1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00
Commit Graph

101813 Commits

Author SHA1 Message Date
Andreas Rheinhardt
3c151e7999 avfilter/vf_codecview: Fix undefined left shifts of negative numbers
Affected the filter-codecview-mvs FATE-test.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:49:41 +02:00
Andreas Rheinhardt
a86f3e983e avcodec/g2meet: Fix undefined NULL + 0
Affected the g2m4 FATE-test.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:48:01 +02:00
Andreas Rheinhardt
bbf8431b1b avutil/base64: Fix undefined NULL + 0
Affected the base64 FATE test.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:47:00 +02:00
Andreas Rheinhardt
566bf56791 avcodec/vmdvideo: Fix NULL + 0
Affected the FATE tests filter-gradfun-sample and sierra-vmd-video.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:45:54 +02:00
Andreas Rheinhardt
8429661db8 avcodec/mss12: Don't apply non-zero offset to null pointer
Affected the FATE tests mss2-wmv and mss1-pal.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:44:40 +02:00
Andreas Rheinhardt
dd9cbd1cc3 avcodec/lcldec: Fix undefined NULL + 0
Affected the FATE tests vsynth*-zlib, mszh and zlib.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:41:31 +02:00
Andreas Rheinhardt
911fe69c5f avcodec/qtrleenc: Fix negative linesizes, don't use NULL + offset
Before commit f1e17eb446, the qtrle
encoder had undefined pointer arithmetic: Outside of a loop, two
pointers were set to point to the ith element (with index i-1) of
a line of a frame. At the end of each loop iteration, these pointers
were decremented, so that they pointed to the -1th element of the line
after the loop. Furthermore, one of these pointers can be NULL (in which
case all pointer arithmetic is automatically undefined behaviour).

Commit f1e17eb44 added a check in order to ensure that the elements
never point to the -1th element of the array: The pointers are only
decremented if they are bigger than the frame's base pointer
(i.e. AVFrame.data[0]). Yet this check does not work at all in case of
negative linesizes; furthermore in case the pointer that can be NULL is
NULL initializing it still involves undefined pointer arithmetic.

This commit fixes both of these issues: First, non-NULL pointers are
initialized to point to the element after the ith element and
decrementing is moved to the beginning of the loop. Second, if a pointer
is NULL, it is just made to point to the other pointer, as this allows
to avoid checks before decrementing it.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:41:20 +02:00
Andreas Rheinhardt
d5fc16a6a8 avcodec/qtrleenc: Use keyframe when no previous frame is available
If keeping a reference to an earlier frame failed, the next frame must
be an I frame for lack of reference frame. This commit implements this.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:15:52 +02:00
Andreas Rheinhardt
64977ed7ae libswresample/audioconvert: Fix undefined NULL + 0
Affected 26 FATE tests like swr-resample_async-s16p-44100-8000.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:15:20 +02:00
Andreas Rheinhardt
f83976344e avcodec/proresdec2: Don't apply non-zero offset to null pointer
Affected ProRes without alpha; affected 32 FATE tests, e.g. prores-422,
prores-422_proxy, prores-422_lt or matroska-prores-header-insertion-bz2.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:13:50 +02:00
Andreas Rheinhardt
4863671d88 avcodec/mpegvideo_enc: Don't apply non-zero offset to null pointer
Affected many FATE tests (mostly vsynth ones).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:06:33 +02:00
Andreas Rheinhardt
9eadd616b7 avfilter/af_hdcd: Fix undefined shifts
Affected the filter-hdcd-* FATE tests.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:06:02 +02:00
Andreas Rheinhardt
659a925939 avcodec/dcaenc: Fix undefined left shift of negative numbers
Affected the acodec-dca and acodec-dca2 FATE tests.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-04-01 14:01:47 +02:00
Andreas Rheinhardt
0c7d02844c tests/matroska: Add test for remuxing annex B H.264 into Matroska
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-04-01 10:45:28 +02:00
Michael Niedermayer
79ac8d5546 avcodec/pnm_parser: Check image size addition for overflow
Fixes: assertion failure
Fixes: out of array access
Fixes: 32664/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6533642202513408.fuzz
Fixes: 32669/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-6001928875147264

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Michael Niedermayer
c01cd2a8b2 avcodec/lscrdec: Check length in decode_idat()
Fixes: out of array access
Fixes: 32264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LSCR_fuzzer-6684504010915840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Michael Niedermayer
6055b93379 tools/target_dem_fuzzer: Fix packet leak
Fixes: 32121/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4512973109460992

