext *avctx) { int ret; TwinVQContext *tctx = avctx->priv_data; + int64_t frames_per_packet; tctx->avctx = avctx; avctx->sample_fmt = AV_SAMPLE_FMT_FLTP; if (!avctx->block_align) { avctx->block_align = tctx->frame_size + 7 >> 3; - } else if (avctx->block_align * 8 < tctx->frame_size) { - av_log(avctx, AV_LOG_ERROR, "Block align is %d bits, expected %d\n", - avctx->block_align * 8, tctx->frame_size); + } + frames_per_packet = avctx->block_align * 8LL / tctx->frame_size; + if (frames_per_packet <= 0) { + av_log(avctx, AV_LOG_ERROR, "Block align is %"PRId64" bits, expected %d\n", + avctx->block_align * (int64_t)8, tctx->frame_size); return AVERROR_INVALIDDATA; } - tctx->frames_per_packet = avctx->block_align * 8 / tctx->frame_size; - if (tctx->frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { - av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%d)\n", - tctx->frames_per_packet); + if (frames_per_packet > TWINVQ_MAX_FRAMES_PER_PACKET) { + av_log(avctx, AV_LOG_ERROR, "Too many frames per packet (%"PRId64")\n", + frames_per_packet); return AVERROR_INVALIDDATA; } + tctx->frames_per_packet = frames_per_packet; tctx->fdsp = avpriv_float_dsp_alloc(avctx->flags & AV_CODEC_FLAG_BITEXACT); if (!tctx->fdsp) { From 07f16ceb8e71c7ae07f45d7a560c20e5ab460d96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 01:12:15 +0200 Subject: [PATCH 0724/1764] avcodec/cook: Move up and extend block_align check Fixes: signed integer overflow: 2046820356 * 8 cannot be represented in type 'int' Fixes: 18391/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5631674666188800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c63edcdd208bf18a3be66e94deb6ac115f6364e) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 6fabed9ed7..dbf55c8226 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1075,6 +1075,9 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (avctx->block_align >= INT_MAX / 8) + return AVERROR(EINVAL); + /* Initialize RNG. */ av_lfg_init(&q->random_state, 0); @@ -1234,10 +1237,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) if ((ret = init_cook_vlc_tables(q))) return ret; - - if (avctx->block_align >= UINT_MAX / 2) - return AVERROR(EINVAL); - /* Pad the databuffer with: DECODE_BYTES_PAD1 or DECODE_BYTES_PAD2 for decode_bytes(), AV_INPUT_BUFFER_PADDING_SIZE, for the bitstreamreader. */ From 965b610359eb761fe59b178f8634a42da3a20aac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 11:12:02 +0200 Subject: [PATCH 0725/1764] avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI Fixes: left shift of negative value -30 Fixes: 18392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_OKI_fuzzer-5631771831435264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7786f6c30e77a393b72ded01baa4250738925509) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 5b77fa15c9..70906c8028 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -293,7 +293,7 @@ static inline int16_t adpcm_ima_oki_expand_nibble(ADPCMChannelStatus *c, int nib c->predictor = av_clip_intp2(predictor, 11); c->step_index = step_index; - return c->predictor << 4; + return c->predictor * 16; } static inline int16_t adpcm_ct_expand_nibble(ADPCMChannelStatus *c, int8_t nibble) From 9e635252fb158cbb02c60c208d040737b50f69d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Oct 2019 12:44:45 +0200 Subject: [PATCH 0726/1764] avcodec/interplayacm: Fix overflow of last unused value Fixes: signed integer overflow: -2147450880 - 65535 cannot be represented in type 'int' Fixes: 18393/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5667520110919680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10eabb8e40df0ad84470d750f903917f4a05cb1f) Signed-off-by: Michael Niedermayer --- libavcodec/interplayacm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c index c897e72bb6..c2e50dc6b9 100644 --- a/libavcodec/interplayacm.c +++ b/libavcodec/interplayacm.c @@ -528,7 +528,7 @@ static int decode_block(InterplayACMContext *s) for (i = 1, x = -val; i <= count; i++) { s->midbuf[-i] = x; - x -= val; + x -= (unsigned)val; } ret = fill_block(s); From 955c310b75ddd1dccf29c9dec41c9dde252c05cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Sep 2019 15:54:45 +0200 Subject: [PATCH 0727/1764] avcodec/wmaprodec: get frame during frame decode Fixes: memleak Fixes: 17615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5681306024804352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0f89a2293ea5f642a67700225d76948ed154418e) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index fc96278512..8429c8dec6 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1765,6 +1765,12 @@ static int xma_decode_packet(AVCodecContext *avctx, void *data, AVFrame *frame = data; int i, ret, offset = INT_MAX; + if (!s->frames[s->current_stream]->data[0]) { + s->frames[s->current_stream]->nb_samples = 512; + if ((ret = ff_get_buffer(avctx, s->frames[s->current_stream], 0)) < 0) { + return ret; + } + } /* decode current stream packet */ ret = decode_packet(avctx, &s->xma[s->current_stream], s->frames[s->current_stream], &got_stream_frame_ptr, avpkt); @@ -1889,10 +1895,6 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->frames[i] = av_frame_alloc(); if (!s->frames[i]) return AVERROR(ENOMEM); - s->frames[i]->nb_samples = 512; - if ((ret = ff_get_buffer(avctx, s->frames[i], 0)) < 0) { - return AVERROR(ENOMEM); - } s->start_channel[i] = start_channels; start_channels += s->xma[i].nb_channels; From 1b814e6afffb99eb471b61fce986e9b117856835 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 19 Jun 2019 13:41:01 +0200 Subject: [PATCH 0728/1764] lavc/tableprint_vlc: Remove avpriv_request_sample() from included files. Fixes compilation with --enable-hardcoded-tables. Fixes ticket #7962. (cherry picked from commit c8232e50074f6f9f9b0674d0a5433f49d73a4e50) Signed-off-by: Michael Niedermayer --- libavcodec/tableprint_vlc.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h index 3004be3f9c..b3ff36562b 100644 --- a/libavcodec/tableprint_vlc.h +++ b/libavcodec/tableprint_vlc.h @@ -36,6 +36,7 @@ #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H #define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this +#define avpriv_request_sample(...) #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" From 6e208e78d365ffe775cc6e772a82d3cabc5ba4c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Nov 2019 17:19:45 +0100 Subject: [PATCH 0729/1764] Update for 3.4.7 Signed-off-by: Michael Niedermayer --- Changelog | 303 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 305 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 3c234352b9..34176c53fa 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,309 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.7: +- lavc/tableprint_vlc: Remove avpriv_request_sample() from included files. +- avcodec/wmaprodec: get frame during frame decode +- avcodec/interplayacm: Fix overflow of last unused value +- avcodec/adpcm: Fix undefined behavior with negative predictions in IMA OKI +- avcodec/cook: Move up and extend block_align check +- avcodec/twinvq: Check block_align +- avcodec/cook: Enlarge gain table +- avcodec/cook: Check samples_per_channel earlier +- avcodec/atrac3plus: Check split point in fill mode 3 +- avcodec/wmavoice: Check sample_rate +- avcodec/xsubdec: fix overflow in alpha handling +- avcodec/iff: Check available space before entering loop in decode_long_vertical_delta2() / decode_long_vertical_delta() +- avcodec/apedec: Fix integer overflow in filter_3800() +- avutil/lfg: Document the AVLFG struct +- avcodec/ffv1dec: Use a different error message for the slice level CRC +- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() +- avcodec/dstdec: Check that AC probabilities are within range +- avcodec/dstdec: Check read_table() for failure +- avcodec/snowenc: Set mb_num to avoid ratecontrol floating point divisions by 0.0 +- avcodec/snowenc: Fix 2 undefined shifts +- avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags() +- avcodec/aacdec_template: Check samplerate +- avcodec/truemotion2: Fix several integer overflows in tm2_low_res_block() +- avcodec/utils: Check block_align +- avcodec/wmalosslessdec: Fix some integer anomalies +- avcodec/adpcm: Fix invalid shifts in ADPCM DTK +- avcodec/apedec: Only clear the needed buffer space, instead of all +- avcodec/libvorbisdec: Fix insufficient input checks leading to out of array reads +- avcodec/g723_1dec: fix invalid shift with negative sid_gain +- avcodec/vp5: Check render_x/y +- avcodec/qdrw: Check input for header/skiped space before get_buffer() +- avcodec/ralf: Skip initializing unused filter variables +- avcodec/takdec: Fix overflow with large sample rates +- avcodec/alsdec: Check that input space for header exists in read_diff_float_data() +- avformat/pjsdec: Check duration for overflow +- avcodec/ptx: Check that the input contains at least one line +- avcodec/alac: Fix integer overflow in LPC +- avcodec/smacker: Fix integer overflows in pred[] in smka_decode_frame() +- avcodec/aliaspixdec: Check input size against minimal picture size +- avcodec/ffwavesynth: Fix integer overflows in pink noise addition +- avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv() +- avcodec/wmalosslessdec: Check block_align +- avcodec/g729postfilter: Fix left shift of negative value +- avcodec/binkaudio: Check sample rate +- avcodec/adpcm: Check initial predictor for ADPCM_IMA_EA_EACS +- avcodec/g723_1dec: Fix overflow in shift +- avcodec/apedec: Fix integer overflow in predictor_update_3930() +- avcodec/g729postfilter: Fix undefined intermediate pointers +- avcodec/g729postfilter: Fix undefined shifts +- avcodec/lsp: Fix undefined shifts in lsp2poly() +- avcodec/adpcm: Fix left shifts in AV_CODEC_ID_ADPCM_EA +- avformat/shortendec: Check k in probe +- avfilter/vf_geq: Use av_clipd() instead of av_clipf() +- avcodec/wmaprodec: Check that the streams channels do not exceed the overall channels +- avcodec/qdmc: Check input space in qdmc_get_vlc() +- avcodec/pcm: Check bits_per_coded_sample +- avcodec/exr: Allow duplicate use of channel indexes +- avcodec/fitsdec: Fail on 0 naxisn +- avcodec/ituh263dec: Check input for minimal frame size +- avcodec/truemotion1: Check that the input has enough space for a minimal index_stream +- avformat/mpsubdec: Clear queue on error +- avcodec/sunrast: Check that the input is large enough for the maximally compressed image +- avcodec/sunrast: Check for availability of maplength before allocating image +- avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize() +- avcodec/wmaprodec: Check if there is a stream +- avcodec/g2meet: Check for end of input in jpg_decode_block() +- avcodec/g2meet: Check if adjusted pixel was on the stack +- avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet +- avcodec/utils: Check sample_rate before opening the decoder +- avcodec/fitsdec: fix use of uninitialised values +- avcodec/motionpixels: Mark 2 functions as always_inline +- avcodec/ralf: Fix integer overflow in decode_channel() +- vcodec/vc1: compute rangex/y only for P/B frames +- avcodec/vc1_pred: Fix invalid shifts in scaleforopp() +- avcodec/vc1_block: Fix invalid shift with rangeredfrm +- avcodec/vc1: Check for excessive resolution +- avcodec/vc1: check REFDIST +- avcodec/apedec: Fix several integer overflows in predictor_update_filter() and do_apply_filter() +- avcodec/hevc_cabac: Tighten the limit on k in ff_hevc_cu_qp_delta_abs() +- avcodec/4xm: Check index in decode_i_block() also in the path where its not used. +- avcodec/atrac3: Check block_align +- avcodec/alsdec: Avoid dereferencing context pointer in inner interleave loop +- avcodec/fitsdec: Prevent division by 0 with huge data_max +- avcodec/dstdec: Fix integer overflow in samples_per_frame computation +- avcodec/g729_parser: Check block_size +- avcodec/utils: Optimize ff_color_frame() using memcpy() +- avcodec/aacdec: Check if we run out of input in read_stream_mux_config() +- avcodec/utils: Use av_memcpy_backptr() in ff_color_frame() +- avcodec/smacker: Fix integer overflow in signed int multiply in SMK_BLK_FILL +- avcodec/alac: Fix invalid shifts in 20/24 bps +- avcodec/alac: fix undefined behavior with INT_MIN in lpc_prediction() +- avcodec/ffwavesynth: Fix integer overflow in timestamps +- avcodec/adpcm: Check number of channels for MTAF +- avcodec/sunrast: Fix indention +- avcodec/sunrast: Fix return type for "unsupported (compression) type" +- avformat/mov: Check for EOF in mov_read_meta() +- avcodec/hevcdec: Fix memleak of a53_caption +- avformat/cdxl: Fix integer overflow in intermediate +- avcodec/hevcdec: repeat character in skiped +- avcodec/gdv: Replace assert() checking bitstream by if() +- libavcodec/utils: Free threads on init failure +- avcodec/htmlsubtitles: Avoid locale dependant isdigit() +- avcodec/alsdec: Check k from being outside what our implementation can handle +- avcodec/takdec: Fix integer overflow in decorrelate() +- avcodec/aacps: Fix integer overflows in hybrid_synthesis() +- avcodec/vp56rac: delay signaling an error on truncated input +- avcodec/vp5/6/8: use vpX_rac_is_end() +- avcodec/vp56: Add vpX_rac_is_end() to check for the end of input +- avcodec/qdm2: Check frame size +- avcodec/vc1_pred: Fix refdist in scaleforopp() +- avcodec/vorbisdec: fix FASTDIV usage for vr_type == 2 +- avcodec/iff: Check for overlap in cmap_read_palette() +- avcodec/apedec: Fix 32bit int overflow in do_apply_filter() +- avcodec/ralf: fix undefined shift in extend_code() +- avcodec/ralf: fix undefined shift +- avcodec/bgmc: Check input space in ff_bgmc_decode_init() +- avcodec/truemotion2: Fix multiple integer overflows in tm2_null_res_block() +- avcodec/vc1dec: Require res_sprite for wmv3images +- avcodec/vc1_block: Check for double escapes +- avcodec/vorbisdec: Check get_vlc2() failure +- avcodec/tta: Fix integer overflow in prediction +- avcodec/vb: Check input packet size to be large enough to contain flags +- avcodec/cavsdec: Limit the number of access units per packet to 2 +- avcodec/alac: Check for bps of 0 +- avcodec/alac: Fix multiple integer overflows in lpc_prediction() +- avcodec/rl2: set dimensions +- avcodec/aacdec: Add FF_CODEC_CAP_INIT_CLEANUP +- avcodec/idcinvideo: Add 320x240 default maximum resolution +- avformat/realtextdec: free queue on error +- avcodec/alsdec: Fix integer overflow in decode_var_block_data() +- avcodec/alsdec: Limit maximum channels to 512 +- avcodec/anm: Check input size for a frame with just a stop code +- avcodec/flicvideo: Optimize and Simplify FLI_COPY in flic_decode_frame_24BPP() by using bytestream2_get_buffer() +- avcodec/loco: Check left column value +- avcodec/ffwavesynth: Fixes invalid shift with pink noise seeking +- avcodec/ffwavesynth: Fix integer overflow for some corner case values +- avcodec/indeo2: Check remaining input more often +- avcodec/diracdec: Check that slices are fewer than pixels +- avcodec/vp56: Consider the alpha start as end of the prior header +- avcodec/4xm: Check for end of input in decode_p_block() +- avcodec/hevcdec: Check delta_luma_weight_l0/1 +- avcodec/hnm4video: Optimize postprocess_current_frame() +- avcodec/hevc_refs: Optimize 16bit generate_missing_ref() +- avcodec/scpr: Use av_memcpy_backptr() in type 17 and 33 +- avcodec/dds: Use ff_set_dimensions() +- avcodec/mpc8: Fix 32bit mask/enum +- avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data() +- avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks() +- avcodec/alsdec: fix mantisse shift +- avcodec/aacdec_template: fix integer overflow in imdct_and_windowing() +- libavcodec/iff: Use unsigned to avoid undefined behaviour +- avcodec/alsdec: Check for block_length <= 0 in read_var_block_data() +- avcodec/vqavideo: Set video size +- avcodec/sanm: Check extradata_size before allocations +- avcodec/mss1: check for overread and forward errors +- avcodec/dirac_parser: Fix overflow in dts +- avcodec/ralf: Fix undefined pointer in decode_channel() +- avcodec/ralf: Fix integer overflow in apply_lpc() +- avcodec/vorbisdec: Implement vr->classifications = 1 +- avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divide +- avformat/realtextdec: Check for duplicate extradata in realtext_read_header() +- avcodec/apedec: Fix 2 signed overflows +- avcodec/mss3: Check for the rac stream being invalid in rac_normalize() +- avcodec/vc1_block: Check get_vlc2() return before use +- avcodec/apedec: Do not partially clear data array +- avcodec/hnm4video: Forward errors of decode_interframe_v4() +- avcodec/vp3: Check that theora is theora +- avcodec/vc1_pred: Fix invalid shift in scaleforsame() +- avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc() +- avcodec/truemotion2: Fix several integer overflows in tm2_motion_block() +- avcodec/apedec: make left/right unsigned to avoid undefined behavior +- avcodec/apedec: Fix multiple integer overflows and undefined behaviorin filter_3800() +- avformat/mpc: deallocate frames array on errors +- avcodec/eatqi: Check for minimum frame size +- avcodec/eatgv: Check remaining size after the keyframe header +- avcodec/assdec: undefined use of memcpy() +- avcodec/brenderpix: Check input size before allocating image +- lafv/wavdec: Fail bext parsing on incomplete reads +- avcodec/utils: fix leak of subtitle_header on error path +- avcodec/utils: Check close before calling it +- avcodec/vorbisdec: Check vlc for floor0 dec vector offset +- avcodec/vorbisdec: amplitude bits can be more than 25 bits +- avutil/softfloat_ieee754: Fix odd bit position for exponent and sign in av_bits2sf_ieee754() +- avcodec/apedec: Fix various integer overflows +- avcodec/apedec: Fix multiple integer overflows in predictor_update_filter() +- avcodec/alsdec: fix undefined shift in multiply() +- avcodec/alsdec: Fix 2 integer overflows +- avcodec/flicvideo: Make line_packets int +- avcodec/dvbsubdec: Use ff_set_dimensions() +- avcodec/ffwavesynth: Check if there is enough extradata before allocation +- avcodec/ffwavesynth: More correct cast in wavesynth_seek() +- avcodec/ffwavesynth: Check sample rate before use +- avcodec/dnxhd_parser: Fix parser when input does not have nicely sized packets +- avcodec/dnxhd_parser: remove unneeded code +- avformat/utils: Check rfps_duration_sum for overflow +- avcodec/h264_refs: Also check reference in ff_h264_build_ref_list() +- avcodec/parser: Check next index validity in ff_combine_frame() +- avcodec/ivi: Ask for samples with odd tiles +- avformat/xmv: Make bitrate 64bit +- avcodec/pngdec: Check that previous_picture has same w/h/format +- avcodec/huffyuv: remove gray8a (the format is listed but not supported by the implementation) +- avcodec/mpc8: Fixes invalid shift in mpc8_decode_frame() +- avcodec/utils, avcodec_open2: close codec on failure +- avcodec/golomb: Correct the doxy about get_ue_golomb() and errors +- avformat/utils: Check timebase before use in estimate_timings() +- avcodec/hq_hqa: Use ff_set_dimensions() +- avcodec/rv10: Fix integer overflow in aspect ratio compare +- avcodec/4xm: Fix signed integer overflows in idct() +- avcodec/qdm2: Check checksum_size for 0 +- avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop +- avcodec/qdm2: Do not read out of array in fix_coding_method_array() +- avcodec/svq3: Use ff_set_dimension() +- avcodec/iff: Check ham vs bpp +- avcodec/ffwavesynth: use uint32_t to compute difference, it is enough +- avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case +- avcodec/ffwavesynth: Fix backward lcg_seek() +- avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP() +- avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff() +- avcodec/alac: Check lpc_quant +- avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP +- avcodec/alsdec: Fix integer overflow with buffer number +- avcodec/alsdec: Fixes signed integer overflow in LSB addition +- avcodec/alsdec: Check opt_order / sb_length in ra_block handling +- avcodec/alsdec: Fix integer overflow with shifting samples +- avcodec/alsdec: Fix undefined behavior in decode_rice() +- avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT() +- avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight +- avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns +- avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check +- avformat/aviobuf: Delay buffer downsizing until asserts are met +- avcodec/fitsdec: Check data_min/max +- avcodec/m101: Fix off be 2 error +- avcodec/qdm2: Move fft_order check up +- avcodec/libvorbisdec: Check extradata size +- avformat/vqf: Check header_size +- avcodec/utils: Check bits_per_coded_sample +- avcodec/videodsp_template: Fix overflow of addition +- avcodec/alsdec: Fix invalid shift in multiply() +- avcodec/ffwavesynth: Check ts_end - ts_start for overflow +- avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c +- avcodec/tta: Fix undefined shift +- avcodec/qdmc: Fix integer overflows in PRNG +- avcodec/bintext: Check font height +- avcodec/binkdsp: Fix integer overflows in idct +- avcodec/motionpixels: Check for vlc error in mp_get_vlc() +- avcodec/loco: Limit lossy parameter so it is sane and does not overflow +- avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed +- avcodec/xpmdec: Do not use context dimensions as temporary variables +- avcodec/fitsdec: Fix division by 0 in size check +- avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c() +- avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block() +- avcodec/iff: finetune the palette size check in the mask case +- avcodec/iff: Fix mask_buf / mask_palbuf leak +- avformat/icodec: Free ico->images on error paths +- avformat/wsddec: Fix undefined shift +- avcodec/fmvc: Check if header fields are available before allocating the image +- avcodec/bink: Reorder operations in init to avoid memleak on error +- avformat/wtvdec: Avoid (32bit signed) sectors +- avcodec/bitstream: Check for more conflicting codes in build_table() +- avcodec/bitstream: Check for integer code truncation in build_table() +- avformat/sbgdec: Fixes integer overflow in str_to_time() with hours +- avformat/vpk: Check offset for validity +- avformat/vpk: Fix integer overflow in samples_per_block computation +- avcodec/mjpegdec: Check for non ls PAL8 +- avcodec/interplayvideo: check decoding_map_size with video_data_size +- avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle +- avcodec/mss4: Check input size against skip bits +- avcodec/diracdec: Fix integer overflow in global_mv() +- avcodec/vmnc: Check available space against chunks before reget_buffer() +- avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure) +- avcodec/aacdec_fixed: Handle more extreem cases in noise_scale() +- avcodec/aacdec_template: Merge 3 #ifs related to noise handling +- avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify +- avformat/mp3enc: Avoid SEEK_END as it is unsupported +- avcodec/truemotion2: Fix several integer overflows in tm2_update_block() +- avformat/webm_chunk: Specify expected argument length of get_chunk_filename() +- avformat/webm_chunk: Check header filename length +- avcodec/cpia: Check input size also against linesizes and EOL +- swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes +- libswcale: Fix possible string overflow in test. +- avcodec/hq_hqa: Check available space before reading slice offsets +- lavf/webm_chunk: Respect buffer size +- avcodec/fits: Check bitpix +- avcodec/jvdec: Use ff_get_buffer() when the content is not reused +- avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block() +- avcodec/jpeg2000: Check stepsize before using it +- avcodec/aacdec_fixed: Fix undefined shift in noise_scale() +- avutil/avstring: Fix bug and undefined behavior in av_strncasecmp() +- avformat/mov: Skip stsd adjustment without chunks +- avformat/aadec: Check for scanf() failure +- avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside +- avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform() +- avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation +- avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks() +- avcodec/rscc: Check that the to be uncompressed input is large enough +- avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it +- lavf/rawenc: Only accept the appropriate stream type for raw muxers. +- avcodec/h263dec: fix hwaccel decoding +- avutil/mem: Fix invalid use of av_alloc_size +- avformat/aacdec: resync to the next adts frame on invalid data instead of aborting +- avformat/aacdec: factorize the adts frame resync code + version 3.4.6: - avcodec/hevcdec: Avoid only partly skiping duplicate first slices - lavc/bmp: Avoid a heap buffer overwrite for 1bpp input. diff --git a/RELEASE b/RELEASE index 1cf8253024..2aa5131992 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.6 +3.4.7 diff --git a/doc/Doxyfile b/doc/Doxyfile index 79b27a6b2f..f9aee57c56 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.6 +PROJECT_NUMBER = 3.4.7 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 0a4d2b5f674ed1b4632b550d9a176de05fab7a16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Nov 2019 21:16:32 +0100 Subject: [PATCH 0730/1764] avformat/mp3dec: Check that the frame fits within the probe buffer Signed-off-by: Michael Niedermayer (cherry picked from commit e9a335150a62bb377a26ce096187b4476145d02b) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index a5c4f2ea12..7720a8c19f 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -89,7 +89,7 @@ static int mp3_read_probe(AVProbeData *p) header = AV_RB32(buf2); ret = avpriv_mpegaudio_decode_header(&h, header); - if (ret != 0) + if (ret != 0 || end - buf2 < h.frame_size) break; buf2 += h.frame_size; } From c2f81cfc78fe59b1dbdb8d10dcda43bc8365e655 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 23:41:49 +0200 Subject: [PATCH 0731/1764] avcodec/sonic: Fix integer overflow in predictor_calc_error() Fixes: signed integer overflow: 5 * -1094995529 cannot be represented in type 'int' Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c8c17b8cef77dc052e8845e5fd86daf2983fd7dd) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 2e3ca79fdd..953c70fcd4 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -473,7 +473,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error) { int k_value = *k_ptr, state_value = *state_ptr; x -= shift_down(k_value * state_value, LATTICE_SHIFT); - state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT); + state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) From 5222756b36fe2172903e1e165deb7c05cb34b025 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Oct 2019 18:30:07 +0100 Subject: [PATCH 0732/1764] avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter() Fixes: signed integer overflow: 7400 + 2147482786 cannot be represented in type 'int' Fixes: 18405/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5708834760294400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc3f327e7403a34c88a900f0b8de55b4afd7cf6c) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0c0c22b18a..7d07f5f8f1 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1268,7 +1268,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, f->adaptcoeffs - order, order, APESIGN(*data)); res = (int)(res + (1U << (fracbits - 1))) >> fracbits; - res += *data; + res += (unsigned)*data; *data++ = res; /* Update the output history */ From 0e96cffff6e4bf4ac7e9a4022af81bbb228a9488 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 15:22:53 +0100 Subject: [PATCH 0733/1764] avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid Fixes: Timeout (217sec -> 2ms) Fixes: 18488/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5708293662310400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e36ccb5048f052b8b2ef08281cb607fa53a7b7e4) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index ac8ae8cbbb..7b9d50b234 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1704,7 +1704,7 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) s->group_size = bytestream2_get_be32(&gb); s->fft_size = bytestream2_get_be32(&gb); s->checksum_size = bytestream2_get_be32(&gb); - if (s->checksum_size >= 1U << 28 || !s->checksum_size) { + if (s->checksum_size >= 1U << 28 || s->checksum_size <= 1) { av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size); return AVERROR_INVALIDDATA; } From 313af229425799e15f0d810cbec1af65e5293a8a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 15:00:32 +0100 Subject: [PATCH 0734/1764] avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling The intermediates are required to fit in 12bit (8.1.3.9 Coefficient Scaling) See SMPTE 421M-2006 and Amendment 1-2007 Fixes: signed integer overflow: -20691 * 262144 cannot be represented in type 'int' Fixes: 18479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5128912371187712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7fc1baf0ca83ef06014878290339a59735603959) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 51a2f41316..b4a674978f 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1013,10 +1013,10 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, return AVERROR_INVALIDDATA; if (dc_pred_dir) { // left for (k = 1; k < 8; k++) - block[k << v->left_blk_sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->left_blk_sh] += (int)(ac_val[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } else { //top for (k = 1; k < 8; k++) - block[k << v->top_blk_sh] += (ac_val[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + block[k << v->top_blk_sh] += (int)(ac_val[k + 8] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } else { if (dc_pred_dir) { // left From b385b34761415735c464b9560b1f64f8babc9ee6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 14:38:16 +0100 Subject: [PATCH 0735/1764] avcodec/wmadec: Require previous exponents for reuse Fixes: division by zero Fixes: 18474/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5764986962182144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c54b9fc42fee613e2c4c0dae2052ff94cd15e254) Signed-off-by: Michael Niedermayer --- libavcodec/wma.h | 1 + libavcodec/wmadec.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 325f03c44b..8344cb5b93 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h @@ -123,6 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; + int exponents_initialized; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 78b51e5871..bb9bc8d236 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -587,6 +587,9 @@ static int wma_decode_block(WMACodecContext *s) s->exponents_bsize[ch] = bsize; } } + s->exponents_initialized = 1; + }else if (!s->exponents_initialized) { + return AVERROR_INVALIDDATA; } /* parse spectral coefficients : just RLE encoding */ From 978aa2ae50877e8575d6f5061787f836dd2227d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 15:52:52 +0100 Subject: [PATCH 0736/1764] avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() Fixes: left shift of negative value -249 Fixes: 18566/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5649394561187840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b7d02642b2096622cee6165fea1301bb9ad54ff) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 1d881cf7ae..ca8817aa21 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -408,7 +408,7 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, case 4: for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; - t2 = ((ch0[i] + ctx->bias[0]) << 1) | (t & 1); + t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); dst0[i] = (t2 + t) / 2; dst1[i] = (t2 - t) / 2; } From eabece8639dd0a4f887319b9f22dbbcb72df32d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2019 23:51:58 +0200 Subject: [PATCH 0737/1764] avcodec/atrac3: Check for huge block aligns The largest documented frame size = block align is 1024 bytes (https://wiki.multimedia.cx/index.php/ATRAC3) Without a limit this can allocate arbitrary memory and trigger OOM Fixes: OOM Fixes: 18337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3_fuzzer-5763861478637568 Fixes: 18556/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC3AL_fuzzer-5646183334936576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f09151fff9c754fbc1d2560adf18b14957f8b181) Signed-off-by: Michael Niedermayer --- libavcodec/atrac3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c index dc19a3863e..067aa23f1f 100644 --- a/libavcodec/atrac3.c +++ b/libavcodec/atrac3.c @@ -964,7 +964,7 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } - if (avctx->block_align >= UINT_MAX / 2 || avctx->block_align <= 0) + if (avctx->block_align > 1024 || avctx->block_align <= 0) return AVERROR(EINVAL); q->decoded_bytes_buffer = av_mallocz(FFALIGN(avctx->block_align, 4) + From b9735a0271a95d4188b195723e31a817cd6bd33a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Oct 2019 19:12:23 +0100 Subject: [PATCH 0738/1764] avcodec/iff: Move index use after check in decodeplane8() Fixes: index 9 out of bounds for type 'const uint64_t [8][256]' Fixes: 18409/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5767030560522240 Fixes: 18720/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5651995784642560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f8b36cc45406f66aac635a4db32d2a5cc29f43) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 3d9ce9d29c..8a2ae2542d 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -456,11 +456,12 @@ static av_cold int decode_init(AVCodecContext *avctx) */ static void decodeplane8(uint8_t *dst, const uint8_t *buf, int buf_size, int plane) { - const uint64_t *lut = plane8_lut[plane]; + const uint64_t *lut; if (plane >= 8) { av_log(NULL, AV_LOG_WARNING, "Ignoring extra planes beyond 8\n"); return; } + lut = plane8_lut[plane]; do { uint64_t v = AV_RN64A(dst) | lut[*buf++]; AV_WN64A(dst, v); From e5baac772ccbabda4eb06fc48cbf332660da6815 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Nov 2019 22:46:42 +0100 Subject: [PATCH 0739/1764] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Changelog b/Changelog index 34176c53fa..7bc36db2db 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,15 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.7: +- avcodec/iff: Move index use after check in decodeplane8() +- avcodec/atrac3: Check for huge block aligns +- avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() +- avcodec/wmadec: Require previous exponents for reuse +- avcodec/vc1_block: Fix undefined behavior in ac prediction rescaling +- avcodec/qdm2: The smallest header seems to have 2 bytes so treat 1 as invalid +- avcodec/apedec: Fixes integer overflow of res+*data in do_apply_filter() +- avcodec/sonic: Fix integer overflow in predictor_calc_error() +- avformat/mp3dec: Check that the frame fits within the probe buffe - lavc/tableprint_vlc: Remove avpriv_request_sample() from included files. - avcodec/wmaprodec: get frame during frame decode - avcodec/interplayacm: Fix overflow of last unused value From e2def5f382b03eeec8ec3662daed4381d9c95b92 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 21:58:26 +0200 Subject: [PATCH 0740/1764] avcodec/cngdec: Remove AV_CODEC_CAP_DELAY As is the decoder will never stop, it will cause an infinite loop. The RFC seems only to speak of non empty packets so endlessly generating noise from the last empty flush packets seems wrong. Fixes: infinite loop Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 327a968817a366c24d1513526258a3dbbcf888a7) Signed-off-by: Michael Niedermayer --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 28432ac719..6b3e5ad7c8 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -174,5 +174,5 @@ AVCodec ff_comfortnoise_decoder = { .close = cng_decode_close, .sample_fmts = (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, - .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_DR1, + .capabilities = AV_CODEC_CAP_DR1, }; From 650ce5047cf3e8286e6fbca8cdf14b1bb885bcb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2019 21:27:41 +0200 Subject: [PATCH 0741/1764] avutil/lfg: Correct index increment type to avoid undefined behavior Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6014bcf1b74e903f535461ade4aa5fb44dbf5d8b) Signed-off-by: Michael Niedermayer --- libavutil/lfg.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/lfg.h b/libavutil/lfg.h index ab38a8a0df..2b669205d1 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -51,8 +51,9 @@ int av_lfg_init_from_data(AVLFG *c, const uint8_t *data, unsigned int length); * it may be good enough and faster for your specific use case. */ static inline unsigned int av_lfg_get(AVLFG *c){ - c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; - return c->state[c->index++ & 63]; + unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; + c->index += 1U; + return a; } /** @@ -63,7 +64,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){ static inline unsigned int av_mlfg_get(AVLFG *c){ unsigned int a= c->state[(c->index-55) & 63]; unsigned int b= c->state[(c->index-24) & 63]; - return c->state[c->index++ & 63] = 2*a*b+a+b; + a = c->state[c->index & 63] = 2*a*b+a+b; + c->index += 1U; + return a; } /** From f3e553e36a98efd6cadf49ae3bdf4171210b521e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Oct 2019 23:02:27 +0200 Subject: [PATCH 0742/1764] avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases Fixes: shift exponent -14 is negative Fixes: 18335/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RAWVIDEO_fuzzer-5723267192586240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5634e2052533fcce46f20c2720b0c8d5f55143ce) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 1893b26444..2314809ea7 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -221,7 +221,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, FFALIGN(avctx->width, 16), avctx->height, 1); } else { - context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample && avctx->bits_per_coded_sample < 16; + context->is_lt_16bpp = av_get_bits_per_pixel(desc) == 16 && avctx->bits_per_coded_sample > 8 && avctx->bits_per_coded_sample < 16; context->frame_size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); } From 66e701af697da60553f2252ab617081b11672854 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 15:15:46 +0100 Subject: [PATCH 0743/1764] avcodec/wmavoice: Fix integer overflow in synth_frame() Fixes: left shift of negative value -3 Fixes: 18518/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-6560514359951360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf323f4d38f5756ecdb8fb4f72c80a8069da832e) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 8871935315..abea3a6751 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1519,7 +1519,7 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* "pitch-diff-per-sample" for calculation of pitch per sample */ s->pitch_diff_sh16 = - ((cur_pitch_val - s->last_pitch_val) << 16) / MAX_FRAMESIZE; + (cur_pitch_val - s->last_pitch_val) * (1 << 16) / MAX_FRAMESIZE; } /* Global gain (if silence) and pitch-adaptive window coordinates */ From 9162df98e1cf4e240f36944def19e8cd2cc28359 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2019 14:14:44 +0100 Subject: [PATCH 0744/1764] avcodec/nuv: Move comptype check up Fixes: Timeout (23sec -> 5ms) Fixes: 18517/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5753135536013312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1138cdecbe0164ab1f07768418e794fddfdc636d) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 32ed65899b..6192a70c74 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -217,6 +217,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG: minsize = c->width/16 * (c->height/16) * 6; break; + case NUV_BLACK: + case NUV_COPY_LAST: + case NUV_LZO: + case NUV_RTJPEG_IN_LZO: + break; + default: + av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); + return AVERROR_INVALIDDATA; } if (buf_size < minsize / 4) return AVERROR_INVALIDDATA; @@ -305,9 +313,6 @@ retry: case NUV_COPY_LAST: /* nothing more to do here */ break; - default: - av_log(avctx, AV_LOG_ERROR, "unknown compression\n"); - return AVERROR_INVALIDDATA; } if ((result = av_frame_ref(picture, c->pic)) < 0) From 3f186986520f3baa05de9d3126fa48ec8a270f36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2019 12:20:14 +0100 Subject: [PATCH 0745/1764] avcodec/mxpegdec: Check for multiple SOF Fixes: Timeout (14sec -> 9ms) Fixes: 18598/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5726095261564928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75b64e5aa36e7796a0460415a1f3fd7372029525) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 2e3ebe6e70..55ec6e928e 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -199,6 +199,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, buf_end = buf + buf_size; jpg->got_picture = 0; s->got_mxm_bitmask = 0; + s->got_sof_data = !!s->got_sof_data; while (buf_ptr < buf_end) { start_code = ff_mjpeg_find_marker(jpg, &buf_ptr, buf_end, &unescaped_buf_ptr, &unescaped_buf_size); @@ -241,6 +242,11 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, return ret; break; case SOF0: + if (s->got_sof_data > 1) { + av_log(avctx, AV_LOG_ERROR, + "Multiple SOF in a frame\n"); + return AVERROR_INVALIDDATA; + } s->got_sof_data = 0; ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { @@ -253,7 +259,7 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, "Interlaced mode not supported in MxPEG\n"); return AVERROR(EINVAL); } - s->got_sof_data = 1; + s->got_sof_data ++; break; case SOS: if (!s->got_sof_data) { From a67d997ad7358cbc9fbcf2c54f537c403786416b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 23:28:35 +0100 Subject: [PATCH 0746/1764] avcodec/g729dec: Use 64bit and clip in scalar product The G729 reference decoder clips after each individual operation and keeps track if overflow occurred (in the fixed point implementation), this here is simpler and faster but not 1:1 the same what the reference does. Non fuzzed samples which trigger any such overflow are welcome, so the need and impact of different clipping solutions can be evaluated. Fixes: signed integer overflow: 1271483721 + 1073676289 cannot be represented in type 'int' Fixes: 18617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5137705679978496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf9c4a12750e593d753011166b066efce208d9e0) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 2e1bf18e4e..32218e5989 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -328,11 +328,14 @@ static int16_t g729d_voice_decision(int onset, int prev_voice_decision, const in static int32_t scalarproduct_int16_c(const int16_t * v1, const int16_t * v2, int order) { - int res = 0; + int64_t res = 0; while (order--) res += *v1++ * *v2++; + if (res > INT32_MAX) return INT32_MAX; + else if (res < INT32_MIN) return INT32_MIN; + return res; } From 6ce537910543398067afe8395562938d1d002b29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 22:27:04 +0100 Subject: [PATCH 0747/1764] avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel() Fixes: signed integer overflow: 1145975808 - -1146173210 cannot be represented in type 'int' Fixes: 18616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5121296757424128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 721624c2f67545989626ba4413f7b8dbd7dff678) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index ca8817aa21..d8f1803086 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -264,8 +264,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch, t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2); t = extend_code(gb, t, 21, add_bits); if (!cmode) - coeff -= 12 << add_bits; - coeff = t - coeff; + coeff -= 12U << add_bits; + coeff = (unsigned)t - coeff; ctx->filter[i] = coeff; cmode = coeff >> add_bits; From ed4f4853533587fc9ca443f40e63a1cca3fd5aa1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 5 Nov 2019 22:11:52 +0100 Subject: [PATCH 0748/1764] avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next Fixes: signed integer overflow: 6175076100092079360 - -5034989061050195840 cannot be represented in type 'long' Fixes: 18614/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5704508847423488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d82ab96e76bfec6568d059df7c8591dda4317c62) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 3a6a057964..349b45534d 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -217,8 +217,8 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) *last = -1; lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); - int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); if (pos) { From db659cdf47892e13b75facfd5407397ddd26c3b7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Nov 2019 09:29:58 +0100 Subject: [PATCH 0749/1764] avcodec/nuv: Use ff_set_dimensions() Fixes: OOM Fixes: 18956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5766505644163072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1ca978d6366f3c7d7df6b3d50566e892f8da605a) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 6192a70c74..39f4e79ba0 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -131,10 +131,10 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) return -1; - if ((ret = av_image_check_size(height, width, 0, avctx)) < 0) + if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - avctx->width = c->width = width; - avctx->height = c->height = height; + c->width = width; + c->height = height; av_fast_malloc(&c->decomp_buf, &c->decomp_size, buf_size); if (!c->decomp_buf) { From 0eff731d8d35d4177ea1e817399946bd8f36a686 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 31 Oct 2019 13:32:55 +0100 Subject: [PATCH 0750/1764] avformat/mxfdec: Clear metadata_sets_count in mxf_read_close() This avoids problems if the function is called twice Signed-off-by: Michael Niedermayer (cherry picked from commit 13816a1d085fdb6598ea6dc92ed3a1e6aff0cc1f) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 118e3e40b4..368524e5cf 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3239,6 +3239,7 @@ static int mxf_read_close(AVFormatContext *s) for (i = 0; i < mxf->metadata_sets_count; i++) { mxf_free_metadataset(mxf->metadata_sets + i, 1); } + mxf->metadata_sets_count = 0; av_freep(&mxf->partitions); av_freep(&mxf->metadata_sets); av_freep(&mxf->aesc); From 2f942ddf7415baa55bdd4e60038526c35571b0c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 17:28:27 +0100 Subject: [PATCH 0751/1764] avcodec/vmdaudio: Check chunk counts to avoid integer overflow Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int' Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47d963335eb2c36c0e6615d7971c762458e813dd) Signed-off-by: Michael Niedermayer --- libavcodec/vmdaudio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index e8c8a064c7..c7826fa3ce 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -179,6 +179,9 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data, /* drop incomplete chunks */ buf_size = audio_chunks * s->chunk_size; + if (silent_chunks + audio_chunks >= INT_MAX / avctx->block_align) + return AVERROR_INVALIDDATA; + /* get output buffer */ frame->nb_samples = ((silent_chunks + audio_chunks) * avctx->block_align) / avctx->channels; From 5b43aa7a80f5ddaa46fec9866061a7c0e0d7f72e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 18:31:02 +0100 Subject: [PATCH 0752/1764] avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv() Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int' Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e010e489b70c044a67c47083cf8eb03209ee89f) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index b4a674978f..976d330935 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -867,7 +867,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, if (q1 < 1) return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } for (k = 1; k < 8; k++) { block[k << sh] = ac_val2[k] * scale; From f4daf42c1a5ce6ecf7234d804952536160870dba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 19:20:31 +0100 Subject: [PATCH 0753/1764] avcodec/wmaprodec: Fix buflen computation in save_bits() Fixes: Assertion failure Fixes: 18630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5201588654440448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 589cb44498b5e9683c95746255a2abd6d1e74f94) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 8429c8dec6..4cff07adf8 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1564,9 +1564,9 @@ static void save_bits(WMAProDecodeCtx *s, GetBitContext* gb, int len, s->frame_offset = get_bits_count(gb) & 7; s->num_saved_bits = s->frame_offset; init_put_bits(&s->pb, s->frame_data, MAX_FRAMESIZE); - } - - buflen = (put_bits_count(&s->pb) + len + 8) >> 3; + buflen = (s->num_saved_bits + len + 7) >> 3; + } else + buflen = (put_bits_count(&s->pb) + len + 7) >> 3; if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); From 4d932eb66b037acf63bef4ce9a975a6f28f0e99a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Nov 2019 20:40:46 +0100 Subject: [PATCH 0754/1764] avcodec/alac: Fix integer overflow in lpc_prediction() with sign Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 18643/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5672182449700864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7686ba1f149a94c3bac235589de8aa8db92be4e5) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 5c8230bea4..21a48d252a 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -227,7 +227,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, val = d - pred[j]; sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; - val *= sign; + val *= (unsigned)sign; error_val -= (val >> lpc_quant) * (j + 1); } } From 0b49c74fe177fad620dfe3c358d9215e9dbe752f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Nov 2019 21:19:24 +0100 Subject: [PATCH 0755/1764] avcodec/g729dec: require buf_size to be non 0 The 0 case was added with the support for multiple packets. It appears unintended and causes extra complexity and out of array accesses (though within padding) No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit f64be9da4c8b16071ec84056a61d1fc0d5d6728c) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 32218e5989..908c12a73a 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -416,7 +416,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, return ret; out_frame = (int16_t*) frame->data[0]; - if (buf_size % 10 == 0) { + if (buf_size && buf_size % 10 == 0) { packet_type = FORMAT_G729_8K; format = &format_g729_8k; //Reset voice decision From 289a79d545e83a97f5cdd00b28ce70638dae53e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2019 18:24:40 +0100 Subject: [PATCH 0756/1764] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Changelog b/Changelog index 7bc36db2db..700d38d2e3 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,22 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.7: +- avcodec/g729dec: require buf_size to be non 0 +- avcodec/alac: Fix integer overflow in lpc_prediction() with sign +- avcodec/wmaprodec: Fix buflen computation in save_bits() +- avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv() +- avcodec/vmdaudio: Check chunk counts to avoid integer overflow +- avformat/mxfdec: Clear metadata_sets_count in mxf_read_close() +- avcodec/nuv: Use ff_set_dimensions() +- avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next +- avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel() +- avcodec/g729dec: Use 64bit and clip in scalar product +- avcodec/mxpegdec: Check for multiple SOF +- avcodec/nuv: Move comptype check up +- avcodec/wmavoice: Fix integer overflow in synth_frame() +- avcodec/rawdec: Check bits_per_coded_sample more pedantically for 16bit cases +- avutil/lfg: Correct index increment type to avoid undefined behavior +- avcodec/cngdec: Remove AV_CODEC_CAP_DELAY - avcodec/iff: Move index use after check in decodeplane8() - avcodec/atrac3: Check for huge block aligns - avcodec/ralf: use multiply instead of shift to avoid undefined behavior in decode_block() From 164bafe8b1d11bc92fc8796d9e3fe9a63cb9730f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 20 Nov 2019 13:26:59 +0100 Subject: [PATCH 0757/1764] avformat/matroskadec: Fix default value of BlockAddID Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit dbc50f8a935043243232b2e01f3c012ab6d49928) --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index c65a912408..1bcc47b107 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -684,7 +684,7 @@ static const EbmlSyntax matroska_segments[] = { }; static const EbmlSyntax matroska_blockmore[] = { - { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id) }, + { MATROSKA_ID_BLOCKADDID, EBML_UINT, 0, offsetof(MatroskaBlock,additional_id), { .u = 1 } }, { MATROSKA_ID_BLOCKADDITIONAL, EBML_BIN, 0, offsetof(MatroskaBlock,additional) }, { 0 } }; From b9aaa444e193553c98da3992ed348d4bb1711d9e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 11:40:23 +0200 Subject: [PATCH 0758/1764] avcodec/libopusenc: Don't free user-provided AVPacket Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt (cherry picked from commit b803993b6d99423c8c1e01e7e206e3916a98d5d5) --- libavcodec/libopusenc.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libopusenc.c b/libavcodec/libopusenc.c index 3d88c296d3..31c7d6f5a8 100644 --- a/libavcodec/libopusenc.c +++ b/libavcodec/libopusenc.c @@ -482,7 +482,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, // Check if subtraction resulted in an overflow if ((discard_padding < opus->opts.packet_size) != (avpkt->duration > 0)) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if (discard_padding > 0) { @@ -491,7 +490,6 @@ static int libopus_encode(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } AV_WL32(side_data + 4, discard_padding); From f7dc65d74f7503ad5f0aec4355f4399aa4b96eb2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:11:30 +0200 Subject: [PATCH 0759/1764] libavcodec/libmp3lame: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 7e6941e185649409f44fb5aa31207bd7b00d23cd) --- libavcodec/libmp3lame.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/libmp3lame.c b/libavcodec/libmp3lame.c index 5e26743f29..79b2b9de06 100644 --- a/libavcodec/libmp3lame.c +++ b/libavcodec/libmp3lame.c @@ -279,7 +279,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, if ((discard_padding < avctx->frame_size) != (avpkt->duration > 0)) { av_log(avctx, AV_LOG_ERROR, "discard padding overflow\n"); av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(EINVAL); } if ((!s->delay_sent && avctx->initial_padding > 0) || discard_padding > 0) { @@ -288,7 +287,6 @@ static int mp3lame_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, 10); if(!side_data) { av_packet_unref(avpkt); - av_free(avpkt); return AVERROR(ENOMEM); } if (!s->delay_sent) { From a1a6336a586ecf3c7d3486138dfc64afe9453980 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 23 May 2020 12:13:26 +0200 Subject: [PATCH 0760/1764] libavcodec/libvpxenc: Don't free user-provided AVPacket Signed-off-by: Andreas Rheinhardt (cherry picked from commit 26b45096906097a73ba587bf3b98dada4e795224) --- libavcodec/libvpxenc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 64a7459331..7894e277f8 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -860,7 +860,6 @@ FF_ENABLE_DEPRECATION_WARNINGS cx_frame->sz_alpha + 8); if(!side_data) { av_packet_unref(pkt); - av_free(pkt); return AVERROR(ENOMEM); } AV_WB64(side_data, 1); From 63bad93076218af1b0dd3248f6b9149b0ebe7f47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 18:39:08 +0100 Subject: [PATCH 0761/1764] avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external Fixes: NULL pointer dereference Fixes: 18689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5715114640015360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 090ac5799751c6f52358da4e5201a3845760db93) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 4cff07adf8..327db9335d 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1899,6 +1899,8 @@ static av_cold int xma_decode_init(AVCodecContext *avctx) s->start_channel[i] = start_channels; start_channels += s->xma[i].nb_channels; } + if (start_channels != avctx->channels) + return AVERROR_INVALIDDATA; return ret; } From 6d3a91c49d21842ca32f6cc176a9086c77d4d827 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 18:47:52 +0100 Subject: [PATCH 0762/1764] avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block() Fixes: signed integer overflow: 1778647621 + 574372924 cannot be represented in type 'int' Fixes: 18692/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6248679635943424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93d52a181ec050d3a4fb68f526604d39cd006be5) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 1c9e9a93d8..800fff0e12 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -573,10 +573,10 @@ static inline void tm2_low_res_block(TM2Context *ctx, AVFrame *pic, int bx, int last[0] = (int)((unsigned)last[1] - ctx->D[0] - ctx->D[1] - ctx->D[2] - ctx->D[3])>> 1; last[2] = (int)((unsigned)last[1] + last[3]) >> 1; - t1 = ctx->D[0] + ctx->D[1]; + t1 = ctx->D[0] + (unsigned)ctx->D[1]; ctx->D[0] = t1 >> 1; ctx->D[1] = t1 - (t1 >> 1); - t2 = ctx->D[2] + ctx->D[3]; + t2 = ctx->D[2] + (unsigned)ctx->D[3]; ctx->D[2] = t2 >> 1; ctx->D[3] = t2 - (t2 >> 1); From 47d0725b91eb1b59722dd0ba6b8c9226c05d8ad7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 20:06:35 +0100 Subject: [PATCH 0763/1764] avcodec/wmaprodec: Check offset Fixes: index 33280 out of bounds for type 'float [32768]' Fixes: 18718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5635373899710464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5473c7825ea627a115155313a56a907d67a0d0c1) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 327db9335d..ee2b3c5e2b 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1775,6 +1775,11 @@ static int xma_decode_packet(AVCodecContext *avctx, void *data, ret = decode_packet(avctx, &s->xma[s->current_stream], s->frames[s->current_stream], &got_stream_frame_ptr, avpkt); + if (got_stream_frame_ptr && s->offset[s->current_stream] >= 64) { + got_stream_frame_ptr = 0; + ret = AVERROR_INVALIDDATA; + } + /* copy stream samples (1/2ch) to sample buffer (Nch) */ if (got_stream_frame_ptr) { int start_ch = s->start_channel[s->current_stream]; From 081aa19ac93af7a7aec2233d29621c801ed5101d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Nov 2019 20:25:00 +0100 Subject: [PATCH 0764/1764] avcodec/wmaprodec: Set packet_loss when we error out on a sanity check Fixes: left shift of negative value -34 Fixes: 18719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5642658173419520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a9cbd25d89dbdf72f7b616fdf672d7da36143cfe) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index ee2b3c5e2b..28824ed11f 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1616,6 +1616,7 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, if (avctx->codec_id == AV_CODEC_ID_WMAPRO && buf_size < avctx->block_align) { av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n", buf_size, avctx->block_align); + s->packet_loss = 1; return AVERROR_INVALIDDATA; } From bc73f923e23d7e0ebcc64dac11b1309d3be3ed82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Nov 2019 16:38:36 +0100 Subject: [PATCH 0765/1764] avcodec/apedec: Fix 2 integer overflows Fixes: signed integer overflow: 2119056926 - -134217728 cannot be represented in type 'int' Fixes: 18728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5747539563511808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e15ba2d1f688c61759001839811b11903de9ce0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7d07f5f8f1..95bcc0c413 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1230,7 +1230,7 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) p->buf = p->historybuffer; } - p->filterA[0] = currentA + ((int)(p->filterA[0] * 31U) >> 5); + p->filterA[0] = currentA + (unsigned)((int)(p->filterA[0] * 31U) >> 5); *(decoded0++) = p->filterA[0]; } @@ -1298,7 +1298,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, else *f->adaptcoeffs = 0; - f->avg += (absres - f->avg) / 16; + f->avg += (int)(absres - (unsigned)f->avg) / 16; f->adaptcoeffs[-1] >>= 1; f->adaptcoeffs[-2] >>= 1; From 57c602ab246a5ed2fb14d0bd0180c76a1984d494 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Nov 2019 23:00:51 +0100 Subject: [PATCH 0766/1764] avformat/rmdec: Initialize and sanity check offset in ivr_read_header() Fixes: signed integer overflow: -9223372036854775808 - 17 cannot be represented in type 'long' Fixes: 18768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674385247830016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e665e4a81e2e96eb45138a1dfa38617de2631a4) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index f3fa550c63..9db163d392 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1175,7 +1175,7 @@ static int ivr_read_header(AVFormatContext *s) uint8_t key[256], val[256]; AVIOContext *pb = s->pb; AVStream *st; - int64_t pos, offset, temp; + int64_t pos, offset=0, temp; pos = avio_tell(pb); tag = avio_rl32(pb); @@ -1192,6 +1192,8 @@ static int ivr_read_header(AVFormatContext *s) offset = temp; temp = avio_rb64(pb); } + if (offset <= 0) + return AVERROR_INVALIDDATA; avio_skip(pb, offset - avio_tell(pb)); if (avio_r8(pb) != 1) return AVERROR_INVALIDDATA; From 41fc3f3851d3a54a14e98b204ccba0f7aaf24967 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 00:37:27 +0100 Subject: [PATCH 0767/1764] avcodec/mp3_header_decompress_bsf: Check sample_rate_index Fixes: out of array read Fixes: 19309/clusterfuzz-testcase-minimized-ffmpeg_BSF_MP3_HEADER_DECOMPRESS_fuzzer-5651002950942720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f064c7c449f162a9011ad890f26ceeca26934d22) Signed-off-by: Michael Niedermayer --- libavcodec/mp3_header_decompress_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/mp3_header_decompress_bsf.c b/libavcodec/mp3_header_decompress_bsf.c index 294858953c..ab3d420300 100644 --- a/libavcodec/mp3_header_decompress_bsf.c +++ b/libavcodec/mp3_header_decompress_bsf.c @@ -62,6 +62,11 @@ static int mp3_header_decompress(AVBSFContext *ctx, AVPacket *out) lsf = sample_rate < (24000+32000)/2; mpeg25 = sample_rate < (12000+16000)/2; sample_rate_index= (header>>10)&3; + if (sample_rate_index == 3) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + sample_rate= avpriv_mpa_freq_tab[sample_rate_index] >> (lsf + mpeg25); //in case sample rate is a little off for(bitrate_index=2; bitrate_index<30; bitrate_index++){ From bbae90e2cb658e336d0104154f37235782253ba9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 19:19:57 +0100 Subject: [PATCH 0768/1764] avcodec/pnm: Check that the header is not truncated Fixes: Ticket8430 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c94cb8d9b21baeeecef962c72965dbedc4e0b0e1) Signed-off-by: Michael Niedermayer --- libavcodec/pnm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c index b06a6e81b5..b5d074f1f8 100644 --- a/libavcodec/pnm.c +++ b/libavcodec/pnm.c @@ -108,6 +108,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) return AVERROR_INVALIDDATA; } } + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* check that all tags are present */ if (w <= 0 || h <= 0 || maxval <= 0 || maxval > UINT16_MAX || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) @@ -188,6 +191,10 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s) } }else s->maxval=1; + + if (!pnm_space(s->bytestream[-1])) + return AVERROR_INVALIDDATA; + /* more check if YUV420 */ if (av_pix_fmt_desc_get(avctx->pix_fmt)->flags & AV_PIX_FMT_FLAG_PLANAR) { if ((avctx->width & 1) != 0) From 2309850cb90b72edfcb4637237725842f938bb80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 09:45:29 +0100 Subject: [PATCH 0769/1764] avcodec/iff: Skip overflowing runs in decode_delta_d() Fixes: Timeout (107sec - 75ms> Fixes: 18812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6295585225441280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 185f441ba26a2112725db1e8f218e54ac8068bbb) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 8a2ae2542d..eac873c9da 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1359,6 +1359,8 @@ static void decode_delta_d(uint8_t *dst, bytestream2_seek_p(&pb, (offset / planepitch_byte) * pitch + (offset % planepitch_byte) + k * planepitch, SEEK_SET); if (opcode >= 0) { uint32_t x = bytestream2_get_be32(&gb); + if (opcode && 4 + (opcode - 1LL) * pitch > bytestream2_get_bytes_left_p(&pb)) + continue; while (opcode && bytestream2_get_bytes_left_p(&pb) > 0) { bytestream2_put_be32(&pb, x); bytestream2_skip_p(&pb, pitch - 4); From 699a6dddc757d3ac9010c2444ec6f33c0d702ad9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 12:49:25 +0100 Subject: [PATCH 0770/1764] avcodec/wmalosslessdec: Check that padding bits is not more than sample bits Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5713317180211200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d428265808255ad2fc60355fe641aaa4fd3dae4) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d4f18b9841..45740a090b 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -950,6 +950,8 @@ static int decode_subframe(WmallDecodeCtx *s) for (j = 0; j < subframe_len; j++) s->channel_residues[i][j] = get_sbits_long(&s->gb, bits); } else { + if (s->bits_per_sample < padding_zeroes) + return AVERROR_INVALIDDATA; for (i = 0; i < s->num_channels; i++) { if (s->is_channel_coded[i]) { decode_channel_residues(s, i, subframe_len); From 18a6ff88ce380e3d652cbefbaf7da20ea5e8f0b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2019 14:22:57 +0100 Subject: [PATCH 0771/1764] avcodec/wmalosslessdec: Fix several integer issues Fixes: shift exponent -1 is negative (and others) Fixes: 18852/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5660855295541248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec3fe67074ad0a6a3a817f6f42175ea63a98092b) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 45740a090b..c8c941c31a 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -678,7 +678,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) for (i = 0; i < ich; i++) pred[ich] += (uint32_t)s->channel_residues[i][icoef] * s->mclms_coeffs_cur[i + num_channels * ich]; - pred[ich] += 1 << s->mclms_scaling - 1; + pred[ich] += (1 << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; s->channel_residues[ich][icoef] += pred[ich]; } @@ -811,19 +811,19 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred = 0; for (j = 0; j < order; j++) { if (i <= j) - pred += filter_coeffs[j] * prevvalues[j - i]; + pred += (uint32_t)filter_coeffs[j] * prevvalues[j - i]; else - pred += s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; + pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; } pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (i = order; i < tile_size; i++) { pred = 0; for (j = 0; j < order; j++) pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j]; pred >>= scaling; - s->channel_residues[ich][i] += pred; + s->channel_residues[ich][i] += (unsigned)pred; } for (j = 0; j < order; j++) prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; From 9776bc11257293243827dbfecfe120835e677b08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 19:13:09 +0100 Subject: [PATCH 0772/1764] avcodec/adpcm: Fix invalid shift in xa_decode() Fixes: left shift of negative value -1 Fixes: 18859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5748474213040128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50db30b47d016fc4e7b47067545b15d22d4faddf) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 70906c8028..d2aa235c72 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -392,7 +392,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out0[j] = s_1; @@ -419,7 +419,7 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, d = in[16+i+j*4]; t = sign_extend(d >> 4, 4); - s = ( t<>6); + s = t*(1<>6); s_2 = s_1; s_1 = av_clip_int16(s); out1[j] = s_1; From 5f820ffe81265016eb9caaf4d8b2606a6b9fd0d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 20:34:55 +0100 Subject: [PATCH 0773/1764] avcodec/wmaprodec: Fixes integer overflow with 32bit samples Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5755223125786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a9cc69c0d59057ea172a107e0308fdf5fd8fc04e) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 28824ed11f..b279369241 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -543,7 +543,7 @@ static av_cold int decode_init(WMAProDecodeCtx *s, AVCodecContext *avctx, int nu for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) ff_mdct_init(&s->mdct_ctx[i], WMAPRO_BLOCK_MIN_BITS+1+i, 1, 1.0 / (1 << (WMAPRO_BLOCK_MIN_BITS + i - 1)) - / (1 << (s->bits_per_sample - 1))); + / (1ll << (s->bits_per_sample - 1))); /** init MDCT windows: simple sine window */ for (i = 0; i < WMAPRO_BLOCK_SIZES; i++) { From 3191aecdfa7ec0218c578c031ae9555bb2f98c2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Nov 2019 22:05:40 +0100 Subject: [PATCH 0774/1764] avcodec/wmalosslessdec: Fix 2 overflows in mclms Fixes: signed integer overflow: 2038337026 + 109343477 cannot be represented in type 'int' Fixes: 18886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5673660505653248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 92455c8c65c403ea696cb8c63d474d386d631bbd) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c8c941c31a..7de93f241f 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -628,7 +628,7 @@ static void mclms_update(WmallDecodeCtx *s, int icoef, int *pred) int range = 1 << (s->bits_per_sample - 1); for (ich = 0; ich < num_channels; ich++) { - pred_error = s->channel_residues[ich][icoef] - pred[ich]; + pred_error = s->channel_residues[ich][icoef] - (unsigned)pred[ich]; if (pred_error > 0) { for (i = 0; i < order * num_channels; i++) s->mclms_coeffs[i + ich * order * num_channels] += @@ -680,7 +680,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) s->mclms_coeffs_cur[i + num_channels * ich]; pred[ich] += (1 << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; - s->channel_residues[ich][icoef] += pred[ich]; + s->channel_residues[ich][icoef] += (unsigned)pred[ich]; } } From 71c228d2b8c93857a104c034937b1350d1959b3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Nov 2019 09:18:12 +0100 Subject: [PATCH 0775/1764] avcodec/wmavoice: Check remaining input in parse_packet_header() Fixes: Infinite loop Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19c41969b26d07519fff8182a0d3266cdb712078) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index abea3a6751..4c764a8f01 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1835,6 +1835,9 @@ static int parse_packet_header(WMAVoiceContext *s) skip_bits(gb, 4); // packet sequence number s->has_residual_lsps = get_bits1(gb); do { + if (get_bits_left(gb) < 6 + s->spillover_bitsize) + return AVERROR_INVALIDDATA; + res = get_bits(gb, 6); // number of superframes per packet // (minus first one if there is spillover) n_superframes += res; From 9645c0b322c108a6b3a2d437fae10a2529eb3f7e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2019 00:43:03 +0200 Subject: [PATCH 0776/1764] avcodec/dstdec: Use get_ur_golomb_jpegls() Fixes: shift exponent -4 is negative Fixes: 17793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5766088435957760 Fixes: 18989/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5175008116867072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76690c02b4fd12d7fac6f753af8bad72c82d55c) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index daf906ba0c..c548174331 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -120,7 +120,7 @@ static int read_map(GetBitContext *gb, Table *t, unsigned int map[DST_MAX_CHANNE static av_always_inline int get_sr_golomb_dst(GetBitContext *gb, unsigned int k) { - int v = get_ur_golomb(gb, k, get_bits_left(gb), 0); + int v = get_ur_golomb_jpegls(gb, k, get_bits_left(gb), 0); if (v && get_bits1(gb)) v = -v; return v; From b84ab52628568f477e9f78a69dbedf4b57123be5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Nov 2019 22:43:01 +0100 Subject: [PATCH 0777/1764] avcodec/targa: Check colors vs. available space Fixes: Timeout (37sec -> 52ms) Fixes: 18892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5739537854889984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01593278cef06dbb4491d50d03b72198d2848adf) Signed-off-by: Michael Niedermayer --- libavcodec/targa.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/targa.c b/libavcodec/targa.c index 93e0ef7905..a61fef1d7b 100644 --- a/libavcodec/targa.c +++ b/libavcodec/targa.c @@ -132,12 +132,6 @@ static int decode_frame(AVCodecContext *avctx, h = bytestream2_get_le16(&s->gb); bpp = bytestream2_get_byte(&s->gb); - if (bytestream2_get_bytes_left(&s->gb) <= idlen) { - av_log(avctx, AV_LOG_ERROR, - "Not enough data to read header\n"); - return AVERROR_INVALIDDATA; - } - flags = bytestream2_get_byte(&s->gb); if (!pal && (first_clr || colors || csize)) { @@ -146,6 +140,12 @@ static int decode_frame(AVCodecContext *avctx, first_clr = colors = csize = 0; } + if (bytestream2_get_bytes_left(&s->gb) < idlen + 2*colors) { + av_log(avctx, AV_LOG_ERROR, + "Not enough data to read header\n"); + return AVERROR_INVALIDDATA; + } + // skip identifier if any bytestream2_skip(&s->gb, idlen); From d8e5d0264eea4c9b9e3d7e36e0053ab14e33af4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Nov 2019 23:02:56 +0100 Subject: [PATCH 0778/1764] avcodec/adpcm: Clip predictor for APC Fixes: signed integer overflow: -2147483648 - 13 cannot be represented in type 'int' Fixes: 18893/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_APC_fuzzer-5630760442920960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9fe07908c3f67d59cf4db5668d61b34506189590) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index d2aa235c72..9063f3c49b 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -139,8 +139,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) break; case AV_CODEC_ID_ADPCM_IMA_APC: if (avctx->extradata && avctx->extradata_size >= 8) { - c->status[0].predictor = AV_RL32(avctx->extradata); - c->status[1].predictor = AV_RL32(avctx->extradata + 4); + c->status[0].predictor = av_clip_intp2(AV_RL32(avctx->extradata ), 18); + c->status[1].predictor = av_clip_intp2(AV_RL32(avctx->extradata + 4), 18); } break; case AV_CODEC_ID_ADPCM_IMA_WS: From cda7dd2124480dec91363d8dd4728842d74d46ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2019 12:22:25 +0100 Subject: [PATCH 0779/1764] avcodec/iff: Check that video_size is large enough for the read parameters video is allocated before parameters like bpp are read. Fixes: out of array access Fixes: 19084/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5718556033679360 Fixes: 19465/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5759908398235648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1b97f62f86d5dca35d01d7a5ebbc5dca2a88ae6) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index eac873c9da..a03f80ce53 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -322,6 +322,8 @@ static int extract_header(AVCodecContext *const avctx, av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n", s->bpp); return AVERROR_INVALIDDATA; } + if (s->video_size && s->planesize * s->bpp * avctx->height > s->video_size) + return AVERROR_INVALIDDATA; av_freep(&s->ham_buf); av_freep(&s->ham_palbuf); From 6c5be12e7c7bf518398ab0b9e5a0b3f4466e5c2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2019 16:46:46 +0100 Subject: [PATCH 0780/1764] avcodec/wmadec: Keep track of exponent initialization per channel Fixes: division by 0 Fixes: 19123/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5655493121146880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bf5c850b795126d4f60dd9498c06f0492f5726a7) Signed-off-by: Michael Niedermayer --- libavcodec/wma.h | 2 +- libavcodec/wmadec.c | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/wma.h b/libavcodec/wma.h index 8344cb5b93..c7fcf5047c 100644 --- a/libavcodec/wma.h +++ b/libavcodec/wma.h @@ -123,7 +123,7 @@ typedef struct WMACodecContext { uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + AV_INPUT_BUFFER_PADDING_SIZE]; /* padding added */ int last_bitoffset; int last_superframe_len; - int exponents_initialized; + int exponents_initialized[MAX_CHANNELS]; float noise_table[NOISE_TAB_SIZE]; int noise_index; float noise_mult; /* XXX: suppress that and integrate it in the noise array */ diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index bb9bc8d236..6365fe7f47 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -585,11 +585,14 @@ static int wma_decode_block(WMACodecContext *s) decode_exp_lsp(s, ch); } s->exponents_bsize[ch] = bsize; + s->exponents_initialized[ch] = 1; } } - s->exponents_initialized = 1; - }else if (!s->exponents_initialized) { - return AVERROR_INVALIDDATA; + } + + for (ch = 0; ch < s->avctx->channels; ch++) { + if (s->channel_coded[ch] && !s->exponents_initialized[ch]) + return AVERROR_INVALIDDATA; } /* parse spectral coefficients : just RLE encoding */ From 9fbd7b65d754f1b68c83e66f144ff89f7000759a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 16 Dec 2019 23:31:22 +0100 Subject: [PATCH 0781/1764] avcodec/vc1dec: Free sprite_output_frame on error Fixes: memleaks Fixes: 19471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5688035714269184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3ee9240be3e4044ae9e60a9a3a68820bf8075299) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index dbdd5a8857..29ec19f57f 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -576,14 +576,21 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (v->sprite_width > 1 << 14 || v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || - v->output_height > 1 << 14) return -1; + v->output_height > 1 << 14) { + ret = -1; + goto error; + } if ((v->sprite_width&1) || (v->sprite_height&1)) { avpriv_request_sample(avctx, "odd sprites support"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto error; } } return 0; +error: + av_frame_free(&v->sprite_output_frame); + return ret; } /** Close a VC1/WMV3 decoder From 6583f572d1244736e5ef8599cf7a8296347274b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 17 Dec 2019 00:04:23 +0100 Subject: [PATCH 0782/1764] avcodec/vc1dec: Fix "return -1" cases Reviewed-by: "mypopy@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit 26f040bcb4a1db78d1311af2e69de6984ecb43e5) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 29ec19f57f..1c9af34368 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -431,7 +431,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->output_height = avctx->height; if (!avctx->extradata_size || !avctx->extradata) - return -1; + return AVERROR_INVALIDDATA; v->s.avctx = avctx; if ((ret = ff_vc1_init_common(v)) < 0) @@ -472,7 +472,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) if (avctx->extradata_size < 16) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small: %i\n", avctx->extradata_size); - return -1; + return AVERROR_INVALIDDATA; } buf2 = av_mallocz(avctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); @@ -508,7 +508,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) av_free(buf2); if (!seq_initialized || !ep_initialized) { av_log(avctx, AV_LOG_ERROR, "Incomplete extradata\n"); - return -1; + return AVERROR_INVALIDDATA; } v->res_sprite = (avctx->codec_id == AV_CODEC_ID_VC1IMAGE); } @@ -577,7 +577,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx) v->sprite_height > 1 << 14 || v->output_width > 1 << 14 || v->output_height > 1 << 14) { - ret = -1; + ret = AVERROR_INVALIDDATA; goto error; } From a1474a83048620d734001414db0f75e16d97adcc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Dec 2019 19:48:46 +0100 Subject: [PATCH 0783/1764] avcodec/twinvqdec: Correct overflow in block align check Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 19126/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TWINVQ_fuzzer-5687464110325760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc93ae3d725e892927f04002021337c2f90252a) Signed-off-by: Michael Niedermayer --- libavcodec/twinvqdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/twinvqdec.c b/libavcodec/twinvqdec.c index c2353f51b5..c00ebb2ad5 100644 --- a/libavcodec/twinvqdec.c +++ b/libavcodec/twinvqdec.c @@ -404,7 +404,7 @@ static av_cold int twinvq_decode_init(AVCodecContext *avctx) tctx->frame_size = avctx->bit_rate * tctx->mtab->size / avctx->sample_rate + 8; tctx->is_6kbps = 0; - if (avctx->block_align && avctx->block_align * 8 / tctx->frame_size > 1) { + if (avctx->block_align && avctx->block_align * 8LL / tctx->frame_size > 1) { av_log(avctx, AV_LOG_ERROR, "VQF TwinVQ should have only one frame per packet\n"); return AVERROR_INVALIDDATA; From 5dea535114c90f4f83e4ed981b94ffae56bf1572 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Oct 2019 23:22:05 +0200 Subject: [PATCH 0784/1764] avcodec/sonic: Check e in get_symbol() Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int' Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 Fixes: 18753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5663299131932672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aea67556116330d3151e4cd3ef1e266b5d90f388) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 953c70fcd4..1b16825403 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1; From 0f8f37a99418039923e6db8e8bbc53fe5fac1167 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Nov 2019 22:45:07 +0100 Subject: [PATCH 0785/1764] avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe() Fixes: signed integer overflow: 47875596 * 45 cannot be represented in type 'int' Fixes: 19082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5687766512041984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53efab44a9d0971c6c12d9b3d1af855ca863c847) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 7de93f241f..d47fd89c52 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -979,7 +979,7 @@ static int decode_subframe(WmallDecodeCtx *s) if (s->quant_stepsize != 1) for (i = 0; i < s->num_channels; i++) for (j = 0; j < subframe_len; j++) - s->channel_residues[i][j] *= s->quant_stepsize; + s->channel_residues[i][j] *= (unsigned)s->quant_stepsize; } /* Write to proper output buffer depending on bit-depth */ From d22da8f54c97ed66e23c0ef57163eb4874dbcd4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Nov 2019 21:39:48 +0100 Subject: [PATCH 0786/1764] avcodec/cook: Use 3 stage VLC decoding for channel_coupling Fixes: shift exponent -1 is negative Fixes: out of array read Fixes: 19028/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5759766471376896 Fixes: 19037/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5734106625474560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 89fd76db71d9d4f87c51fee2a2edf99662444df7) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index dbf55c8226..14ff389d00 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -759,7 +759,7 @@ static int decouple_info(COOKContext *q, COOKSubpacket *p, int *decouple_tab) for (i = 0; i < length; i++) decouple_tab[start + i] = get_vlc2(&q->gb, p->channel_coupling.table, - p->channel_coupling.bits, 2); + p->channel_coupling.bits, 3); else for (i = 0; i < length; i++) { int v = get_bits(&q->gb, p->js_vlc_bits); From b9b2ac5dbb858927db5ad528a00e12809cf4862c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Nov 2019 21:50:57 +0100 Subject: [PATCH 0787/1764] avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() Fixes: signed integer overflow: 2147464192 + 21176 cannot be represented in type 'int' Fixes: 19042/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5719828090585088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fa47f6412dbf93b4865adf8c66618906a3274330) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 349b45534d..b9c63abb8d 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -350,7 +350,8 @@ fail: static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, int32_t *channels) { - int32_t amp, val, *cv; + int32_t amp, *cv; + unsigned val; struct ws_interval *in; int i, *last, pink; uint32_t c, all_ch = 0; From 0b05ea827ee20e744304e0c6ee6abb0b126865be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jan 2020 21:58:28 +0100 Subject: [PATCH 0788/1764] avcodec/pgssubdec: Free subtitle on error Fixes: Assertion failure Fixes: 19753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5688461843759104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b0a718923bb4a75b0c1cbf283fb17a319b840346) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 8c10f6d573..7fadcb8b4b 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -691,8 +691,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, ret = AVERROR_INVALIDDATA; break; } - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) { + avsubtitle_free(data); + *data_size = 0; return ret; + } buf += segment_length; } From b4ff849594acef6c69d40fd33ede8e588dbbada3 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Wed, 1 Jan 2020 12:14:30 +0530 Subject: [PATCH 0789/1764] configure: bump year (cherry picked from commit 7b58702cbdce097f32f62c87cd537ab28c04ffb2) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 51c5db53e6..8de1146602 100755 --- a/configure +++ b/configure @@ -7001,7 +7001,7 @@ cat > $TMPH < Date: Mon, 6 Jan 2020 01:38:21 +0100 Subject: [PATCH 0790/1764] avcodec/vmdaudio: Check block_align more Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 19788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5743379690553344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 06f6857b54a7fbbd087b0803f75bed44abed50d9) Signed-off-by: Michael Niedermayer --- libavcodec/vmdaudio.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vmdaudio.c b/libavcodec/vmdaudio.c index c7826fa3ce..dfbd49fd84 100644 --- a/libavcodec/vmdaudio.c +++ b/libavcodec/vmdaudio.c @@ -76,7 +76,9 @@ static av_cold int vmdaudio_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "invalid number of channels\n"); return AVERROR(EINVAL); } - if (avctx->block_align < 1 || avctx->block_align % avctx->channels) { + if (avctx->block_align < 1 || avctx->block_align % avctx->channels || + avctx->block_align > INT_MAX - avctx->channels + ) { av_log(avctx, AV_LOG_ERROR, "invalid block align\n"); return AVERROR(EINVAL); } From 5e874507e141143cdd7fbc6c09054d5e295369d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 19:37:46 +0100 Subject: [PATCH 0791/1764] avcodec/vc1dec: Limit bits by the actual bitstream size Fixes: Timeout (350 ->19sec) Fixes: 19249/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6566896438870016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c56a52a82c0a4039e606e82b948a8abfe417f35f) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 1c9af34368..ca39ceed1d 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1012,7 +1012,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ff_mpeg_er_frame_start(s); - v->bits = buf_size * 8; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); v->end_mb_x = s->mb_width; if (v->field_mode) { s->current_picture.f->linesize[0] <<= 1; @@ -1084,8 +1084,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, continue; } ff_vc1_decode_blocks(v); - if (i != n_slices) + if (i != n_slices) { s->gb = slices[i].gb; + v->bits = FFMIN(buf_size * 8, s->gb.size_in_bits); + } } if (v->field_mode) { v->second_field = 0; From bcc836d1f27469eac3a5a928aa961f95381452dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 20:18:07 +0100 Subject: [PATCH 0792/1764] avcodec/vc1dec: Check field_mode for sprites Fixes: Out of array read Fixes: 19263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5389219325542400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 32fb9198360402941e49aa878b9d33737b654f62) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index ca39ceed1d..d05c902b70 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -877,7 +877,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - + if ((avctx->codec_id == AV_CODEC_ID_WMV3IMAGE || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) + && v->field_mode) { + av_log(v->s.avctx, AV_LOG_ERROR, "Sprite decoder: expected Frames not Fields\n"); + ret = AVERROR_INVALIDDATA; + goto err; + } if ((s->mb_height >> v->field_mode) == 0) { av_log(v->s.avctx, AV_LOG_ERROR, "image too short\n"); ret = AVERROR_INVALIDDATA; From 4f739a58795ad76207bb9a2674333dbd08914c0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:38:13 +0100 Subject: [PATCH 0793/1764] avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp() Fixes: signed integer overflow: -1114392282 * 2 cannot be represented in type 'int' Fixes: 19236/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5741678938030080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0bd5fa43d193aa389bea7c5176b2fe23f6eeddd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index fc9a8d54cc..ab668594d2 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -486,14 +486,14 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, if (refl_coeff > 0) { gt = (refl_coeff * G729_TILT_FACTOR_PLUS + 0x4000) >> 15; - fact = 0x4000; // 0.5 in (0.15) - sh_fact = 15; + fact = 0x2000; // 0.5 in (0.15) + sh_fact = 14; } else { gt = (refl_coeff * G729_TILT_FACTOR_MINUS + 0x4000) >> 15; - fact = 0x800; // 0.5 in (3.12) - sh_fact = 12; + fact = 0x400; // 0.5 in (3.12) + sh_fact = 11; } - ga = (fact << 15) / av_clip_int16(32768 - FFABS(gt)); + ga = (fact << 16) / av_clip_int16(32768 - FFABS(gt)); gt >>= 1; /* Apply tilt compensation filter to signal. */ @@ -503,12 +503,12 @@ static int16_t apply_tilt_comp(int16_t* out, int16_t* res_pst, int refl_coeff, tmp2 = (gt * res_pst[i-1]) * 2 + 0x4000; tmp2 = res_pst[i] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[i] = tmp2; } tmp2 = (gt * ht_prev_data) * 2 + 0x4000; tmp2 = res_pst[0] + (tmp2 >> 15); - tmp2 = (tmp2 * ga * 2 + fact) >> sh_fact; + tmp2 = (tmp2 * ga + fact) >> sh_fact; out[0] = tmp2; return tmp; From 5684147644f529f4ac9f8aa3b658d80296db36ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:42:54 +0100 Subject: [PATCH 0794/1764] avcodec/alac: Fix integer overflow in LPC coefficient adaption Fixes: signed integer overflow: 267693597 * 10 cannot be represented in type 'int' Fixes: 19237/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5755407700328448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a865cec5e7584ef476f394fc55c1fc91cec1a14) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 21a48d252a..0d9a83c6bb 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -228,7 +228,7 @@ static void lpc_prediction(int32_t *error_buffer, uint32_t *buffer_out, sign = sign_only(val) * error_sign; lpc_coefs[j] -= sign; val *= (unsigned)sign; - error_val -= (val >> lpc_quant) * (j + 1); + error_val -= (val >> lpc_quant) * (j + 1U); } } } From bdb0af634e3fa8b04fc63fa201dfceae9a5f7a89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 00:14:16 +0100 Subject: [PATCH 0795/1764] avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 19235/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_EA_EACS_fuzzer-5680878952382464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 794352ae9d1cb32b4b9e45d3affb83763f4ee12e) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 9063f3c49b..3560cae472 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1140,7 +1140,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } for (i=0; i<=st; i++) { c->status[i].predictor = bytestream2_get_le32u(&gb); - if (FFABS(c->status[i].predictor) > (1<<16)) + if (FFABS((int64_t)c->status[i].predictor) > (1<<16)) return AVERROR_INVALIDDATA; } From 04ef299aa0dd8261ec9d0e5e13bf97c8cdfaddb4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2020 00:32:55 +0100 Subject: [PATCH 0796/1764] avcodec/wmalosslessdec: move channel check up Fixes: out of array access Fixes: 2nd part of 18429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-6210814364614656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 891bcc4acc93e0c5a75ab7a9da668df84a0edba7) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d47fd89c52..220488df3c 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -189,6 +189,16 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR(EINVAL); } + if (avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", + avctx->channels); + return AVERROR_INVALIDDATA; + } else if (avctx->channels > WMALL_MAX_CHANNELS) { + avpriv_request_sample(avctx, + "More than %d channels", WMALL_MAX_CHANNELS); + return AVERROR_PATCHWELCOME; + } + s->max_frame_size = MAX_FRAMESIZE * avctx->channels; s->frame_data = av_mallocz(s->max_frame_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->frame_data) @@ -267,16 +277,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ++s->lfe_channel; } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %"PRId8"\n", - s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMALL_MAX_CHANNELS) { - avpriv_request_sample(avctx, - "More than %d channels", WMALL_MAX_CHANNELS); - return AVERROR_PATCHWELCOME; - } - s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); From 0ab57e062641c8f6df5b8bc43e3ae392edb76a7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Dec 2019 00:38:29 +0100 Subject: [PATCH 0797/1764] avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy() Fixes: invalid memcpy use Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e23b5a706cd378ed07a200dfee656b38504f165) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 09bce5b34c..d0f1b94f0e 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -164,7 +164,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) if (ret < 0) goto fail; - if (add_extradata) + if (extra_size) memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size); AV_WB32(out->data + prev_size + extra_size, 1); bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size); From a0868285c097808a6a49f09906e436a887fbbf33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Dec 2019 00:50:21 +0100 Subject: [PATCH 0798/1764] avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow Fixes: Out of array access Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8ceb2a72fa1bef4ab5f1ec6cdc7ce74fffda19d) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index d0f1b94f0e..baa93628ed 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -152,8 +152,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) extra_size = add_extradata * ctx->par_out->extradata_size; got_irap |= is_irap; - if (SIZE_MAX - nalu_size < 4 || - SIZE_MAX - 4 - nalu_size < extra_size) { + if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) { ret = AVERROR_INVALIDDATA; goto fail; } From 850eec92d0e594ae8839e76c2aaac90e2e3856da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0799/1764] swscale/swscale: Fix several invalid shifts related to vChrDrop Fixes: Invalid shifts Fixes: #8166 Fixes: filter-crop_scale_vflip FATE-test Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a6ca22c11834c0ff075592e3f051d41068c407db) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 7f3e22355f..1b88a2633e 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -294,8 +294,8 @@ static int swscale(SwsContext *c, const uint8_t *src[], srcStride[2] = srcStride[3] = srcStride[0]; } - srcStride[1] <<= c->vChrDrop; - srcStride[2] <<= c->vChrDrop; + srcStride[1] *= 1 << c->vChrDrop; + srcStride[2] *= 1 << c->vChrDrop; DEBUG_BUFFERS("swscale() %p[%d] %p[%d] %p[%d] %p[%d] -> %p[%d] %p[%d] %p[%d] %p[%d]\n", src[0], srcStride[0], src[1], srcStride[1], From 65d9d164da20ac95d54d35f558e1e101c1f8a6a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0800/1764] swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template() Fixes: Invalid shifts Fixes: #8320 Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 7b7f97532b2ac8836d8d8e3c71dd026e35ae1ca7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index f30bce8dd3..c1d07b427d 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1877,7 +1877,7 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, if (uvalpha < 2048) { int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; + int Y = buf0[i] * 4; int U = (ubuf0[i] - (128<<7)) * 4; int V = (vbuf0[i] - (128<<7)) * 4; @@ -1894,9 +1894,9 @@ yuv2rgb_full_1_c_template(SwsContext *c, const int16_t *buf0, const int16_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0; //init to silence warning for (i = 0; i < dstW; i++) { - int Y = buf0[i] << 2; - int U = (ubuf0[i] + ubuf1[i] - (128<<8)) << 1; - int V = (vbuf0[i] + vbuf1[i] - (128<<8)) << 1; + int Y = buf0[i] * 4; + int U = (ubuf0[i] + ubuf1[i] - (128<<8)) * 2; + int V = (vbuf0[i] + vbuf1[i] - (128<<8)) * 2; if (hasAlpha) { A = (abuf0[i] + 64) >> 7; From 4e1480a4e85e9b8212d74ba9c7a51cd842dd0070 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Jan 2020 22:52:19 +0100 Subject: [PATCH 0801/1764] swscale/input: Fix several invalid shifts related to rgb2yuv constants Fixes: Invalid shifts Fixes: #8140 Fixes: #8146 Signed-off-by: Michael Niedermayer (cherry picked from commit d48e510124d0fea24e2ec27271687c92e4428a18) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index bb2f4933ec..3d365d54ac 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -286,8 +286,8 @@ static av_always_inline void rgb16_32ToUV_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh; + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh); const unsigned rnd = (256u<<((S)-1)) + (1<<(S-7)); int i; @@ -314,8 +314,8 @@ static av_always_inline void rgb16_32ToUV_half_c_template(int16_t *dstU, int gsh, int bsh, int S, int32_t *rgb2yuv) { - const int ru = rgb2yuv[RU_IDX] << rsh, gu = rgb2yuv[GU_IDX] << gsh, bu = rgb2yuv[BU_IDX] << bsh, - rv = rgb2yuv[RV_IDX] << rsh, gv = rgb2yuv[GV_IDX] << gsh, bv = rgb2yuv[BV_IDX] << bsh, + const int ru = rgb2yuv[RU_IDX] * (1 << rsh), gu = rgb2yuv[GU_IDX] * (1 << gsh), bu = rgb2yuv[BU_IDX] * (1 << bsh), + rv = rgb2yuv[RV_IDX] * (1 << rsh), gv = rgb2yuv[GV_IDX] * (1 << gsh), bv = rgb2yuv[BV_IDX] * (1 << bsh), maskgx = ~(maskr | maskb); const unsigned rnd = (256U<<(S)) + (1<<(S-6)); int i; From bd8633d4d3e194a7b018ae081674b4f06890013a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 20:45:06 +0100 Subject: [PATCH 0802/1764] avfilter/vf_find_rect: Increase worst case score score could be 1.0 which lead to uninitialized values Signed-off-by: Michael Niedermayer (cherry picked from commit 6ff2474e02200dce7abdea3fd211fcaf49691c2c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_find_rect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index d7e6579af7..458252a7ba 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c @@ -159,7 +159,7 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, if (pass + 1 <= maxpass) { int sub_x, sub_y; - search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 1.0); + search(foc, pass+1, maxpass, xmin>>1, (xmax+1)>>1, ymin>>1, (ymax+1)>>1, &sub_x, &sub_y, 2.0); xmin = FFMAX(xmin, 2*sub_x - 4); xmax = FFMIN(xmax, 2*sub_x + 4); ymin = FFMAX(ymin, 2*sub_y - 4); @@ -198,7 +198,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) FFMIN(foc->xmax, foc->last_x + 8), FFMAX(foc->ymin, foc->last_y - 8), FFMIN(foc->ymax, foc->last_y + 8), - &best_x, &best_y, 1.0); + &best_x, &best_y, 2.0); best_score = search(foc, 0, foc->mipmaps - 1, foc->xmin, foc->xmax, foc->ymin, foc->ymax, &best_x, &best_y, best_score); From cb9ec725c31dc8d3a7e1fe165a8dbdcc1ec4e935 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 20:45:07 +0100 Subject: [PATCH 0803/1764] avfilter/vf_find_rect: Remove assert A score of 0 is possible Fixes: Ticket8500 Reviewed-by: Paul B Mahol Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit dfc471488675aa257183745502d0074055db3bd2) Signed-off-by: Michael Niedermayer --- libavfilter/vf_find_rect.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavfilter/vf_find_rect.c b/libavfilter/vf_find_rect.c index 458252a7ba..706e59cefe 100644 --- a/libavfilter/vf_find_rect.c +++ b/libavfilter/vf_find_rect.c @@ -22,7 +22,6 @@ * @todo switch to dualinput */ -#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/opt.h" #include "internal.h" @@ -169,7 +168,6 @@ static float search(FOCContext *foc, int pass, int maxpass, int xmin, int xmax, for (y = ymin; y <= ymax; y++) { for (x = xmin; x <= xmax; x++) { float score = compare(foc->haystack_frame[pass], foc->needle_frame[pass], x, y); - av_assert0(score != 0); if (score < best_score) { best_score = score; *best_x = x; From f2c99c2f882e8da3d47cd1a4e4bebecdd25eba4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Jan 2020 22:11:45 +0100 Subject: [PATCH 0804/1764] avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32() Fixes: Segfault (not reproducable with asm, which made this hard to debug) Fixes: decoding errors Fixes: 19854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5729372837511168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0694b60b7b4892eac1d6e2aca64de9e0cb096486) Signed-off-by: Michael Niedermayer --- libavcodec/x86/diracdsp.asm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/x86/diracdsp.asm b/libavcodec/x86/diracdsp.asm index cc8a26fca5..a18bda113e 100644 --- a/libavcodec/x86/diracdsp.asm +++ b/libavcodec/x86/diracdsp.asm @@ -294,8 +294,9 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h add srcq, mmsize add dstq, mmsize - sub tot_hd, 4 + sub tot_hq, 4 jg .loop_h + lea srcq, [srcq + 4*tot_hq] add r3, strideq dec tot_vd From a45cc681cc53bd7fc3816eaf7b7c67ca7a25d568 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jan 2020 23:24:15 +0100 Subject: [PATCH 0805/1764] avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM IFF-PBM-HAM6 can read out of array without this overallocation Fixes: Out of array read Fixes: 19752/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5675331403120640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8652f4e7a15e56fadf9697188c1ed42c9981db82) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index a03f80ce53..72e3ae73b2 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -332,13 +332,17 @@ static int extract_header(AVCodecContext *const avctx, int i, count = FFMIN(palette_size / 3, 1 << s->ham); int ham_count; const uint8_t *const palette = avctx->extradata + AV_RB16(avctx->extradata); + int extra_space = 1; + + if (avctx->codec_tag == MKTAG('P', 'B', 'M', ' ') && s->ham == 4) + extra_space = 4; s->ham_buf = av_malloc((s->planesize * 8) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_buf) return AVERROR(ENOMEM); ham_count = 8 * (1 << s->ham); - s->ham_palbuf = av_malloc((ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); + s->ham_palbuf = av_malloc(extra_space * (ham_count << !!(s->masking == MASK_HAS_MASK)) * sizeof (uint32_t) + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->ham_palbuf) { av_freep(&s->ham_buf); return AVERROR(ENOMEM); From 6452023550c15dde16efde5d8a62a65d7532115a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2020 22:32:04 +0100 Subject: [PATCH 0806/1764] avcodec/rawdec: Use linesize in b64a Fixes: out of array access Fixes: 19750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RAWVIDEO_fuzzer-5074834119983104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b5b9d5dac9a3525d7330662724c0e9045078bfb) Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 2314809ea7..75928167d6 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -465,10 +465,13 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, avctx->pix_fmt == AV_PIX_FMT_RGBA64BE) { uint8_t *dst = frame->data[0]; uint64_t v; - int x; - for (x = 0; x >> 3 < avctx->width * avctx->height; x += 8) { - v = AV_RB64(&dst[x]); - AV_WB64(&dst[x], v << 16 | v >> 48); + int x, y; + for (y = 0; y < avctx->height; y++) { + for (x = 0; x >> 3 < avctx->width; x += 8) { + v = AV_RB64(&dst[x]); + AV_WB64(&dst[x], v << 16 | v >> 48); + } + dst += frame->linesize[0]; } } From 1dc21175138b31e70a862b58f761efb02c22676f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jan 2020 20:43:05 +0100 Subject: [PATCH 0807/1764] avcodec/smacker: Check space before decoding type Fixes: Timeout (232sec -> 280ms) Fixes: 19682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5654129649385472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6f5c18da5977a3214e1ea30e6b0c0d9d858ce83d) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 8503fee5ec..6e6aa34d29 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -384,6 +384,8 @@ static av_always_inline int smk_get_code(GetBitContext *gb, int *recode, int *la int v; while(*table & SMK_NODE) { + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(gb)) table += (*table) & (~SMK_NODE); table++; @@ -448,6 +450,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, uint16_t pix; type = smk_get_code(&gb, smk->type_tbl, smk->type_last); + if (type < 0) + return type; run = block_runs[(type >> 2) & 0x3F]; switch(type & 3){ case SMK_BLK_MONO: From 848a93b8c8e98e9300f1d8b2a45a50e60c24d15d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Dec 2019 20:55:16 +0100 Subject: [PATCH 0808/1764] avcodec/apedec: Fix undefined integer overflow in decode_array_0000() Fixes: signed integer overflow: -2143289344 - 6246400 cannot be represented in type 'int' Fixes: 19239/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5173755680915456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a3655bb02c21e70573335e9396632f64b2589536) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 95bcc0c413..19678a3ef0 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -610,7 +610,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb, ksummin = rice->k ? (1 << rice->k + 6) : 0; for (; i < blockstodecode; i++) { out[i] = get_rice_ook(&ctx->gb, rice->k); - rice->ksum += out[i] - out[i - 64]; + rice->ksum += out[i] - (unsigned)out[i - 64]; while (rice->ksum < ksummin) { rice->k--; ksummin = rice->k ? ksummin >> 1 : 0; From 05cafd2a0e4757733701161b74fb8e4fb7eab4d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2020 02:06:36 +0100 Subject: [PATCH 0809/1764] avcodec/wmalosslessdec: Fix multiple integer overflows Fixes: left shift of 3329 by 20 places cannot be represented in type 'int' Fixes: signed integer overflow: -199378355 + -1948950833 cannot be represented in type 'int' Fixes: 19837/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5752565837070336 Fixes: 19839/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5767483265122304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 422202516cfb6239abb4e20db9f628f3899a76e2) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 220488df3c..c72b9fdc05 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -535,7 +535,8 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size) i++; } for (; i < tile_size; i++) { - int quo = 0, rem, rem_bits, residue; + int rem, rem_bits; + unsigned quo = 0, residue; while(get_bits1(&s->gb)) { quo++; if (get_bits_left(&s->gb) <= 0) @@ -774,7 +775,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ From b20f8759cd8cd03b5e81845d7a35d78a9aeb1243 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 Jan 2020 12:09:08 +0100 Subject: [PATCH 0810/1764] avformat/mov: Check STCO location Fixes: bypassing of checks and assertion failure Fixes: asan_1003879.mp4 Found-by: Clusterfuzz + asan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 1cd41840208bce7e690a4ccc48077567418a0aa8) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9d6aa5b01b..03177b496d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1771,6 +1771,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVStreamContext *sc; unsigned int i, entries; + if (c->trak_index < 0) { + av_log(c->fc, AV_LOG_WARNING, "STCO outside TRAK\n"); + return 0; + } if (c->fc->nb_streams < 1) return 0; st = c->fc->streams[c->fc->nb_streams-1]; From 06f3cea696d863361ad524e6ec394eb04bbaa11b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2020 22:04:06 +0100 Subject: [PATCH 0811/1764] avcodec/x86/diracdsp: Fix high bits on Windows x86_64 Found-by: james (cherry picked from commit 24af459d1e568fd134476f305f4fba23bf2c386a) Signed-off-by: Michael Niedermayer --- libavcodec/x86/diracdsp.asm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/diracdsp.asm b/libavcodec/x86/diracdsp.asm index a18bda113e..17145baf87 100644 --- a/libavcodec/x86/diracdsp.asm +++ b/libavcodec/x86/diracdsp.asm @@ -274,7 +274,7 @@ cglobal dequant_subband_32, 7, 7, 4, src, dst, stride, qf, qs, tot_v, tot_h movd m3, qsd SPLATD m2 SPLATD m3 - mov r4, tot_hq + mov r4d, tot_hd mov r3, dstq .loop_v: From 344368df558725e65fb9bf008fd96d0f0e6c1f86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Jan 2020 21:54:22 +0100 Subject: [PATCH 0812/1764] avcodec/avdct: Clear IDCTDSPContext context Fixes use of uninitialized variable and segfault Reviewed-by: Paul B Mahol Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit b82825eba837f7cbb24c1d66e93285d029307417) Signed-off-by: Michael Niedermayer --- libavcodec/avdct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avdct.c b/libavcodec/avdct.c index 80aca8872b..7853f7a226 100644 --- a/libavcodec/avdct.c +++ b/libavcodec/avdct.c @@ -109,7 +109,7 @@ int avcodec_dct_init(AVDCT *dsp) #if CONFIG_IDCTDSP { - IDCTDSPContext idsp; + IDCTDSPContext idsp = {0}; ff_idctdsp_init(&idsp, avctx); COPY(idsp, idct); COPY(idsp, idct_permutation); From afc97ceb22f2e7a04644b826298f1d5793e697bc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 23:25:42 +0100 Subject: [PATCH 0813/1764] avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel() Fixes: left shift of negative value -2 Fixes: 20305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5677196618498048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Jai Luthra Signed-off-by: Michael Niedermayer (cherry picked from commit fcc9f13717c8c3fe08ca5caf957c39e76ea35e4f) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 32a4503b64..12bef3a721 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -79,7 +79,7 @@ void ff_mlp_rematrix_channel(int32_t *samples, if (matrix_noise_shift) { index &= access_unit_size_pow2 - 1; - accum += noise_buffer[index] << (matrix_noise_shift + 7); + accum += noise_buffer[index] * (1 << (matrix_noise_shift + 7)); index += index2; } From 2b57b593b5216f369888aa7672ab4a11b26163ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jan 2020 21:51:11 +0100 Subject: [PATCH 0814/1764] avcodec/snappy: Sanity check bytestream2_get_levarint() Fixes: left shift of 79 by 28 places cannot be represented in type 'int' Fixes: 20202/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5719004081815552 Fixes: 20219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5641738677125120 Fixes: 20389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5680721517871104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be54da2117a6f58c14283f2511e71fda8d3bfe9d) Signed-off-by: Michael Niedermayer --- libavcodec/snappy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snappy.c b/libavcodec/snappy.c index 7900b0f978..f5c4c6578b 100644 --- a/libavcodec/snappy.c +++ b/libavcodec/snappy.c @@ -39,6 +39,8 @@ static int64_t bytestream2_get_levarint(GetByteContext *gb) do { tmp = bytestream2_get_byte(gb); + if (shift > 31 || ((tmp & 127LL) << shift) > INT_MAX) + return AVERROR_INVALIDDATA; val |= (tmp & 127) << shift; shift += 7; } while (tmp & 128); From 7a0317e38cdebd673ea0353843f1e76fe9ade1bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Dec 2019 00:07:50 +0100 Subject: [PATCH 0815/1764] avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF Fixes: left shift of 32 by 28 places cannot be represented in type 'int' Fixes: 19472/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_LXF_fuzzer-5704364320096256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 985d3666f672781152f4b68093740ea6a9888194) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index c52ebcd0d6..482cbbe516 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -501,7 +501,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, dst_int32_t = (int32_t *)frame->extended_data[c]; for (i = 0; i < n; i++) { // extract low 20 bits and expand to 32 bits - *dst_int32_t++ = (src[2] << 28) | + *dst_int32_t++ = ((uint32_t)src[2]<<28) | (src[1] << 20) | (src[0] << 12) | ((src[2] & 0x0F) << 8) | From a344f245c42ff2d47523c8d339c2caed75009e17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 21 Dec 2019 22:27:37 +0100 Subject: [PATCH 0816/1764] avcodec/wmavoice: sanity check block_align This limit is roughly based on the bitreader limit, its likely a much tighter limit could be used Fixes: left shift of 1965039647 by 1 places cannot be represented in type 'int' Fixes: 19545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5695391899320320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6847e22c8c85b80bf1d25ec66f77f7ccbcf43aed) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 4c764a8f01..6f46fe3c8a 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -382,7 +382,7 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx) ctx->extradata_size); return AVERROR_INVALIDDATA; } - if (ctx->block_align <= 0) { + if (ctx->block_align <= 0 || ctx->block_align > (1<<22)) { av_log(ctx, AV_LOG_ERROR, "Invalid block alignment %d.\n", ctx->block_align); return AVERROR_INVALIDDATA; } From 168e6748eeca9ad4b925208e2a35d59e7b009815 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Dec 2019 15:27:44 +0100 Subject: [PATCH 0817/1764] avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response() Fixes: out of array access Fixes: inf is outside the range of representable values of type 'int' Fixes: signed integer overflow: -9223372036854775808 - 1 cannot be represented in type 'long' Fixes: 19316/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5677369365102592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38d37584448731f90977132b838d50ff1a28811b) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 6f46fe3c8a..16a04e3677 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -632,12 +632,14 @@ static void calc_input_response(WMAVoiceContext *s, float *lpcs, for (n = 0; n <= 64; n++) { float pwr; - idx = FFMAX(0, lrint((max - lpcs[n]) * irange) - 1); + idx = lrint((max - lpcs[n]) * irange - 1); + idx = FFMAX(0, idx); pwr = wmavoice_denoise_power_table[s->denoise_strength][idx]; lpcs[n] = angle_mul * pwr; /* 70.57 =~ 1/log10(1.0331663) */ - idx = (pwr * gain_mul - 0.0295) * 70.570526123; + idx = av_clipf((pwr * gain_mul - 0.0295) * 70.570526123, 0, INT_MAX / 2); + if (idx > 127) { // fall back if index falls outside table range coeffs[n] = wmavoice_energy_table[127] * powf(1.0331663, idx - 127); From 57879ec143ee19be638c2f1776a1a2e8c9c15280 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Jan 2020 23:01:12 +0100 Subject: [PATCH 0818/1764] avcodec/dca_lbr: Fix some error codes and error passing Signed-off-by: Michael Niedermayer (cherry picked from commit bfea054a75f17d140f2f171056a801c4c89f6d26) Signed-off-by: Michael Niedermayer --- libavcodec/dca_lbr.c | 162 +++++++++++++++++++++++++------------------ 1 file changed, 93 insertions(+), 69 deletions(-) diff --git a/libavcodec/dca_lbr.c b/libavcodec/dca_lbr.c index 3b50a99cf6..747fdafd3e 100644 --- a/libavcodec/dca_lbr.c +++ b/libavcodec/dca_lbr.c @@ -154,7 +154,7 @@ static int parse_lfe_24(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_24[step_i]; @@ -208,7 +208,7 @@ static int parse_lfe_16(DCALbrDecoder *s) step_i = get_bits(&s->gb, 8); if (step_i > step_max) { av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE step size index\n"); - return -1; + return AVERROR_INVALIDDATA; } step = ff_dca_lfe_step_size_16[step_i]; @@ -246,14 +246,17 @@ static int parse_lfe_16(DCALbrDecoder *s) static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!(s->flags & LBR_FLAG_LFE_PRESENT)) return 0; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Determine bit depth from chunk size if (chunk->len >= 52) @@ -262,7 +265,7 @@ static int parse_lfe_chunk(DCALbrDecoder *s, LBRChunk *chunk) return parse_lfe_16(s); av_log(s->avctx, AV_LOG_ERROR, "LFE chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } static inline int parse_vlc(GetBitContext *s, VLC *vlc, int max_depth) @@ -291,13 +294,13 @@ static int parse_tonal(DCALbrDecoder *s, int group) for (freq = 1;; freq++) { if (get_bits_left(&s->gb) < 1) { av_log(s->avctx, AV_LOG_ERROR, "Tonal group chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = parse_vlc(&s->gb, &ff_dca_vlc_tnl_grp[group], 2); if (diff >= FF_ARRAY_ELEMS(ff_dca_fst_amp)) { av_log(s->avctx, AV_LOG_ERROR, "Invalid tonal frequency diff\n"); - return -1; + return AVERROR_INVALIDDATA; } diff = get_bitsz(&s->gb, diff >> 2) + ff_dca_fst_amp[diff]; @@ -307,7 +310,7 @@ static int parse_tonal(DCALbrDecoder *s, int group) freq += diff - 2; if (freq >> (5 - group) > s->nsubbands * 4 - 6) { av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n"); - return -1; + return AVERROR_INVALIDDATA; } // Main channel @@ -358,19 +361,21 @@ static int parse_tonal(DCALbrDecoder *s, int group) static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) { - int sb, group; + int sb, group, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + + if (ret < 0) + return ret; // Scale factors if (chunk->id == LBR_CHUNK_SCF || chunk->id == LBR_CHUNK_TONAL_SCF) { if (get_bits_left(&s->gb) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Tonal scale factor chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } for (sb = 0; sb < 6; sb++) s->tonal_scf[sb] = get_bits(&s->gb, 6); @@ -378,20 +383,25 @@ static int parse_tonal_chunk(DCALbrDecoder *s, LBRChunk *chunk) // Tonal groups if (chunk->id == LBR_CHUNK_TONAL || chunk->id == LBR_CHUNK_TONAL_SCF) - for (group = 0; group < 5; group++) - if (parse_tonal(s, group) < 0) - return -1; + for (group = 0; group < 5; group++) { + ret = parse_tonal(s, group); + if (ret < 0) + return ret; + } return 0; } static int parse_tonal_group(DCALbrDecoder *s, LBRChunk *chunk) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; return parse_tonal(s, chunk->id); } @@ -404,7 +414,7 @@ static int ensure_bits(GetBitContext *s, int n) { int left = get_bits_left(s); if (left < 0) - return -1; + return AVERROR_INVALIDDATA; if (left < n) { skip_bits_long(s, left); return 1; @@ -433,7 +443,7 @@ static int parse_scale_factors(DCALbrDecoder *s, uint8_t *scf) dist = parse_vlc(&s->gb, &ff_dca_vlc_rsd_apprx, 1) + 1; if (dist > 7 - sf) { av_log(s->avctx, AV_LOG_ERROR, "Invalid scale factor distance\n"); - return -1; + return AVERROR_INVALIDDATA; } if (ensure_bits(&s->gb, 20)) @@ -498,22 +508,26 @@ static int parse_st_code(GetBitContext *s, int min_v) static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { - int ch, sb, sf, nsubbands; + int ch, sb, sf, nsubbands, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (parse_scale_factors(s, s->grid_1_scf[ch1][sb]) < 0) - return -1; - if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + ret = parse_scale_factors(s, s->grid_1_scf[ch1][sb]); + if (ret < 0) + return ret; + if (ch1 != ch2 && ff_dca_grid_1_to_scf[sb] < s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } if (get_bits_left(&s->gb) < 1) @@ -532,7 +546,7 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch if (get_bits_left(&s->gb) < 0) { av_log(s->avctx, AV_LOG_ERROR, "First grid chunk too short\n"); - return -1; + return AVERROR_INVALIDDATA; } // Stereo image for partial mono mode @@ -562,14 +576,16 @@ static int parse_grid_1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch static int parse_grid_1_sec_ch(DCALbrDecoder *s, int ch2) { - int sb, nsubbands; + int sb, nsubbands, ret; // Scale factors nsubbands = ff_dca_scf_to_grid_1[s->nsubbands - 1] + 1; for (sb = 2; sb < nsubbands; sb++) { - if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband - && parse_scale_factors(s, s->grid_1_scf[ch2][sb]) < 0) - return -1; + if (ff_dca_grid_1_to_scf[sb] >= s->min_mono_subband) { + ret = parse_scale_factors(s, s->grid_1_scf[ch2][sb]); + if (ret < 0) + return ret; + } } // Average values for third grid @@ -709,7 +725,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, s->sb_indices[sb] = sb_reorder; } if (sb_reorder >= s->nsubbands) - return -1; + return AVERROR_INVALIDDATA; // Third grid scale factors if (sb == 12) { @@ -731,7 +747,7 @@ static int parse_ts(DCALbrDecoder *s, int ch1, int ch2, quant_level = s->quant_levels[ch1 / 2][sb]; if (!quant_level) - return -1; + return AVERROR_INVALIDDATA; // Time samples for one or both channels if (sb < s->max_mono_subband && sb_reorder >= s->min_mono_subband) { @@ -792,13 +808,14 @@ static int parse_lpc(DCALbrDecoder *s, int ch1, int ch2, int start_sb, int end_s static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { int quant_levels[DCA_LBR_SUBBANDS]; - int sb, ch, ol, st, max_sb, profile; + int sb, ch, ol, st, max_sb, profile, ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; + ret = init_get_bits8(&s->gb, chunk->data, chunk->len); + if (ret < 0) + return ret; // Quantizer profile profile = get_bits(&s->gb, 8); @@ -832,18 +849,20 @@ static int parse_high_res_grid(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int c s->quant_levels[ch1 / 2][sb] = quant_levels[sb]; // LPC for the first two subbands - if (parse_lpc(s, ch1, ch2, 0, 2) < 0) - return -1; + ret = parse_lpc(s, ch1, ch2, 0, 2); + if (ret < 0) + return ret; // Time-samples for the first two subbands of main channel - if (parse_ts(s, ch1, ch2, 0, 2, 0) < 0) - return -1; + ret = parse_ts(s, ch1, ch2, 0, 2, 0); + if (ret < 0) + return ret; // First two bands of the first grid for (sb = 0; sb < 2; sb++) for (ch = ch1; ch <= ch2; ch++) - if (parse_scale_factors(s, s->grid_1_scf[ch][sb]) < 0) - return -1; + if ((ret = parse_scale_factors(s, s->grid_1_scf[ch][sb])) < 0) + return ret; return 0; } @@ -892,39 +911,42 @@ static int parse_grid_2(DCALbrDecoder *s, int ch1, int ch2, static int parse_ts1_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_lpc(s, ch1, ch2, 2, 3) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 2, 4, 0) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 1, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 4, 6, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_lpc(s, ch1, ch2, 2, 3)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 2, 4, 0)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 1, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 4, 6, 0)) < 0) + return ret; return 0; } static int parse_ts2_chunk(DCALbrDecoder *s, LBRChunk *chunk, int ch1, int ch2) { + int ret; + if (!chunk->len) return 0; - if (init_get_bits8(&s->gb, chunk->data, chunk->len) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 1, 3, 0) < 0) - return -1; - if (parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0) < 0) - return -1; + if ((ret = init_get_bits8(&s->gb, chunk->data, chunk->len)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 1, 3, 0)) < 0) + return ret; + if ((ret = parse_ts(s, ch1, ch2, 6, s->max_mono_subband, 0)) < 0) + return ret; if (ch1 != ch2) { - if (parse_grid_1_sec_ch(s, ch2) < 0) - return -1; - if (parse_grid_2(s, ch1, ch2, 0, 3, 1) < 0) - return -1; + if ((ret = parse_grid_1_sec_ch(s, ch2)) < 0) + return ret; + if ((ret = parse_grid_2(s, ch1, ch2, 0, 3, 1)) < 0) + return ret; } - if (parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1) < 0) - return -1; + if ((ret = parse_ts(s, ch1, ch2, s->min_mono_subband, s->nsubbands, 1)) < 0) + return ret; return 0; } @@ -932,11 +954,13 @@ static int init_sample_rate(DCALbrDecoder *s) { double scale = (-1.0 / (1 << 17)) * sqrt(1 << (2 - s->limited_range)); int i, br_per_ch = s->bit_rate_scaled / s->nchannels_total; + int ret; ff_mdct_end(&s->imdct); - if (ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale) < 0) - return -1; + ret = ff_mdct_init(&s->imdct, s->freq_range + 6, 1, scale); + if (ret < 0) + return ret; for (i = 0; i < 32 << s->freq_range; i++) s->window[i] = ff_dca_long_window[i << (2 - s->freq_range)]; @@ -975,7 +999,7 @@ static int alloc_sample_buffer(DCALbrDecoder *s) // Reallocate time sample buffer av_fast_mallocz(&s->ts_buffer, &s->ts_size, nsamples * sizeof(float)); if (!s->ts_buffer) - return -1; + return AVERROR(ENOMEM); ptr = s->ts_buffer + DCA_LBR_TIME_HISTORY; for (ch = 0; ch < s->nchannels; ch++) { @@ -1796,7 +1820,7 @@ av_cold int ff_dca_lbr_init(DCALbrDecoder *s) init_tables(); if (!(s->fdsp = avpriv_float_dsp_alloc(0))) - return -1; + return AVERROR(ENOMEM); s->lbr_rand = 1; return 0; From 4c1c8ea33ec3a6847c9f6c8aa9e5bde0426b18aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Dec 2019 13:48:45 +0100 Subject: [PATCH 0819/1764] avcodec/ralf: Fix integer overflow in apply_lpc() Fixes: signed integer overflow: 2147482897 + 2048 cannot be represented in type 'int' Fixes: 19240/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5743240326414336 Fixes: 19869/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5150136636538880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd313d8cf8368918882b6de0880e44ae25cc7394) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index d8f1803086..15be19b526 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -330,7 +330,7 @@ static void apply_lpc(RALFContext *ctx, int ch, int length, int bits) acc = (acc + bias - 1) >> ctx->filter_bits; acc = FFMAX(acc, min_clip); } else { - acc = (acc + bias) >> ctx->filter_bits; + acc = ((unsigned)acc + bias) >> ctx->filter_bits; acc = FFMIN(acc, max_clip); } audio[i] += acc; From c3e113d705fb8b644e0548496cdd196241d056f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2020 18:35:43 +0100 Subject: [PATCH 0820/1764] avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() Fixes: signed integer overflow: -2147407150 + -1871606 cannot be represented in type 'int' Fixes: 18702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679095417667584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb64a5c6f94981e4a68ad65a6e445557e11c08fc) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 19678a3ef0..3f9a2ce656 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1203,14 +1203,14 @@ static void predictor_decode_mono_3950(APEContext *ctx, int count) A = *decoded0; p->buf[YDELAYA] = currentA; - p->buf[YDELAYA - 1] = p->buf[YDELAYA] - p->buf[YDELAYA - 1]; + p->buf[YDELAYA - 1] = p->buf[YDELAYA] - (unsigned)p->buf[YDELAYA - 1]; predictionA = p->buf[YDELAYA ] * p->coeffsA[0][0] + p->buf[YDELAYA - 1] * p->coeffsA[0][1] + p->buf[YDELAYA - 2] * p->coeffsA[0][2] + p->buf[YDELAYA - 3] * p->coeffsA[0][3]; - currentA = A + (predictionA >> 10); + currentA = A + (unsigned)(predictionA >> 10); p->buf[YADAPTCOEFFSA] = APESIGN(p->buf[YDELAYA ]); p->buf[YADAPTCOEFFSA - 1] = APESIGN(p->buf[YDELAYA - 1]); From b6e15c1156f6ecb78ce805cc7660eb9a060b7f07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Jan 2020 20:12:25 +0100 Subject: [PATCH 0821/1764] avcodec/lagarith: Sanity check scale A value of 24 and above can collaps the range to 0 which would not work. Fixes: Timeout (75sec -> 21sec) Fixes: 18707/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5708950892969984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fb3855342b9e4c577c63b38a7a5a574830a21934) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 0f4aa89486..ff3eded761 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -222,6 +222,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } } + if (scale_factor > 23) + return AVERROR_INVALIDDATA; + rac->scale = scale_factor; /* Fill probability array with cumulative probability for each symbol. */ From 41447fcbcb7f0c4bcc2eb2bf879a0ff8a0eca50d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jan 2020 19:28:36 +0100 Subject: [PATCH 0822/1764] avcodec/wmalosslessdec: Fix loop in revert_acfilter() Fixes: out of array read Fixes: 20059/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5691776237305856 No testcase except the fuzzed one. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5584c0bb945d6010a9d8c22ef3270792022e1761) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c72b9fdc05..b3446cf49a 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -826,8 +826,11 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size) pred >>= scaling; s->channel_residues[ich][i] += (unsigned)pred; } - for (j = 0; j < order; j++) - prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; + for (j = order - 1; j >= 0; j--) + if (tile_size <= j) { + prevvalues[j] = prevvalues[j - tile_size]; + }else + prevvalues[j] = s->channel_residues[ich][tile_size - j - 1]; } } From d60daf43bc7dced5088434a7209a7135830bc811 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jan 2020 19:55:23 +0100 Subject: [PATCH 0823/1764] avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits Fixes: signed integer overflow: -53716100 * 256 cannot be represented in type 'int' Fixes: 20143/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5716604000403456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8a0be93528187721a2414f66abbc252a258afa3) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index b3446cf49a..c02b156f0f 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -995,7 +995,7 @@ static int decode_subframe(WmallDecodeCtx *s) if (s->bits_per_sample == 16) { *s->samples_16[c]++ = (int16_t) s->channel_residues[c][j] * (1 << padding_zeroes); } else { - *s->samples_32[c]++ = s->channel_residues[c][j] * (256 << padding_zeroes); + *s->samples_32[c]++ = s->channel_residues[c][j] * (256U << padding_zeroes); } } } From e4921f409d839a07c90d232ea0629779ee064e1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 22 Jan 2020 23:11:47 +0100 Subject: [PATCH 0824/1764] avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM Fixes: signed integer overflow: -2147479324 + -32568 cannot be represented in type 'int' Fixes: 20103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GREMLIN_DPCM_fuzzer-5667667579240448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1aecad9eae900b9c3054392994d150d5ae572c5) Signed-off-by: Michael Niedermayer --- libavcodec/dpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 7d3934ee35..5958081b66 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -367,7 +367,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, while (output_samples < samples_end) { uint8_t n = bytestream2_get_byteu(&gb); - *output_samples++ = s->sample[idx] += s->array[n]; + *output_samples++ = s->sample[idx] += (unsigned)s->array[n]; idx ^= 1; } } From 89c4c3c9442a86c747dbc09ef906e52a5c8635d5 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Tue, 28 Jan 2020 16:49:14 -0800 Subject: [PATCH 0825/1764] avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index() When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of e2_pts - e1_pts will overflow an int64_t. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit f15007afa90a3eb3639848d9702c1cc3ac3e896b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 8e61ae029d..47e712c252 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2042,6 +2042,8 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) //We could use URLProtocol flags here but as many user applications do not use URLProtocols this would be unreliable const char *proto = avio_find_protocol_name(s->filename); + av_assert0(time_tolerance >= 0); + if (!proto) { av_log(s, AV_LOG_INFO, "Protocol name not provided, cannot determine if input is local or " @@ -2069,7 +2071,7 @@ void ff_configure_buffers_for_index(AVFormatContext *s, int64_t time_tolerance) for (; i2 < st2->nb_index_entries; i2++) { AVIndexEntry *e2 = &st2->index_entries[i2]; int64_t e2_pts = av_rescale_q(e2->timestamp, st2->time_base, AV_TIME_BASE_Q); - if (e2_pts - e1_pts < time_tolerance) + if (e2_pts < e1_pts || e2_pts - (uint64_t)e1_pts < time_tolerance) continue; pos_delta = FFMAX(pos_delta, e1->pos - e2->pos); break; From f6d0260a81cea5dbe385df36d8b63fd237c162c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Feb 2020 23:56:45 +0100 Subject: [PATCH 0826/1764] avcodec/apedec: Fix invalid shift with 24 bps Fixes: left shift of negative value -463 Fixes: 20542/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5688714435231744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8e278672294f28a3feaba0a38460afd51f0fadda) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3f9a2ce656..93e9a18e5d 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] << 8; + *sample24++ = s->decoded[ch][i] * 256; } break; } From 4f04fa75dd07ff51015af61ee7140e5cb4980597 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 22:35:37 +0100 Subject: [PATCH 0827/1764] avfilter/vf_aspect: Fix integer overflow in compute_dar() Fixes: signed integer overflow: 1562273630 * 17 cannot be represented in type 'int' Fixes: Ticket8323 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0c0ca0f244b823238e5a4f5584168e620da84899) Signed-off-by: Michael Niedermayer --- libavfilter/vf_aspect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_aspect.c b/libavfilter/vf_aspect.c index bf30824851..81a7e263d5 100644 --- a/libavfilter/vf_aspect.c +++ b/libavfilter/vf_aspect.c @@ -104,7 +104,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *frame) static inline void compute_dar(AVRational *dar, AVRational sar, int w, int h) { if (sar.num && sar.den) { - av_reduce(&dar->num, &dar->den, sar.num * w, sar.den * h, INT_MAX); + av_reduce(&dar->num, &dar->den, sar.num * (int64_t)w, sar.den * (int64_t)h, INT_MAX); } else { av_reduce(&dar->num, &dar->den, w, h, INT_MAX); } From 49a8960cdce0fcbf1460fe81c46ddc2874d4aa82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 22:56:18 +0100 Subject: [PATCH 0828/1764] fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start() Fixes: signed integer overflow: -9223372036854775808 - 9223372036854775807 cannot be represented in type 'long' Fixes: Ticket8142 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4f4ad33d96a01d82edf56d58599017cb0ae5bfa8) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 0def128650..1706fd0d75 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -4201,7 +4201,8 @@ static int seek_to_start(InputFile *ifile, AVFormatContext *is) ifile->time_base = ist->st->time_base; /* the total duration of the stream, max_pts - min_pts is * the duration of the stream without the last frame */ - duration += ist->max_pts - ist->min_pts; + if (ist->max_pts > ist->min_pts && ist->max_pts - (uint64_t)ist->min_pts < INT64_MAX - duration) + duration += ist->max_pts - ist->min_pts; ifile->time_base = duration_max(duration, &ifile->duration, ist->st->time_base, ifile->time_base); } From aab46bb8d6a06e61d3c3f6c6821c673c17d6c40e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 23:18:25 +0100 Subject: [PATCH 0829/1764] avformat/avidec: Avoid integer overflow in NI switch check Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: Ticket8149 Found-by: Suhwan Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 347920ca2102d762e4713f101a2e75811791e2b3) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index f55d0694fa..962ea83f13 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1523,11 +1523,12 @@ resync: if (!avi->non_interleaved && st->nb_index_entries>1 && avi->index_loaded>1) { int64_t dts= av_rescale_q(pkt->dts, st->time_base, AV_TIME_BASE_Q); - if (avi->dts_max - dts > 2*AV_TIME_BASE) { + if (avi->dts_max < dts) { + avi->dts_max = dts; + } else if (avi->dts_max - (uint64_t)dts > 2*AV_TIME_BASE) { avi->non_interleaved= 1; av_log(s, AV_LOG_INFO, "Switching to NI mode, due to poor interleaving\n"); - }else if (avi->dts_max < dts) - avi->dts_max = dts; + } } return 0; From cdd886b1fb782f17970c7f2caa5bf203eb4dd608 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Feb 2020 23:23:55 +0100 Subject: [PATCH 0830/1764] avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info() Fixes: signed integer overflow: 2045163756 * 2 cannot be represented in type 'int' Fixes: Ticket5132 Found-by: tsmith Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f3d8f517dbc42de8e2f97cc01bf5171bb05fbcc7) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 47e712c252..c561c2089b 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3946,7 +3946,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (int64_t) st->time_base.den) { + <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { From b2c54369feeefb1cb2132909a1b427489d768feb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2020 22:58:12 +0100 Subject: [PATCH 0831/1764] avcodec/qdm2: Check fft_coefs_index Fixes: out of array access Fixes: 20660/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5658290216501248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9fc73bf022eb781eea7f685e2d2e9de4ba8898ca) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 7b9d50b234..657b2da64d 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1334,6 +1334,9 @@ static void qdm2_fft_decode_tones(QDM2Context *q, int duration, if (q->frequency_range > (local_int_14 + 1)) { int sub_packet = (local_int_20 + local_int_28); + if (q->fft_coefs_index + stereo >= FF_ARRAY_ELEMS(q->fft_coefs)) + return; + qdm2_fft_init_coefficient(q, sub_packet, offset, duration, channel, exp, phase); if (stereo) From 8c594a9070375e136230cd2b2718d385f676a8c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Feb 2020 22:26:18 +0100 Subject: [PATCH 0832/1764] avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF Fixes: left shift of 233 by 24 places cannot be represented in type 'int' Fixes: 20736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_LXF_fuzzer-4829212685107200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 051d11f659455f38be7ce40e2dc9d03b082dcd4d) Signed-off-by: Michael Niedermayer --- libavcodec/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index 482cbbe516..f987f03c00 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -507,7 +507,7 @@ static int pcm_decode_frame(AVCodecContext *avctx, void *data, ((src[2] & 0x0F) << 8) | src[1]; // extract high 20 bits and expand to 32 bits - *dst_int32_t++ = (src[4] << 24) | + *dst_int32_t++ = ((uint32_t)src[4]<<24) | (src[3] << 16) | ((src[2] & 0xF0) << 8) | (src[4] << 4) | From fa85195a94f3954565081db6b3156e13fb92b98b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Feb 2020 09:27:27 +0100 Subject: [PATCH 0833/1764] avformat/mvdec: Check stream numbers Fixes: null pointer dereference Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 618a9bea65112a27a106e02ada3ae475cc8ac1ac) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index f7aa4cbaec..025dfe52fb 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -355,6 +355,12 @@ static int mv_read_header(AVFormatContext *avctx) if ((ret = read_table(avctx, NULL, parse_global_var)) < 0) return ret; + if (mv->nb_audio_tracks < 0 || mv->nb_video_tracks < 0 || + (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) { + av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n"); + return AVERROR_INVALIDDATA; + } + if (mv->nb_audio_tracks > 1) { avpriv_request_sample(avctx, "Multiple audio streams support"); return AVERROR_PATCHWELCOME; From 80d6a3c271275a66e6165681e91ac43ad976fa23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 22 Feb 2020 00:42:30 +0100 Subject: [PATCH 0834/1764] avcodec/magicyuv: Check that there are enough lines for interlacing to be possible Fixes: out of array access Fixes: 20763/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5759562508664832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit f8a0e9f9f71cf5650bdc250ff7475e0f7d8e8420) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index cc1c63072b..5ba88dfa47 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -673,6 +673,17 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (s->interlaced) { + if ((s->slice_height >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible slice height\n"); + return AVERROR_INVALIDDATA; + } + if ((avctx->coded_height % s->slice_height) && ((avctx->coded_height % s->slice_height) >> s->vshift[1]) < 2) { + av_log(avctx, AV_LOG_ERROR, "impossible height\n"); + return AVERROR_INVALIDDATA; + } + } + for (i = 0; i < s->planes; i++) { av_fast_malloc(&s->slices[i], &s->slices_size[i], s->nb_slices * sizeof(Slice)); if (!s->slices[i]) From 50a35f078086e5c8aebbfd47677c56e0488a7085 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 Jan 2020 19:07:00 +0100 Subject: [PATCH 0835/1764] avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet() Fixes: assertion failure Fixes: Ticket 8005 Signed-off-by: Michael Niedermayer (cherry picked from commit e5bb48ae5990347dff22fc38ff5a1c1f7f60a1c5) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 1bc5b674b2..6f137fec20 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2247,13 +2247,12 @@ static int parse_pcr(int64_t *ppcr_high, int *ppcr_low, const uint8_t *packet); /* handle one TS packet */ -static int handle_packet(MpegTSContext *ts, const uint8_t *packet) +static int handle_packet(MpegTSContext *ts, const uint8_t *packet, int64_t pos) { MpegTSFilter *tss; int len, pid, cc, expected_cc, cc_ok, afc, is_start, is_discontinuity, has_adaptation, has_payload; const uint8_t *p, *p_end; - int64_t pos; pid = AV_RB16(packet + 1) & 0x1fff; if (pid && discard_pid(ts, pid)) @@ -2310,7 +2309,6 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) if (p >= p_end || !has_payload) return 0; - pos = avio_tell(ts->stream->pb); if (pos >= 0) { av_assert0(pos >= TS_PACKET_SIZE); ts->pos47_full = pos - TS_PACKET_SIZE; @@ -2521,7 +2519,7 @@ static int handle_packets(MpegTSContext *ts, int64_t nb_packets) ret = read_packet(s, packet, ts->raw_packet_size, &data); if (ret != 0) break; - ret = handle_packet(ts, data); + ret = handle_packet(ts, data, avio_tell(s->pb)); finished_reading_packet(s, ts->raw_packet_size); if (ret != 0) break; @@ -2918,7 +2916,7 @@ int avpriv_mpegts_parse_packet(MpegTSContext *ts, AVPacket *pkt, buf++; len--; } else { - handle_packet(ts, buf); + handle_packet(ts, buf, len1 - len + TS_PACKET_SIZE); buf += TS_PACKET_SIZE; len -= TS_PACKET_SIZE; if (ts->stop_parse == 1) From 15ca3c1c8b3d2a2de146ac8feaa826cbb82f6ea8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jan 2020 22:19:48 +0100 Subject: [PATCH 0836/1764] libavformat/avienc: Check bits per sample for PAL8 Fixes: assertion failure Fixes: Ticket 8172 Signed-off-by: Michael Niedermayer (cherry picked from commit 35958782819c00211e247332ab18fbf2f28267e1) Signed-off-by: Michael Niedermayer --- libavformat/avienc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/avienc.c b/libavformat/avienc.c index 483f5b54b1..e02987f615 100644 --- a/libavformat/avienc.c +++ b/libavformat/avienc.c @@ -459,6 +459,14 @@ static int avi_write_header(AVFormatContext *s) && par->format != AV_PIX_FMT_NONE) av_log(s, AV_LOG_ERROR, "%s rawvideo cannot be written to avi, output file will be unreadable\n", av_get_pix_fmt_name(par->format)); + + if (par->format == AV_PIX_FMT_PAL8) { + if (par->bits_per_coded_sample < 0 || par->bits_per_coded_sample > 8) { + av_log(s, AV_LOG_ERROR, "PAL8 with %d bps is not allowed\n", par->bits_per_coded_sample); + return AVERROR(EINVAL); + } + } + break; case AVMEDIA_TYPE_AUDIO: flags = (avi->write_channel_mask == 0) ? FF_PUT_WAV_HEADER_SKIP_CHANNELMASK : 0; From 3a2dfcf3a1f3b601e92db135742c033440499db0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jan 2020 12:50:30 +0100 Subject: [PATCH 0837/1764] avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search() Fixes: Ticket8167 Signed-off-by: Michael Niedermayer (cherry picked from commit e13eee37ee3268b0a985ddc74a9bde0179bd553c) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/motion_est_template.c b/libavcodec/motion_est_template.c index 0c21bbfe1a..63d3301a5b 100644 --- a/libavcodec/motion_est_template.c +++ b/libavcodec/motion_est_template.c @@ -157,8 +157,8 @@ static int no_sub_motion_search(MpegEncContext * s, int src_index, int ref_index, int size, int h) { - (*mx_ptr)<<=1; - (*my_ptr)<<=1; + (*mx_ptr) *= 2; + (*my_ptr) *= 2; return dmin; } From 2e893054bf32b80c32256152f8d4fa7e9d4186ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jan 2020 12:41:41 +0100 Subject: [PATCH 0838/1764] avcodec/mpegaudioenc_template: fix invalid shift of sample Fixes: Ticket8010 Signed-off-by: Michael Niedermayer (cherry picked from commit a2c97a8342fab6393280cc2f0e2ffb39c381d29c) Signed-off-by: Michael Niedermayer --- libavcodec/mpegaudioenc_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudioenc_template.c b/libavcodec/mpegaudioenc_template.c index 93363fe1d2..12f7a098e6 100644 --- a/libavcodec/mpegaudioenc_template.c +++ b/libavcodec/mpegaudioenc_template.c @@ -701,7 +701,7 @@ static void encode_frame(MpegAudioContext *s, /* normalize to P bits */ if (shift < 0) - q1 = sample << (-shift); + q1 = sample * (1 << -shift); else q1 = sample >> shift; q1 = (q1 * mult) >> P; From 51d2137b98592ac43ac700270db14f4546f1aeb3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Dec 2019 22:35:03 +0100 Subject: [PATCH 0839/1764] avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra() Fixes: left shift of negative value -695 Fixes: 19232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5702856963522560 Fixes: 19555/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5741218147598336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c40df2166c7925fc81e1ef22563c2e32124cf1d6) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 4b76428f53..b9bda8a234 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -586,7 +586,7 @@ static inline int mpeg2_fast_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); i = 0; if (s->intra_vlc_format) rl = &ff_rl_mpeg2; From 807af727507ac125c1ec4706d1dad44f67f373c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Mar 2020 22:46:34 +0100 Subject: [PATCH 0840/1764] avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX Fixes: left shift of negative value -1 Fixes: 20859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_PSX_fuzzer-5720391507247104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a11ef68f0a85905e704e503b433f5aa645d59ac) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 3560cae472..787dd5380a 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1667,7 +1667,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, scale = sign_extend(byte, 4); } - scale = scale << 12; + scale = scale * (1 << 12); sample = (int)((scale >> shift) + (c->status[channel].sample1 * xa_adpcm_table[filter][0] + c->status[channel].sample2 * xa_adpcm_table[filter][1]) / 64); } *samples++ = av_clip_int16(sample); From 658085fbcff249da29b45d398d59ea17d8dc06e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Mar 2020 18:25:56 +0100 Subject: [PATCH 0841/1764] avcodec/ffwavesynth: Fix integer overflow in computation of ddphi Fixes: signed integer overflow: 1302123111085380114 - -8319005078741256972 cannot be represented in type 'long' Fixes: 20991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5148554161291264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit c85bf1631823e9089e59a474d5c6c0efc708c507) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index b9c63abb8d..998e1a4ad6 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -281,7 +281,7 @@ static int wavesynth_parse_extradata(AVCodecContext *avc) dphi1 = frac64(f1, (int64_t)avc->sample_rate << 16); dphi2 = frac64(f2, (int64_t)avc->sample_rate << 16); in->dphi0 = dphi1; - in->ddphi = (dphi2 - dphi1) / dt; + in->ddphi = (int64_t)(dphi2 - (uint64_t)dphi1) / dt; if (phi & 0x80000000) { phi &= ~0x80000000; if (phi >= i) From e2d4a434413668e4bff9a53ca8b4d3b3e1182c3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Mar 2020 20:20:44 +0100 Subject: [PATCH 0842/1764] avformat/nsvdec: Fix memleaks on errors while reading the header Fixes: memleaks Fixes: 21084/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5655975492321280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 96c04694550999cc214cae8c4a16d2d7ac0958bc) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 92f7d178f6..4ec0a0e488 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -211,6 +211,7 @@ static const AVCodecTag nsv_codec_audio_tags[] = { //static int nsv_load_index(AVFormatContext *s); static int nsv_read_chunk(AVFormatContext *s, int fill_header); +static int nsv_read_close(AVFormatContext *s); /* try to find something we recognize, and set the state accordingly */ static int nsv_resync(AVFormatContext *s) @@ -492,25 +493,32 @@ static int nsv_read_header(AVFormatContext *s) nsv->ahead[0].data = nsv->ahead[1].data = NULL; for (i = 0; i < NSV_MAX_RESYNC_TRIES; i++) { - if (nsv_resync(s) < 0) - return -1; + err = nsv_resync(s); + if (err < 0) + goto fail; if (nsv->state == NSV_FOUND_NSVF) { err = nsv_parse_NSVf_header(s); if (err < 0) - return err; + goto fail; } /* we need the first NSVs also... */ if (nsv->state == NSV_FOUND_NSVS) { err = nsv_parse_NSVs_header(s); if (err < 0) - return err; + goto fail; break; /* we just want the first one */ } } - if (s->nb_streams < 1) /* no luck so far */ - return -1; + if (s->nb_streams < 1) { /* no luck so far */ + err = AVERROR_INVALIDDATA; + goto fail; + } + /* now read the first chunk, so we can attempt to decode more info */ err = nsv_read_chunk(s, 1); +fail: + if (err < 0) + nsv_read_close(s); av_log(s, AV_LOG_TRACE, "parsed header\n"); return err; From 47b6f07f32afbbbb8f3ddf3b26e9b9eb155ad46d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Mar 2020 17:26:51 +0100 Subject: [PATCH 0843/1764] avformat/asfdec_f: Fix overflow check in get_tag() Fixes: signed integer overflow: 2 * 1210064928 cannot be represented in type 'int' Fixes: 20873/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5761116909338624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit c8140fe7324f264faacf7395b27e12531d1f13f7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 64a0b9d7f2..1d62d4e05e 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -321,8 +321,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int int64_t off = avio_tell(s->pb); #define LEN 22 - if ((unsigned)len >= (UINT_MAX - LEN) / 2) - return; + av_assert0((unsigned)len < (INT_MAX - LEN) / 2); if (!asf->export_xmp && !strncmp(key, "xmp", 3)) goto finish; @@ -712,6 +711,9 @@ static int asf_read_metadata(AVFormatContext *s, int64_t size) value_type = avio_rl16(pb); /* value_type */ value_len = avio_rl32(pb); + if (value_len < 0 || value_len > UINT16_MAX) + return AVERROR_INVALIDDATA; + name_len_utf8 = 2*name_len_utf16 + 1; name = av_malloc(name_len_utf8); if (!name) @@ -857,11 +859,20 @@ static int asf_read_header(AVFormatContext *s) return ret; av_hex_dump_log(s, AV_LOG_DEBUG, pkt.data, pkt.size); av_packet_unref(&pkt); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Protection_Type", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_Key_ID", -1, len, 32); + len= avio_rl32(pb); + if (len > UINT16_MAX) + return AVERROR_INVALIDDATA; get_tag(s, "ASF_License_URL", -1, len, 32); } else if (!ff_guidcmp(&g, &ff_asf_ext_content_encryption)) { av_log(s, AV_LOG_WARNING, From e9b952d2837cca0bfb5b556ffa76f2a7b0903bea Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 14:56:11 -0700 Subject: [PATCH 0844/1764] libavformat/oggdec.c: Check return value from avio_read() If the buffer doesn't contain enough bytes when reading a stream, fail rather than continuing on with unitialized data. Caught by Chromium fuzzers (crbug.com/1054229). Signed-off-by: Michael Niedermayer (cherry picked from commit b7c67b1ae3657058b32b9235119d07529ad5cce1) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 6a05278b52..8794871c80 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -216,7 +216,8 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, int nsegs) uint8_t magic[8]; int64_t pos = avio_tell(s->pb); avio_skip(s->pb, nsegs); - avio_read(s->pb, magic, sizeof(magic)); + if (avio_read(s->pb, magic, sizeof(magic)) != sizeof(magic)) + return AVERROR_INVALIDDATA; avio_seek(s->pb, pos, SEEK_SET); codec = ogg_find_codec(magic, sizeof(magic)); if (!codec) { From c703bdf3c8617016589b2896a3b5e23c2b0c236d Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 14:08:01 -0700 Subject: [PATCH 0845/1764] libavformat/mov.c: Free aes_decrypt to avoid leaking memory Found by Chromium fuzzers (crbug.com/1057205). Signed-off-by: Michael Niedermayer (cherry picked from commit ad91cf1f2f5793db5c6dd7ab9947fcc6d7832607) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 03177b496d..c02b157534 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1019,6 +1019,7 @@ static int mov_read_adrm(MOVContext *c, AVIOContext *pb, MOVAtom atom) sha = av_sha_alloc(); if (!sha) return AVERROR(ENOMEM); + av_free(c->aes_decrypt); c->aes_decrypt = av_aes_alloc(); if (!c->aes_decrypt) { ret = AVERROR(ENOMEM); From 1e61cc5c51357f30f3e5ddcf69868b68afccc407 Mon Sep 17 00:00:00 2001 From: John Rummell Date: Mon, 30 Mar 2020 21:30:33 -0700 Subject: [PATCH 0846/1764] libavformat/amr.c: Check return value from avio_read() If the buffer doesn't contain enough bytes when reading a stream, fail rather than continuing on with initialized data. Caught by Chromium fuzzeras (crbug.com/1065731). Signed-off-by: Michael Niedermayer (cherry picked from commit 5b967f56b6d85f62446836fc8ef64d0dcfcbda17) Signed-off-by: Michael Niedermayer --- libavformat/amr.