Fixes: signed integer overflow: 2099257366 * 2 cannot be represented in type 'int' Fixes: 27486/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-5112179134824448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/mov: Use av_mul_q() to avoid integer overflows
Fixes: signed integer overflow: 538976288 * 538976288 cannot be represented in type 'int' Fixes: 27473/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5758978289827840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/vp9dsp_template: Fix integer overflows in itxfm_wrapper
Fixes: signed integer overflow: 2147483641 + 32 cannot be represented in type 'int' Fixes: 27452/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5078752576667648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/rmdec: Reorder operations to avoid overflow
Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int' Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/rscc: Check inflated_buf size whan it is used
Fixes: out of array access Fixes: 27434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5196757675540480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Fixes: signed integer overflow: 999999999 * 8 cannot be represented in type 'int' Fixes: 30048/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5864289917337600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
sfan5 [Thu, 4 Feb 2021 01:33:17 +0000 (09:33 +0800)]
avformat/dashdec: Avoid segfault when URL template is unexpectedly missing
This isn't supposed to happen, but unfinished support for non-templated
manifests and lack of e.g. presentationTimeOffset handling can provoke
such a situation even with well-formed input.
Steven Liu [Mon, 18 Jan 2021 06:22:08 +0000 (14:22 +0800)]
avformat/dashdec: rename variable name for more readable
Rename is_init_section_common_audio to is_init_section_common_subtitle
for is_common_init_section_exist(c->subtitles, c->n_subtitles).
Because it is checked to subtitles, not audio.
Steven Liu [Mon, 18 Jan 2021 06:22:07 +0000 (14:22 +0800)]
avformat/dashdec: check init_section before use it.
because there have no Initialization in SegmentTemplate,
so it will have no init_section for init segment file.
but in the is_common_init_section_exist function it will be used for
check to url, url_offset and size, so check init_section
before use init_section.
And fix code style in is_common_init_section_exist,
make the code block short when it too long.
avformat/rtsp: Fix build failure when RTP demuxers are disabled
rtsp.c uses a check of the form "if (CONFIG_RTSP_DEMUXER && ...) {}"
with the intent to make the code compilable even though the part guarded
by this check contains calls to functions that don't exist when the RTSP
demuxer is disabled. Yet even then compilers still need a declaration of
all the functions in the dead code block and error out if not (due to
our usage of -Werror=implicit-function-declaration) and no such
declaration exists for a static function in rtsp.c. Simply adding a
declaration leads to a "used but never defined" warning, therefore this
commit resorts to an #if.
Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Jose Da Silva [Mon, 1 Feb 2021 03:51:10 +0000 (19:51 -0800)]
avcodec/xbmdec: get_nibble() minor speed increase, and binary reduction
Replace av_isxdigit(*ptr) and convert(*ptr) with get_nibble(*ptr) which
returns a valid nibble=={0x00..0x0f} or false==255 for all other values.
This way we only need to work with *ptr once instead of twice.
Removing inline av_isxdigit(x) functions also shrinks executable size.
Jose Da Silva [Mon, 1 Feb 2021 03:51:04 +0000 (19:51 -0800)]
avcodec/xbmdec: convert() minor speed increase
If we test for {0..9} first, we have tested for 10/16th of all possible
characters first and avoid testing the remaining 6/16th of all possible
characters, which can be either 6/16th lowercase or 6/16th uppercase.
Jose Da Silva [Mon, 1 Feb 2021 03:50:57 +0000 (19:50 -0800)]
avcodec/xbmenc: Pre-compute variables once for parse_str_int()
Some compilers are very intuitive, and others are not so much, so let's
pre-compute the variables e and keylen outside the for loop. Ensuring a
minor speed increase regardless of if compiler is smart enough to solve
this improvement for itself, or not.
Jose Da Silva [Mon, 1 Feb 2021 03:50:49 +0000 (19:50 -0800)]
avcodec/xbmenc: substitute end instead of recalculating end
Minor speed increase, end is calculated before entering parse_str_int(),
so let's take advantage of the value and avoid recalculating twice more.
This also allows parse_str_int() to work with file size larger than int.
Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int' Fixes: 28509/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6310969680723968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/simple_idct: Fix undefined integer overflow in idct4row()
Fixes: signed integer overflow: -1498310196 - 902891776 cannot be represented in type 'int' Fixes: 28445/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5075163389493248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/wavdec: Check block_align vs. channels before combining them
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6606935226974208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 42032 * 51092 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6679539648430080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 32 * -1795162112 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SOX_fuzzer-6724151473340416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SMACKER_fuzzer-6705429132476416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/sccdec: Use larger intermediate for ts/next_ts computation
Fixes: signed integer overflow: 92237203 * 33 cannot be represented in type 'int' Fixes: 26910/clusterfuzz-testcase-minimized-ffmpeg_dem_SCC_fuzzer-6603769487949824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of memory Fixes: 29985/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-6424425392111616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Tomas Härdin [Wed, 27 Jan 2021 13:08:55 +0000 (14:08 +0100)]
avformat/mxf: Establish register of local tags
Tags can be marked "not used" upfront, saving some space in the primer.
av_asserts0() is used to enforce that only tags that are in the primer can actually be written.
Sharing of MasteringDisplay ULs is now done via macros.
avformat/sbgdec: Use av_sat_add64() in str_to_time()
Fixes: signed integer overflow: 7279992792120000000 + 4611686018427387904 cannot be represented in type 'long long' Fixes: 29744/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6434060249464832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/rtpdec: Avoid allocations of small dynamic buffers
Besides avoiding allocations this also fixes a design defect of
ff_rtp_send_punch_packets: It did not return an error in case of
these allocations failed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/vp3: Check input amount in theora_decode_header()
Fixes: Timeout Fixes: 29226/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-6195092572471296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/wavdec: Check avio_get_str16le() for failure
Fixes: out of array access Fixes: 29195/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5037853281222656 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/dolby_e: Avoid code duplication when converting input
convert_input, a nontrivial auxiliary function used by both the general
parsing code as well as the decoder itself, has been duplicated in c7016e35a624a75bb5b82bee932ddfe28d013b3f; this commit removes said
duplication.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
These two functions are always called after another; after all, what
ff_dolby_e_parse_init does is obviously part of parsing the frame header.
Also move the DolbyEHeaderInfo into DBEContext so that parsing the frame
header only needs one struct (both users used a DBEContext immediately
followed by a separate DolbyEHeaderInfo).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Parsers are not forced to use a ParseContext and the other stuff from
parser.h which is just designed to help parsers recombining frames. But
this parser does not do this at all, i.e. the ParseContext is unused.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: index 26981 out of bounds for type 'ASFStreamData [128]' Fixes: 27334/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6197611002068992
Alternatively the array could be increased in size or the cases not fitting be ignored
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/utils: Use av_sat_sub64() in max_analyze_duration check
Fixes: signed integer overflow: 9223372036854710272 - -541165944832 cannot be represented in type 'long' Fixes: 27000/clusterfuzz-testcase-minimized-ffmpeg_dem_IVF_fuzzer-5643670608674816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/tedcaptionsdec: Check for overflow in parse_int()
Fixes: signed integer overflow: 1111111111111111111 * 10 cannot be represented in type 'long' Fixes: 26892/clusterfuzz-testcase-minimized-ffmpeg_dem_TEDCAPTIONS_fuzzer-5756045055754240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>