We assign a 64bit variable to it before checking
Fixes: CID1604544 Overflowed integer argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 046d069552)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848
Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2882d30e3a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: CID1500312 Unintentional integer overflow
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 034054b370)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
As defined in Section 8.7.3.2.1 of ISO 14496-12.
Any unsupported value will be rejected in mov_build_index() without outright
aborting demuxing.
Fixes ticket #11005.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 3146b77a7d)
We only support mdta as type, yet we were not skipping other types,
but rather reading key_size worth of bytes twice per entry.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5a06d3810e)
Some files with no image items have them, and were working prior to the recent
HEIF parsing overhaul.
Ignore such boxes instead, to recover the old behavior.
Fixes a regression since d9fed9df2a.
Tested-by: Wu Jianhua <toqsxw@outlook.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5b9db32ccc)
Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.
Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8a23a145d8)
This reverts commit f6b7b473d4.
The image in the item boxes and the animation in the trak box are not
necessarely the same, so both should be exported.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit e37b233ee2)
The VP9 spec defines a SmDm box for this information, and the ISOBMFF spec defines a
mdvc one. If both are present, just ignore one of them.
This is in line with clli and CoLL boxes.
Fixes ticket #10711.
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 67070/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5685384082161664
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
and rename it to FF_INFMT_INIT_CLEANUP. This flag is demuxer-only,
so this is the more appropriate place for it.
This does not preclude adding internal flags common to both
demuxer and muxer in the future.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This combination causes 0 size arrays to be allocated and to leak later
Fixes: memleak
Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit does for AVInputFormat what commit
59c9dc82f4 did for AVOutputFormat:
It adds a new type FFInputFormat, moves all the internals
of AVInputFormat to it and adds a now reduced AVInputFormat
as first member.
This does not affect/improve extensibility of both public
or private fields for demuxers (it is still a mess due to lavd).
This is possible since 50f34172e0
(which removed the last usage of an internal field of AVInputFormat
in fftools).
(Hint: tools/probetest.c accesses the internals of FFInputFormat
as well, but given that it is a testing tool this is not considered
a problem.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
If it's the primary item, then it's expected to be ready for presentation even
outside of the grid it belongs to.
Signed-off-by: James Almer <jamrial@gmail.com>
It is undefined behaviour.
Fixes many failed tests with UBSan and GCC 13 like
"src/libavformat/mov.c:4229:44: runtime error: store to address
0x5572abe20f80 with insufficient space for an object of type 'struct
MOVIndexRange'"
(The line number does not refer to the line where &entry[-1]
is assigned.)
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This reverts commit eee3b7e2fb.
It has been made in an attempt to fix UBSan test failures with
GCC 13 (see e.g. [1]), but it did not help at all. So revert it,
but use av_malloc_array() instead of going back to av_malloc().
[1]: https://fate.ffmpeg.org/report.cgi?slot=x86_64-archlinux-gcc-ubsan&time=20240226182430
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Export each tile as its own stream, and the grid information as a Stream Group
of type TILE_GRID.
This also enables exporting other stream items like thumbnails, which may be
present in non tiled HEIF images too. For those, the primary stream will be
tagged with the default disposition.
Based on a patch by Swaraj Hota
Signed-off-by: James Almer <jamrial@gmail.com>
The `entries` value is read directly from the stream and used to
allocate memory. This change clamps `entries` to however many are
possible in the remaining atom or file size (whichever is smallest).
Fixes https://crbug.com/1429357
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Makes it robust against adding fields before it, which will be useful in
following commits.
Majority of the patch generated by the following Coccinelle script:
@@
typedef AVOption;
identifier arr_name;
initializer list il;
initializer list[8] il1;
expression tail;
@@
AVOption arr_name[] = { il, { il1,
- tail
+ .unit = tail
}, ... };
with some manual changes, as the script:
* has trouble with options defined inside macros
* sometimes does not handle options under an #else branch
* sometimes swallows whitespace
Fixes a regression since d9fed9df2a, where the single animated stream would
be exported twice as two independent streams.
Signed-off-by: James Almer <jamrial@gmail.com>
