FFmpeg

mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00

Author	SHA1	Message	Date
Michael Niedermayer	624f15e77d	avformat/mpeg: Check len in mpegps_probe() Fixes: CID1473590 Untrusted loop bound Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit ca237a841e9e78ac02694124d81ff78c74b0bf72) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:20 +02:00
Michael Niedermayer	a4f8bb40e1	avformat/mxfenc: resurrects the error print Fixes: CID1524681 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a469e48b6dd8c9dfd0cd7dba7b28d1987168ed8b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:20 +02:00
Michael Niedermayer	886045ca87	avformat/img2dec: assert no pipe on ts_from_file Help coverity with CID1500302 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 4824156fa06bd60b27f9f0673fbd6a3cfc780e56) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:18 +02:00
Michael Niedermayer	8941956c32	avformat/mov: Check edit list for overflow Fixes: 67492/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5778297231310848 Fixes: signed integer overflow: 2314885530818453536 + 7782220156096217088 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2882d30e3acfc3155e2be11db653c7c721f94f34) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:16 +02:00
Michael Niedermayer	40cca1cf87	avformat/mxfdec: Check container_ul->desc before use Fixes: CID1592939 Dereference after null check Sponsored-by: Sovereign Tech Fund Reviewed-by: Tomas Härdin <git@haerdin.se> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 4cab028bd0e381f2ed4ccb7f139407f1f6f537c0) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:12 +02:00
Michael Niedermayer	d44a75849c	avformat/mov: Use int64_t in intermediate for corrected_dts Fixes: CID1500312 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 034054b3706bea8524cf8846813e17636ca5ab33) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:10 +02:00
Michael Niedermayer	488aa52371	avformat/mov: Use 64bit in intermediate for current_dts Fixes: CID1500304 Unintentional integer overflow Fixes: CID1500318 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0c977d37aad609f6ed7d148c012da8bc83df8f0b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:10 +02:00
Michael Niedermayer	9e6950dcb4	avformat/matroskadec: Assert that num_levels is non negative Maybe Closes: CID1452496 Uninitialized scalar variable Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 019fce18bb0628ac8bc47a81d647a23d604b6123) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:09 +02:00
Michael Niedermayer	871c89e0ba	avformat/libzmq: Check av_strstart() Fixes: CID1453457 Unchecked return value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0263b6a48caaff839e4c28df15b299b89c7da92d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:09 +02:00
Michael Niedermayer	b8ee22e1dd	avformat/img2dec: Little JFIF / Exif cleanup This changes the behavior and makes it behave how it probably was intended. Either way this is unlikely to result in any user visible change Fixes: CID1494637 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5712f36dd0ee0144b92edd2147e24b3724d7ec89) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:09 +02:00
Michael Niedermayer	2ea4dfd684	avformat/img2dec: Move DQT after unrelated if() Fixes: CID1494636 Missing break in switch Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 7d04c6016b0971fecb890d3a0afe4e6706a1a68e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:08 +02:00
Michael Niedermayer	54f57cb532	avformat/imfdec: Simplify get_next_track_with_minimum_timestamp() This also makes the code more robust Fixes: CID1512414 Uninitialized pointer read Sponsored-by: Sovereign Tech Fund Reviewed-by: Pierre-Anthony Lemieux <pal@sandflow.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f10493f6fc2a79f706138d90420a4369b9655a47) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:08 +02:00
