1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00

75 Commits

Author SHA1 Message Date
Michael Niedermayer
0e529f8a93
avformat/asfdec_o: Check size of index object
We subtract 24 so it must be at least 24

Fixes: CID1604482 Overflowed constant

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 891bc070f0294e564a02f9a71f6591b6a62c90cc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-25 20:36:12 +02:00
Andreas Rheinhardt
b800327f4c avformat/avformat: Add FFInputFormat, hide internals of AVInputFormat
This commit does for AVInputFormat what commit
59c9dc82f450638a3068deeb1db5c56f6d155752 did for AVOutputFormat:
It adds a new type FFInputFormat, moves all the internals
of AVInputFormat to it and adds a now reduced AVInputFormat
as first member.

This does not affect/improve extensibility of both public
or private fields for demuxers (it is still a mess due to lavd).

This is possible since 50f34172e0cca2cabc5836308ec66dbf93f5f2a3
(which removed the last usage of an internal field of AVInputFormat
in fftools).

(Hint: tools/probetest.c accesses the internals of FFInputFormat
as well, but given that it is a testing tool this is not considered
a problem.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2024-03-07 08:53:31 -03:00
Andreas Rheinhardt
0c6e5f321b avformat/avformat: Avoid including codec.h, frame.h
AVCodec is only ever used as an incomplete type (i.e. via a pointer
to an AVCodec) in avformat.h and it is not really part of the core
of avformat.h or libavformat; almost none of our internal users
make use of it (and none make use of hwcontext.h, which is implicitly
included). So switch to use struct AVCodec, but continue to include
codec.h for external users for compatibility.

Also, do the same for AVFrame and frame.h, which is implicitly included
by codec.h (via lavu/hwcontext.h).

Also, remove an unnecessary inclusion of <time.h>.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2023-09-07 00:30:08 +02:00
Michael Niedermayer
557aa7772e
avformat/asfdec_o: Check offset before adding index entry
Fixes: signed integer overflow: 9223372036854550860 + 530259564 cannot be represented in type 'long'
Fixes: 49093/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-4697179192688640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-10-20 21:42:20 +02:00
Michael Niedermayer
736e9e69d5
avformat/asfdec_o: Limit packet offset
avoids overflows with it

Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-09-24 17:57:36 +02:00
Michael Niedermayer
1f1a368169
avformat/asfdec_o: limit recursion depth in asf_read_unknown()
The threshold of 5 is arbitrary, both smaller and larger should work fine

Fixes: Stack overflow
Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-08-31 18:03:55 +02:00
Andreas Rheinhardt
35ec5c819b avformat/demux: Add new demux.h header
And move those stuff already in demuxer-only files to it.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2022-05-10 07:37:38 +02:00
Andreas Rheinhardt
40bdd8cc05 avformat: Avoid allocation for AVStreamInternal
Do this by allocating AVStream together with the data that is
currently in AVStreamInternal; or rather: Put AVStream at the
beginning of a new structure called FFStream (which encompasses
more than just the internal fields and is a proper context in its own
right, hence the name) and remove AVStreamInternal altogether.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-09-17 13:22:25 +02:00
Andreas Rheinhardt
bc70684e74 avformat: Constify all muxer/demuxers
This is possible now that the next-API is gone.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2021-04-27 11:48:06 -03:00
Michael Niedermayer
098314e1e5 avformat/asfdec_o: Use ff_get_extradata()
Fixes: OOM
Fixes: 27240/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5937469859823616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-24 11:36:47 +02:00
Andreas Rheinhardt
dfeb9b3a8b avformat/asf: Factor common code out
Both functions to read attached pictures coincide since
e83f27a21a6d2f602b55e541ef66e365400e9827 (save for some log messages
in case av_dict_set failed).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-03-31 22:01:36 +02:00
James Almer
3c69e5cd6f avformat/asfdec_o: use av_packet_alloc() to allocate packets
Signed-off-by: James Almer <jamrial@gmail.com>
2021-03-17 15:06:48 -03:00
Michael Niedermayer
06e5c79194 avformat/asfdec_o: Check lang_idx
Fixes: index 26981 out of bounds for type 'ASFStreamData [128]'
Fixes: 27334/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6197611002068992

