mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-12 19:18:44 +02:00
Commit Graph

72 Commits

Author SHA1 Message Date
Michael Niedermayer
557aa7772e avformat/asfdec_o: Check offset before adding index entry
Fixes: signed integer overflow: 9223372036854550860 + 530259564 cannot be represented in type 'long'
Fixes: 49093/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-4697179192688640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-10-20 21:42:20 +02:00
Michael Niedermayer
736e9e69d5 avformat/asfdec_o: Limit packet offset
avoids overflows with it

Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-09-24 17:57:36 +02:00
Michael Niedermayer
1f1a368169 avformat/asfdec_o: limit recursion depth in asf_read_unknown()
The threshold of 5 is arbitrary, both smaller and larger should work fine

Fixes: Stack overflow
Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-08-31 18:03:55 +02:00
Andreas Rheinhardt
35ec5c819b avformat/demux: Add new demux.h header
And move the stuff already in demuxer-only files to it.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2022-05-10 07:37:38 +02:00
Andreas Rheinhardt
40bdd8cc05 avformat: Avoid allocation for AVStreamInternal
Do this by allocating AVStream together with the data that is
currently in AVStreamInternal; or rather: Put AVStream at the
beginning of a new structure called FFStream (which encompasses
more than just the internal fields and is a proper context in its own
right, hence the name) and remove AVStreamInternal altogether.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-09-17 13:22:25 +02:00
Andreas Rheinhardt
bc70684e74 avformat: Constify all muxer/demuxers
This is possible now that the next-API is gone.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2021-04-27 11:48:06 -03:00
Michael Niedermayer
098314e1e5 avformat/asfdec_o: Use ff_get_extradata()
Fixes: OOM
Fixes: 27240/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5937469859823616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-04-24 11:36:47 +02:00
Andreas Rheinhardt
dfeb9b3a8b avformat/asf: Factor common code out
Both functions to read attached pictures coincide since
e83f27a21a (save for some log messages
in case av_dict_set failed).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2021-03-31 22:01:36 +02:00
James Almer
3c69e5cd6f avformat/asfdec_o: use av_packet_alloc() to allocate packets
Signed-off-by: James Almer <jamrial@gmail.com>
2021-03-17 15:06:48 -03:00
Michael Niedermayer
06e5c79194 avformat/asfdec_o: Check lang_idx
Fixes: index 26981 out of bounds for type 'ASFStreamData [128]'
Fixes: 27334/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6197611002068992

Alternatively the array could be increased in size or the cases not fitting be ignored

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-29 19:36:46 +01:00
Michael Niedermayer
9e3d09f435 avformat/asfdec_o: Check for EOF in asf_read_marker()
Fixes: Timeout
Fixes: 26460/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5710884393189376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-25 01:10:14 +01:00
Michael Niedermayer
0bee216ad4 avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()
Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long'
Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800

Alternatively this could be ignored but then the end condition of the loop
would be hard to reach as avio_tell() is int64_t

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-20 21:26:46 +01:00
Andreas Rheinhardt
96443ab4b0 avformat/asfdec_o: Remove code duplication
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
33870a6aa7 avformat/asfdec_o: Don't reset twice
A variable has been assigned a value twice consecutively; essentially
the same happens when one performs av_init_packet on an AVPacket after
a call to av_packet_unref.

Found via PVS-Studio (see ticket #8156).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
bf4909f0a3 avformat/asfdec_o: Export metadata that applies to the whole file
The ASF specification of Metadata Objects' stream number is as follows:

"Specifies whether the entry applies to a specific digital media stream
or whether it applies to the whole file. A value of 0 in this field
indicates that it applies to the whole file; otherwise, the entry
applies only to the indicated stream number and must be between 1 and
127."

Yet the asf_o demuxer (the one originating from Libav) has always
treated such metadata as if it applied to a stream even though no stream
with such a stream number may exist in a valid ASF file. This is fixed in
this commit; it affected e.g. the file
wma_with_metadata_library_object_tag_trimmed.wma from the FATE suite.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:54 +01:00
Andreas Rheinhardt
e83f27a21a avformat/asfdec_o: Don't segfault with lots of attached pics
The ASF file format has a limit of 127 streams and the "asf_o" demuxer
(the ASF demuxer from Libav) has an array of pointers for a structure
called ASFStream that is allocated on demand for every stream. Attached
pictures are not streams in the sense of the ASF specification, yet the
demuxer created an ASFStream for them; and in one codepath it also
forgot to check whether the array of ASFStreams is already full. The
result is a write beyond the end of the array and a segfault later on.

Fixing this is easy: Don't create ASFStreams for attached picture
streams.

