Fixes: out of array access Fixes: 1643/clusterfuzz-testcase-minimized-6117573403869184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/flicvideo: Check frame_size before decrementing
Fixes: runtime error: signed integer overflow: -2147483627 - 22 cannot be represented in type 'int' Fixes: 1637/clusterfuzz-testcase-minimized-5376582493405184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/scpr: mask bits to prevent out of array read
Fixes: 1615/clusterfuzz-testcase-minimized-6625214647500800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Add dxva2_pool_release_dummy() and use it in call to
av_buffer_create() in dxva2_pool_alloc().
Prior to this change, av_buffer_create() was called with NULL for the
third argument, which indicates that av_buffer_default_free() should
be used to free the buffer's data. Eventually, it gets to
buffer_pool_free() and calls buf->free() on a surface object (which is
av_buffer_default_free()).
This can result in a crash when the debug version of the C-runtime is
used on Windows. While it doesn't appear to result in a crash when
the release version of the C-runtime is used on Windows, it likely
results in memory corruption, since av_free() is being called on
memory that was allocated using
IDirectXVideoAccelerationService::CreateSurface().
Signed-off-by: Aaron Levinson <alevinsn@aracnet.com> Reviewed-by: wm4 <nfxjfg@googlemail.com> Reviewed-by: Steven Liu <lingjiujianke@gmail.com> Reviewed-by: Mark Thompson <sw@jkqxz.net>
Enables rendering of SVG images. This is possible since SVG images
still contain and specify the dimensions in pixels to which they've
been drawn to and thus enable browsers to display them without any
external data. Users can still override and generate images with
arbitrary resolutions.
Daniil Cherednik [Thu, 11 May 2017 21:12:07 +0000 (21:12 +0000)]
avcodec/dcaenc: Do not abort process in case of bitrate deficit
Old behaviour - abort if at least one subband has 1bit quantizer
and consumed_bits still greater than frame_bits size. It was
a bit strange - we still could reduce bits consumption by reducing
SNR for other subbands. Same strange logic with upper threshold -
stop bits allocation if at least one subband reach 26bits.
New behaviour - if consumed_bits greater than frame_bits and all
subbands has 1 bit quantizer we restart bits allocation and allow
zero subbands.
Fixes divission by 0 Fixes: clusterfuzz-testcase-minimized-5592896440893440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Hendrik Leppkes [Fri, 21 Apr 2017 23:25:40 +0000 (01:25 +0200)]
movenc/isom: update vpcC box to version 1.0 of the specification
This brings our generation of the vpcC box up to date to version 1.0
of the VP Codec ISO Media File Format Binding.
Specifically, color/transfer properties are now written with values
based on ISO/IEC 23001-8, which is the same reference specification the
AVColor* enumerations are based on.
wm4 [Mon, 15 May 2017 09:27:24 +0000 (11:27 +0200)]
videotoolbox: add hwcontext support
This adds tons of code for no other benefit than making VideoToolbox
support conform with the new hwaccel API (using hw_device_ctx and
hw_frames_ctx).
Since VideoToolbox decoding does not actually require the user to
allocate frames, the new code does mostly nothing.
One benefit is that ffmpeg_videotoolbox.c can be dropped once generic
hwaccel support for ffmpeg.c is merged from Libav.
Does not consider VDA or VideoToolbox encoding.
Fun fact: the frame transfer functions are copied from vaapi, as the
mapping makes copying generic boilerplate. Mapping itself is not
exported by the VT code, because I don't know how to test.
Fixes: out of array read Fixes: 1557/clusterfuzz-testcase-minimized-6535013757616128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/mlpdec: Check that there is enough data for headers
Fixes: out of array access Fixes: 1541/clusterfuzz-testcase-minimized-6403410590957568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It is needed in some corner cases that seem not to be forbidden Fixes: out of array index Fixes: 1538/clusterfuzz-testcase-minimized-4696904925446144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/aacsbr_template: Do not change bs_num_env before its checked
Fixes: 1489/clusterfuzz-testcase-minimized-5075102901207040 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read Fixes: 1508/clusterfuzz-testcase-minimized-5011336327069696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Most of these were found through code review in response to
fixing 1466/clusterfuzz-testcase-minimized-5961584419536896
There is thus no testcase for most of this.
The initial issue was Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/avcodec: Limit the number of side data elements per packet
Fixes: 1293/clusterfuzz-testcase-minimized-6054752074858496
See: [FFmpeg-devel] [PATCH] avcodec/avcodec: Limit the number of side data elements per packet
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/mss3: Fix runtime error: signed integer overflow: -2146318336 - 2139696256 cannot be represented in type 'int'
Fix is similar to rac_get_model_sym() Fixes: 1483/clusterfuzz-testcase-minimized-6386507814273024 Fixes: 1485/clusterfuzz-testcase-minimized-6639880215986176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: left shift of negative value -1 Fixes: 1480/clusterfuzz-testcase-minimized-5188321007370240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* commit '1202b712690c14f0efb06e4ad8b06c5b3df6822a':
theora: export cropping information instead of handling it internally
h264dec: export cropping information instead of handling it internally
h264dec: be more explicit in handling container cropping
hevcdec: export cropping information instead of handling it internally
This commit is a noop.
This changes the cropping behavior, when it's supposedly only meant to move
it outside of the decoder.
See https://ffmpeg.org/pipermail/ffmpeg-devel/2017-May/211239.html for the
discussion about it.
avcodec/scpr: Check y in first line loop in decompress_i()
Fixes: out of array access Fixes: 1478/clusterfuzz-testcase-minimized-5285486908145664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: randomly writing over the array end Fixes: 1473/clusterfuzz-testcase-minimized-5768907824562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
lavc/aarch64/simple_idct: fix iOS build without gas-preprocessor
Separates macro arguments with commas and passes .4H/.8H as macro
arguments instead of 4H/8H (the later form being interpreted as an
hexadecimal value).