Alternatively the array could be increased in size or the cases not fitting be ignored

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-29 19:36:46 +01:00
Michael Niedermayer
9e3d09f435 avformat/asfdec_o: Check for EOF in asf_read_marker()
Fixes: Timeout
Fixes: 26460/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5710884393189376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-25 01:10:14 +01:00
Michael Niedermayer
0bee216ad4 avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()
Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long'
Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800

Alternatively this could be ignored but then the end condition of the loop
would be hard to reach as avio_tell() is int64_t

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-20 21:26:46 +01:00
Andreas Rheinhardt
96443ab4b0 avformat/asfdec_o: Remove code duplication
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
33870a6aa7 avformat/asfdec_o: Don't reset twice
A variable has been assigned a value twice consecutively; essentially
the same happens when one performs av_init_packet on an AVPacket after
a call to av_packet_unref.

Found via PVS-Studio (see ticket #8156).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
bf4909f0a3 avformat/asfdec_o: Export metadata that applies to the whole file
The ASF specification of Metadata Objects' stream number is as follows:

"Specifies whether the entry applies to a specific digital media stream
or whether it applies to the whole file. A value of 0 in this field
indicates that it applies to the whole file; otherwise, the entry
applies only to the indicated stream number and must be between 1 and
127."

Yet the asf_o demuxer (the one originating from Libav) has always
treated such metadata as if it applied to a stream even though no stream
with a stream number may exist in a valid ASF file. This is fixed in
this commit; it affected e.g. the file
wma_with_metadata_library_object_tag_trimmed.wma from the FATE suite.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:54 +01:00
Andreas Rheinhardt
e83f27a21a avformat/asfdec_o: Don't segfault with lots of attached pics
The ASF file format has a limit of 127 streams and the "asf_o" demuxer
(the ASF demuxer from Libav) has an array of pointers for a structure
called ASFStream that is allocated on demand for every stream. Attached
pictures are not streams in the sense of the ASF specification, yet the
demuxer created an ASFStream for them; and in one codepath it also
forgot to check whether the array of ASFStreams is already full. The
result is a write beyond the end of the array and a segfault lateron.

Fixing this is easy: Don't create ASFStreams for attached picture
streams.

(Other results of the current state of affairs are unnecessary allocations
(of ASFStreams structures), the misparsing of valid files (there might not
be enough ASFStreams left for the valid streams if attached pictures take
up too many); furthermore, the ASFStreams created for attached pictures all
have the stream number 0, an invalid stream number (the valid range is
1-127). This means that invalid data (packets for a stream with stream
number 0) won't get rejected lateron.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:17:36 +01:00
Anton Khirnov
cea7c19cda lavf: move AVStream.*index_entries* to AVStreamInternal
Those are private fields, no reason to have them exposed in a public
header. Since there are some (semi-)public fields located after these,
even though this section is supposed to be private, keep some dummy
padding there until the next major bump to preserve ABI compatibility.
2020-10-28 14:59:28 +01:00
Andreas Rheinhardt
37140ebd87 avformat/id3v2: Remove unnecessary indirection
ff_id3v2_parse_apic/chapters/priv/priv_dict all had a parameter
extra_meta of type ID3v2ExtraMeta ** as if the functions wanted to make
*extra_meta point to something else. But they don't, so just use an
ID3v2ExtraMeta *.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-05-25 07:06:44 +02:00
Jun Zhao
ec3d3fc65d lavf/asfdec: Simplify the check conditions
Simplify the check conditions

Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
2019-11-04 10:24:58 +08:00
Carl Eugen Hoyos
4d8875ec23 lavf: Constify the probe function argument.
Reviewed-by: Lauri Kasanen
Reviewed-by: Tomas Härdin
2019-03-21 11:42:17 +01:00
Michael Niedermayer
2b46ebdbff avformat/asfdec_o: Check size_bmp more fully
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-07-05 19:52:42 +02:00
Lukas Stabe
1fd80106be avformat: fix id3 chapters
These changes store id3 chapter data in ID3v2ExtraMeta and introduce
ff_id3v2_parse_chapters to parse them into the format context if needed.

