"The entries in an IFD must be sorted in ascending order by Tag. Note that this is
not the order in which the fields are described in this document."
This way various dimensions, sample and bit sizes cannot be changed at
arbitrary times which reduces the potential for bugs.
The tag reading code also on various places assumes that numerically previous
tags have already been parsed, so this needs to be enforced one way or another.
If this commit causes problems with real world files which are not easy to fix
then some other form of checks are needed to ensure the various dependencies
in the tag reading are not violated.
Fixes: out of array access
Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad29f9e47cb848e11ee1d358d2bae15cd35ef04b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Assertion failure
Fixes: 24612/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6600899842277376.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8931c55789a69f717b4a6954c5bb7acf5475a134)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: division by zero
Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit be090da25f734460f3105075456877b8a66185c1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d51d569cf68f78aaea8464a156c847a0e294726a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Later the decorrelate_stereo call is guarded by channels == 2
and non-zero decorr_left_weight. Make sure decorr_shift is in
the expected shift range for that case.
Fixes: shift exponent 128 is too large for 32-bit type 'int'
Fixes: 23860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5751138914402304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Alexander Strasser <eclipse7@gmx.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4333718b357a9ad195031e5d0ea080d37677b795)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: crash.asf
Found-by: anton listov <greyfarn7@yandex.ru>
Reviewed-by: anton listov <greyfarn7@yandex.ru>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 081e3001edb67dcd55fe0f68505df1fce667476d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
No audio stream is created unconditionally and if none has been created,
no packet with stream_index 1 may be returned. This fixes an assert in
ff_read_packet() in libavformat/utils reported in ticket #8782.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ec59dc73f0cc8930bf5dae389cd76d049d537ca7)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 806a4d5187aeb82b97898683242886ed1e84f894)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 8683744 * 256 cannot be represented in type 'int'
Fixes: 23527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679885932822528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9f7b252cdf2d0e0f79d16dc7cd575d1884239863)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 155 + 2147483647 cannot be represented in type 'int'
Fixes: 23421/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5652849097965568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ddc5e1f3cebca25ade54ee68159d305f210bf5f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found-by: "Steinar H. Gunderson" <steinar+ffmpeg@gunderson.no>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea28ce9bc13803ccef97850388ddc9a73998a23e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Until now, we would have only attempted to utilize already decrypted
data if it was enough to fill the size of buffer requested, that could
very well be up to 32 kilobytes.
With keep-alive connections this would just lead to recv blocking
until rw_timeout had been reached, as the connection would not be
officially closed after each transfer. This would also lead to a
loop, as such timed out I/O request would just be attempted again.
By just returning the available decrypted data, keep-alive based
connectivity such as HLS playback is fixed with schannel.
(cherry picked from commit 6f8826e4aaddf1ee6cf3f333ed0e392a748382fe)
The dec_buf seems to be properly managed between read calls,
and we have no logic to decrypt before attempting socket I/O.
Thus - until now - such data would not be decrypted in case of
connections such as HTTP keep-alive, as the recv call would
always get executed first, block until rw_timeout, and then get
retried by retry_transfer_wrapper.
Thus - if data is received - decrypt all of it right away. This way
it is available for the following requests in case they can be
satisfied with it.
(cherry picked from commit 39977fff20048f1798a95c593d6034a0e73ebbe5)
Fixes: runtime error: passing uninitialized value to FreeContextBuffer
causes a crash
Signed-off-by: Paweł Wegner <pawel.wegner95@gmail.com>
(cherry picked from commit 85c00643b763bc62f3a15c19df44c3f1312bfe81)
The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit
is so big that it extends beyond the end of the input packet; it does so
only implicitly by using the checked version of the bytestream2 API.
But this has downsides compared to real checks: It can lead to huge
allocations (up to 2GiB) even when the input packet is just a few bytes.
And furthermore it leads to uninitialized data being output.
So add a check to error out early if it happens.
Also check directly whether there is enough data for the length field.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The earlier version of the webm_chunk muxer had several bugs:
1. If the first packet of an audio stream didn't have a PTS of zero,
then no chunk will be started before a packet is delivered to the
underlying Matroska/WebM muxer, i.e. the AVFormatContext used to write
these packets had a NULL as AVIOContext for output. This is behind the
crash in ticket #5752.
