Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int'
Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336
Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Return error codes when constructing a stream config fails, rather than
just disregarding the failure and continuing.
Propagate the error codes from av_sdp_create().
Fixes: out of array access
Fixes: 40054/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-6713285764841472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: division by zero
Fixes: 42198/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5054366405492736.fuzz
Fixes: 42222/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4561249331970048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If 'opts' could not be allocated, exiting the program to avoid crash when release it.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Yu Yang <yuyang14@kuaishou.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Because the s->buffer has been freed by av_freep in avio_closep.
It should not av_freep the buffer in label fail after avio_closep.
Then just move the av_freep before avio_closep and remove the label fail.
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Reviewed-by: Zhao Zhili <zhilizhao@tencent.com>
Signed-off-by: Steven Liu <liuqi05@kuaishou.com>
This is possible by incrementing the counter of allocated rects
directly after said allocation succeeded.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Do this by actually incrementing the counter for the number
of rects at the right time.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Up until now, various subtitle decoders have not cleaned up
the AVSubtitle on error; this task must not be left to the user
because the documentation explicitly states that the AVSubtitle
"must be freed with avsubtitle_free if *got_sub_ptr is set"
(which it isn't on error).
Leaks happen upon failure in ff_ass_add_rect() or in
ass_decode_frame(); freeing generically also allows to remove
now redundant freeing code in pgssubdec and dvbsubdec.
While just at it, also reset got_sub_ptr generically on error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The caller of display_end_segment() frees the AVSubtitle on error
in case ENOMEM is returned or err_recognition is set to explode,
so display_end_segment() doesn't have to.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This piece of code has been added as FFmpeg's answer to
infinite loops in try_decode_frame() in commit
6072a19b4f. There is no loop
around try_decode_frame() any more, so this code can be removed.
This code is only triggered in case a) the codec parameter could
not be determined, b) the decode delay could not be guessed or
c) no packet was ever encountered and the encoder has the
AV_CODEC_CAP_CHANNEL_CONF. In these cases the new code will
no longer emit a "decoding for stream %d failed" message, which is
prima facie false. In case a) an additional "Could not find codec
parameters" message is (and will be) emitted. No warning will be
emitted any more in case b) (this happens e.g. with some
h264-conformance FATE-files).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
When flushing, try_decode_frame() itself loops until the desired
properties have been found or the decoder is drained.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This puts it directly near the NALU type which is more natural
and furthermore reduces the size of the structure because it
can be placed in padding (on 64-bit systems).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Forgotten in 03b82b3ab9.
(Moving data to the front is only done to make existing
initializations like H2645NAL nal = { NULL } not emit int->pointer
conversion warnings.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>