Encoders using ff_id3v2_read, which previously parsed chapters into the
format context automatically, were adjusted to call
ff_id3v2_parse_chapters.

Signed-off-by: wm4 <nfxjfg@googlemail.com>
2017-10-05 17:10:23 +02:00
James Almer
1902bbbe72 Merge commit 'cd7a2e1502f174c725c0de82711d2c7649057574'
* commit 'cd7a2e1502f174c725c0de82711d2c7649057574':
  asfdec: fix reading files larger than 2GB

Merged-by: James Almer <jamrial@gmail.com>
2017-10-03 20:12:15 -03:00
James Almer
42f27d1b8e Merge commit '0539d84d985e811e5989ef27c13f7e2dda0f9b89'
* commit '0539d84d985e811e5989ef27c13f7e2dda0f9b89':
  asfdec: Account for different Format Data sizes

See 76853a3e0ce4d4ef09ffcca7307991b8db832cd4

Merged-by: James Almer <jamrial@gmail.com>
2017-09-28 00:28:38 -03:00
James Almer
e666c2b5ec Merge commit '8e67039c6312ba520945f2c01b7b14df056d5ed1'
* commit '8e67039c6312ba520945f2c01b7b14df056d5ed1':
  asfdec: Use the ASF stream count when iterating

Merged-by: James Almer <jamrial@gmail.com>
2017-09-26 18:50:30 -03:00
James Almer
4de591e6fb Merge commit '83548fe894cdb455cc127f754d09905b6d23c173'
* commit '83548fe894cdb455cc127f754d09905b6d23c173':
  lavf: fix usage of AVIOContext.seekable

Merged-by: James Almer <jamrial@gmail.com>
2017-03-21 17:02:30 -03:00
James Almer
1582e306a4 avformat/avlanguage: make av_convert_lang_to() internal
The header was never installed and the function is only used in libavformat

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2016-07-19 21:43:14 -03:00
Clément Bœsch
8ef57a0d61 Merge commit '41ed7ab45fc693f7d7fc35664c0233f4c32d69bb'
* commit '41ed7ab45fc693f7d7fc35664c0233f4c32d69bb':
  cosmetics: Fix spelling mistakes

Merged-by: Clément Bœsch <u@pkh.me>
2016-06-21 21:55:34 +02:00
Clément Bœsch
c01f1157ac Merge commit '0f40c9098498ad90dbbd2380eb4269015e84bde4'
* commit '0f40c9098498ad90dbbd2380eb4269015e84bde4':
  Drop pointless assert.h #includes

Merged-by: Clément Bœsch <clement@stupeflix.com>
2016-06-21 15:26:20 +02:00
Derek Buitenhuis
6f69f7a8bf Merge commit '9200514ad8717c63f82101dc394f4378854325bf'
* commit '9200514ad8717c63f82101dc394f4378854325bf':
  lavf: replace AVStream.codec with AVStream.codecpar

This has been a HUGE effort from:
    - Derek Buitenhuis <derek.buitenhuis@gmail.com>
    - Hendrik Leppkes <h.leppkes@gmail.com>
    - wm4 <nfxjfg@googlemail.com>
    - Clément Bœsch <clement@stupeflix.com>
    - James Almer <jamrial@gmail.com>
    - Michael Niedermayer <michael@niedermayer.cc>
    - Rostislav Pehlivanov <atomnuker@gmail.com>

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-04-10 20:59:55 +01:00
Hendrik Leppkes
be3963c8af Merge commit '066281372d90d63ca021b659abcb8faefd6bc4a6'
* commit '066281372d90d63ca021b659abcb8faefd6bc4a6':
  asfdec: Remove unused function parameters

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2016-01-19 08:47:48 +01:00
Andreas Cadhalpun
c29e87ad55 asfdec_o: check for too small size in asf_read_unknown
This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:40:21 +01:00
Andreas Cadhalpun
0e32153e9c asfdec_o: break if EOF is reached after asf_read_packet_header
asf_read_payload can unset eof_reached, so check it also before calling
that function.

