Fixes: signed integer overflow: 129 * 16711680 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6742285317439488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9b57d2f0a967195dc1c72fda8f3a983a0132a243)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 29195/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5037853281222656
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d7594ee751e621f6c7ef4d4977c4a3ce169ae0af)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long'
Fixes: 27341/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5442833206738944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a207df2acb92d6366ab2f0f18ba35709066b8eec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avio_read can successfully return even when less than the requested
amount of input was read. wavdec's bext parsing mistakenly assumed a
successful avio_read always read the full amount that was requested.
The result could be dictionary tags populated with partially
uninitialized values.
This change also fixes a broken assertion in wav_parse_bext_string that
was off-by-one, though no known current usage of that method hits that
broken case.
Chromium bug: 987270
Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes integer overflow and out of array access
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d232196372f309a75ed074c4cef30578eec1782)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
use av_get_codec_tag_string() in wav_read_header() for printing the
faulty start code from riff header
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Make it more readable and display an error message in case an invalid
header is detected (the current version just returns
AVERROR_INVALIDDATA)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Fixes ticket #3862.
As a side effect, this also fixes aac_latm in wav.
Signed-off-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Values outside would not be possible due to limitations of jpeg itself
Fixes very long running loop
Fixes Ticket2977
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
A file with a prepended ID3 tag of an uneven length was found
in the wild.
Check if the wav data starts at an uneven offset and use that
information to correct the seeking calculation in wav_seek_tag,
which used to only seek to even byte positions.
Regression since ac87eaf856e0fb51917266b899bb15d19b907baf
Signed-off-by: Alexander Strasser <eclipse7@gmx.net>
WAV chunks must be even aligned. This patch skip the extra padding byte
if chunk size is odd.
Fixes ticket #2417.
Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