Michael Niedermayer	b09cadf2ef	avformat/sdp: Check before appending "," Found by reviewing code related to CID1500301 String not null terminated Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5b82852519e92a2b94de0f22da1a81df5b3e0412) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:07 +02:00
Michael Niedermayer	e292a764c0	avformat/fwse: Remove always false expression Fixes: CID1460758 Operands don't affect result Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 348c3a7ffe0c3aecf35f1a26a9f321a4e608dab7) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:02 +02:00
Michael Niedermayer	376e36d253	avformat/asfdec_f: Use 64bit for preroll computation Fixes: CID1500342 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 70b499476213a198ac0f39450cddaea4b34662f5) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:01 +02:00
Michael Niedermayer	c684c13ee4	avformat/argo_asf: Use 64bit in offset intermediate Fixes: CID1467435 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit d9d1f65308d40502015272a3d1cc9f805c77e075) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:01 +02:00
Michael Niedermayer	bf5aba6b88	avformat/ape: Use 64bit for final frame size Fixes: CID1505963 Unintentional integer overflow Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a2b8d03347930c051358fcbbdc557e57e157d9c9) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:01 +02:00
Michael Niedermayer	78ad74a20a	avformat/ac4dec: Check remaining space in ac4_probe() Fixes: CID1538298 Untrusted loop bound Fixes: undefined behavior Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2f04cb673cb394b6e1cda160af8faa733b62bae2) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:34:00 +02:00
Michael Niedermayer	4b11e29881	avformat/demux: resurrect dead stores Fixes: CID1473512 Unused value Fixes: CID1529228 Unused value Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 33da5f4e2717cc947cf44ad9a52668694ea4ee82) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-07-25 20:33:57 +02:00
James Almer	1ef18d0223	avformat/iamf_writer: disallow Opus extradata with mapping family other than 0 Clause 3.11.1 of IAMF[1] states the Opus ID Header should conform to ChannelMappingFamily == 0. [1]https://aomediacodec.github.io/iamf/#opus-specific Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 2aab4e4cc0b4a666c7e5a752b25a337710b20bdb)	2024-07-19 21:08:08 -03:00
James Almer	fdd3e3504e	avformat/iamf_parse: sanitize audio_roll_distance values Ensure the values are spec complaint and that no integer overflow can happen. Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 9ce065c90decf1a07a810ccb699a491d41a720d2)	2024-07-19 21:08:08 -03:00
James Almer	db90c46fff	avformat/iamf: byteswap values in OpusHeader Clause 3.11.1 of IAMF[1] states the values are stored in big endian, in contrast to the Ogg Encapsulation for Opus[2] where they are in little endian. [1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#opus-specific [2]https://datatracker.ietf.org/doc/html/rfc7845#section-5.1 Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 7dabad079b783e921747de96597ea47cab244a11)	2024-07-18 23:38:51 -03:00
James Almer	5fc5b33319	avformat/iamf: rename Codec Config seek_preroll to audio_roll_distance The semantics for the field are different than the one in AVCodecParameters, so use the name defined in the IAMF spec to prevent confusion. Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 54b8d5e201c97464625cfb6cfd851ed80976aa44)	2024-07-18 23:38:04 -03:00
Felicia Lim	5e43483206	avformat/iamf_writer: fix coded audio_roll_distance values 'seek_preroll' corresponds to 'audio_roll_distance' in IAMF[1] [1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#audio_roll_distance Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 2094f4029563d8fe5e62663bc04fc1f109448182)	2024-07-18 23:38:04 -03:00
Felicia Lim	df2d21a47b	avformat/iamf_writer: fix PCM endian-ness flag The value was swapped from what's defined in clause 3.11.4 of IAMF[1] [1]https://aomediacodec.github.io/iamf/#lpcm-specific Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 709a5687ed13a153b7ccbe096c1fa8783733f1d9)	2024-07-18 23:38:04 -03:00
