1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-28 20:53:54 +02:00
Commit Graph

23219 Commits

Author SHA1 Message Date
Limin Wang
95d12da559 avformat/rtsp: prefer to use MAX_URL_SIZE for url and command buffer
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
2020-12-05 09:00:53 +08:00
Michael Niedermayer
4f66dd13d0 avformat/mpc8: Check remaining space in mpc8_parse_seektable()
Fixes: Fixes infinite loop
Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-12-05 00:08:33 +01:00
Michael Niedermayer
72ca9f38e4 avformat/wavdec: Check for EOF in cues reading
Fixes: Timeout (>20sec -> 1ms)
Fixes: 26793/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-5674966852567040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-12-05 00:08:33 +01:00
Michael Niedermayer
a834af133b avformat/vqf: Check len for COMM chunks
Fixes: Infinite loop
Fixes: 26696/clusterfuzz-testcase-minimized-ffmpeg_dem_VQF_fuzzer-5648269168082944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-12-05 00:08:33 +01:00
Michael Niedermayer
c34004d82f avformat/mov: Use av_sat_add64() in mov_read_sidx()
This avoids a potential integer overflow, no testcase is known

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-12-05 00:08:33 +01:00
Michael Niedermayer
7d75ecf8d2 avformat/mov: Avoid overflow in end computation in mov_read_custom()
Fixes: signed integer overflow: 18 + 9223372036854775799 cannot be represented in type 'long'
Fixes: 26731/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5696846019952640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-12-05 00:08:33 +01:00
Michael Niedermayer
d7f87a4b9e avformat/id3v2: Sanity check tlen before alloc and uncompress
Fixes: Timeout (>20sec -> 65ms)
Fixes: 26896/clusterfuzz-testcase-minimized-ffmpeg_dem_DAUD_fuzzer-5691024049176576
Fixes: 27627/clusterfuzz-testcase-minimized-ffmpeg_dem_AEA_fuzzer-4907019324358656

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-12-05 00:08:33 +01:00
Michael Niedermayer
9dc3301745 avformat/cafdec: Check the return code from av_add_index_entry()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-29 16:10:56 +01:00
Michael Niedermayer
eb46939e3a avformat/cafdec: Check for EOF in index read loop
Fixes: OOM
Fixes: 27398/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-541296033975500

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-29 16:10:55 +01:00
Michael Niedermayer
5eed718087 avformat/cafdec: Check that bytes_per_packet and frames_per_packet are non negative
These fields are not signed in the spec (1.0) so they cannot be negative
Changing bytes_per_packet to unsigned would not solve this as it is exported
as block_align which is signed

Fixes: Infinite loop
Fixes: 26492/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5632087614554112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-29 16:10:55 +01:00
Michael Niedermayer
4bdb7966fa avformat/mpegts: Limit iterations of get_packet_size()
This is a pathological case where the fuzzer provides only 2 bytes per iteration.

Fixes: Timeout (>30 -> 0.9sec)
Fixes: 26488/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-5911031077142528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-29 16:10:55 +01:00
Andriy Gelman
f3891430fc avformat/rtspdec: fix potential mem leak in listen mode
Currently a repeating setup request (with the same stream id) will
simply overwrite rtp_handle/transport_priv without freeing the
resources first. This is fixed by closing the previous setup request.

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-28 12:27:53 -05:00
Andriy Gelman
b0019b909b avformat/rtspdec: show method request in log
Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-28 12:26:59 -05:00
Michael Niedermayer
0897402ac8 avformat/mpc8: correct integer overflow in mpc8_parse_seektable()
Fixes: signed integer overflow: -4683718486770919638 * 2 cannot be represented in type 'long'
Fixes: 26704/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6327056939614208
Fixes: 27550/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6259212652642304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-27 00:25:42 +01:00
Michael Niedermayer
ad3e495657 avformat/mpc8: correct 32bit timestamp truncation
Fixes: left shift of 65536 by 15 places cannot be represented in type 'int'
Fixes: 26801/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-5164313092030464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-27 00:25:42 +01:00
Michael Niedermayer
3b8a263c4f avformat/mov: Fix memleak in dref reading
Fixes: leak in mov_read_dref()
Fixes: 26698/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5638785444085760
Fixes: 27554/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6256643054239744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-27 00:25:42 +01:00
Andreas Rheinhardt
029cf6a91c avformat/flacenc: Fix memleak when writing attached pictures fails
The FLAC muxer currently stores an attached picture corresponding to an
AVStream in AVStream.priv_data. The AVPacket contained therein is
unreferenced after it has been written. The AVPacket structure itself is
then freed generically as AVStream.priv_data.

And this can lead to memleaks if an attached picture is not written:
It might be because the trailer is never written or because writing
a previous attached picture failed in case error_recognition is set
to explode.

