c390234da2
avformat/wtvdec: Check length of read mpeg2_descriptor
Fixes: Use of uninitialized value
Fixes: 70900/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6286909377150976
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-08 19:10:05 +02:00
c95ea03104
avformat/wtvdec: clear sectors
The code can leave uninitialized holes in the array.
Fixes: use of uninitialized values
Fixes: 70883/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-6698694567591936
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-08 18:24:31 +02:00
b534e402d8
avformat/mov: ensure required number of bytes is read
Fixes: use-of-uninitialized-value
Found by OSS-Fuzz.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-08 18:23:39 +02:00
94165d1b79
avformat/iamf: use aligned intreadwrite macros where possible
Signed-off-by: James Almer <jamrial@gmail.com>
2024-08-07 00:16:21 -03:00
49a6e448d7
avformat/movenc: use stream indexes when generating track ids
In some scenarios nb_tracks isn't the same as nb_streams, so a given id may end
up being used for two separate streams.
e.g. when muxing an IAMF track followed by a video track, if the IAMF track
consists of several streams, the video track would end up having an id of 2,
which may also be used by one of the IAMF streams.
Signed-off-by: James Almer <jamrial@gmail.com>
2024-08-07 00:16:21 -03:00
792a9979eb
avformat/rtpproto: free ip filters on open error
Found by OSS-Fuzz.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-07 00:59:19 +02:00
8485f7a378
avformat/srtpproto: pass options to nested protocol
This fixes passing options dict.
Fixes some timeouts found by OSS-Fuzz.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-07 00:59:19 +02:00
2b5f000d3f
avformat/jpegxl_anim_dec: ensure input padding is zeroed
Fixes use of uninitialized value, reported by MSAN.
Found by OSS-Fuzz.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
Fixes: 70837/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5089407768526848
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-05 23:17:46 +02:00
3978e81809
avformat/img2dec: Clear padding data after EOF
Fixes: use-of-uninitialized-value
Fixes: 70852/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5179190066872320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Kacper Michajlow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-05 23:17:46 +02:00
79a1cf30d1
avformat/wavdec: Check if there are 16 bytes before testing them
Fixes: use-of-uninitialized-value
Fixes: 70839/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5212907590189056
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-05 23:17:45 +02:00
5b87869c09
avformat/mov: fix track handling when mixing IAMF and video tracks
Fixes crashes when muxing the two together.
Signed-off-by: James Almer <jamrial@gmail.com>
2024-08-04 12:09:40 -03:00
ed96ac87a9
avformat/iamf_parse: Check for 0 samples
Fixes: division by zero
Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872
Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-08-01 00:18:02 +02:00
92b317245c
avformat/mov: use AV_WL*A
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-29 21:33:31 -03:00
f1fcc3ca5f
avformat/matroskadec: use AV_WL32A
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-29 21:33:31 -03:00
e7d3ff8dcd
avformat/mov: check that child boxes of trak are only present inside it
Based on the check done for the stco box.
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-28 17:28:19 -03:00
2aa63784b5
avformat/mov: check that sample and chunk count is 1 for HEIF
Fixes NULL pointer dereference in broken/fuzzed streams.
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-28 17:28:19 -03:00
3d5d60d041
avformat/dump: implement dv_md_compression
2024-07-28 12:20:07 +02:00
ce8166a19c
avformat/mpegts: implement dv_md_compression
2024-07-28 12:20:07 +02:00
b3a9fab9da
avformat/dovi_isom: implement dv_md_compression
2024-07-28 12:20:07 +02:00
586f6fda1d
avformat/mov: add an EOF check in IPRP
Fixes: Timeout
Fixes: 69230/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6540512101203968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-23 23:21:13 +02:00
55af81b5a4
Revert "avformat/udp: Fix temporary buffer race"
This is not needed
This reverts commit 7b2f67ea77.
