1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-19 05:49:09 +02:00

62 Commits

Author SHA1 Message Date
Michael Niedermayer
9e3d09f435 avformat/asfdec_o: Check for EOF in asf_read_marker()
Fixes: Timeout
Fixes: 26460/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5710884393189376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-25 01:10:14 +01:00
Michael Niedermayer
0bee216ad4 avformat/asfdec_o: Check size vs. offset in detect_unknown_subobject()
Fixes: signed integer overflow: 2314885530818453566 + 7503032301549264928 cannot be represented in type 'long'
Fixes: 26639/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6024222100684800

Alternatively this could be ignored but then the end condition of the loop
would be hard to reach as avio_tell() is int64_t

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-01-20 21:26:46 +01:00
Andreas Rheinhardt
96443ab4b0 avformat/asfdec_o: Remove code duplication
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
33870a6aa7 avformat/asfdec_o: Don't reset twice
A variable has been assigned a value twice consecutively; essentially
the same happens when one performs av_init_packet on an AVPacket after
a call to av_packet_unref.

Found via PVS-Studio (see ticket #8156).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:59 +01:00
Andreas Rheinhardt
bf4909f0a3 avformat/asfdec_o: Export metadata that applies to the whole file
The ASF specification of Metadata Objects' stream number is as follows:

"Specifies whether the entry applies to a specific digital media stream
or whether it applies to the whole file. A value of 0 in this field
indicates that it applies to the whole file; otherwise, the entry
applies only to the indicated stream number and must be between 1 and
127."

Yet the asf_o demuxer (the one originating from Libav) has always
treated such metadata as if it applied to a stream even though no stream
with a stream number may exist in a valid ASF file. This is fixed in
this commit; it affected e.g. the file
wma_with_metadata_library_object_tag_trimmed.wma from the FATE suite.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:20:54 +01:00
Andreas Rheinhardt
e83f27a21a avformat/asfdec_o: Don't segfault with lots of attached pics
The ASF file format has a limit of 127 streams and the "asf_o" demuxer
(the ASF demuxer from Libav) has an array of pointers for a structure
called ASFStream that is allocated on demand for every stream. Attached
pictures are not streams in the sense of the ASF specification, yet the
demuxer created an ASFStream for them; and in one codepath it also
forgot to check whether the array of ASFStreams is already full. The
result is a write beyond the end of the array and a segfault lateron.

Fixing this is easy: Don't create ASFStreams for attached picture
streams.

(Other results of the current state of affairs are unnecessary allocations
(of ASFStreams structures), the misparsing of valid files (there might not
be enough ASFStreams left for the valid streams if attached pictures take
up too many); furthermore, the ASFStreams created for attached pictures all
have the stream number 0, an invalid stream number (the valid range is
1-127). This means that invalid data (packets for a stream with stream
number 0) won't get rejected lateron.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-11-15 18:17:36 +01:00
Anton Khirnov
cea7c19cda lavf: move AVStream.*index_entries* to AVStreamInternal
Those are private fields, no reason to have them exposed in a public
header. Since there are some (semi-)public fields located after these,
even though this section is supposed to be private, keep some dummy
padding there until the next major bump to preserve ABI compatibility.
2020-10-28 14:59:28 +01:00
Andreas Rheinhardt
37140ebd87 avformat/id3v2: Remove unnecessary indirection
ff_id3v2_parse_apic/chapters/priv/priv_dict all had a parameter
extra_meta of type ID3v2ExtraMeta ** as if the functions wanted to make
*extra_meta point to something else. But they don't, so just use an
ID3v2ExtraMeta *.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-05-25 07:06:44 +02:00
Jun Zhao
ec3d3fc65d lavf/asfdec: Simplify the check conditions
Simplify the check conditions

Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
2019-11-04 10:24:58 +08:00
Carl Eugen Hoyos
4d8875ec23 lavf: Constify the probe function argument.
Reviewed-by: Lauri Kasanen
Reviewed-by: Tomas Härdin
2019-03-21 11:42:17 +01:00
Michael Niedermayer
2b46ebdbff avformat/asfdec_o: Check size_bmp more fully
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-07-05 19:52:42 +02:00
Lukas Stabe
1fd80106be avformat: fix id3 chapters
These changes store id3 chapter data in ID3v2ExtraMeta and introduce
ff_id3v2_parse_chapters to parse them into the format context if needed.

Encoders using ff_id3v2_read, which previously parsed chapters into the
format context automatically, were adjusted to call
ff_id3v2_parse_chapters.