Therefore free the packets properly (i.e. with av_packet_free())
in the muxer's deinit function.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-26 13:32:30 +01:00
Jan Ekström
4688017d9a avformat/av1: add support for passing through MP4/Matroska av1c 2020-11-24 10:13:55 +02:00
Michael Niedermayer
1278f117d7 avformat/avs: Use 64bit for the avio_tell() output
Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'
Fixes: 26549/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4844306424397824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-22 17:45:17 +01:00
Michael Niedermayer
40348637be avformat/moflex: Check pkt_size
Fixes: Timeout (>20sec -> 1ms)
Fixes: 26527/clusterfuzz-testcase-minimized-ffmpeg_dem_MOFLEX_fuzzer-6308307310215168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-22 17:45:17 +01:00
Leo Izen
f5dcaf2daa avformat/movenc: allow Apple Lossless inside mp4
The 'alac' identifier has been registered to ISO and thus towards
ISOBMFF at the MP4 registration authority. The existing non-MOV
mux mode matches the official ALAC-in-MP4 specification.
2020-11-22 14:28:31 +02:00
Michael Niedermayer
a207df2acb avformat/wavdec: More complete size check in find_guid()
Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long'
Fixes: 27341/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5442833206738944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-21 22:09:51 +01:00
Michael Niedermayer
8b50e8bc29 avformat/iff: Check size before skip
Fixes: Infinite loop
Fixes: 27292/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5731168991051776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-21 22:09:51 +01:00
Michael Niedermayer
ebf4bc629e avformat/rmdec: Check for EOF in index packet reading
Fixes: Timeout(>10sec -> 1ms)
Fixes: 27284/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6304211110985728

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-21 22:09:51 +01:00
Andriy Gelman
4fe9e2fc16 avformat/rtsp: don't forget to call ff_network_close() on error
In sdp_read_header() some ff_network_close() calls were missed.

Also in rtp_read_header() update comment to explain why a single
call to ff_network_close() is enough to cover all cases even if
sdp_read_header() returns an error.

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-21 10:15:52 -05:00
Andriy Gelman
78537aa52f avformat/rtsp: set return variable in error path
In this error path ret still stores the number of bytes read in
ffurl_read().

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-21 10:15:46 -05:00
Andriy Gelman
9a70b6f5b8 avformat/rtspdec: cosmetics
Make error check style consistent with rest of function.

Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-21 10:13:36 -05:00
Andriy Gelman
122fcf1f40 avformat/rtspdec: fix mem leaks in connect mode if init fails
Fixes #6334

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-21 10:13:28 -05:00
Andriy Gelman
38bc4ba142 avformat/rtspdec: fix mem leaks in listen mode if init fails
Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-21 10:13:16 -05:00
Andriy Gelman
423d06e0e2 avformat/rtspdec: add network init to listen mode
As per the docs network initialization is required before ff_url_join().
Furthermore, because the ff_network_init() was skipped, this makes
one additional call to ff_network_close() if the stream exits without
errors.

The was forgotten in the origin commit of the listen mode:
a8ad6ffafe

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-11-21 10:11:38 -05:00
Steve Lhomme
5bd870a212 avformat/matroskadec: only use the track duration if it exists
No need to multiplying/dividing when we know it's zero.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2020-11-20 15:20:24 +01:00
Steve Lhomme
3a2b786db0 avformat/matroskadec: adjust the cluster time to the track timebase
The Block timestamp read in matroska_parse_block() is in track timebase and is
passed on as such to the AVPacket which uses this timebase.

In the normal case the Cluster and Track timebases are the same because the
track->time_scale is 1.0. But when it is not the case, the values in Cluster
timebase need to be transformed in Track timebase so they can be added
together.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2020-11-20 15:20:24 +01:00
Steve Lhomme
b00d2210e4 avformat/matroskadec: add a warning when the track TimestampScale won't be used
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2020-11-20 15:20:24 +01:00
Martin Storsjö
104e5233f0 http: Check for AVERROR_EOF in the check for premature end
When the check was added (in 3668701f96, in 2015), some IO
functions returned 0 on EOF (in particular, the TCP protocol
did, but the TLS protocol returned AVERROR_EOF). Since
0e1f771d22 in 2017, the TCP protocol also returns AVERROR_EOF
instead of 0, making the check for premature end never have the
intended effect.

Signed-off-by: Martin Storsjö <martin@martin.st>
2020-11-20 10:37:24 +02:00
Marton Balint
bf19833ae2 avformat/mpegts: make sure mpegts_read_header always stops at the first pmt
mpegts_read_header stops parsing the file at the first PMT. However the check
that ensured this was wrong because streams can also be added before the first
PMT is received (e.g. EIT).

So let's make sure we are in the header reading phase by checking if ts->pkt is
unset instead of checking if the number of streams found so far is 0.

