Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented in type 'long'
Fixes: 40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a64a4c582)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: integer overflow
Fixes: 40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 905588df97)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93f7776921)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1b04836dff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
We still own it on failure, and there's no point trying to feed it again.
This should address the issue reported in dav1d #383 and part of VLC #26259.
Signed-off-by: James Almer <jamrial@gmail.com>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 141f3053ba)
The DNXHD encoder's context contains an array of 32 pointers to
DNXHDEncContexts used in case of slice threading; when trying
to use more than 32 threads with slice threading, the encoder's init
function errors out, but the close function takes avctx->thread_count
at face value and tries to free inexistent elements of the array,
leading to potential crashes.
Fix this by modifying the check used to decide whether the slice
contexts should be freed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit eb583b3cb9)
ff_wma_init() can fail without freeing everything it has allocated;
so add the FF_CODEC_CAP_INIT_CLEANUP to the codecs using it.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit fcdb012a10)
Currently an error from init could be overwritten by successfully
setting the enable expression.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 10ad3cd798)
silk_lsp2poly()'s declaration contained arrays with array sizes;
yet these array sizes exceeded the number of actually accessed array
elements (which is related to another parameter) and this leads to
-Wstringop-overflow= warnings from GCC 11, because the arrays provided
by callers are only large enough for the actually used elements.
So replace the incorrect array sizes with comments containing
the correct array sizes. Given that these sizes are not compile-time
constants, they can only be communicated via a comment.
Reported by Paul B Mahol.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 4b15474316)
The terminating '\0' is no longer included in the size of
the extradata output by the demuxer since commit
36e61e24e7.
E.g. if one remuxes the JACOsub sample JACOsub_capability_tester.jss
from the FATE suite, one receives a file not recognized as JACOsub
before this patch.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 54e8dcce8e)
Do this by using the AVStream's priv_data for the buffer holding
the packet size data.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit d94b641b4a)
If an array for the packet sizes could not be successfully reallocated
when writing a packet, the CAF muxer frees said array, but does not
reset the number of valid bytes. As a result, when the trailer is
written later, avio_write tries to read that many bytes from NULL,
which segfaults.
Fix this by not freeing the array in case of error; also, postpone
writing the packet data after having successfully (re)allocated the
array, so that even on allocation error the file can be correctly
finalized.
Also remove an unnecessary resetting of the number of size entries
used at the end.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 19a6b51fe6)
(As long as avio_write() only accepts an int, it makes no sense
to try to support sizes that don't fit into an int.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 42fe438482)
There can only be a maximum of 255 entries in a tfrf tag, so using
more makes no sense; moreover, several size computations can overflow
in this case. Fix this by limiting it to 255.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 1cf3c59b58)
avutil_version() currently performs several checks before
just returning the version. There is a static int that aims
to ensure that these tests are run only once. The reason is that
there used to be a slightly expensive check, but it has been removed
in 92e3a6fdac. Today running only
once is unnecessary and can be counterproductive: GCC 10 optimizes
all the actual checks away, but the checks_done variable and the code
setting it has been kept. Given that this check is inherently racy
(it uses non-atomic variables), it is best to just remove it.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit ff80090374)
Up until now, the scc demuxer not only read the line that it intends
to process, but also the next line, in order to be able to calculate
the duration of the current line. This approach leads to unnecessary
complexity and also to bugs: For the last line, the timing of the
next subtitle is not only logically indeterminate, but also
uninitialized and the same applies to the duration of the last packet
derived from it.* Worse yet, in case of e.g. an empty file, it is not
only the duration that is uninitialized, but the whole timing as well
as the line buffer itself.** The latter is used in av_strtok(), which
could lead to crashes. Furthermore, the current code always outputs
at least one packet, even for empty files.
This commit fixes all of this: It stops using two lines at a time;
instead only the current line is dealt with and in case there is
a packet after that, the duration of the last packet is fixed up
after having already parsed it; consequently the duration of the
last packet is left in its default state (meaning "unknown/up until
the next subtitle"). If no further line could be read, processing
is stopped; in particular, no packet is output for an empty file.
*: Due to stack reuse it seems to be zero quite often; for the same
reason Valgrind does not report any errors for a normal input file.
**: While ff_subtitles_read_line() claims to always zero-terminate
the buffer like snprintf(), it doesn't do so if it didn't read anything.
