mov_read_stsz() did not ensure that every bit of a buffer is addressable
by an int as is required by the get_bits API, leading to a crash in
ticket #9344. Fix this by restricting the size more thoroughly.
The file from said ticket will then be considered invalid; in the
future, we might read and process the data in chunks to actually support
such files.
Fixes ticket #9344.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: signed integer overflow: 9223372036854775807 + 1442840321 cannot be represented in type 'long'
Fixes: 33670/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644379491106816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 36340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5872546875572224.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The accepted values for GopOptFlag are MFX_GOP_CLOSED (1) and
MFX_GOP_STRICT (2).
Signed-off-by: Haihao Xiang <haihao.xiang@intel.com>
Signed-off-by: Zhong Li <zhongli_dev@126.com>
Don't attempt to increase the cursor pointer if it was \0.
Fixes invalid reads.
Reviewed-by: Marton Balint <cus@passwd.hu>
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: James Almer <jamrial@gmail.com>
Having the override before autodetection meant that the overridden
value got overwritten by the autodetected result each time,
effectively disabling the ability to utilize the `-top` option
for override purposes.
Somehow I missed this in fbb44bc51a ,
even though the lines were within the context. Probably the code
originally being after this logic had something to do with it,
but previously it only touched the avformat context's codecpar,
which did not affect the encoder codec context whatsoever.
Fixes#9320Fixes#9339
The magic constants come from the unofficial "ITU-R BS.1770-1 filter
specifications"¹ by Raiden (libebur128) which relies on "Parameter
Quantization in Direct-Form Recursive Audio Filters"² by Brian
Neunaber.
The constants seem to include a quantization bias, for example:
- Vb is supposed to be exactly √Vh in a high shelf filter
- the Pre-filter Gain should likely be 4dB
- Pre Q and RLB Q are respectively very close to √½ and ½
Those are not adjusted to prevent the values from drifting away from
the official specifications.
An alternative to this approach would be to requantize on the fly as
proposed by pbelkner³, where the 48kHz code path would use the exact
specifications constants while derivating constants for other
frequencies.
[1]: https://www.scribd.com/document/49991813/ITU-R-BS-1770-1-filters
[2]: https://www.scribd.com/document/6531763/Direct-Form-Filter-Parameter-Quantization
[3]: https://hydrogenaud.io/index.php?topic=86116.msg740092#msg740092
Use avfilter_graph_alloc() instead of av_mallocz(sizeof(AVFilterGraph))
to allocate an AVFilterGraph; this also properly allocates the graph's
internal. The current code just happened to work because it did not
make any use of said internal.
Also check the allocation; this fixes Coverity #1292528.
Reviewed-by: Jan Ekström <jeebjp@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
There would be a segfault in case of (likely memory allocation) failure.
Fixes Coverity issue #1322338.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The code savings more than offset the size of the table
(1936B vs 768B with GCC 10.3 at -O3).
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This has been broken in 25c8507818,
because the hacks for headers that are incompatible with building
for the host in libavcodec/tableprint_vlc.h have not been adjusted.
Moving AV_INPUT_BUFFER_PADDING_SIZE to defs.h which is valid for
both the target as well as the host allowed to remove some of the hacks.
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: signed integer overflow: 8511838621821575200 - -3954125146725285889 cannot be represented in type 'long'
Fixes: 33414/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6610119325515776
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
These have mostly been added because of FF_API_*; yet when these were
removed, removing the header has been forgotten.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
These inclusions are not necessary, as cpu.h is already included
wherever it is needed (via direct inclusion or via the arch-specific
headers).
Also remove other unnecessary cpu.h inclusions from ordinary
non-headers.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