This fixes infinite loops.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:39:46 +01:00
Andreas Cadhalpun
3776a72962 asfdec_o: make sure packet_size is non-zero before seeking
This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:39:30 +01:00
Andreas Cadhalpun
74474750f1 asfdec_o: prevent overflow causing seekback
This fixes infinite loops.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:38:50 +01:00
Andreas Cadhalpun
0002d845e8 asfdec_o: check avio_skip in asf_read_simple_index
The loop can be very long, even though the file is very short.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:37:30 +01:00
Andreas Cadhalpun
aa18016996 asfdec_o: reject size > INT64_MAX in asf_read_unknown
Both avio_skip and detect_unknown_subobject use int64_t for the size
parameter.

This fixes a segmentation fault due to infinite recursion.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:37:13 +01:00
Andreas Cadhalpun
763c572801 asfdec_o: only set asf_pkt->data_size after sanity checks
Otherwise invalid values are used unchecked in the next run.
This can cause NULL pointer dereferencing.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:36:41 +01:00
Hendrik Leppkes
bf67ae3cfa Merge commit '8375dc1dd101d51baa430f34c0bcadfa37873896'
* commit '8375dc1dd101d51baa430f34c0bcadfa37873896':
  asfdec: handle the case when the stream index has an invalid value better

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-11-29 15:32:39 +01:00
Hendrik Leppkes
7f5af80ba4 Merge commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457'
* commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457':
  avpacket: Replace av_free_packet with av_packet_unref

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-10-27 14:28:56 +01:00
Hendrik Leppkes
80fd622590 Merge commit '00cc10aee380f882507bac994ac469d8358d12e8'
* commit '00cc10aee380f882507bac994ac469d8358d12e8':
  asfdec: do not skip padding if offset is above packet size - padding

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-10-10 09:56:29 +02:00
Andreas Cadhalpun
8d6625642d doc: fix spelling errors
Reviewed-by: Lou Logan <lou@lrcd.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-10-09 22:09:08 +02:00
Hendrik Leppkes
de969904b1 Merge commit 'c0a49077ea4ff3a0ad30b9e33f1bb06ba9112aaa'
* commit 'c0a49077ea4ff3a0ad30b9e33f1bb06ba9112aaa':
  asfdec: add more checks for size left in asf packet buffer

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-09-12 15:18:05 +02:00
Hendrik Leppkes
8998caf0a4 Merge commit '77cf23668991bfd1fb69339f13e1511b4186b7b3'
* commit '77cf23668991bfd1fb69339f13e1511b4186b7b3':
  asfdec: alloc enough space for storing name in asf_read_metadata_obj

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-09-08 14:46:21 +02:00
Hendrik Leppkes
649b2e4c83 Merge commit '317cfaa5e09755ed0b34af512ec687963a67bdbf'
* commit '317cfaa5e09755ed0b34af512ec687963a67bdbf':
  asfdec: prevent the memory leak in the asf_read_metada_obj

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-18 09:35:56 +02:00
Hendrik Leppkes
3d2d672828 Merge commit 'e5997152f54f790229c99f237f8eb6b5b1ee683a'
* commit 'e5997152f54f790229c99f237f8eb6b5b1ee683a':
  asf: Use time_t where needed

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-07 09:27:55 +02:00
Hendrik Leppkes
b54cf4b886 Merge commit '944f60866f507e3c0850ae9c2f30dac1da54587c'
* commit '944f60866f507e3c0850ae9c2f30dac1da54587c':
  asfdec: read values properly

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-07 09:27:49 +02:00