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/amr.c b/libavformat/amr.c index b5194a2d9e..d6c4b15b8d 100644 --- a/libavformat/amr.c +++ b/libavformat/amr.c @@ -83,13 +83,15 @@ static int amr_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 6); + if (avio_read(pb, header, 6) != 6) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); if (memcmp(header, AMR_header, 6)) { - avio_read(pb, header + 6, 3); + if (avio_read(pb, header + 6, 3) != 3) + return AVERROR_INVALIDDATA; if (memcmp(header, AMRWB_header, 9)) { return -1; } From d33f8f2871d6d3ecdc589cf72a75e04715cc5e33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 20:18:11 +0100 Subject: [PATCH 0847/1764] swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c() Fixes: signed integer overflow: 524280 * 4432 cannot be represented in type 'int' Fixes: ticket8322 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 49ba1879add99d3f64d70d34fb0255c8a49d4b28) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/output.c b/libswscale/output.c index c1d07b427d..6660b14994 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -2062,7 +2062,7 @@ yuv2gbrp16_full_X_c(SwsContext *c, const int16_t *lumFilter, A = -0x40000000; for (j = 0; j < lumFilterSize; j++) - A += alpSrc[j][i] * lumFilter[j]; + A += alpSrc[j][i] * (unsigned)lumFilter[j]; A >>= 1; A += 0x20002000; From 64bee9c2f8479f50fcf61b71b1f0970014621228 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 20:11:52 +0100 Subject: [PATCH 0848/1764] swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input Fixes: signed integer overflow: 1169365504 + 981452800 cannot be represented in type 'int' Fixes: ticket8293 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit e057e83a4ff4c0eeeb78dffe58e21af951c056b6) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 6660b14994..37cd124e21 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1634,9 +1634,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = Y + V*c->yuv2rgb_v2r_coeff; - G = Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From 4a60aa9bd3b759d0956ca7c0948cb12fcb318eba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 Jan 2020 23:42:08 +0100 Subject: [PATCH 0849/1764] avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT Fixes: signed integer overflow: 9223372036854775775 + 128 cannot be represented in type 'long' Fixes: 20054/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5686385113825280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 187161d62f35c8b613c4a6739b0a6dfa9a24da60) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 998e1a4ad6..a446aa2fdf 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -217,7 +217,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) *last = -1; lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); if (ws->pink_need) { - uint64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); + uint64_t pink_ts_cur = (ws->cur_ts + (uint64_t)PINK_UNIT - 1) & ~(PINK_UNIT - 1); uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); From a8ba25defd34795f46ab7034412ae96f00648894 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Jan 2020 23:43:57 +0100 Subject: [PATCH 0850/1764] avcodec/xvididct: Fix integer overflow in MULT() Fixes: signed integer overflow: 23170 * 95058 cannot be represented in type 'int' Fixes: 20295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5800212870463488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ccb576191e91b393041b14917f1b681ec75ed3b) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index d8f3dd7072..14116bd6d3 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -142,7 +142,7 @@ static int idct_row(short *in, const int *const tab, int rnd) #define TAN3 0xAB0E #define SQRT2 0x5A82 -#define MULT(c, x, n) (((c) * (x)) >> (n)) +#define MULT(c, x, n) ((unsigned)((int)((c) * (unsigned)(x)) >> (n))) // 12b version => #define MULT(c,x, n) ((((c) >> 3) * (x)) >> ((n) - 3)) // 12b zero-testing version: From bc624d1853182e16c8704c67d51ea88826a23e4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 22:52:13 +0100 Subject: [PATCH 0851/1764] avcodec/flacdsp_template: Fix invalid shifts in decorrelate Fixes: left shift of negative value -2 Fixes: 20303/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5096829297623040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3935c891e96c0819439da43d1b862652bbbdf065) Signed-off-by: Michael Niedermayer --- libavcodec/flacdsp_template.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/flacdsp_template.c b/libavcodec/flacdsp_template.c index 776c78da71..892418cddc 100644 --- a/libavcodec/flacdsp_template.c +++ b/libavcodec/flacdsp_template.c @@ -66,8 +66,8 @@ static void FUNC(flac_decorrelate_ls_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = a << shift; S(samples, 1, i) = (a - b) << shift; } @@ -80,8 +80,8 @@ static void FUNC(flac_decorrelate_rs_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; - int b = in[1][i]; + unsigned a = in[0][i]; + unsigned b = in[1][i]; S(samples, 0, i) = (a + b) << shift; S(samples, 1, i) = b << shift; } @@ -94,7 +94,7 @@ static void FUNC(flac_decorrelate_ms_c)(uint8_t **out, int32_t **in, int i; for (i = 0; i < len; i++) { - int a = in[0][i]; + unsigned a = in[0][i]; int b = in[1][i]; a -= b >> 1; S(samples, 0, i) = (a + b) << shift; From 63c6e55edf231c2ad4915bad43f862da8be9e0e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Apr 2020 15:37:55 +0200 Subject: [PATCH 0852/1764] avcodec/dpcm: clip exponent into supported range in XAN DPCM Fixes: shift exponent 32 is too large for 32-bit type 'int' Fixes: 21200/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_DPCM_fuzzer-5754704894361600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 20ade59d9633def4ebf84ec170f56367bfb6aa6c) Signed-off-by: Michael Niedermayer --- libavcodec/dpcm.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 5958081b66..c7712ad412 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c @@ -305,9 +305,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data, shift[ch] -= (2 * n); diff = sign_extend((diff &~ 3) << 8, 16); - /* saturate the shifter to a lower limit of 0 */ - if (shift[ch] < 0) - shift[ch] = 0; + /* saturate the shifter to 0..31 */ + shift[ch] = av_clip_uintp2(shift[ch], 5); diff >>= shift[ch]; predictor[ch] += diff; From 3a53f3795084afef052ca46beb51b83ffc89b988 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 2 Apr 2020 22:38:46 +0200 Subject: [PATCH 0853/1764] swscale/yuv2rgb: Fix vertical dither offset with slices Signed-off-by: Michael Niedermayer (cherry picked from commit be3c29e3795cb2499e3b96335286d6a8423c0bcf) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 1fe5abed9c..9b86c4c181 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -138,10 +138,11 @@ const int *sws_getCoefficients(int colorspace) srcStride[2] *= 2; \ } \ for (y = 0; y < srcSliceH; y += 2) { \ + int yd = y + srcSliceY; \ dst_type *dst_1 = \ - (dst_type *)(dst[0] + (y + srcSliceY) * dstStride[0]); \ + (dst_type *)(dst[0] + (yd) * dstStride[0]); \ dst_type *dst_2 = \ - (dst_type *)(dst[0] + (y + srcSliceY + 1) * dstStride[0]); \ + (dst_type *)(dst[0] + (yd + 1) * dstStride[0]); \ dst_type av_unused *r, *g, *b; \ const uint8_t *py_1 = src[0] + y * srcStride[0]; \ const uint8_t *py_2 = py_1 + srcStride[0]; \ @@ -490,8 +491,8 @@ CLOSEYUV2RGBFUNC(8) // r, g, b, dst_1, dst_2 YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; #define PUTRGB8(dst, src, i, o) \ Y = src[2 * i]; \ @@ -520,8 +521,8 @@ YUV2RGBFUNC(yuv2rgb_c_8_ordered_dither, uint8_t, 0) PUTRGB8(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(8, 0) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; LOADCHROMA(0); PUTRGB8(dst_1, py_1, 0, 0); PUTRGB8(dst_2, py_2, 0, 0 + 8); @@ -531,8 +532,8 @@ ENDYUV2RGBLINE(8, 0) PUTRGB8(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(8, 1) - const uint8_t *d32 = ff_dither_8x8_32[y & 7]; - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; + const uint8_t *d32 = ff_dither_8x8_32[yd & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; LOADCHROMA(0); PUTRGB8(dst_1, py_1, 0, 0); PUTRGB8(dst_2, py_2, 0, 0 + 8); @@ -541,8 +542,8 @@ ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; #define PUTRGB4D(dst, src, i, o) \ @@ -573,8 +574,8 @@ YUV2RGBFUNC(yuv2rgb_c_4_ordered_dither, uint8_t, 0) PUTRGB4D(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(4, 0) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; LOADCHROMA(0); PUTRGB4D(dst_1, py_1, 0, 0); @@ -585,8 +586,8 @@ ENDYUV2RGBLINE(4, 0) PUTRGB4D(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(4, 1) - const uint8_t * d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t * d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; int acc; LOADCHROMA(0); PUTRGB4D(dst_1, py_1, 0, 0); @@ -594,8 +595,8 @@ ENDYUV2RGBLINE(4, 1) ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; #define PUTRGB4DB(dst, src, i, o) \ Y = src[2 * i]; \ @@ -623,8 +624,8 @@ YUV2RGBFUNC(yuv2rgb_c_4b_ordered_dither, uint8_t, 0) PUTRGB4DB(dst_2, py_2, 3, 6 + 8); PUTRGB4DB(dst_1, py_1, 3, 6); ENDYUV2RGBLINE(8, 0) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; LOADCHROMA(0); PUTRGB4DB(dst_1, py_1, 0, 0); PUTRGB4DB(dst_2, py_2, 0, 0 + 8); @@ -633,15 +634,15 @@ ENDYUV2RGBLINE(8, 0) PUTRGB4DB(dst_2, py_2, 1, 2 + 8); PUTRGB4DB(dst_1, py_1, 1, 2); ENDYUV2RGBLINE(8, 1) - const uint8_t *d64 = ff_dither_8x8_73[y & 7]; - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d64 = ff_dither_8x8_73[yd & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; LOADCHROMA(0); PUTRGB4DB(dst_1, py_1, 0, 0); PUTRGB4DB(dst_2, py_2, 0, 0 + 8); ENDYUV2RGBFUNC() YUV2RGBFUNC(yuv2rgb_c_1_ordered_dither, uint8_t, 0) - const uint8_t *d128 = ff_dither_8x8_220[y & 7]; + const uint8_t *d128 = ff_dither_8x8_220[yd & 7]; char out_1 = 0, out_2 = 0; g = c->table_gU[128 + YUVRGB_TABLE_HEADROOM] + c->table_gV[128 + YUVRGB_TABLE_HEADROOM]; From e0c13429cacb4d1510081c0153703ff688ced7c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Apr 2020 20:58:52 +0200 Subject: [PATCH 0854/1764] avformat/oggdec: Check for EOF after page header Fixes: Infinite loop Fixes: Ticket8594 Signed-off-by: Michael Niedermayer (cherry picked from commit f1589be9fda00c417f9bcccb55dbbea998ee08ac) Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 8794871c80..58e3bd871a 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -389,6 +389,9 @@ static int ogg_read_page(AVFormatContext *s, int *sid) avio_skip(bc, 8); /* seq, crc */ nsegs = avio_r8(bc); + if (avio_feof(bc)) + return AVERROR_EOF; + idx = ogg_find_stream(ogg, serial); if (idx < 0) { if (data_packets_seen(ogg)) From 4eccd918994d4e2f15b7d38eccb2b2823e7f0bae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Feb 2020 20:02:55 +0100 Subject: [PATCH 0855/1764] avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c() Fixes: signed integer overflow: 2145417478 + 76702564 cannot be represented in type 'int' Fixes: 20313/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734487724130304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abb5762e985f4ce34e97c1b2fa6d1108ce8a881f) Signed-off-by: Michael Niedermayer --- libavcodec/audiodsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/audiodsp.c b/libavcodec/audiodsp.c index 3c7a3a7583..efcb0a8e8a 100644 --- a/libavcodec/audiodsp.c +++ b/libavcodec/audiodsp.c @@ -79,7 +79,7 @@ static void vector_clipf_c(float *dst, const float *src, int len, static int32_t scalarproduct_int16_c(const int16_t *v1, const int16_t *v2, int order) { - int res = 0; + unsigned res = 0; while (order--) res += *v1++ **v2++; From 725a2495f80ff00e678ac0a029f8e93d5b712fc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Feb 2020 23:20:23 +0100 Subject: [PATCH 0856/1764] avcodec/flac_parser: Do not lose header count in find_headers_search() Fixes: Timeout Fixes: out of array access Fixes: 20274/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5649631988154368 Fixes: 19275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5757535722405888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55f9683cf6be97f4b398a7a35ee5bfd1208ac2a5) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 2721286464..fed33087e8 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -216,16 +216,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf, int buf_size uint32_t x; for (i = 0; i < mod_offset; i++) { - if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i); + if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i); + size = FFMAX(size, ret); + } } for (; i < buf_size - 1; i += 4) { x = AV_RB32(buf + i); if (((x & ~(x + 0x01010101)) & 0x80808080)) { for (j = 0; j < 4; j++) { - if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) - size = find_headers_search_validate(fpc, search_start + i + j); + if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) { + int ret = find_headers_search_validate(fpc, search_start + i + j); + size = FFMAX(size, ret); + } } } } From 5c1985f22b7320064e977a3825df24240b88451f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Feb 2020 21:25:33 +0100 Subject: [PATCH 0857/1764] avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs() Fixes: left shift of negative value -14336 Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e30502abe62f741cfef1e7b75048ae86a99a50f) Signed-off-by: Michael Niedermayer --- libavcodec/ac3dec_fixed.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index bd66175d50..1e1edc8964 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -107,29 +107,30 @@ static void scale_coefs ( } } else { shift = -shift; + mul <<= shift; for (i=0; i Date: Sun, 2 Feb 2020 21:01:12 +0100 Subject: [PATCH 0858/1764] avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*() Fixes: signed integer overflow: 40550400 * 128 cannot be represented in type 'int' Fixes: 20331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV40_fuzzer-5676685725007872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 13171ad2e304b2a7d959429527b98c68ec5ea320) Signed-off-by: Michael Niedermayer --- libavcodec/rv40dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 5579bd9bed..2ac791d674 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -385,7 +385,7 @@ static void rv40_weight_func_rnd_ ## size (uint8_t *dst, uint8_t *src1, uint8_t \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (((w2 * src1[i]) >> 9) + ((w1 * src2[i]) >> 9) + 0x10) >> 5;\ + dst[i] = ((((unsigned)w2 * src1[i]) >> 9) + (((unsigned)w1 * src2[i]) >> 9) + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ @@ -397,7 +397,7 @@ static void rv40_weight_func_nornd_ ## size (uint8_t *dst, uint8_t *src1, uint8_ \ for (j = 0; j < size; j++) {\ for (i = 0; i < size; i++)\ - dst[i] = (w2 * src1[i] + w1 * src2[i] + 0x10) >> 5;\ + dst[i] = ((unsigned)w2 * src1[i] + (unsigned)w1 * src2[i] + 0x10) >> 5;\ src1 += stride;\ src2 += stride;\ dst += stride;\ From f0f164f8c535d8785b7d44a6f95f1aa4c8aefa13 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Apr 2020 01:48:47 +0200 Subject: [PATCH 0859/1764] avcodec/pngdec: Pass ret from decode_iccp_chunk() Found while reviewing a patch fixing a similar issue Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 4c7bcaa385e5e5fda0084de2fb823ac25c0deba0) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1faf80108b..c0bb60ecc1 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1287,7 +1287,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('i', 'C', 'C', 'P'): { - if (decode_iccp_chunk(s, length, p) < 0) + if ((ret = decode_iccp_chunk(s, length, p)) < 0) goto fail; break; } From e038ecf7076746752d76f4049968eae646dd830c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Apr 2020 00:03:39 +0200 Subject: [PATCH 0860/1764] avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit bc41a29a5aa3c3dedba0a85b4aeb79a07eeeb1b4) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 72e3ae73b2..76ad63d102 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -715,7 +715,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in { const uint8_t *src_end = src + src_size; int x = 0, y = 0, i; - while (src + 5 <= src_end) { + while (src_end - src >= 5) { int opcode; opcode = *(int8_t *)src++; if (opcode >= 0) { From 2f1bf3452262311f58f68bd15e468509fe72e511 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 Apr 2020 00:03:40 +0200 Subject: [PATCH 0861/1764] avcodec/iff: Check length before memcpy() in decode_deep_rle32() Fixes: out of array read Fixes: 20796/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5111364702175232.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4a33387cb1cd3f4c5036e65e0fdd953c6b5012f) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 76ad63d102..83d0ee524d 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -722,6 +722,8 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in int size = opcode + 1; for (i = 0; i < size; i++) { int length = FFMIN(size - i, width); + if (src_end - src < length * 4) + return; memcpy(dst + y*linesize + x * 4, src, length * 4); src += length * 4; x += length; From 9ce7c9c463b3f912b234af3dbfe1b4b46c4b443a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Apr 2020 18:24:55 +0200 Subject: [PATCH 0862/1764] avcodec/hevc_mp4toannexb_bsf: Check nalu_size Fixes: Timeout (29sec -> 5ms) Fixes: 20237/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5165615044362240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae2537f53e8ebfa36345241b5b70c0b1aef66dd2) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_mp4toannexb_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index baa93628ed..30f733d775 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -144,6 +144,11 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); + if (nalu_size < 2) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f; /* prepend extradata to IRAP frames */ From 90cbc65f4fe9155b7d8e9d76593426574895ed0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Feb 2020 00:33:40 +0100 Subject: [PATCH 0863/1764] avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture() Fixes: Timeout (105sec -> 1sec) Fixes: 20479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5769846937878528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a9ccc2514da82812584b0e49a30625151d225e9) Signed-off-by: Michael Niedermayer --- libavcodec/intrax8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/intrax8.c b/libavcodec/intrax8.c index d46f97c7a4..f385423dc1 100644 --- a/libavcodec/intrax8.c +++ b/libavcodec/intrax8.c @@ -801,6 +801,8 @@ int ff_intrax8_decode_picture(IntraX8Context *w, Picture *pict, for (w->mb_y = 0; w->mb_y < w->mb_height * 2; w->mb_y++) { x8_init_block_index(w, w->frame); mb_xy = (w->mb_y >> 1) * (w->mb_width + 1); + if (get_bits_left(gb) < 1) + goto error; for (w->mb_x = 0; w->mb_x < w->mb_width * 2; w->mb_x++) { x8_get_prediction(w); if (x8_setup_spatial_predictor(w, 0)) From 96d4183cd292f7908b9f5ddde68cf82491772363 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2020 23:28:33 +0100 Subject: [PATCH 0864/1764] avcodec/svq1dec: Check that there is data left after the header Fixes: Timeout (21sec -> 255ms) Fixes: 20709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ1_fuzzer-5085075089915904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 55e344ee5aa6f6e04e50bbac457e0ca53433ab75) Signed-off-by: Michael Niedermayer --- libavcodec/svq1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index d3e60c3a4a..b61ae348d2 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -602,6 +602,8 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) if (skip_1stop_8data_bits(bitbuf) < 0) return AVERROR_INVALIDDATA; } + if (get_bits_left(bitbuf) <= 0) + return AVERROR_INVALIDDATA; s->width = width; s->height = height; From 53b2e3268833faa4a0d81fa6fd7bb3164e36ad6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Feb 2020 23:14:16 +0100 Subject: [PATCH 0865/1764] avcodec/txd: Check for input size against the header size. Fixes: Timeout (21sec -> 80ms) Fixes: 20673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TXD_fuzzer-5177453863763968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aeb4e435847e0c970bcb1a835fe5eda17a4e1ce3) Signed-off-by: Michael Niedermayer --- libavcodec/txd.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/txd.c b/libavcodec/txd.c index 8b20475d39..f00ba89e82 100644 --- a/libavcodec/txd.c +++ b/libavcodec/txd.c @@ -43,6 +43,9 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int i, j; int ret; + if (avpkt->size < 88) + return AVERROR_INVALIDDATA; + ff_texturedsp_init(&dxtc); bytestream2_init(&gb, avpkt->data, avpkt->size); From 0e7a8c9665bcef96a084c7118c11773e034872f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2020 00:23:14 +0100 Subject: [PATCH 0866/1764] avcodec/dstdec: Fix integer overflow in read_table() Fixes: signed integer overflow: -16 * 134217879 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5639509530378240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d465a401dd790e2ca126ecb9cbda43f898a492f) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index c548174331..b70e0d27ec 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -155,7 +155,7 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[ for (j = method + 1; j < t->length[i]; j++) { int c, x = 0; for (k = 0; k < method + 1; k++) - x += code_pred_coeff[method][k] * t->coeff[i][j - k - 1]; + x += code_pred_coeff[method][k] * (unsigned)t->coeff[i][j - k - 1]; c = get_sr_golomb_dst(gb, lsb_size); if (x >= 0) c -= (x + 4) / 8; From 6feb24a33699d47d8a748047ed6d0d5fd2194719 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2020 18:09:24 +0100 Subject: [PATCH 0867/1764] libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative Fixes: left shift of negative value -8321365 Fixes: 20506/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-4798062906310656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62e4003780cad60ac1371fef892da08c27069964) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index c02b156f0f..22596bd5f8 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -164,7 +164,7 @@ typedef struct WmallDecodeCtx { int transient_pos[WMALL_MAX_CHANNELS]; int seekable_tile; - int ave_sum[WMALL_MAX_CHANNELS]; + unsigned ave_sum[WMALL_MAX_CHANNELS]; int channel_residues[WMALL_MAX_CHANNELS][WMALL_BLOCK_MAX_SIZE]; From 9ee52de7af57c9da24f20e1383dfbe372233730e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Apr 2020 19:29:39 +0200 Subject: [PATCH 0868/1764] avcodec/alacdsp: Fix invalid shift in append_extra_bits() Fixes: left shift of negative value -1 Fixes: 21390/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-6242539519868928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49ae034b42234486712a02f9b00253a0975cea02) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index ecbaedb067..9996eb4319 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -49,7 +49,7 @@ static void append_extra_bits(int32_t *buffer[2], int32_t *extra_bits_buffer[2], for (ch = 0; ch < channels; ch++) for (i = 0; i < nb_samples; i++) - buffer[ch][i] = (buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i]; + buffer[ch][i] = ((unsigned)buffer[ch][i] << extra_bits) | extra_bits_buffer[ch][i]; } av_cold void ff_alacdsp_init(ALACDSPContext *c) From 264f478274e784aeccd64e639585989def31b3fa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Feb 2020 22:58:08 +0100 Subject: [PATCH 0869/1764] avcodec/vp9dsp_template: Fix integer overflows in idct32_1d() Fixes: signed integer overflow: -193177 * 11585 cannot be represented in type 'int' Fixes: 20557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5704852816789504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e16e3e63f0a96b4e0ec32972c975bc0e339a49d1) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 132 +++++++++++++++++------------------ 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bb54561a60..c3273dd726 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1479,38 +1479,38 @@ itxfm_wrap(16, 6) static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctcoef *out, int pass) { - dctint t0a = ((IN(0) + IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t1a = ((IN(0) - IN(16)) * 11585 + (1 << 13)) >> 14; - dctint t2a = (IN( 8) * 6270 - IN(24) * 15137 + (1 << 13)) >> 14; - dctint t3a = (IN( 8) * 15137 + IN(24) * 6270 + (1 << 13)) >> 14; - dctint t4a = (IN( 4) * 3196 - IN(28) * 16069 + (1 << 13)) >> 14; - dctint t7a = (IN( 4) * 16069 + IN(28) * 3196 + (1 << 13)) >> 14; - dctint t5a = (IN(20) * 13623 - IN(12) * 9102 + (1 << 13)) >> 14; - dctint t6a = (IN(20) * 9102 + IN(12) * 13623 + (1 << 13)) >> 14; - dctint t8a = (IN( 2) * 1606 - IN(30) * 16305 + (1 << 13)) >> 14; - dctint t15a = (IN( 2) * 16305 + IN(30) * 1606 + (1 << 13)) >> 14; - dctint t9a = (IN(18) * 12665 - IN(14) * 10394 + (1 << 13)) >> 14; - dctint t14a = (IN(18) * 10394 + IN(14) * 12665 + (1 << 13)) >> 14; - dctint t10a = (IN(10) * 7723 - IN(22) * 14449 + (1 << 13)) >> 14; - dctint t13a = (IN(10) * 14449 + IN(22) * 7723 + (1 << 13)) >> 14; - dctint t11a = (IN(26) * 15679 - IN( 6) * 4756 + (1 << 13)) >> 14; - dctint t12a = (IN(26) * 4756 + IN( 6) * 15679 + (1 << 13)) >> 14; - dctint t16a = (IN( 1) * 804 - IN(31) * 16364 + (1 << 13)) >> 14; - dctint t31a = (IN( 1) * 16364 + IN(31) * 804 + (1 << 13)) >> 14; - dctint t17a = (IN(17) * 12140 - IN(15) * 11003 + (1 << 13)) >> 14; - dctint t30a = (IN(17) * 11003 + IN(15) * 12140 + (1 << 13)) >> 14; - dctint t18a = (IN( 9) * 7005 - IN(23) * 14811 + (1 << 13)) >> 14; - dctint t29a = (IN( 9) * 14811 + IN(23) * 7005 + (1 << 13)) >> 14; - dctint t19a = (IN(25) * 15426 - IN( 7) * 5520 + (1 << 13)) >> 14; - dctint t28a = (IN(25) * 5520 + IN( 7) * 15426 + (1 << 13)) >> 14; - dctint t20a = (IN( 5) * 3981 - IN(27) * 15893 + (1 << 13)) >> 14; - dctint t27a = (IN( 5) * 15893 + IN(27) * 3981 + (1 << 13)) >> 14; - dctint t21a = (IN(21) * 14053 - IN(11) * 8423 + (1 << 13)) >> 14; - dctint t26a = (IN(21) * 8423 + IN(11) * 14053 + (1 << 13)) >> 14; - dctint t22a = (IN(13) * 9760 - IN(19) * 13160 + (1 << 13)) >> 14; - dctint t25a = (IN(13) * 13160 + IN(19) * 9760 + (1 << 13)) >> 14; - dctint t23a = (IN(29) * 16207 - IN( 3) * 2404 + (1 << 13)) >> 14; - dctint t24a = (IN(29) * 2404 + IN( 3) * 16207 + (1 << 13)) >> 14; + dctint t0a = (dctint)((IN(0) + IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t1a = (dctint)((IN(0) - IN(16)) * 11585U + (1 << 13)) >> 14; + dctint t2a = (dctint)(IN( 8) * 6270U - IN(24) * 15137U + (1 << 13)) >> 14; + dctint t3a = (dctint)(IN( 8) * 15137U + IN(24) * 6270U + (1 << 13)) >> 14; + dctint t4a = (dctint)(IN( 4) * 3196U - IN(28) * 16069U + (1 << 13)) >> 14; + dctint t7a = (dctint)(IN( 4) * 16069U + IN(28) * 3196U + (1 << 13)) >> 14; + dctint t5a = (dctint)(IN(20) * 13623U - IN(12) * 9102U + (1 << 13)) >> 14; + dctint t6a = (dctint)(IN(20) * 9102U + IN(12) * 13623U + (1 << 13)) >> 14; + dctint t8a = (dctint)(IN( 2) * 1606U - IN(30) * 16305U + (1 << 13)) >> 14; + dctint t15a = (dctint)(IN( 2) * 16305U + IN(30) * 1606U + (1 << 13)) >> 14; + dctint t9a = (dctint)(IN(18) * 12665U - IN(14) * 10394U + (1 << 13)) >> 14; + dctint t14a = (dctint)(IN(18) * 10394U + IN(14) * 12665U + (1 << 13)) >> 14; + dctint t10a = (dctint)(IN(10) * 7723U - IN(22) * 14449U + (1 << 13)) >> 14; + dctint t13a = (dctint)(IN(10) * 14449U + IN(22) * 7723U + (1 << 13)) >> 14; + dctint t11a = (dctint)(IN(26) * 15679U - IN( 6) * 4756U + (1 << 13)) >> 14; + dctint t12a = (dctint)(IN(26) * 4756U + IN( 6) * 15679U + (1 << 13)) >> 14; + dctint t16a = (dctint)(IN( 1) * 804U - IN(31) * 16364U + (1 << 13)) >> 14; + dctint t31a = (dctint)(IN( 1) * 16364U + IN(31) * 804U + (1 << 13)) >> 14; + dctint t17a = (dctint)(IN(17) * 12140U - IN(15) * 11003U + (1 << 13)) >> 14; + dctint t30a = (dctint)(IN(17) * 11003U + IN(15) * 12140U + (1 << 13)) >> 14; + dctint t18a = (dctint)(IN( 9) * 7005U - IN(23) * 14811U + (1 << 13)) >> 14; + dctint t29a = (dctint)(IN( 9) * 14811U + IN(23) * 7005U + (1 << 13)) >> 14; + dctint t19a = (dctint)(IN(25) * 15426U - IN( 7) * 5520U + (1 << 13)) >> 14; + dctint t28a = (dctint)(IN(25) * 5520U + IN( 7) * 15426U + (1 << 13)) >> 14; + dctint t20a = (dctint)(IN( 5) * 3981U - IN(27) * 15893U + (1 << 13)) >> 14; + dctint t27a = (dctint)(IN( 5) * 15893U + IN(27) * 3981U + (1 << 13)) >> 14; + dctint t21a = (dctint)(IN(21) * 14053U - IN(11) * 8423U + (1 << 13)) >> 14; + dctint t26a = (dctint)(IN(21) * 8423U + IN(11) * 14053U + (1 << 13)) >> 14; + dctint t22a = (dctint)(IN(13) * 9760U - IN(19) * 13160U + (1 << 13)) >> 14; + dctint t25a = (dctint)(IN(13) * 13160U + IN(19) * 9760U + (1 << 13)) >> 14; + dctint t23a = (dctint)(IN(29) * 16207U - IN( 3) * 2404U + (1 << 13)) >> 14; + dctint t24a = (dctint)(IN(29) * 2404U + IN( 3) * 16207U + (1 << 13)) >> 14; dctint t0 = t0a + t3a; dctint t1 = t1a + t2a; @@ -1545,20 +1545,20 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, dctint t30 = t31a - t30a; dctint t31 = t31a + t30a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; - t17a = ( t30 * 3196 - t17 * 16069 + (1 << 13)) >> 14; - t30a = ( t30 * 16069 + t17 * 3196 + (1 << 13)) >> 14; - t18a = (-(t29 * 16069 + t18 * 3196) + (1 << 13)) >> 14; - t29a = ( t29 * 3196 - t18 * 16069 + (1 << 13)) >> 14; - t21a = ( t26 * 13623 - t21 * 9102 + (1 << 13)) >> 14; - t26a = ( t26 * 9102 + t21 * 13623 + (1 << 13)) >> 14; - t22a = (-(t25 * 9102 + t22 * 13623) + (1 << 13)) >> 14; - t25a = ( t25 * 13623 - t22 * 9102 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; + t17a = (dctint)( t30 * 3196U - t17 * 16069U + (1 << 13)) >> 14; + t30a = (dctint)( t30 * 16069U + t17 * 3196U + (1 << 13)) >> 14; + t18a = (dctint)(-(t29 * 16069U + t18 * 3196U) + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 3196U - t18 * 16069U + (1 << 13)) >> 14; + t21a = (dctint)( t26 * 13623U - t21 * 9102U + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 9102U + t21 * 13623U + (1 << 13)) >> 14; + t22a = (dctint)(-(t25 * 9102U + t22 * 13623U) + (1 << 13)) >> 14; + t25a = (dctint)( t25 * 13623U - t22 * 9102U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1593,18 +1593,18 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30 = t30a + t29a; t31a = t31 + t28; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; - t18a = ( t29 * 6270 - t18 * 15137 + (1 << 13)) >> 14; - t29a = ( t29 * 15137 + t18 * 6270 + (1 << 13)) >> 14; - t19 = ( t28a * 6270 - t19a * 15137 + (1 << 13)) >> 14; - t28 = ( t28a * 15137 + t19a * 6270 + (1 << 13)) >> 14; - t20 = (-(t27a * 15137 + t20a * 6270) + (1 << 13)) >> 14; - t27 = ( t27a * 6270 - t20a * 15137 + (1 << 13)) >> 14; - t21a = (-(t26 * 15137 + t21 * 6270) + (1 << 13)) >> 14; - t26a = ( t26 * 6270 - t21 * 15137 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; + t18a = (dctint)( t29 * 6270U - t18 * 15137U + (1 << 13)) >> 14; + t29a = (dctint)( t29 * 15137U + t18 * 6270U + (1 << 13)) >> 14; + t19 = (dctint)( t28a * 6270U - t19a * 15137U + (1 << 13)) >> 14; + t28 = (dctint)( t28a * 15137U + t19a * 6270U + (1 << 13)) >> 14; + t20 = (dctint)(-(t27a * 15137U + t20a * 6270U) + (1 << 13)) >> 14; + t27 = (dctint)( t27a * 6270U - t20a * 15137U + (1 << 13)) >> 14; + t21a = (dctint)(-(t26 * 15137U + t21 * 6270U) + (1 << 13)) >> 14; + t26a = (dctint)( t26 * 6270U - t21 * 15137U + (1 << 13)) >> 14; t0 = t0a + t15a; t1 = t1a + t14; @@ -1639,14 +1639,14 @@ static av_always_inline void idct32_1d(const dctcoef *in, ptrdiff_t stride, t30a = t30 + t25; t31 = t31a + t24a; - t20 = ((t27a - t20a) * 11585 + (1 << 13)) >> 14; - t27 = ((t27a + t20a) * 11585 + (1 << 13)) >> 14; - t21a = ((t26 - t21 ) * 11585 + (1 << 13)) >> 14; - t26a = ((t26 + t21 ) * 11585 + (1 << 13)) >> 14; - t22 = ((t25a - t22a) * 11585 + (1 << 13)) >> 14; - t25 = ((t25a + t22a) * 11585 + (1 << 13)) >> 14; - t23a = ((t24 - t23 ) * 11585 + (1 << 13)) >> 14; - t24a = ((t24 + t23 ) * 11585 + (1 << 13)) >> 14; + t20 = (dctint)((t27a - t20a) * 11585U + (1 << 13)) >> 14; + t27 = (dctint)((t27a + t20a) * 11585U + (1 << 13)) >> 14; + t21a = (dctint)((t26 - t21 ) * 11585U + (1 << 13)) >> 14; + t26a = (dctint)((t26 + t21 ) * 11585U + (1 << 13)) >> 14; + t22 = (dctint)((t25a - t22a) * 11585U + (1 << 13)) >> 14; + t25 = (dctint)((t25a + t22a) * 11585U + (1 << 13)) >> 14; + t23a = (dctint)((t24 - t23 ) * 11585U + (1 << 13)) >> 14; + t24a = (dctint)((t24 + t23 ) * 11585U + (1 << 13)) >> 14; out[ 0] = t0 + t31; out[ 1] = t1 + t30a; From 77751f605383b9af212bce74c62a6d81c4837b61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Apr 2020 22:58:29 +0200 Subject: [PATCH 0870/1764] avcodec/g2meet: Check tile_width in epic_jb_decode_tile() Fixes: out of array access Fixes: 21469/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5199357982015488 Alternatively the arrays can be made bigger or the index can be clipped. In case a real file with such huge tiles exist we ask the user to upload it. Signed-off-by: Michael Niedermayer (cherry picked from commit 5501bb28ddfa6441dcbf8ea0a964a13aa33f66fe) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 731d29a5d4..7ef275c9fe 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -917,6 +917,11 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, awidth = FFALIGN(tile_width, 16); aheight = FFALIGN(tile_height, 16); + if (tile_width > (1 << FF_ARRAY_ELEMS(c->ec.prev_row_rung))) { + avpriv_request_sample(avctx, "large tile width"); + return AVERROR_INVALIDDATA; + } + if (els_dsize) { int ret, i, j, k; uint8_t tr_r, tr_g, tr_b, *buf; From 997d5b45b58ddb8acdc0cec3e216b238eeb08105 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2020 19:29:44 +0200 Subject: [PATCH 0871/1764] avcodec/pngdec: Check length in fdAT Fixes: 21089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5135981419429888 Fixes: out of array read Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79e5c2ee2bbdf462cabd2113c723dfb613d735c2) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index c0bb60ecc1..9d2c74d758 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1239,7 +1239,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, case MKTAG('f', 'd', 'A', 'T'): if (!CONFIG_APNG_DECODER || avctx->codec_id != AV_CODEC_ID_APNG) goto skip_tag; - if (!decode_next_dat) { + if (!decode_next_dat || length < 4) { ret = AVERROR_INVALIDDATA; goto fail; } From d98833eb792f884b7a8e4f78351824c5059efb7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Apr 2020 00:03:30 +0200 Subject: [PATCH 0872/1764] avformat/mpeg: Decrease score by 1 for files with very little valid data Fixes: 8233/PPY6574574605_cut.mp3 Signed-off-by: Michael Niedermayer (cherry picked from commit 20f7b4dfc9640c910655bd153c6996e9edd42ff0) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 50fe7a1a76..b5e5e95858 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -106,7 +106,7 @@ static int mpegps_probe(AVProbeData *p) if (sys > invalid && sys * 9 <= pspack * 10) return (audio > 12 || vid > 3 || pspack > 2) ? AVPROBE_SCORE_EXTENSION + 2 - : AVPROBE_SCORE_EXTENSION / 2 + 1; // 1 more than mp3 + : AVPROBE_SCORE_EXTENSION / 2 + (audio + vid + pspack > 1); // 1 more than mp3 if (pspack > invalid && (priv1 + vid + audio) * 10 >= pspack * 9) return pspack > 2 ? AVPROBE_SCORE_EXTENSION + 2 : AVPROBE_SCORE_EXTENSION / 2; // 1 more than .mpg From f698ec9a2398e5ffd16090d3ad59f9463fdec467 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Apr 2020 20:27:27 +0200 Subject: [PATCH 0873/1764] avformat/thp: Require a video stream The demuxer code assumes the existence of a video stream Fixes: assertion failure Fixes: 21512/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5699660783288320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97c78caf3e8f7ec4df3d3123b5e8d0e7541319e6) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 76b9b3820c..38db4da89a 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -145,6 +145,9 @@ static int thp_read_header(AVFormatContext *s) } } + if (!thp->vst) + return AVERROR_INVALIDDATA; + return 0; } From 3168a4aeea7aa3202a8c708c9886dacf9f9cc730 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 13 Feb 2020 20:56:56 +0100 Subject: [PATCH 0874/1764] avcodec/dstdec: Check sample rate Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5735812071424000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5727b1f13f36c4db30d5d0de51640f740edf01e8) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index b70e0d27ec..d8f80bd114 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -85,6 +85,10 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) { + return AVERROR_PATCHWELCOME; + } + avctx->sample_fmt = AV_SAMPLE_FMT_FLT; for (i = 0; i < avctx->channels; i++) From 1974e661b05d7ac7c3962e7ac034c688ce665b88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 11:08:28 +0200 Subject: [PATCH 0875/1764] avcodec/alac: Fix integer overflow with 24/20bps samples Fixes: signed integer overflow: 1020048 * 4096 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5753877751660544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 22e51e95ac97864b3d7b21124eaf8fcce147f61e) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 0d9a83c6bb..d2a2297bf7 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -397,13 +397,13 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, case 20: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] *= 1 << 12; + alac->output_samples_buffer[ch][i] *= 1U << 12; }} break; case 24: { for (ch = 0; ch < channels; ch++) { for (i = 0; i < alac->nb_samples; i++) - alac->output_samples_buffer[ch][i] *= 1 << 8; + alac->output_samples_buffer[ch][i] *= 1U << 8; }} break; } From c7d003e0b7e362d45ac9b53d7aaab1eb2719d1af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 11:34:53 +0200 Subject: [PATCH 0876/1764] avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1 The fixed point integer reference specifies the multiplication used to have 16bit input and clips so we need to clip the input The floating point implementation does not seem to do that. Fixes: signed integer overflow: 6317568 * 410 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5700189272932352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 82d4c7b95ed98d38aa834ef5a8fb1d2ef3901698) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index ab668594d2..617744ec8e 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -600,6 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } + gain = av_clip_int16(gain); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; From 926bec89cc8b4ab2b0a50b74b8d5c9215231dd52 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 12:04:05 +0200 Subject: [PATCH 0877/1764] avcodec/iff: Fix several integer overflows Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5764066459254784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7a92147f87129851c1cc2c15f4ba714b8cf23f71) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 83d0ee524d..fcc5c67430 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1375,11 +1375,10 @@ static void decode_delta_d(uint8_t *dst, opcode--; } } else { - opcode = -opcode; while (opcode && bytestream2_get_bytes_left(&gb) > 0) { bytestream2_put_be32(&pb, bytestream2_get_be32(&gb)); bytestream2_skip_p(&pb, pitch - 4); - opcode--; + opcode++; } } entries--; From 1ddde7f986f3f210debe5a79a7013a9b58acabf0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 19:09:47 +0200 Subject: [PATCH 0878/1764] avcodec/nuv: widen buf_size type Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5740176118906880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ac106bf5625de6aec31a34319298032e988f349) Signed-off-by: Michael Niedermayer --- libavcodec/nuv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 39f4e79ba0..c4e44b7200 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -126,7 +126,7 @@ static int codec_reinit(AVCodecContext *avctx, int width, int height, get_quant_quality(c, quality); if (width != c->width || height != c->height) { // also reserve space for a possible additional header - int buf_size = height * width * 3 / 2 + int64_t buf_size = height * (int64_t)width * 3 / 2 + FFMAX(AV_LZO_OUTPUT_PADDING, AV_INPUT_BUFFER_PADDING_SIZE) + RTJPEG_HEADER_SIZE; if (buf_size > INT_MAX/8) From 14b955ba85aa870c3db0074e78515a05a6f77100 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 20:15:11 +0200 Subject: [PATCH 0879/1764] avcodec/ralf: Fix integer overflow in decode_block() Fixes: signed integer overflow: 289082077 - -2003141111 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5196077752123392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c4330847c104fcf3ef929c1acee33b5b34c20db) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index 15be19b526..a57966a298 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -344,7 +344,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, int len, ch, ret; int dmode, mode[2], bits[2]; int *ch0, *ch1; - int i, t, t2; + int i; + unsigned int t, t2; len = 12 - get_unary(gb, 0, 6); @@ -409,8 +410,8 @@ static int decode_block(AVCodecContext *avctx, GetBitContext *gb, for (i = 0; i < len; i++) { t = ch1[i] + ctx->bias[1]; t2 = ((ch0[i] + ctx->bias[0]) * 2) | (t & 1); - dst0[i] = (t2 + t) / 2; - dst1[i] = (t2 - t) / 2; + dst0[i] = (int)(t2 + t) / 2; + dst1[i] = (int)(t2 - t) / 2; } break; } From 8858e92b7a1d3f51f488790fc0d370c27da7b22c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 21:12:22 +0200 Subject: [PATCH 0880/1764] avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c() Fixes: signed integer overflow: 1931744255 + 252497024 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5763348114440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8627885172cc54db95f86529d134308d4d095054) Signed-off-by: Michael Niedermayer --- libavcodec/ttadsp.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 056a2c7ef1..1d1443aee0 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c @@ -20,9 +20,11 @@ #include "ttadsp.h" #include "config.h" -static void tta_filter_process_c(int32_t *qm, int32_t *dx, int32_t *dl, +static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, int32_t *error, int32_t *in, int32_t shift, int32_t round) { + uint32_t *qm = qmi; + if (*error < 0) { qm[0] -= dx[0]; qm[1] -= dx[1]; qm[2] -= dx[2]; qm[3] -= dx[3]; qm[4] -= dx[4]; qm[5] -= dx[5]; qm[6] -= dx[6]; qm[7] -= dx[7]; From 15062f646646487cb756edcb0fd76b0d67bf2b1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 21:16:59 +0200 Subject: [PATCH 0881/1764] avcodec/utvideodec: Fix integer overflow in decode_plane() Fixes: signed integer overflow: 2147483594 + 142 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5658568101724160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 876cfa67f37e944b0f42cb67b2de4e2e06f52e82) Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 0df91ac2cb..fb29788a02 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -260,7 +260,7 @@ static int decode_plane(UtvideoContext *c, int plane_no, for (i = 0; i < width * step; i += step) { pix = fsym; if (use_pred) { - prev += pix; + prev += (unsigned)pix; pix = prev; } dest[i] = pix; From 9aaf2c77dbd245b6796c54100e13f59dcf625a7c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2020 21:18:58 +0200 Subject: [PATCH 0882/1764] avcodec/iff: Test video_size being non zero Fixes: Out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5658548592967680 Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723561177382912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a035fd88ae7341a05c01f3b393921933e4ea9665) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index fcc5c67430..f094b4b548 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -440,6 +440,8 @@ static av_cold int decode_init(AVCodecContext *avctx) if (avctx->codec_tag == MKTAG('A', 'N', 'I', 'M')) { s->video_size = FFALIGN(avctx->width, 2) * avctx->height * s->bpp; + if (!s->video_size) + return AVERROR_INVALIDDATA; s->video[0] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp); s->video[1] = av_calloc(FFALIGN(avctx->width, 2) * avctx->height, s->bpp); s->pal = av_calloc(256, sizeof(*s->pal)); From 68ecaacbac77c2fe80f5bebfa11445f982fe7492 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 May 2020 22:17:43 +0200 Subject: [PATCH 0883/1764] avcodec/ralf: Check num_blocks before use Fixes: out of array access Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5739471895265280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0c0471075fe52ed31c46e038df4280aef5b67a1) Signed-off-by: Michael Niedermayer --- libavcodec/ralf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c index a57966a298..406326779a 100644 --- a/libavcodec/ralf.c +++ b/libavcodec/ralf.c @@ -482,6 +482,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, init_get_bits(&gb, src + 2, table_size); ctx->num_blocks = 0; while (get_bits_left(&gb) > 0) { + if (ctx->num_blocks >= FF_ARRAY_ELEMS(ctx->block_size)) + return AVERROR_INVALIDDATA; ctx->block_size[ctx->num_blocks] = get_bits(&gb, 13 + avctx->channels); if (get_bits1(&gb)) { ctx->block_pts[ctx->num_blocks] = get_bits(&gb, 9); From 5e4238c3fd5f00df72766db772a77923b531c475 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Feb 2020 21:30:08 +0100 Subject: [PATCH 0884/1764] avcodec/adpcm: Fix integer overflow in ADPCM THP The reference (thp.txt) uses floats so wrap around would seem incorrect. Fixes: signed integer overflow: 1073741824 + 1073741824 cannot be represented in type 'int' Fixes: 20658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_THP_fuzzer-5646302555930624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12b05374f7025167e2c43449ceb8ba3f0a6083f) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 787dd5380a..5c2e8c94e9 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1568,8 +1568,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int byte = bytestream2_get_byteu(&gb); int index = (byte >> 4) & 7; unsigned int exp = byte & 0x0F; - int factor1 = table[ch][index * 2]; - int factor2 = table[ch][index * 2 + 1]; + int64_t factor1 = table[ch][index * 2]; + int64_t factor2 = table[ch][index * 2 + 1]; /* Decode 14 samples. */ for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) { From 4077647a8f9fd9c0a6622bf13bc35138c7dfcd4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Apr 2020 17:05:53 +0200 Subject: [PATCH 0885/1764] avcodec/binkaudio: Fix 2Ghz sample_rate Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 19950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_DCT_fuzzer-5765514337189888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Paul Signed-off-by: Michael Niedermayer (cherry picked from commit f603d10b1e6bb2fbf4dcccc43d3ea2fb911b36ba) Signed-off-by: Michael Niedermayer --- libavcodec/binkaudio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c index fd56d17ca2..21145d4bbe 100644 --- a/libavcodec/binkaudio.c +++ b/libavcodec/binkaudio.c @@ -109,7 +109,7 @@ static av_cold int decode_init(AVCodecContext *avctx) s->frame_len = 1 << frame_len_bits; s->overlap_len = s->frame_len / 16; s->block_size = (s->frame_len - s->overlap_len) * s->channels; - sample_rate_half = (sample_rate + 1) / 2; + sample_rate_half = (sample_rate + 1LL) / 2; if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) s->root = 2.0 / (sqrt(s->frame_len) * 32768.0); else From 57ef3712d7a7197938a7ccc238769f8abb63c99f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 May 2020 12:38:26 +0200 Subject: [PATCH 0886/1764] avformat/mpegts: Shuffle avio_seek This avoids accessing an old, no longer valid buffer. Fixes: out of array access Fixes: crash_audio-2020 Found-by: le wu Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit cd74af14162c803f18e90bb12b52135e893d990c) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 6f137fec20..ca6430de18 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2416,15 +2416,16 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren AVIOContext *pb = s->pb; int c, i; uint64_t pos = avio_tell(pb); - - avio_seek(pb, -FFMIN(seekback, pos), SEEK_CUR); + int64_t back = FFMIN(seekback, pos); //Special case for files like 01c56b0dc1.ts if (current_packet[0] == 0x80 && current_packet[12] == 0x47) { - avio_seek(pb, 12, SEEK_CUR); + avio_seek(pb, 12 - back, SEEK_CUR); return 0; } + avio_seek(pb, -back, SEEK_CUR); + for (i = 0; i < ts->resync_size; i++) { c = avio_r8(pb); if (avio_feof(pb)) From 34c4c9114cc718ab7371ca2cdd2c7bb1115cb18e Mon Sep 17 00:00:00 2001 From: Vitaly Buka Date: Tue, 21 Apr 2020 21:34:19 -0700 Subject: [PATCH 0887/1764] mpeg4videoenc: Don't crash with -fsanitize=bounds Also the patch makes this code consistent with mpeg4videodec.c Signed-off-by: Michael Niedermayer (cherry picked from commit f163d30de2090a7275f1fb8ad69258576f12c1a2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index f6a5992df7..2cd5a8c015 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -104,7 +104,7 @@ static inline void restore_ac_coeffs(MpegEncContext *s, int16_t block[6][64], memcpy(s->block_last_index, zigzag_last_index, sizeof(int) * 6); for (n = 0; n < 6; n++) { - int16_t *ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + int16_t *ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; st[n] = s->intra_scantable.permutated; if (dir[n]) { @@ -143,7 +143,7 @@ static inline int decide_ac_pred(MpegEncContext *s, int16_t block[6][64], score -= get_block_rate(s, block[n], s->block_last_index[n], s->intra_scantable.permutated); - ac_val = s->ac_val[0][0] + s->block_index[n] * 16; + ac_val = &s->ac_val[0][0][0] + s->block_index[n] * 16; ac_val1 = ac_val; if (dir[n]) { const int xy = s->mb_x + s->mb_y * s->mb_stride - s->mb_stride; From c9672ca36330751f6c7455965d61634a94328fe0 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 14 May 2020 15:31:55 -0700 Subject: [PATCH 0888/1764] avformat/mov: Don't allow negative sample sizes. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8d554f15a7a27cfeca81467cc9341a86f784e2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index c02b157534..7d643071c2 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2663,6 +2663,10 @@ static int mov_read_stsz(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) { sc->sample_sizes[i] = get_bits_long(&gb, field_size); + if (sc->sample_sizes[i] < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid sample size %d\n", sc->sample_sizes[i]); + return AVERROR_INVALIDDATA; + } sc->data_size += sc->sample_sizes[i]; } From 42d2468ce4d3e711bf8dc0944eb1f70b767a0d9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Apr 2020 12:04:25 +0200 Subject: [PATCH 0889/1764] avformat/aadec: Check toc_size to contain the minimum to demuxer uses Fixes: out of array access Fixes: stack-buffer-overflow-READ-0x0831fff1 Found-by: GalyCannon Signed-off-by: Michael Niedermayer (cherry picked from commit daa2482871dffa9af12fa6d874a3d2dedd73f42e) Signed-off-by: Michael Niedermayer --- libavformat/aadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aadec.c b/libavformat/aadec.c index fe7a99f827..7327f0df68 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -86,7 +86,7 @@ static int aa_read_header(AVFormatContext *s) avio_skip(pb, 4); // magic string toc_size = avio_rb32(pb); // TOC size avio_skip(pb, 4); // unidentified integer - if (toc_size > MAX_TOC_ENTRIES) + if (toc_size > MAX_TOC_ENTRIES || toc_size < 2) return AVERROR_INVALIDDATA; for (i = 0; i < toc_size; i++) { // read TOC avio_skip(pb, 4); // TOC entry index From 4dd9ae41a2e447e43b89dd814e470215eb20c179 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 18:32:31 +0100 Subject: [PATCH 0890/1764] avformat/swfenc: Fix integer overflow in frame rate handling Fixes: signed integer overflow: 30000299 * 256 cannot be represented in type 'int' Fixes: ticket8184 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 31f956acadd994b8c4e22b714aaffee0f527c827) Signed-off-by: Michael Niedermayer --- libavformat/swfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index cada45ef9a..075d1a3d3e 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -256,7 +256,7 @@ static int swf_write_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid (too large) frame rate %d/%d\n", rate, rate_base); return AVERROR(EINVAL); } - avio_wl16(pb, (rate * 256) / rate_base); /* frame rate */ + avio_wl16(pb, (rate * 256LL) / rate_base); /* frame rate */ swf->duration_pos = avio_tell(pb); avio_wl16(pb, (uint16_t)(DUMMY_DURATION * (int64_t)rate / rate_base)); /* frame count */ From 738e284ff9b53523e467baff8c7eb8c3b1caa447 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Feb 2020 18:51:52 +0100 Subject: [PATCH 0891/1764] avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE Fixes: signed integer overflow: -9223372036854775808 - 45000 cannot be represented in type 'long' Fixes: ticket8187 Found-by: Suhwan Signed-off-by: Michael Niedermayer (cherry picked from commit 9874815b1aadadd7fd19aa6aabb7d9193f2f43d5) Signed-off-by: Michael Niedermayer --- libavformat/mpegenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegenc.c b/libavformat/mpegenc.c index c77c3dfe41..12651bea1a 100644 --- a/libavformat/mpegenc.c +++ b/libavformat/mpegenc.c @@ -1162,7 +1162,7 @@ static int mpeg_mux_write_packet(AVFormatContext *ctx, AVPacket *pkt) if (s->is_dvd) { // min VOBU length 0.4 seconds (mpucoder) if (is_iframe && - (s->packet_number == 0 || + (s->packet_number == 0 || pts != AV_NOPTS_VALUE && (pts - stream->vobu_start_pts >= 36000))) { stream->bytes_to_iframe = av_fifo_size(stream->fifo); stream->align_iframe = 1; From af354a91d33dbf4e18f0a82d317efe504bc3386b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Apr 2020 21:19:13 +0200 Subject: [PATCH 0892/1764] avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr() Fixes: signed integer overflow: -717241856 + -1434459904 cannot be represented in type 'int' Fixes: 21405/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5677143666458624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e9a4c4fe9918220be492a4a9d74c2293fd706be3) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 22596bd5f8..8eb473e3ba 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -793,8 +793,8 @@ static void revert_inter_ch_decorr(WmallDecodeCtx *s, int tile_size) else if (s->is_channel_coded[0] || s->is_channel_coded[1]) { int icoef; for (icoef = 0; icoef < tile_size; icoef++) { - s->channel_residues[0][icoef] -= s->channel_residues[1][icoef] >> 1; - s->channel_residues[1][icoef] += s->channel_residues[0][icoef]; + s->channel_residues[0][icoef] -= (unsigned)(s->channel_residues[1][icoef] >> 1); + s->channel_residues[1][icoef] += (unsigned) s->channel_residues[0][icoef]; } } } From a8b61aaa115128f2c0fcdcd9535b9921dd5ef99b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 May 2020 21:25:17 +0200 Subject: [PATCH 0893/1764] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: -1238335488 + -1003634688 cannot be represented in type 'int' Fixes: 21649/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5112005765890048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 620236e4d2ac46821911b99fa4551868675d4ed9) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 14116bd6d3..360deb3244 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -115,24 +115,24 @@ static int idct_row(short *in, const int *const tab, int rnd) in[6] = a1; } else { const int k = c4 * in[0] + rnd; - const int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; - const int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; - const int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; - const int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; + const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; + const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; + const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; + const unsigned int a3 = k - c2 * in[2] + c4 * in[4] - c6 * in[6]; - const int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; - const int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; - const int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; - const int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; + const unsigned int b0 = c1 * in[1] + c3 * in[3] + c5 * in[5] + c7 * in[7]; + const unsigned int b1 = c3 * in[1] - c7 * in[3] - c1 * in[5] - c5 * in[7]; + const unsigned int b2 = c5 * in[1] - c1 * in[3] + c7 * in[5] + c3 * in[7]; + const unsigned int b3 = c7 * in[1] - c5 * in[3] + c3 * in[5] - c1 * in[7]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } return 1; } From e1f9f5168b6d0ac7dfb7890d61298be226e9af85 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 May 2020 00:04:49 +0200 Subject: [PATCH 0894/1764] avcodec/dsddec: Check channels Fixes: division by zero Fixes: 21677/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_MSBF_fuzzer-5712547983654912 Fixes: 21751/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_LSBF_fuzzer-5197097180856320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2570a8777e7095358b10f679d35641e114a2ab33) Signed-off-by: Michael Niedermayer --- libavcodec/dsddec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dsddec.c b/libavcodec/dsddec.c index 2c5c357acc..a2e038419f 100644 --- a/libavcodec/dsddec.c +++ b/libavcodec/dsddec.c @@ -44,6 +44,9 @@ static av_cold int decode_init(AVCodecContext *avctx) int i; uint8_t silence; + if (!avctx->channels) + return AVERROR_INVALIDDATA; + ff_init_dsd_data(); s = av_malloc_array(sizeof(DSDContext), avctx->channels); From f56853057388f3e0b0550aee2c32a05c332ea08a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 May 2020 00:11:37 +0200 Subject: [PATCH 0895/1764] avcodec/ivi: Clear got_p_frame before decoding a new frame using it Fixes: assertion failure Fixes: 21666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5706468994318336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d633e6a0a61118c9b2d1785d96bdebaa8c38592) Signed-off-by: Michael Niedermayer --- libavcodec/ivi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c index 8b197c64eb..4b32a00b06 100644 --- a/libavcodec/ivi.c +++ b/libavcodec/ivi.c @@ -1174,6 +1174,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPacket pkt; pkt.data = avpkt->data + (get_bits_count(&ctx->gb) >> 3); pkt.size = get_bits_left(&ctx->gb) >> 3; + ctx->got_p_frame = 0; + av_frame_unref(ctx->p_frame); ff_ivi_decode_frame(avctx, ctx->p_frame, &ctx->got_p_frame, &pkt); } } From 979800019983cd398eee78dda0f2cfd4890e933e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 May 2020 00:31:23 +0200 Subject: [PATCH 0896/1764] avcodec/pnmdec: Use unsigned for maxval rescaling Fixes: signed integer overflow: 65535 * 55335 cannot be represented in type 'int' Fixes: 21955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5669206981083136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49459aca47d4803b2188fbf12b758bd2b01e91d7) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 958c5e43b0..2c98e26934 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -132,7 +132,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, init_put_bits(&pb, ptr, linesize); for(j=0; jwidth * components; j++){ unsigned int c=0; - int v=0; + unsigned v=0; if(s->type < 4) while(s->bytestream < s->bytestream_end && (*s->bytestream < '0' || *s->bytestream > '9' )) s->bytestream++; From d08b1cec2cb7bdc4cb09523790d734bf56d105f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Apr 2020 17:05:52 +0200 Subject: [PATCH 0897/1764] avformat/oggparsevorbis: Error out on double init of vp Fixes: memleak Fixes: 19949/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5743636058210304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a3bbc0086aa608cc0465dd14901178d41cfe113) Signed-off-by: Michael Niedermayer --- libavformat/oggparsevorbis.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 572e5169ca..462dd18a3d 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -387,7 +387,12 @@ static int vorbis_header(AVFormatContext *s, int idx) } } } else { - int ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); + int ret; + + if (priv->vp) + return AVERROR_INVALIDDATA; + + ret = fixup_vorbis_headers(s, priv, &st->codecpar->extradata); if (ret < 0) { st->codecpar->extradata_size = 0; return ret; From d36e98b072bbe10cd5a74dc08357f19e1ab90719 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 14:33:58 +0200 Subject: [PATCH 0898/1764] avcodec/h264dec: Disable forced small_padding on flag2 fast Fixes: 20978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5746381832847360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index f29c3f9048..6a28f3a3ae 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -626,7 +626,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) } ret = ff_h2645_packet_split(&h->pkt, buf, buf_size, avctx, h->is_avc, - h->nal_length_size, avctx->codec_id, avctx->flags2 & AV_CODEC_FLAG2_FAST); + h->nal_length_size, avctx->codec_id, 0); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Error splitting the input into NAL units.\n"); From 0f39caec999ff7ee4a3c55df39ec98491e84e462 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 May 2020 00:24:40 +0200 Subject: [PATCH 0899/1764] avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d() Fixes: signed integer overflow: 1080285923 - -1130879337 cannot be represented in type 'int' Fixes: 22002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-6260237310099456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 071e2937236945c168ab99d3e3b01539194466dd) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 144 +++++++++++++++++------------------ 1 file changed, 72 insertions(+), 72 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index c3273dd726..c6944f5ce3 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1378,48 +1378,48 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0 = IN(15) * 16364 + IN(0) * 804; - t1 = IN(15) * 804 - IN(0) * 16364; - t2 = IN(13) * 15893 + IN(2) * 3981; - t3 = IN(13) * 3981 - IN(2) * 15893; - t4 = IN(11) * 14811 + IN(4) * 7005; - t5 = IN(11) * 7005 - IN(4) * 14811; - t6 = IN(9) * 13160 + IN(6) * 9760; - t7 = IN(9) * 9760 - IN(6) * 13160; - t8 = IN(7) * 11003 + IN(8) * 12140; - t9 = IN(7) * 12140 - IN(8) * 11003; - t10 = IN(5) * 8423 + IN(10) * 14053; - t11 = IN(5) * 14053 - IN(10) * 8423; - t12 = IN(3) * 5520 + IN(12) * 15426; - t13 = IN(3) * 15426 - IN(12) * 5520; - t14 = IN(1) * 2404 + IN(14) * 16207; - t15 = IN(1) * 16207 - IN(14) * 2404; + t0 = IN(15) * 16364U + IN(0) * 804U; + t1 = IN(15) * 804U - IN(0) * 16364U; + t2 = IN(13) * 15893U + IN(2) * 3981U; + t3 = IN(13) * 3981U - IN(2) * 15893U; + t4 = IN(11) * 14811U + IN(4) * 7005U; + t5 = IN(11) * 7005U - IN(4) * 14811U; + t6 = IN(9) * 13160U + IN(6) * 9760U; + t7 = IN(9) * 9760U - IN(6) * 13160U; + t8 = IN(7) * 11003U + IN(8) * 12140U; + t9 = IN(7) * 12140U - IN(8) * 11003U; + t10 = IN(5) * 8423U + IN(10) * 14053U; + t11 = IN(5) * 14053U - IN(10) * 8423U; + t12 = IN(3) * 5520U + IN(12) * 15426U; + t13 = IN(3) * 15426U - IN(12) * 5520U; + t14 = IN(1) * 2404U + IN(14) * 16207U; + t15 = IN(1) * 16207U - IN(14) * 2404U; - t0a = (t0 + t8 + (1 << 13)) >> 14; - t1a = (t1 + t9 + (1 << 13)) >> 14; - t2a = (t2 + t10 + (1 << 13)) >> 14; - t3a = (t3 + t11 + (1 << 13)) >> 14; - t4a = (t4 + t12 + (1 << 13)) >> 14; - t5a = (t5 + t13 + (1 << 13)) >> 14; - t6a = (t6 + t14 + (1 << 13)) >> 14; - t7a = (t7 + t15 + (1 << 13)) >> 14; - t8a = (t0 - t8 + (1 << 13)) >> 14; - t9a = (t1 - t9 + (1 << 13)) >> 14; - t10a = (t2 - t10 + (1 << 13)) >> 14; - t11a = (t3 - t11 + (1 << 13)) >> 14; - t12a = (t4 - t12 + (1 << 13)) >> 14; - t13a = (t5 - t13 + (1 << 13)) >> 14; - t14a = (t6 - t14 + (1 << 13)) >> 14; - t15a = (t7 - t15 + (1 << 13)) >> 14; + t0a = (dctint)((1U << 13) + t0 + t8 ) >> 14; + t1a = (dctint)((1U << 13) + t1 + t9 ) >> 14; + t2a = (dctint)((1U << 13) + t2 + t10) >> 14; + t3a = (dctint)((1U << 13) + t3 + t11) >> 14; + t4a = (dctint)((1U << 13) + t4 + t12) >> 14; + t5a = (dctint)((1U << 13) + t5 + t13) >> 14; + t6a = (dctint)((1U << 13) + t6 + t14) >> 14; + t7a = (dctint)((1U << 13) + t7 + t15) >> 14; + t8a = (dctint)((1U << 13) + t0 - t8 ) >> 14; + t9a = (dctint)((1U << 13) + t1 - t9 ) >> 14; + t10a = (dctint)((1U << 13) + t2 - t10) >> 14; + t11a = (dctint)((1U << 13) + t3 - t11) >> 14; + t12a = (dctint)((1U << 13) + t4 - t12) >> 14; + t13a = (dctint)((1U << 13) + t5 - t13) >> 14; + t14a = (dctint)((1U << 13) + t6 - t14) >> 14; + t15a = (dctint)((1U << 13) + t7 - t15) >> 14; - t8 = t8a * 16069 + t9a * 3196; - t9 = t8a * 3196 - t9a * 16069; - t10 = t10a * 9102 + t11a * 13623; - t11 = t10a * 13623 - t11a * 9102; - t12 = t13a * 16069 - t12a * 3196; - t13 = t13a * 3196 + t12a * 16069; - t14 = t15a * 9102 - t14a * 13623; - t15 = t15a * 13623 + t14a * 9102; + t8 = t8a * 16069U + t9a * 3196U; + t9 = t8a * 3196U - t9a * 16069U; + t10 = t10a * 9102U + t11a * 13623U; + t11 = t10a * 13623U - t11a * 9102U; + t12 = t13a * 16069U - t12a * 3196U; + t13 = t13a * 3196U + t12a * 16069U; + t14 = t15a * 9102U - t14a * 13623U; + t15 = t15a * 13623U + t14a * 9102U; t0 = t0a + t4a; t1 = t1a + t5a; @@ -1429,49 +1429,49 @@ static av_always_inline void iadst16_1d(const dctcoef *in, ptrdiff_t stride, t5 = t1a - t5a; t6 = t2a - t6a; t7 = t3a - t7a; - t8a = (t8 + t12 + (1 << 13)) >> 14; - t9a = (t9 + t13 + (1 << 13)) >> 14; - t10a = (t10 + t14 + (1 << 13)) >> 14; - t11a = (t11 + t15 + (1 << 13)) >> 14; - t12a = (t8 - t12 + (1 << 13)) >> 14; - t13a = (t9 - t13 + (1 << 13)) >> 14; - t14a = (t10 - t14 + (1 << 13)) >> 14; - t15a = (t11 - t15 + (1 << 13)) >> 14; + t8a = (dctint)((1U << 13) + t8 + t12) >> 14; + t9a = (dctint)((1U << 13) + t9 + t13) >> 14; + t10a = (dctint)((1U << 13) + t10 + t14) >> 14; + t11a = (dctint)((1U << 13) + t11 + t15) >> 14; + t12a = (dctint)((1U << 13) + t8 - t12) >> 14; + t13a = (dctint)((1U << 13) + t9 - t13) >> 14; + t14a = (dctint)((1U << 13) + t10 - t14) >> 14; + t15a = (dctint)((1U << 13) + t11 - t15) >> 14; - t4a = t4 * 15137 + t5 * 6270; - t5a = t4 * 6270 - t5 * 15137; - t6a = t7 * 15137 - t6 * 6270; - t7a = t7 * 6270 + t6 * 15137; - t12 = t12a * 15137 + t13a * 6270; - t13 = t12a * 6270 - t13a * 15137; - t14 = t15a * 15137 - t14a * 6270; - t15 = t15a * 6270 + t14a * 15137; + t4a = t4 * 15137U + t5 * 6270U; + t5a = t4 * 6270U - t5 * 15137U; + t6a = t7 * 15137U - t6 * 6270U; + t7a = t7 * 6270U + t6 * 15137U; + t12 = t12a * 15137U + t13a * 6270U; + t13 = t12a * 6270U - t13a * 15137U; + t14 = t15a * 15137U - t14a * 6270U; + t15 = t15a * 6270U + t14a * 15137U; out[ 0] = t0 + t2; out[15] = -(t1 + t3); t2a = t0 - t2; t3a = t1 - t3; - out[ 3] = -((t4a + t6a + (1 << 13)) >> 14); - out[12] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[ 3] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[12] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[ 1] = -(t8a + t10a); out[14] = t9a + t11a; t10 = t8a - t10a; t11 = t9a - t11a; - out[ 2] = (t12 + t14 + (1 << 13)) >> 14; - out[13] = -((t13 + t15 + (1 << 13)) >> 14); - t14a = (t12 - t14 + (1 << 13)) >> 14; - t15a = (t13 - t15 + (1 << 13)) >> 14; + out[ 2] = (dctint)((1U << 13) + t12 + t14) >> 14; + out[13] = -((dctint)((1U << 13) + t13 + t15) >> 14); + t14a = (dctint)((1U << 13) + t12 - t14) >> 14; + t15a = (dctint)((1U << 13) + t13 - t15) >> 14; - out[ 7] = ((t2a + t3a) * -11585 + (1 << 13)) >> 14; - out[ 8] = ((t2a - t3a) * 11585 + (1 << 13)) >> 14; - out[ 4] = ((t7 + t6) * 11585 + (1 << 13)) >> 14; - out[11] = ((t7 - t6) * 11585 + (1 << 13)) >> 14; - out[ 6] = ((t11 + t10) * 11585 + (1 << 13)) >> 14; - out[ 9] = ((t11 - t10) * 11585 + (1 << 13)) >> 14; - out[ 5] = ((t14a + t15a) * -11585 + (1 << 13)) >> 14; - out[10] = ((t14a - t15a) * 11585 + (1 << 13)) >> 14; + out[ 7] = (dctint)(-(t2a + t3a) * 11585U + (1 << 13)) >> 14; + out[ 8] = (dctint)( (t2a - t3a) * 11585U + (1 << 13)) >> 14; + out[ 4] = (dctint)( (t7 + t6) * 11585U + (1 << 13)) >> 14; + out[11] = (dctint)( (t7 - t6) * 11585U + (1 << 13)) >> 14; + out[ 6] = (dctint)( (t11 + t10) * 11585U + (1 << 13)) >> 14; + out[ 9] = (dctint)( (t11 - t10) * 11585U + (1 << 13)) >> 14; + out[ 5] = (dctint)(-(t14a + t15a) * 11585U + (1 << 13)) >> 14; + out[10] = (dctint)( (t14a - t15a) * 11585U + (1 << 13)) >> 14; } itxfm_wrap(16, 6) From 762daa3975de652731dacfc2298d2276a50efbba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 May 2020 22:02:56 +0200 Subject: [PATCH 0900/1764] avcodec/wmalosslessdec: Fix integer overflow in mclms_predict() Fixes: signed integer overflow: 2147483636 + 2048 cannot be represented in type 'int' Fixes: 22016/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5109395618004992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c42ed06695848617350a94543823e850f190b3ab) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 8eb473e3ba..78b9b5c1fd 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -679,7 +679,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred) for (i = 0; i < ich; i++) pred[ich] += (uint32_t)s->channel_residues[i][icoef] * s->mclms_coeffs_cur[i + num_channels * ich]; - pred[ich] += (1 << s->mclms_scaling) >> 1; + pred[ich] += (1U << s->mclms_scaling) >> 1; pred[ich] >>= s->mclms_scaling; s->channel_residues[ich][icoef] += (unsigned)pred[ich]; } From 6f6066ef09ae7798e21673e42185419da0fd732b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 May 2020 00:43:46 +0200 Subject: [PATCH 0901/1764] avcodec/hq_hqa: Check info size Fixes: assertion failure Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf28521fee22dbe2f7eeb8ab0306c0fd0802c48a) Signed-off-by: Michael Niedermayer --- libavcodec/hq_hqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index eec2e980b3..8404e80ec8 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, int info_size; bytestream2_skip(&ctx->gbc, 4); info_size = bytestream2_get_le32(&ctx->gbc); - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); return AVERROR_INVALIDDATA; } From 2f51ee968cd821ee170b59333366cbcf2d28241a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jun 2020 22:05:27 +0200 Subject: [PATCH 0902/1764] avcodec/huffyuvdec: Test vertical coordinate more often Fixes: out of array access Fixes: 22892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5135996772679680.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a1223ddc5692772198a02600ecff2545f32b37be) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 17c9679cb4..f6a51c3320 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -988,12 +988,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, left= left_prediction(s, p->data[plane], s->temp[0], w, 0); y = 1; + if (y >= h) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { decode_plane_bitstream(s, w, plane); left = left_prediction(s, p->data[plane] + p->linesize[plane], s->temp[0], w, left); y++; + if (y >= h) + break; } lefttop = p->data[plane][0]; @@ -1105,6 +1109,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } cy = y = 1; + if (y >= height) + break; /* second line is left predicted for interlaced case */ if (s->interlaced) { @@ -1117,6 +1123,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } y++; cy++; + if (y >= height) + break; } /* next 4 pixels are left predicted too */ From 33b0592bfe3b74136285eab01b07be6c05bc0036 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:59:02 +0200 Subject: [PATCH 0903/1764] avcodec/adpcm: XA: Check shift similar to filter Fixes: negative shift Fixes: 22499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5765452130418688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d96bae9c480e020e9f51fabd5642d7ae6020943) Signed-off-by: Michael Niedermayer --- libavcodec/adpcm.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 5c2e8c94e9..9c59e457c6 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -382,6 +382,10 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; @@ -407,10 +411,14 @@ static int xa_decode(AVCodecContext *avctx, int16_t *out0, int16_t *out1, shift = 12 - (in[5+i*2] & 15); filter = in[5+i*2] >> 4; - if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table)) { + if (filter >= FF_ARRAY_ELEMS(xa_adpcm_table) || shift < 0) { avpriv_request_sample(avctx, "unknown XA-ADPCM filter %d", filter); filter=0; } + if (shift < 0) { + avpriv_request_sample(avctx, "unknown XA-ADPCM shift %d", shift); + shift = 0; + } f0 = xa_adpcm_table[filter][0]; f1 = xa_adpcm_table[filter][1]; From d46f466bb7041de84834aac5f1cb210ca3abd1b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:24:04 +0200 Subject: [PATCH 0904/1764] avformat/thp: Check compcount Fixes: out of array access Fixes: 22520/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5100297658826752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ba8484559661dfdbca36dbc17b203f33f62e26c) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 38db4da89a..249c767b20 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -93,6 +93,9 @@ static int thp_read_header(AVFormatContext *s) avio_seek (pb, thp->compoff, SEEK_SET); thp->compcount = avio_rb32(pb); + if (thp->compcount > FF_ARRAY_ELEMS(thp->components)) + return AVERROR_INVALIDDATA; + /* Read the list of component types. */ avio_read(pb, thp->components, 16); From 97181789302302cac633ecb303cc59f88ae8f594 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 May 2020 14:30:43 +0200 Subject: [PATCH 0905/1764] avformat/mlvdec: fail reading a packet with 0 streams Fixes: NULL pointer dereference Fixes: 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5bd5c3108786bf69f108c55c375f1956f67ca7a4) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 6d774a191d..9d14e93396 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) { MlvContext *mlv = avctx->priv_data; AVIOContext *pb; - AVStream *st = avctx->streams[mlv->stream_index]; + AVStream *st; int index, ret; unsigned int size, space; + if (!avctx->nb_streams) + return AVERROR_EOF; + + st = avctx->streams[mlv->stream_index]; if (mlv->pts >= st->duration) return AVERROR_EOF; From 7ba0435959d95212bd673a0ba3dd6dc89923035a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 18:08:57 +0200 Subject: [PATCH 0906/1764] avcodec/lzf: Consider the needed size in reallocation Fixes: NULL pointer dereference Fixes: 22381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-5659879921680384.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 292b9b93a50aa0622e33013de9f2ddc130bef671) Signed-off-by: Michael Niedermayer --- libavcodec/lzf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 5b7526ef18..1e3c86c88c 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c @@ -49,7 +49,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) if (s < LZF_LITERAL_MAX) { s++; if (s > *size - len) { - *size += *size /2; + *size += s + *size /2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; @@ -72,7 +72,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) return AVERROR_INVALIDDATA; if (l > *size - len) { - *size += *size / 2; + *size += l + *size / 2; ret = av_reallocp(buf, *size); if (ret < 0) return ret; From 794d40a500ced454f6fad322b83b4454e7d5b2ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2020 21:35:43 +0200 Subject: [PATCH 0907/1764] avformat/4xm: Cleanup on GET_LIST_HEADER() failure Fixes: memleak Fixes: 23142/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5932860820422656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit a5313ce6542a4ee4112acd260e59bff698f3dddd) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index ead6d2b424..39b30413cf 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -59,8 +59,10 @@ #define GET_LIST_HEADER() \ fourcc_tag = avio_rl32(pb); \ size = avio_rl32(pb); \ - if (fourcc_tag != LIST_TAG) \ - return AVERROR_INVALIDDATA; \ + if (fourcc_tag != LIST_TAG) { \ + ret = AVERROR_INVALIDDATA; \ + goto fail; \ + } \ fourcc_tag = avio_rl32(pb); typedef struct AudioTrack { @@ -210,7 +212,7 @@ static int fourxm_read_header(AVFormatContext *s) unsigned int size; int header_size; FourxmDemuxContext *fourxm = s->priv_data; - unsigned char *header; + unsigned char *header = NULL; int i, ret; fourxm->track_count = 0; From e30f9de0877e3ce4b63ee6377090eec426898200 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 May 2020 00:19:56 +0200 Subject: [PATCH 0908/1764] avcodec/mpeg12dec: Fix got_output This makes got_output consistent with the code in slice_end() which sets the output in slice_end() if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { int ret = av_frame_ref(pict, s->current_picture_ptr->f); ... } else { Fixes: assertion failure Fixes: 22178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5664234440753152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f33a9803a3068ce2d52289fc1db60375dc8b7a5) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index b9bda8a234..bacb645f71 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2473,7 +2473,7 @@ static int decode_chunks(AVCodecContext *avctx, AVFrame *picture, return ret; else if (ret) { // FIXME: merge with the stuff in mpeg_decode_slice - if (s2->last_picture_ptr || s2->low_delay) + if (s2->last_picture_ptr || s2->low_delay || s2->pict_type == AV_PICTURE_TYPE_B) *got_output = 1; } } From 39a986a5c2c171adf574e98c63fddd0bf2238c73 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Thu, 14 May 2020 14:38:07 -0700 Subject: [PATCH 0909/1764] avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bf446711bc8b7f316771870b8d4dc4dd65f5d94b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7d643071c2..ac4d3ceb29 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6505,7 +6505,7 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && - ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && + ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; From 06298dbe8f8739e26cc9830ac9ea1de1877b0fa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 17:45:39 +0200 Subject: [PATCH 0910/1764] avcodec/snowdec: Avoid integer overflow with huge qlog Fixes: integer overflow Fixes: 22285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5682428762128384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38fbf33c7255b503453052c32ab5ae4fb151b29e) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 59bd24e881..504382f589 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -117,7 +117,7 @@ static av_always_inline void predict_slice_buffered(SnowContext *s, slice_buffer static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, slice_buffer * sb, int start_y, int h, int save_state[1]){ const int w= b->width; int y; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int new_index = 0; @@ -224,7 +224,7 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand *b, IDWTELEM *src, int stride, int start_y, int end_y){ const int w= b->width; - const int qlog= av_clip(s->qlog + b->qlog, 0, QROOT*16); + const int qlog= av_clip(s->qlog + (int64_t)b->qlog, 0, QROOT*16); const int qmul= ff_qexp[qlog&(QROOT-1)]<<(qlog>>QSHIFT); const int qadd= (s->qbias*qmul)>>QBIAS_SHIFT; int x,y; From 248048d53f497cff9bb419a9bd400716a70cfc51 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 Jun 2020 19:42:07 +0200 Subject: [PATCH 0911/1764] avcodec/mpeg12dec: remove outdated comments Found-by: Kieran Signed-off-by: Michael Niedermayer (cherry picked from commit 48de8f5816aa54dc584aeb2dbbf63a0e880279e2) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index bacb645f71..c6a56fd5ae 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -220,7 +220,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -396,7 +395,6 @@ end: } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ @@ -558,7 +556,6 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, } /** - * Note: this function can read out of range and crash for corrupt streams. * Changing this would eat up any speed benefits it has. * Do not use "fast" flag if you need the code to be robust. */ From 54b8ce27f45cea0e82f2b13a52f276f8ad26b432 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:47:41 +0200 Subject: [PATCH 0912/1764] avformat/mpl2dec: Fix integer overflow with duration Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a42a67c5ca198a3879b7f3663cc44ccbcaf0bd3) Signed-off-by: Michael Niedermayer --- libavformat/mpl2dec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index dfcdf5a564..0665c4c635 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -55,7 +55,7 @@ static int mpl2_probe(AVProbeData *p) return AVPROBE_SCORE_MAX; } -static int read_ts(char **line, int64_t *pts_start, int *duration) +static int read_ts(char **line, int64_t *pts_start, int64_t *duration) { char c; int len; @@ -69,7 +69,10 @@ static int read_ts(char **line, int64_t *pts_start, int *duration) } if (sscanf(*line, "[%"SCNd64"][%"SCNd64"]%c%n", pts_start, &end, &c, &len) >= 3) { - *duration = end - *pts_start; + if (end < *pts_start || end - (uint64_t)*pts_start > INT64_MAX) { + *duration = -1; + } else + *duration = end - *pts_start; *line += len - 1; return 0; } @@ -97,7 +100,7 @@ static int mpl2_read_header(AVFormatContext *s) const int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line, sizeof(line)); int64_t pts_start; - int duration; + int64_t duration; if (!len) break; From 685a7d671888570dc06d6f60402803d4b059a1aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Jun 2020 09:28:55 +0200 Subject: [PATCH 0913/1764] avformat/thp: Check fps Fixes: division by zero Fixes: 23162/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4856420817436672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e15b01b4e463d12128db2c15de7741637548347) Signed-off-by: Michael Niedermayer --- libavformat/thp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/thp.c b/libavformat/thp.c index 249c767b20..dcf02d4a04 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c @@ -75,6 +75,8 @@ static int thp_read_header(AVFormatContext *s) avio_rb32(pb); /* Max samples. */ thp->fps = av_d2q(av_int2float(avio_rb32(pb)), INT_MAX); + if (thp->fps.den <= 0 || thp->fps.num < 0) + return AVERROR_INVALIDDATA; thp->framecnt = avio_rb32(pb); thp->first_framesz = avio_rb32(pb); pb->maxsize = avio_rb32(pb); From 9765341d648ad24fc598d838a5c140ec673e479c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:14:59 +0200 Subject: [PATCH 0914/1764] avcodec/loco: Fix signed integer overflow in loco_get_rice() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 22975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5658160970072064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa88cdfd90f5da0683cd6556c75a5ba5740a1c27) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e3746c8317..e22d280b96 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -82,7 +82,7 @@ static inline void loco_update_rice_param(RICEContext *r, int val) static inline int loco_get_rice(RICEContext *r) { - int v; + unsigned v; if (r->run > 0) { /* we have zero run */ r->run--; loco_update_rice_param(r, 0); From 58997137b42db3df4fa0a201646ab544d4e02977 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Jun 2020 22:11:23 +0200 Subject: [PATCH 0915/1764] avcodec/wmalosslessdec: Check block_align maximum Fixes: Assertion failure Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 314d10f7a60f1786c85da30a569be61e2b906fef) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 78b9b5c1fd..7251bc0d32 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -184,7 +184,7 @@ static av_cold int decode_init(AVCodecContext *avctx) unsigned int channel_mask; int i, log2_max_num_subframes; - if (avctx->block_align <= 0) { + if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) { av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n"); return AVERROR(EINVAL); } From 91f56dc64738c17d694b817a6f08db3966766446 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 10:48:14 +0200 Subject: [PATCH 0916/1764] avcodec/iff: Fix off by x error Fixes: out of array access Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51225dee0a6266780d26d43bd6802bbcf736327e) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index f094b4b548..6ec2dd60ad 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -723,7 +723,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in if (opcode >= 0) { int size = opcode + 1; for (i = 0; i < size; i++) { - int length = FFMIN(size - i, width); + int length = FFMIN(size - i, width - x); if (src_end - src < length * 4) return; memcpy(dst + y*linesize + x * 4, src, length * 4); From 2f25de29cf4dcde2a03973542effcc16f55c0071 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 11:21:52 +0200 Subject: [PATCH 0917/1764] avcodec/pixlet: Fix log(0) check Fixes: passing zero to clz(), which is not a valid argument Fixes: 23337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5179131989065728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd0f81526d3f4c23ecd0a399829103be2445c011) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index a9cfe085c9..aa7ef55b7d 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -217,7 +217,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i length = 25 - nbits; while (i < size) { - if (state >> 8 != -3) { + if (((state >> 8) + 3) & 0xFFFFFFF) { value = ff_clz((state >> 8) + 3) ^ 0x1F; } else { value = -1; From 78c0117119a9fbd35ecd366d2e9b85a49d6b5261 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Feb 2020 19:56:39 +0100 Subject: [PATCH 0918/1764] avcodec/sonic: Fix several integer overflows Fixes: signed integer overflow: 2129689466 + 2129689466 cannot be represented in type 'int' Fixes: 20715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5155263109922816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75d520e33704447f1b29ac47fd9e40994a6bc659) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 1b16825403..f1bc3409bf 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -140,7 +140,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; @@ -474,7 +475,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * state_value, LATTICE_SHIFT); + x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else @@ -1044,7 +1045,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, x += s->channels; } - s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * quant); + s->int_samples[x] = predictor_calc_error(s->predictor_k, s->predictor_state[ch], s->num_taps, s->coded_samples[ch][i] * (unsigned)quant); x += s->channels; } From b27f5309167234baa45b6979aab7d9e9ab97a1c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Jun 2020 19:24:10 +0200 Subject: [PATCH 0919/1764] avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c() Fixes: signed integer overflow: 2142077091 + 6881070 cannot be represented in type 'int' Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0dfe134beefde4070d43910518b1f4a58f01794) Signed-off-by: Michael Niedermayer --- libavcodec/lossless_audiodsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/lossless_audiodsp.c b/libavcodec/lossless_audiodsp.c index 3a9f9b20bb..378165924d 100644 --- a/libavcodec/lossless_audiodsp.c +++ b/libavcodec/lossless_audiodsp.c @@ -27,7 +27,7 @@ static int32_t scalarproduct_and_madd_int16_c(int16_t *v1, const int16_t *v2, const int16_t *v3, int order, int mul) { - int res = 0; + unsigned res = 0; do { res += *v1 * *v2++; From d9629dcd5d0a445f1a012f357e7eb45d14b63f09 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jun 2020 22:22:57 +0200 Subject: [PATCH 0920/1764] avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv() Fixes: signed integer overflow: -144876608 * 16 cannot be represented in type 'int' Fixes: 22782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6039584977977344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e361785ee05cc75d3caacf2f254160b0336f5358) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d241c58e8a..11cf530cdd 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -551,7 +551,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) dy -= 1 << (shift + a + 1); else dx -= 1 << (shift + a + 1); - mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16; + mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U; sum = 0; for (y = 0; y < 16; y++) { From bd103bd3feee6f0ffaa76975e86712ac7ed06d3e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jun 2020 21:47:03 +0200 Subject: [PATCH 0921/1764] avcodec/ffwavesynth: Avoid undefined operation on ts overflow Alternatively these conditions could be treated as errors Fixes: 23147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5639254549200896 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'int64_t' (aka 'long') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 584d334afd59714ed04637a9227a4f1368c26166) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index a446aa2fdf..8d3ac81aef 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -444,7 +444,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, if (r < 0) return r; pcm = (int16_t *)frame->data[0]; - for (s = 0; s < duration; s++, ts++) { + for (s = 0; s < duration; s++, ts+=(uint64_t)1) { memset(channels, 0, avc->channels * sizeof(*channels)); if (ts >= ws->next_ts) wavesynth_enter_intervals(ws, ts); @@ -452,7 +452,7 @@ static int wavesynth_decode(AVCodecContext *avc, void *rframe, int *rgot_frame, for (c = 0; c < avc->channels; c++) *(pcm++) = channels[c] >> 16; } - ws->cur_ts += duration; + ws->cur_ts += (uint64_t)duration; *rgot_frame = 1; return packet->size; } From 2e3f6afda52d599e70a5b0a29d4d22857054f32a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:51:23 +0200 Subject: [PATCH 0922/1764] avformat/4xm: Check that a video stream was created before returning packets for it Fixes: assertion failure Fixes: 23434/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5227750851084288.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c517c3f4741b6897ea952d1fba199c93c5217cfe) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 39b30413cf..e93095cb09 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -218,6 +218,7 @@ static int fourxm_read_header(AVFormatContext *s) fourxm->track_count = 0; fourxm->tracks = NULL; fourxm->fps = (AVRational){1,1}; + fourxm->video_stream_index = -1; /* skip the first 3 32-bit numbers */ avio_skip(pb, 12); @@ -323,6 +324,8 @@ static int fourxm_read_packet(AVFormatContext *s, case cfr2_TAG: /* allocate 8 more bytes than 'size' to account for fourcc * and size */ + if (fourxm->video_stream_index < 0) + return AVERROR_INVALIDDATA; if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR(EIO); pkt->stream_index = fourxm->video_stream_index; From 73a41531e562b4f0a0a74ab0d0ef23eb3bc3cb36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Jun 2020 19:45:05 +0200 Subject: [PATCH 0923/1764] avformat/mxfdec: free duplicated utf16 strings Fixes: memleak Fixes: 23415/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5124814510751744 Suggested-by: Marton Balint Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0aa2768cb275bda9e9e1331ed95adc7cd686eafe) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 368524e5cf..3759e02c7e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -721,6 +721,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i return AVERROR(EINVAL); buf_size = size + size / 2 + 1; + av_free(*str); *str = av_malloc(buf_size); if (!*str) return AVERROR(ENOMEM); From 3d888131d1892427e26a8fbb1eeb4758c8a30b33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:43:14 +0200 Subject: [PATCH 0924/1764] avformat/microdvddec: skip malformed lines without frame number. Fixes: signed integer overflow: 1 - -9223372036854775808 cannot be represented in type 'long' Fixes: 23490/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5133490093031424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a8fb7612a97530bdd0b2549dacf91dcf71a3187a) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index c2f1ac45cd..bf71c5e770 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -94,6 +94,7 @@ static int microdvd_read_header(AVFormatContext *s) int64_t pos = avio_tell(s->pb); int len = ff_get_line(s->pb, line_buf, sizeof(line_buf)); char *line = line_buf; + int64_t pts; if (!strncmp(line, bom, 3)) line += 3; @@ -134,11 +135,14 @@ static int microdvd_read_header(AVFormatContext *s) SKIP_FRAME_ID; if (!*p) continue; + pts = get_pts(line); + if (pts == AV_NOPTS_VALUE) + continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); if (!sub) return AVERROR(ENOMEM); sub->pos = pos; - sub->pts = get_pts(line); + sub->pts = pts; sub->duration = get_duration(line); } ff_subtitles_queue_finalize(s, µdvd->q); From 9953671609f7d7f4b3ae0d8152d814c5f74d141e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 23 Jun 2020 01:01:53 +0200 Subject: [PATCH 0925/1764] avformat/mvdec: Fix integer overflow with billions of channels Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int' Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b6fbbe08c325415cc784df296058beb6604f0b9c) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 025dfe52fb..b357ab1d45 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -260,7 +260,7 @@ static void read_index(AVIOContext *pb, AVStream *st) avio_skip(pb, 8); av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { - timestamp += size / (st->codecpar->channels * 2); + timestamp += size / (st->codecpar->channels * 2LL); } else { timestamp++; } @@ -347,7 +347,7 @@ static int mv_read_header(AVFormatContext *avctx) avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); - timestamp += asize / (ast->codecpar->channels * 2); + timestamp += asize / (ast->codecpar->channels * 2LL); } } else if (!version && avio_rb16(pb) == 3) { avio_skip(pb, 4); From f8f2629b4e0dc2b1bdf80e08f6af475992284105 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:10:19 +0200 Subject: [PATCH 0926/1764] avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms Fixes: signed integer overflow: 2048 + 2147483646 cannot be represented in type 'int' Fixes: 23538/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5227567073460224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 21598d711d894081d0566282473044ba4f378f33) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 7251bc0d32..2228eecd96 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -761,7 +761,8 @@ static void lms_update ## bits (WmallDecodeCtx *s, int ich, int ilms, int input) static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ int coef_begin, int coef_end) \ { \ - int icoef, pred, ilms, num_lms, residue, input; \ + int icoef, ilms, num_lms, residue, input; \ + unsigned pred;\ \ num_lms = s->cdlms_ttl[ch]; \ for (ilms = num_lms - 1; ilms >= 0; ilms--) { \ @@ -775,7 +776,7 @@ static void revert_cdlms ## bits (WmallDecodeCtx *s, int ch, \ s->cdlms[ch][ilms].recent, \ FFALIGN(s->cdlms[ch][ilms].order, ROUND), \ WMASIGN(residue)); \ - input = residue + (unsigned)(pred >> s->cdlms[ch][ilms].scaling); \ + input = residue + (unsigned)((int)pred >> s->cdlms[ch][ilms].scaling); \ lms_update ## bits(s, ch, ilms, input); \ s->channel_residues[ch][icoef] = input; \ } \ From 12c61c2fda31ee772823556230201e8a7b76ec46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jun 2020 00:21:09 +0200 Subject: [PATCH 0927/1764] avutil/common: Fix integer overflow in av_ceil_log2_c() Fixes: left shift of 1913647649 by 1 places cannot be represented in type 'int' Fixes: 23572/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5082619795734528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e409262837712016097c187e97bf99aadf6a4cdf) Signed-off-by: Michael Niedermayer --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 58ead80514..735a22221a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -307,7 +307,7 @@ static av_always_inline av_const double av_clipd_c(double a, double amin, double */ static av_always_inline av_const int av_ceil_log2_c(int x) { - return av_log2((x - 1) << 1); + return av_log2((x - 1U) << 1); } /** From bd09c9d46c70ef94d34c91f502326853d3f741ab Mon Sep 17 00:00:00 2001 From: Steven Liu Date: Fri, 29 May 2020 11:39:05 +0800 Subject: [PATCH 0928/1764] avformat/hls: check segment duration value of EXTINF fix ticket: 8673 set the default EXTINF duration to 1ms if duration is smaller than 1ms Signed-off-by: Steven Liu (cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc) --- libavformat/hls.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 786934af03..a4d840b780 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -810,8 +810,6 @@ static int parse_playlist(HLSContext *c, const char *url, ret = AVERROR(ENOMEM); goto fail; } - seg->duration = duration; - seg->key_type = key_type; if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { @@ -841,6 +839,13 @@ static int parse_playlist(HLSContext *c, const char *url, goto fail; } + if (duration < 0.001 * AV_TIME_BASE) { + av_log(c->ctx, AV_LOG_WARNING, "Cannot get correct #EXTINF value of segment %s," + " set to default value to 1ms.\n", seg->url); + duration = 0.001 * AV_TIME_BASE; + } + seg->duration = duration; + seg->key_type = key_type; dynarray_add(&pls->segments, &pls->n_segments, seg); is_segment = 0; From 21ce988f98f2399b8919a8a425d467da682a29a7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 29 Jun 2020 19:49:41 +0200 Subject: [PATCH 0929/1764] avformat/hls: Pass a copy of the URL for probing The segments / url can be modified by the io read when reloading This may be an alternative or additional fix for Ticket8673 as a further alternative the reload stuff could be disabled during probing Signed-off-by: Michael Niedermayer (cherry picked from commit b5e39880fb7269b1b3577cee288e06aa3dc1dfa2) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index a4d840b780..332d10f2ee 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1742,6 +1742,7 @@ static int hls_read_header(AVFormatContext *s) for (i = 0; i < c->n_playlists; i++) { struct playlist *pls = c->playlists[i]; AVInputFormat *in_fmt = NULL; + char *url; if (!(pls->ctx = avformat_alloc_context())) { ret = AVERROR(ENOMEM); @@ -1777,8 +1778,9 @@ static int hls_read_header(AVFormatContext *s) ffio_init_context(&pls->pb, pls->read_buffer, INITIAL_BUFFER_SIZE, 0, pls, read_data, NULL, NULL); pls->pb.seekable = 0; - ret = av_probe_input_buffer(&pls->pb, &in_fmt, pls->segments[0]->url, - NULL, 0, 0); + url = av_strdup(pls->segments[0]->url); + ret = av_probe_input_buffer(&pls->pb, &in_fmt, url, NULL, 0, 0); + av_free(url); if (ret < 0) { /* Free the ctx - it isn't initialized properly at this point, * so avformat_close_input shouldn't be called. If From 6674fb44f109ce022f5afa7092e156a95502194d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 Jun 2020 19:22:01 +0200 Subject: [PATCH 0930/1764] avcodec/pngdec: Check for fctl after idat Fixes: out of array access Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b1ba680fb67902a9c876a49d0146eaae5a1c3d) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 9d2c74d758..1196e1a010 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -970,6 +970,11 @@ static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } + if (s->pic_state & PNG_IDAT) { + av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n"); + return AVERROR_INVALIDDATA; + } + s->last_w = s->cur_w; s->last_h = s->cur_h; s->last_x_offset = s->x_offset; From 2a4edfd64c07d925770977693717ebd83183dd27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Jun 2020 12:24:04 +0200 Subject: [PATCH 0931/1764] avformat/utils: reorder duration computation to avoid overflow Fixes: signed integer overflow: 8 * 9223372036854774783 cannot be represented in type 'long' Fixes: 23381/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4818340509122560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10cc82c35baabbb07ffec3faccb04d8928c39e4c) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index c561c2089b..b72f23e422 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2707,7 +2707,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) st = ic->streams[i]; if ( st->time_base.num <= INT64_MAX / ic->bit_rate && st->duration == AV_NOPTS_VALUE) { - duration = av_rescale(8 * filesize, st->time_base.den, + duration = av_rescale(filesize, 8LL * st->time_base.den, ic->bit_rate * (int64_t) st->time_base.num); st->duration = duration; From 5b8e98c0d56703ea1adb8622389ff54df14b7db1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 1 Jul 2020 21:27:23 +0200 Subject: [PATCH 0932/1764] avcodec/dstdec: Replace AC overread check by sample rate check Real files do skip coding 0 bits at the end, thus this kind of check does not work reliable. Fixes: Ticket 8770 Fixes: dst-256fs44-6ch-refdstencoder.dff The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed values, this also can be used to limit the duration and avoid the timeout This reverts commit f6df99dba1ae64b05d08fba8160d13eb9795042f. (cherry picked from commit 1679f23beb3cfc3639352b3cbe7c08c00189c6b0) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index d8f80bd114..d7a82f34ec 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -85,6 +85,12 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } + // the sample rate is only allowed to be 64,128,256 * 44100 by ISO/IEC 14496-3:2005(E) + // We are a bit more tolerant here, but this check is needed to bound the size and duration + if (avctx->sample_rate > 512 * 44100) + return AVERROR_INVALIDDATA; + + if (DST_SAMPLES_PER_FRAME(avctx->sample_rate) & 7) { return AVERROR_PATCHWELCOME; } From 660c42ca19d849b19fd60d0622d0ea2cb17249f2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 25 Jun 2020 15:10:35 +0200 Subject: [PATCH 0933/1764] avcodec/bitstream: Don't check for undefined behaviour after it happened Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a) Signed-off-by: Andreas Rheinhardt --- libavcodec/bitstream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c index 32f3055a6f..de3acf0838 100644 --- a/libavcodec/bitstream.c +++ b/libavcodec/bitstream.c @@ -162,9 +162,9 @@ static int build_table(VLC *vlc, int table_nb_bits, int nb_codes, uint32_t code; volatile VLC_TYPE (* volatile table)[2]; // the double volatile is needed to prevent an internal compiler error in gcc 4.2 - table_size = 1 << table_nb_bits; if (table_nb_bits > 30) return -1; + table_size = 1 << table_nb_bits; table_index = alloc_table(vlc, table_size, flags & INIT_VLC_USE_NEW_STATIC); ff_dlog(NULL, "new table index=%d size=%d\n", table_index, table_size); if (table_index < 0) From 41a3aab5da52307afa3d6d28c17aae24ba7af101 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 15:48:31 +0200 Subject: [PATCH 0934/1764] libavformat/mov: Fix memleaks when demuxing DV audio The code for demuxing DV audio predates the introduction of refcounted packets and when the latter was added, changes to the former were forgotten. This meant that when avpriv_dv_produce_packet initialized the packet containing the AVBufferRef, the AVBufferRef as well as the underlying AVBuffer leaked; the actual packet data didn't leak: They were directly freed, but not via their AVBuffer's free function. https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2 contains samples for this (enable_drefs needs to be enabled for them). Moreover, errors in avpriv_dv_produce_packet were ignored; this has been changed, too. Furthermore, in the hypothetical scenario that the track has a palette, this would leak, too, so reorder the code so that the palette code appears after the DV audio code. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ac4d3ceb29..c8033edb48 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6647,6 +6647,19 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } return ret; } +#if CONFIG_DV_DEMUXER + if (mov->dv_demux && sc->dv_audio_container) { + AVBufferRef *buf = pkt->buf; + ret = avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); + pkt->buf = buf; + av_packet_unref(pkt); + if (ret < 0) + return ret; + ret = avpriv_dv_get_packet(mov->dv_demux, pkt); + if (ret < 0) + return ret; + } +#endif if (sc->has_palette) { uint8_t *pal; @@ -6658,16 +6671,6 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) sc->has_palette = 0; } } -#if CONFIG_DV_DEMUXER - if (mov->dv_demux && sc->dv_audio_container) { - avpriv_dv_produce_packet(mov->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); - av_freep(&pkt->data); - pkt->size = 0; - ret = avpriv_dv_get_packet(mov->dv_demux, pkt); - if (ret < 0) - return ret; - } -#endif if (st->codecpar->codec_id == AV_CODEC_ID_MP3 && !st->need_parsing && pkt->size > 4) { if (ff_mpa_check_header(AV_RB32(pkt->data)) < 0) st->need_parsing = AVSTREAM_PARSE_FULL; From 27660619016014ee64aec085608f1c8e79029fac Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 28 Jun 2020 11:15:39 +0800 Subject: [PATCH 0935/1764] avformat/mov: fix memleaks Fix two cases of memleaks: 1. The leak of dv_demux 2. The leak of dv_fctx upon dv_demux allocate failure Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c8033edb48..4da44b1bb9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6103,10 +6103,9 @@ static int mov_read_close(AVFormatContext *s) av_freep(&sc->coll); } - if (mov->dv_demux) { - avformat_free_context(mov->dv_fctx); - mov->dv_fctx = NULL; - } + av_freep(&mov->dv_demux); + avformat_free_context(mov->dv_fctx); + mov->dv_fctx = NULL; if (mov->meta_keys) { for (i = 1; i < mov->meta_keys_count; i++) { From 674cbe52e96d6367e26bc37a746701af5a374181 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:42 +0100 Subject: [PATCH 0936/1764] avformat/fitsdec: Fix potential leak of string in AVBPrint by freeing it a bit earlier. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit bb20f3dd730689c3a99f7820cff8b74b06992fff) Signed-off-by: Andreas Rheinhardt --- libavformat/fitsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index 4b288b3903..e5f152fd68 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c @@ -157,11 +157,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); while ((ret = is_image(s, fits, &header, &avbuf, &size)) == 0) { + av_bprint_finalize(&avbuf, NULL); pos = avio_skip(s->pb, size); if (pos < 0) return pos; - av_bprint_finalize(&avbuf, NULL); av_bprint_init(&avbuf, FITS_BLOCK_SIZE, AV_BPRINT_SIZE_UNLIMITED); avpriv_fits_header_init(&header, STATE_XTENSION); } From f078e402828674f25144c7202a2e7a84f50e7cfd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:48 +0100 Subject: [PATCH 0937/1764] avformat/wtvdec: Fix memleak when reading header fails Fixes #8314. Signed-off-by: Andreas Rheinhardt Reviewed-by: Peter Ross Signed-off-by: James Almer (cherry picked from commit 373c1c9b691fd4c6831b3a114a006b639304c2af) Signed-off-by: Andreas Rheinhardt --- libavformat/wtvdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 7300b9fd42..77737fa9e7 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -993,8 +993,10 @@ static int read_header(AVFormatContext *s) } ret = parse_chunks(s, SEEK_TO_DATA, 0, 0); - if (ret < 0) + if (ret < 0) { + wtvfile_close(wtv->pb); return ret; + } avio_seek(wtv->pb, -32, SEEK_CUR); timeline_pos = avio_tell(s->pb); // save before opening another file From 7d51f4d891cdd976d59da8db6ed34e10400d5569 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 8 Jan 2020 19:29:13 +0100 Subject: [PATCH 0938/1764] avcodec/proresenc_anatoliy: Fix invalid left shift of negative number This fixes ticket #7997 as well as the vsynth*-prores_# FATE-tests (where * ranges over { 1, 2, 3, _lena } and # over { , _int, _444, _444_int }). (Given that prev_dc is in the range -0xC000..0x3FFF, no overflow can happen upon multiplication with 2.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 198081efb7c7343349f0a7acc836f001c511e990) Signed-off-by: Andreas Rheinhardt --- libavcodec/proresenc_anatoliy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_anatoliy.c b/libavcodec/proresenc_anatoliy.c index 0516066163..eccfc5661d 100644 --- a/libavcodec/proresenc_anatoliy.c +++ b/libavcodec/proresenc_anatoliy.c @@ -183,7 +183,7 @@ static void encode_codeword(PutBitContext *pb, int val, int codebook) } #define QSCALE(qmat,ind,val) ((val) / ((qmat)[ind])) -#define TO_GOLOMB(val) (((val) << 1) ^ ((val) >> 31)) +#define TO_GOLOMB(val) (((val) * 2) ^ ((val) >> 31)) #define DIFF_SIGN(val, sign) (((val) >> 31) ^ (sign)) #define IS_NEGATIVE(val) ((((val) >> 31) ^ -1) + 1) #define TO_GOLOMB2(val,sign) ((val)==0 ? 0 : ((val) << 1) + (sign)) From 040a93fe0a6a80f63e935fea2ea97870fa3ed416 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 16:56:55 +0100 Subject: [PATCH 0939/1764] avcodec/adpcm: Fix undefined left shifts of negative numbers Affected the adpcm-afc, adpcm-ea-1, adpcm-ea-2, adpcm-ea-maxis-xa, adpcm-thp and ea-cdata FATE-tests. Also fixes ticket #8487. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 3ad8af51b7c0a968ac3fd62964780d4ff9136c5a) Signed-off-by: Andreas Rheinhardt --- libavcodec/adpcm.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 9c59e457c6..77474c204d 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -1197,8 +1197,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, for (count2 = 0; count2 < 28; count2++) { byte = bytestream2_get_byteu(&gb); - next_left_sample = sign_extend(byte >> 4, 4) << shift_left; - next_right_sample = sign_extend(byte, 4) << shift_right; + next_left_sample = sign_extend(byte >> 4, 4) * (1 << shift_left); + next_right_sample = sign_extend(byte, 4) * (1 << shift_right); next_left_sample = (next_left_sample + (current_left_sample * coeff1l) + @@ -1237,7 +1237,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, if (st) byte[1] = bytestream2_get_byteu(&gb); for(i = 4; i >= 0; i-=4) { /* Pairwise samples LL RR (st) or LL LL (mono) */ for(channel = 0; channel < avctx->channels; channel++) { - int sample = sign_extend(byte[channel] >> i, 4) << shift[channel]; + int sample = sign_extend(byte[channel] >> i, 4) * (1 << shift[channel]); sample = (sample + c->status[channel].sample1 * coeff[channel][0] + c->status[channel].sample2 * coeff[channel][1] + 0x80) >> 8; @@ -1352,11 +1352,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, int level, pred; int byte = bytestream2_get_byteu(&gb); - level = sign_extend(byte >> 4, 4) << shift[n]; + level = sign_extend(byte >> 4, 4) * (1 << shift[n]); pred = s[-1] * coeff[0][n] + s[-2] * coeff[1][n]; s[0] = av_clip_int16((level + pred + 0x80) >> 8); - level = sign_extend(byte, 4) << shift[n]; + level = sign_extend(byte, 4) * (1 << shift[n]); pred = s[0] * coeff[0][n] + s[-1] * coeff[1][n]; s[1] = av_clip_int16((level + pred + 0x80) >> 8); } @@ -1513,8 +1513,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, sampledat = sign_extend(byte >> 4, 4); } - sampledat = ((prev1 * factor1 + prev2 * factor2) + - ((sampledat * scale) << 11)) >> 11; + sampledat = ((prev1 * factor1 + prev2 * factor2) >> 11) + + sampledat * scale; *samples = av_clip_int16(sampledat); prev2 = prev1; prev1 = *samples++; @@ -1591,7 +1591,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } sampledat = ((c->status[ch].sample1 * factor1 - + c->status[ch].sample2 * factor2) >> 11) + (sampledat << exp); + + c->status[ch].sample2 * factor2) >> 11) + sampledat * (1 << exp); *samples = av_clip_int16(sampledat); c->status[ch].sample2 = c->status[ch].sample1; c->status[ch].sample1 = *samples++; From 30cf495505cf897eb25a89d0f915e49733e4c36b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 20 Jan 2020 20:20:42 +0100 Subject: [PATCH 0940/1764] avcodec/adxenc: Avoid undefined left shift of negative numbers Replace "((a << shift) + b) >> shift" by "a + (b >> shift)". This avoids a left shift which also happens to trigger undefined behaviour in case "a" is negative. This affected the FATE-tests acodec-adpcm-adx and acodec-adpcm-adx-trellis; it also fixes ticket #8008. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 59a9d65e0d790821f88527a82569f56eb2f8a9be) Signed-off-by: Andreas Rheinhardt --- libavcodec/adxenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/adxenc.c b/libavcodec/adxenc.c index f1ba5911b3..77f6bf0487 100644 --- a/libavcodec/adxenc.c +++ b/libavcodec/adxenc.c @@ -48,7 +48,7 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { s0 = wav[i]; - d = ((s0 << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = s0 + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); if (max < d) max = d; if (min > d) @@ -79,13 +79,13 @@ static void adx_encode(ADXContext *c, uint8_t *adx, const int16_t *wav, s1 = prev->s1; s2 = prev->s2; for (i = 0, j = 0; j < 32; i += channels, j++) { - d = ((wav[i] << COEFF_BITS) - c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS; + d = wav[i] + ((-c->coeff[0] * s1 - c->coeff[1] * s2) >> COEFF_BITS); d = av_clip_intp2(ROUNDED_DIV(d, scale), 3); put_sbits(&pb, 4, d); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = d * scale + ((c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS); s2 = s1; s1 = s0; } From 4374da638ec944b485ece1ecb15fd9f562cde1cb Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 22 Jan 2020 15:52:10 +0100 Subject: [PATCH 0941/1764] avcodec/ra144enc: Fix invalid left shift of negative number by replacing it with a multiplication. Said multiplication can't overflow an int32_t because lpc_coefs is limited to 16 bit precision. Fixes the FACE-test acodec-ra144 as well as part of #8217. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e3fb9af6f1353f30855eaa1cbd5befaf06e303b8) Signed-off-by: Andreas Rheinhardt --- libavcodec/ra144enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144enc.c b/libavcodec/ra144enc.c index cc4f381606..059f582334 100644 --- a/libavcodec/ra144enc.c +++ b/libavcodec/ra144enc.c @@ -477,8 +477,8 @@ static int ra144_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, LPC_ORDER, 16, lpc_coefs, shift, FF_LPC_TYPE_LEVINSON, 0, ORDER_METHOD_EST, 0, 12, 0); for (i = 0; i < LPC_ORDER; i++) - block_coefs[NBLOCKS - 1][i] = -(lpc_coefs[LPC_ORDER - 1][i] << - (12 - shift[LPC_ORDER - 1])); + block_coefs[NBLOCKS - 1][i] = -lpc_coefs[LPC_ORDER - 1][i] + * (1 << (12 - shift[LPC_ORDER - 1])); /** * TODO: apply perceptual weighting of the input speech through bandwidth From e66185eaeff1445074f6586cffa6e79c0e4fc9a3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 23 Jan 2020 17:08:27 +0100 Subject: [PATCH 0942/1764] avformat/matroskaenc: Check for reformatting errors This is needed especially for AV1: If a reformatting error happens (e.g. if the length field of an OBU contained in the current packet indicates that said OBU extends beyond the current packet), the data pointer is still NULL, yet the size is unchanged, so that writing the data leads to a segmentation fault. Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 58428bef4b2c053f47dce35157fb96833ba8efea) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 3073fd8f77..d8b36435b9 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2111,13 +2111,13 @@ fail: return ret; } -static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, - unsigned int blockid, AVPacket *pkt, int keyframe) +static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, + uint32_t blockid, AVPacket *pkt, int keyframe) { MatroskaMuxContext *mkv = s->priv_data; AVCodecParameters *par = s->streams[pkt->stream_index]->codecpar; uint8_t *data = NULL, *side_data = NULL; - int offset = 0, size = pkt->size, side_data_size = 0; + int err = 0, offset = 0, size = pkt->size, side_data_size = 0; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; uint64_t additional_id = 0; int64_t discard_padding = 0; @@ -2132,20 +2132,22 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, keyframe != 0); if (par->codec_id == AV_CODEC_ID_H264 && par->extradata_size > 0 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) - ff_avc_parse_nal_units_buf(pkt->data, &data, &size); + err = ff_avc_parse_nal_units_buf(pkt->data, &data, &size); else if (par->codec_id == AV_CODEC_ID_HEVC && par->extradata_size > 6 && (AV_RB24(par->extradata) == 1 || AV_RB32(par->extradata) == 1)) /* extradata is Annex B, assume the bitstream is too and convert it */ - ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); + err = ff_hevc_annexb2mp4_buf(pkt->data, &data, &size, 0, NULL); else if (par->codec_id == AV_CODEC_ID_WAVPACK) { - int ret = mkv_strip_wavpack(pkt->data, &data, &size); - if (ret < 0) { - av_log(s, AV_LOG_ERROR, "Error stripping a WavPack packet.\n"); - return; - } + err = mkv_strip_wavpack(pkt->data, &data, &size); } else data = pkt->data; + if (err < 0) { + av_log(s, AV_LOG_ERROR, "Error when reformatting data of " + "a packet from stream %d.\n", pkt->stream_index); + return err; + } + if (par->codec_id == AV_CODEC_ID_PRORES && size >= 8) { /* Matroska specification requires to remove the first QuickTime atom */ @@ -2210,6 +2212,8 @@ static void mkv_write_block(AVFormatContext *s, AVIOContext *pb, if ((side_data_size && additional_id == 1) || discard_padding) { end_ebml_master(pb, block_group); } + + return 0; } static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) @@ -2384,7 +2388,9 @@ static int mkv_write_packet_internal(AVFormatContext *s, AVPacket *pkt, int add_ relative_packet_pos = avio_tell(pb); if (par->codec_type != AVMEDIA_TYPE_SUBTITLE) { - mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + ret = mkv_write_block(s, pb, MATROSKA_ID_SIMPLEBLOCK, pkt, keyframe); + if (ret < 0) + return ret; if ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && (par->codec_type == AVMEDIA_TYPE_VIDEO && keyframe || add_cue)) { ret = mkv_add_cuepoint(mkv->cues, pkt->stream_index, dash_tracknum, ts, mkv->cluster_pos, relative_packet_pos, -1); if (ret < 0) return ret; From 826c92975129b8262abb9c5dd536320601c23f77 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 23 Jan 2020 17:08:29 +0100 Subject: [PATCH 0943/1764] avformat/hevc: Fix potential leak in case of ff_hevc_annexb2mp4_buf failure ff_hevc_annexb2mp4_buf() could indicate an error, yet leave cleaning after itself to the caller, so that a caller could not simply return the error, but had to free the buffer first. (Given that all current callers have set filter_ps = 0, this error can currently not be triggered.) Signed-off-by: Andreas Rheinhardt Signed-off-by: James Almer (cherry picked from commit 680cd59bb21c7bce92789ff885c018207b0b90bc) Signed-off-by: Andreas Rheinhardt --- libavformat/hevc.c | 6 ++++++ libavformat/hevc.h | 8 ++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 25898937a5..3b13c2e462 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -25,6 +25,7 @@ #include "libavutil/intreadwrite.h" #include "avc.h" #include "avio.h" +#include "avio_internal.h" #include "hevc.h" #define MAX_SPATIAL_SEGMENTATION 4096 // max. value of u(12) field @@ -1088,6 +1089,11 @@ int ff_hevc_annexb2mp4_buf(const uint8_t *buf_in, uint8_t **buf_out, return ret; ret = ff_hevc_annexb2mp4(pb, buf_in, *size, filter_ps, ps_count); + if (ret < 0) { + ffio_free_dyn_buf(&pb); + return ret; + } + *size = avio_close_dyn_buf(pb, buf_out); return ret; diff --git a/libavformat/hevc.h b/libavformat/hevc.h index 796eaf40b1..1e355cd34a 100644 --- a/libavformat/hevc.h +++ b/libavformat/hevc.h @@ -60,13 +60,13 @@ int ff_hevc_annexb2mp4(AVIOContext *pb, const uint8_t *buf_in, * If filter_ps is non-zero, any HEVC parameter sets found in the input will be * discarded, and *ps_count will be set to the number of discarded PS NAL units. * - * On output, *size holds the size (in bytes) of the output data buffer. + * On success, *size holds the size (in bytes) of the output data buffer. * * @param buf_in address of the buffer holding the input data * @param size address of the variable holding the size (in bytes) of the input - * buffer (on input) and of the output buffer (on output) - * @param buf_out address of the variable holding the address of the output - * buffer + * buffer (on input) and of the output buffer (on success) + * @param buf_out on success, address of the variable holding the address of + * the output buffer * @param filter_ps whether to write parameter set NAL units to the output (0) * or to discard them (non-zero) * @param ps_count address of the variable where the number of discarded From 0c104fc424808d8432dab3911b427eab76cbd737 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:00 +0200 Subject: [PATCH 0944/1764] avcodec/cavsdsp: Fix undefined left shifts of negative numbers Affected the ffmpeg-filter_colorkey FATE-test (but only if the C version of idct8_add is used and not e.g. the x86 SSE2 version). Signed-off-by: Andreas Rheinhardt Fixes: left shift of negative value -107 Fixes: 20398/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5725389278412800 Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0f2ab0c3b3d04e904db97b07ae829c72c91778) Signed-off-by: Andreas Rheinhardt --- libavcodec/cavsdsp.c | 48 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/libavcodec/cavsdsp.c b/libavcodec/cavsdsp.c index 90a67e910c..ba92121cc9 100644 --- a/libavcodec/cavsdsp.c +++ b/libavcodec/cavsdsp.c @@ -201,20 +201,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[0][0] += 8; for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[i][1] - (src[i][7]<<1); - const int a1 = 3*src[i][3] + (src[i][5]<<1); - const int a2 = (src[i][3]<<1) - 3*src[i][5]; - const int a3 = (src[i][1]<<1) + 3*src[i][7]; + const int a0 = 3 * src[i][1] - 2 * src[i][7]; + const int a1 = 3 * src[i][3] + 2 * src[i][5]; + const int a2 = 2 * src[i][3] - 3 * src[i][5]; + const int a3 = 2 * src[i][1] + 3 * src[i][7]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[i][2]<<2) - 10*src[i][6]; - const int a6 = (src[i][6]<<2) + 10*src[i][2]; - const int a5 = ((src[i][0] - src[i][4]) << 3) + 4; - const int a4 = ((src[i][0] + src[i][4]) << 3) + 4; + const int a7 = 4 * src[i][2] - 10 * src[i][6]; + const int a6 = 4 * src[i][6] + 10 * src[i][2]; + const int a5 = 8 * (src[i][0] - src[i][4]) + 4; + const int a4 = 8 * (src[i][0] + src[i][4]) + 4; const int b0 = a4 + a6; const int b1 = a5 + a7; @@ -231,20 +231,20 @@ static void cavs_idct8_add_c(uint8_t *dst, int16_t *block, ptrdiff_t stride) src[i][7] = (b0 - b4) >> 3; } for( i = 0; i < 8; i++ ) { - const int a0 = 3*src[1][i] - (src[7][i]<<1); - const int a1 = 3*src[3][i] + (src[5][i]<<1); - const int a2 = (src[3][i]<<1) - 3*src[5][i]; - const int a3 = (src[1][i]<<1) + 3*src[7][i]; + const int a0 = 3 * src[1][i] - 2 * src[7][i]; + const int a1 = 3 * src[3][i] + 2 * src[5][i]; + const int a2 = 2 * src[3][i] - 3 * src[5][i]; + const int a3 = 2 * src[1][i] + 3 * src[7][i]; - const int b4 = ((a0 + a1 + a3)<<1) + a1; - const int b5 = ((a0 - a1 + a2)<<1) + a0; - const int b6 = ((a3 - a2 - a1)<<1) + a3; - const int b7 = ((a0 - a2 - a3)<<1) - a2; + const int b4 = 2 * (a0 + a1 + a3) + a1; + const int b5 = 2 * (a0 - a1 + a2) + a0; + const int b6 = 2 * (a3 - a2 - a1) + a3; + const int b7 = 2 * (a0 - a2 - a3) - a2; - const int a7 = (src[2][i]<<2) - 10*src[6][i]; - const int a6 = (src[6][i]<<2) + 10*src[2][i]; - const int a5 = (src[0][i] - src[4][i]) << 3; - const int a4 = (src[0][i] + src[4][i]) << 3; + const int a7 = 4 * src[2][i] - 10 * src[6][i]; + const int a6 = 4 * src[6][i] + 10 * src[2][i]; + const int a5 = 8 * (src[0][i] - src[4][i]); + const int a4 = 8 * (src[0][i] + src[4][i]); const int b0 = a4 + a6; const int b1 = a5 + a7; From 4ed977bbe5b03e39a0f4218316063b4ec9732e21 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 7 Jan 2020 14:55:47 +0100 Subject: [PATCH 0945/1764] avformat/utils: Fix memleaks in avformat_open_input() A demuxer might have allocated memory while reading the header. If reading the header was successfull and an error happens before returning (e.g. when queueing the attached pictures), the read_close function would have never been called, so that all those allocations would leak. This commit changes this. Furthermore, there would be even more memleaks if the error level was set to AV_EF_EXPLODE in case there is both metadata and id3v2 metadata. This has been fixed, too. Signed-off-by: Andreas Rheinhardt Signed-off-by: Marton Balint (cherry picked from commit e2307f4ff197646a7feee0edbcdd2d3262932676) Signed-off-by: Andreas Rheinhardt --- libavformat/utils.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index b72f23e422..9ff6284dfb 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -604,24 +604,26 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, level = AV_LOG_ERROR; av_log(s, level, "Discarding ID3 tags because more suitable tags were found.\n"); av_dict_free(&s->internal->id3v2_meta); - if (s->error_recognition & AV_EF_EXPLODE) - return AVERROR_INVALIDDATA; + if (s->error_recognition & AV_EF_EXPLODE) { + ret = AVERROR_INVALIDDATA; + goto close; + } } if (id3v2_extra_meta) { if (!strcmp(s->iformat->name, "mp3") || !strcmp(s->iformat->name, "aac") || !strcmp(s->iformat->name, "tta")) { if ((ret = ff_id3v2_parse_apic(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; if ((ret = ff_id3v2_parse_chapters(s, &id3v2_extra_meta)) < 0) - goto fail; + goto close; } else av_log(s, AV_LOG_DEBUG, "demuxer does not support additional id3 data, skipping\n"); } ff_id3v2_free_extra_meta(&id3v2_extra_meta); if ((ret = avformat_queue_attached_pictures(s)) < 0) - goto fail; + goto close; if (!(s->flags&AVFMT_FLAG_PRIV_OPT) && s->pb && !s->internal->data_offset) s->internal->data_offset = avio_tell(s->pb); @@ -640,6 +642,9 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, *ps = s; return 0; +close: + if (s->iformat->read_close) + s->iformat->read_close(s); fail: ff_id3v2_free_extra_meta(&id3v2_extra_meta); av_dict_free(&tmp); From 94ca3a00c8b6d37f7b66f873041981506e95b6ea Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 26 Jan 2020 06:10:27 +0100 Subject: [PATCH 0946/1764] avformat/matroskaenc: Check BlockAdditional size before use Don't read a 64bit number before having checked that the data is at least 8 bytes long. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6e9cc964293bf1e0cca6a52b2938a20d711e4146) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index d8b36435b9..a52b38731f 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2169,9 +2169,13 @@ static int mkv_write_block(AVFormatContext *s, AVIOContext *pb, AV_PKT_DATA_MATROSKA_BLOCKADDITIONAL, &side_data_size); if (side_data) { - additional_id = AV_RB64(side_data); - side_data += 8; - side_data_size -= 8; + if (side_data_size < 8) { + side_data_size = 0; + } else { + additional_id = AV_RB64(side_data); + side_data += 8; + side_data_size -= 8; + } } if ((side_data_size && additional_id == 1) || discard_padding) { From d7fa4cadeaa5e2a33624a73fed1b10b79c75201b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 11:53:28 +0100 Subject: [PATCH 0947/1764] avformat/smoothstreaming: Fix memleaks on errors If an AVFormatContext could be allocated, but white-/blacklists couldn't be copied, the AVFormatContext would leak as it was only accessible through a local variable that goes out of scope when one goes to fail. Furthermore, in case writing a header of a submuxer failed, the options used for said call could leak. Both of these memleaks have been fixed. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit abbb466368c51285ca27d5e3959a16a9591e9a4c) Signed-off-by: Andreas Rheinhardt --- libavformat/smoothstreamingenc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/smoothstreamingenc.c b/libavformat/smoothstreamingenc.c index 54a1c49caa..0349d6297b 100644 --- a/libavformat/smoothstreamingenc.c +++ b/libavformat/smoothstreamingenc.c @@ -331,12 +331,11 @@ static int ism_write_header(AVFormatContext *s) goto fail; } - ctx = avformat_alloc_context(); + os->ctx = ctx = avformat_alloc_context(); if (!ctx || ff_copy_whiteblacklists(ctx, s) < 0) { ret = AVERROR(ENOMEM); goto fail; } - os->ctx = ctx; ctx->oformat = oformat; ctx->interrupt_callback = s->interrupt_callback; @@ -356,12 +355,13 @@ static int ism_write_header(AVFormatContext *s) av_dict_set_int(&opts, "ism_lookahead", c->lookahead_count, 0); av_dict_set(&opts, "movflags", "frag_custom", 0); - if ((ret = avformat_write_header(ctx, &opts)) < 0) { + ret = avformat_write_header(ctx, &opts); + av_dict_free(&opts); + if (ret < 0) { goto fail; } os->ctx_inited = 1; avio_flush(ctx->pb); - av_dict_free(&opts); s->streams[i]->time_base = st->time_base; if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { c->has_video = 1; From 97e0ff9793b82b2da827ac33b84b900c1ca1d35f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 03:57:32 +0100 Subject: [PATCH 0948/1764] avformat/bethsoftvid: Fix potential memleak upon reallocation failure The classical ptr = av_realloc(ptr, size), just with av_fast_realloc(). Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5acef1206144554a48f699b421e8d739e752d8ab) Signed-off-by: Andreas Rheinhardt --- libavformat/bethsoftvid.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index f516806d91..752e05236d 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c @@ -146,9 +146,13 @@ static int read_frame(BVID_DemuxContext *vid, AVIOContext *pb, AVPacket *pkt, } do{ - vidbuf_start = av_fast_realloc(vidbuf_start, &vidbuf_capacity, vidbuf_nbytes + BUFFER_PADDING_SIZE); - if(!vidbuf_start) - return AVERROR(ENOMEM); + uint8_t *tmp = av_fast_realloc(vidbuf_start, &vidbuf_capacity, + vidbuf_nbytes + BUFFER_PADDING_SIZE); + if (!tmp) { + ret = AVERROR(ENOMEM); + goto fail; + } + vidbuf_start = tmp; code = avio_r8(pb); vidbuf_start[vidbuf_nbytes++] = code; From d001c06f8223c7ccb41c6075949dd27de25fcf90 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 04:50:20 +0100 Subject: [PATCH 0949/1764] avformat/subtitles: Don't increment packet counter prematurely Do it only if the packet has been successfully allocated in av_new_packet() -- otherwise on error a completely uninitialized packet would be unreferenced later. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6bd8bcc2ac4c64577d964552317989e61db794d8) Signed-off-by: Andreas Rheinhardt --- libavformat/subtitles.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c index 1230e34d08..bbc4e3e356 100644 --- a/libavformat/subtitles.c +++ b/libavformat/subtitles.c @@ -132,9 +132,10 @@ AVPacket *ff_subtitles_queue_insert(FFDemuxSubtitlesQueue *q, if (!subs) return NULL; q->subs = subs; - sub = &subs[q->nb_subs++]; + sub = &subs[q->nb_subs]; if (av_new_packet(sub, len) < 0) return NULL; + q->nb_subs++; sub->flags |= AV_PKT_FLAG_KEY; sub->pts = sub->dts = 0; memcpy(sub->data, event, len); From 766b1b6a25866547cae77fee0f8a7c177787e460 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 21 Mar 2020 07:31:17 +0100 Subject: [PATCH 0950/1764] avformat/hnm: Check for extradata allocation failure and also add padding to it; moreover, don't use memcpy to write one byte to extradata. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9e0f3352d1f37a739d98df4347a2b60a396a56fe) Signed-off-by: Andreas Rheinhardt --- libavformat/hnm.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 24d4e808a5..9ad457ac83 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -70,6 +70,7 @@ static int hnm_read_header(AVFormatContext *s) Hnm4DemuxContext *hnm = s->priv_data; AVIOContext *pb = s->pb; AVStream *vst; + int ret; /* default context members */ hnm->pts = 0; @@ -113,10 +114,10 @@ static int hnm_read_header(AVFormatContext *s) vst->codecpar->codec_tag = 0; vst->codecpar->width = hnm->width; vst->codecpar->height = hnm->height; - vst->codecpar->extradata = av_mallocz(1); + if ((ret = ff_alloc_extradata(vst->codecpar, 1)) < 0) + return ret; - vst->codecpar->extradata_size = 1; - memcpy(vst->codecpar->extradata, &hnm->version, 1); + vst->codecpar->extradata[0] = hnm->version; vst->start_time = 0; From 9d1d4ba63ec6c9b04407c9abbecb1c3903e4f3ca Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 26 Dec 2019 04:17:24 +0100 Subject: [PATCH 0951/1764] avformat/matroskadec: Don't discard the upper 32bits of TrackNumber Signed-off-by: Andreas Rheinhardt (cherry picked from commit ba36a077342c01faa3f3deb841e8cdcc1379ea3d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1bcc47b107..92710440d8 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1319,7 +1319,7 @@ static int matroska_probe(AVProbeData *p) } static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, - int num) + uint64_t num) { MatroskaTrack *tracks = matroska->tracks.elem; int i; @@ -1328,7 +1328,7 @@ static MatroskaTrack *matroska_find_track_by_num(MatroskaDemuxContext *matroska, if (tracks[i].num == num) return &tracks[i]; - av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %d\n", num); + av_log(matroska->ctx, AV_LOG_ERROR, "Invalid track number %"PRIu64"\n", num); return NULL; } From f34d5ab876a952fcb878c3380371336f80daf45a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Dec 2019 21:21:59 +0100 Subject: [PATCH 0952/1764] avformat/webmdashenc: Fix memleak upon realloc failure The classical ptr = av_realloc(ptr, size). Reviewed-by: Paul B Mahol Signed-off-by: Andreas Rheinhardt (cherry picked from commit 418e468699868a0265f8b439beedf64bb643b088) Signed-off-by: Andreas Rheinhardt --- libavformat/webmdashenc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 26b8727304..14c3888b1e 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -489,11 +489,12 @@ static int parse_adaptation_sets(AVFormatContext *s) state = parsing_streams; } else if (state == parsing_streams) { struct AdaptationSet *as = &w->as[w->nb_as - 1]; + int ret = av_reallocp_array(&as->streams, ++as->nb_streams, + sizeof(*as->streams)); + if (ret < 0) + return ret; q = p; while (*q != '\0' && *q != ',' && *q != ' ') q++; - as->streams = av_realloc(as->streams, sizeof(*as->streams) * ++as->nb_streams); - if (as->streams == NULL) - return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); if (as->streams[as->nb_streams - 1] < 0 || as->streams[as->nb_streams - 1] >= s->nb_streams) { From c4c3d3bc1de75a112f84cfae319c3d30aa6d8a90 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 27 Mar 2020 08:31:29 +0100 Subject: [PATCH 0953/1764] avformat/avidec: Fix memleak with embedded GAB2 subtitles The code for GAB2 subtitles predates refcounting AVPackets. So in order to transfer the ownership of a packet's data pkt->data was simply stored and the packet zeroed; in the end (i.e. in the read_close-function) this data was then simply freed with av_freep(). This of course leads to a leak of an AVBufferRef and an AVBuffer. It has been fixed by keeping and eventually unreferencing the packet's buf instead. Additionally, the packet is now reset via av_packet_unref(). Signed-off-by: Andreas Rheinhardt (cherry picked from commit da44bbefaabeb2fdb58a03fe533a44aa150486fc) Signed-off-by: Andreas Rheinhardt --- libavformat/avidec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 962ea83f13..e644e8413f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -61,7 +61,7 @@ typedef struct AVIStream { AVFormatContext *sub_ctx; AVPacket sub_pkt; - uint8_t *sub_buffer; + AVBufferRef *sub_buffer; int64_t seek_pos; } AVIStream; @@ -1118,8 +1118,9 @@ static int read_gab2_sub(AVFormatContext *s, AVStream *st, AVPacket *pkt) time_base = ast->sub_ctx->streams[0]->time_base; avpriv_set_pts_info(st, 64, time_base.num, time_base.den); } - ast->sub_buffer = pkt->data; - memset(pkt, 0, sizeof(*pkt)); + ast->sub_buffer = pkt->buf; + pkt->buf = NULL; + av_packet_unref(pkt); return 1; error: @@ -1906,7 +1907,7 @@ static int avi_read_close(AVFormatContext *s) av_freep(&ast->sub_ctx->pb); avformat_close_input(&ast->sub_ctx); } - av_freep(&ast->sub_buffer); + av_buffer_unref(&ast->sub_buffer); av_packet_unref(&ast->sub_pkt); } } From a7e278e467600dcaec47dacb2e2fbfb56ac77505 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 30 Mar 2020 02:50:02 +0200 Subject: [PATCH 0954/1764] avformat/webmdashenc: Check codec types The WebM DASH Manifest muxer only supports VP8, VP9, Vorbis and Opus, but there was no check for this. The codec type is used to get a pointer to a string containing the codec name or NULL if it is not one of those four codecs. Said pointer has then been used without further checks as string for the %s conversion specifier in an avio_printf()) call which is undefined behaviour. This commit adds a check for the supported codec types. Signed-off-by: Andreas Rheinhardt (cherry picked from commit cbea58b2b35c6409e062c929f0b2ab763b8661eb) Signed-off-by: Andreas Rheinhardt --- libavformat/webmdashenc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 14c3888b1e..542410f26b 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -517,6 +517,14 @@ static int webm_dash_manifest_write_header(AVFormatContext *s) double start = 0.0; int ret; WebMDashMuxContext *w = s->priv_data; + + for (unsigned i = 0; i < s->nb_streams; i++) { + enum AVCodecID codec_id = s->streams[i]->codecpar->codec_id; + if (codec_id != AV_CODEC_ID_VP8 && codec_id != AV_CODEC_ID_VP9 && + codec_id != AV_CODEC_ID_VORBIS && codec_id != AV_CODEC_ID_OPUS) + return AVERROR(EINVAL); + } + ret = parse_adaptation_sets(s); if (ret < 0) { goto fail; From 32467cfc07026bd5cb124511f277c1f5502747da Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 15 Apr 2020 20:54:42 +0200 Subject: [PATCH 0955/1764] fftools/ffmpeg_opt: Check attachment filesize The data of an attachment file is put into an AVCodecParameter's extradata. The corresponding size field has type int, yet there was no check for the size to fit into an int. As a consequence, it was possible to create extradata with negative size (by using a big enough max_alloc). Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit systems) then the file size might be truncated before the allocation; and avio_read() takes an int, too, so one would not have read as much as one desired. Furthermore, the extradata is now padded as is required. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 889ad93c8839e5ac1ec28bc8e1fea6df71b9bf80) Signed-off-by: Andreas Rheinhardt --- fftools/ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 100fa76e46..9bce6fd4aa 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -2378,12 +2378,14 @@ loop_end: o->attachments[i]); exit_program(1); } - if (!(attachment = av_malloc(len))) { - av_log(NULL, AV_LOG_FATAL, "Attachment %s too large to fit into memory.\n", + if (len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE || + !(attachment = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE))) { + av_log(NULL, AV_LOG_FATAL, "Attachment %s too large.\n", o->attachments[i]); exit_program(1); } avio_read(pb, attachment, len); + memset(attachment + len, 0, AV_INPUT_BUFFER_PADDING_SIZE); ost = new_attachment_stream(o, oc, -1); ost->stream_copy = 0; From b7d11cc6e850225eab4c501211edbab57b9acef8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 27 Apr 2020 05:42:09 +0200 Subject: [PATCH 0956/1764] avformat/matroskaenc: Fix memleak upon encountering bogus chapter Signed-off-by: Andreas Rheinhardt (cherry picked from commit cb255b616cf1ebc6bc89b3538b6b7465dc2c526b) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index a52b38731f..697a946ce9 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1497,6 +1497,7 @@ static int mkv_write_chapters(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Invalid chapter start (%"PRId64") or end (%"PRId64").\n", chapterstart, chapterend); + ffio_free_dyn_buf(&dyn_cp); return AVERROR_INVALIDDATA; } From 6132ea3daf23fb03314f7fc00275f438a1cea07e Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 24 May 2020 03:14:00 +0200 Subject: [PATCH 0957/1764] avformat/aviobuf: Don't check for overflow after it happened If adding two ints overflows, it doesn't matter whether the result will be stored in an unsigned or not; and checking afterwards does not make it retroactively defined. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 28a078eded1c29985ed078b59d48ff59cf00394b) Signed-off-by: Andreas Rheinhardt --- libavformat/aviobuf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index c004e08bdf..2d31ab948f 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1231,7 +1231,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size) unsigned new_size, new_allocated_size; /* reallocate buffer if needed */ - new_size = d->pos + buf_size; + new_size = (unsigned)d->pos + buf_size; new_allocated_size = d->allocated_size; if (new_size < d->pos || new_size > INT_MAX/2) return -1; From 86a30618c9863df8470a9a955d19a37189ed9e65 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 4 Sep 2019 00:50:11 +0200 Subject: [PATCH 0958/1764] avformat/matroskadec: Fix handling gigantic durations matroska_parse_block currently asserts that the duration is not equal to AV_NOPTS_VALUE, but there is nothing that actually guarantees this. It is easy to create (spec-compliant) files which run into this assert; so replace it and instead cap the duration to INT64_MAX, as the duration field of an AVPacket is an int64_t. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3714d452b894821591a2fbafdd1b8ef15abe4be6) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 92710440d8..183b643a01 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3301,7 +3301,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, st = track->stream; if (st->discard >= AVDISCARD_ALL) return res; - av_assert1(block_duration != AV_NOPTS_VALUE); + if (block_duration > INT64_MAX) + block_duration = INT64_MAX; block_time = sign_extend(AV_RB16(data), 16); data += 2; From 9a72122a98046708724564a5e3ef2a2e7ac6d1e8 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 30 Aug 2019 15:18:29 +0200 Subject: [PATCH 0959/1764] avformat/matroskadec: Use right number of tracks When demuxing a Matroska/WebM file, streams are added for tracks and for attachments, so that the array containing the former can be NULL even when the corresponding AVFormatContext has streams. So check for there to be tracks in the MatroskaDemuxContext instead of just streams in the AVFormatContext before dereferencing the pointer to the tracks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 1ef30571a0a7150cb20c580bfc52af2a7101c20d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 183b643a01..b5dfe5bfbc 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3932,9 +3932,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) av_log(s, AV_LOG_ERROR, "Failed to read file headers\n"); return -1; } - if (!s->nb_streams) { + if (!matroska->tracks.nb_elem || !s->nb_streams) { matroska_read_close(s); - av_log(s, AV_LOG_ERROR, "No streams found\n"); + av_log(s, AV_LOG_ERROR, "No track found\n"); return AVERROR_INVALIDDATA; } From 7230f0986676b5df1488eb400b0cc2278e686345 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 13 Jun 2020 23:58:32 +0200 Subject: [PATCH 0960/1764] avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer In certain error scenarios, the underlying Matroska demuxer was not properly closed, causing leaks. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 0841063ce6a2e664fb3986b0a255c57392cd9f02) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskadec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index b5dfe5bfbc..117deb5713 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3933,14 +3933,17 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) return -1; } if (!matroska->tracks.nb_elem || !s->nb_streams) { - matroska_read_close(s); av_log(s, AV_LOG_ERROR, "No track found\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (!matroska->is_live) { buf = av_asprintf("%g", matroska->duration); - if (!buf) return AVERROR(ENOMEM); + if (!buf) { + ret = AVERROR(ENOMEM); + goto fail; + } av_dict_set(&s->streams[0]->metadata, DURATION, buf, 0); av_free(buf); @@ -3963,7 +3966,7 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) ret = webm_dash_manifest_cues(s, init_range); if (ret < 0) { av_log(s, AV_LOG_ERROR, "Error parsing Cues\n"); - return ret; + goto fail; } } @@ -3973,6 +3976,9 @@ static int webm_dash_manifest_read_header(AVFormatContext *s) matroska->bandwidth, 0); } return 0; +fail: + matroska_read_close(s); + return ret; } static int webm_dash_manifest_read_packet(AVFormatContext *s, AVPacket *pkt) From 2e68c8442f38e2d6f880daa3e509026b6a18265b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:24:55 +0200 Subject: [PATCH 0961/1764] avformat/omadec: Fix memleaks upon read_header failure Fixes possible leaks of id3v2 metadata as well as an AVDES struct in case the content is encrypted and an error happens lateron. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 3d3ba43bc68ca90fe72d0fc390c9e5f5c7de1513) Signed-off-by: Andreas Rheinhardt --- libavformat/omadec.c | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 423d52b3aa..e6e855eb67 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -79,6 +79,13 @@ typedef struct OMAContext { int (*read_packet)(AVFormatContext *s, AVPacket *pkt); } OMAContext; +static int oma_read_close(AVFormatContext *s) +{ + OMAContext *oc = s->priv_data; + av_freep(&oc->av_des); + return 0; +} + static void hex_log(AVFormatContext *s, int level, const char *name, const uint8_t *value, int len) { @@ -403,11 +410,14 @@ static int oma_read_header(AVFormatContext *s) } ret = avio_read(s->pb, buf, EA3_HEADER_SIZE); - if (ret < EA3_HEADER_SIZE) + if (ret < EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); return -1; + } if (memcmp(buf, ((const uint8_t[]){'E', 'A', '3'}), 3) || buf[4] != 0 || buf[5] != EA3_HEADER_SIZE) { + ff_id3v2_free_extra_meta(&extra_meta); av_log(s, AV_LOG_ERROR, "Couldn't find the EA3 header !\n"); return AVERROR_INVALIDDATA; } @@ -426,8 +436,10 @@ static int oma_read_header(AVFormatContext *s) codec_params = AV_RB24(&buf[33]); st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } st->start_time = 0; st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; @@ -442,7 +454,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (samplerate != 44100) avpriv_request_sample(s, "Sample rate %d", samplerate); @@ -459,8 +472,8 @@ static int oma_read_header(AVFormatContext *s) /* fake the ATRAC3 extradata * (wav format, makes stream copy to wav work) */ - if (ff_alloc_extradata(st->codecpar, 14)) - return AVERROR(ENOMEM); + if ((ret = ff_alloc_extradata(st->codecpar, 14)) < 0) + goto fail; edata = st->codecpar->extradata; AV_WL16(&edata[0], 1); // always 1 @@ -477,7 +490,8 @@ static int oma_read_header(AVFormatContext *s) if (!channel_id) { av_log(s, AV_LOG_ERROR, "Invalid ATRAC-X channel id: %"PRIu32"\n", channel_id); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->channel_layout = ff_oma_chid_to_native_layout[channel_id - 1]; st->codecpar->channels = ff_oma_chid_to_num_channels[channel_id - 1]; @@ -485,7 +499,8 @@ static int oma_read_header(AVFormatContext *s) samplerate = ff_oma_srate_tab[(codec_params >> 13) & 7] * 100; if (!samplerate) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->sample_rate = samplerate; st->codecpar->bit_rate = samplerate * framesize / (2048 / 8); @@ -525,12 +540,16 @@ static int oma_read_header(AVFormatContext *s) break; default: av_log(s, AV_LOG_ERROR, "Unsupported codec %d!\n", buf[32]); - return AVERROR(ENOSYS); + ret = AVERROR(ENOSYS); + goto fail; } st->codecpar->block_align = framesize; return 0; +fail: + oma_read_close(s); + return ret; } static int oma_read_packet(AVFormatContext *s, AVPacket *pkt) @@ -592,13 +611,6 @@ wipe: return err; } -static int oma_read_close(AVFormatContext *s) -{ - OMAContext *oc = s->priv_data; - av_free(oc->av_des); - return 0; -} - AVInputFormat ff_oma_demuxer = { .name = "oma", .long_name = NULL_IF_CONFIG_SMALL("Sony OpenMG audio"), From 9e404b60b17e1430aa587e2083bcd109f4fcff32 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 00:37:40 +0200 Subject: [PATCH 0962/1764] avformat/mov: Fix memleaks upon read_header failure By default, a demuxer's read_close function is not called automatically if an error happens when reading the header; instead it is up to the demuxer to clean up after itself in this case. The mov demuxer did this by calling its read_close function when it encountered some errors when reading the header. Yet for other errors (mostly adding side-data to streams) this has been forgotten, so that all the internal structures of the demuxer leak. This commit fixes this by making sure mov_read_close is called when necessary. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ac378c535be907ee383dafb430be7216a2920982) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4da44b1bb9..08c83c22f7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6305,14 +6305,13 @@ static int mov_read_header(AVFormatContext *s) avio_seek(pb, 0, SEEK_SET); if ((err = mov_read_default(mov, pb, atom)) < 0) { av_log(s, AV_LOG_ERROR, "error reading header\n"); - mov_read_close(s); - return err; + goto fail; } } while ((pb->seekable & AVIO_SEEKABLE_NORMAL) && !mov->found_moov && !mov->moov_retry++); if (!mov->found_moov) { av_log(s, AV_LOG_ERROR, "moov atom not found\n"); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } av_log(mov->fc, AV_LOG_TRACE, "on_parse_exit_offset=%"PRId64"\n", avio_tell(pb)); @@ -6365,7 +6364,7 @@ static int mov_read_header(AVFormatContext *s) } if (st->codecpar->codec_id == AV_CODEC_ID_DVD_SUBTITLE) { if ((err = mov_rewrite_dvd_sub_extradata(st)) < 0) - return err; + goto fail; } } if (mov->handbrake_version && @@ -6385,8 +6384,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / st->duration; } @@ -6401,8 +6400,8 @@ static int mov_read_header(AVFormatContext *s) if (sc->data_size > INT64_MAX / sc->time_scale / 8) { av_log(s, AV_LOG_ERROR, "Overflow during bit rate calculation %"PRId64" * 8 * %d\n", sc->data_size, sc->time_scale); - mov_read_close(s); - return AVERROR_INVALIDDATA; + err = AVERROR_INVALIDDATA; + goto fail; } st->codecpar->bit_rate = sc->data_size * 8 * sc->time_scale / sc->duration_for_fps; @@ -6426,8 +6425,7 @@ static int mov_read_header(AVFormatContext *s) case AVMEDIA_TYPE_AUDIO: err = ff_replaygain_export(st, s->metadata); if (err < 0) { - mov_read_close(s); - return err; + goto fail; } break; case AVMEDIA_TYPE_VIDEO: @@ -6435,7 +6433,7 @@ static int mov_read_header(AVFormatContext *s) err = av_stream_add_side_data(st, AV_PKT_DATA_DISPLAYMATRIX, (uint8_t*)sc->display_matrix, sizeof(int32_t) * 9); if (err < 0) - return err; + goto fail; sc->display_matrix = NULL; } @@ -6444,7 +6442,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->stereo3d, sizeof(*sc->stereo3d)); if (err < 0) - return err; + goto fail; sc->stereo3d = NULL; } @@ -6453,7 +6451,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->spherical, sc->spherical_size); if (err < 0) - return err; + goto fail; sc->spherical = NULL; } @@ -6462,7 +6460,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->mastering, sizeof(*sc->mastering)); if (err < 0) - return err; + goto fail; sc->mastering = NULL; } @@ -6471,7 +6469,7 @@ static int mov_read_header(AVFormatContext *s) (uint8_t *)sc->coll, sc->coll_size); if (err < 0) - return err; + goto fail; sc->coll = NULL; } @@ -6488,6 +6486,9 @@ static int mov_read_header(AVFormatContext *s) } return 0; +fail: + mov_read_close(s); + return err; } static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) From 58fd406e27fb8c6386830a9d6b4816b5019ac015 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:04:29 +0200 Subject: [PATCH 0963/1764] avformat/aqtitledec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a86a5d06d8967d01964833456df1df9fc186f125) Signed-off-by: Andreas Rheinhardt --- libavformat/aqtitledec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index f0e840b0f7..317547c4f4 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -81,11 +81,11 @@ static int aqt_read_header(AVFormatContext *s) if (!new_event) { sub = ff_subtitles_queue_insert(&aqt->q, "\n", 1, 1); if (!sub) - return AVERROR(ENOMEM); + goto fail; } sub = ff_subtitles_queue_insert(&aqt->q, line, strlen(line), !new_event); if (!sub) - return AVERROR(ENOMEM); + goto fail; if (new_event) { sub->pts = frame; sub->duration = -1; @@ -97,6 +97,9 @@ static int aqt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &aqt->q); return 0; +fail: + ff_subtitles_queue_clean(&aqt->q); + return AVERROR(ENOMEM); } static int aqt_read_packet(AVFormatContext *s, AVPacket *pkt) From 91016727dc9e2fbbfc6cb3622d090334d9a06f10 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:07:28 +0200 Subject: [PATCH 0964/1764] avformat/assdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or if creating the extradata failed. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 5ab39c2d8c1e5e00b48d758eee7d5ae435a99ef7) Signed-off-by: Andreas Rheinhardt --- libavformat/assdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/assdec.c b/libavformat/assdec.c index d89c14e5b8..3b580fc4d2 100644 --- a/libavformat/assdec.c +++ b/libavformat/assdec.c @@ -160,6 +160,8 @@ static int ass_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &ass->q); end: + if (res < 0) + ass_read_close(s); av_bprint_finalize(&header, NULL); av_bprint_finalize(&line, NULL); av_bprint_finalize(&rline, NULL); From bde71f0c9b6fdb218f9910e180e3ac362d6ac9ba Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:09:08 +0200 Subject: [PATCH 0965/1764] avformat/jacosubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c13a752733a9af955b032c55f704b748fe37dd19) Signed-off-by: Andreas Rheinhardt --- libavformat/jacosubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 520c435cc5..87dc649485 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -187,8 +187,10 @@ static int jacosub_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&jacosub->q, line, len, merge_line); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; merge_line = len > 1 && !strcmp(&line[len - 2], "\\\n"); continue; From 9b021e24f723a707c2bd90ca557cec8ac454386c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:12:00 +0200 Subject: [PATCH 0966/1764] avformat/lrcdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit d38694cea9f289b3f9dcce1a2f07746d029b35f3) Signed-off-by: Andreas Rheinhardt --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index f4e9a4efa9..45f0bf24a7 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -202,6 +202,7 @@ static int lrc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); if(!sub) { + ff_subtitles_queue_clean(&lrc->q); return AVERROR(ENOMEM); } sub->pos = pos; From a7309ecc325119623ee2807da194111da0eda2fd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:16:15 +0200 Subject: [PATCH 0967/1764] avformat/microdvddec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when allocating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit b12014a5b861959fd41a32ba3ff4cb139c56efcd) Signed-off-by: Andreas Rheinhardt --- libavformat/microdvddec.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index bf71c5e770..4ba32fd3d9 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -81,7 +81,7 @@ static int microdvd_read_header(AVFormatContext *s) AVRational pts_info = (AVRational){ 2997, 125 }; /* default: 23.976 fps */ MicroDVDContext *microdvd = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - int i = 0; + int i = 0, ret; char line_buf[MAX_LINESIZE]; int has_real_fps = 0; @@ -117,8 +117,10 @@ static int microdvd_read_header(AVFormatContext *s) } if (!st->codecpar->extradata && sscanf(line, "{DEFAULT}{}%c", &c) == 1) { st->codecpar->extradata = av_strdup(line + 11); - if (!st->codecpar->extradata) - return AVERROR(ENOMEM); + if (!st->codecpar->extradata) { + ret = AVERROR(ENOMEM); + goto fail; + } st->codecpar->extradata_size = strlen(st->codecpar->extradata) + 1; continue; } @@ -139,8 +141,10 @@ static int microdvd_read_header(AVFormatContext *s) if (pts == AV_NOPTS_VALUE) continue; sub = ff_subtitles_queue_insert(µdvd->q, p, strlen(p), 0); - if (!sub) - return AVERROR(ENOMEM); + if (!sub) { + ret = AVERROR(ENOMEM); + goto fail; + } sub->pos = pos; sub->pts = pts; sub->duration = get_duration(line); @@ -157,6 +161,9 @@ static int microdvd_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_MICRODVD; return 0; +fail: + ff_subtitles_queue_clean(µdvd->q); + return ret; } static int microdvd_read_packet(AVFormatContext *s, AVPacket *pkt) From 036c52f2d6b9f42e171b186cf2a038b8684d3f71 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:19:32 +0200 Subject: [PATCH 0968/1764] avformat/mpl2dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 331799747e7e995710f5dfc4d413cda35eb01289) Signed-off-by: Andreas Rheinhardt --- libavformat/mpl2dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpl2dec.c b/libavformat/mpl2dec.c index 0665c4c635..c25f85e0e3 100644 --- a/libavformat/mpl2dec.c +++ b/libavformat/mpl2dec.c @@ -111,8 +111,10 @@ static int mpl2_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&mpl2->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&mpl2->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From d3dab0886facea0800d7dbf6ba2082732d3c8f59 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:20:09 +0200 Subject: [PATCH 0969/1764] avformat/mpsubdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon creating an AVStream. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a5ed8aeea4f4199e89520c3fdbd9d07ae7fc3c3f) Signed-off-by: Andreas Rheinhardt --- libavformat/mpsubdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c index fc1731f26e..4e6e2cb09c 100644 --- a/libavformat/mpsubdec.c +++ b/libavformat/mpsubdec.c @@ -97,8 +97,10 @@ static int mpsub_read_header(AVFormatContext *s) } st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + res = AVERROR(ENOMEM); + goto end; + } avpriv_set_pts_info(st, 64, pts_info.den, pts_info.num); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; From 7b5f24a142286bd37ec7ada6ae6d20551217ba50 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:03 +0200 Subject: [PATCH 0970/1764] avformat/pjsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9df560e8986640e20c62286f0baee2a80540accd) Signed-off-by: Andreas Rheinhardt --- libavformat/pjsdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/pjsdec.c b/libavformat/pjsdec.c index 448962bf8a..b4ae1fa10f 100644 --- a/libavformat/pjsdec.c +++ b/libavformat/pjsdec.c @@ -94,8 +94,10 @@ static int pjs_read_header(AVFormatContext *s) p[strcspn(p, "\"")] = 0; sub = ff_subtitles_queue_insert(&pjs->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&pjs->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From 97e3d91f4d88c860e404d2fe72c7e5556f195265 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:21:46 +0200 Subject: [PATCH 0971/1764] avformat/samidec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle or when creating extradata. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb) Signed-off-by: Andreas Rheinhardt --- libavformat/samidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index 7ea1bdfdd9..678fac0e17 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -108,6 +108,8 @@ static int sami_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &sami->q); end: + if (res < 0) + ff_subtitles_queue_clean(&sami->q); av_bprint_finalize(&buf, NULL); return res; } From abf63fef43c86f75d87409a0732ae32f5dd6d76a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:22:32 +0200 Subject: [PATCH 0972/1764] avformat/sccdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275) Signed-off-by: Andreas Rheinhardt --- libavformat/sccdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sccdec.c b/libavformat/sccdec.c index 89d21b9c1f..371d2d9d13 100644 --- a/libavformat/sccdec.c +++ b/libavformat/sccdec.c @@ -132,7 +132,7 @@ static int scc_read_header(AVFormatContext *s) sub = ff_subtitles_queue_insert(&scc->q, out, i, 0); if (!sub) - return AVERROR(ENOMEM); + goto fail; sub->pos = pos; sub->pts = ts_start; @@ -144,6 +144,9 @@ static int scc_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &scc->q); return ret; +fail: + ff_subtitles_queue_clean(&scc->q); + return AVERROR(ENOMEM); } static int scc_read_packet(AVFormatContext *s, AVPacket *pkt) From 280f6bcddd956a3a4b37f5ef2b2ddb1a960f1f9a Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:23:27 +0200 Subject: [PATCH 0973/1764] avformat/srtdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390) Signed-off-by: Andreas Rheinhardt --- libavformat/srtdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/srtdec.c b/libavformat/srtdec.c index 56bd0c43f6..67b245a123 100644 --- a/libavformat/srtdec.c +++ b/libavformat/srtdec.c @@ -207,6 +207,8 @@ static int srt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &srt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&srt->q); av_bprint_finalize(&buf, NULL); return res; } From f596a7325536ebbd1c3737c266ff60b7c39eb9fa Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:24:23 +0200 Subject: [PATCH 0974/1764] avformat/stldec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f) Signed-off-by: Andreas Rheinhardt --- libavformat/stldec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/stldec.c b/libavformat/stldec.c index 35de49322c..87bf0724a9 100644 --- a/libavformat/stldec.c +++ b/libavformat/stldec.c @@ -97,8 +97,10 @@ static int stl_read_header(AVFormatContext *s) if (pts_start != AV_NOPTS_VALUE) { AVPacket *sub; sub = ff_subtitles_queue_insert(&stl->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&stl->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = duration; From db23ea60eff2721479daa5a47698af7001185656 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:26:40 +0200 Subject: [PATCH 0975/1764] avformat/subviewer1dec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewer1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/subviewer1dec.c b/libavformat/subviewer1dec.c index e579d1ca9a..90a430404b 100644 --- a/libavformat/subviewer1dec.c +++ b/libavformat/subviewer1dec.c @@ -77,8 +77,10 @@ static int subviewer1_read_header(AVFormatContext *s) sub->duration = pts_start - sub->pts; } else { sub = ff_subtitles_queue_insert(&subviewer1->q, line, len, 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&subviewer1->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From b429a8e13fc159b6166c7475ebf2646919b31a68 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:11 +0200 Subject: [PATCH 0976/1764] avformat/subviewerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit a708f652737eba08607df84394ca4bec6b458736) Signed-off-by: Andreas Rheinhardt --- libavformat/subviewerdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index af084f4856..e8d1eb6c96 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -156,6 +156,8 @@ static int subviewer_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &subviewer->q); end: + if (res < 0) + ff_subtitles_queue_clean(&subviewer->q); av_bprint_finalize(&header, NULL); return res; } From 2dcc447410509572a19242e43b89ce64244e9e4b Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:27:43 +0200 Subject: [PATCH 0977/1764] avformat/tedcaptionsdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if allocating the AVStream for the subtitles fails. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8) Signed-off-by: Andreas Rheinhardt --- libavformat/tedcaptionsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 774d4993b5..21d44c17f4 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -275,10 +275,13 @@ static int parse_file(AVIOContext *pb, FFDemuxSubtitlesQueue *subs) static av_cold int tedcaptions_read_header(AVFormatContext *avf) { TEDCaptionsDemuxer *tc = avf->priv_data; - AVStream *st; + AVStream *st = avformat_new_stream(avf, NULL); int ret, i; AVPacket *last; + if (!st) + return AVERROR(ENOMEM); + ret = parse_file(avf->pb, &tc->subs); if (ret < 0) { if (ret == AVERROR_INVALIDDATA) @@ -292,9 +295,6 @@ static av_cold int tedcaptions_read_header(AVFormatContext *avf) tc->subs.subs[i].pts += tc->start_time; last = &tc->subs.subs[tc->subs.nb_subs - 1]; - st = avformat_new_stream(avf, NULL); - if (!st) - return AVERROR(ENOMEM); st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_TEXT; avpriv_set_pts_info(st, 64, 1, 1000); From 1bd3683a4154c6f6d890e1e767e4f391dfc5a9ed Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:28:56 +0200 Subject: [PATCH 0978/1764] avformat/vplayerdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c) Signed-off-by: Andreas Rheinhardt --- libavformat/vplayerdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/vplayerdec.c b/libavformat/vplayerdec.c index 49943d0d0e..feee9af873 100644 --- a/libavformat/vplayerdec.c +++ b/libavformat/vplayerdec.c @@ -83,8 +83,10 @@ static int vplayer_read_header(AVFormatContext *s) AVPacket *sub; sub = ff_subtitles_queue_insert(&vplayer->q, p, strlen(p), 0); - if (!sub) + if (!sub) { + ff_subtitles_queue_clean(&vplayer->q); return AVERROR(ENOMEM); + } sub->pos = pos; sub->pts = pts_start; sub->duration = -1; From 5b4b24b4c0b8b241d69e4b728ce905894e4c4a27 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:29:17 +0200 Subject: [PATCH 0979/1764] avformat/webvttdec: Fix memleak upon read header failure The already parsed subtitles (contained in an FFDemuxSubtitlesQueue) would leak if an error happened upon reading a subsequent subtitle. Signed-off-by: Andreas Rheinhardt (cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31) Signed-off-by: Andreas Rheinhardt --- libavformat/webvttdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/webvttdec.c b/libavformat/webvttdec.c index 0aeb8a63f4..8e9c562683 100644 --- a/libavformat/webvttdec.c +++ b/libavformat/webvttdec.c @@ -165,6 +165,8 @@ static int webvtt_read_header(AVFormatContext *s) ff_subtitles_queue_finalize(s, &webvtt->q); end: + if (res < 0) + ff_subtitles_queue_clean(&webvtt->q); av_bprint_finalize(&cue, NULL); av_bprint_finalize(&header, NULL); return res; From 961f21ffbadbe9a55f5c4c11946832ec19625ffd Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 03:35:41 +0200 Subject: [PATCH 0980/1764] avformat/matroskaenc: Don't use NULL for %s format string The argument pertaining to a printf %s conversion specifier must not be NULL, even if the precision (i.e. the number of characters to write) is zero. If it is NULL, it is undefined behaviour. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d) Signed-off-by: Andreas Rheinhardt --- libavformat/matroskaenc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 697a946ce9..64a114b83e 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -2226,17 +2226,19 @@ static int mkv_write_vtt_blocks(AVFormatContext *s, AVIOContext *pb, AVPacket *p MatroskaMuxContext *mkv = s->priv_data; ebml_master blockgroup; int id_size, settings_size, size; - uint8_t *id, *settings; + const char *id, *settings; int64_t ts = mkv->tracks[pkt->stream_index].write_dts ? pkt->dts : pkt->pts; const int flags = 0; id_size = 0; id = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_IDENTIFIER, &id_size); + id = id ? id : ""; settings_size = 0; settings = av_packet_get_side_data(pkt, AV_PKT_DATA_WEBVTT_SETTINGS, &settings_size); + settings = settings ? settings : ""; size = id_size + 1 + settings_size + 1 + pkt->size; From 62cf20e0eb902006ab2604057f68481b4ca8e58f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 09:19:38 +0200 Subject: [PATCH 0981/1764] avformat/mov: Fix memleak upon encountering repeating tags mov_read_custom tries to read three strings belonging to three different tags. When an already encountered tag is encountered again, a new buffer for the string to be read is allocated and stored in the pointer destined for this particular tag. But in this scenario, said pointer already holds the address of the string read earlier, leading to a leak. This commit therefore aborts the reading process upon encountering an already encountered tag. Signed-off-by: Andreas Rheinhardt (cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 08c83c22f7..f0fbb6d421 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4033,6 +4033,9 @@ static int mov_read_custom(MOVContext *c, AVIOContext *pb, MOVAtom atom) } else break; + if (*p) + break; + *p = av_malloc(len + 1); if (!*p) break; From d925a11a80638d95abee0d290312a6beb943a001 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 14 Jun 2020 20:54:46 +0200 Subject: [PATCH 0982/1764] avformat/mov: Fix reel_name size check Only read str_size bytes from offset 30 of extradata if the extradata is indeed at least 30 + str_size bytes long. Signed-off-by: Andreas Rheinhardt (cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110) Signed-off-by: Andreas Rheinhardt --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f0fbb6d421..407d801775 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2135,7 +2135,7 @@ FF_ENABLE_DEPRECATION_WARNINGS uint32_t format = AV_RB32(st->codecpar->extradata + 22); if (format == AV_RB32("name") && (int64_t)size >= (int64_t)len + 18) { uint16_t str_size = AV_RB16(st->codecpar->extradata + 26); /* string length */ - if (str_size > 0 && size >= (int)str_size + 26) { + if (str_size > 0 && size >= (int)str_size + 30) { char *reel_name = av_malloc(str_size + 1); if (!reel_name) return AVERROR(ENOMEM); From 00e52eff6553c4eb8cd8ae91954552936123d51c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 16 Sep 2019 17:55:01 +0200 Subject: [PATCH 0983/1764] fftools/ffmpeg_opt: Fix signed integer overflow Fixes ticket #8154. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2b1fcba8ddcb7d29299ea28403fb597640a7288b) Signed-off-by: Andreas Rheinhardt --- fftools/ffmpeg_opt.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index 9bce6fd4aa..dcfaa06926 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -1,3 +1,4 @@ + /* * ffmpeg option parsing * @@ -2777,13 +2778,14 @@ static int opt_target(void *optctx, const char *opt, const char *arg) } else { /* Try to determine PAL/NTSC by peeking in the input files */ if (nb_input_files) { - int i, j, fr; + int i, j; for (j = 0; j < nb_input_files; j++) { for (i = 0; i < input_files[j]->nb_streams; i++) { AVStream *st = input_files[j]->ctx->streams[i]; + int64_t fr; if (st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) continue; - fr = st->time_base.den * 1000 / st->time_base.num; + fr = st->time_base.den * 1000LL / st->time_base.num; if (fr == 25000) { norm = PAL; break; From aed40628d4e846f294147a7e0035f57e0b4908a5 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:59 +0200 Subject: [PATCH 0984/1764] avcodec/tdsc: Fix undefined shifts Fixes the tdsc FATE-test. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 86bef10e7aee338a4df60c57904c16e33509e76e) Signed-off-by: Andreas Rheinhardt --- libavcodec/tdsc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index 4182404cf0..e9ea41ef55 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -187,7 +187,7 @@ static void tdsc_paint_cursor(AVCodecContext *avctx, uint8_t *dst, int stride) static int tdsc_load_cursor(AVCodecContext *avctx) { TDSCContext *ctx = avctx->priv_data; - int i, j, k, ret, bits, cursor_fmt; + int i, j, k, ret, cursor_fmt; uint8_t *dst; ctx->cursor_hot_x = bytestream2_get_le16(&ctx->gbc); @@ -231,7 +231,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) case CUR_FMT_MONO: for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { dst[0] = !!(bits & 0x80000000); dst += 4; @@ -244,7 +244,7 @@ static int tdsc_load_cursor(AVCodecContext *avctx) dst = ctx->cursor; for (j = 0; j < ctx->cursor_h; j++) { for (i = 0; i < ctx->cursor_w; i += 32) { - bits = bytestream2_get_be32(&ctx->gbc); + uint32_t bits = bytestream2_get_be32(&ctx->gbc); for (k = 0; k < 32; k++) { int mask_bit = !!(bits & 0x80000000); switch (dst[0] * 2 + mask_bit) { From d4824eec3b45ad817ed0a3dc48009f56d4465c51 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:06 +0200 Subject: [PATCH 0985/1764] avcodec/ac3enc: Fix invalid shift Fixes the FATE-tests unknown_layout-ac3, ac3-fixed-encode, ac3-encode and eac3-encode. It furthermore fixes the ac3-encoder bugs mentioned in tickets #7994, #8144 and #8159. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 2f289ec914cc7e8133858d4f9e8d91dab685ae44) Signed-off-by: Andreas Rheinhardt --- libavcodec/ac3enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c index 636ca72050..032881724b 100644 --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c @@ -1065,7 +1065,7 @@ static int bit_alloc(AC3EncodeContext *s, int snr_offset) { int blk, ch; - snr_offset = (snr_offset - 240) << 2; + snr_offset = (snr_offset - 240) * 4; reset_block_bap(s); for (blk = 0; blk < s->num_blocks; blk++) { From 7a6c286d1f51e64c6b092c21c588086be92e7667 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:16:58 +0200 Subject: [PATCH 0986/1764] avcodec/wavpackenc: Fix undefined shifts Fixes ticket #8161 and the acodec-wavpack FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 84974c6fb542cf019904016c2165d9a62db9f312) Signed-off-by: Andreas Rheinhardt --- libavcodec/wavpackenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index 979b92165b..bc896f15e5 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -529,9 +529,9 @@ static int8_t store_weight(int weight) static int restore_weight(int8_t weight) { - int result; + int result = 8 * weight; - if ((result = (int) weight << 3) > 0) + if (result > 0) result += (result + 64) >> 7; return result; @@ -2571,7 +2571,7 @@ static int wavpack_encode_block(WavPackEncodeContext *s, ret = wv_mono(s, samples_l, !s->num_terms, 1); } else { for (i = 0; i < nb_samples; i++) - crc += (crc << 3) + (samples_l[i] << 1) + samples_l[i] + samples_r[i]; + crc += (crc << 3) + ((uint32_t)samples_l[i] << 1) + samples_l[i] + samples_r[i]; if (s->num_passes) ret = wv_stereo(s, samples_l, samples_r, !s->num_terms, 1); From 8c49f5715cef85a71df2d97563e9ffe658b226be Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:01 +0200 Subject: [PATCH 0987/1764] avcodec/pcm: Fix undefined shifts Fixes the acodec-pcm-u16[lb]e FATE-tests. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 69473bec6f38fefc9a433d95f8e00de101299592) Signed-off-by: Andreas Rheinhardt --- libavcodec/pcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pcm.c b/libavcodec/pcm.c index f987f03c00..c2791c2e9a 100644 --- a/libavcodec/pcm.c +++ b/libavcodec/pcm.c @@ -293,7 +293,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) #define DECODE(size, endian, src, dst, n, shift, offset) \ for (; n > 0; n--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ## _t)(v - offset) << shift); \ dst += size / 8; \ } @@ -304,7 +304,7 @@ static av_cold int pcm_decode_close(AVCodecContext *avctx) dst = frame->extended_data[c]; \ for (i = n; i > 0; i--) { \ uint ## size ## _t v = bytestream_get_ ## endian(&src); \ - AV_WN ## size ## A(dst, (v - offset) << shift); \ + AV_WN ## size ## A(dst, (uint ## size ##_t)(v - offset) << shift); \ dst += size / 8; \ } \ } From e1577085a91f8517bc97b61bd670ef4c7e920923 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 20 Sep 2019 00:17:03 +0200 Subject: [PATCH 0988/1764] avformat/movenc: Fix undefined shift Fixes the movenc FATE-test. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 646799b42fd59ee79920e472795bf881b78bb5ce) Signed-off-by: Andreas Rheinhardt --- libavformat/movenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index b57778bd4f..9fbfd9645c 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -4292,7 +4292,8 @@ static int mov_write_sidx_tag(AVIOContext *pb, { int64_t pos = avio_tell(pb), offset_pos, end_pos; int64_t presentation_time, duration, offset; - int starts_with_SAP, i, entries; + unsigned starts_with_SAP; + int i, entries; if (track->entry) { entries = 1; From 00d98fa0579657ebc1b56f3d290489724c430d28 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 25 Sep 2019 00:03:07 +0200 Subject: [PATCH 0989/1764] avcodec/exr: Fix undefined left shifts of negative numbers Affected the FATE-tests exr-rgb-scanline-pxr24-half-uint32-13x9 and exr-rgb-scanline-pxr24-uint32. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 8b0f949906116c40b6f1e55a1bce4447ada3219c) Signed-off-by: Andreas Rheinhardt --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 7c3e3dc6f6..89966a8b61 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -881,7 +881,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, in = ptr[3] + s->xdelta; for (j = 0; j < s->xdelta; ++j) { - uint32_t diff = (*(ptr[0]++) << 24) | + uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8 ) | (*(ptr[3]++)); From 9ed82df0f3b19a1cc22349c4722b604b54eecb7d Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:58 +0200 Subject: [PATCH 0990/1764] swscale/x86/swscale: Fix undefined left shifts of negative numbers This affected many FATE-tests: The number of failing tests went down from 663 to 344. (Both numbers exclude tests that failed because of unaligned accesses in code that is inside #if HAVE_FAST_UNALIGNED.) Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 736c7c20e7819811dc59f43490563789b192eb6e) Signed-off-by: Andreas Rheinhardt --- libswscale/x86/swscale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/x86/swscale.c b/libswscale/x86/swscale.c index 869e7fb176..1c452941c7 100644 --- a/libswscale/x86/swscale.c +++ b/libswscale/x86/swscale.c @@ -160,7 +160,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&lumMmxFilter[s*i+APCK_PTR2/4 ]= lumSrcPtr[i+(vLumFilterSize>1)]; lumMmxFilter[s*i+APCK_COEF/4 ]= lumMmxFilter[s*i+APCK_COEF/4+1]= vLumFilter[dstY*vLumFilterSize + i ] - + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1]<<16 : 0); + + (vLumFilterSize>1 ? vLumFilter[dstY*vLumFilterSize + i + 1] * (1 << 16) : 0); if (CONFIG_SWSCALE_ALPHA && hasAlpha) { *(const void**)&alpMmxFilter[s*i ]= alpSrcPtr[i ]; *(const void**)&alpMmxFilter[s*i+APCK_PTR2/4 ]= alpSrcPtr[i+(vLumFilterSize>1)]; @@ -173,7 +173,7 @@ void ff_updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrB *(const void**)&chrMmxFilter[s*i+APCK_PTR2/4 ]= chrUSrcPtr[i+(vChrFilterSize>1)]; chrMmxFilter[s*i+APCK_COEF/4 ]= chrMmxFilter[s*i+APCK_COEF/4+1]= vChrFilter[chrDstY*vChrFilterSize + i ] - + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1]<<16 : 0); + + (vChrFilterSize>1 ? vChrFilter[chrDstY*vChrFilterSize + i + 1] * (1 << 16) : 0); } } else { for (i=0; i Date: Sat, 28 Sep 2019 04:26:02 +0200 Subject: [PATCH 0991/1764] swscale/utils: Fix invalid left shifts of negative numbers Affected the FATE-tests vsynth_lena-dv-411, vsynth1-dv-411, vsynth2-dv-411 and hevc-paramchange-yuv420p.yuv420p10. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit e2646e23be69bdef1e41d4decee1a4298701b8d1) Signed-off-by: Andreas Rheinhardt --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index dcab707de6..1786b937b4 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -380,7 +380,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, (*filterPos)[i] = xx; // bilinear upscale / linear interpolate / area averaging for (j = 0; j < filterSize; j++) { - int64_t coeff= fone - FFABS(((int64_t)xx<<16) - xDstInSrc)*(fone>>16); + int64_t coeff = fone - FFABS((int64_t)xx * (1 << 16) - xDstInSrc) * (fone >> 16); if (coeff < 0) coeff = 0; filter[i * filterSize + j] = coeff; From d9ceecc51f8779e340d51321cffceef53262bf11 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:06 +0200 Subject: [PATCH 0992/1764] avcodec/dnxhdenc: Fix undefined left shifts of negative numbers Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit b7f156e8cbdf3256c7860c62ebb7a6c3002cbb03) Signed-off-by: Andreas Rheinhardt --- libavcodec/dnxhdenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dnxhdenc.c b/libavcodec/dnxhdenc.c index 0d80381a2d..4daca1cbc4 100644 --- a/libavcodec/dnxhdenc.c +++ b/libavcodec/dnxhdenc.c @@ -220,7 +220,7 @@ static av_cold int dnxhd_init_vlc(DNXHDEncContext *ctx) ctx->vlc_bits += max_level * 2; for (level = -max_level; level < max_level; level++) { for (run = 0; run < 2; run++) { - int index = (level << 1) | run; + int index = level * (1 << 1) | run; int sign, offset = 0, alevel = level; MASK_ABS(sign, alevel); @@ -616,7 +616,7 @@ void dnxhd_encode_block(DNXHDEncContext *ctx, int16_t *block, slevel = block[j]; if (slevel) { int run_level = i - last_non_zero - 1; - int rlevel = (slevel << 1) | !!run_level; + int rlevel = slevel * (1 << 1) | !!run_level; put_bits(&ctx->m.pb, ctx->vlc_bits[rlevel], ctx->vlc_codes[rlevel]); if (run_level) put_bits(&ctx->m.pb, ctx->run_bits[run_level], @@ -696,7 +696,7 @@ int dnxhd_calc_ac_bits(DNXHDEncContext *ctx, int16_t *block, int last_index) level = block[j]; if (level) { int run_level = i - last_non_zero - 1; - bits += ctx->vlc_bits[(level << 1) | + bits += ctx->vlc_bits[level * (1 << 1) | !!run_level] + ctx->run_bits[run_level]; last_non_zero = i; } From 2faaf92e3fc878ef9641ca2d44b4e8316ccfe1c6 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:07 +0200 Subject: [PATCH 0993/1764] avcodec/ituh263dec: Fix undefined left shift of negative number Fixes ticket #8160. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 324487b596fbcda0a5753c7bb7b2e96e9d512479) Signed-off-by: Andreas Rheinhardt --- libavcodec/ituh263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index dc8e7879db..cd578cb0c7 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -1271,7 +1271,7 @@ int ff_h263_decode_picture_header(MpegEncContext *s) for(i=0; i<13; i++){ for(j=0; j<3; j++){ int v= get_bits(&s->gb, 8); - v |= get_sbits(&s->gb, 8)<<8; + v |= get_sbits(&s->gb, 8) * (1 << 8); av_log(s->avctx, AV_LOG_DEBUG, " %5d", v); } av_log(s->avctx, AV_LOG_DEBUG, "\n"); From 5367c91e021d5c790f41a8f071d60806bd1007f3 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:26:10 +0200 Subject: [PATCH 0994/1764] avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests (where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5cf593adcd79a7c9502dc2725e1f0681ada36aef) Signed-off-by: Andreas Rheinhardt --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index badf0f8cd0..f418454ee9 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -255,7 +255,7 @@ static void dwt_encode97_int(DWTContext *s, int *t) line += 5; for (i = 0; i < w * h; i++) - t[i] <<= I_PRESHIFT; + t[i] *= 1 << I_PRESHIFT; for (lev = s->ndeclevels-1; lev >= 0; lev--){ int lh = s->linelen[lev][0], From 9eeef68b50c22b5b4c64a62cca21caa852282895 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:57 +0200 Subject: [PATCH 0995/1764] avfilter/vf_hqx: Fix undefined left shifts of negative numbers Affected every usage of this filter; in particular, it affected the FATE-tests filter-2xbr, filter-3xbr and filter-4xbr. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fa211943265ca991548a4cc2f85a6df9cedcd092) Signed-off-by: Andreas Rheinhardt --- libavfilter/vf_hqx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_hqx.c b/libavfilter/vf_hqx.c index 16a1be7bd4..4f768c7a13 100644 --- a/libavfilter/vf_hqx.c +++ b/libavfilter/vf_hqx.c @@ -523,7 +523,7 @@ static av_cold int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { hqx->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; From 59b73dc1f386ac8f3582e0b7cbb91e22c41f9f24 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 28 Sep 2019 04:25:56 +0200 Subject: [PATCH 0996/1764] avfilter/vf_xbr: Fix left shift of negative number Affected every usage of vf_xbr, e.g. the FATE-tests filter-2xbr, filter-3xbr, filter-4xbr. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4294dc3589a3ab973b10a85b576ff15e3ffb000d) Signed-off-by: Andreas Rheinhardt --- libavfilter/vf_xbr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_xbr.c b/libavfilter/vf_xbr.c index 78094e0287..5a6dcc4dba 100644 --- a/libavfilter/vf_xbr.c +++ b/libavfilter/vf_xbr.c @@ -395,7 +395,7 @@ static int init(AVFilterContext *ctx) int startg = FFMAX3(-bg, -rg, 0); int endg = FFMIN3(255-bg, 255-rg, 255); uint32_t y = (uint32_t)(( 299*rg + 1000*startg + 114*bg)/1000); - c = bg + (rg<<16) + 0x010101 * startg; + c = bg + rg * (1 << 16) + 0x010101 * startg; for (g = startg; g <= endg; g++) { s->rgbtoyuv[c] = ((y++) << 16) + (u << 8) + v; c+= 0x010101; From ec43a80774d2763228c4c0f1fc79e3ff7a8fc537 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 24 Oct 2019 15:36:35 +0200 Subject: [PATCH 0997/1764] fftools/ffmpeg: Free swresample dictionary during cleanup Freeing this was forgotten in ad899522. Fixes #8315 and #8316. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6f2a3958cfac135c60b509a61a4fd39432d8f9a9) Signed-off-by: Andreas Rheinhardt --- fftools/ffmpeg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index 1706fd0d75..b07c086aa2 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -553,6 +553,7 @@ static void ffmpeg_cleanup(int ret) ost->audio_channels_mapped = 0; av_dict_free(&ost->sws_dict); + av_dict_free(&ost->swr_opts); avcodec_free_context(&ost->enc_ctx); avcodec_parameters_free(&ost->ref_par); From d6d41db435b0b86351824cad920580d8461794bc Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sun, 15 Sep 2019 22:01:20 +0200 Subject: [PATCH 0998/1764] avcodec/ttaenc: Fix undefined shift MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ttaenc contained (1 << unary) - 1 as an argument for a function expecting an unsigned int. unary can be as big as 31 in this case. The type of the shift and the whole expression is int, because 1 fits into an integer, so that the behaviour is undefined if unary == 31 as the result of the shift can't be represented in an int §. Subtraction by 1 (which makes the result of the whole expression representable in an int) doesn't change that this is undefined (it usually leads to signed integer overflow which is undefined, too). The solution is simple: Make 1 unsigned to change the type of the whole expression to unsigned int (as the function expects anyway). Fixes ticket #8153. §: This of course presupposes the common int range of -2^31..2^31-1 Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3ab488a5407f833ecc66e8fa4c537dc4852db720) Signed-off-by: Andreas Rheinhardt --- libavcodec/ttaenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ttaenc.c b/libavcodec/ttaenc.c index 3cc54d78c5..08a0d0483a 100644 --- a/libavcodec/ttaenc.c +++ b/libavcodec/ttaenc.c @@ -164,7 +164,7 @@ pkt_alloc: put_bits(&pb, 31, 0x7FFFFFFF); unary -= 31; } else { - put_bits(&pb, unary, (1 << unary) - 1); + put_bits(&pb, unary, (1U << unary) - 1); unary = 0; } } while (unary); From a3a2e782c2ab5ccfcd864f476e6c3b7aa03c8dcf Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Sat, 20 Apr 2019 00:03:15 +0200 Subject: [PATCH 0999/1764] lavf/webm_chunk: Fix NULL dereference The earlier version of the webm_chunk muxer had several bugs: 1. If the first packet of an audio stream didn't have a PTS of zero, then no chunk will be started before a packet is delivered to the underlying Matroska/WebM muxer, i.e. the AVFormatContext used to write these packets had a NULL as AVIOContext for output. This is behind the crash in ticket #5752. 2. If an error happens during writing a packet, the underlyimg Matroska/WebM muxer context is freed. This leads to a use-after-free coupled with a double-free in webm_chunk_write_trailer (which supposes that the underlying AVFormatContext is still valid). 3. Even when no error occurs at all, webm_chunk_write_trailer is still buggy: After the underlying Matroska/WebM muxer has written its trailer, ending the chunk implicitly flushes it again which is illegal at this point. These bugs have been fixed. Fixes #5752. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 8c6ee7626bcce7c270360f33b60dc7ef99939fc3) Signed-off-by: Andreas Rheinhardt --- libavformat/webm_chunk.c | 44 +++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/libavformat/webm_chunk.c b/libavformat/webm_chunk.c index 191a30e64f..d457acf05f 100644 --- a/libavformat/webm_chunk.c +++ b/libavformat/webm_chunk.c @@ -167,7 +167,7 @@ static int chunk_start(AVFormatContext *s) return 0; } -static int chunk_end(AVFormatContext *s) +static int chunk_end(AVFormatContext *s, int flush) { WebMChunkContext *wc = s->priv_data; AVFormatContext *oc = wc->avf; @@ -178,11 +178,14 @@ static int chunk_end(AVFormatContext *s) char filename[MAX_FILENAME_SIZE]; AVDictionary *options = NULL; - if (wc->chunk_start_index == wc->chunk_index) + if (!oc->pb) return 0; - // Flush the cluster in WebM muxer. - oc->oformat->write_packet(oc, NULL); + + if (flush) + // Flush the cluster in WebM muxer. + oc->oformat->write_packet(oc, NULL); buffer_size = avio_close_dyn_buf(oc->pb, &buffer); + oc->pb = NULL; ret = get_chunk_filename(s, 0, filename); if (ret < 0) goto fail; @@ -193,7 +196,6 @@ static int chunk_end(AVFormatContext *s) goto fail; avio_write(pb, buffer, buffer_size); ff_format_io_close(s, &pb); - oc->pb = NULL; fail: av_dict_free(&options); av_free(buffer); @@ -215,27 +217,19 @@ static int webm_chunk_write_packet(AVFormatContext *s, AVPacket *pkt) } // For video, a new chunk is started only on key frames. For audio, a new - // chunk is started based on chunk_duration. - if ((st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && + // chunk is started based on chunk_duration. Also, a new chunk is started + // unconditionally if there is no currently open chunk. + if (!oc->pb || (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && (pkt->flags & AV_PKT_FLAG_KEY)) || (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO && - (pkt->pts == 0 || wc->duration_written >= wc->chunk_duration))) { + wc->duration_written >= wc->chunk_duration)) { wc->duration_written = 0; - if ((ret = chunk_end(s)) < 0 || (ret = chunk_start(s)) < 0) { - goto fail; + if ((ret = chunk_end(s, 1)) < 0 || (ret = chunk_start(s)) < 0) { + return ret; } } ret = oc->oformat->write_packet(oc, pkt); - if (ret < 0) - goto fail; - -fail: - if (ret < 0) { - oc->streams = NULL; - oc->nb_streams = 0; - avformat_free_context(oc); - } return ret; } @@ -244,12 +238,20 @@ static int webm_chunk_write_trailer(AVFormatContext *s) { WebMChunkContext *wc = s->priv_data; AVFormatContext *oc = wc->avf; + int ret; + + if (!oc->pb) { + ret = chunk_start(s); + if (ret < 0) + goto fail; + } oc->oformat->write_trailer(oc); - chunk_end(s); + ret = chunk_end(s, 0); +fail: oc->streams = NULL; oc->nb_streams = 0; avformat_free_context(oc); - return 0; + return ret; } #define OFFSET(x) offsetof(WebMChunkContext, x) From b66884f4aa6701a842bb83b407d546cdb76320d9 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Wed, 27 May 2020 19:09:14 +0200 Subject: [PATCH 1000/1764] avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit is so big that it extends beyond the end of the input packet; it does so only implicitly by using the checked version of the bytestream2 API. But this has downsides compared to real checks: It can lead to huge allocations (up to 2GiB) even when the input packet is just a few bytes. And furthermore it leads to uninitialized data being output. So add a check to error out early if it happens. Also check directly whether there is enough data for the length field. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5) Signed-off-by: Andreas Rheinhardt --- libavcodec/hevc_mp4toannexb_bsf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 30f733d775..477d86d9fd 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -141,10 +141,14 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) int nalu_type; int is_irap, add_extradata, extra_size, prev_size; + if (bytestream2_get_bytes_left(&gb) < s->length_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); - if (nalu_size < 2) { + if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) { ret = AVERROR_INVALIDDATA; goto fail; } From 567c20f78109588620c57696ab39ff314fe12d6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jul 2020 12:05:27 +0200 Subject: [PATCH 1001/1764] Update for 3.4.8 Signed-off-by: Michael Niedermayer --- Changelog | 246 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 248 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 700d38d2e3..34f312dcc2 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,252 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.8: + avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input + lavf/webm_chunk: Fix NULL dereference + avcodec/ttaenc: Fix undefined shift + fftools/ffmpeg: Free swresample dictionary during cleanup + avfilter/vf_xbr: Fix left shift of negative number + avfilter/vf_hqx: Fix undefined left shifts of negative numbers + avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers + avcodec/ituh263dec: Fix undefined left shift of negative number + avcodec/dnxhdenc: Fix undefined left shifts of negative numbers + swscale/utils: Fix invalid left shifts of negative numbers + swscale/x86/swscale: Fix undefined left shifts of negative numbers + avcodec/exr: Fix undefined left shifts of negative numbers + avformat/movenc: Fix undefined shift + avcodec/pcm: Fix undefined shifts + avcodec/wavpackenc: Fix undefined shifts + avcodec/ac3enc: Fix invalid shift + avcodec/tdsc: Fix undefined shifts + fftools/ffmpeg_opt: Fix signed integer overflow + avformat/mov: Fix reel_name size check + avformat/mov: Fix memleak upon encountering repeating tags + avformat/matroskaenc: Don't use NULL for %s format string + avformat/webvttdec: Fix memleak upon read header failure + avformat/vplayerdec: Fix memleak upon read header failure + avformat/tedcaptionsdec: Fix memleak upon read header failure + avformat/subviewerdec: Fix memleak upon read header failure + avformat/subviewer1dec: Fix memleak upon read header failure + avformat/stldec: Fix memleak upon read header failure + avformat/srtdec: Fix memleak upon read header failure + avformat/sccdec: Fix memleak upon read header failure + avformat/samidec: Fix memleak upon read header failure + avformat/pjsdec: Fix memleak upon read header failure + avformat/mpsubdec: Fix memleak upon read header failure + avformat/mpl2dec: Fix memleak upon read header failure + avformat/microdvddec: Fix memleak upon read header failure + avformat/lrcdec: Fix memleak upon read header failure + avformat/jacosubdec: Fix memleak upon read header failure + avformat/assdec: Fix memleak upon read header failure + avformat/aqtitledec: Fix memleak upon read header failure + avformat/mov: Fix memleaks upon read_header failure + avformat/omadec: Fix memleaks upon read_header failure + avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer + avformat/matroskadec: Use right number of tracks + avformat/matroskadec: Fix handling gigantic durations + avformat/aviobuf: Don't check for overflow after it happened + avformat/matroskaenc: Fix memleak upon encountering bogus chapter + fftools/ffmpeg_opt: Check attachment filesize + avformat/webmdashenc: Check codec types + avformat/avidec: Fix memleak with embedded GAB2 subtitles + avformat/webmdashenc: Fix memleak upon realloc failure + avformat/matroskadec: Don't discard the upper 32bits of TrackNumber + avformat/hnm: Check for extradata allocation failure + avformat/subtitles: Don't increment packet counter prematurely + avformat/bethsoftvid: Fix potential memleak upon reallocation failure + avformat/smoothstreaming: Fix memleaks on errors + avformat/matroskaenc: Check BlockAdditional size before use + avformat/utils: Fix memleaks in avformat_open_input() + avcodec/cavsdsp: Fix undefined left shifts of negative numbers + avformat/hevc: Fix potential leak in case of ff_hevc_annexb2mp4_buf failure + avformat/matroskaenc: Check for reformatting errors + avcodec/ra144enc: Fix invalid left shift of negative number + avcodec/adxenc: Avoid undefined left shift of negative numbers + avcodec/adpcm: Fix undefined left shifts of negative numbers + avcodec/proresenc_anatoliy: Fix invalid left shift of negative number + avformat/wtvdec: Fix memleak when reading header fails + avformat/fitsdec: Fix potential leak of string in AVBPrint + avformat/mov: fix memleaks + libavformat/mov: Fix memleaks when demuxing DV audio + avcodec/bitstream: Don't check for undefined behaviour after it happened + avcodec/dstdec: Replace AC overread check by sample rate check + avformat/utils: reorder duration computation to avoid overflow + avcodec/pngdec: Check for fctl after idat + avformat/hls: Pass a copy of the URL for probing + avformat/hls: check segment duration value of EXTINF + avutil/common: Fix integer overflow in av_ceil_log2_c() + avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms + avformat/mvdec: Fix integer overflow with billions of channels + avformat/microdvddec: skip malformed lines without frame number. + avformat/mxfdec: free duplicated utf16 strings + avformat/4xm: Check that a video stream was created before returning packets for it + avcodec/ffwavesynth: Avoid undefined operation on ts overflow + avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv() + avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c() + avcodec/sonic: Fix several integer overflows + avcodec/pixlet: Fix log(0) check + avcodec/iff: Fix off by x error + avcodec/wmalosslessdec: Check block_align maximum + avcodec/loco: Fix signed integer overflow in loco_get_rice() + avformat/thp: Check fps + avformat/mpl2dec: Fix integer overflow with duration + avcodec/mpeg12dec: remove outdated comments + avcodec/snowdec: Avoid integer overflow with huge qlog + avformat/mov: Check if DTS is AV_NOPTS_VALUE in mov_find_next_sample(). + avcodec/mpeg12dec: Fix got_output + avformat/4xm: Cleanup on GET_LIST_HEADER() failure + avcodec/lzf: Consider the needed size in reallocation + avformat/mlvdec: fail reading a packet with 0 streams + avformat/thp: Check compcount + avcodec/adpcm: XA: Check shift similar to filter + avcodec/huffyuvdec: Test vertical coordinate more often + avcodec/hq_hqa: Check info size + avcodec/wmalosslessdec: Fix integer overflow in mclms_predict() + avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d() + avcodec/h264dec: Disable forced small_padding on flag2 fast + avformat/oggparsevorbis: Error out on double init of vp + avcodec/pnmdec: Use unsigned for maxval rescaling + avcodec/ivi: Clear got_p_frame before decoding a new frame using it + avcodec/dsddec: Check channels + avcodec/xvididct: Fix integer overflow in idct_row() + avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr() + avformat/mpegenc: Fix integer overflow with AV_NOPTS_VALUE + avformat/swfenc: Fix integer overflow in frame rate handling + avformat/aadec: Check toc_size to contain the minimum to demuxer uses + avformat/mov: Don't allow negative sample sizes. + mpeg4videoenc: Don't crash with -fsanitize=bounds + avformat/mpegts: Shuffle avio_seek + avcodec/binkaudio: Fix 2Ghz sample_rate + avcodec/adpcm: Fix integer overflow in ADPCM THP + avcodec/ralf: Check num_blocks before use + avcodec/iff: Test video_size being non zero + avcodec/utvideodec: Fix integer overflow in decode_plane() + avcodec/ttadsp: Fix several integer overflows in tta_filter_process_c() + avcodec/ralf: Fix integer overflow in decode_block() + avcodec/nuv: widen buf_size type + avcodec/iff: Fix several integer overflows + avcodec/g729postfilter: Clip gain before scaling with AGC_FAC1 + avcodec/alac: Fix integer overflow with 24/20bps samples + avcodec/dstdec: Check sample rate + avformat/thp: Require a video stream + avformat/mpeg: Decrease score by 1 for files with very little valid data + avcodec/pngdec: Check length in fdAT + avcodec/g2meet: Check tile_width in epic_jb_decode_tile() + avcodec/vp9dsp_template: Fix integer overflows in idct32_1d() + avcodec/alacdsp: Fix invalid shift in append_extra_bits() + libavcodec/wmalosslessdec: prevent sum of positive numbers from becoming negative + avcodec/dstdec: Fix integer overflow in read_table() + avcodec/txd: Check for input size against the header size. + avcodec/svq1dec: Check that there is data left after the header + avcodec/intrax8: Check for end of bitstream in ff_intrax8_decode_picture() + avcodec/hevc_mp4toannexb_bsf: Check nalu_size + avcodec/iff: Check length before memcpy() in decode_deep_rle32() + avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32() + avcodec/pngdec: Pass ret from decode_iccp_chunk() + avcodec/rv40dsp: Fix integer overflows in rv40_weight_func_*() + avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs() + avcodec/flac_parser: Do not lose header count in find_headers_search() + avcodec/audiodsp: Fix integer overflow in scalarproduct_int16_c() + avformat/oggdec: Check for EOF after page header + swscale/yuv2rgb: Fix vertical dither offset with slices + avcodec/dpcm: clip exponent into supported range in XAN DPCM + avcodec/flacdsp_template: Fix invalid shifts in decorrelate + avcodec/xvididct: Fix integer overflow in MULT() + avcodec/ffwavesynth: Correct undefined overflow of PINK_UNIT + swscale/output: Fix integer overflow in yuv2rgb_write_full() with out of range input + swscale/output: Fix integer overflow in alpha computation in yuv2gbrp16_full_X_c() + libavformat/amr.c: Check return value from avio_read() + libavformat/mov.c: Free aes_decrypt to avoid leaking memory + libavformat/oggdec.c: Check return value from avio_read() + avformat/asfdec_f: Fix overflow check in get_tag() + avformat/nsvdec: Fix memleaks on errors while reading the header + avcodec/ffwavesynth: Fix integer overflow in computation of ddphi + avcodec/adpcm: Fix invalid shift in AV_CODEC_ID_ADPCM_PSX + avcodec/mpeg12dec: Fix invalid shift in mpeg2_fast_decode_block_intra() + avcodec/mpegaudioenc_template: fix invalid shift of sample + avcodec/motion_est_template: Fix invalid shifts in no_sub_motion_search() + libavformat/avienc: Check bits per sample for PAL8 + avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet() + avcodec/magicyuv: Check that there are enough lines for interlacing to be possible + avformat/mvdec: Check stream numbers + avcodec/pcm: Fix invalid shift in AV_CODEC_ID_PCM_LXF + avcodec/qdm2: Check fft_coefs_index + avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info() + avformat/avidec: Avoid integer overflow in NI switch check + fftools/ffmpeg: Fix integer overflow in duration computation in seek_to_start() + avfilter/vf_aspect: Fix integer overflow in compute_dar() + avcodec/apedec: Fix invalid shift with 24 bps + avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index() + avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM + avcodec/wmalosslessdec: Fix integer overflow with sliding in padding bits + avcodec/wmalosslessdec: Fix loop in revert_acfilter() + avcodec/lagarith: Sanity check scale + avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() + avcodec/ralf: Fix integer overflow in apply_lpc() + avcodec/dca_lbr: Fix some error codes and error passing + avcodec/wmavoice: Fix rounding and integer anomalies in calc_input_response() + avcodec/wmavoice: sanity check block_align + avcodec/pcm: Fix invalid shift in pcm_decode_frame for LXF + avcodec/snappy: Sanity check bytestream2_get_levarint() + avcodec/mlpdsp: Fix a invalid shift in ff_mlp_rematrix_channel() + avcodec/avdct: Clear IDCTDSPContext context + avcodec/x86/diracdsp: Fix high bits on Windows x86_64 + avformat/mov: Check STCO location + avcodec/wmalosslessdec: Fix multiple integer overflows + avcodec/apedec: Fix undefined integer overflow in decode_array_0000() + avcodec/smacker: Check space before decoding type + avcodec/rawdec: Use linesize in b64a + avcodec/iff: Over-allocate ham_palbuf for HAM6 IFF-PBM + avcodec/x86/diracdsp: Fix incorrect src addressing in dequant_subband_32() + avfilter/vf_find_rect: Remove assert + avfilter/vf_find_rect: Increase worst case score + swscale/input: Fix several invalid shifts related to rgb2yuv constants + swscale/output: Fix several invalid shifts in yuv2rgb_full_1_c_template() + swscale/swscale: Fix several invalid shifts related to vChrDrop + avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow + avcodec/hevc_mp4toannexb_bsf: Avoid NULL memcpy() + avcodec/wmalosslessdec: move channel check up + avcodec/adpcm: Fix overflow in FFABS() IMA_EA_EACS + avcodec/alac: Fix integer overflow in LPC coefficient adaption + avcodec/g729postfilter: Optimize out overflowing multiplication from apply_tilt_comp() + avcodec/vc1dec: Check field_mode for sprites + avcodec/vc1dec: Limit bits by the actual bitstream size + avcodec/vmdaudio: Check block_align more + configure: bump year + avcodec/pgssubdec: Free subtitle on error + avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample() + avcodec/cook: Use 3 stage VLC decoding for channel_coupling + avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe() + avcodec/sonic: Check e in get_symbol() + avcodec/twinvqdec: Correct overflow in block align check + avcodec/vc1dec: Fix "return -1" cases + avcodec/vc1dec: Free sprite_output_frame on error + avcodec/wmadec: Keep track of exponent initialization per channel + avcodec/iff: Check that video_size is large enough for the read parameters + avcodec/adpcm: Clip predictor for APC + avcodec/targa: Check colors vs. available space + avcodec/dstdec: Use get_ur_golomb_jpegls() + avcodec/wmavoice: Check remaining input in parse_packet_header() + avcodec/wmalosslessdec: Fix 2 overflows in mclms + avcodec/wmaprodec: Fixes integer overflow with 32bit samples + avcodec/adpcm: Fix invalid shift in xa_decode() + avcodec/wmalosslessdec: Fix several integer issues + avcodec/wmalosslessdec: Check that padding bits is not more than sample bits + avcodec/iff: Skip overflowing runs in decode_delta_d() + avcodec/pnm: Check that the header is not truncated + avcodec/mp3_header_decompress_bsf: Check sample_rate_index + avformat/rmdec: Initialize and sanity check offset in ivr_read_header() + avcodec/apedec: Fix 2 integer overflows + avcodec/wmaprodec: Set packet_loss when we error out on a sanity check + avcodec/wmaprodec: Check offset + avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block() + avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external + libavcodec/libvpxenc: Don't free user-provided AVPacket + libavcodec/libmp3lame: Don't free user-provided AVPacket + avcodec/libopusenc: Don't free user-provided AVPacket + avformat/matroskadec: Fix default value of BlockAddID + version 3.4.7: - avcodec/g729dec: require buf_size to be non 0 - avcodec/alac: Fix integer overflow in lpc_prediction() with sign diff --git a/RELEASE b/RELEASE index 2aa5131992..7921bd0c89 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.7 +3.4.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index f9aee57c56..8b9ae1d495 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.7 +PROJECT_NUMBER = 3.4.8 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 30891d0932c884afb86589a8b1121df9c1fd052f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Wegner?= Date: Thu, 2 Aug 2018 21:08:12 +0200 Subject: [PATCH 1002/1764] avformat/tls_schannel: Fix use of uninitialized variable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: runtime error: passing uninitialized value to FreeContextBuffer causes a crash Signed-off-by: Paweł Wegner (cherry picked from commit 85c00643b763bc62f3a15c19df44c3f1312bfe81) --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 9f1c08806f..1c65c25441 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -148,7 +148,7 @@ static int tls_client_handshake_loop(URLContext *h, int initial) TLSContext *c = h->priv_data; TLSShared *s = &c->tls_shared; SECURITY_STATUS sspi_ret; - SecBuffer outbuf[3]; + SecBuffer outbuf[3] = { 0 }; SecBufferDesc outbuf_desc; SecBuffer inbuf[2]; SecBufferDesc inbuf_desc; From 895f67bbed4360ffbf507b0cfb2c98b3e17a7266 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Wed, 13 May 2020 00:27:58 +0300 Subject: [PATCH 1003/1764] avformat/tls_schannel: always decrypt all received data The dec_buf seems to be properly managed between read calls, and we have no logic to decrypt before attempting socket I/O. Thus - until now - such data would not be decrypted in case of connections such as HTTP keep-alive, as the recv call would always get executed first, block until rw_timeout, and then get retried by retry_transfer_wrapper. Thus - if data is received - decrypt all of it right away. This way it is available for the following requests in case they can be satisfied with it. (cherry picked from commit 39977fff20048f1798a95c593d6034a0e73ebbe5) --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 1c65c25441..7718681495 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -422,7 +422,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) c->enc_buf_offset += ret; } - while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK && c->dec_buf_offset < len) { + while (c->enc_buf_offset > 0 && sspi_ret == SEC_E_OK) { /* input buffer */ init_sec_buffer(&inbuf[0], SECBUFFER_DATA, c->enc_buf, c->enc_buf_offset); From a6006fe0473d9d2789063c74087167f29d03a6ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Ekstr=C3=B6m?= Date: Wed, 13 May 2020 00:31:03 +0300 Subject: [PATCH 1004/1764] avformat/tls_schannel: immediately return decrypted data if available Until now, we would have only attempted to utilize already decrypted data if it was enough to fill the size of buffer requested, that could very well be up to 32 kilobytes. With keep-alive connections this would just lead to recv blocking until rw_timeout had been reached, as the connection would not be officially closed after each transfer. This would also lead to a loop, as such timed out I/O request would just be attempted again. By just returning the available decrypted data, keep-alive based connectivity such as HLS playback is fixed with schannel. (cherry picked from commit 6f8826e4aaddf1ee6cf3f333ed0e392a748382fe) --- libavformat/tls_schannel.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index 7718681495..b53a36aaac 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -392,7 +392,12 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) int size, ret; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; - if (len <= c->dec_buf_offset) + /* If we have some left-over data from previous network activity, + * return it first in case it is enough. It may contain + * data that is required to know whether this connection + * is still required or not, esp. in case of HTTP keep-alive + * connections. */ + if (c->dec_buf_offset > 0) goto cleanup; if (c->sspi_close_notify) From 891a7c3765579c884979f4a627cd74c5154ffdf3 Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Tue, 29 Sep 2020 23:19:23 +0200 Subject: [PATCH 1005/1764] avcodec/cuviddec: handle arbitrarily sized extradata --- libavcodec/cuvid.c | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/libavcodec/cuvid.c b/libavcodec/cuvid.c index 68671f0ecc..fba252995d 100644 --- a/libavcodec/cuvid.c +++ b/libavcodec/cuvid.c @@ -79,7 +79,7 @@ typedef struct CuvidContext CUVIDDECODECAPS caps8, caps10, caps12; CUVIDPARSERPARAMS cuparseinfo; - CUVIDEOFORMATEX cuparse_ext; + CUVIDEOFORMATEX *cuparse_ext; CudaFunctions *cudl; CuvidFunctions *cvdl; @@ -696,6 +696,8 @@ static av_cold int cuvid_decode_end(AVCodecContext *avctx) av_buffer_unref(&ctx->hwframe); av_buffer_unref(&ctx->hwdevice); + av_freep(&ctx->cuparse_ext); + cuvid_free_functions(&ctx->cvdl); return 0; @@ -799,6 +801,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext cuda_ctx = NULL; CUcontext dummy; const AVBitStreamFilter *bsf; + uint8_t *extradata; + uint32_t extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, @@ -895,11 +899,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) ctx->cudl = device_hwctx->internal->cuda_dl; memset(&ctx->cuparseinfo, 0, sizeof(ctx->cuparseinfo)); - memset(&ctx->cuparse_ext, 0, sizeof(ctx->cuparse_ext)); memset(&seq_pkt, 0, sizeof(seq_pkt)); - ctx->cuparseinfo.pExtVideoInfo = &ctx->cuparse_ext; - switch (avctx->codec->id) { #if CONFIG_H264_CUVID_DECODER case AV_CODEC_ID_H264: @@ -969,17 +970,25 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) goto error; } - ctx->cuparse_ext.format.seqhdr_data_length = ctx->bsf->par_out->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - ctx->bsf->par_out->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), ctx->bsf->par_out->extradata_size)); + extradata = ctx->bsf->par_out->extradata; + extradata_size = ctx->bsf->par_out->extradata_size; } else if (avctx->extradata_size > 0) { - ctx->cuparse_ext.format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext.raw_seqhdr_data, - avctx->extradata, - FFMIN(sizeof(ctx->cuparse_ext.raw_seqhdr_data), avctx->extradata_size)); + extradata = avctx->extradata; + extradata_size = avctx->extradata_size; } + ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) + + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + if (!ctx->cuparse_ext) { + ret = AVERROR(ENOMEM); + goto error; + } + + ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + + ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; + ctx->cuparseinfo.ulMaxNumDecodeSurfaces = ctx->nb_surfaces; ctx->cuparseinfo.ulMaxDisplayDelay = 4; ctx->cuparseinfo.pUserData = avctx; @@ -1002,8 +1011,8 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); @@ -1062,8 +1071,8 @@ static void cuvid_flush(AVCodecContext *avctx) if (ret < 0) goto error; - seq_pkt.payload = ctx->cuparse_ext.raw_seqhdr_data; - seq_pkt.payload_size = ctx->cuparse_ext.format.seqhdr_data_length; + seq_pkt.payload = ctx->cuparse_ext->raw_seqhdr_data; + seq_pkt.payload_size = ctx->cuparse_ext->format.seqhdr_data_length; if (seq_pkt.payload && seq_pkt.payload_size) { ret = CHECK_CU(ctx->cvdl->cuvidParseVideoData(ctx->cuparser, &seq_pkt)); From 8f5e16b5f129f6d62b5135bd095c41e64998d2ed Mon Sep 17 00:00:00 2001 From: Timo Rothenpieler Date: Thu, 1 Oct 2020 20:20:48 +0200 Subject: [PATCH 1006/1764] avcodec/cuviddec: backport extradata fixes --- libavcodec/cuvid.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavcodec/cuvid.c b/libavcodec/cuvid.c index fba252995d..c93d85adcc 100644 --- a/libavcodec/cuvid.c +++ b/libavcodec/cuvid.c @@ -802,7 +802,7 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) CUcontext dummy; const AVBitStreamFilter *bsf; uint8_t *extradata; - uint32_t extradata_size; + int extradata_size; int ret = 0; enum AVPixelFormat pix_fmts[3] = { AV_PIX_FMT_CUDA, @@ -972,20 +972,21 @@ static av_cold int cuvid_decode_init(AVCodecContext *avctx) extradata = ctx->bsf->par_out->extradata; extradata_size = ctx->bsf->par_out->extradata_size; - } else if (avctx->extradata_size > 0) { + } else { extradata = avctx->extradata; extradata_size = avctx->extradata_size; } ctx->cuparse_ext = av_mallocz(sizeof(*ctx->cuparse_ext) - + FFMAX(extradata_size - sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); + + FFMAX(extradata_size - (int)sizeof(ctx->cuparse_ext->raw_seqhdr_data), 0)); if (!ctx->cuparse_ext) { ret = AVERROR(ENOMEM); goto error; } - ctx->cuparse_ext->format.seqhdr_data_length = avctx->extradata_size; - memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + if (extradata_size > 0) + memcpy(ctx->cuparse_ext->raw_seqhdr_data, extradata, extradata_size); + ctx->cuparse_ext->format.seqhdr_data_length = extradata_size; ctx->cuparseinfo.pExtVideoInfo = ctx->cuparse_ext; From fa3702fbaf39513a6563313eb79efce6e165dcfb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Jul 2020 23:55:50 +0200 Subject: [PATCH 1007/1764] avcodec/pnmdec: Fix misaligned reads Found-by: "Steinar H. Gunderson" Signed-off-by: Michael Niedermayer (cherry picked from commit ea28ce9bc13803ccef97850388ddc9a73998a23e) Signed-off-by: Michael Niedermayer --- libavcodec/pnmdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c index 2c98e26934..b625d8d3c4 100644 --- a/libavcodec/pnmdec.c +++ b/libavcodec/pnmdec.c @@ -172,7 +172,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, } else if (upgrade == 2) { unsigned int j, v, f = (65535 * 32768 + s->maxval / 2) / s->maxval; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } } @@ -226,7 +226,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; for (i = 0; i < avctx->height; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ((uint16_t *)ptr)[j] = (v * f + 16384) >> 15; } s->bytestream += n; @@ -238,13 +238,13 @@ static int pnm_decode_frame(AVCodecContext *avctx, void *data, h = avctx->height >> 1; for (i = 0; i < h; i++) { for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr1[j] = (v * f + 16384) >> 15; } s->bytestream += n; for (j = 0; j < n / 2; j++) { - v = av_be2ne16(((uint16_t *)s->bytestream)[j]); + v = AV_RB16(s->bytestream + 2*j); ptr2[j] = (v * f + 16384) >> 15; } s->bytestream += n; From a86e6a6a987bc4e4274e753d92ae3364117a938c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jul 2020 20:18:42 +0200 Subject: [PATCH 1008/1764] avformat/smjpegdec: Check the existence of referred streams Fixes: Assertion failure Fixes: 23758/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5160954605338624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 321ea59dac6538f92206bab0a2688fa24a25c4d2) Signed-off-by: Michael Niedermayer --- libavformat/smjpegdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/smjpegdec.c b/libavformat/smjpegdec.c index c184c0d9fd..ec5f2957e5 100644 --- a/libavformat/smjpegdec.c +++ b/libavformat/smjpegdec.c @@ -51,6 +51,9 @@ static int smjpeg_read_header(AVFormatContext *s) uint32_t version, htype, hlength, duration; char *comment; + sc->audio_stream_index = + sc->video_stream_index = -1; + avio_skip(pb, 8); // magic version = avio_rb32(pb); if (version) @@ -147,6 +150,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) dtype = avio_rl32(s->pb); switch (dtype) { case SMJPEG_SNDD: + if (sc->audio_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); @@ -155,6 +160,8 @@ static int smjpeg_read_packet(AVFormatContext *s, AVPacket *pkt) pkt->pos = pos; break; case SMJPEG_VIDD: + if (sc->video_stream_index < 0) + return AVERROR_INVALIDDATA; timestamp = avio_rb32(s->pb); size = avio_rb32(s->pb); ret = av_get_packet(s->pb, pkt, size); From bd2c09a5c52647ec61096f101f3d6df528e77fc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 21:11:25 +0200 Subject: [PATCH 1009/1764] avcodec/loco: Fix integer overflow with large values from loco_get_rice() Fixes: signed integer overflow: 155 + 2147483647 cannot be represented in type 'int' Fixes: 23421/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5652849097965568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3ddc5e1f3cebca25ade54ee68159d305f210bf5f) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index e22d280b96..f9655c0bf5 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -129,7 +129,7 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh int stride, const uint8_t *buf, int buf_size, int step) { RICEContext rc; - int val; + unsigned val; int ret; int i, j; From 2a34d7476d78a5b970ed332f4e6c910c383128e1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2020 22:01:22 +0200 Subject: [PATCH 1010/1764] avcodec/apedec: Fix undefined integer overflow with 24bit Fixes: signed integer overflow: 8683744 * 256 cannot be represented in type 'int' Fixes: 23527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679885932822528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9f7b252cdf2d0e0f79d16dc7cd575d1884239863) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 93e9a18e5d..3bec1eee68 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1543,7 +1543,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample24 = (int32_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample24++ = s->decoded[ch][i] * 256; + *sample24++ = s->decoded[ch][i] * 256U; } break; } From a79700555fb2de8f18dbb0bd0c72a77aa59613f1 Mon Sep 17 00:00:00 2001 From: Zhao Zhili Date: Sun, 5 Jul 2020 00:51:53 +0800 Subject: [PATCH 1011/1764] avformat/mov: Fix unaligned read of uint32_t and endian-dependance in mov_read_default Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 806a4d5187aeb82b97898683242886ed1e84f894) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 407d801775..1668b599c8 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5706,13 +5706,12 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) a.size >= 8 && c->fc->strict_std_compliance < FF_COMPLIANCE_STRICT && c->moov_retry) { - uint8_t buf[8]; - uint32_t *type = (uint32_t *)buf + 1; - if (avio_read(pb, buf, 8) != 8) - return AVERROR_INVALIDDATA; + uint32_t type; + avio_skip(pb, 4); + type = avio_rl32(pb); avio_seek(pb, -8, SEEK_CUR); - if (*type == MKTAG('m','v','h','d') || - *type == MKTAG('c','m','o','v')) { + if (type == MKTAG('m','v','h','d') || + type == MKTAG('c','m','o','v')) { av_log(c->fc, AV_LOG_ERROR, "Detected moov in a free atom.\n"); a.type = MKTAG('m','o','o','v'); } From d46b698478f11ab85135b3cf0a7944c4dd62e37c Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 9 Jul 2020 12:07:28 +0200 Subject: [PATCH 1012/1764] avformat/mm: Check for existence of audio stream No audio stream is created unconditionally and if none has been created, no packet with stream_index 1 may be returned. This fixes an assert in ff_read_packet() in libavformat/utils reported in ticket #8782. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit ec59dc73f0cc8930bf5dae389cd76d049d537ca7) Signed-off-by: Andreas Rheinhardt --- libavformat/mm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mm.c b/libavformat/mm.c index 8a1382e03c..de5f9d6161 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -174,6 +174,8 @@ static int read_packet(AVFormatContext *s, return 0; case MM_TYPE_AUDIO : + if (s->nb_streams < 2) + return AVERROR_INVALIDDATA; if (av_get_packet(s->pb, pkt, length)<0) return AVERROR(ENOMEM); pkt->stream_index = 1; From baeec0cba97a82e7c47752fb76d885769217ac80 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jul 2020 22:47:50 +0200 Subject: [PATCH 1013/1764] avcodec/tdsc: Fix tile checks Fixes: out of array access Fixes: crash.asf Found-by: anton listov Reviewed-by: anton listov Signed-off-by: Michael Niedermayer (cherry picked from commit 081e3001edb67dcd55fe0f68505df1fce667476d) Signed-off-by: Michael Niedermayer --- libavcodec/tdsc.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/libavcodec/tdsc.c b/libavcodec/tdsc.c index e9ea41ef55..854e7e0510 100644 --- a/libavcodec/tdsc.c +++ b/libavcodec/tdsc.c @@ -390,7 +390,7 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) for (i = 0; i < number_tiles; i++) { int tile_size; int tile_mode; - int x, y, w, h; + int x, y, x2, y2, w, h; int ret; if (bytestream2_get_bytes_left(&ctx->gbc) < 4 || @@ -408,20 +408,19 @@ static int tdsc_decode_tiles(AVCodecContext *avctx, int number_tiles) bytestream2_skip(&ctx->gbc, 4); // unknown x = bytestream2_get_le32(&ctx->gbc); y = bytestream2_get_le32(&ctx->gbc); - w = bytestream2_get_le32(&ctx->gbc) - x; - h = bytestream2_get_le32(&ctx->gbc) - y; + x2 = bytestream2_get_le32(&ctx->gbc); + y2 = bytestream2_get_le32(&ctx->gbc); - if (x >= ctx->width || y >= ctx->height) { + if (x < 0 || y < 0 || x2 <= x || y2 <= y || + x2 > ctx->width || y2 > ctx->height + ) { av_log(avctx, AV_LOG_ERROR, - "Invalid tile position (%d.%d outside %dx%d).\n", - x, y, ctx->width, ctx->height); - return AVERROR_INVALIDDATA; - } - if (x + w > ctx->width || y + h > ctx->height) { - av_log(avctx, AV_LOG_ERROR, - "Invalid tile size %dx%d\n", w, h); + "Invalid tile position (%d.%d %d.%d outside %dx%d).\n", + x, y, x2, y2, ctx->width, ctx->height); return AVERROR_INVALIDDATA; } + w = x2 - x; + h = y2 - y; ret = av_reallocp(&ctx->tilebuffer, tile_size); if (!ctx->tilebuffer) From e9edf11076032ace848ad720f9fea3a5485ced20 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:41:27 +0200 Subject: [PATCH 1014/1764] avcodec/alac: Check decorr_shift to avoid invalid shift Later the decorrelate_stereo call is guarded by channels == 2 and non-zero decorr_left_weight. Make sure decorr_shift is in the expected shift range for that case. Fixes: shift exponent 128 is too large for 32-bit type 'int' Fixes: 23860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5751138914402304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 4333718b357a9ad195031e5d0ea080d37677b795) Signed-off-by: Michael Niedermayer --- libavcodec/alac.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index d2a2297bf7..c21253f63e 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -302,6 +302,9 @@ static int decode_element(AVCodecContext *avctx, AVFrame *frame, int ch_index, decorr_shift = get_bits(&alac->gb, 8); decorr_left_weight = get_bits(&alac->gb, 8); + if (channels == 2 && decorr_left_weight && decorr_shift > 31) + return AVERROR_INVALIDDATA; + for (ch = 0; ch < channels; ch++) { prediction_type[ch] = get_bits(&alac->gb, 4); lpc_quant[ch] = get_bits(&alac->gb, 4); From 475cfa1218e6d161422c3d53a6a229f69e562e9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 Aug 2020 00:51:12 +0200 Subject: [PATCH 1015/1764] avformat/mov: Check comp_brand_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1668b599c8..9e26b3ebbe 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1132,7 +1132,7 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_dict_set_int(&c->fc->metadata, "minor_version", minor_ver, 0); comp_brand_size = atom.size - 8; - if (comp_brand_size < 0) + if (comp_brand_size < 0 || comp_brand_size == INT_MAX) return AVERROR_INVALIDDATA; comp_brands_str = av_malloc(comp_brand_size + 1); /* Add null terminator */ if (!comp_brands_str) From 4155510f7486d24c21c5d78cba331fee9b2687a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:35:06 +0200 Subject: [PATCH 1016/1764] avcodec/snowdec: Sanity check hcoeff Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d51d569cf68f78aaea8464a156c847a0e294726a) Signed-off-by: Michael Niedermayer --- libavcodec/snowdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 504382f589..dfbb9686da 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -369,7 +369,10 @@ static int decode_header(SnowContext *s){ htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ - p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); + unsigned hcoeff = get_symbol(&s->c, s->header_state, 0); + if (hcoeff > 127) + return AVERROR_INVALIDDATA; + p->hcoeff[i]= hcoeff * (1-2*(i&1)); sum += p->hcoeff[i]; } p->hcoeff[0]= 32-sum; From 190c2f40cf1c416bbd3e048b9905a37576305c6d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Aug 2020 21:42:43 +0200 Subject: [PATCH 1017/1764] avcodec/tiff: Check bpp/bppcount for 0 Fixes: division by zero Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit be090da25f734460f3105075456877b8a66185c1) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 9c13a758ee..34f99e3f26 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -831,7 +831,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->height = value; break; case TIFF_BPP: - if (count > 4U) { + if (count > 4 || count <= 0) { av_log(s->avctx, AV_LOG_ERROR, "This format is not supported (bpp=%d, %d components)\n", value, count); @@ -862,9 +862,9 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) "Samples per pixel requires a single value, many provided\n"); return AVERROR_INVALIDDATA; } - if (value > 4U) { + if (value > 4 || value <= 0) { av_log(s->avctx, AV_LOG_ERROR, - "Samples per pixel %d is too large\n", value); + "Invalid samples per pixel %d\n", value); return AVERROR_INVALIDDATA; } if (s->bppcount == 1) From 40528776124d6c3761f2d68e3affda797311d8f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2020 01:07:44 +0200 Subject: [PATCH 1018/1764] avformat/mpeg: Check avio_read() return value in get_pts() Found-by: Thierry Foucu Fixes: Use-of-uninitialized-value Reviewed-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit e8a88a16f78e66c8d7645b5f71dc8390b033fa70) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index b5e5e95858..b3daaaf637 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -159,9 +159,12 @@ static int mpegps_read_header(AVFormatContext *s) static int64_t get_pts(AVIOContext *pb, int c) { uint8_t buf[5]; + int ret; buf[0] = c < 0 ? avio_r8(pb) : c; - avio_read(pb, buf + 1, 4); + ret = avio_read(pb, buf + 1, 4); + if (ret < 4) + return AV_NOPTS_VALUE; return ff_parse_pes_pts(buf); } From ea12dd67ee244db59ebb176b71a042865a03777d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Aug 2020 14:41:13 +0200 Subject: [PATCH 1019/1764] avformat/siff: Reject audio packets without audio stream Fixes: Assertion failure Fixes: 24612/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6600899842277376.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 8931c55789a69f717b4a6954c5bb7acf5475a134) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/siff.c b/libavformat/siff.c index ddd1715680..e4da95ee0b 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -200,6 +200,8 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->curstrm == -1) { c->pktsize = avio_rl32(s->pb) - 4; c->flags = avio_rl16(s->pb); + if (c->flags & VB_HAS_AUDIO && !c->has_audio) + return AVERROR_INVALIDDATA; c->gmcsize = (c->flags & VB_HAS_GMC) ? 4 : 0; if (c->gmcsize) avio_read(s->pb, c->gmc, c->gmcsize); From ea43ce9aa99616415eab789510166b12c81db085 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Aug 2020 01:05:35 +0200 Subject: [PATCH 1020/1764] avcodec/tiff: Restrict tag order based on specification "The entries in an IFD must be sorted in ascending order by Tag. Note that this is not the order in which the fields are described in this document." This way various dimensions, sample and bit sizes cannot be changed at arbitrary times which reduces the potential for bugs. The tag reading code also on various places assumes that numerically previous tags have already been parsed, so this needs to be enforced one way or another. If this commit causes problems with real world files which are not easy to fix then some other form of checks are needed to ensure the various dependencies in the tag reading are not violated. Fixes: out of array access Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad29f9e47cb848e11ee1d358d2bae15cd35ef04b) Signed-off-by: Michael Niedermayer --- libavcodec/tiff.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 34f99e3f26..1fd17aa005 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -64,6 +64,7 @@ typedef struct TiffContext { int predictor; int fill_order; uint32_t res[4]; + unsigned last_tag; int strips, rps, sstype; int sot; @@ -801,6 +802,12 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) if (ret < 0) { goto end; } + if (tag <= s->last_tag) + return AVERROR_INVALIDDATA; + + // We ignore TIFF_STRIP_SIZE as it is sometimes in the logic but wrong order around TIFF_STRIP_OFFS + if (tag != TIFF_STRIP_SIZE) + s->last_tag = tag; off = bytestream2_tell(&s->gb); if (count == 1) { @@ -1239,6 +1246,7 @@ static int decode_frame(AVCodecContext *avctx, s->photometric = TIFF_PHOTOMETRIC_NONE; s->compr = TIFF_RAW; s->fill_order = 0; + s->last_tag = 0; free_geotags(s); // Reset these offsets so we can tell if they were set this frame From de5349f0cf5fea59ad4dc10ae15a565b334de5e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Aug 2020 00:17:41 +0200 Subject: [PATCH 1021/1764] avcodec/cfhd: Check transform type Fixes: out of array access Fixes: 24823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4855119863349248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 659658d08bb2e7219001795c78efd24f381446e2) Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 5ea8f24821..1fc2e5e2b4 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -345,6 +345,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, avpriv_report_missing_feature(avctx, "Transform type of %"PRIu16, data); ret = AVERROR_PATCHWELCOME; break; + } else if (data == 1) { + av_log(avctx, AV_LOG_ERROR, "unsupported transform type\n"); + ret = AVERROR_PATCHWELCOME; + break; } av_log(avctx, AV_LOG_DEBUG, "Transform-type? %"PRIu16"\n", data); } else if (abstag >= 0x4000 && abstag <= 0x40ff) { From 59c25dd671d8bdd2009b7699988bf8704a5b2f8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:09:05 +0200 Subject: [PATCH 1022/1764] avformat/avidec: Fix io_fsize overflow Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long' Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf0c700b0c25f5d9fe50dd27086a06812822f11a) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index e644e8413f..0b7b7f73dc 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -438,7 +438,7 @@ static int calculate_bitrate(AVFormatContext *s) maxpos = FFMAX(maxpos, st->index_entries[j-1].pos); lensum += len; } - if (maxpos < avi->io_fsize*9/10) // index does not cover the whole file + if (maxpos < av_rescale(avi->io_fsize, 9, 10)) // index does not cover the whole file return 0; if (lensum*9/10 > maxpos || lensum < maxpos*9/10) // frame sum and filesize mismatch return 0; From 9904e30c80b40a3a82956bc6d748885a1b0b16f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Jun 2020 00:24:55 +0200 Subject: [PATCH 1023/1764] avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d() Fixes: signed integer overflow: 998938090 + 1169275991 cannot be represented in type 'int' Fixes: 23411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-4644692330545152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d182d8f10cf69c59ef9c21df4b06e5478df063ef) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index c6944f5ce3..8d00e77d70 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1260,20 +1260,20 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (t2a - t6a + (1 << 13)) >> 14; t7 = (t3a - t7a + (1 << 13)) >> 14; - t4a = 15137 * t4 + 6270 * t5; - t5a = 6270 * t4 - 15137 * t5; - t6a = 15137 * t7 - 6270 * t6; - t7a = 6270 * t7 + 15137 * t6; + t4a = 15137U * t4 + 6270U * t5; + t5a = 6270U * t4 - 15137U * t5; + t6a = 15137U * t7 - 6270U * t6; + t7a = 6270U * t7 + 15137U * t6; out[0] = t0 + t2; out[7] = -(t1 + t3); t2 = t0 - t2; t3 = t1 - t3; - out[1] = -((t4a + t6a + (1 << 13)) >> 14); - out[6] = (t5a + t7a + (1 << 13)) >> 14; - t6 = (t4a - t6a + (1 << 13)) >> 14; - t7 = (t5a - t7a + (1 << 13)) >> 14; + out[1] = -((dctint)((1U << 13) + t4a + t6a) >> 14); + out[6] = (dctint)((1U << 13) + t5a + t7a) >> 14; + t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; + t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; From 7a6863501bacb4188d19177d3e71de94a9805908 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Sep 2020 17:58:53 +0200 Subject: [PATCH 1024/1764] avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE Fixes: signed integer overflow: -1429092 * -32596 cannot be represented in type 'int' Fixes: 24419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5157849974702080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a0da95df77a528251a326fc8b7e2ff48c60e41d0) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index 8d3ac81aef..d92bb38c45 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -373,7 +373,7 @@ static void wavesynth_synth_sample(struct wavesynth_context *ws, int64_t ts, in->amp += in->damp; switch (in->type) { case WS_SINE: - val = amp * ws->sin[in->phi >> (64 - SIN_BITS)]; + val = amp * (unsigned)ws->sin[in->phi >> (64 - SIN_BITS)]; in->phi += in->dphi; in->dphi += in->ddphi; break; From 5dad9581f6568e4766ed5536730a72ab16f7e6b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Sep 2020 00:09:33 +0200 Subject: [PATCH 1025/1764] avformat/electronicarts: Check if there are any streams Fixes: Assertion failure (invalid stream index) Fixes: 25120/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6565251898933248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 39a98623edbbdcf9d9b76e9d7aff3ce086ebfbfe) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 9ea4c5d708..87c7f0cf70 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -530,20 +530,17 @@ static int ea_read_header(AVFormatContext *s) if (ea->num_channels <= 0 || ea->num_channels > 2) { av_log(s, AV_LOG_WARNING, "Unsupported number of channels: %d\n", ea->num_channels); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->sample_rate <= 0) { av_log(s, AV_LOG_ERROR, "Unsupported sample rate: %d\n", ea->sample_rate); - ea->audio_codec = 0; - return 1; + goto no_audio; } if (ea->bytes <= 0 || ea->bytes > 2) { av_log(s, AV_LOG_ERROR, "Invalid number of bytes per sample: %d\n", ea->bytes); - ea->audio_codec = AV_CODEC_ID_NONE; - return 1; + goto no_audio; } /* initialize the audio decoder stream */ @@ -564,8 +561,13 @@ static int ea_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample; ea->audio_stream_index = st->index; st->start_time = 0; + return 1; } +no_audio: + ea->audio_codec = AV_CODEC_ID_NONE; + if (!ea->video.codec) + return AVERROR_INVALIDDATA; return 1; } From c232e5e3755847a41d7cf8e27680f4165232e9b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 10 May 2020 19:04:23 +0200 Subject: [PATCH 1026/1764] avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth() Fixes: -2.4187e+09 is outside the range of representable values of type 'int' Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int' Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Fixes: 23528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b9f39689ab19c68ff37b5a4ac71e8fb7f58c487) Signed-off-by: Michael Niedermayer --- libavcodec/mpc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpc.c b/libavcodec/mpc.c index 6cf9b9d520..e56b608d8c 100644 --- a/libavcodec/mpc.c +++ b/libavcodec/mpc.c @@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out, j = 0; mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF]; for(; j < 12; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF]; for(; j < 24; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF]; for(; j < 36; j++) - c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off]; + c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX); } } if(bands[i].msf){ - int t1, t2; + unsigned t1, t2; for(j = 0; j < SAMPLES_PER_BAND; j++){ t1 = c->sb_samples[0][j][i]; t2 = c->sb_samples[1][j][i]; From 98c1938fa97fb241c6fb3e00af6220dceac20e00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 16:54:28 +0200 Subject: [PATCH 1027/1764] avformat/cdg: Fix integer overflow in duration computation Fixes: signed integer overflow: 8398407 * 300 cannot be represented in type 'int' Fixes: 23914/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4702539290509312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8935b395162f8438d1f055e671e92685ed1586) Signed-off-by: Michael Niedermayer --- libavformat/cdg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cdg.c b/libavformat/cdg.c index 05cac6e528..f933819d57 100644 --- a/libavformat/cdg.c +++ b/libavformat/cdg.c @@ -49,7 +49,7 @@ static int read_header(AVFormatContext *s) if (ret < 0) { av_log(s, AV_LOG_WARNING, "Cannot calculate duration as file size cannot be determined\n"); } else - vst->duration = (ret * vst->time_base.den) / (CDG_PACKET_SIZE * 300); + vst->duration = (ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300); return 0; } From 0d0a60070f0cf85f89f76671676717f7740c8844 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Sep 2020 21:12:17 +0200 Subject: [PATCH 1028/1764] avcodec/wmalosslessdec: Check remaining space before padding and channel residue Fixes: Timeout (1101sec -> 0.4sec) Fixes: 24491/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5725337036783616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c467adf3bf9bb4b7fd28956ec698d884e63f145d) Signed-off-by: Michael Niedermayer --- libavcodec/wmalosslessdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 2228eecd96..5afc0544d5 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -935,6 +935,8 @@ static int decode_subframe(WmallDecodeCtx *s) s->do_lpc = 0; } + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) padding_zeroes = get_bits(&s->gb, 5); From fb2f9fd67de1592cb6f05fac19971f061dc80d11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Jul 2020 22:58:13 +0200 Subject: [PATCH 1029/1764] avutil/fixed_dsp: Fix integer overflows in butterflies_fixed_c() Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Fixes: 23646/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5480991098667008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a02ae49c26395fc3ae2d38c733a2a13bd3080e7) Signed-off-by: Michael Niedermayer --- libavutil/fixed_dsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/fixed_dsp.c b/libavutil/fixed_dsp.c index 8c018581df..f1b195f184 100644 --- a/libavutil/fixed_dsp.c +++ b/libavutil/fixed_dsp.c @@ -134,9 +134,10 @@ static int scalarproduct_fixed_c(const int *v1, const int *v2, int len) return (int)(p >> 31); } -static void butterflies_fixed_c(int *v1, int *v2, int len) +static void butterflies_fixed_c(int *v1s, int *v2, int len) { int i; + unsigned int *v1 = v1s; for (i = 0; i < len; i++){ int t = v1[i] - v2[i]; From 0f280bb03883161f93685881048ed8e63784c22f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jul 2020 14:30:19 +0200 Subject: [PATCH 1030/1764] avcodec/diracdsp: Fix integer anomaly in dequant_subband_* Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 23760/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-604209011412172 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca3c6c981aa5b0af8a5576020b79fdd3cdf9ae9e) Signed-off-by: Michael Niedermayer --- libavcodec/diracdsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 2dd56f83f3..4e08d3817e 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -198,9 +198,9 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s PX c, sign, *src_r = (PX *)src, *dst_r = (PX *)dst; \ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ - sign = FFSIGN(c)*(!!c); \ - c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ - *dst_r++ = c*sign; \ + if (c < 0) c = -((-(unsigned)c*qf + qs) >> 2); \ + else if(c > 0) c = (( (unsigned)c*qf + qs) >> 2); \ + *dst_r++ = c; \ } \ src += tot_h << (sizeof(PX) >> 1); \ dst += stride; \ From 6c9f2d9ef43beed512e0dbc81dbd3ff37d51d127 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 20:48:38 +0200 Subject: [PATCH 1031/1764] avcodec/ansi: Check nb_args for overflow Fixes: Integer overflow (no testcase) Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit bc0e776c9aaf06f437bf21e05a713fd54dc85400) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index f1fafab771..c42d6d3dba 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -430,7 +430,8 @@ static int decode_frame(AVCodecContext *avctx, s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; break; case ';': - s->nb_args++; + if (s->nb_args < MAX_NB_ARGS) + s->nb_args++; if (s->nb_args < MAX_NB_ARGS) s->args[s->nb_args] = 0; break; From dcf59c522c7e58bc2f5e1b590ba4d2682386c347 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2020 22:20:39 +0200 Subject: [PATCH 1032/1764] avcodec/sonic: Check channels before deallocating Fixes: heap-buffer-overflow Fixes: 25744/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5172961169113088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f249981976b18438cfb646183d4c21fb051e1ad4) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index f1bc3409bf..ad1552a434 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -980,9 +980,7 @@ static av_cold int sonic_decode_close(AVCodecContext *avctx) av_freep(&s->int_samples); av_freep(&s->tap_quant); av_freep(&s->predictor_k); - - for (i = 0; i < s->channels; i++) - { + for (i = 0; i < MAX_CHANNELS; i++) { av_freep(&s->predictor_state[i]); av_freep(&s->coded_samples[i]); } From b2a793369bc50fa011c043b20cedc5b06fcb8569 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Sep 2020 20:08:37 +0200 Subject: [PATCH 1033/1764] avcodec/dxtory: Fix negative shift in dx2_decode_slice_410() Fixes: left shift of negative value -768 Fixes: 25574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-6012596027916288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit abebd87764992dc22c82802bdc75d40aac14ab86) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 285ca38efb..b2daaa7cc2 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -442,7 +442,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, V[x >> 2] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 2; + Y += ystride * 4; U += ustride; V += vstride; } From 6c8dd6697762820b46460efb28ff5cea57e57d82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Sep 2020 22:20:52 +0200 Subject: [PATCH 1034/1764] avformat/iff: Check data_size not overflowing int64 Fixes: Infinite loop Fixes: 25844/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5660803318153216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 24352ca79207d3311ee544fcba908a64004763ef) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 4cf17f6e1a..aa2d9dd48c 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -449,6 +449,9 @@ static int iff_read_header(AVFormatContext *s) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); orig_pos = avio_tell(pb); + if (data_size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(chunk_id) { case ID_VHDR: st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; From 13c542795e24c943114dd802258de1d5595cd124 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Sep 2020 22:42:05 +0200 Subject: [PATCH 1035/1764] avcodec/vc1_block: Fix integer overflow in ac value Fixes: signed integer overflow: 25488 * 87381 cannot be represented in type 'int' Fixes: 24765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5108259565076480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3056e19e68122b9464b24870488f8faca4e78ea8) Signed-off-by: Michael Niedermayer --- libavcodec/vc1_block.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 976d330935..f87f664a2e 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -1056,7 +1056,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (q1 < 1) return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) - ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k] = (int)(ac_val2[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } else { // top @@ -1068,7 +1068,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (q1 < 1) return AVERROR_INVALIDDATA; for (k = 1; k < 8; k++) - ac_val2[k + 8] = (ac_val2[k + 8] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; + ac_val2[k + 8] = (int)(ac_val2[k + 8] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18; } } } From 67c5f747d16bdb8147e7e092108509233c018e9c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Sep 2020 23:13:00 +0200 Subject: [PATCH 1036/1764] avformat/dxa: Use av_rescale() for duration computation Fixes: signed integer overflow: 8224000000 * 1629552639 cannot be represented in type 'long' Fixes: 24908/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4658478506049536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c313089fbe1df71b5406dd9d7e4d36361051c620) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 50193907be..bdb93b0835 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -143,7 +143,7 @@ static int dxa_read_header(AVFormatContext *s) c->readvid = !c->has_sound; c->vidpos = avio_tell(pb); s->start_time = 0; - s->duration = (int64_t)c->frames * AV_TIME_BASE * num / den; + s->duration = av_rescale(c->frames, AV_TIME_BASE * (int64_t)num, den); av_log(s, AV_LOG_DEBUG, "%d frame(s)\n",c->frames); return 0; From ef3fee893d0ea7093c86a6ac62cb985b4f493c41 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Sep 2020 19:44:35 +0200 Subject: [PATCH 1037/1764] avformat/asfdec_f: Change order or operations slightly Fixes: signed integer overflow: 20 * 5184056935931942919 cannot be represented in type 'long' Fixes: 25466/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4798660247552000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 686f0151901849de3b2073fa73265472073e0208) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 1d62d4e05e..ae36aeab28 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -424,7 +424,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) if (!(asf->hdr.flags & 0x01)) { // if we aren't streaming... int64_t fsize = avio_size(pb); if (fsize <= 0 || (int64_t)asf->hdr.file_size <= 0 || - 20*FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)) + FFABS(fsize - (int64_t)asf->hdr.file_size) < FFMIN(fsize, asf->hdr.file_size)/20) st->duration = asf->hdr.play_time / (10000000 / 1000) - start_time; } From d9b610ee717216bc6e044856139056eb1a166161 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 14:59:13 +0200 Subject: [PATCH 1038/1764] avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420() Fixes: left shift of negative value -640 Fixes: 26044/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-5631057602543616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3291d994b76db4b6e67c8467367ce68f79785e60) Signed-off-by: Michael Niedermayer --- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index b2daaa7cc2..7731d05f25 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -487,7 +487,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, V[x >> 1] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 1; + Y += ystride * 2; U += ustride; V += vstride; } From 6d9a3bb1df9cab4423d0608815475c1063326347 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Sep 2020 21:59:04 +0200 Subject: [PATCH 1039/1764] avcodec/takdsp: Fix negative shift in decorrelate_sf() Fixes: left shift of negative value -4 Fixes: 25723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6250580752990208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f54f530039db149808478796e8389c14eb73095) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 2441c2baa6..9cb8052596 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = dfactor * (b >> dshift) + 128 >> 8 << dshift; + b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; p1[i] = b - a; } } From 18967c97843e31398977d0e347ef6c78628a4e03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Sep 2020 23:31:59 +0200 Subject: [PATCH 1040/1764] avcodec/celp_filters: Avoid invalid negation in ff_celp_lp_synthesis_filter() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 25675/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-4786580731199488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 11a6347f9e544a1b9fba059ae02c30c0e512c195) Signed-off-by: Michael Niedermayer --- libavcodec/celp_filters.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_filters.c b/libavcodec/celp_filters.c index fafedd99a3..40ff7427df 100644 --- a/libavcodec/celp_filters.c +++ b/libavcodec/celp_filters.c @@ -65,11 +65,11 @@ int ff_celp_lp_synthesis_filter(int16_t *out, const int16_t *filter_coeffs, int i,n; for (n = 0; n < buffer_length; n++) { - int sum = -rounder, sum1; + int sum = rounder, sum1; for (i = 1; i <= filter_length; i++) - sum += (unsigned)(filter_coeffs[i-1] * out[n-i]); + sum -= (unsigned)(filter_coeffs[i-1] * out[n-i]); - sum1 = ((-sum >> 12) + in[n]) >> shift; + sum1 = ((sum >> 12) + in[n]) >> shift; sum = av_clip_int16(sum1); if (stop_on_overflow && sum != sum1) From c4c59c19c2e609defb6e56961a0fd3143821b0c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:54:36 +0200 Subject: [PATCH 1041/1764] avcodec/exr: Check xdelta, ydelta Fixes: assertion failure Fixes: 25617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5648746061496320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6949df35d0c69ae91bb0f49069e0703deb9bd676) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 89966a8b61..4c7aa53095 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1737,7 +1737,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, s->ymin > s->ymax || s->xdelta != s->xmax - s->xmin + 1 || s->xmax >= s->w || - s->ymax >= s->h) { + s->ymax >= s->h || + s->ydelta == 0xFFFFFFFF || s->xdelta == 0xFFFFFFFF + ) { av_log(avctx, AV_LOG_ERROR, "Wrong or missing size information.\n"); return AVERROR_INVALIDDATA; } From ff531c345c9d626957d7e09f718ceb47362ddb50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 22:04:16 +0200 Subject: [PATCH 1042/1764] avcodec/exr: Check line size for overflow Fixes: signed integer overflow: 570425356 * 6 cannot be represented in type 'int Fixes: 25929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5099197739827200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b72cea4463dd2fabcd9ba1454a0855e521d0148) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 4c7aa53095..59ea43fe23 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1092,6 +1092,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, if ((col + td->xsize) != s->xdelta)/* not the last tile of the line */ axmax = 0; /* doesn't add pixel at the right of the datawindow */ + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { @@ -1111,6 +1114,9 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ td->xsize = s->xdelta; + if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) + return AVERROR_INVALIDDATA; + td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ From 2659b0f1804dd0ea1cfbb5b9d84e4402333b759e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Jul 2020 17:13:10 +0200 Subject: [PATCH 1043/1764] avformat/subviewerdec: fail on AV_NOPTS_VALUE Such values are not supported by ff_subtitles_queue* Fixes: signed integer overflow: 10 - -9223372036854775808 cannot be represented in type 'long' Fixes: 24193/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5714901855895552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7f51428b1c73ab5840485ce537ce098a85d0881) Signed-off-by: Michael Niedermayer --- libavformat/subviewerdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index e8d1eb6c96..19a39f227f 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c @@ -132,6 +132,10 @@ static int subviewer_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); } else if (*line) { + if (pts_start == AV_NOPTS_VALUE) { + res = AVERROR_INVALIDDATA; + goto end; + } if (!new_event) { sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1); if (!sub) { From d09bc9fe7ffa6b15c7ffb24ee8eaf6e107ad8a6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 11:29:01 +0200 Subject: [PATCH 1044/1764] avcodec/sonic: Check for overread Fixes: Timeout (too long -> 1.3 sec) Fixes: 24358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5107284099989504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eeabdef1bf96cdecf80aeb8d0478d008457b048c) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index ad1552a434..2dc04846ab 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1031,6 +1031,9 @@ static int sonic_decode_frame(AVCodecContext *avctx, { int x = ch; + if (c.overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; + predictor_init_state(s->predictor_k, s->predictor_state[ch], s->num_taps); intlist_read(&c, state, s->coded_samples[ch], s->block_align, 1); From df983bd5e68be06e667b186e296f5771eae999c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:29:15 +0200 Subject: [PATCH 1045/1764] avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int' Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 106f11f68af643ad1f372b840d38a0a30c6e9bcf) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index e9651855e2..ecc8ad820c 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -749,6 +749,11 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->pic_slice_level_chroma_qp_offsets_present_flag) { sh->slice_cb_qp_offset = get_se_golomb(gb); sh->slice_cr_qp_offset = get_se_golomb(gb); + if (sh->slice_cb_qp_offset < -12 || sh->slice_cb_qp_offset > 12 || + sh->slice_cr_qp_offset < -12 || sh->slice_cr_qp_offset > 12) { + av_log(s->avctx, AV_LOG_ERROR, "Invalid slice cx qp offset.\n"); + return AVERROR_INVALIDDATA; + } } else { sh->slice_cb_qp_offset = 0; sh->slice_cr_qp_offset = 0; From e2e1d13191068fb07466bfbd3c25959819663413 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 21:17:32 +0200 Subject: [PATCH 1046/1764] avcodec/ansi: Check initial dimensions Fixes: Timeout (minutes to less than 1sec) Fixes: 25682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANSI_fuzzer-6320712032452608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 949f0a6be974e4083f8e130c2d6870ef26f0eece) Signed-off-by: Michael Niedermayer --- libavcodec/ansi.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c index c42d6d3dba..e4106dcf72 100644 --- a/libavcodec/ansi.c +++ b/libavcodec/ansi.c @@ -474,6 +474,11 @@ static av_cold int decode_close(AVCodecContext *avctx) return 0; } +static const AVCodecDefault ansi_defaults[] = { + { "max_pixels", "640*480" }, + { NULL }, +}; + AVCodec ff_ansi_decoder = { .name = "ansi", .long_name = NULL_IF_CONFIG_SMALL("ASCII/ANSI art"), @@ -485,4 +490,5 @@ AVCodec ff_ansi_decoder = { .decode = decode_frame, .capabilities = AV_CODEC_CAP_DR1, .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE, + .defaults = ansi_defaults, }; From 4a6d3375c3c3c57348eecfb0d4b275dc33655637 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Sep 2020 16:40:22 +0200 Subject: [PATCH 1047/1764] avcodec/vp9dsp_template: Fix integer overflows in idct16_1d() Fixes: signed integer overflow: -190760 * 11585 cannot be represented in type 'int' Fixes: 25471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5743354917421056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 394e8bb385a351091cb1ba0be986f3bbb15039fd) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 52 ++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 8d00e77d70..bfabe63536 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1290,22 +1290,22 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, dctint t0a, t1a, t2a, t3a, t4a, t5a, t6a, t7a; dctint t8a, t9a, t10a, t11a, t12a, t13a, t14a, t15a; - t0a = ((IN(0) + IN(8)) * 11585 + (1 << 13)) >> 14; - t1a = ((IN(0) - IN(8)) * 11585 + (1 << 13)) >> 14; - t2a = (IN(4) * 6270 - IN(12) * 15137 + (1 << 13)) >> 14; - t3a = (IN(4) * 15137 + IN(12) * 6270 + (1 << 13)) >> 14; - t4a = (IN(2) * 3196 - IN(14) * 16069 + (1 << 13)) >> 14; - t7a = (IN(2) * 16069 + IN(14) * 3196 + (1 << 13)) >> 14; - t5a = (IN(10) * 13623 - IN(6) * 9102 + (1 << 13)) >> 14; - t6a = (IN(10) * 9102 + IN(6) * 13623 + (1 << 13)) >> 14; - t8a = (IN(1) * 1606 - IN(15) * 16305 + (1 << 13)) >> 14; - t15a = (IN(1) * 16305 + IN(15) * 1606 + (1 << 13)) >> 14; - t9a = (IN(9) * 12665 - IN(7) * 10394 + (1 << 13)) >> 14; - t14a = (IN(9) * 10394 + IN(7) * 12665 + (1 << 13)) >> 14; - t10a = (IN(5) * 7723 - IN(11) * 14449 + (1 << 13)) >> 14; - t13a = (IN(5) * 14449 + IN(11) * 7723 + (1 << 13)) >> 14; - t11a = (IN(13) * 15679 - IN(3) * 4756 + (1 << 13)) >> 14; - t12a = (IN(13) * 4756 + IN(3) * 15679 + (1 << 13)) >> 14; + t0a = (dctint)((IN(0) + IN(8)) * 11585U + (1 << 13)) >> 14; + t1a = (dctint)((IN(0) - IN(8)) * 11585U + (1 << 13)) >> 14; + t2a = (dctint)(IN(4) * 6270U - IN(12) * 15137U + (1 << 13)) >> 14; + t3a = (dctint)(IN(4) * 15137U + IN(12) * 6270U + (1 << 13)) >> 14; + t4a = (dctint)(IN(2) * 3196U - IN(14) * 16069U + (1 << 13)) >> 14; + t7a = (dctint)(IN(2) * 16069U + IN(14) * 3196U + (1 << 13)) >> 14; + t5a = (dctint)(IN(10) * 13623U - IN(6) * 9102U + (1 << 13)) >> 14; + t6a = (dctint)(IN(10) * 9102U + IN(6) * 13623U + (1 << 13)) >> 14; + t8a = (dctint)(IN(1) * 1606U - IN(15) * 16305U + (1 << 13)) >> 14; + t15a = (dctint)(IN(1) * 16305U + IN(15) * 1606U + (1 << 13)) >> 14; + t9a = (dctint)(IN(9) * 12665U - IN(7) * 10394U + (1 << 13)) >> 14; + t14a = (dctint)(IN(9) * 10394U + IN(7) * 12665U + (1 << 13)) >> 14; + t10a = (dctint)(IN(5) * 7723U - IN(11) * 14449U + (1 << 13)) >> 14; + t13a = (dctint)(IN(5) * 14449U + IN(11) * 7723U + (1 << 13)) >> 14; + t11a = (dctint)(IN(13) * 15679U - IN(3) * 4756U + (1 << 13)) >> 14; + t12a = (dctint)(IN(13) * 4756U + IN(3) * 15679U + (1 << 13)) >> 14; t0 = t0a + t3a; t1 = t1a + t2a; @@ -1324,12 +1324,12 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t15a - t14a; t15 = t15a + t14a; - t5a = ((t6 - t5) * 11585 + (1 << 13)) >> 14; - t6a = ((t6 + t5) * 11585 + (1 << 13)) >> 14; - t9a = ( t14 * 6270 - t9 * 15137 + (1 << 13)) >> 14; - t14a = ( t14 * 15137 + t9 * 6270 + (1 << 13)) >> 14; - t10a = (-(t13 * 15137 + t10 * 6270) + (1 << 13)) >> 14; - t13a = ( t13 * 6270 - t10 * 15137 + (1 << 13)) >> 14; + t5a = (dctint)((t6 - t5) * 11585U + (1 << 13)) >> 14; + t6a = (dctint)((t6 + t5) * 11585U + (1 << 13)) >> 14; + t9a = (dctint)( t14 * 6270U - t9 * 15137U + (1 << 13)) >> 14; + t14a = (dctint)( t14 * 15137U + t9 * 6270U + (1 << 13)) >> 14; + t10a = (dctint)(-(t13 * 15137U + t10 * 6270U) + (1 << 13)) >> 14; + t13a = (dctint)( t13 * 6270U - t10 * 15137U + (1 << 13)) >> 14; t0a = t0 + t7; t1a = t1 + t6a; @@ -1348,10 +1348,10 @@ static av_always_inline void idct16_1d(const dctcoef *in, ptrdiff_t stride, t14 = t14a + t13a; t15a = t15 + t12; - t10a = ((t13 - t10) * 11585 + (1 << 13)) >> 14; - t13a = ((t13 + t10) * 11585 + (1 << 13)) >> 14; - t11 = ((t12a - t11a) * 11585 + (1 << 13)) >> 14; - t12 = ((t12a + t11a) * 11585 + (1 << 13)) >> 14; + t10a = (dctint)((t13 - t10) * 11585U + (1 << 13)) >> 14; + t13a = (dctint)((t13 + t10) * 11585U + (1 << 13)) >> 14; + t11 = (dctint)((t12a - t11a) * 11585U + (1 << 13)) >> 14; + t12 = (dctint)((t12a + t11a) * 11585U + (1 << 13)) >> 14; out[ 0] = t0a + t15a; out[ 1] = t1a + t14; From feab2fb911c3379e0638089a31c8ab9bfe3b9c0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Sep 2020 21:58:37 +0200 Subject: [PATCH 1048/1764] avcodec/exr: Fix overflow with many blocks Fixes: signed integer overflow: 1073741827 * 8 cannot be represented in type 'int' Fixes: 25621/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6304841641754624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7265b7d904f86ec1c681222310c739f92ba55e5e) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 59ea43fe23..002375e288 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1769,7 +1769,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) return ret; - if (bytestream2_get_bytes_left(&s->gb) < nb_blocks * 8) + if (bytestream2_get_bytes_left(&s->gb)/8 < nb_blocks) return AVERROR_INVALIDDATA; // check offset table and recreate it if need From 99f6a8ed8a5745e4cb20c8e1a34757600efc49b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 19:05:23 +0200 Subject: [PATCH 1049/1764] avformat/icodec: Change order of operations to avoid NULL dereference Fixes: SEGV on unknown address 0x000000000000 Fixes: 26379/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5709011753893888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 3300f5c133650ba25f94531d40ecc94c79b84457) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 00c03d409c..59e5416116 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -156,12 +156,14 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) IcoDemuxContext *ico = s->priv_data; IcoImage *image; AVIOContext *pb = s->pb; - AVStream *st = s->streams[0]; + AVStream *st; int ret; if (ico->current_image >= ico->nb_images) return AVERROR_EOF; + st = s->streams[0]; + image = &ico->images[ico->current_image]; if ((ret = avio_seek(pb, image->offset, SEEK_SET)) < 0) From 49492d6ce9d52157d5213870d874e9e9cf47783b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 13:30:28 +0200 Subject: [PATCH 1050/1764] avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred Fixes: pixel decode issue.ts Fixes: raw frame.hevc Signed-off-by: Michael Niedermayer (cherry picked from commit 3fbf8737923ac49754946a2505367630544b87f1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcpred_template.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcpred_template.c b/libavcodec/hevcpred_template.c index 6fe33546b1..f1a1f4c1f0 100644 --- a/libavcodec/hevcpred_template.c +++ b/libavcodec/hevcpred_template.c @@ -83,6 +83,7 @@ do { \ int y = y0 >> vshift; int x_tb = (x0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; int y_tb = (y0 >> s->ps.sps->log2_min_tb_size) & s->ps.sps->tb_mask; + int spin = c_idx && !size_in_tbs_v && ((2 * y0) & (1 << s->ps.sps->log2_min_tb_size)); int cur_tb_addr = MIN_TB_ADDR_ZS(x_tb, y_tb); @@ -103,11 +104,11 @@ do { \ pixel *top = top_array + 1; pixel *filtered_left = filtered_left_array + 1; pixel *filtered_top = filtered_top_array + 1; - int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v) & s->ps.sps->tb_mask); + int cand_bottom_left = lc->na.cand_bottom_left && cur_tb_addr > MIN_TB_ADDR_ZS( x_tb - 1, (y_tb + size_in_tbs_v + spin) & s->ps.sps->tb_mask); int cand_left = lc->na.cand_left; int cand_up_left = lc->na.cand_up_left; int cand_up = lc->na.cand_up; - int cand_up_right = lc->na.cand_up_right && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); + int cand_up_right = lc->na.cand_up_right && !spin && cur_tb_addr > MIN_TB_ADDR_ZS((x_tb + size_in_tbs_h) & s->ps.sps->tb_mask, y_tb - 1); int bottom_left_size = (FFMIN(y0 + 2 * size_in_luma_v, s->ps.sps->height) - (y0 + size_in_luma_v)) >> vshift; From 9190bd717be41126b1b752db526872d3453af84c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Sep 2020 20:23:10 +0200 Subject: [PATCH 1051/1764] avcodec/cook: Check subpacket index against max Fixes: off by 1 error Fixes: index 5 out of bounds for type 'COOKSubpacket [5]' Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a2a7604da5f7a2fc498d1d5c90bd892edac9ce8) Signed-off-by: Michael Niedermayer --- libavcodec/cook.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/cook.c b/libavcodec/cook.c index 14ff389d00..90d98db3bc 100644 --- a/libavcodec/cook.c +++ b/libavcodec/cook.c @@ -1084,6 +1084,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) ff_audiodsp_init(&q->adsp); while (bytestream2_get_bytes_left(&gb)) { + if (s >= FFMIN(MAX_SUBPACKETS, avctx->block_align)) { + avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); + return AVERROR_PATCHWELCOME; + } /* 8 for mono, 16 for stereo, ? for multichannel Swap to right endianness so we don't need to care later on. */ q->subpacket[s].cookversion = bytestream2_get_be32(&gb); @@ -1215,10 +1219,6 @@ static av_cold int cook_decode_init(AVCodecContext *avctx) q->num_subpackets++; s++; - if (s > FFMIN(MAX_SUBPACKETS, avctx->block_align)) { - avpriv_request_sample(avctx, "subpackets > %d", FFMIN(MAX_SUBPACKETS, avctx->block_align)); - return AVERROR_PATCHWELCOME; - } } /* Try to catch some obviously faulty streams, otherwise it might be exploitable */ From a73090f2e1ff02d9f72e19882d50813cef120e5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 2 Oct 2020 10:54:31 +0200 Subject: [PATCH 1052/1764] avcodec/smacker: Check remaining bits in SMK_BLK_FULL Fixes: out of array access Fixes: 26047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5083031667474432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 42ded4d1e6fb0086a235dc584118414ae2bf30c9) Signed-off-by: Michael Niedermayer --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 6e6aa34d29..9731b707aa 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -477,6 +477,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case SMK_BLK_FULL: mode = 0; if(avctx->codec_tag == MKTAG('S', 'M', 'K', '4')) { // In case of Smacker v4 we have three modes + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; if(get_bits1(&gb)) mode = 1; else if(get_bits1(&gb)) mode = 2; } From 26bda210ee34b0e0f79ea9b92e8a56827bfc3e4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 8 Oct 2020 20:44:23 +0200 Subject: [PATCH 1053/1764] avformat/flvdec: Check for EOF in amf_parse_object() Fixes: Timeout (too long -> 1ms) Fixes: 26108/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5653887668977664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 33624f4f2e1feb08f277126e637d4a28016eb07a) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 2d89bef15f..6eb13c7920 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -467,6 +467,8 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, num_val = 0; ioc = s->pb; + if (avio_feof(ioc)) + return AVERROR_EOF; amf_type = avio_r8(ioc); switch (amf_type) { From be635d2bfb31261ee251e917b71bbd7e00247564 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Aug 2020 18:05:34 +0200 Subject: [PATCH 1054/1764] avformat/rmdec: sanity check coded_framesize Fixes: signed integer overflow: -14671840 * 8224 cannot be represented in type 'int' Fixes: 24793/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5101884323659776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aee8477c6ba20469ebe531448d31c642717b5f48) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9db163d392..8368966082 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -168,7 +168,11 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, avio_rb16(pb); /* version2 */ avio_rb32(pb); /* header size */ flavor= avio_rb16(pb); /* add codec info / flavor */ - ast->coded_framesize = coded_framesize = avio_rb32(pb); /* coded frame size */ + coded_framesize = avio_rb32(pb); /* coded frame size */ + if (coded_framesize < 0) + return AVERROR_INVALIDDATA; + ast->coded_framesize = coded_framesize; + avio_rb32(pb); /* ??? */ bytes_per_minute = avio_rb32(pb); if (version == 4) { From 517b62a5a9737cc15c7daf079f84893cb7e09128 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Oct 2020 17:11:27 +0200 Subject: [PATCH 1055/1764] avcodec/aacdec_fixed: Limit index in vector_pow43() Fixes: out of array access Fixes: 26087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5724825462767616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f83a536384afda45acb6d7cdd22017c8c314f9e) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 16a8e9ce48..0c0f196fb1 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -155,9 +155,9 @@ static void vector_pow43(int *coefs, int len) for (i=0; i Date: Thu, 15 Oct 2020 21:35:43 +0200 Subject: [PATCH 1056/1764] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() Fixes: signed integer overflow: 241173056 + 1953511200 cannot be represented in type 'int' Fixes: 26086/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5068366420901888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d1983628394e076001cc67d85656f9842b7282a3) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 5993ae2e6e..f19579a47c 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -278,7 +278,7 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ const int stride= 16*2; const int xStride= 16; int i; - int temp[8]; + unsigned temp[8]; static const uint8_t x_offset[2]={0, 16}; dctcoef *block = (dctcoef*)_block; From 2912ec590920c5febaa18e53b269559ad66e096f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Oct 2020 22:04:56 +0200 Subject: [PATCH 1057/1764] avformat/asfdec_f: Check name_len for overflow Fixes: signed integer overflow: -1172299744 * 2 cannot be represented in type 'int' Fixes: 26258/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5672758488596480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0d088a47ca0243576078f109fff20617d1fac382) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index ae36aeab28..2964384430 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -769,6 +769,8 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) avio_rl32(pb); // send time avio_rl32(pb); // flags name_len = avio_rl32(pb); // name length + if ((unsigned)name_len > INT_MAX / 2) + return AVERROR_INVALIDDATA; if ((ret = avio_get_str16le(pb, name_len * 2, name, sizeof(name))) < name_len) avio_skip(pb, name_len - ret); From 907cfa45bb7e0c1458ae64b1802f962226ede080 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 19:09:37 +0200 Subject: [PATCH 1058/1764] avformat/boadec: Check that channels and block_align are set Fixes: Infinite loop Fixes: 26381/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-5745789089087488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44ff5a1bff424b1576dff366ccd246805b4e5567) Signed-off-by: Michael Niedermayer --- libavformat/boadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/boadec.c b/libavformat/boadec.c index 730e9573d5..70b4955a7b 100644 --- a/libavformat/boadec.c +++ b/libavformat/boadec.c @@ -54,12 +54,12 @@ static int read_header(AVFormatContext *s) avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); st->codecpar->channels = avio_rl32(s->pb); - if (st->codecpar->channels > FF_SANE_NB_CHANNELS) + if (st->codecpar->channels > FF_SANE_NB_CHANNELS || st->codecpar->channels <= 0) return AVERROR(ENOSYS); s->internal->data_offset = avio_rl32(s->pb); avio_r8(s->pb); st->codecpar->block_align = avio_rl32(s->pb); - if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS) + if (st->codecpar->block_align > INT_MAX / FF_SANE_NB_CHANNELS || st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; st->codecpar->block_align *= st->codecpar->channels; From bb7ad5c1285596b0176e0eeafc8519dade3fbff7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 18:08:37 +0200 Subject: [PATCH 1059/1764] avcodec/exr: Check limits to avoid overflow in delta computation Fixes: signed integer overflow: 553590816 - -2145378049 cannot be represented in type 'int' Fixes: 26315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5938755121446912 Fixes: 26340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5644316208529408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6910e0f4e5c40b5b902e4dd87256327d860d53f5) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 002375e288..14bb4b40e9 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1518,15 +1518,27 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i", 31)) >= 0) { + int xmin, ymin, xmax, ymax; if (!var_size) { ret = AVERROR_INVALIDDATA; goto fail; } - s->xmin = bytestream2_get_le32(&s->gb); - s->ymin = bytestream2_get_le32(&s->gb); - s->xmax = bytestream2_get_le32(&s->gb); - s->ymax = bytestream2_get_le32(&s->gb); + xmin = bytestream2_get_le32(&s->gb); + ymin = bytestream2_get_le32(&s->gb); + xmax = bytestream2_get_le32(&s->gb); + ymax = bytestream2_get_le32(&s->gb); + + if (xmin > xmax || ymin > ymax || + (unsigned)xmax - xmin >= INT_MAX || + (unsigned)ymax - ymin >= INT_MAX) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + s->xmin = xmin; + s->xmax = xmax; + s->ymin = ymin; + s->ymax = ymax; s->xdelta = (s->xmax - s->xmin) + 1; s->ydelta = (s->ymax - s->ymin) + 1; From 4a9b5ec1e8010c0e8cc7b53bebed5a6a7c359ec6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:59:53 +0200 Subject: [PATCH 1060/1764] avformat/wtvdec: Check dir_length Fixes: Infinite loop Fixes: 26445/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5125558331244544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 1868cb731660490beb750389266adb6e68e9123d) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 77737fa9e7..366a42829f 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -274,6 +274,11 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b "bad filename length, remaining directory entries ignored\n"); break; } + if (dir_length == 0) { + av_log(s, AV_LOG_ERROR, + "bad dir length, remaining directory entries ignored\n"); + break; + } if (48 + (int64_t)name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; From 7d539878ca105155d0183642c609e01087110f18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 00:37:25 +0200 Subject: [PATCH 1061/1764] avformat/segafilm: Check that there is a stream Fixes: assertion failure Fixes: 26472/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5759751591559168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit c0d7fd269beed030fc767fee28d9dbe111bc4427) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 1fdef50cc7..e590deb88d 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -144,6 +144,9 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } + if (!film->video_type && !film->audio_type) + return AVERROR_INVALIDDATA; + /* initialize the decoder streams */ if (film->video_type) { st = avformat_new_stream(s, NULL); From dcb461aef5aba54dc7f0670fc2659163826d7495 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 18:18:43 +0200 Subject: [PATCH 1062/1764] avformat/segafilm: Do not assume AV_CODEC_ID_NONE is 0 Suggested-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit d34e4904cd6d965693b285713660f4e84200d60b) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index e590deb88d..ca0b516804 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -144,11 +144,11 @@ static int film_read_header(AVFormatContext *s) film->video_type = AV_CODEC_ID_NONE; } - if (!film->video_type && !film->audio_type) + if (film->video_type == AV_CODEC_ID_NONE && film->audio_type == AV_CODEC_ID_NONE) return AVERROR_INVALIDDATA; /* initialize the decoder streams */ - if (film->video_type) { + if (film->video_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); @@ -169,7 +169,7 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) { + if (film->audio_type != AV_CODEC_ID_NONE) { st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); @@ -244,7 +244,7 @@ static int film_read_header(AVFormatContext *s) film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; film->sample_table[i].keyframe = (scratch[8] & 0x80) ? 0 : 1; video_frame_counter++; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) av_add_index_entry(s->streams[film->video_stream_index], film->sample_table[i].sample_offset, film->sample_table[i].pts, @@ -253,10 +253,10 @@ static int film_read_header(AVFormatContext *s) } } - if (film->audio_type) + if (film->audio_type != AV_CODEC_ID_NONE) s->streams[film->audio_stream_index]->duration = audio_frame_counter; - if (film->video_type) + if (film->video_type != AV_CODEC_ID_NONE) s->streams[film->video_stream_index]->duration = video_frame_counter; film->current_sample = 0; From 0303836e313c775ed64a0ed17b639634f408e98f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Oct 2020 22:19:32 +0200 Subject: [PATCH 1063/1764] avformat/au: Check for EOF in au_read_annotation() Fixes: Timeout (too looong -> 1 ms) Fixes: 26366/clusterfuzz-testcase-minimized-ffmpeg_dem_SDX_fuzzer-5655584843759616 Fixes: 26391/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-5484026133217280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e680d50eb4feddafb2d8575b21fc5fc8764f4801) Signed-off-by: Michael Niedermayer --- libavformat/au.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/au.c b/libavformat/au.c index 520824fc12..a414292894 100644 --- a/libavformat/au.c +++ b/libavformat/au.c @@ -86,6 +86,8 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { + if (avio_feof(pb)) + return AVERROR_EOF; c = avio_r8(pb); switch(state) { case PARSE_KEY: From cd158183e27774315ae2b17632380e9f12e7943d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:40:57 +0200 Subject: [PATCH 1064/1764] avformat/genh: Check block_align for how it will be used in SDX2_DPCM Fixes: signed integer overflow: 19922944 * 1024 cannot be represented in type 'int' Fixes: 26402/clusterfuzz-testcase-minimized-ffmpeg_dem_VMD_fuzzer-5745470053548032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c95b47e18fdb43a4c667ae22a5d3a5ee6cf7782d) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/genh.c b/libavformat/genh.c index dd4e76d3d9..2582151df0 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -87,7 +87,9 @@ static int genh_read_header(AVFormatContext *s) case 5: st->codecpar->codec_id = st->codecpar->block_align > 0 ? AV_CODEC_ID_PCM_S8_PLANAR : AV_CODEC_ID_PCM_S8; break; - case 6: st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; + case 6: if (st->codecpar->block_align > INT_MAX/1024) + return AVERROR_INVALIDDATA; + st->codecpar->codec_id = AV_CODEC_ID_SDX2_DPCM; break; case 7: ret = ff_alloc_extradata(st->codecpar, 2); if (ret < 0) return ret; From c43e2980c77729da67c6c54b3701384544a2c0b1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 22:19:58 +0200 Subject: [PATCH 1065/1764] avformat/bethsoftvid: Check image dimensions before use Fixes: signed integer overflow: 55255 * 53207 cannot be represented in type 'int' Fixes: 26387/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS2_fuzzer-5684222226071552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50b29f081e9620dc39727adef707c2c323a8c095) Signed-off-by: Michael Niedermayer --- libavformat/bethsoftvid.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/bethsoftvid.c b/libavformat/bethsoftvid.c index 752e05236d..5ecd26c5a9 100644 --- a/libavformat/bethsoftvid.c +++ b/libavformat/bethsoftvid.c @@ -28,6 +28,7 @@ */ #include "libavutil/channel_layout.h" +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "internal.h" @@ -71,6 +72,7 @@ static int vid_read_header(AVFormatContext *s) { BVID_DemuxContext *vid = s->priv_data; AVIOContext *pb = s->pb; + int ret; /* load main header. Contents: * bytes: 'V' 'I' 'D' @@ -83,6 +85,10 @@ static int vid_read_header(AVFormatContext *s) vid->bethsoft_global_delay = avio_rl16(pb); avio_rl16(pb); + ret = av_image_check_size(vid->width, vid->height, 0, s); + if (ret < 0) + return ret; + // wait until the first packet to create each stream vid->video_index = -1; vid->audio_index = -1; From 31e76094917ba50fe3f260464d7877f1138ccfb1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Oct 2020 11:13:19 +0200 Subject: [PATCH 1066/1764] avformat/asfdec_f: Check for negative ext_len Fixes: Infinite loop Fixes: 26376/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_U32LE_fuzzer-6050518830678016 Fixes: 26377/clusterfuzz-testcase-minimized-ffmpeg_dem_TY_fuzzer-4838195726123008 Fixes: 26384/clusterfuzz-testcase-minimized-ffmpeg_dem_G729_fuzzer-5173450337157120 Fixes: 26396/clusterfuzz-testcase-minimized-ffmpeg_dem_PCM_S24BE_fuzzer-5071092206796800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 209b9ff5c3f337da4a3d82e59b8815eca2737ffa) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2964384430..3439bcbd51 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -607,6 +607,8 @@ static int asf_read_ext_stream_properties(AVFormatContext *s, int64_t size) ff_get_guid(pb, &g); size = avio_rl16(pb); ext_len = avio_rl32(pb); + if (ext_len < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, ext_len); if (stream_num < 128 && i < FF_ARRAY_ELEMS(asf->streams[stream_num].payload)) { ASFPayload *p = &asf->streams[stream_num].payload[i]; From 9c00ffb073100e5ac5d080af0070c6ed2fb4abdf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 20:39:33 +0200 Subject: [PATCH 1067/1764] avcodec/magicyuv: Check slice size before reading flags and pred Fixes: heap-buffer-overflow Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 0dc42147b6843b133d4fa46bf1c2568a837b4bec) Signed-off-by: Michael Niedermayer --- libavcodec/magicyuv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 5ba88dfa47..26174aad3e 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -709,6 +709,9 @@ static int magy_decode_frame(AVCodecContext *avctx, void *data, s->slices[i][j].start = offset + header_size; s->slices[i][j].size = avpkt->size - s->slices[i][j].start; + + if (s->slices[i][j].size < 2) + return AVERROR_INVALIDDATA; } if (bytestream2_get_byte(&gbyte) != s->planes) From 3c9806077a8b0b1bb6d85d382e649a8fc9205531 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:39:30 +0200 Subject: [PATCH 1068/1764] avformat/mvi: Check count for overflow Fixes: left shift of 21378748 by 10 places cannot be represented in type 'int' Fixes: 26449/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5680463374712832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a413ed98632127342ad04b26e0ba0dc26adb70c9) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 9f90faf56b..1e2a08b44c 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -122,6 +122,8 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; + if ((int64_t)count << MVI_FRAC_BITS > INT_MAX) + return AVERROR_INVALIDDATA; if ((ret = av_get_packet(pb, pkt, count)) < 0) return ret; pkt->stream_index = MVI_AUDIO_STREAM_INDEX; From 80983b7bb3d20b423d3915a1249cb16e672dc6cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:05:01 +0200 Subject: [PATCH 1069/1764] avformat/genh: Check block_align Fixes: infinite loop Fixes: 26440/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5632134020333568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 37396e9ba85d8969a3b5e3314ab99ff604845628) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index 2582151df0..cbdd53324b 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -146,6 +146,9 @@ static int genh_read_header(AVFormatContext *s) } } + if (st->codecpar->block_align <= 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, start_offset - avio_tell(s->pb)); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From bed66afc0be72db7d819f9f325d23f0e73dbc5d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 17:29:01 +0200 Subject: [PATCH 1070/1764] avformat/jacosubdec: Use 64bit inside get_shift() Fixes: signed integer overflow: 111111111 * 30 cannot be represented in type 'int' Fixes: 26448/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5638440374501376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 715ff75e5dbbbefff7337351db596a9b7a5d4379) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 87dc649485..85840d8529 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -135,6 +135,7 @@ static int get_shift(int timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; + int64_t ret; #define SSEP "%*1[.:]" int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP @@ -144,13 +145,16 @@ static int get_shift(int timeres, const char *buf) a = FFABS(a); } + ret = 0; switch (n) { - case 4: return sign * ((a*3600 + b*60 + c) * timeres + d); - case 3: return sign * (( a*60 + b) * timeres + c); - case 2: return sign * (( a) * timeres + b); + case 4: ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); + case 2: ret = sign * (( (int64_t)a) * timeres + b); } + if ((int)ret != ret) + ret = 0; - return 0; + return ret; } static int jacosub_read_header(AVFormatContext *s) From bcad7fceb1f03fa0c4c127206678aadc9e407938 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Oct 2020 10:53:31 +0200 Subject: [PATCH 1071/1764] avformat/nistspheredec: Check bps Fixes: left shift of 1111111190 by 3 places cannot be represented in type 'int' Fixes: 26437/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-4886896091856896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c144b363e67bef7651108c88687b38155172c1f) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 55f22ebcf4..dbf031f3e3 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -109,6 +109,8 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); + if (bps > INT_MAX/8U) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { From 6557a72a0bc690139c117728aef36e80996309b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Oct 2020 21:54:14 +0200 Subject: [PATCH 1072/1764] avcodec/fits: Check bscale Fixes: division by 0 Fixes: 26208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-6270472117026816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2ccd76fd000f69e355280b487213fb63821c8aa) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index ad73ab70de..25c33e06c8 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t header->blank = t; header->blank_found = 1; } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) { + if (d <= 0) + return AVERROR_INVALIDDATA; header->bscale = d; } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) { header->bzero = d; From b1117dd702f0c5b3412907f0d3f452d6e27de304 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Oct 2020 22:04:14 +0200 Subject: [PATCH 1073/1764] avcodec/vp9dsp_template: Fix some overflows in iadst8_1d() Fixes: signed integer overflow: 190587 * 11585 cannot be represented in type 'int' Fixes: 26407/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5086348408782848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bca0735be52e471b1906aed34c60028d90646d90) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bfabe63536..3acf94c583 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1275,10 +1275,10 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; - out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); - out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; - out[2] = ((t6 + t7) * 11585 + (1 << 13)) >> 14; - out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14); + out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14); + out[4] = (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14; + out[2] = (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14; + out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14); } itxfm_wrap(8, 5) From 42604d3676c2f6aa64e0f2d7b090c4108c16a1c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 19:24:30 +0200 Subject: [PATCH 1074/1764] avformat/electronicarts: Check for EOF in each iteration of the loop in ea_read_packet() Fixes: timeout(>20sec -> 1ms) Fixes: 26526/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-5672328069120000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 857aba7c45faf0335ad91ecabc0bce8b94320758) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 87c7f0cf70..eddc81b8ee 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -582,6 +582,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) int av_uninit(num_samples); while ((!packet_read && !hit_end) || partial_packet) { + if (avio_feof(pb)) + return AVERROR_EOF; chunk_type = avio_rl32(pb); chunk_size = ea->big_endian ? avio_rb32(pb) : avio_rl32(pb); if (chunk_size < 8) From 29745dda10f1bcf64bbf59b1184cd8d92db74de3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:55:13 +0200 Subject: [PATCH 1075/1764] avformat/lrcdec: Clip timestamps Fixes: signed integer overflow: 7111111111111531010 - -7335632962598013506 cannot be represented in type 'long' Fixes: 26463/clusterfuzz-testcase-minimized-ffmpeg_dem_LRC_fuzzer-6015558333759488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 80bc2ac3c06319cf85428c58c471d105d25ae987) Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 45f0bf24a7..fa379372a1 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -185,6 +185,8 @@ static int lrc_read_header(AVFormatContext *s) sscanf(comma_offset + 1, "%"SCNd64, &lrc->ts_offset) != 1) { av_dict_set(&s->metadata, line.str + 1, comma_offset + 1, 0); } + lrc->ts_offset = av_clip64(lrc->ts_offset, INT64_MIN/4, INT64_MAX/4); + *comma_offset = ':'; *right_bracket_offset = ']'; } @@ -198,6 +200,7 @@ static int lrc_read_header(AVFormatContext *s) while((ts_stroffset_incr = read_ts(line.str + ts_stroffset, &ts_start)) != 0) { + ts_start = av_clip64(ts_start, INT64_MIN/4, INT64_MAX/4); ts_stroffset += ts_stroffset_incr; sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); From 3e9e5344edf7387b0e2fe42de6064e91e0263d97 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 21:32:59 +0200 Subject: [PATCH 1076/1764] avformat/rmdec: Make expected_len 64bit Fixes: signed integer overflow: 1347551268 * 14 cannot be represented in type 'int' Fixes: 26458/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5655364324032512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 728330462cadb765307cc132377b6b5d177a225c) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 8368966082..9624171dde 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -704,17 +704,19 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre state= (state<<8) + avio_r8(pb); if(state == MKBETAG('I', 'N', 'D', 'X')){ - int n_pkts, expected_len; + int n_pkts; + int64_t expected_len; len = avio_rb32(pb); avio_skip(pb, 2); n_pkts = avio_rb32(pb); - expected_len = 20 + n_pkts * 14; - if (len == 20) + expected_len = 20 + n_pkts * 14LL; + + if (len == 20 && expected_len <= INT_MAX) /* some files don't add index entries to chunk size... */ len = expected_len; else if (len != expected_len) av_log(s, AV_LOG_WARNING, - "Index size %d (%d pkts) is wrong, should be %d.\n", + "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); len -= 14; // we already read part of the index header if(len<0) From ec94d7545e9a8635721a1ee7ce33f6b156b4347e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 20:29:50 +0200 Subject: [PATCH 1077/1764] avcodec/dirac_parser: do not offset AV_NOPTS_OFFSET Fixes: signed integer overflow: -9223372036854775807 - 48000 cannot be represented in type 'long long' Fixes: 26521/clusterfuzz-testcase-minimized-ffmpeg_dem_DIRAC_fuzzer-5635536506847232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne Signed-off-by: Michael Niedermayer (cherry picked from commit 343c3149ab3d77be76f035d3b18bb2b2da48ce1f) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index fbc7414c79..8e68b4a9da 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -215,7 +215,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, int64_t pts = AV_RB32(cur_pu + 13); if (s->last_pts == 0 && s->last_dts == 0) s->dts = pts - 1; - else + else if (s->last_dts != AV_NOPTS_VALUE) s->dts = s->last_dts + 1; s->pts = pts; if (!avctx->has_b_frames && (cur_pu[4] & 0x03)) From b42f802a3855be7124c6d644e6479214bfca9c8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 17:21:19 +0100 Subject: [PATCH 1078/1764] avcodec/utils: Check sample rate before use for AV_CODEC_ID_BINKAUDIO_DCT in get_audio_frame_duration() Fixes: shift exponent 95 is too large for 32-bit type 'int' Fixes: 26590/clusterfuzz-testcase-minimized-ffmpeg_dem_SMACKER_fuzzer-5120609937522688 Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ec7e0d42884b40ce93b6b5e94de5f7849310f8a0) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6e72329f04..97c61cf1dd 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1749,8 +1749,11 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ch > 0) { /* calc from sample rate and channels */ - if (id == AV_CODEC_ID_BINKAUDIO_DCT) + if (id == AV_CODEC_ID_BINKAUDIO_DCT) { + if (sr / 22050 > 22) + return 0; return (480 << (sr / 22050)) / ch; + } } if (id == AV_CODEC_ID_MP3) From 48fbee3b44481d18b208fe893e4c2da9999567ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 19:37:45 +0200 Subject: [PATCH 1079/1764] avformat/xwma: Check for EOF in dpds_table read code Fixes: Timeout (>30 -> 140ms) Fixes: 26478/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-5918147066200064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44b18a76b8d4e01c7ce62474aaf196857e75e976) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 1c18772928..0f0e3fc8ea 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -187,6 +187,10 @@ static int xwma_read_header(AVFormatContext *s) } for (i = 0; i < dpds_table_size; ++i) { + if (avio_feof(pb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } dpds_table[i] = avio_rl32(pb); size -= 4; } From e03a2c7106412f1eea113827901237f800b79809 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 22:56:17 +0200 Subject: [PATCH 1080/1764] avformat/iff: More completely check body_size Fixes: infinite loop Fixes: 26485/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5126561373880320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3588e2e6b05ba92f0907e9ffe263c2e65d53e346) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index aa2d9dd48c..d1c99fe9ce 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -837,7 +837,7 @@ static int iff_read_packet(AVFormatContext *s, } else if (st->codecpar->codec_tag == ID_DST) { return read_dst_frame(s, pkt); } else { - if (iff->body_size > INT_MAX) + if (iff->body_size > INT_MAX || !iff->body_size) return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); } @@ -873,6 +873,8 @@ static int iff_read_packet(AVFormatContext *s, pkt->flags |= AV_PKT_FLAG_KEY; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st->codecpar->codec_tag != ID_ANIM) { + if (iff->body_size > INT_MAX || !iff->body_size) + return AVERROR_INVALIDDATA; ret = av_get_packet(pb, pkt, iff->body_size); pkt->pos = pos; if (pos == iff->body_pos) From 92aece7e5a56c1cc6f2c2cffcd5845e3bfe5ff67 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Oct 2020 18:15:53 +0200 Subject: [PATCH 1081/1764] avformat/rsd: Check size and start before computing duration Fixes: signed integer overflow: 100794754 * 28 cannot be represented in type 'int' Fixes: 26474/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5181797606096896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c79d8a685182a8d8735887399bf0f3742b020597) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index 1c99f8c21c..f3833d5145 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -104,13 +104,9 @@ static int rsd_read_header(AVFormatContext *s) break; case AV_CODEC_ID_ADPCM_PSX: par->block_align = 16 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_RAD: par->block_align = 20 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_IMA_WAV: if (version == 2) @@ -118,8 +114,6 @@ static int rsd_read_header(AVFormatContext *s) par->bits_per_coded_sample = 4; par->block_align = 36 * par->channels; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP_LE: /* RSD3GADP is mono, so only alloc enough memory @@ -129,8 +123,6 @@ static int rsd_read_header(AVFormatContext *s) if ((ret = ff_get_extradata(s, par, s->pb, 32)) < 0) return ret; - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = av_get_audio_frame_duration2(par, avio_size(pb) - start); break; case AV_CODEC_ID_ADPCM_THP: par->block_align = 8 * par->channels; @@ -143,18 +135,36 @@ static int rsd_read_header(AVFormatContext *s) avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / (8 * par->channels) * 14; break; case AV_CODEC_ID_PCM_S16LE: case AV_CODEC_ID_PCM_S16BE: if (version != 4) start = avio_rl32(pb); - if (pb->seekable & AVIO_SEEKABLE_NORMAL) - st->duration = (avio_size(pb) - start) / 2 / par->channels; break; } + if (start < 0) + return AVERROR_INVALIDDATA; + + if (pb->seekable & AVIO_SEEKABLE_NORMAL) { + int64_t remaining = avio_size(pb); + + if (remaining >= start && remaining - start <= INT_MAX) + switch (par->codec_id) { + case AV_CODEC_ID_ADPCM_PSX: + case AV_CODEC_ID_ADPCM_IMA_RAD: + case AV_CODEC_ID_ADPCM_IMA_WAV: + case AV_CODEC_ID_ADPCM_THP_LE: + st->duration = av_get_audio_frame_duration2(par, remaining - start); + break; + case AV_CODEC_ID_ADPCM_THP: + st->duration = (remaining - start) / (8 * par->channels) * 14; + break; + case AV_CODEC_ID_PCM_S16LE: + case AV_CODEC_ID_PCM_S16BE: + st->duration = (remaining - start) / 2 / par->channels; + } + } avio_skip(pb, start - avio_tell(pb)); if (par->codec_id == AV_CODEC_ID_XMA2) { From 633f4568be8ac67da7252dd33e304f3a239c20c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Oct 2020 23:50:57 +0200 Subject: [PATCH 1082/1764] avformat/wavdec: Refuse to read chunks bigger than the filesize in w64_read_header() Fixes: OOM Fixes: 26414/clusterfuzz-testcase-minimized-ffmpeg_dem_FWSE_fuzzer-5070632544632832 Fixes: 26475/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5770207722995712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b2244565ac8cb1eddd085e1a382a893ac03bfb4) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 22150f63e9..1bb987f47b 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -835,6 +835,7 @@ static int w64_read_header(AVFormatContext *s) } else if (!memcmp(guid, ff_w64_guid_summarylist, 16)) { int64_t start, end, cur; uint32_t count, chunk_size, i; + int64_t filesize = avio_size(s->pb); start = avio_tell(pb); end = start + FFALIGN(size, INT64_C(8)) - 24; @@ -849,7 +850,7 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); - if (chunk_size == UINT32_MAX) + if (chunk_size == UINT32_MAX || (filesize >= 0 && chunk_size > filesize)) return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); From 7186ab2b7dea989210027ae0bf0cd94d3678a856 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 23:46:33 +0100 Subject: [PATCH 1083/1764] avformat/concatdec: use av_strstart() Fixes: out array read Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 2610acb49a140901dacbd36c598a5514cf9ade0d) Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 0e189012ad..a6d93e2a61 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -111,7 +111,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, ConcatFile *file; char *url = NULL; const char *proto; - size_t url_len, proto_len; + const char *ptr; + size_t url_len; int ret; if (cat->safe > 0 && !safe_filename(filename)) { @@ -120,9 +121,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, } proto = avio_find_protocol_name(filename); - proto_len = proto ? strlen(proto) : 0; - if (proto && !memcmp(filename, proto, proto_len) && - (filename[proto_len] == ':' || filename[proto_len] == ',')) { + if (proto && av_strstart(filename, proto, &ptr) && + (*ptr == ':' || *ptr == ',')) { url = filename; filename = NULL; } else { From 025be7dfca9a9a37dbd4ad7c4d13ba7252db6379 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 20:55:31 +0100 Subject: [PATCH 1084/1764] avformat/aiffdec: Check packet size Fixes: Fixes infinite loop Fixes: 26575/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5727522236661760 Signed-off-by: Michael Niedermayer (cherry picked from commit 0ba71a72d3a617b255b71988a000d5093222f779) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 99e05c78ec..8d262d8d38 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -389,6 +389,8 @@ static int aiff_read_packet(AVFormatContext *s, break; default: size = st->codecpar->block_align ? (MAX_SIZE / st->codecpar->block_align) * st->codecpar->block_align : MAX_SIZE; + if (!size) + return AVERROR_INVALIDDATA; } size = FFMIN(max_size, size); res = av_get_packet(s->pb, pkt, size); From 570884a6c4e5c8ddd6f9e993c556e25d4ae1cf06 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:08:55 +0100 Subject: [PATCH 1085/1764] avformat/gxf: Check pkt_len Fixes: Infinite loop Fixes: 26576/clusterfuzz-testcase-minimized-ffmpeg_dem_GXF_fuzzer-4823080360476672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dad9a86ca7bf912289aafb33d96980630e6ec53a) Signed-off-by: Michael Niedermayer --- libavformat/gxf.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/gxf.c b/libavformat/gxf.c index 399f745bc7..640a2bacb4 100644 --- a/libavformat/gxf.c +++ b/libavformat/gxf.c @@ -285,9 +285,12 @@ static void gxf_track_tags(AVIOContext *pb, int *len, struct gxf_stream_info *si static void gxf_read_index(AVFormatContext *s, int pkt_len) { AVIOContext *pb = s->pb; AVStream *st; - uint32_t fields_per_map = avio_rl32(pb); - uint32_t map_cnt = avio_rl32(pb); + uint32_t fields_per_map, map_cnt; int i; + if (pkt_len < 8) + return; + fields_per_map = avio_rl32(pb); + map_cnt = avio_rl32(pb); pkt_len -= 8; if ((s->flags & AVFMT_FLAG_IGNIDX) || !s->streams) { avio_skip(pb, pkt_len); From 774b06e252f04321f7814a7d93523fcace5157e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 20:30:48 +0200 Subject: [PATCH 1086/1764] avformat/paf: Check for EOF in read_table() Fixes: OOM Fixes: 26528/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5081929248145408 Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 437b7302b09a04e0fbfcd594114b52c5c6d89d32) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavformat/paf.c b/libavformat/paf.c index fa30cdd72a..a2d411c2f6 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s) return 0; } -static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count) +static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count) { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; table[i] = avio_rl32(s->pb); + } avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count)); + return 0; } static int read_header(AVFormatContext *s) @@ -171,9 +175,15 @@ static int read_header(AVFormatContext *s) avio_seek(pb, p->buffer_size, SEEK_SET); - read_table(s, p->blocks_count_table, p->nb_frames); - read_table(s, p->frames_offset_table, p->nb_frames); - read_table(s, p->blocks_offset_table, p->frame_blks); + ret = read_table(s, p->blocks_count_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->frames_offset_table, p->nb_frames); + if (ret < 0) + goto fail; + ret = read_table(s, p->blocks_offset_table, p->frame_blks); + if (ret < 0) + goto fail; p->got_audio = 0; p->current_frame = 0; From 992fd3262d02dc7be51085f9c8acc549870b6adb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Oct 2020 21:51:08 +0100 Subject: [PATCH 1087/1764] avformat/iff: check size against INT64_MAX Bigger sizes are misinterpreted as negative numbers by the API Fixes: infinite loop Fixes: 26611/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4890614975692800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f291cd681b1235e150464ad83974d60d6879b492) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index d1c99fe9ce..dd434de2d4 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -223,6 +223,9 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t orig_pos = avio_tell(pb); const char * metadata_tag = NULL; + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('D','I','A','R'): metadata_tag = "artist"; break; case MKTAG('D','I','T','I'): metadata_tag = "title"; break; From e51ff9d5fdc096f104213decefcca1eb3432de3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 1088/1764] avformat/bintext: Check width in idf_read_header() Fixes: division by 0 Fixes: 26802/clusterfuzz-testcase-minimized-ffmpeg_dem_IDF_fuzzer-5180591554953216.