Signed-off-by: wm4 <nfxjfg@googlemail.com>
2017-10-05 17:10:23 +02:00
James Almer
1902bbbe72 Merge commit 'cd7a2e1502f174c725c0de82711d2c7649057574'
* commit 'cd7a2e1502f174c725c0de82711d2c7649057574':
  asfdec: fix reading files larger than 2GB

Merged-by: James Almer <jamrial@gmail.com>
2017-10-03 20:12:15 -03:00
James Almer
42f27d1b8e Merge commit '0539d84d985e811e5989ef27c13f7e2dda0f9b89'
* commit '0539d84d985e811e5989ef27c13f7e2dda0f9b89':
  asfdec: Account for different Format Data sizes

See 76853a3e0ce4d4ef09ffcca7307991b8db832cd4

Merged-by: James Almer <jamrial@gmail.com>
2017-09-28 00:28:38 -03:00
James Almer
e666c2b5ec Merge commit '8e67039c6312ba520945f2c01b7b14df056d5ed1'
* commit '8e67039c6312ba520945f2c01b7b14df056d5ed1':
  asfdec: Use the ASF stream count when iterating

Merged-by: James Almer <jamrial@gmail.com>
2017-09-26 18:50:30 -03:00
James Almer
4de591e6fb Merge commit '83548fe894cdb455cc127f754d09905b6d23c173'
* commit '83548fe894cdb455cc127f754d09905b6d23c173':
  lavf: fix usage of AVIOContext.seekable

Merged-by: James Almer <jamrial@gmail.com>
2017-03-21 17:02:30 -03:00
James Almer
1582e306a4 avformat/avlanguage: make av_convert_lang_to() internal
The header was never installed and the function is only used in libavformat

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2016-07-19 21:43:14 -03:00
Clément Bœsch
8ef57a0d61 Merge commit '41ed7ab45fc693f7d7fc35664c0233f4c32d69bb'
* commit '41ed7ab45fc693f7d7fc35664c0233f4c32d69bb':
  cosmetics: Fix spelling mistakes

Merged-by: Clément Bœsch <u@pkh.me>
2016-06-21 21:55:34 +02:00
Clément Bœsch
c01f1157ac Merge commit '0f40c9098498ad90dbbd2380eb4269015e84bde4'
* commit '0f40c9098498ad90dbbd2380eb4269015e84bde4':
  Drop pointless assert.h #includes

Merged-by: Clément Bœsch <clement@stupeflix.com>
2016-06-21 15:26:20 +02:00
Derek Buitenhuis
6f69f7a8bf Merge commit '9200514ad8717c63f82101dc394f4378854325bf'
* commit '9200514ad8717c63f82101dc394f4378854325bf':
  lavf: replace AVStream.codec with AVStream.codecpar

This has been a HUGE effort from:
    - Derek Buitenhuis <derek.buitenhuis@gmail.com>
    - Hendrik Leppkes <h.leppkes@gmail.com>
    - wm4 <nfxjfg@googlemail.com>
    - Clément Bœsch <clement@stupeflix.com>
    - James Almer <jamrial@gmail.com>
    - Michael Niedermayer <michael@niedermayer.cc>
    - Rostislav Pehlivanov <atomnuker@gmail.com>

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
2016-04-10 20:59:55 +01:00
Hendrik Leppkes
be3963c8af Merge commit '066281372d90d63ca021b659abcb8faefd6bc4a6'
* commit '066281372d90d63ca021b659abcb8faefd6bc4a6':
  asfdec: Remove unused function parameters

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2016-01-19 08:47:48 +01:00
Andreas Cadhalpun
c29e87ad55 asfdec_o: check for too small size in asf_read_unknown
This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:40:21 +01:00
Andreas Cadhalpun
0e32153e9c asfdec_o: break if EOF is reached after asf_read_packet_header
asf_read_payload can unset eof_reached, so check it also before calling
that function.

This fixes infinite loops.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:39:46 +01:00
Andreas Cadhalpun
3776a72962 asfdec_o: make sure packet_size is non-zero before seeking
This fixes infinite loops due to seeking back.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:39:30 +01:00
Andreas Cadhalpun
74474750f1 asfdec_o: prevent overflow causing seekback
This fixes infinite loops.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:38:50 +01:00
Andreas Cadhalpun
0002d845e8 asfdec_o: check avio_skip in asf_read_simple_index
The loop can be very long, even though the file is very short.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:37:30 +01:00
Andreas Cadhalpun
aa18016996 asfdec_o: reject size > INT64_MAX in asf_read_unknown
Both avio_skip and detect_unknown_subobject use int64_t for the size
parameter.

This fixes a segmentation fault due to infinite recursion.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:37:13 +01:00
Andreas Cadhalpun
763c572801 asfdec_o: only set asf_pkt->data_size after sanity checks
Otherwise invalid values are used unchecked in the next run.
This can cause NULL pointer dereferencing.