Felicia Lim	a3bc5cd841	avformat/movenc: fix channel count and samplerate fields for IAMF tracks Clause 6.2.3 of IAMF[1] states both of these shall be set to 0. [1]https://aomediacodec.github.io/iamf/v1.0.0-errata.html#iasampleentry-section Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 180c869faf96dbf1396fa3aba43b7488f9a7090b)	2024-07-18 23:38:04 -03:00
James Almer	507348799c	avformat/iamf_parse: keep substream count consistent Fixes: member access within null pointer of type 'IAMFSubStream' (aka 'struct IAMFSubStream') Fixes: 69795/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6216287009701888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit b248dace929e97b10de17663caab32fbb1c42f0f)	2024-07-18 23:33:38 -03:00
James Almer	29d626ea85	avformat/iamf_parse: add missing padding to AAC extradata Fixes: out of array access Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 0ae157b3603f27d8057febd8f2680ac1030722ee)	2024-07-18 23:33:38 -03:00
Michael Niedermayer	3d4d2897e6	avformat/iamf_parse: 0 layers are not allowed Fixes: out of array access Fixes: 68302/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4665793796177920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 7fab9b97613e5ec6954fb8118f9ca43f04847cfe)	2024-07-18 23:33:38 -03:00
Michael Niedermayer	ce939aa59a	avformat/iamf_parse: consider nb_substreams when accessing substreams array Fixes: out of array access Fixes: 68584/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6256656668229632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c69e6cccd7e14fc6ee9df179f19e9de2cecba3d8)	2024-07-18 23:33:38 -03:00
Michael Niedermayer	fd789a087e	avformat/iamf_parse: Remove dead case Fixes: CID1559546 Logically dead code Sponsored-by: Sovereign Tech Fund Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c21fb3624bb7e10f9ee5a182bf9cfbf64990c78e)	2024-07-18 23:33:37 -03:00
James Almer	28b1dbb4ee	avformat/mov: add more checks for infe atom size Signed-off-by: James Almer <jamrial@gmail.com>	2024-07-04 13:47:42 -03:00
James Almer	dc51d491cf	avformat/mov: check for EOF inside the infe list parsing loop Signed-off-by: James Almer <jamrial@gmail.com>	2024-07-04 13:47:42 -03:00
James Almer	fbe52bd65c	avformat/mov: check extent_offset calculation for overflow Signed-off-by: James Almer <jamrial@gmail.com>	2024-07-04 13:47:42 -03:00
James Almer	b44758d8e4	avformat/mov: check that iloc offset values fit on an int64_t Signed-off-by: James Almer <jamrial@gmail.com>	2024-07-04 13:47:42 -03:00
Andreas Rheinhardt	45765b7c2e	avformat/flacdec: Reorder allocations to avoid leak on error Fixes Coverity issue #1591795. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> (cherry picked from commit b50c5d02900363c17560cf79e2af0ca3073ee81a)	2024-05-25 01:46:13 +02:00
Andreas Rheinhardt	a08da68e0a	avformat/movenc: Check av_malloc() Fixes Coverity issue #1596735. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> (cherry picked from commit 601873263e618e2dc2b615ae95e605575171ee30)	2024-05-25 01:44:01 +02:00
James Almer	17674b150f	avformat/mov: store sample_sizes as unsigned ints As defined in Section 8.7.3.2.1 of ISO 14496-12. Any unsupported value will be rejected in mov_build_index() without outright aborting demuxing. Fixes ticket #11005. Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 3146b77a7d314f55b8ec5d8ce6fda2c5db049a27)	2024-05-24 20:10:11 -03:00
James Almer	85d4df3873	avformat/vvc: fix parsing sps_subpic_id The length of the sps_subpic_id[i] syntax element is sps_subpic_id_len_minus1 + 1 bits. Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 2d84ee374528a8a8eed345a8147e146a0112e43a)	2024-05-22 17:52:30 -03:00
James Almer	1a6995c6d6	avformat/vvc: initialize some ptl flags Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 3bd7e3a336822c75865930f7fafb36d1a1c4c3c3)	2024-05-22 17:52:27 -03:00
