Fixes slow loops on fuzzed data
Fixes: 245/fuzz-3-ffmpeg_AUDIO_AV_CODEC_ID_FLAC_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
get_ue_golomb() cannot decode values larger than 8190 (the maximum
value that can be golomb encoded in 25 bits) and produces the error
"Invalid UE golomb code" if a larger value is encountered. Use
get_ue_golomb_long() instead (which supports 63 bits, up to 4294967294)
when valid h264/hevc values can exceed 8190.
This updates decoding of the following values: (maximum)
first_mb_in_slice 36863* for level 5.2
abs_diff_pic_num_minus1 131071
difference_of_pic_nums_minus1 131071
idr_pic_id 65535
recovery_frame_cnt 65535
frame_packing_arrangement_id 4294967294
frame_packing_arrangement_repetition_period 16384
display_orientation_repetition_period 16384
An alternative would be to modify get_ue_golomb() to handle encoded
values of up to 49 bits as was done for get_se_golomb() in a92816c.
In that case get_ue_golomb() could continue to be used for all of
these except frame_packing_arrangement_id.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Also correct the check to reject log < 7, because UPDATE_CACHE only
guarantees 25 meaningful bits.
This fixes undefined behavior:
runtime error: shift exponent is negative
Testing with START/STOP timers in get_ue_golomb, one for the first
branch (A) and one for the second (B), shows that there is practically no
slowdown, e.g. for the cavs decoder:
With the check in the B branch:
629 decicycles in get_ue_golomb B, 4194260 runs, 44 skips
433 decicycles in get_ue_golomb A,268434102 runs, 1354 skips
Without the check:
624 decicycles in get_ue_golomb B, 4194273 runs, 31 skips
433 decicycles in get_ue_golomb A,268434203 runs, 1253 skips
Since the B branch is executed far less often than the A branch, this
change is negligible, even more so for the h264 decoder, where the ratio
B/A is a lot smaller.
Fixes: mozilla bug 1230239
Fixes: fbeb8b2c7c996e9b91c6b1af319d7ebc/asan_heap-oob_195450f_2743_e8856ece4579ea486670be2b236099a0.bit
Found-by: Tyson Smith
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
This was only used in hevc muxing code so far.
This makes the return values match what get_se_golomb returns for
the same bitstream reader instances.
The logic for producing a signed golomb code out of an unsigned one
was based on the corresponding code in get_se_golomb, which operated
directly on the bitstream reader buffer - not on the equivalent
return value from get_ue_golomb.
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
* qatar/master:
golomb: use unsigned arithmetics in svq3_get_ue_golomb()
x86: float_dsp: fix loading of the len parameter on x86-32
takdec: fix initialisation of LOCAL_ALIGNED array
takdec: fix initialisation of LOCAL_ALIGNED array
Conflicts:
libavcodec/rv30.c
libavcodec/svq3.c
libavcodec/takdec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This prevents undefined behaviour of signed left shift if the coded
value is larger than 2^31. Large values are most likely invalid and
caused errors or by feeding random.
Validated every use of svq3_get_ue_golomb() and changed the places where
the return value was compared with negative numbers. dirac.c was clean,
fixed rv30 and svq3.
* qatar/master:
libopus: Remap channels using libopus' internal remapping.
Opus decoder using libopus
avcodec: document the use of AVCodecContext.delay for audio decoding
vc1dec: add flush function for WMV9 and VC-1 decoders
http: Increase buffer sizes to cope with longer URIs
nutenc: const correctness for ff_put_v_trace/put_s_trace function arguments
h264_refs: Fix debug tprintf argument types
golomb: const correctness for get_ue()/get_se() function arguments
get_bits: const correctness for get_bits_trace()/get_xbits_trace() arguments
Conflicts:
Changelog
libavcodec/Makefile
libavcodec/version.h
libavformat/http.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Fixes infinite loop in FLAC decoding in case of a truncated bitstream due to
the safe bitstream reader returning 0's at the end.
Fixes Bug 310.
CC: libav-stable@libav.org
* qatar/master:
docs: use -bsf:[vas] instead of -[vas]bsf.
mpegaudiodec: Prevent premature clipping of mp3 input buffer.
lavf: move the packet keyframe setting code.
oggenc: free comment header for all codecs
lcl: error out if uncompressed input buffer is smaller than framesize.
mjpeg: abort decoding if packet is too large.
golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF.
get_bits: add HAVE_BITS_REMAINING macro.
lavf/output-example: use new audio encoding API correctly.
lavf/output-example: more proper usage of the new API.
tiff: Prevent overreads in the type_sizes array.
tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned.
apetag: do not leak memory if avio_read() fails
apetag: propagate errors.
SBR DSP x86: implement SSE sbr_hf_g_filt
SBR DSP x86: implement SSE sbr_sum_square_sse
SBR DSP: use intptr_t for the ixh parameter.
Conflicts:
doc/bitstream_filters.texi
doc/examples/muxing.c
doc/ffmpeg.texi
libavcodec/golomb.h
libavcodec/x86/Makefile
libavformat/oggenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (22 commits)
als: prevent infinite loop in zero_remaining().
cook: prevent div-by-zero if channels is zero.
pamenc: switch to encode2().
svq1enc: switch to encode2().
dvenc: switch to encode2().
dpxenc: switch to encode2().
pngenc: switch to encode2().
v210enc: switch to encode2().
xwdenc: switch to encode2().
ttadec: use branchless unsigned-to-signed unfolding
avcodec: add a Sun Rasterfile encoder
sunrast: Move common defines to a new header file.
cdxl: fix video decoding for some files
cdxl: fix audio for some samples
apetag: add proper support for binary tags
ttadec: remove dead code
swscale: make access to filter data conditional on filter type.
swscale: update context offsets after removal of AlpMmxFilter.
prores: initialise encoder and decoder parts only when needed
swscale: make monowhite/black RGB-independent.
...
Conflicts:
Changelog
libavcodec/alsdec.c
libavcodec/dpxenc.c
libavcodec/golomb.h
libavcodec/pamenc.c
libavcodec/pngenc.c
libavformat/img2.c
libswscale/output.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (23 commits)
fix AC3ENC_OPT_MODE_ON/OFF
h264: fix HRD parameters parsing
prores: implement multithreading.
prores: idct sse2/sse4 optimizations.
swscale: use aligned move for storage into temporary buffer.
prores: extract idct into its own dspcontext and merge with put_pixels.
h264: fix invalid shifts in init_cavlc_level_tab()
intfloat_readwrite: fix signed addition overflows
mov: do not misreport empty stts
mov: cosmetics, fix for and if spacing
id3v2: fix NULL pointer dereference
mov: read album_artist atom
mov: fix disc/track numbers and totals
doc: fix references to obsolete presets directories for avconv/ffmpeg
flashsv: return more meaningful error value
flashsv: fix typo in av_log() message
smacker: validate channels and sample format.
smacker: check buffer size before reading output size
smacker: validate number of channels
smacker: Separate audio flags from sample rates in smacker demuxer.
...
Conflicts:
cmdutils.h
doc/ffmpeg.texi
libavcodec/Makefile
libavcodec/motion_est_template.c
libavformat/id3v2.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
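A stand-alone Exp-Golomb encoder and decoder that demonstrates the limits these messages talk about: a cap of 12 leading zeros reproduces get_ue_golomb's 8190 maximum (25 code bits), a cap of 31 reproduces get_ue_golomb_long's 4294967294, the signed value is derived from the unsigned codeNum in unsigned arithmetic, and an all-zero tail (a safe bitstream reader returning 0's at EOF) terminates with an error instead of looping. This is an added example written for this page, not code from FFmpeg or libav; the bit reader, writer and function names are my own and do not match the golomb.h API.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal MSB-first bit reader and writer over a byte buffer (constructed for this example). */
typedef struct { const uint8_t *buf; size_t nbits, pos; } BitReader;
typedef struct { uint8_t buf[64]; size_t pos; } BitWriter;
/* Next bit, or -1 at end of data instead of an endless supply of zeros. */
static int br_get_bit(BitReader *br) {
    if (br->pos >= br->nbits) return -1;
    size_t p = br->pos++;
    return (br->buf[p >> 3] >> (7 - (p & 7))) & 1;
}
static void bw_put(BitWriter *bw, int bit) {
    if (bit) bw->buf[bw->pos >> 3] |= (uint8_t)(0x80 >> (bw->pos & 7));
    bw->pos++;
}
/* ue(v): v+1 in binary, preceded by one zero per bit after its leading 1. */
static void ue_encode(BitWriter *bw, uint32_t v) {
    uint64_t x = (uint64_t)v + 1;
    int n = 0;
    while ((x >> (n + 1)) != 0) n++;                 /* n leading zeros */
    for (int i = 0; i < n; i++) bw_put(bw, 0);
    for (int i = n; i >= 0; i--) bw_put(bw, (int)((x >> i) & 1));
}
/* Decode ue(v) allowing at most max_zeros leading zeros: 12 mirrors get_ue_golomb's
 * 8190 limit (25 bits), 31 get_ue_golomb_long's 4294967294. Returns -1 on overflow or
 * end of data, so an all-zero tail terminates and no shift exceeds the type width. */
static int64_t ue_golomb(BitReader *br, int max_zeros) {
    int zeros = 0, bit;
    while ((bit = br_get_bit(br)) == 0)
        if (++zeros > max_zeros) return -1;
    if (bit < 0) return -1;
    uint64_t info = 0;
    for (int i = 0; i < zeros; i++) {
        if ((bit = br_get_bit(br)) < 0) return -1;
        info = (info << 1) | (uint64_t)bit;
    }
    return (int64_t)((((uint64_t)1) << zeros) - 1 + info);
}
/* se(v) from codeNum k in unsigned arithmetic: odd k -> +(k+1)/2, even k -> -(k/2). */
static int64_t se_from_ue(uint64_t k) {
    return (k & 1) ? (int64_t)((k + 1) >> 1) : -(int64_t)(k >> 1);
}
/* Encode v, then decode it under the given cap; -1 means the cap rejected it. */
static int64_t roundtrip(uint32_t v, int max_zeros) {
    BitWriter bw = {{0}, 0};
    ue_encode(&bw, v);
    BitReader br = { bw.buf, bw.pos, 0 };
    return ue_golomb(&br, max_zeros);
}
```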