| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Name suggested by Lynne, Gyan, Reto, Zane, Jan, Derek
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
Fixes: out of array read
Fixes: 32968/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSP2_fuzzer-5315296027082752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit caaf4633117f77a545975dac18e85b8fcdbc9ce7)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
Fixes: Invalid read of size 4
Fixes: ASAN_Deadlysignal.zip
Found-by: Hardik Shah <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0f6a3405e8987ad761a2d9139fdc95bbb6a61118)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Calling av_frame_make_writable() from decoders is tricky, especially
when frame threading is used. It is much simpler and safer to just make
a private copy of the frame.
This is not expected to have a major performance impact, since
APNG_DISPOSE_OP_BACKGROUND is not used often and
av_frame_make_writable() would typically make a copy anyway.
Found-by: James Almer <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit b593abda6c642cb0c3959752dd235c2faf66837f)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
| |
Signed-off-by: Marton Balint <[email protected]>
(cherry picked from commit fb4da90fecdefa2508618ca835cd0250be940e04)
|
| |
|
|
|
|
|
|
|
| |
Ugly, but a lot less broken than it was.
Fixes ticket #9166.
Signed-off-by: Marton Balint <[email protected]>
(cherry picked from commit 5dc5f289cefe67457bd16f1950c56911e926385f)
|
| |
|
|
|
|
|
| |
The length does not cover the chunk type or CRC.
(cherry picked from commit ae08eec6a1f2129cd231a0ab664f0f17b854d138)
Signed-off-by: Anton Khirnov <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This data cannot be stored in PNGDecContext.picture, because the
corresponding chunks may be read after the call to
ff_thread_finish_setup(), at which point modifying shared context data
is a race.
Store intermediate state in the context and then write it directly to
the output frame.
Fixes exporting frame metadata after 5663301560
Fixes #8972
Found-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 8d74baccff59192d395735036cd40a131a140391)
Signed-off-by: Anton Khirnov <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
Do not store the image buffer pointer/linesize in the context, just
access them directly from the frame.
Stop assuming that linesize is the same for the current and last frame.
(cherry picked from commit 89ea5057bf47880145419341258eadb3635448cf)
Signed-off-by: Anton Khirnov <[email protected]>
|
| |
|
|
|
|
|
| |
Saves an allocation+free and two frame copies per each frame.
(cherry picked from commit 5a50bd88db670f8c030a814e4cdb2a880dc1d4f4)
Signed-off-by: Anton Khirnov <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The (deprecated) field AVCodecContext.mpeg_quant has no range
restriction; MpegEncContext.mpeg_quant is restricted to 0..1.
If the former is set, the latter is overwritten with it without
checking the range. This can trigger an av_assert2() with the MPEG-4
encoder when writing said field.
Fix this by just setting MpegEncContext.mpeg_quant to 1 if
AVCodecContext.mpeg_quant is set.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit d393c45051ddaf6146e7e29ec2ea97035a727529)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pix_fmts of the LJPEG encoder already contain all supported pixel
formats (including the ones only supported when strictness is unofficial
or less); yet the check in ff_encode_preinit() ignored this list in case
strictness is unofficial or less. But the encoder presumed that it is
always applied and blacklists some of the entries in pix_fmts when
strictness is > unofficial. The result is that if one uses an entry not
on that list and sets strictness to unofficial, said entry passes both
checks and this can lead to segfaults lateron (e.g. when using gray).
Fix this by removing the exception for LJPEG in ff_encode_preinit().
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 6e8e9b7633d8b755e7a464a10ba5047f31cbd84d)
|
| |
|
|
|
| |
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 4666ce0aef395fc7dfa2a718e8d238e58e635d2a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For both the RealMedia as well as the IVR demuxer (which share the same
context) each AVStream's priv_data contains an AVPacket that might
contain data (even when reading the header) and therefore needs to be
unreferenced. Up until now, this has not always been done:
The RealMedia demuxer didn't do it when allocating a new stream's
priv_data failed although there might be other streams with packets to
unreference. (The reason for this was that until recently rm_read_close()
couldn't handle an AVStream without priv_data, so one had to choose
between a potential crash and a memleak.)
The IVR demuxer meanwhile never ever called read_close so that the data
already contained in packets leaks upon error.
This patch fixes both demuxers by adding the appropriate cleanup code.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 9a471c5437d34cd1e63520b47f50a0fa605a5688)
|
| |
|
|
|
|
|
|
|
|
|
| |
ff_vc1_decode_init_alloc_tables() had one error path that forgot to free
already allocated buffers; these would then be overwritten on the next
allocation attempt (or they would just not be freed in case this
happened during init, as the decoders for which it is used do not have
the FF_CODEC_CAP_INIT_CLEANUP set).