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 442d53f409c8d84c7db120227caac00af54aa884) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index 12e3bfde4d..defc39c9be 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -293,6 +293,8 @@ static int idf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 12 - 4096 - 48; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 12, SEEK_SET); From bec84159901eec2a83e0aace09ce5a8f460ca6d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:47 +0100 Subject: [PATCH 1089/1764] avformat/mpegts: Limit copied data to space Fixes: out of array access Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 79cf7c71910a69b9f22b3e7ee6508a771262abaf) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index ca6430de18..b4eb5cb64c 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2734,7 +2734,7 @@ static int mpegts_raw_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; } if (data != pkt->data) - memcpy(pkt->data, data, ts->raw_packet_size); + memcpy(pkt->data, data, TS_PACKET_SIZE); finished_reading_packet(s, ts->raw_packet_size); if (ts->mpeg2ts_compute_pcr) { /* compute exact PCR for each packet */ From 78f990e9bddfa7ba6d70cb2939b88c36920c733b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 20:23:54 +0100 Subject: [PATCH 1090/1764] avformat/au: cleanup on EOF return in au_read_annotation() Fixes: memleak Fixes: 26841/clusterfuzz-testcase-minimized-ffmpeg_dem_AU_fuzzer-5174166309044224 Regression since: e680d50eb4feddafb2d8575b21fc5fc8764f4801 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d16974c3dd3a05900aa080ea0729284aea358d10) Signed-off-by: Michael Niedermayer --- libavformat/au.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/au.c b/libavformat/au.c index a414292894..55c73015e8 100644 --- a/libavformat/au.c +++ b/libavformat/au.c @@ -86,8 +86,11 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { - if (avio_feof(pb)) + if (avio_feof(pb)) { + av_bprint_finalize(&bprint, NULL); + av_freep(&key); return AVERROR_EOF; + } c = avio_r8(pb); switch(state) { case PARSE_KEY: From 3454254eb44b0b40e54eccb97e8e057ac345d2fe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Nov 2020 00:17:09 +0100 Subject: [PATCH 1091/1764] avformat/lvfdec: Check stream_index before use Fixes: assertion failure Fixes: 26905/clusterfuzz-testcase-minimized-ffmpeg_dem_LVF_fuzzer-5724267599364096.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b1d99ab14f2fd273e678dcb618dabfb38aab91b6) Signed-off-by: Michael Niedermayer --- libavformat/lvfdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/lvfdec.c b/libavformat/lvfdec.c index b8af25609f..0ff531ddde 100644 --- a/libavformat/lvfdec.c +++ b/libavformat/lvfdec.c @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) unsigned size, flags, timestamp, id; int64_t pos; int ret, is_video = 0; + int stream_index; pos = avio_tell(s->pb); while (!avio_feof(s->pb)) { @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) case MKTAG('0', '1', 'w', 'b'): if (size < 8) return AVERROR_INVALIDDATA; + stream_index = is_video ? 0 : 1; + if (stream_index >= s->nb_streams) + return AVERROR_INVALIDDATA; timestamp = avio_rl32(s->pb); flags = avio_rl32(s->pb); ret = av_get_packet(s->pb, pkt, size - 8); if (flags & (1 << 12)) pkt->flags |= AV_PKT_FLAG_KEY; - pkt->stream_index = is_video ? 0 : 1; + pkt->stream_index = stream_index; pkt->pts = timestamp; pkt->pos = pos; return ret; From 3dc3b959103bac2965fb5ca036bb6b7485558697 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2020 00:04:50 +0100 Subject: [PATCH 1092/1764] avformat/sbgdec: Check that end is not before start Fixes: signed integer overflow: -9223372036854775808 + -5279949906739200 cannot be represented in type 'long' Fixes: 26908/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6329610851319808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 9ef60a66f1f155605049402415bd901c8baf1a24) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 1541836439..86d8418f62 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1411,6 +1411,11 @@ static av_cold int sbg_read_header(AVFormatContext *avf) if (r < 0) goto fail; + if (script.end_ts != AV_NOPTS_VALUE && script.end_ts < script.start_ts) { + r = AVERROR_INVALIDDATA; + goto fail; + } + st = avformat_new_stream(avf, NULL); if (!st) return AVERROR(ENOMEM); From 1703863faa7dca619d761c0145e1b226a5e89a00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Oct 2020 13:51:47 +0100 Subject: [PATCH 1093/1764] avformat/bintext: Check width Fixes: division by 0 Fixes: 26780/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5117945027756032 Fixes: 26998/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5119352359354368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6dc285fb5f30406b275b968ee438a738da799d1) Signed-off-by: Michael Niedermayer --- libavformat/bintext.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bintext.c b/libavformat/bintext.c index defc39c9be..c827a35e5f 100644 --- a/libavformat/bintext.c +++ b/libavformat/bintext.c @@ -242,6 +242,8 @@ static int adf_read_header(AVFormatContext *s) bin->fsize = avio_size(pb) - 1 - 192 - 4096; st->codecpar->width = 80<<3; ff_sauce_read(s, &bin->fsize, &got_width, 0); + if (st->codecpar->width < 8) + return AVERROR_INVALIDDATA; if (!bin->width) calculate_height(st->codecpar, bin->fsize); avio_seek(pb, 1 + 192 + 4096, SEEK_SET); From ee7cdaaa3fb009ff6681a9238a7efa80c7e68bd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:45 +0100 Subject: [PATCH 1094/1764] avformat/icodec: Factor failure code out in read_header() Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 27ee67c00f4402030af3b7477dd5088464d31d80) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 59e5416116..4d93b74a1d 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -113,8 +113,7 @@ static int read_header(AVFormatContext *s) ico->images[i].size = avio_rl32(pb); if (ico->images[i].size <= 0) { av_log(s, AV_LOG_ERROR, "Invalid image size %d\n", ico->images[i].size); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } ico->images[i].offset = avio_rl32(pb); @@ -130,8 +129,7 @@ static int read_header(AVFormatContext *s) break; case 40: if (ico->images[i].size < 40) { - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } st->codecpar->codec_id = AV_CODEC_ID_BMP; tmp = avio_rl32(pb); @@ -143,12 +141,14 @@ static int read_header(AVFormatContext *s) break; default: avpriv_request_sample(s, "codec %d", codec); - av_freep(&ico->images); - return AVERROR_INVALIDDATA; + goto fail; } } return 0; +fail: + av_freep(&ico->images); + return AVERROR_INVALIDDATA; } static int read_packet(AVFormatContext *s, AVPacket *pkt) From ea83351a49ef9e9d39266f5672dd5a0103cc7c9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Nov 2020 01:06:46 +0100 Subject: [PATCH 1095/1764] avformat/icodec: Check for zero streams and stream creation failure Fixes: NULL pointer dereference Fixes: 26814/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5758487797432320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit b33233bd53f74f94f4cd7be0645a99a9549a913e) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 4d93b74a1d..d86b85099d 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -84,6 +84,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); ico->nb_images = avio_rl16(pb); + if (!ico->nb_images) + return AVERROR_INVALIDDATA; + ico->images = av_malloc_array(ico->nb_images, sizeof(IcoImage)); if (!ico->images) return AVERROR(ENOMEM); @@ -93,7 +96,7 @@ static int read_header(AVFormatContext *s) int tmp; if (avio_seek(pb, 6 + i * 16, SEEK_SET) < 0) - break; + goto fail; st = avformat_new_stream(s, NULL); if (!st) { @@ -118,7 +121,7 @@ static int read_header(AVFormatContext *s) ico->images[i].offset = avio_rl32(pb); if (avio_seek(pb, ico->images[i].offset, SEEK_SET) < 0) - break; + goto fail; codec = avio_rl32(pb); switch (codec) { From 5515c34baf20d9db0d81c611037f7911c86e955c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Nov 2020 23:30:47 +0100 Subject: [PATCH 1096/1764] avformat/rmdec: Check for EOF in index packet reading Fixes: Timeout(>10sec -> 1ms) Fixes: 27284/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6304211110985728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebf4bc629e6d0dbb4bb6725849bdd06456e4c8af) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9624171dde..64b3b6aa4f 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -461,6 +461,8 @@ static int rm_read_index(AVFormatContext *s) } for (n = 0; n < n_pkts; n++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 2); pts = avio_rb32(pb); pos = avio_rb32(pb); From b9df29a39326f965405324b1cd3034a4366a1bc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 20:59:01 +0100 Subject: [PATCH 1097/1764] avformat/iff: Check size before skip Fixes: Infinite loop Fixes: 27292/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5731168991051776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b50e8bc2975fad85e0713e05940ee9ecb5e8a18) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index dd434de2d4..643ca71dca 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -259,6 +259,9 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); + if (size >= INT64_MAX) + return AVERROR_INVALIDDATA; + switch(tag) { case MKTAG('A','B','S','S'): if (size < 8) From 9ca75063eae7a2d755391fcd8c7f5c10255245d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Nov 2020 22:13:52 +0100 Subject: [PATCH 1098/1764] avformat/wavdec: More complete size check in find_guid() Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long' Fixes: 27341/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5442833206738944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a207df2acb92d6366ab2f0f18ba35709066b8eec) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 1bb987f47b..2938914cd0 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -599,7 +599,7 @@ static int64_t find_guid(AVIOContext *pb, const uint8_t guid1[16]) while (!avio_feof(pb)) { avio_read(pb, guid, 16); size = avio_rl64(pb); - if (size <= 24) + if (size <= 24 || size > INT64_MAX - 8) return AVERROR_INVALIDDATA; if (!memcmp(guid, guid1, 16)) return size; From caefd7a3ba9fd48f1204d9b16a4e619fb85c4aa6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:10 +0200 Subject: [PATCH 1099/1764] avformat/avs: Use 64bit for the avio_tell() output Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long' Fixes: 26549/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4844306424397824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1278f117d75ab9238ef181ba29b31c6ea569571b) Signed-off-by: Michael Niedermayer --- libavformat/avs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/avs.c b/libavformat/avs.c index 763ba63f64..544263957f 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -123,7 +123,8 @@ avs_read_video_packet(AVFormatContext * s, AVPacket * pkt, static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) { AvsFormat *avs = s->priv_data; - int ret, size; + int ret; + int64_t size; size = avio_tell(s->pb); ret = ff_voc_get_packet(s, pkt, avs->st_audio, avs->remaining_audio_size); From 00115573e3030eff57847e1045ec18f0da5adb5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Oct 2020 22:21:48 +0200 Subject: [PATCH 1100/1764] avcodec/exr: Check ymin vs. h Fixes: out of array access Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3e5959b3457f7f1856d997261e6ac672bba49e8b) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 14bb4b40e9..aec9505eb9 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1809,7 +1809,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, ptr = picture->data[0]; // Zero out the start if ymin is not 0 - for (y = 0; y < s->ymin; y++) { + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { memset(ptr, 0, out_line_size); ptr += picture->linesize[0]; } From 9162b1a60dbd427a3c3a0e2353efae21e9fb9a25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 01:14:26 +0100 Subject: [PATCH 1101/1764] avformat/mpc8: correct 32bit timestamp truncation Fixes: left shift of 65536 by 15 places cannot be represented in type 'int' Fixes: 26801/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-5164313092030464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad3e495657eaa24cba9251c2379797c208998201) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index f280faa5cc..e42008d74f 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -182,7 +182,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) if(t & 1) t = -(t & ~1); pos = (t >> 1) + ppos[0]*2 - ppos[1]; - av_add_index_entry(s->streams[0], pos, i << seekd, 0, 0, AVINDEX_KEYFRAME); + av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; } @@ -257,7 +257,7 @@ static int mpc8_read_header(AVFormatContext *s) st->codecpar->channels = (st->codecpar->extradata[1] >> 4) + 1; st->codecpar->sample_rate = mpc8_rate[st->codecpar->extradata[0] >> 5]; - avpriv_set_pts_info(st, 32, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); + avpriv_set_pts_info(st, 64, 1152 << (st->codecpar->extradata[1]&3)*2, st->codecpar->sample_rate); st->start_time = 0; st->duration = c->samples / (1152 << (st->codecpar->extradata[1]&3)*2); size -= avio_tell(pb) - pos; From 3293cf065ec926fcd00c705b96e6f9537b3f3425 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 1102/1764] avformat/mpc8: correct integer overflow in mpc8_parse_seektable() Fixes: signed integer overflow: -4683718486770919638 * 2 cannot be represented in type 'long' Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Fixes: 27550/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6259212652642304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0897402ac8a2045691395380a9fd2ea88c0d3798) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index e42008d74f..4bbee8f3b3 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -181,7 +181,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) t += get_bits(&gb, 12); if(t & 1) t = -(t & ~1); - pos = (t >> 1) + ppos[0]*2 - ppos[1]; + pos = (t >> 1) + (uint64_t)ppos[0]*2 - ppos[1]; av_add_index_entry(s->streams[0], pos, (int64_t)i << seekd, 0, 0, AVINDEX_KEYFRAME); ppos[1] = ppos[0]; ppos[0] = pos; From f7fe3969ef943bb375ac1b16e4fd5915e4096cf3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:08:13 +0200 Subject: [PATCH 1103/1764] avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative These fields are not signed in the spec (1.0) so they cannot be negative Changing bytes_per_packet to unsigned would not solve this as it is exported as block_align which is signed Fixes: Infinite loop Fixes: 26492/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5632087614554112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5eed718087f2ba307a3d1d294016d2ebae9230f3) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 7652d9e238..5b1abc4f47 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -79,6 +79,9 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + return AVERROR_INVALIDDATA; + /* calculate bit rate for constant size packets */ if (caf->frames_per_packet > 0 && caf->bytes_per_packet > 0) { st->codecpar->bit_rate = (uint64_t)st->codecpar->sample_rate * (uint64_t)caf->bytes_per_packet * 8 From a0f3a049e62d3c57ef0f82f0733f465bdc0737ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:58:37 +0100 Subject: [PATCH 1104/1764] avformat/cafdec: Check for EOF in index read loop Fixes: OOM Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-541296033975500 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eb46939e3ab3e0e4df69486b1a037bffc50493bd) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 5b1abc4f47..dc87bb4502 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -207,6 +207,8 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->duration = 0; for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); From 9b82853d3ccad8ec2d50b14fb4630b86b74997f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Oct 2020 23:13:16 +0200 Subject: [PATCH 1105/1764] avformat/cafdec: Check the return code from av_add_index_entry() Signed-off-by: Michael Niedermayer (cherry picked from commit 9dc3301745d8271ae3ba0f1b998d8e6a0aa01bc1) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index dc87bb4502..a063549561 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -194,6 +194,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) CafContext *caf = s->priv_data; int64_t pos = 0, ccount, num_packets; int i; + int ret; ccount = avio_tell(pb); @@ -209,7 +210,9 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) for (i = 0; i < num_packets; i++) { if (avio_feof(pb)) return AVERROR_INVALIDDATA; - av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); } From 9a523ef89f0538cb0b6d8c694188dfa043264872 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 00:24:01 +0200 Subject: [PATCH 1106/1764] avcodec/hevc_cabac: Limit value in coeff_abs_level_remaining_decode() tighter The max depth is 16bps, the max allowed coefficient depth is depth+6 Fixes: signed integer overflow: 1074266112 + 1073725439 cannot be represented in type 'int' Fixes: 26493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657763331702784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf852b03c3ae6b61f89614371d2cb308d0b7f86) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 8abb780dd7..12fc9f9fdc 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -998,7 +998,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; - if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param > 16 + 6) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } From 8d4d02c13a1e68f8de7647af16f20178d5a1e792 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Nov 2020 20:20:02 +0100 Subject: [PATCH 1107/1764] avformat/vqf: Check len for COMM chunks Fixes: Infinite loop Fixes: 26696/clusterfuzz-testcase-minimized-ffmpeg_dem_VQF_fuzzer-5648269168082944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a834af133b1fe8f29b4075808710ffd98abcac40) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index ff38a3d1ca..f43a20d6fc 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -132,6 +132,9 @@ static int vqf_read_header(AVFormatContext *s) switch(chunk_tag){ case MKTAG('C','O','M','M'): + if (len < 12) + return AVERROR_INVALIDDATA; + avio_read(s->pb, comm_chunk, 12); st->codecpar->channels = AV_RB32(comm_chunk ) + 1; read_bitrate = AV_RB32(comm_chunk + 4); From 7dcf0f1ebbfefede61d89ffccf932584fedde034 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:39:21 +0100 Subject: [PATCH 1108/1764] avformat/id3v2: Sanity check tlen before alloc and uncompress Fixes: Timeout (>20sec -> 65ms) Fixes: 26896/clusterfuzz-testcase-minimized-ffmpeg_dem_DAUD_fuzzer-5691024049176576 Fixes: 27627/clusterfuzz-testcase-minimized-ffmpeg_dem_AEA_fuzzer-4907019324358656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d7f87a4b9ef18a9846439b7787874cc11e5940de) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index ac39b03af4..f52e28951d 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -1002,6 +1002,9 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_log(s, AV_LOG_DEBUG, "Compresssed frame %s tlen=%d dlen=%ld\n", tag, tlen, dlen); + if (tlen <= 0) + goto seek; + av_fast_malloc(&uncompressed_buffer, &uncompressed_buffer_size, dlen); if (!uncompressed_buffer) { av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen); From a8584c6cbf5250b1f324ac55534c8a2e850c61cd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 21:50:32 +0100 Subject: [PATCH 1109/1764] avformat/mpc8: Check remaining space in mpc8_parse_seektable() Fixes: Fixes infinite loop Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f66dd13d08d063e2748d172239df595078ff624) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 4bbee8f3b3..7c6c53e2a4 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -177,6 +177,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } for(; i < size; i++){ + if (get_bits_left(&gb) < 13) { + av_free(buf); + return; + } t = get_unary(&gb, 1, 33) << 12; t += get_bits(&gb, 12); if(t & 1) From 6996bf684e665887f4e25964a7955a62ac6b5b33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 21:22:13 +0100 Subject: [PATCH 1110/1764] avformat/dsfdec: Check block_align more completely Fixes: infinite loop Fixes: 26865/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-5649473830912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b8974d54455adc7a462f0f7385b76e1d08101c) Signed-off-by: Michael Niedermayer --- libavformat/dsfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dsfdec.c b/libavformat/dsfdec.c index 41538fd83c..6ef66ba930 100644 --- a/libavformat/dsfdec.c +++ b/libavformat/dsfdec.c @@ -122,8 +122,8 @@ static int dsf_read_header(AVFormatContext *s) avio_skip(pb, 8); st->codecpar->block_align = avio_rl32(pb); - if (st->codecpar->block_align > INT_MAX / st->codecpar->channels) { - avpriv_request_sample(s, "block_align overflow"); + if (st->codecpar->block_align > INT_MAX / st->codecpar->channels || st->codecpar->block_align <= 0) { + avpriv_request_sample(s, "block_align invalid"); return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; From d4eaf3346f89490597e280ef9c20c83bf435e96f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2020 22:14:21 +0100 Subject: [PATCH 1111/1764] avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() Fixes: signed integer overflow: -2105540608 - 2105540608 cannot be represented in type 'int' Fixes: 26870/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5656647567147008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51dfd6f1bdb03bfc7574b12e921fb3b8639ba5cf) Signed-off-by: Michael Niedermayer --- libavcodec/h264idct_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index f19579a47c..ce66ed3ab8 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -283,8 +283,8 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ dctcoef *block = (dctcoef*)_block; for(i=0; i<4; i++){ - temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1]; - temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1]; + temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1]; + temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1]; } for(i=0; i<2; i++){ From f817e1396ed77405a99310a0f6f7978786a7b2d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2020 00:49:29 +0100 Subject: [PATCH 1112/1764] avformat/rpl: Check the number of streams Fixes: out of memory access Fixes: 27787/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4743666463408128.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 0677bdb1f522d0d25b47bca3d8e09ece83083678) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index d373600478..d6d81549b0 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -230,6 +230,9 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); } + if (s->nb_streams == 0) + return AVERROR_INVALIDDATA; + rpl->frames_per_chunk = read_line_and_int(pb, &error); // video frames per chunk if (rpl->frames_per_chunk > 1 && vst->codecpar->codec_tag != 124) av_log(s, AV_LOG_WARNING, From 38e6692a31a8cdc9b0ccca3253eb2465123d7d17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Dec 2020 00:37:25 +0100 Subject: [PATCH 1113/1764] avformat/matroskadec: Sanity check codec_id/track type Fixes: memleak Fixes: 27766/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5198300814508032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b88dd8f0cb48b46f3178d274a9117a3d2307f4e) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 117deb5713..cf21cb9463 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2080,6 +2080,15 @@ static int matroska_parse_tracks(AVFormatContext *s) if (!track->codec_id) continue; + if ( track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] != 'A' + || track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] != 'V' + || track->type == MATROSKA_TRACK_TYPE_SUBTITLE && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + || track->type == MATROSKA_TRACK_TYPE_METADATA && track->codec_id[0] != 'D' && track->codec_id[0] != 'S' + ) { + av_log(matroska->ctx, AV_LOG_INFO, "Inconsistent track type\n"); + continue; + } + if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX || isnan(track->audio.samplerate)) { av_log(matroska->ctx, AV_LOG_WARNING, From eeb387c9a54c376c4d79b3504a3d3ba19e6b36dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Dec 2020 00:49:23 +0100 Subject: [PATCH 1114/1764] avformat/iff: Check data_size Fixes: infinite loop Fixes: 27834/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5694930919620608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 001bc594d82f3df67a6e96c6ea022f4e39002385) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 643ca71dca..45dbdc4d88 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -368,7 +368,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) data_size = iff->is_64bit ? avio_rb64(pb) : avio_rb32(pb); data_pos = avio_tell(pb); - if (data_size < 1) + if (data_size < 1 || data_size >= INT64_MAX) return AVERROR_INVALIDDATA; switch (chunk_id) { From 339f357bbc5b194db40aa1e365a061c5af546ec1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:05:22 +0100 Subject: [PATCH 1115/1764] avcodec/hevc_ps: check scaling_list_dc_coef Fixes: signed integer overflow: 2147483640 + 8 cannot be represented in type 'int' Fixes: 28449/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5686013259284480 Reviewed-by: James Almer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f1700bd8bb983bb3b56c3a1f8b9078cb62a44f65) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 1c7c873294..70c1080690 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -778,7 +778,11 @@ static int scaling_list_data(GetBitContext *gb, AVCodecContext *avctx, ScalingLi next_coef = 8; coef_num = FFMIN(64, 1 << (4 + (size_id << 1))); if (size_id > 1) { - scaling_list_dc_coef[size_id - 2][matrix_id] = get_se_golomb(gb) + 8; + int scaling_list_coeff_minus8 = get_se_golomb(gb); + if (scaling_list_coeff_minus8 < -7 || + scaling_list_coeff_minus8 > 247) + return AVERROR_INVALIDDATA; + scaling_list_dc_coef[size_id - 2][matrix_id] = scaling_list_coeff_minus8 + 8; next_coef = scaling_list_dc_coef[size_id - 2][matrix_id]; sl->sl_dc[size_id - 2][matrix_id] = next_coef; } From 8a3b513aa76f774f07ec29c48eba7a8904c41f20 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 18:39:45 +0100 Subject: [PATCH 1116/1764] avformat/mov: Check if hoov is at the end Fixes: Timeout, probably infinite loop Fixes: 26559/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5391165484171264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0afbaabdca2730d3f8d88719d64802d50b92d351) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9e26b3ebbe..eb522e626b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5709,6 +5709,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) uint32_t type; avio_skip(pb, 4); type = avio_rl32(pb); + if (avio_feof(pb)) + break; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('m','v','h','d') || type == MKTAG('c','m','o','v')) { From 6c179e59338e0ae364468b0ee7444ec7cc1bc588 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 19:19:54 +0100 Subject: [PATCH 1117/1764] avcodec/utils: Check bitrate for overflow in get_bit_rate() Fixes: signed integer overflow: 617890810133996544 * 16 cannot be represented in type 'long' Fixes: 26565/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5092054700654592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8aadae670f28b88e94770262cd1136562bdb2f45) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 97c61cf1dd..2097337c39 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -612,7 +612,14 @@ static int64_t get_bit_rate(AVCodecContext *ctx) break; case AVMEDIA_TYPE_AUDIO: bits_per_sample = av_get_bits_per_sample(ctx->codec_id); - bit_rate = bits_per_sample ? ctx->sample_rate * (int64_t)ctx->channels * bits_per_sample : ctx->bit_rate; + if (bits_per_sample) { + bit_rate = ctx->sample_rate * (int64_t)ctx->channels; + if (bit_rate > INT64_MAX / bits_per_sample) { + bit_rate = 0; + } else + bit_rate *= bits_per_sample; + } else + bit_rate = ctx->bit_rate; break; default: bit_rate = 0; From 3049331a493ed9f7e4f7ca92dbd6fd6c464779f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:01 +0100 Subject: [PATCH 1118/1764] avformat/mpegts: Increase pcr_incr width to 64bit Fixes: division by zero Fixes: 26459/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5666350112178176 Fixes: 28154/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5195728439476224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit ef7b117b7be8a81d6b245cadf096cbe4b1a12987) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index b4eb5cb64c..f80953de2e 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -131,7 +131,7 @@ struct MpegTSContext { int fix_teletext_pts; int64_t cur_pcr; /**< used to estimate the exact PCR */ - int pcr_incr; /**< used to estimate the exact PCR */ + int64_t pcr_incr; /**< used to estimate the exact PCR */ /* data needed to handle file based ts */ /** stop parsing loop */ From 6e093adcccfaae663805c74e3c404fcb403d0378 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:22:04 +0100 Subject: [PATCH 1119/1764] avcodec/ffv1dec: Fix off by 1 error with quant tables Fixes: assertion failure Fixes: 28447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5369575948550144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5cae71d2b722d0beed4d46f189db42fbb57d877b) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 9a58bb601c..10962fd2d7 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -761,7 +761,7 @@ static int read_header(FFV1Context *f) if (f->version == 2) { int idx = get_symbol(c, state, 0); - if (idx > (unsigned)f->quant_table_count) { + if (idx >= (unsigned)f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant_table_index out of range\n"); return AVERROR_INVALIDDATA; From 607098b74a917a335cc300e471c9318d156db54e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 Nov 2020 00:48:26 +0100 Subject: [PATCH 1120/1764] avformat/cafdec: clip sample rate Fixes: 1.21126e+111 is outside the range of representable values of type 'int' Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5412960339755008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 684aec6a6872c9e3bb0afee1979f1cd3edd1f8ce) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index a063549561..70005aa3d0 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -70,7 +70,7 @@ static int read_desc_chunk(AVFormatContext *s) /* parse format description */ st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; - st->codecpar->sample_rate = av_int2double(avio_rb64(pb)); + st->codecpar->sample_rate = av_clipd(av_int2double(avio_rb64(pb)), 0, INT_MAX); st->codecpar->codec_tag = avio_rl32(pb); flags = avio_rb32(pb); caf->bytes_per_packet = avio_rb32(pb); From c9b74bbec2e86ba5855d64a5de8619c22b6a79a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Dec 2020 18:47:44 +0100 Subject: [PATCH 1121/1764] avformat/mpegts: Fix argument type for av_log Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 654b21ef176a807bf4e8359a4ed52c629d766100) --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index f80953de2e..e4976d76d2 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2706,7 +2706,7 @@ static int mpegts_read_header(AVFormatContext *s) s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; st->codecpar->bit_rate = s->bit_rate; st->start_time = ts->cur_pcr; - av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%d\n", + av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%"PRId64"\n", st->start_time / 1000000.0, pcrs[0] / 27e6, ts->pcr_incr); } From 226aa33f06230bfbcd759da6227bb645de79d5e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 26 Dec 2020 18:55:08 +0100 Subject: [PATCH 1122/1764] avcodec/alsdec: Fix integer overflow with quant_cof Fixes: signed integer overflow: -210824 * 16384 cannot be represented in type 'int' Fixes: 28670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5682310846480384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ce40dde03ea56684f2cb6b40991a90bc38c3ad9) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index a9740699f6..8a8f82fb85 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -766,7 +766,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) } for (k = 2; k < opt_order; k++) - quant_cof[k] = (quant_cof[k] * (1 << 14)) + (add_base << 13); + quant_cof[k] = (quant_cof[k] * (1U << 14)) + (add_base << 13); } } From 63ea2114e3f7c9ba28e254960e2cb7ecd605f396 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2020 00:52:47 +0100 Subject: [PATCH 1123/1764] avcodec/wmaprodec: Check packet size Fixes: left shift of negative value -25824 Fixes: 27754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5760255962906624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69aeba8a19ac2fa6e1c9bdfb19229b513f314bb1) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index b279369241..5c3887f07c 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1691,6 +1691,12 @@ static int decode_packet(AVCodecContext *avctx, WMAProDecodeCtx *s, } } else { int frame_size; + + if (avpkt->size < s->next_packet_start) { + s->packet_loss = 1; + return AVERROR_INVALIDDATA; + } + s->buf_bit_size = (avpkt->size - s->next_packet_start) << 3; init_get_bits(gb, avpkt->data, s->buf_bit_size); skip_bits(gb, s->packet_offset); From 26c82e3038cdb817cafddface5cab6d261e70f88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Oct 2020 18:01:11 +0200 Subject: [PATCH 1124/1764] uavformat/rsd: check for EOF in extradata Fixes: OOM Fixes: 26503/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6530816735444992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7186ec88b98bc589f1403985ab10cc7f77461ec8) Signed-off-by: Michael Niedermayer --- libavformat/rsd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rsd.c b/libavformat/rsd.c index f3833d5145..325c696798 100644 --- a/libavformat/rsd.c +++ b/libavformat/rsd.c @@ -132,6 +132,8 @@ static int rsd_read_header(AVFormatContext *s) return ret; for (i = 0; i < par->channels; i++) { + if (avio_feof(pb)) + return AVERROR_EOF; avio_read(s->pb, st->codecpar->extradata + 32 * i, 32); avio_skip(s->pb, 8); } From 4f4d738dea0ca8491a78631454d89da09d8f295e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Oct 2020 20:22:48 +0200 Subject: [PATCH 1125/1764] avformat/mxfdec: Free all types for both Descriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 26352/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5201158714687488 Suggested-by: Tomas Härdin Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 88519be8db66811e203408b413d9039ac9c3fe91) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 3759e02c7e..dbad31432f 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -309,9 +309,8 @@ static void mxf_free_metadataset(MXFMetadataSet **ctx, int freectx) MXFIndexTableSegment *seg; switch ((*ctx)->type) { case Descriptor: - av_freep(&((MXFDescriptor *)*ctx)->extradata); - break; case MultipleDescriptor: + av_freep(&((MXFDescriptor *)*ctx)->extradata); av_freep(&((MXFDescriptor *)*ctx)->sub_descriptors_refs); break; case Sequence: From 2e239cbcb8620b9983bbd187f0df7c39b88812ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:29 +0100 Subject: [PATCH 1126/1764] avformat/sbgdec: Reduce the amount of floating point in str_to_time() Fixes: 1e+75 is outside the range of representable values of type 'long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6626834808700928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit ac6c8993f79eaefb76e1fdf0eef5373ab3a46a4e) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 86d8418f62..646c141ab4 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -181,6 +181,7 @@ static int str_to_time(const char *str, int64_t *rtime) char *end; int hours, minutes; double seconds = 0; + int64_t ts = 0; if (*cur < '0' || *cur > '9') return 0; @@ -196,8 +197,9 @@ static int str_to_time(const char *str, int64_t *rtime) seconds = strtod(cur + 1, &end); if (end > cur + 1) cur = end; + ts = av_clipd(seconds * AV_TIME_BASE, INT64_MIN/2, INT64_MAX/2); } - *rtime = (hours * 3600LL + minutes * 60LL + seconds) * AV_TIME_BASE; + *rtime = (hours * 3600LL + minutes * 60LL) * AV_TIME_BASE + ts; return cur - str; } From 3cd7db6c4f99071df4d06aa8ee862fef5bc32e4b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2020 21:31:16 +0100 Subject: [PATCH 1127/1764] avutil/timecode: Avoid undefined behavior with large framenum Fixes: signed integer overflow: 2147462079 + 2149596 cannot be represented in type 'int' Fixes: 27565/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5091972813160448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1905739638c22b476c99c679b41f29fa00bf07) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index c0c67c8478..6bdbebdb82 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -49,7 +49,7 @@ int av_timecode_adjust_ntsc_framenum2(int framenum, int fps) d = framenum / frames_per_10mins; m = framenum % frames_per_10mins; - return framenum + 9 * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); + return framenum + 9U * drop_frames * d + drop_frames * ((m - drop_frames) / (frames_per_10mins / 10)); } uint32_t av_timecode_get_smpte_from_framenum(const AVTimecode *tc, int framenum) From 13c058d51cea4d82acbc0ad9761a7cb853daea17 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 15 Aug 2020 22:52:42 +0200 Subject: [PATCH 1128/1764] avformat/utils: check for integer overflow in av_get_frame_filename2() Fixes: signed integer overflow: 317316873 * 10 cannot be represented in type 'int' Fixes: 24708/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5731180885049344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 03c479ce236955fc329c7f9f4765ee1ec256bb73) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 9ff6284dfb..fef57a26cf 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4582,8 +4582,11 @@ int av_get_frame_filename2(char *buf, int buf_size, const char *path, int number if (c == '%') { do { nd = 0; - while (av_isdigit(*p)) + while (av_isdigit(*p)) { + if (nd >= INT_MAX / 10 - 255) + goto fail; nd = nd * 10 + *p++ - '0'; + } c = *p++; } while (av_isdigit(c)); From 21b22a76d672f97e214ac5f2f39ac7fe8e47fa71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:17:18 +0100 Subject: [PATCH 1129/1764] avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject() Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long' Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800 Alternatively this could be ignored but then the end condition of the loop would be hard to reach as avio_tell() is int64_t Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bee216ad454dd7238a03dd9a76428cc6c3233cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index b4b2698368..6174cfae2c 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1679,6 +1679,9 @@ static int detect_unknown_subobject(AVFormatContext *s, int64_t offset, int64_t ff_asf_guid guid; int ret; + if (offset > INT64_MAX - size) + return AVERROR_INVALIDDATA; + while (avio_tell(pb) <= offset + size) { if (avio_tell(pb) == asf->offset) break; From 1f29e97714052553b29d2e60b90b04f137543bde Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 00:07:26 +0100 Subject: [PATCH 1130/1764] avformat/nistspheredec: Check bits_per_coded_sample and channels Fixes: signed integer overflow: 80 * 92233009 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-6669100654919680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 60770a50fba0d47203d417b048b37d314918085d) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index dbf031f3e3..ea59f3eb25 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -90,6 +90,8 @@ static int nist_read_header(AVFormatContext *s) return 0; } else if (!memcmp(buffer, "channel_count", 13)) { sscanf(buffer, "%*s %*s %u", &st->codecpar->channels); + if (st->codecpar->channels <= 0 || st->codecpar->channels > INT16_MAX) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_byte_format", 18)) { sscanf(buffer, "%*s %*s %31s", format); @@ -109,12 +111,14 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); - if (bps > INT_MAX/8U) + if (bps > INT16_MAX/8U) return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->bits_per_coded_sample); + if (st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > INT16_MAX) + return AVERROR_INVALIDDATA; } else { char key[32], value[32]; if (sscanf(buffer, "%31s %*s %31s", key, value) == 2) { From 41d3d169b4031e977ea3dfaf76c7353784cc7cb3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 19:58:20 +0100 Subject: [PATCH 1131/1764] libavformat/utils: consider avio_size() failure in ffio_limit() Fixes: Timeout (>20sec -> 3ms) Fixes: 26918/clusterfuzz-testcase-minimized-ffmpeg_dem_THP_fuzzer-5750425191710720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1dac2716d713dfd6949b7eb4a3c18c16f1faf6) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index fef57a26cf..59d77fd14f 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -226,13 +226,16 @@ int av_format_get_probe_score(const AVFormatContext *s) int ffio_limit(AVIOContext *s, int size) { if (s->maxsize>= 0) { - int64_t remaining= s->maxsize - avio_tell(s); + int64_t pos = avio_tell(s); + int64_t remaining= s->maxsize - pos; if (remaining < size) { int64_t newsize = avio_size(s); if (!s->maxsize || s->maxsizemaxsize = newsize - !newsize; - remaining= s->maxsize - avio_tell(s); - remaining= FFMAX(remaining, 0); + if (pos > s->maxsize && s->maxsize >= 0) + s->maxsize = AVERROR(EIO); + if (s->maxsize >= 0) + remaining = s->maxsize - pos; } if (s->maxsize>= 0 && remaining+1 < size) { From d28761462010e2239761524793bbaa9deb3c28d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Nov 2020 21:48:31 +0100 Subject: [PATCH 1132/1764] avformat/avidec: dv does not support palettes Fixes: memleak Fixes: 26937/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5763003338981376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b373b41d940e3058cdfb3d17703e23ed665353c) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 0b7b7f73dc..c8f1f63ca6 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1419,6 +1419,7 @@ resync: if (avi->stream_index >= 0) { AVStream *st = s->streams[avi->stream_index]; AVIStream *ast = st->priv_data; + int dv_demux = CONFIG_DV_DEMUXER && avi->dv_demux; int size, err; if (get_subtitle_pkt(s, st, pkt)) @@ -1441,7 +1442,7 @@ resync: return err; size = err; - if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2) { + if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2 && !dv_demux) { uint8_t *pal; pal = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, @@ -1455,7 +1456,7 @@ resync: } } - if (CONFIG_DV_DEMUXER && avi->dv_demux) { + if (dv_demux) { AVBufferRef *avbuf = pkt->buf; size = avpriv_dv_produce_packet(avi->dv_demux, pkt, pkt->data, pkt->size, pkt->pos); From 5a2d06862738729e5f17d3efa77e4942eb1040fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Jan 2021 21:41:41 +0100 Subject: [PATCH 1133/1764] avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags() Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long' Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d3d9b1fc8e2dfc8b4d66c9916ab7221062ff4660) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index dbad31432f..c8442aadf2 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2431,8 +2431,11 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ - uint64_t next = avio_tell(pb) + size; + int64_t next = avio_tell(pb); UID uid = {0}; + if (next < 0 || next > INT64_MAX - size) + return next < 0 ? next : AVERROR_INVALIDDATA; + next += size; av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size); if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */ From f897515f5f3e25edae61e060a4a63d806e52d68e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 23:41:36 +0100 Subject: [PATCH 1134/1764] avformat/fitsdec: Better size checks Fixes: out of array access Fixes: 26819/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5634559355650048 Fixes: 26820/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5760774955597824 Fixes: 27379/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5129775942991872.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 14bbb6bb30a6053e82f865c2d69d1a4dd2297fc1) Signed-off-by: Michael Niedermayer --- libavformat/fitsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/fitsdec.c b/libavformat/fitsdec.c index e5f152fd68..d571ab9d36 100644 --- a/libavformat/fitsdec.c +++ b/libavformat/fitsdec.c @@ -24,6 +24,7 @@ * FITS demuxer. */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "internal.h" #include "libavutil/opt.h" @@ -125,14 +126,14 @@ static int64_t is_image(AVFormatContext *s, FITSContext *fits, FITSHeader *heade size += header->pcount; t = (abs(header->bitpix) >> 3) * ((int64_t) header->gcount); - if(size && t > UINT64_MAX / size) + if(size && t > INT64_MAX / size) return AVERROR_INVALIDDATA; size *= t; if (!size) { image = 0; } else { - if(FITS_BLOCK_SIZE - 1 > UINT64_MAX - size) + if(FITS_BLOCK_SIZE - 1 > INT64_MAX - size) return AVERROR_INVALIDDATA; size = ((size + FITS_BLOCK_SIZE - 1) / FITS_BLOCK_SIZE) * FITS_BLOCK_SIZE; } @@ -173,6 +174,11 @@ static int fits_read_packet(AVFormatContext *s, AVPacket *pkt) goto fail; } + av_assert0(avbuf.len <= INT64_MAX && size <= INT64_MAX); + if (avbuf.len + size > INT_MAX - 80) { + ret = AVERROR_INVALIDDATA; + goto fail; + } // Header is sent with the first line removed... ret = av_new_packet(pkt, avbuf.len - 80 + size); if (ret < 0) From 03cc7590a91f395c0aa5f67a65bc20491003dd23 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 3 Nov 2020 19:21:18 +0100 Subject: [PATCH 1135/1764] avcodec/utils: Check for integer overflow in get_audio_frame_duration() for ADPCM_DTK Fixes: signed integer overflow: 131203586 * 28 cannot be represented in type 'int' Fixes: 26817/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6296902548848640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2488ba85a0fa5ee4125888258d3d95ce3f03bbb6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2097337c39..bb352c6597 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1808,7 +1808,10 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, return frame_bytes / (9 * ch) * 16; case AV_CODEC_ID_ADPCM_PSX: case AV_CODEC_ID_ADPCM_DTK: - return frame_bytes / (16 * ch) * 28; + frame_bytes /= 16 * ch; + if (frame_bytes > INT_MAX / 28) + return 0; + return frame_bytes * 28; case AV_CODEC_ID_ADPCM_4XM: case AV_CODEC_ID_ADPCM_IMA_DAT4: case AV_CODEC_ID_ADPCM_IMA_ISS: From fd7d3d60439fb8cf16e0bdc1a82151399fa596d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Jan 2021 00:58:42 +0100 Subject: [PATCH 1136/1764] avformat/iff: Check block align also for ID_MAUD Fixes: Timeout & OOM Fixes: 28701/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5185094964871168 Fixes: 29116/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4874284795297792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b17ffe8f8f30ba03901bcf7caa6c523e874e8fde) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 45dbdc4d88..05e79ace75 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -760,7 +760,7 @@ static int iff_read_header(AVFormatContext *s) st->codecpar->bits_per_coded_sample = av_get_bits_per_sample(st->codecpar->codec_id); st->codecpar->bit_rate = (int64_t)st->codecpar->channels * st->codecpar->sample_rate * st->codecpar->bits_per_coded_sample; st->codecpar->block_align = st->codecpar->channels * st->codecpar->bits_per_coded_sample; - if (st->codecpar->codec_tag == ID_DSD && st->codecpar->block_align <= 0) + if ((st->codecpar->codec_tag == ID_DSD || st->codecpar->codec_tag == ID_MAUD) && st->codecpar->block_align <= 0) return AVERROR_INVALIDDATA; break; From ec0eb88a3905eaa7e610c869fa71675ddc83146f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:38:16 +0100 Subject: [PATCH 1137/1764] avformat/ads: Check size Fixes: signed integer overflow: -2147483616 - 64 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_ADS_fuzzer-6617769344892928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c78b2b138ce222de2f4cecac8fd4361f05ee9428) Signed-off-by: Michael Niedermayer --- libavformat/ads.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/ads.c b/libavformat/ads.c index 73ea7c7d54..45c21a33d4 100644 --- a/libavformat/ads.c +++ b/libavformat/ads.c @@ -34,8 +34,9 @@ static int ads_probe(AVProbeData *p) static int ads_read_header(AVFormatContext *s) { - int align, codec, size; + int align, codec; AVStream *st; + int64_t size; st = avformat_new_stream(s, NULL); if (!st) @@ -62,7 +63,7 @@ static int ads_read_header(AVFormatContext *s) st->codecpar->block_align = st->codecpar->channels * align; avio_skip(s->pb, 12); size = avio_rl32(s->pb); - if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX) + if (st->codecpar->codec_id == AV_CODEC_ID_ADPCM_PSX && size >= 0x40) st->duration = (size - 0x40) / 16 / st->codecpar->channels * 28; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 74b28ca1ab554fe96698fc6282086b20bd31f48c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 18:41:41 +0100 Subject: [PATCH 1138/1764] avformat/bfi: Check chunk_header Fixes: signed integer overflow: -2147483648 - 3 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6665764123836416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 638a151a877c27a46c15643db26c9ba726feecde) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 6c98e33ab4..9d88533acf 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -69,6 +69,9 @@ static int bfi_read_header(AVFormatContext * s) /* Set the total number of frames. */ avio_skip(pb, 8); chunk_header = avio_rl32(pb); + if (chunk_header < 3) + return AVERROR_INVALIDDATA; + bfi->nframes = avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From 2d104fd260410ff80ea4a97d83256be1cb396a1b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 21:29:01 +0100 Subject: [PATCH 1139/1764] avformat/utils: Check dts - (1< (cherry picked from commit d82ee907d6caafbc1212c4b63ecac2dcd30f23b0) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 59d77fd14f..735be289c4 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1249,7 +1249,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From f4651936468a40242ca3080e6123be903a0a9a62 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:00:27 +0100 Subject: [PATCH 1140/1764] avformat/asfdec_o: Check for EOF in asf_read_marker() Fixes: Timeout Fixes: 26460/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5710884393189376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e3d09f435f83f9653056b2fecc4d03ac45f3ffd) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 6174cfae2c..7d60b37b21 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -245,6 +245,9 @@ static int asf_read_marker(AVFormatContext *s, const GUIDParseTable *g) avio_skip(pb, 4); // flags len = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if ((ret = avio_get_str16le(pb, len, name, sizeof(name))) < len) avio_skip(pb, len - ret); From d99234eec2ed3c6445f4673533c3fec9f9f81a07 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2021 21:20:57 +0100 Subject: [PATCH 1141/1764] avformat/flvdec: Check for nesting depth in amf_parse_object() Fixes: out of array access Fixes: 29202/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5112845840809984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 074e204b42acdacc0a055671481e00914524af93) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 6eb13c7920..75bdb9526e 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -41,6 +41,8 @@ #define RESYNC_BUFFER_SIZE (1<<20) +#define MAX_DEPTH 16 ///< arbitrary limit to prevent unbounded recursion + typedef struct FLVContext { const AVClass *class; ///< Class for private options. int trust_metadata; ///< configure streams according onMetaData @@ -465,6 +467,9 @@ static int amf_parse_object(AVFormatContext *s, AVStream *astream, char str_val[1024]; double num_val; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + num_val = 0; ioc = s->pb; if (avio_feof(ioc)) From abb8a37bf8f68dc021a6c8bb098cfe6275a15ae7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Jan 2021 22:00:40 +0100 Subject: [PATCH 1142/1764] avformat/flvdec: Check for nesting depth in amf_skip_tag() Fixes: out of array access Fixes: 29440/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5985279812960256.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ef522c918d48b9f101548b2cadce02003cb3510) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 75bdb9526e..506b24143f 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -794,10 +794,13 @@ static void clear_index_entries(AVFormatContext *s, int64_t pos) } } -static int amf_skip_tag(AVIOContext *pb, AMFDataType type) +static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) { int nb = -1, ret, parse_name = 1; + if (depth > MAX_DEPTH) + return AVERROR_PATCHWELCOME; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); @@ -822,7 +825,7 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type) } avio_skip(pb, size); } - if ((ret = amf_skip_tag(pb, avio_r8(pb))) < 0) + if ((ret = amf_skip_tag(pb, avio_r8(pb), depth + 1)) < 0) return ret; } break; @@ -866,7 +869,7 @@ static int flv_data_packet(AVFormatContext *s, AVPacket *pkt, else break; } else { - if ((ret = amf_skip_tag(pb, type)) < 0) + if ((ret = amf_skip_tag(pb, type, 0)) < 0) goto skip; } } From f551bcd6d68e4c4e4ce2acb60a002023c23d3b03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 17:41:28 +0100 Subject: [PATCH 1143/1764] avformat/flvdec: Check for avio_read() failure in amf_get_string() Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit cb316676112c01e8d66420908b6b3d06b3b498e3) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 506b24143f..c0a97258a6 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -357,13 +357,18 @@ static int flv_set_video_codec(AVFormatContext *s, AVStream *vstream, static int amf_get_string(AVIOContext *ioc, char *buffer, int buffsize) { + int ret; int length = avio_rb16(ioc); if (length >= buffsize) { avio_skip(ioc, length); return -1; } - avio_read(ioc, buffer, length); + ret = avio_read(ioc, buffer, length); + if (ret < 0) + return ret; + if (ret < length) + return AVERROR_INVALIDDATA; buffer[length] = '\0'; From c3cd65720fcd71b4dcd2450fa997e5d8f88147fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:05:53 +0100 Subject: [PATCH 1144/1764] avformat/utils: Check dts in update_initial_timestamps() more Fixes: signed integer overflow: -9223372036853488158 - 90000000 cannot be represented in type 'long long' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MPSUB_fuzzer-6696625298866176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29851cb840c176d514573914799ca6c95f3f4e8e) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index 735be289c4..92cdd3cc11 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1102,6 +1102,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || st->cur_dts < INT_MIN + RELATIVE_TS_BASE || + dts < INT_MIN + (st->cur_dts - RELATIVE_TS_BASE) || is_relative(dts)) return; From a34dd1d5018578f3cca2573bb672178ac034c39a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:20:37 +0100 Subject: [PATCH 1145/1764] avformat/mvi: Use 64bit for testing dimensions Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-6649291124899840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48fb752767086a48e599f9e86d87096f66cc7590) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 1e2a08b44c..0b53473671 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -93,7 +93,7 @@ static int read_header(AVFormatContext *s) vst->codecpar->codec_type = AVMEDIA_TYPE_VIDEO; vst->codecpar->codec_id = AV_CODEC_ID_MOTIONPIXELS; - mvi->get_int = (vst->codecpar->width * vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; + mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { From 38f634ac7f6e9802c6a53680ba85341b714b9edd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Jan 2021 22:44:33 +0100 Subject: [PATCH 1146/1764] avformat/nutdec: Fix integer overflow in count computation Note, the value is checked a few lines later already Fixes: signed integer overflow: -440402016 - 1879048064 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6603876618469376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0014249fd92132515b3ff0ce034dd65e745cb400) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 27440c88d4..0f6e4b21bb 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -260,7 +260,7 @@ static int decode_main_header(NUTContext *nut) if (tmp_fields > 5) count = ffio_read_varlen(bc); else - count = tmp_mul - tmp_size; + count = tmp_mul - (unsigned)tmp_size; if (tmp_fields > 6) get_s(bc); if (tmp_fields > 7) From 6d96e983f15c496c7df6953f891d588e9254a421 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Dec 2020 20:42:27 +0100 Subject: [PATCH 1147/1764] avformat/mpc8: Check size before implicitly converting to int Fixes: Timeout Fixes: 28551/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6229183210586112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 78d6d8ddb571ecca54616517defbf894a45ea9c3) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index 7c6c53e2a4..e15d228e2c 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -291,7 +291,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_EOF; mpc8_get_chunk_header(s->pb, &tag, &size); - if (size < 0) + if (size < 0 || size > INT_MAX) return -1; if(tag == TAG_AUDIOPACKET){ if(av_get_packet(s->pb, pkt, size) < 0) From 71f0cfd327d6cf13c96ec424fc20dd58eca67cf3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jan 2021 23:42:39 +0100 Subject: [PATCH 1148/1764] avformat/nuv: Check channels Fixes: signed integer overflow: -3468545475927866368 * 4 cannot be represented in type 'long' Fixes: 28879/clusterfuzz-testcase-minimized-ffmpeg_dem_NUV_fuzzer-6303367307591680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fc45d924d7ff6be80e90870540ba35efc290e428) Signed-off-by: Michael Niedermayer --- libavformat/nuv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 9bdea4ab55..2be22f9f51 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -121,6 +121,10 @@ static int get_codec_data(AVFormatContext *s, AVIOContext *pb, AVStream *vst, ast->codecpar->bits_per_coded_sample = avio_rl32(pb); ast->codecpar->channels = avio_rl32(pb); ast->codecpar->channel_layout = 0; + if (ast->codecpar->channels <= 0) { + av_log(s, AV_LOG_ERROR, "Invalid channels %d\n", ast->codecpar->channels); + return AVERROR_INVALIDDATA; + } id = ff_wav_codec_get_id(ast->codecpar->codec_tag, ast->codecpar->bits_per_coded_sample); From c44aadea591f55598da0c97377598a05aeb6571e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Nov 2020 21:11:32 +0100 Subject: [PATCH 1149/1764] avformat/tedcaptionsdec: Check for overflow in parse_int() Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0f8586ca9853ab3d324ccd3c42bad4375000b0a) Signed-off-by: Michael Niedermayer --- libavformat/tedcaptionsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tedcaptionsdec.c b/libavformat/tedcaptionsdec.c index 21d44c17f4..b2714f5576 100644 --- a/libavformat/tedcaptionsdec.c +++ b/libavformat/tedcaptionsdec.c @@ -181,6 +181,8 @@ static int parse_int(AVIOContext *pb, int *cur_byte, int64_t *result) if ((unsigned)*cur_byte - '0' > 9) return AVERROR_INVALIDDATA; while (BETWEEN(*cur_byte, '0', '9')) { + if (val > INT_MAX/10 - (*cur_byte - '0')) + return AVERROR_INVALIDDATA; val = val * 10 + (*cur_byte - '0'); next_byte(pb, cur_byte); } From 3bdf23b9feaa354d59e4f631dab0d25665231a5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 22:18:59 +0100 Subject: [PATCH 1150/1764] avformat/electronicarts: More chunk_size checks Fixes: Timeout Fixes: 26909/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6489496553783296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d03f0ec9a1ce9903ae533059d30758bede238e40) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index eddc81b8ee..4c1b64cca9 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -607,10 +607,14 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) break; } else if (ea->audio_codec == AV_CODEC_ID_PCM_S16LE_PLANAR || ea->audio_codec == AV_CODEC_ID_MP3) { + if (chunk_size < 12) + return AVERROR_INVALIDDATA; num_samples = avio_rl32(pb); avio_skip(pb, 8); chunk_size -= 12; } else if (ea->audio_codec == AV_CODEC_ID_ADPCM_PSX) { + if (chunk_size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); chunk_size -= 8; } @@ -694,6 +698,8 @@ static int ea_read_packet(AVFormatContext *s, AVPacket *pkt) case fVGT_TAG: case MADm_TAG: case MADe_TAG: + if (chunk_size > INT_MAX - 8) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); // include chunk preamble chunk_size += 8; goto get_video_packet; From 35d9e182b9b711631c91d84bfe20ec23862a8147 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 10 Nov 2020 23:01:12 +0100 Subject: [PATCH 1151/1764] avformat/aiffdec: Check size before subtraction in get_aiff_header() Fixes: Infinite loop Fixes: 27235/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5761398380167168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8af299acde9601e64740b75430960503615873b4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 8d262d8d38..ceb7952a9c 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -120,6 +120,8 @@ static int get_aiff_header(AVFormatContext *s, int size, else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; par->sample_rate = sample_rate; + if (size < 18) + return AVERROR_INVALIDDATA; size -= 18; /* get codec id for AIFF-C */ From ec6eb51ae8fdcd4823500b47160b5e1ae90c4917 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jan 2021 21:54:31 +0100 Subject: [PATCH 1152/1764] avformat/flvdec: Check for EOF in amf_skip_tag() Fixes: Timeout Fixes: 29070/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5650106766458880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9725d07a1770fbfafe5f7b3f7d95a2a513308538) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c0a97258a6..828b572f7e 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -806,6 +806,9 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) if (depth > MAX_DEPTH) return AVERROR_PATCHWELCOME; + if (avio_feof(pb)) + return AVERROR_EOF; + switch (type) { case AMF_DATA_TYPE_NUMBER: avio_skip(pb, 8); From 9b43c8d34ad561b9e906e24143b5cacf7019ba5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Jan 2021 23:58:04 +0100 Subject: [PATCH 1153/1764] avformat/wavdec: Check avio_get_str16le() for failure Fixes: out of array access Fixes: 29195/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5037853281222656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d7594ee751e621f6c7ef4d4977c4a3ce169ae0af) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 2938914cd0..ad72ad0622 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -858,6 +858,10 @@ static int w64_read_header(AVFormatContext *s) return AVERROR(ENOMEM); ret = avio_get_str16le(pb, chunk_size, value, chunk_size); + if (ret < 0) { + av_free(value); + return ret; + } avio_skip(pb, chunk_size - ret); av_dict_set(&s->metadata, chunk_key, value, AV_DICT_DONT_STRDUP_VAL); From cd6449508401b5f44d3e5f4dbf72be883d984682 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 00:46:26 +0100 Subject: [PATCH 1154/1764] avcodec/vp3: Check input amount in theora_decode_header() Fixes: Timeout Fixes: 29226/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-6195092572471296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 869fe41d1088c4badcd98ee1ca2490451a07b173) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 38cecf22a9..5ecbf9f383 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2273,6 +2273,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + if (get_bits_left(gb) < 206) + return AVERROR_INVALIDDATA; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); From d40aefc2dc6221956d2ca2428aff421a88e1ae63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:52:59 +0100 Subject: [PATCH 1155/1764] avformat/soxdec: Check channels to be positive Fixes: signed integer overflow: 32 * -1795162112 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SOX_fuzzer-6724151473340416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b0588b73daeb0e6a0741f39b33943c67eac71619) Signed-off-by: Michael Niedermayer --- libavformat/soxdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/soxdec.c b/libavformat/soxdec.c index 12a94c8ffa..2801c3e239 100644 --- a/libavformat/soxdec.c +++ b/libavformat/soxdec.c @@ -90,7 +90,7 @@ static int sox_read_header(AVFormatContext *s) sample_rate_frac); if ((header_size + 4) & 7 || header_size < SOX_FIXED_HDR + comment_size - || st->codecpar->channels > 65535) /* Reserve top 16 bits */ { + || st->codecpar->channels > 65535 || st->codecpar->channels <= 0) /* Reserve top 16 bits */ { av_log(s, AV_LOG_ERROR, "invalid header\n"); return AVERROR_INVALIDDATA; } From 7f8f71737da44f31ec24dfc63b6095ab45dd305f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Jan 2021 22:57:28 +0100 Subject: [PATCH 1156/1764] avformat/tta: Use 64bit intermediate for index Fixes: signed integer overflow: 42032 * 51092 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6679539648430080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fd61b42b4c8709a7888fa5c9cce0c19d754e39fc) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index ae90a85544..c50f029d66 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,7 +119,7 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; - if ((r = av_add_index_entry(st, framepos, i * c->frame_size, size, 0, + if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; framepos += size; From 15e4a29785bc8c04a52540a9b64c6da41fd27c64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 00:31:08 +0100 Subject: [PATCH 1157/1764] avcodec/simple_idct: Fix undefined integer overflow in idct4row() Fixes: signed integer overflow: -1498310196 - 902891776 cannot be represented in type 'int' Fixes: 28445/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5075163389493248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57f7e5caa324fd760aa9e134ee963e9936083c59) Signed-off-by: Michael Niedermayer --- libavcodec/simple_idct.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/simple_idct.c b/libavcodec/simple_idct.c index 1d05b2fe08..9fdd17034f 100644 --- a/libavcodec/simple_idct.c +++ b/libavcodec/simple_idct.c @@ -166,7 +166,8 @@ static inline void idct4col_add(uint8_t *dest, ptrdiff_t line_size, const int16_ #define R_SHIFT 11 static inline void idct4row(int16_t *row) { - int c0, c1, c2, c3, a0, a1, a2, a3; + unsigned c0, c1, c2, c3; + int a0, a1, a2, a3; a0 = row[0]; a1 = row[1]; From 599b9b89d1bccf2e72a75bc6e546b6ac0a898fa0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2020 23:13:58 +0100 Subject: [PATCH 1158/1764] avformat/rmdec: Fix codecdata_length overflow check Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 28509/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6310969680723968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c41d0bfd6041890b394a3e6eb2f8da92b83416b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 64b3b6aa4f..6f0cb1c549 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -257,7 +257,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From 90a723f134385e75f5c0d3f97e05cc5833c7850b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 20:47:10 +0100 Subject: [PATCH 1159/1764] avformat/mvdec: Sanity check SAMPLE_WIDTH Fixes: signed integer overflow: 999999999 * 8 cannot be represented in type 'int' Fixes: 30048/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5864289917337600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit ab82c105787fa81d1e35b9209f3d53e98be936a4) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index b357ab1d45..c7709ef681 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -159,7 +159,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, st->codecpar->sample_rate = var_read_int(pb, size); avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { - st->codecpar->bits_per_coded_sample = var_read_int(pb, size) * 8; + uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; + if (bpc > 16) + return AVERROR_INVALIDDATA; + st->codecpar->bits_per_coded_sample = bpc; } else return AVERROR_INVALIDDATA; From c6f65b8711f19fc5f8c18961e8e73ffe4a6dce98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 00:31:47 +0100 Subject: [PATCH 1160/1764] avcodec/rscc: Check inflated_buf size whan it is used Fixes: out of array access Fixes: 27434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5196757675540480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit a5ed6da9bdbe32408aabe1c75e4b55fcaeec1e9b) Signed-off-by: Michael Niedermayer --- libavcodec/rscc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index b170e5f618..d9b4faaf0b 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -283,6 +283,10 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto end; } + if (ctx->inflated_size < pixel_size) { + ret = AVERROR_INVALIDDATA; + goto end; + } ret = uncompress(ctx->inflated_buf, &len, gbc->buffer, packed_size); if (ret) { av_log(avctx, AV_LOG_ERROR, "Pixel deflate error %d.\n", ret); From 64be5589067ba08ecac464299e7887a035e2575a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:31:07 +0100 Subject: [PATCH 1161/1764] avcodec/mxpegdec: fix SOF counting Fixes: Timeout (>10sec -> 15ms) Fixes: 27652/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5125920868007936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 401495def62638a205569cac0f7861c7faba4d18) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index 55ec6e928e..f89226fefa 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -247,16 +247,17 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, "Multiple SOF in a frame\n"); return AVERROR_INVALIDDATA; } - s->got_sof_data = 0; ret = ff_mjpeg_decode_sof(jpg); if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "SOF data decode error\n"); + s->got_sof_data = 0; return ret; } if (jpg->interlaced) { av_log(avctx, AV_LOG_ERROR, "Interlaced mode not supported in MxPEG\n"); + s->got_sof_data = 0; return AVERROR(EINVAL); } s->got_sof_data ++; From 270b1a9514ca9a31c72a71ecd52a4e42a893b1c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2020 00:54:46 +0100 Subject: [PATCH 1162/1764] avformat/rmdec: Reorder operations to avoid overflow Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int' Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12e713b8061cc6a71ec69da946552bc593d5fa7) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 6f0cb1c549..c01c822152 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -720,9 +720,9 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre av_log(s, AV_LOG_WARNING, "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); - len -= 14; // we already read part of the index header - if(len<0) + if(len < 14) continue; + len -= 14; // we already read part of the index header goto skip; } else if (state == MKBETAG('D','A','T','A')) { av_log(s, AV_LOG_WARNING, From d6258650954e1da6eef77dfd45f5ea7808c7f8ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 17:55:12 +0100 Subject: [PATCH 1163/1764] avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper Fixes: signed integer overflow: 2147483641 + 32 cannot be represented in type 'int' Fixes: 27452/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5078752576667648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dfb7ff528c02afbafba14676c139ecb82164c44) Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index 3acf94c583..9b11661704 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c @@ -1138,7 +1138,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (t + (1 << (bits - 1))) >> bits : \ + (int)(t + (1U << (bits - 1))) >> bits : \ t)); \ dst++; \ } \ @@ -1153,7 +1153,7 @@ static void type_a##_##type_b##_##sz##x##sz##_add_c(uint8_t *_dst, \ for (j = 0; j < sz; j++) \ dst[j * stride] = av_clip_pixel(dst[j * stride] + \ (bits ? \ - (out[j] + (1 << (bits - 1))) >> bits : \ + (int)(out[j] + (1U << (bits - 1))) >> bits : \ out[j])); \ dst++; \ } \ From b26360b7f928faeefda36f260eac46d722ceffed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 19:13:01 +0100 Subject: [PATCH 1164/1764] avformat/mov: Use av_mul_q() to avoid integer overflows Fixes: signed integer overflow: 538976288 * 538976288 cannot be represented in type 'int' Fixes: 27473/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5758978289827840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f70e1ec0cfa8ae24b224faf522c1d6ca95a42f6) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index eb522e626b..436acd9fae 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2121,12 +2121,10 @@ FF_ENABLE_DEPRECATION_WARNINGS if (tmcd_ctx->tmcd_flags & 0x0008) { int timescale = AV_RB32(st->codecpar->extradata + 8); int framedur = AV_RB32(st->codecpar->extradata + 12); - st->avg_frame_rate.num *= timescale; - st->avg_frame_rate.den *= framedur; + st->avg_frame_rate = av_mul_q(st->avg_frame_rate, (AVRational){timescale, framedur}); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - st->codec->time_base.den *= timescale; - st->codec->time_base.num *= framedur; + st->codec->time_base = av_mul_q(st->codec->time_base , (AVRational){framedur, timescale}); FF_ENABLE_DEPRECATION_WARNINGS #endif } From 2aa07c6b8e7adb8cb6162d1f44b90549c163321c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Nov 2020 20:41:56 +0100 Subject: [PATCH 1165/1764] avformat/4xm: Make audio_frame_count 64bit Fixes: signed integer overflow: 2099257366 * 2 cannot be represented in type 'int' Fixes: 27486/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-5112179134824448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 842c268c6436c9e90e689402be138c2e539f7059) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index e93095cb09..8e2d305b24 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -298,7 +298,7 @@ static int fourxm_read_packet(AVFormatContext *s, unsigned int track_number; int packet_read = 0; unsigned char header[8]; - int audio_frame_count; + int64_t audio_frame_count; while (!packet_read) { if ((ret = avio_read(s->pb, header, 8)) < 0) From e41c1dde7268e4ea796f63e9bba4bd43dc2ea1cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:02 +0100 Subject: [PATCH 1166/1764] avformat/3dostr: Check sample_rate Fixes: signed integer overflow: -1268324762623155200 * 8 cannot be represented in type 'long' Fixes: 30123/clusterfuzz-testcase-minimized-ffmpeg_dem_THREEDOSTR_fuzzer-6710765123928064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7e5034f97e41d3f8112c1f8da3b5274ab99ef6f8) Signed-off-by: Michael Niedermayer --- libavformat/3dostr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/3dostr.c b/libavformat/3dostr.c index 3668e5f613..fd08265c08 100644 --- a/libavformat/3dostr.c +++ b/libavformat/3dostr.c @@ -64,7 +64,7 @@ static int threedostr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->sample_rate = avio_rb32(s->pb); st->codecpar->channels = avio_rb32(s->pb); - if (st->codecpar->channels <= 0) + if (st->codecpar->channels <= 0 || st->codecpar->sample_rate <= 0) return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); avio_skip(s->pb, 4); From 201eb0c99495e91e1e30108a27bec41c2c82e648 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Feb 2021 21:50:03 +0100 Subject: [PATCH 1167/1764] avformat/asfdec_f: Add an additional check for the extradata size Fixes: OOM Fixes: 30066/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6182309126602752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c8cd4490a6ab2742e6ad1ce059b4f4957b39500) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 3439bcbd51..922ad3c29f 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -516,6 +516,8 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { + if (size < sizeX - 40) + return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); From 6ada27fe955b1a223cb8993443aef097762b1cbb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Feb 2021 14:29:01 +0100 Subject: [PATCH 1168/1764] avformat/wtvdec: Check len in parse_chunks() to avoid overflow Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int' Fixes: 30084/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6192261941559296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 5552ceaf568915e668679f9581e07eb5507cafc4) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 366a42829f..f3103c0790 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -795,7 +795,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p ff_get_guid(pb, &g); len = avio_rl32(pb); - if (len < 32) { + if (len < 32 || len > INT_MAX - 7) { int ret; if (avio_feof(pb)) return AVERROR_EOF; From c58d3ebcf498139e849c0b9b4d923e015e992dcd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:22:53 +0100 Subject: [PATCH 1169/1764] libavutil/eval: Remove CONFIG_TRAPV special handling Fixes: division by zero Fixes: 29555/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-5149951447400448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8574fcbfc7784173347418e09035ff8121574571) Signed-off-by: Michael Niedermayer --- libavutil/eval.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/eval.c b/libavutil/eval.c index b5f4ea2409..85228cc75b 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -297,7 +297,7 @@ static double eval_expr(Parser *p, AVExpr *e) double d = eval_expr(p, e->param[0]); double d2 = eval_expr(p, e->param[1]); switch (e->type) { - case e_mod: return e->value * (d - floor((!CONFIG_FTRAPV || d2) ? d / d2 : d * INFINITY) * d2); + case e_mod: return e->value * (d - floor(d2 ? d / d2 : d * INFINITY) * d2); case e_gcd: return e->value * av_gcd(d,d2); case e_max: return e->value * (d > d2 ? d : d2); case e_min: return e->value * (d < d2 ? d : d2); From 4db28ef7c24a4cea4e2eaa807c47a476fded40b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 14:59:27 +0100 Subject: [PATCH 1170/1764] avcodec/hevc_sei: Check payload size in decode_nal_sei_message() Fixes: out of array access Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0791a515d38fd35c1e2a309ec8f4015153687b8c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 4fae797251..7da65cdba5 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -336,6 +336,8 @@ static int decode_nal_sei_message(GetBitContext *gb, HEVCSEIContext *s, byte = get_bits(gb, 8); payload_size += byte; } + if (get_bits_left(gb) < 8LL*payload_size) + return AVERROR_INVALIDDATA; if (nal_unit_type == HEVC_NAL_SEI_PREFIX) { return decode_nal_sei_prefix(gb, s, ps, payload_type, payload_size, logctx); } else { /* nal_unit_type == NAL_SEI_SUFFIX */ From cc919e40ac00978b01233c3bf301cf763f117485 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:14:03 +0100 Subject: [PATCH 1171/1764] avformat/id3v2: Check the return from avio_get_str() Fixes: out of array access Fixes: 29446/clusterfuzz-testcase-minimized-ffmpeg_dem_AAC_fuzzer-5096222622875648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 25f240fcb398eb499ca4b70c026a8bb9f2a32731) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index f52e28951d..8f8ffc416f 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -609,7 +609,10 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, /* mimetype */ if (isv34) { - taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + int ret = avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); + if (ret < 0 || ret >= taglen) + goto fail; + taglen -= ret; } else { if (avio_read(pb, mimetype, 3) < 0) goto fail; From 2813037bd0f057e110e321eced019d549e5d8b40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:37:52 +0100 Subject: [PATCH 1172/1764] avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() Fixes: Timeout Fixes: left shift of 33046 by 16 places cannot be represented in type 'int' Fixes: 29258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-4889231489105920 Fixes: 29515/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-6161940391002112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 980900d991606cbc3747b37d6e83c7aae98cbecc) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 5308b744df..de1875ce30 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -149,7 +149,7 @@ static inline int ls_get_code_regular(GetBitContext *gb, JLSState *state, int Q) { int k, ret; - for (k = 0; (state->N[Q] << k) < state->A[Q]; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < state->A[Q]; k++) ; #ifdef JLS_BROKEN From 69fc4a7cae8da3734185ccede0a17ab2f4371195 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:19:42 +0100 Subject: [PATCH 1173/1764] avformat/mvdec: Check for EOF in read_index() Fixes: Timeout Fixes: 29550/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5094307193290752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6c64351bb1f4dc148069a37754b746fcd4c784cf) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index c7709ef681..d5bc38e874 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -261,6 +261,8 @@ static void read_index(AVIOContext *pb, AVStream *st) uint32_t pos = avio_rb32(pb); uint32_t size = avio_rb32(pb); avio_skip(pb, 8); + if (avio_feof(pb)) + return ; av_add_index_entry(st, pos, timestamp, size, 0, AVINDEX_KEYFRAME); if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) { timestamp += size / (st->codecpar->channels * 2LL); From 58b0d89f959ef4016000ba8582212e638b667756 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:28:08 +0100 Subject: [PATCH 1174/1764] avformat/mov: Check for duplicate st3d Fixes: memleak Fixes: 29585/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6594188688490496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 658f0606cba0f866714cbe09af30ec40c4168930) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 436acd9fae..38d44b72db 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4904,6 +4904,10 @@ static int mov_read_st3d(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_ERROR, "Empty stereoscopic video box\n"); return AVERROR_INVALIDDATA; } + + if (sc->stereo3d) + return AVERROR_INVALIDDATA; + avio_skip(pb, 4); /* version + flags */ mode = avio_r8(pb); From 69ffdd28c430a8375a2b19a34987df944832c632 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 16:30:59 +0100 Subject: [PATCH 1175/1764] avformat/avidec: Use 64bit in get_duration() Fixes: signed integer overflow: 2147483424 + 8224 cannot be represented in type 'int' Fixes: 29619/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5191424373030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0ceb0cdd41b56241697cd8f83e22cdb4822d2d9) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index c8f1f63ca6..9e71dcfc6f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -126,7 +126,7 @@ static inline int get_duration(AVIStream *ast, int len) if (ast->sample_size) return len; else if (ast->dshow_block_align) - return (len + ast->dshow_block_align - 1) / ast->dshow_block_align; + return (len + (int64_t)ast->dshow_block_align - 1) / ast->dshow_block_align; else return 1; } From 27a9a8187542cc66d1ff502b2aefcc34586163a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 17:00:38 +0100 Subject: [PATCH 1176/1764] avformat/samidec: Sanity check pts Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: 29743/clusterfuzz-testcase-minimized-ffmpeg_dem_SAMI_fuzzer-5499256859394048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2014b0135293c41d261757bfa1aaba51653bab8e) Signed-off-by: Michael Niedermayer --- libavformat/samidec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/samidec.c b/libavformat/samidec.c index 678fac0e17..0824aee741 100644 --- a/libavformat/samidec.c +++ b/libavformat/samidec.c @@ -95,6 +95,11 @@ static int sami_read_header(AVFormatContext *s) const char *p = ff_smil_get_attr_ptr(buf.str, "Start"); sub->pos = pos; sub->pts = p ? strtol(p, NULL, 10) : 0; + if (sub->pts <= INT64_MIN/2 || sub->pts >= INT64_MAX/2) { + res = AVERROR_PATCHWELCOME; + goto end; + } + sub->duration = -1; } } From bbdd7670535d66f65c2ad22c72316b1f59053881 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Nov 2020 21:42:23 +0100 Subject: [PATCH 1177/1764] avformat/flvdec: Treat high ts byte as unsigned Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 27516/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5152854660349952 Signed-off-by: Michael Niedermayer (cherry picked from commit f514113cfa9fc44d80086bb2a2b783e8026dc3a9) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 828b572f7e..25ee352f8c 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -1108,7 +1108,7 @@ retry_duration: avio_seek(s->pb, fsize - 3 - size, SEEK_SET); if (size == avio_rb24(s->pb) + 11) { uint32_t ts = avio_rb24(s->pb); - ts |= avio_r8(s->pb) << 24; + ts |= (unsigned)avio_r8(s->pb) << 24; if (ts) s->duration = ts * (int64_t)AV_TIME_BASE / 1000; else if (fsize >= 8 && fsize - 8 >= size) { From 73c963692e78a7f15bfa09f19cf2f86860fb36fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Oct 2020 22:04:37 +0100 Subject: [PATCH 1178/1764] avformat/rmdec: Check remaining space in debug av_log() loop Fixes: Timeout (long -> 2 ms) Fixes: 26709/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5665833403285504 Fixes: 27522/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6321071221112832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8fe78decd700afec461f06df4ce0d36f3e9cc4b) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index c01c822152..23b8b86354 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1292,8 +1292,11 @@ static int ivr_read_header(AVFormatContext *s) int j; av_log(s, AV_LOG_DEBUG, "%s = '0x", key); - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); + } av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "Duration", tlen)) { st->duration = avio_rb32(pb); From 5bd10bb5f6abab4872ef648d409f5a28609fa671 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Nov 2020 00:22:39 +0100 Subject: [PATCH 1179/1764] avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() The buffer is read by using the bit reader Fixes: out of array read Fixes: 27539/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5650565572591616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a7c648e2d85a59975cc88079975cf9f3306ed0a) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index ad72ad0622..ef0c6b374c 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -68,7 +68,7 @@ static void set_spdif(AVFormatContext *s, WAVDemuxContext *wav) int ret = ffio_ensure_seekback(s->pb, len); if (ret >= 0) { - uint8_t *buf = av_malloc(len); + uint8_t *buf = av_malloc(len + AV_INPUT_BUFFER_PADDING_SIZE); if (!buf) { ret = AVERROR(ENOMEM); } else { From 7d1d375245dfe96abd712f722281faf639c97033 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 22:28:20 +0100 Subject: [PATCH 1180/1764] avcodec/pnm_parser: Check av_image_get_buffer_size() for failure Fixes: out of array access Fixes: 30135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-4997145650397184 Fixes: 30208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5605891665690624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5314a4996cc76e2a8534c74a66f5181e95ac64fc) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index bdd7f2b505..036ee97914 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -60,8 +60,10 @@ retry: } else if (pnmctx.type < 4) { next = END_NOT_FOUND; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start - + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + next = pnmctx.bytestream - pnmctx.bytestream_start; + if (ret >= 0) + next += ret; if (pnmctx.bytestream_start != buf) next -= pc->index; if (next > buf_size) From 7fed68e63ba2a438690a96e53585efd7976d2a34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:21:53 +0100 Subject: [PATCH 1181/1764] avformat/r3d: Check samples before computing duration Fixes: signed integer overflow: -4611686024827895807 + -4611686016279904256 cannot be represented in type 'long' Fixes: 30161/clusterfuzz-testcase-minimized-ffmpeg_dem_R3D_fuzzer-5694406713802752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7a2aa5dc2af6c4fc66aaedd341b0886fbc746f0d) Signed-off-by: Michael Niedermayer --- libavformat/r3d.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/r3d.c b/libavformat/r3d.c index 1f53d847e9..f4a5a99670 100644 --- a/libavformat/r3d.c +++ b/libavformat/r3d.c @@ -326,7 +326,8 @@ static int r3d_read_reda(AVFormatContext *s, AVPacket *pkt, Atom *atom) pkt->stream_index = 1; pkt->dts = dts; - if (st->codecpar->sample_rate) + + if (st->codecpar->sample_rate && samples > 0) pkt->duration = av_rescale(samples, st->time_base.den, st->codecpar->sample_rate); av_log(s, AV_LOG_TRACE, "pkt dts %"PRId64" duration %"PRId64" samples %d sample rate %d\n", pkt->dts, pkt->duration, samples, st->codecpar->sample_rate); From 3b36248fe61953512b36b8b4e58f784e3b163f0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:40:21 +0100 Subject: [PATCH 1182/1764] avformat/electronicarts: Clear partial_packet on error Fixes: Infinite loop Fixes: 30165/clusterfuzz-testcase-minimized-ffmpeg_dem_EA_fuzzer-6224642371092480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 59bb9dc2a670cbe5d659585392b6d79f7bb6d40f) Signed-off-by: Michael Niedermayer --- libavformat/electronicarts.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c index 4c1b64cca9..2cfee81b6c 100644 --- a/libavformat/electronicarts.c +++ b/libavformat/electronicarts.c @@ -729,6 +729,7 @@ get_video_packet: ret = av_get_packet(pb, pkt, chunk_size); if (ret < 0) { packet_read = 1; + partial_packet = 0; break; } partial_packet = chunk_type == MVIh_TAG; From 7901a7ed2047c128bd2fad1d71b6302255c36b91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2020 00:00:40 +0100 Subject: [PATCH 1183/1764] avformat/nutdec: Check timebase count against main header length Fixes: Timeout (long -> 3ms) Fixes: 28514/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6078669009321984 Fixes: 30095/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-5074433016463360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c425198558826795d94af45eeb9d94e4436c9a0f) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0f6e4b21bb..e14d118bb8 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -193,13 +193,13 @@ static int decode_main_header(NUTContext *nut) { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - uint64_t tmp, end; + uint64_t tmp, end, length; unsigned int stream_count; int i, j, count, ret; int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; - end = get_packetheader(nut, bc, 1, MAIN_STARTCODE); - end += avio_tell(bc); + length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); if (nut->version < NUT_MIN_VERSION || @@ -219,7 +219,7 @@ static int decode_main_header(NUTContext *nut) nut->max_distance = 65536; } - GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational)); + GET_V(nut->time_base_count, tmp > 0 && tmp < INT_MAX / sizeof(AVRational) && tmp < length/2); nut->time_base = av_malloc_array(nut->time_base_count, sizeof(AVRational)); if (!nut->time_base) return AVERROR(ENOMEM); From 7fd5a96f7faf8225395357e4c96758a438898188 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 19:28:15 +0100 Subject: [PATCH 1184/1764] avcodec/fits: Check gcount and pcount being non negative Fixes: signed integer overflow: 9223372036854775807 - -30069403896 cannot be represented in type 'long' Fixes: 30046/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5807144773484544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c000a9128815e7cee4316dc45605259bbaa138ff) Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index 25c33e06c8..97fa7abe80 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -205,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) { header->groups = (c == 'T'); } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->gcount = t; } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->pcount = t; } dict_set_if_not_null(metadata, keyword, value); From 947ce7cca0468620055495c99d1578a8d360c792 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:41:31 +0100 Subject: [PATCH 1185/1764] avformat/mov: Check element count in mov_metadata_hmmt() Fixes: Timeout Fixes: 30325/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6048395703746560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d277b92fa4c149d589e6828d4e18ad578406f1f) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 38d44b72db..957af54d22 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -288,6 +288,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) return 0; n_hmmt = avio_rb32(pb); + if (n_hmmt > len / 4) + return AVERROR_INVALIDDATA; for (i = 0; i < n_hmmt && !pb->eof_reached; i++) { int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); From 93bb05f77f7185a17ee11ce40fed1f2300be31b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Feb 2021 20:52:17 +0100 Subject: [PATCH 1186/1764] avformat/rmdec: Check codec_length without overflow Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 30333/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5175286983426048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d558c9f2375fd2136d20422cb1119cfbf872abeb) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 23b8b86354..153e9eb930 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -226,7 +226,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, if (version == 5) avio_r8(pb); codecdata_length = avio_rb32(pb); - if(codecdata_length + AV_INPUT_BUFFER_PADDING_SIZE <= (unsigned)codecdata_length){ + if((unsigned)codecdata_length > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE){ av_log(s, AV_LOG_ERROR, "codecdata_length too large\n"); return -1; } From 5422b33281f75aff1f449e3d78e740f224f07900 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:16:25 +0100 Subject: [PATCH 1187/1764] avcodec/hapdec: Change compressed_offset to unsigned 32bit Fixes: out of array access Fixes: 29345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5401813482340352 Fixes: 30745/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5762798221131776 Suggested-by: Anton Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 89fe1935b18621af06587c76bcde6adcdc8f2249) Signed-off-by: Michael Niedermayer --- libavcodec/hap.h | 2 +- libavcodec/hapdec.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hap.h b/libavcodec/hap.h index 0ee65335d9..21f9b01760 100644 --- a/libavcodec/hap.h +++ b/libavcodec/hap.h @@ -52,7 +52,7 @@ enum HapSectionType { typedef struct HapChunk { enum HapCompressor compressor; - int compressed_offset; + uint32_t compressed_offset; size_t compressed_size; int uncompressed_offset; size_t uncompressed_size; diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index fc9dff10f1..cf252e2872 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -128,6 +128,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size) size_t running_size = 0; for (i = 0; i < ctx->chunk_count; i++) { ctx->chunks[i].compressed_offset = running_size; + if (ctx->chunks[i].compressed_size > UINT32_MAX - running_size) + return AVERROR_INVALIDDATA; running_size += ctx->chunks[i].compressed_size; } } @@ -207,7 +209,7 @@ static int hap_parse_frame_header(AVCodecContext *avctx) HapChunk *chunk = &ctx->chunks[i]; /* Check the compressed buffer is valid */ - if (chunk->compressed_offset + chunk->compressed_size > bytestream2_get_bytes_left(gbc)) + if (chunk->compressed_offset + (uint64_t)chunk->compressed_size > bytestream2_get_bytes_left(gbc)) return AVERROR_INVALIDDATA; /* Chunks are unpacked sequentially, ctx->tex_size is the uncompressed From f59e526e09c0f4888045566c9bf315efd047b6ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Dec 2020 01:06:46 +0100 Subject: [PATCH 1188/1764] avformat/microdvddec: use 64bit for durations Fixes: signed integer overflow: 7 - -2147483647 cannot be represented in type 'int' Fixes: 28036/clusterfuzz-testcase-minimized-ffmpeg_dem_MICRODVD_fuzzer-5171698751766528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f569ac4ce0514bf4e0dd768c5ed007c82548d326) Signed-off-by: Michael Niedermayer --- libavformat/microdvddec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/microdvddec.c b/libavformat/microdvddec.c index 4ba32fd3d9..ab2a64f1a5 100644 --- a/libavformat/microdvddec.c +++ b/libavformat/microdvddec.c @@ -65,12 +65,12 @@ static int64_t get_pts(const char *buf) return AV_NOPTS_VALUE; } -static int get_duration(const char *buf) +static int64_t get_duration(const char *buf) { int frame_start, frame_end; if (sscanf(buf, "{%d}{%d}", &frame_start, &frame_end) == 2) - return frame_end - frame_start; + return frame_end - (int64_t)frame_start; return -1; } From da70d471ad830c0b6acfb4f31163dbeddcfd3322 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Dec 2020 01:24:42 +0100 Subject: [PATCH 1189/1764] avformat/voc_packet: Add a basic check on max_size Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 28127/clusterfuzz-testcase-minimized-ffmpeg_dem_VOC_fuzzer-4880586455646208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52f75181bfada2b4b127e744674591c7753c4b7d) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 1e2e19e1c3..9d7d2025cd 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -44,6 +44,8 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) AVINDEX_KEYFRAME); while (!voc->remaining_size) { + if (max_size < 4) + max_size = 0; type = avio_r8(pb); if (type == VOC_TYPE_EOF) return AVERROR_EOF; From 07b08082f023c7e373e8324617d515dd08339795 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2020 00:08:46 +0100 Subject: [PATCH 1190/1764] avformat/mov: Extend data_size check in mov_read_udta_string() Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int' Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74c4c539538e36d8df02de2484b045010d292f2c) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 957af54d22..cf2f0330e3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -402,7 +402,7 @@ retry: if (c->itunes_metadata && atom.size > 8) { int data_size = avio_rb32(pb); int tag = avio_rl32(pb); - if (tag == MKTAG('d','a','t','a') && data_size <= atom.size) { + if (tag == MKTAG('d','a','t','a') && data_size <= atom.size && data_size >= 16) { data_type = avio_rb32(pb); // type avio_rb32(pb); // unknown str_size = data_size - 16; From a3cac14fb92075cb9385c35bcd5b2a619ac968d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Mar 2021 23:24:37 +0100 Subject: [PATCH 1191/1764] avcodec/alsdec: Check bitstream input in read_block() Fixes: Timeout Fixes: 28110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5036338973507584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53d739db4e528388fae89459e887a633ffbce12c) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 8a8f82fb85..4511eec424 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1020,6 +1020,10 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) ALSSpecificConfig *sconf = &ctx->sconf; *bd->shift_lsbs = 0; + + if (get_bits_left(gb) < 1) + return AVERROR_INVALIDDATA; + // read block type flag and read the samples accordingly if (get_bits1(gb)) { ret = read_var_block_data(ctx, bd); From a072c4a1789941b5968e264f33099b6f8a1d18cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:03 +0100 Subject: [PATCH 1192/1764] avformat/dcstr: Check sample rate Fixes: signed integer overflow: -1300248894420254720 * 16 cannot be represented in type 'long' Fixes: 30879/clusterfuzz-testcase-minimized-ffmpeg_dem_DCSTR_fuzzer-5094464215449600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fdcb966f4a3c6f872891b8dd554e3652b9e02d4f) Signed-off-by: Michael Niedermayer --- libavformat/dcstr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dcstr.c b/libavformat/dcstr.c index 6035dd4334..8bcafc7663 100644 --- a/libavformat/dcstr.c +++ b/libavformat/dcstr.c @@ -43,6 +43,8 @@ static int dcstr_read_header(AVFormatContext *s) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = avio_rl32(s->pb); st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; codec = avio_rl32(s->pb); align = avio_rl32(s->pb); avio_skip(s->pb, 4); From ae9919bb6c0b45973aba012f86ba42486a7e25bb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 3 Mar 2021 10:49:04 +0100 Subject: [PATCH 1193/1764] avformat/aiffdec: Check that SSND is at least 8 bytes Fixes: Infinite loop Fixes: 30874/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-5933710488764416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 460d3dc41f57a6dcefbd72db6e2e368fee05340b) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index ceb7952a9c..7c88327e9c 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -285,6 +285,8 @@ static int aiff_read_header(AVFormatContext *s) get_meta(s, "comment" , size); break; case MKTAG('S', 'S', 'N', 'D'): /* Sampled sound chunk */ + if (size < 8) + return AVERROR_INVALIDDATA; aiff->data_end = avio_tell(pb) + size; offset = avio_rb32(pb); /* Offset of sound data */ avio_rb32(pb); /* BlockSize... don't care */ From af1a0cedb22c287cdc79f230082d9fec87a9823a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Oct 2020 00:23:12 +0200 Subject: [PATCH 1194/1764] avcodec/exr: skip bottom clearing loop when its outside the image Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in type 'int' Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index aec9505eb9..8dbe9e2696 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1819,10 +1819,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, avctx->execute2(avctx, decode_block, s->thread_data, NULL, nb_blocks); // Zero out the end if ymax+1 is not h - ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); - for (y = s->ymax + 1; y < avctx->height; y++) { - memset(ptr, 0, out_line_size); - ptr += picture->linesize[0]; + if ((s->ymax+1) < avctx->height) { + ptr = picture->data[0] + ((s->ymax+1) * picture->linesize[0]); + for (y = s->ymax + 1; y < avctx->height; y++) { + memset(ptr, 0, out_line_size); + ptr += picture->linesize[0]; + } } picture->pict_type = AV_PICTURE_TYPE_I; From e4f149a26f8f47274a7cfccef892cf09d4a7b6d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 14 Jan 2021 22:08:25 +0100 Subject: [PATCH 1195/1764] avformat/lxfdec: Fix multiple integer overflows related to track_size Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_LXF_fuzzer-6634030636335104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7819412f4468514a2bab924291d79806a569388c) Signed-off-by: Michael Niedermayer --- libavformat/lxfdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/lxfdec.c b/libavformat/lxfdec.c index 9b3eb6a650..b544966f5a 100644 --- a/libavformat/lxfdec.c +++ b/libavformat/lxfdec.c @@ -195,7 +195,7 @@ static int get_packet_header(AVFormatContext *s) return AVERROR_PATCHWELCOME; } - samples = track_size * 8 / st->codecpar->bits_per_coded_sample; + samples = track_size * 8LL / st->codecpar->bits_per_coded_sample; //use audio packet size to determine video standard //for NTSC we have one 8008-sample audio frame per five video frames @@ -210,6 +210,8 @@ static int get_packet_header(AVFormatContext *s) avpriv_set_pts_info(s->streams[0], 64, 1, 25); } + if (av_popcount(channels) * (uint64_t)track_size > INT_MAX) + return AVERROR_INVALIDDATA; //TODO: warning if track mask != (1 << channels) - 1? ret = av_popcount(channels) * track_size; From 15321c10b6e5772e7e874ac4e1b8a4feec90a872 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 23:56:43 +0100 Subject: [PATCH 1196/1764] avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() Fixes: negation of -2147483648 cannot be represented in type 'INTFLOAT' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 29057/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5642758933053440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 633924539aae73714facf31aa7001d01e8be48a1) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index a3bec6b04f..1d43e1f11e 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2777,7 +2777,7 @@ static void imdct_and_windowing_ld(AACContext *ac, SingleChannelElement *sce) static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce) { - INTFLOAT *in = sce->coeffs; + UINTFLOAT *in = sce->coeffs; INTFLOAT *out = sce->ret; INTFLOAT *saved = sce->saved; INTFLOAT *buf = ac->buf_mdct; From a3d5698106a16c6ba84949d3f1d2557c78e1c1e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Jan 2021 00:11:34 +0100 Subject: [PATCH 1197/1764] avformat/paf: Check for EOF before allocation in read_header() Fixes: OOM Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb1e9d3b9b97359e01e5978067c8ee558efa8b4) Signed-off-by: Michael Niedermayer --- libavformat/paf.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/paf.c b/libavformat/paf.c index a2d411c2f6..47b61c226a 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -136,6 +136,10 @@ static int read_header(AVFormatContext *s) p->start_offset = avio_rl32(pb); p->max_video_blks = avio_rl32(pb); p->max_audio_blks = avio_rl32(pb); + + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + if (p->buffer_size < 175 || p->max_audio_blks < 2 || p->max_video_blks < 1 || From 89e3962271d0f703f226de8d827f62e79def32e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Jan 2021 16:50:10 +0100 Subject: [PATCH 1198/1764] avformat/flvdec: Check double before cast in parse_keyframes_index() Fixes: -2.21166e+304 is outside the range of representable values of type 'long' Fixes: 29169/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5725452796821504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09e5e406c7b9d7c1ee97ebae1476a2f68e6a90d1) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 25ee352f8c..3ba2aedde3 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -426,9 +426,13 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m } for (i = 0; i < arraylen && avio_tell(ioc) < max_pos - 1; i++) { + double d; if (avio_r8(ioc) != AMF_DATA_TYPE_NUMBER) goto invalid; - current_array[0][i] = av_int2double(avio_rb64(ioc)); + d = av_int2double(avio_rb64(ioc)); + if (isnan(d) || d < INT64_MIN || d > INT64_MAX) + goto invalid; + current_array[0][i] = d; } if (times && filepositions) { // All done, exiting at a position allowing amf_parse_object From e7da859daab2a9948e59f96e00b30bc0e969a71f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Jan 2021 19:09:36 +0100 Subject: [PATCH 1199/1764] avcodec/dcadsp: Fix integer overflow in dmix_add_c() Fixes: signed integer overflow: 1515225320 + 759416059 cannot be represented in type 'int' Fixes: 29256/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_fuzzer-5719088561258496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4ebf483bcbf2e5db6bd29607142741f62598b4e) Signed-off-by: Michael Niedermayer --- libavcodec/dcadsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index fade1a6c02..f97874fbe6 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -328,7 +328,7 @@ static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] += mul15(src[i], coeff); + dst[i] += (unsigned)mul15(src[i], coeff); } static void dmix_scale_c(int32_t *dst, int scale, ptrdiff_t len) From ec0531808ec322fc18fc79a77edef9009ad2eeb9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Mar 2021 21:39:30 +0100 Subject: [PATCH 1200/1764] avcodec/4xm: Check pre_gb in decode_i_block() Fixes: Timeout Fixes: 31257/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5150866229297152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b87781649e2862d07fcb8d322289d89b47a530b6) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 2ee742fccd..5321b103af 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -498,8 +498,8 @@ static int decode_i_block(FourXContext *f, int16_t *block) { int code, i, j, level, val; - if (get_bits_left(&f->gb) < 2){ - av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->gb)); + if (get_bits_left(&f->pre_gb) < 2) { + av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(&f->pre_gb)); return AVERROR_INVALIDDATA; } From a477cc0379a439e51dc15922fdd9bd53c0b7c38d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 21:22:11 +0100 Subject: [PATCH 1201/1764] avcodec/ffv1dec: Check if trailer is available Fixes: out of array read Fixes: 29750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4808377272238080.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 36ad2f41e30ad9f2a8ead76e0b1526b9712f0925) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 10962fd2d7..68a06b1c5f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -865,8 +865,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int trailer = 3 + 5*!!f->ec; int v; - if (i || f->version > 2) v = AV_RB24(buf_p-trailer) + trailer; - else v = buf_p - c->bytestream_start; + if (i || f->version > 2) { + if (trailer > buf_p - buf) v = INT_MAX; + else v = AV_RB24(buf_p-trailer) + trailer; + } else v = buf_p - c->bytestream_start; if (buf_p - c->bytestream_start < v) { av_log(avctx, AV_LOG_ERROR, "Slice pointer chain broken\n"); ff_thread_report_progress(&f->picture, INT_MAX, 0); From 44ab20a67853069738d93888701b70761138a02c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Mar 2021 00:55:38 +0100 Subject: [PATCH 1202/1764] avcodec/flacdec: Avoid undefined shift in error case Fixes: flac_1040988 Reported-by: Thomas Guilbert Reviewed-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit bd525e2876bef428e896b8da5e5b5507451f4ed5) Signed-off-by: Michael Niedermayer --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 3d41a1af7f..42546728be 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -260,7 +260,7 @@ static int decode_residuals(FLACContext *s, int32_t *decoded, int pred_order) } else { int real_limit = tmp ? (INT_MAX >> tmp) + 2 : INT_MAX; for (; i < samples; i++) { - int v = get_sr_golomb_flac(&s->gb, tmp, real_limit, 0); + int v = get_sr_golomb_flac(&s->gb, tmp, real_limit, 1); if (v == 0x80000000){ av_log(s->avctx, AV_LOG_ERROR, "invalid residual\n"); return AVERROR_INVALIDDATA; From 87a22936cb55b04702403a98d64079d37d886171 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Feb 2021 20:20:48 +0100 Subject: [PATCH 1203/1764] avformat/mvi: Check audio size for more overflows Fixes: left shift of negative value -352256000 Fixes: 30837/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-5755626262888448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 403b35e16e16a8c4a13e531ccdc23598f685ca20) Signed-off-by: Michael Niedermayer --- libavformat/mvi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mvi.c b/libavformat/mvi.c index 0b53473671..6aad6cb86a 100644 --- a/libavformat/mvi.c +++ b/libavformat/mvi.c @@ -119,6 +119,10 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) mvi->video_frame_size = (mvi->get_int)(pb); if (mvi->audio_size_left == 0) return AVERROR(EIO); + if (mvi->audio_size_counter + 512 > UINT64_MAX - mvi->audio_frame_size || + mvi->audio_size_counter + 512 + mvi->audio_frame_size >= ((uint64_t)INT32_MAX) << MVI_FRAC_BITS) + return AVERROR_INVALIDDATA; + count = (mvi->audio_size_counter + mvi->audio_frame_size + 512) >> MVI_FRAC_BITS; if (count > mvi->audio_size_left) count = mvi->audio_size_left; From 862b1ca108f03d372b5353ad639fcb821831a3dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Mar 2021 13:44:12 +0100 Subject: [PATCH 1204/1764] avutil/timecode: Avoid fps overflow Fixes: Integer overflow and division by 0 Fixes: poc-202102-div.mov Found-by: 1vanChen of NSFOCUS Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c94875471e3ba3dc396c6919ff3ec9b14539cd71) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 6bdbebdb82..2ca7dbecc6 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -96,8 +96,8 @@ char *av_timecode_make_string(const AVTimecode *tc, char *buf, int framenum) } ff = framenum % fps; ss = framenum / fps % 60; - mm = framenum / (fps*60) % 60; - hh = framenum / (fps*3600); + mm = framenum / (fps*60LL) % 60; + hh = framenum / (fps*3600LL); if (tc->flags & AV_TIMECODE_FLAG_24HOURSMAX) hh = hh % 24; snprintf(buf, AV_TIMECODE_STR_SIZE, "%s%02d:%02d:%02d%c%02d", From fcc7bc3cd5df67cc30aa5685c3b9424001690fd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:47:06 +0100 Subject: [PATCH 1205/1764] avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() Fixes: memleak Fixes: 30909/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4886284057313280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 337984c13327bc67e1e9e3e9bfd743cfbfbc42f8) Signed-off-by: Michael Niedermayer --- libavformat/voc_packet.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/libavformat/voc_packet.c b/libavformat/voc_packet.c index 9d7d2025cd..e5ae0be1de 100644 --- a/libavformat/voc_packet.c +++ b/libavformat/voc_packet.c @@ -51,14 +51,22 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) return AVERROR_EOF; voc->remaining_size = avio_rl24(pb); if (!voc->remaining_size) { + int64_t filesize; if (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL)) return AVERROR(EIO); - voc->remaining_size = avio_size(pb) - avio_tell(pb); + filesize = avio_size(pb); + if (filesize - avio_tell(pb) > INT_MAX) + return AVERROR_INVALIDDATA; + voc->remaining_size = filesize - avio_tell(pb); } max_size -= 4; switch (type) { case VOC_TYPE_VOICE_DATA: + if (voc->remaining_size < 2) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = 1000000 / (256 - avio_r8(pb)); if (sample_rate) @@ -87,6 +95,10 @@ ff_voc_get_packet(AVFormatContext *s, AVPacket *pkt, AVStream *st, int max_size) break; case VOC_TYPE_NEW_VOICE_DATA: + if (voc->remaining_size < 12) { + voc->remaining_size = 0; + return AVERROR_INVALIDDATA; + } if (!par->sample_rate) { par->sample_rate = avio_rl32(pb); avpriv_set_pts_info(st, 64, 1, par->sample_rate); From 5e01c257411364511a5259d51a21fec0ffbe7575 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Mar 2021 20:07:13 +0100 Subject: [PATCH 1206/1764] avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() Fixes: Timeout Fixes: 30912/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5556235476795392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8a3fea802a3e4274dbe084d372ec8aeab3932b3e) Signed-off-by: Michael Niedermayer --- libavcodec/jpegls.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpegls.h b/libavcodec/jpegls.h index c8997c7861..060ded9df8 100644 --- a/libavcodec/jpegls.h +++ b/libavcodec/jpegls.h @@ -97,7 +97,7 @@ static inline void ff_jpegls_downscale_state(JLSState *state, int Q) static inline int ff_jpegls_update_state_regular(JLSState *state, int Q, int err) { - if(FFABS(err) > 0xFFFF) + if(FFABS(err) > 0xFFFF || FFABS(err) > INT_MAX - state->A[Q]) return -0x10000; state->A[Q] += FFABS(err); err *= state->twonear; From e9871b10a9f0f38d227147fa90e2b95fbcbe4bab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Feb 2021 19:55:03 +0100 Subject: [PATCH 1207/1764] avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS Fixes: signed integer overflow: 1172577312 * 2 cannot be represented in type 'int' Fixes: 29924/clusterfuzz-testcase-minimized-ffmpeg_dem_BOA_fuzzer-4882912874594304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f441b9063281d8ef5d4c30b10379d08aad8924f) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index bb352c6597..55644a9b61 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1869,7 +1869,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_RAD: return blocks * ((ba - 4 * ch) * 2 / ch); case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2 / ch); + return blocks * (2 + (ba - 7 * ch) * 2LL / ch); case AV_CODEC_ID_ADPCM_MTAF: return blocks * (ba - 16) * 2 / ch; } From f7e195bdd31820fa5eed0aa935798658956f214c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Jan 2021 21:18:36 +0100 Subject: [PATCH 1208/1764] avformat/matroskadec: Check for EOF in resync loop Fixes: Timeout (too long -> instantly) Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672 Reviewed-by: Andreas Rheinhardt Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5282147d0c92ac821e85b93e2db6704f4720e0c1) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index cf21cb9463..7c00b5b764 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2620,6 +2620,8 @@ static int matroska_read_header(AVFormatContext *s) goto fail; pos = avio_tell(matroska->ctx->pb); res = ebml_parse(matroska, matroska_segment, matroska); + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF + goto fail; } matroska_execute_seekhead(matroska); From 36ee2ff37aa6c856e9f6d26136e4d00836076aa1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Mar 2021 13:14:39 +0100 Subject: [PATCH 1209/1764] avcodec/speedhq: Width < 8 is not supported Fixes: out of array access Fixes: 31733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4704307963363328 Fixes: 31736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6190960292790272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462b8261aa3c4f9844b2e050c74b9a2018e3649d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 6d3487ca19..8897611ec7 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4) + if (buf_size < 4 || avctx->width < 8) return AVERROR_INVALIDDATA; quality = buf[0]; From 5c3e6406244201ba3886cf2d0df99b84a3411cd4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Mar 2021 16:30:08 +0100 Subject: [PATCH 1210/1764] avcodec/mpeg4videoenc: Check extradata malloc() Fixes: Null pointer dereference Fixes: any mpeg4 testcase which fails the malloc at that exact spot Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 33a1687bf623cdd5c6ffe8f63024d22ed20b4ead) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videoenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 2cd5a8c015..2d9d6cd654 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -1306,6 +1306,8 @@ static av_cold int encode_init(AVCodecContext *avctx) if (s->avctx->flags & AV_CODEC_FLAG_GLOBAL_HEADER) { s->avctx->extradata = av_malloc(1024); + if (!s->avctx->extradata) + return AVERROR(ENOMEM); init_put_bits(&s->pb, s->avctx->extradata, 1024); if (!(s->workaround_bugs & FF_BUG_MS)) From 6114ba9ee17951ebeebf52422faecaee54255521 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Mar 2021 20:27:50 +0100 Subject: [PATCH 1211/1764] avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() Fixes: signed integer overflow: 2314885530818453536 - -9070214327174160352 cannot be represented in type 'long' Fixes: 31000/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-6558389742206976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit be08b84f8bb7acc0c45800c7f488399327a22961) Signed-off-by: Michael Niedermayer --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index d92bb38c45..a7bb351ee5 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -188,7 +188,7 @@ static uint64_t frac64(uint64_t a, uint64_t b) static uint64_t phi_at(struct ws_interval *in, int64_t ts) { - uint64_t dt = ts - in->ts_start; + uint64_t dt = ts - (uint64_t)in->ts_start; uint64_t dt2 = dt & 1 ? /* dt * (dt - 1) / 2 without overflow */ dt * ((dt - 1) >> 1) : (dt >> 1) * (dt - 1); return in->phi0 + dt * in->dphi0 + dt2 * in->ddphi; From cf88ca01da0e98992f1dddcf9ce3cfc35353d5a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 17 Mar 2021 23:39:04 +0100 Subject: [PATCH 1212/1764] avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() Fixes: signed integer overflow: 2 * 1914708000 cannot be represented in type 'int' Fixes: 31639/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6303428239294464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d35677736a59ec6579b4da63d9b1444986ba339e) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index cf2f0330e3..ee5d834dce 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2023,7 +2023,7 @@ static void mov_parse_stsd_audio(MOVContext *c, AVIOContext *pb, } bits_per_sample = av_get_bits_per_sample(st->codecpar->codec_id); - if (bits_per_sample) { + if (bits_per_sample && (bits_per_sample >> 3) * (uint64_t)st->codecpar->channels <= INT_MAX) { st->codecpar->bits_per_coded_sample = bits_per_sample; sc->sample_size = (bits_per_sample >> 3) * st->codecpar->channels; } From 225d542c34e668982c712b0f628f455803f14a55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 10:59:19 +0100 Subject: [PATCH 1213/1764] avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb Fixes: null pointer dereference Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit f733688d30021587c3f3a1b280d6ece8b04f26ff) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 9e71dcfc6f..f47e436f86 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1251,7 +1251,7 @@ start_sync: AVStream *st1 = s->streams[1]; AVIStream *ast1 = st1->priv_data; // workaround for broken small-file-bug402.avi - if ( d[2] == 'w' && d[3] == 'b' + if (ast1 && d[2] == 'w' && d[3] == 'b' && n == 0 && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO From c932b82cc9bb57071d8eda9dd5151383963a9559 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Mar 2021 18:01:52 +0100 Subject: [PATCH 1214/1764] avformat/movenc: Avoid loosing cluster array on failure Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 5c2ff44f915d6ceeea36a2f99e534562764218dd) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 9fbfd9645c..623a8f6b47 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5173,11 +5173,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (trk->entry >= trk->cluster_capacity) { unsigned new_capacity = 2 * (trk->entry + MOV_INDEX_CLUSTER_SIZE); - if (av_reallocp_array(&trk->cluster, new_capacity, - sizeof(*trk->cluster))) { + void *cluster = av_realloc_array(trk->cluster, new_capacity, sizeof(*trk->cluster)); + if (!cluster) { ret = AVERROR(ENOMEM); goto err; } + trk->cluster = cluster; trk->cluster_capacity = new_capacity; } From 564a4331fdb511820eda8eb40fa72cfd607a2ba2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 17:02:36 +0100 Subject: [PATCH 1215/1764] avcodec/h264_slice: Check sps in h264_slice_header_init() Fixes: null pointer dereference Fixes: h264_slice_header_init.mp4 Found-by: Rafael Dutra Tested-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 80472438996ed1928b30f6ac4e0d17a492de2cdf) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index c9c475d73c..6952feaa2d 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -915,6 +915,11 @@ static int h264_slice_header_init(H264Context *h) const SPS *sps = h->ps.sps; int i, ret; + if (!sps) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + ff_set_sar(h->avctx, sps->sar); av_pix_fmt_get_chroma_sub_sample(h->avctx->pix_fmt, &h->chroma_x_shift, &h->chroma_y_shift); From f5e2d548f13d211759f5fc45a7f17520dc2686cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Feb 2021 22:58:53 +0100 Subject: [PATCH 1216/1764] avformat/flvdec: Check array entry number Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5d8fe1c874947ca67ee8117b18f8052f0e590fc) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 3ba2aedde3..70622e261b 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -827,6 +827,8 @@ static int amf_skip_tag(AVIOContext *pb, AMFDataType type, int depth) parse_name = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = avio_rb32(pb); + if (nb < 0) + return AVERROR_INVALIDDATA; case AMF_DATA_TYPE_OBJECT: while(!pb->eof_reached && (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY)) { if (parse_name) { From 843437a14a1b9518738d551aeeaec48e7eea2591 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 23:05:17 +0100 Subject: [PATCH 1217/1764] avcodec/sonic: Use unsigned temporary in predictor_calc_error() Fixes: signed integer overflow: -2147471366 - 18638 cannot be represented in type 'int' Fixes: 30157/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5171199746506752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 075d793ba87635b77f8302d8a454fa681f90d267) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 2dc04846ab..9498919d2f 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -475,13 +475,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error) for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { int k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); + x -= (unsigned)shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * (unsigned)x, LATTICE_SHIFT); } #else for (i = order-2; i >= 0; i--) { - x -= shift_down(k[i] * state[i], LATTICE_SHIFT); + x -= (unsigned)shift_down(k[i] * state[i], LATTICE_SHIFT); state[i+1] = state[i] + shift_down(k[i] * x, LATTICE_SHIFT); } #endif From 578b4ce853b86ca19a9c4f5f2ca5fe9e26c95976 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Mar 2021 19:21:35 +0100 Subject: [PATCH 1218/1764] avformat/cafdec: Do not build an index if all packets are the same Fixes: Timeout Fixes: 28214/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6495999421579264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ea12590c8ecc1e3c4c7732e5adced21fb5feffa6) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 70005aa3d0..197001667c 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -206,15 +206,20 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) st->nb_frames += avio_rb32(pb); /* priming frames */ st->nb_frames += avio_rb32(pb); /* remainder frames */ - st->duration = 0; - for (i = 0; i < num_packets; i++) { - if (avio_feof(pb)) - return AVERROR_INVALIDDATA; - ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); - if (ret < 0) - return ret; - pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); - st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { + st->duration = caf->frames_per_packet * num_packets; + pos = caf-> bytes_per_packet * num_packets; + } else { + st->duration = 0; + for (i = 0; i < num_packets; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + ret = av_add_index_entry(s->streams[0], pos, st->duration, 0, 0, AVINDEX_KEYFRAME); + if (ret < 0) + return ret; + pos += caf->bytes_per_packet ? caf->bytes_per_packet : ff_mp4_read_descr_len(pb); + st->duration += caf->frames_per_packet ? caf->frames_per_packet : ff_mp4_read_descr_len(pb); + } } if (avio_tell(pb) - ccount > size) { From bc4a1f63fb3d30c8974a6fdcd821108f95d8a36b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Mar 2021 00:30:45 +0100 Subject: [PATCH 1219/1764] avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid Fixes: signed integer overflow: 539033600 - -1910497124 cannot be represented in type 'int' Fixes: 30928/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5922630966312960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f74661543c0c336e88846f90608fda7bd12deac) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index f3103c0790..d5e318abed 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -818,6 +818,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 92) + return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; } @@ -832,6 +834,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); + if (size < 0 || size > INT_MAX - 76) + return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; } From 8adb20d3de90411c8cba39e058ca83547788f25f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Mar 2021 09:47:43 +0100 Subject: [PATCH 1220/1764] avutil/common: Add FF_PTR_ADD() Suggested-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 522a5259e9cc17faf1f83c9cfb93c960a2ecf8a2) Signed-off-by: Michael Niedermayer --- libavutil/internal.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavutil/internal.h b/libavutil/internal.h index a2d73e3cc6..28f889e27f 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -166,6 +166,8 @@ }\ } +#define FF_PTR_ADD(ptr, off) ((off) ? (ptr) + (off) : (ptr)) + #include "libm.h" /** From 5ca2ee38e805b9242360020241ed8f01be89c05b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Feb 2021 21:43:45 +0100 Subject: [PATCH 1221/1764] avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() Found-by: Jeremy Leconte Signed-off-by: Michael Niedermayer (cherry picked from commit 1cf96ce269364e3c2b4ec2097f121ad42b336839) Signed-off-by: Michael Niedermayer --- libavfilter/vf_scale.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 3329c12346..d8a1fe7f56 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -388,8 +388,8 @@ static int scale_slice(AVFilterLink *link, AVFrame *out_buf, AVFrame *cur_pic, s int vsub= ((i+1)&2) ? scale->vsub : 0; in_stride[i] = cur_pic->linesize[i] * mul; out_stride[i] = out_buf->linesize[i] * mul; - in[i] = cur_pic->data[i] + ((y>>vsub)+field) * cur_pic->linesize[i]; - out[i] = out_buf->data[i] + field * out_buf->linesize[i]; + in[i] = FF_PTR_ADD(cur_pic->data[i], ((y>>vsub)+field) * cur_pic->linesize[i]); + out[i] = FF_PTR_ADD(out_buf->data[i], field * out_buf->linesize[i]); } if(scale->input_is_pal) in[1] = cur_pic->data[1]; From 5c9eaff60c12628c697f178e9b2474980d276e84 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 2 Feb 2021 17:29:23 +0100 Subject: [PATCH 1222/1764] avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long' Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b37ff29e0e093b15585e9fb44bbd82bdf14b5230) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 92cdd3cc11..2351be972d 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1250,7 +1250,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From e6d3ace07ea8b0fc1a2a0a7d7fa7ac66b5c9e98f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 24 Mar 2021 17:03:08 +0100 Subject: [PATCH 1223/1764] avformat/mov: Ignore multiple STSC / STCO Fixes: STSC / STCO inconsistency and assertion failure Fixes: crbug1184666.mp4 Found-by: Chromium ASAN fuzzer Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2611d20d353026f996cb9aaced8b35db37f490d4) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ee5d834dce..827fb9fcb9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1791,8 +1791,10 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->chunk_offsets) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STCO atom\n"); + if (sc->chunk_offsets) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STCO atom\n"); + return 0; + } av_free(sc->chunk_offsets); sc->chunk_count = 0; sc->chunk_offsets = av_malloc_array(entries, sizeof(*sc->chunk_offsets)); @@ -2444,8 +2446,10 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (!entries) return 0; - if (sc->stsc_data) - av_log(c->fc, AV_LOG_WARNING, "Duplicated STSC atom\n"); + if (sc->stsc_data) { + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicated STSC atom\n"); + return 0; + } av_free(sc->stsc_data); sc->stsc_count = 0; sc->stsc_data = av_malloc_array(entries, sizeof(*sc->stsc_data)); From 9689bc0c5c5c527e628ddb4de13d6708c2815f36 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Mar 2021 15:22:35 +0100 Subject: [PATCH 1224/1764] avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() Fixes: out of array access Fixes: 31201/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4627865612189696.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87d87e6587deec1fa8ed5f5c6901535becdb0358) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index c4089972f0..7c611cfdb0 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c @@ -1071,6 +1071,13 @@ int ff_mpv_common_frame_size_change(MpegEncContext *s) (err = av_image_check_size(s->width, s->height, 0, s->avctx)) < 0) goto fail; + /* set chroma shifts */ + err = av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, + &s->chroma_x_shift, + &s->chroma_y_shift); + if (err < 0) + return err; + if ((err = init_context_frame(s))) goto fail; From 5911f7bbf1df4c44e4cca660c9b34b669778c641 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Mar 2021 14:36:28 +0100 Subject: [PATCH 1225/1764] avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() Fixes: crash Fixes: check_pkt.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit ceae92cb291c2536a93482cdf3c1ae3f7330b924) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 6952feaa2d..dbdbd6093d 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -296,9 +296,8 @@ int ff_h264_update_thread_context(AVCodecContext *dst, if (dst == src) return 0; - // We can't fail if SPS isn't set at it breaks current skip_frame code - //if (!h1->ps.sps) - // return AVERROR_INVALIDDATA; + if (inited && !h1->ps.sps) + return AVERROR_INVALIDDATA; if (inited && (h->width != h1->width || From 3264d9f546ae6025f4892a4da1d0ad222bca1bc1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 11:03:56 +0200 Subject: [PATCH 1226/1764] avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int' Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cf2fd9204b3c707d9e414583b043ee88b8e8c52e) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 153e9eb930..db196c14d0 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -299,7 +299,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, ast->deint_id == DEINT_ID_GENR || ast->deint_id == DEINT_ID_SIPR) { if (st->codecpar->block_align <= 0 || - ast->audio_framesize * sub_packet_h > (unsigned)INT_MAX || + ast->audio_framesize * (uint64_t)sub_packet_h > (unsigned)INT_MAX || ast->audio_framesize * sub_packet_h < st->codecpar->block_align) return AVERROR_INVALIDDATA; if (av_new_packet(&ast->pkt, ast->audio_framesize * sub_packet_h) < 0) From f4916e5c97d89ece33e96e7fe850f84d89559a76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Mar 2021 13:22:14 +0200 Subject: [PATCH 1227/1764] avcodec/pnm_parser: Check image size addition for overflow Fixes: assertion failure Fixes: out of array access Fixes: 32664/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6533642202513408.fuzz Fixes: 32669/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6001928875147264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79ac8d55468adc9cb9a0908e671807a2a789b7d0) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 036ee97914..bdb2d07823 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -62,7 +62,7 @@ retry: } else { int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); next = pnmctx.bytestream - pnmctx.bytestream_start; - if (ret >= 0) + if (ret >= 0 && next + (uint64_t)ret <= INT_MAX) next += ret; if (pnmctx.bytestream_start != buf) next -= pc->index; From 6128c6f3384052696d97ffacfc79d5d374eb3991 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Apr 2021 21:04:12 +0200 Subject: [PATCH 1228/1764] avcodec/dpx: Check bits_per_color earlier Fixes: shift exponent 251 is too large for 32-bit type 'int' Fixes: 32147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5519111675314176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c093eb30311b7148a4da1c7555498187c8cdf0db) Signed-off-by: Michael Niedermayer --- libavcodec/dpx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index 1aa2cbd1c8..2b981898a0 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -147,6 +147,9 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if (bits_per_color > 32) + return AVERROR_INVALIDDATA; + buf += 820; avctx->sample_aspect_ratio.num = read32(&buf, endian); avctx->sample_aspect_ratio.den = read32(&buf, endian); From b4eeac2a1bb3b061783bfcb203c968413d1ccb70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Apr 2021 22:46:13 +0200 Subject: [PATCH 1229/1764] avformat/cafdec: Check channels Fixes: signed integer overflow: -1184429040541376544 * 32 cannot be represented in type 'long' Fixes: 31788/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6236746338664448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 641c1db22bb27752b925293ad93f68843baa43bf) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 197001667c..4817b90b0b 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -79,7 +79,7 @@ static int read_desc_chunk(AVFormatContext *s) st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); - if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || st->codecpar->channels < 0) return AVERROR_INVALIDDATA; /* calculate bit rate for constant size packets */ From 175c3a090471dc198aaa0f3cd36f593fd4f2e690 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Apr 2021 20:32:55 +0200 Subject: [PATCH 1230/1764] avcodec/utils: Check ima wav duration for overflow Fixes: signed integer overflow: 44331634 * 65 cannot be represented in type 'int' Fixes: 32120/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5760221223583744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f40e9b13554d88cbdd6cd2b4a3da2cbea9590f5d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 55644a9b61..3af627175f 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1857,11 +1857,15 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; + int64_t tmp; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + if (tmp != (int)tmp) + return 0; + return tmp; case AV_CODEC_ID_ADPCM_IMA_DK3: return blocks * (((ba - 16) * 2 / 3 * 4) / ch); case AV_CODEC_ID_ADPCM_IMA_DK4: From 7cd4ac4b2d29c4875f79a281dbbe145bdf2d1c4a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Apr 2021 20:08:22 +0200 Subject: [PATCH 1231/1764] avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() Fixes: Timeout Fixes: 32886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4779761466474496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b3881f0da6da00cb6b5b123328e2fbfca936c47) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 2a1d2bc3f6..400458b994 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -224,7 +224,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, run = 0; mode = !mode; } else if ((int)t == -1) { - if (show_bits(gb, 12) == 15) { + if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) { int ret; skip_bits(gb, 12); ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode); From 069ea22b51dda3b346842039d0357a6f84c99124 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:41 +0200 Subject: [PATCH 1232/1764] avformat/wtvdec: Improve size overflow checks in parse_chunks() Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit f8ec1da8ac8e3daf2403e744f166ea9557b2d333) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index d5e318abed..0ca7a79140 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -818,7 +818,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 92) + if (size < 0 || size > INT_MAX - 92 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; @@ -834,7 +834,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 76) + if (size < 0 || size > INT_MAX - 76 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; From 13a3dc95b913fc35229f909e75b687acf183e6dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 20:23:44 +0200 Subject: [PATCH 1233/1764] avformat/id3v2: Check end for overflow in id3v2_parse() Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long' Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit efdb56450418933965dc6e27f0b1625d25e44a8c) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 8f8ffc416f..a1ef29ab01 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -827,7 +827,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; @@ -839,6 +839,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_unused int uncompressed_buffer_size = 0; const char *comm_frame; + if (end > INT64_MAX - len - 10) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { From 0a123f3b676733e9b9dba5b6cb27bd8590fb3824 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:16:20 +0200 Subject: [PATCH 1234/1764] avformat/asfdec_o: Use ff_get_extradata() Fixes: OOM Fixes: 27240/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5937469859823616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 098314e1e5142aa2b53dc5371a9d01eb09ddd30f) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 7d60b37b21..40a24b15df 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -694,7 +694,7 @@ static int asf_read_properties(AVFormatContext *s, const GUIDParseTable *g) return 0; } -static int parse_video_info(AVIOContext *pb, AVStream *st) +static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream *st) { uint16_t size_asf; // ASF-specific Format Data size uint32_t size_bmp; // BMP_HEADER-specific Format Data size @@ -709,19 +709,10 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE && - size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { - int ret; - st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; - if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + - AV_INPUT_BUFFER_PADDING_SIZE))) { - st->codecpar->extradata_size = 0; - return AVERROR(ENOMEM); - } - memset(st->codecpar->extradata + st->codecpar->extradata_size , 0, - AV_INPUT_BUFFER_PADDING_SIZE); - if ((ret = avio_read(pb, st->codecpar->extradata, - st->codecpar->extradata_size)) < 0) + if (size_bmp > BMP_HEADER_SIZE) { + int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - BMP_HEADER_SIZE); + + if (ret < 0) return ret; } return 0; @@ -802,7 +793,7 @@ static int asf_read_stream_properties(AVFormatContext *s, const GUIDParseTable * break; case AVMEDIA_TYPE_VIDEO: asf_st->type = AVMEDIA_TYPE_VIDEO; - if ((ret = parse_video_info(pb, st)) < 0) + if ((ret = parse_video_info(s, pb, st)) < 0) return ret; break; default: From 2a5d44e3cb461a172e4bbb86de1fd9ee9ad42a32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 2 May 2021 15:49:55 +0200 Subject: [PATCH 1235/1764] avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent Fixes: tickets/3933/128.jls Signed-off-by: Michael Niedermayer (cherry picked from commit 011006874cb46325b6bc83234f81879ff421c05f) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index de1875ce30..a8d9eaa18a 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->avctx->pix_fmt = AV_PIX_FMT_PAL8; for (i=s->palette_index; i<=maxtab; i++) { uint8_t k = i << shift; - pal[k] = 0; + pal[k] = wt < 4 ? 0xFF000000 : 0; for (j=0; jgb, 8) << (8*(wt-j-1)); } From 78da48bb741cdcd1adfa3ea99ba96bd5e2add3d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Apr 2021 21:21:27 +0200 Subject: [PATCH 1236/1764] avcodec/utils: treat PAL8 for jpegs similar to other colorspaces Fixes: out of array access Fixes: 33713/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5778775641030656 Fixes: 33717/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4960397238075392 Fixes: 33718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-5314270096130048.fuzz Fixes: 33719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5352721864589312 Fixes: 33721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5938892055379968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0ce023ddb8863d16ab650fcc0731851a55db084) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 3af627175f..13f8804fbc 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -395,6 +395,16 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, w_align = 8; h_align = 8; } + if (s->codec_id == AV_CODEC_ID_MJPEG || + s->codec_id == AV_CODEC_ID_MJPEGB || + s->codec_id == AV_CODEC_ID_LJPEG || + s->codec_id == AV_CODEC_ID_SMVJPEG || + s->codec_id == AV_CODEC_ID_AMV || + s->codec_id == AV_CODEC_ID_SP5X || + s->codec_id == AV_CODEC_ID_JPEGLS) { + w_align = 8; + h_align = 2*8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || From 4da6a183950b17c985896a40ab1caca163bf5513 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:58:50 +0200 Subject: [PATCH 1237/1764] avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() Fixes: infinite loop Fixes: 33674/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4816457818046464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 08d2df41538b583932c1a6772e3c8978a2334107) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 400458b994..469999e046 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -206,6 +206,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int run = 0; unsigned int t; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); run += t; if (t < 64) { @@ -251,7 +253,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, unsigned int offs = 0, run = 0; while (offs < width) { - int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); + int cmode; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); if (cmode == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n"); return AVERROR_INVALIDDATA; From 1c48b56a0ea8aea8ff061735ef176bc2a88ab8e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:44:13 +0200 Subject: [PATCH 1238/1764] avformat/mvdec: Check sample rate in parse_audio_var() Fixes: signed integer overflow: -635424002382840000 * 16 cannot be represented in type 'long' Fixes: 33612/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5704741108711424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 0ff60249a57cba00ab679ca6190a802cc0c7b9c7) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index d5bc38e874..3e483ebf70 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -157,6 +157,8 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { st->codecpar->sample_rate = var_read_int(pb, size); + if (st->codecpar->sample_rate <= 0) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; From 78f4185041523dced28fcee73f7934d76c442d61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Apr 2021 22:33:06 +0200 Subject: [PATCH 1239/1764] avformat/utils: Use 64bit earlier in r_frame_rate check Fixes: signed integer overflow: 1406796319 * 2 cannot be represented in type 'int' Fixes: 32777/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5632576913014784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 578633fc1ac8c02a36a706bd71f775550412d1e1) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2351be972d..cc5a06b127 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3955,7 +3955,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { + <= avctx->time_base.num * (uint64_t)avctx->ticks_per_frame * st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { From 34880e35418b5fed42281adf1c8bb6e92ad2dce3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:30:17 +0200 Subject: [PATCH 1240/1764] avformat/mov: Limit nb_chapter_tracks to input size Fixes: Timeout (15k loop iterations instead of 400m) Fixes: 31368/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6601583174483968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 299a56c9006b2eb8807c3e3efefb91a78fe6b3b2) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 827fb9fcb9..68959a583d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4304,6 +4304,8 @@ static int mov_read_chap(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < num && !pb->eof_reached; i++) c->chapter_tracks[i] = avio_rb32(pb); + c->nb_chapter_tracks = i; + return 0; } From 7ba104475ac5dca2f1e2bbe4802e33e911920510 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 13:37:26 +0200 Subject: [PATCH 1241/1764] avformat/mov: Ignore duplicate CoLL Fixes: memleak Fixes: 32146/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5377612845285376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9548dc74d8db2bc002e1195dbd076f621f5c3ea1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 68959a583d..83abdd4a47 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4885,6 +4885,11 @@ static int mov_read_coll(MOVContext *c, AVIOContext *pb, MOVAtom atom) } avio_skip(pb, 3); /* flags */ + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); From c46b016b1d455266c71a4349142de3d5ee1e8a70 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Apr 2021 15:50:43 +0200 Subject: [PATCH 1242/1764] avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() Fixes: Timeout Fixes: 33156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-6259655027326976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38c47615880357314ba30727a85bf7b00989706a) Signed-off-by: Michael Niedermayer --- libavcodec/vc1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index f88c83d7e4..86f72f32f4 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -676,6 +676,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) if (v->s.pict_type == AV_PICTURE_TYPE_P) v->rnd ^= 1; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; /* Quantizer stuff */ pqindex = get_bits(gb, 5); if (!pqindex) @@ -768,6 +770,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: " "Imode: %i, Invert: %i\n", status>>1, status&1); + if (get_bits_left(gb) < 4) + return AVERROR_INVALIDDATA; + /* Hopefully this is correct for P-frames */ v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables v->cbpcy_vlc = &ff_vc1_cbpcy_p_vlc[get_bits(gb, 2)]; From fcff15dc06d79f52bdc61b5fb7bf69f76520be57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 May 2021 21:16:52 +0200 Subject: [PATCH 1243/1764] avformat/avio: Check av_opt_copy() for failure Fixes: CID1477416 Unchecked return value Signed-off-by: Michael Niedermayer (cherry picked from commit f8611ae1efc47fbe1aff140c89bee4fd1d62d3e1) Signed-off-by: Michael Niedermayer --- libavformat/avio.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avio.c b/libavformat/avio.c index 64248e098b..772aeb3456 100644 --- a/libavformat/avio.c +++ b/libavformat/avio.c @@ -314,8 +314,11 @@ int ffurl_open_whitelist(URLContext **puc, const char *filename, int flags, int ret = ffurl_alloc(puc, filename, flags, int_cb); if (ret < 0) return ret; - if (parent) - av_opt_copy(*puc, parent); + if (parent) { + ret = av_opt_copy(*puc, parent); + if (ret < 0) + goto fail; + } if (options && (ret = av_opt_set_dict(*puc, options)) < 0) goto fail; From 95cacdbbca75e18cfad508d2c95beb01abe4502b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Apr 2021 20:24:21 +0200 Subject: [PATCH 1244/1764] avcodec/exr: x/ymax cannot be INT_MAX The code uses x/ymax + 1 so the maximum is INT_MAX-1 Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 33158/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5545462457303040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48342aa0750f83006582d1598b5f22297f6dbf83) Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 8dbe9e2696..6bbd77d8ca 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1530,6 +1530,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) ymax = bytestream2_get_le32(&s->gb); if (xmin > xmax || ymin > ymax || + ymax == INT_MAX || xmax == INT_MAX || (unsigned)xmax - xmin >= INT_MAX || (unsigned)ymax - ymin >= INT_MAX) { ret = AVERROR_INVALIDDATA; From 00446f74ad5d8b89202f5f5234b1720ed3b901a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 21:37:26 +0200 Subject: [PATCH 1245/1764] avcodec/aacenc: Avoid 0 lambda Fixes: Ticket8003 Fixes: CVE-2020-20453 Signed-off-by: Michael Niedermayer (cherry picked from commit a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 11da260742..9eaf92b04b 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -28,6 +28,7 @@ * TODOs: * add sane pulse detection ***********************************/ +#include #include "libavutil/libm.h" #include "libavutil/thread.h" @@ -808,7 +809,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = FFMIN(s->lambda * ratio, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From f07177cb7165cba55abbf6426345524bf97c5ced Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:18:25 +0200 Subject: [PATCH 1246/1764] avcodec/aacpsy: Avoid floating point division by 0 of norm_fac Fixes: Ticket7995 Fixes: CVE-2020-20446 Signed-off-by: Michael Niedermayer (cherry picked from commit 223b5e8ac9f6461bb13ed365419ec485c5b2b002) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index fca692cb15..bd444fecdc 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int channel, if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g]; From 3d97ab7dad9f3fa84ec2e1a0ac2f5697971ddd0e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 May 2021 20:31:19 +0200 Subject: [PATCH 1247/1764] avcodec/lpc: Avoid floating point division by 0 Fixes: Ticket7996 Fixes: CVE-2020-20445 Signed-off-by: Michael Niedermayer (cherry picked from commit 38d18fb57863bb9c54e68ae44aa780c5c282a184) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 2 +- libavcodec/lpc.