Fixes: out of array access
Fixes: 40054/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-6713285764841472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This is possible by incrementing the counter of allocated rects
directly after said allocation succeeded.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Do this by actually incrementing the counter for the number
of rects at the right time.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Up until now, various subtitle decoders have not cleaned up
the AVSubtitle on error; this task must not be left to the user
because the documentation explicitly states that the AVSubtitle
"must be freed with avsubtitle_free if *got_sub_ptr is set"
(which it isn't on error).
Leaks happen upon failure in ff_ass_add_rect() or in
ass_decode_frame(); freeing generically also allows to remove
now redundant freeing code in pgssubdec and dvbsubdec.
While just at it, also reset got_sub_ptr generically on error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The caller of display_end_segment() frees the AVSubtitle on error
in case ENOMEM is returned or err_recognition is set to explode,
so display_end_segment() doesn't have to.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This puts it directly near the NALU type which is more natural
and furthermore reduces the size of the structure because it
can be placed in padding (on 64-bit systems).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Forgotten in 03b82b3ab9.
(Moving data to the front is only done to make existing
initializations like H2645NAL nal = { NULL } not emit int->pointer
conversion warnings.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Possible now that the child_class_next API is gone.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
ffmal_add_packet() basically duplicated the logic in
av_packet_make_refcounted() with the added twist that it always
created a reference even if one is already available.
This commit stops doing this.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
extra_data and normal packets (from ff_decode_get_packet) processing do
not overlap, thus we can re-use the spare AVPacket to send to
ffmmal_add_packet.
Furthermore, this removes allocation of AVPacket on the stack and stops
using deprecated av_init_packet.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Ho Ming Shun <cyph1984@gmail.com>
MMAL is an fundamentally an asynchronous decoder, which was a bad fit
for the legacy dataflow API. Often multiple packets are enqueued before
a flood of frames are returned from MMAL.
The previous lockstep dataflow meant that any delay in returning packets
from the VPU would cause ctx->queue_decoded_frames to grow with no way
of draining the queue.
Testing this with mpv streaming from a live RTSP source visibly reduced
latency introduced by frames waiting in queue_decoded_frames from
roughly 2s to 0.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Ho Ming Shun <cyph1984@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes crashes if the font name is NULL (which it is if a \fn tag
is not followed by a font name).
Signed-off-by: Charlie Monroe <charlie@charliemonroe.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Improves readability and avoids a redundant index variable
that was mistakenly called "tracksize".
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The current checks just check whether the boxes fit into the remaining
size of the packet instead of whether they actually fit into the box
size. This has been changed; part of this change is to pass the size of
the box (minus the box header) as parameter instead of a pointer to
the AVPacket by which the box parsing function is supposed to
recalculate whether enough data is available.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The base size of a box refers to the size the box has in a file,
not in memory; so size_t is not their natural type. Therefore use
a plain unsigned which is smaller on 64bit systems and still big
enough to represent any conceivable base size.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
There are three types of style entries which are redundant:
a) Entries with length zero. They are already discarded.
b) Entries that are equivalent to the default style:
They can be safely discarded.
c) Entries that are equivalent to the immediately preceding style
if the start of the current style coincides with the end of the
preceding style. In this case the styles can be merged.
This commit implements discarding/merging in cases b) and c).
This fixes ticket #9548. In said ticket each packet contained
exactly one style entry that covered the complete packet with
the exception of the last character (probably created by a tool
that didn't know that the style's end is exclusive). Said style
coincided with the default style, leading to a superfluous reset,
which is now gone.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Both TextSampleEntry and TextSample can contain StyleRecords;
yet both the code as well as the structures for them were duplicated.
This commit changes this.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Giving elements of a structure called StyleBox names like
"style_start" or "style_end" is redundant, especially given
that the relevant variables are also called style.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
av_image_copy() expects an array of four pointers according to its
declaration; although it currently only touches pointers that
are actually in use (depending upon the pixel format) this might
change at any time (as has already happened for the linesizes
in d7bc52bf45).
This fixes a -Wstringop-overflow= warning with GCC 11.2.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
av_image_copy() expects an array of four pointers and linesizes
according to its declaration; it currently only pointers that are
actually in use (depending upon the pixel format), but this might
change at any time. It has already happened for the linesizes in
d7bc52bf45 and so increasing their
array fixes a stack-buffer overread.
This fixes a -Wstringop-overflow= and -Wstringop-overread warning
from GCC 11.2.
Reviewed-by: Linjie Fu <linjie.justin.fu@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Old system is:
OSX version: 10.11.6
Apple LLVM version 8.0.0 (clang-800.0.42.1)
Target: x86_64-apple-darwin15.6.0
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
