1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Commit Graph

333 Commits

Author SHA1 Message Date
Michael Niedermayer
5af1fe5693
avformat/rmdec: use 64bit for audio_framesize checks
It is not entirely clear what would prevent such overflow so even if it is
not possible, it is better to use 64bit

Fixes: CID1491898 Unintentional integer overflow

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 665be4fa2f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-24 16:52:38 +02:00
Michael Niedermayer
2cb7ee8a36
avformat/rmdec: check tag_size
Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-09-24 18:28:19 +02:00
Andreas Rheinhardt
35ec5c819b avformat/demux: Add new demux.h header
And move those stuff already in demuxer-only files to it.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2022-05-10 07:37:38 +02:00
Andreas Rheinhardt
b9f6d416ec avformat/utils: Move stream_options, avformat_new_stream to options.c
This is the appropriate place given that AVStream is about to
become an AVOpt-enabled struct.
Also move av_disposition_(to|from)_string, as these are tied
to the disposition stream option.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2022-05-10 07:28:54 +02:00
Vittorio Giovara
82f728828e rm: convert to new channel layout API
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2022-03-15 09:42:36 -03:00
Michael Niedermayer
15a646e501 avformat/rmdec: Better duplicate tags check
Fixes: memleaks
Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-03-08 00:47:21 +01:00
Michael Niedermayer
8fe3566b8f avformat/rmdec: Check for multiple audio_stream_info
Fixes: memleak
Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-09 11:42:16 +02:00
Andreas Rheinhardt
40bdd8cc05 avformat: Avoid allocation for AVStreamInternal
Do this by allocating AVStream together with the data that is
currently in AVStreamInternal; or rather: Put AVStream at the
beginning of a new structure called FFStream (which encompasses
more than just the internal fields and is a proper context in its own
right, hence the name) and remove AVStreamInternal altogether.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-09-17 13:22:25 +02:00
Michael Niedermayer
e2c2872393 avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4
Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int'
Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-15 19:55:17 +02:00
Andreas Rheinhardt
48de45ea59 avformat/rmdec: Simplify cleanup after read_header failure
by setting the FF_FMT_INIT_CLEANUP flag.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-07-08 13:32:15 +02:00
Michael Niedermayer
06d174e289 avformat/rmdec: Check old_format len for overflow
Maybe such large values could be disallowed earlier and closer to where
they are set.

Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-06-18 18:58:25 +02:00
James Almer
b9c5fdf602 avformat: move AVStream.{parser,need_parsing} to AVStreamInternal
Those are private fields, no reason to have them exposed in a public
header.

Signed-off-by: James Almer <jamrial@gmail.com>
2021-05-07 09:27:21 -03:00
Andreas Rheinhardt
bc70684e74 avformat: Constify all muxer/demuxers
This is possible now that the next-API is gone.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2021-04-27 11:48:06 -03:00
Andreas Rheinhardt
4666ce0aef avformat/rmdec: Don't rely on unspecified order of evaluation
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-04-08 11:05:16 +02:00
Andreas Rheinhardt
9a471c5437 avformat/rmdec: Fix memleaks upon read_header failure
For both the RealMedia as well as the IVR demuxer (which share the same
context) each AVStream's priv_data contains an AVPacket that might
contain data (even when reading the header) and therefore needs to be
unreferenced. Up until now, this has not always been done:

The RealMedia demuxer didn't do it when allocating a new stream's
priv_data failed although there might be other streams with packets to
unreference. (The reason for this was that until recently rm_read_close()
couldn't handle an AVStream without priv_data, so one had to choose
between a potential crash and a memleak.)

The IVR demuxer meanwhile never ever called read_close so that the data
already contained in packets leaks upon error.

