ffmpeg

Author	SHA1	Message	Date
Michael Niedermayer	140626b386	avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed() Fixes undefined behavior Fixes: 640912-media Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	4a2f30eeff	avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c Fixes: left shift of negative value Fixes: 668346-media Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	c2e4ced78e	avformat/oggparsespeex: Check frames_per_packet and packet_size The speex specification does not seem to restrict these values, thus the limits where choosen so as to avoid multiplicative overflow Fixes undefined behavior Fixes: 635422.ogg Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	cc27b8e09f	avformat/utils: Check start/end before computing duration in update_stream_timings() Fixes undefined behavior Fixes: 637428.ogg Found-by: Matt Wolenetz <wolenetz@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	0d8a17410b	avcodec/flac_parser: Update nb_headers_buffered Fixes infinite loop Fixes: fuzz.flac Found-by: Frank Liberato <liberato@google.com> Reviewed-by: Frank Liberato <liberato@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2475858889cde6221677473b663df6f985add33d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	60ca730d21	avformat/idroqdec: Check chunk_size for being too large Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	ebe104e827	avformat/utils: Fix type mismatch Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a06e84b56e936ff3ca090f53d81f9cbc3514e0e0) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	42a20f1fea	avformat/mpeg: Adjust vid probe threshold to correct mis-detection Fixes: _ij.mp3 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	936d07ab25	avcodec/rv40: Test remaining space in loop of get_dimension() Fixes infinite loop Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 1546d487cf12da37d90a080813f8d57ac33036bf) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	571d4af281	avcodec/ituh263dec: Avoid spending a long time in slice sync Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2baf36caed98cfdc7f6a2086fbf26f1a172f16cf) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	5f3043e51c	avcodec/movtextdec: Add error message for tsmb_size check Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0eb319800567b79ca6b4cf0d90904318641b9e50) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	096aab12a3	avcodec/movtextdec: Fix tsmb_size check==0 check Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a609905723c01e356d35146425c3d45c090aae7b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	04310c11aa	avcodec/movtextdec: Fix potential integer overflow Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 6ea27157682200e5f78cadcabdb009eccd9dd9b1) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	eaf2f750c3	avcodec/sunrast: Fix input buffer pointer check Fixes: out of array read Fixes: poc.dat Found-by: Bingchang, Liu @VARAS of IIE Tested-by: bc L <l.bing.chang.bc@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 37138338ff602803d174b13fecd363a083bc2f9a) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	755d6e4190	avcodec/tscc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 979bca513424879ed0c653cb1b55fc4156a89576) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	a190ca54f4	avcodec/rawdec: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5f0bc0215a0f7099a2bcba5dced2e045e70fee61) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	6f1ef60d50	avcodec/msvideo1: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 161ccdaa06d1d109e8f77d2535bda11ce02720f5) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	02ac02e2ac	avcodec/qpeg: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 16793504dfba44e738655807db3274301b9bc690) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	1f8452b428	avcodec/qtrle: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 7d196f2a5a48faf25fd904b33b1fd239daae9840) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	d98d006eef	avcodec/msrle: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a6330119a099840c5279697cf80cb768df97a90a) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	dec89aee89	avcodec/kmvc: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2d99101d0964f754822fb4af121c4abc69047dba) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	e23f86d2fb	avcodec/idcinvideo: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a2b8dde65947bfabf42269e124ef83ecf9c5974a) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	4f2716da68	avcodec/cinepak: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 121be310607879841d19a34d9f16d4fe9ba7f18c) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	668e47e9fd	avcodec/8bps: Check side data size before use Fixes out of array read Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 042faa847feea820451c474af0034fd3de9cff82) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	e90fbc86c1	avformat/flvdec: Fix regression loosing streams Fixes: unknown_video.flv Found-by: Thierry Foucu <tfoucu@google.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 077939626eeaa0c1364065414c18ab9b3a072281) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	37ff66d1bd	avcodec/dvdsubdec: Fix off by 1 error Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	b6b7034416	avformat/isom: Fix old API regression with exporting max bitrate Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit d88a6bedb9bc51eff35578a0b08d1088ee53bcda) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	b7940ecb5a	avcodec/dvdsubdec: Fix buf_size check Fixes out of array access Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Ronald S. Bultje	2dcc0bce39	vp9: change order of operations in adapt_prob(). This is intended to workaround bug "665 Integer Divide Instruction May Cause Unpredictable Behavior" on some early AMD CPUs, which causes a div-by-zero in this codepath, such as reported in Mozilla bug #1293996. Note that this isn't guaranteed to fix the bug, since a compiler is free to reorder instructions that don't depend on each other. However, it appears to fix the bug in Firefox, and a similar patch was applied to libvpx also (see Chrome bug #599899). (cherry picked from commit be885da3427c5d9a6fa68229d16318afffe67193) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Michael Niedermayer	0e3dc45ce8	avcodec/interplayvideo: Check side data size before use Fixes out of array read Found-by: Thomas Garnier using libFuzzer Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 85d23e5cbc9ad6835eef870a5b4247de78febe56) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2016-12-05 18:29:12 +01:00
