Andreas Rheinhardt
010281ed23
avformat/mpegenc: Ensure packet queue stays valid
...
The MPEG-PS muxer uses a custom queue of custom packets. To keep track
of it, it has a pointer (named predecode_packet) to the head of the
queue and a pointer to where the next packet is to be added (it points
to the next-pointer of the last element of the queue); furthermore,
there is also a pointer that points into the queue (called premux_packet).
The exact behaviour was as follows: If premux_packet was NULL when a
packet is received, it is taken to mean that the old queue is empty and
a new queue is started. premux_packet will point to the head of said
queue and the next_packet-pointer points to its next pointer. If
predecode_packet is NULL, it will also made to point to the newly
allocated element.
But if premux_packet is NULL and predecode_packet is not, then there
will be two queues with head elements premux_packet and
predecode_packet. Yet only elements reachable from predecode_packet are
ever freed, so the premux_packet queue leaks.
Worse yet, when the predecode_packet queue will be eventually exhausted,
predecode_packet will be made to point into the other queue and when
predecode_packet will be freed, the next pointer of the preceding
element of the queue will still point to the element just freed. This
element might very well be still reachable from premux_packet which
leads to use-after-frees lateron. This happened in the tickets mentioned
below.
Fix this by never creating two queues in the first place by checking for
predecode_packet to know whether the queue is empty. If premux_packet is
NULL, then it is set to the newly allocated element of the queue.
Fixes tickets #6887 , #8188 and #8266 .
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com >
(cherry picked from commit cfce16449c
2021-10-19 19:05:16 -03:00
Andreas Rheinhardt
f7c9b1ed56
avformat/movenc: Fix segfault when remuxing rtp hint stream
...
When remuxing an rtp hint stream (or any stream with the tag "rtp "),
the mov muxer treats this as one of the rtp hint tracks it creates
internally when ordered to do so; yet this track lacks the
AVFormatContext for the hinting rtp muxer, leading to segfaults in
mov_write_udta_sdp() if a "trak" atom is written for this stream; if not,
the stream's codecpar is freed by mov_free() as if the mov muxer owned
it (it does for the internally created "rtp " tracks), but without
resetting st->codecpar, leading to double-frees lateron. This commit
therefore ignores said tag which makes rtp hint streams unremuxable.
This fixes tickets #8181 and #8186 .
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com >
(cherry picked from commit 22c3cd1760
2021-10-19 19:03:19 -03:00
Baptiste Coudurier
3c4e1a56e3
avformat/mxfenc: fix index byte count in partition header
2021-10-19 19:01:36 -03:00
Michael Niedermayer
a5d2008e2a
Changelog: update
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
2021-10-17 19:42:14 +02:00
Lynne
d7bd4f73a7
configure: update copyright year
...
(cherry picked from commit 63505fc60amichael@niedermayer.cc >
2021-10-16 21:19:24 +02:00
Michael Niedermayer
9d8945bd49
avformat/wavdec: Check smv_block_size
...
Fixes: Timeout
Fixes: 39554/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-4915221701984256
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 849138f476michael@niedermayer.cc >
2021-10-16 21:19:24 +02:00
Michael Niedermayer
770b4de8d1
avformat/rmdec: Check for multiple audio_stream_info
...
Fixes: memleak
Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8fe3566b8fmichael@niedermayer.cc >
2021-10-16 21:19:24 +02:00
Michael Niedermayer
3c81d7025e
avcodec/apedec: Use 64bit to avoid overflow
...
Fixes: runtime error: signed integer overflow: 727298502 * 3 cannot be represented in type 'int'
Fixes: 39172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-638602483033702
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit f059b56195michael@niedermayer.cc >
2021-10-16 21:19:24 +02:00
Michael Niedermayer
9236882745
avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830()
...
Fixes: signed integer overflow: -2145648640 - 3357696 cannot be represented in type 'int'
Fixes: 38899/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5358815017566208
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit ad517ee6e4michael@niedermayer.cc >
2021-10-16 21:19:24 +02:00
Michael Niedermayer
186222fa56
oavformat/avidec: Check offset in odml
...
Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long'
Fixes: 38787/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4859845799444480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 255a7b423emichael@niedermayer.cc >
2021-10-16 21:19:24 +02:00
Michael Niedermayer
e295b5f3d3
avformat/mpegts: use actually read packet size in mpegts_resync special case
...
Fixes: infinite loop
Fixes: 37986/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5292311517462528 -
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Marton Balint <cus@passwd.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 83b2e4c8f1michael@niedermayer.cc >
2021-10-16 21:19:24 +02:00
Timo Rothenpieler
0699b0836d
avfilter/scale_npp: fix non-aligned output frame dimensions
2021-10-07 18:31:41 +02:00
Michael Niedermayer
ef2efaa78b
Update for 4.1.8
2021-10-06 13:43:40 +02:00
Michael Niedermayer
ff48f4aad7
swscale/alphablend: Fix slice handling
...
