avcodec/aacdec_fixed: Limit index in vector_pow43()
Fixes: out of array access Fixes: 26087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5724825462767616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/kvag: Fix integer overflow in bitrate computation
Fixes: signed integer overflow: 1077952576 * 4 cannot be represented in type 'int' Fixes: 26152/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674758518341632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/h264_slice: fix undefined integer overflow with POC in error concealment
Alternatively the POC could be changed to 64bit. the large values seem to be within what is allowed.
Fixes: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 26076/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5711127201447936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
tools/target_dec_fuzzer: assume that discarded audio packets produced max samples
We do not know how many samples these produce as its not exported.
Alternatively we could export that but as long as its not we better
assume its more than 0 as otherwise the thresholds would not work
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This is more than 10 times the size of the largest i found. And also alot more
than our encoder could handle (our encoder is limited to max 31)
Without any limit megabyte+ sized blocks can be reallocated millions of times.
Sadly the SCTE-20 spec does not seem to contain any hard limit directly, so this limit here
is arbitrary
Fixes: Timeout (25sec -> 152ms) Fixes: 25714/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-5713633336885248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of memory Fixes: 25588/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHOTOCD_fuzzer-6612945080156160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -14671840 * 8224 cannot be represented in type 'int' Fixes: 24793/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5101884323659776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The ASUS V2 format is designed for a little-endian bitstream reader, yet
our encoder used an ordinary big-endian bitstream writer to write it;
the bits of every byte were swapped at the end and some data (namely the
numbers not in static tables) had to be bitreversed before writing it at
all, so that it would be reversed twice.
This commit stops doing so; instead, a little-endian bitstream writer is
used. This also necessitated to switch certain static tables, which
required trivial modifications to the decoder (that uses the same
tables).
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Up until now the ASV2 decoder used an ordinary big-endian bitreader to
read data actually destined for a little-endian bitreader; this is done
by reversing the whole input packet bitwise, using the big-endian
bigreader and reversing (and shifting) the result again. This commit
stops this and instead uses a little-endian bitreader directly.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: signed integer overflow: -895002 * 2400 cannot be represented in type 'int' Fixes: 26052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5431812577558528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/smacker: Check remaining bits in SMK_BLK_FULL
Fixes: out of array access Fixes: 26047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5083031667474432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: off by 1 error Fixes: index 5 out of bounds for type 'COOKSubpacket [5]' Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/utils: Check for overflow with ATRAC* in get_audio_frame_duration()
Fixes: signed integer overflow: 1024 * 13129048 cannot be represented in type 'int' Fixes: 26378/clusterfuzz-testcase-minimized-ffmpeg_dem_CODEC2RAW_fuzzer-5634018353348608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/icodec: Change order of operations to avoid NULL dereference
Fixes: SEGV on unknown address 0x000000000000 Fixes: 26379/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5709011753893888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Marton Balint [Fri, 9 Oct 2020 19:37:07 +0000 (21:37 +0200)]
avformat/libsrt: fix cleanups on failed libsrt_open() and libsrt_setup()
- Call srt_epoll_release() to avoid fd leak on libsrt_setup() error.
- Call srt_cleanup() on libsrt_open() failure.
- Fix return value and method on mode parsing failure.
Based on a patch by Nicolas Sugino <nsugino@3way.com.ar>.
Andriy Gelman [Wed, 14 Oct 2020 04:38:22 +0000 (00:38 -0400)]
avcodec/movtextenc: fix writing to bytestream on BE arches
Fixes fate-binsub-movtextenc on PPC64
Currently tags are written in reverse order on BE arches. This is fixed
by using MKBETAG() and AV_RB32() to be arch agnostics.
Also s->font_count is of type int. On BE arches with 32bit int,
count = AV_RB16(&s->font_count) will read two most significant bytes
instead of the least significant bytes. This is fixed by assigning
s->font_count to count first.
The final change is modifying the type of len. On BE arches
the most significant byte of the int was written instead of the least
significant byte.
Fixes: signed integer overflow: 1073741827 * 8 cannot be represented in type 'int' Fixes: 25621/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6304841641754624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/vp9dsp_template: Fix integer overflows in idct16_1d()
Fixes: signed integer overflow: -190760 * 11585 cannot be represented in type 'int' Fixes: 25471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5743354917421056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Timeout (minutes to less than 1sec) Fixes: 25682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANSI_fuzzer-6320712032452608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int' Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/mobiclip: Check that Motion vectors are within the input frame
The MV checks did not consider the width and height of the block, also they
had some off by 1 errors. This resulted in undefined behavior and crashes.