Andreas Cadhalpun	072246993a	mss2: only use error correction for matching block counts This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2 with coded_width/coded_height larger than width/height. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 2566ad98b01538ea589e5ee07b69fc566aadc348) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:08 +01:00
Andreas Cadhalpun	5d1502d4b6	softfloat: decrease MIN_EXP to cover full float range floats are not necessarily normalized, so a normalized softfloat needs MIN_EXP lowered by 23 to cover that range. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 2d6f46d801bab990b7e742b8a8e5c5b0cb70a80e) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:08 +01:00
Andreas Cadhalpun	e70caba384	libopusdec: default to stereo for invalid number of channels This fixes an out-of-bounds read if avc->channels is 0. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 8c8f543b81aa2b50bb6a6cfd370a0061281492a3) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:08 +01:00
Andreas Cadhalpun	d0f8741a5a	flvdec: require need_context_update when changing codec id Otherwise the codec context and codecpar might disagree on the codec id, triggering asserts in av_parser_parse2. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 98b3a7979f2ff64cacfba4d8925faa28fc657c51) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:07 +01:00
Andreas Cadhalpun	9b506280dd	pgssubdec: only set w/h/linesize when allocating data Rects with positive w/h/linesize but no data are invalid. Reviewed-by: Petri Hintukainen <phintuka@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 995512328ed84bb737bc364e4ef6fba1994f062a) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:07 +01:00
Andreas Cadhalpun	312757eb84	sbgdec: prevent NULL pointer access Reviewed-by: Josh de Kock <josh@itanimul.li> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:07 +01:00
Andreas Cadhalpun	e2de6f31c0	rmdec: validate block alignment This fixes division by zero crashes. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit de4ded06366e5767d0af277a61d9a56b8c8f9c19) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:07 +01:00
Andreas Cadhalpun	53e1493cb5	smacker: limit recursion depth of smacker_decode_bigtree This fixes segmentation faults due to stack-overflow caused by too deep recursion. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:07 +01:00
Andreas Cadhalpun	315f1dea84	mxfdec: fix NULL pointer dereference in mxf_read_packet_old Metadata streams have priv_data set to NULL. Reviewed-by: Josh de Kock <josh@itanimul.li> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:07 +01:00
Andreas Cadhalpun	b4f42e5c85	ffmdec: validate codec parameters A negative extradata size for example gets passed to memcpy in avcodec_parameters_from_context causing a segmentation fault. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 1c7da19a4b45f5623cb3955b29b9a581026e3c61) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:07 +01:00
Andreas Cadhalpun	cb936d6266	exr: reindent after previous commit Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit ce3147eb198770b558acf6c05f33cb807a413707) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:06 +01:00
Andreas Cadhalpun	71378e7937	exr: fix out-of-bounds read channel_index can be -1. This problem was introduced in commit 2dd7b46132e2801ef34fe1b5c27e0113cdcfa2f9. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit ffdc5d09e498bee8176c9e35df101c01c546a738) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:06 +01:00
Andreas Cadhalpun	f70e9726dc	libschroedingerdec: fix leaking of framewithpts Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 3c0328d58d98664b05efdd377d3fe66a569d385e) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:06 +01:00
Andreas Cadhalpun	89a22d3fbf	libschroedingerdec: don't produce empty frames They are not valid and can cause problems/crashes for API users. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit a86ebbf7f641bc797002ddea7fb517759722cd1b) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:06 +01:00
Andreas Cadhalpun	d000e66c4f	softfloat: handle -INT_MAX correctly This is similar to commit 9ac61e73d0843ec4b83f4e3d47eded73234e406e. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 0edd569466eb45b134690b9f4efbb57eda86f58d) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:06 +01:00
Andreas Cadhalpun	52d8c1e474	filmstripdec: correctly check image dimensions This prevents a division by zero in read_packet. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:06 +01:00
Andreas Cadhalpun	a5ba9eab44	pnmdec: make sure v is capped by maxval Otherwise put_bits can be called with a value that doesn't fit in the sample_len, causing an assertion failure. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit cdb5479c9ddc886f0b8661db585405ebab343e80) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:06 +01:00
Andreas Cadhalpun	eaf79ac2d9	smvjpegdec: make sure cur_frame is not negative This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:05 +01:00
Andreas Cadhalpun	c35a140e71	icodec: correctly check avio_read return value It can read less than the requested amount, in which case buf contains uninitialized data, causing problems like segmentation faults later on. Also make sure that image->size is positive, so that it can't match a negative error code. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:05 +01:00
Andreas Cadhalpun	5c2e26275c	dvbsubdec: fix division by zero in compute_default_clut This problem was introduced in commit 4b90dcb8493552c17a811c8b1e6538dae4061f9d. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit c82b8ef0e4f226423ddd644bfe37e6a15d070924) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:28:05 +01:00

... 8 9 10 11 12 ...

81413 Commits