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Michael Niedermayer
f7a5150447 avformat/imx: Check palette chunk size
Fixes: out of array write
Fixes: 32116/clusterfuzz-testcase-minimized-ffmpeg_dem_SIMBIOSIS_IMX_fuzzer-6702533894602752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Michael Niedermayer
497ea04dbd avcodec/h265_metadata_bsf: Check nb_units before accessing the first in h265_metadata_update_fragment()
Fixes: null pointer dereference
Fixes: 32113/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-4803262287052800

Same as 0c48c332ee

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Michael Niedermayer
cf2fd9204b avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check
Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Michael Niedermayer
9e8475c7c7 avcodec/exr: Check oe in huf_decode() before use
Fixes: out of array access
Fixes: 31386/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5773234709594112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-01 10:10:21 +02:00
Martin Storsjö
b484e140ef tls_gnutls: Print the underlying IO error message and pass the error code through
Signed-off-by: Martin Storsjö <martin@martin.st>
2021-04-01 09:05:10 +03:00
Martin Storsjö
84ad471fce tls_openssl: Improve quality of printed error messages, pass IO error codes through
Print every error in the stack, if more than one, and don't print
bogus errors if there's none logged within OpenSSL.

Retain the underlying IO error code, print an error message out of
it, and pass the error code on to the caller.

Signed-off-by: Martin Storsjö <martin@martin.st>
2021-04-01 09:05:10 +03:00
Gyan Doshi
eac77f7cf0 rtpenc_mpegts: add AVClass to the muxer context 2021-04-01 09:34:58 +05:30
Michael Niedermayer
ceae92cb29 avcodec/h264_slice: Check input SPS in ff_h264_update_thread_context()
Fixes: crash
Fixes: check_pkt.mp4

Found-by: Rafael Dutra <rafael.dutra@cispa.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
76cea1d2ce avcodec/mpegpicture: Keep ff_mpeg_framesize_alloc() failure state consistent
Fixes: null pointer dereference
Fixes: ff_put_pixels16_sse2.mp4

Found-by: Rafael Dutra <rafael.dutra@cispa.de>
Regression-since: 4b2863ff01
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
6cc65d3d67 avformat/mpc8: check for size overflow in mpc8_get_chunk_header()
Fixes: signed integer overflow: -9223372036854775760 - 50 cannot be represented in type 'long'
Fixes: 31673/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-580134751869337

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
c1fe1114bc avformat/mov: Do not zero memory that is written too or unused
Fixes: OOM
Fixes: 31220/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6033383962574848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
87d87e6587 avcodec/mpegvideo: Update chroma_?_shift in ff_mpv_common_frame_size_change()
Fixes: out of array access
Fixes: 31201/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4627865612189696.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
2611d20d35 avformat/mov: Ignore multiple STSC / STCO
Fixes: STSC / STCO inconsistency and assertion failure
Fixes: crbug1184666.mp4

Found-by: Chromium ASAN fuzzer
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
b37ff29e0e avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields()
Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long'
Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
1cf96ce269 avfilter/vf_scale: Fix adding 0 to NULL (which is UB) in scale_slice()
Found-by: Jeremy Leconte <jleconte@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Michael Niedermayer
522a5259e9 avutil/common: Add FF_PTR_ADD()
Suggested-by: Andreas Rheinhardt
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-03-31 23:09:35 +02:00
Andreas Rheinhardt
dfeb9b3a8b avformat/asf: Factor common code out
Both functions to read attached pictures coincide since
e83f27a21a (save for some log messages
in case av_dict_set failed).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-03-31 22:01:36 +02:00
Andreas Rheinhardt
84ac35ecb8 avcodec/mjpegenc: Fix segfault when freeing incomplete context
When allocating the MJpegContext fails (or if the dimensions run afoul
of the 65500x65500 limit), an attempt to free a subbuffer of said
context leads to a segfault in ff_mjpeg_encode_close().
Seems to be a regression since 467d9e27e0.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-03-31 14:37:05 +02:00
Andreas Rheinhardt
e5d6af7b35 avcodec/tiff: Avoid forward declarations
In this case it also fixes a potential for compilation failures:
Not all compilers can handle the case in which a function with
a forward declaration declared with an attribute to always inline it
is called before the function body appears. E.g. GCC 4.2.1 on OS X 10.6
doesn't like it.