And even if it did, it would not necessarily help here: The current
code jumps over 12 bytes that it deems to have read even when it
hasn't.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 60e12318bb)
It claims to always zero-terminate its buffer like snprintf(),
yet it does it not on EOF. Because of this the mcc demuxer
used uninitialized values when reading an empty input file.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 8766361fc1)
Happened for all slaves which didn't use the FIFO.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 3a27fcb168)
Fix this by switching to av_dynarray_add_nofree() which is more
natural anyway because the entries of the array are pointers.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 05c1f78a72)
av_image_copy() expects an array of four pointers according to its
declaration; although it currently only touches pointers that
are actually in use (depending upon the pixel format) this might
change at any time (as has already happened for the linesizes
in d7bc52bf45).
This fixes ticket #9264 as well as a warning from GCC 11.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 9b17273c77)
When an flite filter instance is uninitialized and the refcount
of the corresponding voice_entry reaches zero, the voice is
unregistered, yet the voice_entry's pointer to the voice is not reset.
(Whereas some other pointers are needlessly reset.)
Because of this a new flite filter instance will believe said voice
to already be registered, leading to use-after-frees.
Fix this by resetting the right pointer instead of the wrong ones.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 18ddb25c7a)
Could also happen if initializing flite failed* or if an unknown voice
has been selected or if registering the voice failed.
*: which it currently can't, because it is a no-op.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 304cc03798)
This reverts commit 723c37d3b7.
Said commit was in preparation for auto-inserting the idet filter.
This has never happened; even if it did, the code is wrong, because
it segfaults if the filter instance doesn't have a name (having one
is not mandatory). Furthermore, it is documented for libavfilter to
not assign any semantics to the name, which this check violates.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit f626a3d0e0)
h263_get_motion_length() forgot to take an absolute value;
as a consequence, a negative index was used to access an array.
This leads to potential crashes, but mostly it just accesses what
is to the left of ff_mvtab (unless one uses ASAN), thereby defeating
the purpose of the AV_CODEC_FLAG2_NO_OUTPUT because the sizes of
the returned packets differ from the sizes the encoder would actually
have produced.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 9207dc3b0d)
Fixes ticket #9537.
Probably a regression since 2b32068916.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit d1b47f3bfc)
Regression since af043b839c.
Fixes ticket #9409.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit bb89a2f64f)
av_image_copy() expects an array of four pointers and linesizes
according to its declaration; it currently only pointers that are
actually in use (depending upon the pixel format), but this might
change at any time. It has already happened for the linesizes in
d7bc52bf45 and so increasing their
array fixes a stack-buffer overread.
This fixes a -Wstringop-overflow= and -Wstringop-overread warning
from GCC 11.2.
Reviewed-by: Linjie Fu <linjie.justin.fu@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit b0b90100bf)
av_image_copy() expects an array of four pointers according to its
declaration; although it currently only touches pointers that
are actually in use (depending upon the pixel format) this might
change at any time (as has already happened for the linesizes
in d7bc52bf45).
This fixes a -Wstringop-overflow= warning with GCC 11.2.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit b09ea67b40)
Due to this bush.aa (from the FATE suite) exported garbage metadata
with key "_040930".
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 0a76f8217e)
Forgotten in 555f5c1fc5.
Reviewed-by: Zane van Iperen <zane@zanevaniperen.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit df4cb384fb)
This fixes compilation errors in case nvenc is enabled
(e.g. autodected) with both nvenc-based encoders disabled
because nvenc uses ff_alloc_a53_sei(), yet only the nvenc-based
encoders require atsc_a53.
(This error does not manifest itself in case of static linking
(nothing pulls in nvenc.o), but it exists with shared builds.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
- quantizer delta and matrix level specific.
- support loop filter delta.
- support use superres.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit 84c73102d9)
VAAPI needs 2 output surface for film grain frame. One used for
reference and the other used for applying film grain and pushing
to downstream.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit 7871144cf8)
For film grain clip, vaapi_av1 decoder will cache additional 8
surfaces that will be used to store frames which apply film grain.
So increase the pool size by plus 8 to avoid leak of surface.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit 53403158cc)
Defined in spec 5.9.24/5.9.25. Since function void
global_motion_params(AV1DecContext *s) already updates
gm type/params, the wminvalid parameter only need to get
the value from cur_frame.gm_invalid.
Signed-off-by: Tong Wu <tong1.wu@intel.com>
(cherry picked from commit 4e7a7d75e3)