This patch fixes both demuxers by adding the appropriate cleanup code.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-04-08 11:05:16 +02:00
Michael Niedermayer
cf2fd9204b avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check
Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Michael Niedermayer
d558c9f237 avformat/rmdec: Check codec_length without overflow
Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int'
Fixes: 30333/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5175286983426048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-02-16 19:02:24 +01:00
Michael Niedermayer
a8fe78decd avformat/rmdec: Check remaining space in debug av_log() loop
Fixes: Timeout (long -> 2 ms)
Fixes: 26709/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5665833403285504
Fixes: 27522/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6321071221112832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-02-10 21:18:17 +01:00
Michael Niedermayer
b12e713b80 avformat/rmdec: Reorder operations to avoid overflow
Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int'
Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-02-04 17:26:07 +01:00
Michael Niedermayer
3c41d0bfd6 avformat/rmdec: Fix codecdata_length overflow check
Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int'
Fixes: 28509/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6310969680723968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-02-02 13:12:12 +01:00
Michael Niedermayer
ebf4bc629e avformat/rmdec: Check for EOF in index packet reading
Fixes: Timeout(>10sec -> 1ms)
Fixes: 27284/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6304211110985728

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-21 22:09:51 +01:00
Michael Niedermayer
441fd1bd7d avformat/rmdec: remove unneeded memset() on packet allocation
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-04 23:30:53 +01:00
Michael Niedermayer
728330462c avformat/rmdec: Make expected_len 64bit
Fixes: signed integer overflow: 1347551268 * 14 cannot be represented in type 'int'
Fixes: 26458/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5655364324032512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-25 09:49:40 +01:00
Michael Niedermayer
aee8477c6b avformat/rmdec: sanity check coded_framesize
Fixes: signed integer overflow: -14671840 * 8224 cannot be represented in type 'int'
Fixes: 24793/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5101884323659776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-18 20:42:20 +02:00
Andreas Rheinhardt
5aafdb4e5f avformat/rmdec: Fix potential crash on allocation failure
The RealMedia demuxer uses the priv_data of its streams to store a
structure containing an AVPacket. These packets are unreferenced in the
read_close function, yet said function simply presumed that the
priv_data has been successfully allocated. This implies that it mustn't
be called when an allocation of priv_data fails; but this can happen
since commit 35bbc1955a if one has a
stream with multiple substreams (also exported as AVStream) and if
allocating the priv_data for one of these substreams fails.

This has been fixed by making sure that read_close can handle the case
in which priv_data has not been successfully allocated.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-09-19 20:26:53 +02:00
Andreas Rheinhardt
4cc43d30c3 avformat/rmdec: Actually return value < 0 on read_header failure
The RealMedia demuxer's read_header function initially initializes ret,
the variable designated for the return variable to -1. Afterwards, chunks
of the file are parsed in a loop until an error happens or until the actual
frame data is encountered. If the first function whose return
value is put into ret doesn't fail, then ret contains a value >= 0
(actually == 0) and this is what will be returned if an error is
encountered afterwards.

This is a regression since 35bbc1955a.
Before that, ret had never been overwritten with a nonnegative value.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-09-19 20:26:50 +02:00
Andreas Rheinhardt
45e7c67aff avformat: Improve returned error codes
This commit improves returned error codes by forwarding error codes. In
some instances, the hardcoded returned error codes made no sense at all:
The normal error code for failure of av_new_packet() is AVERROR(ENOMEM),
yet there were instances where AVERROR(EIO) was returned.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-01-08 01:32:26 +01:00
Andreas Rheinhardt
c1e439d7e9 avformat: Forward errors where possible
It is not uncommon to find code where the caller thinks to know better
what the return value should be than the callee. E.g. something like
"if (av_new_packet(pkt, size) < 0) return AVERROR(ENOMEM);". This commit
changes several instances of this to instead forward the actual error.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-12 19:25:33 +01:00
Michael Niedermayer
7e665e4a81 avformat/rmdec: Initialize and sanity check offset in ivr_read_header()
Fixes: signed integer overflow: -9223372036854775808 - 17 cannot be represented in type 'long'
Fixes: 18768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674385247830016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-10 16:09:14 +01:00
Andreas Rheinhardt
296f769fdc avformat/rmdec: Use av_packet_move_ref() for packet ownership transfer
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-04 20:17:00 +01:00
James Almer
4c34ed65f6 avformat/rmdec.c: fix brackets around arguments
Regression since 78f52b4fe3

Signed-off-by: James Almer <jamrial@gmail.com>
2019-09-15 11:04:33 -03:00
James Almer
78f52b4fe3 avformat/rmdec.c: fix left shift of negative value in rm_sync()
Fixes ticket 8143.

Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2019-09-15 10:31:19 -03:00
Carl Eugen Hoyos
4d8875ec23 lavf: Constify the probe function argument.
Reviewed-by: Lauri Kasanen
Reviewed-by: Tomas Härdin
2019-03-21 11:42:17 +01:00
Michael Niedermayer
c2eec1762d avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()
Fixes: long running loop
Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6

Found-by: Paul Ch <paulcher@icloud.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-08-17 21:53:13 +02:00
Michael Niedermayer
a7e032a277 avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata()
Fixes: use after free()
Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-07-05 19:52:42 +02:00
Paul B Mahol
46129b4044 avformat/rmdec: make use of avio_get_str()
Also do not set empty metadata.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
2018-04-02 22:44:26 +02:00
James Almer
fe421d4dee Merge commit '95ce02b35d3d1bb16111031df1d82a6e4d894d36'
* commit '95ce02b35d3d1bb16111031df1d82a6e4d894d36':
  rmdec: don't ignore the return value of av_get_packet()

See 65b83ce01b

Merged-by: James Almer <jamrial@gmail.com>
2017-11-07 19:17:26 -03:00
孙浩 and 张洪亮(望初)
124eb202e7 avformat/rmdec: Fix DoS due to lack of eof check
Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-08-27 19:23:13 +02:00
Sean McGovern
95ce02b35d rmdec: don't ignore the return value of av_get_packet() 2017-07-17 07:08:13 -04:00
Clément Bœsch
549045254c Fix all -Wformat warnings raised by DJGPP 2017-03-29 14:49:29 +02:00
Clément Bœsch
bec96a7286 lavf: use av_fourcc2str() where appropriate 2017-03-29 14:49:29 +02:00
James Almer
4de591e6fb Merge commit '83548fe894cdb455cc127f754d09905b6d23c173'
* commit '83548fe894cdb455cc127f754d09905b6d23c173':
  lavf: fix usage of AVIOContext.seekable

Merged-by: James Almer <jamrial@gmail.com>
2017-03-21 17:02:30 -03:00
Clément Bœsch
3eed90b1ed Merge commit 'd9442d13033a24b14ebae149dcdb42709430e2d9'
* commit 'd9442d13033a24b14ebae149dcdb42709430e2d9':
  rm: Drop broken disabled cruft

Merged-by: Clément Bœsch <u@pkh.me>
2017-03-19 15:49:47 +01:00
Paul B Mahol
40cf943714 avcodec: add SIPR parser
Fixes #2056.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
2017-01-16 10:24:01 +01:00
Diego Biurrun
0b77a59336 Use correct printf conversion specifiers for POSIX integer types 2016-12-23 19:30:00 +01:00
Andreas Cadhalpun
de4ded0636 rmdec: validate block alignment
This fixes division by zero crashes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-23 00:57:10 +01:00
Anton Khirnov
83548fe894 lavf: fix usage of AVIOContext.seekable
It is supposed to be a flag. The only currently defined value is
AVIO_SEEKABLE_NORMAL, but other ones may be added in the future.
However all the current lavf code treats this field as a bool (mainly
for historical reasons).
Change all those cases to properly check for AVIO_SEEKABLE_NORMAL.
2016-09-30 16:54:33 +02:00
Diego Biurrun
d9442d1303 rm: Drop broken disabled cruft 2016-08-17 12:16:42 +02:00
Carl Eugen Hoyos
8ee113afa1 lavf/rmdec: Do not return EIO on EOF.
Reported-by: applemax82
2016-08-02 16:16:31 +02:00
Michael Niedermayer
0219dc6c07 avformat/rmdec: Clear extradata when extradata_size is cleared
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-07-29 12:12:18 +02:00