Fixes: null pointer dereference
Fixes: 32113/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-4803262287052800
Same as 0c48c332ee
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 31386/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5773234709594112
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Print every error in the stack, if more than one, and don't print
bogus errors if there's none logged within OpenSSL.
Retain the underlying IO error code, print an error message out of
it, and pass the error code on to the caller.
Signed-off-by: Martin Storsjö <martin@martin.st>
Fixes: signed integer overflow: -9223372036854775760 - 50 cannot be represented in type 'long'
Fixes: 31673/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-580134751869337
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 31201/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4627865612189696.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long'
Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Both functions to read attached pictures coincide since
e83f27a21a (save for some log messages
in case av_dict_set failed).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
When allocating the MJpegContext fails (or if the dimensions run afoul
of the 65500x65500 limit), an attempt to free a subbuffer of said
context leads to a segfault in ff_mjpeg_encode_close().
Seems to be a regression since 467d9e27e0.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
In this case it also fixes a potential for compilation failures:
Not all compilers can handle the case in which a function with
a forward declaration declared with an attribute to always inline it
is called before the function body appears. E.g. GCC 4.2.1 on OS X 10.6
doesn't like it.
Reviewed-by: Pavel Koshevoy <pkoshevoy@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Specifically test that the WebVTT flavour is correctly mapped to
the Matroska/WebM CodecID and back; and test that dispositions
unsupported by WebM are discarded even when they would be supported
by Matroska.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Some old DV AVI files have the DSF-Flag of frames set to 0, although it
is PAL (maybe rendered with an old Ulead Media Studio Pro) ... this causes
ffmpeg/VLC-player to produce/play corrupted video (other players/editors
like VirtualDub work fine).
Fixes ticket #8333 and replaces/extends hack for ticket #2177
Signed-off-by: Marton Balint <cus@passwd.hu>
Timestamp difference is available in media timebase (1/90K) where as
rtcp time is in the default microseconds timebase. This patch fixes
the calculated prft wallclock time by rescaling the timestamp delta
to the microseconds timebase.
Signed-off-by: James Almer <jamrial@gmail.com>
A PutBitContext has a field called size_in_bits which is set to the
context's bitsize init_put_bits(); but it isn't used at all (the PutBits
API uses pointers directly and not bit indexes), so remove it (due to
ABI concerns the actual element is only removed at the next bump).
Furthermore, the multiplication inherent in setting this field can lead
to undefined integer overflows. This is particularly true for FFV1,
which uses a very big worst-case buffer (37*4*width*height; even
ordinary 1080p triggers an overflow). Ticket #8350 is about this
overflow which this commit fixes.
This means that the effective range of the PutBits API is no longer
restricted by the /8 as long as one isn't using put_bits_(count|left).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The function to write an ordinary (luma or chroma) plane as well as
the function for writing an alpha plane have some similarities:
They record the initial bitposition (despite said position always being
byte-aligned), flush the PutBitContext themselves and return the amount
of bytes they wrote.
This commit factors this out; it also replaces bitpositions by
bytepositions and it avoids recording the initial byteposition because
said information is already available from the position at the end of
the last plane.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Despite write_huff_codes() receiving an ordinary buffer (not a
PutBitContext), it returned the amount of data written in bits,
not in bytes. This has been changed: There is now no intermediate
bitcount any more.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Several encoders used code like the following to check for the amount of
bytes left in a PutBitContext:
pb->buf_end - pb->buf - (put_bits_count(pb) >> 3)
Besides the fact that using the pointers directly might pose
a maintainence burden in the future this also leads to suboptimal code:
The above code reads all three pointers (buf, buf_ptr and buf_end), but
touching buf is unnecessary and switching to put_bytes_left()
automatically fixes this.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Often a caller doesn't want the amount of bits written via a
PutBitContext, but the amount of bytes. This in particular happens
after one has flushed the PutBitContext (e.g. at the end of encoding,
when one wants to know the actual packet size). The current way of doing
this is with put_bits_count(pb)/8 (or (put_bits_count(pb) + 7)/8).
Yet this has some issues: It contains implicit multiplications and
divisions by 8 with a cast in between; it obscurs the intent; and
it restricts the size of the buffer to (currently) INT_MAX/8 (or
to 1/8 of the maximum of whatever put_bits_count() returns), although
said restriction is not really necessary for users that don't need
a bitcount.
Corresponding functions for the amount of bytes left have also been
addded.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The PutBits API checks the available space before every write,
so this check for overread is dead.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
We are already word-aligned here, so one can just as well flush the main
PutBitContext.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Compilation would fail if it were outcommented as it refers to a
nonexistent PutBitContext.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: Division by 0
Fixes: 30952/clusterfuzz-testcase-minimized-ffmpeg_BSF_SETTS_fuzzer-6601016202100736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 539033600 - -1910497124 cannot be represented in type 'int'
Fixes: 30928/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5922630966312960
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 136323327 * 281474976710656 cannot be represented in type 'long'
Fixes: 30913/clusterfuzz-testcase-minimized-ffmpeg_dem_IVF_fuzzer-5753392189931520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This avoids crafted files from consuming excessive resources recomputing the clut after each pixel change
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The check has been added at a time when the code performed the
multiplication itself instead of deferring it to av_malloc_array()
and when our allocation functions used unsigned instead of size_t.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The check has been added at a time when the code performed the
multiplication itself instead of deferring it to av_malloc_array()
and when our allocation functions used unsigned instead of size_t.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This check is outdated because the caller doesn't need to check that
the multiplication overflows when using av_realloc_array() (the code
in question used av_realloc() before that); furthermore, the check
is also a remnant of the time in which our allocation functions
didn't use size_t parameters.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
by keeping the variable uint32_t which in this situation is the natural
type anyway. This affected the FATE-test filter-paletteuse-sierra2_4a.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
by using a multiplication instead. The multiplication can never overflow
an int because the sin-factor is only an int16_t.
Affected the FATE-tests filter-concat and filter-concat-vfr.
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affects the FATE-tests webm-dash-manifest-unaligned-video-streams,
webm-dash-manifest and webm-dash-manifest-representations.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>