Fixes: signed integer overflow: -1795675744 + -1926578528 cannot be represented in type 'int'
Fixes: 17741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5131336402075648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 62220 * 262144 cannot be represented in type 'int'
Fixes: 17145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5667394743173120
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: NULL pointer dereference
Fixes: 18331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5652847445671936
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
zmbv has only one function for decoding intra frames, namely
decode_intra; and yet up until now it has been called via a function
pointer. This has been changed.
This also removes spec-incompliant conversions between function pointers
and pointers of type void * and thereby fixes the warning "ISO C forbids
assignment between function pointer and ‘void *’" that GCC emits with
the -pedantic option.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1. Since bd90a2ec, mpeg4_unpack_bframes caches whole packets instead of
just the pointer to the buffer and the buffer's size in order to be able
to make use of refcounting to avoid copying of data; this unfortunately
introduced copies of packet structures and side data (if existing),
although the only fields that are needed are the buffer-related ones
(data, size and buf). This can be changed without compromising the
advantages of refcounting by storing a reference to the buffer.
2. This change also makes it easy to use only one packet throughout
so that an allocation and free of an AVPacket structure per filtered
packet can be saved by switching to ff_bsf_get_packet_ref.
3. Furthermore, this commit also fixes a memleak introduced in bd90a2ec:
If a stored b_frame with side data was used for a later frame, the side
data would leak when the input frame's properties were copied into the
output frame.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int'
Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Up until now, the vp9_superframe bsf used distinct packets for input and
output. But at no point in the bsf are the input and output packets used
at the same time (except during a call to av_packet_move_ref()), so that
one can avoid using two packets if one switches to ff_bsf_get_packet_ref
at the same time. This also saves one malloc+free of an AVPacket
structure per filtered packet.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: signed integer overflow: 518484152 + 1868182638 cannot be represented in type 'int'
Fixes: 17732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SBC_fuzzer-5663738132168704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2147483360 - 631 cannot be represented in type 'int'
Fixes: 17701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_EA_EACS_fuzzer-5711517319692288
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: shift exponent 1008 is too large for 32-bit type 'int'
Fixes: 17700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5707633436131328
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -69555262 * 31 cannot be represented in type 'int'
Fixes: 17698/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5728970447781888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: index -49 out of bounds for type 'int16_t [192]'
Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of negative value -12
Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of negative value -30635
Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of negative value -1
Fixes: 17683/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_EA_R2_fuzzer-5111690013704192
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Removed (new_size - pkt->nals_allocated) because this value is always 1
during the call.
Based on commit 78b86c30d3860135042505dd4a9cbd95c4e6257d.
Signed-off-by: James Almer <jamrial@gmail.com>
Without reseting nal_buffer_size, av_fast_realloc will fail if
ff_h2645_packet_split is called with the unitialized pkt as argument.
Signed-off-by: James Almer <jamrial@gmail.com>
Change the stride argument to ptrdiff_t in the following functions:
ff_put_no_rnd_vc1_chroma_mc8_mmi, ff_put_no_rnd_vc1_chroma_mc4_mmi,
ff_avg_no_rnd_vc1_chroma_mc8_mmi, ff_avg_no_rnd_vc1_chroma_mc4_mmi.
Reviewed-by: Shiyou Yin <yinshiyou-hf@loongson.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
zmbvenc allocates a buffer for a picture with padding on all four sides:
The stride is choosen so large that it already contains padding on the
right; the height also includes padding rows. The padding on the right
of each row is also reused as padding for the left of the next row. So
one still needs to add padding on the left for the first row. This is done
by offsetting the actual pointer used to access the picture from the
pointer returned by av_mallocz and the formula for this offset was
wrong, because it ignored that a pixel can take more than one byte when
calculating the offset resulting from the left padding of the first row.
This fixes accesses outside of the allocated buffer that were reported
in tickets #7980 and #7994. No writes were ever attempted outside of
the buffer.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: memleaks
Fixes: 18023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5642535011090432
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: shift exponent -2 is negative
Fixes: 17736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F16LE_fuzzer-5742815929171968
Fixes: 17998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F24LE_fuzzer-5716980383875072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
GPU copy enables or disables GPU accelerated copying between video
and system memory. This may lead to a notable performance improvement.
Memory must be sequent and aligned with 128x64.
CMD:
ffmpeg -init_hw_device qsv=hw -filter_hw_device hw -c:v h264_qsv
-gpu_copy on -i input.h264 -f null -
or:
ffmpeg -c:v h264_qsv -gpu_copy on -i input.h264 -f null -
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
Signed-off-by: ChaoX A Liu <chaox.a.liu@intel.com>
Signed-off-by: Zhong Li <zhong.li@intel.com>
the data_start is after reading 12 bytes and if its subtracted
at the very end the intermediate might overflow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This seeks to the position the previous call to dxv_decompress_opcodes()
positioned us in case of success
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
