Fixes: runtime error: signed integer overflow: 18133149658382192 - -9223090561878065151 cannot be represented in type 'long long'
Fixes: crbug 831552
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37d46dc21d708192b12aa13617ebe6a117b07363)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: poc_0411
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Tested-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 544324827e0131e43af1a54fb790a48a25fd7ba4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If there is a decoder initialization failure detected in avcodec_open2
after .init is called, allow graceful decoder .close to prevent leaking
libopus decoder allocations.
BUG=828526
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Limits based on 3GPP TS 26.245 V14.0.0
Fixes: Timeout
Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int'
This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone.
Signed-off-by: Hendrik Schreiber <hs@tagtraum.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
I was not able to reproduce this, this fix is based on just the fuzzer log.
Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
example:
AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA };
int loss = 0;
AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, &loss);
best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 2018_03_23_poc.wav
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: NULL pointer dereference
Fixes: poc-201803.wav
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type
Fixes: Chromium bug 791349
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
No testcase, this was found during code review
Found-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: shift exponent 48 is too large for 32-bit type 'int'
Fixes: Chromium bug 786793
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long'
Fixes: Chromium bug 791237
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Chromium bug 795653
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long'
Fixes: Chromium bug 796778
Reported-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Chromium bug 800123
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Out of array read
Fixes: heap_poc
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int'
Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int'
Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Prevents use of uninitialized values.
Fixes ticket #7038.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 9482ec1b203e4cf51d7f60c85d261cc13f9a9d2f)
Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392
Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: integer overflows
Reported-by: "Xiaohan Wang (王消寒)" <xhwang@chromium.org>
Based on limits in "8.5 Transform coefficient decoding process and picture
construction process prior to deblocking filter process"
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f26a63c4ee1bdbe21d7ab462cd66f8ba20b14244)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
When ff_h264_decode_mb_cavlc() failed due to wrong sl->qscale values,
e.g. dquant out of range, set the qscale to be a valid value before
returning -1 and exiting the function. The qscale value can be used
later e.g. in loop filter.
BUG=806122
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71f39de2a57efc8db1d607b09c162c3b806cd45d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This fixes a hypothetical integer overflow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2318aee8ca8df1c84092f7d6691a2d0df02c474)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Ticket7005
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63a4bdbf3b732504e54cc2b9ec0886e6242a90bc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552
Fixes: special case for theora (untested due to lack of sample)
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 570023eab3e2962b4ad8345a157c1e18ca1a6eca)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Timeout
Fixes: 5487/clusterfuzz-testcase-4696837035393024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c220d26cff51ca2f6896b65aebfa3accc67290)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 5396/clusterfuzz-testcase-minimized-6558555529281536
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e50bd61e4ff97bd7fc6cbd7ec4ca514e17a70c4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int'
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1bef755f617af9685b592d866b3eb7f3c4b02b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It has native simultaneus 8 and 10 bit support.
(cherry picked from commit c6558e8840fbb2386bf8742e4d68dd6e067d262e)
(cherry picked from commit 96e8400553ae47f8f8df5b66cc268297ba38824c)