Michael Niedermayer	4eccabcc26	avformat/concatdec: Check file Fixes: null pointer dereference Fixes: -stream_loop 1 -ss 00:00:05 -i zgclab/ffmpeg_crash/poc2 -codec:v copy -codec:a aac -y output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a5d1497f33afa17b6a3578b66638e69bf8a558de) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-05-22 22:04:36 +02:00
Michael Niedermayer	0e44de3b9b	avformat/mxfdec: Check body_offset Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long' Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin <git@haerdin.se> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 20a6bfda0f7c6447ac94611736cee6e9ce6972a0) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-05-22 22:04:32 +02:00
Michael Niedermayer	dba4b859d8	avformat/kvag: Check sample_rate Fixes: Division by 0 Fixes: -copyts -start_at_zero -itsoffset 00:00:01 -itsscale 1 -ss 00:00:02 -i zgclab/ffmpeg_crash/poc1 output.mp4 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c26a762ea1bf028a33554a5f7a18d8dd7d82f5a8) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2024-05-22 22:04:32 +02:00
Marton Balint	52132f4d6e	avformat/mp3dec: change bogus error message if read_header encounters EOF Because of ffio_ensure_seekback() a seek error normally should only happen if the end of file is reached during checking for the junk run-in. Also use proper error code. Signed-off-by: Marton Balint <cus@passwd.hu> (cherry picked from commit 49e018d6fee689af6b30b773d83f545d74b8d9aa)	2024-05-21 08:43:07 +02:00
Marton Balint	89ea8af0b3	avformat/mp3dec: simplify inner frame size check in mp3_read_header We are protecting the checked buffer with ffio_ensure_seekback(), so if the inner check fails with a seek error, that likely means the end of file was reached when checking for the next frame. This could also be the result of a wrongly guessed (larger than normal) frame size, so let's continue the loop instead of breaking out early. It will end sooner or later anyway. Signed-off-by: Marton Balint <cus@passwd.hu> (cherry picked from commit b75e604fe5cd7da9ca713f20d1ade18d50319aff)	2024-05-21 08:42:59 +02:00
Marton Balint	07ee3648b7	avformat/mp3dec: only call ffio_ensure_seekback once Otherwise the subsequent ffio_ensure_seekback calls destroy the buffer of the earlier. The worst case ~66kB seekback is so small it is easier to request it entirely. Fixes ticket #10837, a regression since 0d17f5228f4d3854066ec1001f69c7d1714b0df9. Signed-off-by: Marton Balint <cus@passwd.hu> (cherry picked from commit b0053172199b54a806a4147cda8567a2f1823bc0)	2024-05-21 08:41:49 +02:00
James Almer	a8b8b1042f	avformat/vvc: fix parsing some early VPS bitstream values vps_default_ptl_dpb_hrd_max_tid_flag needs to always be set, and vps_direct_ref_layer_flag needs to be read even when vps_max_tid_ref_present_flag is false. Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit a48203d51aa4836150f9379448f6b2a1d5ca9d36)	2024-05-20 14:27:42 -03:00
James Almer	5f23eecfba	avformat/vvc: fix writing general_constraint_info bytes The existing implementation was completely broken. Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit 415dfa89e29686786085c207fdebcf2c97883a33)	2024-05-20 14:27:42 -03:00
Michael Niedermayer	da8b2f9704	avformat/iamfdec: check nb_streams in header read Fixes: Assertion pkt->stream_index < (unsigned)s->nb_streams && "Invalid stream index.\n" failed at libavformat/demux.c:572 Fixes: 67890/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5166340789829632.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 9f54c13bc4650c59fe2ffb04f5b85145f196fbb7)	2024-05-01 15:46:44 -03:00
James Almer	1e6382a6b7	avformat/mov: free the infe allocated item data on failure Fixes: memleak Fixes: 68212/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4963488540721152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Tested-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: James Almer <jamrial@gmail.com> (cherry picked from commit e09164940e4ff0b0ee9228f9d27385211160c6da)	2024-05-01 15:45:53 -03:00

1 2 3 4 5 ...

25848 Commits