Reviewed-by: Alexandra Hájková <alexandra.khirnova@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-01-15 00:36:41 +01:00
Hendrik Leppkes
bf67ae3cfa Merge commit '8375dc1dd101d51baa430f34c0bcadfa37873896'
* commit '8375dc1dd101d51baa430f34c0bcadfa37873896':
  asfdec: handle the case when the stream index has an invalid value better

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-11-29 15:32:39 +01:00
Hendrik Leppkes
7f5af80ba4 Merge commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457'
* commit 'ce70f28a1732c74a9cd7fec2d56178750bd6e457':
  avpacket: Replace av_free_packet with av_packet_unref

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-10-27 14:28:56 +01:00
Hendrik Leppkes
80fd622590 Merge commit '00cc10aee380f882507bac994ac469d8358d12e8'
* commit '00cc10aee380f882507bac994ac469d8358d12e8':
  asfdec: do not skip padding if offset is above packet size - padding

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-10-10 09:56:29 +02:00
Andreas Cadhalpun
8d6625642d doc: fix spelling errors
Reviewed-by: Lou Logan <lou@lrcd.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2015-10-09 22:09:08 +02:00
Hendrik Leppkes
de969904b1 Merge commit 'c0a49077ea4ff3a0ad30b9e33f1bb06ba9112aaa'
* commit 'c0a49077ea4ff3a0ad30b9e33f1bb06ba9112aaa':
  asfdec: add more checks for size left in asf packet buffer

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-09-12 15:18:05 +02:00
Hendrik Leppkes
8998caf0a4 Merge commit '77cf23668991bfd1fb69339f13e1511b4186b7b3'
* commit '77cf23668991bfd1fb69339f13e1511b4186b7b3':
  asfdec: alloc enough space for storing name in asf_read_metadata_obj

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-09-08 14:46:21 +02:00
Hendrik Leppkes
649b2e4c83 Merge commit '317cfaa5e09755ed0b34af512ec687963a67bdbf'
* commit '317cfaa5e09755ed0b34af512ec687963a67bdbf':
  asfdec: prevent the memory leak in the asf_read_metada_obj

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-18 09:35:56 +02:00
Hendrik Leppkes
3d2d672828 Merge commit 'e5997152f54f790229c99f237f8eb6b5b1ee683a'
* commit 'e5997152f54f790229c99f237f8eb6b5b1ee683a':
  asf: Use time_t where needed

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-07 09:27:55 +02:00
Hendrik Leppkes
b54cf4b886 Merge commit '944f60866f507e3c0850ae9c2f30dac1da54587c'
* commit '944f60866f507e3c0850ae9c2f30dac1da54587c':
  asfdec: read values properly

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-07 09:27:49 +02:00
Hendrik Leppkes
190e521123 Merge commit 'fdbc544d29176ba69d67dd879df4696f0a19052e'
* commit 'fdbc544d29176ba69d67dd879df4696f0a19052e':
  asfdec: prevent the memory leak while reading metadata

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-02 12:32:10 +02:00
Hendrik Leppkes
2ab827389b Merge commit '33dc1913ab7aaefc991b3e665d1d0b5d0b088672'
* commit '33dc1913ab7aaefc991b3e665d1d0b5d0b088672':
  asfdec: remove improper assignement that caused wrong timestamps

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-02 10:41:56 +02:00
Hendrik Leppkes
07094e5e40 Merge commit '78491fe8cfed83d2aead95dafe26f0d3f999e961'
* commit '78491fe8cfed83d2aead95dafe26f0d3f999e961':
  asfdec: do not export empty metadata

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-02 10:41:45 +02:00
Hendrik Leppkes
988ddfea5e Merge commit 'cd4d9df22738e6f147521ccb72c7930db6050914'
* commit 'cd4d9df22738e6f147521ccb72c7930db6050914':
  asfdec: free AVDictionaries properly when closing the demuxer

Merged-by: Hendrik Leppkes <h.leppkes@gmail.com>
2015-08-02 10:34:18 +02:00
Michael Niedermayer
e1296b5fa4 Merge commit 'b5c1c16247ab7d166c84eaf4564e49a1535fdaaf'
* commit 'b5c1c16247ab7d166c84eaf4564e49a1535fdaaf':
  asfdec: do not align Data Object when Broadcast Flag is set

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-28 00:13:54 +02:00
Michael Niedermayer
29d147c94d Merge commit '059a934806d61f7af9ab3fd9f74994b838ea5eba'
* commit '059a934806d61f7af9ab3fd9f74994b838ea5eba':
  lavc: Consistently prefix input buffer defines