Signed-off-by: Marton Balint <cus@passwd.hu>
2020-11-19 21:22:07 +01:00
Limin Wang
3871326910 avformat/dvenc: check the format before vst and ast[i] are initialized
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
2020-11-19 22:39:30 +08:00
Limin Wang
da0faf10a3 avformat/dvenc: s->streams[i] -> st
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
2020-11-19 22:39:30 +08:00
Andreas Rheinhardt
96443ab4b0 avformat/asfdec_o: Remove code duplication
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
33870a6aa7 avformat/asfdec_o: Don't reset twice
A variable has been assigned a value twice consecutively; essentially
the same happens when one performs av_init_packet on an AVPacket after
a call to av_packet_unref.

Found via PVS-Studio (see ticket #8156).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
bf4909f0a3 avformat/asfdec_o: Export metadata that applies to the whole file
The ASF specification of Metadata Objects' stream number is as follows:

"Specifies whether the entry applies to a specific digital media stream
or whether it applies to the whole file. A value of 0 in this field
indicates that it applies to the whole file; otherwise, the entry
applies only to the indicated stream number and must be between 1 and
127."

Yet the asf_o demuxer (the one originating from Libav) has always
treated such metadata as if it applied to a stream even though no stream
with a stream number may exist in a valid ASF file. This is fixed in
this commit; it affected e.g. the file
wma_with_metadata_library_object_tag_trimmed.wma from the FATE suite.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:54 +01:00
Andreas Rheinhardt
e83f27a21a avformat/asfdec_o: Don't segfault with lots of attached pics
The ASF file format has a limit of 127 streams and the "asf_o" demuxer
(the ASF demuxer from Libav) has an array of pointers for a structure
called ASFStream that is allocated on demand for every stream. Attached
pictures are not streams in the sense of the ASF specification, yet the
demuxer created an ASFStream for them; and in one codepath it also
forgot to check whether the array of ASFStreams is already full. The
result is a write beyond the end of the array and a segfault lateron.

Fixing this is easy: Don't create ASFStreams for attached picture
streams.

(Other results of the current state of affairs are unnecessary allocations
(of ASFStreams structures), the misparsing of valid files (there might not
be enough ASFStreams left for the valid streams if attached pictures take
up too many); furthermore, the ASFStreams created for attached pictures all
have the stream number 0, an invalid stream number (the valid range is
1-127). This means that invalid data (packets for a stream with stream
number 0) won't get rejected lateron.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:17:36 +01:00
Limin Wang
5bb313e723 avformat/rtsp: av_rescale -> av_rescale_q
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
2020-11-14 09:09:28 +08:00
Michael Niedermayer
b33233bd53 avformat/icodec: Check for zero streams and stream creation failure
Fixes: NULL pointer dereference
Fixes: 26814/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5758487797432320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-13 17:46:47 +01:00
Michael Niedermayer
27ee67c00f avformat/icodec: Factor failure code out in read_header()
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-13 17:46:47 +01:00
Martin Storsjö
3fcfde2cea aviobuf: Increase the default SHORT_SEEK_THRESHOLD to 32 KB
The previous threshold, 4 KB, maybe was reasonable when it was set
(in 2010), but in today's settings and with typical network speeds
and data sizes, it's pretty small. 32 KB probably is a more reasonable
default now, regardless of input.

This changes the test references for two seek tests.

When using the normal seek function, which boils down to the lseek(2)
function, a seek to an out of bounds position doesn't return an error,
but that condition is only reported when doing the subsequent read
(which returns EOF). When doing more seeks by fast forwarding, the
fact that the seeked to destination is out of bounds is noticed and
reported sooner in these cases.

Signed-off-by: Martin Storsjö <martin@martin.st>
2020-11-12 14:05:43 +02:00
Michael Niedermayer
f6dc285fb5 avformat/bintext: Check width
Fixes: division by 0
Fixes: 26780/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5117945027756032
Fixes: 26998/clusterfuzz-testcase-minimized-ffmpeg_dem_ADF_fuzzer-5119352359354368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-11 17:05:24 +01:00
Michael Niedermayer
9ef60a66f1 avformat/sbgdec: Check that end is not before start
Fixes: signed integer overflow: -9223372036854775808 + -5279949906739200 cannot be represented in type 'long'
Fixes: 26908/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6329610851319808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-11-11 17:05:24 +01:00
Limin Wang
89429cf2f2 avformat/rtspdec: return proper error code
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
2020-11-11 18:32:56 +08:00
Limin Wang
aa1fab6934 avformat/rtsp: check return value of ffurl_read_complete
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
2020-11-11 18:32:56 +08:00
Limin Wang
001ccbc5cc avformat/rtsp: prefer to use variable instead of type
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
2020-11-11 18:32:56 +08:00