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index f8da1e1266..c990cfc6c3 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -188,7 +188,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float *samples, int len, compute_ref_coefs(autoc, order, ref, error); for (i = 0; i < order; i++) avg_err = (avg_err + error[i])/2.0f; - return signal/avg_err; + return avg_err ? signal/avg_err : NAN; } /** diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 88ca247f87..52170fd623 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -143,7 +143,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen0[i] = gen1[i] = autoc[i + 1]; err = autoc[0]; - ref[0] = -gen1[0] / err; + ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[0]; if (error) error[0] = err; @@ -152,7 +152,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order, gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j]; gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j]; } - ref[i] = -gen1[0] / err; + ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[i]; if (error) error[i] = err; From a4a70c156850dfbf1362736e5bc5ac07162a7129 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 09:22:27 +0200 Subject: [PATCH 1248/1764] avformat/movenc: Check pal_size before use Fixes: assertion failure Fixes: out of array read Fixes: Ticket8190 Fixes: CVE-2020-22015 Signed-off-by: Michael Niedermayer (cherry picked from commit 4c1afa292520329eecd1cc7631bc59a8cca95c46) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 623a8f6b47..d69e0e543d 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1867,11 +1867,13 @@ static int mov_write_video_tag(AVIOContext *pb, MOVMuxContext *mov, MOVTrack *tr avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { - int pal_size = 1 << track->par->bits_per_coded_sample; - int i; + int pal_size, i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ + if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) + return AVERROR(EINVAL); + pal_size = 1 << track->par->bits_per_coded_sample; avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i]; From c2ae30188823e6c25183283607495c3bc1584a8e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 09:58:31 +0200 Subject: [PATCH 1249/1764] avfilter/vf_vmafmotion: Check dimensions Fixes: out of array access Fixes: Ticket8241 Fixes: Ticket8246 Fixes: CVE-2020-22019 Fixes: CVE-2020-22033 Signed-off-by: Michael Niedermayer (cherry picked from commit 82ad1b76751bcfad5005440db48c46a4de5d6f02) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vmafmotion.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c index 9bcc4ff16f..3dc031ae16 100644 --- a/libavfilter/vf_vmafmotion.c +++ b/libavfilter/vf_vmafmotion.c @@ -239,6 +239,9 @@ int ff_vmafmotion_init(VMAFMotionData *s, int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + if (w < 3 || h < 3) + return AVERROR(EINVAL); + s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32); From 1c5391ce1c34824d29794ee827aa6d5e984a14b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 11:17:35 +0200 Subject: [PATCH 1250/1764] avfilter/vf_yadif: Fix handing of tiny images Fixes: out of array access Fixes: Ticket8240 Fixes: CVE-2020-22021 Signed-off-by: Michael Niedermayer (cherry picked from commit 7971f62120a55c141ec437aa3f0bacc1c1a3526b) Signed-off-by: Michael Niedermayer (cherry picked from commit bb08ee0c6fb7bdebd37cbf00aefed206909e8f78) Signed-off-by: Michael Niedermayer --- libavfilter/vf_yadif.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c index 694ac44999..86b82de5e2 100644 --- a/libavfilter/vf_yadif.c +++ b/libavfilter/vf_yadif.c @@ -122,20 +122,22 @@ static void filter_edges(void *dst1, void *prev1, void *cur1, void *next1, int x; uint8_t *prev2 = parity ? prev : cur ; uint8_t *next2 = parity ? cur : next; + int offset = FFMAX(w - (MAX_ALIGN-1), 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - (MAX_ALIGN-1); - prev = (uint8_t*)prev1 + w - (MAX_ALIGN-1); - cur = (uint8_t*)cur1 + w - (MAX_ALIGN-1); - next = (uint8_t*)next1 + w - (MAX_ALIGN-1); + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - (MAX_ALIGN-1), w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } @@ -167,20 +169,22 @@ static void filter_edges_16bit(void *dst1, void *prev1, void *cur1, void *next1, int x; uint16_t *prev2 = parity ? prev : cur ; uint16_t *next2 = parity ? cur : next; + int offset = FFMAX(w - (MAX_ALIGN/2-1), 3); mrefs /= 2; prefs /= 2; - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint16_t*)dst1 + w - (MAX_ALIGN/2-1); - prev = (uint16_t*)prev1 + w - (MAX_ALIGN/2-1); - cur = (uint16_t*)cur1 + w - (MAX_ALIGN/2-1); - next = (uint16_t*)next1 + w - (MAX_ALIGN/2-1); + dst = (uint16_t*)dst1 + offset; + prev = (uint16_t*)prev1 + offset; + cur = (uint16_t*)cur1 + offset; + next = (uint16_t*)next1 + offset; prev2 = (uint16_t*)(parity ? prev : cur); next2 = (uint16_t*)(parity ? cur : next); - FILTER(w - (MAX_ALIGN/2-1), w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) From ed9f251a5dd3a1ae4c65c44e4f1878c8ff815907 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Jan 2021 22:42:54 +0100 Subject: [PATCH 1251/1764] avformat/cinedec: Fix index_entries size check Fixes: out of array access Fixes: 29868/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5692001957445632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/cinedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index de34fb9638..8ed2fde35e 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -284,7 +284,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) AVIOContext *pb = avctx->pb; int n, size, ret; - if (cine->pts >= st->duration) + if (cine->pts >= st->nb_index_entries) return AVERROR_EOF; avio_seek(pb, st->index_entries[cine->pts].pos, SEEK_SET); From 0c71bd5ebf113f14e80af856b34d81a4e46dda81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Jun 2021 10:07:05 +0200 Subject: [PATCH 1252/1764] avcodec/aacenc: Use FLT_EPSILON for lambda minimum (cherry picked from commit 4b89cf7aa49191c7f8a5ae6e9cf6cfc79ff4ee5e) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 9eaf92b04b..0248077822 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -809,7 +809,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { From bcab3700dfaf765e2df068fc0f7c3679bc1aec42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 17:49:22 +0200 Subject: [PATCH 1253/1764] avcodec/aacenc: Do not divide by lambda_count if it is 0 Avoids Floating point division by 0 Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit c520b986915a3fdf3a20f6ce0ad5833eccfb7a91) Signed-off-by: Michael Niedermayer --- libavcodec/aacenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 0248077822..94b3e81699 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -854,7 +854,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx) { AACEncContext *s = avctx->priv_data; - av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count); + av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN); ff_mdct_end(&s->mdct1024); ff_mdct_end(&s->mdct128); From 92f83a21472f4b954aa3e96fa948b15591ea2dd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 May 2021 17:50:27 +0200 Subject: [PATCH 1254/1764] avcodec/aacpsy: Check bandwidth Fixes: Ticket8011 Signed-off-by: Michael Niedermayer (cherry picked from commit 36dead4bc28ca8aab13c61661f28c68bdefa5e9d) Signed-off-by: Michael Niedermayer --- libavcodec/aacpsy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c index bd444fecdc..76458783ce 100644 --- a/libavcodec/aacpsy.c +++ b/libavcodec/aacpsy.c @@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) { const int bandwidth = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx); const float num_bark = calc_bark((float)bandwidth); + if (bandwidth <= 0) + return AVERROR(EINVAL); + ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext)); if (!ctx->model_priv_data) return AVERROR(ENOMEM); From a3f8ddabde93acc67e6fcb5a0d35cb7a515d7272 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 May 2021 18:09:37 +0200 Subject: [PATCH 1255/1764] avcodec/svq1enc: Do not print debug RD value before it has been computed Avoids floating point division by 0 Fixes: Ticket8191 Signed-off-by: Michael Niedermayer (cherry picked from commit c297f7e57a223da9f0d350e30456d60c8c87f902) Signed-off-by: Michael Niedermayer --- libavcodec/svq1enc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index d78ede72cd..d45ba9ffde 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -499,9 +499,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx) SVQ1EncContext *const s = avctx->priv_data; int i; - av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", - s->rd_total / (double)(avctx->width * avctx->height * - avctx->frame_number)); + if (avctx->frame_number) + av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", + s->rd_total / (double)(avctx->width * avctx->height * + avctx->frame_number)); s->m.mb_type = NULL; ff_mpv_common_end(&s->m); From 5f44a99a603bf3d95d56cd574ea7aee99d43485b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:43:51 +0200 Subject: [PATCH 1256/1764] avformat/rpl: Use 64bit in bitrate computation and check it Fixes: signed integer overflow: 777777776 * 4 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6726188921913344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 29b244ffc15abe2c24d2145f63048e8b3bdaa303) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index d6d81549b0..0b97699ca3 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -195,8 +195,10 @@ static int rpl_read_header(AVFormatContext *s) ast->codecpar->bits_per_coded_sample = 4; ast->codecpar->bit_rate = ast->codecpar->sample_rate * - ast->codecpar->bits_per_coded_sample * - ast->codecpar->channels; + (int64_t)ast->codecpar->channels; + if (ast->codecpar->bit_rate > INT64_MAX / ast->codecpar->bits_per_coded_sample) + return AVERROR_INVALIDDATA; + ast->codecpar->bit_rate *= ast->codecpar->bits_per_coded_sample; ast->codecpar->codec_id = AV_CODEC_ID_NONE; switch (audio_format) { From 2e36b0d55a9d2fc6e117972372e9e5d3382c3dd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 21:40:17 +0200 Subject: [PATCH 1257/1764] avcodec/vc2enc: Check for non negative slice bounds Fixes: invalid shifts Fixes: Ticket 8221 Signed-off-by: Michael Niedermayer (cherry picked from commit f7862e82686b347eb6a9e64fa7ccdf25d5a76b4b) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index cdc7d4250d..00d5847cdc 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1022,6 +1022,8 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, s->slice_max_bytes = SSIZE_ROUND(s->slice_max_bytes); s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); + if (s->slice_min_bytes < 0) + return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); if (ret) From 226d608e952f65b0ffd11708a9ed8e8cd1fcf831 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:46:05 +0200 Subject: [PATCH 1258/1764] avformat/rpl: Check for EOF and zero framesize Fixes: Infinite loop Fixes: 34751/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5439330800762880 Fixes: 34774/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5851571660390400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0a4a527c3b0819368d9b148542bb7663f39df79) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 0b97699ca3..a7665cf421 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -309,7 +309,7 @@ static int rpl_read_packet(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 4); /* flags */ frame_size = avio_rl32(pb); - if (avio_seek(pb, -8, SEEK_CUR) < 0) + if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size) return AVERROR(EIO); ret = av_get_packet(pb, pkt, frame_size); From a2d45c6b9a8fb713a48c282075105f99c9f27f3b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 19:54:45 +0200 Subject: [PATCH 1259/1764] avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black Fixes: floating point division by 0 Fixes: undefined behavior in handling NaN Fixes: Ticket 8268 Signed-off-by: Michael Niedermayer (cherry picked from commit 3d500e62f6206ad11308b18976246366aed8c1a5) Signed-off-by: Michael Niedermayer --- libavfilter/vf_ciescope.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_ciescope.c b/libavfilter/vf_ciescope.c index 7c0cfed061..311696817d 100644 --- a/libavfilter/vf_ciescope.c +++ b/libavfilter/vf_ciescope.c @@ -842,7 +842,8 @@ rgb_to_xy(double rc, *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc; sum = *x + *y + *z; - + if (sum == 0) + sum = 1; *x = *x / sum; *y = *y / sum; } From 58bbb40b720682d12d3ea94cf3f43bf29bec5c55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:00:38 +0200 Subject: [PATCH 1260/1764] avfilter/vf_dctdnoiz: Check threads Fixes: floating point division by 0 Fixes: Ticket 8269 Signed-off-by: Michael Niedermayer (cherry picked from commit 4a3917c02c428b11128ac3d4a01b780ea44aa53c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_dctdnoiz.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c index cdbe5f853f..3fbea473ed 100644 --- a/libavfilter/vf_dctdnoiz.c +++ b/libavfilter/vf_dctdnoiz.c @@ -563,6 +563,9 @@ static int config_input(AVFilterLink *inlink) inlink->h - s->pr_height); max_slice_h = s->pr_height / ((s->bsize - 1) * 2); + if (max_slice_h == 0) + return AVERROR(EINVAL); + s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), max_slice_h); av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n", MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), s->nb_threads); From 628a1682e9438c3bd119c915d2e7ae986c639239 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Jun 2021 20:10:56 +0200 Subject: [PATCH 1261/1764] avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 Fixes: out of array access Fixes: 34933/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5629322560929792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dbbcfbcc4e4f0e91f814f2e13ced7b6d99069518) Signed-off-by: Michael Niedermayer --- libavcodec/ttadata.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/ttadata.c b/libavcodec/ttadata.c index bf793a4cc8..aa9f418a7d 100644 --- a/libavcodec/ttadata.c +++ b/libavcodec/ttadata.c @@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = { 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000, 0x40000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, - 0x80000000, 0x80000000, 0x80000000, 0x80000000 + 0x80000000, 0x80000000, 0x80000000, 0x80000000, + 0xFFFFFFFF }; const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4; From 6bbacb011a4c784edbfd4b7c6026fb222e57d003 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Apr 2021 16:50:13 +0200 Subject: [PATCH 1262/1764] avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit Fixes: signed integer overflow: 104962766 * 32 cannot be represented in type 'int' Fixes: 33614/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6252129036664832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3447979d08d701581a65f7275425cb1a59302319) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 13f8804fbc..827855bf3b 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1867,25 +1867,33 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; - int64_t tmp; + int64_t tmp = 0; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + break; + case AV_CODEC_ID_ADPCM_IMA_DK3: + tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_DK4: + tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_IMA_RAD: + tmp = blocks * ((ba - 4LL * ch) * 2 / ch); + break; + case AV_CODEC_ID_ADPCM_MS: + tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch); + break; + case AV_CODEC_ID_ADPCM_MTAF: + tmp = blocks * (ba - 16LL) * 2 / ch; + break; + } + if (tmp) { if (tmp != (int)tmp) return 0; return tmp; - case AV_CODEC_ID_ADPCM_IMA_DK3: - return blocks * (((ba - 16) * 2 / 3 * 4) / ch); - case AV_CODEC_ID_ADPCM_IMA_DK4: - return blocks * (1 + (ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_IMA_RAD: - return blocks * ((ba - 4 * ch) * 2 / ch); - case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2LL / ch); - case AV_CODEC_ID_ADPCM_MTAF: - return blocks * (ba - 16) * 2 / ch; } } From 40053dc0bc992f430c22dd80d37b7602cc878934 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:20:04 +0200 Subject: [PATCH 1263/1764] avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d8421e3d5bc1300687a65384baccbcb3874b7ac) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 469999e046..7febcaa763 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -301,7 +301,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, mode = !mode; } } else if (cmode == 9 || cmode == 10) { - int xxx = get_bits(gb, 3); + int xxx; + if (get_bits_left(gb) < 3) + return AVERROR_INVALIDDATA; + xxx = get_bits(gb, 3); if (cmode == 9 && xxx == 7) { int ret; int pix_left = width - offs; From 7f28e32486eed2802a4290a964a52863abc2d32d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Jun 2021 21:25:58 +0200 Subject: [PATCH 1264/1764] avcodec/faxcompr: Check available bits in decode_uncompressed() Fixes: Timeout Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112 Fixes: 34966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4587409334468608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ff56c139e07a4de2803b974b6595f6b71fbf53bd) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 7febcaa763..0392c72519 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -141,6 +141,8 @@ static int decode_uncompressed(AVCodecContext *avctx, GetBitContext *gb, return AVERROR_INVALIDDATA; } cwi = 10 - av_log2(cwi); + if (get_bits_left(gb) < cwi + 1) + return AVERROR_INVALIDDATA; skip_bits(gb, cwi + 1); if (cwi > 5) { newmode = get_bits1(gb); From 9274418fe8bb1e936f6c3227a99326286dd723a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Jun 2021 20:35:43 +0200 Subject: [PATCH 1265/1764] avformat/rpl: The associative law doesnt hold for signed integers in C Add () to avoid undefined behavior Fixes: signed integer overflow: 9223372036854775790 + 57 cannot be represented in type 'long' Fixes: 34983/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5765822923538432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 480f11bdd713c15e4964093be7ef0adf5b619cc1) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index a7665cf421..ad3800a906 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -103,7 +103,7 @@ static AVRational read_fps(const char* line, int* error) // Truncate any numerator too large to fit into an int64_t if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) break; - num = 10 * num + *line - '0'; + num = 10 * num + (*line - '0'); den *= 10; } if (!num) From aee1476099b08992f12b75c6fe1e52c72e1b5b95 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Jun 2021 18:37:01 +0200 Subject: [PATCH 1266/1764] Update missed irc links Signed-off-by: Michael Niedermayer (cherry picked from commit c067d20177613e9cf74bcbd2a26e729ef7ababdb) Signed-off-by: Michael Niedermayer --- RELEASE_NOTES | 2 +- configure | 2 +- doc/writing_filters.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RELEASE_NOTES b/RELEASE_NOTES index d649c77bd5..8a656e7ea3 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -11,5 +11,5 @@ We hope you will like this release as much as we enjoyed working on it, and as usual, if you have any questions about it, or any FFmpeg related topic, - feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask on the mailing-lists. diff --git a/configure b/configure index 8de1146602..ebd1820396 100755 --- a/configure +++ b/configure @@ -498,7 +498,7 @@ die(){ If you think configure made a mistake, make sure you are using the latest version from Git. If the latest version fails, report the problem to the -ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net. +ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat. EOF if disabled logging; then cat < Date: Tue, 4 May 2021 18:34:44 +0200 Subject: [PATCH 1267/1764] avformat/tta: Check for EOF in index reading loop Fixes: OOM Fixes: 33585/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-4564665830080512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b72d657b73b2aa4a2a2f72f613199e6080ad48c0) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tta.c b/libavformat/tta.c index c50f029d66..82869f5d8e 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -119,6 +119,8 @@ static int tta_read_header(AVFormatContext *s) for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; From e618928e40a345b4e6cbda08a6452d07483c5895 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 4 May 2021 22:52:41 +0200 Subject: [PATCH 1268/1764] avcodec/iff: Only write palette to plane 1 if its PAL8 Fixes: null pointer passed as argument 1, which is declared to never be null Fixes: 33791/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5107575256383488.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 216eb60b853e9a230c1238ab7d1c63d3fa892d34) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 6ec2dd60ad..dbd51cb895 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -1845,7 +1845,8 @@ static int decode_frame(AVCodecContext *avctx, buf += s->planesize; } } - memcpy(frame->data[1], s->pal, 256 * 4); + if (avctx->pix_fmt == AV_PIX_FMT_PAL8) + memcpy(frame->data[1], s->pal, 256 * 4); } else if (s->ham) { int i, count = 1 << s->ham; From d4755459b3b929f547ec7c9af4f5f5fcb15aeb5c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 13:08:24 +0200 Subject: [PATCH 1269/1764] avformat/dxa: Check fps to be within the supported range more precissely Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: assertion failure Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6744985740378112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ea494befcb5d944ce8275e6f59de1a24c25ffb6) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index bdb93b0835..a616f8f74b 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s) if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{ From 7a62ddb3cdfd63bd59f5d80a39b8f3a034ad7728 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 15:41:16 +0200 Subject: [PATCH 1270/1764] avformat/iff: Use 64bit in duration computation Fixes: signed integer overflow: 588 * 16719904 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6748331936186368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93d964689c3b2bae26e6e3f502c1ffc4c2e46989) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 05e79ace75..5be0eb55b7 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); From c65e5a1933427e35df0f58d0829f75de0cb2f037 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Apr 2021 17:42:19 +0200 Subject: [PATCH 1271/1764] avformat/mpc8: Check for position overflow in mpc8_handle_chunk() Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208 Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ef25d118246bf443900033fb3588dba628d11b0) Signed-off-by: Michael Niedermayer --- libavformat/mpc8.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index e15d228e2c..1bada480fe 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -200,8 +200,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break; From 159ec5a6abcd6dc39683e1a9f540e4e40f2d4f8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 19:54:19 +0200 Subject: [PATCH 1272/1764] avformat/msf: Check that channels doesnt overflow during extradata construction Fixes: signed integer overflow: 2048 * 1122336 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6726959600107520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1a277926b49dad60d9e78c6c7a8c6b5d0d6d7c9) Signed-off-by: Michael Niedermayer --- libavformat/msf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/msf.c b/libavformat/msf.c index 6bd18f29bd..9b9d43b4c4 100644 --- a/libavformat/msf.c +++ b/libavformat/msf.c @@ -70,6 +70,8 @@ static int msf_read_header(AVFormatContext *s) case 4: case 5: case 6: st->codecpar->block_align = (codec == 4 ? 96 : codec == 5 ? 152 : 192) * st->codecpar->channels; + if (st->codecpar->channels > UINT16_MAX / 2048) + return AVERROR_INVALIDDATA; ret = ff_alloc_extradata(st->codecpar, 14); if (ret < 0) return ret; From 5ae0f402debdb3e3d9e0e1e01d93bff0b877ca98 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:01:03 +0200 Subject: [PATCH 1273/1764] avformat/nutdec: Check tmp_size Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6739990530883584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1ca00b5e44f21840b608e238fa135a1aab6e576b) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index e14d118bb8..e86d8222d0 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -286,6 +286,11 @@ static int decode_main_header(NUTContext *nut) ret = AVERROR_INVALIDDATA; goto fail; } + if (tmp_size < 0 || tmp_size > INT_MAX - count) { + av_log(s, AV_LOG_ERROR, "illegal size\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } for (j = 0; j < count; j++, i++) { if (i == 'N') { From 0602cf0ce3d9d3629bd9dca9756c9f8ca5d8c8b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:16:38 +0200 Subject: [PATCH 1274/1764] avformat/qcp: Avoid negative nb_rates Fixes: signed integer overflow: 2 * -1725947872 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-6726807632084992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b865cc703d29cb307e1fa628aa02940d54eb42a) Signed-off-by: Michael Niedermayer --- libavformat/qcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/qcp.c b/libavformat/qcp.c index b842e2633c..90954a39e9 100644 --- a/libavformat/qcp.c +++ b/libavformat/qcp.c @@ -93,7 +93,8 @@ static int qcp_read_header(AVFormatContext *s) QCPContext *c = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); uint8_t buf[16]; - int i, nb_rates; + int i; + unsigned nb_rates; if (!st) return AVERROR(ENOMEM); From 090e2d16809e3b52fbc7d1e4a2d1c568f4d1c263 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Apr 2021 20:45:10 +0200 Subject: [PATCH 1275/1764] avformat/realtextdec: Check the pts difference before using it for the duration computation Fixes: signed integer overflow: 5404200000 - -9223372031709351616 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-6737340551790592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe12aa689003db9b07a6e1b837031dcc57a71435) Signed-off-by: Michael Niedermayer --- libavformat/realtextdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index 4f25754b9f..ba8cdfd196 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -111,10 +111,11 @@ static int realtext_read_header(AVFormatContext *s) if (!merge) { const char *begin = ff_smil_get_attr_ptr(buf.str, "begin"); const char *end = ff_smil_get_attr_ptr(buf.str, "end"); + int64_t endi = end ? read_ts(end) : 0; sub->pos = pos; sub->pts = begin ? read_ts(begin) : 0; - sub->duration = end ? (read_ts(end) - sub->pts) : duration; + sub->duration = (end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration; } } av_bprint_clear(&buf); From 153833e42cfd0b6e0423288b0ffb8522c9dfb7e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Apr 2021 22:35:37 +0200 Subject: [PATCH 1276/1764] avformat/rmdec: Check old_format len for overflow Maybe such large values could be disallowed earlier and closer to where they are set. Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06d174e289eb185f03a34a738965f0042f39c038) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index db196c14d0..9f5df91c86 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1012,8 +1012,8 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) { RMDemuxContext *rm = s->priv_data; AVStream *st = NULL; // init to silence compiler warning - int i, len, res, seq = 1; - int64_t timestamp, pos; + int i, res, seq = 1; + int64_t timestamp, pos, len; int flags; for (;;) { @@ -1032,7 +1032,9 @@ static int rm_read_packet(AVFormatContext *s, AVPacket *pkt) ast = st->priv_data; timestamp = AV_NOPTS_VALUE; len = !ast->audio_framesize ? RAW_PACKET_SIZE : - ast->coded_framesize * ast->sub_packet_h / 2; + ast->coded_framesize * (int64_t)ast->sub_packet_h / 2; + if (len > INT_MAX) + return AVERROR_INVALIDDATA; flags = (seq++ == 1) ? 2 : 0; pos = avio_tell(s->pb); } else { From 2eb23b82c850c7558f74abb880c01d6989bc5788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Jun 2021 20:00:05 +0200 Subject: [PATCH 1277/1764] avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation Fixes: signed integer overflow: 486539264 * 14 cannot be represented in type 'int' Fixes: 35281/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6068262742917120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 00ae9b77ef757f82660b4b3d2f490374a4f209fd) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 827855bf3b..64d5e0d776 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1833,7 +1833,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_THP: case AV_CODEC_ID_ADPCM_THP_LE: if (extradata) - return frame_bytes * 14 / (8 * ch); + return frame_bytes * 14LL / (8 * ch); break; case AV_CODEC_ID_ADPCM_XA: return (frame_bytes / 128) * 224 / ch; From 3ecb97e45bff369ac604a4025a3f53cee484c0a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Jun 2021 22:59:04 +0200 Subject: [PATCH 1278/1764] avcodec/cpia: Fix missing src_size update Fixes: out of array read Fixes: 35210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5669199688105984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cea05864e65db9a2dc8af82b2c63fb8f03c5f876) Signed-off-by: Michael Niedermayer --- libavcodec/cpia.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/cpia.c b/libavcodec/cpia.c index f6d7332606..1be47cf5d2 100644 --- a/libavcodec/cpia.c +++ b/libavcodec/cpia.c @@ -111,6 +111,7 @@ static int cpia_decode_frame(AVCodecContext *avctx, // Read line length, two byte little endian linelength = AV_RL16(src); src += 2; + src_size -= 2; if (src_size < linelength) { frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM; From 375aa8f5f85c6b905e556a197e38a5edb2f59f71 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 May 2021 20:36:46 +0200 Subject: [PATCH 1279/1764] tools/cws2fws: Check read() for failure Fixes: CID1452579 Argument cannot be negative Signed-off-by: Michael Niedermayer (cherry picked from commit 0b3cdd7cc2c63969e144cc3eb39d0c61260509ee) Signed-off-by: Michael Niedermayer --- tools/cws2fws.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/cws2fws.c b/tools/cws2fws.c index 7046b69957..9ce321fe20 100644 --- a/tools/cws2fws.c +++ b/tools/cws2fws.c @@ -89,6 +89,12 @@ int main(int argc, char *argv[]) for (i = 0; i < comp_len - 8;) { int ret, len = read(fd_in, &buf_in, 1024); + if (len == -1) { + printf("read failure\n"); + inflateEnd(&zstream); + goto out; + } + dbgprintf("read %d bytes\n", len); last_out = zstream.total_out; From afb3519570f1035e3da1e86ac8612f6212a32d72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 May 2021 22:38:40 +0200 Subject: [PATCH 1280/1764] avformat/ftp: Check for av_strtok() failure Fixes: CID1396258 Dereference null return value Signed-off-by: Michael Niedermayer (cherry picked from commit 9d40782088cf969fbadc881e4a97ec22b8ae0177) Signed-off-by: Michael Niedermayer --- libavformat/ftp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 7b3c8600e4..382b262576 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -950,6 +950,8 @@ static int ftp_parse_entry_mlsd(char *mlsd, AVIODirEntry *next) continue; } fact = av_strtok(fact, "=", &value); + if (!fact) + continue; if (!av_strcasecmp(fact, "type")) { if (!av_strcasecmp(value, "cdir") || !av_strcasecmp(value, "pdir")) return 1; From 73e81965b7d3a93b58bcdc6825fb38c24248493d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 15:27:18 +0200 Subject: [PATCH 1281/1764] avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() Fixes: floating point division by 0 Fixes: Ticket8213 Signed-off-by: Michael Niedermayer (cherry picked from commit 70874e024a6eae0f95bd8dd4b9b4367ffd937f41) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h index 52170fd623..e1b41bfd9b 100644 --- a/libavcodec/lpc.h +++ b/libavcodec/lpc.h @@ -186,7 +186,8 @@ static inline int AAC_RENAME(compute_lpc_coefs)(const LPC_TYPE *autoc, int max_o for(j=0; j Date: Tue, 11 May 2021 18:40:32 +0200 Subject: [PATCH 1282/1764] avformat/matroskadec: Fix handling of huge default durations Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself Fixes: 33997/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6752039691485184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 343d950a4a8a8c32f5f7d9d4ac1fbe317cb9cc80) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 7c00b5b764..20a16664c3 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2475,8 +2475,9 @@ static int matroska_parse_tracks(AVFormatContext *s) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->default_duration) { + int div = track->default_duration <= INT64_MAX ? 1 : 2; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, - 1000000000, track->default_duration, 30000); + 1000000000 / div, track->default_duration / div, 30000); #if FF_API_R_FRAME_RATE if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) From 2e1e677c6df4f3f2b976aaceef1b0e5252f7cee6 Mon Sep 17 00:00:00 2001 From: James Almer Date: Sun, 29 Apr 2018 15:04:10 -0300 Subject: [PATCH 1283/1764] configure: add missing pthreads dependency to v4l2_m2m Signed-off-by: James Almer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index ebd1820396..e6de1794c0 100755 --- a/configure +++ b/configure @@ -2785,7 +2785,7 @@ omx_rpi_select="omx" qsvdec_select="qsv" qsvenc_select="qsv" vaapi_encode_deps="vaapi" -v4l2_m2m_deps_any="linux_videodev2_h" +v4l2_m2m_deps="linux_videodev2_h sem_timedwait" hwupload_cuda_filter_deps="cuda" scale_npp_filter_deps="cuda libnpp" From 9cfd59b5fa52a2da6ac59dc15d5959401ac6b6fe Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 12 Oct 2017 19:20:28 -0300 Subject: [PATCH 1284/1764] configure: Fix sem_timedwait probe (cherry-picked from libav commit 41262498ff89ef48e5ce4823b2fc2dc514a3eb0c) Signed-off-by: James Almer --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index e6de1794c0..5a82980cc1 100755 --- a/configure +++ b/configure @@ -5690,7 +5690,6 @@ check_builtin atomic_cas_ptr atomic.h "void **ptr; void *oldval, *newval; atomic check_builtin machine_rw_barrier mbarrier.h "__machine_rw_barrier()" check_builtin MemoryBarrier windows.h "MemoryBarrier()" check_builtin sarestart signal.h "SA_RESTART" -check_builtin sem_timedwait semaphore.h "sem_t *s; sem_init(s,0,0); sem_timedwait(s,0); sem_destroy(s)" -lpthread check_builtin sync_val_compare_and_swap "" "int *ptr; int oldval, newval; __sync_val_compare_and_swap(ptr, oldval, newval)" check_builtin gmtime_r time.h "time_t *time; struct tm *tm; gmtime_r(time, tm)" check_builtin localtime_r time.h "time_t *time; struct tm *tm; localtime_r(time, tm)" @@ -5872,7 +5871,7 @@ if enabled pthreads; then fi enabled pthreads && - check_builtin sem_timedwait semaphore.h "sem_t *s; sem_init(s,0,0); sem_timedwait(s,0); sem_destroy(s)" + check_builtin sem_timedwait semaphore.h "sem_t *s; sem_init(s,0,0); sem_timedwait(s,0); sem_destroy(s)" $pthreads_extralibs enabled zlib && check_lib zlib zlib.h zlibVersion -lz enabled bzlib && check_lib bzlib bzlib.h BZ2_bzlibVersion -lbz2 From a6f5191f2ecbfd25f4ffbb6ad14136e34d97cacd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Jul 2021 14:05:26 +0200 Subject: [PATCH 1285/1764] swscale/slice: Check slice for allocation failure Fixes: null pointer dereference Fixes: alloc_slice.mp4 Found-by: Rafael Dutra Signed-off-by: Michael Niedermayer (cherry picked from commit 997f9cfc1295769be8d3180860ceebbc16f59069) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index db4fa874ff..6599f88373 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -286,7 +286,8 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - + if (!c->slice) + goto cleanup; res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From e4f7328d51505b55834eeecc8fbefb9147247a75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Jul 2021 15:20:47 +0200 Subject: [PATCH 1286/1764] swscale/slice: Fix wrong return on error Signed-off-by: Michael Niedermayer (cherry picked from commit 7874d40f10cca922797a8da14189a53ee52f0156) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index 6599f88373..f242c04a40 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -286,8 +286,10 @@ int ff_init_filters(SwsContext * c) if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - if (!c->slice) + if (!c->slice) { + res = AVERROR(ENOMEM); goto cleanup; + } res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; From e61b25e2557394e640a5aae901473785a4b23db5 Mon Sep 17 00:00:00 2001 From: maryam ebr Date: Tue, 3 Aug 2021 01:05:47 -0400 Subject: [PATCH 1287/1764] avcodec/dnxhddec: check and propagate function return value Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed. crafted DNxHD data can cause unspecified impact. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit 7150f9575671f898382c370acae35f9087a30ba1) Signed-off-by: Michael Niedermayer --- libavcodec/dnxhddec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 1f93f9dfc2..505a51d3ea 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -107,6 +107,7 @@ static av_cold int dnxhd_decode_init(AVCodecContext *avctx) static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { + int ret; if (cid != ctx->cid) { int index; @@ -126,19 +127,26 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) ff_free_vlc(&ctx->dc_vlc); ff_free_vlc(&ctx->run_vlc); - init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, - ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->ac_codes, 2, 2, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, - ctx->cid_table->dc_codes, 1, 1, 0); - init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->dc_codes, 1, 1, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ctx->cid_table->run_bits, 1, 1, - ctx->cid_table->run_codes, 2, 2, 0); + ctx->cid_table->run_codes, 2, 2, 0)) < 0) + goto out; ctx->cid = cid; } - return 0; + ret = 0; +out: + if (ret < 0) + av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); + return ret; } static av_cold int dnxhd_decode_init_thread_copy(AVCodecContext *avctx) From 00ecb2216730635498532d8b4c316898e00936e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 12:39:34 +0200 Subject: [PATCH 1288/1764] avformat/mxfdec: Check size for shrinking av_shrink_packet() takes int size, so size must fit in int Fixes: out of array access Fixes: 35607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4875541323841536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65b862ab59c4bfaae98be596b84a072f52444398) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c8442aadf2..a5cdacb881 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -465,7 +465,7 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); avio_read(pb, tmpbuf, 16); From bbec731fca035c854ac738b0e8ddb2234edf984a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Jul 2021 14:27:22 +0200 Subject: [PATCH 1289/1764] avformat/mov: do not ignore errors in mov_metadata_hmmt() Fixes: Timeout Fixes: 35637/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6311060272447488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c52c99a18f6e40973e52d99d4bb29e34a66c695a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 83abdd4a47..f081ced86e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -294,6 +294,8 @@ static int mov_metadata_hmmt(MOVContext *c, AVIOContext *pb, unsigned len) int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); } + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; return 0; } From 7590dbf9be5e70432699cc70e5d96f9a6eb30dfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Jun 2021 20:04:45 +0200 Subject: [PATCH 1290/1764] avfilter/vf_mestimate: Check b_count Fixes: left shift of negative value -1 Fixes: Ticket8270 Signed-off-by: Michael Niedermayer (cherry picked from commit 06af6e101bbd04e8ecc5337bc3b6894a5e058e14) Signed-off-by: Michael Niedermayer --- libavfilter/vf_mestimate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_mestimate.c b/libavfilter/vf_mestimate.c index 7ecfe7da60..9a2865a0cb 100644 --- a/libavfilter/vf_mestimate.c +++ b/libavfilter/vf_mestimate.c @@ -100,6 +100,9 @@ static int config_input(AVFilterLink *inlink) s->b_height = inlink->h >> s->log2_mb_size; s->b_count = s->b_width * s->b_height; + if (s->b_count == 0) + return AVERROR(EINVAL); + for (i = 0; i < 3; i++) { s->mv_table[i] = av_mallocz_array(s->b_count, sizeof(*s->mv_table[0])); if (!s->mv_table[i]) From c593517453bce7f034417850cbe5dc03c54de466 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 31 May 2021 21:00:32 +0200 Subject: [PATCH 1291/1764] avcodec/aaccoder: Add minimal bias in search_for_ms() Fixes: floating point division by 0 Fixes: Ticket8218 Signed-off-by: Michael Niedermayer (cherry picked from commit 75a099fc734a4ee2b1347d0a3d8c53d883b95174) Signed-off-by: Michael Niedermayer --- libavcodec/aaccoder.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index baa82489b1..11b0559e1c 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -843,25 +843,25 @@ static void search_for_ms(AACEncContext *s, ChannelElement *cpe) sce0->ics.swb_sizes[g], sce0->sf_idx[w*16+g], sce0->band_type[w*16+g], - lambda / band0->threshold, INFINITY, &b1, NULL, 0); + lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0); dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128], R34, sce1->ics.swb_sizes[g], sce1->sf_idx[w*16+g], sce1->band_type[w*16+g], - lambda / band1->threshold, INFINITY, &b2, NULL, 0); + lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0); dist2 += quantize_band_cost(s, M, M34, sce0->ics.swb_sizes[g], mididx, midcb, - lambda / minthr, INFINITY, &b3, NULL, 0); + lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0); dist2 += quantize_band_cost(s, S, S34, sce1->ics.swb_sizes[g], sididx, sidcb, - mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0); + mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0); B0 += b1+b2; B1 += b3+b4; dist1 -= b1+b2; From f95a80bbd7cbe335fc8e271084571029d5ee26d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:28:29 +0200 Subject: [PATCH 1292/1764] avformat/aiffdec: Check for size overflow in header parsing Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6723467048255488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bae2e1977744f42d56b85193d4910811de829714) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 7c88327e9c..4a042701e3 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -102,6 +102,9 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; + if (size == INT_MAX) + return AVERROR_INVALIDDATA; + if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; From d15d67e6ccc2fe3b5ff0afb1addceb9c6b222781 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 17:35:20 +0200 Subject: [PATCH 1293/1764] avformat/asfdec_f: Check sizeX against padding Fixes: signed integer overflow: 2147483607 + 64 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6753897878257664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f034c2e36acb7d0c11dc1849ddf8a67bde44eff4) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 922ad3c29f..81bf9d83e9 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -516,7 +516,7 @@ static int asf_read_stream_properties(AVFormatContext *s, int64_t size) tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { - if (size < sizeX - 40) + if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + From 89fd36adfe82e0a3a42461ed8a252c637c170da2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:11:03 +0200 Subject: [PATCH 1294/1764] avformat/avidec: fix position overflow in avi_load_index() Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 527821a2dd6f19d9a4d2abe05833346ae86c66c6) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index f47e436f86..46f24a8e55 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1745,7 +1745,10 @@ static int avi_load_index(AVFormatContext *s) size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { From 0b5c5645806e321c52f928cc9a8a12ce3f1b25a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:33:58 +0200 Subject: [PATCH 1295/1764] avformat/bfi: check nframes Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6737028768202752 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b4e77dfca1c2970446f79277034d8e60c3fe3f4e) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 9d88533acf..f32a2cf8ce 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -73,6 +73,8 @@ static int bfi_read_header(AVFormatContext * s) return AVERROR_INVALIDDATA; bfi->nframes = avio_rl32(pb); + if (bfi->nframes < 0) + return AVERROR_INVALIDDATA; avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); From a4b9ac104e9016a08f75544ee0d8a43b2ea20324 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Apr 2021 19:44:08 +0200 Subject: [PATCH 1296/1764] avformat/dsicin: Check packet size for overflow Fixes: signed integer overflow: 24672 + 2147483424 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DSICIN_fuzzer-6731325979623424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1c47ec033d038e04578eaf0767c8983250d03d) Signed-off-by: Michael Niedermayer --- libavformat/dsicin.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index bd4f3ad03a..a1ecd64939 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c @@ -166,7 +166,8 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) CinDemuxContext *cin = s->priv_data; AVIOContext *pb = s->pb; CinFrameHeader *hdr = &cin->frame_header; - int rc, palette_type, pkt_size; + int rc, palette_type; + int64_t pkt_size; int ret; if (cin->audio_buffer_size == 0) { @@ -182,7 +183,9 @@ static int cin_read_packet(AVFormatContext *s, AVPacket *pkt) } /* palette and video packet */ - pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size; + pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size; + if (pkt_size + 4 > INT_MAX) + return AVERROR_INVALIDDATA; pkt_size = ffio_limit(pb, pkt_size); From 5ebce16fdec1cff22aae0fa30e55ac3ef42d9c53 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:53:32 +0200 Subject: [PATCH 1297/1764] avformat/sbgdec: Check for overflow in timestamp preparation Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9dbed908403b0d97ae70881fab68020f148b6b11) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 646c141ab4..586a0c58f8 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1281,6 +1281,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, ev1 = &s->events[i]; ev2 = &s->events[(i + 1) % s->nb_events]; ev1->ts_int = ev1->ts; + + if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period) + return AVERROR_INVALIDDATA; + ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + (ev1 < ev2 ? 0 : period); } From a415c253b42210b33fc57da7aa05dcfb028aec04 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Apr 2021 20:57:02 +0200 Subject: [PATCH 1298/1764] avformat/wavdec: Use 64bit in new_pos computation Fixes: signed integer overflow: 129 * 16711680 cannot be represented in type 'int' Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6742285317439488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9b57d2f0a967195dc1c72fda8f3a983a0132a243) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index ef0c6b374c..56aef289e9 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -639,7 +639,7 @@ smv_retry: if (wav->smv_last_stream) { uint64_t old_pos = avio_tell(s->pb); uint64_t new_pos = wav->smv_data_ofs + - wav->smv_block * wav->smv_block_size; + wav->smv_block * (int64_t)wav->smv_block_size; if (avio_seek(s->pb, new_pos, SEEK_SET) < 0) { ret = AVERROR_EOF; goto smv_out; From d64fddb9a8ef0aa47535083b4b00b385278f6580 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Aug 2021 20:42:53 +0200 Subject: [PATCH 1299/1764] avformat/wtvdec: Check for EOF before seeking back in parse_media_type() Fixes: Infinite loop Fixes: 36311/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-4889181296918528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 89505d38de989bddd579ce3b841f1c011f1d7bf2) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 0ca7a79140..124d8f4b9c 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -661,6 +661,8 @@ static AVStream * parse_media_type(AVFormatContext *s, AVStream *st, int sid, avio_skip(pb, size - 32); ff_get_guid(pb, &actual_subtype); ff_get_guid(pb, &actual_formattype); + if (avio_feof(pb)) + return NULL; avio_seek(pb, -size, SEEK_CUR); st = parse_media_type(s, st, sid, mediatype, actual_subtype, actual_formattype, size - 32); From 0b98a1d5e55322b80e652c53e4882f9c964ff1ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Jul 2021 23:04:08 +0200 Subject: [PATCH 1300/1764] avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 35593/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5182217725804544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8f2856a1daa4e3d5767b6efe7a70ec86926dba47) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 91fa664c08..43fcc90ae5 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -87,7 +87,7 @@ static void sbr_neg_odd_64_c(int *x) { int i; for (i = 1; i < 64; i += 2) - x[i] = -x[i]; + x[i] = -(unsigned)x[i]; } static void sbr_qmf_pre_shuffle_c(int *z) From 2b4e4af6dcf4da83cd6c78404c535c7dd9a77b0d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Jul 2021 00:01:53 +0200 Subject: [PATCH 1301/1764] avcodec/vc1dec: Disable error concealment for *IMAGE The existing error concealment makes no sense for the image formats, they use transformed source images which is different from keyframe + MC+difference for which the error concealment is designed. Of course feel free to re-enable this if you have a case where it works and improves vissual results Fixes: Timeout Fixes: 36234/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6300306743885824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 643b2d49bf52d5a3205ce3db732e0c4c396bd457) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index d05c902b70..80a7863716 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1114,7 +1114,9 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data, ret = AVERROR_INVALIDDATA; goto err; } - if (!v->field_mode) + if ( !v->field_mode + && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE + && avctx->codec_id != AV_CODEC_ID_VC1IMAGE) ff_er_frame_end(&s->er); } From f71c7a358e3ae9ceae681d722e6f350f3eab7976 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 31 Jul 2021 21:17:23 +0200 Subject: [PATCH 1302/1764] avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() Fixes: Infinite loop Fixes: 35591/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4503764022198272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f803635c4fac761ac68b39a369272d4c26433dc1) Signed-off-by: Michael Niedermayer --- libavcodec/faxcompr.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c index 0392c72519..5393fcf82b 100644 --- a/libavcodec/faxcompr.c +++ b/libavcodec/faxcompr.c @@ -280,6 +280,8 @@ static int decode_group3_2d_line(AVCodecContext *avctx, GetBitContext *gb, for (k = 0; k < 2; k++) { run = 0; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); if (t == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect code\n"); From 071ecaddb9ce7a514f4fe8b0ab4bc363d4bb0a38 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Aug 2021 09:55:00 +0200 Subject: [PATCH 1303/1764] avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init Fixes: MemLeak Fixes: 8281 Fixes: PoC_option158.jpg Fixes: CVE-2020-22037 Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 7bba0dd6382e30d646cb406034a66199e071d713) Signed-off-by: Michael Niedermayer --- libavcodec/frame_thread_encoder.c | 11 +++++++---- libavcodec/frame_thread_encoder.h | 4 ++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c index 215aee9fc0..2467619d1b 100644 --- a/libavcodec/frame_thread_encoder.c +++ b/libavcodec/frame_thread_encoder.c @@ -117,7 +117,7 @@ end: int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_INTRA_ONLY)) @@ -195,16 +195,17 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ AVDictionary *tmp = NULL; int ret; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; + thread_avctx->priv_data = tmpv; + thread_avctx->internal = NULL; + thread_avctx->hw_frames_ctx = NULL; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; - thread_avctx->priv_data = tmpv; - thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0) @@ -232,6 +233,8 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ return 0; fail: + avcodec_close(thread_avctx); + av_freep(&thread_avctx); avctx->thread_count = i; av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n"); ff_frame_thread_encoder_free(avctx); diff --git a/libavcodec/frame_thread_encoder.h b/libavcodec/frame_thread_encoder.h index 1f79553f20..fc85ba48b8 100644 --- a/libavcodec/frame_thread_encoder.h +++ b/libavcodec/frame_thread_encoder.h @@ -23,6 +23,10 @@ #include "avcodec.h" +/** + * Initialize frame thread encoder. + * @note hardware encoders are not supported + */ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options); void ff_frame_thread_encoder_free(AVCodecContext *avctx); int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *frame, int *got_packet_ptr); From f4700142dcc09b6d477e8bccd22aaf4752acaf32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Aug 2021 20:46:32 +0200 Subject: [PATCH 1304/1764] avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode Fixes: out of array read Fixes: 36331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5140494328922112.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c59b5e3d1e0121ea23b5b326529f5bdca44cf982) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 80a7863716..c325af2d7e 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -1139,12 +1139,14 @@ image: if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->current_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->current_picture_ptr, pict); *got_frame = 1; } else if (s->last_picture_ptr) { if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->last_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->last_picture_ptr, pict); *got_frame = 1; } } From 1e198bd926dc07993dc032e1ebebcbed5ac4feea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 25 Jul 2021 15:50:54 +0200 Subject: [PATCH 1305/1764] avcodec/webp: Check available space in loop in decode_entropy_coded_image() Fixes: Timeout Fixes: 35401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5714401821851648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e00eab61112c52f27a09fe77d50e6fc508f9c53) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index efa864a6f1..1e97487ebf 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -665,6 +665,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, while (y < img->frame->height) { int v; + if (get_bits_left(&s->gb) < 0) + return AVERROR_INVALIDDATA; + hg = get_huffman_group(s, img, x, y); v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb); if (v < NUM_LITERAL_CODES) { From bc9e0b6cd2839acbac8da3232d715eb66857e453 Mon Sep 17 00:00:00 2001 From: maryam ebrahimzadeh Date: Wed, 4 Aug 2021 16:15:18 -0400 Subject: [PATCH 1306/1764] avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata As the second argument for init_get_bits (buf) can be crafted, a return value check for this function call is necessary. 'buf' is part of 'AVPacket pkt'. replace init_get_bits with init_get_bits8. Signed-off-by: Michael Niedermayer (cherry picked from commit 9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6) Signed-off-by: Michael Niedermayer --- libavformat/adtsenc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c index a046c2f2f4..719280773b 100644 --- a/libavformat/adtsenc.c +++ b/libavformat/adtsenc.c @@ -50,9 +50,11 @@ static int adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, const ui GetBitContext gb; PutBitContext pb; MPEG4AudioConfig m4ac; - int off; + int off, ret; - init_get_bits(&gb, buf, size * 8); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; off = avpriv_mpeg4audio_get_config(&m4ac, buf, size * 8, 1); if (off < 0) return off; From 43a4d78e3bf1758d05434f8315115bab2619d75d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Aug 2021 20:47:00 +0200 Subject: [PATCH 1307/1764] avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() Fixes: Timeout Fixes: 36262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4969052454912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 909faca929cf30dcd439fa33479177e76fb5121d) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4572dcfd61..b910373b14 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1452,6 +1452,9 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss, else ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0], quant_matrix, ss, se, Al, &EOBRUN); + + if (ret >= 0 && get_bits_left(&s->gb) < 0) + ret = AVERROR_INVALIDDATA; if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); From 36f962f3c209f2f402b1ef9091ebbb7a8d11c020 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 May 2021 18:54:53 +0200 Subject: [PATCH 1308/1764] avformat/avidec: Use 64bit for frame number in odml index parsing Fixes: signed integer overflow: 1179337772 + 1392508928 cannot be represented in type 'int' Fixes: 34088/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5846945303232512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a4c98c507ed3c729fc92d641b974385f8aa37b33) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 46f24a8e55..eb7353ddba 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -156,7 +156,7 @@ static int get_riff(AVFormatContext *s, AVIOContext *pb) return 0; } -static int read_odml_index(AVFormatContext *s, int frame_num) +static int read_odml_index(AVFormatContext *s, int64_t frame_num) { AVIContext *avi = s->priv_data; AVIOContext *pb = s->pb; @@ -176,7 +176,7 @@ static int read_odml_index(AVFormatContext *s, int frame_num) av_log(s, AV_LOG_TRACE, "longs_per_entry:%d index_type:%d entries_in_use:%d " - "chunk_id:%X base:%16"PRIX64" frame_num:%d\n", + "chunk_id:%X base:%16"PRIX64" frame_num:%"PRId64"\n", longs_per_entry, index_type, entries_in_use, From fc76c6037acaaef2017fb541213fe151a8d0b999 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Wed, 11 Dec 2019 14:18:43 +0200 Subject: [PATCH 1309/1764] network: Define ENOTCONN as WSAENOTCONN if not defined MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes compilation with old mingw.org toolchains, which has got much fewer errno.h entries. Signed-off-by: Martin Storsjö (cherry picked from commit 6569e9505c781468092c15fa84d034c9e37d26ca) Signed-off-by: Michael Niedermayer --- libavformat/network.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/network.h b/libavformat/network.h index f83c796a95..1b3e0f184c 100644 --- a/libavformat/network.h +++ b/libavformat/network.h @@ -50,6 +50,9 @@ #ifndef EINPROGRESS #define EINPROGRESS WSAEINPROGRESS #endif +#ifndef ENOTCONN +#define ENOTCONN WSAENOTCONN +#endif #define getsockopt(a, b, c, d, e) getsockopt(a, b, c, (char*) d, e) #define setsockopt(a, b, c, d, e) setsockopt(a, b, c, (const char*) d, e) From 980224770abf0d59453bca239bde5288d0c257f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Sep 2021 18:54:08 +0200 Subject: [PATCH 1310/1764] avcodec/xpmdec: Move allocations down after more error checks Fixes: Timeout Fixes: 37035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5142718576721920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e58692837c20c8484a23cd9beb63ac422f82458a) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 82a484dabb..8aee89dd30 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -337,9 +337,6 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - if ((ret = ff_get_buffer(avctx, p, 0)) < 0) - return ret; - if (cpp <= 0 || cpp >= 5) { av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp); return AVERROR_INVALIDDATA; @@ -356,14 +353,17 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, size *= 4; - av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); - if (!x->pixels) - return AVERROR(ENOMEM); - ptr += mod_strcspn(ptr, ",") + 1; if (end - ptr < 1) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) + return ret; + + av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); + if (!x->pixels) + return AVERROR(ENOMEM); + for (i = 0; i < ncolors; i++) { const uint8_t *index; int len; From d11d5f7da46ef51d91d4f2bfecb813feda533d63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Sep 2021 19:55:28 +0200 Subject: [PATCH 1311/1764] avcodec/apedec: Fix 2 integer overflows in filter_3800() Fixes: signed integer overflow: 1683879955 - -466265224 cannot be represented in type 'int' Fixes: 37419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6074294407921664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 33feb527fff9bf547c4118147434869875cf0c3d) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3bec1eee68..e11ee0a708 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -859,8 +859,8 @@ static av_always_inline int filter_3800(APEPredictor *p, return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8); d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; From 0fe497d79581ff9e3c3eb18dc9d0265686933bb0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:00:38 +0200 Subject: [PATCH 1312/1764] avcodec/jpeg2000dec: Check that atom header is within bytsetream Fixes: Infinite loop Fixes: 36666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5912760671141888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3c659f861856d751fe3aa1358b1cccff3117f948) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 3edcb81094..a6889cb4bd 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1999,6 +1999,8 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) atom_size >= 16) { uint32_t atom2_size, atom2, atom2_end; do { + if (bytestream2_get_bytes_left(&s->g) < 8) + break; atom2_size = bytestream2_get_be32u(&s->g); atom2 = bytestream2_get_be32u(&s->g); atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; From a4a3fd814aac900175ec4a2811cb5bf98c1ddad3 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 21 Jul 2021 01:02:44 -0300 Subject: [PATCH 1313/1764] avcodec/utils: don't return negative values in av_get_audio_frame_duration() In some extrme cases, like with adpcm_ms samples with an extremely high channel count, get_audio_frame_duration() may return a negative frame duration value. Don't propagate it, and instead return 0, signaling that a duration could not be determined. Fixes ticket #9312 Signed-off-by: James Almer (cherry picked from commit e01d306c647b5827102260b885faa223b646d2d1) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 64d5e0d776..1cadce4c59 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1931,20 +1931,22 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) { - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, avctx->channels, avctx->block_align, avctx->codec_tag, avctx->bits_per_coded_sample, avctx->bit_rate, avctx->extradata, avctx->frame_size, frame_bytes); + return FFMAX(0, duration); } int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) { - return get_audio_frame_duration(par->codec_id, par->sample_rate, + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, par->channels, par->block_align, par->codec_tag, par->bits_per_coded_sample, par->bit_rate, par->extradata, par->frame_size, frame_bytes); + return FFMAX(0, duration); } #if !HAVE_THREADS From 1b44a20a19bdefc20b6841f735240e0902b5b2d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Sep 2021 21:40:20 +0200 Subject: [PATCH 1314/1764] Update for 3.4.9 Signed-off-by: Michael Niedermayer --- Changelog | 315 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 317 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 34f312dcc2..6b42a45654 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,321 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.9: + avcodec/utils: don't return negative values in av_get_audio_frame_duration() + avcodec/jpeg2000dec: Check that atom header is within bytsetream + avcodec/apedec: Fix 2 integer overflows in filter_3800() + avcodec/xpmdec: Move allocations down after more error checks + network: Define ENOTCONN as WSAENOTCONN if not defined + avformat/avidec: Use 64bit for frame number in odml index parsing + avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() + avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata + avcodec/webp: Check available space in loop in decode_entropy_coded_image() + avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode + avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init + avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() + avcodec/vc1dec: Disable error concealment for *IMAGE + avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() + avformat/wtvdec: Check for EOF before seeking back in parse_media_type() + avformat/wavdec: Use 64bit in new_pos computation + avformat/sbgdec: Check for overflow in timestamp preparation + avformat/dsicin: Check packet size for overflow + avformat/bfi: check nframes + avformat/avidec: fix position overflow in avi_load_index() + avformat/asfdec_f: Check sizeX against padding + avformat/aiffdec: Check for size overflow in header parsing + avcodec/aaccoder: Add minimal bias in search_for_ms() + avfilter/vf_mestimate: Check b_count + avformat/mov: do not ignore errors in mov_metadata_hmmt() + avformat/mxfdec: Check size for shrinking + avcodec/dnxhddec: check and propagate function return value + swscale/slice: Fix wrong return on error + swscale/slice: Check slice for allocation failure + configure: Fix sem_timedwait probe + configure: add missing pthreads dependency to v4l2_m2m + avformat/matroskadec: Fix handling of huge default durations + avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() + avformat/ftp: Check for av_strtok() failure + tools/cws2fws: Check read() for failure + avcodec/cpia: Fix missing src_size update + avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation + avformat/rmdec: Check old_format len for overflow + avformat/realtextdec: Check the pts difference before using it for the duration computation + avformat/qcp: Avoid negative nb_rates + avformat/nutdec: Check tmp_size + avformat/msf: Check that channels doesnt overflow during extradata construction + avformat/mpc8: Check for position overflow in mpc8_handle_chunk() + avformat/iff: Use 64bit in duration computation + avformat/dxa: Check fps to be within the supported range more precissely + avcodec/iff: Only write palette to plane 1 if its PAL8 + avformat/tta: Check for EOF in index reading loop + Update missed irc links + avformat/rpl: The associative law doesnt hold for signed integers in C + avcodec/faxcompr: Check available bits in decode_uncompressed() + avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 + avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit + avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 + avfilter/vf_dctdnoiz: Check threads + avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black + avformat/rpl: Check for EOF and zero framesize + avcodec/vc2enc: Check for non negative slice bounds + avformat/rpl: Use 64bit in bitrate computation and check it + avcodec/svq1enc: Do not print debug RD value before it has been computed + avcodec/aacpsy: Check bandwidth + avcodec/aacenc: Do not divide by lambda_count if it is 0 + avcodec/aacenc: Use FLT_EPSILON for lambda minimum + avformat/cinedec: Fix index_entries size check + avfilter/vf_yadif: Fix handing of tiny images + avfilter/vf_vmafmotion: Check dimensions + avformat/movenc: Check pal_size before use + avcodec/lpc: Avoid floating point division by 0 + avcodec/aacpsy: Avoid floating point division by 0 of norm_fac + avcodec/aacenc: Avoid 0 lambda + avcodec/exr: x/ymax cannot be INT_MAX + avformat/avio: Check av_opt_copy() for failure + avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() + avformat/mov: Ignore duplicate CoLL + avformat/mov: Limit nb_chapter_tracks to input size + avformat/utils: Use 64bit earlier in r_frame_rate check + avformat/mvdec: Check sample rate in parse_audio_var() + avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() + avcodec/utils: treat PAL8 for jpegs similar to other colorspaces + avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent + avformat/asfdec_o: Use ff_get_extradata() + avformat/id3v2: Check end for overflow in id3v2_parse() + avformat/wtvdec: Improve size overflow checks in parse_chunks() + avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() + avcodec/utils: Check ima wav duration for overflow + avformat/cafdec: Check channels + avcodec/dpx: Check bits_per_color earlier + avcodec/pnm_parser: Check image size addition for overflow + avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check + avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context() + avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change() + avformat/mov: Ignore multiple STSC / STCO + avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() + avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice() + avutil/common: Add FF_PTR_ADD() + avformat/wtvdec: Check size in SBE2_STREAM_DESC_EVENT / stream2_guid + avformat/cafdec: Do not build an index if all packets are the same + avcodec/sonic: Use unsigned temporary in predictor_calc_error() + avformat/flvdec: Check array entry number + avcodec/h264_slice: Check sps in h264_slice_header_init() + avformat/movenc: Avoid loosing cluster array on failure + avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb + avformat/mov: Check sample size for overflow in mov_parse_stsd_audio() + avcodec/ffwavesynth: Avoid signed integer overflow in phi_at() + avcodec/mpeg4videoenc: Check extradata malloc() + avcodec/speedhq: Width < 8 is not supported + avformat/matroskadec: Check for EOF in resync loop + avcodec/utils: Use more bits for intermediate for AV_CODEC_ID_ADPCM_MS + avcodec/jpegls: Check A[Q] for overflow in ff_jpegls_update_state_regular() + avformat/voc_packet: prevent remaining size from becoming negative in ff_voc_get_packet() + avutil/timecode: Avoid fps overflow + avformat/mvi: Check audio size for more overflows + avcodec/flacdec: Avoid undefined shift in error case + avcodec/ffv1dec: Check if trailer is available + avcodec/4xm: Check pre_gb in decode_i_block() + avcodec/dcadsp: Fix integer overflow in dmix_add_c() + avformat/flvdec: Check double before cast in parse_keyframes_index() + avformat/paf: Check for EOF before allocation in read_header() + avcodec/aacdec_template: Avoid undefined negation in imdct_and_windowing_eld() + avformat/lxfdec: Fix multiple integer overflows related to track_size + avcodec/exr: skip bottom clearing loop when its outside the image + avformat/aiffdec: Check that SSND is at least 8 bytes + avformat/dcstr: Check sample rate + avcodec/alsdec: Check bitstream input in read_block() + avformat/mov: Extend data_size check in mov_read_udta_string() + avformat/voc_packet: Add a basic check on max_size + avformat/microdvddec: use 64bit for durations + avcodec/hapdec: Change compressed_offset to unsigned 32bit + avformat/rmdec: Check codec_length without overflow + avformat/mov: Check element count in mov_metadata_hmmt() + avcodec/fits: Check gcount and pcount being non negative + avformat/nutdec: Check timebase count against main header length + avformat/electronicarts: Clear partial_packet on error + avformat/r3d: Check samples before computing duration + avcodec/pnm_parser: Check av_image_get_buffer_size() for failure + avformat/wavdec: Consider AV_INPUT_BUFFER_PADDING_SIZE in set_spdif() + avformat/rmdec: Check remaining space in debug av_log() loop + avformat/flvdec: Treat high ts byte as unsigned + avformat/samidec: Sanity check pts + avformat/avidec: Use 64bit in get_duration() + avformat/mov: Check for duplicate st3d + avformat/mvdec: Check for EOF in read_index() + avcodec/jpeglsdec: Fix k=16 in ls_get_code_regular() + avformat/id3v2: Check the return from avio_get_str() + avcodec/hevc_sei: Check payload size in decode_nal_sei_message() + libavutil/eval: Remove CONFIG_TRAPV special handling + avformat/wtvdec: Check len in parse_chunks() to avoid overflow + avformat/asfdec_f: Add an additional check for the extradata size + avformat/3dostr: Check sample_rate + avformat/4xm: Make audio_frame_count 64bit + avformat/mov: Use av_mul_q() to avoid integer overflows + avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper + avformat/rmdec: Reorder operations to avoid overflow + avcodec/mxpegdec: fix SOF counting + avcodec/rscc: Check inflated_buf size whan it is used + avformat/mvdec: Sanity check SAMPLE_WIDTH + avformat/rmdec: Fix codecdata_length overflow check + avcodec/simple_idct: Fix undefined integer overflow in idct4row() + avformat/tta: Use 64bit intermediate for index + avformat/soxdec: Check channels to be positive + avcodec/vp3: Check input amount in theora_decode_header() + avformat/wavdec: Check avio_get_str16le() for failure + avformat/flvdec: Check for EOF in amf_skip_tag() + avformat/aiffdec: Check size before subtraction in get_aiff_header() + avformat/electronicarts: More chunk_size checks + avformat/tedcaptionsdec: Check for overflow in parse_int() + avformat/nuv: Check channels + avformat/mpc8: Check size before implicitly converting to int + avformat/nutdec: Fix integer overflow in count computation + avformat/mvi: Use 64bit for testing dimensions + avformat/utils: Check dts in update_initial_timestamps() more + avformat/flvdec: Check for avio_read() failure in amf_get_string() + avformat/flvdec: Check for nesting depth in amf_skip_tag() + avformat/flvdec: Check for nesting depth in amf_parse_object() + avformat/asfdec_o: Check for EOF in asf_read_marker() + avformat/utils: Check dts - (1< Date: Thu, 7 Oct 2021 17:41:44 +0200 Subject: [PATCH 1315/1764] avfilter/scale_npp: fix non-aligned output frame dimensions --- libavfilter/vf_scale_npp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_scale_npp.c b/libavfilter/vf_scale_npp.c index 8a277ce8e1..86279f5b36 100644 --- a/libavfilter/vf_scale_npp.c +++ b/libavfilter/vf_scale_npp.c @@ -472,13 +472,16 @@ static int nppscale_scale(AVFilterContext *ctx, AVFrame *out, AVFrame *in) src = s->stages[i].frame; last_stage = i; } - if (last_stage < 0) return AVERROR_BUG; + ret = av_hwframe_get_buffer(src->hw_frames_ctx, s->tmp_frame, 0); if (ret < 0) return ret; + s->tmp_frame->width = src->width; + s->tmp_frame->height = src->height; + av_frame_move_ref(out, src); av_frame_move_ref(src, s->tmp_frame); From 90d2f32f621b49637474453536b0fdc4903f8cb5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Sep 2021 21:24:15 +0200 Subject: [PATCH 1316/1764] avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: Out of array access Fixes: 37030/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5387719147651072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 3dd5a8a13510d08a4e25e8f138d718672a0fed4a) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index a5cdacb881..8275add38e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -412,6 +412,10 @@ static int mxf_get_d10_aes3_packet(AVIOContext *pb, AVStream *st, AVPacket *pkt, data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ + + if (st->codecpar->channels > 8) + return AVERROR_INVALIDDATA; + for (; end_ptr - buf_ptr >= st->codecpar->channels * 4; ) { for (i = 0; i < st->codecpar->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); From cbe954f578a19afc11a440fbd379fa8f6fe57b1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Jun 2021 22:26:41 +0200 Subject: [PATCH 1317/1764] avformat/jacosubdec: Check for min in t overflow in get_shift() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 34651/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5157941012463616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 989febfbd0c986e9e3e0f269a6b22778bf79147b) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 85840d8529..3037085d9c 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -140,6 +140,9 @@ static int get_shift(int timeres, const char *buf) int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP + if (a == INT_MIN) + return 0; + if (*buf == '-' || a < 0) { sign = -1; a = FFABS(a); From 6715ea85c08e41eb5e29690b0d8eeeafd01645d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Apr 2021 22:44:19 +0200 Subject: [PATCH 1318/1764] avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int' Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e2c2872393f25253aa40861a9707934c4b83a3af) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 9f5df91c86..0135f935af 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -272,9 +272,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From fa742cda4e39092d1745c97a07f116448cc26da1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Sep 2021 22:00:46 +0200 Subject: [PATCH 1319/1764] avformat/mvdec: Do not set invalid sample rate Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long' Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 737e6bf2162b89d396f4d477bfe8c99f1dd885de) Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 3e483ebf70..da0b3d4ad0 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -156,9 +156,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, } else if (!strcmp(name, "NUM_CHANNELS")) { return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { - st->codecpar->sample_rate = var_read_int(pb, size); - if (st->codecpar->sample_rate <= 0) + int sample_rate = var_read_int(pb, size); + if (sample_rate <= 0) return AVERROR_INVALIDDATA; + st->codecpar->sample_rate = sample_rate; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; From b9761037d09611c3baab20b6679ae6414bb5f790 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Sep 2021 22:00:47 +0200 Subject: [PATCH 1320/1764] avcodec/apedec: Fix integer overflow in intermediate Fixes: signed integer overflow: 559334865 * 4 cannot be represented in type 'int' Fixes: 37929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6751932295806976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90da43557f7257d72e95504f63ae6504406d6eab) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index e11ee0a708..7db1196d3f 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); + (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; From fdb61f366c56d075303961181555534627e33bec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 May 2021 18:38:23 +0200 Subject: [PATCH 1321/1764] avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable Fixes: error: 1.66789e+11 is outside the range of representable values of type 'int' Fixes: Ticket8201 Signed-off-by: Michael Niedermayer (cherry picked from commit 245017ec8a87d6e4c764d06afeca37100b980d85) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 5765ef339f..3fe7a0012c 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -505,9 +505,13 @@ FF_ENABLE_DEPRECATION_WARNINGS if (!s->fixed_qscale && avctx->bit_rate * av_q2d(avctx->time_base) > avctx->bit_rate_tolerance) { + double nbt = avctx->bit_rate * av_q2d(avctx->time_base) * 5; av_log(avctx, AV_LOG_WARNING, "bitrate tolerance %d too small for bitrate %"PRId64", overriding\n", avctx->bit_rate_tolerance, avctx->bit_rate); - avctx->bit_rate_tolerance = 5 * avctx->bit_rate * av_q2d(avctx->time_base); + if (nbt <= INT_MAX) { + avctx->bit_rate_tolerance = nbt; + } else + avctx->bit_rate_tolerance = INT_MAX; } if (s->avctx->rc_max_rate && From 22181868e3ef29a99b4ad4d7c0a1aa6fe022c6ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 Aug 2021 20:15:09 +0200 Subject: [PATCH 1322/1764] avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return Fixes: invalid shift Fixes: 37018/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-5290280902328320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5a95abcce4d93f979e4b53f2220f7a54edd03312) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg12dec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index c6a56fd5ae..3d1878a012 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1562,6 +1562,10 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->mpeg_f_code[0][1] = get_bits(&s->gb, 4); s->mpeg_f_code[1][0] = get_bits(&s->gb, 4); s->mpeg_f_code[1][1] = get_bits(&s->gb, 4); + s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; + s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; + s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; + s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; if (!s->pict_type && s1->mpeg_enc_ctx_allocated) { av_log(s->avctx, AV_LOG_ERROR, "Missing picture start code, guessing missing values\n"); @@ -1575,10 +1579,6 @@ static void mpeg_decode_picture_coding_extension(Mpeg1Context *s1) s->current_picture.f->pict_type = s->pict_type; s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I; } - s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; - s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; - s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; - s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; s->intra_dc_precision = get_bits(&s->gb, 2); s->picture_structure = get_bits(&s->gb, 2); From 7f8a534e56128c011a1f1d9668f7885a95c5bd03 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Sep 2021 20:31:39 +0200 Subject: [PATCH 1323/1764] avcodec/flicvideo: Check remaining bytes in FLI*COPY Fixes: Timeout Fixes: 37795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4846536543043584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f835efbca874ad42cb954e6788588f52a57a7a2) Signed-off-by: Michael Niedermayer --- libavcodec/flicvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index bf8ffeba4f..bf095f7461 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -735,6 +735,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx, bytestream2_skip(&g2, chunk_size - 6); } else { + if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height ) + return AVERROR_INVALIDDATA; for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { From d0915974671d43464f5b578a3310fefc82184c3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Sep 2021 20:16:27 +0200 Subject: [PATCH 1324/1764] avcodec/mxpegdec: Check for AVDISCARD_ALL Fixes: Fixes NULL pointer dereference Fixes: 36610/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6052641783283712 Fixes: 37907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-4725170850365440 Fixes: 37904/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6367889262247936 Fixes: 38085/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5175270823297024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 20afd3a63a75a160f61a98a8dcfe06f527ea19b4) Signed-off-by: Michael Niedermayer --- libavcodec/mxpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mxpegdec.c b/libavcodec/mxpegdec.c index f89226fefa..ea73bd4a10 100644 --- a/libavcodec/mxpegdec.c +++ b/libavcodec/mxpegdec.c @@ -195,6 +195,9 @@ static int mxpeg_decode_frame(AVCodecContext *avctx, int start_code; int ret; + if (avctx->skip_frame == AVDISCARD_ALL) + return AVERROR_PATCHWELCOME; + buf_ptr = buf; buf_end = buf + buf_size; jpg->got_picture = 0; From 582098acf75984c518e4ff991dbe0fb3e4a5ee47 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Sep 2021 19:00:56 +0200 Subject: [PATCH 1325/1764] swscale/alphablend: Fix slice handling Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 06d67265881249566f385309e2fb5a9449720b6e) Signed-off-by: Michael Niedermayer --- libswscale/alphablend.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/libswscale/alphablend.c b/libswscale/alphablend.c index b5686599c0..b5967c889b 100644 --- a/libswscale/alphablend.c +++ b/libswscale/alphablend.c @@ -26,7 +26,7 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->srcFormat); int nb_components = desc->nb_components; - int plane, x, y; + int plane, x, ysrc; int plane_count = isGray(c->srcFormat) ? 1 : 3; int sixteen_bits = desc->comp[0].depth >= 9; unsigned off = 1<<(desc->comp[0].depth - 1); @@ -50,14 +50,15 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], int w = plane ? c->chrSrcW : c->srcW; int x_subsample = plane ? desc->log2_chroma_w: 0; int y_subsample = plane ? desc->log2_chroma_h: 0; - for (y = srcSliceY >> y_subsample; y < AV_CEIL_RSHIFT(srcSliceH, y_subsample); y++) { + for (ysrc = 0; ysrc < AV_CEIL_RSHIFT(srcSliceH, y_subsample); ysrc++) { + int y = ysrc + (srcSliceY >> y_subsample); if (x_subsample || y_subsample) { int alpha; unsigned u; if (sixteen_bits) { ptrdiff_t alpha_step = srcStride[plane_count] >> 1; - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * y << y_subsample)); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample)); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -82,8 +83,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { ptrdiff_t alpha_step = srcStride[plane_count]; - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + (srcStride[plane_count] * y << y_subsample); + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample); uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { if (y_subsample) { @@ -97,8 +98,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } else { if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * y); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * ysrc); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -113,8 +114,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + srcStride[plane_count] * y; + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + srcStride[plane_count] * ysrc; uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { unsigned u = s[x]*a[x] + target_table[((x^y)>>5)&1][plane]*(255-a[x]) + 128; @@ -127,10 +128,11 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } else { int alpha_pos = desc->comp[plane_count].offset; int w = c->srcW; - for (y = srcSliceY; y < srcSliceH; y++) { + for (ysrc = 0; ysrc < srcSliceH; ysrc++) { + int y = ysrc + srcSliceY; if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * y + 2*!alpha_pos); - const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * y + alpha_pos); + const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * ysrc + 2*!alpha_pos); + const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * ysrc + alpha_pos); uint16_t *d = ( uint16_t *)(dst[0] + dstStride[0] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -151,8 +153,8 @@ int ff_sws_alphablendaway(SwsContext *c, const uint8_t *src[], } } } else { - const uint8_t *s = src[0] + srcStride[0] * y + !alpha_pos; - const uint8_t *a = src[0] + srcStride[0] * y + alpha_pos; + const uint8_t *s = src[0] + srcStride[0] * ysrc + !alpha_pos; + const uint8_t *a = src[0] + srcStride[0] * ysrc + alpha_pos; uint8_t *d = dst[0] + dstStride[0] * y; for (x = 0; x < w; x++) { for (plane = 0; plane < plane_count; plane++) { From 67b9b10b70ada6c8df513958c180eb7bd2f9c2d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 16 Sep 2021 23:12:42 +0200 Subject: [PATCH 1326/1764] avformat/mpegts: use actually read packet size in mpegts_resync special case Fixes: infinite loop Fixes: 37986/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5292311517462528 - Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 83b2e4c8f15a00f037040131e26e20de83f0d842) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index e4976d76d2..3342193868 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2419,8 +2419,8 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren int64_t back = FFMIN(seekback, pos); //Special case for files like 01c56b0dc1.ts - if (current_packet[0] == 0x80 && current_packet[12] == 0x47) { - avio_seek(pb, 12 - back, SEEK_CUR); + if (current_packet[0] == 0x80 && current_packet[12] == 0x47 && pos >= TS_PACKET_SIZE) { + avio_seek(pb, 12 - TS_PACKET_SIZE, SEEK_CUR); return 0; } From afe2a1a8c52d880f4862aa278a2c98b7f16c9fa7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Sep 2021 21:51:28 +0200 Subject: [PATCH 1327/1764] oavformat/avidec: Check offset in odml Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long' Fixes: 38787/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4859845799444480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 255a7b423ed5e07536bdc72e993056daa4efe009) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index eb7353ddba..b15aa6ecdb 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -236,7 +236,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) avio_rl32(pb); /* size */ duration = avio_rl32(pb); - if (avio_feof(pb)) + if (avio_feof(pb) || offset > INT64_MAX - 8) return AVERROR_INVALIDDATA; pos = avio_tell(pb); From ca5f10e0c39729b6b5ea3cccc36032777a3b94f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Sep 2021 00:11:50 +0200 Subject: [PATCH 1328/1764] avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() Fixes: signed integer overflow: -2145648640 - 3357696 cannot be represented in type 'int' Fixes: 38899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5358815017566208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ad517ee6e44f093e28021ffd51c7eb2e1394b1a9) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 7db1196d3f..8a7ba73815 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -929,7 +929,7 @@ static void long_filter_ehigh_3830(int32_t *buffer, int length) for (j = 7; j > 0; j--) delay[j] = delay[j - 1]; delay[0] = buffer[i]; - buffer[i] -= dotprod >> 9; + buffer[i] -= (unsigned)(dotprod >> 9); } } From c3971ff707bbcffd7838cd2e8ee48702d6b09f4c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Sep 2021 20:53:53 +0200 Subject: [PATCH 1329/1764] avcodec/apedec: Use 64bit to avoid overflow Fixes: runtime error: signed integer overflow: 727298502 * 3 cannot be represented in type 'int' Fixes: 39172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-638602483033702 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f059b56195da9c0e2c11a5f7f357a3d6101e6bf0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 8a7ba73815..d05aa741ef 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1286,7 +1286,7 @@ static void do_apply_filter(APEContext *ctx, int version, APEFilter *f, absres = res < 0 ? -(unsigned)res : res; if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > (f->avg + f->avg / 3)))); + (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; From a85739087d6c3e0b849824f8603bef6961ffe51a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Sep 2021 20:49:27 +0200 Subject: [PATCH 1330/1764] avformat/rmdec: Check for multiple audio_stream_info Fixes: memleak Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8fe3566b8fdf4bcf5eed419c1aab6eb848287ff3) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 0135f935af..031590b109 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -131,6 +131,10 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; + // Duplicate tags + if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) + return AVERROR_INVALIDDATA; + /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { From 7a1c59e4558673eddbdb639a427709a9d0383608 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Oct 2021 23:54:46 +0200 Subject: [PATCH 1331/1764] avformat/wavdec: Check smv_block_size Fixes: Timeout Fixes: 39554/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-4915221701984256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 849138f476f4b08656681bfc3aec5beac47777fb) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 56aef289e9..b7c5f22a3a 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -480,6 +480,8 @@ static int wav_read_header(AVFormatContext *s) wav->smv_data_ofs = avio_tell(pb) + (size - 5) * 3; avio_rl24(pb); wav->smv_block_size = avio_rl24(pb); + if (!wav->smv_block_size) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(vst, 32, 1, avio_rl24(pb)); vst->duration = avio_rl24(pb); avio_rl24(pb); From e7bed708a88eac516c3022b663aef69ba03fa9e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 9 Oct 2021 18:35:56 +0200 Subject: [PATCH 1332/1764] Changelog: update Signed-off-by: Michael Niedermayer --- Changelog | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/Changelog b/Changelog index 6b42a45654..aaab81f211 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,23 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.9: + avformat/wavdec: Check smv_block_size + avformat/rmdec: Check for multiple audio_stream_info + avcodec/apedec: Use 64bit to avoid overflow + avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() + oavformat/avidec: Check offset in odml + avformat/mpegts: use actually read packet size in mpegts_resync special case + swscale/alphablend: Fix slice handling + avcodec/mxpegdec: Check for AVDISCARD_ALL + avcodec/flicvideo: Check remaining bytes in FLI*COPY + avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return + avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable + avcodec/apedec: Fix integer overflow in intermediate + avformat/mvdec: Do not set invalid sample rate + avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 + avformat/jacosubdec: Check for min in t overflow in get_shift() + avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() + avfilter/scale_npp: fix non-aligned output frame dimensions avcodec/utils: don't return negative values in av_get_audio_frame_duration() avcodec/jpeg2000dec: Check that atom header is within bytsetream avcodec/apedec: Fix 2 integer overflows in filter_3800() From 1eca11f81a0204acfc85748c5f8d3c95719d8bab Mon Sep 17 00:00:00 2001 From: Lynne Date: Fri, 1 Jan 2021 00:00:00 +0100 Subject: [PATCH 1333/1764] configure: update copyright year (cherry picked from commit 63505fc60a8031ebea824a3e78a07b73c6dc049f) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 5a82980cc1..bf42ade4b1 100755 --- a/configure +++ b/configure @@ -7000,7 +7000,7 @@ cat > $TMPH < Date: Wed, 5 Jan 2022 19:57:58 +0100 Subject: [PATCH 1334/1764] configure: Add missing libshine->mpegaudioheader dependency Signed-off-by: Andreas Rheinhardt (cherry picked from commit e228d7b0db7d6cb02a73bee6d3bf4f6ecf92d0bf) --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index bf42ade4b1..30b1e2107c 100755 --- a/configure +++ b/configure @@ -2970,7 +2970,7 @@ libopus_encoder_deps="libopus" libopus_encoder_select="audio_frame_queue" librsvg_decoder_deps="librsvg" libshine_encoder_deps="libshine" -libshine_encoder_select="audio_frame_queue" +libshine_encoder_select="audio_frame_queue mpegaudioheader" libspeex_decoder_deps="libspeex" libspeex_encoder_deps="libspeex" libspeex_encoder_select="audio_frame_queue" From ef075e363d1a5040d35e8e65dcc5bb0a257c4681 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Oct 2021 19:51:08 +0200 Subject: [PATCH 1335/1764] avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit e154353fdb73dc1b3c1519350244d5346f761850) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/mathematics.h b/libavutil/mathematics.h index 54901800ba..64d4137a60 100644 --- a/libavutil/mathematics.h +++ b/libavutil/mathematics.h @@ -134,6 +134,7 @@ int64_t av_rescale(int64_t a, int64_t b, int64_t c) av_const; * * The operation is mathematically equivalent to `a * b / c`, but writing that * directly can overflow, and does not support different rounding methods. + * If the result is not representable then INT64_MIN is returned. * * @see av_rescale(), av_rescale_q(), av_rescale_q_rnd() */ From a2c450db44ca0df462648059283a546de68b0533 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Oct 2021 00:04:59 +0200 Subject: [PATCH 1336/1764] avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() Fixes: signed integer overflow: 822841647 + 1647055738 cannot be represented in type 'int' Fixes: 39935/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-4592657142251520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f24028c798397af720acb838357785aa705a8122) Signed-off-by: Michael Niedermayer --- libavcodec/ttadsp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ttadsp.c b/libavcodec/ttadsp.c index 1d1443aee0..99dd66a0c2 100644 --- a/libavcodec/ttadsp.c +++ b/libavcodec/ttadsp.c @@ -47,9 +47,9 @@ static void tta_filter_process_c(int32_t *qmi, int32_t *dx, int32_t *dl, *error = *in; *in += (round >> shift); - dl[4] = -dl[5]; dl[5] = -dl[6]; - dl[6] = *in - dl[7]; dl[7] = *in; - dl[5] += dl[6]; dl[4] += dl[5]; + dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6]; + dl[6] = *in -(unsigned)dl[7]; dl[7] = *in; + dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5]; } av_cold void ff_ttadsp_init(TTADSPContext *c) From 59b4b9086a525a15345062059ff57cf86086fdba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Oct 2021 13:25:59 +0200 Subject: [PATCH 1337/1764] avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE Fixes: out if array read Fixes: 40109/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-4805686811295744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Mattias Wadman Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index fed33087e8..db6765f34c 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ @@ -169,7 +170,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset) uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, &fpc->wrap_buf, &fpc->wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) { From b5873ca4f527570814420adf10bec529f76b2402 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 27 Jan 2020 21:53:08 +0100 Subject: [PATCH 1338/1764] avformat/tty: add probe function (cherry picked from commit 3bce9e9b3ea35c54bacccc793d7da99ea5157532) --- libavformat/tty.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index 8d48f2c45c..60f7e9f87e 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c @@ -34,6 +34,13 @@ #include "internal.h" #include "sauce.h" +static int isansicode(int x) +{ + return x == 0x1B || x == 0x0A || x == 0x0D || (x >= 0x20 && x < 0x7f); +} + +static const char tty_extensions[31] = "ans,art,asc,diz,ice,nfo,txt,vt"; + typedef struct TtyDemuxContext { AVClass *class; int chars_per_frame; @@ -42,6 +49,17 @@ typedef struct TtyDemuxContext { AVRational framerate; /**< Set by a private option. */ } TtyDemuxContext; +static int read_probe(const AVProbeData *p) +{ + int cnt = 0; + + for (int i = 0; i < p->buf_size; i++) + cnt += !!isansicode(p->buf[i]); + + return (cnt * 100LL / p->buf_size) * (cnt > 400) * + !!av_match_ext(p->filename, tty_extensions); +} + /** * Parse EFI header */ @@ -153,8 +171,9 @@ AVInputFormat ff_tty_demuxer = { .name = "tty", .long_name = NULL_IF_CONFIG_SMALL("Tele-typewriter"), .priv_data_size = sizeof(TtyDemuxContext), + .read_probe = read_probe, .read_header = read_header, .read_packet = read_packet, - .extensions = "ans,art,asc,diz,ice,nfo,txt,vt", + .extensions = tty_extensions, .priv_class = &tty_demuxer_class, }; From 3b49688440e7bd004634fe289d3f0e128df236fa Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 29 Sep 2020 10:21:34 +0200 Subject: [PATCH 1339/1764] avformat/movenc: Fix segfault when remuxing rtp hint stream When remuxing an rtp hint stream (or any stream with the tag "rtp "), the mov muxer treats this as one of the rtp hint tracks it creates internally when ordered to do so; yet this track lacks the AVFormatContext for the hinting rtp muxer, leading to segfaults in mov_write_udta_sdp() if a "trak" atom is written for this stream; if not, the stream's codecpar is freed by mov_free() as if the mov muxer owned it (it does for the internally created "rtp " tracks), but without resetting st->codecpar, leading to double-frees lateron. This commit therefore ignores said tag which makes rtp hint streams unremuxable. This fixes tickets #8181 and #8186. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 22c3cd176079dd104ec7610ead697235b04396f1) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index d69e0e543d..82e20011ed 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1470,6 +1470,10 @@ static int mov_get_codec_tag(AVFormatContext *s, MOVTrack *track) { int tag = track->par->codec_tag; + // "rtp " is used to distinguish internally created RTP-hint tracks + // (with rtp_ctx) from other tracks. + if (tag == MKTAG('r','t','p',' ')) + tag = 0; if (!tag || (s->strict_std_compliance >= FF_COMPLIANCE_NORMAL && (track->par->codec_id == AV_CODEC_ID_DVVIDEO || track->par->codec_id == AV_CODEC_ID_RAWVIDEO || From 04240e1d09e67c6e92189a96aeab96ef7428d942 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Oct 2019 11:54:12 +0200 Subject: [PATCH 1340/1764] avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum() Fixes: Ticket8176 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 2c78a76cb0443f8a12a5eadc3b58373aa2f4ab22) Signed-off-by: Michael Niedermayer --- libavcodec/g729dec.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/g729dec.c b/libavcodec/g729dec.c index 908c12a73a..943ddf5297 100644 --- a/libavcodec/g729dec.c +++ b/libavcodec/g729dec.c @@ -536,12 +536,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame_ptr, fc_v[i] = < \ fc_v[i] + gain_pitch * fc_v[i-pitch_delay], i >= pitch_delay */ - ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], - fc + pitch_delay_int[i], - fc, 1 << 14, - av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), - 0, 14, - SUBFRAME_SIZE - pitch_delay_int[i]); + if (SUBFRAME_SIZE > pitch_delay_int[i]) + ff_acelp_weighted_vector_sum(fc + pitch_delay_int[i], + fc + pitch_delay_int[i], + fc, 1 << 14, + av_clip(ctx->past_gain_pitch[0], SHARP_MIN, SHARP_MAX), + 0, 14, + SUBFRAME_SIZE - pitch_delay_int[i]); memmove(ctx->past_gain_pitch+1, ctx->past_gain_pitch, 5 * sizeof(int16_t)); ctx->past_gain_code[1] = ctx->past_gain_code[0]; From b8197738d27f21583d9f83d7fa8c978d3a47af85 Mon Sep 17 00:00:00 2001 From: James Almer Date: Tue, 15 Oct 2019 11:38:23 -0300 Subject: [PATCH 1341/1764] avformat/latmenc: abort if no extradata is available Fixes ticket #8273. Reviewed-by: Paul B Mahol Signed-off-by: James Almer (cherry picked from commit dd01947397b98e94c3f2a79d5820aaf4594f4d3b) Signed-off-by: Michael Niedermayer --- libavformat/latmenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/latmenc.c b/libavformat/latmenc.c index c919976d49..3e1a01c989 100644 --- a/libavformat/latmenc.c +++ b/libavformat/latmenc.c @@ -172,7 +172,8 @@ static int latm_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; memcpy(par->extradata, side_data, side_data_size); - } + } else + return AVERROR_INVALIDDATA; } } From 32a384519a57ad850789636c4c686091a53ce217 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:28:16 +0200 Subject: [PATCH 1342/1764] avfilter/vf_lenscorrection: fix division by zero Fixes #8265 (cherry picked from commit 19587c9332f5be4f6bc6d7b2b8ef3fd21dfeaa01) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lenscorrection.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_lenscorrection.c b/libavfilter/vf_lenscorrection.c index 239fe195bd..43f3c1b7d0 100644 --- a/libavfilter/vf_lenscorrection.c +++ b/libavfilter/vf_lenscorrection.c @@ -155,10 +155,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) for (plane = 0; plane < rect->nb_planes; ++plane) { int hsub = plane == 1 || plane == 2 ? rect->hsub : 0; int vsub = plane == 1 || plane == 2 ? rect->vsub : 0; - int hdiv = 1 << hsub; - int vdiv = 1 << vsub; - int w = rect->width / hdiv; - int h = rect->height / vdiv; + int w = AV_CEIL_RSHIFT(rect->width, hsub); + int h = AV_CEIL_RSHIFT(rect->height, vsub); int xcenter = rect->cx * w; int ycenter = rect->cy * h; int k1 = rect->k1 * (1<<24); From b239ccff7db0d418a74adcebfb1f2304f9a2f1f0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Wed, 16 Oct 2019 12:13:04 +0200 Subject: [PATCH 1343/1764] avfilter/vf_gblur: fix heap-buffer overflow Fixes #8282 (cherry picked from commit 64a805883d7223c868a683f0030837d859edd2ab) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_gblur.c b/libavfilter/vf_gblur.c index fd901e20d4..0b0274782a 100644 --- a/libavfilter/vf_gblur.c +++ b/libavfilter/vf_gblur.c @@ -222,7 +222,7 @@ static int config_input(AVFilterLink *inlink) s->nb_planes = av_pix_fmt_count_planes(inlink->format); - s->buffer = av_malloc_array(inlink->w, inlink->h * sizeof(*s->buffer)); + s->buffer = av_malloc_array(FFALIGN(inlink->w, 16), FFALIGN(inlink->h, 16) * sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); From b982f9fe9d8f76e11b0ce7bd3b60d92e28223787 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:02:04 +0200 Subject: [PATCH 1344/1764] avformat/aiffdec: Check sample_rate Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1b04836dff9958e8bfdbed2746b8c40b1e119ecc) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 4a042701e3..0b05af7e6d 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -122,6 +122,9 @@ static int get_aiff_header(AVFormatContext *s, int size, sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; if (size < 18) return AVERROR_INVALIDDATA; From a7eeea7872f3fe854a46a57bce14525844128520 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:10:39 +0200 Subject: [PATCH 1345/1764] avformat/aiffdec: sanity check block_align Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 93f7776921ed8c5219732210067016c3457e864d) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 0b05af7e6d..939e338096 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -353,7 +353,7 @@ got_sound: if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; - } else if (!st->codecpar->block_align) { + } else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } From 1cd6a75cba527e590a8e92fe7005f4a633c14230 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 31 Oct 2021 00:11:23 +0200 Subject: [PATCH 1346/1764] avformat/aiffdec: Use av_rescale() for bitrate Fixes: integer overflow Fixes: 40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 905588df975071c03c00b2e923c311b4de65a8f4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 939e338096..c7572058cc 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -187,8 +187,10 @@ static int get_aiff_header(AVFormatContext *s, int size, par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { - par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / - aiff->block_duration; + par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); + if (par->bit_rate < 0) + par->bit_rate = 0; } /* Chunk is over */ From f486033934426e435e8c21d9eb0d5cfee39d0ab0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Nov 2021 18:23:24 +0100 Subject: [PATCH 1347/1764] avformat/avidec: Check read_odml_index() for failure Fixes: Timeout Fixes: 40950/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6478873068437504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57adb26d058490daf2c5d6ddd3cf0cf2d2212256) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index b15aa6ecdb..0cb97dec3d 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -232,6 +232,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } else { int64_t offset, pos; int duration; + int ret; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); @@ -249,7 +251,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; - read_odml_index(s, frame_num); + ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; @@ -257,7 +259,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - + if (ret < 0) + return ret; } } avi->index_loaded = 2; From 54d7297b338a6c507cb4f9c98789e5a2ec1fe0f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 7 Nov 2021 13:48:24 +0100 Subject: [PATCH 1348/1764] avformat/mov: Check channels for mov_parse_stsd_audio() Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented in type 'long' Fixes: 40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a64a4c58255d45e05eff80c9464ad3bdc2d6463) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index f081ced86e..3ec6e91098 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2324,6 +2324,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries) av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } + if (st->codecpar->channels < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); + return AVERROR_INVALIDDATA; + } } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ st->codecpar->codec_id = id; mov_parse_stsd_subtitle(c, pb, st, sc, From c63fed42930e40b08034c7b0db1139d2739771a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:11:35 +0100 Subject: [PATCH 1349/1764] avformat/mov: Check for EOF in mov_read_glbl() Fixes: Infinite loop Fixes: 41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59b4e7cbd87889c0bac710ac7f62782b637419a1) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 3ec6e91098..aeb3cbbc7e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1700,6 +1700,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom) // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); From b60f4ff5dd7ca6e41fb660b6a9593a6446d514f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:42:22 +0100 Subject: [PATCH 1350/1764] avformat/mov: Disallow duplicate smdm Fixes: memleak Fixes: 39879/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5327819907923968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5ba74053c1ef9f38d9e7b3a036675f06d2b2714) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index aeb3cbbc7e..a4eb4751c3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4847,6 +4847,9 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } + if (sc->mastering) + return AVERROR_INVALIDDATA; + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); From 7300c29bd4c61b7e12b0e68b1d0fb6ae14a81bbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 3 Dec 2021 17:58:50 +0100 Subject: [PATCH 1351/1764] avcodec/apedec: Change avg to uint32_t Fixes: Integer overflow Fixes: 40973/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6739312704618496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 0ec75723a484405eb2f2ec2f9e58161b168ed8b0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index d05aa741ef..9e3756fc32 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -101,7 +101,7 @@ typedef struct APEFilter { int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values - int avg; + uint32_t avg; } APEFilter; typedef struct APERice { From 816a97ba507a92c507f6583859b7f91c63da8a91 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Dec 2021 22:19:05 +0100 Subject: [PATCH 1352/1764] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: memleak Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 8275add38e..06a7af425c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -900,6 +900,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg { int i, length; + if (segment->temporal_offset_entries) + return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); From 60500dfc38012613d1dfde59c4ad45e90e0136cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 4 Dec 2021 20:48:54 +0100 Subject: [PATCH 1353/1764] avformat/mov: Check next offset in mov_read_dref() Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long' Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a4eb4751c3..468e4094b9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -597,11 +597,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); - int64_t next = avio_tell(pb) + size - 4; + int64_t next = avio_tell(pb); - if (size < 12) + if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; + next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags From e1793ad68e8e71d3850b44be6ac72df06c3d7ae5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:08 +0100 Subject: [PATCH 1354/1764] avformat/4xm: Consider max_streams on reallocating tracks array Fixes: OOM Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 8e2d305b24..bce2727d79 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s, return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); - if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || + track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } From fa922acc51660df7bbf46ade0d8eca87766200fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 7 Dec 2021 09:14:09 +0100 Subject: [PATCH 1355/1764] avformat/4xm: Check for duplicate track ids Signed-off-by: Michael Niedermayer (cherry picked from commit dd949124793c722ed55dead9da245574ace81968) Signed-off-by: Michael Niedermayer --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index bce2727d79..fd224f9ad5 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s, memset(&fourxm->tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; + } else { + if (fourxm->tracks[track].bits) + return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels = AV_RL32(buf + 36); From 50b56b539ec534d661cf1ffb2b4fbc8cb9f6eace Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Jul 2020 23:34:15 +0200 Subject: [PATCH 1356/1764] avcodec/alacdsp: fix integer overflow in decorrelate_stereo() Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int' Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336 Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 9996eb4319..8718d1b6b1 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, a = buffer[0][i]; b = buffer[1][i]; - a -= (b * decorr_left_weight) >> decorr_shift; + a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; From 807a564acf39c40faa2282e47fc0457b6e9e9017 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 Dec 2021 22:26:00 +0100 Subject: [PATCH 1357/1764] avcodec/vqavideo: reset accounting on error Fixes: Timeout (same growing chunk is decoded to failure repeatedly) Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index b9743abda9..8df3ab3c2b 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame) if (s->partial_countdown <= 0) { bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) - return res; + res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; + if (res < 0) + return res; } } From 83778e7787ca07f88f3f4718719c2dbfa363a0fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:36:16 +0100 Subject: [PATCH 1358/1764] avformat/flvdec: timestamps cannot use the full int64 range We do not support this as we multiply by 1000 Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long' Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 70622e261b..7c8d83edf1 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -432,6 +432,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; + if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 0190d175c6f6301458daadd1aae6c9ae83678ec7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Dec 2021 20:39:14 +0100 Subject: [PATCH 1359/1764] avcodec/apedec: fix integer overflow in 8bit samples Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int' Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9e3756fc32..8a54c750b5 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1529,7 +1529,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; + *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: From a33ae752259c35a56c0c70ae70077b04bc0b0f75 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jan 2022 19:15:18 +0100 Subject: [PATCH 1360/1764] avcodec/apedec: Fix integer overflows in predictor_update_3930() Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int' Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 8a54c750b5..87d704e600 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1038,13 +1038,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, const int delayA) { int32_t predictionA, sign; - int32_t d0, d1, d2, d3; + uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA ]; - d1 = p->buf[delayA ] - p->buf[delayA - 1]; - d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; - d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; + d1 = p->buf[delayA ] - (unsigned)p->buf[delayA - 1]; + d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; + d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + @@ -1055,10 +1055,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); - p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; - p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; - p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; - p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; + p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; + p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; + p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; + p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } From e42732b91f93b694d874cf37a49b9635b250afce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jan 2022 14:26:05 +0100 Subject: [PATCH 1361/1764] avformat/mov: Check size before subtraction Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long' Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 468e4094b9..78ec7e8f45 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5768,6 +5768,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.size == 0) { a.size = atom.size - total_size + 8; } + if (a.size < 0) + break; a.size -= 8; if (a.size < 0) break; From 0027251644310779f63e7edf7957f52d1a026460 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Feb 2022 22:46:55 +0100 Subject: [PATCH 1362/1764] avformat/matroskadec: Fix infinite loop with bz decompression The same check is added to zlib too, it seems not needed there though Fixes: Infinite loop Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 20a16664c3..8dae8e7cb6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1393,7 +1393,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; - if (inflateInit(&zstream) != Z_OK) + if (!pkt_size || inflateInit(&zstream) != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1426,7 +1426,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; - if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) + if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; From 9eca5d77c4678da416212e78b8456faaf9df529d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Feb 2022 00:44:32 +0100 Subject: [PATCH 1363/1764] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() Fixes: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index cc5a06b127..cc1e574ddd 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4808,7 +4808,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf, key_len = ptr - key; callback_get_buf(context, key, key_len, &dest, &dest_len); - dest_end = dest + dest_len - 1; + dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; From 79d52d06683c46a0343bb6220433e0c7480744d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:37:22 +0100 Subject: [PATCH 1364/1764] avformat/matroskadec: Check desc_bytes Fixes: Division by 0 Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8dae8e7cb6..36674195a1 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3818,12 +3818,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; - double desc_sec = desc_ns / nano_seconds_per_second; - double calc_bits_per_second = (desc_bytes * 8) / desc_sec; + double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; + if (desc_bytes <= 0) + return -1; + + desc_sec = desc_ns / nano_seconds_per_second; + calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. - double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; - double mod_bits_per_second = calc_bits_per_second * percent; + percent = (desc_bytes - prebuffer_bytes) / desc_bytes; + mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = From 07b7a4be0ad847e4a05a31ba85092ceaec4faccf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Feb 2022 20:41:08 +0100 Subject: [PATCH 1365/1764] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned Fixes: left shift of 32768 by 16 places cannot be represented in type 'int' Fixes: Timeout Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520 Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index a8d9eaa18a..0cb40cc0f1 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, if (RItype) temp += state->N[Q] >> 1; - for (k = 0; (state->N[Q] << k) < temp; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN From 5ead85030294e18131dc1f675ea7547babf50b8f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 21:38:50 +0100 Subject: [PATCH 1366/1764] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() This codepath seems untested, no testcases change Found-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 316d16a77b..310925c2da 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1634,7 +1634,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; - for(x=0; xmb_width; x++){ + for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1651,7 +1651,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) score[j]-= 170; } } - xy++; } } From 00f9a2bfd5fc59cbb2aab99a3a8c6572b7e85b81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Feb 2022 10:31:34 +0100 Subject: [PATCH 1367/1764] avcodec/motion_est: fix indention of ff_get_best_fcode() Signed-off-by: Michael Niedermayer (cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 310925c2da..ec3b6cfbba 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1642,9 +1642,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) fcode_tab[my + MAX_MV]); int j; - if(mx >= range || mx < -range || - my >= range || my < -range) - continue; + if (mx >= range || mx < -range || + my >= range || my < -range) + continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) From fa91d68bf4716b9b20c5fc8b5fe14e6f7d2fd3b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 12 Feb 2022 22:02:13 +0100 Subject: [PATCH 1368/1764] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error Fixes: Timeout Fixes: Invalid shift Fixes: 44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289 Fixes: 44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632 Fixes: 44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200 Fixes: 44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280 Fixes: 44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984 Fixes: 44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 0cb40cc0f1..11b2ff71a8 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); + if (ret < 0) + return -0x10000; /* decode mapped error */ map = 0; From 83d5b57074f55c838231d2f499042ddcb1423b30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Feb 2022 21:01:06 +0100 Subject: [PATCH 1369/1764] avcodec/jpeglsdec: Fix if( code style Signed-off-by: Michael Niedermayer (cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 11b2ff71a8..615c9e5068 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->t3 = get_bits(&s->gb, 16); s->reset = get_bits(&s->gb, 16); - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) else maxtab = 65530/wt - 1; - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } - if(FFABS(ret) > 0xFFFF) + if (FFABS(ret) > 0xFFFF) return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; From 77f3f2aaf9bbd58aad74b373ce2ace57fd9c18a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Feb 2022 20:01:35 +0100 Subject: [PATCH 1370/1764] avformat/matroskadec: Check duration Fixes: -nan is outside the range of representable values of type 'long' Fixes: 44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 36674195a1..8eb382744f 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2628,6 +2628,8 @@ static int matroska_read_header(AVFormatContext *s) if (!matroska->time_scale) matroska->time_scale = 1000000; + if (isnan(matroska->duration)) + matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; From b70429e33c7c33eda2f0cbcf8d9fa0752bcd3c22 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Mar 2022 13:01:53 +0100 Subject: [PATCH 1371/1764] avformat/mov: Disallow empty sidx It appears this is not allowed "Each Segment Index box documents how a (sub)segment is divided into one or more subsegments (which may themselves be further subdivided using Segment Index boxes)." Fixes: Null pointer dereference Fixes: Ticket9517 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 78ec7e8f45..5bbc54493e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4586,7 +4586,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) index->track_id = track_id; index->item_count = avio_rb16(pb); - index->items = av_mallocz_array(index->item_count, sizeof(MOVFragmentIndexItem)); + index->items = index->item_count ? av_mallocz_array(index->item_count, sizeof(MOVFragmentIndexItem)) : NULL; if (!index->items) { av_freep(&index); From 680f821af320cb5955f0acbfea43d9a1350bccea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 24 Feb 2022 00:26:08 +0100 Subject: [PATCH 1372/1764] avformat/rmdec: Better duplicate tags check Fixes: memleaks Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 031590b109..42f76491e2 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -131,10 +131,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; - // Duplicate tags - if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) - return AVERROR_INVALIDDATA; - /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { @@ -334,6 +330,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, if (codec_data_size == 0) return 0; + // Duplicate tags + if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN + && st->codecpar->codec_type != AVMEDIA_TYPE_DATA) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); From b545c250783bcc82f07372a6808d9745615d9b1a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Feb 2022 21:44:29 +0100 Subject: [PATCH 1373/1764] avformat/avidec: Check height Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: Ticket8486 Signed-off-by: Michael Niedermayer (cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 0cb97dec3d..b9b0e6bb6c 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -843,6 +843,8 @@ FF_ENABLE_DEPRECATION_WARNINGS memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } + if (st->codecpar->height == INT_MIN) + return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); // avio_skip(pb, size - 5 * 4); From 4e305299d993868490fb25ebffcc34ea6549a3ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Mar 2022 23:24:49 +0100 Subject: [PATCH 1374/1764] avformat/matroskadec: Use rounded down duration in get_cue_desc() check Floating point is evil, it would be better if duration was not a double Fixes: Infinite loop Fixes: 45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8eb382744f..37f6d55e75 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3627,7 +3627,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start) int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; - if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + + if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) + return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { From 4b298c87213a481777e9512cc8a16c2b27670655 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 8 Feb 2022 00:43:56 +0100 Subject: [PATCH 1375/1764] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 'int' Fixes: 44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35) Signed-off-by: Michael Niedermayer --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 9498919d2f..d902beb501 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, // dequantize for (i = 0; i < s->num_taps; i++) - s->predictor_k[i] *= s->tap_quant[i]; + s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; From 92521686ce4b0c607d5d8a57a2f7dadfc08f40f5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Feb 2022 15:20:02 +0100 Subject: [PATCH 1376/1764] avformat/matroskadec: Check pre_ns Fixes: division by 0 Fixes: 44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 37f6d55e75..5def4e311a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3811,6 +3811,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; + if (pre_ns <= 0) + return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From 14eea4ade4cc02074ca22e13979ea8234dba6332 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 26 Oct 2020 21:30:19 +0100 Subject: [PATCH 1377/1764] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() Fixes: signed integer overflow: 11494 * 1073741824000000 cannot be represented in type 'long' Fixes: 26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index aa7ef55b7d..611a5cd200 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -396,7 +396,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); - dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -407,7 +407,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); - dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } From ea391e65ef771e5516a9244f52396e48d3eb4531 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 22:54:31 +0100 Subject: [PATCH 1378/1764] avformat/hls: Check target_duration Fixes: signed integer overflow: 77777777777777 * 1000000 cannot be represented in type 'long long' Fixes: 45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 332d10f2ee..73a5d22b39 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -750,10 +750,16 @@ static int parse_playlist(HLSContext *c, const char *url, &info); new_rendition(c, &info, url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) { + int64_t t; ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; + t = strtoll(ptr, NULL, 10); + if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) From adcacd0d744795b14a90b72ce5b9ba820b5074d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Mar 2022 23:36:22 +0100 Subject: [PATCH 1379/1764] avformat/cafdec: Do not store empty keys in read_info_chunk() Fixes: Timeout Fixes: 45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 4817b90b0b..b9e70ea2fb 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -243,6 +243,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size) char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); + if (!*key) + continue; av_dict_set(&s->metadata, key, value, 0); } } From 86c204addfa0369d45322b9f8392ef3387cf82ee Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 00:07:50 +0100 Subject: [PATCH 1380/1764] avformat/aqtitledec: Skip unrepresentable durations Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented in type 'long' Fixes: 45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107) Signed-off-by: Michael Niedermayer --- libavformat/aqtitledec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 317547c4f4..01b4fd7b93 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); if (sub) { - sub->duration = frame - sub->pts; + if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) + sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { From 1c73b96c21a2484f144648996578e325cc1bc62e Mon Sep 17 00:00:00 2001 From: Oneric Date: Wed, 23 Mar 2022 20:43:54 +0100 Subject: [PATCH 1381/1764] avfilter/vf_subtitles: pass storage size to libass Due to a quirk of the ASS format some tags depend on the exact storage resolution of the video, so tell libass via ass_set_storage_size. --- libavfilter/vf_subtitles.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index 66a564699a..39c40bf458 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c @@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink) ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); - if (ass->original_w && ass->original_h) + if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x01010000 + ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); + } else { + ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif + } + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); From 7ea021e7bf974256e5b215e3a328855db9d41b5f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:12:17 +0200 Subject: [PATCH 1382/1764] avcodec/apedec: fix a integer overflow in long_filter_high_3800() Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in type 'int' Fixes: 45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 87d704e600..035fa9a434 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -905,7 +905,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } - buffer[i] -= dotprod >> shift; + buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; From 8ed50e18388f3d5470d4a89d99a17439245b3173 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 28 Mar 2022 00:26:06 +0200 Subject: [PATCH 1383/1764] avcodec/takdsp: Fix integer overflow in decorrelate_sf() Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 'int' Fixes: 45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 9cb8052596..a8f9dba342 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; + b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } From 73c593b0ce70faa79e2bd1527362b6d08bec4a9e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Mar 2022 20:51:47 +0100 Subject: [PATCH 1384/1764] avcodec/diracdec: avoid signed integer overflow in global mv Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented in type 'long' Fixes: 45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232) Signed-off-by: Michael Niedermayer --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 69828c4589..112d7ecfd5 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1411,8 +1411,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); From 07cb2c8863b1bf9ec697641eda3829776c7191ba Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Mon, 14 Oct 2019 20:14:03 +0200 Subject: [PATCH 1385/1764] avfilter/vf_lenscorrection: make width/height int Somehow previous correct fix broke usage. (cherry picked from commit 79522411fa53b68743302d16d28156db95466a21) Signed-off-by: Michael Niedermayer --- libavfilter/vf_lenscorrection.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_lenscorrection.c b/libavfilter/vf_lenscorrection.c index 43f3c1b7d0..754b8f5ada 100644 --- a/libavfilter/vf_lenscorrection.c +++ b/libavfilter/vf_lenscorrection.c @@ -36,8 +36,8 @@ typedef struct LenscorrectionCtx { const AVClass *av_class; - unsigned int width; - unsigned int height; + int width; + int height; int hsub, vsub; int nb_planes; double cx, cy, k1, k2; From 148314955b9cedc9ad229f03b0ac8ddc43904925 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 13 Apr 2022 23:41:11 +0200 Subject: [PATCH 1386/1764] Update for FFmpeg 3.4.10 Signed-off-by: Michael Niedermayer --- Changelog | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 57 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index aaab81f211..3ffaac29c7 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,61 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.10: + avfilter/vf_lenscorrection: make width/height int + avcodec/diracdec: avoid signed integer overflow in global mv + avcodec/takdsp: Fix integer overflow in decorrelate_sf() + avcodec/apedec: fix a integer overflow in long_filter_high_3800() + avfilter/vf_subtitles: pass storage size to libass + avformat/aqtitledec: Skip unrepresentable durations + avformat/cafdec: Do not store empty keys in read_info_chunk() + avformat/hls: Check target_duration + avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() + avformat/matroskadec: Check pre_ns + avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior + avformat/matroskadec: Use rounded down duration in get_cue_desc() check + avformat/avidec: Check height + avformat/rmdec: Better duplicate tags check + avformat/mov: Disallow empty sidx + avformat/matroskadec: Check duration + avcodec/jpeglsdec: Fix if( code style + avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error + avcodec/motion_est: fix indention of ff_get_best_fcode() + avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() + avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned + avformat/matroskadec: Check desc_bytes + avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() + avformat/matroskadec: Fix infinite loop with bz decompression + avformat/mov: Check size before subtraction + avcodec/apedec: Fix integer overflows in predictor_update_3930() + avcodec/apedec: fix integer overflow in 8bit samples + avformat/flvdec: timestamps cannot use the full int64 range + avcodec/vqavideo: reset accounting on error + avcodec/alacdsp: fix integer overflow in decorrelate_stereo() + avformat/4xm: Check for duplicate track ids + avformat/4xm: Consider max_streams on reallocating tracks array + avformat/mov: Check next offset in mov_read_dref() + avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() + avcodec/apedec: Change avg to uint32_t + avformat/mov: Disallow duplicate smdm + avformat/mov: Check for EOF in mov_read_glbl() + avformat/mov: Check channels for mov_parse_stsd_audio() + avformat/avidec: Check read_odml_index() for failure + avformat/aiffdec: Use av_rescale() for bitrate + avformat/aiffdec: sanity check block_align + avformat/aiffdec: Check sample_rate + avfilter/vf_gblur: fix heap-buffer overflow + avfilter/vf_lenscorrection: fix division by zero + avformat/latmenc: abort if no extradata is available + avcodec/g729dec: Avoid computing invalid temporary pointers for ff_acelp_weighted_vector_sum() + avformat/movenc: Fix segfault when remuxing rtp hint stream + avformat/tty: add probe function + avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE + avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() + avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results + configure: Add missing libshine->mpegaudioheader dependency + + version 3.4.9: avformat/wavdec: Check smv_block_size avformat/rmdec: Check for multiple audio_stream_info diff --git a/RELEASE b/RELEASE index 7bcbb3808b..84d6c67654 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.9 +3.4.10 diff --git a/doc/Doxyfile b/doc/Doxyfile index 2a3ef445ae..b3823eac11 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.9 +PROJECT_NUMBER = 3.4.10 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 64c2815c29b353af61a1c509e63cb014c8f4f6f4 Mon Sep 17 00:00:00 2001 From: Gyan Doshi Date: Sat, 1 Jan 2022 00:29:41 +0530 Subject: [PATCH 1387/1764] configure: bump year (cherry picked from commit 2f6360ff21a98f9db6af3e0932d39f1dc7b47d6c) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 30b1e2107c..e6d9030d84 100755 --- a/configure +++ b/configure @@ -7000,7 +7000,7 @@ cat > $TMPH < Date: Sun, 14 Feb 2021 17:20:03 +0100 Subject: [PATCH 1388/1764] avcodec/pngenc: remove monowhite from apng formats Monowhite pixel format is not supported, and it does not make sense to add support for it. Fixes #7989 (cherry picked from commit 5d9f44da460f781a1604d537d0555b78e29438ba) Signed-off-by: Michael Niedermayer --- libavcodec/pngenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c index 69b4495404..dfc8eb58e6 100644 --- a/libavcodec/pngenc.c +++ b/libavcodec/pngenc.c @@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = { AV_PIX_FMT_PAL8, AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, - AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE + AV_PIX_FMT_NONE }, .priv_class = &apngenc_class, }; From 8296bf3dd05ea0b48ec479a77178bea6cac19a64 Mon Sep 17 00:00:00 2001 From: James Almer Date: Wed, 25 Sep 2019 14:21:07 -0300 Subject: [PATCH 1389/1764] aformat/movenc: add missing padding to output track extradata Fixes ticket #8183. Tested-by: Thierry Foucu Signed-off-by: James Almer (cherry picked from commit 58aa0ed8f10753ee90f4a4a1f4f3da803cf7c145) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 82e20011ed..b5c1c99a53 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5094,12 +5094,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) !TAG_IS_AVCI(trk->tag) && (par->codec_id != AV_CODEC_ID_DNXHD)) { trk->vos_len = par->extradata_size; - trk->vos_data = av_malloc(trk->vos_len); + trk->vos_data = av_malloc(trk->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, par->extradata, trk->vos_len); + memset(trk->vos_data + trk->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (par->codec_id == AV_CODEC_ID_AAC && pkt->size > 2 && @@ -5169,12 +5170,13 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) par->codec_id == AV_CODEC_ID_AC3) && !trk->vos_len) { /* copy frame to create needed atoms */ trk->vos_len = size; - trk->vos_data = av_malloc(size); + trk->vos_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!trk->vos_data) { ret = AVERROR(ENOMEM); goto err; } memcpy(trk->vos_data, pkt->data, size); + memset(trk->vos_data + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); } if (trk->entry >= trk->cluster_capacity) { @@ -5764,12 +5766,13 @@ static int mov_create_dvd_sub_decoder_specific_info(MOVTrack *track, cur += strspn(cur, "\n\r"); } if (have_palette) { - track->vos_data = av_malloc(16*4); + track->vos_data = av_malloc(16*4 + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); for (i = 0; i < 16; i++) { AV_WB32(track->vos_data + i * 4, palette[i]); } + memset(track->vos_data + 16*4, 0, AV_INPUT_BUFFER_PADDING_SIZE); track->vos_len = 16 * 4; } st->codecpar->width = width; @@ -6124,11 +6127,12 @@ static int mov_write_header(AVFormatContext *s) mov_create_dvd_sub_decoder_specific_info(track, st); else if (!TAG_IS_AVCI(track->tag) && st->codecpar->codec_id != AV_CODEC_ID_DNXHD) { track->vos_len = st->codecpar->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) { return AVERROR(ENOMEM); } memcpy(track->vos_data, st->codecpar->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } } @@ -6386,10 +6390,11 @@ static int mov_write_trailer(AVFormatContext *s) AVCodecParameters *par = track->par; track->vos_len = par->extradata_size; - track->vos_data = av_malloc(track->vos_len); + track->vos_data = av_malloc(track->vos_len + AV_INPUT_BUFFER_PADDING_SIZE); if (!track->vos_data) return AVERROR(ENOMEM); memcpy(track->vos_data, par->extradata, track->vos_len); + memset(track->vos_data + track->vos_len, 0, AV_INPUT_BUFFER_PADDING_SIZE); } mov->need_rewrite_extradata = 0; } From 278f86ece9582fd321105a54be9b7cf26b499967 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 19 Oct 2019 11:56:02 +0200 Subject: [PATCH 1390/1764] avfilter/vf_fieldmatch: fix heap-buffer overflow Also fix use of uninitialized values. Fixes #8239 (cherry picked from commit ce5274c1385d55892a692998923802023526b765) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fieldmatch.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_fieldmatch.c b/libavfilter/vf_fieldmatch.c index 3694f26d33..05ead8639d 100644 --- a/libavfilter/vf_fieldmatch.c +++ b/libavfilter/vf_fieldmatch.c @@ -885,7 +885,7 @@ static int config_input(AVFilterLink *inlink) fm->tpitchy = FFALIGN(w, 16); fm->tpitchuv = FFALIGN(w >> 1, 16); - fm->tbuffer = av_malloc(h/2 * fm->tpitchy); + fm->tbuffer = av_calloc((h/2 + 4) * fm->tpitchy, sizeof(*fm->tbuffer)); fm->c_array = av_malloc((((w + fm->blockx/2)/fm->blockx)+1) * (((h + fm->blocky/2)/fm->blocky)+1) * 4 * sizeof(*fm->c_array)); From c72ed4f3ebffbd5ed9713caf694dc8687a35d1c0 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:10:16 +0200 Subject: [PATCH 1391/1764] avfilter/vf_fieldorder: fix heap-buffer overflow Fixes #8264 (cherry picked from commit 07050d7bdc32d82e53ee5bb727f5882323d00dba) Signed-off-by: Michael Niedermayer --- libavfilter/vf_fieldorder.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_fieldorder.c b/libavfilter/vf_fieldorder.c index ca55ff1f66..5707151f1b 100644 --- a/libavfilter/vf_fieldorder.c +++ b/libavfilter/vf_fieldorder.c @@ -108,8 +108,8 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) s->dst_tff ? "up" : "down"); h = frame->height; for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) { - dst_line_step = out->linesize[plane]; - src_line_step = frame->linesize[plane]; + dst_line_step = out->linesize[plane] * (h > 2); + src_line_step = frame->linesize[plane] * (h > 2); line_size = s->line_size[plane]; dst = out->data[plane]; src = frame->data[plane]; From c1ce4fba515628096efb93247f5f24a62a91ba64 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 11 Oct 2019 12:42:13 +0200 Subject: [PATCH 1392/1764] avfilter/vf_bitplanenoise: fix overreads Fixes #8244 (cherry picked from commit 0b567238741854b41f84f7457686b044eadfe29c) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bitplanenoise.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_bitplanenoise.c b/libavfilter/vf_bitplanenoise.c index dd6864bc5e..55a3ff80ae 100644 --- a/libavfilter/vf_bitplanenoise.c +++ b/libavfilter/vf_bitplanenoise.c @@ -122,7 +122,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) if (s->depth <= 8) { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane]; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] : 0; const int dlinesize = out->linesize[plane]; uint8_t *val = in->data[plane]; uint8_t *dst = s->filter ? out->data[plane]: NULL; @@ -151,7 +151,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } } else { for (plane = 0; plane < s->nb_planes; plane++) { - const int linesize = in->linesize[plane] / 2; + const int linesize = s->planeheight[plane] > 1 ? in->linesize[plane] / 2 : 0; const int dlinesize = out->linesize[plane] / 2; uint16_t *val = (uint16_t *)in->data[plane]; uint16_t *dst = s->filter ? (uint16_t *)out->data[plane] : NULL; From 3ee76a3ddb6773eb3adee5f9fcd5848d26509689 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 17:23:10 +0200 Subject: [PATCH 1393/1764] avfilter/vf_edgedetect: check if height is big enough Fixes #8260 (cherry picked from commit ccf4ab8c9aca0aee66bcc2914031a9c97ac0eeb8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_edgedetect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index 173f9fe161..49556f33db 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c @@ -122,7 +122,8 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, int i, j; memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 1) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; for (j = 2; j < h - 2; j++) { dst[0] = src[0]; dst[1] = src[1]; @@ -152,8 +153,10 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, dst += dst_linesize; src += src_linesize; } - memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; - memcpy(dst, src, w); + if (h > 2) + memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; + if (h > 3) + memcpy(dst, src, w); } enum { From c5629402fa538e957e6e1d7d701ea199e78c36cc Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sat, 19 Oct 2019 19:34:47 +0200 Subject: [PATCH 1394/1764] avfilter/af_tremolo: fix heap-buffer overflow Fixes #8317 (cherry picked from commit 58bb9d3a3a6ede1c6cfb82bf671a5f138e6b2144) Signed-off-by: Michael Niedermayer --- libavfilter/af_tremolo.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_tremolo.c b/libavfilter/af_tremolo.c index 572e9e3b56..ebb7e71013 100644 --- a/libavfilter/af_tremolo.c +++ b/libavfilter/af_tremolo.c @@ -28,6 +28,7 @@ typedef struct TremoloContext { double freq; double depth; double *table; + int table_size; int index; } TremoloContext; @@ -72,7 +73,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) dst += channels; src += channels; s->index++; - if (s->index >= inlink->sample_rate / s->freq) + if (s->index >= s->table_size) s->index = 0; } @@ -125,11 +126,12 @@ static int config_input(AVFilterLink *inlink) const double offset = 1. - s->depth / 2.; int i; - s->table = av_malloc_array(inlink->sample_rate / s->freq, sizeof(*s->table)); + s->table_size = inlink->sample_rate / s->freq; + s->table = av_malloc_array(s->table_size, sizeof(*s->table)); if (!s->table) return AVERROR(ENOMEM); - for (i = 0; i < inlink->sample_rate / s->freq; i++) { + for (i = 0; i < s->table_size; i++) { double env = s->freq * i / inlink->sample_rate; env = sin(2 * M_PI * fmod(env + 0.25, 1.0)); s->table[i] = env * (1 - fabs(offset)) + offset; From cde751ce49e38979626d7c31ffadc57df3d5c518 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 15 Oct 2019 16:31:15 +0200 Subject: [PATCH 1395/1764] avfilter/vf_avgblur: fix heap-buffer overflow Fixes #8274 (cherry picked from commit f069a9c2a65bc20c3462127623127df6dfd06c5b) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index afd4a6ab79..3e268bb6ee 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -149,7 +149,7 @@ static int filter_vertically_##name(AVFilterContext *ctx, void *arg, int jobnr, \ src = s->buffer + x; \ ptr = buffer + x; \ - for (i = 0; i <= radius; i++) { \ + for (i = 0; i + radius < height && i <= radius; i++) { \ acc += src[(i + radius) * width]; \ count++; \ ptr[i * linesize] = acc / count; \ From da58e7fb9ed7223a555d97bb03b05745644812fb Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 11 Oct 2019 12:55:13 +0200 Subject: [PATCH 1396/1764] avfilter/vf_w3fdif: deny processing small videos Fixes #8243 (cherry picked from commit 0e68e8c93f9068596484ec8ba725586860e06fc8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_w3fdif.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_w3fdif.c b/libavfilter/vf_w3fdif.c index c6a6550778..b84052e8c7 100644 --- a/libavfilter/vf_w3fdif.c +++ b/libavfilter/vf_w3fdif.c @@ -274,6 +274,11 @@ static int config_input(AVFilterLink *inlink) s->planeheight[1] = s->planeheight[2] = AV_CEIL_RSHIFT(inlink->h, desc->log2_chroma_h); s->planeheight[0] = s->planeheight[3] = inlink->h; + if (inlink->h < 3) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 lines is not supported\n"); + return AVERROR(EINVAL); + } + s->nb_planes = av_pix_fmt_count_planes(inlink->format); s->nb_threads = ff_filter_get_nb_threads(ctx); s->work_line = av_calloc(s->nb_threads, sizeof(*s->work_line)); From 222783e2faeda088a6289931da1b038f3486ee33 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Tue, 15 Oct 2019 16:38:40 +0200 Subject: [PATCH 1397/1764] avfilter/vf_edgedetect: fix heap-buffer overflow Fixes #8275 (cherry picked from commit de598f82f8c3f8000e1948548e8088148e2b1f44) Signed-off-by: Michael Niedermayer --- libavfilter/vf_edgedetect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_edgedetect.c b/libavfilter/vf_edgedetect.c index 49556f33db..c1a21c7334 100644 --- a/libavfilter/vf_edgedetect.c +++ b/libavfilter/vf_edgedetect.c @@ -126,7 +126,8 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, memcpy(dst, src, w); dst += dst_linesize; src += src_linesize; for (j = 2; j < h - 2; j++) { dst[0] = src[0]; - dst[1] = src[1]; + if (w > 1) + dst[1] = src[1]; for (i = 2; i < w - 2; i++) { /* Gaussian mask of size 5x5 with sigma = 1.4 */ dst[i] = ((src[-2*src_linesize + i-2] + src[2*src_linesize + i-2]) * 2 @@ -147,8 +148,10 @@ static void gaussian_blur(AVFilterContext *ctx, int w, int h, + src[i+1] * 12 + src[i+2] * 5) / 159; } - dst[i ] = src[i ]; - dst[i + 1] = src[i + 1]; + if (w > 2) + dst[i ] = src[i ]; + if (w > 3) + dst[i + 1] = src[i + 1]; dst += dst_linesize; src += src_linesize; From 6f6036146d5808f4663d7e6e1b614ea23b8f2592 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Fri, 28 Feb 2020 22:06:29 +0100 Subject: [PATCH 1398/1764] fftools/ffmpeg_opt: Fix leak of options when parsing options fails Fixes #8094. Signed-off-by: Andreas Rheinhardt Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 21265f42ecb265debe9fec1dbfd0cb7de5a8aefb) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg_opt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index dcfaa06926..6aed8b65d8 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -3275,6 +3275,7 @@ static int open_files(OptionGroupList *l, const char *inout, if (ret < 0) { av_log(NULL, AV_LOG_ERROR, "Error parsing options for %s file " "%s.\n", inout, g->arg); + uninit_options(&o); return ret; } From 16eb9939ea493b6ed3bfc726e4cba2dacdd2e2fa Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Sun, 13 Oct 2019 23:21:35 +0200 Subject: [PATCH 1399/1764] avfilter/vf_bwdif: fix heap-buffer overflow Fixes #8261 (cherry picked from commit 8c3166e1c302c3ba80d9742ae46161c0fa8e2606) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bwdif.