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 06d6726588michael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
c59e2d2f03
avcodec/mxpegdec: Check for AVDISCARD_ALL
...
Fixes: Fixes NULL pointer dereference
Fixes: 36610/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6052641783283712
Fixes: 37907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-4725170850365440
Fixes: 37904/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-6367889262247936
Fixes: 38085/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MXPEG_fuzzer-5175270823297024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 20afd3a63amichael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
800e7d83e8
avcodec/flicvideo: Check remaining bytes in FLI*COPY
...
Fixes: Timeout
Fixes: 37795/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4846536543043584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 5f835efbcamichael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
512a132e4c
avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127
...
Fixes: index 128 out of bounds for type 'uint16_t [128]'
Fixes: 38651/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6296416058736640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 85413a5ae6michael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
448e9ce5e5
avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return
...
Fixes: invalid shift
Fixes: 37018/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-5290280902328320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 5a95abcce4michael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
552430993d
avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable
...
Fixes: error: 1.66789e+11 is outside the range of representable values of type 'int'
Fixes: Ticket8201
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 245017ec8amichael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
25f9794e56
avcodec/apedec: Fix integer overflow in intermediate
...
Fixes: signed integer overflow: 559334865 * 4 cannot be represented in type 'int'
Fixes: 37929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6751932295806976
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 90da43557fmichael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
ea9fc9676c
avformat/mvdec: Do not set invalid sample rate
...
Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long'
Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 737e6bf216michael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
a214f6e238
avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4
...
Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int'
Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e2c2872393michael@niedermayer.cc >
2021-10-06 12:06:15 +02:00
Michael Niedermayer
ecb7f15b7b
avformat/mov: Check for duplicate clli
...
Fixes: memleak
Fixes: 35261/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4869656287510528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 9a222f140emichael@niedermayer.cc >
2021-10-06 11:44:12 +02:00
Michael Niedermayer
f997f89071
avformat/jacosubdec: Check for min in t overflow in get_shift()
...
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 34651/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5157941012463616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 989febfbd0michael@niedermayer.cc >
2021-10-06 11:44:12 +02:00
Michael Niedermayer
6992f5f665
avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet()
...
Fixes: Out of array access
Fixes: 37030/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5387719147651072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 3dd5a8a135michael@niedermayer.cc >
2021-10-06 11:44:12 +02:00
Paul B Mahol
d7490ef341
avfilter/vf_bwdif: fix heap-buffer overflow
...
Fixes #8261
(cherry picked from commit 8c3166e1c3jamrial@gmail.com >
2021-09-13 16:51:43 -03:00
Paul B Mahol
8c9ff740a3
avfilter/vf_bm3d: fix heap-buffer overflows
...
Fixes #8262
(cherry picked from commit 0749082eb9jamrial@gmail.com >
2021-09-13 16:51:43 -03:00
Paul B Mahol
f1fc3fe317
avfilter/vf_floodfill: finish early if source and destination fill matches
...
Fixes #8236
(cherry picked from commit 1331e00179jamrial@gmail.com >
2021-09-13 16:51:43 -03:00
Paul B Mahol
ac5a7d5a67
avfilter/vf_edgedetect: fix heap-buffer overflow
...
Fixes #8275
(cherry picked from commit de598f82f8jamrial@gmail.com >
2021-09-13 16:51:43 -03:00
Paul B Mahol
da3d6068f3
avfilter/vf_w3fdif: deny processing small videos
...
Fixes #8243
(cherry picked from commit 0e68e8c93fjamrial@gmail.com >
2021-09-13 16:51:43 -03:00
Paul B Mahol
df5e017709
avfilter/af_afade: fix heap-buffer overflow
...
Fixes #8276
(cherry picked from commit e1b89c76f6jamrial@gmail.com >
2021-09-13 16:50:46 -03:00
Paul B Mahol
29f1cf0c0f
avfilter/vf_colorconstancy: fix overreads in gauss array
...
Fixes #8250
(cherry picked from commit a7fd127970jamrial@gmail.com >
2021-09-13 16:50:33 -03:00
Paul B Mahol
e06e89f627
avcodec/pngenc: remove monowhite from apng formats
...
Monowhite pixel format is not supported, and it does not make sense
to add support for it.
Fixes #7989
(cherry picked from commit 5d9f44da46jamrial@gmail.com >
2021-09-13 16:50:33 -03:00
Paul B Mahol
aef4cbec69
avfilter/vf_datascope: fix heap buffer overflow
...