This commit instead errors out on these
Fixes: out of array read Fixes: 26080/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-5758146355920896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/mobiclip: set the bitstream size to the input
Fixes: out of array read Fixes: 25453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-5163575973511168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Such values are not supported by ff_subtitles_queue*
Fixes: signed integer overflow: 10 - -9223372036854775808 cannot be represented in type 'long' Fixes: 24193/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5714901855895552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/webp: Use LE VLC table for LE bitstream reader
The WebP format uses Huffman tables and the decoder therefore uses
VLC tables. Given that WebP is a LE format, a LE bitreader is used;
yet the VLC table is not created for a LE reader (the process used to
create the tables puts the last bit to be read in the lowest bit) and
therefore custom code for reading the VLCs that reverses the bits
read is used instead of get_vlc2(). This commit changes this to use
a table designed for LE bitreader which allows to use get_vlc2() directly.
The necessary reversing of the codes is delegated to
ff_init_vlc_sparse() (and is therefore only done during init and not
when actually reading the VLCs).
Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/vlc, bitstream: Allow to use BE codes to initialize LE VLC
This is easily possible because ff_init_vlc_sparse() already transforms
both LE as well as BE codes to a normal form internally before
processing them further. This will be used in subsequent commits.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/speedhq: Don't pretend reading DC can fail
It can't, because the tables used don't have any loose ends. This also
fixes a bug in the only caller of decode_dc_le(): It didn't check the
return value.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Before the LE bitstream reader was used in the Indeo 2 decoder,
a standard BE bitstream reader with swapped bits was used; when the LE
bitstream reader was added, the old code was only #ifdef'ed away and not
removed. Said code has several problems: It modifies the input packet
without ensuring that the packet is indeed writable; and it doesn't work
since 09c4e5c5988c0037d108c5fc2a137d9ad488f7f4 because said commit
removed the BE table used to initialize the VLC table. So just remove
this cruft from the actual decoder, too.
Also use INIT_LE_VLC_STATIC while at it.
Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
It currently uses 9 bits per table, but there are no codes with
nine bits at all, while there are codes with eight, ten and eleven bits.
So reducing the table size to eight bits will not reduce the amount of
codes that can be parsed in the first step, but it allows to reduce the
size of the motion-vector VLC.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: signed integer overflow: 570425356 * 6 cannot be represented in type 'int Fixes: 25929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5099197739827200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/adpcm: Check block align for AV_CODEC_ID_ADPCM_PSX
Regression since: ca49476ace90ddebc5f92d9d82297f77e528c21e Fixes: out of array write Fixes: 25786/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_PSX_fuzzer-5704869380620288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 872415232 * 7 cannot be represented in type 'int' Fixes: signed integer overflow: -2013265888 + -1744830464 cannot be represented in type 'int' Fixes: 25834/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-5471406434025472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Justin Ruggles [Fri, 2 Oct 2020 12:51:19 +0000 (08:51 -0400)]
Allow using only the mfra info for seeking using the fragment index
The mfra has enough information to enable seeking, and reading it is
behind an AVOption flag, so we shouldn't require that sidx information
also be present in order to seek using the fragment index.
avcodec/vp9: Fix stack-buffer overflow with VP9 VDPAU available
ccca62ef991f0a47dfa30c3e822d91294b8afe4c added new VP9 VDPAU profiles
and as a consequence AV_PIX_FMT_VDPAU can now be twice in the list of
pixel formats used for format negotiation by ff_thread_get_format(); yet
there is only one entry in said list reserved for VDPAU, leading to a
stack-buffer overflow. This commit fixes this by making sure that
AV_PIX_FMT_VDPAU will not occur twice in said list.
avcodec/sheervideo: Avoid code duplication when creating VLC tables
The SheerVideo decoder uses two VLC tables and these are in turn created
from structures (called SheerTable) that are naturally paired. This
commit unifies these pairs of SheerTables to arrays and unifies creating
the VLC tables.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/sheervideo: Reduce the size of static arrays
The SheerVideo decoder uses VLC tables which are currently stored in
large arrays that contain the length of each leaf of the corresponding
tree from left to right, taking 15.5KB of space. But all these arrays
follow a common pattern: First the entries are ascending and then they
are descending with lots of successive entries have the same value.
Therefore it makes sense to use a run-length encoding to store them, as
this commit does. Notice that the length 16 has to be treated specially
because there are arrays with more than 256 consecutive entries with
value 16 and because the length of the entries start to descend from
this length onward.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/sheervideo: Don't leave context in inconsistent state upon error
This has happened if the format changed midstream and if the new packet
is so small that it is instantaneously rejected: In this case the VLC
tables were for the new format, although the context says that they are
still the ones for the old format. It can also happen if the format
changed midstream and the allocation of the new tables fails. If the
next packet is a packet for the old format, the decoder thinks it
already has the correct VLC tables, leading to a segfault.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>