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index b691983611..7290c9a4a2 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -505,8 +505,8 @@ static int config_props(AVFilterLink *link) if(s->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 3) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or lines is not supported\n"); + if (link->w < 3 || link->h < 4) { + av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } From ac6c213c4eb1132f53d401099dc5e7df32705609 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Thu, 17 Oct 2019 11:28:55 +0200 Subject: [PATCH 1400/1764] avfilter/vf_random: fix memory leaks Fixes #8296 (cherry picked from commit 3488e0977c671568731afa12b811adce9d4d807f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_random.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavfilter/vf_random.c b/libavfilter/vf_random.c index 373a7db053..c7c9ff09c0 100644 --- a/libavfilter/vf_random.c +++ b/libavfilter/vf_random.c @@ -108,6 +108,14 @@ static int request_frame(AVFilterLink *outlink) return ret; } +static av_cold void uninit(AVFilterContext *ctx) +{ + RandomContext *s = ctx->priv; + + for (int i = 0; i < s->nb_frames; i++) + av_frame_free(&s->frames[i]); +} + static const AVFilterPad random_inputs[] = { { .name = "default", @@ -132,6 +140,7 @@ AVFilter ff_vf_random = { .priv_size = sizeof(RandomContext), .priv_class = &random_class, .init = init, + .uninit = uninit, .inputs = random_inputs, .outputs = random_outputs, }; From 13dfa808701732e999dec588b7ff6a96414b90ab Mon Sep 17 00:00:00 2001 From: James Almer Date: Fri, 18 Oct 2019 20:53:10 -0300 Subject: [PATCH 1401/1764] avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written Fixes ticket #8295 Signed-off-by: James Almer (cherry picked from commit 1d479300cbe0522c233b7d51148aea2b29bd29ad) Signed-off-by: Michael Niedermayer --- libavformat/nutenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index 2c2334a69c..7405dc28cc 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -1171,8 +1171,11 @@ static int nut_write_trailer(AVFormatContext *s) while (nut->header_count < 3) write_headers(s, bc); + if (!nut->sp_count) + return 0; + ret = avio_open_dyn_buf(&dyn_bc); - if (ret >= 0 && nut->sp_count) { + if (ret >= 0) { av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); From 02fd294a333baaa55501eb0a26b86c99a80e4569 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Thu, 17 Oct 2019 11:11:55 +0200 Subject: [PATCH 1402/1764] avcodec/ac3enc: Fix memleak Fixes ticket #8294. Signed-off-by: Andreas Rheinhardt (cherry picked from commit 097c917c147661f5378dae8fe3f7e46f43236426) Signed-off-by: Michael Niedermayer --- libavcodec/ac3enc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c index 032881724b..4d83c398bf 100644 --- a/libavcodec/ac3enc.c +++ b/libavcodec/ac3enc.c @@ -2051,7 +2051,8 @@ av_cold int ff_ac3_encode_close(AVCodecContext *avctx) av_freep(&block->cpl_coord_mant); } - s->mdct_end(s); + if (s->mdct_end) + s->mdct_end(s); return 0; } @@ -2433,7 +2434,7 @@ av_cold int ff_ac3_encode_init(AVCodecContext *avctx) ret = validate_options(s); if (ret) - return ret; + goto init_fail; avctx->frame_size = AC3_BLOCK_SIZE * s->num_blocks; avctx->initial_padding = AC3_BLOCK_SIZE; From ee981f7ceb2c20dbfc5a2f5f27b0c44032eac798 Mon Sep 17 00:00:00 2001 From: Paul B Mahol Date: Fri, 18 Oct 2019 10:48:22 +0200 Subject: [PATCH 1403/1764] avfilter/vf_colorspace: fix memmory leaks Fixes #8303 (cherry picked from commit fddef964e8aa4a2c123e470db1436a082ff6bcf3) Signed-off-by: Michael Niedermayer --- libavfilter/vf_colorspace.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index 71ea08a20f..dcac9f48f7 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -926,6 +926,7 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) res = av_frame_copy_props(out, in); if (res < 0) { av_frame_free(&in); + av_frame_free(&out); return res; } @@ -985,13 +986,18 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) !s->dither_scratch_base[1][0] || !s->dither_scratch_base[1][1] || !s->dither_scratch_base[2][0] || !s->dither_scratch_base[2][1]) { uninit(ctx); + av_frame_free(&in); + av_frame_free(&out); return AVERROR(ENOMEM); } s->rgb_sz = rgb_sz; } res = create_filtergraph(ctx, in, out); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } s->rgb_stride = rgb_stride / sizeof(int16_t); td.in = in; td.out = out; @@ -1005,8 +1011,11 @@ static int filter_frame(AVFilterLink *link, AVFrame *in) td.out_ss_h = av_pix_fmt_desc_get(out->format)->log2_chroma_h; if (s->yuv2yuv_passthrough) { res = av_frame_copy(out, in); - if (res < 0) + if (res < 0) { + av_frame_free(&in); + av_frame_free(&out); return res; + } } else { ctx->internal->execute(ctx, convert, &td, NULL, FFMIN((in->height + 1) >> 1, ff_filter_get_nb_threads(ctx))); From ffb5153d396150341229165bfa0a3ce0c5ce43a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 May 2022 02:14:22 +0200 Subject: [PATCH 1404/1764] Update for 3.4.11 Signed-off-by: Michael Niedermayer --- Changelog | 18 ++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 3ffaac29c7..7c66bbf90f 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,24 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.11: + avfilter/vf_colorspace: fix memmory leaks + avcodec/ac3enc: Fix memleak + avformat/nutenc: don't allocate a dynamic AVIOContext if no index is going to be written + avfilter/vf_random: fix memory leaks + avfilter/vf_bwdif: fix heap-buffer overflow + fftools/ffmpeg_opt: Fix leak of options when parsing options fails + avfilter/vf_edgedetect: fix heap-buffer overflow + avfilter/vf_w3fdif: deny processing small videos + avfilter/vf_avgblur: fix heap-buffer overflow + avfilter/af_tremolo: fix heap-buffer overflow + avfilter/vf_edgedetect: check if height is big enough + avfilter/vf_bitplanenoise: fix overreads + avfilter/vf_fieldorder: fix heap-buffer overflow + avfilter/vf_fieldmatch: fix heap-buffer overflow + aformat/movenc: add missing padding to output track extradata + avcodec/pngenc: remove monowhite from apng formats + version 3.4.10: avfilter/vf_lenscorrection: make width/height int avcodec/diracdec: avoid signed integer overflow in global mv diff --git a/RELEASE b/RELEASE index 84d6c67654..0ce07b72f8 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.10 +3.4.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index b3823eac11..d81f6aa9d8 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.10 +PROJECT_NUMBER = 3.4.11 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From bdadddf530ea1bef4b58261fd5652c5a20c8a5a8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:00:52 +0200 Subject: [PATCH 1405/1764] avformat/genh: Check sample rate Fixes: signed integer overflow: -2515507630940093440 * 4 cannot be represented in type 'long' Fixes: 46318/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5009637474172928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a3d790f1977ed6c326eb93bb61757297a7905dcc) Signed-off-by: Michael Niedermayer --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index cbdd53324b..c7d7b371f0 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -67,6 +67,9 @@ static int genh_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate < 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); From 1e99ff9d338b1573462d8a7a75bc523e9cb35085 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 22:40:59 +0200 Subject: [PATCH 1406/1764] avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d74078270198b97fdda258840f0d501a3ffcc693) Signed-off-by: Michael Niedermayer --- libavfilter/video.c | 7 ++++++- libavfilter/video.h | 1 + 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/video.c b/libavfilter/video.c index 6f9020b9fe..95ffea5699 100644 --- a/libavfilter/video.c +++ b/libavfilter/video.c @@ -41,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h) return ff_get_video_buffer(link->dst->outputs[0], w, h); } -AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align) { int pool_width = 0; int pool_height = 0; @@ -89,6 +89,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) return ff_frame_pool_get(link->frame_pool); } +AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +{ + return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align()); +} + AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h) { AVFrame *ret = NULL; diff --git a/libavfilter/video.h b/libavfilter/video.h index 56c58d6766..f9174a4a0b 100644 --- a/libavfilter/video.h +++ b/libavfilter/video.h @@ -24,6 +24,7 @@ #include "avfilter.h" AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h); +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align); AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h); /** From 0a3a33311e7566e0e05ca98f97d1e4b45f37f08d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 11 Apr 2022 13:49:05 +0200 Subject: [PATCH 1407/1764] avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements Fixes: issues with non trivial linesize Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d353909e773ba8a8201fa13d6c35251351dd567a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_frei0r.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/libavfilter/vf_frei0r.c b/libavfilter/vf_frei0r.c index 8aeac08519..bfcec07726 100644 --- a/libavfilter/vf_frei0r.c +++ b/libavfilter/vf_frei0r.c @@ -348,15 +348,21 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) { Frei0rContext *s = inlink->dst->priv; AVFilterLink *outlink = inlink->dst->outputs[0]; - AVFrame *out; + AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!out) + goto fail; - out = ff_get_video_buffer(outlink, outlink->w, outlink->h); - if (!out) { - av_frame_free(&in); - return AVERROR(ENOMEM); - } av_frame_copy_props(out, in); + if (in->linesize[0] != out->linesize[0]) { + AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!in2) + goto fail; + av_frame_copy(in2, in); + av_frame_free(&in); + in = in2; + } + s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, (const uint32_t *)in->data[0], (uint32_t *)out->data[0]); @@ -364,6 +370,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) av_frame_free(&in); return ff_filter_frame(outlink, out); +fail: + av_frame_free(&in); + av_frame_free(&out); + return AVERROR(ENOMEM); } #define OFFSET(x) offsetof(Frei0rContext, x) @@ -446,7 +456,7 @@ static int source_config_props(AVFilterLink *outlink) static int source_request_frame(AVFilterLink *outlink) { Frei0rContext *s = outlink->src->priv; - AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h); + AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); if (!frame) return AVERROR(ENOMEM); From 8775295080da8fc1a57493cb0e557366a65a0c0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 21 Apr 2022 22:45:12 +0200 Subject: [PATCH 1408/1764] avfilter/vsrc_mandelbrot: Check for malloc failure Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fbd22504c4148d2a01ccfe38df26c144f56db76b) Signed-off-by: Michael Niedermayer --- libavfilter/vsrc_mandelbrot.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vsrc_mandelbrot.c b/libavfilter/vsrc_mandelbrot.c index 6ad108151f..11650e36f7 100644 --- a/libavfilter/vsrc_mandelbrot.c +++ b/libavfilter/vsrc_mandelbrot.c @@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx) s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache)); s-> zyklus = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus)); + if (!s->point_cache || !s->next_cache || !s->zyklus) + return AVERROR(ENOMEM); + return 0; } From c5dba22ae49e549882937df10d7876970fe7e5e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 May 2022 22:55:12 +0200 Subject: [PATCH 1409/1764] avformat/act: Check ff_get_wav_header() for failure Fixes: missing error check Fixes: CID717495 Signed-off-by: Michael Niedermayer (cherry picked from commit 5982da87e3464e7df529a169352748560d70ba80) Signed-off-by: Michael Niedermayer --- libavformat/act.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/act.c b/libavformat/act.c index fe67411787..7cbffbfd05 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -66,6 +66,7 @@ static int read_header(AVFormatContext *s) AVIOContext *pb = s->pb; int size; AVStream* st; + int ret; int min,sec,msec; @@ -75,7 +76,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(s, pb, st->codecpar, size, 0); + ret = ff_get_wav_header(s, pb, st->codecpar, size, 0); + if (ret < 0) + return ret; /* 8000Hz (Fine-rec) file format has 10 bytes long From 0a330619bf3be0aefc1750d76e756587d43ae262 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Jan 2017 00:28:33 +0100 Subject: [PATCH 1410/1764] avcodec/texturedspenc: Fix indexing in color distribution determination Fixes CID1396405 MSE and PSNR is slightly improved, and some noticable corruptions disappear as well. Signed-off-by: Michael Niedermayer Signed-off-by: Marton Balint (cherry picked from commit ade36d61de8ea5a5acb30a05a0cbcda069127143) Signed-off-by: Michael Niedermayer --- libavcodec/texturedspenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/texturedspenc.c b/libavcodec/texturedspenc.c index 8b2863033b..5171c69d82 100644 --- a/libavcodec/texturedspenc.c +++ b/libavcodec/texturedspenc.c @@ -255,11 +255,11 @@ static void optimize_colors(const uint8_t *block, ptrdiff_t stride, muv = minv = maxv = bp[0]; for (y = 0; y < 4; y++) { - for (x = 4; x < 4; x += 4) { + for (x = 0; x < 4; x++) { muv += bp[x * 4 + y * stride]; - if (bp[x] < minv) + if (bp[x * 4 + y * stride] < minv) minv = bp[x * 4 + y * stride]; - else if (bp[x] > maxv) + else if (bp[x * 4 + y * stride] > maxv) maxv = bp[x * 4 + y * stride]; } } From 4cd065324a8ca703b447f28b5838bf707f202045 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:13:16 +0100 Subject: [PATCH 1411/1764] avformat/asfdec_f: Check packet_frag_timestamp Fixes: signed integer overflow: -9223372036854775808 - 4607 cannot be represented in type 'long' Fixes: 45685/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5280102802391040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffc877215056e8f0feb1ff23ba7dc4c19277b94b) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 81bf9d83e9..2d7c0a7a5e 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1315,10 +1315,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0) return ret; asf_st->seq = asf->packet_seq; - if (asf->ts_is_pts) { - asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; - } else - asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) { + if (asf->ts_is_pts) { + asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; + } else + asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + } asf_st->pkt.stream_index = asf->stream_index; asf_st->pkt.pos = asf_st->packet_pos = asf->packet_pos; asf_st->pkt_clean = 0; From c7e436a0b3031198c1d533fe2543a313a5a33463 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Mar 2022 23:24:40 +0100 Subject: [PATCH 1412/1764] avformat/bfi: Check offsets better Fixes: signed integer overflow: -2145378272 - 538976288 cannot be represented in type 'int' Fixes: 45690/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5015496544616448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35dc93ab44a57d78956414624c4e011414220e98) Signed-off-by: Michael Niedermayer --- libavformat/bfi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index f32a2cf8ce..a226101f76 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -143,12 +143,12 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) audio_offset = avio_rl32(pb); avio_rl32(pb); video_offset = avio_rl32(pb); - audio_size = video_offset - audio_offset; - bfi->video_size = chunk_size - video_offset; - if (audio_size < 0 || bfi->video_size < 0) { + if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) { av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); return AVERROR_INVALIDDATA; } + audio_size = video_offset - audio_offset; + bfi->video_size = chunk_size - video_offset; //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); From 6ee5e7a6966efed7d8f14d92a6d22c76d3168540 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Apr 2022 22:18:49 +0200 Subject: [PATCH 1413/1764] avformat/ape: more bits in size for less overflows Fixes: signed integer overflow: 2147483647 + 3 cannot be represented in type 'int' Fixes: 46184/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4678059519770624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e5f6707a7b91664491041526ef3cce7412258b89) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index c06db78480..3a3b91283e 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -42,8 +42,8 @@ typedef struct APEFrame { int64_t pos; + int64_t size; int nblocks; - int size; int skip; int64_t pts; } APEFrame; @@ -146,7 +146,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx) av_log(s, AV_LOG_DEBUG, "\nFrames\n\n"); for (i = 0; i < ape_ctx->totalframes; i++) - av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i, + av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i, ape_ctx->frames[i].pos, ape_ctx->frames[i].size, ape_ctx->frames[i].nblocks); @@ -164,7 +164,8 @@ static int ape_read_header(AVFormatContext * s) AVStream *st; uint32_t tag; int i; - int total_blocks, final_size = 0; + int total_blocks; + int64_t final_size = 0; int64_t pts, file_size; /* Skip any leading junk such as id3v2 tags */ @@ -403,7 +404,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) if (ape->frames[ape->currentframe].size <= 0 || ape->frames[ape->currentframe].size > INT_MAX - extra_size) { - av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n", + av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n", ape->frames[ape->currentframe].size); ape->currentframe++; return AVERROR(EIO); From 06bd0a44a8a0289afe2ab7a66a62bdde4517207d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2022 01:08:56 +0100 Subject: [PATCH 1414/1764] avformat/aiffdec: avoid integer overflow in get_meta() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a02de21278ec3bea1d2c62665f2629d5a62210f) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index c7572058cc..0a874c4e94 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -73,7 +73,7 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) /* Metadata string read */ static void get_meta(AVFormatContext *s, const char *key, int size) { - uint8_t *str = av_malloc(size+1); + uint8_t *str = av_malloc(size+1U); if (str) { int res = avio_read(s->pb, str, size); From 93d44b10e8bdcf94d2945e0a19572a759e433de9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:36:00 +0200 Subject: [PATCH 1415/1764] avcodec/cdgraphics: limit scrolling to the line Fixes: out of array access Fixes: 47877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5690504626438144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7e30a13d4e4557b87f977b76a6bb5e3cbe5ac78) Signed-off-by: Michael Niedermayer --- libavcodec/cdgraphics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index da6fb7af03..3d8219a451 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -238,7 +238,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++) memcpy(out + FFMAX(0, hinc) + stride * y, in + FFMAX(0, hinc) - hinc + (y - vinc) * stride, - FFMIN(stride + hinc, stride)); + FFABS(stride) - FFABS(hinc)); if (vinc > 0) cdg_fill_wrapper(0, 0, out, From a886e9526d678065ff909b27f353f803f3d4801b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 21:13:59 +0200 Subject: [PATCH 1416/1764] avcodec/jpeglsdec: fix end check for xfrm Fixes: out of array access Fixes: 47871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-5646305956855808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a82412bf33108111eb3f63076fd5a51349ae114) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 615c9e5068..59fb304a83 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -465,19 +465,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; @@ -485,7 +485,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, } break; case 4: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int r = src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b = src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8); From 9722b774c5c40eb090d0f5a21d3858f51242cd19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 23 Mar 2022 14:30:42 +0100 Subject: [PATCH 1417/1764] avformat/aiffdec: cleanup size handling for extreem cases Signed-off-by: Michael Niedermayer (cherry picked from commit c6f1e48b86471b1cc91c468e78a065075ed409bd) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 0a874c4e94..da5a428b86 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -54,9 +54,9 @@ static enum AVCodecID aiff_codec_get_id(int bps) } /* returns the size of the found tag */ -static int get_tag(AVIOContext *pb, uint32_t * tag) +static int64_t get_tag(AVIOContext *pb, uint32_t * tag) { - int size; + int64_t size; if (avio_feof(pb)) return AVERROR(EIO); @@ -64,16 +64,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) *tag = avio_rl32(pb); size = avio_rb32(pb); - if (size < 0) - size = 0x7fffffff; - return size; } /* Metadata string read */ -static void get_meta(AVFormatContext *s, const char *key, int size) +static void get_meta(AVFormatContext *s, const char *key, int64_t size) { - uint8_t *str = av_malloc(size+1U); + uint8_t *str = NULL; + + if (size < SIZE_MAX) + str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); @@ -91,7 +91,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size) } /* Returns the number of sound data frames or negative on error */ -static int get_aiff_header(AVFormatContext *s, int size, +static int get_aiff_header(AVFormatContext *s, int64_t size, unsigned version) { AVIOContext *pb = s->pb; @@ -102,9 +102,6 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; - if (size == INT_MAX) - return AVERROR_INVALIDDATA; - if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; @@ -215,7 +212,8 @@ static int aiff_probe(AVProbeData *p) /* aiff input */ static int aiff_read_header(AVFormatContext *s) { - int ret, size, filesize; + int ret; + int64_t filesize, size; int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; @@ -226,7 +224,7 @@ static int aiff_read_header(AVFormatContext *s) /* check FORM header */ filesize = get_tag(pb, &tag); - if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M')) + if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M')) return AVERROR_INVALIDDATA; /* AIFF data type */ From cddda6d7e44b8a8a6805d60e43e0b652c8d72903 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 28 Apr 2022 23:34:53 +0200 Subject: [PATCH 1418/1764] avcodec/alacdsp: Make intermediates unsigned Fixes: signed integer overflow: -14914387 + -2147418648 cannot be represented in type 'int' Fixes: 46464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-474307197311385 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8709f4c10a216cb3e11564bc392841e832f8e3b1) Signed-off-by: Michael Niedermayer --- libavcodec/alacdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 8718d1b6b1..b3c1c424f3 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, int i; for (i = 0; i < nb_samples; i++) { - int32_t a, b; + uint32_t a, b; a = buffer[0][i]; b = buffer[1][i]; - a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; + a -= (int)(b * decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; From 7521f2f66cd51feaa668dd62377b311f6e6d48a0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 00:43:21 +0200 Subject: [PATCH 1419/1764] avcodec/qdrw: adjust max colors to array size Fixes: out of array access Fixes: 48429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-4608329791438848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cd847f86d31f87f0f7733ca6ab7a2c022a1398bd) Signed-off-by: Michael Niedermayer --- libavcodec/qdrw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index 34c1442063..475cfecf5f 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -367,7 +367,7 @@ static int decode_frame(AVCodecContext *avctx, bytestream2_skip(&gbc, 18); colors = bytestream2_get_be16(&gbc); - if (colors < 0 || colors > 256) { + if (colors < 0 || colors > 255) { av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return AVERROR_INVALIDDATA; From 384b5dc0f196d5e5809851093985eb2cfb6e8bf8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Jun 2022 20:54:36 +0200 Subject: [PATCH 1420/1764] avcodec/aasc: Fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit af2ed09220fe82e0aa479d1b93be6aadc4930efc) Signed-off-by: Michael Niedermayer --- libavcodec/aasc.c | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 58cc3c85ba..bf1555e72c 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx, ff_msrle_decode(avctx, s->frame, 8, &s->gb); break; case MKTAG('A', 'A', 'S', 'C'): - switch (compr) { - case 0: - stride = (avctx->width * psize + psize) & ~psize; - if (buf_size < stride * avctx->height) + switch (compr) { + case 0: + stride = (avctx->width * psize + psize) & ~psize; + if (buf_size < stride * avctx->height) + return AVERROR_INVALIDDATA; + for (i = avctx->height - 1; i >= 0; i--) { + memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); + buf += stride; + buf_size -= stride; + } + break; + case 1: + bytestream2_init(&s->gb, buf, buf_size); + ff_msrle_decode(avctx, s->frame, 8, &s->gb); + break; + default: + av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); return AVERROR_INVALIDDATA; - for (i = avctx->height - 1; i >= 0; i--) { - memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); - buf += stride; - buf_size -= stride; } break; - case 1: - bytestream2_init(&s->gb, buf, buf_size); - ff_msrle_decode(avctx, s->frame, 8, &s->gb); - break; - default: - av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); - return AVERROR_INVALIDDATA; - } - break; default: av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag); return -1; From 6d40df7ea76680071ef7ed96731a21a0f0f83407 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 May 2022 01:23:22 +0200 Subject: [PATCH 1421/1764] avformat/sctp: close socket on errors This is untested as i have no testcase Fixes: CID1302709 Signed-off-by: Michael Niedermayer (cherry picked from commit c9a2996544187f67e533bc24f4cf773e50d2362b) Signed-off-by: Michael Niedermayer --- libavformat/sctp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 9a80e9b015..be0cb47865 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -282,6 +282,8 @@ fail: goto restart; } fail1: + if (fd >= 0) + closesocket(fd); ret = AVERROR(EIO); freeaddrinfo(ai); return ret; From f0aeea08a9310da79ef05cd4b631931aa699f751 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 02:31:47 +0200 Subject: [PATCH 1422/1764] avcodec/wnv1: Check for width =1 The decoder only outputs pixels for width >1 images, fail early Fixes: Timeout Fixes: 48298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WNV1_fuzzer-6198626319204352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d98d5a436aa70d3cef8f914c0467ef2fb2dd1dfc) Signed-off-by: Michael Niedermayer --- libavcodec/wnv1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 915e9c7dc9..291be78cc8 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -136,6 +136,9 @@ static av_cold int decode_init(AVCodecContext *avctx) { static VLC_TYPE code_table[1 << CODE_VLC_BITS][2]; + if (avctx->width <= 1) + return AVERROR_INVALIDDATA; + avctx->pix_fmt = AV_PIX_FMT_YUV422P; code_vlc.table = code_table; From db0daa80bc2781e6574988654033bcd52aac43ea Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 4 Jul 2022 23:32:40 +0200 Subject: [PATCH 1423/1764] avformat/iff: simplify duration calculation Fixes: signed integer overflow: 315680096256 * 134215943 cannot be represented in type 'long long' Fixes: 48713/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5886272312311808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0740641e932551342cc1737d981e950ecffa3b63) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 5be0eb55b7..1a1c80551a 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -385,7 +385,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = s->streams[0]->codecpar->sample_rate / 75; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); @@ -398,7 +398,8 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) case ID_FRTE: if (data_size < 4) return AVERROR_INVALIDDATA; - s->streams[0]->duration = avio_rb32(pb) * 588LL * s->streams[0]->codecpar->sample_rate / 44100; + s->streams[0]->duration = avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75; + break; } From f3e18932ffaad9b92384e27293ff95d495c6e3ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Jul 2022 13:31:19 +0200 Subject: [PATCH 1424/1764] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M This limit is possibly not reachable due to other restrictions on buffers but the decoder run table is too small beyond this, so explicitly check for it. Signed-off-by: Michael Niedermayer (cherry picked from commit b4431399ec1e10afff458cf1ffae2a75987d725a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 68a06b1c5f..27f954bd52 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -188,6 +188,9 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) return -1; + if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) + return AVERROR_INVALIDDATA; + for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); From 55fd698f853e290d36f41018fe1379056ec3a8b4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Jun 2022 00:59:15 +0200 Subject: [PATCH 1425/1764] avcodec/qpeldsp: copy less for the mc0x cases Fixes: out of array access Fixes: 47936/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5745039940124672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e690d4edf581c42dbd907c0fafe53fba86a00812) Signed-off-by: Michael Niedermayer --- libavcodec/qpeldsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/qpeldsp.c b/libavcodec/qpeldsp.c index 6e52b33657..d99b8fd0ba 100644 --- a/libavcodec/qpeldsp.c +++ b/libavcodec/qpeldsp.c @@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8); \ } \ @@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[16 * 9]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16); \ } \ \ @@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8); \ } \ @@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16); \ } \ @@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[24 * 17]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24); \ } \ \ @@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16); \ } \ From 0fcc72472604b9a08f83bb4fa65d0e8d8774a002 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2022 22:21:55 +0200 Subject: [PATCH 1426/1764] avcodec/hevcdsp_template: stay within tables in sao_band_filter() Fixes: out of array read Fixes: 47875/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5719393113341952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c5250a5612d4b32d79108de0c03945b2017963e) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 56cd9e605d..61425975cd 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src, offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1]; for (y = 0; y < height; y++) { for (x = 0; x < width; x++) - dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]); + dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); dst += stride_dst; src += stride_src; } From 566aa2305468dfa6da9606578c007082f908557c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 May 2022 00:50:33 +0200 Subject: [PATCH 1427/1764] avformat/rtsp: break on unknown protocols This function needs more cleanup and it lacks error handling Fixes: use of uninitialized memory Fixes: CID700776 Signed-off-by: Michael Niedermayer (cherry picked from commit 73c0fd27c5c53c42e5060fb3a0c1fc5708b6f670) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 91176420c8..fea40e59fb 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -920,6 +920,8 @@ static void rtsp_parse_transport(AVFormatContext *s, ";,", &p); } th->transport = RTSP_TRANSPORT_RAW; + } else { + break; } if (!av_strcasecmp(lower_transport, "TCP")) th->lower_transport = RTSP_LOWER_TRANSPORT_TCP; From aed958c060e58fc8866bb4f5ddd6087e663bd462 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 18 May 2022 02:10:52 +0200 Subject: [PATCH 1428/1764] avfilter/vf_signature: Fix integer overflow in filter_frame() Fixes: CID1403233 The second of the 2 changes may be unneeded but will help coverity Signed-off-by: Michael Niedermayer (cherry picked from commit dd6040675ec18d19429f882caea6bb306ed6677a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index d07b213f31..8bdd7f55a2 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -223,7 +223,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) dw1 = inlink->w / 32; if (inlink->w % 32) dw2 = dw1 + 1; - denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1; + denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1; for (i = 0; i < 32; i++) { rowcount = 0; @@ -249,7 +249,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) } } - denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2; + denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2; for (i = 0; i < ELEMENT_COUNT; i++) { const ElemCat* elemcat = elements[i]; From 3f9e48f8e6bb0607a2a37004f8833be25e4c50be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 May 2022 00:51:12 +0200 Subject: [PATCH 1429/1764] avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() Fixes: signed integer overflow: 2147483645 + 16 cannot be represented in type 'int' Fixes: 46993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4759025234870272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1537f40516d625fc5fa57db4fdfb737312fbc500) Signed-off-by: Michael Niedermayer --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 43fcc90ae5..0d34a2a710 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src) { int i; for (i = 0; i < 32; i++) { - v[ i] = ( src[63 - 2*i ] + 0x10) >> 5; - v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5; + v[ i] = (int)(0x10U + src[63 - 2*i ]) >> 5; + v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5; } } From b66fa64a9fdf7981c91613f2e220991677e66568 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Apr 2022 22:16:51 +0200 Subject: [PATCH 1430/1764] avcodec/h264dec: Skip late SEI Fixes: Race condition Fixes: clusterfuzz-testcase-minimized-mediasource_MP2T_AVC_pipeline_integration_fuzzer-6282675434094592 Found-by: google ClusterFuzz Tested-by: Dan Sanders Signed-off-by: Michael Niedermayer (cherry picked from commit f7dd408d64013ae177c1f8d0e04418e5075db5bc) Signed-off-by: Michael Niedermayer --- libavcodec/h264dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 6a28f3a3ae..17eaf4c76f 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -724,6 +724,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) avpriv_request_sample(avctx, "data partitioning"); break; case H264_NAL_SEI: + if (h->setup_finished) { + avpriv_request_sample(avctx, "Late SEI"); + break; + } ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx); h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1; if (avctx->debug & FF_DEBUG_GREEN_MD) From 26be0c6c7aa98f2c5dc909891b5ea42f58924cc0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Jul 2022 20:43:20 +0200 Subject: [PATCH 1431/1764] avcodec/lagarith: Check dst/src in zero run code Fixes: out of array access Fixes: 48799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4764457825337344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9450f759748d02d1d284d2e4afd741cb0fe0c04a) Signed-off-by: Michael Niedermayer --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index ff3eded761..6e5d754dfb 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -404,6 +404,9 @@ output_zeros: if (zero_run) { zero_run = 0; i += esc_count; + if (i > end - dst || + i >= src_end - src) + return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); From d51b09d503f4000582175f326f0d064a91d94185 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 19 Jul 2022 00:32:18 +0200 Subject: [PATCH 1432/1764] avformat/asfdec_f: Use 64bit for packet start time Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ed78486fcb065b5b459f14d4b1c3242f6d21ec7) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2d7c0a7a5e..91104c19dc 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -104,7 +104,7 @@ typedef struct ASFContext { int ts_is_pts; int packet_multi_size; int packet_time_delta; - int packet_time_start; + int64_t packet_time_start; int64_t packet_pos; int stream_index; From 932463c69dc9263a4fdec03f99429ae9885d9a4f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Jul 2022 23:54:49 +0200 Subject: [PATCH 1433/1764] avformat/nutdec: Check get_packetheader() in mainheader Fixes; Timeout Fixes: 48794/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6524604713140224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5de084aa63b79586bc445e6a7fea837688b3941) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index e86d8222d0..0b04aaad3e 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -199,6 +199,8 @@ static int decode_main_header(NUTContext *nut) int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + if (length == (uint64_t)-1) + return AVERROR_INVALIDDATA; end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); From 5dfad587a179bda099d8aeb711fa73db4908b2ac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Jun 2022 01:36:29 +0200 Subject: [PATCH 1434/1764] avformat/flvdec: Check for EOF in index reading Fixes: Timeout Fixes: 47992/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6020443879899136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ceff5d7b74cd9ae6055957979d27d289c70a9e1b) Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 7c8d83edf1..8c81e0b98e 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -434,6 +434,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m goto invalid; if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) goto invalid; + if (avio_feof(ioc)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { From 59d3ee9046102cbbb012c054ad523ef1515aa9d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Jul 2022 00:51:32 +0200 Subject: [PATCH 1435/1764] avcodec/hevc_filter: copy_CTB() only within width&height Fixes: out of array access Fixes: 49271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5424984922652672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ef35d384c3df22d8a8be7416dc9d532e91c52) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_filter.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index b53f4cc721..aa7ba0d197 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -145,11 +145,22 @@ int i, j; if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { - for (j = 0; j < width; j+=8) + for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } + if (width&7) { + dst += ((width>>3)<<3) - stride_dst * height; + src += ((width>>3)<<3) - stride_src * height; + width &= 7; + for (i = 0; i < height; i++) { + for (j = 0; j < width; j++) + dst[j] = src[j]; + dst += stride_dst; + src += stride_src; + } + } } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) From fd1db5262b29cc755961b8a48cdc640978720a0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:53:32 +0200 Subject: [PATCH 1436/1764] MAINTAINERS: Add ED25519 key for signing my commits in the future Signed-off-by: Michael Niedermayer (cherry picked from commit 05225180bea208dfd81efac327e429711a963697) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index 9027ed5846..fcff7884e2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -591,6 +591,7 @@ Jean Delvare 7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE Lou Logan 7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George 24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 Panagiotis Issaris 6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029 From 371fc3769bc633b978128e51a5953eea2276038b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 14 Aug 2022 23:39:56 +0200 Subject: [PATCH 1437/1764] avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel This is somewhat redundant with the is_decoded check. Maybe there is a nicer solution Fixes: Null pointer dereference Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b51e1992289383aa9f083c88e153e34b6412c89) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index ecc8ad820c..85f5ec251a 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3154,7 +3154,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, } } else { /* verify the SEI checksum */ - if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && + if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { From b2e0b0843f4760918d93d85bc0e17d1cd3b43287 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 15 Aug 2022 00:02:37 +0200 Subject: [PATCH 1438/1764] avcodec/h263dec: Sanity check against minimal I/P frame size Fixes: Timeout Fixes: 49718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4874987894341632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff9c21cb77e024fa4ff5889826a8bee4d0e0a) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 7659697d17..b13892ddbb 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -532,6 +532,8 @@ retry: avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; } From 18a3e264b8a786e54499a8f3f01b99eeaf097315 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 00:22:41 +0200 Subject: [PATCH 1439/1764] avformat/avidec: Prevent entity expansion attacks Fixes: Timeout Fixes no testcase, this is the same idea as similar attacks against XML parsers Signed-off-by: Michael Niedermayer (cherry picked from commit f3e823c2aa04d4f5571a5e04c27a244890704c8d) Signed-off-by: Michael Niedermayer --- libavformat/avidec.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index b9b0e6bb6c..bf96408a96 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -80,6 +80,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -189,7 +191,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); @@ -210,11 +212,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -233,6 +242,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) int64_t offset, pos; int duration; int ret; + avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ From d2f7d6a3800b96d767f8501584abe99101407e31 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 20:31:32 +0200 Subject: [PATCH 1440/1764] libavformat/iff: Check for overflow in body_end calculation Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 1a1c80551a..52bc8c99c9 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -502,6 +502,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { From 2d83c7492dbdaa76f2f7784f70e83471fe192cec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Aug 2022 22:10:09 +0200 Subject: [PATCH 1441/1764] libavcodec/8bps: Check that line lengths fit within the buffer Fixes: Timeout Fixes: undefined pointer arithmetic Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2316d5ec1a95b13ff9a0ce80409fa367a041966d) Signed-off-by: Michael Niedermayer --- libavcodec/8bps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index aa2318fa2d..655c62725b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -70,6 +70,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; From 1d5e021c23fd1dafd20a7e726d6558e3cdf2db5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 9 Aug 2022 21:49:04 +0200 Subject: [PATCH 1442/1764] doc/git-howto.texi: Document commit signing Signed-off-by: Michael Niedermayer (cherry picked from commit ced0dc807eb67516b341d68f04ce5a87b02820de) Signed-off-by: Michael Niedermayer --- doc/git-howto.texi | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 2b4fb80233..bd26fcb259 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions. git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. @@ -393,6 +400,19 @@ git checkout -b svn_23456 $SHA1 where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, From 70f491be134e0610c42475a08f141c86ed7f7756 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Aug 2022 01:21:38 +0200 Subject: [PATCH 1443/1764] avformat/asfdec_o: limit recursion depth in asf_read_unknown() The threshold of 5 is arbitrary, both smaller and larger should work fine Fixes: Stack overflow Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f1a368169ef9d945dc4b4764f5c60ba9bbc9134) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 40a24b15df..edd139ab9e 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -113,6 +113,7 @@ typedef struct ASFContext { int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior + int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -177,7 +178,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; - if (size > INT64_MAX) + if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) @@ -186,8 +187,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size - if ((ret = detect_unknown_subobject(s, asf->unknown_offset, - asf->unknown_size)) < 0) + asf->in_asf_read_unknown ++; + ret = detect_unknown_subobject(s, asf->unknown_offset, + asf->unknown_size); + asf->in_asf_read_unknown --; + if (ret < 0) return ret; } else { if (size < 24) { From 3128853ad48e85e5a87cf5b03dab62d62bfe1e33 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Jun 2022 02:01:20 +0200 Subject: [PATCH 1444/1764] avcodec/bink: disallow odd positioned scaled blocks Fixes: out of array access Fixes: 47911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6194020855971840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit b14104a6376cd774b08cbe5fda56b34320a41b2e) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index c501ea3915..f76ea03d63 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1026,7 +1026,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; From ad107f99b606bf2fb41a201565ca5300e31ae1e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Aug 2022 23:41:57 +0200 Subject: [PATCH 1445/1764] avcodec/speedhq: Check width Fixes: out of array access Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400 Alternatively the buffer size can be increased Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0395f9ef6051315973f1fdded1804f81458566d) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 8897611ec7..8faa42c3b4 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -424,7 +424,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, uint32_t second_field_offset; int ret; - if (buf_size < 4 || avctx->width < 8) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; quality = buf[0]; From d10b5d96dd2f5002cc4264cc57f60a3aae040a14 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 Jun 2022 23:09:09 +0200 Subject: [PATCH 1446/1764] avcodec/fmvc: Move frame allocation to a later stage This way more things are checked before allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 9783749c66bf6ca2ce7a6db4c74957fe77cbe803) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 9bbe8c6ccf..112b2d4714 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -402,20 +402,17 @@ static int decode_frame(AVCodecContext *avctx, PutByteContext *pb = &s->pb; AVFrame *frame = data; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; int type, size; uint8_t *dst; @@ -435,6 +432,12 @@ static int decode_frame(AVCodecContext *avctx, return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { @@ -512,6 +515,12 @@ static int decode_frame(AVCodecContext *avctx, dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { From 0874d4bce7ff684209dc1a4defe14338f85deb81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 9 Sep 2022 00:32:23 +0200 Subject: [PATCH 1447/1764] libavformat/hls: Free keys Fixes: memleak Fixes: 50703/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6399058578636800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit d32a9f3137c91de86547601a38fea0693c3497f1) Signed-off-by: Michael Niedermayer --- libavformat/hls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/hls.c b/libavformat/hls.c index 73a5d22b39..0109ea22a5 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -232,6 +232,7 @@ static void free_init_section_list(struct playlist *pls) { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } From 78da181eee09c821eb35ed26c181d5a9686a3ae0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:11:20 +0200 Subject: [PATCH 1448/1764] avcodec/tta: Check 24bit scaling for overflow Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3993345f915bccceee315f44d412445346990e14) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index afc4907432..593cb6629a 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -371,8 +371,15 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; From b231f3be56359bf87ee81d56b079d09cd9f71384 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Sep 2022 00:30:42 +0200 Subject: [PATCH 1449/1764] avcodec/apedec: Fix integer overflow in filter_3800() Fixes: signed integer overflow: -2147448926 + -198321 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5739619273015296 Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6744428485672960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f05247f6a4698c14f1cd523daa90188f50dcf6ad) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 035fa9a434..5a769a3ea9 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -880,7 +880,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; From 5ebbc03baaec3b6a41508798d5a3de5381659e4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:08 +0200 Subject: [PATCH 1450/1764] avformat/aiffdec: Check block_duration Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1c2b6265c87417033f990fa4a14da9d4008320a4) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index da5a428b86..25ad9151db 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -357,6 +357,8 @@ got_sound: av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From e628454a43a0801adaada086fdb56d087013d614 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 16:32:09 +0200 Subject: [PATCH 1451/1764] avformat/aiffdec: Use 64bit for block_duration use Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9303ba272e988d87084880c57056b750cc5ffd08) Signed-off-by: Michael Niedermayer --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 25ad9151db..fa8989d5af 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -413,7 +413,7 @@ static int aiff_read_packet(AVFormatContext *s, pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } From 65bc53d6080f997c604083a4cb5fa7d706df2e7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 23:15:56 +0200 Subject: [PATCH 1452/1764] avformat/icodec: Check nb_pal Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit db73ae0dc114aa6fae08e69f977944f056a24995) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index d86b85099d..23cd91412d 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -204,6 +204,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } From 225d003f5b944a96ede6d6d964b69e8d0eea7f50 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:19:53 +0200 Subject: [PATCH 1453/1764] avformat/ape: Check frames size Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d0349c9929e2891c90011a83152624d5cf18e628) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 3a3b91283e..c3cc7b6445 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -323,6 +323,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { From 049b9f44e9a6c480271188f7fa59020d8e09ae5e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:30:55 +0200 Subject: [PATCH 1454/1764] avformat/asfdec_o: Limit packet offset avoids overflows with it Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136 Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 736e9e69d5dbbe1d81885dfef59917eb915d2f96) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index edd139ab9e..303ee71cd5 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1361,6 +1361,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { From 77d5cf5e9bdc0d5b84ff2136344fd84cb7d84c16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 21:48:43 +0200 Subject: [PATCH 1455/1764] avformat/cafdec: Check that nb_frasmes fits within 64bit Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d4bb4e375975dc0d31d5309106cf6ee0ed75140f) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index b9e70ea2fb..3c6d6922a0 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -341,7 +341,7 @@ static int read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (st->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) { From 6cc025a76a795dc4ae003d1a4c1411682ee96062 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Sep 2022 22:40:47 +0200 Subject: [PATCH 1456/1764] avformat/dxa: avoid bpc overflows Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93db0f0740cacd64ae07b5e8606b70021e48d364) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index a616f8f74b..0d820c7413 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET); From 34e46dc429119e54437d04f474423f2dcbd5bd1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 14:47:25 +0200 Subject: [PATCH 1457/1764] avformat/nutdec: Check fields Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6566001610719232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c146406eac06f3d3cd3d981c29e7affd834cb4d) Signed-off-by: Michael Niedermayer --- libavformat/nutdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0b04aaad3e..7bde16be9c 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -244,6 +244,11 @@ static int decode_main_header(NUTContext *nut) for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); From 82bd617683452a4a2e3eb7126efb495198036b1c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 15:06:25 +0200 Subject: [PATCH 1458/1764] avformat/rmdec: check tag_size Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2cb7ee8a36bddd3425897135db514ca62fec6e44) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 42f76491e2..c89fba4e7f 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -568,6 +568,8 @@ static int rm_read_header(AVFormatContext *s) } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { From 136189522975e252d303cf9fb9e86bb19a5fe709 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:42:21 +0200 Subject: [PATCH 1459/1764] avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation Fixes: signed integer overflow: 72128794995445727 * 240 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SDS_fuzzer-6628185583779840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa8eb1bed075931b0ce0a8bc9a8ff5882830044c) Signed-off-by: Michael Niedermayer --- libavformat/sdsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sdsdec.c b/libavformat/sdsdec.c index 081bb4ca2d..bc8b08446a 100644 --- a/libavformat/sdsdec.c +++ b/libavformat/sdsdec.c @@ -112,7 +112,7 @@ static int sds_read_header(AVFormatContext *ctx) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->channels = 1; st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000; - st->duration = (avio_size(pb) - 21) / (127) * s->size / 4; + st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); From 989f56371d9de82ac1d98e5c0453cecb0b0b0cce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 16:45:30 +0200 Subject: [PATCH 1460/1764] avformat/xwma: Use av_rescale() for duration computation Fixes: signed integer overflow: 34242363648 * 538976288 cannot be represented in type 'long' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6577923913547776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2c789f753c3657be9041307f9c03749f5ba5a6bb) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 0f0e3fc8ea..8e0f59fab1 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -254,7 +254,7 @@ static int xwma_read_header(AVFormatContext *s) * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: From c825c20c4f0d1b22c2423f847031fff6bf24cf9d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Sep 2022 18:12:11 +0200 Subject: [PATCH 1461/1764] avformat/spdifdec: Use 64bit to compute bit rate Fixes: signed integer overflow: 32 * 553590816 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6564974517944320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4075f0cec1830a7ac081b1a23bd3f5c4e266fe26) Signed-off-by: Michael Niedermayer --- libavformat/spdifdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c index f7288376f6..adc7b138d2 100644 --- a/libavformat/spdifdec.c +++ b/libavformat/spdifdec.c @@ -225,7 +225,7 @@ int ff_spdif_read_packet(AVFormatContext *s, AVPacket *pkt) if (!s->bit_rate && s->streams[0]->codecpar->sample_rate) /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */ - s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate; + s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate; return 0; } From cdeb121c6a1fae5d785cdba7941046e3f17fc470 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Sep 2022 23:49:28 +0200 Subject: [PATCH 1462/1764] avcodec/dstdec: Check for overflow in build_filter() Fixes: signed integer overflow: 1917019860 + 265558963 cannot be represented in type 'int' Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-4833165046317056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8008940da5aa43895fd4574114309c3324249eab) Signed-off-by: Michael Niedermayer --- libavcodec/dstdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index d7a82f34ec..7a51f6772a 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -214,7 +214,7 @@ static uint8_t prob_dst_x_bit(int c) return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; @@ -225,14 +225,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table * int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, @@ -328,7 +331,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * avctx->channels); From 872001459cf0a20c6f44105f485d125c8e22fc76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Oct 2022 15:05:20 +0200 Subject: [PATCH 1463/1764] Update for 3.4.12 Signed-off-by: Michael Niedermayer --- Changelog | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 62 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 7c66bbf90f..0e6157aa40 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,66 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.12: + avcodec/dstdec: Check for overflow in build_filter() + avformat/spdifdec: Use 64bit to compute bit rate + avformat/xwma: Use av_rescale() for duration computation + avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation + avformat/rmdec: check tag_size + avformat/nutdec: Check fields + avformat/dxa: avoid bpc overflows + avformat/cafdec: Check that nb_frasmes fits within 64bit + avformat/asfdec_o: Limit packet offset + avformat/ape: Check frames size + avformat/icodec: Check nb_pal + avformat/aiffdec: Use 64bit for block_duration use + avformat/aiffdec: Check block_duration + avcodec/apedec: Fix integer overflow in filter_3800() + avcodec/tta: Check 24bit scaling for overflow + libavformat/hls: Free keys + avcodec/fmvc: Move frame allocation to a later stage + avcodec/speedhq: Check width + avcodec/bink: disallow odd positioned scaled blocks + avformat/asfdec_o: limit recursion depth in asf_read_unknown() + doc/git-howto.texi: Document commit signing + libavcodec/8bps: Check that line lengths fit within the buffer + libavformat/iff: Check for overflow in body_end calculation + avformat/avidec: Prevent entity expansion attacks + avcodec/h263dec: Sanity check against minimal I/P frame size + avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel + MAINTAINERS: Add ED25519 key for signing my commits in the future + avcodec/hevc_filter: copy_CTB() only within width&height + avformat/flvdec: Check for EOF in index reading + avformat/nutdec: Check get_packetheader() in mainheader + avformat/asfdec_f: Use 64bit for packet start time + avcodec/lagarith: Check dst/src in zero run code + avcodec/h264dec: Skip late SEI + avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() + avfilter/vf_signature: Fix integer overflow in filter_frame() + avformat/rtsp: break on unknown protocols + avcodec/hevcdsp_template: stay within tables in sao_band_filter() + avcodec/qpeldsp: copy less for the mc0x cases + avcodec/ffv1dec: Limit golomb rice coded slices to width 8M + avformat/iff: simplify duration calculation + avcodec/wnv1: Check for width =1 + avformat/sctp: close socket on errors + avcodec/aasc: Fix indention + avcodec/qdrw: adjust max colors to array size + avcodec/alacdsp: Make intermediates unsigned + avformat/aiffdec: cleanup size handling for extreem cases + avcodec/jpeglsdec: fix end check for xfrm + avcodec/cdgraphics: limit scrolling to the line + avformat/aiffdec: avoid integer overflow in get_meta() + avformat/ape: more bits in size for less overflows + avformat/bfi: Check offsets better + avformat/asfdec_f: Check packet_frag_timestamp + avcodec/texturedspenc: Fix indexing in color distribution determination + avformat/act: Check ff_get_wav_header() for failure + avfilter/vsrc_mandelbrot: Check for malloc failure + avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements + avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment + avformat/genh: Check sample rate + version 3.4.11: avfilter/vf_colorspace: fix memmory leaks avcodec/ac3enc: Fix memleak diff --git a/RELEASE b/RELEASE index 0ce07b72f8..25e863282b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.11 +3.4.12 diff --git a/doc/Doxyfile b/doc/Doxyfile index d81f6aa9d8..15b73f57b1 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.11 +PROJECT_NUMBER = 3.4.12 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 244b61e276c71439d02f9a3995a29cf670404d0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 25 Oct 2022 13:13:34 +0300 Subject: [PATCH 1464/1764] swscale: aarch64: Fix yuv2rgb with negative strides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Treat the 32 bit stride registers as signed. Alternatively, we could make the stride arguments ptrdiff_t instead of int, and changing all of the assembly to operate on these registers with their full 64 bit width, but that's a much larger and more intrusive change (and risks missing some operation, which would clamp the intermediates to 32 bit still). Fixes: https://trac.ffmpeg.org/ticket/9985 Signed-off-by: Martin Storsjö (cherry picked from commit cb803a0072cb98945dcd3f1660bd2a975650ce42) Signed-off-by: Martin Storsjö --- libswscale/aarch64/yuv2rgb_neon.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswscale/aarch64/yuv2rgb_neon.S b/libswscale/aarch64/yuv2rgb_neon.S index b7446aa105..10bd1f7480 100644 --- a/libswscale/aarch64/yuv2rgb_neon.S +++ b/libswscale/aarch64/yuv2rgb_neon.S @@ -118,8 +118,8 @@ .endm .macro increment_yuv422p - add x6, x6, w7, UXTW // srcU += incU - add x13, x13, w14, UXTW // srcV += incV + add x6, x6, w7, SXTW // srcU += incU + add x13, x13, w14, SXTW // srcV += incV .endm .macro compute_rgba r1 g1 b1 a1 r2 g2 b2 a2 @@ -188,8 +188,8 @@ function ff_\ifmt\()_to_\ofmt\()_neon, export=1 st4 {v16.8B,v17.8B,v18.8B,v19.8B}, [x2], #32 subs w8, w8, #16 // width -= 16 b.gt 2b - add x2, x2, w3, UXTW // dst += padding - add x4, x4, w5, UXTW // srcY += paddingY + add x2, x2, w3, SXTW // dst += padding + add x4, x4, w5, SXTW // srcY += paddingY increment_\ifmt subs w1, w1, #1 // height -= 1 b.gt 1b From f6780b83f708449c38bfe7938df14bb4c4336295 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:04:48 +0200 Subject: [PATCH 1465/1764] avcodec/ffv1dec: Fail earlier if prior context is corrupted Signed-off-by: Michael Niedermayer (cherry picked from commit 4df91e2215a79546a7f08faa457c05182646b302) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 27f954bd52..ac44b3f44d 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -304,8 +304,11 @@ static int decode_slice(AVCodecContext *c, void *arg) } if ((ret = ff_ffv1_init_slice_state(f, fs)) < 0) return ret; - if (f->cur->key_frame || fs->slice_reset_contexts) + if (f->cur->key_frame || fs->slice_reset_contexts) { ff_ffv1_clear_slice_state(f, fs); + } else if (fs->slice_damaged) { + return AVERROR_INVALIDDATA; + } width = fs->slice_width; height = fs->slice_height; From 80201f0dc1a922015639e572a5e29c26e74ec81b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 6 Oct 2022 22:28:33 +0200 Subject: [PATCH 1466/1764] avcodec/speedhq: Check buf_size to be big enough for DC Fixes: Timeout Fixes: 51919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6023716480090112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9184d3d7b64459e975f26284a7b2e26cbf76480b) Signed-off-by: Michael Niedermayer --- libavcodec/speedhq.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 8faa42c3b4..94a2d58d95 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -426,6 +426,8 @@ static int speedhq_decode_frame(AVCodecContext *avctx, if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; + if (buf_size < avctx->width*avctx->height / 64 / 4) + return AVERROR_INVALIDDATA; quality = buf[0]; if (quality >= 100) { From 7c70adcc37f81afdad284f94ea98abbff486e2e5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Nov 2022 20:00:38 +0100 Subject: [PATCH 1467/1764] swscale/output: Bias 16bps output calculations to improve non overflowing range Fixes: integer overflow Fixes: ./ffmpeg -f rawvideo -video_size 66x64 -pixel_format yuva420p10le -i ~/videos/overflow_input_w66h64.yuva420p10le -filter_complex "scale=flags=bicubic+full_chroma_int+full_chroma_inp+bitexact+accurate_rnd:in_color_matrix=bt2020:out_color_matrix=bt2020:in_range=full:out_range=full,format=rgba64[out]" -pixel_format rgba64 -map '[out]' -y overflow_w66h64.png Found-by: Drew Dunne Tested-by: Drew Dunne Signed-off-by: Michael Niedermayer (cherry picked from commit 0f0afc7fb5d30c40108d81b320823d8f5c9fbedc) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 120 ++++++++++++++++++++++---------------------- 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 37cd124e21..b740120f54 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -827,8 +827,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; // 21 - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); // 21 + Y2 += (1 << 13) - (1 << 29); // 8 bits: 17 + 13 bits = 30 bits, 16 bits: 17 + 13 bits = 30 bits R = V * c->yuv2rgb_v2r_coeff; @@ -836,20 +836,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -886,8 +886,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -901,20 +901,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -942,8 +942,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; @@ -957,20 +957,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -988,8 +988,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 -= c->yuv2rgb_y_offset; Y1 *= c->yuv2rgb_y_coeff; Y2 *= c->yuv2rgb_y_coeff; - Y1 += 1 << 13; - Y2 += 1 << 13; + Y1 += (1 << 13) - (1 << 29); + Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { A1 = abuf0[i * 2 ] << 11; @@ -1003,20 +1003,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y1, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y1, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y1, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[6], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(R_B + Y2, 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2( G + Y2, 30) >> 14); - output_pixel(&dest[5], av_clip_uintp2(B_R + Y2, 30) >> 14); + output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1067,7 +1067,7 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, // 8bit: 27 -> 17bit, 16bit: 31 - 14 = 17bit Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; // 21 + Y += (1 << 13) - (1<<29); // 21 // 8bit: 17 + 13bit = 30bit, 16bit: 17 + 13bit = 30bit R = V * c->yuv2rgb_v2r_coeff; @@ -1075,9 +1075,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1115,7 +1115,7 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); R = V * c->yuv2rgb_v2r_coeff; G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; @@ -1127,9 +1127,9 @@ yuv2rgba64_full_2_c_template(SwsContext *c, const int32_t *buf[2], A += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1158,7 +1158,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; @@ -1170,9 +1170,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1191,7 +1191,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; - Y += 1 << 13; + Y += (1 << 13) - (1 << 29); if (hasAlpha) { A = abuf0[i] << 11; @@ -1203,9 +1203,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(R_B + Y, 30) >> 14); - output_pixel(&dest[1], av_clip_uintp2( G + Y, 30) >> 14); - output_pixel(&dest[2], av_clip_uintp2(B_R + Y, 30) >> 14); + output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From bf0b88d00a54b911c655175f88d2071b6c99b994 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 28 Oct 2022 23:28:59 +0200 Subject: [PATCH 1468/1764] avformat/replaygain: avoid undefined / negative abs Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int' Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2532b20b17ec557f1b925bfc41c00e7d4e17356c) Signed-off-by: Michael Niedermayer --- libavformat/replaygain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/replaygain.c b/libavformat/replaygain.c index 707d3cd4f1..01db483257 100644 --- a/libavformat/replaygain.c +++ b/libavformat/replaygain.c @@ -61,7 +61,7 @@ static int32_t parse_value(const char *value, int32_t min) } } - if (abs(db) > (INT32_MAX - mb) / 100000) + if (llabs(db) > (INT32_MAX - mb) / 100000) return min; return db * 100000 + sign * mb; From 42e5ab500a1d0f52ae120de20248486345c8850b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 29 Oct 2022 18:41:24 +0200 Subject: [PATCH 1469/1764] avcodec/alsdec: The minimal block is at least 7 bits Signed-off-by: Michael Niedermayer (cherry picked from commit 5280947fb6db37063334eae5b467cecd2417b063) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 4511eec424..e9b608880f 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1021,7 +1021,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) *bd->shift_lsbs = 0; - if (get_bits_left(gb) < 1) + if (get_bits_left(gb) < 7) return AVERROR_INVALIDDATA; // read block type flag and read the samples accordingly From 832cb64af2b376671ca0876d0f7cc0a5db417d5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Nov 2022 23:10:02 +0100 Subject: [PATCH 1470/1764] swscale/input: Use more unsigned intermediates Same principle as previous commit, with sufficiently huge rgb2yuv table values this produces wrong results and undefined behavior. The unsigned produces the same incorrect results. That is probably ok as these cases with huge values seem not to occur in any real use case. Fixes: signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit ba209e3d5142fd31bb6c3e05c5b183118a278afc) Signed-off-by: Michael Niedermayer --- libswscale/input.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libswscale/input.c b/libswscale/input.c index 3d365d54ac..3966d96d45 100644 --- a/libswscale/input.c +++ b/libswscale/input.c @@ -84,9 +84,9 @@ rgb64ToUV_half_c_template(uint16_t *dstU, uint16_t *dstV, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1==src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; - int g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; - int b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[8 * i + 0]) + input_pixel(&src1[8 * i + 4]) + 1) >> 1; + unsigned g = (input_pixel(&src1[8 * i + 1]) + input_pixel(&src1[8 * i + 5]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[8 * i + 2]) + input_pixel(&src1[8 * i + 6]) + 1) >> 1; dstU[i]= (ru*r + gu*g + bu*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; dstV[i]= (rv*r + gv*g + bv*b + (0x10001<<(RGB2YUV_SHIFT-1))) >> RGB2YUV_SHIFT; @@ -156,9 +156,9 @@ static av_always_inline void rgb48ToUV_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = input_pixel(&src1[i * 3 + 0]); - int g = input_pixel(&src1[i * 3 + 1]); - int b_r = input_pixel(&src1[i * 3 + 2]); + unsigned r_b = input_pixel(&src1[i * 3 + 0]); + unsigned g = input_pixel(&src1[i * 3 + 1]); + unsigned b_r = input_pixel(&src1[i * 3 + 2]); dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; @@ -178,12 +178,12 @@ static av_always_inline void rgb48ToUV_half_c_template(uint16_t *dstU, int32_t rv = rgb2yuv[RV_IDX], gv = rgb2yuv[GV_IDX], bv = rgb2yuv[BV_IDX]; av_assert1(src1 == src2); for (i = 0; i < width; i++) { - int r_b = (input_pixel(&src1[6 * i + 0]) + - input_pixel(&src1[6 * i + 3]) + 1) >> 1; - int g = (input_pixel(&src1[6 * i + 1]) + - input_pixel(&src1[6 * i + 4]) + 1) >> 1; - int b_r = (input_pixel(&src1[6 * i + 2]) + - input_pixel(&src1[6 * i + 5]) + 1) >> 1; + unsigned r_b = (input_pixel(&src1[6 * i + 0]) + + input_pixel(&src1[6 * i + 3]) + 1) >> 1; + unsigned g = (input_pixel(&src1[6 * i + 1]) + + input_pixel(&src1[6 * i + 4]) + 1) >> 1; + unsigned b_r = (input_pixel(&src1[6 * i + 2]) + + input_pixel(&src1[6 * i + 5]) + 1) >> 1; dstU[i] = (ru*r + gu*g + bu*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; dstV[i] = (rv*r + gv*g + bv*b + (0x10001 << (RGB2YUV_SHIFT - 1))) >> RGB2YUV_SHIFT; From 0f09239167be7af2e7e27e234dc2fc9e71f4264c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 21 Nov 2022 22:59:55 +0100 Subject: [PATCH 1471/1764] avcodec/mlpdec: Check max matrix instead of max channel in noise check This is a regression since: adaa06581c5444c94eef72d61b8166f096e2687a Before this, max_channel and max_matrix_channel where compared for equality Fixes: out of array access Fixes: 53340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-514959011885875 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa79560de5e9596ada0345e5d12aa00dbeddaaa6) Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 1cf14057f2..6cc253adc2 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ - if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { + if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", From e4b0610c6a787b9a9c5097758791ea0ef36a0a46 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 22 Nov 2022 23:34:22 +0100 Subject: [PATCH 1472/1764] avcodec/ffv1dec: restructure slice coordinate reading a bit Fixes: signed integer overflow: -1094995528 * 8224 cannot be represented in type 'int' Fixes: 53508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-474551033462784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 74b6ac7ebb5c1e06a5fdfa29f79a18599942dbfa) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 61 ++++++++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index ac44b3f44d..51d1569ff8 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -169,24 +169,31 @@ static int decode_slice_header(FFV1Context *f, FFV1Context *fs) RangeCoder *c = &fs->c; uint8_t state[CONTEXT_SIZE]; unsigned ps, i, context_count; + int sx, sy, sw, sh; + memset(state, 128, sizeof(state)); + sx = get_symbol(c, state, 0); + sy = get_symbol(c, state, 0); + sw = get_symbol(c, state, 0) + 1U; + sh = get_symbol(c, state, 0) + 1U; av_assert0(f->version > 2); - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width /f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height/f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || (unsigned)fs->slice_height > f->height) - return -1; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) - return -1; + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) + return AVERROR_INVALIDDATA; + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) + return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) return AVERROR_INVALIDDATA; @@ -745,21 +752,25 @@ static int read_header(FFV1Context *f) fs->slice_damaged = 0; if (f->version == 2) { - fs->slice_x = get_symbol(c, state, 0) * f->width ; - fs->slice_y = get_symbol(c, state, 0) * f->height; - fs->slice_width = (get_symbol(c, state, 0) + 1) * f->width + fs->slice_x; - fs->slice_height = (get_symbol(c, state, 0) + 1) * f->height + fs->slice_y; + int sx = get_symbol(c, state, 0); + int sy = get_symbol(c, state, 0); + int sw = get_symbol(c, state, 0) + 1U; + int sh = get_symbol(c, state, 0) + 1U; - fs->slice_x /= f->num_h_slices; - fs->slice_y /= f->num_v_slices; - fs->slice_width = fs->slice_width / f->num_h_slices - fs->slice_x; - fs->slice_height = fs->slice_height / f->num_v_slices - fs->slice_y; - if ((unsigned)fs->slice_width > f->width || - (unsigned)fs->slice_height > f->height) + if (sx < 0 || sy < 0 || sw <= 0 || sh <= 0) return AVERROR_INVALIDDATA; - if ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width > f->width - || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) + if (sx > f->num_h_slices - sw || sy > f->num_v_slices - sh) return AVERROR_INVALIDDATA; + + fs->slice_x = sx * (int64_t)f->width / f->num_h_slices; + fs->slice_y = sy * (int64_t)f->height / f->num_v_slices; + fs->slice_width = (sx + sw) * (int64_t)f->width / f->num_h_slices - fs->slice_x; + fs->slice_height = (sy + sh) * (int64_t)f->height / f->num_v_slices - fs->slice_y; + + av_assert0((unsigned)fs->slice_width <= f->width && + (unsigned)fs->slice_height <= f->height); + av_assert0 ( (unsigned)fs->slice_x + (uint64_t)fs->slice_width <= f->width + && (unsigned)fs->slice_y + (uint64_t)fs->slice_height <= f->height); } for (i = 0; i < f->plane_count; i++) { From 76d48fbd867e206a26d9c312bf428378394b39ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2022 19:04:47 +0100 Subject: [PATCH 1473/1764] avformat/id3v2: Check taglen in read_uslt() Fixes: Timeout (read mostly the same data repeatly) Fixes: 52457/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-6610706313379840 Fixes: 53098/clusterfuzz-testcase-minimized-ffmpeg_dem_SOL_fuzzer-6481382981632000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a798af91d7d1fc31cfc1ae09cc6ab3907304f44f) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index a1ef29ab01..a38cb5a6db 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -375,10 +375,10 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, lang[3] = '\0'; taglen -= 3; - if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0) + if (decode_str(s, pb, encoding, &descriptor, &taglen) < 0 || taglen < 0) goto error; - if (decode_str(s, pb, encoding, &text, &taglen) < 0) + if (decode_str(s, pb, encoding, &text, &taglen) < 0 || taglen < 0) goto error; // FFmpeg does not support hierarchical metadata, so concatenate the keys. From 25b434d931272ce44695fed935d4b6245a925978 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Dec 2022 17:55:09 +0100 Subject: [PATCH 1474/1764] avcodec/wavpack: Avoid undefined shift in get_tail() Fixes: left shift of 1208485947 by 1 places cannot be represented in type 'int' Fixes: 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8374a747af247d45eb466fcb4aee90f3ae798aad) Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 8306ec020f..916a556346 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -95,7 +95,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, int k) e = (1 << (p + 1)) - k - 1; res = get_bitsz(gb, p); if (res >= e) - res = (res << 1) - e + get_bits1(gb); + res = res * 2U - e + get_bits1(gb); return res; } From 4f9152af7784dae22dd4651e5216fa93ae111fc3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 21 Dec 2022 00:31:00 +0100 Subject: [PATCH 1475/1764] avcodec/sunrast: Fix maplength check Fixes: out of bounds read Found-by: Ibrahim Mohamed Reviewed-by; Ibrahim Mohamed Signed-off-by: Michael Niedermayer (cherry picked from commit f8a2a65078eaac37eae4a0d7ef440849a9d8f5b5) Signed-off-by: Michael Niedermayer --- libavcodec/sunrast.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index e1ec8a0832..991915fa62 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" @@ -75,6 +76,12 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_PATCHWELCOME; } + if (maplength > 768) { + av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); + return AVERROR_INVALIDDATA; + } + + // This also checks depth to be valid switch (depth) { case 1: avctx->pix_fmt = maplength ? AV_PIX_FMT_PAL8 : AV_PIX_FMT_MONOWHITE; @@ -96,15 +103,23 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + // This checks w and h to be valid in the sense that bytes of a padded bitmap are addressable with 32bit int ret = ff_set_dimensions(avctx, w, h); if (ret < 0) return ret; + // ensured by ff_set_dimensions() + av_assert0(w <= (INT32_MAX - 7) / depth); + /* scanlines are aligned on 16 bit boundaries */ len = (depth * w + 7) >> 3; alen = len + (len & 1); - if (buf_end - buf < maplength + (len * h) * 3 / 256) + // ensured by ff_set_dimensions() + av_assert0(h <= INT32_MAX / (3 * len)); + + // maplength is limited to 768 and the right term is limited to INT32_MAX / 256 so the add needs no check + if (buf_end - buf < (uint64_t)maplength + (len * h) * 3 / 256) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, p, 0)) < 0) @@ -118,7 +133,7 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } else if (maplength) { unsigned int len = maplength / 3; - if (maplength % 3 || maplength > 768) { + if (maplength % 3) { av_log(avctx, AV_LOG_WARNING, "invalid colormap length\n"); return AVERROR_INVALIDDATA; } From 879521ecdc9755622e63b4df35b7e11b517ed149 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Jan 2023 20:03:40 +0100 Subject: [PATCH 1476/1764] avcodec/scpr: Test bx before use Fixes: out of array access on 32bit Fixes: 54850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5302669294305280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1b59de3770b2e3f7f44ec4adba27c88b79adaaec) Signed-off-by: Michael Niedermayer --- libavcodec/scpr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 1ec1b6d583..36011c822c 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -583,6 +583,9 @@ static int decompress_p(AVCodecContext *avctx, int run, r, g, b, z, bx = x * 16 + sx1, by = y * 16 + sy1; unsigned clr, ptype = 0; + if (bx >= avctx->width) + return AVERROR_INVALIDDATA; + for (; by < y * 16 + sy2 && by < avctx->height;) { ret = decode_value(s, s->op_model[ptype], 6, 1000, &ptype); if (ret < 0) From 07913403772d9d39ac10e0eff1f06fb6c8433bf9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:05:55 +0100 Subject: [PATCH 1477/1764] avcodec/eatgq: : Check index increments in tgq_decode_block() Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7) Signed-off-by: Michael Niedermayer --- libavcodec/eatgq.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 1308c07cff..46bf226f6a 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -58,7 +58,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -66,6 +66,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; @@ -75,6 +77,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; @@ -102,6 +106,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, @@ -161,8 +166,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { From 05fd95fe85be527689ff9dfae9345d9ca3f7da40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 13 Jan 2023 01:01:36 +0100 Subject: [PATCH 1478/1764] avcodec/012v: Order operations for odd size handling Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4d42d82563d806b5610c0c91497e24ef7f37d4cf) Signed-off-by: Michael Niedermayer --- libavcodec/012v.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/012v.c b/libavcodec/012v.c index b5a4066656..41d9e2708e 100644 --- a/libavcodec/012v.c +++ b/libavcodec/012v.c @@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, void *data, u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]); v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]); memcpy(y, y_temp, sizeof(*y) * (width - x)); - memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2); - memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2); + memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2)); + memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2)); } line_end += stride; From d361cdee61b07d9c33a639378f82b9e6588c2d15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Jan 2023 00:32:44 +0100 Subject: [PATCH 1479/1764] avcodec/utils: use 32pixel alignment for bink bink supports 16x16 blocks in chroma planes thus we need to allocate enough. Fixes: out of array access Fixes: 55026/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6013915371012096 Reviewed-by: Peter Ross Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b95b2c8492fc1b52afd8fbe67b3be3cd518485d6) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 1cadce4c59..55f3db71b9 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -359,6 +359,8 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, case AV_PIX_FMT_GBRAP16BE: w_align = 16; //FIXME assume 16 pixel per macroblock h_align = 16 * 2; // interlaced needs 2 macroblocks height + if (s->codec_id == AV_CODEC_ID_BINKVIDEO) + w_align = 16*2; break; case AV_PIX_FMT_YUV411P: case AV_PIX_FMT_YUVJ411P: From 1552773f07565321648cfee1ee4d4108927670c4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Jan 2023 23:36:12 +0100 Subject: [PATCH 1480/1764] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Fixes: 2.28595e+09 is outside the range of representable values of type 'int' Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f48d227c153fa6f0a2156f3e8d18ea1bfedf18d) Signed-off-by: Michael Niedermayer --- libavcodec/ac3.h | 2 ++ libavcodec/eac3dec.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index 5c9c37727e..d405b2bf20 100644 --- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -74,6 +74,7 @@ #define AC3_DYNAMIC_RANGE1 0 typedef int INTFLOAT; +typedef unsigned int UINTFLOAT; typedef int16_t SHORTFLOAT; #else /* USE_FIXED */ @@ -93,6 +94,7 @@ typedef int16_t SHORTFLOAT; #define AC3_DYNAMIC_RANGE1 1.0f typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float SHORTFLOAT; #endif /* USE_FIXED */ diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index c971879b2d..7764e19b4d 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -146,9 +146,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); sscale *= 1.0 / (1<<23); + if (nscale < -1.0) + nscale = -1.0; #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { - float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); + UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state)); s->transform_coeffs[ch][bin] *= sscale; s->transform_coeffs[ch][bin++] += noise; } From 07dd5b4d6978538fda541838742a6ecc2ddaf1a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Nov 2022 14:29:32 +0100 Subject: [PATCH 1481/1764] avcodec/pictordec: Remove mid exit branch This causes the RLE decoder to exit before applying the last RLE run All images i tested with are unchanged, this makes the special case for handling the last run unused for non truncated images. Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 88f0e05c72f0de0cae3d9f0c5644f1965632b641) Signed-off-by: Michael Niedermayer --- libavcodec/pictordec.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index b29a484534..42fbf9489b 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -223,8 +223,6 @@ static int decode_frame(AVCodecContext *avctx, run = bytestream2_get_le16(&s->g); val = bytestream2_get_byte(&s->g); } - if (!bytestream2_get_bytes_left(&s->g)) - break; if (bits_per_plane == 8) { picmemset_8bpp(s, frame, val, run, &x, &y); From a919346b63933c26ac0c713ba951180e09903c57 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 Feb 2023 19:19:32 +0100 Subject: [PATCH 1482/1764] avformat/mov: Check samplesize and offset to avoid integer overflow Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long' Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5bbc54493e..4b9e83de44 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3553,6 +3553,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; From a928367cba8b732320b0a07d07559ccd0f9f48d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 Feb 2023 22:33:02 +0100 Subject: [PATCH 1483/1764] avcodec/ffv1dec: Check that num h/v slices is supported Fixes: out of array access Fixes: 55597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4898293416329216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ead0ae68eb64ad325efafd686c434727f3d666a) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 51d1569ff8..6e23f8799f 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -476,6 +476,11 @@ static int read_extra_header(FFV1Context *f) return AVERROR_INVALIDDATA; } + if (f->num_h_slices > MAX_SLICES / f->num_v_slices) { + av_log(f->avctx, AV_LOG_ERROR, "slice count unsupported\n"); + return AVERROR_PATCHWELCOME; + } + f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); From 3b39e8a3b8c62184fdc33e0337db1ab0c4dc0b90 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 23:26:06 +0100 Subject: [PATCH 1484/1764] avcodec/pngdec: Check deloco index more exactly Fixes: out of array access: Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960 Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d5bae704068dc37191280e024eecb8d02b762b28) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 1196e1a010..ce570e3d55 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -308,7 +308,7 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \ { \ int i; \ - for (i = 0; i < size; i += 3 + alpha) { \ + for (i = 0; i < size - 2; i += 3 + alpha) { \ int g = dst [i + 1]; \ dst[i + 0] += g; \ dst[i + 2] += g; \ From 6047f056afd366cc7c12312cce01f58b60fed6df Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 00:29:02 +0100 Subject: [PATCH 1485/1764] avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80 Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f0150cd41c2d3c01050a6c4f3df1de511a217913) Signed-off-by: Michael Niedermayer --- libavcodec/videodsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c index 55123a5844..8743d725c6 100644 --- a/libavcodec/videodsp_template.c +++ b/libavcodec/videodsp_template.c @@ -60,7 +60,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, av_assert2(start_x < end_x && block_w); w = end_x - start_x; - src += start_y * src_linesize + start_x * sizeof(pixel); + src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel); buf += start_x * sizeof(pixel); // top @@ -83,7 +83,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src, buf += buf_linesize; } - buf -= block_h * buf_linesize + start_x * sizeof(pixel); + buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel); while (block_h--) { pixel *bufp = (pixel *) buf; From 331d1d56776db3e70afcc49cb4555ea4941bd499 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 18:59:16 +0100 Subject: [PATCH 1486/1764] avcodec/utils: allocate a line more for VC1 and WMV3 Fixes: out of array read on 32bit Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848 The chroma MC code reads over the currently allocated frame. Alternative fixes would be allocating a few bytes more at the end instead of a whole line extra or to adjust the threshold where the edge emu code is activated Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01636a63d452c592ece35af6f72bb7affcad58f2) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 55f3db71b9..774ce9a0e0 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -432,6 +432,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 || s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A ) { From 06fe955608d49d36f8ff9409bfca01a0c5178dce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 19:39:38 +0100 Subject: [PATCH 1487/1764] avcodec/utils: Ensure linesize for SVQ3 Fixes: Assertion block_w * sizeof(uint8_t) <= ((buf_linesize) >= 0 ? (buf_linesize) : (-(buf_linesize)) Fixes: 54861/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5352418248622080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4eef658ca59d3d6ba46ab52a36d7faf5fe820874) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 774ce9a0e0..e431d0b8af 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -446,6 +446,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, // the next rounded up width is 32 *width = FFMAX(*width, 32); } + if (s->codec_id == AV_CODEC_ID_SVQ3) { + *width = FFMAX(*width, 32); + } for (i = 0; i < 4; i++) linesize_align[i] = STRIDE_ALIGN; From e152447bb58279afed11bdb522c3bcafafca2a34 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:42:23 +0100 Subject: [PATCH 1488/1764] avcodec/bink: Fix off by 1 error in ref end Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6657932926517248 Alterantivly to this it is possibly to allocate a bigger array Note: oss-fuzz assigned this issue to a unrelated theora bug so the bug number matches that Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49487045dde6f69194332aac51fd4e598e19c7b6) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index f76ea03d63..c12ce8caac 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -825,7 +825,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8; + ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; From a2da41e03a445cbdcb89836f426486299c8ea0ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Jan 2023 20:50:39 +0100 Subject: [PATCH 1489/1764] avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() Signed-off-by: Michael Niedermayer (cherry picked from commit ea9deafd3b13233802c4548c4c58a707d76805a3) Signed-off-by: Michael Niedermayer --- libavcodec/bink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/bink.c b/libavcodec/bink.c index c12ce8caac..263429d3d3 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -825,7 +825,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, binkb_init_bundles(c); ref_start = frame->data[plane_idx]; - ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8; + ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8; for (i = 0; i < 64; i++) coordmap[i] = (i & 7) + (i >> 3) * stride; @@ -879,7 +879,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8*stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -895,7 +895,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); @@ -925,7 +925,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, xoff = binkb_get_value(c, BINKB_SRC_X_OFF); yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias; ref = dst + xoff + yoff * stride; - if (ref < ref_start || ref + 8 * stride > ref_end) { + if (ref < ref_start || ref > ref_end) { av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n"); } else if (ref + 8*stride < dst || ref >= dst + 8*stride) { c->hdsp.put_pixels_tab[1][0](dst, ref, stride, 8); From 2ca69aa42da16887488e6f903f3af2e041ecfa5b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 22:05:07 +0100 Subject: [PATCH 1490/1764] avcodec/xpmdec: Check size before allocation to avoid truncation Fixes:OOM Fixes:out of array access (no testcase) Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 95f0f84dae4f040d91f1e60dc5438612c58e8906) Signed-off-by: Michael Niedermayer --- libavcodec/xpmdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index 8aee89dd30..64f13e83f0 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -351,6 +351,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } + if (size > SIZE_MAX / 4) + return AVERROR(ENOMEM); + size *= 4; ptr += mod_strcspn(ptr, ",") + 1; From d85f407e0d90a9c5c4c2935d7b59c83501a716d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Jan 2023 23:42:59 +0100 Subject: [PATCH 1491/1764] avcodec/motionpixels: Mask pixels to valid values Fixes: out of array access Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ac6eec1fc258efce219e4fccb84312a1b13a7a23) Signed-off-by: Michael Niedermayer --- libavcodec/motionpixels.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c index 8750a4fa16..85b0056e48 100644 --- a/libavcodec/motionpixels.c +++ b/libavcodec/motionpixels.c @@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y) int color; color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2]; - return mp_rgb_yuv_table[color]; + return mp_rgb_yuv_table[color & 0x7FFF]; } static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p) From 03b34a884f60b8383847972bbc74234d474688a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 28 Feb 2023 20:24:26 +0100 Subject: [PATCH 1492/1764] Use https for repository links Reviewed-by: Stefano Sabatini Signed-off-by: Michael Niedermayer (cherry picked from commit 011f30fc8205eff8e775d04afb98e02685cd8a7a) Signed-off-by: Michael Niedermayer --- CREDITS | 4 ++-- doc/authors.texi | 4 ++-- doc/git-howto.texi | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CREDITS b/CREDITS index e29f0b853c..f1aea93d6b 100644 --- a/CREDITS +++ b/CREDITS @@ -1,6 +1,6 @@ -See the Git history of the project (git://source.ffmpeg.org/ffmpeg) to +See the Git history of the project (https://git.ffmpeg.org/ffmpeg) to get the names of people who have contributed to FFmpeg. To check the log, you can type the command "git log" in the FFmpeg source directory, or browse the online repository at -http://source.ffmpeg.org. +https://git.ffmpeg.org/ffmpeg diff --git a/doc/authors.texi b/doc/authors.texi index 6c8c1d7efa..ce088392f8 100644 --- a/doc/authors.texi +++ b/doc/authors.texi @@ -3,9 +3,9 @@ The FFmpeg developers. For details about the authorship, see the Git history of the project -(git://source.ffmpeg.org/ffmpeg), e.g. by typing the command +(https://git.ffmpeg.org/ffmpeg), e.g. by typing the command @command{git log} in the FFmpeg source directory, or browsing the -online repository at @url{http://source.ffmpeg.org}. +online repository at @url{https://git.ffmpeg.org/ffmpeg}. Maintainers for the specific components are listed in the file @file{MAINTAINERS} in the source code tree. diff --git a/doc/git-howto.texi b/doc/git-howto.texi index bd26fcb259..a6723931ce 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -53,7 +53,7 @@ Most distribution and operating system provide a package for it. @section Cloning the source tree @example -git clone git://source.ffmpeg.org/ffmpeg +git clone https://git.ffmpeg.org/ffmpeg.git @end example This will put the FFmpeg sources into the directory @var{}. From 800ba7107e733394c7ff013aef4978b16f375f0c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:25:04 +0100 Subject: [PATCH 1493/1764] avcodec/escape124: fix signdness of end of input check Fixes: Timeout Fixes: 56561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5560363635834880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 87ad0a5dd7d12c91badc215c3b5d6745fa7acb02) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index cffd3e12b1..c6d90280ce 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,7 +88,7 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < size * 34) + if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) return cb; if (size >= INT_MAX / sizeof(MacroBlock)) From f8ef4290e3efbf52286f99d1139a07d959ce5506 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 22:37:44 +0100 Subject: [PATCH 1494/1764] avcodec/escape124: Fix some return codes Signed-off-by: Michael Niedermayer (cherry picked from commit 98df605f7a8e80471a113f7beb0983c90aa84525) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c6d90280ce..50fa882255 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -88,11 +88,6 @@ static CodeBook unpack_codebook(GetBitContext* gb, unsigned depth, unsigned i, j; CodeBook cb = { 0 }; - if (size >= INT_MAX / 34 || get_bits_left(gb) < (int)size * 34) - return cb; - - if (size >= INT_MAX / sizeof(MacroBlock)) - return cb; cb.blocks = av_malloc(size ? size * sizeof(MacroBlock) : 1); if (!cb.blocks) return cb; @@ -226,7 +221,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, // represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) - return -1; + return AVERROR_INVALIDDATA; frame_flags = get_bits_long(&gb, 32); frame_size = get_bits_long(&gb, 32); @@ -277,9 +272,14 @@ static int escape124_decode_frame(AVCodecContext *avctx, } av_freep(&s->codebooks[i].blocks); + if (cb_size >= INT_MAX / 34 || get_bits_left(&gb) < (int)cb_size * 34) + return AVERROR_INVALIDDATA; + + if (cb_size >= INT_MAX / sizeof(MacroBlock)) + return AVERROR_INVALIDDATA; s->codebooks[i] = unpack_codebook(&gb, cb_depth, cb_size); if (!s->codebooks[i].blocks) - return -1; + return AVERROR(ENOMEM); } } From 5cd450dd7ae5f0b25c961fe761f8dbb4c8a7ddae Mon Sep 17 00:00:00 2001 From: Jiasheng Jiang Date: Tue, 15 Feb 2022 17:58:08 +0800 Subject: [PATCH 1495/1764] avcodec/vp3: Add missing check for av_malloc Since the av_malloc() may fail and return NULL pointer, it is needed that the 's->edge_emu_buffer' should be checked whether the new allocation is success. Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") Reviewed-by: Peter Ross Signed-off-by: Jiasheng Jiang (cherry picked from commit 656cb0450aeb73b25d7d26980af342b37ac4c568) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 5ecbf9f383..dfe9de3286 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2099,8 +2099,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, if (ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF) < 0) goto error; - if (!s->edge_emu_buffer) + if (!s->edge_emu_buffer) { s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); + if (!s->edge_emu_buffer) { + ret = AVERROR(ENOMEM); + goto error; + } + } if (s->keyframe) { if (!s->theora) { From bf6bff0b75069c42066b754517a3492894f02fae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 Mar 2023 19:07:47 +0100 Subject: [PATCH 1496/1764] avcodec/tests/snowenc: unbreak DWT tests the IDWT data type mismatched current code Signed-off-by: Michael Niedermayer (cherry picked from commit 8b3351bbead47f7f306621b45c8f2391b6bd23d2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index d5f94e8a61..4d9c12947b 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -31,6 +31,7 @@ int main(void){ #define width 256 #define height 256 int buffer[2][width*height]; + short obuffer[width*height]; SnowContext s; int i; AVLFG prng; @@ -49,24 +50,28 @@ int main(void){ printf("testing 5/3 DWT\n"); for(i=0; i20) printf("fsck: %6d %12d %7d\n",i, buffer[0][i], buffer[1][i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); { int level, orientation, x, y; @@ -87,12 +92,12 @@ int main(void){ if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; - memset(buffer[0], 0, sizeof(int)*width*height); + memset(obuffer, 0, sizeof(short)*width*height); buf[w/2 + h/2*stride]= 256*256; - ff_spatial_idwt((IDWTELEM*)buffer[0], s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); + ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Fri, 24 Mar 2023 00:18:06 +0100 Subject: [PATCH 1497/1764] avcodec/snowenc: Fix visual weight calculation Signed-off-by: Michael Niedermayer (cherry picked from commit 5b5fcadea059ab458a886261a5b7a1cc134b517a) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 8 ++++++-- tests/ref/seek/vsynth_lena-snow | 28 +++++++++++++------------- tests/ref/vsynth/vsynth1-snow | 8 ++++---- tests/ref/vsynth/vsynth1-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth2-snow | 8 ++++---- tests/ref/vsynth/vsynth2-snow-hpel | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow | 8 ++++---- tests/ref/vsynth/vsynth_lena-snow-hpel | 8 ++++---- 8 files changed, 44 insertions(+), 40 deletions(-) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index cdb65ea78b..77d3221624 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -1542,10 +1542,10 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ int level, orientation, x, y; for(level=0; levelspatial_decomposition_count; level++){ + int64_t error=0; for(orientation=level ? 1 : 0; orientation<4; orientation++){ SubBand *b= &p->band[level][orientation]; IDWTELEM *ibuf= b->ibuf; - int64_t error=0; memset(s->spatial_idwt_buffer, 0, sizeof(*s->spatial_idwt_buffer)*width*height); ibuf[b->width/2 + b->height/2*b->stride]= 256*16; @@ -1556,9 +1556,13 @@ static void calculate_visual_weight(SnowContext *s, Plane *p){ error += d*d; } } - + if (orientation == 2) + error /= 2; b->qlog= (int)(QROOT * log2(352256.0/sqrt(error)) + 0.5); + if (orientation != 1) + error = 0; } + p->band[level][1].qlog = p->band[level][2].qlog; } } diff --git a/tests/ref/seek/vsynth_lena-snow b/tests/ref/seek/vsynth_lena-snow index 33d6c27463..b2d2d22cda 100644 --- a/tests/ref/seek/vsynth_lena-snow +++ b/tests/ref/seek/vsynth_lena-snow @@ -2,45 +2,45 @@ ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:0 ts:-1.000000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st:-1 flags:1 ts: 1.894167 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.800000 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st: 0 flags:1 ts:-0.320000 ret:-1 st:-1 flags:0 ts: 2.576668 ret: 0 st:-1 flags:1 ts: 1.470835 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st: 0 flags:0 ts: 0.360000 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st: 0 flags:1 ts:-0.760000 ret:-1 st:-1 flags:0 ts: 2.153336 ret: 0 st:-1 flags:1 ts: 1.047503 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret: 0 st: 0 flags:0 ts:-0.040000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.840000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.730004 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:1 ts: 0.624171 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret: 0 st: 0 flags:0 ts:-0.480000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.400000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 1.306672 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:1 ts: 0.200839 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:0 ts:-0.920000 ret: 0 st: 0 flags:1 dts: 0.000000 pts: 0.000000 pos: 5652 size: 3035 ret: 0 st: 0 flags:1 ts: 2.000000 -ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52608 size: 3582 +ret: 0 st: 0 flags:1 dts: 1.920000 pts: 1.920000 pos: 52538 size: 3582 ret: 0 st:-1 flags:0 ts: 0.883340 -ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27442 size: 3494 +ret: 0 st: 0 flags:1 dts: 0.960000 pts: 0.960000 pos: 27382 size: 3493 ret:-1 st:-1 flags:1 ts:-0.222493 ret:-1 st: 0 flags:0 ts: 2.680000 ret: 0 st: 0 flags:1 ts: 1.560000 -ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39806 size: 3640 +ret: 0 st: 0 flags:1 dts: 1.440000 pts: 1.440000 pos: 39690 size: 3640 ret: 0 st:-1 flags:0 ts: 0.460008 -ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16134 size: 3244 +ret: 0 st: 0 flags:1 dts: 0.480000 pts: 0.480000 pos: 16074 size: 3245 ret:-1 st:-1 flags:1 ts:-0.645825 diff --git a/tests/ref/vsynth/vsynth1-snow b/tests/ref/vsynth/vsynth1-snow index f20abd2ee4..b0e3a0bfd7 100644 --- a/tests/ref/vsynth/vsynth1-snow +++ b/tests/ref/vsynth/vsynth1-snow @@ -1,4 +1,4 @@ -67c10f8d52fcd1103caa675a1408bf6e *tests/data/fate/vsynth1-snow.avi -136088 tests/data/fate/vsynth1-snow.avi -bfc0bcc4bc7b956933aa58acc587018d *tests/data/fate/vsynth1-snow.out.rawvideo -stddev: 22.77 PSNR: 20.98 MAXDIFF: 175 bytes: 7603200/ 7603200 +c4c77a6fb926b89fe6591c398f5cd4db *tests/data/fate/vsynth1-snow.avi +136160 tests/data/fate/vsynth1-snow.avi +dcf8b3f62d9c3ae2b2d0fbbacbf83e4e *tests/data/fate/vsynth1-snow.out.rawvideo +stddev: 22.74 PSNR: 20.99 MAXDIFF: 173 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth1-snow-hpel b/tests/ref/vsynth/vsynth1-snow-hpel index 39780ad8a2..72b082b2ce 100644 --- a/tests/ref/vsynth/vsynth1-snow-hpel +++ b/tests/ref/vsynth/vsynth1-snow-hpel @@ -1,4 +1,4 @@ -e62ae25d5040d04622a965bcb27fdb1e *tests/data/fate/vsynth1-snow-hpel.avi -138446 tests/data/fate/vsynth1-snow-hpel.avi -57c914cd150f8fc260b5989ce3e5884c *tests/data/fate/vsynth1-snow-hpel.out.rawvideo -stddev: 22.74 PSNR: 20.99 MAXDIFF: 172 bytes: 7603200/ 7603200 +5c9eb93646eb0e5570d37e9adc9625e4 *tests/data/fate/vsynth1-snow-hpel.avi +138580 tests/data/fate/vsynth1-snow-hpel.avi +3382bdde624d8bb4af206a5ac6614605 *tests/data/fate/vsynth1-snow-hpel.out.rawvideo +stddev: 22.71 PSNR: 21.00 MAXDIFF: 171 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow b/tests/ref/vsynth/vsynth2-snow index e9607bb7d0..355f89d5f4 100644 --- a/tests/ref/vsynth/vsynth2-snow +++ b/tests/ref/vsynth/vsynth2-snow @@ -1,4 +1,4 @@ -0a41e73ddd2f54936490655b46dad4a3 *tests/data/fate/vsynth2-snow.avi -72868 tests/data/fate/vsynth2-snow.avi -34a75f5cf8a71159f1a572d9cedcfef9 *tests/data/fate/vsynth2-snow.out.rawvideo -stddev: 13.73 PSNR: 25.37 MAXDIFF: 162 bytes: 7603200/ 7603200 +5e130d6a48b69348eee7f7c76c5869a3 *tests/data/fate/vsynth2-snow.avi +72942 tests/data/fate/vsynth2-snow.avi +9b6cee60e3ec0d1f312a8a25a7878fcc *tests/data/fate/vsynth2-snow.out.rawvideo +stddev: 13.39 PSNR: 25.59 MAXDIFF: 154 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth2-snow-hpel b/tests/ref/vsynth/vsynth2-snow-hpel index 66839fd6f6..ec3b5dfad2 100644 --- a/tests/ref/vsynth/vsynth2-snow-hpel +++ b/tests/ref/vsynth/vsynth2-snow-hpel @@ -1,4 +1,4 @@ -9bc409e4794ee50691a26c9c836d31a7 *tests/data/fate/vsynth2-snow-hpel.avi -79728 tests/data/fate/vsynth2-snow-hpel.avi -2cc64d8171175a1532fd7d3ed3011fbf *tests/data/fate/vsynth2-snow-hpel.out.rawvideo -stddev: 13.70 PSNR: 25.39 MAXDIFF: 162 bytes: 7603200/ 7603200 +8edcf0fd7f066972ff77d5b891ed6dde *tests/data/fate/vsynth2-snow-hpel.avi +79798 tests/data/fate/vsynth2-snow-hpel.avi +7e0f2a24feda6fb3e54b85511a28c45f *tests/data/fate/vsynth2-snow-hpel.out.rawvideo +stddev: 13.35 PSNR: 25.62 MAXDIFF: 157 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow b/tests/ref/vsynth/vsynth_lena-snow index ec29a78483..582c294531 100644 --- a/tests/ref/vsynth/vsynth_lena-snow +++ b/tests/ref/vsynth/vsynth_lena-snow @@ -1,4 +1,4 @@ -8e96f337e8f4ccac7d72ef517e1d2208 *tests/data/fate/vsynth_lena-snow.avi -57680 tests/data/fate/vsynth_lena-snow.avi -90963cfd2359d460001c94d94256dc2b *tests/data/fate/vsynth_lena-snow.out.rawvideo -stddev: 10.48 PSNR: 27.72 MAXDIFF: 119 bytes: 7603200/ 7603200 +bf2cf9cacc1d98388798be98872049ee *tests/data/fate/vsynth_lena-snow.avi +57604 tests/data/fate/vsynth_lena-snow.avi +707a42eb20195913be55ba8dfadf72fb *tests/data/fate/vsynth_lena-snow.out.rawvideo +stddev: 10.37 PSNR: 27.81 MAXDIFF: 120 bytes: 7603200/ 7603200 diff --git a/tests/ref/vsynth/vsynth_lena-snow-hpel b/tests/ref/vsynth/vsynth_lena-snow-hpel index 2d6edd8a79..67effebc8a 100644 --- a/tests/ref/vsynth/vsynth_lena-snow-hpel +++ b/tests/ref/vsynth/vsynth_lena-snow-hpel @@ -1,4 +1,4 @@ -56b14cb1cbb637536233982e87f7ac3e *tests/data/fate/vsynth_lena-snow-hpel.avi -61764 tests/data/fate/vsynth_lena-snow-hpel.avi -244b0266127fa354d8485234b2c388e4 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo -stddev: 10.45 PSNR: 27.74 MAXDIFF: 119 bytes: 7603200/ 7603200 +c6ec87a11415a99b1a781f9f5bacb722 *tests/data/fate/vsynth_lena-snow-hpel.avi +61814 tests/data/fate/vsynth_lena-snow-hpel.avi +40f330397b7acf6bdbb3ec6d908be451 *tests/data/fate/vsynth_lena-snow-hpel.out.rawvideo +stddev: 10.34 PSNR: 27.83 MAXDIFF: 118 bytes: 7603200/ 7603200 From 62a0bbfa54dafe63f1de4b13e1a846c5c7bf7cd9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:31:40 +0100 Subject: [PATCH 1498/1764] avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches Signed-off-by: Michael Niedermayer (cherry picked from commit 771c266c0be29e6a1001fbd6795dd343147da1f2) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index 4d9c12947b..b484f3a145 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -37,6 +37,7 @@ int main(void){ AVLFG prng; s.spatial_decomposition_count=6; s.spatial_decomposition_type=1; + int ret = 0; s.temp_dwt_buffer = av_mallocz_array(width, sizeof(DWTELEM)); s.temp_idwt_buffer = av_mallocz_array(width, sizeof(IDWTELEM)); @@ -58,7 +59,10 @@ int main(void){ ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(i=0; i20) printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + if(FFABS(buffer[1][i] - obuffer[i])>20) { + printf("fsck: %4dx%4d %12d %7d\n",i%width, i/width, buffer[1][i], obuffer[i]); + ret = 1; + } { int level, orientation, x, y; @@ -148,5 +155,5 @@ int main(void){ } } - return 0; + return ret; } From 789e1897793fd57b4a71a00a9edc14b7dd7a0a78 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Mar 2023 00:48:56 +0100 Subject: [PATCH 1499/1764] avcodec/tests/snowenc: Fix 2nd test (cherry picked from commit 163013c72452621624f634c706824c77222b77c5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/snowenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c index b484f3a145..65699158ca 100644 --- a/libavcodec/tests/snowenc.c +++ b/libavcodec/tests/snowenc.c @@ -93,14 +93,14 @@ int main(void){ int w= width >> (s.spatial_decomposition_count-level); int h= height >> (s.spatial_decomposition_count-level); int stride= width << (s.spatial_decomposition_count-level); - DWTELEM *buf= buffer[0]; + IDWTELEM *buf= obuffer; int64_t error=0; if(orientation&1) buf+=w; if(orientation>1) buf+=stride>>1; memset(obuffer, 0, sizeof(short)*width*height); - buf[w/2 + h/2*stride]= 256*256; + buf[w/2 + h/2*stride]= 8*256; ff_spatial_idwt(obuffer, s.temp_idwt_buffer, width, height, width, s.spatial_decomposition_type, s.spatial_decomposition_count); for(y=0; y Date: Sun, 1 Jan 2023 00:00:00 +0100 Subject: [PATCH 1500/1764] configure: update copyright year (cherry picked from commit 62da0b4a741a064f118a0eece496d6bcc437ec91) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index e6d9030d84..576a950ea3 100755 --- a/configure +++ b/configure @@ -7000,7 +7000,7 @@ cat > $TMPH < Date: Sun, 26 Mar 2023 21:34:03 +0200 Subject: [PATCH 1501/1764] avcodec/g729postfilter: Limit shift in long term filter Fixes: shift exponent 34 is too large for 32-bit type 'int' Fixes: 57389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6229522659016704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6d1d8609ac1054017ea3d11b325ed94a1205e9fd) Signed-off-by: Michael Niedermayer --- libavcodec/g729postfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 617744ec8e..668177c843 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -350,7 +350,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int, if (tmp > 0) L_temp0 >>= tmp; else - L_temp1 >>= -tmp; + L_temp1 >>= FFMIN(-tmp, 31); /* Check if longer filter increases the values of R'(k). */ if (L_temp1 > L_temp0) { From e52276f77aecafac312ab0bcb347f9cacb716115 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 Mar 2023 22:35:50 +0200 Subject: [PATCH 1502/1764] avcodec/vp3: Check width to avoid assertion failure Fixes: Assertion failure on x86-32 av_assert2(block_w * sizeof(pixel) <= FFABS(buf_linesize)); in ff_emulated_edge_mc() Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dab1cd2dc0471d497f481736059b2023c5b7986a) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index dfe9de3286..49c6b22ab2 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1747,6 +1747,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) s->avctx = avctx; s->width = FFALIGN(avctx->coded_width, 16); s->height = FFALIGN(avctx->coded_height, 16); + if (s->width < 18) + return AVERROR_PATCHWELCOME; if (avctx->codec_id != AV_CODEC_ID_THEORA) avctx->pix_fmt = AV_PIX_FMT_YUV420P; avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; @@ -2313,7 +2315,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) /* sanity check */ if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || visible_width + offset_x > s->width || - visible_height + offset_y > s->height) { + visible_height + offset_y > s->height || + visible_width < 18 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", visible_width, visible_height, offset_x, offset_y, @@ -2359,6 +2363,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) } else avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (s->width < 18) + return AVERROR_PATCHWELCOME; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; From db29a662954b44b04c2c5e861bd51d20fcc2d8f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Mar 2023 18:15:36 +0200 Subject: [PATCH 1503/1764] avcodec/j2kenc: fix 5/3 DWT identifer Signed-off-by: Michael Niedermayer (cherry picked from commit f6955b6df4b599ff5604e82987b96957414f8dd5) Signed-off-by: Michael Niedermayer --- libavcodec/j2kenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index baaf47422c..4994c40a5c 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -1188,7 +1188,7 @@ static const AVOption options[] = { { "tile_height", "Tile Height", OFFSET(tile_height), AV_OPT_TYPE_INT, { .i64 = 256 }, 1, 1<<30, VE, }, { "pred", "DWT Type", OFFSET(pred), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, VE, "pred" }, { "dwt97int", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, - { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, INT_MIN, INT_MAX, VE, "pred" }, + { "dwt53", NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 1 }, INT_MIN, INT_MAX, VE, "pred" }, { NULL } }; From 8c8821b545a287c7a297d0adc83043708e65f526 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 13:18:42 +0200 Subject: [PATCH 1504/1764] avcodec/huffyuvdec: Fix undefined behavior with shift Fixes: left shift of negative value -1 Fixes: 57554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFVHUFF_fuzzer-4853603839115264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 27e7857bd1127974ffe1512293abee83b1035194) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index f6a51c3320..4b8bc5b858 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -691,9 +691,9 @@ static void decode_422_bitstream(HYuvContext *s, int count) /* TODO instead of restarting the read when the code isn't in the first level * of the joint table, jump into the 2nd level of the individual table. */ #define READ_2PIX_PLANE16(dst0, dst1, plane){\ - dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst0 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst0 += get_bits(&s->gb, 2);\ - dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2;\ + dst1 = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)*4;\ dst1 += get_bits(&s->gb, 2);\ } static void decode_plane_bitstream(HYuvContext *s, int width, int plane) From e7ae341c2ab73149d98f066ca9d5fadbbf785d9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Apr 2023 15:18:55 +0200 Subject: [PATCH 1505/1764] avcodec/escape124: Check that blocks are allocated before use Fixes: NULL pointer dereference Fixes: 57819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5077280228769792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5366ae12b9ba60404822f6b39b41f6c0d98a7c8a) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 50fa882255..5e4e57bf90 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -157,7 +157,7 @@ static MacroBlock decode_macroblock(Escape124Context* s, GetBitContext* gb, // This condition can occur with invalid bitstreams and // *codebook_index == 2 - if (block_index >= s->codebooks[*codebook_index].size) + if (block_index >= s->codebooks[*codebook_index].size || !s->codebooks[*codebook_index].blocks) return (MacroBlock) { { 0 } }; return s->codebooks[*codebook_index].blocks[block_index]; From 9989fd451685b1b050622b6c5a21c1f99e22f0db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:14 +0100 Subject: [PATCH 1506/1764] libavcodec/lcldec: width and height should not be unsigned Computations like col < width - 3 will not work with unsigned width=1 Signed-off-by: Michael Niedermayer (cherry picked from commit 3eb4e28c26c3bce608214f392ab1fe6ee28ec1df) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 104defa5f5..ed87e6179b 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -166,8 +166,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int row, col; unsigned char *encoded = avpkt->data, *outptr; uint8_t *y_out, *u_out, *v_out; - unsigned int width = avctx->width; // Real image width - unsigned int height = avctx->height; // Real image height + int width = avctx->width; // Real image width + int height = avctx->height; // Real image height unsigned int mszh_dlen; unsigned char yq, y1q, uq, vq; int uqvq, ret; From 09e16d736b6cadd401b6a37d4ecce619a67d4459 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Mar 2023 13:57:15 +0100 Subject: [PATCH 1507/1764] avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width Fixes: Ticket10240 Fixes: zlib_306_306_yuv422.avi Fixes: zlib_306_306_yuv411.avi Signed-off-by: Michael Niedermayer (cherry picked from commit 0cf1ac905d2d97355a389c3baa4e132824b29f21) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index ed87e6179b..97813b0e00 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -399,6 +399,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac v_out[ col >> 1 ] = *encoded++ + 128; v_out[(col >> 1) + 1] = *encoded++ + 128; } + if (col && col < width) { + u_out[ col >> 1 ] = u_out[(col>>1) - 1]; + v_out[ col >> 1 ] = v_out[(col>>1) - 1]; + } + y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -420,6 +425,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac u_out[col >> 2] = *encoded++ + 128; v_out[col >> 2] = *encoded++ + 128; } + if (col && col < width) { + u_out[col >> 2] = u_out[(col>>2) - 1]; + v_out[col >> 2] = v_out[(col>>2) - 1]; + } y_out -= frame->linesize[0]; u_out -= frame->linesize[1]; v_out -= frame->linesize[2]; @@ -477,6 +486,7 @@ static av_cold int decode_init(AVCodecContext *avctx) FFALIGN(avctx->height, 4); unsigned int max_decomp_size; int subsample_h, subsample_v; + int partial_h_supported = 0; if (avctx->extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n"); @@ -498,14 +508,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 1:1:1.\n"); break; case IMGTYPE_YUV422: - c->decomp_size = basesize * 2; + c->decomp_size = (avctx->width & ~3) * avctx->height * 2; max_decomp_size = max_basesize * 2; avctx->pix_fmt = AV_PIX_FMT_YUV422P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:2:2.\n"); - if (avctx->width % 4) { - avpriv_request_sample(avctx, "Unsupported dimensions"); - return AVERROR_INVALIDDATA; - } + partial_h_supported = 1; break; case IMGTYPE_RGB24: c->decomp_size = basesize * 3; @@ -514,10 +521,11 @@ static av_cold int decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); break; case IMGTYPE_YUV411: - c->decomp_size = basesize / 2 * 3; + c->decomp_size = (avctx->width & ~3) * avctx->height / 2 * 3; max_decomp_size = max_basesize / 2 * 3; avctx->pix_fmt = AV_PIX_FMT_YUV411P; av_log(avctx, AV_LOG_DEBUG, "Image type is YUV 4:1:1.\n"); + partial_h_supported = 1; break; case IMGTYPE_YUV211: c->decomp_size = basesize * 2; @@ -537,7 +545,7 @@ static av_cold int decode_init(AVCodecContext *avctx) } av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &subsample_h, &subsample_v); - if (avctx->width % (1<height % (1<width % (1<height % (1< Date: Thu, 9 Mar 2023 13:57:17 +0100 Subject: [PATCH 1508/1764] avcodec/lcldec: More space for rgb24 Fixes: Ticket 10239 Fixes: zlib_306_306_rgb24.av Signed-off-by: Michael Niedermayer (cherry picked from commit e2c3aa8e2b800c5b860315277b3ea426b8b23393) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index 97813b0e00..c29a884701 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -148,6 +148,8 @@ static int zlib_decomp(AVCodecContext *avctx, const uint8_t *src, int src_len, i if (expected != (unsigned int)c->zstream.total_out) { av_log(avctx, AV_LOG_ERROR, "Decoded size differs (%d != %lu)\n", expected, c->zstream.total_out); + if (expected > (unsigned int)c->zstream.total_out) + return (unsigned int)c->zstream.total_out; return AVERROR_UNKNOWN; } return c->zstream.total_out; @@ -274,12 +276,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac ret = zlib_decomp(avctx, buf + 8 + mthread_inlen, len - 8 - mthread_inlen, mthread_outlen, mthread_outlen); if (ret < 0) return ret; + len = c->decomp_size; } else { int ret = zlib_decomp(avctx, buf, len, 0, c->decomp_size); if (ret < 0) return ret; + len = ret; } encoded = c->decomp_buf; - len = c->decomp_size; break; #endif default: @@ -515,7 +518,7 @@ static av_cold int decode_init(AVCodecContext *avctx) partial_h_supported = 1; break; case IMGTYPE_RGB24: - c->decomp_size = basesize * 3; + c->decomp_size = FFALIGN(avctx->width*3, 4) * avctx->height; max_decomp_size = max_basesize * 3; avctx->pix_fmt = AV_PIX_FMT_BGR24; av_log(avctx, AV_LOG_DEBUG, "Image type is RGB 24.\n"); From 99bab6e96168e205ffa990369684fee41e367934 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Jan 2023 22:48:46 +0100 Subject: [PATCH 1509/1764] avcodec/g2meet: Replace fake allocation avoidance for framebuf framebuf is only allocated when the new width/height are larger than the old but nothing sets the old so its always allocated. Use av_fast_mallocz() instead. Fixes: Timeout Fixes: 55094/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5116909932904448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 38adbc6eebd7f2f34ecf1b0b18019e88bad9d9f4) Signed-off-by: Michael Niedermayer --- libavcodec/g2meet.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 7ef275c9fe..5856d51783 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -143,7 +143,8 @@ typedef struct G2MContext { int got_header; uint8_t *framebuf; - int framebuf_stride, old_width, old_height; + int framebuf_stride; + unsigned int framebuf_allocated; uint8_t *synth_tile, *jpeg_tile, *epic_buf, *epic_buf_base; int tile_stride, epic_buf_stride, old_tile_w, old_tile_h; @@ -1179,14 +1180,13 @@ static int g2m_init_buffers(G2MContext *c) { int aligned_height; - if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) { - c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; - aligned_height = c->height + 15; - av_free(c->framebuf); - c->framebuf = av_mallocz_array(c->framebuf_stride, aligned_height); - if (!c->framebuf) - return AVERROR(ENOMEM); - } + c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3; + aligned_height = c->height + 15; + + av_fast_mallocz(&c->framebuf, &c->framebuf_allocated, c->framebuf_stride * aligned_height); + if (!c->framebuf) + return AVERROR(ENOMEM); + if (!c->synth_tile || !c->jpeg_tile || (c->compression == 2 && !c->epic_buf_base) || c->old_tile_w < c->tile_width || @@ -1638,6 +1638,7 @@ static av_cold int g2m_decode_end(AVCodecContext *avctx) av_freep(&c->jpeg_tile); av_freep(&c->cursor); av_freep(&c->framebuf); + c->framebuf_allocated = 0; return 0; } From 0b003c082831e86fcc3dd3570072c687c42437ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 Feb 2023 22:49:01 +0100 Subject: [PATCH 1510/1764] avcodec/vorbisdec: Check codebook float values to be finite Fixes: Timeout Fixes: 55116/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-4572159970508800 Signed-off-by: Michael Niedermayer (cherry picked from commit cadd7e7a7589b5c118ad1648a09c629a6b65a3be) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 2fd0f0e8d3..d0d5b7082d 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -363,6 +363,10 @@ static int vorbis_parse_setup_hdr_codebooks(vorbis_context *vc) unsigned codebook_value_bits = get_bits(gb, 4) + 1; unsigned codebook_sequence_p = get_bits1(gb); + if (!isfinite(codebook_minimum_value) || !isfinite(codebook_delta_value)) { + ret = AVERROR_INVALIDDATA; + goto error; + } ff_dlog(NULL, " We expect %d numbers for building the codevectors. \n", codebook_lookup_values); ff_dlog(NULL, " delta %f minmum %f \n", From 40f962e56961c980c5282466efc50fc02a543aeb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 16:56:40 +0200 Subject: [PATCH 1511/1764] avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5124452659888128 Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6362836707442688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 34056a94eab5f8fbc7e0b8510f7c9851931f23b7) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index e431d0b8af..dbd87a787d 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -426,7 +426,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } if (s->codec_id == AV_CODEC_ID_IFF_ILBM) { - w_align = FFMAX(w_align, 8); + w_align = FFMAX(w_align, 16); } *width = FFALIGN(*width, w_align); From 77d1ae5d943d029d125c69ec5f63720356e14933 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 17:34:16 +0200 Subject: [PATCH 1512/1764] avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() Fixes: out of array access Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6682195323650048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19b66b89da4b4ff086dc1fc79bbf540e82bdbcb4) Signed-off-by: Michael Niedermayer --- libavcodec/tak.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tak.c b/libavcodec/tak.c index d2670e00ff..053aa05b09 100644 --- a/libavcodec/tak.c +++ b/libavcodec/tak.c @@ -154,6 +154,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb, if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA) return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 24) + return AVERROR_INVALIDDATA; + skip_bits(gb, 24); return 0; From b79b50a3082a602277fc3e006d581b22d08cce18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 Mar 2023 00:51:38 +0100 Subject: [PATCH 1513/1764] avformat/wavdec: Check that smv block fits in available space Fixes: OOM Fixes: 56271/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5290810045497344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a76efafdb9be966ae3ad52b32370dc644dd582bf) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index b7c5f22a3a..0912359133 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -647,6 +647,10 @@ smv_retry: goto smv_out; } size = avio_rl24(s->pb); + if (size > wav->smv_block_size) { + ret = AVERROR_EOF; + goto smv_out; + } ret = av_get_packet(s->pb, pkt, size); if (ret < 0) goto smv_out; From 30cdacf8c2ff111a362671be7cec7e4f4000b469 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Apr 2023 15:06:59 +0200 Subject: [PATCH 1514/1764] avcodec/pngdec: Do not pass AVFrame into global header decode The global header should not contain a frame, and decoding it would result in leaks Fixes: memleak Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-6603443149340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d31d4f32283f765c79d6e127d31ee2c37a0acef7) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index ce570e3d55..88ebd82f78 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -620,6 +620,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; + if (!p) + return AVERROR_INVALIDDATA; if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; @@ -1292,6 +1294,8 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, break; } case MKTAG('i', 'C', 'C', 'P'): { + if (!p) + return AVERROR_INVALIDDATA; if ((ret = decode_iccp_chunk(s, length, p)) < 0) goto fail; break; @@ -1314,6 +1318,9 @@ skip_tag: } exit_loop: + if (!p) + return AVERROR_INVALIDDATA; + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { return 0; @@ -1460,7 +1467,7 @@ static int decode_frame_apng(AVCodecContext *avctx, s->zstream.zfree = ff_png_zfree; bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size); - if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) + if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0) goto end; } From 5a797e7c23a1f2eb696a2aef76b21c617ab37bef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2023 20:26:33 +0200 Subject: [PATCH 1515/1764] Update for 3.4.13 Signed-off-by: Michael Niedermayer --- Changelog | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 55 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 0e6157aa40..777ef4c4c6 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,59 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.13: + avcodec/pngdec: Do not pass AVFrame into global header decode + avformat/wavdec: Check that smv block fits in available space + avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() + avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated + avcodec/vorbisdec: Check codebook float values to be finite + avcodec/g2meet: Replace fake allocation avoidance for framebuf + avcodec/lcldec: More space for rgb24 + avcodec/lcldec: Support 4:1:1 and 4:2:2 with odd width + libavcodec/lcldec: width and height should not be unsigned + avcodec/escape124: Check that blocks are allocated before use + avcodec/huffyuvdec: Fix undefined behavior with shift + avcodec/j2kenc: fix 5/3 DWT identifer + avcodec/vp3: Check width to avoid assertion failure + avcodec/g729postfilter: Limit shift in long term filter + configure: update copyright year + avcodec/tests/snowenc: Fix 2nd test + avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches + avcodec/snowenc: Fix visual weight calculation + avcodec/tests/snowenc: unbreak DWT tests + avcodec/vp3: Add missing check for av_malloc + avcodec/escape124: Fix some return codes + avcodec/escape124: fix signdness of end of input check + Use https for repository links + avcodec/motionpixels: Mask pixels to valid values + avcodec/xpmdec: Check size before allocation to avoid truncation + avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane() + avcodec/bink: Fix off by 1 error in ref end + avcodec/utils: Ensure linesize for SVQ3 + avcodec/utils: allocate a line more for VC1 and WMV3 + avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things + avcodec/pngdec: Check deloco index more exactly + avcodec/ffv1dec: Check that num h/v slices is supported + avformat/mov: Check samplesize and offset to avoid integer overflow + avcodec/pictordec: Remove mid exit branch + avcodec/eac3dec: avoid float noise in fixed mode addition to overflow + avcodec/utils: use 32pixel alignment for bink + avcodec/012v: Order operations for odd size handling + avcodec/eatgq: : Check index increments in tgq_decode_block() + avcodec/scpr: Test bx before use + avcodec/sunrast: Fix maplength check + avcodec/wavpack: Avoid undefined shift in get_tail() + avformat/id3v2: Check taglen in read_uslt() + avcodec/ffv1dec: restructure slice coordinate reading a bit + avcodec/mlpdec: Check max matrix instead of max channel in noise check + swscale/input: Use more unsigned intermediates + avcodec/alsdec: The minimal block is at least 7 bits + avformat/replaygain: avoid undefined / negative abs + swscale/output: Bias 16bps output calculations to improve non overflowing range + avcodec/speedhq: Check buf_size to be big enough for DC + avcodec/ffv1dec: Fail earlier if prior context is corrupted + swscale: aarch64: Fix yuv2rgb with negative strides + version 3.4.12: avcodec/dstdec: Check for overflow in build_filter() avformat/spdifdec: Use 64bit to compute bit rate diff --git a/RELEASE b/RELEASE index 25e863282b..618659f09f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.12 +3.4.13 diff --git a/doc/Doxyfile b/doc/Doxyfile index 15b73f57b1..4c4a79466c 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.12 +PROJECT_NUMBER = 3.4.13 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 7b4662fae5e9e0e3fe70d93471b04ccdb7c0e2d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Jun 2023 19:59:40 +0200 Subject: [PATCH 1516/1764] avcodec/noise_bsf: Check for wrapped frames Wrapped frames contain pointers so they need specific code to noise them, the generic code would lead to segfaults Signed-off-by: Michael Niedermayer (cherry picked from commit 0889ebc577749ee6abc620bc9030d2002487935f) Signed-off-by: Michael Niedermayer --- libavcodec/noise_bsf.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/noise_bsf.c b/libavcodec/noise_bsf.c index 84b94032ad..42b632dd7a 100644 --- a/libavcodec/noise_bsf.c +++ b/libavcodec/noise_bsf.c @@ -45,6 +45,11 @@ static int noise(AVBSFContext *ctx, AVPacket *out) if (amount <= 0) return AVERROR(EINVAL); + if (ctx->par_in->codec_id == AV_CODEC_ID_WRAPPED_AVFRAME) { + av_log(ctx, AV_LOG_ERROR, "Wrapped AVFrame noising is unsupported\n"); + return AVERROR_PATCHWELCOME; + } + ret = ff_bsf_get_packet(ctx, &in); if (ret < 0) return ret; From c7210207555effd194b60dee424fd5632bb388f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2023 22:49:06 +0200 Subject: [PATCH 1517/1764] Changelog: update --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 777ef4c4c6..a3b9fef375 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.4.13: + avcodec/noise_bsf: Check for wrapped frames avcodec/pngdec: Do not pass AVFrame into global header decode avformat/wavdec: Check that smv block fits in available space avcodec/tak: Check remaining bits in ff_tak_decode_frame_header() From 7167952f0ee6f38a3d145488048413810358409c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Jun 2023 21:44:37 +0200 Subject: [PATCH 1518/1764] avcodec: Ignoring errors is only possible before the input end Fixes: out of array read Fixes: Ticket 10308 Signed-off-by: Michael Niedermayer (cherry picked from commit fead656a7bf523d448fe8bd39c1f2ea36be98fb9) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 2 +- libavcodec/mpeg4videodec.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index b13892ddbb..b2939abd16 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -289,7 +289,7 @@ static int decode_slice(MpegEncContext *s) ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR & part_mask); - if (s->avctx->err_recognition & AV_EF_IGNORE_ERR) + if ((s->avctx->err_recognition & AV_EF_IGNORE_ERR) && get_bits_left(&s->gb) > 0) continue; return AVERROR_INVALIDDATA; } diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 11cf530cdd..81a73a466f 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1128,7 +1128,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "1. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return -1; } SKIP_CACHE(re, &s->gb, 1); @@ -1139,7 +1139,7 @@ static inline int mpeg4_decode_block(Mpeg4DecContext *ctx, int16_t *block, if (SHOW_UBITS(re, &s->gb, 1) == 0) { av_log(s->avctx, AV_LOG_ERROR, "2. marker bit missing in 3. esc\n"); - if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR)) + if (!(s->avctx->err_recognition & AV_EF_IGNORE_ERR) || get_bits_left(&s->gb) <= 0) return -1; } From 4e6b5097f24e2233ea0b27bbbb4760baf7a3fab0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2023 23:40:16 +0200 Subject: [PATCH 1519/1764] avcodec/takdsp: Fix integer overflows Fixes: avcodec/takdsp.c:44:23: runtime error: signed integer overflow: -2097158 - 2147012608 cannot be represented in type 'int' Fixes: 58417/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5268919664640000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ff8a496d41422b694f66684ada97dcf49e167782) Signed-off-by: Michael Niedermayer --- libavcodec/takdsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index a8f9dba342..f5dc47988f 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -28,8 +28,8 @@ static void decorrelate_ls(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p2[i] = a + b; } } @@ -39,8 +39,8 @@ static void decorrelate_sr(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; - int32_t b = p2[i]; + uint32_t a = p1[i]; + uint32_t b = p2[i]; p1[i] = b - a; } } @@ -50,7 +50,7 @@ static void decorrelate_sm(int32_t *p1, int32_t *p2, int length) int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; a -= b >> 1; p1[i] = a; @@ -63,7 +63,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int int i; for (i = 0; i < length; i++) { - int32_t a = p1[i]; + uint32_t a = p1[i]; int32_t b = p2[i]; b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; From 781fdc696419f1db8114d68afc3f2dcfebf451ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 25 May 2023 23:40:18 +0200 Subject: [PATCH 1520/1764] avcodec/hevcdec: Avoid null pointer dereferences in MC Fixes: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffff8 Fixes: 58440/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5956015530311680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a0f4d4e65093a4cb627f05d09b19c922e88cfac1) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 85f5ec251a..88d252769d 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1819,13 +1819,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0) + if (!ref0 || !ref0->frame->data[0]) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1) + if (!ref1 || !ref1->frame->data[0]) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From 9c7334b053d5684724ab394f534f10083c20de01 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2023 21:00:03 +0200 Subject: [PATCH 1521/1764] avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() Fixes: signed integer overflow: 256 * 668003712 cannot be represented in type 'int' Fixes: 59819/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4674636538052608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a4bf559683a999c8faa408fdd8f29bd28a6a47ea) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index dbd87a787d..5687337284 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1766,9 +1766,9 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, if (sr > 0) { /* calc from sample rate */ if (id == AV_CODEC_ID_TTA) - return 256 * sr / 245; + return 256ll * sr / 245; else if (id == AV_CODEC_ID_DST) - return 588 * sr / 44100; + return 588ll * sr / 44100; if (ch > 0) { /* calc from sample rate and channels */ From f7f742a519736d6076fc1f3437feb5cdbdf0c222 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 00:59:40 +0200 Subject: [PATCH 1522/1764] avutil/softfloat: fix av_sincos_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit d84677abd8ffb8ca8ad94eced6d9e03928f35d79) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 2 +- libavutil/tests/softfloat.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index a651406f74..1520027ddc 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -281,7 +281,7 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) (int64_t)av_sintbl_4_sf[(idx & 0x1f) + 1] * (a & 0x7ff) + 0x400) >> 11); - *c = (int)(((int64_t)cv * ct + (int64_t)sv * st + 0x20000000) >> 30); + *c = (int)(((int64_t)cv * ct - (int64_t)sv * st + 0x20000000) >> 30); *s = (int)(((int64_t)cv * st + (int64_t)sv * ct + 0x20000000) >> 30); } diff --git a/libavutil/tests/softfloat.c b/libavutil/tests/softfloat.c index c06de44933..a2e628fe81 100644 --- a/libavutil/tests/softfloat.c +++ b/libavutil/tests/softfloat.c @@ -148,7 +148,7 @@ int main(void){ av_sincos_sf(i*(1ULL<<32)/36/4, &s, &c); errs = (double)s/ (1<<30) - sin(i*M_PI/36); errc = (double)c/ (1<<30) - cos(i*M_PI/36); - if (fabs(errs) > 0.00000002 || fabs(errc) >0.001) { + if (fabs(errs) > 0.000000004 || fabs(errc) >0.000000004) { printf("sincos FAIL %d %f %f %f %f\n", i, (float)s/ (1<<30), (float)c/ (1<<30), sin(i*M_PI/36), cos(i*M_PI/36)); } From d4fcb508d15779460caba55bd19aaf0a5a775279 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 01:26:33 +0200 Subject: [PATCH 1523/1764] avutil/softfloat: Basic documentation for av_sincos_sf() Signed-off-by: Michael Niedermayer (cherry picked from commit 4aa1a42a91438b7107d2d77db1fc5ca95c27740c) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 1520027ddc..399ca6d682 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -236,6 +236,10 @@ static av_always_inline SoftFloat av_sqrt_sf(SoftFloat val) /** * Rounding-to-nearest used. + * + * @param a angle in units of (1ULL<<30)/M_PI radians + * @param s pointer to where sine in units of (1<<30) is returned + * @param c pointer to where cosine in units of (1<<30) is returned */ static av_unused void av_sincos_sf(int a, int *s, int *c) { From f2937fde73bf42654d71fb722ca35d12a5284354 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 10 Jun 2023 01:09:52 +0200 Subject: [PATCH 1524/1764] avcodec/jpeg2000dec: Check for reduction factor and image offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This combination is not working (it writes out of array) Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 9b6d191a66a8d9b3064efecc79a9f44fb14d7875) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index a6889cb4bd..de503761b8 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -311,6 +311,11 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ + av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); + return AVERROR_PATCHWELCOME; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { From 717b15de1d0c7c586b430fbb3e9d4ac8dfd5d837 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2023 01:46:20 +0200 Subject: [PATCH 1525/1764] avformat/avr: Check sample rate Fixes: 54979/clusterfuzz-testcase-minimized-ffmpeg_dem_AVR_fuzzer-6681035461230592 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 32556fa62b1d0615f621fd8f71bdfe3b72e43896) Signed-off-by: Michael Niedermayer --- libavformat/avr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/avr.c b/libavformat/avr.c index 294160e024..8dde0106e9 100644 --- a/libavformat/avr.c +++ b/libavformat/avr.c @@ -70,6 +70,9 @@ static int avr_read_header(AVFormatContext *s) avio_skip(s->pb, 1); // replay speed st->codecpar->sample_rate = avio_rb24(s->pb); + if (st->codecpar->sample_rate == 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4 * 3); avio_skip(s->pb, 2 * 3); avio_skip(s->pb, 20); From c123a4dd0c5923ac91c07c52c780dcd85f2ba0fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 7 Aug 2023 00:02:21 +0200 Subject: [PATCH 1526/1764] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: -1403461578 + -843974775 cannot be represented in type 'int' Fixes: 60868/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-4599793035378688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ce322a51eae87fd3a0eb96f2280175554ef30c5) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 360deb3244..8863538529 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -69,24 +69,24 @@ static int idct_row(short *in, const int *const tab, int rnd) if (!(right | in[4])) { const int k = c4 * in[0] + rnd; if (left) { - const int a0 = k + c2 * in[2]; - const int a1 = k + c6 * in[2]; - const int a2 = k - c6 * in[2]; - const int a3 = k - c2 * in[2]; + const unsigned a0 = k + c2 * in[2]; + const unsigned a1 = k + c6 * in[2]; + const unsigned a2 = k - c6 * in[2]; + const unsigned a3 = k - c2 * in[2]; const int b0 = c1 * in[1] + c3 * in[3]; const int b1 = c3 * in[1] - c7 * in[3]; const int b2 = c5 * in[1] - c1 * in[3]; const int b3 = c7 * in[1] - c5 * in[3]; - in[0] = (a0 + b0) >> ROW_SHIFT; - in[1] = (a1 + b1) >> ROW_SHIFT; - in[2] = (a2 + b2) >> ROW_SHIFT; - in[3] = (a3 + b3) >> ROW_SHIFT; - in[4] = (a3 - b3) >> ROW_SHIFT; - in[5] = (a2 - b2) >> ROW_SHIFT; - in[6] = (a1 - b1) >> ROW_SHIFT; - in[7] = (a0 - b0) >> ROW_SHIFT; + in[0] = (int)(a0 + b0) >> ROW_SHIFT; + in[1] = (int)(a1 + b1) >> ROW_SHIFT; + in[2] = (int)(a2 + b2) >> ROW_SHIFT; + in[3] = (int)(a3 + b3) >> ROW_SHIFT; + in[4] = (int)(a3 - b3) >> ROW_SHIFT; + in[5] = (int)(a2 - b2) >> ROW_SHIFT; + in[6] = (int)(a1 - b1) >> ROW_SHIFT; + in[7] = (int)(a0 - b0) >> ROW_SHIFT; } else { const int a0 = k >> ROW_SHIFT; if (a0) { From 5e57f3c8de3bf4f780d6a24d8305ea99e7bc14eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Aug 2023 14:35:55 +0200 Subject: [PATCH 1527/1764] avcodec/tta: fix signed overflow in decorrelate Fixes: signed integer overflow: 2079654542 - -139267653 cannot be represented in type 'int' Fixes: 60811/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5915858409750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 283bf5c35bc5ac92e061f27c3a680318175a1600) Signed-off-by: Michael Niedermayer --- libavcodec/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 593cb6629a..a17b6cc0e1 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -335,7 +335,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data, if (s->channels > 1) { int32_t *r = p - 1; for (*p += *r / 2; r > (int32_t*)p - s->channels; r--) - *r = *(r + 1) - *r; + *r = *(r + 1) - (unsigned)*r; } cur_chan = 0; i++; From 1c9ae4ada69fe14991767085ae4504f42d3b5783 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2023 23:35:10 +0200 Subject: [PATCH 1528/1764] avcodec/mpeg4videodec: more unsigned in amv computation Fixes: signed integer overflow: -2147483648 + -1048576 cannot be represented in type 'int' Fixes: 59365/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-642654923954585 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0adaa90d89114dc86dbc5704ce31ded5b6750d13) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 81a73a466f..5174a3a1b6 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -557,7 +557,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) for (y = 0; y < 16; y++) { int v; - v = mb_v + dy * y; + v = mb_v + (unsigned)dy * y; // FIXME optimize for (x = 0; x < 16; x++) { sum += v >> shift; From 83a6af7f1a99bb02516ff3924656368228b5f98a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jul 2023 19:45:18 +0200 Subject: [PATCH 1529/1764] avcodec/hevcdec: Fix undefined memcpy() There is likely a better way to fix this, this is mainly to show the problem Fixes: MC within same frame resulting in overlapping memcpy() Fixes: 60189/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4992746590175232 Fixes: 61753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5022150806077440 Fixes: 58062/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4717458841010176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 94bd1796ff45b396021cd260e9b037bc61815933) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 88d252769d..027423c3af 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1425,7 +1425,8 @@ static void luma_mc_uni(HEVCContext *s, uint8_t *dst, ptrdiff_t dststride, if (x_off < QPEL_EXTRA_BEFORE || y_off < QPEL_EXTRA_AFTER || x_off >= pic_width - block_w - QPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - QPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - QPEL_EXTRA_AFTER || + ref == s->frame) { const ptrdiff_t edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset = QPEL_EXTRA_BEFORE * srcstride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); int buf_offset = QPEL_EXTRA_BEFORE * edge_emu_stride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); @@ -1573,6 +1574,7 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, intptr_t my = av_mod_uintp2(mv->y, 2 + vshift); intptr_t _mx = mx << (1 - hshift); intptr_t _my = my << (1 - vshift); + int emu = src0 == s->frame->data[1] || src0 == s->frame->data[2]; x_off += mv->x >> (2 + hshift); y_off += mv->y >> (2 + vshift); @@ -1580,7 +1582,8 @@ static void chroma_mc_uni(HEVCContext *s, uint8_t *dst0, if (x_off < EPEL_EXTRA_BEFORE || y_off < EPEL_EXTRA_AFTER || x_off >= pic_width - block_w - EPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - EPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - EPEL_EXTRA_AFTER || + emu) { const int edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset0 = EPEL_EXTRA_BEFORE * (srcstride + (1 << s->ps.sps->pixel_shift)); int buf_offset0 = EPEL_EXTRA_BEFORE * From ebea366ea992dcb26c23546ac7f9048b9fb5d81f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Jun 2023 00:13:43 +0200 Subject: [PATCH 1530/1764] avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure Fixes: left shift of negative value -1 Fixes: 59889/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HUFFYUV_fuzzer-5472742275940352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90647a9249aee8c0ef6c0bced3558ada9643f5b6) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 4b8bc5b858..62b83705b4 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -751,7 +751,7 @@ static void decode_plane_bitstream(HYuvContext *s, int width, int plane) } } if( width&1 && get_bits_left(&s->gb)>0 ) { - int dst = get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; + int dst = (unsigned)get_vlc2(&s->gb, s->vlc[plane].table, VLC_BITS, 3)<<2; s->temp16[0][width-1] = dst + get_bits(&s->gb, 2); } } From aef6e2a7cab4fbaf4f83326f8e74fa2a37993506 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 May 2023 23:58:31 +0200 Subject: [PATCH 1531/1764] avformat/format: Stop reading data at EOF during probing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue found by: Сергей Колесников Signed-off-by: Michael Niedermayer (cherry picked from commit 80f6e0378beae69d31f24b036a1365405dea61d1) Signed-off-by: Michael Niedermayer --- libavformat/format.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/format.c b/libavformat/format.c index 38ca2a3465..d0d50e8cd1 100644 --- a/libavformat/format.c +++ b/libavformat/format.c @@ -272,6 +272,7 @@ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt, int ret = 0, probe_size, buf_offset = 0; int score = 0; int ret2; + int eof = 0; if (!max_probe_size) max_probe_size = PROBE_BUF_MAX; @@ -303,7 +304,7 @@ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt, } #endif - for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt; + for (probe_size = PROBE_BUF_MIN; probe_size <= max_probe_size && !