Conflicts:
	doc/examples/decoding_encoding.c
	libavcodec/4xm.c
	libavcodec/aac_adtstoasc_bsf.c
	libavcodec/aacdec.c
	libavcodec/aacenc.c
	libavcodec/ac3dec.h
	libavcodec/asvenc.c
	libavcodec/avcodec.h
	libavcodec/avpacket.c
	libavcodec/dvdec.c
	libavcodec/ffv1enc.c
	libavcodec/g2meet.c
	libavcodec/gif.c
	libavcodec/h264.c
	libavcodec/h264_mp4toannexb_bsf.c
	libavcodec/huffyuvdec.c
	libavcodec/huffyuvenc.c
	libavcodec/jpeglsenc.c
	libavcodec/libxvid.c
	libavcodec/mdec.c
	libavcodec/motionpixels.c
	libavcodec/mpeg4videodec.c
	libavcodec/mpegvideo.c
	libavcodec/noise_bsf.c
	libavcodec/nuv.c
	libavcodec/nvenc.c
	libavcodec/options.c
	libavcodec/parser.c
	libavcodec/pngenc.c
	libavcodec/proresenc_kostya.c
	libavcodec/qsvdec.c
	libavcodec/svq1enc.c
	libavcodec/tiffenc.c
	libavcodec/truemotion2.c
	libavcodec/utils.c
	libavcodec/utvideoenc.c
	libavcodec/vc1dec.c
	libavcodec/wmalosslessdec.c
	libavformat/adxdec.c
	libavformat/aiffdec.c
	libavformat/apc.c
	libavformat/apetag.c
	libavformat/avidec.c
	libavformat/bink.c
	libavformat/cafdec.c
	libavformat/flvdec.c
	libavformat/id3v2.c
	libavformat/isom.c
	libavformat/matroskadec.c
	libavformat/mov.c
	libavformat/mpc.c
	libavformat/mpc8.c
	libavformat/mpegts.c
	libavformat/mvi.c
	libavformat/mxfdec.c
	libavformat/mxg.c
	libavformat/nutdec.c
	libavformat/oggdec.c
	libavformat/oggparsecelt.c
	libavformat/oggparseflac.c
	libavformat/oggparseopus.c
	libavformat/oggparsespeex.c
	libavformat/omadec.c
	libavformat/rawdec.c
	libavformat/riffdec.c
	libavformat/rl2.c
	libavformat/rmdec.c
	libavformat/rtpdec_latm.c
	libavformat/rtpdec_mpeg4.c
	libavformat/rtpdec_qdm2.c
	libavformat/rtpdec_svq3.c
	libavformat/sierravmd.c
	libavformat/smacker.c
	libavformat/smush.c
	libavformat/spdifenc.c
	libavformat/takdec.c
	libavformat/tta.c
	libavformat/utils.c
	libavformat/vqf.c
	libavformat/westwood_vqa.c
	libavformat/xmv.c
	libavformat/xwma.c
	libavformat/yop.c

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-27 23:15:19 +02:00
Michael Niedermayer
90696ef368 Merge commit '9e8627a1ff9207b9e272d248da2e1bd0cc6fe2fe'
* commit '9e8627a1ff9207b9e272d248da2e1bd0cc6fe2fe':
  asfdec: interpret the first flag in an asf packet as length flag

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-27 12:27:35 +02:00
Michael Niedermayer
0a03271ef6 Merge commit '7f388c0fabc51eca3106e7cc443393269435ab52'
* commit '7f388c0fabc51eca3106e7cc443393269435ab52':
  asfdec: remove the wrong condition

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-23 12:45:00 +02:00
Michael Niedermayer
40e8ade9eb Merge commit 'aed7715b8fa295980c221f1cd095d42cd3bd74a6'
* commit 'aed7715b8fa295980c221f1cd095d42cd3bd74a6':
  asfdec: increment nb_streams right after the stream allocation

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-23 11:43:56 +02:00
Michael Niedermayer
cd4c878934 Merge commit 'ee80f834cbb6dbacdc1efb4c658a7d775e82ebff'
* commit 'ee80f834cbb6dbacdc1efb4c658a7d775e82ebff':
  asfdec: set nb_streams to 0 in the asf_read_close

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-23 11:34:40 +02:00
Michael Niedermayer
6b9be608ce Merge commit '2a187a074a7f5ad9f01f72ac9715ddfcb2dbb8ec'
* commit '2a187a074a7f5ad9f01f72ac9715ddfcb2dbb8ec':
  asfdec: avoid crash in the case when chunk_len is 0 or pkt_len is 0

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-22 17:13:18 +02:00
Michael Niedermayer
fa7defc89a Merge commit '93f16f338f9e8aba0c006752eb3afc3fe6e137fd'
* commit '93f16f338f9e8aba0c006752eb3afc3fe6e137fd':
  asfdec: close the demuxer properly when read_header is failing

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-22 17:06:22 +02:00
Michael Niedermayer
fce350be0e Merge commit '5655236a67203d923755f285584c6e68abe7e33f'
* commit '5655236a67203d923755f285584c6e68abe7e33f':
  asfdec: factor out seeking to the Data Object outside while

Merged-by: Michael Niedermayer <michael@niedermayer.cc>
2015-07-22 16:53:26 +02:00