(Other results of the current state of affairs are unnecessary allocations
(of ASFStreams structures), the misparsing of valid files (there might not
be enough ASFStreams left for the valid streams if attached pictures take
up too many); furthermore, the ASFStreams created for attached pictures all
have the stream number 0, an invalid stream number (the valid range is
1-127). This means that invalid data (packets for a stream with stream
number 0) won't get rejected later on.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:17:36 +01:00
Anton Khirnov
cea7c19cda lavf: move AVStream.*index_entries* to AVStreamInternal
Those are private fields, no reason to have them exposed in a public
header. Since there are some (semi-)public fields located after these,
even though this section is supposed to be private, keep some dummy
padding there until the next major bump to preserve ABI compatibility.
2020-10-28 14:59:28 +01:00
Andreas Rheinhardt
37140ebd87 avformat/id3v2: Remove unnecessary indirection
ff_id3v2_parse_apic/chapters/priv/priv_dict all had a parameter
extra_meta of type ID3v2ExtraMeta ** as if the functions wanted to make
*extra_meta point to something else. But they don't, so just use an
ID3v2ExtraMeta *.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-05-25 07:06:44 +02:00
Jun Zhao
ec3d3fc65d lavf/asfdec: Simplify the check conditions
Simplify the check conditions

Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
2019-11-04 10:24:58 +08:00
Carl Eugen Hoyos
4d8875ec23 lavf: Constify the probe function argument.
Reviewed-by: Lauri Kasanen
Reviewed-by: Tomas Härdin
2019-03-21 11:42:17 +01:00
Michael Niedermayer
2b46ebdbff avformat/asfdec_o: Check size_bmp more fully
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-07-05 19:52:42 +02:00
Lukas Stabe
1fd80106be avformat: fix id3 chapters
These changes store id3 chapter data in ID3v2ExtraMeta and introduce
ff_id3v2_parse_chapters to parse them into the format context if needed.

Encoders using ff_id3v2_read, which previously parsed chapters into the
format context automatically, were adjusted to call
ff_id3v2_parse_chapters.

Signed-off-by: wm4 <nfxjfg@googlemail.com>
2017-10-05 17:10:23 +02:00
James Almer
1902bbbe72 Merge commit 'cd7a2e1502f174c725c0de82711d2c7649057574'
* commit 'cd7a2e1502f174c725c0de82711d2c7649057574':
  asfdec: fix reading files larger than 2GB

Merged-by: James Almer <jamrial@gmail.com>
2017-10-03 20:12:15 -03:00
James Almer
42f27d1b8e Merge commit '0539d84d985e811e5989ef27c13f7e2dda0f9b89'
* commit '0539d84d985e811e5989ef27c13f7e2dda0f9b89':
  asfdec: Account for different Format Data sizes

See 76853a3e0c

Merged-by: James Almer <jamrial@gmail.com>
2017-09-28 00:28:38 -03:00
James Almer
e666c2b5ec Merge commit '8e67039c6312ba520945f2c01b7b14df056d5ed1'
* commit '8e67039c6312ba520945f2c01b7b14df056d5ed1':
  asfdec: Use the ASF stream count when iterating

Merged-by: James Almer <jamrial@gmail.com>
2017-09-26 18:50:30 -03:00
James Almer
4de591e6fb Merge commit '83548fe894cdb455cc127f754d09905b6d23c173'
* commit '83548fe894cdb455cc127f754d09905b6d23c173':
  lavf: fix usage of AVIOContext.seekable

Merged-by: James Almer <jamrial@gmail.com>
2017-03-21 17:02:30 -03:00
James Almer
1582e306a4 avformat/avlanguage: make av_convert_lang_to() internal
The header was never installed and the function is only used in libavformat

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2016-07-19 21:43:14 -03:00
Clément Bœsch
8ef57a0d61 Merge commit '41ed7ab45fc693f7d7fc35664c0233f4c32d69bb'
* commit '41ed7ab45fc693f7d7fc35664c0233f4c32d69bb':
  cosmetics: Fix spelling mistakes

Merged-by: Clément Bœsch <u@pkh.me>
2016-06-21 21:55:34 +02:00
Clément Bœsch
c01f1157ac Merge commit '0f40c9098498ad90dbbd2380eb4269015e84bde4'
* commit '0f40c9098498ad90dbbd2380eb4269015e84bde4':
  Drop pointless assert.h #includes

Merged-by: Clément Bœsch <clement@stupeflix.com>
2016-06-21 15:26:20 +02:00
Derek Buitenhuis
6f69f7a8bf Merge commit '9200514ad8717c63f82101dc394f4378854325bf'
* commit '9200514ad8717c63f82101dc394f4378854325bf':
  lavf: replace AVStream.codec with AVStream.codecpar

This has been a HUGE effort from:
    - Derek Buitenhuis <derek.buitenhuis@gmail.com>
    - Hendrik Leppkes <h.leppkes@gmail.com>
    - wm4 <nfxjfg@googlemail.com>
    - Clément Bœsch <clement@stupeflix.com>
    - James Almer <jamrial@gmail.com>
    - Michael Niedermayer <michael@niedermayer.cc>
    - Rostislav Pehlivanov <atomnuker@gmail.com>

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-04-10 20:59:55 +01:00
Hendrik Leppkes
be3963c8af Merge commit '066281372d90d63ca021b659abcb8faefd6bc4a6'
* commit '066281372d90d63ca021b659abcb8faefd6bc4a6':
  asfdec: Remove unused function parameters

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2016-01-19 08:47:48 +01:00
Andreas Cadhalpun
c29e87ad55 asfdec_o: check for too small size in asf_read_unknown
This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:40:21 +01:00
Andreas Cadhalpun
0e32153e9c asfdec_o: break if EOF is reached after asf_read_packet_header
asf_read_payload can unset eof_reached, so check it also before calling
that function.