*fmt && !eof; probe_size = FFMIN(probe_size << 1, FFMAX(max_probe_size, probe_size + 1))) { score = probe_size < max_probe_size ? AVPROBE_SCORE_RETRY : 0; @@ -319,6 +320,7 @@ int av_probe_input_buffer2(AVIOContext *pb, AVInputFormat **fmt, score = 0; ret = 0; /* error was end of file, nothing read */ + eof = 1; } buf_offset += ret; if (buf_offset < offset) From 60e47087297c1ce1d5d01bcd8c91c24c5c1f42e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 7 Sep 2023 02:13:13 +0200 Subject: [PATCH 1532/1764] avcodec/celp_math: avoid overflow in shift by making gain unsigned we have 1 bit more available alternatively we can clip twice as in the g729 reference Fixes: left shift of 23404 by 17 places cannot be represented in type 'int' Fixes: 61728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6280412547383296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6580a7b2b27973947118482235a2eb1214d968a2) Signed-off-by: Michael Niedermayer --- libavcodec/celp_math.h | 2 +- libavcodec/g729postfilter.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/celp_math.h b/libavcodec/celp_math.h index 18888a425d..99a0470719 100644 --- a/libavcodec/celp_math.h +++ b/libavcodec/celp_math.h @@ -78,7 +78,7 @@ int64_t ff_dot_product(const int16_t *a, const int16_t *b, int length); * * @return value << offset, if offset>=0; value >> -offset - otherwise */ -static inline int bidir_sal(int value, int offset) +static inline unsigned bidir_sal(unsigned value, int offset) { if(offset < 0) return value >> -offset; else return value << offset; diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c index 668177c843..7ca569530a 100644 --- a/libavcodec/g729postfilter.c +++ b/libavcodec/g729postfilter.c @@ -578,7 +578,7 @@ void ff_g729_postfilter(AudioDSPContext *adsp, int16_t* ht_prev_data, int* voici int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t *speech, int subframe_size, int16_t gain_prev) { - int gain; // (3.12) + unsigned gain; // (3.12) int n; int exp_before, exp_after; @@ -600,7 +600,7 @@ int16_t ff_g729_adaptive_gain_control(int gain_before, int gain_after, int16_t * gain = ((gain_before - gain_after) << 14) / gain_after + 0x4000; gain = bidir_sal(gain, exp_after - exp_before); } - gain = av_clip_int16(gain); + gain = FFMIN(gain, 32767); gain = (gain * G729_AGC_FAC1 + 0x4000) >> 15; // gain * (1-0.9875) } else gain = 0; From 523a7ddc9fbc4b34368ee7d1f78d3fb893fda252 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 8 Sep 2023 00:13:11 +0200 Subject: [PATCH 1533/1764] avcodec/xvididct: Fix integer overflow in idct_row() Fixes: signed integer overflow: 1871429831 + 343006811 cannot be represented in type 'int' Fixes: 61784/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5372151001120768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b12444fe72173ab52b6479708cfd12cb889ca300) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index 8863538529..f09ce3d544 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -114,7 +114,7 @@ static int idct_row(short *in, const int *const tab, int rnd) in[5] = a1; in[6] = a1; } else { - const int k = c4 * in[0] + rnd; + const unsigned int k = c4 * in[0] + rnd; const unsigned int a0 = k + c2 * in[2] + c4 * in[4] + c6 * in[6]; const unsigned int a1 = k + c6 * in[2] - c4 * in[4] - c2 * in[6]; const unsigned int a2 = k - c6 * in[2] - c4 * in[4] + c2 * in[6]; From 48c506ddb44c8a0cecad93c47089dd5b9406d6c5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:18:14 +0200 Subject: [PATCH 1534/1764] avformat/sbgdec: Check for period overflow Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit a9137110eda130ba07a2a43bdedff2421efbb7a9) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 586a0c58f8..f37fa9145b 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1272,7 +1272,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* SBaGen handles the time before and after the extremal events, and the corresponding transitions, as if the sequence were cyclic with a 24-hours period. */ - period = s->events[s->nb_events - 1].ts - s->events[0].ts; + period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts; + if (period < 0) + return AVERROR_INVALIDDATA; + period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS; period = FFMAX(period, DAY_TS); From 56b0ad3ad134396505e83062919932652e1a3eac Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 22 Sep 2022 20:08:52 +0200 Subject: [PATCH 1535/1764] avformat/westwood_vqa: Check chunk size the type is also changed to int as it is interpreted as int in av_get_packet() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360 Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4613908817903616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 5c0df3da0b7288a43a3b783117064cfcbc8037a5) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index efb9847ff0..15deef6061 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -163,13 +163,15 @@ static int wsvqa_read_packet(AVFormatContext *s, int ret = -1; uint8_t preamble[VQA_PREAMBLE_SIZE]; uint32_t chunk_type; - uint32_t chunk_size; - int skip_byte; + int chunk_size; + unsigned skip_byte; while (avio_read(pb, preamble, VQA_PREAMBLE_SIZE) == VQA_PREAMBLE_SIZE) { chunk_type = AV_RB32(&preamble[0]); chunk_size = AV_RB32(&preamble[4]); + if (chunk_size < 0) + return AVERROR_INVALIDDATA; skip_byte = chunk_size & 0x01; if ((chunk_type == SND0_TAG) || (chunk_type == SND1_TAG) || From ee9ff31dc6e3948619e291f4cdc5a5d4ddb73e29 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 1 Jun 2023 00:50:15 +0200 Subject: [PATCH 1536/1764] avcodec/lcldec: Make PNG filter addressing match the code afterwards Also update check accordingly Fixes: tickets/10237/mszh_306_306_yuv422_nocompress.avi Fixes: tickets/10237/mszh_306_306_yuv411_nocompress.avi Signed-off-by: Michael Niedermayer (cherry picked from commit d11b8bd0c610c212d2a28767f94dc07a8ec473cf) Signed-off-by: Michael Niedermayer --- libavcodec/lcldec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c index c29a884701..38a4993143 100644 --- a/libavcodec/lcldec.c +++ b/libavcodec/lcldec.c @@ -227,16 +227,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac break; case COMP_MSZH_NOCOMP: { int bppx2; + int aligned_width = width; switch (c->imgtype) { case IMGTYPE_YUV111: case IMGTYPE_RGB24: bppx2 = 6; break; case IMGTYPE_YUV422: + aligned_width &= ~3; case IMGTYPE_YUV211: bppx2 = 4; break; case IMGTYPE_YUV411: + aligned_width &= ~3; case IMGTYPE_YUV420: bppx2 = 3; break; @@ -244,7 +247,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac bppx2 = 0; // will error out below break; } - if (len < ((width * height * bppx2) >> 1)) + if (len < ((aligned_width * height * bppx2) >> 1)) return AVERROR_INVALIDDATA; break; } @@ -310,8 +313,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV422: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width * 2; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; @@ -327,8 +330,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } break; case IMGTYPE_YUV411: + pixel_ptr = 0; for (row = 0; row < height; row++) { - pixel_ptr = row * width / 2 * 3; yq = uq = vq =0; for (col = 0; col < width/4; col++) { encoded[pixel_ptr] = yq -= encoded[pixel_ptr]; From 557617b129cf29c954e73aea2a795ee76b41ddba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Sep 2023 01:32:56 +0200 Subject: [PATCH 1537/1764] avformat/avs: Check if return code is representable Fixes: leak Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-6738814988320768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 52d666edec73c834c60811e330f86a7cf1d916da) Signed-off-by: Michael Niedermayer --- libavformat/avs.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/avs.c b/libavformat/avs.c index 544263957f..ae20f55eb6 100644 --- a/libavformat/avs.c +++ b/libavformat/avs.c @@ -135,6 +135,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt) return 0; /* this indicate EOS */ if (ret < 0) return ret; + if (size != (int)size) { + av_packet_unref(pkt); + return AVERROR(EDOM); + } pkt->stream_index = avs->st_audio->index; pkt->flags |= AV_PKT_FLAG_KEY; From 9dccc34ce28095c4cde5ba4958e35b605437d704 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Sep 2023 00:21:52 +0200 Subject: [PATCH 1538/1764] avcodec/escape124: Do not return random numbers Fixes: out of array access Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6035022714634240 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6422176201572352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6d46490f5ea9155fe0601b6246960ae17317fc) Signed-off-by: Michael Niedermayer --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 5e4e57bf90..6bcad51edc 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -238,7 +238,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, if ((ret = av_frame_ref(frame, s->frame)) < 0) return ret; - return frame_size; + return 0; } for (i = 0; i < 3; i++) { @@ -372,7 +372,7 @@ static int escape124_decode_frame(AVCodecContext *avctx, *got_frame = 1; - return frame_size; + return 0; } From effb46dfb0cafa75993f489befc8be452ca99e8d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 19:59:06 +0200 Subject: [PATCH 1539/1764] avformat/jacosubdec: Check timeres Signed-off-by: Michael Niedermayer (cherry picked from commit 51f0ab8b127282415822959ccad7db95ad749b5d) Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 3037085d9c..79c8247d78 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -228,14 +228,17 @@ static int jacosub_read_header(AVFormatContext *s) } av_bprintf(&header, "#S %s", p); break; - case 'T': // ...but must be placed after TIMERES - jacosub->timeres = strtol(p, NULL, 10); - if (!jacosub->timeres) + case 'T': { // ...but must be placed after TIMERES + int64_t timeres = strtol(p, NULL, 10); + if (timeres <= 0 || timeres > UINT32_MAX) { jacosub->timeres = 30; - else + } else { + jacosub->timeres = timeres; av_bprintf(&header, "#T %s", p); + } break; } + } } /* general/essential directives in the extradata */ From 9d73eb002fb05ec7304b897fcb3e670696e43552 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:04:11 +0200 Subject: [PATCH 1540/1764] avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() Fixes: signed integer overflow: -9223372036854775808 - 9222726413022000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5959420033761280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3508b496e195440d0af0203e2822937b8c6f5598) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4b9e83de44..76fddf04eb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6543,12 +6543,13 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) if (msc->pb && msc->current_sample < avst->nb_index_entries) { AVIndexEntry *current_sample = &avst->index_entries[msc->current_sample]; int64_t dts = av_rescale(current_sample->timestamp, AV_TIME_BASE, msc->time_scale); + uint64_t dtsdiff = best_dts > dts ? best_dts - (uint64_t)dts : ((uint64_t)dts - best_dts); av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (!(s->pb->seekable & AVIO_SEEKABLE_NORMAL) && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && - ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || - (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { + ((dtsdiff <= AV_TIME_BASE && current_sample->pos < sample->pos) || + (dtsdiff > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; best_dts = dts; *st = avst; From 1fb07380539402936ab5ccce64763f4279d720cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:14:28 +0200 Subject: [PATCH 1541/1764] avformat/rpl: Check for number_of_chunks overflow Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3c973acbecb879d4949fecdadd2fdfc08dea42b) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index ad3800a906..64a711a548 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -242,6 +242,9 @@ static int rpl_read_header(AVFormatContext *s) "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag)); number_of_chunks = read_line_and_int(pb, &error); // number of chunks in the file + if (number_of_chunks == INT_MAX) + return AVERROR_INVALIDDATA; + // The number in the header is actually the index of the last chunk. number_of_chunks++; From 9ee8383f8e1598da4fee0f5381bfe4fc6bb406ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:28:55 +0200 Subject: [PATCH 1542/1764] avformat/tta: Better totalframes check Fixes: signed integer overflow: 4 * 740491135 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6298893367508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5f0d00464a50994de0993e045e09313ca8d7cc8f) Signed-off-by: Michael Niedermayer --- libavformat/tta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tta.c b/libavformat/tta.c index 82869f5d8e..c60a2a89bd 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c @@ -91,7 +91,7 @@ static int tta_read_header(AVFormatContext *s) c->totalframes = nb_samples / c->frame_size + (c->last_frame_size < c->frame_size); c->currentframe = 0; - if(c->totalframes >= UINT_MAX/sizeof(uint32_t) || c->totalframes <= 0){ + if(c->totalframes >= (INT_MAX - 4)/sizeof(uint32_t) || c->totalframes <= 0){ av_log(s, AV_LOG_ERROR, "totalframes %d invalid\n", c->totalframes); return AVERROR_INVALIDDATA; } From 1f5bc3b37b0b05a80909add3b291a4225adfa9d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 21:33:34 +0200 Subject: [PATCH 1543/1764] avformat/wavdec: Check left avio_tell for overflow Fixes: signed integer overflow: 155 + 9223372036854775655 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5364032278495232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 929ddef3f40102d6a84cfa17ed7c7ffebcf8236e) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 0912359133..3a8bc882d8 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -689,6 +689,8 @@ smv_out: goto smv_retry; return AVERROR_EOF; } + if (INT64_MAX - left < avio_tell(s->pb)) + return AVERROR_INVALIDDATA; wav->data_end = avio_tell(s->pb) + left; } From d74868664f4e30f83e5c80b37e311ca8c8fe371a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:44:25 +0200 Subject: [PATCH 1544/1764] avformat/matroskadec: Check prebuffered_ns for overflow Fixes: signed integer overflow: 9223372036630775808 + 1000000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-5406131992526848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d6df3719dd4f75b40cdf25a02f3f075b76ed045) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5def4e311a..8252661df5 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3783,13 +3783,17 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t prebuffer_ns = 1000000000; int64_t time_ns = st->index_entries[i].timestamp * matroska->time_scale; double nano_seconds_per_second = 1000000000.0; - int64_t prebuffered_ns = time_ns + prebuffer_ns; + int64_t prebuffered_ns; double prebuffer_bytes = 0.0; int64_t temp_prebuffer_ns = prebuffer_ns; int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + if (time_ns > INT64_MAX - prebuffer_ns) + return -1; + prebuffered_ns = time_ns + prebuffer_ns; + // Start with the first Cue. CueDesc desc_end = desc_beg; From 283e077dc62c8cccf24a073eef53a35a7cccb793 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 23:55:20 +0200 Subject: [PATCH 1545/1764] avformat/xwma: sanity check bits_per_coded_sample Fixes: signed integer overflow: 65312 * 524296 cannot be represented in type 'int' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-6595971445555200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe6ce28d118d6030984e1ee5c2d92e98514fe3d1) Signed-off-by: Michael Niedermayer --- libavformat/xwma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 8e0f59fab1..23a68f6819 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -127,7 +127,7 @@ static int xwma_read_header(AVFormatContext *s) st->codecpar->channels); return AVERROR_INVALIDDATA; } - if (!st->codecpar->bits_per_coded_sample) { + if (!st->codecpar->bits_per_coded_sample || st->codecpar->bits_per_coded_sample > 64) { av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", st->codecpar->bits_per_coded_sample); return AVERROR_INVALIDDATA; From 1de06f992ed12c330b2986bfa2ca27520d2819d8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 9 Oct 2023 00:07:32 +0200 Subject: [PATCH 1546/1764] avformat/tmv: Check video chunk size This check matches the audio chunk check Fixes: Timeout Fixes: 62681/clusterfuzz-testcase-minimized-ffmpeg_dem_TMV_fuzzer-5299107876700160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b79fc7059600b28dce392fc20e5c8bd554c2fc95) Signed-off-by: Michael Niedermayer --- libavformat/tmv.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/tmv.c b/libavformat/tmv.c index 2e351714bc..031e926445 100644 --- a/libavformat/tmv.c +++ b/libavformat/tmv.c @@ -103,6 +103,10 @@ static int tmv_read_header(AVFormatContext *s) char_cols = avio_r8(pb); char_rows = avio_r8(pb); tmv->video_chunk_size = char_cols * char_rows * 2; + if (!tmv->video_chunk_size) { + av_log(s, AV_LOG_ERROR, "invalid video chunk size\n"); + return AVERROR_INVALIDDATA; + } features = avio_r8(pb); if (features & ~(TMV_PADDING | TMV_STEREO)) { From 355d7cd130363de13849fdfdb4d4a1fd36d87c74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Oct 2023 18:27:28 +0200 Subject: [PATCH 1547/1764] avcodec/xvididct: Make c* unsigned to avoid undefined overflows Fixes: signed integer overflow: 1496950099 + 728014168 cannot be represented in type 'int' Fixes: 62667/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-6511785170305024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f7e5537dc1ff2f45a6e4c98091f15e60c3647cfc) Signed-off-by: Michael Niedermayer --- libavcodec/xvididct.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/xvididct.c b/libavcodec/xvididct.c index f09ce3d544..ced8c7235a 100644 --- a/libavcodec/xvididct.c +++ b/libavcodec/xvididct.c @@ -56,13 +56,13 @@ static const int TAB35[] = { 26722, 25172, 22654, 19266, 15137, 10426, 5315 }; static int idct_row(short *in, const int *const tab, int rnd) { - const int c1 = tab[0]; - const int c2 = tab[1]; - const int c3 = tab[2]; - const int c4 = tab[3]; - const int c5 = tab[4]; - const int c6 = tab[5]; - const int c7 = tab[6]; + const unsigned c1 = tab[0]; + const unsigned c2 = tab[1]; + const unsigned c3 = tab[2]; + const unsigned c4 = tab[3]; + const unsigned c5 = tab[4]; + const unsigned c6 = tab[5]; + const unsigned c7 = tab[6]; const int right = in[5] | in[6] | in[7]; const int left = in[1] | in[2] | in[3]; @@ -102,8 +102,8 @@ static int idct_row(short *in, const int *const tab, int rnd) return 0; } } else if (!(left | right)) { - const int a0 = (rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; - const int a1 = (rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; + const int a0 = (int)(rnd + c4 * (in[0] + in[4])) >> ROW_SHIFT; + const int a1 = (int)(rnd + c4 * (in[0] - in[4])) >> ROW_SHIFT; in[0] = a0; in[3] = a0; From a31de889eae5613466ef5c6592cbf2d916146021 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Oct 2023 19:28:55 +0200 Subject: [PATCH 1548/1764] avcodec/h2645_parse: Avoid EAGAIN EAGAIN causes an assertion failure when it is returned from the decoder Fixes: Assertion consumed != (-(11)) failed at libavcodec/decode.c:462 Fixes: assertion_IOT_instruction_decode_c_462/poc Found-by: Hardik Shah of Vehere (Dawn Treaders team) Signed-off-by: Michael Niedermayer (cherry picked from commit 5ddab49d48343385eadb3a435a5491c476b66ecc) Signed-off-by: Michael Niedermayer --- libavcodec/h2645_parse.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h index 5f3e17a0f2..ca615d9f1b 100644 --- a/libavcodec/h2645_parse.h +++ b/libavcodec/h2645_parse.h @@ -97,7 +97,7 @@ static inline int get_nalsize(int nal_length_size, const uint8_t *buf, if (*buf_index >= buf_size - nal_length_size) { // the end of the buffer is reached, refill it - return AVERROR(EAGAIN); + return AVERROR_INVALIDDATA; } for (i = 0; i < nal_length_size; i++) From af0b7d9a1a835ccef6ca397fbc021aa9c6b69bcd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 4 Oct 2023 23:32:17 +0200 Subject: [PATCH 1549/1764] avcodec/jpeg2000dec: Check image offset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: left shift of negative value -538967841 Fixes: 62447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 88453250dbe952e85899d04867914ef95785530e) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index de503761b8..e2af977788 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -311,6 +311,11 @@ static int get_siz(Jpeg2000DecoderContext *s) return AVERROR_INVALIDDATA; } + if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) { + av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image"); + return AVERROR_INVALIDDATA; + } + if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){ av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented"); return AVERROR_PATCHWELCOME; From 7b3534186a2116e2232ae38e1806cfc79f0b9478 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Oct 2023 22:07:36 +0200 Subject: [PATCH 1550/1764] avformat/rtsp: Use rtsp_st->stream_index MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: out of array access Fixes: rtpdec_h264.c149/poc Found-by: Hardik Shah of Vehere Reviewed-by: Martin Storsjö Signed-off-by: Michael Niedermayer (cherry picked from commit e4d5ac8d7d2a08658b3db7dd821246fe6b35381f) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index fea40e59fb..9532155c74 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -370,7 +370,7 @@ static void parse_fmtp(AVFormatContext *s, RTSPState *rt, if (rtsp_st->sdp_payload_type == payload_type && rtsp_st->dynamic_handler && rtsp_st->dynamic_handler->parse_sdp_a_line) { - rtsp_st->dynamic_handler->parse_sdp_a_line(s, i, + rtsp_st->dynamic_handler->parse_sdp_a_line(s, rtsp_st->stream_index, rtsp_st->dynamic_protocol_context, line); } } From a65faea34efe12e7bdd529e5bbc0866a94fe0da2 Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Mon, 9 Oct 2023 00:16:08 +0200 Subject: [PATCH 1551/1764] avformat/matroskadec: Fix declaration-after-statement warnings Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Rheinhardt (cherry picked from commit 37b5f4a1f6a9c7c8f3620c6b1f7f2b0bb997e5d7) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8252661df5..d24d317257 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3789,14 +3789,13 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + // Start with the first Cue. + CueDesc desc_end = desc_beg; if (time_ns > INT64_MAX - prebuffer_ns) return -1; prebuffered_ns = time_ns + prebuffer_ns; - // Start with the first Cue. - CueDesc desc_end = desc_beg; - // Figure out how much data we have downloaded for the prebuffer. This will // be used later to adjust the bits per sample to try. while (desc_end.start_time_ns != -1 && desc_end.end_time_ns < prebuffered_ns) { From 9cc9301da793832f31516b52f6d0047e69a70e53 Mon Sep 17 00:00:00 2001 From: Matthew White Date: Sun, 14 Nov 2021 00:42:27 +0000 Subject: [PATCH 1552/1764] doc/t2h.pm: fix missing CSS with texinfo 6.8 and above Since texinfo commit 6a5ceab6a48a4f052baad9f3474d741428409fd7, the formatting functions, in particular begin_file, program_string and end_file, are prefixed with format_, i.e. format_begin_file, etc. This patch fixes building the documentation when texinfo 6.8, or above, is used: Unknown formatting type begin_file at /usr/bin/makeinfo line 415. Unknown formatting type program_string at /usr/bin/makeinfo line 415. Unknown formatting type end_file at /usr/bin/makeinfo line 415. (cherry picked from commit c980dd7a976635426f129417836251740e19b54b) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index e83d564a65..87412699aa 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -126,6 +126,10 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } +# determine if texinfo is at least version 6.8 +my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # print the TOC where @contents is used set_from_init_file('INLINE_CONTENTS', 1); @@ -184,7 +188,11 @@ EOT return $head1 . $head_title . $head2 . $head_title . $head3; } -texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_begin_file', \&ffmpeg_begin_file); +} else { + texinfo_register_formatting_function('begin_file', \&ffmpeg_begin_file); +} sub ffmpeg_program_string($) { @@ -201,7 +209,11 @@ sub ffmpeg_program_string($) $self->gdt('This document was generated automatically.')); } } -texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_program_string', \&ffmpeg_program_string); +} else { + texinfo_register_formatting_function('program_string', \&ffmpeg_program_string); +} # Customized file ending sub ffmpeg_end_file($) @@ -220,7 +232,11 @@ EOT EOT return $program_text . $footer; } -texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +if ($program_version_6_8) { + texinfo_register_formatting_function('format_end_file', \&ffmpeg_end_file); +} else { + texinfo_register_formatting_function('end_file', \&ffmpeg_end_file); +} # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). From fef23b8c2334ea07ced2ad654fd861e35816cbb3 Mon Sep 17 00:00:00 2001 From: Matthew White Date: Sun, 14 Nov 2021 01:10:58 +0000 Subject: [PATCH 1553/1764] doc/t2h.pm: fix missing TOC with texinfo 6.8 and above Since texinfo 6.8, there's no longer an INLINE_CONTENTS variable. makeinfo: warning: set_from_init_file: unknown variable INLINE_CONTENTS texinfo commit 62a6adfb33b006e187483779974bbd45f0f782b1 replaced INLINE_CONTENTS with OUTPUT_CONTENTS_LOCATION. texinfo commit 41f8ed4eb42bf6daa7df7007afd946875597452d replaced OUTPUT_CONTENTS_LOCATION with CONTENTS_OUTPUT_LOCATION. With texinfo 6.8 and above, the same as INLINE_CONTENTS=1 could be achieved by CONTENTS_OUTPUT_LOCATION=inline. https://www.gnu.org/software/texinfo/manual/texinfo/html_node/HTML-Customization-Variables.html (cherry picked from commit bfbd5954e50e407693932b3900ca77c3daee26d7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index 87412699aa..d07d974286 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -131,7 +131,11 @@ my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; my $program_version_6_8 = $program_version_num >= 6.008000; # print the TOC where @contents is used -set_from_init_file('INLINE_CONTENTS', 1); +if ($program_version_6_8) { + set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); +} else { + set_from_init_file('INLINE_CONTENTS', 1); +} # make chapters

set_from_init_file('CHAPTER_HEADER_LEVEL', 2); From 4f52743f3a10b34e1b81f2bcd039d6fd64bc48ef Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:18 +0000 Subject: [PATCH 1554/1764] doc/html: support texinfo 7.0 Resolves trac ticket #10636 (http://trac.ffmpeg.org/ticket/10636). Texinfo 7.0, released in November 2022, changed the names of various functions. Compiling docs with Texinfo 7.0 resulted in warnings and improperly formatted documentation. More old names appear to have been removed in Texinfo 7.1, released October 2023, which causes docs compilation to fail. This commit addresses the issue by adding logic to switch between the old and new function names depending on the Texinfo version. Texinfo 6.8 produces identical documentation before and after the patch. CC https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1938238.html https://bugs.gentoo.org/916104 Signed-off-by: Frank Plowman (cherry picked from commit f01fdedb69e4accb1d1555106d8f682ff1f1ddc7) Signed-off-by: Michael Niedermayer --- doc/t2h.pm | 106 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 85 insertions(+), 21 deletions(-) diff --git a/doc/t2h.pm b/doc/t2h.pm index d07d974286..b7485e1f1e 100644 --- a/doc/t2h.pm +++ b/doc/t2h.pm @@ -20,8 +20,45 @@ # License along with FFmpeg; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Texinfo 7.0 changed the syntax of various functions. +# Provide a shim for older versions. +sub ff_set_from_init_file($$) { + my $key = shift; + my $value = shift; + if (exists &{'texinfo_set_from_init_file'}) { + texinfo_set_from_init_file($key, $value); + } else { + set_from_init_file($key, $value); + } +} + +sub ff_get_conf($) { + my $key = shift; + if (exists &{'texinfo_get_conf'}) { + texinfo_get_conf($key); + } else { + get_conf($key); + } +} + +sub get_formatting_function($$) { + my $obj = shift; + my $func = shift; + + my $sub = $obj->can('formatting_function'); + if ($sub) { + return $obj->formatting_function($func); + } else { + return $obj->{$func}; + } +} + +# determine texinfo version +my $program_version_num = version->declare(ff_get_conf('PACKAGE_VERSION'))->numify; +my $program_version_6_8 = $program_version_num >= 6.008000; + # no navigation elements -set_from_init_file('HEADERS', 0); +ff_set_from_init_file('HEADERS', 0); sub ffmpeg_heading_command($$$$$) { @@ -55,7 +92,7 @@ sub ffmpeg_heading_command($$$$$) $element = $command->{'parent'}; } if ($element) { - $result .= &{$self->{'format_element_header'}}($self, $cmdname, + $result .= &{get_formatting_function($self, 'format_element_header')}($self, $cmdname, $command, $element); } @@ -112,7 +149,11 @@ sub ffmpeg_heading_command($$$$$) $cmdname = $Texinfo::Common::level_to_structuring_command{$cmdname}->[$heading_level]; } - $result .= &{$self->{'format_heading_text'}}( + # format_heading_text expects an array of headings for texinfo >= 7.0 + if ($program_version_num >= 7.000000) { + $heading = [$heading]; + } + $result .= &{get_formatting_function($self,'format_heading_text')}( $self, $cmdname, $heading, $heading_level + $self->get_conf('CHAPTER_HEADER_LEVEL') - 1, $command); @@ -126,23 +167,19 @@ foreach my $command (keys(%Texinfo::Common::sectioning_commands), 'node') { texinfo_register_command_formatting($command, \&ffmpeg_heading_command); } -# determine if texinfo is at least version 6.8 -my $program_version_num = version->declare(get_conf('PACKAGE_VERSION'))->numify; -my $program_version_6_8 = $program_version_num >= 6.008000; - # print the TOC where @contents is used if ($program_version_6_8) { - set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); + ff_set_from_init_file('CONTENTS_OUTPUT_LOCATION', 'inline'); } else { - set_from_init_file('INLINE_CONTENTS', 1); + ff_set_from_init_file('INLINE_CONTENTS', 1); } # make chapters

-set_from_init_file('CHAPTER_HEADER_LEVEL', 2); +ff_set_from_init_file('CHAPTER_HEADER_LEVEL', 2); # Do not add
-set_from_init_file('DEFAULT_RULE', ''); -set_from_init_file('BIG_RULE', ''); +ff_set_from_init_file('DEFAULT_RULE', ''); +ff_set_from_init_file('BIG_RULE', ''); # Customized file beginning sub ffmpeg_begin_file($$$) @@ -159,7 +196,18 @@ sub ffmpeg_begin_file($$$) my ($title, $description, $encoding, $date, $css_lines, $doctype, $bodytext, $copying_comment, $after_body_open, $extra_head, $program_and_version, $program_homepage, - $program, $generator) = $self->_file_header_informations($command); + $program, $generator); + if ($program_version_num >= 7.000000) { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_information($command); + } else { + ($title, $description, $encoding, $date, $css_lines, + $doctype, $bodytext, $copying_comment, $after_body_open, + $extra_head, $program_and_version, $program_homepage, + $program, $generator) = $self->_file_header_informations($command); + } my $links = $self->_get_links ($filename, $element); @@ -223,7 +271,7 @@ if ($program_version_6_8) { sub ffmpeg_end_file($) { my $self = shift; - my $program_string = &{$self->{'format_program_string'}}($self); + my $program_string = &{get_formatting_function($self,'format_program_string')}($self); my $program_text = < $program_string @@ -244,7 +292,7 @@ if ($program_version_6_8) { # Dummy title command # Ignore title. Title is handled through ffmpeg_begin_file(). -set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); +ff_set_from_init_file('USE_TITLEPAGE_FOR_TITLE', 1); sub ffmpeg_title($$$$) { return ''; @@ -262,8 +310,14 @@ sub ffmpeg_float($$$$$) my $args = shift; my $content = shift; - my ($caption, $prepended) = Texinfo::Common::float_name_caption($self, - $command); + my ($caption, $prepended); + if ($program_version_num >= 7.000000) { + ($caption, $prepended) = Texinfo::Convert::Converter::float_name_caption($self, + $command); + } else { + ($caption, $prepended) = Texinfo::Common::float_name_caption($self, + $command); + } my $caption_text = ''; my $prepended_text; my $prepended_save = ''; @@ -335,8 +389,13 @@ sub ffmpeg_float($$$$$) $caption->{'args'}->[0], 'float caption'); } if ($prepended_text.$caption_text ne '') { - $prepended_text = $self->_attribute_class('div','float-caption'). '>' - . $prepended_text; + if ($program_version_num >= 7.000000) { + $prepended_text = $self->html_attribute_class('div',['float-caption']). '>' + . $prepended_text; + } else { + $prepended_text = $self->_attribute_class('div','float-caption'). '>' + . $prepended_text; + } $caption_text .= ''; } my $html_class = ''; @@ -349,8 +408,13 @@ sub ffmpeg_float($$$$$) $prepended_text = ''; $caption_text = ''; } - return $self->_attribute_class('div', $html_class). '>' . "\n" . - $prepended_text . $caption_text . $content . ''; + if ($program_version_num >= 7.000000) { + return $self->html_attribute_class('div', [$html_class]). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } else { + return $self->_attribute_class('div', $html_class). '>' . "\n" . + $prepended_text . $caption_text . $content . ''; + } } texinfo_register_command_formatting('float', From aaea9be22e5800dee89f3a84c9471209d73d4c14 Mon Sep 17 00:00:00 2001 From: Frank Plowman Date: Wed, 8 Nov 2023 07:55:57 +0000 Subject: [PATCH 1555/1764] doc/html: fix styling issue with Texinfo 7.0 Texinfo 7.0 produces quite different HTML to Texinfo 6.8. Without this change, enumerated option flags (i.e. Possible values of x are...) render as white text on a white background with Texinfo 7.0 and are unreadable. This change removes a style for the selector `.table .table` which causes the background to turn white for these elements. As far as I can tell, it is not actually used anywhere in files generated by Texinfo 6.8. Signed-off-by: Frank Plowman (cherry picked from commit f16900bda23414caf9ec3f9dc50db7d4caf59a8b) Signed-off-by: Michael Niedermayer --- doc/bootstrap.min.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/bootstrap.min.css b/doc/bootstrap.min.css index 6f68017d58..45bf263d6e 100644 --- a/doc/bootstrap.min.css +++ b/doc/bootstrap.min.css @@ -2,4 +2,4 @@ * Bootstrap v3.2.0 (http://getbootstrap.com) * Copyright 2011-2014 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) - *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% \9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table .table{background-color:#fff}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px \9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] .btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info .badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid #ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger .list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" ";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media (max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} + *//*! normalize.css v3.0.1 | MIT License | git.io/normalize */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:0 0}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}input{line-height:normal}input[type=checkbox],input[type=radio]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;padding:0}input[type=number]::-webkit-inner-spin-button,input[type=number]::-webkit-outer-spin-button{height:auto}input[type=search]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type=search]::-webkit-search-cancel-button,input[type=search]::-webkit-search-decoration{-webkit-appearance:none}fieldset{padding:.35em .625em .75em;margin:0 2px;border:1px solid silver}legend{padding:0;border:0}textarea{overflow:auto}optgroup{font-weight:700}table{border-spacing:0;border-collapse:collapse}td,th{padding:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;-webkit-box-shadow:none!important;box-shadow:none!important}a,a:visited{text-decoration:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}select{background:#fff!important}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}@font-face{font-family:'Glyphicons Halflings';src:url(../fonts/glyphicons-halflings-regular.eot);src:url(../fonts/glyphicons-halflings-regular.eot?#iefix) format('embedded-opentype'),url(../fonts/glyphicons-halflings-regular.woff) format('woff'),url(../fonts/glyphicons-halflings-regular.ttf) format('truetype'),url(../fonts/glyphicons-halflings-regular.svg#glyphicons_halflingsregular) format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:before{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-road:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-lock:before{content:"\e033"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-bookmark:before{content:"\e044"}.glyphicon-print:before{content:"\e045"}.glyphicon-camera:before{content:"\e046"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.glyphicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphicon-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-resize-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-fire:before{content:"\e104"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-calendar:before{content:"\e109"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-bell:before{content:"\e123"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{content:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-wrench:before{content:"\e136"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-briefcase:before{content:"\e139"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-paperclip:before{content:"\e142"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-pushpin:before{content:"\e146"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-save:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{content:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}:before,:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:10px;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.42857143;color:#333;background-color:#fff}input,button,select,textarea{font-family:inherit;font-size:inherit;line-height:inherit}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}figure{margin:0}img{vertical-align:middle}.img-responsive,.thumbnail>img,.thumbnail a>img,.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:block;width:100% \9;max-width:100%;height:auto}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;width:100% \9;max-width:100%;height:auto;padding:4px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;margin:0;overflow:visible;clip:auto}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:inherit;font-weight:500;line-height:1.1;color:inherit}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small,h1 .small,h2 .small,h3 .small,h4 .small,h5 .small,h6 .small,.h1 .small,.h2 .small,.h3 .small,.h4 .small,.h5 .small,.h6 .small{font-weight:400;line-height:1;color:#777}h1,.h1,h2,.h2,h3,.h3{margin-top:20px;margin-bottom:10px}h1 small,.h1 small,h2 small,.h2 small,h3 small,.h3 small,h1 .small,.h1 .small,h2 .small,.h2 .small,h3 .small,.h3 .small{font-size:65%}h4,.h4,h5,.h5,h6,.h6{margin-top:10px;margin-bottom:10px}h4 small,.h4 small,h5 small,.h5 small,h6 small,.h6 small,h4 .small,.h4 .small,h5 .small,.h5 .small,h6 .small,.h6 .small{font-size:75%}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16px;font-weight:300;line-height:1.4}@media (min-width:768px){.lead{font-size:21px}}small,.small{font-size:85%}cite{font-style:normal}mark,.mark{padding:.2em;background-color:#fcf8e3}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}.text-justify{text-align:justify}.text-nowrap{white-space:nowrap}.text-lowercase{text-transform:lowercase}.text-uppercase{text-transform:uppercase}.text-capitalize{text-transform:capitalize}.text-muted{color:#777}.text-primary{color:#428bca}a.text-primary:hover{color:#3071a9}.text-success{color:#3c763d}a.text-success:hover{color:#2b542c}.text-info{color:#31708f}a.text-info:hover{color:#245269}.text-warning{color:#8a6d3b}a.text-warning:hover{color:#66512c}.text-danger{color:#a94442}a.text-danger:hover{color:#843534}.bg-primary{color:#fff;background-color:#428bca}a.bg-primary:hover{background-color:#3071a9}.bg-success{background-color:#dff0d8}a.bg-success:hover{background-color:#c1e2b3}.bg-info{background-color:#d9edf7}a.bg-info:hover{background-color:#afd9ee}.bg-warning{background-color:#fcf8e3}a.bg-warning:hover{background-color:#f7ecb5}.bg-danger{background-color:#f2dede}a.bg-danger:hover{background-color:#e4b9b9}.page-header{padding-bottom:9px;margin:40px 0 20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;margin-left:-5px;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-top:0;margin-bottom:20px}dt,dd{line-height:1.42857143}dt{font-weight:700}dd{margin-left:0}@media (min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #777}.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;font-size:17.5px;border-left:5px solid #eee}blockquote p:last-child,blockquote ul:last-child,blockquote ol:last-child{margin-bottom:0}blockquote footer,blockquote small,blockquote .small{display:block;font-size:80%;line-height:1.42857143;color:#777}blockquote footer:before,blockquote small:before,blockquote .small:before{content:'\2014 \00A0'}.blockquote-reverse,blockquote.pull-right{padding-right:15px;padding-left:0;text-align:right;border-right:5px solid #eee;border-left:0}.blockquote-reverse footer:before,blockquote.pull-right footer:before,.blockquote-reverse small:before,blockquote.pull-right small:before,.blockquote-reverse .small:before,blockquote.pull-right .small:before{content:''}.blockquote-reverse footer:after,blockquote.pull-right footer:after,.blockquote-reverse small:after,blockquote.pull-right small:after,.blockquote-reverse .small:after,blockquote.pull-right .small:after{content:'\00A0 \2014'}blockquote:before,blockquote:after{content:""}address{margin-bottom:20px;font-style:normal;line-height:1.42857143}code,kbd,pre,samp{font-family:Menlo,Monaco,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;background-color:#f9f2f4;border-radius:4px}kbd{padding:2px 4px;font-size:90%;color:#fff;background-color:#333;border-radius:3px;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.25);box-shadow:inset 0 -1px 0 rgba(0,0,0,.25)}kbd kbd{padding:0;font-size:100%;-webkit-box-shadow:none;box-shadow:none}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.42857143;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border-radius:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:768px){.container{width:750px}}@media (min-width:992px){.container{width:970px}}@media (min-width:1200px){.container{width:1170px}}.container-fluid{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.row{margin-right:-15px;margin-left:-15px}.col-xs-1,.col-sm-1,.col-md-1,.col-lg-1,.col-xs-2,.col-sm-2,.col-md-2,.col-lg-2,.col-xs-3,.col-sm-3,.col-md-3,.col-lg-3,.col-xs-4,.col-sm-4,.col-md-4,.col-lg-4,.col-xs-5,.col-sm-5,.col-md-5,.col-lg-5,.col-xs-6,.col-sm-6,.col-md-6,.col-lg-6,.col-xs-7,.col-sm-7,.col-md-7,.col-lg-7,.col-xs-8,.col-sm-8,.col-md-8,.col-lg-8,.col-xs-9,.col-sm-9,.col-md-9,.col-lg-9,.col-xs-10,.col-sm-10,.col-md-10,.col-lg-10,.col-xs-11,.col-sm-11,.col-md-11,.col-lg-11,.col-xs-12,.col-sm-12,.col-md-12,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12{float:left}.col-xs-12{width:100%}.col-xs-11{width:91.66666667%}.col-xs-10{width:83.33333333%}.col-xs-9{width:75%}.col-xs-8{width:66.66666667%}.col-xs-7{width:58.33333333%}.col-xs-6{width:50%}.col-xs-5{width:41.66666667%}.col-xs-4{width:33.33333333%}.col-xs-3{width:25%}.col-xs-2{width:16.66666667%}.col-xs-1{width:8.33333333%}.col-xs-pull-12{right:100%}.col-xs-pull-11{right:91.66666667%}.col-xs-pull-10{right:83.33333333%}.col-xs-pull-9{right:75%}.col-xs-pull-8{right:66.66666667%}.col-xs-pull-7{right:58.33333333%}.col-xs-pull-6{right:50%}.col-xs-pull-5{right:41.66666667%}.col-xs-pull-4{right:33.33333333%}.col-xs-pull-3{right:25%}.col-xs-pull-2{right:16.66666667%}.col-xs-pull-1{right:8.33333333%}.col-xs-pull-0{right:auto}.col-xs-push-12{left:100%}.col-xs-push-11{left:91.66666667%}.col-xs-push-10{left:83.33333333%}.col-xs-push-9{left:75%}.col-xs-push-8{left:66.66666667%}.col-xs-push-7{left:58.33333333%}.col-xs-push-6{left:50%}.col-xs-push-5{left:41.66666667%}.col-xs-push-4{left:33.33333333%}.col-xs-push-3{left:25%}.col-xs-push-2{left:16.66666667%}.col-xs-push-1{left:8.33333333%}.col-xs-push-0{left:auto}.col-xs-offset-12{margin-left:100%}.col-xs-offset-11{margin-left:91.66666667%}.col-xs-offset-10{margin-left:83.33333333%}.col-xs-offset-9{margin-left:75%}.col-xs-offset-8{margin-left:66.66666667%}.col-xs-offset-7{margin-left:58.33333333%}.col-xs-offset-6{margin-left:50%}.col-xs-offset-5{margin-left:41.66666667%}.col-xs-offset-4{margin-left:33.33333333%}.col-xs-offset-3{margin-left:25%}.col-xs-offset-2{margin-left:16.66666667%}.col-xs-offset-1{margin-left:8.33333333%}.col-xs-offset-0{margin-left:0}@media (min-width:768px){.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12{float:left}.col-sm-12{width:100%}.col-sm-11{width:91.66666667%}.col-sm-10{width:83.33333333%}.col-sm-9{width:75%}.col-sm-8{width:66.66666667%}.col-sm-7{width:58.33333333%}.col-sm-6{width:50%}.col-sm-5{width:41.66666667%}.col-sm-4{width:33.33333333%}.col-sm-3{width:25%}.col-sm-2{width:16.66666667%}.col-sm-1{width:8.33333333%}.col-sm-pull-12{right:100%}.col-sm-pull-11{right:91.66666667%}.col-sm-pull-10{right:83.33333333%}.col-sm-pull-9{right:75%}.col-sm-pull-8{right:66.66666667%}.col-sm-pull-7{right:58.33333333%}.col-sm-pull-6{right:50%}.col-sm-pull-5{right:41.66666667%}.col-sm-pull-4{right:33.33333333%}.col-sm-pull-3{right:25%}.col-sm-pull-2{right:16.66666667%}.col-sm-pull-1{right:8.33333333%}.col-sm-pull-0{right:auto}.col-sm-push-12{left:100%}.col-sm-push-11{left:91.66666667%}.col-sm-push-10{left:83.33333333%}.col-sm-push-9{left:75%}.col-sm-push-8{left:66.66666667%}.col-sm-push-7{left:58.33333333%}.col-sm-push-6{left:50%}.col-sm-push-5{left:41.66666667%}.col-sm-push-4{left:33.33333333%}.col-sm-push-3{left:25%}.col-sm-push-2{left:16.66666667%}.col-sm-push-1{left:8.33333333%}.col-sm-push-0{left:auto}.col-sm-offset-12{margin-left:100%}.col-sm-offset-11{margin-left:91.66666667%}.col-sm-offset-10{margin-left:83.33333333%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-8{margin-left:66.66666667%}.col-sm-offset-7{margin-left:58.33333333%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-5{margin-left:41.66666667%}.col-sm-offset-4{margin-left:33.33333333%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-2{margin-left:16.66666667%}.col-sm-offset-1{margin-left:8.33333333%}.col-sm-offset-0{margin-left:0}}@media (min-width:992px){.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,.col-md-12{float:left}.col-md-12{width:100%}.col-md-11{width:91.66666667%}.col-md-10{width:83.33333333%}.col-md-9{width:75%}.col-md-8{width:66.66666667%}.col-md-7{width:58.33333333%}.col-md-6{width:50%}.col-md-5{width:41.66666667%}.col-md-4{width:33.33333333%}.col-md-3{width:25%}.col-md-2{width:16.66666667%}.col-md-1{width:8.33333333%}.col-md-pull-12{right:100%}.col-md-pull-11{right:91.66666667%}.col-md-pull-10{right:83.33333333%}.col-md-pull-9{right:75%}.col-md-pull-8{right:66.66666667%}.col-md-pull-7{right:58.33333333%}.col-md-pull-6{right:50%}.col-md-pull-5{right:41.66666667%}.col-md-pull-4{right:33.33333333%}.col-md-pull-3{right:25%}.col-md-pull-2{right:16.66666667%}.col-md-pull-1{right:8.33333333%}.col-md-pull-0{right:auto}.col-md-push-12{left:100%}.col-md-push-11{left:91.66666667%}.col-md-push-10{left:83.33333333%}.col-md-push-9{left:75%}.col-md-push-8{left:66.66666667%}.col-md-push-7{left:58.33333333%}.col-md-push-6{left:50%}.col-md-push-5{left:41.66666667%}.col-md-push-4{left:33.33333333%}.col-md-push-3{left:25%}.col-md-push-2{left:16.66666667%}.col-md-push-1{left:8.33333333%}.col-md-push-0{left:auto}.col-md-offset-12{margin-left:100%}.col-md-offset-11{margin-left:91.66666667%}.col-md-offset-10{margin-left:83.33333333%}.col-md-offset-9{margin-left:75%}.col-md-offset-8{margin-left:66.66666667%}.col-md-offset-7{margin-left:58.33333333%}.col-md-offset-6{margin-left:50%}.col-md-offset-5{margin-left:41.66666667%}.col-md-offset-4{margin-left:33.33333333%}.col-md-offset-3{margin-left:25%}.col-md-offset-2{margin-left:16.66666667%}.col-md-offset-1{margin-left:8.33333333%}.col-md-offset-0{margin-left:0}}@media (min-width:1200px){.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{float:left}.col-lg-12{width:100%}.col-lg-11{width:91.66666667%}.col-lg-10{width:83.33333333%}.col-lg-9{width:75%}.col-lg-8{width:66.66666667%}.col-lg-7{width:58.33333333%}.col-lg-6{width:50%}.col-lg-5{width:41.66666667%}.col-lg-4{width:33.33333333%}.col-lg-3{width:25%}.col-lg-2{width:16.66666667%}.col-lg-1{width:8.33333333%}.col-lg-pull-12{right:100%}.col-lg-pull-11{right:91.66666667%}.col-lg-pull-10{right:83.33333333%}.col-lg-pull-9{right:75%}.col-lg-pull-8{right:66.66666667%}.col-lg-pull-7{right:58.33333333%}.col-lg-pull-6{right:50%}.col-lg-pull-5{right:41.66666667%}.col-lg-pull-4{right:33.33333333%}.col-lg-pull-3{right:25%}.col-lg-pull-2{right:16.66666667%}.col-lg-pull-1{right:8.33333333%}.col-lg-pull-0{right:auto}.col-lg-push-12{left:100%}.col-lg-push-11{left:91.66666667%}.col-lg-push-10{left:83.33333333%}.col-lg-push-9{left:75%}.col-lg-push-8{left:66.66666667%}.col-lg-push-7{left:58.33333333%}.col-lg-push-6{left:50%}.col-lg-push-5{left:41.66666667%}.col-lg-push-4{left:33.33333333%}.col-lg-push-3{left:25%}.col-lg-push-2{left:16.66666667%}.col-lg-push-1{left:8.33333333%}.col-lg-push-0{left:auto}.col-lg-offset-12{margin-left:100%}.col-lg-offset-11{margin-left:91.66666667%}.col-lg-offset-10{margin-left:83.33333333%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-8{margin-left:66.66666667%}.col-lg-offset-7{margin-left:58.33333333%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-5{margin-left:41.66666667%}.col-lg-offset-4{margin-left:33.33333333%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-2{margin-left:16.66666667%}.col-lg-offset-1{margin-left:8.33333333%}.col-lg-offset-0{margin-left:0}}table{background-color:transparent}th{text-align:left}.table{width:100%;max-width:100%;margin-bottom:20px}.table>thead>tr>th,.table>tbody>tr>th,.table>tfoot>tr>th,.table>thead>tr>td,.table>tbody>tr>td,.table>tfoot>tr>td{padding:8px;line-height:1.42857143;vertical-align:top;border-top:1px solid #ddd}.table>thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table>caption+thead>tr:first-child>th,.table>colgroup+thead>tr:first-child>th,.table>thead:first-child>tr:first-child>th,.table>caption+thead>tr:first-child>td,.table>colgroup+thead>tr:first-child>td,.table>thead:first-child>tr:first-child>td{border-top:0}.table>tbody+tbody{border-top:2px solid #ddd}.table-condensed>thead>tr>th,.table-condensed>tbody>tr>th,.table-condensed>tfoot>tr>th,.table-condensed>thead>tr>td,.table-condensed>tbody>tr>td,.table-condensed>tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*=col-]{position:static;display:table-column;float:none}table td[class*=col-],table th[class*=col-]{position:static;display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>tfoot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table-hover>tbody>tr>td.active:hover,.table-hover>tbody>tr>th.active:hover,.table-hover>tbody>tr.active:hover>td,.table-hover>tbody>tr:hover>.active,.table-hover>tbody>tr.active:hover>th{background-color:#e8e8e8}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td,.table-hover>tbody>tr:hover>.success,.table-hover>tbody>tr.success:hover>th{background-color:#d0e9c6}.table>thead>tr>td.info,.table>tbody>tr>td.info,.table>tfoot>tr>td.info,.table>thead>tr>th.info,.table>tbody>tr>th.info,.table>tfoot>tr>th.info,.table>thead>tr.info>td,.table>tbody>tr.info>td,.table>tfoot>tr.info>td,.table>thead>tr.info>th,.table>tbody>tr.info>th,.table>tfoot>tr.info>th{background-color:#d9edf7}.table-hover>tbody>tr>td.info:hover,.table-hover>tbody>tr>th.info:hover,.table-hover>tbody>tr.info:hover>td,.table-hover>tbody>tr:hover>.info,.table-hover>tbody>tr.info:hover>th{background-color:#c4e3f3}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td,.table-hover>tbody>tr:hover>.warning,.table-hover>tbody>tr.warning:hover>th{background-color:#faf2cc}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.table>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td,.table-hover>tbody>tr:hover>.danger,.table-hover>tbody>tr.danger:hover>th{background-color:#ebcccc}@media screen and (max-width:767px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:auto;overflow-y:hidden;-webkit-overflow-scrolling:touch;-ms-overflow-style:-ms-autohiding-scrollbar;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0}.table-responsive>.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;max-width:100%;margin-bottom:5px;font-weight:700}input[type=search]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type=radio],input[type=checkbox]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type=file]{display:block}input[type=range]{display:block;width:100%}select[multiple],select[size]{height:auto}input[type=file]:focus,input[type=radio]:focus,input[type=checkbox]:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}output{display:block;padding-top:7px;font-size:14px;line-height:1.42857143;color:#555}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.42857143;color:#555;background-color:#fff;background-image:none;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075);-webkit-transition:border-color ease-in-out .15s,-webkit-box-shadow ease-in-out .15s;-o-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)}.form-control::-moz-placeholder{color:#777;opacity:1}.form-control:-ms-input-placeholder{color:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type=search]{-webkit-appearance:none}input[type=date],input[type=time],input[type=datetime-local],input[type=month]{line-height:34px;line-height:1.42857143 \0}input[type=date].input-sm,input[type=time].input-sm,input[type=datetime-local].input-sm,input[type=month].input-sm{line-height:30px}input[type=date].input-lg,input[type=time].input-lg,input[type=datetime-local].input-lg,input[type=month].input-lg{line-height:46px}.form-group{margin-bottom:15px}.radio,.checkbox{position:relative;display:block;min-height:20px;margin-top:10px;margin-bottom:10px}.radio label,.checkbox label{padding-left:20px;margin-bottom:0;font-weight:400;cursor:pointer}.radio input[type=radio],.radio-inline input[type=radio],.checkbox input[type=checkbox],.checkbox-inline input[type=checkbox]{position:absolute;margin-top:4px \9;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:400;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type=radio][disabled],input[type=checkbox][disabled],input[type=radio].disabled,input[type=checkbox].disabled,fieldset[disabled] input[type=radio],fieldset[disabled] input[type=checkbox]{cursor:not-allowed}.radio-inline.disabled,.checkbox-inline.disabled,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.radio.disabled label,.checkbox.disabled label,fieldset[disabled] .radio label,fieldset[disabled] .checkbox label{cursor:not-allowed}.form-control-static{padding-top:7px;padding-bottom:7px;margin-bottom:0}.form-control-static.input-lg,.form-control-static.input-sm{padding-right:0;padding-left:0}.input-sm,.form-horizontal .form-group-sm .form-control{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm,select[multiple].input-sm{height:auto}.input-lg,.form-horizontal .form-group-lg .form-control{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:46px;line-height:46px}textarea.input-lg,select[multiple].input-lg{height:auto}.has-feedback{position:relative}.has-feedback .form-control{padding-right:42.5px}.form-control-feedback{position:absolute;top:25px;right:0;z-index:2;display:block;width:34px;height:34px;line-height:34px;text-align:center}.input-lg+.form-control-feedback{width:46px;height:46px;line-height:46px}.input-sm+.form-control-feedback{width:30px;height:30px;line-height:30px}.has-success .help-block,.has-success .control-label,.has-success .radio,.has-success .checkbox,.has-success .radio-inline,.has-success .checkbox-inline{color:#3c763d}.has-success .form-control{border-color:#3c763d;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-success .form-control:focus{border-color:#2b542c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #67b168}.has-success .input-group-addon{color:#3c763d;background-color:#dff0d8;border-color:#3c763d}.has-success .form-control-feedback{color:#3c763d}.has-warning .help-block,.has-warning .control-label,.has-warning .radio,.has-warning .checkbox,.has-warning .radio-inline,.has-warning .checkbox-inline{color:#8a6d3b}.has-warning .form-control{border-color:#8a6d3b;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-warning .form-control:focus{border-color:#66512c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #c0a16b}.has-warning .input-group-addon{color:#8a6d3b;background-color:#fcf8e3;border-color:#8a6d3b}.has-warning .form-control-feedback{color:#8a6d3b}.has-error .help-block,.has-error .control-label,.has-error .radio,.has-error .checkbox,.has-error .radio-inline,.has-error .checkbox-inline{color:#a94442}.has-error .form-control{border-color:#a94442;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075);box-shadow:inset 0 1px 1px rgba(0,0,0,.075)}.has-error .form-control:focus{border-color:#843534;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483;box-shadow:inset 0 1px 1px rgba(0,0,0,.075),0 0 6px #ce8483}.has-error .input-group-addon{color:#a94442;background-color:#f2dede;border-color:#a94442}.has-error .form-control-feedback{color:#a94442}.has-feedback label.sr-only~.form-control-feedback{top:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media (min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .input-group{display:inline-table;vertical-align:middle}.form-inline .input-group .input-group-addon,.form-inline .input-group .input-group-btn,.form-inline .input-group .form-control{width:auto}.form-inline .input-group>.form-control{width:100%}.form-inline .control-label{margin-bottom:0;vertical-align:middle}.form-inline .radio,.form-inline .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.form-inline .radio label,.form-inline .checkbox label{padding-left:0}.form-inline .radio input[type=radio],.form-inline .checkbox input[type=checkbox]{position:relative;margin-left:0}.form-inline .has-feedback .form-control-feedback{top:0}}.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .radio,.form-horizontal .checkbox{min-height:27px}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.form-horizontal .control-label{padding-top:7px;margin-bottom:0;text-align:right}}.form-horizontal .has-feedback .form-control-feedback{top:0;right:15px}@media (min-width:768px){.form-horizontal .form-group-lg .control-label{padding-top:14.3px}}@media (min-width:768px){.form-horizontal .form-group-sm .control-label{padding-top:6px}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:400;line-height:1.42857143;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-image:none;border:1px solid transparent;border-radius:4px}.btn:focus,.btn:active:focus,.btn.active:focus{outline:thin dotted;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;filter:alpha(opacity=65);-webkit-box-shadow:none;box-shadow:none;opacity:.65}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{color:#333;background-color:#e6e6e6;border-color:#adadad}.btn-default:active,.btn-default.active,.open>.dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-default .badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] .btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-primary .badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-success .badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46b8da}.btn-info .badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-warning .badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{font-weight:400;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type=submit].btn-block,input[type=reset].btn-block,input[type=button].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;-o-transition:height .35s ease;transition:height .35s ease}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid;border-right:4px solid transparent;border-left:4px solid transparent}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;text-align:left;list-style:none;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,.175);box-shadow:0 6px 12px rgba(0,0,0,.175)}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:400;line-height:1.42857143;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#262626;text-decoration:none;background-color:#f5f5f5}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#777}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTransform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-menu-right{right:0;left:auto}.dropdown-menu-left{right:auto;left:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.42857143;color:#777;white-space:nowrap}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{content:"";border-top:0;border-bottom:4px solid}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media (min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}.navbar-right .dropdown-menu-left{right:auto;left:0}}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn-group,.btn-toolbar .input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-top-left-radius:0;border-bottom-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,.125);box-shadow:inset 0 3px 5px rgba(0,0,0,.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-left-radius:0;border-top-right-radius:0;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-left-radius:0;border-top-right-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{display:table-cell;float:none;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle=buttons]>.btn>input[type=radio],[data-toggle=buttons]>.btn>input[type=checkbox]{position:absolute;z-index:-1;filter:alpha(opacity=0);opacity:0}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*=col-]{float:none;padding-right:0;padding-left:0}.input-group .form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:400;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type=radio],.input-group-addon input[type=checkbox]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{margin-left:-1px}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{margin-bottom:5px;text-align:center}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{padding-right:15px;padding-left:15px;overflow-x:visible;-webkit-overflow-scrolling:touch;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1)}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-right:0;padding-left:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media (min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;height:50px;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media (min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}.navbar-nav.navbar-right:last-child{margin-right:-15px}}@media (min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1);box-shadow:inset 0 1px 0 rgba(255,255,255,.1),0 1px 0 rgba(255,255,255,.1)}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type=radio],.navbar-form .checkbox input[type=checkbox]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media (min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-form.navbar-right:last-child{margin-right:-15px}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-left-radius:0;border-top-right-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-right:15px;margin-left:15px}.navbar-text.navbar-right:last-child{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-default .btn-link{color:#777}.navbar-default .btn-link:hover,.navbar-default .btn-link:focus{color:#333}.navbar-default .btn-link[disabled]:hover,fieldset[disabled] .navbar-default .btn-link:hover,.navbar-default .btn-link[disabled]:focus,fieldset[disabled] .navbar-default .btn-link:focus{color:#ccc}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#777}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#777}.navbar-inverse .navbar-nav>li>a{color:#777}.navbar-inverse .navbar-nav>li>a:hover,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}@media (max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu .divider{background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#777}.navbar-inverse .navbar-link:hover{color:#fff}.navbar-inverse .btn-link{color:#777}.navbar-inverse .btn-link:hover,.navbar-inverse .btn-link:focus{color:#fff}.navbar-inverse .btn-link[disabled]:hover,fieldset[disabled] .navbar-inverse .btn-link:hover,.navbar-inverse .btn-link[disabled]:focus,fieldset[disabled] .navbar-inverse .btn-link:focus{color:#444}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#777}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.42857143;color:#428bca;text-decoration:none;background-color:#fff;border:1px solid #ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-top-left-radius:4px;border-bottom-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.pagination>li>span:focus{color:#2a6496;background-color:#eee;border-color:#ddd}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>span:hover,.pagination>.disabled>span:focus,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#777;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-top-left-radius:6px;border-bottom-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-top-left-radius:3px;border-bottom-left-radius:3px}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#777;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25em}a.label:hover,a.label:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.btn .label{position:relative;top:-1px}.label-default{background-color:#777}.label-default[href]:hover,.label-default[href]:focus{background-color:#5e5e5e}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:700;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;background-color:#777;border-radius:10px}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.btn-xs .badge{top:0;padding:1px 5px}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;color:inherit;background-color:#eee}.jumbotron h1,.jumbotron .h1{color:inherit}.jumbotron p{margin-bottom:15px;font-size:21px;font-weight:200}.jumbotron>hr{border-top-color:#d5d5d5}.container .jumbotron{border-radius:6px}.jumbotron .container{max-width:100%}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1,.jumbotron .h1{font-size:63px}}.thumbnail{display:block;padding:4px;margin-bottom:20px;line-height:1.42857143;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;-o-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img,.thumbnail a>img{margin-right:auto;margin-left:auto}a.thumbnail:hover,a.thumbnail:focus,a.thumbnail.active{border-color:#428bca}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:700}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable,.alert-dismissible{padding-right:35px}.alert-dismissable .close,.alert-dismissible .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#2b542c}.alert-info{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#245269}.alert-warning{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.alert-warning hr{border-top-color:#f7e1b5}.alert-warning .alert-link{color:#66512c}.alert-danger{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.alert-danger hr{border-top-color:#e4b9c0}.alert-danger .alert-link{color:#843534}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,.1);box-shadow:inset 0 1px 2px rgba(0,0,0,.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;line-height:20px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,.15);-webkit-transition:width .6s ease;-o-transition:width .6s ease;transition:width .6s ease}.progress-striped .progress-bar,.progress-bar-striped{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);-webkit-background-size:40px 40px;background-size:40px 40px}.progress.active .progress-bar,.progress-bar.active{-webkit-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar[aria-valuenow="1"],.progress-bar[aria-valuenow="2"]{min-width:30px}.progress-bar[aria-valuenow="0"]{min-width:30px;color:#777;background-color:transparent;background-image:none;-webkit-box-shadow:none;box-shadow:none}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.progress-striped .progress-bar-danger{background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:-o-linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{display:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{color:#555;text-decoration:none;background-color:#f5f5f5}.list-group-item.disabled,.list-group-item.disabled:hover,.list-group-item.disabled:focus{color:#777;background-color:#eee}.list-group-item.disabled .list-group-item-heading,.list-group-item.disabled:hover .list-group-item-heading,.list-group-item.disabled:focus .list-group-item-heading{color:inherit}.list-group-item.disabled .list-group-item-text,.list-group-item.disabled:hover .list-group-item-text,.list-group-item.disabled:focus .list-group-item-text{color:#777}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-item.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading,.list-group-item.active .list-group-item-heading>small,.list-group-item.active:hover .list-group-item-heading>small,.list-group-item.active:focus .list-group-item-heading>small,.list-group-item.active .list-group-item-heading>.small,.list-group-item.active:hover .list-group-item-heading>.small,.list-group-item.active:focus .list-group-item-heading>.small{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-success{color:#3c763d;background-color:#dff0d8}a.list-group-item-success{color:#3c763d}a.list-group-item-success .list-group-item-heading{color:inherit}a.list-group-item-success:hover,a.list-group-item-success:focus{color:#3c763d;background-color:#d0e9c6}a.list-group-item-success.active,a.list-group-item-success.active:hover,a.list-group-item-success.active:focus{color:#fff;background-color:#3c763d;border-color:#3c763d}.list-group-item-info{color:#31708f;background-color:#d9edf7}a.list-group-item-info{color:#31708f}a.list-group-item-info .list-group-item-heading{color:inherit}a.list-group-item-info:hover,a.list-group-item-info:focus{color:#31708f;background-color:#c4e3f3}a.list-group-item-info.active,a.list-group-item-info.active:hover,a.list-group-item-info.active:focus{color:#fff;background-color:#31708f;border-color:#31708f}.list-group-item-warning{color:#8a6d3b;background-color:#fcf8e3}a.list-group-item-warning{color:#8a6d3b}a.list-group-item-warning .list-group-item-heading{color:inherit}a.list-group-item-warning:hover,a.list-group-item-warning:focus{color:#8a6d3b;background-color:#faf2cc}a.list-group-item-warning.active,a.list-group-item-warning.active:hover,a.list-group-item-warning.active:focus{color:#fff;background-color:#8a6d3b;border-color:#8a6d3b}.list-group-item-danger{color:#a94442;background-color:#f2dede}a.list-group-item-danger{color:#a94442}a.list-group-item-danger .list-group-item-heading{color:inherit}a.list-group-item-danger:hover,a.list-group-item-danger:focus{color:#a94442;background-color:#ebcccc}a.list-group-item-danger.active,a.list-group-item-danger.active:hover,a.list-group-item-danger.active:focus{color:#fff;background-color:#a94442;border-color:#a94442}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,.05);box-shadow:0 1px 1px rgba(0,0,0,.05)}.panel-body{padding:15px}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-left-radius:3px;border-top-right-radius:3px}.panel-heading>.dropdown .dropdown-toggle{color:inherit}.panel-title{margin-top:0;margin-bottom:0;font-size:16px;color:inherit}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0;border-radius:0}.panel>.list-group:first-child .list-group-item:first-child{border-top:0;border-top-left-radius:3px;border-top-right-radius:3px}.panel>.list-group:last-child .list-group-item:last-child{border-bottom:0;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.list-group+.panel-footer{border-top-width:0}.panel>.table,.panel>.table-responsive>.table,.panel>.panel-collapse>.table{margin-bottom:0}.panel>.table:first-child,.panel>.table-responsive:first-child>.table:first-child{border-top-left-radius:3px;border-top-right-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:first-child,.panel>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:first-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:first-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:first-child{border-top-left-radius:3px}.panel>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child td:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child td:last-child,.panel>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>thead:first-child>tr:first-child th:last-child,.panel>.table:first-child>tbody:first-child>tr:first-child th:last-child,.panel>.table-responsive:first-child>.table:first-child>tbody:first-child>tr:first-child th:last-child{border-top-right-radius:3px}.panel>.table:last-child,.panel>.table-responsive:last-child>.table:last-child{border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:first-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:first-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:first-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:first-child{border-bottom-left-radius:3px}.panel>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child td:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child td:last-child,.panel>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tbody:last-child>tr:last-child th:last-child,.panel>.table:last-child>tfoot:last-child>tr:last-child th:last-child,.panel>.table-responsive:last-child>.table:last-child>tfoot:last-child>tr:last-child th:last-child{border-bottom-right-radius:3px}.panel>.panel-body+.table,.panel>.panel-body+.table-responsive{border-top:1px solid #ddd}.panel>.table>tbody:first-child>tr:first-child th,.panel>.table>tbody:first-child>tr:first-child td{border-top:0}.panel>.table-bordered,.panel>.table-responsive>.table-bordered{border:0}.panel>.table-bordered>thead>tr>th:first-child,.panel>.table-responsive>.table-bordered>thead>tr>th:first-child,.panel>.table-bordered>tbody>tr>th:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:first-child,.panel>.table-bordered>tfoot>tr>th:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:first-child,.panel>.table-bordered>thead>tr>td:first-child,.panel>.table-responsive>.table-bordered>thead>tr>td:first-child,.panel>.table-bordered>tbody>tr>td:first-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:first-child,.panel>.table-bordered>tfoot>tr>td:first-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.panel>.table-bordered>thead>tr>th:last-child,.panel>.table-responsive>.table-bordered>thead>tr>th:last-child,.panel>.table-bordered>tbody>tr>th:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>th:last-child,.panel>.table-bordered>tfoot>tr>th:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>th:last-child,.panel>.table-bordered>thead>tr>td:last-child,.panel>.table-responsive>.table-bordered>thead>tr>td:last-child,.panel>.table-bordered>tbody>tr>td:last-child,.panel>.table-responsive>.table-bordered>tbody>tr>td:last-child,.panel>.table-bordered>tfoot>tr>td:last-child,.panel>.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.panel>.table-bordered>thead>tr:first-child>td,.panel>.table-responsive>.table-bordered>thead>tr:first-child>td,.panel>.table-bordered>tbody>tr:first-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>td,.panel>.table-bordered>thead>tr:first-child>th,.panel>.table-responsive>.table-bordered>thead>tr:first-child>th,.panel>.table-bordered>tbody>tr:first-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:first-child>th{border-bottom:0}.panel>.table-bordered>tbody>tr:last-child>td,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>td,.panel>.table-bordered>tfoot>tr:last-child>td,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>td,.panel>.table-bordered>tbody>tr:last-child>th,.panel>.table-responsive>.table-bordered>tbody>tr:last-child>th,.panel>.table-bordered>tfoot>tr:last-child>th,.panel>.table-responsive>.table-bordered>tfoot>tr:last-child>th{border-bottom:0}.panel>.table-responsive{margin-bottom:0;border:0}.panel-group{margin-bottom:20px}.panel-group .panel{margin-bottom:0;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse>.panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ddd}.panel-default>.panel-heading .badge{color:#f5f5f5;background-color:#333}.panel-default>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse>.panel-body{border-top-color:#428bca}.panel-primary>.panel-heading .badge{color:#428bca;background-color:#fff}.panel-primary>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#3c763d;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse>.panel-body{border-top-color:#d6e9c6}.panel-success>.panel-heading .badge{color:#dff0d8;background-color:#3c763d}.panel-success>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#d6e9c6}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#31708f;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse>.panel-body{border-top-color:#bce8f1}.panel-info>.panel-heading .badge{color:#d9edf7;background-color:#31708f}.panel-info>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#bce8f1}.panel-warning{border-color:#faebcc}.panel-warning>.panel-heading{color:#8a6d3b;background-color:#fcf8e3;border-color:#faebcc}.panel-warning>.panel-heading+.panel-collapse>.panel-body{border-top-color:#faebcc}.panel-warning>.panel-heading .badge{color:#fcf8e3;background-color:#8a6d3b}.panel-warning>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#faebcc}.panel-danger{border-color:#ebccd1}.panel-danger>.panel-heading{color:#a94442;background-color:#f2dede;border-color:#ebccd1}.panel-danger>.panel-heading+.panel-collapse>.panel-body{border-top-color:#ebccd1}.panel-danger>.panel-heading .badge{color:#f2dede;background-color:#a94442}.panel-danger>.panel-footer+.panel-collapse>.panel-body{border-bottom-color:#ebccd1}.embed-responsive{position:relative;display:block;height:0;padding:0;overflow:hidden}.embed-responsive .embed-responsive-item,.embed-responsive iframe,.embed-responsive embed,.embed-responsive object{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive.embed-responsive-16by9{padding-bottom:56.25%}.embed-responsive.embed-responsive-4by3{padding-bottom:75%}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,.05);box-shadow:inset 0 1px 1px rgba(0,0,0,.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px}.close{float:right;font-size:21px;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;filter:alpha(opacity=20);opacity:.2}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;filter:alpha(opacity=50);opacity:.5}button.close{-webkit-appearance:none;padding:0;cursor:pointer;background:0 0;border:0}.modal-open{overflow:hidden}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1050;display:none;overflow:hidden;-webkit-overflow-scrolling:touch;outline:0}.modal.fade .modal-dialog{-webkit-transition:-webkit-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out;-webkit-transform:translate3d(0,-25%,0);-o-transform:translate3d(0,-25%,0);transform:translate3d(0,-25%,0)}.modal.in .modal-dialog{-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal-dialog{position:relative;width:auto;margin:10px}.modal-content{position:relative;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #999;border:1px solid rgba(0,0,0,.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,.5);box-shadow:0 3px 9px rgba(0,0,0,.5)}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;background-color:#000}.modal-backdrop.fade{filter:alpha(opacity=0);opacity:0}.modal-backdrop.in{filter:alpha(opacity=50);opacity:.5}.modal-header{min-height:16.43px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.42857143}.modal-body{position:relative;padding:15px}.modal-footer{padding:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:768px){.modal-dialog{width:600px;margin:30px auto}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,.5);box-shadow:0 5px 15px rgba(0,0,0,.5)}.modal-sm{width:300px}}@media (min-width:992px){.modal-lg{width:900px}}.tooltip{position:absolute;z-index:1070;display:block;font-size:12px;line-height:1.4;visibility:visible;filter:alpha(opacity=0);opacity:0}.tooltip.in{filter:alpha(opacity=90);opacity:.9}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:solid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-width:5px 5px 0;border-top-color:#000}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-width:5px 5px 0;border-top-color:#000}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-width:5px 5px 5px 0;border-right-color:#000}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-width:5px 0 5px 5px;border-left-color:#000}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-width:0 5px 5px;border-bottom-color:#000}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-width:0 5px 5px;border-bottom-color:#000}.popover{position:absolute;top:0;left:0;z-index:1060;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;-webkit-background-clip:padding-box;background-clip:padding-box;border:1px solid #ccc;border:1px solid rgba(0,0,0,.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,.2);box-shadow:0 5px 10px rgba(0,0,0,.2)}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:400;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover>.arrow,.popover>.arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover>.arrow{border-width:11px}.popover>.arrow:after{content:"";border-width:10px}.popover.top>.arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,.25);border-bottom-width:0}.popover.top>.arrow:after{bottom:1px;margin-left:-10px;content:" ";border-top-color:#fff;border-bottom-width:0}.popover.right>.arrow{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,.25);border-left-width:0}.popover.right>.arrow:after{bottom:-10px;left:1px;content:" ";border-right-color:#fff;border-left-width:0}.popover.bottom>.arrow{top:-11px;left:50%;margin-left:-11px;border-top-width:0;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,.25)}.popover.bottom>.arrow:after{top:1px;margin-left:-10px;content:" ";border-top-width:0;border-bottom-color:#fff}.popover.left>.arrow{top:50%;right:-11px;margin-top:-11px;border-right-width:0;border-left-color:#999;border-left-color:rgba(0,0,0,.25)}.popover.left>.arrow:after{right:1px;bottom:-10px;content:" ";border-right-width:0;border-left-color:#fff}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;-o-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6);filter:alpha(opacity=50);opacity:.5}.carousel-control.left{background-image:-webkit-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.5)),to(rgba(0,0,0,.0001)));background-image:linear-gradient(to right,rgba(0,0,0,.5) 0,rgba(0,0,0,.0001) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000', endColorstr='#00000000', GradientType=1);background-repeat:repeat-x}.carousel-control.right{right:0;left:auto;background-image:-webkit-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-o-linear-gradient(left,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);background-image:-webkit-gradient(linear,left top,right top,from(rgba(0,0,0,.0001)),to(rgba(0,0,0,.5)));background-image:linear-gradient(to right,rgba(0,0,0,.0001) 0,rgba(0,0,0,.5) 100%);filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000', endColorstr='#80000000', GradientType=1);background-repeat:repeat-x}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;filter:alpha(opacity=90);outline:0;opacity:.9}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right{position:absolute;top:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .glyphicon-chevron-left{left:50%;margin-left:-10px}.carousel-control .icon-next,.carousel-control .glyphicon-chevron-right{right:50%;margin-right:-10px}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;background-color:#000 \9;background-color:rgba(0,0,0,0);border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .glyphicon-chevron-left,.carousel-control .glyphicon-chevron-right,.carousel-control .icon-prev,.carousel-control .icon-next{width:30px;height:30px;margin-top:-15px;font-size:30px}.carousel-control .glyphicon-chevron-left,.carousel-control .icon-prev{margin-left:-15px}.carousel-control .glyphicon-chevron-right,.carousel-control .icon-next{margin-right:-15px}.carousel-caption{right:20%;left:20%;padding-bottom:30px}.carousel-indicators{bottom:20px}}.clearfix:before,.clearfix:after,.dl-horizontal dd:before,.dl-horizontal dd:after,.container:before,.container:after,.container-fluid:before,.container-fluid:after,.row:before,.row:after,.form-horizontal .form-group:before,.form-horizontal .form-group:after,.btn-toolbar:before,.btn-toolbar:after,.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after,.nav:before,.nav:after,.navbar:before,.navbar:after,.navbar-header:before,.navbar-header:after,.navbar-collapse:before,.navbar-collapse:after,.pager:before,.pager:after,.panel-body:before,.panel-body:after,.modal-footer:before,.modal-footer:after{display:table;content:" "}.clearfix:after,.dl-horizontal dd:after,.container:after,.container-fluid:after,.row:after,.form-horizontal .form-group:after,.btn-toolbar:after,.btn-group-vertical>.btn-group:after,.nav:after,.navbar:after,.navbar-header:after,.navbar-collapse:after,.pager:after,.panel-body:after,.modal-footer:after{clear:both}.center-block{display:block;margin-right:auto;margin-left:auto}.pull-right{float:right!important}.pull-left{float:left!important}.hide{display:none!important}.show{display:block!important}.invisible{visibility:hidden}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.hidden{display:none!important;visibility:hidden!important}.affix{position:fixed;-webkit-transform:translate3d(0,0,0);-o-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}@-ms-viewport{width:device-width}.visible-xs,.visible-sm,.visible-md,.visible-lg{display:none!important}.visible-xs-block,.visible-xs-inline,.visible-xs-inline-block,.visible-sm-block,.visible-sm-inline,.visible-sm-inline-block,.visible-md-block,.visible-md-inline,.visible-md-inline-block,.visible-lg-block,.visible-lg-inline,.visible-lg-inline-block{display:none!important}@media (max-width:767px){.visible-xs{display:block!important}table.visible-xs{display:table}tr.visible-xs{display:table-row!important}th.visible-xs,td.visible-xs{display:table-cell!important}}@media (max-width:767px){.visible-xs-block{display:block!important}}@media (max-width:767px){.visible-xs-inline{display:inline!important}}@media (max-width:767px){.visible-xs-inline-block{display:inline-block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm{display:block!important}table.visible-sm{display:table}tr.visible-sm{display:table-row!important}th.visible-sm,td.visible-sm{display:table-cell!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-block{display:block!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline{display:inline!important}}@media (min-width:768px) and (max-width:991px){.visible-sm-inline-block{display:inline-block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md{display:block!important}table.visible-md{display:table}tr.visible-md{display:table-row!important}th.visible-md,td.visible-md{display:table-cell!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-block{display:block!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline{display:inline!important}}@media (min-width:992px) and (max-width:1199px){.visible-md-inline-block{display:inline-block!important}}@media (min-width:1200px){.visible-lg{display:block!important}table.visible-lg{display:table}tr.visible-lg{display:table-row!important}th.visible-lg,td.visible-lg{display:table-cell!important}}@media (min-width:1200px){.visible-lg-block{display:block!important}}@media (min-width:1200px){.visible-lg-inline{display:inline!important}}@media (min-width:1200px){.visible-lg-inline-block{display:inline-block!important}}@media (max-width:767px){.hidden-xs{display:none!important}}@media (min-width:768px) and (max-width:991px){.hidden-sm{display:none!important}}@media (min-width:992px) and (max-width:1199px){.hidden-md{display:none!important}}@media (min-width:1200px){.hidden-lg{display:none!important}}.visible-print{display:none!important}@media print{.visible-print{display:block!important}table.visible-print{display:table}tr.visible-print{display:table-row!important}th.visible-print,td.visible-print{display:table-cell!important}}.visible-print-block{display:none!important}@media print{.visible-print-block{display:block!important}}.visible-print-inline{display:none!important}@media print{.visible-print-inline{display:inline!important}}.visible-print-inline-block{display:none!important}@media print{.visible-print-inline-block{display:inline-block!important}}@media print{.hidden-print{display:none!important}} From 26e74a7fa016a696d0783922fa51bc62330fd449 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:37:11 +0100 Subject: [PATCH 1556/1764] avformat/mov: Disallow FTYP after streams Fixes: Assertion !c->fc->nb_streams failed at libavformat/mov.c:7799 Fixes: 63875/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5479178702815232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19fcf4313148e86aa47d81a8d5d5e8d056f1f906) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 76fddf04eb..917202672c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1129,6 +1129,8 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; + if (c->fc->nb_streams) + return AVERROR_INVALIDDATA; if (strcmp(type, "qt ")) c->isom = 1; From cbc25c8cc8c52efa64cda14bdf92506103959e55 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Nov 2023 01:44:07 +0100 Subject: [PATCH 1557/1764] avcodec/4xm: Check for cfrm exhaustion Fixes: index -1 out of bounds for type 'CFrameBuffer [100]' Fixes: 63877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5854263397711872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bb0a684d93f793457f7bff3940a1398eb9e91703) Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 5321b103af..2ea7c00be3 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -884,6 +884,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, } if (i >= CFRAME_BUFFER_COUNT) { + if (free_index < 0) + return AVERROR_INVALIDDATA; i = free_index; f->cfrm[i].id = id; } From 01a8c87e155481cb7219a8c49045873ce8a8ec31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 18 Oct 2021 12:31:38 +0300 Subject: [PATCH 1558/1764] seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passing an uninitialized variable as argument to a function is undefined behaviour (UB). The compiler can assume that UB does not happen. Hence, the compiler can assume that the variables are never uninitialized when passed as argument, which means that the codepaths that initializes them must be taken. In ff_seek_frame_binary, this means that the compiler can assume that the codepaths that initialize pos_min and pos_max are taken, which means that the conditions "if (sti->index_entries)" and "if (index >= 0)" can be optimized out. Current Clang git versions (upcoming Clang 14) enabled an optimization that does this, which broke the current version of this function (which intentionally left the variables uninitialized, but silencing warnings about being uninitialized). See [1] for discussion on the matter. [1] https://reviews.llvm.org/D105169#3069555 Signed-off-by: Martin Storsjö (cherry picked from commit ab792634197e364ca1bb194f9abe36836e42f12d) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index cc1e574ddd..808c02edbb 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2121,7 +2121,7 @@ int ff_seek_frame_binary(AVFormatContext *s, int stream_index, int64_t target_ts, int flags) { AVInputFormat *avif = s->iformat; - int64_t av_uninit(pos_min), av_uninit(pos_max), pos, pos_limit; + int64_t pos_min = 0, pos_max = 0, pos, pos_limit; int64_t ts_min, ts_max, ts; int index; int64_t ret; From a823657ee0123ec00d0fc2d21c1874cfa1b6d5bd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Dec 2023 00:26:03 +0100 Subject: [PATCH 1559/1764] avformat/mov: Ignore duplicate ftyp Fixes: switch_1080p_720p.mp4 Found-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 4cdf2c7f768015c74078544d153f243b6d9b9ac5) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 917202672c..555cd4415a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1129,8 +1129,12 @@ static int mov_read_ftyp(MOVContext *c, AVIOContext *pb, MOVAtom atom) int ret = ffio_read_size(pb, type, 4); if (ret < 0) return ret; - if (c->fc->nb_streams) - return AVERROR_INVALIDDATA; + if (c->fc->nb_streams) { + if (c->fc->strict_std_compliance >= FF_COMPLIANCE_STRICT) + return AVERROR_INVALIDDATA; + av_log(c->fc, AV_LOG_DEBUG, "Ignoring duplicate FTYP\n"); + return 0; + } if (strcmp(type, "qt ")) c->isom = 1; From 13342df7af5e94b5175cb25b8a4fdefc32456e01 Mon Sep 17 00:00:00 2001 From: Brad Smith Date: Sun, 24 Dec 2023 14:33:31 -0500 Subject: [PATCH 1560/1764] configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm Fixes the build. It's a requirement when utilizing PIE. Signed-off-by: Brad Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 6066c430e33b4cbf5dc8ff8b3a6d149f51d20300) Signed-off-by: Michael Niedermayer --- configure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure b/configure index 576a950ea3..60977cd3f2 100755 --- a/configure +++ b/configure @@ -4941,6 +4941,7 @@ case $target_os in ;; netbsd) disable symver + enable section_data_rel_ro oss_indev_extralibs="-lossaudio" oss_outdev_extralibs="-lossaudio" enabled gcc || check_ldflags -Wl,-zmuldefs @@ -4957,6 +4958,7 @@ case $target_os in disable symver ;; freebsd) + enable section_data_rel_ro ;; bsd/os) add_extralibs -lpoll -lgnugetopt From 996d28243013091677b21a9737360ded3cfbfd77 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:23:33 +0100 Subject: [PATCH 1561/1764] avcodec/jpeglsdec: Check Jpeg-LS LSE Fixes: signed integer overflow: 2147478526 + 33924 cannot be represented in type 'int' Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 64243/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5195717848989696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c72a20f01a6122e1832f73801ea5f54b188abea3) Signed-off-by: Michael Niedermayer --- libavcodec/jpeglsdec.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 59fb304a83..0200c51453 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -373,6 +373,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, state->T3 = s->t3; state->reset = s->reset; ff_jpegls_reset_coding_parameters(state, 0); + + /* Testing parameters here, we cannot test in LSE or SOF because + * these interdepend and are allowed in either order + */ + if (state->maxval >= (1<bpp) || + state->T1 > state->T2 || + state->T2 > state->T3 || + state->T3 > state->maxval || + state->reset > FFMAX(255, state->maxval)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + ff_jpegls_init_state(state); if (s->bits <= 8) From 70c1aaf5ee513ce432df474bcfb27afa377e81b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2023 22:37:49 +0100 Subject: [PATCH 1562/1764] avformat/mov: do not set sign bit for chunk_offsets Fixes: signed integer overflow: 2314885530818453536 - -7412889664301817824 cannot be represented in type 'long' Fixes: 64296/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6304027146846208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cfc0a68d4d3192779e356a852e71b8218e7a00ab) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 555cd4415a..d1956aca93 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1818,8 +1818,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries && !pb->eof_reached; i++) sc->chunk_offsets[i] = avio_rb32(pb); else if (atom.type == MKTAG('c','o','6','4')) - for (i = 0; i < entries && !pb->eof_reached; i++) + for (i = 0; i < entries && !pb->eof_reached; i++) { sc->chunk_offsets[i] = avio_rb64(pb); + if (sc->chunk_offsets[i] < 0) { + av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n"); + sc->chunk_offsets[i] = 0; + } + } else return AVERROR_INVALIDDATA; From 6750d82cba10ebfa1694765b7a3007855360da96 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 24 Dec 2023 20:50:51 +0100 Subject: [PATCH 1563/1764] avfilter/vf_gradfun: Do not overread last line The code works in steps of 2 lines and lacks support for odd height Implementing odd height support is better but for now this fixes the out of array access Fixes: out of array access Fixes: tickets/10702/poc6ffmpe Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a) Signed-off-by: Michael Niedermayer --- libavfilter/vf_gradfun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c index f63128d72e..da4c01a546 100644 --- a/libavfilter/vf_gradfun.c +++ b/libavfilter/vf_gradfun.c @@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi for (y = 0; y < r; y++) ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2); for (;;) { - if (y < height - r) { + if (y + 1 < height - r) { int mod = ((y + r) / 2) % r; uint16_t *buf0 = buf + mod * bstride; uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride; From 4a8ced17d097765b7d6ee088963b9de34377d546 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 23 Dec 2023 04:03:01 +0100 Subject: [PATCH 1564/1764] avfilter/af_stereowiden: Check length Fixes: out of array access Fixes: tickets/10746/poc13ffmpeg Found-by: Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07) Signed-off-by: Michael Niedermayer --- libavfilter/af_stereowiden.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavfilter/af_stereowiden.c b/libavfilter/af_stereowiden.c index 24146ff1df..5925addcbd 100644 --- a/libavfilter/af_stereowiden.c +++ b/libavfilter/af_stereowiden.c @@ -74,6 +74,8 @@ static int config_input(AVFilterLink *inlink) s->length = s->delay * inlink->sample_rate / 1000; s->length *= 2; + if (s->length == 0) + return AVERROR(EINVAL); s->buffer = av_calloc(s->length, sizeof(*s->buffer)); if (!s->buffer) return AVERROR(ENOMEM); From 4d4c58c0f8655c2689123cf7d257c2284cc6a819 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 21:49:48 +0100 Subject: [PATCH 1565/1764] avfilter/af_alimiter: Check nextpos before use Fixes: out of array read Fixes: tickets/10744/poc11ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a88b06f9ee8c88f78bdd614fc25283225223e858) Signed-off-by: Michael Niedermayer --- libavfilter/af_alimiter.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c index 46211a710a..a7f8879059 100644 --- a/libavfilter/af_alimiter.c +++ b/libavfilter/af_alimiter.c @@ -176,10 +176,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } else { for (i = s->nextiter; i < s->nextiter + s->nextlen; i++) { int j = i % buffer_size; - double ppeak, pdelta; + double ppeak = 0, pdelta; - ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? - fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); + if (nextpos[j] >= 0) + ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ? + fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]); pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels); if (pdelta < nextdelta[j]) { nextdelta[j] = pdelta; From a01849d11e5cc12135aab57ad8d296434e8a9ab6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:25:25 +0100 Subject: [PATCH 1566/1764] avfilter/vf_swaprect: assert that rectangles are within memory Signed-off-by: Michael Niedermayer (cherry picked from commit 9d1ba698d2bed1d4bed731b3be62e84d72c35476) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index f96f897818..c9da2806bd 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -18,6 +18,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/eval.h" #include "libavutil/imgutils.h" @@ -179,6 +180,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) y2[1] = y2[2] = FF_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; + + av_assert0(FFMAX(x1[1], x2[1]) + pw[1] <= lw[1]); + av_assert0(FFMAX(y1[1], y2[1]) + ph[1] <= lh[1]); + for (p = 0; p < s->nb_planes; p++) { if (ph[p] == ah[p] && pw[p] == aw[p]) { uint8_t *src = in->data[p] + y1[p] * in->linesize[p] + x1[p] * s->pixsteps[p]; From 6c8b1116a88bbef3f9f2a427060fa0f74120fa5a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:26:22 +0100 Subject: [PATCH 1567/1764] avfilter/vf_swaprect: Use height for vertical variables Signed-off-by: Michael Niedermayer (cherry picked from commit 9f4c5bd7d23eb94afe85290e03748f52483102b8) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index c9da2806bd..9f7b6f2ec8 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -147,10 +147,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) w = dw; h = dh; x1[0] = dx1; y1[0] = dy1; x2[0] = dx2; y2[0] = dy2; x1[0] = av_clip(x1[0], 0, inlink->w - 1); - y1[0] = av_clip(y1[0], 0, inlink->w - 1); + y1[0] = av_clip(y1[0], 0, inlink->h - 1); x2[0] = av_clip(x2[0], 0, inlink->w - 1); - y2[0] = av_clip(y2[0], 0, inlink->w - 1); + y2[0] = av_clip(y2[0], 0, inlink->h - 1); ah[1] = ah[2] = FF_CEIL_RSHIFT(h, s->desc->log2_chroma_h); ah[0] = ah[3] = h; From 1b8ef074c1f3b0767a01025a1bfa2881496cf73f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 22 Dec 2023 22:27:08 +0100 Subject: [PATCH 1568/1764] avfilter/vf_swaprect: round coordinates down Fixes: out of array access: Fixes: tickets/10745/poc12ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit 7deaca71b32c556620e05954ca2d13fbe9aacf1f) Signed-off-by: Michael Niedermayer --- libavfilter/vf_swaprect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavfilter/vf_swaprect.c b/libavfilter/vf_swaprect.c index 9f7b6f2ec8..86d69ff4d4 100644 --- a/libavfilter/vf_swaprect.c +++ b/libavfilter/vf_swaprect.c @@ -170,14 +170,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) lw[1] = lw[2] = FF_CEIL_RSHIFT(inlink->w, s->desc->log2_chroma_w); lw[0] = lw[3] = inlink->w; - x1[1] = x1[2] = FF_CEIL_RSHIFT(x1[0], s->desc->log2_chroma_w); + x1[1] = x1[2] = (x1[0] >> s->desc->log2_chroma_w); x1[0] = x1[3] = x1[0]; - y1[1] = y1[2] = FF_CEIL_RSHIFT(y1[0], s->desc->log2_chroma_h); + y1[1] = y1[2] = (y1[0] >> s->desc->log2_chroma_h); y1[0] = y1[3] = y1[0]; - x2[1] = x2[2] = FF_CEIL_RSHIFT(x2[0], s->desc->log2_chroma_w); + x2[1] = x2[2] = (x2[0] >> s->desc->log2_chroma_w); x2[0] = x2[3] = x2[0]; - y2[1] = y2[2] = FF_CEIL_RSHIFT(y2[0], s->desc->log2_chroma_h); + y2[1] = y2[2] = (y2[0] >> s->desc->log2_chroma_h); y2[0] = y2[3] = y2[0]; From 0b8a2e6c0c40252541db8e7918791601aa99414e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:09:31 +0200 Subject: [PATCH 1569/1764] avfilter/vf_vidstabdetect: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit bb04235d728a2b85d6cbe14dd60184faa932c855) Signed-off-by: Michael Niedermayer --- libavfilter/vf_vidstabdetect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_vidstabdetect.c b/libavfilter/vf_vidstabdetect.c index 63a178a0c2..5e80e145d5 100644 --- a/libavfilter/vf_vidstabdetect.c +++ b/libavfilter/vf_vidstabdetect.c @@ -175,7 +175,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) } if (vsMotionDetection(md, &localmotions, &frame) != VS_OK) { av_log(ctx, AV_LOG_ERROR, "motion detection failed"); - return AVERROR(AVERROR_EXTERNAL); + return AVERROR_EXTERNAL; } else { if (vsWriteToFile(md, s->f, &localmotions) != VS_OK) { int ret = AVERROR(errno); From 2c30c938f9d015a97464bed7de6d0956ab2279d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 2 Oct 2023 16:10:22 +0200 Subject: [PATCH 1570/1764] avformat/flacdec: Avoid double AVERRORS Signed-off-by: Michael Niedermayer (cherry picked from commit 029294ff541c9c85092f81dd45f18081d234f0d5) Signed-off-by: Michael Niedermayer --- libavformat/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index a032378045..96dad46afa 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -66,7 +66,7 @@ static int flac_read_header(AVFormatContext *s) /* process metadata blocks */ while (!avio_feof(s->pb) && !metadata_last) { if (avio_read(s->pb, header, 4) != 4) - return AVERROR(AVERROR_INVALIDDATA); + return AVERROR_INVALIDDATA; flac_parse_block_header(header, &metadata_last, &metadata_type, &metadata_size); switch (metadata_type) { From fd3f7522a29078bdf64ce2a21045f7de472bf56c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 02:51:32 +0100 Subject: [PATCH 1571/1764] avfilter/vf_minterpolate: Check pts before division Fixes: FPE Fixes: tickets/10758/poc20ffmpeg Discovered by Zeng Yunxiang Signed-off-by: Michael Niedermayer (cherry picked from commit 68146f06f852078866b3ef1564556e3a272920c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_minterpolate.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index 6c5c264005..7d5765e264 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -1062,8 +1062,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, (int64_t) outlink->time_base.den * inlink->time_base.num); - alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); - alpha = av_clip(alpha, 0, ALPHA_MAX); + if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { + alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); + alpha = av_clip(alpha, 0, ALPHA_MAX); + } else { + av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); + alpha = 0; + } if (alpha == 0 || alpha == ALPHA_MAX) { av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); From c47825e94f5b05728e781cd9a1bcaa96e85ce3d7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:06:39 +0100 Subject: [PATCH 1572/1764] avcodec/mpegvideo_enc: Dont copy beyond the image Fixes: out of array access Fixes: tickets/10754/poc17ffmpeg Discovered by Zeng Yunxiang. Signed-off-by: Michael Niedermayer (cherry picked from commit a066b8a809fa6d8b31398d41787822803f8762f2) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 3fe7a0012c..c371c25d30 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1349,7 +1349,7 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) dst += INPLACE_OFFSET; if (src_stride == dst_stride) - memcpy(dst, src, src_stride * h); + memcpy(dst, src, src_stride * h - src_stride + w); else { int h2 = h; uint8_t *dst2 = dst; From 51c1485abe9c8f8a14a6d0a605b4ceee457c6c94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 03:09:52 +0100 Subject: [PATCH 1573/1764] avcodec/mpegvideo_enc: Use ptrdiff_t for stride Signed-off-by: Michael Niedermayer (cherry picked from commit e063c1d079086150580ed7a9ad076da122e27f76) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index c371c25d30..1206950914 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1330,8 +1330,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) &v_chroma_shift); for (i = 0; i < 3; i++) { - int src_stride = pic_arg->linesize[i]; - int dst_stride = i ? s->uvlinesize : s->linesize; + ptrdiff_t src_stride = pic_arg->linesize[i]; + ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; int w = s->width >> h_shift; From 7ea72140a56e09e6e8372930d4ccb1406a1fc2dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:10:41 +0100 Subject: [PATCH 1574/1764] avfilter/signature_lookup: dont leave uncleared pointers in sll_free() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c504829514333439d15deb5717567fb4bdbbee0) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 272c717c77..c04bc944f1 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -37,6 +37,16 @@ #define STATUS_END_REACHED 1 #define STATUS_BEGIN_REACHED 2 +static void sll_free(MatchingInfo **sll) +{ + while (*sll) { + MatchingInfo *tmp = *sll; + *sll = tmp->next; + tmp->next = NULL; + av_free(tmp); + } +} + static void fill_l1distlut(uint8_t lut[]) { int i, j, tmp_i, tmp_j,count; @@ -520,16 +530,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * return bestmatch; } -static void sll_free(MatchingInfo *sll) -{ - void *tmp; - while (sll) { - tmp = sll; - sll = sll->next; - av_freep(&tmp); - } -} - static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode) { CoarseSignature *cs, *cs2; @@ -572,7 +572,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc "ratio %f, offset %d, score %d, %d frames matching\n", bestmatch.first->index, bestmatch.second->index, bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes); - sll_free(infos); + sll_free(&infos); } } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole); return bestmatch; From c81cf184c5513d81324799cc72c1e814ef4957f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 5 Feb 2024 12:40:30 +0100 Subject: [PATCH 1575/1764] avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure Fixes: CID 1403229 Dereference after null check Signed-off-by: Michael Niedermayer (cherry picked from commit 98ae1ad7cf16bd10a4fa79f676439edc4da7cba6) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index c04bc944f1..89ccd2f9cd 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -299,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont if (!c->next) av_log(ctx, AV_LOG_FATAL, "Could not allocate memory"); c = c->next; + + } + if (!c) { + sll_free(&cands); + goto error; } c->framerateratio = (i+1.0) / 30; c->score = hspace[i][j].score; @@ -315,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont } } } + error: for (i = 0; i < MAX_FRAMERATE; i++) { av_freep(&hspace[i]); } From c3cbefbdffd7a461f6ba36104fb51aff9f6c1dab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jan 2024 02:37:57 +0100 Subject: [PATCH 1576/1764] avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers Signed-off-by: Michael Niedermayer (cherry picked from commit f465badb062c8023bc245f4878e7a6a082afc416) Signed-off-by: Michael Niedermayer --- libavutil/rational.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavutil/rational.h b/libavutil/rational.h index 5c6b67b4e9..3ab7f59bd7 100644 --- a/libavutil/rational.h +++ b/libavutil/rational.h @@ -168,6 +168,10 @@ static av_always_inline AVRational av_inv_q(AVRational q) * In case of infinity, the returned value is expressed as `{1, 0}` or * `{-1, 0}` depending on the sign. * + * In general rational numbers with |num| <= 1<<26 && |den| <= 1<<26 + * can be recovered exactly from their double representation. + * (no exceptions were found within 1B random ones) + * * @param d `double` to convert * @param max Maximum allowed numerator and denominator * @return `d` in AVRational form From 0977cf003d337bd8235cb8c110a6266b93f5d5eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 3 Feb 2024 20:11:56 +0100 Subject: [PATCH 1577/1764] avcodec/indeo3: Round dimensions up in allocate_frame_buffers() Fixes: Ticket6581 Signed-off-by: Michael Niedermayer (cherry picked from commit 3be80ce299d0073118ae42f5d99c14f912751d93) Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 71d478c9fc..41d5132509 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -169,6 +169,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, int luma_size, chroma_size; ptrdiff_t luma_pitch, chroma_pitch; + luma_width = FFALIGN(luma_width , 2); + luma_height = FFALIGN(luma_height, 2); + if (luma_width < 16 || luma_width > 640 || luma_height < 16 || luma_height > 480 || luma_width & 3 || luma_height & 3) { From 0898209a4810c3268c35f0949033bfced8d96424 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:04:13 +0100 Subject: [PATCH 1578/1764] swscale/utils: Allocate more dithererror Fixes: out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 18f26f8a2f8dc3b9ec3ac3ab8e03fce15cc8c88d) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 1786b937b4..53153ef8a2 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1714,7 +1714,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, } for (i = 0; i < 4; i++) - FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+2) * sizeof(int), fail); + FF_ALLOCZ_OR_GOTO(c, c->dither_error[i], (c->dstW+3) * sizeof(int), fail); c->needAlpha = (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) ? 1 : 0; From 8b79265d2dd58b471d62c3a3b5deb10e47207e1f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Feb 2024 01:34:25 +0100 Subject: [PATCH 1579/1764] swscale/swscale: Check srcSliceH for bayer Fixes: Assertion srcSliceH > 1 failed at libswscale/swscale_unscaled.c:1359 Signed-off-by: Michael Niedermayer (cherry picked from commit 64098d0cd8ab1d27f78a335ca684f00a419b2160) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 1b88a2633e..110a5a5fd7 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -778,7 +778,8 @@ int attribute_align_arg sws_scale(struct SwsContext *c, if ((srcSliceY & (macro_height-1)) || ((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) || - srcSliceY + srcSliceH > c->srcH) { + srcSliceY + srcSliceH > c->srcH || + (isBayer(c->srcFormat) && srcSliceH <= 1)) { av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); return AVERROR(EINVAL); } From 8bc8b35a37960f6b391fb86c7431ba9a844241a3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 20 Feb 2024 03:32:38 +0100 Subject: [PATCH 1580/1764] libswscale/utils: Fix bayer to yuvj Fixes: out of array access. Earlier code assumes that a unscaled bayer to yuvj420 converter exists but the later code then skips yuvj420 Signed-off-by: Michael Niedermayer (cherry picked from commit e9cc9e492f987ce23ce8c514258a17952dd20401) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 53153ef8a2..ba6d81678a 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1789,7 +1789,7 @@ av_cold int sws_init_context(SwsContext *c, SwsFilter *srcFilter, /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && - (c->srcRange == c->dstRange || isAnyRGB(dstFormat))) { + (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || isBayer(srcFormat))) { ff_get_unscaled_swscale(c); if (c->swscale) { From 8ff0d307b86fc0083246cca5a5e06700ccd1d8d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 27 Feb 2024 22:27:03 +0100 Subject: [PATCH 1581/1764] avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() Fixes: timeout Fixes: 66326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-6295291863040000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc89cf804a811c0d25f4649a99f7fab4b5b416fa) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index d0d5b7082d..c3656a994c 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1451,6 +1451,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + if (vr_type == 0) { voffs = voffset+j*vlen; From 6d4e1d691347811a40e8680bd69a1ee5beaf9116 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Feb 2024 19:38:41 +0100 Subject: [PATCH 1582/1764] avcodec/proresenc_kostya: Remove bug similarity text According to kostya, it is not based on Wassermans encoder CC: Kostya Shishkov CC: Anatoliy Wasserman Signed-off-by: Michael Niedermayer (cherry picked from commit e0e30e07a1755c4f7829f64d35dc07e399c02c6e) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 149dc81b3c..a3a52de440 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -3,9 +3,6 @@ * * Copyright (c) 2012 Konstantin Shishkov * - * This encoder appears to be based on Anatoliy Wassermans considering - * similarities in the bugs. - * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or From dccb2d95ec67cb86d7a2168c99c3839df29b8977 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 20 Mar 2024 03:51:05 +0100 Subject: [PATCH 1583/1764] avformat/id3v2: read_uslt() check for the amount read Fixes: timeout Fixes: 66783/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5356884892647424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0f4abe2aa0117a10fb651f2c1c030d4cd516081) Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index a38cb5a6db..d7053392d8 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -364,7 +364,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, int encoding; int ok = 0; - if (taglen < 1) + if (taglen < 4) goto error; encoding = avio_r8(pb); From 2eb0e9d16898c6c4f54bb0e6075e4e3f6a84f18d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:38:17 +0200 Subject: [PATCH 1584/1764] avformat/cafdec: dont seek beyond 64bit Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 3c6d6922a0..c74d3dc481 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -222,7 +222,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) } } - if (avio_tell(pb) - ccount > size) { + if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { av_log(s, AV_LOG_ERROR, "error reading packet table\n"); return AVERROR_INVALIDDATA; } From fd02b195bf9f5f1cd28cd41108d8c3c3cd20b3cc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:51:29 +0200 Subject: [PATCH 1585/1764] avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 0d820c7413..c94665676a 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; - c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; } c->bytes_left = fsize; c->wavpos = avio_tell(pb); From 037cfbe417b3b5be69b8b82a8d03a48af81b4dcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Sep 2023 00:45:33 +0200 Subject: [PATCH 1586/1764] avformat/cafdec: Check that data chunk end fits within 64bit Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b792e4d4c772b7b5ef8ea32be187a871000e50c2) Signed-off-by: Michael Niedermayer --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index c74d3dc481..dd6c5c0f7a 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -294,6 +294,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; + if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) + return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; From b1374b8bd236b999dec04d4422b29fae4e5f08b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 02:52:04 +0100 Subject: [PATCH 1587/1764] avcodec/truemotion1: Height not being a multiple of 4 is unsupported mb_change_bits is given space based on height >> 2, while more data is read Fixes: out of array access Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5201925062590464.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebdcf9849905fdd67dcd3ab93e55e47ded35fda2) Signed-off-by: Michael Niedermayer --- libavcodec/truemotion1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 602de99f10..60c5a812d1 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -407,6 +407,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return AVERROR_PATCHWELCOME; } + if (s->h & 3) { + avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4"); + return AVERROR_PATCHWELCOME; + } + if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { av_frame_unref(s->frame); From ec9fecaa9081630188cca080198941e5fc94a9af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:27:39 +0100 Subject: [PATCH 1588/1764] avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d778a68531b406455f8090d81216ef374ab75) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 2ca7dbecc6..8d9ed6e57d 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -173,7 +173,7 @@ static int fps_from_frame_rate(AVRational rate) { if (!rate.den || !rate.num) return -1; - return (rate.num + rate.den/2) / rate.den; + return (rate.num + rate.den/2LL) / rate.den; } int av_timecode_check_frame_rate(AVRational rate) From 73e2d87b9203e012b80910854423742a599a5446 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:36:40 +0100 Subject: [PATCH 1589/1764] avformat/rpl: Use 64bit for total_audio_size and check it Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4677434693517312 Fixes: signed integer overflow: 5555555555555555556 * 8 cannot be represented in type 'long long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 878625812f164fbb733f442965235656d9eaccc8) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 64a711a548..b7d3862e89 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; RPLContext *rpl = s->priv_data; AVStream *vst = NULL, *ast = NULL; - int total_audio_size; + int64_t total_audio_size; int error = 0; uint32_t i; @@ -272,6 +272,8 @@ static int rpl_read_header(AVFormatContext *s) if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0); + if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) + return AVERROR_INVALIDDATA; total_audio_size += audio_size * 8; } From 569eb2f6559ed96c66e681b72826faf07be8f177 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:39:49 +0100 Subject: [PATCH 1590/1764] avformat/sbgdec: Check for negative duration Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6) Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index f37fa9145b..3bd8c281de 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -384,7 +384,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); - if (oarg.e != oarg.s + r) { + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; From 318ab4d2e2a8c7c7296c662133412170dcd0539a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 00:57:33 +0100 Subject: [PATCH 1591/1764] avformat/matroskadec: Check timescale Fixes: 3.82046e+18 is outside the range of representable values of type 'unsigned int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6381436594421760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e849eb23432e45d0a1fda3901bb84eff0ce91282) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index d24d317257..87820d519a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2412,6 +2412,10 @@ static int matroska_parse_tracks(AVFormatContext *s) if (track->time_scale < 0.01) track->time_scale = 1.0; + + if (matroska->time_scale * track->time_scale > UINT_MAX) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000); /* 64 bit pts in ns */ From f91d171d293f081a75650165cefbe6c4307b6944 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 26 Mar 2024 01:00:13 +0100 Subject: [PATCH 1592/1764] avformat/westwood_vqa: Fix 2g packets Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) Signed-off-by: Michael Niedermayer --- libavformat/westwood_vqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 15deef6061..0c77fd6e1a 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -232,7 +232,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ - pkt->duration = (chunk_size * 2) / wsvqa->channels; + pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break; From ea2a7937ce79b5a2371d446deaef55ec54b4290e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 12 Feb 2024 19:40:07 +0100 Subject: [PATCH 1593/1764] avfilter/vf_signature: Dont crash on no frames Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5f03bbc8bba2929cc09b07d2731ae5d392e772) Signed-off-by: Michael Niedermayer --- libavfilter/vf_signature.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 8bdd7f55a2..81b0f6c3a7 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -390,6 +390,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; + if (!sc->coarseend->last) + return AVERROR(EINVAL); // No frames ? + f = fopen(filename, "w"); if (!f) { int err = AVERROR(EINVAL); From 622e11ce114f4e42722b65a96adb0f4f28c2ed5d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 29 Mar 2024 03:35:18 +0100 Subject: [PATCH 1594/1764] avformat/mxfdec: Check first case of offset_temp computation for overflow This is kind of ugly Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long' Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6ed6f6e8dffcf777c336869f56002da588e2de8) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 06a7af425c..7bcc3957b4 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1346,9 +1346,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (index > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else if (s->nb_index_entries) { + } else if (s->nb_index_entries) { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ From bfd0d096370e2464f3f0e081eeddc491900b53be Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Mar 2024 19:51:43 +0100 Subject: [PATCH 1595/1764] avformat/movenc: Check that cts fits in 32bit Fixes: Assertion av_rescale_rnd(start_dts, mov->movie_timescale, track->timescale, AV_ROUND_DOWN) <= 0 failed at libavformat/movenc.c:3694 Fixes: poc2 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit d88c284c18bf6cd3dd24a7c86b5e496dd3037405) Signed-off-by: Michael Niedermayer --- libavformat/movenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index b5c1c99a53..926b8e15ff 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5038,6 +5038,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; + if (pkt->pts != AV_NOPTS_VALUE && + (uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { + av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); + return AVERROR_PATCHWELCOME; + } + if (mov->flags & FF_MOV_FLAG_FRAGMENT) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { From db0f173b3ef889f9f14a67eebc7fe43f3ba4f780 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Apr 2024 18:29:46 +0200 Subject: [PATCH 1596/1764] avformat/mxfdec: Make edit_unit_byte_count unsigned Suggested-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f30fe5e8d002e15f07eaacf720c5654097cb62df) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 7bcc3957b4..cad07fe6e6 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -197,7 +197,7 @@ typedef struct MXFDescriptor { typedef struct MXFIndexTableSegment { UID uid; enum MXFMetadataSetType type; - int edit_unit_byte_count; + unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; From 56434954c43844efc022b3e3da3a106eaad5a20a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:31:40 +0200 Subject: [PATCH 1597/1764] swscale/utils: Fix xInc overflow Fixes: signed integer overflow: 2 * 1073741824 cannot be represented in type 'int' Fixes: 67802/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6249515855183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1a9eda65d027e0167f7363e0514f71311ac5d8d1) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index ba6d81678a..c3e4508b0a 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -496,7 +496,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, filter[i * filterSize + j] = coeff; xx++; } - xDstInSrc += 2 * xInc; + xDstInSrc += 2LL * xInc; } } From 184322d378d63976e5bf40b2ac53a8e4541b69b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 4 Apr 2024 00:38:20 +0200 Subject: [PATCH 1598/1764] avformat/mxfdec: Check index_edit_rate Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62 Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5108429687422976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed49391961999f028e0bc55767d0eef6eeb15e49) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index cad07fe6e6..1d6e81f670 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -951,6 +951,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); + if (segment->index_edit_rate.num <= 0 || + segment->index_edit_rate.den <= 0) + return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; From b6dbfbc7895e6998c66a13c671d6b1dbd358320f Mon Sep 17 00:00:00 2001 From: Andreas Rheinhardt Date: Tue, 13 Feb 2024 14:20:55 +0100 Subject: [PATCH 1599/1764] fate/subtitles: Ignore line endings for sub-scc test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since 7bf1b9b35769b37684dd2f18a54f01d852a540c8, the test produces ordinary \n, yet this is not what the reference file used for the most time, leading to test failures. Reviewed-by: Martin Storsjö Signed-off-by: Andreas Rheinhardt (cherry picked from commit 99d33cc661fbd04e8657831b818042b11f1862a2) Signed-off-by: Michael Niedermayer --- tests/fate/subtitles.mak | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/fate/subtitles.mak b/tests/fate/subtitles.mak index 8c310adeff..f804f826fc 100644 --- a/tests/fate/subtitles.mak +++ b/tests/fate/subtitles.mak @@ -99,6 +99,7 @@ fate-sub-charenc: CMD = fmtstdout ass -sub_charenc cp1251 -i $(TARGET_SAMPLES)/s FATE_SUBTITLES-$(call DEMDEC, SCC, CCAPTION) += fate-sub-scc fate-sub-scc: CMD = fmtstdout ass -ss 57 -i $(TARGET_SAMPLES)/sub/witch.scc +fate-sub-scc: CMP = diff FATE_SUBTITLES-$(call ENCMUX, ASS, ASS) += $(FATE_SUBTITLES_ASS-yes) FATE_SUBTITLES += $(FATE_SUBTITLES-yes) From 180f8216cdb643deff9255f3fa6cc09d517e52d4 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:38 +0100 Subject: [PATCH 1600/1764] aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. Under these conditions like seen by Firefox a read beyond the end of the buffer results in a segfault. After the over-read is reduced to a single pixel it's reasonable to use VP9's emulated edge motion compensation for this. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 430c38f698a65d597e863330810b05e083682be6) --- libavcodec/aarch64/vp9mc_neon.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/libavcodec/aarch64/vp9mc_neon.S b/libavcodec/aarch64/vp9mc_neon.S index f67624ca04..7cdcd675ed 100644 --- a/libavcodec/aarch64/vp9mc_neon.S +++ b/libavcodec/aarch64/vp9mc_neon.S @@ -260,6 +260,9 @@ function \type\()_8tap_\size\()h_\idx1\idx2 // reduced dst stride .if \size >= 16 sub x1, x1, x5 +.elseif \size == 4 + add x12, x2, #8 + add x13, x7, #8 .endif // size >= 16 loads two qwords and increments x2, // for size 4/8 it's enough with one qword and no @@ -278,9 +281,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 ld1 {v4.8b, v5.8b, v6.8b}, [x2], #24 ld1 {v16.8b, v17.8b, v18.8b}, [x7], #24 -.else +.elseif \size == 8 ld1 {v4.8b, v5.8b}, [x2] ld1 {v16.8b, v17.8b}, [x7] +.else // \size == 4 + ld1 {v4.8b}, [x2] + ld1 {v16.8b}, [x7] + ld1 {v5.s}[0], [x12], x3 + ld1 {v17.s}[0], [x13], x3 .endif uxtl v4.8h, v4.8b uxtl v5.8h, v5.8b From 80ef3328b5594595faa40d1e2f3f4b09fd64e514 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:39 +0100 Subject: [PATCH 1601/1764] arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter This reduces the amount the horizontal filters read beyond the filter width to a consistent 1 pixel. The data is not used so this is usually not noticeable. It becomes a problem when the application allocates frame buffers only for the aligned picture size and the end of it is at a page boundary. This happens for picture sizes which are a multiple of the page size like 1280x640. The frame buffer allocation is based on its most likely done via mmap + MAP_ANONYMOUS so start and end of the buffer are page aligned and the previous and next page are not necessarily mapped. This mirrors the aarch64 change. Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit f3662562156c9b908588b1e58e4203fd09217cb6) --- libavcodec/arm/vp9mc_neon.S | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/arm/vp9mc_neon.S b/libavcodec/arm/vp9mc_neon.S index bd8cda7c30..2ec729bb31 100644 --- a/libavcodec/arm/vp9mc_neon.S +++ b/libavcodec/arm/vp9mc_neon.S @@ -279,11 +279,13 @@ function \type\()_8tap_\size\()h_\idx1\idx2 sub r1, r1, r5 .endif @ size >= 16 loads two qwords and increments r2, - @ for size 4/8 it's enough with one qword and no - @ postincrement + @ size 4 loads 1 d word, increments r2 and loads 1 32-bit lane + @ for size 8 it's enough with one qword and no postincrement .if \size >= 16 sub r3, r3, r5 sub r3, r3, #8 +.elseif \size == 4 + sub r3, r3, #8 .endif @ Load the filter vector vld1.16 {q0}, [r12,:128] @@ -295,9 +297,14 @@ function \type\()_8tap_\size\()h_\idx1\idx2 .if \size >= 16 vld1.8 {d18, d19, d20}, [r2]! vld1.8 {d24, d25, d26}, [r7]! -.else +.elseif \size == 8 vld1.8 {q9}, [r2] vld1.8 {q12}, [r7] +.else @ size == 4 + vld1.8 {d18}, [r2]! + vld1.8 {d24}, [r7]! + vld1.32 {d19[0]}, [r2] + vld1.32 {d25[0]}, [r7] .endif vmovl.u8 q8, d18 vmovl.u8 q9, d19 From 970ca1e0f25951734ca7038144968df927dd7e6a Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 3 Jan 2025 01:54:40 +0100 Subject: [PATCH 1602/1764] vp9: recon: Use emulated edge to prevent buffer overflows The arm/aarch64 horizontal filter reads one additional pixel beyond what the filter uses. This can become an issue if the application does not allocate larger buffers than what's required for the pixel data. If the motion vector points to the bottom right edge of the picture this becomes a read buffer overflow. This triggers segfaults in Firefox for video resolutions which result in a page aligned picture size like 1280x640. Prevent this by using emulated edge in this case. Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185 Signed-off-by: Janne Grunau Signed-off-by: Ronald S. Bultje (cherry picked from commit 060464105bdca82b8cfb91c7a6fb56df4c7cd9d0) --- libavcodec/vp9recon.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/vp9recon.c b/libavcodec/vp9recon.c index 49bb04e1f4..363fc3cf26 100644 --- a/libavcodec/vp9recon.c +++ b/libavcodec/vp9recon.c @@ -318,7 +318,11 @@ static av_always_inline void mc_luma_unscaled(VP9TileData *td, vp9_mc_func (*mc) // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref - !!my * 3 * ref_stride - !!mx * 3 * bytesperpixel, @@ -357,7 +361,11 @@ static av_always_inline void mc_chroma_unscaled(VP9TileData *td, vp9_mc_func (*m // The arm/aarch64 _hv filters read one more row than what actually is // needed, so switch to emulated edge one pixel sooner vertically // (!!my * 5) than horizontally (!!mx * 4). + // The arm/aarch64 _h filters read one more pixel than what actually is + // needed, so switch to emulated edge if that would read beyond the bottom + // right block. if (x < !!mx * 3 || y < !!my * 3 || + ((ARCH_AARCH64 || ARCH_ARM) && (x + !!mx * 5 > w - bw) && (y + !!my * 5 + 1 > h - bh)) || x + !!mx * 4 > w - bw || y + !!my * 5 > h - bh) { s->vdsp.emulated_edge_mc(td->edge_emu_buffer, ref_u - !!my * 3 * src_stride_u - !!mx * 3 * bytesperpixel, From 4767a711c131ee4058000076044bdc42b4c2254d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Sat, 15 May 2021 00:42:38 +0300 Subject: [PATCH 1603/1764] ffbuild: Avoid using the --preprocessor argument to windres MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead use --preprocessor-arg; in binutils 2.36, the --preprocessor flag was changed so that it no longer accepts a string containing multiple arguments, but the whole --preprocessor argument is treated as the path to the preprocessor executable (where the path can contain spaces). It's currently unclear whether this behaviour will stay or if it is going to be reverted in the future, see discussion at [1]. Just to be safe, avoid using the --preprocessor argument. Don't redeclare the full preprocessing command, but just add the $(CC_DEPFLAGS) options. Based on a patch by Kyle Schwartz. [1] https://sourceware.org/bugzilla/show_bug.cgi?id=27594 Signed-off-by: Martin Storsjö --- configure | 1 - ffbuild/common.mak | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index 60977cd3f2..1d591ae103 100755 --- a/configure +++ b/configure @@ -6917,7 +6917,6 @@ LD_LIB=$LD_LIB LD_PATH=$LD_PATH DLLTOOL=$dlltool WINDRES=$windres -DEPWINDRES=$dep_cc DOXYGEN=$doxygen LDFLAGS=$LDFLAGS LDEXEFLAGS=$LDEXEFLAGS diff --git a/ffbuild/common.mak b/ffbuild/common.mak index e168fb2cfd..468b323715 100644 --- a/ffbuild/common.mak +++ b/ffbuild/common.mak @@ -83,7 +83,7 @@ COMPILE_NVCC = $(call COMPILE,NVCC) -$(if $(ASMSTRIPFLAGS), $(STRIP) $(ASMSTRIPFLAGS) $@) %.o: %.rc - $(WINDRES) $(IFLAGS) --preprocessor "$(DEPWINDRES) -E -xc-header -DRC_INVOKED $(CC_DEPFLAGS)" -o $@ $< + $(WINDRES) $(IFLAGS) $(foreach ARG,$(CC_DEPFLAGS),--preprocessor-arg "$(ARG)") -o $@ $< %.i: %.c $(CC) $(CCFLAGS) $(CC_E) $< From 46d12dce135c1c8f45f4002bc6ba1fcaadd889d1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:43:19 +0200 Subject: [PATCH 1604/1764] avfilter/signature_lookup: Fix 2 differences to the refernce SW Fixes: CID1403227 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 25cb66369e7b81bd280f0bdd6d51a0e2e11881e3) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 89ccd2f9cd..690d256cdb 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -501,10 +501,10 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * continue; /* matching sequence is too short */ if ((double) goodfcount / (double) fcount < sc->thit) continue; - if ((double) goodfcount*0.5 < FFMAX(gooda, goodb)) + if ((double) goodfcount*0.5 <= FFMAX(gooda, goodb)) continue; - meandist = (double) goodfcount / (double) distsum; + meandist = (double) distsum / (double) goodfcount; if (meandist < minmeandist || status == STATUS_END_REACHED | STATUS_BEGIN_REACHED || From de74a4e269f29348017d01f9c78f3b19ced45b9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 Apr 2024 00:57:43 +0200 Subject: [PATCH 1605/1764] avfilter/signature_lookup: Dont copy uninitialized stuff around Fixes: CID1403238 Uninitialized pointer read Fixes: CID1403239 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e7174e66ac6025cea4b8e590525314d3aea6a134) Signed-off-by: Michael Niedermayer --- libavfilter/signature_lookup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 690d256cdb..ba0dcfbf34 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -453,14 +453,14 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * } if (tolerancecount > 2) { - a = aprev; - b = bprev; if (dir == DIR_NEXT) { /* turn around */ a = infos->first; b = infos->second; dir = DIR_PREV; } else { + a = aprev; + b = bprev; break; } } From 5ad66bb28a5987e242c45f81247104dc6a590bc8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 Apr 2024 00:09:02 +0200 Subject: [PATCH 1606/1764] avcodec/hevcdec: Check ref frame Fixes: NULL pointer dereferences Fixes: 68197/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6382538823106560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 5eb05f44503da3fdff82f1fed8ee2706d9841a9a) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 027423c3af..dc2f4f74ff 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -1822,13 +1822,13 @@ static void hls_prediction_unit(HEVCContext *s, int x0, int y0, if (current_mv.pred_flag & PF_L0) { ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; - if (!ref0 || !ref0->frame->data[0]) + if (!ref0 || !ref0->frame) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; - if (!ref1 || !ref1->frame->data[0]) + if (!ref1 || !ref1->frame) return; hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH); } From 1c0b87d26393326451009e8ef08fd2129426af28 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:35 +0200 Subject: [PATCH 1607/1764] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a56559e688ffde40fcda5588123ffcb978da86d7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index b740120f54..6323d3323c 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -932,8 +932,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -957,20 +957,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -978,8 +978,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1003,20 +1003,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From 56282bd3c3a514dcbe287e34e478c0c9ee37c036 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 26 Apr 2024 05:08:36 +0200 Subject: [PATCH 1608/1764] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int' Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1330a73ccadd855542ac4386f75fd72ff0ab5ea1) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 6323d3323c..42fa46aa61 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1151,7 +1151,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1170,9 +1170,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1184,7 +1184,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1203,9 +1203,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From f119b562d20bc309f007501bb38cd897116beee9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 8 Apr 2024 18:38:42 +0200 Subject: [PATCH 1609/1764] avcodec/mpegvideo_enc: Fix 1 line and one column images Fixes: Ticket10952 Fixes: poc21ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 1206950914..ff16cd7d4a 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1334,8 +1334,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? h_chroma_shift : 0; int v_shift = i ? v_chroma_shift : 0; - int w = s->width >> h_shift; - int h = s->height >> v_shift; + int w = AV_CEIL_RSHIFT(s->width , h_shift); + int h = AV_CEIL_RSHIFT(s->height, v_shift); uint8_t *src = pic_arg->data[i]; uint8_t *dst = pic->f->data[i]; int vpad = 16; From a31b19aec5aff0143e3b9d61f493762e382489f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:13:17 +0200 Subject: [PATCH 1610/1764] libavutil/base64: Try not to write over the array end Signed-off-by: Michael Niedermayer (cherry picked from commit 2d216566f258badd07bc58de1e089b6e4175dc46) Signed-off-by: Michael Niedermayer --- libavutil/base64.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/base64.c b/libavutil/base64.c index 25ae8c411c..2c1c94fc37 100644 --- a/libavutil/base64.c +++ b/libavutil/base64.c @@ -120,10 +120,12 @@ int av_base64_decode(uint8_t *out, const char *in_str, int out_size) } out3: - *dst++ = v >> 10; + if (end - dst) + *dst++ = v >> 10; v <<= 2; out2: - *dst++ = v >> 4; + if (end - dst) + *dst++ = v >> 4; out1: out0: return bits & 1 ? AVERROR_INVALIDDATA : dst - out; From c435cd2d9973cab1733367f55dd2fa96db0b0cdc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 03:14:16 +0200 Subject: [PATCH 1611/1764] avutil/tests/base64: Check with too short output array Signed-off-by: Michael Niedermayer (cherry picked from commit c304784a86cc7e2af211ed80ce2121e788680a8e) Signed-off-by: Michael Niedermayer --- libavutil/tests/base64.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavutil/tests/base64.c b/libavutil/tests/base64.c index 400e01cefe..66d0fdc1fc 100644 --- a/libavutil/tests/base64.c +++ b/libavutil/tests/base64.c @@ -64,6 +64,16 @@ static int test_encode_decode(const uint8_t *data, unsigned int data_size, printf("Failed: decode to NULL buffer\n"); return 1; } + if (data_size > 0 && (data2_size = av_base64_decode(data2, encoded, data_size - 1)) != data_size - 1) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } + if (data_size > 1 && (data2_size = av_base64_decode(data2, encoded, data_size - 2)) != data_size - 2) { + printf("Failed: out of array write\n" + "Encoded:\n%s\n", encoded); + return 1; + } if (strlen(encoded)) { char *end = strchr(encoded, '='); if (!end) From 6a2ad69370ef17add5e28314c0d8a36c385bb193 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 20:50:44 +0200 Subject: [PATCH 1612/1764] avcodec/lpc: copy levenson coeffs only when they have been computed Fixes: CID1473514 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c2d897f3566fdf5c190583c6f5197ead5abec2ed) Signed-off-by: Michael Niedermayer --- libavcodec/lpc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c index c990cfc6c3..fc97ce3ae0 100644 --- a/libavcodec/lpc.c +++ b/libavcodec/lpc.c @@ -243,8 +243,10 @@ int ff_lpc_calc_coefs(LPCContext *s, double av_uninit(weight); memset(var, 0, FFALIGN(MAX_LPC_ORDER+1,4)*sizeof(*var)); - for(j=0; j 1) + for(j=0; j Date: Sat, 4 May 2024 23:29:26 +0200 Subject: [PATCH 1613/1764] avcodec/fmvc: remove dead assignment Fixes: CID1529220 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96c116254527cc40b386f14b77e17fbe2388d5da) Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 112b2d4714..fe492e9b71 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -100,7 +100,6 @@ static int decode_type2(GetByteContext *gb, PutByteContext *pb) continue; } } - repeat = 0; } repeat = 1; } From 57ecf48db34c77ea2c03797fb98728cc77e9bf89 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 10 May 2024 16:07:04 +0200 Subject: [PATCH 1614/1764] avcodec/jpeg2000dec: remove ST=3 case MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: CID1460979 Logically dead code Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4ed4f9a6c0a99c823706bfc4bb4df53f963f2f5a) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index e2af977788..3ef21467e1 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -822,9 +822,6 @@ static uint8_t get_tlm(Jpeg2000DecoderContext *s, int n) case 2: bytestream2_get_be16(&s->g); break; - case 3: - bytestream2_get_be32(&s->g); - break; } if (SP == 0) { bytestream2_get_be16(&s->g); From 7be3a9dbdac30c78cc07d71e29e9e7df2123f308 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 18 May 2024 00:32:43 +0200 Subject: [PATCH 1615/1764] avcodec/vble: Check av_image_get_buffer_size() for failure Fixes: CID1461482 Improper use of negative value Sponsored-by: Sovereign Tech Fund Reviewed-.by: "Xiang, Haihao" Signed-off-by: Michael Niedermayer (cherry picked from commit dd5379db5d83d8b06654582afe327daa6be678a3) Signed-off-by: Michael Niedermayer --- libavcodec/vble.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index c25ee98697..d2945fcae6 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -193,6 +193,9 @@ static av_cold int vble_decode_init(AVCodecContext *avctx) ctx->size = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + if (ctx->size < 0) + return ctx->size; + ctx->val = av_malloc_array(ctx->size, sizeof(*ctx->val)); if (!ctx->val) { From 078ea6ad6c65db9240dd85cb2d0b6ebcc1b34fd8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 11 May 2024 22:08:21 +0200 Subject: [PATCH 1616/1764] avcodec/mpeg4videodec: assert impossible wrap points Helps: CID1473517 Uninitialized scalar variable Helps: CID1473497 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 8fc649b931a3cbc3a2dd9b50b75a9261a2fb4b49) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 5174a3a1b6..79e1b2068f 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -341,6 +341,8 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; + default: + av_assert0(0); } /* try to simplify the situation */ if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && From 9f7302dd9419f9b20607d65199c37fc2bcd08171 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 12 May 2024 00:13:58 +0200 Subject: [PATCH 1617/1764] avcodec/mpegvideo_enc: Fix potential overflow in RD Fixes: CID1500285 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b6b2b01025e016ce29e5add57305384a663edcfc) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index ff16cd7d4a..ee245f2d97 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1570,7 +1570,7 @@ static int estimate_best_b_count(MpegEncContext *s) goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); } /* get the delayed frames */ @@ -1579,7 +1579,7 @@ static int estimate_best_b_count(MpegEncContext *s) ret = out_size; goto fail; } - rd += (out_size * lambda2) >> (FF_LAMBDA_SHIFT - 3); + rd += (out_size * (uint64_t)lambda2) >> (FF_LAMBDA_SHIFT - 3); rd += c->error[0] + c->error[1] + c->error[2]; From d99388d6c37a2103358e2a1062d2d6beac1f71e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 00:50:02 +0200 Subject: [PATCH 1618/1764] avdevice/dshow: fix badly indented line Signed-off-by: Michael Niedermayer (cherry picked from commit c4004605b2fa6e2ecbd1cfc2a1da382e4f5237a5) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index f2453e6114..16d1cc9993 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -777,7 +777,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, goto error; } } - if (ctx->device_filter[otherDevType]) { + if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { From aac5ed8cf76d2b57d8913a90901e6a40f4ee126f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 21:55:44 +0200 Subject: [PATCH 1619/1764] avutil/tests/dict: Check av_dict_set() before get for failure Failure is possible due to strdup() Fixes: CID1516764 Dereference null return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e8a1e1899d9ededd78f8ec4722fe80c345bbf8f7) Signed-off-by: Michael Niedermayer --- libavutil/tests/dict.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/tests/dict.c b/libavutil/tests/dict.c index 56e98557a7..4c526f72f4 100644 --- a/libavutil/tests/dict.c +++ b/libavutil/tests/dict.c @@ -122,12 +122,15 @@ int main(void) //valgrind sensible test printf("\nTesting av_dict_set() with existing AVDictionaryEntry.key as key\n"); - av_dict_set(&dict, "key", "old", 0); + if (av_dict_set(&dict, "key", "old", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); - av_dict_set(&dict, e->key, "new val OK", 0); + if (av_dict_set(&dict, e->key, "new val OK", 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); - av_dict_set(&dict, e->key, e->value, 0); + if (av_dict_set(&dict, e->key, e->value, 0) < 0) + return 1; e = av_dict_get(dict, "key", NULL, 0); printf("%s\n", e->value); av_dict_free(&dict); From ec14490da30bfabcb85b545047b3ae000bf235d0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 20 May 2024 22:52:38 +0200 Subject: [PATCH 1620/1764] avutil/tests/opt: Check av_set_options_string() for failure This is test code after all so it should test things Fixes: CID1518990 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e3481730ed9b3b781a0d85370826bcc57d601958) Signed-off-by: Michael Niedermayer --- libavutil/tests/opt.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavutil/tests/opt.c b/libavutil/tests/opt.c index 568eb45668..9bbb78ccda 100644 --- a/libavutil/tests/opt.c +++ b/libavutil/tests/opt.c @@ -171,6 +171,7 @@ int main(void) { TestContext test_ctx = { 0 }; char *buf; + int ret; test_ctx.class = &test_class; av_log_set_level(AV_LOG_QUIET); @@ -181,8 +182,10 @@ int main(void) av_opt_free(&test_ctx); memset(&test_ctx, 0, sizeof(test_ctx)); test_ctx.class = &test_class; - av_set_options_string(&test_ctx, buf, "=", ","); + ret = av_set_options_string(&test_ctx, buf, "=", ","); av_free(buf); + if (ret < 0) + printf("Error ret '%d'\n", ret); if (av_opt_serialize(&test_ctx, 0, 0, &buf, '=', ',') >= 0) { printf("%s\n", buf); av_free(buf); From b68c97fd870c45735a8618f3cfd8c8b249b175b5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 21 May 2024 01:35:08 +0200 Subject: [PATCH 1621/1764] swscale/yuv2rgb: Use 64bit for brightness computation This will not overflow for normal values Fixes: CID1500280 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bfc22f364d31d8f2dc2acae1bd03d5894a00b8c5) Signed-off-by: Michael Niedermayer --- libswscale/yuv2rgb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/yuv2rgb.c b/libswscale/yuv2rgb.c index 9b86c4c181..42ddecd24f 100644 --- a/libswscale/yuv2rgb.c +++ b/libswscale/yuv2rgb.c @@ -817,7 +817,7 @@ av_cold int ff_yuv2rgb_c_init_tables(SwsContext *c, const int inv_table[4], cbu = (cbu * contrast * saturation) >> 32; cgu = (cgu * contrast * saturation) >> 32; cgv = (cgv * contrast * saturation) >> 32; - oy -= 256 * brightness; + oy -= 256LL * brightness; c->uOffset = 0x0400040004000400LL; c->vOffset = 0x0400040004000400LL; From 3b5e8468fe6bbdcb78e46e1cc2f371a9b9a69bbc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 23 May 2024 01:51:53 +0200 Subject: [PATCH 1622/1764] avformat/ape: Use 64bit for final frame size Fixes: CID1505963 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a2b8d03347930c051358fcbbdc557e57e157d9c9) Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index c3cc7b6445..78ffdd3540 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -315,7 +315,7 @@ static int ape_read_header(AVFormatContext * s) final_size -= final_size & 3; } if (file_size <= 0 || final_size <= 0) - final_size = ape->finalframeblocks * 8; + final_size = ape->finalframeblocks * 8LL; ape->frames[ape->totalframes - 1].size = final_size; for (i = 0; i < ape->totalframes; i++) { From 8359c315c0ad88fd731ff9420e5540143da53c0f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:31 +0200 Subject: [PATCH 1623/1764] avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation This issue cannot happen with the current function parameters Fixes: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 847a53f264db0b22dcc5a23ca9ade71a627f1c6c) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 80b33bee79..44ef51bb6b 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -52,7 +52,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; } - err2 += (array[j] - ref[j]) * (array[j] - ref[j]); + err2 += (array[j] - ref[j]) * (int64_t)(array[j] - ref[j]); array[j] = ref[j]; } ff_dwt_destroy(s); From 9cdea8e1b73fa6f894d8ffeab8cce3a24cc20521 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 22:07:32 +0200 Subject: [PATCH 1624/1764] avcodec/tests/jpeg2000dwt: Use 64bit in comparission Found while reviewing: CID1500309 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 12391b732f811fc6e868be2f08dc188e508d2567) Signed-off-by: Michael Niedermayer --- libavcodec/tests/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/jpeg2000dwt.c b/libavcodec/tests/jpeg2000dwt.c index 44ef51bb6b..a6cf9f6824 100644 --- a/libavcodec/tests/jpeg2000dwt.c +++ b/libavcodec/tests/jpeg2000dwt.c @@ -47,7 +47,7 @@ static int test_dwt(int *array, int *ref, int border[2][2], int decomp_levels, i return 1; } for (j = 0; j max_diff) { + if (FFABS(array[j] - (int64_t)ref[j]) > max_diff) { fprintf(stderr, "missmatch at %d (%d != %d) decomp:%d border %d %d %d %d\n", j, array[j], ref[j],decomp_levels, border[0][0], border[0][1], border[1][0], border[1][1]); return 2; From 3f9d4fab41d57fa75eea78639efd4d1be5ae7e4e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 19 May 2024 04:49:15 +0200 Subject: [PATCH 1625/1764] avcodec/wavpackenc: Use unsigned for potential 31bit shift Fixes: CID1465481 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 6f976db251864ad698c935130370774783bf12f4) Signed-off-by: Michael Niedermayer --- libavcodec/wavpackenc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpackenc.c b/libavcodec/wavpackenc.c index bc896f15e5..ab5812baa5 100644 --- a/libavcodec/wavpackenc.c +++ b/libavcodec/wavpackenc.c @@ -1990,7 +1990,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); @@ -2019,7 +2019,7 @@ static void encode_flush(WavPackEncodeContext *s) put_bits(pb, 31, 0x7FFFFFFF); cbits -= 31; } else { - put_bits(pb, cbits, (1 << cbits) - 1); + put_bits(pb, cbits, (1U << cbits) - 1); cbits = 0; } } while (cbits); From afad059c7b447fe8f9f584b814cf26a62fe5d4a9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 17 May 2024 00:46:24 +0200 Subject: [PATCH 1626/1764] avcodec/tests/dct: Use 64bit in intermediate for error computation Fixes: CID1500284 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 161d0aa2a8d18f1f8a01cbc4c1061eadcbe592e5) Signed-off-by: Michael Niedermayer --- libavcodec/tests/dct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/tests/dct.c b/libavcodec/tests/dct.c index b44c66f427..a17f6c28fb 100644 --- a/libavcodec/tests/dct.c +++ b/libavcodec/tests/dct.c @@ -222,8 +222,8 @@ static int dct_error(const struct algo *dct, int test, int is_idct, int speed, c v = abs(err); if (v > err_inf) err_inf = v; - err2_matrix[i] += v * v; - err2 += v * v; + err2_matrix[i] += v * (int64_t)v; + err2 += v * (int64_t)v; sysErr[i] += block[i] - block1[i]; blockSumErr += v; if (abs(block[i]) > maxout) From 1bffffad5b0073ba63c4443a4ec23709caf4e05b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 1627/1764] avcodec/vp8: Check mutex init Fixes: CID1598556 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4ac7405aafb8e66dff2ac926f33b7ff755f224cf) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index bc0ba46014..92b759859a 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -191,7 +191,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) return AVERROR(ENOMEM); } #if HAVE_THREADS - pthread_mutex_init(&s->thread_data[i].lock, NULL); + ret = pthread_mutex_init(&s->thread_data[i].lock, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } pthread_cond_init(&s->thread_data[i].cond, NULL); #endif } From fb978f6ee473a63d14d4c9cb243d5dd108b56c2e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 23:50:40 +0200 Subject: [PATCH 1628/1764] avcodec/vp8: Check cond init Fixes: CID1598563 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9b76e49061a321467df23f7b1c8e8e715c8dec71) Signed-off-by: Michael Niedermayer --- libavcodec/vp8.