Reviewed-by: Pavel Koshevoy <pkoshevoy@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-03-31 14:08:38 +02:00
Andreas Rheinhardt
d4575982f4 tests/matroska: Add test for WebVTT in WebM
Specifically test that the WebVTT flavour is correctly mapped to
the Matroska/WebM CodecID and back; and test that dispositions
unsupported by WebM are discarded even when they would be supported
by Matroska.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-03-31 11:51:58 +02:00
Andreas Rheinhardt
461d04d956 fftools/ffprobe: Add missing dispositions
Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-03-31 11:51:58 +02:00
Gyan Doshi
61ea0e3191 doc/demuxers: note support for flv variant KUX 2021-03-31 15:16:12 +05:30
Mark Plomer
6ef5d8ca86 avcodec/dv_profile: PAL DV files with dsf flag 0 - detect via pal flag and buf_size
Some old DV AVI files have the DSF-Flag of frames set to 0, although it
is PAL (maybe rendered with an old Ulead Media Studio Pro) ... this causes
ffmpeg/VLC-player to produce/play corrupted video (other players/editors
like VirtualDub work fine).

Fixes ticket #8333 and replaces/extends hack for ticket #2177

Signed-off-by: Marton Balint <cus@passwd.hu>
2021-03-30 19:57:34 +02:00
Alok Priyadarshi
62f486e793 avformat/rtpdec: Fix prft wallclock time.
Timestamp difference is available in media timebase (1/90K) where as
rtcp time is in the default microseconds timebase. This patch fixes
the calculated prft wallclock time by rescaling the timestamp delta
to the microseconds timebase.

Signed-off-by: James Almer <jamrial@gmail.com>
2021-03-30 11:59:15 -03:00
Andreas Rheinhardt
e7cbbd9026 avcodec/put_bits: Don't set size_in_bits, fix overflow
A PutBitContext has a field called size_in_bits which is set to the
context's bitsize init_put_bits(); but it isn't used at all (the PutBits
API uses pointers directly and not bit indexes), so remove it (due to
ABI concerns the actual element is only removed at the next bump).

Furthermore, the multiplication inherent in setting this field can lead
to undefined integer overflows. This is particularly true for FFV1,
which uses a very big worst-case buffer (37*4*width*height; even
ordinary 1080p triggers an overflow). Ticket #8350 is about this
overflow which this commit fixes.

This means that the effective range of the PutBits API is no longer
restricted by the /8 as long as one isn't using put_bits_(count|left).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
c81b8e04aa Avoid intermediate bitcount for number of bytes in PutBitContext
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
73fb1b8a9b avcodec/dvenc: Avoid using PutBitContext fields directly
Also avoid using bitcounts in case one is actually byte-aligned.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
f9d1528fc9 avcodec/proresenc_kostya: Factor flushing PutBitContext out
The function to write an ordinary (luma or chroma) plane as well as
the function for writing an alpha plane have some similarities:
They record the initial bitposition (despite said position always being
byte-aligned), flush the PutBitContext themselves and return the amount
of bytes they wrote.

This commit factors this out; it also replaces bitpositions by
bytepositions and it avoids recording the initial byteposition because
said information is already available from the position at the end of
the last plane.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
df1c30f139 avcodec/utvideoenc: Don't use bitcounts when byte-aligned
Despite write_huff_codes() receiving an ordinary buffer (not a
PutBitContext), it returned the amount of data written in bits,
not in bytes. This has been changed: There is now no intermediate
bitcount any more.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
67f6e7ed6d avcodec: Remove cumbersome way of checking for amount of bytes left
Several encoders used code like the following to check for the amount of
bytes left in a PutBitContext:
pb->buf_end - pb->buf - (put_bits_count(pb) >> 3)
Besides the fact that using the pointers directly might pose
a maintainence burden in the future this also leads to suboptimal code:
The above code reads all three pointers (buf, buf_ptr and buf_end), but
touching buf is unnecessary and switching to put_bytes_left()
automatically fixes this.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
11ff9cb5e9 avcodec/put_bits: Add functions for amount of bytes written/left
Often a caller doesn't want the amount of bits written via a
PutBitContext, but the amount of bytes. This in particular happens
after one has flushed the PutBitContext (e.g. at the end of encoding,
when one wants to know the actual packet size). The current way of doing
this is with put_bits_count(pb)/8 (or (put_bits_count(pb) + 7)/8).

Yet this has some issues: It contains implicit multiplications and
divisions by 8 with a cast in between; it obscurs the intent; and
it restricts the size of the buffer to (currently) INT_MAX/8 (or
to 1/8 of the maximum of whatever put_bits_count() returns), although
said restriction is not really necessary for users that don't need
a bitcount.

Corresponding functions for the amount of bytes left have also been
addded.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
e48f18e2d5 avcodec/vorbisenc, wmavoice: Use put_bits_left() where appropriate
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:32 +02:00
Andreas Rheinhardt
ddd0f5dbe9 avcodec/dvenc: Remove dead error message
The PutBits API checks the available space before every write,
so this check for overread is dead.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2021-03-30 12:36:31 +02:00