2. If an error happens during writing a packet, the underlyimg
Matroska/WebM muxer context is freed. This leads to a use-after-free
coupled with a double-free in webm_chunk_write_trailer (which supposes
that the underlying AVFormatContext is still valid).
3. Even when no error occurs at all, webm_chunk_write_trailer is still
buggy: After the underlying Matroska/WebM muxer has written its trailer,
ending the chunk implicitly flushes it again which is illegal at this
point.
These bugs have been fixed.
Fixes#5752.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 8c6ee7626bcce7c270360f33b60dc7ef99939fc3)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
ttaenc contained (1 << unary) - 1 as an argument for a function
expecting an unsigned int. unary can be as big as 31 in this case.
The type of the shift and the whole expression is int, because 1 fits
into an integer, so that the behaviour is undefined if unary == 31
as the result of the shift can't be represented in an int §. Subtraction
by 1 (which makes the result of the whole expression representable in
an int) doesn't change that this is undefined (it usually leads to
signed integer overflow which is undefined, too).
The solution is simple: Make 1 unsigned to change the type of the
whole expression to unsigned int (as the function expects anyway).
Fixes ticket #8153.
§: This of course presupposes the common int range of -2^31..2^31-1
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ab488a5407f833ecc66e8fa4c537dc4852db720)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Freeing this was forgotten in ad899522.
Fixes#8315 and #8316.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6f2a3958cfac135c60b509a61a4fd39432d8f9a9)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affected every usage of vf_xbr, e.g. the FATE-tests filter-2xbr,
filter-3xbr, filter-4xbr.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4294dc3589a3ab973b10a85b576ff15e3ffb000d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affected every usage of this filter; in particular, it affected the
FATE-tests filter-2xbr, filter-3xbr and filter-4xbr.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fa211943265ca991548a4cc2f85a6df9cedcd092)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests
(where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5cf593adcd79a7c9502dc2725e1f0681ada36aef)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes ticket #8160.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 324487b596fbcda0a5753c7bb7b2e96e9d512479)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b7f156e8cbdf3256c7860c62ebb7a6c3002cbb03)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affected the FATE-tests vsynth_lena-dv-411, vsynth1-dv-411,
vsynth2-dv-411 and hevc-paramchange-yuv420p.yuv420p10.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e2646e23be69bdef1e41d4decee1a4298701b8d1)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This affected many FATE-tests: The number of failing tests went down
from 663 to 344. (Both numbers exclude tests that failed because of
unaligned accesses in code that is inside #if HAVE_FAST_UNALIGNED.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 736c7c20e7819811dc59f43490563789b192eb6e)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affected the FATE-tests exr-rgb-scanline-pxr24-half-uint32-13x9 and
exr-rgb-scanline-pxr24-uint32.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b0f949906116c40b6f1e55a1bce4447ada3219c)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes the movenc FATE-test.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 646799b42fd59ee79920e472795bf881b78bb5ce)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes the acodec-pcm-u16[lb]e FATE-tests.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 69473bec6f38fefc9a433d95f8e00de101299592)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes ticket #8161 and the acodec-wavpack FATE-test.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 84974c6fb542cf019904016c2165d9a62db9f312)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes the FATE-tests unknown_layout-ac3, ac3-fixed-encode, ac3-encode
and eac3-encode. It furthermore fixes the ac3-encoder bugs mentioned in
tickets #7994, #8144 and #8159.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f289ec914cc7e8133858d4f9e8d91dab685ae44)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes the tdsc FATE-test.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 86bef10e7aee338a4df60c57904c16e33509e76e)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes ticket #8154.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b1fcba8ddcb7d29299ea28403fb597640a7288b)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Only read str_size bytes from offset 30 of extradata if the extradata is
indeed at least 30 + str_size bytes long.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
mov_read_custom tries to read three strings belonging to three different
tags. When an already encountered tag is encountered again, a new buffer
for the string to be read is allocated and stored in the pointer
destined for this particular tag. But in this scenario, said pointer
already holds the address of the string read earlier, leading to a leak.
This commit therefore aborts the reading process upon encountering
an already encountered tag.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The argument pertaining to a printf %s conversion specifier must not
be NULL, even if the precision (i.e. the number of characters to write)
is zero. If it is NULL, it is undefined behaviour.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if allocating the AVStream for the subtitles fails.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a708f652737eba08607df84394ca4bec6b458736)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle
or when creating extradata.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>