Fixes #8309
(cherry picked from commit d4d6b7b035jamrial@gmail.com >
2021-09-13 16:50:33 -03:00
Paul B Mahol
d60effdf83
avfilter/vf_fieldmatch: fix heap-buffer overflow
...
Also fix use of uninitialized values.
Fixes #8239
(cherry picked from commit ce5274c138jamrial@gmail.com >
2021-09-13 16:50:33 -03:00
Paul B Mahol
c79606f233
avfilter/vf_fieldorder: fix heap-buffer overflow
...
Fixes #8264
(cherry picked from commit 07050d7bdcjamrial@gmail.com >
2021-09-13 16:50:32 -03:00
Paul B Mahol
69f5d4b7fd
avfilter/vf_bitplanenoise: fix overreads
...
Fixes #8244
(cherry picked from commit 0b56723874jamrial@gmail.com >
2021-09-13 16:50:32 -03:00
Paul B Mahol
540047eda8
avfilter/vf_edgedetect: check if height is big enough
...
Fixes #8260
(cherry picked from commit ccf4ab8c9ajamrial@gmail.com >
2021-09-13 16:50:32 -03:00
Paul B Mahol
3a9f384225
avfilter/af_tremolo: fix heap-buffer overflow
...
Fixes #8317
(cherry picked from commit 58bb9d3a3ajamrial@gmail.com >
2021-09-13 16:50:32 -03:00
Paul B Mahol
f5da6cff35
avfilter/vf_neighbor: check if width is 1
...
Fixes #8242
(cherry picked from commit e787f8fd7ejamrial@gmail.com >
2021-09-13 16:49:27 -03:00
Paul B Mahol
01f3824f6c
avfilter/vf_avgblur: fix heap-buffer overflow
...
Fixes #8274
(cherry picked from commit f069a9c2a6jamrial@gmail.com >
2021-09-13 16:49:13 -03:00
Michael Niedermayer
fbb83f3d41
Revert "avformat/wvdec: Check rate for overflow"
...
The code this fixes is not in release/4.1
Found-by: <mkver>
This reverts commit b81d1379c2
2021-09-10 16:04:39 +02:00
Michael Niedermayer
add3d4048d
Update for 4.1.7
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
2021-09-09 21:03:35 +02:00
James Almer
dfb9a3f7f3
avcodec/utils: don't return negative values in av_get_audio_frame_duration()
...
In some extrme cases, like with adpcm_ms samples with an extremely high channel
count, get_audio_frame_duration() may return a negative frame duration value.
Don't propagate it, and instead return 0, signaling that a duration could not
be determined.
Fixes ticket #9312
Signed-off-by: James Almer <jamrial@gmail.com >
(cherry picked from commit e01d306c64michael@niedermayer.cc >
2021-09-09 13:59:05 +02:00
Michael Niedermayer
608be8437b
avcodec/jpeg2000dec: Check that atom header is within bytsetream
...
Fixes: Infinite loop
Fixes: 36666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5912760671141888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 3c659f8618michael@niedermayer.cc >
2021-09-09 13:59:05 +02:00
Michael Niedermayer
5240beb4c5
avcodec/apedec: Fix 2 integer overflows in filter_3800()
...
Fixes: signed integer overflow: 1683879955 - -466265224 cannot be represented in type 'int'
Fixes: 37419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6074294407921664
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 33feb527ffmichael@niedermayer.cc >
2021-09-09 13:59:05 +02:00
Michael Niedermayer
29d6be42d1
avcodec/xpmdec: Move allocations down after more error checks
...
Fixes: Timeout
Fixes: 37035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5142718576721920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e58692837cmichael@niedermayer.cc >
2021-09-09 13:59:05 +02:00
Martin Storsjö
feba3d29be
network: Define ENOTCONN as WSAENOTCONN if not defined
...
This fixes compilation with old mingw.org toolchains, which has got
much fewer errno.h entries.
Signed-off-by: Martin Storsjö <martin@martin.st >
(cherry picked from commit 6569e9505cmichael@niedermayer.cc >
2021-09-09 13:59:05 +02:00
Michael Niedermayer
3837ebef6e
avformat/avidec: Use 64bit for frame number in odml index parsing
...
Fixes: signed integer overflow: 1179337772 + 1392508928 cannot be represented in type 'int'
Fixes: 34088/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5846945303232512
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit a4c98c507emichael@niedermayer.cc >
2021-09-09 13:59:05 +02:00
Michael Niedermayer
772e8bf0e7
avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac()
...
Fixes: Timeout
Fixes: 36262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4969052454912000
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 909faca929michael@niedermayer.cc >
2021-09-09 13:59:05 +02:00