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 92b759859a..1e45af2992 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -196,7 +196,11 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) free_buffers(s); return AVERROR(ret); } - pthread_cond_init(&s->thread_data[i].cond, NULL); + ret = pthread_cond_init(&s->thread_data[i].cond, NULL); + if (ret) { + free_buffers(s); + return AVERROR(ret); + } #endif } From 9722437217fabfc8bb645aed21b2590e5e7be7ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:07:40 +0200 Subject: [PATCH 1629/1764] avformat/sdp: Check before appending "," Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5b82852519e92a2b94de0f22da1a81df5b3e0412) Signed-off-by: Michael Niedermayer --- libavformat/sdp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sdp.c b/libavformat/sdp.c index 0242ca379c..f57c6e5b0a 100644 --- a/libavformat/sdp.c +++ b/libavformat/sdp.c @@ -195,6 +195,8 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) continue; } if (p != (psets + strlen(pset_string))) { + if (p - psets >= MAX_PSET_SIZE) + goto fail_in_loop; *p = ','; p++; } @@ -204,6 +206,7 @@ static char *extradata2psets(AVFormatContext *s, AVCodecParameters *par) } if (!av_base64_encode(p, MAX_PSET_SIZE - (p - psets), r, r1 - r)) { av_log(s, AV_LOG_ERROR, "Cannot Base64-encode %"PTRDIFF_SPECIFIER" %"PTRDIFF_SPECIFIER"!\n", MAX_PSET_SIZE - (p - psets), r1 - r); +fail_in_loop: av_free(psets); av_free(tmpbuf); From 296d2e6f3c994da3f9c8cf1f638e8e61d1fcfb08 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Apr 2024 00:53:51 +0200 Subject: [PATCH 1630/1764] fftools/cmdutils: Add protective () to FLAGS issue found while reviewing CID1452612 Free of array-typed value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d9b9fc4be26014eb7221d9bbc297a5323d5ad40b) Signed-off-by: Michael Niedermayer --- fftools/cmdutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index 3d428f3eea..ce0ce510e2 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -540,7 +540,7 @@ static const AVOption *opt_find(void *obj, const char *name, const char *unit, return o; } -#define FLAGS (o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0 +#define FLAGS ((o->type == AV_OPT_TYPE_FLAGS && (arg[0]=='-' || arg[0]=='+')) ? AV_DICT_APPEND : 0) int opt_default(void *optctx, const char *opt, const char *arg) { const AVOption *o; From 047d7dca52cc27969a1f2b91af6a55fbb838d9ec Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 00:28:16 +0200 Subject: [PATCH 1631/1764] avformat/img2dec: Move DQT after unrelated if() Fixes: CID1494636 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7d04c6016b0971fecb890d3a0afe4e6706a1a68e) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 2585634e7c..5f9f6d18d9 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -727,7 +727,6 @@ static int jpeg_probe(AVProbeData *p) return 0; state = EOI; break; - case DQT: case APP0: case APP1: case APP2: @@ -744,6 +743,7 @@ static int jpeg_probe(AVProbeData *p) case APP13: case APP14: case APP15: + case DQT: /* fallthrough */ case COM: i += AV_RB16(&b[i + 2]) + 1; break; From 4402b85c66f80f387a1e01c3d4bf6b89abb98150 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 3 Jun 2024 19:51:49 +0200 Subject: [PATCH 1632/1764] avfilter/vf_rotate: Check ff_draw_init2() return value Fixes: NULL pointer dereference Fixes: 3_343 Found-by: De3mond Signed-off-by: Michael Niedermayer (cherry picked from commit 9c9f095e30c196c0e3d510dc5300182ddb49a803) Signed-off-by: Michael Niedermayer --- libavfilter/vf_rotate.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_rotate.c b/libavfilter/vf_rotate.c index 371ff7f722..61a331f53a 100644 --- a/libavfilter/vf_rotate.c +++ b/libavfilter/vf_rotate.c @@ -295,7 +295,9 @@ static int config_props(AVFilterLink *outlink) double res; char *expr; - ff_draw_init(&rot->draw, inlink->format, 0); + ret = ff_draw_init(&rot->draw, inlink->format, 0); + if (ret < 0) + return ret; ff_draw_color(&rot->draw, &rot->color, rot->fillcolor); rot->hsub = pixdesc->log2_chroma_w; From 07154aa7fe2715789c24b1c4691d88adb3b48ee9 Mon Sep 17 00:00:00 2001 From: Lynne Date: Mon, 1 Jan 2024 00:00:00 +0000 Subject: [PATCH 1633/1764] configure: update copyright year (cherry picked from commit b95ee2ec5f84054de8bf6db9fe1b1119d569f269) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 1d591ae103..c8743b2477 100755 --- a/configure +++ b/configure @@ -7001,7 +7001,7 @@ cat > $TMPH < Date: Sun, 16 Jun 2024 22:32:03 +0200 Subject: [PATCH 1634/1764] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97ecfb5a193c43eef2e47b3e45afd3fc629c107d) Signed-off-by: Michael Niedermayer --- MAINTAINERS | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index fcff7884e2..784de19ee8 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -563,10 +563,12 @@ wm4 Releases ======== +7.0 Michael Niedermayer +6.1 Michael Niedermayer +5.1 Michael Niedermayer +4.4 Michael Niedermayer +3.4 Michael Niedermayer 2.8 Michael Niedermayer -2.7 Michael Niedermayer -2.6 Michael Niedermayer -2.5 Michael Niedermayer If you want to maintain an older release, please contact us From 4a2cf66d5c1cf4e9ea91d0b0e7b05b8401f3136f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:23 +0200 Subject: [PATCH 1635/1764] avcodec/snowenc: MV limits due to mv_penalty table size Fixes: out of array read Fixes: 69673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5476592894148608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9292aff320d7b5048b371b1babea2f9b3c4e69) Signed-off-by: Michael Niedermayer --- libavcodec/snowenc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/snowenc.c b/libavcodec/snowenc.c index 77d3221624..ac69484086 100644 --- a/libavcodec/snowenc.c +++ b/libavcodec/snowenc.c @@ -267,6 +267,7 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)); int s_context= 2*left->level + 2*top->level + tl->level + tr->level; int ref, best_ref, ref_score, ref_mx, ref_my; + int range = MAX_MV >> (1 + qpel); av_assert0(sizeof(s->block_state) >= 256); if(s->keyframe){ @@ -308,6 +309,11 @@ static int encode_q_branch(SnowContext *s, int level, int x, int y){ c->xmax = - (x+1)*block_w + (w<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; c->ymax = - (y+1)*block_w + (h<<(LOG2_MB_SIZE - s->block_max_depth)) + 16-3; + c->xmin = FFMAX(c->xmin,-range); + c->xmax = FFMIN(c->xmax, range); + c->ymin = FFMAX(c->ymin,-range); + c->ymax = FFMIN(c->ymax, range); + if(P_LEFT[0] > (c->xmax<xmax< (c->ymax<ymax< (c->xmax<xmax< Date: Tue, 18 Jun 2024 15:48:24 +0200 Subject: [PATCH 1636/1764] avcodec/jfdctint_template: Fewer integer anomalies Fixes: signed integer overflow: 105788 * -20995 cannot be represented in type 'int' Fixes: signed integer overflow: 923211729 + 2073948236 cannot be represented in type 'int' Fixes: signed integer overflow: 1281179284 + 2073948236 cannot be represented in type 'int' Fixes: 68975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6266769177116672 Fixes: 68997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-6284237161431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 228f255b5d9b839149cd53f0537ce76b068228ae) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 67fb77b5e1..2f4e28b3a3 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -69,7 +69,7 @@ #define GLOBAL(x) x #define RIGHT_SHIFT(x, n) ((x) >> (n)) #define MULTIPLY16C16(var,const) ((var)*(const)) -#define DESCALE(x,n) RIGHT_SHIFT((x) + (1 << ((n) - 1)), n) +#define DESCALE(x,n) RIGHT_SHIFT((int)(x) + (1 << ((n) - 1)), n) /* @@ -175,7 +175,7 @@ #if BITS_IN_JSAMPLE == 8 && CONST_BITS<=13 && PASS1_BITS<=2 #define MULTIPLY(var,const) MULTIPLY16C16(var,const) #else -#define MULTIPLY(var,const) ((var) * (const)) +#define MULTIPLY(var,const) (int)((var) * (unsigned)(const)) #endif @@ -261,7 +261,7 @@ FUNC(ff_jpeg_fdct_islow)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From 810d68262fd80b713e120815e2ede54c4c9056f7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 23:42:37 +0200 Subject: [PATCH 1637/1764] avcodec/r210enc: Use av_rescale for bitrate Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long' Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d34d4b6a7ce7fa72239c47d22ab6592d0687ac86) Signed-off-by: Michael Niedermayer --- libavcodec/r210enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c index a55e5434f3..e21960208a 100644 --- a/libavcodec/r210enc.c +++ b/libavcodec/r210enc.c @@ -31,7 +31,7 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->bits_per_coded_sample = 32; if (avctx->width > 0) - avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width; + avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width); return 0; } From 69a05f36c36f50d3d5d2c99a0bb8aca1e3f11ee7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 19:33:02 +0200 Subject: [PATCH 1638/1764] avcodec/targaenc: Allocate space for the palette Fixes: out of array access Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a7220bd5c1871827ee0edba14fc88f63173e169) Signed-off-by: Michael Niedermayer --- libavcodec/targaenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c index 79030a012b..e939b90414 100644 --- a/libavcodec/targaenc.c +++ b/libavcodec/targaenc.c @@ -21,6 +21,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -88,10 +89,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, TargaContext *s = avctx->priv_data; int bpp, picsize, datasize = -1, ret, i; uint8_t *out; + int maxpal = 32*32; picsize = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45, 0)) < 0) + if ((ret = ff_alloc_packet2(avctx, pkt, picsize + 45 + maxpal, 0)) < 0) return ret; /* zero out the header and only set applicable fields */ @@ -124,6 +126,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt, AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4)); } out += 32 * pal_bpp; /* skip past the palette we just output */ + av_assert0(32 * pal_bpp <= maxpal); break; } case AV_PIX_FMT_GRAY8: From 39d6c6e7f597c8aafece6bb24032fbd1685c7c61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:51:22 +0200 Subject: [PATCH 1639/1764] swscale/output: alpha can become negative after scaling, use multiply Fixes: left shift of negative value -3245 Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c5b6e865a6b1b9c3a471fc06143f11e69d71b) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 42fa46aa61..7d8a435839 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -946,8 +946,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -992,8 +992,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, Y2 += (1 << 13) - (1 << 29); if (hasAlpha) { - A1 = abuf0[i * 2 ] << 11; - A2 = abuf0[i * 2 + 1] << 11; + A1 = abuf0[i * 2 ] * (1 << 11); + A2 = abuf0[i * 2 + 1] * (1 << 11); A1 += 1 << 13; A2 += 1 << 13; @@ -1161,7 +1161,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } @@ -1194,7 +1194,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, Y += (1 << 13) - (1 << 29); if (hasAlpha) { - A = abuf0[i] << 11; + A = abuf0[i] * (1 << 11); A += 1 << 13; } From dd47be8438e2fdd6f89071ef5cca7a04c3b9178c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 16 Jun 2024 01:59:23 +0200 Subject: [PATCH 1640/1764] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Fixes: signed integer overflow: -140140 * 16525 cannot be represented in type 'int' Fixes: 68859/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4516387130245120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c221c7422f07f2245db5c4cdc958b42ca25eb2b7) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 7d8a435839..1c8289bd83 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1634,9 +1634,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c, Y -= c->yuv2rgb_y_offset; Y *= c->yuv2rgb_y_coeff; Y += 1 << 21; - R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff; - G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff; - B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff; + R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff; + G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff; + B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff; if ((R | G | B) & 0xC0000000) { R = av_clip_uintp2(R, 30); G = av_clip_uintp2(G, 30); From c5fe1087e3668fce252bd58c52f4110d0f3052d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 30 Jun 2024 22:23:06 +0200 Subject: [PATCH 1641/1764] fftools/ffmpeg: Check read() for failure Fixes: CID1591932 Ignoring number of bytes read Sponsored-by: Sovereign Tech Fund Reviewed-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 34fd247c3bf06418c1eaafacf0d6052e3bbe4f5e) Signed-off-by: Michael Niedermayer --- fftools/ffmpeg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index b07c086aa2..351e7f684a 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -443,8 +443,9 @@ static int read_key(void) } //Read it if(nchars != 0) { - read(0, &ch, 1); - return ch; + if (read(0, &ch, 1) == 1) + return ch; + return 0; }else{ return -1; } From dfe833c8be0be7df54644f9cdd7dd806b1bc83dd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 25 Mar 2024 03:13:50 +0100 Subject: [PATCH 1642/1764] avformat/mov: Check edit list for overflow Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848 Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2882d30e3acfc3155e2be11db653c7c721f94f34) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index d1956aca93..8bebf9d8d5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2916,6 +2916,10 @@ static int get_edit_list_entry(MOVContext *mov, } *edit_list_duration = av_rescale(*edit_list_duration, msc->time_scale, global_timescale); + + if (*edit_list_duration + (uint64_t)*edit_list_media_time > INT64_MAX) + *edit_list_duration = 0; + return 1; } From 91d1251821a9ee09aa19ca2d933adc96cd4a5d6e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 May 2024 04:15:50 +0200 Subject: [PATCH 1643/1764] avformat/img2dec: assert no pipe on ts_from_file Help coverity with CID1500302 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4824156fa06bd60b27f9f0673fbd6a3cfc780e56) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 5f9f6d18d9..9b4203bbb5 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -23,6 +23,7 @@ #define _DEFAULT_SOURCE #define _BSD_SOURCE #include +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/log.h" #include "libavutil/opt.h" @@ -465,6 +466,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) pkt->flags |= AV_PKT_FLAG_KEY; if (s->ts_from_file) { struct stat img_stat; + av_assert0(!s->is_pipe); // The ts_from_file option is not supported by piped input demuxers if (stat(filename, &img_stat)) { res = AVERROR(EIO); goto fail; From ccd2e6f76e662655a0b3bed9c404c3c5d35dab4d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:25 +0200 Subject: [PATCH 1644/1764] avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure Fixes: CID1591939 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 4c285bb2789667bcf014ede8b0ab06ebbbee833f) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index 16d1cc9993..b00df6585e 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -872,7 +872,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, av_log(avctx, AV_LOG_ERROR, "Could not create CaptureGraphBuilder2\n"); goto error; } - ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); + r = ICaptureGraphBuilder2_SetFiltergraph(graph_builder2, graph); if (r != S_OK) { av_log(avctx, AV_LOG_ERROR, "Could not set graph for CaptureGraphBuilder2\n"); goto error; From a8934f906ec25749d35e2f331a76d1f5025184ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 00:19:01 +0200 Subject: [PATCH 1645/1764] avformat/mpeg: Check len in mpegps_probe() Fixes: CID1473590 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit ca237a841e9e78ac02694124d81ff78c74b0bf72) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index b3daaaf637..ce934a4739 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -78,6 +78,9 @@ static int mpegps_probe(AVProbeData *p) int pes = endpes <= i && check_pes(p->buf + i, p->buf + p->buf_size); int pack = check_pack_header(p->buf + i); + if (len > INT_MAX - i) + break; + if (code == SYSTEM_HEADER_START_CODE) sys++; else if (code == PACK_START_CODE && pack) From 7d11ca16481718fa09cdefb3f6d74846beb8e4ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 01:50:00 +0200 Subject: [PATCH 1646/1764] avformat/rdt: Check pkt_len Fixes: CID1473553 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0d0373de3bc6aa6fa5c71247191afccfaf20723d) Signed-off-by: Michael Niedermayer --- libavformat/rdt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rdt.c b/libavformat/rdt.c index b69827fcbf..afe05a31ae 100644 --- a/libavformat/rdt.c +++ b/libavformat/rdt.c @@ -204,6 +204,8 @@ ff_rdt_parse_header(const uint8_t *buf, int len, return -1; /* not followed by a data packet */ pkt_len = AV_RB16(buf+3); + if (pkt_len > len) + return AVERROR_INVALIDDATA; buf += pkt_len; len -= pkt_len; consumed += pkt_len; From 7036d7a8c72533e7e0412aa632d920745d32d6c2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 11 Jun 2024 23:43:37 +0200 Subject: [PATCH 1647/1764] avfilter/vf_avgblur: Check plane instead of AVFrame Fixes: CID1551694 Use after free (false positive based on assuming that out == in and one is freed and one used) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c296d4fdec198a32ea3995e312cede7be83352c7) Signed-off-by: Michael Niedermayer --- libavfilter/vf_avgblur.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_avgblur.c b/libavfilter/vf_avgblur.c index 3e268bb6ee..81321e1efd 100644 --- a/libavfilter/vf_avgblur.c +++ b/libavfilter/vf_avgblur.c @@ -273,7 +273,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) const int width = s->planewidth[plane]; if (!(s->planes & (1 << plane))) { - if (out != in) + if (out->data[plane] != in->data[plane]) av_image_copy_plane(out->data[plane], out->linesize[plane], in->data[plane], in->linesize[plane], width * ((s->depth + 7) / 8), height); From 529aecc37b19a6946214ead04fe5cf6ea57adf56 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 1 Jul 2024 23:18:47 +0200 Subject: [PATCH 1648/1764] tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() Signed-off-by: Michael Niedermayer (cherry picked from commit 380a8213b165d1fda419c566241d2641cb6f5c3c) Signed-off-by: Michael Niedermayer --- tools/coverity.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/coverity.c b/tools/coverity.c index 19a132a976..541e108238 100644 --- a/tools/coverity.c +++ b/tools/coverity.c @@ -31,6 +31,17 @@ #define NULL (void *)0 +typedef long long int64_t; + +enum AVRounding { + AV_ROUND_ZERO = 0, + AV_ROUND_INF = 1, + AV_ROUND_DOWN = 2, + AV_ROUND_UP = 3, + AV_ROUND_NEAR_INF = 5, + AV_ROUND_PASS_MINMAX = 8192, +}; + // Based on https://scan.coverity.com/models void *av_malloc(size_t size) { int has_memory; @@ -77,3 +88,10 @@ void *av_free(void *ptr) { __coverity_mark_as_afm_freed__(ptr, "av_free"); } + +int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) { + __coverity_negative_sink__(b); + __coverity_negative_sink__(c); + + return (double)a * (double)b / (double)c; +} From 5f93a294c1f8f0ebcb8cbd6a80d351887be1105f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 10 Jun 2024 23:41:07 +0200 Subject: [PATCH 1649/1764] avfilter/af_pan: check nb_output_channels before use Fixes: CID1500281 Out-of-bounds write Fixes: CID1500331 Out-of-bounds write Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 5fe8bf4aa51350b14d0babd47b0314232e703caf) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index d8a63a7952..fb91acc3c6 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -125,6 +125,14 @@ static av_cold int init(AVFilterContext *ctx) if (ret < 0) goto fail; + if (pan->nb_output_channels > MAX_CHANNELS) { + av_log(ctx, AV_LOG_ERROR, + "af_pan supports a maximum of %d channels. " + "Feel free to ask for a higher limit.\n", MAX_CHANNELS); + ret = AVERROR_PATCHWELCOME; + goto fail; + } + /* parse channel specifications */ while ((arg = arg0 = av_strtok(NULL, "|", &tokenizer))) { /* channel name */ From faec74ed04a586fe85bc1c078b358aac118da493 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 10:17:42 +0200 Subject: [PATCH 1650/1764] avformat/rtpenc_vc2hq: Check sizes Fixes: CID1452585 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7a9ddb705152d5090d2cb815f905bf592cc487f5) Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_vc2hq.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rtpenc_vc2hq.c b/libavformat/rtpenc_vc2hq.c index 085204fa64..cf548191d2 100644 --- a/libavformat/rtpenc_vc2hq.c +++ b/libavformat/rtpenc_vc2hq.c @@ -45,7 +45,7 @@ static void send_packet(AVFormatContext *ctx, uint8_t parse_code, int info_hdr_s ff_rtp_send_data(ctx, rtp_ctx->buf, RTP_VC2HQ_PL_HEADER_SIZE + info_hdr_size + size, rtp_m); } -static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) +static int send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int interlaced) { RTPMuxContext *rtp_ctx = ctx->priv_data; GetBitContext gc; @@ -54,6 +54,9 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int uint16_t frag_len; char *info_hdr = &rtp_ctx->buf[4]; + if (size < DIRAC_PIC_NR_SIZE) + return AVERROR(EINVAL); + pic_nr = AV_RB32(&buf[0]); buf += DIRAC_PIC_NR_SIZE; size -= DIRAC_PIC_NR_SIZE; @@ -97,6 +100,7 @@ static void send_picture(AVFormatContext *ctx, const uint8_t *buf, int size, int send_packet(ctx, DIRAC_RTP_PCODE_HQ_PIC_FRAGMENT, 16, buf, frag_len, interlaced, second_field, size > 0 ? 0 : 1); buf += frag_len; } + return 0; } void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame_size, int interlaced) @@ -110,16 +114,21 @@ void ff_rtp_send_vc2hq(AVFormatContext *ctx, const uint8_t *frame_buf, int frame parse_code = unit[4]; unit_size = AV_RB32(&unit[5]); + if (unit_size > end - unit) + break; + switch (parse_code) { /* sequence header */ /* end of sequence */ case DIRAC_PCODE_SEQ_HEADER: case DIRAC_PCODE_END_SEQ: - send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_packet(ctx, parse_code, 0, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, 0, 0, 0); break; /* HQ picture */ case DIRAC_PCODE_PICTURE_HQ: - send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); + if (unit_size >= DIRAC_DATA_UNIT_HEADER_SIZE) + send_picture(ctx, unit + DIRAC_DATA_UNIT_HEADER_SIZE, unit_size - DIRAC_DATA_UNIT_HEADER_SIZE, interlaced); break; /* parse codes without specification */ case DIRAC_PCODE_AUX: From cfd06ff4fec90f0ebcf9ade8bb47cbcc5ff5dd26 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:23:47 +0200 Subject: [PATCH 1651/1764] avformat/rtsp: use < 0 for error check Found while reviewing CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9bb38ba2b782cdb6052ddcb415ef1554b0462401) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 9532155c74..52b4c7b7a6 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1382,7 +1382,7 @@ retry: cur_auth_type = rt->auth_state.auth_type; if ((ret = rtsp_send_cmd_with_content_async(s, method, url, header, send_content, - send_content_length))) + send_content_length)) < 0) return ret; if ((ret = ff_rtsp_read_reply(s, reply, content_ptr, 0, method) ) < 0) From 3112c5043934d79e5f7cbac350eae3452c9e53c3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 18:28:49 +0200 Subject: [PATCH 1652/1764] avformat/rtsp: initialize reply1 It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases but there are code paths like "continue" which look like they could skip it but even if not writing this so a complex loop after several layers of calls initialized a local variable through a pointer is just bad design. This patch simply initialized the variable. Fixes: CID1473532 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 498ce4e8b82e2312690613df45f87e592dcb91a9) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 52b4c7b7a6..d4e9fe4730 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1415,6 +1415,8 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, char cmd[2048]; const char *trans_pref; + memset(&reply1, 0, sizeof(reply1)); + if (rt->transport == RTSP_TRANSPORT_RDT) trans_pref = "x-pn-tng"; else if (rt->transport == RTSP_TRANSPORT_RAW) From 64d201f9139428770529aac21f6d7f3d52575dbe Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 19:43:15 +0200 Subject: [PATCH 1653/1764] avformat/rtsp: Check that lower transport is handled in one of the if() Fixes: CID1473554 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8200d382503f5fd839a72af7ba93d53880ad4b7) Signed-off-by: Michael Niedermayer --- libavformat/rtsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index d4e9fe4730..1d55f22ea2 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1527,7 +1527,11 @@ int ff_rtsp_make_setup_request(AVFormatContext *s, const char *host, int port, else if (lower_transport == RTSP_LOWER_TRANSPORT_UDP_MULTICAST) { snprintf(transport, sizeof(transport) - 1, "%s/UDP;multicast", trans_pref); + } else { + err = AVERROR(EINVAL); + goto fail; // transport would be uninitialized } + if (s->oformat) { av_strlcat(transport, ";mode=record", sizeof(transport)); } else if (rt->server_type == RTSP_SERVER_REAL || From 32a4930fd31ce32e9f9e904e66dcfcd0b5614900 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Jun 2024 20:46:28 +0200 Subject: [PATCH 1654/1764] avformat/subfile: Assert that whence is a known case This may help CID1452449 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 426d8c84c37064eef93bbcfaffd886d00a9a4ee8) Signed-off-by: Michael Niedermayer --- libavformat/subfile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/subfile.c b/libavformat/subfile.c index 497cf85211..2048da1bc7 100644 --- a/libavformat/subfile.c +++ b/libavformat/subfile.c @@ -128,6 +128,8 @@ static int64_t subfile_seek(URLContext *h, int64_t pos, int whence) case SEEK_END: new_pos = c->end + c->pos; break; + default: + av_assert0(0); } if (new_pos < c->start) return AVERROR(EINVAL); From cba83cd8a543ef85f24babd584c50db9939a7083 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 00:09:24 +0200 Subject: [PATCH 1655/1764] avformat/tls_schannel: Initialize ret Fixes: CID1591881 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f022afea77ced5067f511530dd8ff137967db1d9) Signed-off-by: Michael Niedermayer --- libavformat/tls_schannel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/tls_schannel.c b/libavformat/tls_schannel.c index b53a36aaac..94cbcebd60 100644 --- a/libavformat/tls_schannel.c +++ b/libavformat/tls_schannel.c @@ -389,7 +389,7 @@ static int tls_read(URLContext *h, uint8_t *buf, int len) SECURITY_STATUS sspi_ret = SEC_E_OK; SecBuffer inbuf[4]; SecBufferDesc inbuf_desc; - int size, ret; + int size, ret = 0; int min_enc_buf_size = len + SCHANNEL_FREE_BUFFER_SIZE; /* If we have some left-over data from previous network activity, From 199b3e3093fb9a1c6b7c63fe091b657a83bddcc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:41 +0200 Subject: [PATCH 1656/1764] avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor Fixes: CID1591909 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 698ed0d5a5a3a1219179facb5538eea463fae13f) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_d3d11va.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_d3d11va.c b/libavutil/hwcontext_d3d11va.c index 52683b92cd..1524c886d0 100644 --- a/libavutil/hwcontext_d3d11va.c +++ b/libavutil/hwcontext_d3d11va.c @@ -137,7 +137,7 @@ static AVBufferRef *wrap_texture_buf(ID3D11Texture2D *tex, int index) desc->texture = tex; desc->index = index; - buf = av_buffer_create((uint8_t *)desc, sizeof(desc), free_texture, tex, 0); + buf = av_buffer_create((uint8_t *)desc, sizeof(*desc), free_texture, tex, 0); if (!buf) { ID3D11Texture2D_Release(tex); av_free(desc); From 1b9e394ab1a978866ed8aded3bab851b33815f8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Jun 2024 17:47:43 +0200 Subject: [PATCH 1657/1764] avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 Fixes: CID1591944 Wrong sizeof argument Sponsored-by: Sovereign Tech Fund Reviewed-by: Steve Lhomme Signed-off-by: Michael Niedermayer (cherry picked from commit 628ba061c8d5ae018c3e8aa8ce05b8dfcdfd8410) Signed-off-by: Michael Niedermayer --- libavutil/hwcontext_dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/hwcontext_dxva2.c b/libavutil/hwcontext_dxva2.c index 665c2d6d74..d426119259 100644 --- a/libavutil/hwcontext_dxva2.c +++ b/libavutil/hwcontext_dxva2.c @@ -137,7 +137,7 @@ static AVBufferRef *dxva2_pool_alloc(void *opaque, int size) if (s->nb_surfaces_used < hwctx->nb_surfaces) { s->nb_surfaces_used++; return av_buffer_create((uint8_t*)s->surfaces_internal[s->nb_surfaces_used - 1], - sizeof(*hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); + sizeof(**hwctx->surfaces), dxva2_pool_release_dummy, 0, 0); } return NULL; From 8716ce6c2070e929224542513a21ff5a7d8ae8fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 21:57:40 +0200 Subject: [PATCH 1658/1764] avformat/rmdec: use 64bit for audio_framesize checks It is not entirely clear what would prevent such overflow so even if it is not possible, it is better to use 64bit Fixes: CID1491898 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 665be4fa2f47910bf85a6f17b6cac9dabc6591f0) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index c89fba4e7f..bf1f8681d1 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -272,9 +272,9 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2LL + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2LL*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } From f6c9f94998e937e3322740163a795bafd9b42165 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Jun 2024 23:05:47 +0200 Subject: [PATCH 1659/1764] avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly Found while reviewing: CID1530313 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cedbef03946625bc0f7f96e9f77ad59c512b9900) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 1eeae17337..64e014aa19 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -437,7 +437,6 @@ static int amf_tag_skip(GetByteContext *gb) { AMFDataType type; unsigned nb = -1; - int parse_key = 1; if (bytestream2_get_bytes_left(gb) < 1) return -1; @@ -462,13 +461,12 @@ static int amf_tag_skip(GetByteContext *gb) bytestream2_skip(gb, 10); return 0; case AMF_DATA_TYPE_ARRAY: - parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: - while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { + while (type != AMF_DATA_TYPE_ARRAY || nb-- > 0) { int t; - if (parse_key) { + if (type != AMF_DATA_TYPE_ARRAY) { int size = bytestream2_get_be16(gb); if (!size) { bytestream2_get_byte(gb); From 0a4c165f410edf4cbceff03443b368ca1c93a195 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 18 Jun 2024 15:48:26 +0200 Subject: [PATCH 1660/1764] avcodec/proresenc_kostya: use unsigned alpha for rotation Fixes: left shift of negative value -208 Fixes: 69073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-4745020002336768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93e0265e27e6dd567812a8661988109421c5447a) Signed-off-by: Michael Niedermayer --- libavcodec/proresenc_kostya.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index a3a52de440..7521f21691 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -305,7 +305,7 @@ static void get_slice_data(ProresContext *ctx, const uint16_t *src, static void get_alpha_data(ProresContext *ctx, const uint16_t *src, ptrdiff_t linesize, int x, int y, int w, int h, - int16_t *blocks, int mbs_per_slice, int abits) + uint16_t *blocks, int mbs_per_slice, int abits) { const int slice_width = 16 * mbs_per_slice; int i, j, copy_w, copy_h; From 515c20cbf15e662ef148f959b6b63726c216fe8b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Jul 2024 17:49:56 +0200 Subject: [PATCH 1661/1764] avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit width and height > 32bit is not supported and its easier to check in a central place Signed-off-by: Michael Niedermayer (cherry picked from commit ba63e329572b74207045fd82c93fcc0fa0479bc4) Signed-off-by: Michael Niedermayer --- libavutil/imgutils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 4f3cf86dca..8e785c8464 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -261,7 +261,7 @@ int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enu stride = 8LL*w; stride += 128*8; - if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) { + if (w==0 || h==0 || w > INT32_MAX || h > INT32_MAX || stride >= INT_MAX || stride*(h + 128ULL) >= INT_MAX) { av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h); return AVERROR(EINVAL); } From 22924742c921947c63b80516a465e80c43f1e86d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:42 +0200 Subject: [PATCH 1662/1764] avcodec/xsubdec: Check parse_timecode() Fixes: CID1604490 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 96fd9417e250540f228d1ad5b43a77c120208eba) Signed-off-by: Michael Niedermayer --- libavcodec/xsubdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/xsubdec.c b/libavcodec/xsubdec.c index 05c4a64ee5..569eb4e0ce 100644 --- a/libavcodec/xsubdec.c +++ b/libavcodec/xsubdec.c @@ -57,6 +57,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, int64_t packet_time = 0; GetBitContext gb; int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); + int64_t start_display_time, end_display_time; // check that at least header fits if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { @@ -71,8 +72,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (avpkt->pts != AV_NOPTS_VALUE) packet_time = av_rescale_q(avpkt->pts, AV_TIME_BASE_Q, (AVRational){1, 1000}); - sub->start_display_time = parse_timecode(buf + 1, packet_time); - sub->end_display_time = parse_timecode(buf + 14, packet_time); + + sub->start_display_time = start_display_time = parse_timecode(buf + 1, packet_time); + sub->end_display_time = end_display_time = parse_timecode(buf + 14, packet_time); + if (sub->start_display_time != start_display_time || + sub-> end_display_time != end_display_time) { + av_log(avctx, AV_LOG_ERROR, "time code not representable in 32bit\n"); + return -1; + } buf += 27; // read header From 158f48acab920003b1115bbd944a79201fbb51ad Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:45 +0200 Subject: [PATCH 1663/1764] avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() Found while reviewing code related to CID1604409 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 7cf5b83f6fa367f99aefc1321bafc0a7e8db33cd) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 06f5c69960..4d222da6de 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -303,6 +303,8 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, /** * read unsigned golomb rice code (jpegls). + * + * @returns -1 on error */ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int esc_len) @@ -380,6 +382,8 @@ static inline int get_sr_golomb(GetBitContext *gb, int k, int limit, /** * read signed golomb rice code (flac). + * + * @returns INT_MIN on error */ static inline int get_sr_golomb_flac(GetBitContext *gb, int k, int limit, int esc_len) From f44ba23251cf3733f7174010c8fc1d4480b7953a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:46 +0200 Subject: [PATCH 1664/1764] avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() Found by code review related to CID1604563 Overflowed return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b2aaeb81f65aaa61238d74a77034b118055340d3) Signed-off-by: Michael Niedermayer --- libavcodec/golomb.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index 4d222da6de..86bffa09bc 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -282,6 +282,7 @@ static inline int get_ur_golomb(GetBitContext *gb, int k, int limit, log = av_log2(buf); if (log > 31 - limit) { + av_assert2(log >= k); buf >>= log - k; buf += (30U - log) << k; LAST_SKIP_BITS(re, gb, 32 + k - log); From fb924d8bc151d90db3d49cbb3a7528ddc87b1f9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:48 +0200 Subject: [PATCH 1665/1764] avcodec/iff: Use signed count This is more a style fix than a bugfix (CID1604392 Overflowed constant) Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cfe66dfebb8a1e1394bcf834b6cc785f280ccecf) Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index dbd51cb895..40584d8941 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -583,7 +583,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, GetByteContext *gb) { GetByteContext cmds; - unsigned count; + int count; int i, y_pos = 0, x_pos = 0; if (bytestream2_get_be32(gb) != MKBETAG('V', 'D', 'A', 'T')) @@ -591,7 +591,7 @@ static int decode_byterun2(uint8_t *dst, int height, int line_size, bytestream2_skip(gb, 4); count = bytestream2_get_be16(gb) - 2; - if (bytestream2_get_bytes_left(gb) < count) + if (count < 0 || bytestream2_get_bytes_left(gb) < count) return 0; bytestream2_init(&cmds, gb->buffer, count); From adb8ef8bc6c3201f2c5b354346de16cbb8f0e4ce Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:51 +0200 Subject: [PATCH 1666/1764] avcodec/loco: check get_ur_golomb_jpegls() for failure Fixes: CID1604400 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b9899866418cb3bd930846271470e3096917f5f6) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index f9655c0bf5..28d0607502 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -89,10 +89,15 @@ static inline int loco_get_rice(RICEContext *r) return 0; } v = get_ur_golomb_jpegls(&r->gb, loco_get_rice_param(r), INT_MAX, 0); + if (v == -1) + return INT_MIN; loco_update_rice_param(r, (v + 1) >> 1); if (!v) { if (r->save >= 0) { - r->run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + int run = get_ur_golomb_jpegls(&r->gb, 2, INT_MAX, 0); + if (run == -1) + return INT_MIN; + r->run = run; if (r->run > 1) r->save += r->run + 1; else From 586115089888195a0378b67c6e66da958f0fabcc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:52 +0200 Subject: [PATCH 1667/1764] avcodec/loco: Check loco_get_rice() for failure Fixes: CID1604495 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit d55327684349b4db5d5905eefaa7d2aec597908d) Signed-off-by: Michael Niedermayer --- libavcodec/loco.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/loco.c b/libavcodec/loco.c index 28d0607502..ae2c1a44ce 100644 --- a/libavcodec/loco.c +++ b/libavcodec/loco.c @@ -154,6 +154,8 @@ static int loco_decode_plane(LOCOContext *l, uint8_t *data, int width, int heigh /* restore top left pixel */ val = loco_get_rice(&rc); + if (val == INT_MIN) + return AVERROR_INVALIDDATA; data[0] = 128 + val; /* restore top line */ for (i = 1; i < width; i++) { From dfc53db0d51932b86ee3a9b170215a28d5e25550 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:55 +0200 Subject: [PATCH 1668/1764] avcodec/motion_est: Fix score squaring overflow Fixes: CID1604552 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit f18b442370d714b930e3e983c2e5d789229f3356) Signed-off-by: Michael Niedermayer --- libavcodec/motion_est.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index ec3b6cfbba..13424886c0 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1462,7 +1462,7 @@ static inline int direct_search(MpegEncContext * s, int mb_x, int mb_y) s->b_direct_mv_table[mot_xy][0]= 0; s->b_direct_mv_table[mot_xy][1]= 0; - return 256*256*256*64; + return 256*256*256*64-1; } c->xmin= xmin; From ce0fc150ec11ace9c6526c78d29b2aff9bc7a93b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 5 Jul 2024 02:21:56 +0200 Subject: [PATCH 1669/1764] avcodec/pixlet: Simplify pfx computation Found by reviewing code related to CID1604365 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 0474614e6cf8edcd0077b95772c29fae894a7db9) Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 611a5cd200..5fc4ed97b7 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -228,8 +228,8 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, i if (cnt1 >= length) { cnt1 = get_bits(b, nbits); } else { - pfx = 14 + ((((uint64_t)(value - 14)) >> 32) & (value - 14)); - if (pfx < 1 || pfx > 25) + pfx = FFMIN(value, 14); + if (pfx < 1) return AVERROR_INVALIDDATA; cnt1 *= (1 << pfx) - 1; shbits = show_bits(b, pfx); From 0a57535109c8a1721566c4dcd9b249a6b54c3887 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 5 May 2024 01:51:59 +0200 Subject: [PATCH 1670/1764] avcodec/flac_parser: Assert that we do not overrun the link_penalty array Helps: CID1454676 Out-of-bounds read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 9af348bd1aa41ea10d6719c56ed2b4eda97642f3) Signed-off-by: Michael Niedermayer --- libavcodec/flac_parser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index db6765f34c..07b140cd90 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -367,6 +367,8 @@ static int check_header_mismatch(FLACParseContext *fpc, for (i = 0; i < FLAC_MAX_SEQUENTIAL_HEADERS && curr != child; i++) curr = curr->next; + av_assert0(i < FLAC_MAX_SEQUENTIAL_HEADERS); + if (header->link_penalty[i] < FLAC_HEADER_CRC_FAIL_PENALTY || header->link_penalty[i] == FLAC_HEADER_NOT_PENALIZED_YET) { FLACHeaderMarker *start, *end; From d3b625a5514cffbfdd986e9293cc0c24b6ed2c9f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:34:48 +0200 Subject: [PATCH 1671/1764] avdevice/dshow_filter: Use wcscpy_s() Fixes: CID1591929 Copy into fixed size buffer Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit daf61dddc8e27424c320d5c3abe3e0c5182cd5c0) Signed-off-by: Michael Niedermayer --- libavdevice/dshow_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow_filter.c b/libavdevice/dshow_filter.c index db4bff60f8..7be560ca61 100644 --- a/libavdevice/dshow_filter.c +++ b/libavdevice/dshow_filter.c @@ -146,7 +146,7 @@ libAVFilter_JoinFilterGraph(libAVFilter *this, IFilterGraph *graph, this->info.pGraph = graph; if (name) - wcscpy(this->info.achName, name); + wcscpy_s(this->info.achName, sizeof(this->info.achName) / sizeof(wchar_t), name); return S_OK; } From d71876ec5cb07f99fb378df1f6fd95047eefb3b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 27 May 2024 01:52:24 +0200 Subject: [PATCH 1672/1764] avdevice/dshow: Check device_filter_unique_name before use Fixes: CID1591931 Explicit null dereferenced Sponsored-by: Sovereign Tech Fund Reviewed-by: Roger Pack Signed-off-by: Michael Niedermayer (cherry picked from commit 175c19166824bd93b02f60c5178365014212366e) Signed-off-by: Michael Niedermayer --- libavdevice/dshow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavdevice/dshow.c b/libavdevice/dshow.c index b00df6585e..8c7f71e0e7 100644 --- a/libavdevice/dshow.c +++ b/libavdevice/dshow.c @@ -780,7 +780,7 @@ dshow_open_device(AVFormatContext *avctx, ICreateDevEnum *devenum, if (ctx->device_filter[otherDevType]) { // avoid adding add two instances of the same device to the graph, one for video, one for audio // a few devices don't support this (could also do this check earlier to avoid double crossbars, etc. but they seem OK) - if (strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { + if (!device_filter_unique_name || strcmp(device_filter_unique_name, ctx->device_unique_name[otherDevType]) == 0) { av_log(avctx, AV_LOG_DEBUG, "reusing previous graph capture filter... %s\n", device_filter_unique_name); IBaseFilter_Release(device_filter); device_filter = ctx->device_filter[otherDevType]; From ecb722a6ec155fa6601dc0eea51cc3b9795b3e6c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 20 Jun 2024 00:44:08 +0200 Subject: [PATCH 1673/1764] avcodec/mpegvideo_enc: Do not duplicate pictures on shifting Fixes: out of array access Fixes: 69098/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-6107989688778752 Fixes: 69599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4848626296225792.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c8881cb3534b257d6e6539f563006599cd96b48) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index ee245f2d97..28b50cc5df 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1392,6 +1392,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) /* shift buffer entries */ for (i = flush_offset; i < MAX_PICTURE_COUNT /*s->encoding_delay + 1*/; i++) s->input_picture[i - flush_offset] = s->input_picture[i]; + for (int i = MAX_B_FRAMES + 1 - flush_offset; i <= MAX_B_FRAMES; i++) + s->input_picture[i] = NULL; s->input_picture[encoding_delay] = (Picture*) pic; From b34ec0c16df4be0aa0b8a1e7273af6a78b41264b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 22:43:22 +0200 Subject: [PATCH 1674/1764] avcodec/vc2enc: Fix overflows with storing large values Fixes: left shift of 1431634944 by 2 places cannot be represented in type 'int' Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 69061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6325700826038272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit af9935835335cae1ae5a4ec7fc14c1b5e25c1f2d) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 00d5847cdc..be64c1d6fb 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -187,7 +187,9 @@ typedef struct VC2EncContext { static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) { int i; - int pbits = 0, bits = 0, topbit = 1, maxval = 1; + int bits = 0; + unsigned topbit = 1, maxval = 1; + uint64_t pbits = 0; if (!val++) { put_bits(pb, 1, 1); @@ -204,12 +206,13 @@ static av_always_inline void put_vc2_ue_uint(PutBitContext *pb, uint32_t val) for (i = 0; i < bits; i++) { topbit >>= 1; + av_assert2(pbits <= UINT64_MAX>>3); pbits <<= 2; if (val & topbit) pbits |= 0x1; } - put_bits(pb, bits*2 + 1, (pbits << 1) | 1); + put_bits64(pb, bits*2 + 1, (pbits << 1) | 1); } static av_always_inline int count_vc2_ue_uint(uint32_t val) From e7724960d3a35d15e41b13f9900b4dbcdf023447 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 19 Jun 2024 23:55:01 +0200 Subject: [PATCH 1675/1764] avcodec/utvideoenc: Use unsigned shift to build flags Fixes: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 69083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-5608202363273216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 69e90491f15d8eef643f8dfd1b75805829496678) Signed-off-by: Michael Niedermayer --- libavcodec/utvideoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideoenc.c b/libavcodec/utvideoenc.c index 840742caf7..490604a44e 100644 --- a/libavcodec/utvideoenc.c +++ b/libavcodec/utvideoenc.c @@ -233,7 +233,7 @@ FF_ENABLE_DEPRECATION_WARNINGS * - Compression mode (none/huff) * And write the flags. */ - c->flags = (c->slices - 1) << 24; + c->flags = (c->slices - 1U) << 24; c->flags |= 0 << 11; // bit field to signal interlaced encoding mode c->flags |= c->compression; From 4d93064b958c6c5762090f3a239ebbea07ba31e4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 16 Jul 2024 23:44:04 +0200 Subject: [PATCH 1676/1764] swscale/output: Fix integer overflows in yuv2rgba64_X_c_template Fixes: signed integer overflow: -1082982400 + -1068681048 cannot be represented in type 'int' Fixes: 69995/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6285740271534080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcab9789ef750670277956e79736bca442aec2ff) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 1c8289bd83..cfc05512c5 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -786,8 +786,8 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, for (i = 0; i < ((dstW + 1) >> 1); i++) { int j; - int Y1 = -0x40000000; - int Y2 = -0x40000000; + unsigned Y1 = -0x40000000; + unsigned Y2 = -0x40000000; int U = -(128 << 23); // 19 int V = -(128 << 23); int R, G, B; @@ -815,9 +815,9 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, } // 8 bits: 12+15=27; 16 bits: 12+19=31 - Y1 >>= 14; // 10 + Y1 = (int)Y1 >> 14; // 10 Y1 += 0x10000; - Y2 >>= 14; + Y2 = (int)Y2 >> 14; Y2 += 0x10000; U >>= 14; V >>= 14; @@ -836,20 +836,20 @@ yuv2rgba64_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8 bits: 30 - 22 = 8 bits, 16 bits: 30 bits - 14 = 16 bits - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From a186a9a984a20034a7753e0844b7d8d406e23263 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 17:38:08 +0200 Subject: [PATCH 1677/1764] avformat/asfdec_o: Check size of index object We subtract 24 so it must be at least 24 Fixes: CID1604482 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 891bc070f0294e564a02f9a71f6591b6a62c90cc) Signed-off-by: Michael Niedermayer --- libavformat/asfdec_o.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 303ee71cd5..fab19d7f9f 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -981,6 +981,9 @@ static int asf_read_simple_index(AVFormatContext *s, const GUIDParseTable *g) int64_t offset; uint64_t size = avio_rl64(pb); + if (size < 24) + return AVERROR_INVALIDDATA; + // simple index objects should be ordered by stream number, this loop tries to find // the first not indexed video stream for (i = 0; i < asf->nb_streams; i++) { From 3155d06b198ea791c256714b537518d29d7645c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 18:40:46 +0200 Subject: [PATCH 1678/1764] avformat/hnm: Check *chunk_size Fixes: CID1604419 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 291356f58b8a1af491c692a89e6c4e70e9496f9d) Signed-off-by: Michael Niedermayer --- libavformat/hnm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/hnm.c b/libavformat/hnm.c index 9ad457ac83..1ffed1a9b5 100644 --- a/libavformat/hnm.c +++ b/libavformat/hnm.c @@ -141,6 +141,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) if (hnm->superchunk_remaining == 0) { /* parse next superchunk */ superchunk_size = avio_rl24(pb); + if (superchunk_size < 4) + return AVERROR_INVALIDDATA; avio_skip(pb, 1); hnm->superchunk_remaining = superchunk_size - 4; @@ -151,7 +153,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt) chunk_id = avio_rl16(pb); avio_skip(pb, 2); - if (chunk_size > hnm->superchunk_remaining || !chunk_size) { + if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) { av_log(s, AV_LOG_ERROR, "invalid chunk size: %"PRIu32", offset: %"PRId64"\n", chunk_size, avio_tell(pb)); From ed5a7a6c9ac34462f9536b90a6a918e6ce67e2dc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 19:29:14 +0200 Subject: [PATCH 1679/1764] avformat/mm: Check length Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 139bf412464e62a83984cd49093936dcaa7a0865) Signed-off-by: Michael Niedermayer --- libavformat/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mm.c b/libavformat/mm.c index de5f9d6161..8406517958 100644 --- a/libavformat/mm.c +++ b/libavformat/mm.c @@ -94,7 +94,7 @@ static int read_header(AVFormatContext *s) type = avio_rl16(pb); length = avio_rl32(pb); - if (type != MM_TYPE_HEADER) + if (type != MM_TYPE_HEADER || length < 10) return AVERROR_INVALIDDATA; /* read header */ From 7d0db1511c37c5cbee9eb1b449d41c07ba842cdc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:03:45 +0200 Subject: [PATCH 1680/1764] avformat/mov: Use 64bit for str_size We assign a 64bit variable to it before checking Fixes: CID1604544 Overflowed integer argument Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 046d069552f5c2824f36fcf95d409670208dc94b) Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8bebf9d8d5..d8b7922706 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -306,7 +306,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom) char *str = NULL; const char *key = NULL; uint16_t langcode = 0; - uint32_t data_type = 0, str_size, str_size_alloc; + uint32_t data_type = 0, str_size_alloc; + uint64_t str_size; int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL; int raw = 0; int num = 0; From 99ac5be16b87260764d435f8d3e874b61c5b5457 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:17:00 +0200 Subject: [PATCH 1681/1764] avformat/mp3dec; Check for avio_size() failure Fixes: CID1608710 Improper use of negative value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit bb936a1a720856a51c48bf907475daa8065920c9) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 7720a8c19f..4d2529cd31 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -121,9 +121,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration int fill_index = (mp3->usetoc || fast_seek) && duration > 0; if (!filesize && - !(filesize = avio_size(s->pb))) { + (filesize = avio_size(s->pb)) <= 0) { av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n"); fill_index = 0; + filesize = 0; } for (i = 0; i < XING_TOC_COUNT; i++) { From de4bb6d706976dcaeebc2f8d45220023fed370d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:20:53 +0200 Subject: [PATCH 1682/1764] avformat/mp3dec: Check header_filesize Fixes: CID1608714 Division or modulo by float zero Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit cea4dbc903eaf8cb7a4ea53b281deff495ff8fa0) Signed-off-by: Michael Niedermayer --- libavformat/mp3dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c index 4d2529cd31..2ddf8aa5ae 100644 --- a/libavformat/mp3dec.c +++ b/libavformat/mp3dec.c @@ -569,7 +569,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp, if (best_pos < 0) return best_pos; - if (mp3->is_cbr && ie == &ie1 && mp3->frames) { + if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) { int frame_duration = av_rescale(st->duration, 1, mp3->frames); ie1.timestamp = frame_duration * av_rescale(best_pos - s->internal->data_offset, mp3->frames, mp3->header_filesize); } From 99bf5d92de35fa8a93258aeff5faf7eb8663e93c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:29:10 +0200 Subject: [PATCH 1683/1764] avformat/nsvdec: Check asize for PCM Fixes: CID1604527 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit e83e24650489e63f6b31e8c72a973db6367947b9) Signed-off-by: Michael Niedermayer --- libavformat/nsvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 4ec0a0e488..0ddc60fb9e 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -603,7 +603,7 @@ null_chunk_retry: pkt = &nsv->ahead[NSV_ST_AUDIO]; /* read raw audio specific header on the first audio chunk... */ /* on ALL audio chunks ?? seems so! */ - if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { + if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) { uint8_t bps; uint8_t channels; uint16_t samplerate; From 3b356b312081f1094d90441e0a8af015c11289d3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:44:45 +0200 Subject: [PATCH 1684/1764] avformat/sapdec: Check ffurl_get_file_handle() for error Fixes: CID1604506 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 3e305a0e703843765d4dd7042092c3a38c0f97af) Signed-off-by: Michael Niedermayer --- libavformat/sapdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c index 522b38d10a..92857fee28 100644 --- a/libavformat/sapdec.c +++ b/libavformat/sapdec.c @@ -195,6 +195,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt) struct pollfd p = {fd, POLLIN, 0}; uint8_t recvbuf[RTP_MAX_PACKET_LENGTH]; + if (fd < 0) + return fd; + if (sap->eof) return AVERROR_EOF; From c0d4a0c726fcf7687f9af6d67091ef443e32b264 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:49:08 +0200 Subject: [PATCH 1685/1764] avformat/sauce: Check avio_size() for failure Fixes: CID1604592 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 759aae590c0298414db4d2925a33b084d7f9e7f9) Signed-off-by: Michael Niedermayer --- libavformat/sauce.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/sauce.c b/libavformat/sauce.c index 5ac9ca9d14..a9ee9697a3 100644 --- a/libavformat/sauce.c +++ b/libavformat/sauce.c @@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g AVIOContext *pb = avctx->pb; char buf[36]; int datatype, filetype, t1, t2, nb_comments; - uint64_t start_pos = avio_size(pb) - 128; + int64_t start_pos = avio_size(pb); + + if (start_pos < 128) + return AVERROR_INVALIDDATA; + + start_pos -= 128; avio_seek(pb, start_pos, SEEK_SET); if (avio_read(pb, buf, 7) != 7) From 4ead93ffea0529fb1f66cf02ead56f96311cfc73 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 20:58:21 +0200 Subject: [PATCH 1686/1764] avformat/siff: Basic pkt_size check Fixes: half of CID1258461 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 124a97dd8b7636fb52e042b2e85a44cce40ab5e7) Signed-off-by: Michael Niedermayer --- libavformat/siff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/siff.c b/libavformat/siff.c index e4da95ee0b..9f7c004df5 100644 --- a/libavformat/siff.c +++ b/libavformat/siff.c @@ -198,7 +198,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt) if (c->cur_frame >= c->frames) return AVERROR_EOF; if (c->curstrm == -1) { - c->pktsize = avio_rl32(s->pb) - 4; + unsigned pktsize = avio_rl32(s->pb); + if (pktsize < 4) + return AVERROR_INVALIDDATA; + c->pktsize = pktsize - 4; c->flags = avio_rl16(s->pb); if (c->flags & VB_HAS_AUDIO && !c->has_audio) return AVERROR_INVALIDDATA; From 09d35aec7fc333335aac8a00c718c32481d0d2b9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 21:05:20 +0200 Subject: [PATCH 1687/1764] avformat/tty: Check avio_size() Fixes: CID1220824 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 41745e550a0274571bd9fbfb12b36ff1743d4e9c) Signed-off-by: Michael Niedermayer --- libavformat/tty.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/tty.c b/libavformat/tty.c index 60f7e9f87e..954aafe33b 100644 --- a/libavformat/tty.c +++ b/libavformat/tty.c @@ -113,13 +113,16 @@ static int read_header(AVFormatContext *avctx) s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1); if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) { - s->fsize = avio_size(avctx->pb); - st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; + int64_t fsize = avio_size(avctx->pb); + if (fsize > 0) { + s->fsize = fsize; + st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame; - if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) - efi_read(avctx, s->fsize - 51); + if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0) + efi_read(avctx, s->fsize - 51); - avio_seek(avctx->pb, 0, SEEK_SET); + avio_seek(avctx->pb, 0, SEEK_SET); + } } fail: From 507f99363561a13d02817a026e32b4809d30d447 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:37:54 +0200 Subject: [PATCH 1688/1764] avformat/xmv: Check this_packet_size Fixes: CID1604489 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 696685df0ccf437083d15f40358a6ec86f5748ac) Signed-off-by: Michael Niedermayer --- libavformat/xmv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/xmv.c b/libavformat/xmv.c index 96c7f0372c..ee713f5cab 100644 --- a/libavformat/xmv.c +++ b/libavformat/xmv.c @@ -223,6 +223,8 @@ static int xmv_read_header(AVFormatContext *s) /* Initialize the packet context */ xmv->next_packet_offset = avio_tell(pb); + if (this_packet_size < xmv->next_packet_offset) + return AVERROR_INVALIDDATA; xmv->next_packet_size = this_packet_size - xmv->next_packet_offset; xmv->stream_count = xmv->audio_track_count + 1; From ddab39d1ff3e9db5a7c8454e0a6c6001214f4448 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 22:55:31 +0200 Subject: [PATCH 1689/1764] avutil/buffer: Check ff_mutex_init() for failure Fixes: CID1604487 Unchecked return value Fixes: CID1604494 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 82f5b20ff5be4fccbf42f4b90f155db0076c0462) Signed-off-by: Michael Niedermayer --- libavutil/buffer.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavutil/buffer.c b/libavutil/buffer.c index 8d1aa5fa84..7884dbf053 100644 --- a/libavutil/buffer.c +++ b/libavutil/buffer.c @@ -223,7 +223,10 @@ AVBufferPool *av_buffer_pool_init2(int size, void *opaque, if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->opaque = opaque; @@ -241,7 +244,10 @@ AVBufferPool *av_buffer_pool_init(int size, AVBufferRef* (*alloc)(int size)) if (!pool) return NULL; - ff_mutex_init(&pool->mutex, NULL); + if (ff_mutex_init(&pool->mutex, NULL)) { + av_free(pool); + return NULL; + } pool->size = size; pool->alloc = alloc ? alloc : av_buffer_alloc; From 98f0ceb4e91edf3e70d5d94db3698c36eef45ea6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:04:42 +0200 Subject: [PATCH 1690/1764] avutil/frame: Check log2_crop_align Fixes: CID1604586 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 15540b3d28676d5e797764a04f6681dcd01736f8) Signed-off-by: Michael Niedermayer --- libavutil/frame.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/frame.c b/libavutil/frame.c index d5fd2932e3..bc614ae3fd 100644 --- a/libavutil/frame.c +++ b/libavutil/frame.c @@ -867,7 +867,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags) if (log2_crop_align < min_log2_align) return AVERROR_BUG; - if (min_log2_align < 5) { + if (min_log2_align < 5 && log2_crop_align != INT_MAX) { frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1); calc_cropping_offsets(offsets, frame, desc); } From 8bc12fa45fffb0be2da4a4dab6840ca84aa6a45a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Jul 2024 23:27:34 +0200 Subject: [PATCH 1691/1764] avutil/slicethread: Check pthread_*_init() for failure Fixes: CID1604383 Unchecked return value Fixes: CID1604439 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 23851c9ee0f231122c58955e795e17cfe8ca5d98) Signed-off-by: Michael Niedermayer --- libavutil/slicethread.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c index c43f87a2aa..13687bfac0 100644 --- a/libavutil/slicethread.c +++ b/libavutil/slicethread.c @@ -98,6 +98,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, { AVSliceThread *ctx; int nb_workers, i; + int ret; #if HAVE_W32THREADS w32thread_init(); @@ -135,16 +136,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv, atomic_init(&ctx->first_job, 0); atomic_init(&ctx->current_job, 0); - pthread_mutex_init(&ctx->done_mutex, NULL); - pthread_cond_init(&ctx->done_cond, NULL); + ret = pthread_mutex_init(&ctx->done_mutex, NULL); + if (ret) { + av_freep(&ctx->workers); + av_freep(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&ctx->done_cond, NULL); + if (ret) { + ctx->nb_threads = main_func ? 0 : 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } ctx->done = 0; for (i = 0; i < nb_workers; i++) { WorkerContext *w = &ctx->workers[i]; int ret; w->ctx = ctx; - pthread_mutex_init(&w->mutex, NULL); - pthread_cond_init(&w->cond, NULL); + ret = pthread_mutex_init(&w->mutex, NULL); + if (ret) { + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } + ret = pthread_cond_init(&w->cond, NULL); + if (ret) { + pthread_mutex_destroy(&w->mutex); + ctx->nb_threads = main_func ? i : i + 1; + avpriv_slicethread_free(pctx); + return AVERROR(ret); + } pthread_mutex_lock(&w->mutex); w->done = 0; From ec4f24805ea67fbf6aa35bd4fee8c32c76631d11 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 23 Jun 2024 23:17:24 +0200 Subject: [PATCH 1692/1764] avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices An alternative would be to leave the context unchanged on failure of hls_slice_header() Fixes: out of array access Fixes: NULL pointer dereference Fixes: 69584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5931086299856896 Fixes: 69724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5104066422702080 Fixes: 70422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5908731129298944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5d9544cfb03d8597aa2b0037def3a4679949cec6) Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index dc2f4f74ff..3310dd16cd 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -536,6 +536,10 @@ static int hls_slice_header(HEVCContext *s) if (s->ps.pps->dependent_slice_segments_enabled_flag) sh->dependent_slice_segment_flag = get_bits1(gb); + if (sh->dependent_slice_segment_flag && !s->slice_initialized) { + av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); + return AVERROR_INVALIDDATA; + } slice_address_length = av_ceil_log2(s->ps.sps->ctb_width * s->ps.sps->ctb_height); @@ -804,9 +808,6 @@ static int hls_slice_header(HEVCContext *s) } else { sh->slice_loop_filter_across_slices_enabled_flag = s->ps.pps->seq_loop_filter_across_slices_enabled_flag; } - } else if (!s->slice_initialized) { - av_log(s->avctx, AV_LOG_ERROR, "Independent slice segment missing.\n"); - return AVERROR_INVALIDDATA; } sh->num_entry_point_offsets = 0; @@ -2877,8 +2878,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal) case HEVC_NAL_RASL_N: case HEVC_NAL_RASL_R: ret = hls_slice_header(s); - if (ret < 0) + if (ret < 0) { + // hls_slice_header() does not cleanup on failure thus the state now is inconsistant so we cannot use it on depandant slices + s->slice_initialized = 0; return ret; + } if (ret == 1) { ret = AVERROR_INVALIDDATA; goto fail; From 7fb253b20dea86cfa385dafe62f356137d79b859 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 19:21:41 +0200 Subject: [PATCH 1693/1764] avcodec/proresdec: Consider negative bits left Fixes: 70036/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_fuzzer-6298797647396864 Fixes: shift exponent 40 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 419eee63565f81aca67b29582297841c59deaab8) Signed-off-by: Michael Niedermayer --- libavcodec/proresdec2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c index 2ebda78a7a..594005550e 100644 --- a/libavcodec/proresdec2.c +++ b/libavcodec/proresdec2.c @@ -338,7 +338,7 @@ static av_always_inline int decode_ac_coeffs(AVCodecContext *avctx, GetBitContex for (pos = block_mask;;) { bits_left = gb->size_in_bits - re_index; - if (!bits_left || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) + if (bits_left <= 0 || (bits_left < 32 && !SHOW_UBITS(re, gb, bits_left))) break; DECODE_CODEWORD(run, run_to_cb[FFMIN(run, 15)], LAST_SKIP_BITS); From c22eb904fd9ea3d77f75a430fef6851eacdda448 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Jul 2024 22:29:15 +0200 Subject: [PATCH 1694/1764] avcodec/vaapi_encode: Check hwctx Fixes: null pointer dereference Fixes: 70376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_VAAPI_fuzzer-4733551250046976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3cd077e2820679e8b9f8eb10954b4f5701191c48) Signed-off-by: Michael Niedermayer --- libavcodec/vaapi_encode.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c index 590f4be4ed..45703df3f1 100644 --- a/libavcodec/vaapi_encode.c +++ b/libavcodec/vaapi_encode.c @@ -1561,12 +1561,14 @@ av_cold int ff_vaapi_encode_close(AVCodecContext *avctx) } if (ctx->va_context != VA_INVALID_ID) { - vaDestroyContext(ctx->hwctx->display, ctx->va_context); + if (ctx->hwctx) + vaDestroyContext(ctx->hwctx->display, ctx->va_context); ctx->va_context = VA_INVALID_ID; } if (ctx->va_config != VA_INVALID_ID) { - vaDestroyConfig(ctx->hwctx->display, ctx->va_config); + if (ctx->hwctx) + vaDestroyConfig(ctx->hwctx->display, ctx->va_config); ctx->va_config = VA_INVALID_ID; } From 5c27f6850715153229ba97c77b05fa3ce653b15f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 17 Jun 2024 13:31:02 +0200 Subject: [PATCH 1695/1764] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow The snow encoder uses block based motion estimation which can read out of array if insufficient alignment is used It may be better to only apply this for the encoder, as it would safe a few bytes of memory for the decoder. Until then, this fixes the issue in a simple way. Fixes: out of array access Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128 Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 58fbeb59e74ac9a4ca81e9bc44141abcbff8ab6d) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 5687337284..be209b5607 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -372,6 +372,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, if (s->codec_id == AV_CODEC_ID_SVQ1) { w_align = 64; h_align = 64; + } else if (s->codec_id == AV_CODEC_ID_SNOW) { + w_align = 16; + h_align = 16; } break; case AV_PIX_FMT_RGB555: From f6adefd4cdc8a867a77a3b787c4e40f57aaa011f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 31 Jul 2024 21:43:39 +0200 Subject: [PATCH 1696/1764] avcodec/snow: Fix off by 1 error in run_buffer Fixes: out of array access Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 06f5ed40f8fceb2542add052c57608121eda2f41) Signed-off-by: Michael Niedermayer --- libavcodec/snow.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snow.c b/libavcodec/snow.c index a3e6afc86a..584be1578c 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -491,7 +491,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->spatial_dwt_buffer, width, height * sizeof(DWTELEM), fail); //FIXME this does not belong here FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_dwt_buffer, width, sizeof(DWTELEM), fail); FF_ALLOCZ_ARRAY_OR_GOTO(avctx, s->temp_idwt_buffer, width, sizeof(IDWTELEM), fail); - FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1), ((height + 1) >> 1) * sizeof(*s->run_buffer), fail); + FF_ALLOC_ARRAY_OR_GOTO(avctx, s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1, sizeof(*s->run_buffer), fail); for(i=0; i Date: Sat, 3 Aug 2024 19:45:15 +0200 Subject: [PATCH 1697/1764] avformat/wavdec: Check if there are 16 bytes before testing them Fixes: use-of-uninitialized-value Fixes: 70839/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5212907590189056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79a1cf30d1289f90da682263ba160f6e4a5a7bf1) Signed-off-by: Michael Niedermayer --- libavformat/wavdec.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 3a8bc882d8..ccd2f1f5d1 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -791,8 +791,7 @@ static int w64_read_header(AVFormatContext *s) uint8_t guid[16]; int ret; - avio_read(pb, guid, 16); - if (memcmp(guid, ff_w64_guid_riff, 16)) + if (avio_read(pb, guid, 16) != 16 || memcmp(guid, ff_w64_guid_riff, 16)) return AVERROR_INVALIDDATA; /* riff + wave + fmt + sizes */ From ec84a7de4722b1d02cc71d94be6201f25ddd602e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:00:35 +0200 Subject: [PATCH 1698/1764] avformat/img2dec: Clear padding data after EOF Fixes: use-of-uninitialized-value Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 3978e81809a3daf278199849f7bbeacbffb9fa09) Signed-off-by: Michael Niedermayer --- libavformat/img2dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index 9b4203bbb5..db9012d5ec 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -514,6 +514,7 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } goto fail; } else { + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); s->img_count++; s->img_number++; s->pts++; From 8a173a9bf4ee76b5c90836f0b061b00e986f4849 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= Date: Thu, 27 Jun 2024 02:40:35 +0200 Subject: [PATCH 1699/1764] avcodec/parser: ensure input padding is zeroed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes use of uninitialized value, reported by MSAN. Found by OSS-Fuzz. Signed-off-by: Kacper Michajłow Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320 Signed-off-by: Michael Niedermayer (cherry picked from commit 5dfc0cc84129758b4eab2acdc3e186c3116deacd) Signed-off-by: Michael Niedermayer --- libavcodec/parser.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/parser.c b/libavcodec/parser.c index 1b50f40b20..d995c306c6 100644 --- a/libavcodec/parser.c +++ b/libavcodec/parser.c @@ -284,6 +284,7 @@ int ff_combine_frame(ParseContext *pc, int next, } pc->buffer = new_buffer; memcpy(&pc->buffer[pc->index], *buf, *buf_size); + memset(&pc->buffer[pc->index + *buf_size], 0, AV_INPUT_BUFFER_PADDING_SIZE); pc->index += *buf_size; return -1; } From acc28553d1da5a9339a8807d5368da23b997ec59 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:51 +0200 Subject: [PATCH 1700/1764] avformat/wtvdec: clear sectors The code can leave uninitialized holes in the array. Fixes: use of uninitialized values Fixes: 70883/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6698694567591936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c95ea0310468e0a0906fa7d590ff7406c39d6991) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 124d8f4b9c..116f0d6a8b 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -183,7 +183,7 @@ static AVIOContext * wtvfile_open_sector(unsigned first_sector, uint64_t length, int nb_sectors1 = read_ints(s->pb, sectors1, WTV_SECTOR_SIZE / 4); int i; - wf->sectors = av_malloc_array(nb_sectors1, 1 << WTV_SECTOR_BITS); + wf->sectors = av_calloc(nb_sectors1, 1 << WTV_SECTOR_BITS); if (!wf->sectors) { av_free(wf); return NULL; From c6083eee1a48b5c636035aa39a7fcd14aec00dcd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 7 Aug 2024 00:18:53 +0200 Subject: [PATCH 1701/1764] avformat/wtvdec: Check length of read mpeg2_descriptor Fixes: Use of uninitialized value Fixes: 70900/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6286909377150976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit c390234da2e3c7a8884f5592f0b9b4928c482b3e) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 116f0d6a8b..672baa0360 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -863,7 +863,8 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p } buf_size = FFMIN(len - consumed, sizeof(buf)); - avio_read(pb, buf, buf_size); + if (avio_read(pb, buf, buf_size) != buf_size) + return AVERROR_INVALIDDATA; consumed += buf_size; ff_parse_mpeg2_descriptor(s, st, 0, &pbuf, buf + buf_size, NULL, 0, 0, NULL); } From 7c9f2e65de8a6010ee99d456cbf45d518745be61 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 13 Jul 2024 09:16:48 +0200 Subject: [PATCH 1702/1764] avformat/lmlm4: Eliminate some AVERROR(EIO) Found by code review related to CID732224 Overflowed constant Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 191a685010319cb0d248771574c7c61d76e4eb95) Signed-off-by: Michael Niedermayer --- libavformat/lmlm4.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/lmlm4.c b/libavformat/lmlm4.c index d0cf8feb03..6131059f9a 100644 --- a/libavformat/lmlm4.c +++ b/libavformat/lmlm4.c @@ -94,15 +94,15 @@ static int lmlm4_read_packet(AVFormatContext *s, AVPacket *pkt) if (frame_type > LMLM4_MPEG1L2 || frame_type == LMLM4_INVALID) { av_log(s, AV_LOG_ERROR, "invalid or unsupported frame_type\n"); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if (packet_size > LMLM4_MAX_PACKET_SIZE || packet_size<=8) { av_log(s, AV_LOG_ERROR, "packet size %d is invalid\n", packet_size); - return AVERROR(EIO); + return AVERROR_INVALIDDATA; } if ((ret = av_get_packet(pb, pkt, frame_size)) <= 0) - return AVERROR(EIO); + return ret < 0 ? ret : AVERROR(EIO); avio_skip(pb, padding); From 8d570b477e3ec786c4ee5a1d406f2230e083ab74 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:13:28 +0200 Subject: [PATCH 1703/1764] avcodec/dxva2: Initialize dxva_size and check it Related: CID1591878 Uninitialized scalar variable Related: CID1591928 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit c8c59e99295f9ef572b5d6f0fd9075bb2b79acbd) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index afcd361ef6..142d2f45eb 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -799,7 +799,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, unsigned type, const void *data, unsigned size, unsigned mb_count) { - void *dxva_data; + void *dxva_data = NULL; unsigned dxva_size; int result; HRESULT hr = 0; @@ -821,7 +821,7 @@ int ff_dxva2_commit_buffer(AVCodecContext *avctx, type, (unsigned)hr); return -1; } - if (size <= dxva_size) { + if (dxva_data && size <= dxva_size) { memcpy(dxva_data, data, size); #if CONFIG_D3D11VA From 3945020ab5e93b7706a583f320a24d9b8a83c3ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:23:16 +0200 Subject: [PATCH 1704/1764] avcodec/dxva2: Initialize ConfigBitstreamRaw Related: CID1591894 Uninitialized scalar variable Related: CID1591906 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 489c05b9c3ea7d856b7a81abce247721b3b3d6e8) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 142d2f45eb..1dff1a4e03 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -104,7 +104,7 @@ static int dxva_get_decoder_configuration(AVCodecContext *avctx, for (i = 0; i < cfg_count; i++) { unsigned score; - UINT ConfigBitstreamRaw; + UINT ConfigBitstreamRaw = 0; GUID guidConfigBitstreamEncryption; #if CONFIG_D3D11VA From d0fb119755457148b958587c13a493d3985fe16e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:28:04 +0200 Subject: [PATCH 1705/1764] avcodec/dxva2: initialize validate Related: CID1591915 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 2232c4cc8c3d64dec4e4399b58e057f5dbb9ff98) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index 1dff1a4e03..d961d7d545 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -255,7 +255,7 @@ static int dxva_get_decoder_guid(AVCodecContext *avctx, void *service, void *sur *decoder_guid = ff_GUID_NULL; for (i = 0; dxva_modes[i].guid; i++) { const dxva_mode *mode = &dxva_modes[i]; - int validate; + int validate = 0; if (!dxva_check_codec_compatibility(avctx, mode)) continue; From bc687c63a03cec646f39520486e1c90fede0e78d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 26 May 2024 22:33:11 +0200 Subject: [PATCH 1706/1764] avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() Related: CID1591924 Uninitialized scalar variable Related: CID1591938 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 1d6a2aebae202652feb5964a2d62bdba4e5cc6e4) Signed-off-by: Michael Niedermayer --- libavcodec/dxva2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxva2.c b/libavcodec/dxva2.c index d961d7d545..a1a0f6b8bd 100644 --- a/libavcodec/dxva2.c +++ b/libavcodec/dxva2.c @@ -899,7 +899,7 @@ int ff_dxva2_common_end_frame(AVCodecContext *avctx, AVFrame *frame, #endif DECODER_BUFFER_DESC *buffer = NULL, *buffer_slice = NULL; int result, runs = 0; - HRESULT hr; + HRESULT hr = -1; unsigned type; FFDXVASharedContext *sctx = DXVA_SHARED_CONTEXT(avctx); From 7d2f1817bf990227983d533e3bb17385b381a2e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 6 Aug 2024 18:02:58 +0200 Subject: [PATCH 1707/1764] avformat/segafilm: Set keyframe Fixes: use of uninitialized value Fixes: 70871/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-5883617752973312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dc7dfe65aaa21801a907c66592b92b05da921dc) Signed-off-by: Michael Niedermayer --- libavformat/segafilm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index ca0b516804..5be06ed738 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -239,6 +239,7 @@ static int film_read_header(AVFormatContext *s) else if (film->audio_type != AV_CODEC_ID_NONE) audio_frame_counter += (film->sample_table[i].sample_size / (film->audio_channels * film->audio_bits / 8)); + film->sample_table[i].keyframe = 1; } else { film->sample_table[i].stream = film->video_stream_index; film->sample_table[i].pts = AV_RB32(&scratch[8]) & 0x7FFFFFFF; From 730e9281f56beb93901f535601348301be5cc9ae Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 21:27:44 +0200 Subject: [PATCH 1708/1764] avformat/mpeg: Check an avio_read() for failure Fixes: use-of-uninitialized-value Fixes: 70849/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-4684401009557504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66ee75d76ce56a3553a99d67e74b8a9970c18f5b) Signed-off-by: Michael Niedermayer --- libavformat/mpeg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index ce934a4739..caac7a9b42 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -540,7 +540,9 @@ redo: static const unsigned char avs_seqh[4] = { 0, 0, 1, 0xb0 }; unsigned char buf[8]; - avio_read(s->pb, buf, 8); + ret = avio_read(s->pb, buf, 8); + if (ret != 8) + return AVERROR_INVALIDDATA; avio_seek(s->pb, -8, SEEK_CUR); if (!memcmp(buf, avs_seqh, 4) && (buf[6] != 0 || buf[7] != 1)) codec_id = AV_CODEC_ID_CAVS; From 3a8550436511254a3cbcf49685c4ec01c09be38b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:10:48 +0200 Subject: [PATCH 1709/1764] avcodec/shorten: clear padding Fixes: use-of-uninitialized-value Fixes: 70854/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5533480570650624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e44349ee88418ac16051bbc9231c1bfdc25d3504) Signed-off-by: Michael Niedermayer --- libavcodec/shorten.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4134af74cf..762bca0df3 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -558,6 +558,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, buf = &s->bitstream[s->bitstream_index]; buf_size += s->bitstream_size; s->bitstream_size = buf_size; + memset(buf + buf_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); /* do not decode until buffer has at least max_framesize bytes or * the end of the file has been reached */ From 45c96c41ebedb324bf6393675cdf9b04c27635b3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 4 Aug 2024 22:30:03 +0200 Subject: [PATCH 1710/1764] avcodec/aic: Clear slice_data Fixes: use-of-uninitialized-value Fixes: 70865/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-4874102695854080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de3f6c8888bcf3df4ca6cb265a83507b95c884cd) Signed-off-by: Michael Niedermayer --- libavcodec/aic.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 77f342e6d6..a94619b8d2 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -460,8 +460,7 @@ static av_cold int aic_decode_init(AVCodecContext *avctx) } } - ctx->slice_data = av_malloc_array(ctx->slice_width, AIC_BAND_COEFFS - * sizeof(*ctx->slice_data)); + ctx->slice_data = av_calloc(ctx->slice_width, AIC_BAND_COEFFS * sizeof(*ctx->slice_data)); if (!ctx->slice_data) { av_log(avctx, AV_LOG_ERROR, "Error allocating slice buffer\n"); From 9973a54eced54efeae76fedb2214745ee59ba270 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Aug 2024 01:11:50 +0200 Subject: [PATCH 1711/1764] avcodec/avcodec: Warn about data returned from get_buffer*() Text based on suggestion by: epirat07@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 93444c46fce195e378c4ebb1a20ea662e7f0123b) Signed-off-by: Michael Niedermayer --- libavcodec/avcodec.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index 771d59d726..02c2666313 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -2631,6 +2631,10 @@ typedef struct AVCodecContext { * this callback and filled with the extra buffers if there are more * buffers than buf[] can hold. extended_buf will be freed in * av_frame_unref(). + * Decoders will generally initialize the whole buffer before it is output + * but it can in rare error conditions happen that uninitialized data is passed + * through. \important The buffers returned by get_buffer* should thus not contain sensitive + * data. * * If AV_CODEC_CAP_DR1 is not set then get_buffer2() must call * avcodec_default_get_buffer2() instead of providing buffers allocated by From c4faa5356e58dfe382f2a4382ae3d1dce73cd4b8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 19 Aug 2024 17:02:12 +0200 Subject: [PATCH 1712/1764] avformat/apetag: Check APETAGEX Fixes: Use of uninitialized value Fixes: 71074/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5697034877730816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 796ff2d599449ed798b69ab798ebcbcc0a5853f5) Signed-off-by: Michael Niedermayer --- libavformat/apetag.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index cdc602e1a9..2037cb0328 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c @@ -129,7 +129,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s) avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET); - avio_read(pb, buf, 8); /* APETAGEX */ + if(avio_read(pb, buf, 8) != 8) /* APETAGEX */ + return 0; if (strncmp(buf, APE_TAG_PREAMBLE, 8)) { return 0; } From b7892cd8357c73a5400e1a70f9fe39fa22b54776 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 15 Aug 2024 00:37:04 +0200 Subject: [PATCH 1713/1764] avcodec/wmavoice: Do not use uninitialized pitch[0] Fixes: use of uninitialized value Fixes: 70850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-4806127362048000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53387079301690f1bd38b97fdf31d63194201d17) Signed-off-by: Michael Niedermayer --- libavcodec/wmavoice.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c index 16a04e3677..6802cd62ef 100644 --- a/libavcodec/wmavoice.c +++ b/libavcodec/wmavoice.c @@ -1487,6 +1487,8 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, /* Parse frame type ("frame header"), see frame_descs */ int bd_idx = s->vbm_tree[get_vlc2(gb, frame_type_vlc.table, 6, 3)], block_nsamples; + pitch[0] = INT_MAX; + if (bd_idx < 0) { av_log(ctx, AV_LOG_ERROR, "Invalid frame type VLC code, skipping\n"); @@ -1604,6 +1606,9 @@ static int synth_frame(AVCodecContext *ctx, GetBitContext *gb, int frame_idx, double i_lsps[MAX_LSPS]; float lpcs[MAX_LSPS]; + if(frame_descs[bd_idx].fcb_type >= FCB_TYPE_AW_PULSES && pitch[0] == INT_MAX) + return AVERROR_INVALIDDATA; + for (n = 0; n < s->lsps; n++) // LSF -> LSP i_lsps[n] = cos(0.5 * (prev_lsps[n] + lsps[n])); ff_acelp_lspd2lpc(i_lsps, lpcs, s->lsps >> 1); From c28eaa1696454e141779ccbd90414c17fb4d8a81 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:03:55 +0200 Subject: [PATCH 1714/1764] avcodec/vc2enc: basic sanity check on slice_max_bytes Fixes: left shift of 896021632 by 3 places cannot be represented in type 'int' Fixes: 70544/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6685593652756480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6df9a0292ca6c29ef3b220fbf9b257924cabf035) Signed-off-by: Michael Niedermayer --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index be64c1d6fb..9e20d2a977 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1025,7 +1025,7 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, s->slice_max_bytes = SSIZE_ROUND(s->slice_max_bytes); s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); - if (s->slice_min_bytes < 0) + if (s->slice_min_bytes < 0 || s->slice_max_bytes > INT_MAX >> 3) return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); From c61cab713b66064fea74f4a3ff2767f7ab2a812e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 20:08:42 +0200 Subject: [PATCH 1715/1764] swscale/swscale: Use unsigned operation to avoid undefined behavior I have not checked that the constant is correct, this just fixes the undefined behavior Fixes: signed integer overflow: -646656 * 3517 cannot be represented in type 'int Fixes: 70559/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5209368631508992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 44c5641ae82387fcfce94820f5b53ce8e9dcd27f) Signed-off-by: Michael Niedermayer --- libswscale/swscale.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 110a5a5fd7..a727ae3a9d 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -219,7 +219,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width) int i; int32_t *dst = (int32_t *) _dst; for (i = 0; i < width; i++) - dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12; + dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12; } From 94acfdb3a2de16fa4ba85ec6eba26987433bb8da Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:51:53 +0200 Subject: [PATCH 1716/1764] swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() Fixes: signed integer overflow: -1082982400 + -1083218484 cannot be represented in type 'int' Fixes: 70657/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6707819712675840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd80c97391969f9dbb312d6c498211ad85bb67cb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index cfc05512c5..6b13273932 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -876,8 +876,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], av_assert2(uvalpha <= 4096U); for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; - int Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; + unsigned Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; + unsigned Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14; int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14; int R, G, B; @@ -901,20 +901,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } From de9b2a2b351434d2eb8ca423b11d0b2445f4ac32 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 12 Sep 2024 22:29:04 +0200 Subject: [PATCH 1717/1764] avformat/mxfdec: More offset_temp checks MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long' Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a96aa435af0d66bdec52ee115cf4dd971855fcd) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 1d6e81f670..6bd371c879 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1378,6 +1378,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out); } else { /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */ + if (s->edit_unit_byte_count && (s->index_duration > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp) + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * s->index_duration; } } From d0f70898713abf6384b8e062f1960e93baf07e60 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 19 Sep 2024 21:57:09 +0200 Subject: [PATCH 1718/1764] avcodec/jfdctint_template: use unsigned z* in row_fdct() Fixes: signed integer overflow: 856827136 + 2123580416 cannot be represented in type 'int' Fixes: 70772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-5180569961431040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f27c8b04d3059fa538db8f2db6503cbb586eb3ad) Signed-off-by: Michael Niedermayer --- libavcodec/jfdctint_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index 2f4e28b3a3..126c3d913c 100644 --- a/libavcodec/jfdctint_template.c +++ b/libavcodec/jfdctint_template.c @@ -183,7 +183,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr; From e253f3735d892881715d12054667a00c4cea6fc6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 20:31:58 +0200 Subject: [PATCH 1719/1764] avcodec/svq3: Check for minimum size input Fixes: Timeout Fixes: 71295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-4999941125111808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 050b5e85cbe61414ba9b78f76a04b2488e816f42) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index d8d5131f54..300941b1e0 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -1439,6 +1439,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data, if (svq3_decode_slice_header(avctx)) return -1; + if (avpkt->size < s->mb_width * s->mb_height / 8) + return AVERROR_INVALIDDATA; + s->pict_type = s->slice_type; if (s->pict_type != AV_PICTURE_TYPE_B) From 0e997798c102d2f874d1fea4b8f48abcd05cdf9a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 22 Sep 2024 23:15:35 +0200 Subject: [PATCH 1720/1764] avcodec/xan: Add basic input size check Fixes: Timeout Fixes: 71739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XAN_WC3_fuzzer-6170301405134848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe Signed-off-by: Michael Niedermayer (cherry picked from commit 56bef2fd58d0ed30dbe940083c30ada2b0404491) Signed-off-by: Michael Niedermayer --- libavcodec/xan.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 1ccf164847..c8f098d17c 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -614,6 +614,9 @@ static int xan_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + if (buf_size < 9) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret; From 1c68f225cd6f8b141a072e5e097ccb4b3314881d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 24 Sep 2024 23:43:09 +0200 Subject: [PATCH 1721/1764] avcodec/ffv1enc: Fix >8bit context size Fixes: Ticket5405 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit a9c83e43f2fc9128e20851291b0270add1a6b95f) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 2759db31d3..b36a245327 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -720,19 +720,21 @@ FF_ENABLE_DEPRECATION_WARNINGS s->quant_tables[1][2][i]= 11*11*quant5 [i]; s->quant_tables[1][3][i]= 5*11*11*quant5 [i]; s->quant_tables[1][4][i]= 5*5*11*11*quant5 [i]; + s->context_count[0] = (11 * 11 * 11 + 1) / 2; + s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; } else { s->quant_tables[0][0][i]= quant9_10bit[i]; - s->quant_tables[0][1][i]= 11*quant9_10bit[i]; - s->quant_tables[0][2][i]= 11*11*quant9_10bit[i]; + s->quant_tables[0][1][i]= 9*quant9_10bit[i]; + s->quant_tables[0][2][i]= 9*9*quant9_10bit[i]; s->quant_tables[1][0][i]= quant9_10bit[i]; - s->quant_tables[1][1][i]= 11*quant9_10bit[i]; - s->quant_tables[1][2][i]= 11*11*quant5_10bit[i]; - s->quant_tables[1][3][i]= 5*11*11*quant5_10bit[i]; - s->quant_tables[1][4][i]= 5*5*11*11*quant5_10bit[i]; + s->quant_tables[1][1][i]= 9*quant9_10bit[i]; + s->quant_tables[1][2][i]= 9*9*quant5_10bit[i]; + s->quant_tables[1][3][i]= 5*9*9*quant5_10bit[i]; + s->quant_tables[1][4][i]= 5*5*9*9*quant5_10bit[i]; + s->context_count[0] = (9 * 9 * 9 + 1) / 2; + s->context_count[1] = (9 * 9 * 5 * 5 * 5 + 1) / 2; } } - s->context_count[0] = (11 * 11 * 11 + 1) / 2; - s->context_count[1] = (11 * 11 * 5 * 5 * 5 + 1) / 2; memcpy(s->quant_table, s->quant_tables[s->context_model], sizeof(s->quant_table)); From b4d26a6333ce573f3573c219cee36ecec1ae5cd7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Sep 2024 23:42:50 +0200 Subject: [PATCH 1722/1764] avcodec/ffv1enc: 2Pass mode is not possible with golomb coding "Fixes" Ticket7063 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 417b163c00555ccda201a963e797bfa663a26ff5) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index b36a245327..44285248dc 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -520,6 +520,11 @@ static av_cold int encode_init(AVCodecContext *avctx) avctx->slices > 1) s->version = FFMAX(s->version, 2); + if ((avctx->flags & (AV_CODEC_FLAG_PASS1 | AV_CODEC_FLAG_PASS2)) && s->ac == AC_GOLOMB_RICE) { + av_log(avctx, AV_LOG_ERROR, "2 Pass mode is not possible with golomb coding\n"); + return AVERROR(EINVAL); + } + // Unspecified level & slices, we choose version 1.2+ to ensure multithreaded decodability if (avctx->slices == 0 && avctx->level < 0 && avctx->width * avctx->height > 720*576) s->version = FFMAX(s->version, 2); From db47d9ecb79ef4d9181163a534862283417a56f2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 6 Oct 2023 22:23:33 +0200 Subject: [PATCH 1723/1764] avcodec/ffv1enc: Slice combination is unsupported We always write minimal slices, the size calculation is wrong in some corner cases but as its always 1x1 (minus1) we can for now just hard-code it This helps with ticket 5548 Signed-off-by: Michael Niedermayer (cherry picked from commit 7d514655bfa47c6e5cc1b81fbba8e750e368036e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 44285248dc..bcecb168ca 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -922,8 +922,8 @@ static void encode_slice_header(FFV1Context *f, FFV1Context *fs) put_symbol(c, state, (fs->slice_x +1)*f->num_h_slices / f->width , 0); put_symbol(c, state, (fs->slice_y +1)*f->num_v_slices / f->height , 0); - put_symbol(c, state, (fs->slice_width +1)*f->num_h_slices / f->width -1, 0); - put_symbol(c, state, (fs->slice_height+1)*f->num_v_slices / f->height-1, 0); + put_symbol(c, state, 0, 0); + put_symbol(c, state, 0, 0); for (j=0; jplane_count; j++) { put_symbol(c, state, f->plane[j].quant_table_index, 0); av_assert0(f->plane[j].quant_table_index == f->context_model); From 9a0d56f8f796f02800d20c39b07c6b00957553f9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:04:58 +0200 Subject: [PATCH 1724/1764] avcodec/ffv1enc: Correct error message about unsupported version Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 556c767786e9e3c072f7666d60a68a31a3400438) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index bcecb168ca..772c96fdad 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -549,7 +549,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->version = FFMAX(s->version, 3); if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { - av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); + av_log(avctx, AV_LOG_ERROR, "Version 2 or 4 needed for requested features but version 2 or 4 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; } From b6f2250c125b1ca37e7e4d6f0f335a1729b02f49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 28 Jul 2024 22:08:23 +0200 Subject: [PATCH 1725/1764] avformat/matroskadec: Check desc_bytes so bits fit in 64bit Likely a tighter check can be done Fixes: signed integer overflow: 3305606804154370442 * 8 cannot be represented in type 'long' Fixes: 70449/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4771166007918592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c4122406f6d2726aea833480a2a8e345833dd881) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 87820d519a..3521dd2d3e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3832,7 +3832,7 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; - if (desc_bytes <= 0) + if (desc_bytes <= 0 || desc_bytes > INT64_MAX/8) return -1; desc_sec = desc_ns / nano_seconds_per_second; From d5a26a396dd29c45664e4a39df6294fa8a0805eb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Oct 2024 22:06:40 +0200 Subject: [PATCH 1726/1764] avcodec/ffv1enc: Prevent generation of files with broken slices Fixes: Ticket5548 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit b7ff66a35804275b25c1176cad560540785e8750) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1.c | 7 +++++++ libavcodec/ffv1.h | 1 + libavcodec/ffv1enc.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c index a14dd2aab2..50093100bb 100644 --- a/libavcodec/ffv1.c +++ b/libavcodec/ffv1.c @@ -114,6 +114,13 @@ av_cold int ff_ffv1_init_slices_state(FFV1Context *f) return 0; } +int ff_need_new_slices(int width, int num_h_slices, int chroma_shift) { + int mpw = 1<bits_per_raw_sample+1) * plane_count > 8<<24) continue; + if (s->version < 4) + if ( ff_need_new_slices(avctx->width , s->num_h_slices, s->chroma_h_shift) + ||ff_need_new_slices(avctx->height, s->num_v_slices, s->chroma_v_shift)) + continue; if (avctx->slices == s->num_h_slices * s->num_v_slices && avctx->slices <= MAX_SLICES || !avctx->slices) goto slices_ok; } From 1f5977e95cdceefd150503fd3659b8274873f5b2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 10 Oct 2024 20:39:23 +0200 Subject: [PATCH 1727/1764] avcodec/ffv1dec: Fix end computation with ec=2 Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer (cherry picked from commit 10e5af15bf220d9da128ca12d2d474ff6ab0076e) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 6e23f8799f..ea04e0bc75 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -362,7 +362,7 @@ static int decode_slice(AVCodecContext *c, void *arg) if (fs->ac != AC_GOLOMB_RICE && f->version > 2) { int v; get_rac(&fs->c, (uint8_t[]) { 129 }); - v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*f->ec; + v = fs->c.bytestream_end - fs->c.bytestream - 2 - 5*!!f->ec; if (v) { av_log(f->avctx, AV_LOG_ERROR, "bytestream end mismatching by %d\n", v); fs->slice_damaged = 1; From 5f0067652be8773ddcc7142831c63f4484873df2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 16 Oct 2024 14:39:20 +0200 Subject: [PATCH 1728/1764] avcodec/rangecoder: only perform renorm check/loop for callers that need it Signed-off-by: Michael Niedermayer (cherry picked from commit d147b3d7ecba2bd40cb45284f920238da97a95ee) Signed-off-by: Michael Niedermayer --- libavcodec/rangecoder.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/rangecoder.h b/libavcodec/rangecoder.h index 44af88b8f5..3e1b14b5cb 100644 --- a/libavcodec/rangecoder.h +++ b/libavcodec/rangecoder.h @@ -54,7 +54,6 @@ void ff_build_rac_states(RangeCoder *c, int factor, int max_p); static inline void renorm_encoder(RangeCoder *c) { // FIXME: optimize - while (c->range < 0x100) { if (c->outstanding_byte < 0) { c->outstanding_byte = c->low >> 8; } else if (c->low <= 0xFF00) { @@ -73,7 +72,6 @@ static inline void renorm_encoder(RangeCoder *c) c->low = (c->low & 0xFF) << 8; c->range <<= 8; - } } static inline int get_rac_count(RangeCoder *c) @@ -100,7 +98,8 @@ static inline void put_rac(RangeCoder *c, uint8_t *const state, int bit) *state = c->one_state[*state]; } - renorm_encoder(c); + while (c->range < 0x100) + renorm_encoder(c); } static inline void refill(RangeCoder *c) From 87006667525985f493b60aa80148c193c0301bfc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Oct 2024 23:44:00 +0200 Subject: [PATCH 1729/1764] avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen Fixes: use of uninitialized variable Fixes: 368729566/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-6044501804646400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7b4fc89fb18d5ff0a1426bd433c234555a3fff) Signed-off-by: Michael Niedermayer --- libavformat/mpegts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 3342193868..0074311e20 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1514,6 +1514,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size, MP4DescrParseContext d; int ret; + d.predefined_SLConfigDescriptor_seen = 0; + ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count); if (ret < 0) return ret; From 197cf584076f54567b9a90136f43ca564263d6db Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 2 Nov 2024 18:23:50 +0100 Subject: [PATCH 1730/1764] INSTALL: explain the circular dependency issue and solution Sponsored-by: Sovereign Tech Fund Reviewed-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit df00705e0010cc2c53d17d51944f847c2c852189) Signed-off-by: Michael Niedermayer --- INSTALL.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/INSTALL.md b/INSTALL.md index 5db912231c..3bc665b9c1 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -15,3 +15,11 @@ NOTICE ------ - Non system dependencies (e.g. libx264, libvpx) are disabled by default. + +NOTICE for Package Maintainers +------------------------------ + + - It is recommended to build FFmpeg twice, first with minimal external dependencies so + that 3rd party packages, which depend on FFmpegs libavutil/libavfilter/libavcodec/libavformat + can then be built. And last build FFmpeg with full dependancies (which may in turn depend on + some of these 3rd party packages). This avoids circular dependencies during build. From 2ac5f60d173714243aee46d6254b76e44feddab0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:43:21 +0100 Subject: [PATCH 1731/1764] avformat/nistspheredec: Clear buffer Fixes: use-of-uninitialized-value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6515855798632448-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 898f6582eb51bf77b1f88e8f55eab67ee6ee13b8) Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index ea59f3eb25..5f5699d8be 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c @@ -34,7 +34,7 @@ static int nist_probe(AVProbeData *p) static int nist_read_header(AVFormatContext *s) { - char buffer[256], coding[32] = "pcm", format[32] = "01"; + char buffer[256]= {0}, coding[32] = "pcm", format[32] = "01"; int bps = 0, be = 0; int32_t header_size = -1; AVStream *st; From 6ecbd8bbcae6cc20ad9eef295b6f9ef8a75e35cf Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 20:47:07 +0100 Subject: [PATCH 1732/1764] avformat/ilbc: Check avio_read() for failure Fixes: use of uninitialized value Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6656646223298560-cut Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit e30d957a9bacf7f7307c640aa0bd1e70cb3bbe7e) Signed-off-by: Michael Niedermayer --- libavformat/ilbc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ilbc.c b/libavformat/ilbc.c index 50e3c3cc76..cfba8ae308 100644 --- a/libavformat/ilbc.c +++ b/libavformat/ilbc.c @@ -74,7 +74,8 @@ static int ilbc_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 9); + if (avio_read(pb, header, 9) != 9) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) From 7cdefdb2ff8bfce154a97558e011560151310e69 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 16 Nov 2024 21:32:53 +0100 Subject: [PATCH 1733/1764] doc/developer: Document relationship between git accounts and MAINTAINERS This should have been documented long ago and i thought it was Signed-off-by: Michael Niedermayer (cherry picked from commit 7051825b0171bd5d566c5a5cc78852c5f3aa3072) Signed-off-by: Michael Niedermayer --- doc/developer.texi | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 98540c8f99..e660dadee6 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -743,6 +743,25 @@ In case you need finer control over how valgrind is invoked, use the @code{--target-exec='valgrind } option in your configure line instead. +@anchor{Maintenance} +@chapter Maintenance process + +@anchor{MAINTAINERS} +@section MAINTAINERS + +The developers maintaining each part of the codebase are listed in @file{MAINTAINERS}. +Being listed in @file{MAINTAINERS}, gives one the right to have git write access to +the specific repository. + +@anchor{Becoming a maintainer} +@section Becoming a maintainer + +People add themselves to @file{MAINTAINERS} by sending a patch like any other code +change. These get reviewed by the community like any other patch. It is expected +that, if someone has an objection to a new maintainer, she is willing to object +in public with her full name and is willing to take over maintainership for the area. + + @anchor{Release process} @section Release process From 06942392a0e3af535f6f4cdb7ca214274e24432a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 3 Nov 2024 11:07:27 +0100 Subject: [PATCH 1734/1764] avformat/icodec: fix integer overflow with nb_pal Fixes: runtime error: signed integer overflow Fixes: 42536949/clusterfuzz-testcase-minimized-fuzzer_loadfile-6199846684393472 Found-by: ossfuzz Reported-by: Kacper Michajlow Tested-by: Kacper Michajlow Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 84569b6c22cb4eda9c682aabeb5f658112126780) Signed-off-by: Michael Niedermayer --- libavformat/icodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 23cd91412d..5fb861df69 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -204,7 +204,7 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } - if (image->nb_pal > INT_MAX / 4 - 14 - 40) + if (image->nb_pal > INT_MAX / 4 - 14 - 40U) return AVERROR_INVALIDDATA; AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); From f15e004be683d1d2005587648e428251ca6c1b82 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 00:08:03 +0200 Subject: [PATCH 1735/1764] swscale/slice: clear allocated memory in alloc_lines() Fixes: use of uninitialized memory in hScale16To15_c() Fixes: 373924007/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5841199968092160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aeec39f3c1be82863efe64ce95242de58e075e8f) Signed-off-by: Michael Niedermayer --- libswscale/slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/slice.c b/libswscale/slice.c index f242c04a40..1af2b1f5a5 100644 --- a/libswscale/slice.c +++ b/libswscale/slice.c @@ -59,7 +59,7 @@ static int alloc_lines(SwsSlice *s, int size, int width) for (j = 0; j < n; ++j) { // chroma plane line U and V are expected to be contiguous in memory // by mmx vertical scaler code - s->plane[i].line[j] = av_malloc(size * 2 + 32); + s->plane[i].line[j] = av_mallocz(size * 2 + 32); if (!s->plane[i].line[j]) { free_lines(s); return AVERROR(ENOMEM); From 764aa5238f32fbf49c3dcdf4d2c44319aec13cf6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Oct 2024 01:15:53 +0200 Subject: [PATCH 1736/1764] avformat/dxa: check bpc Fixes: integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 373971762/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-4880491112103936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7e020f21413269418180eea7933a94ecb6bf2ef8) Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index c94665676a..a904746a6e 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -119,6 +119,8 @@ static int dxa_read_header(AVFormatContext *s) avio_skip(pb, fsize); } c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if (c->bpc < 0) + return AVERROR_INVALIDDATA; if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; From 6c9f3e222e1bfab30f68a5612cf999c92194c915 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 16:00:01 +0200 Subject: [PATCH 1737/1764] avcodec/webp: Check ref_x/y Fixes: 70991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5544067620995072 Fixes: use of uninintailized value Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7c1e732ad2e240af5afe9ffea443c91bb233aa65) Signed-off-by: Michael Niedermayer --- libavcodec/webp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 1e97487ebf..54feed0011 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -739,6 +739,9 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, ref_x = FFMAX(0, ref_x); ref_y = FFMAX(0, ref_y); + if (ref_y == y && ref_x >= x) + return AVERROR_INVALIDDATA; + /* copy pixels * source and dest regions can overlap and wrap lines, so just * copy per-pixel */ From e6f9fe73e2ca0ffecdb80d47bcae4e9db459a907 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 21:36:11 +0100 Subject: [PATCH 1738/1764] avformat/matroskadec: Check pre_ns for overflow Fixes: signed integer overflow: -3483479120376300096 - 7442323944145700864 cannot be represented in type 'long' Fixes: 383187489/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4561470580391936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 361d24e6d920e4f7e4e5fa1fd6fbb6922bff35f2) Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 3521dd2d3e..636e4645bc 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3817,9 +3817,10 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // The prebuffer ends in the last Cue. Estimate how much data was // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; - pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; - if (pre_ns <= 0) + if (desc_end.end_time_ns <= desc_end.start_time_ns || + desc_end.end_time_ns - (uint64_t)desc_end.start_time_ns > INT64_MAX) return -1; + pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); From 250912e23f801388d4e7910fe2a3b5d34ab3d30b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 11 Dec 2024 22:37:07 +0100 Subject: [PATCH 1739/1764] avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV Fixes: signed integer overflow: 529008646 * 8 cannot be represented in type 'int' Fixes: 383379145/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6674045107503104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93270930798da368d5b1954a73ef7ff9dfa48f73) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index be209b5607..a5a01f9039 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1881,7 +1881,7 @@ static int get_audio_frame_duration(enum AVCodecID id, int sr, int ch, int ba, case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8LL); break; case AV_CODEC_ID_ADPCM_IMA_DK3: tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); From dcfacf4ee5f4febee97864d7bd2b0d4e5f410ec7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 25 Dec 2024 05:13:02 +0100 Subject: [PATCH 1740/1764] avformat/mlvdec: Check avio_read() Fixes: use-of-uninitialized-value Fixes: 383170476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-4696002884337664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit bb85423142103d694d97bad1967bd3dc55440e71) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 9d14e93396..c5bb3eea16 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -80,13 +80,15 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); + int ret; + if (!value) { avio_skip(pb, size); return; } - avio_read(pb, value, size); - if (!value[0]) { + ret = avio_read(pb, value, size); + if (ret != size || !value[0]) { av_free(value); return; } From b322533a60ee2a9d0d1f63028eb48c61d3a763ff Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 18 Nov 2024 04:09:11 +0100 Subject: [PATCH 1741/1764] avformat/rpl: Fix check for negative values Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long') Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376 Found-by: ossfuzz Reported-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit eab65379bf89c55d8ec4bc6f00e04f15b37d3d85) Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index b7d3862e89..d790ae2f29 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -101,7 +101,7 @@ static AVRational read_fps(const char* line, int* error) line++; for (; *line>='0' && *line<='9'; line++) { // Truncate any numerator too large to fit into an int64_t - if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) + if (num > (INT64_MAX - 9) / 10ULL || den > INT64_MAX / 10ULL) break; num = 10 * num + (*line - '0'); den *= 10; From f41be82acab42efbd42af327b2e95e4919143d37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 11 Aug 2024 22:53:47 +0200 Subject: [PATCH 1742/1764] avformat/mxfdec: Check that key was read sucessfull Fixes: use of uninitialized value Fixes: 70932/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4870202133643264 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4c62cbcae2612acbc7ab5e8a7e7815674a6e8df4) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 6bd371c879..892729fb99 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1101,7 +1101,8 @@ static int mxf_read_indirect_value(void *arg, AVIOContext *pb, int size) if (size <= 17) return 0; - avio_read(pb, key, 17); + if (avio_read(pb, key, 17) != 17) + return AVERROR_INVALIDDATA; /* TODO: handle other types of of indirect values */ if (memcmp(key, mxf_indirect_value_utf16le, 17) == 0) { return mxf_read_utf16le_string(pb, size - 17, &tagged_value->value); From d7f72f7a8499080be0510691cf92f93d918a41a4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 16 Aug 2024 14:47:42 +0200 Subject: [PATCH 1743/1764] avformat/rmdec: check that buf if completely filled Fixes: use of uninitialized value Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976 Signed-off-by: Michael Niedermayer (cherry picked from commit 9578c135d00dd9cc01491b8559d7fad5a387e90d) Signed-off-by: Michael Niedermayer --- libavformat/rmdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index bf1f8681d1..396d2d6ad9 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -192,7 +192,8 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, st->codecpar->channels = avio_rb16(pb); if (version == 5) { ast->deint_id = avio_rl32(pb); - avio_read(pb, buf, 4); + if (avio_read(pb, buf, 4) != 4) + return AVERROR_INVALIDDATA; buf[4] = 0; } else { AV_WL32(buf, 0); From f4dd0a5fc725879c9a2699c19d9465581531a6fb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 6 Jan 2025 22:01:39 +0100 Subject: [PATCH 1744/1764] avfilter/af_pan: Fix sscanf() use Fixes: Memory Data Leak Found-by: Simcha Kosman Signed-off-by: Michael Niedermayer (cherry picked from commit b5b6391d64807578ab872dc58fb8aa621dcfc38a) Signed-off-by: Michael Niedermayer --- libavfilter/af_pan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c index fb91acc3c6..885d18cfba 100644 --- a/libavfilter/af_pan.c +++ b/libavfilter/af_pan.c @@ -177,7 +177,7 @@ static av_cold int init(AVFilterContext *ctx) sign = 1; while (1) { gain = 1; - if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) + if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) arg += len; if (parse_channel_name(&arg, &in_ch_id, &named)){ av_log(ctx, AV_LOG_ERROR, From 922b6e6a2d17cd921abaa7849cd523350c14a3a2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 03:25:09 +0100 Subject: [PATCH 1745/1764] swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() Fixes: signed integer overflow: -1082982400 + -1195645138 cannot be represented in type 'int' Fixes: 376136843/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4791844321427456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56faee21c136942c491f30a2e82cfbbfce180beb) Signed-off-by: Michael Niedermayer --- libswscale/output.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 6b13273932..a13e794f2d 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1075,9 +1075,9 @@ yuv2rgba64_full_X_c_template(SwsContext *c, const int16_t *lumFilter, B = U * c->yuv2rgb_u2b_coeff; // 8bit: 30 - 22 = 8bit, 16bit: 30bit - 14 = 16bit - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y)>>14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y)>>14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + (unsigned)Y)>>14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + (unsigned)Y)>>14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; From c58836887d6f5090906bbb06e6e5f2a3953a4e30 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 22:27:18 +0100 Subject: [PATCH 1746/1764] avcodec/aacsbr_template: Clear n_q on error Fixes: index 5 out of bounds for type 'uint8_t [5]' Fixes: 377748135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5167109774049280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3f029bfb7f9ca1c73fecb8d0eacf3c4e0550f771) Signed-off-by: Michael Niedermayer --- libavcodec/aacsbr_template.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 3fe78d5b62..8779657da9 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -580,6 +580,7 @@ static int sbr_make_f_derived(AACContext *ac, SpectralBandReplication *sbr) if (sbr->n_q > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Too many noise floor scale factors: %d\n", sbr->n_q); + sbr->n_q = 1; return -1; } From 7da68e087983c7074b7d95509c8234ce667f8a3d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 1 Dec 2024 23:30:55 +0100 Subject: [PATCH 1747/1764] avcodec/vc1dec: Clear block_index in vc1_decode_reset() Fixes: 377965565/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4504434689769472 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251de1791e645f16e80b09d82999d4a5e24b1ad1) Signed-off-by: Michael Niedermayer --- libavcodec/vc1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index c325af2d7e..97c1ff2200 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -608,6 +608,7 @@ av_cold int ff_vc1_decode_end(AVCodecContext *avctx) av_freep(&v->hrd_rate); av_freep(&v->hrd_buffer); ff_mpv_common_end(&v->s); + memset(v->s.block_index, 0, sizeof(v->s.block_index)); av_freep(&v->mv_type_mb_plane); av_freep(&v->direct_mb_plane); av_freep(&v->forward_mb_plane); From bc13387c5b50f19e7fc8b4d6a95b0fba613fd6d9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jan 2025 21:35:06 +0100 Subject: [PATCH 1748/1764] avcodec/ffv1enc: Fix handling of 32bit unsigned symbols This may be needed for floats Sponsored-by: Sovereign Tech Fund Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 402824e9e99461f1c9e74a6730ced40894669560) Signed-off-by: Michael Niedermayer --- libavcodec/ffv1enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 83b7f98641..d662c195b3 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -200,7 +200,7 @@ static av_always_inline av_flatten void put_symbol_inline(RangeCoder *c, } while (0) if (v) { - const int a = FFABS(v); + const unsigned a = is_signed ? FFABS(v) : v; const int e = av_log2(a); put_rac(c, state + 0, 0); if (e <= 9) { From 51dd93b44c9b28a7941ce1d72ab4d0dbab1b802b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 8 Jan 2025 02:59:28 +0100 Subject: [PATCH 1749/1764] avcodec/mpegvideo_enc: Check FLV1 resolution limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Found-by: Elias Myllymäki Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 827c073154f4cc17d1bd3777dff3b58370210bcb) Signed-off-by: Michael Niedermayer --- libavcodec/mpegvideo_enc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index 28b50cc5df..81aefae085 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -575,6 +575,12 @@ FF_ENABLE_DEPRECATION_WARNINGS av_log(avctx, AV_LOG_ERROR, "H.263 does not support resolutions above 2048x1152\n"); return -1; } + if (s->codec_id == AV_CODEC_ID_FLV1 && + (avctx->width > 65535 || + avctx->height > 65535 )) { + av_log(avctx, AV_LOG_ERROR, "FLV does not support resolutions above 16bit\n"); + return AVERROR(EINVAL); + } if ((s->codec_id == AV_CODEC_ID_H263 || s->codec_id == AV_CODEC_ID_H263P) && ((avctx->width &3) || From de248843526a9c4378de5656bc604016e6a6b495 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 15 Jan 2025 03:30:21 +0100 Subject: [PATCH 1750/1764] avutil/avstring: dont mess with NULL pointers in av_match_list() Fixes: applying zero offset to null pointer Signed-off-by: Michael Niedermayer (cherry picked from commit c6c54943d161812b3c4034116cb14f3f5c05dc43) Signed-off-by: Michael Niedermayer --- libavutil/avstring.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavutil/avstring.c b/libavutil/avstring.c index 4c068f5bc5..4ab608c2c9 100644 --- a/libavutil/avstring.c +++ b/libavutil/avstring.c @@ -451,10 +451,12 @@ int av_match_list(const char *name, const char *list, char separator) if (k && (!p[k] || p[k] == separator)) return 1; q = strchr(q, separator); - q += !!q; + if(q) + q++; } p = strchr(p, separator); - p += !!p; + if (p) + p++; } return 0; From ad5b7b03127c08befa9ddbcd45883c0951559e40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 01:46:49 +0100 Subject: [PATCH 1751/1764] avformat/vqf: Check avio_read() in add_metadata() Fixes: use of uninitialized data Fixes: 383825642/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5380168801124352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c43dbecbdad152a91eadc7538b545852eee562ae) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index f43a20d6fc..44cbe0782f 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -61,7 +61,8 @@ static void add_metadata(AVFormatContext *s, uint32_t tag, buf = av_malloc(len+1); if (!buf) return; - avio_read(s->pb, buf, len); + if (len != avio_read(s->pb, buf, len)) + return; buf[len] = 0; AV_WL32(key, tag); av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); From ceffbe46335856ed949330b95ea4cc3bf898ee0b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 31 Dec 2024 04:13:25 +0100 Subject: [PATCH 1752/1764] avformat/vqf: Propagate errors from add_metadata() Suggested-by: Marton Balint Reviewed-by: Alexander Strasser Signed-off-by: Michael Niedermayer (cherry picked from commit 49fa3f6c5ba6d43cc4b3ade4f8d9dc2fdbc71f0a) Signed-off-by: Michael Niedermayer --- libavformat/vqf.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/libavformat/vqf.c b/libavformat/vqf.c index 44cbe0782f..bfdca98066 100644 --- a/libavformat/vqf.c +++ b/libavformat/vqf.c @@ -49,23 +49,28 @@ static int vqf_probe(AVProbeData *probe_packet) return AVPROBE_SCORE_EXTENSION; } -static void add_metadata(AVFormatContext *s, uint32_t tag, +static int add_metadata(AVFormatContext *s, uint32_t tag, unsigned int tag_len, unsigned int remaining) { int len = FFMIN(tag_len, remaining); char *buf, key[5] = {0}; + int ret; if (len == UINT_MAX) - return; + return AVERROR_INVALIDDATA; buf = av_malloc(len+1); if (!buf) - return; - if (len != avio_read(s->pb, buf, len)) - return; + return AVERROR(ENOMEM); + + ret = avio_read(s->pb, buf, len); + if (ret < 0) + return ret; + if (len != ret) + return AVERROR_INVALIDDATA; buf[len] = 0; AV_WL32(key, tag); - av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); + return av_dict_set(&s->metadata, key, buf, AV_DICT_DONT_STRDUP_VAL); } static const AVMetadataConv vqf_metadata_conv[] = { @@ -117,6 +122,7 @@ static int vqf_read_header(AVFormatContext *s) do { int len; + int ret; chunk_tag = avio_rl32(s->pb); if (chunk_tag == MKTAG('D','A','T','A')) @@ -163,7 +169,9 @@ static int vqf_read_header(AVFormatContext *s) avio_skip(s->pb, FFMIN(len, header_size)); break; default: - add_metadata(s, chunk_tag, len, header_size); + ret = add_metadata(s, chunk_tag, len, header_size); + if (ret < 0) + return ret; break; } From f1515fa17d51365a44faf1e91009202730b2a351 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 02:53:45 +0100 Subject: [PATCH 1753/1764] avformat/wtvdec: Initialize buf ff_parse_mpeg2_descriptor() reads over what is initialized Fixes: use of uninitialized memory Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 17b019c517af26c6d2f0c6266938c60d36db1fa3) Signed-off-by: Michael Niedermayer --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 672baa0360..92564b399a 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -850,7 +850,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p int stream_index = ff_find_stream_index(s, sid); if (stream_index >= 0) { AVStream *st = s->streams[stream_index]; - uint8_t buf[258]; + uint8_t buf[258] = {0}; const uint8_t *pbuf = buf; int buf_size; From 8c32f218fbea96724ad7296b89eeb2e924f84a88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 26 Dec 2024 03:07:51 +0100 Subject: [PATCH 1754/1764] avformat/ipmovie: Check signature_buffer read Fixes: use of uninitilaized data Fixes: 385167047/clusterfuzz-testcase-minimized-ffmpeg_dem_IPMOVIE_fuzzer-5941477505564672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 788abe0d253b2034af15876d7889265d4746df2b) Signed-off-by: Michael Niedermayer --- libavformat/ipmovie.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/ipmovie.c b/libavformat/ipmovie.c index 7f5a8c62ef..3f5605fadf 100644 --- a/libavformat/ipmovie.c +++ b/libavformat/ipmovie.c @@ -639,7 +639,8 @@ static int ipmovie_read_header(AVFormatContext *s) ipmovie->avf = s; - avio_read(pb, signature_buffer, sizeof(signature_buffer)); + if (avio_read(pb, signature_buffer, sizeof(signature_buffer)) != sizeof(signature_buffer)) + return AVERROR_INVALIDDATA; while (memcmp(signature_buffer, signature, sizeof(signature))) { memmove(signature_buffer, signature_buffer + 1, sizeof(signature_buffer) - 1); signature_buffer[sizeof(signature_buffer) - 1] = avio_r8(pb); From 67249b7cbfc29094da60ce4c378974feb9856ca7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Nov 2024 01:48:22 +0100 Subject: [PATCH 1755/1764] avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() Fixes: use of uninitialized memory Fixes: 375286238/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-6352546854141952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ef71552cf970876085d99834abdb8e429aea9730) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 62b83705b4..86eab41413 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -767,6 +767,8 @@ static void decode_gray_bitstream(HYuvContext *s, int count) for (i = 0; i < count && BITS_LEFT(re, &s->gb) > 0; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); } + for (; i < count; i++) + s->temp[0][2 * i] = s->temp[0][2 * i + 1] = 0; } else { for (i = 0; i < count; i++) { READ_2PIX(s->temp[0][2 * i], s->temp[0][2 * i + 1], 0); From 17c4b50908a9bb3210ff2d55937bbbe603a7cd2b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 23 Sep 2024 20:05:37 +0200 Subject: [PATCH 1756/1764] avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() Fixes: Use of uninitialized memory Fixes: 71444/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5448597561212928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ecc96f4d08d74b0590ab03f39f93f386910c4c0) Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 892729fb99..f95d113d1c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -472,7 +472,8 @@ static int mxf_decrypt_triplet(AVFormatContext *s, AVPacket *pkt, KLVPacket *klv if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); - avio_read(pb, tmpbuf, 16); + if (avio_read(pb, tmpbuf, 16) != 16) + return AVERROR_INVALIDDATA; if (mxf->aesc) av_aes_crypt(mxf->aesc, tmpbuf, tmpbuf, 1, ivec, 1); if (memcmp(tmpbuf, checkv, 16)) From 5c072bd7e1e4c656ec1953b455d717ae97a1f13e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Jan 2025 02:28:32 +0100 Subject: [PATCH 1757/1764] avcodec/h263dec: Check against previous dimensions instead of coded Fixes: out of array access Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c Found-by: Kacper Michajlow Reviewed-by: Kacper Michajlow Signed-off-by: Michael Niedermayer (cherry picked from commit 0fe33c99a26a06a6875c4abfb96362a65145264b) Signed-off-by: Michael Niedermayer --- libavcodec/h263dec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index b2939abd16..beb35690ae 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -414,7 +414,9 @@ int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, MpegEncContext *s = avctx->priv_data; int ret; int slice_ret = 0; + AVFrame *pict = data; + int bak_width, bak_height; /* no supplementary picture */ if (buf_size == 0) { @@ -478,6 +480,9 @@ retry: // we need the idct permutation for reading a custom matrix ff_mpv_idct_init(s); + bak_width = s->width; + bak_height = s->height; + /* let's go :-) */ if (CONFIG_WMV2_DECODER && s->msmpeg4_version == 5) { ret = ff_wmv2_decode_picture_header(s); @@ -500,11 +505,12 @@ retry: } if (ret < 0 || ret == FRAME_SKIPPED) { - if ( s->width != avctx->coded_width - || s->height != avctx->coded_height) { + if ( s->width != bak_width + || s->height != bak_height) { av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n"); - s->width = avctx->coded_width; - s->height= avctx->coded_height; + s->width = bak_width; + s->height= bak_height; + } } if (ret == FRAME_SKIPPED) From 7dc39ecb8ff5ab53cccf2c9253ce06e8d2761a15 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Feb 2025 02:33:21 +0100 Subject: [PATCH 1758/1764] avformat/mlvdec: fix size checks Fixes: heap-buffer-overflow Fixes: 391962476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-5746746587676672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 251d43aef0df9262f2688c1c848af993bbb67d08) Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index c5bb3eea16..8dab15ef09 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -420,19 +420,25 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt) if (size < 16) return AVERROR_INVALIDDATA; avio_skip(pb, 12); //timestamp, frameNumber - if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) + size -= 12; + if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { + if (size < 8) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); // cropPosX, cropPosY, panPosX, panPosY + size -= 8; + } space = avio_rl32(pb); + if (size < space + 4LL) + return AVERROR_INVALIDDATA; avio_skip(pb, space); + size -= space; if ((mlv->class[st->id] & (MLV_CLASS_FLAG_DELTA|MLV_CLASS_FLAG_LZMA))) { ret = AVERROR_PATCHWELCOME; } else if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) { ret = av_get_packet(pb, pkt, (st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3); } else { // AVMEDIA_TYPE_AUDIO - if (space > UINT_MAX - 24 || size < (24 + space)) - return AVERROR_INVALIDDATA; - ret = av_get_packet(pb, pkt, size - (24 + space)); + ret = av_get_packet(pb, pkt, size - 4); } if (ret < 0) From dae907d55171f052e3e4a018e9868d09c9638d37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Feb 2025 01:28:17 +0100 Subject: [PATCH 1759/1764] avformat/iff: Check that we have a stream in read_dst_frame() Fixes: null pointer dereference Fixes: 385644864/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4551049565765632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 8668957ef604bd2b99175310638bc5031ae0d991) Signed-off-by: Michael Niedermayer --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 52bc8c99c9..4663f27742 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -359,6 +359,9 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) uint64_t chunk_pos, data_pos, data_size; int ret = AVERROR_EOF; + if (s->nb_streams < 1) + return AVERROR_INVALIDDATA; + while (!avio_feof(pb)) { chunk_pos = avio_tell(pb); if (chunk_pos >= iff->body_end) From e6ef90db6cf9e00dcbef21216641cd335bd2ecd6 Mon Sep 17 00:00:00 2001 From: Cosmin Stejerean Date: Wed, 6 Dec 2023 18:39:32 +0800 Subject: [PATCH 1760/1764] avfilter/bwdif: account for chroma sub-sampling in min size calculation The current logic for detecting frames that are too small for the algorithm does not account for chroma sub-sampling, and so a sample where the luma plane is large enough, but the chroma planes are not will not be rejected. In that event, a heap overflow will occur. This change adjusts the logic to consider the chroma planes and makes the change to all three bwdif implementations. Fixes #10688 Signed-off-by: Cosmin Stejerean Reviewed-by: Thomas Mundt Signed-off-by: Philip Langdale (cherry picked from commit 737ede405b11a37fdd61d19cf25df296a0cb0b75) Signed-off-by: Michael Niedermayer --- libavfilter/vf_bwdif.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavfilter/vf_bwdif.c b/libavfilter/vf_bwdif.c index 7290c9a4a2..029bc92bd1 100644 --- a/libavfilter/vf_bwdif.c +++ b/libavfilter/vf_bwdif.c @@ -505,12 +505,13 @@ static int config_props(AVFilterLink *link) if(s->mode&1) link->frame_rate = av_mul_q(link->src->inputs[0]->frame_rate, (AVRational){2,1}); - if (link->w < 3 || link->h < 4) { - av_log(ctx, AV_LOG_ERROR, "Video of less than 3 columns or 4 lines is not supported\n"); + s->csp = av_pix_fmt_desc_get(link->format); + + if (AV_CEIL_RSHIFT(link->w, s->csp->log2_chroma_w) < 3 || AV_CEIL_RSHIFT(link->h, s->csp->log2_chroma_h) < 4) { + av_log(ctx, AV_LOG_ERROR, "Video with planes less than 3 columns or 4 lines is not supported\n"); return AVERROR(EINVAL); } - s->csp = av_pix_fmt_desc_get(link->format); if (s->csp->comp[0].depth > 8) { s->filter_intra = filter_intra_16bit; s->filter_line = filter_line_c_16bit; From 2f8faa3ff142ccd210ed6bc6a17a1f0b67f4ec46 Mon Sep 17 00:00:00 2001 From: Lynne Date: Wed, 1 Jan 2025 18:03:33 +0900 Subject: [PATCH 1761/1764] configure: update copyright year On 01/01/2025 19:05, Peter Ross wrote: > FFmpeg turns 25 this year. (cherry picked from commit d3aa99a4f436e89773246339d9d363587a1d21df) Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index c8743b2477..9a49bcc569 100755 --- a/configure +++ b/configure @@ -7001,7 +7001,7 @@ cat > $TMPH < Date: Tue, 11 Mar 2025 20:10:05 +0100 Subject: [PATCH 1762/1764] Update for 3.4.14 Signed-off-by: Michael Niedermayer --- Changelog | 247 +++++++++++++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 249 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a3b9fef375..2602fac2e4 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,253 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.4.14: + configure: update copyright year + avfilter/bwdif: account for chroma sub-sampling in min size calculation + avformat/iff: Check that we have a stream in read_dst_frame() + avformat/mlvdec: fix size checks + avcodec/h263dec: Check against previous dimensions instead of coded + avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet() + avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream() + avformat/ipmovie: Check signature_buffer read + avformat/wtvdec: Initialize buf + avformat/vqf: Propagate errors from add_metadata() + avformat/vqf: Check avio_read() in add_metadata() + avutil/avstring: dont mess with NULL pointers in av_match_list() + avcodec/mpegvideo_enc: Check FLV1 resolution limits + avcodec/ffv1enc: Fix handling of 32bit unsigned symbols + avcodec/vc1dec: Clear block_index in vc1_decode_reset() + avcodec/aacsbr_template: Clear n_q on error + swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template() + avfilter/af_pan: Fix sscanf() use + avformat/rmdec: check that buf if completely filled + avformat/mxfdec: Check that key was read sucessfull + avformat/rpl: Fix check for negative values + avformat/mlvdec: Check avio_read() + avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV + avformat/matroskadec: Check pre_ns for overflow + avcodec/webp: Check ref_x/y + avformat/dxa: check bpc + swscale/slice: clear allocated memory in alloc_lines() + avformat/icodec: fix integer overflow with nb_pal + doc/developer: Document relationship between git accounts and MAINTAINERS + avformat/ilbc: Check avio_read() for failure + avformat/nistspheredec: Clear buffer + INSTALL: explain the circular dependency issue and solution + avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen + avcodec/rangecoder: only perform renorm check/loop for callers that need it + avcodec/ffv1dec: Fix end computation with ec=2 + avcodec/ffv1enc: Prevent generation of files with broken slices + avformat/matroskadec: Check desc_bytes so bits fit in 64bit + avcodec/ffv1enc: Correct error message about unsupported version + avcodec/ffv1enc: Slice combination is unsupported + avcodec/ffv1enc: 2Pass mode is not possible with golomb coding + avcodec/ffv1enc: Fix >8bit context size + avcodec/xan: Add basic input size check + avcodec/svq3: Check for minimum size input + avcodec/jfdctint_template: use unsigned z* in row_fdct() + avformat/mxfdec: More offset_temp checks + swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template() + swscale/swscale: Use unsigned operation to avoid undefined behavior + avcodec/vc2enc: basic sanity check on slice_max_bytes + avcodec/wmavoice: Do not use uninitialized pitch[0] + avformat/apetag: Check APETAGEX + avcodec/avcodec: Warn about data returned from get_buffer*() + avcodec/aic: Clear slice_data + avcodec/shorten: clear padding + avformat/mpeg: Check an avio_read() for failure + avformat/segafilm: Set keyframe + avcodec/dxva2: initialize hr in ff_dxva2_common_end_frame() + avcodec/dxva2: initialize validate + avcodec/dxva2: Initialize ConfigBitstreamRaw + avcodec/dxva2: Initialize dxva_size and check it + avformat/lmlm4: Eliminate some AVERROR(EIO) + avformat/wtvdec: Check length of read mpeg2_descriptor + avformat/wtvdec: clear sectors + avcodec/parser: ensure input padding is zeroed + avformat/img2dec: Clear padding data after EOF + avformat/wavdec: Check if there are 16 bytes before testing them + avcodec/snow: Fix off by 1 error in run_buffer + avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow + avcodec/vaapi_encode: Check hwctx + avcodec/proresdec: Consider negative bits left + avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices + avutil/slicethread: Check pthread_*_init() for failure + avutil/frame: Check log2_crop_align + avutil/buffer: Check ff_mutex_init() for failure + avformat/xmv: Check this_packet_size + avformat/tty: Check avio_size() + avformat/siff: Basic pkt_size check + avformat/sauce: Check avio_size() for failure + avformat/sapdec: Check ffurl_get_file_handle() for error + avformat/nsvdec: Check asize for PCM + avformat/mp3dec: Check header_filesize + avformat/mp3dec; Check for avio_size() failure + avformat/mov: Use 64bit for str_size + avformat/mm: Check length + avformat/hnm: Check *chunk_size + avformat/asfdec_o: Check size of index object + swscale/output: Fix integer overflows in yuv2rgba64_X_c_template + avcodec/utvideoenc: Use unsigned shift to build flags + avcodec/vc2enc: Fix overflows with storing large values + avcodec/mpegvideo_enc: Do not duplicate pictures on shifting + avdevice/dshow: Check device_filter_unique_name before use + avdevice/dshow_filter: Use wcscpy_s() + avcodec/flac_parser: Assert that we do not overrun the link_penalty array + avcodec/pixlet: Simplify pfx computation + avcodec/motion_est: Fix score squaring overflow + avcodec/loco: Check loco_get_rice() for failure + avcodec/loco: check get_ur_golomb_jpegls() for failure + avcodec/iff: Use signed count + avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb() + avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac() + avcodec/xsubdec: Check parse_timecode() + avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit + avcodec/proresenc_kostya: use unsigned alpha for rotation + avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly + avformat/rmdec: use 64bit for audio_framesize checks + avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9 + avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor + avformat/tls_schannel: Initialize ret + avformat/subfile: Assert that whence is a known case + avformat/rtsp: Check that lower transport is handled in one of the if() + avformat/rtsp: initialize reply1 + avformat/rtsp: use < 0 for error check + avformat/rtpenc_vc2hq: Check sizes + avfilter/af_pan: check nb_output_channels before use + tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale() + avfilter/vf_avgblur: Check plane instead of AVFrame + avformat/rdt: Check pkt_len + avformat/mpeg: Check len in mpegps_probe() + avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure + avformat/img2dec: assert no pipe on ts_from_file + avformat/mov: Check edit list for overflow + fftools/ffmpeg: Check read() for failure + swscale/output: Avoid undefined overflow in yuv2rgb_write_full() + swscale/output: alpha can become negative after scaling, use multiply + avcodec/targaenc: Allocate space for the palette + avcodec/r210enc: Use av_rescale for bitrate + avcodec/jfdctint_template: Fewer integer anomalies + avcodec/snowenc: MV limits due to mv_penalty table size + MAINTAINERS: Update the entries for the release maintainer for FFmpeg + configure: update copyright year + avfilter/vf_rotate: Check ff_draw_init2() return value + avformat/img2dec: Move DQT after unrelated if() + fftools/cmdutils: Add protective () to FLAGS + avformat/sdp: Check before appending "," + avcodec/vp8: Check cond init + avcodec/vp8: Check mutex init + avcodec/tests/dct: Use 64bit in intermediate for error computation + avcodec/wavpackenc: Use unsigned for potential 31bit shift + avcodec/tests/jpeg2000dwt: Use 64bit in comparission + avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation + avformat/ape: Use 64bit for final frame size + swscale/yuv2rgb: Use 64bit for brightness computation + avutil/tests/opt: Check av_set_options_string() for failure + avutil/tests/dict: Check av_dict_set() before get for failure + avdevice/dshow: fix badly indented line + avcodec/mpegvideo_enc: Fix potential overflow in RD + avcodec/mpeg4videodec: assert impossible wrap points + avcodec/vble: Check av_image_get_buffer_size() for failure + avcodec/jpeg2000dec: remove ST=3 case + avcodec/fmvc: remove dead assignment + avcodec/lpc: copy levenson coeffs only when they have been computed + avutil/tests/base64: Check with too short output array + libavutil/base64: Try not to write over the array end + avcodec/mpegvideo_enc: Fix 1 line and one column images + swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() + swscale/output: Fix integer overflow in yuv2rgba64_1_c_template + avcodec/hevcdec: Check ref frame + avfilter/signature_lookup: Dont copy uninitialized stuff around + avfilter/signature_lookup: Fix 2 differences to the refernce SW + ffbuild: Avoid using the --preprocessor argument to windres + vp9: recon: Use emulated edge to prevent buffer overflows + arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter + fate/subtitles: Ignore line endings for sub-scc test + avformat/mxfdec: Check index_edit_rate + swscale/utils: Fix xInc overflow + avformat/mxfdec: Make edit_unit_byte_count unsigned + avformat/movenc: Check that cts fits in 32bit + avformat/mxfdec: Check first case of offset_temp computation for overflow + avfilter/vf_signature: Dont crash on no frames + avformat/westwood_vqa: Fix 2g packets + avformat/matroskadec: Check timescale + avformat/sbgdec: Check for negative duration + avformat/rpl: Use 64bit for total_audio_size and check it + avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() + avcodec/truemotion1: Height not being a multiple of 4 is unsupported + avformat/cafdec: Check that data chunk end fits within 64bit + avformat/dxa: Adjust order of operations around block align + avformat/cafdec: dont seek beyond 64bit + avformat/id3v2: read_uslt() check for the amount read + avcodec/proresenc_kostya: Remove bug similarity text + avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() + libswscale/utils: Fix bayer to yuvj + swscale/swscale: Check srcSliceH for bayer + swscale/utils: Allocate more dithererror + avcodec/indeo3: Round dimensions up in allocate_frame_buffers() + avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers + avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure + avfilter/signature_lookup: dont leave uncleared pointers in sll_free() + avcodec/mpegvideo_enc: Use ptrdiff_t for stride + avcodec/mpegvideo_enc: Dont copy beyond the image + avfilter/vf_minterpolate: Check pts before division + avformat/flacdec: Avoid double AVERRORS + avfilter/vf_vidstabdetect: Avoid double AVERRORS + avfilter/vf_swaprect: round coordinates down + avfilter/vf_swaprect: Use height for vertical variables + avfilter/vf_swaprect: assert that rectangles are within memory + avfilter/af_alimiter: Check nextpos before use + avfilter/af_stereowiden: Check length + avfilter/vf_gradfun: Do not overread last line + avformat/mov: do not set sign bit for chunk_offsets + avcodec/jpeglsdec: Check Jpeg-LS LSE + configure: Enable section_data_rel_ro for FreeBSD and NetBSD aarch64 / arm + avformat/mov: Ignore duplicate ftyp + seek: Fix crashes in ff_seek_frame_binary if built with latest Clang 14 + avcodec/4xm: Check for cfrm exhaustion + avformat/mov: Disallow FTYP after streams + doc/html: fix styling issue with Texinfo 7.0 + doc/html: support texinfo 7.0 + doc/t2h.pm: fix missing TOC with texinfo 6.8 and above + doc/t2h.pm: fix missing CSS with texinfo 6.8 and above + avformat/matroskadec: Fix declaration-after-statement warnings + avformat/rtsp: Use rtsp_st->stream_index + avcodec/jpeg2000dec: Check image offset + avcodec/h2645_parse: Avoid EAGAIN + avcodec/xvididct: Make c* unsigned to avoid undefined overflows + avformat/tmv: Check video chunk size + avformat/xwma: sanity check bits_per_coded_sample + avformat/matroskadec: Check prebuffered_ns for overflow + avformat/wavdec: Check left avio_tell for overflow + avformat/tta: Better totalframes check + avformat/rpl: Check for number_of_chunks overflow + avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() + avformat/jacosubdec: Check timeres + avcodec/escape124: Do not return random numbers + avformat/avs: Check if return code is representable + avcodec/lcldec: Make PNG filter addressing match the code afterwards + avformat/westwood_vqa: Check chunk size + avformat/sbgdec: Check for period overflow + avcodec/xvididct: Fix integer overflow in idct_row() + avcodec/celp_math: avoid overflow in shift + avformat/format: Stop reading data at EOF during probing + avcodec/huffyuvdec: avoid undefined behavior with get_vlc2() failure + avcodec/hevcdec: Fix undefined memcpy() + avcodec/mpeg4videodec: more unsigned in amv computation + avcodec/tta: fix signed overflow in decorrelate + avcodec/xvididct: Fix integer overflow in idct_row() + avformat/avr: Check sample rate + avcodec/jpeg2000dec: Check for reduction factor and image offset + avutil/softfloat: Basic documentation for av_sincos_sf() + avutil/softfloat: fix av_sincos_sf() + avcodec/utils: fix 2 integer overflows in get_audio_frame_duration() + avcodec/hevcdec: Avoid null pointer dereferences in MC + avcodec/takdsp: Fix integer overflows + avcodec: Ignoring errors is only possible before the input end + + version 3.4.13: avcodec/noise_bsf: Check for wrapped frames avcodec/pngdec: Do not pass AVFrame into global header decode diff --git a/RELEASE b/RELEASE index 618659f09f..2a6849c69b 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.4.13 +3.4.14 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4c4a79466c..182907f463 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.4.13 +; PROJECT_NUMBER = 3.4.14 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 62e1c442633e8a09a1407a789cd2b50611850788 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Mar 2025 22:13:01 +0100 Subject: [PATCH 1763/1764] doc/Doxyfile: Fix typo Signed-off-by: Michael Niedermayer --- doc/Doxyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/Doxyfile b/doc/Doxyfile index 182907f463..0a1e3cb8df 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -; PROJECT_NUMBER = 3.4.14 +PROJECT_NUMBER = 3.4.14 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a From 9983d098ff0ee54bc3b77676dd885883bfbe4ffb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?= Date: Sun, 16 Jul 2023 18:18:02 +0300 Subject: [PATCH 1764/1764] avcodec/x86/mathops: clip constants used with shift instructions within inline assembly Fixes assembling with binutil as >= 2.41 Signed-off-by: James Almer (cherry picked from commit effadce6c756247ea8bae32dc13bb3e6f464f0eb) --- libavcodec/x86/mathops.h | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/libavcodec/x86/mathops.h b/libavcodec/x86/mathops.h index 6298f5ed19..ca7e2dffc1 100644 --- a/libavcodec/x86/mathops.h +++ b/libavcodec/x86/mathops.h @@ -35,12 +35,20 @@ static av_always_inline av_const int MULL(int a, int b, unsigned shift) { int rt, dummy; + if (__builtin_constant_p(shift)) __asm__ ( "imull %3 \n\t" "shrdl %4, %%edx, %%eax \n\t" :"=a"(rt), "=d"(dummy) - :"a"(a), "rm"(b), "ci"((uint8_t)shift) + :"a"(a), "rm"(b), "i"(shift & 0x1F) ); + else + __asm__ ( + "imull %3 \n\t" + "shrdl %4, %%edx, %%eax \n\t" + :"=a"(rt), "=d"(dummy) + :"a"(a), "rm"(b), "c"((uint8_t)shift) + ); return rt; } @@ -113,19 +121,31 @@ __asm__ volatile(\ // avoid +32 for shift optimization (gcc should do that ...) #define NEG_SSR32 NEG_SSR32 static inline int32_t NEG_SSR32( int32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("sarl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("sarl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; } #define NEG_USR32 NEG_USR32 static inline uint32_t NEG_USR32(uint32_t a, int8_t s){ + if (__builtin_constant_p(s)) __asm__ ("shrl %1, %0\n\t" : "+r" (a) - : "ic" ((uint8_t)(-s)) + : "i" (-s & 0x1F) ); + else + __asm__ ("shrl %1, %0\n\t" + : "+r" (a) + : "c" ((uint8_t)(-s)) + ); return a; }