avcodec/vp3dsp: Use unsigned constant to avoid undefined integer overflow in ff_vp3dsp_set_bounding_values()
Fixes: signed integer overflow: 64 * 33686018 cannot be represented in type 'int' Fixes: 26911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-4904975073017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/icodec: Check for zero streams and stream creation failure
Fixes: NULL pointer dereference Fixes: 26814/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5758487797432320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Martin Storsjö [Fri, 30 Oct 2020 10:59:03 +0000 (12:59 +0200)]
aviobuf: Increase the default SHORT_SEEK_THRESHOLD to 32 KB
The previous threshold, 4 KB, maybe was reasonable when it was set
(in 2010), but in today's settings and with typical network speeds
and data sizes, it's pretty small. 32 KB probably is a more reasonable
default now, regardless of input.
This changes the test references for two seek tests.
When using the normal seek function, which boils down to the lseek(2)
function, a seek to an out of bounds position doesn't return an error,
but that condition is only reported when doing the subsequent read
(which returns EOF). When doing more seeks by fast forwarding, the
fact that the seeked to destination is out of bounds is noticed and
reported sooner in these cases.
avformat/sbgdec: Check that end is not before start
Fixes: signed integer overflow: -9223372036854775808 + -5279949906739200 cannot be represented in type 'long' Fixes: 26908/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6329610851319808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Tue, 27 Oct 2020 21:25:06 +0000 (18:25 -0300)]
avcodec/cbs_av1: add a range check to tg_end
Section 6.10.1 of the AV1 spec states:
It is a requirement of bitstream conformance that the value of tg_start is
equal to the value of TileNum at the point that tile_group_obu is invoked.
It is a requirement of bitstream conformance that the value of tg_end is
greater than or equal to tg_start.
Limin Wang [Wed, 11 Nov 2020 10:26:26 +0000 (18:26 +0800)]
avformat/rtsp: move SDP_MAX_SIZE macro definition to header file
move comments for the size of SDP_MAX_SIZE here:
Some SDP lines, particularly for Realmedia or ASF RTSP streams,
contain long SDP lines containing complete ASF Headers (several
kB) or arrays of MDPR (RM stream descriptor) headers plus
"rulebooks" describing their properties. Therefore, the SDP line
buffer is large.
The Vorbis FMTP line can be up to 16KB - see xiph_parse_sdp_line
in rtpdec_xiph.c.
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Fixes: assertion failure Fixes: 26905/clusterfuzz-testcase-minimized-ffmpeg_dem_LVF_fuzzer-5724267599364096.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
At the end of its decode function, the decoder sets *got_frame to 1 and
then checks whether ret is < 0; if so, it is returned, otherwise
avpkt->size is. But it is impossible for ret to be < 0 here and if it
were, it would be nonsense to set *got_frame to 1 before this. Therefore
just return avpkt->size unconditionally.
Without this metadata section the ffmpeg utility thinks that the AMF encoder
does not support input from D3D11 and DXVA2 hardware surfaces, causing
hardware pipelines to fail.
tools/target_dem_fuzzer: Consider it an EIO when reading position wraps around 64bit
Fixes: signed integer overflow: 9223372036854775807 + 564 cannot be represented in type 'long' Fixes: 26494/clusterfuzz-testcase-minimized-ffmpeg_dem_VOC_fuzzer-576754158849228 Fixes: 26549/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-4844306424397824
FIxes: 26875/clusterfuzz-testcase-minimized-ffmpeg_dem_C93_fuzzer-5996226782429184
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access Fixes: 26816/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-6282861159907328.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint <cus@passwd.hu> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array write Fixes: 26821/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_SWF_fuzzer-5764465137811456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
This patch adds a select_region option to the xcbgrab input device.
If set to 1, the user will be prompted to select the grabbing area
graphically by clicking and dragging. A rectangle will be drawn to
mark the grabbing area. A single click with no dragging will select
the whole screen. The option overwrites the video_size, grab_x, and
grab_y options if set by the user.
For testing, just set the select_region option as follows:
The drawing happens directly on the root window using standard rubber
banding techniques, so it is very efficient and doesn't depend on any
X extensions or compositors.
During init the mts2 decoder allocates several VLCs and then several
buffers in a loop; if one of the latter allocations fails, only the VLCs
are freed, not any buffers that might already have been successfully
allocated. This commit fixes this by setting the
FF_CODEC_CAP_INIT_CLEANUP flag.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avformat/bintext: Check width in idf_read_header()
Fixes: division by 0 Fixes: 26802/clusterfuzz-testcase-minimized-ffmpeg_dem_IDF_fuzzer-5180591554953216.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Bigger sizes are misinterpreted as negative numbers by the API Fixes: infinite loop Fixes: 26611/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4890614975692800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/vividas: improve extradata packing checks in track_header()
Fixes: out of array accesses Fixes: 26622/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6581200338288640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Zane van Iperen [Tue, 3 Nov 2020 13:41:53 +0000 (23:41 +1000)]
avformat/argo_brp: remove block_align check for audio
Causes a divide-by-zero in the rare case where:
- the file has an audio stream,
- the first audio frame isn't within the first BRP_BASF_LOOKAHEAD frames,
- an audio frame is encountered later, and
- its chunk header (except num_blocks) contains all zeros
(matching the uninitialised structure in the context)
The decoder will discard any garbage data, so the check isn't really needed.
Fixes: division by 0 Fixes: 26667/clusterfuzz-testcase-minimized-ffmpeg_dem_ARGO_BRP_fuzzer-5645146928185344.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
avformat/apngdec: Check fcTL chunk length when reading header
Reading the header terminates when an fcTL chunk is encountered in which
case read_header returned success without checking the length of said
chunk. Yet when read_packet processes this chunk, it checks for the
length to be 26 and errors out otherwise. So do so when reading the header,
too.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
apng data consists of parts containing a small header (including a
four-byte size field) and a data part; the size field does not account
for everything and is actually twelve bytes short of the actual size. In
order to make sure that the size fits into an int, the size field is
checked for being > INT_MAX; yet this does not account for the + 12 and
upon conversion to int (which happens when calling append_extradata()),
the size parameter can still wrap around. In this case the currently
used check would lead to undefined signed integer overflow.
Furthermore, append_extradata() appends the new data to the already
existing extradata and therefore needs to make sure that the combined
size of new and old data as well as padding fits into an int. The check
used for this is "if (old_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE -
new_size)". If new_size is > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE
the right side becomes negative if the types are signed (as they are
now); yet changing this to "if (new_size > INT_MAX -
AV_INPUT_BUFFER_PADDING_SIZE - old_size)" is better as this also works
for unsigned types (where it is of course presumed that INT_MAX is
replaced by the corresponding maximum for the new type).
Both of these issues have been fixed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avformat/apngdec: Return error for incomplete header
If avio_read() could read anything, it returns the number of bytes read,
even if it could not read as much as the caller desired.
apng_read_header() only checked the return value of its avio_read() calls
for being negative and this meant that it was possible for an incomplete
header to not be detected. The return value of the last successfull call
has been returned instead. This commit changes this.
Fixes: OOM Fixes: 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192 Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out array read Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>