Fixes: memleak on error path
Fixes: 15984/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5679918412726272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit da5039415c2bd625085d15e6c92e0b64eefddcbf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avio_read can successfully return even when less than the requested
amount of input was read. wavdec's bext parsing mistakenly assumed a
successful avio_read always read the full amount that was requested.
The result could be dictionary tags populated with partially
uninitialized values.
This change also fixes a broken assertion in wav_parse_bext_string that
was off-by-one, though no known current usage of that method hits that
broken case.
Chromium bug: 987270
Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9151595917793558550 + 297519050751678697 cannot be represented in type 'long'
Fixes: 15496/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5722866475073536
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5c46fdf305caac8bf2f270e69e60ae3d614df468)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 32 * 538976288 cannot be represented in type 'int'
Fixes: 15633/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5752273981931520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 39a6a79bcbe3c2d239ed207a34c5fb3ca7bfdaf0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: division by 0
Fixes: 15480/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5746727434321920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f57e97dfd9539bc3f4f97a76ebc001f0b055cb88)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 15271/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5735262606327808
Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c30ff38880570377168096417f714b21102b343)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 15123/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5738039235575808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 112eb17a2bbf6d02f81fdf0743b353a6b010aedc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of negative value -14614752
Fixes: 15174/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5670543606415360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dd357d76e5faf3ce6fc46ffb924cf30f1cb54af9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 904444 * 3600 cannot be represented in type 'int'
Fixes: 15113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5764083346833408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a0f23b9d647ad84e0351b43ca4b552add00c8dc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa003019ab9ec5ef7e7b3ff9d6262d3472b427eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 84026453 * 28 cannot be represented in type 'int'
Fixes: 15111/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5675630072430592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c6c4129b4cc3b9e0b3a527a5a15c904ec6ae3b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf3ee6a13053d37a0c5022a324624e89f0bce8c5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1a74b04737f08e2e11a02ada280407889f6cadb1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b5b977c9f96e2c3803317ad75253801bc571791)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The last argument of av_strlcpy is supposed to contain the size of the
destination buffer, but it was filled with the size of the source
string, effectively negating its very purpose.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 73ef1f47f59333328264a968c8fbbcfb0bf0643f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized variables
Fixes: blank.aa
Found-by: Chamal De Silva <chamal.desilva@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ed188f6dcdf0935c939ed813cf8745d50742014b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 bytes (id3v2 header amount of bytes) were being read before any checks
were made on the bitstream. The result was that we were overreading into
the next frame if the current one was 8 or 9 bytes long.
Fixes tickets #7271 and #7869.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d88193c2196cf5342424aaa7a44b046c71c2527a)
No testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ff13a92a6f8413402f5b3cacedda7c10d350b487)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Found-by: Wenxiang Qian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b687b549aa0fb115861b1343208de8c2630803bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 85f91ed760a517c0d5fcf692d40a5a9d7efa9476)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a142ffdcaec06fcbf7d4b00dbb0e5ddfb9e3344d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: memleak
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5649187601121280
Reported-by: Chris Cunningham <chcunningham@google.com>
Tested-by: Chris Cunningham <chcunningham@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d1afa7284c3feba4debfebf1b9cf8ad67640e34a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Bad content may contain stsc boxes with a first_chunk index that
exceeds stco.entries (chunk_count). This ammends the existing check to
include cases where chunk_count == 0. It also patches up the case
when stsc refers to unknown chunks, but stts has no samples (so we
can simply ignore stsc).
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c15449ca9a5bfa387868ac55628397273da761f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Detecting missing tfhd avoids re-using tfhd track info from the previous
moof. For files with multiple tracks, this may make a mess of the
avindex and fragindex, which can later trigger av_assert0 in
mov_read_trun().
Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ea87e5d9ea075d5b3c0f4f8c6c48e514b454cbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: OOM
Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 497c9b0cce559d43607bbbd679fe42f1d7e9040e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Infinite loop
Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0b50f27635f684ec0526e9975c9979f35bbf486b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Not currently supported.
(cherry picked from commit db109373d87b1fa5fe9f3d027d1bb752f725b74a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab1319d82f0c77308792fa2d88cbfc73c3e47cb7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avio_read may return EOF, leaving the mimetype array unitialized. fail
early when this occurs to avoid using the array in an unitialized state.
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee1e39a576977fd38c3b94fc56125d31d38833e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a95b73abc868995b08ca2b4d8bbf2cda43184f8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.
Reviewed-by: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Without this FTP just hangs on eof...
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit 6a034adf7516fde8733064ed7ba5c77554298047)
Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long'
Fixes: find_stream_info_usan
Reported-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0a41a8bf2945e59db7a0773ebce11a26b95d45b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Entries are always at least 8 bytes per the parsing code, so if we
see an impossible entry count avoid massive allocations. This is
similar to an existing check in mov_read_stsc().
Since ff_mov_read_stsd_entries() does eof checks, an alternative
approach could be to clamp the entry count to atom.size / 8.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