2024-07-23 23:21:13 +02:00
53d0f9afb4
avcodec/electronicarts: decode framerate
Reviewed-by: Peter Ross <pross@xvid.org>
2024-07-23 06:40:30 +10:00
696685df0c
avformat/xmv: Check this_packet_size
Fixes: CID1604489 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 17:02:12 +02:00
7734c583f7
avformat/webpenc: Check filesize in trailer
not sure this is possible
Fixes: CID1604446 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 17:02:12 +02:00
be30913538
avformat/ty: rec_size seems to only need 32bit
May help CID1604560 Overflowed integer argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 17:02:11 +02:00
41745e550a
avformat/tty: Check avio_size()
Fixes: CID1220824 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 17:02:11 +02:00
124a97dd8b
avformat/siff: Basic pkt_size check
Fixes: half of CID1258461 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 17:02:11 +02:00
759aae590c
avformat/sauce: Check avio_size() for failure
Fixes: CID1604592 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 17:02:10 +02:00
3e305a0e70
avformat/sapdec: Check ffurl_get_file_handle() for error
Fixes: CID1604506 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:51 +02:00
e83e246504
avformat/nsvdec: Check asize for PCM
Fixes: CID1604527 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:43 +02:00
cea4dbc903
avformat/mp3dec: Check header_filesize
Fixes: CID1608714 Division or modulo by float zero
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:41 +02:00
bb936a1a72
avformat/mp3dec; Check for avio_size() failure
Fixes: CID1608710 Improper use of negative value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:37 +02:00
046d069552
avformat/mov: Use 64bit for str_size
We assign a 64bit variable to it before checking
Fixes: CID1604544 Overflowed integer argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:35 +02:00
139bf41246
avformat/mm: Check length
Fixes: CID1220824 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:32 +02:00
291356f58b
avformat/hnm: Check *chunk_size
Fixes: CID1604419 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:23 +02:00
7e577165c1
avformat/hlsenc: Check ret
Fixes: CID1609624 Unused value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:41:11 +02:00
bf61f811e7
avformat/bintext: Check avio_size() return
Fixes: CID1604503 Overflowed constant
Fixes: CID1604566 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:40:49 +02:00
891bc070f0
avformat/asfdec_o: Check size of index object
We subtract 24 so it must be at least 24
Fixes: CID1604482 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 16:40:48 +02:00
9b9e02f2ff
avformat/iamf_parse: Check for negative sample sizes
Fixes: index -2 out of bounds for type 'const enum AVCodecID [3]'
Fixes: 69866/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4971166119821312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 15:35:08 +02:00
d8d288479d
avformat/mxfdec: Reorder elements of expression in bisect loop
Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'
Fixes: 68578/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6032171648221184
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 15:29:25 +02:00
167bf8f61e
avformat/mov: Check extradata in mov_read_iacb()
Fixes: MemLeak
Fixes: 69853/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4660448545275904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-21 15:29:24 +02:00
2aab4e4cc0
avformat/iamf_writer: disallow Opus extradata with mapping family other than 0
Clause 3.11.1 of IAMF[1] states the Opus ID Header should conform to ChannelMappingFamily == 0.
[1] https://aomediacodec.github.io/iamf/#opus-specific
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-19 21:07:32 -03:00
9ce065c90d
avformat/iamf_parse: sanitize audio_roll_distance values
Ensure the values are spec compliant and that no integer overflow can happen.
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-19 21:07:32 -03:00
7dabad079b
avformat/iamf: byteswap values in OpusHeader
Clause 3.11.1 of IAMF[1] states the values are stored in big endian, in
contrast to the Ogg Encapsulation for Opus[2] where they are in little endian.
[1] https://aomediacodec.github.io/iamf/v1.0.0-errata.html#opus-specific
[2] https://datatracker.ietf.org/doc/html/rfc7845#section-5.1
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-18 23:27:20 -03:00
54b8d5e201
avformat/iamf: rename Codec Config seek_preroll to audio_roll_distance
The semantics for the field are different than the one in AVCodecParameters,
so use the name defined in the IAMF spec to prevent confusion.
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-18 23:27:20 -03:00
2094f40295
avformat/iamf_writer: fix coded audio_roll_distance values
'seek_preroll' corresponds to 'audio_roll_distance' in IAMF[1]
[1] https://aomediacodec.github.io/iamf/v1.0.0-errata.html#audio_roll_distance
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-18 23:27:20 -03:00
709a5687ed
avformat/iamf_writer: fix PCM endian-ness flag
The value was swapped from what's defined in clause 3.11.4 of IAMF[1]
[1] https://aomediacodec.github.io/iamf/#lpcm-specific
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-18 23:27:20 -03:00
180c869faf
avformat/movenc: fix channel count and samplerate fields for IAMF tracks
Clause 6.2.3 of IAMF[1] states both of these shall be set to 0.
[1] https://aomediacodec.github.io/iamf/v1.0.0-errata.html#iasampleentry-section
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-18 23:27:20 -03:00
3de65f47e0
avformat/mov: don't export frame cropping stream side data when the clap box is a no-op
Signed-off-by: James Almer <jamrial@gmail.com>
2024-07-18 23:27:20 -03:00
b248dace92
avformat/iamf_parse: keep substream count consistent
Fixes: member access within null pointer of type 'IAMFSubStream' (aka 'struct IAMFSubStream')
Fixes: 69795/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6216287009701888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-07-16 18:43:14 +02:00