Fixes: signed integer overflow: -635424002382840000 * 16 cannot be represented in type 'long'
Fixes: 33612/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5704741108711424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0ff60249a57cba00ab679ca6190a802cc0c7b9c7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: tickets/3933/128.jls
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 011006874cb46325b6bc83234f81879ff421c05f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long'
Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit efdb56450418933965dc6e27f0b1625d25e44a8c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036854775805 + 4 cannot be represented in type 'long'
Fixes: 29927/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5579985228267520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f7c3484b2659063043100e8194d5790d2aa1a73c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int'
Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f8ec1da8ac8e3daf2403e744f166ea9557b2d333)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036846336888 + 4278255871 cannot be represented in type 'long'
Fixes: 32782/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6059216516284416
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee53bb2399d8f387ac93a18ba0600ca7b04ac634)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 44331634 * 65 cannot be represented in type 'int'
Fixes: 32120/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5760221223583744
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f40e9b13554d88cbdd6cd2b4a3da2cbea9590f5d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -1184429040541376544 * 32 cannot be represented in type 'long'
Fixes: 31788/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6236746338664448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 641c1db22bb27752b925293ad93f68843baa43bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: shift exponent 251 is too large for 32-bit type 'int'
Fixes: 32147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5519111675314176
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c093eb30311b7148a4da1c7555498187c8cdf0db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of negative value -224
Fixes: 32144/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-4971479323246592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e241a1b73bcca768f48ff1851e9e9f3f0752000)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This is marginally slower, but correct for all input values.
The previous implementation failed with certain input seeds, e.g.
"checkasm --test=hevc_idct 98".
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit f27e3ccf06ee19935d160164ca4a02f28cfc2a27)
Previously, only the size of a given tile was passed, making the
offset and size marked in VASliceParameterBufferAV1 invalid with
multiple tiles.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit 9b131e8500709fc7e66bf9049fc0a8f2c302cf9e)
Fixes build failure on older SDKs without it.
Fixes #9242
(cherry picked from commit f9eb440e788c08c489bb1a6d24dbbe34f4597f1c)
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
They should be treated the same as APNG_DISPOSE_OP_NONE.
Broken in 5663301560.
Fixes #9184.
(cherry picked from commit aa726eaed9848bcf6f615d2d9e6e5dd6174ad570)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Otherwise the rate emulation logic in `transcode_step` never gets
hit, and the unavailability flag never gets reset, leading to an
eternal loop with some rate emulation use cases.
This change was missed during the rework of ffmpeg.c, in which
encoder initialization was moved further down the time line in
commit 67be1ce0c6de330b1c10d1d121819d8a74a7b1f5. Previously,
as the encoder initialization had happened earlier, this state was
not possible (flow getting as far as hitting the rate emulation logic,
yet not having the encoder initialized yet).
Fixes#9160
(cherry picked from commit ec20b8130269260f3ae1e4642da26ba556814f84)
The SVQ1 decoder does not need mpegvideo or rl.c, but it uses stuff
from h263data.c. But since 61fe481586425a41d45e371de1e875b49882477d
h263data.c called ff_rl_init() and this of course led to build errors
when the SVQ1 decoder is enabled and mpegvideo disabled.
Fix this by moving ff_h263_init_rl_inter() to h263.c.
Fixes ticket #9224.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit e2301feabc2be18e1ee878dcdf643fd78b90c735)
Don't blindly copy all bytes in extradata past ChannelMappingFamily. Instead
check if ChannelMappingFamily is not 0 and then only write the correct amount
of bytes from ChannelMappingTable, as defined in the spec[1].
Fixes part of ticket #9190.
[1] https://opus-codec.org/docs/opus_in_isobmff.html#4.3.2
Signed-off-by: James Almer <jamrial@gmail.com>
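The bounded copy described above, as an added example that is not FFmpeg's own code: it assumes the RFC 7845 "OpusHead" layout for the extradata and the OpusSpecificBox ("dOps") layout from the referenced spec, computes how many bytes of ChannelMappingTable really exist, and refuses truncated input instead of over-reading.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 7845 "OpusHead" layout (little-endian), as found in Opus extradata.
 * The ChannelMappingTable only exists when ChannelMappingFamily != 0. */
#define OPUSHEAD_FIXED_LEN   19  /* magic(8) ver(1) ch(1) preskip(2) rate(4) gain(2) family(1) */
#define DOPS_FIXED_LEN       11  /* ver(1) ch(1) preskip(2) rate(4) gain(2) family(1) */

/* Number of extradata bytes that actually belong to the header, or -1 if the
 * buffer is shorter than the table it announces. Bytes beyond this length
 * (padding, junk from a hostile file) must not be copied into dOps. */
int opus_head_valid_len(const uint8_t *buf, size_t size)
{
    if (size < OPUSHEAD_FIXED_LEN || memcmp(buf, "OpusHead", 8) != 0)
        return -1;
    if (buf[18] == 0)                          /* family 0: no table at all */
        return OPUSHEAD_FIXED_LEN;
    /* table = StreamCount(1) + CoupledCount(1) + ChannelMapping(OutputChannelCount) */
    size_t need = OPUSHEAD_FIXED_LEN + 2 + (size_t)buf[9];
    return size < need ? -1 : (int)need;
}

/* Rewrites OpusHead into the big-endian dOps payload and copies exactly the
 * valid table bytes. Returns bytes written, or -1 on invalid input. */
int opus_head_to_dops(const uint8_t *h, size_t size, uint8_t *out)
{
    int hlen = opus_head_valid_len(h, size);
    if (hlen < 0)
        return -1;
    out[0] = 0;                                /* Version */
    out[1] = h[9];                             /* OutputChannelCount */
    out[2] = h[11]; out[3] = h[10];            /* PreSkip, LE16 -> BE16 */
    out[4] = h[15]; out[5] = h[14]; out[6] = h[13]; out[7] = h[12]; /* InputSampleRate */
    out[8] = h[17]; out[9] = h[16];            /* OutputGain */
    out[10] = h[18];                           /* ChannelMappingFamily */
    size_t tab = (size_t)hlen - OPUSHEAD_FIXED_LEN;
    memcpy(out + DOPS_FIXED_LEN, h + OPUSHEAD_FIXED_LEN, tab);
    return DOPS_FIXED_LEN + (int)tab;
}

/* Constructed sample: stereo, family 1, 4-byte table, then 3 junk bytes that
 * a blind copy of "everything past the family byte" would have emitted. */
static const uint8_t SAMPLE_HEAD[] = {
    'O','p','u','s','H','e','a','d', 1, 2, 0x38,0x01, 0x80,0xBB,0x00,0x00, 0x00,0x00, 1,
    1, 1, 0, 1, 0xAA,0xBB,0xCC };
uint8_t demo_dops[DOPS_FIXED_LEN + 2 + 255];

int demo_dops_len(void)
{
    return opus_head_to_dops(SAMPLE_HEAD, sizeof(SAMPLE_HEAD), demo_dops);
}
```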
NellyMoserEncodeContext.avctx is only set in init after these checks,
yet it is used by encode_end().
This is a regression since 0a56bfa71f751a2b25da8d060a019c1c75ca9d7b.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 652279e35becae7b4c0b6b73e4f6c074e8a8b77c)
Relying on the order of the enum is bad.
It clashes with the new presets having to sit at the end of the list, so
that they can be properly filtered out by the options parser on builds
with older SDKs.
So this refactors nvenc.c to instead rely on the internal NVENC_LOSSLESS
flag. For this, the preset mapping has to happen much earlier, so it's
moved from nvenc_setup_encoder to nvenc_setup_device and thus runs
before the device capability check.
Fixes: out of array read
Fixes: 32968/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSP2_fuzzer-5315296027082752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit caaf4633117f77a545975dac18e85b8fcdbc9ce7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Invalid read of size 4
Fixes: ASAN_Deadlysignal.zip
Found-by: Hardik Shah <hardik05@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0f6a3405e8987ad761a2d9139fdc95bbb6a61118)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Calling av_frame_make_writable() from decoders is tricky, especially
when frame threading is used. It is much simpler and safer to just make
a private copy of the frame.
This is not expected to have a major performance impact, since
APNG_DISPOSE_OP_BACKGROUND is not used often and
av_frame_make_writable() would typically make a copy anyway.
Found-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b593abda6c642cb0c3959752dd235c2faf66837f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Ugly, but a lot less broken than it was.
Fixes ticket #9166.
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit 5dc5f289cefe67457bd16f1950c56911e926385f)
The length does not cover the chunk type or CRC.
(cherry picked from commit ae08eec6a1f2129cd231a0ab664f0f17b854d138)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This data cannot be stored in PNGDecContext.picture, because the
corresponding chunks may be read after the call to
ff_thread_finish_setup(), at which point modifying shared context data
is a race.
Store intermediate state in the context and then write it directly to
the output frame.
Fixes exporting frame metadata after 5663301560
Fixes #8972
Found-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 8d74baccff59192d395735036cd40a131a140391)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Do not store the image buffer pointer/linesize in the context, just
access them directly from the frame.
Stop assuming that linesize is the same for the current and last frame.
(cherry picked from commit 89ea5057bf47880145419341258eadb3635448cf)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Saves an allocation+free and two frame copies per each frame.
(cherry picked from commit 5a50bd88db670f8c030a814e4cdb2a880dc1d4f4)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The (deprecated) field AVCodecContext.mpeg_quant has no range
restriction; MpegEncContext.mpeg_quant is restricted to 0..1.
If the former is set, the latter is overwritten with it without
checking the range. This can trigger an av_assert2() with the MPEG-4
encoder when writing said field.
Fix this by just setting MpegEncContext.mpeg_quant to 1 if
AVCodecContext.mpeg_quant is set.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit d393c45051ddaf6146e7e29ec2ea97035a727529)
The pix_fmts of the LJPEG encoder already contain all supported pixel
formats (including the ones only supported when strictness is unofficial
or less); yet the check in ff_encode_preinit() ignored this list in case
strictness is unofficial or less. But the encoder presumed that it is
always applied and blacklists some of the entries in pix_fmts when
strictness is > unofficial. The result is that if one uses an entry not
on that list and sets strictness to unofficial, said entry passes both
checks and this can lead to segfaults later on (e.g. when using gray).
Fix this by removing the exception for LJPEG in ff_encode_preinit().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 6e8e9b7633d8b755e7a464a10ba5047f31cbd84d)
For both the RealMedia as well as the IVR demuxer (which share the same
context) each AVStream's priv_data contains an AVPacket that might
contain data (even when reading the header) and therefore needs to be
unreferenced. Up until now, this has not always been done:
The RealMedia demuxer didn't do it when allocating a new stream's
priv_data failed although there might be other streams with packets to
unreference. (The reason for this was that until recently rm_read_close()
couldn't handle an AVStream without priv_data, so one had to choose
between a potential crash and a memleak.)
The IVR demuxer meanwhile never ever called read_close so that the data
already contained in packets leaks upon error.
This patch fixes both demuxers by adding the appropriate cleanup code.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 9a471c5437d34cd1e63520b47f50a0fa605a5688)