Fixes: signed integer overflow: 6000 * -2147483648 cannot be represented in type 'int'
Fixes: 25700/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6578316302352384
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 688c1175ba91d0477cc461e5bfda210d6659a3b8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c635f2ce6c18d448e77605ee83b55bd8250f812)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 8398407 * 300 cannot be represented in type 'int'
Fixes: 23914/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4702539290509312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa8935b395162f8438d1f055e671e92685ed1586)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 7958120835074169528 * 9 cannot be represented in type 'long long'
Fixes: 23382/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6230683226996736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cf0c700b0c25f5d9fe50dd27086a06812822f11a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Assertion failure
Fixes: 24612/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6600899842277376.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8931c55789a69f717b4a6954c5bb7acf5475a134)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
No audio stream is created unconditionally and if none has been created,
no packet with stream_index 1 may be returned. This fixes an assert in
ff_read_packet() in libavformat/utils reported in ticket #8782.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ec59dc73f0cc8930bf5dae389cd76d049d537ca7)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 806a4d5187aeb82b97898683242886ed1e84f894)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Until now, we would have only attempted to utilize already decrypted
data if it was enough to fill the size of buffer requested, that could
very well be up to 32 kilobytes.
With keep-alive connections this would just lead to recv blocking
until rw_timeout had been reached, as the connection would not be
officially closed after each transfer. This would also lead to a
loop, as such timed out I/O request would just be attempted again.
By just returning the available decrypted data, keep-alive based
connectivity such as HLS playback is fixed with schannel.
(cherry picked from commit 6f8826e4aaddf1ee6cf3f333ed0e392a748382fe)
The dec_buf seems to be properly managed between read calls,
and we have no logic to decrypt before attempting socket I/O.
Thus - until now - such data would not be decrypted in case of
connections such as HTTP keep-alive, as the recv call would
always get executed first, block until rw_timeout, and then get
retried by retry_transfer_wrapper.
Thus - if data is received - decrypt all of it right away. This way
it is available for the following requests in case they can be
satisfied with it.
(cherry picked from commit 39977fff20048f1798a95c593d6034a0e73ebbe5)
Fixes: signed integer overflow: 8 * 9223372036854774783 cannot be represented in type 'long'
Fixes: 23381/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4818340509122560
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 10cc82c35baabbb07ffec3faccb04d8928c39e4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The segments / url can be modified by the io read when reloading
This may be an alternative or additional fix for Ticket8673
as a further alternative the reload stuff could be disabled during
probing
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5e39880fb7269b1b3577cee288e06aa3dc1dfa2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
fix ticket: 8673
set the default EXTINF duration to 1ms if duration is smaller than 1ms
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)
Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int'
Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b6fbbe08c325415cc784df296058beb6604f0b9c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 1 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 23490/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5133490093031424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a8fb7612a97530bdd0b2549dacf91dcf71a3187a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: division by zero
Fixes: 23162/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4856420817436672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0e15b01b4e463d12128db2c15de7741637548347)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'
Fixes: 23167/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6425051741290496
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9a42a67c5ca198a3879b7f3663cc44ccbcaf0bd3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 22520/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5100297658826752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1ba8484559661dfdbca36dbc17b203f33f62e26c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -9223372036854775808 - 45000 cannot be represented in type 'long'
Fixes: ticket8187
Found-by: Suhwan
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9874815b1aadadd7fd19aa6aabb7d9193f2f43d5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 30000299 * 256 cannot be represented in type 'int'
Fixes: ticket8184
Found-by: Suhwan
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 31f956acadd994b8c4e22b714aaffee0f527c827)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: stack-buffer-overflow-READ-0x0831fff1
Found-by: GalyCannon <galycannon@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit daa2482871dffa9af12fa6d874a3d2dedd73f42e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This avoids accessing an old, no longer valid buffer.
Fixes: out of array access
Fixes: crash_audio-2020
Found-by: le wu <shoulewoba@gmail.com>
Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd74af14162c803f18e90bb12b52135e893d990c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The demuxer code assumes the existence of a video stream
Fixes: assertion failure
Fixes: 21512/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5699660783288320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 97c78caf3e8f7ec4df3d3123b5e8d0e7541319e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 8233/PPY6574574605_cut.mp3
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 20f7b4dfc9640c910655bd153c6996e9edd42ff0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with initialized data. Caught by
Chromium fuzzeras (crbug.com/1065731).
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5b967f56b6d85f62446836fc8ef64d0dcfcbda17)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found by Chromium fuzzers (crbug.com/1057205).
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad91cf1f2f5793db5c6dd7ab9947fcc6d7832607)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with unitialized data. Caught by
Chromium fuzzers (crbug.com/1054229).
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b7c67b1ae3657058b32b9235119d07529ad5cce1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 2 * 1210064928 cannot be represented in type 'int'
Fixes: 20873/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5761116909338624
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8140fe7324f264faacf7395b27e12531d1f13f7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: memleaks
Fixes: 21084/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5655975492321280
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96c04694550999cc214cae8c4a16d2d7ac0958bc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 2045163756 * 2 cannot be represented in type 'int'
Fixes: Ticket5132
Found-by: tsmith
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f3d8f517dbc42de8e2f97cc01bf5171bb05fbcc7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long'
Fixes: Ticket8149
Found-by: Suhwan
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 347920ca2102d762e4713f101a2e75811791e2b3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of
e2_pts - e1_pts will overflow an int64_t.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f15007afa90a3eb3639848d9702c1cc3ac3e896b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: bypassing of checks and assertion failure
Fixes: asan_1003879.mp4
Found-by: Clusterfuzz + asan
Reported-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1cd41840208bce7e690a4ccc48077567418a0aa8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fix two cases of memleaks:
1. The leak of dv_demux
2. The leak of dv_fctx upon dv_demux allocate failure
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