This fixes infinite loops.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:39:46 +01:00
Andreas Cadhalpun
3776a72962 asfdec_o: make sure packet_size is non-zero before seeking
This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:39:30 +01:00
Andreas Cadhalpun
74474750f1 asfdec_o: prevent overflow causing seekback
This fixes infinite loops.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:38:50 +01:00
Andreas Cadhalpun
0002d845e8 asfdec_o: check avio_skip in asf_read_simple_index
The loop can be very long, even though the file is very short.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:37:30 +01:00
Andreas Cadhalpun
aa18016996 asfdec_o: reject size > INT64_MAX in asf_read_unknown
Both avio_skip and detect_unknown_subobject use int64_t for the size
parameter.

This fixes a segmentation fault due to infinite recursion.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:37:13 +01:00
Andreas Cadhalpun
763c572801 asfdec_o: only set asf_pkt->data_size after sanity checks
Otherwise invalid values are used unchecked in the next run.
This can cause NULL pointer dereferencing.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:36:41 +01:00
Hendrik Leppkes
bf67ae3cfa Merge commit '8375dc1dd101d51baa430f34c0bcadfa37873896'
* commit '8375dc1dd101d51baa430f34c0bcadfa37873896':
  asfdec: handle the case when the stream index has an invalid value better

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-11-29 15:32:39 +01:00
Hendrik Leppkes
7f5af80ba4 Merge commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457'
* commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457':
  avpacket: Replace av_free_packet with av_packet_unref

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-10-27 14:28:56 +01:00
Hendrik Leppkes
80fd622590 Merge commit '00cc10aee380f882507bac994ac469d8358d12e8'
* commit '00cc10aee380f882507bac994ac469d8358d12e8':
  asfdec: do not skip padding if offset is above packet size - padding

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-10-10 09:56:29 +02:00
Andreas Cadhalpun
8d6625642d doc: fix spelling errors
Reviewed-by: Lou Logan <lou@lrcd.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-10-09 22:09:08 +02:00
Hendrik Leppkes
de969904b1 Merge commit 'c0a49077ea4ff3a0ad30b9e33f1bb06ba9112aaa'
* commit 'c0a49077ea4ff3a0ad30b9e33f1bb06ba9112aaa':
  asfdec: add more checks for size left in asf packet buffer

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-09-12 15:18:05 +02:00
Hendrik Leppkes
8998caf0a4 Merge commit '77cf23668991bfd1fb69339f13e1511b4186b7b3'
* commit '77cf23668991bfd1fb69339f13e1511b4186b7b3':
  asfdec: alloc enough space for storing name in asf_read_metadata_obj

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-09-08 14:46:21 +02:00
Hendrik Leppkes
649b2e4c83 Merge commit '317cfaa5e09755ed0b34af512ec687963a67bdbf'
* commit '317cfaa5e09755ed0b34af512ec687963a67bdbf':
  asfdec: prevent the memory leak in the asf_read_metada_obj

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-18 09:35:56 +02:00
Hendrik Leppkes
3d2d672828 Merge commit 'e5997152f54f790229c99f237f8eb6b5b1ee683a'
* commit 'e5997152f54f790229c99f237f8eb6b5b1ee683a':
  asf: Use time_t where needed

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-07 09:27:55 +02:00
Hendrik Leppkes
b54cf4b886 Merge commit '944f60866f507e3c0850ae9c2f30dac1da54587c'
* commit '944f60866f507e3c0850ae9c2f30dac1da54587c':
  asfdec: read values properly

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-07 09:27:49 +02:00
Hendrik Leppkes
190e521123 Merge commit 'fdbc544d29176ba69d67dd879df4696f0a19052e'
* commit 'fdbc544d29176ba69d67dd879df4696f0a19052e':
  asfdec: prevent the memory leak while reading metadata

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-02 12:32:10 +02:00
Hendrik Leppkes
2ab827389b Merge commit '33dc1913ab7aaefc991b3e665d1d0b5d0b088672'
* commit '33dc1913ab7aaefc991b3e665d1d0b5d0b088672':
  asfdec: remove improper assignment that caused wrong timestamps

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-02 10:41:56 +02:00
Hendrik Leppkes
07094e5e40 Merge commit '78491fe8cfed83d2aead95dafe26f0d3f999e961'
* commit '78491fe8cfed83d2aead95dafe26f0d3f999e961':
  asfdec: do not export empty metadata

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-02 10:41:45 +02:00