Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int'
Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336
Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: out of array access
Fixes: 40054/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-6713285764841472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

This is possible by incrementing the counter of allocated rects
directly after said allocation succeeded.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Do this by actually incrementing the counter for the number
of rects at the right time.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Up until now, various subtitle decoders have not cleaned up
the AVSubtitle on error; this task must not be left to the user
because the documentation explicitly states that the AVSubtitle
"must be freed with avsubtitle_free if *got_sub_ptr is set"
(which it isn't on error).
Leaks happen upon failure in ff_ass_add_rect() or in
ass_decode_frame(); freeing generically also allows removing
the now redundant freeing code in pgssubdec and dvbsubdec.
While at it, also reset got_sub_ptr generically on error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

The caller of display_end_segment() frees the AVSubtitle on error
in case ENOMEM is returned or err_recognition is set to explode,
so display_end_segment() doesn't have to.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

This puts it directly near the NALU type, which is more natural
and furthermore reduces the size of the structure because it
can be placed in padding (on 64-bit systems).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Forgotten in 03b82b3ab9.
(Moving data to the front is only done to make existing
initializations like H2645NAL nal = { NULL } not emit int->pointer
conversion warnings.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Possible now that the child_class_next API is gone.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

ffmmal_add_packet() basically duplicated the logic in
av_packet_make_refcounted() with the added twist that it always
created a reference even if one is already available.
This commit stops doing this.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Processing of extra_data and of normal packets (from ff_decode_get_packet)
does not overlap, thus we can re-use the spare AVPacket to send to
ffmmal_add_packet.
Furthermore, this removes allocation of AVPacket on the stack and stops
using deprecated av_init_packet.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Ho Ming Shun <cyph1984@gmail.com>

MMAL is fundamentally an asynchronous decoder, which was a bad fit
for the legacy dataflow API. Often multiple packets are enqueued before
a flood of frames are returned from MMAL.
The previous lockstep dataflow meant that any delay in returning packets
from the VPU would cause ctx->queue_decoded_frames to grow with no way
of draining the queue.
Testing this with mpv streaming from a live RTSP source visibly reduced
latency introduced by frames waiting in queue_decoded_frames from
roughly 2s to 0.
Tested-by: Cameron Gutman <aicommander@gmail.com>
Signed-off-by: Ho Ming Shun <cyph1984@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Fixes crashes if the font name is NULL (which it is if a \fn tag
is not followed by a font name).
Signed-off-by: Charlie Monroe <charlie@charliemonroe.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Improves readability and avoids a redundant index variable
that was mistakenly called "tracksize".
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

The current checks just check whether the boxes fit into the remaining
size of the packet instead of whether they actually fit into the box
size. This has been changed; part of this change is to pass the size of
the box (minus the box header) as parameter instead of a pointer to
the AVPacket by which the box parsing function is supposed to
recalculate whether enough data is available.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

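The box-size check described in the commit above, as an added example that is not FFmpeg's code: a constructed ISO-BMFF-style box walker that accepts a child either because it fits in the remaining packet or because it fits in the enclosing box's own size, run over a constructed packet whose child claims more bytes than its parent holds. The box types 'moof', 'trun' and 'free', the packet layout and the helper names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed ISO-BMFF-style boxes: 4-byte big-endian size (including the
 * 8-byte header), 4-byte type, then payload. Not FFmpeg's own parser. */
static uint32_t rb32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wb32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Walks the children of the outer box at pkt[0]. bound_by_box == 0 accepts a
 * child that fits in the remaining packet (the check the commit calls
 * insufficient); 1 requires it to fit within the outer box itself. */
static int parse_children(const uint8_t *pkt, size_t pkt_size,
                          int bound_by_box, size_t *end)
{
    if (pkt_size < 8) return -1;
    uint32_t outer_size = rb32(pkt);
    if (outer_size < 8 || outer_size > pkt_size) return -1;
    size_t limit = bound_by_box ? outer_size : pkt_size, off = 8;
    int n = 0;
    while (off + 8 <= limit) {
        uint32_t csize = rb32(pkt + off);
        if (csize < 8 || csize > limit - off) break; /* malformed child: stop */
        off += csize;
        n++;
    }
    *end = off; return n;   /* number of children accepted, offset reached */
}

/* Constructed 40-byte packet: a 24-byte 'moof' box holding one 'trun' child
 * whose header claims child_size, then a sibling 16-byte 'free' box (zeroed). */
static size_t make_pkt(uint8_t *buf, uint32_t child_size)
{
    memset(buf, 0, 40);
    wb32(buf, 24);             memcpy(buf + 4, "moof", 4);
    wb32(buf + 8, child_size); memcpy(buf + 12, "trun", 4);
    wb32(buf + 24, 16);        memcpy(buf + 28, "free", 4);
    return 40;
}

/* Builds and parses one packet; returns 1000 * children + end offset, -1 on error. */
static long run(uint32_t child_size, int bound_by_box)
{
    uint8_t buf[40];
    size_t end, len = make_pkt(buf, child_size);
    int n = parse_children(buf, len, bound_by_box, &end);
    return n < 0 ? -1 : 1000L * n + (long)end;
}
```

With the packet-bounded check the oversized child (claimed size 24 inside a 16-byte payload) is accepted and the walk ends at offset 32, past the 24-byte outer box and into the sibling's bytes; the box-bounded check rejects it and stops at offset 8.
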
The base size of a box refers to the size the box has in a file,
not in memory; so size_t is not their natural type. Therefore use
a plain unsigned, which is smaller on 64-bit systems and still big
enough to represent any conceivable base size.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>