Currently during parsing the extradata, h264_mp4toannexb checks for
overreads by adding the size of the current unit to the current position
pointer and comparing this to the end position of the extradata. But
pointer comparisons and pointer arithmetic are only defined if it does not
exceed the object it is used on (one past the last element of an array
is allowed, too). In practice, this might lead to overflows. Therefore
the check has been changed to use bytestream2_get_bytes_left() which
means that the pointers get subtracted and the result gets compared to
the available size.
Furthermore, the error code has been fixed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This is done in order to improve readability. No functional change is
intended with this commit at all; in particular, the unsafe read
functions are used throughout as h264_extradata_to_annexb already
performs its own checks. (These checks will nevertheless be improved
in further commits.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
bytestream2_get_bytes_left returns an unsigned int; as a result,
it returns big positive numbers if an overread already happened,
making it unsuitable for scenarios where one wants to allow this
in a controlled way (because the buffer is actually padded so that
no segfaults can happen). So change it to return an ordinary int.
Also, bytestream2_get_bytes_left_p has been modified in the same way.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Dashdec can able to handle MPEG-2 TS streams by default as well,
used MP4Box to create the segmented MPEG-2 TS files for
verification.
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
Fixes: Multiple out of array accesses
Fixes: 20817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SIREN_fuzzer-5754041227542528.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It's a duplicate of the properly implemented nvdec libavcodec hwaccel
Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org>
Signed-off-by: James Almer <jamrial@gmail.com>
Simplifies code considerably.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org>
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: out of array access
Fixes: 20828/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_APM_fuzzer-5712770106654720
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
ff_alloc_extradata() already sets the size of the extradata so doing it
again is unnecessary.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Gyan Doshi <ffmpeg@gyani.pro>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The standard does not seem to require the counter to be zero based, but some
checker tools (MyriadBits MXFInspect, Interra Baton) have validations against 0
start...
Fixes ticket #6781.
Signed-off-by: Marton Balint <cus@passwd.hu>
The second ; in a double ;; is actually a null statement. It triggers
the typical declaration-after-statement compiler-warnings if it occurs
in the middle of several declarations (like here).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes#8094.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The second ; in a double ;; is actually a null statement. It triggers
the typical declaration-after-statement compiler-warnings if it occurs
in the middle of several declarations (like here).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
"In both cases.." and "Repeat this call until.." would be better to
be in a separate line.
http://ffmpeg.org/doxygen/trunk/group__lavc__encdec.html
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This allows for easy shortlog/log parsing, useful in determining
eligible members of the general assembly for the new FFmpeg voting
system.
Signed-off-by: Josh de Kock <josh@itanimul.li>
The capture_started variable was never set, it is simpler to call the stop
functions unconditionally if the interface is available.
Signed-off-by: Marton Balint <cus@passwd.hu>
