Fixes: out of array access
Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
"The entries in an IFD must be sorted in ascending order by Tag. Note that this is
not the order in which the fields are described in this document."
This way various dimensions, sample and bit sizes cannot be changed at
arbitrary times which reduces the potential for bugs.
The tag reading code also on various places assumes that numerically previous
tags have already been parsed, so this needs to be enforced one way or another.
If this commit causes problems with real world files which are not easy to fix
then some other form of checks are needed to ensure the various dependencies
in the tag reading are not violated.
Fixes: out of array access
Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 24604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4843529818603520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Section 5.9.7 of the spec states
UpscaledWidth = RefUpscaledWidth[ ref_frame_idx[ i ] ]
FrameWidth = UpscaledWidth
FrameHeight = RefFrameHeight[ ref_frame_idx[ i ] ]
RenderWidth = RefRenderWidth[ ref_frame_idx[ i ] ]
RenderHeight = RefRenderHeight[ ref_frame_idx[ i ] ]
Meaning FrameWidth must not be set to RefFrameWidth[ ref_frame_idx[ i ] ]
like we're currently doing.
Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
Implement Section 7.21 "Reference frame loading process" and Section 7.20
"Reference frame update process" for show_existing_frame frames, as required by
the definition in Section 7.4 "Decode frame wrapup process".
Signed-off-by: James Almer <jamrial@gmail.com>
Validates the set channel layout as well as verifies that the received
layout to the function matches the reference layout, so that it matches
the implemented re-ordering logic.
Fixes#8845
This makes them available for all frames within a Temporal Unit.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
Currently if the frame buffers are full, the frame is unrefed and
dropped. Instead buffer the frame so that it is enqueued in the
next v4l2_receive_packet() call. The behavior was observed on
DragonBoard 410c.
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
Return proper error when frame buffers are full. This path is triggered
on the DragonBoard 410c since the encoding API change in commit
827d6fe73d.
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
Reviewed-by: Mark Thompson <sw@jkqxz.net>