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 98060a198ef0bd213d0d0b029f8955fcd3be93d2)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RealVideo 3.0 and 4.0 decoders call ff_mpv_common_init() only during
their init function and not during decode_frame(); when the size of the
frame changes, they call ff_mpv_common_frame_size_change(). Yet upon
error, said function calls ff_mpv_common_end() which frees the whole
MpegEncContext and not only those parts that
ff_mpv_common_frame_size_change() reinits. As a result, the context will
never be usable again; worse, because decode_frame() contains no check
for whether the context is initialized or not, it is presumed that it is
initialized, leading to segfaults. Basically the same happens if
rv34_decoder_realloc() fails.
This commit fixes this by only resetting the parts that
ff_mpv_common_frame_size_change() changes upon error and by actually
checking whether the context is in need of reinitialization in
ff_rv34_decode_frame().
Reviewed-by: Michael Niedermayer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 9abda1365c5e2d827eb673b6d98245163c868bf1)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case of resolution changes rv20_decode_picture_header() closes and
reopens its MpegEncContext; it checks the latter for errors, yet when
an error happens, it might happen that no new attempt at
reinitialization is performed when decoding the next frame; this leads
to crashes lateron.
This commit fixes this by making sure that initialization will always
be attempted if the context is currently not initialized.
Reviewed-by: Michael Niedermayer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 8ffd3ef9d94f33b411348c594a49d994b55c9550)
|
| |
|
|
|
|
| |
Reviewed-by: Michael Niedermayer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 9bab7de175d7c942a6ebddae6ba0cacdf360827e)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When slice-threading is used, ff_mpv_common_init() duplicates
the first MpegEncContext and allocates some buffers for each
MpegEncContext (the first as well as the copies). But the count of
allocated MpegEncContexts is not updated until after everything has
been allocated and if an error happens after the first one has been
allocated, only the first one is freed; the others leak.
This commit fixes this: The count is now set before the copies are
allocated. Furthermore, the copies are now created and initialized
before the first MpegEncContext, so that the buffers exclusively owned
by each MpegEncContext are still NULL in the src MpegEncContext so
that no double-free happens upon allocation failure.
Given that this effectively touches every line of the init code,
it has also been factored out in a function of its own in order to
remove code duplication with the same code in
ff_mpv_common_frame_size_change() (which was never called when using
more than one slice (and if it were, there would be potential
double-frees)).
Reviewed-by: Michael Niedermayer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit ff0706cde8b1a1f483e26c0ccac117c23b23d604)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ff_mpv_common_init()"
This mostly reverts commit 4b2863ff01b1fe93d9a518523c9098d17a9d8c6f.
Said commit removed the freeing code from ff_mpv_common_init(),
ff_mpv_common_frame_size_change() and ff_mpeg_framesize_alloc() and
instead added the FF_CODEC_CAP_INIT_CLEANUP to several codecs that use
ff_mpv_common_init(). This introduced several bugs:
a) Several decoders using ff_mpv_common_init() in their init function were
forgotten: This affected FLV, Intel H.263, RealVideo 3.0 and V4.0 as well as
VC-1/WMV3.
b) ff_mpv_common_init() is not only called from the init function of
codecs, it is also called from AVCodec.decode functions. If an error
happens after an allocation has succeeded, it can lead to memleaks;
furthermore, it is now possible for the MpegEncContext to be marked as
initialized even when ff_mpv_common_init() returns an error and this can
lead to segfaults because decoders that call ff_mpv_common_init() when
decoding a frame can mistakenly think that the MpegEncContext has been
properly initialized. This can e.g. happen with H.261 or MPEG-4.
c) Removing code for freeing from ff_mpeg_framesize_alloc() (which can't
be called from any init function) can lead to segfaults because the
check for whether it needs to allocate consists of checking whether the
first of the buffers allocated there has been allocated. This part has
already been fixed in 76cea1d2ce3f23e8131c8664086a1daf873ed694.
d) ff_mpv_common_frame_size_change() can also not be reached from any
AVCodec.init function; yet the changes can e.g. lead to segfaults with
decoders using ff_h263_decode_frame() upon allocation failure, because
the MpegEncContext will upon return be flagged as both initialized and
not in need of reinitialization (granted, the fact that
ff_h263_decode_frame() clears context_reinit before the context has been
reinited is a bug in itself). With the earlier version, the context
would be cleaned upon failure and it would be attempted to initialize
the context again in the next call to ff_h263_decode_frame().
While a) could be fixed by adding the missing FF_CODEC_CAP_INIT_CLEANUP,
keeping the current approach would entail adding cleanup code to several
other places because of b). Therefore ff_mpv_common_init() is again made
to clean up after itself; the changes to the wmv2 decoder and the SVQ1
encoder have not been reverted: The former fixed a memleak, the latter
allowed to remove cleanup code.
Fixes: double free
Fixes: ff_free_picture_tables.mp4
Fixes: ff_mpeg_update_thread_context.mp4
Fixes: decode_colskip.mp4
Fixes: memset.mp4
Reviewed-by: Michael Niedermayer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit d4b9e117ceb6356cbcdc9ca81ec9c6c4b90efdae)
|
| |
|
|
|
|
|
| |
There might be segfaults on failure.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit e93875b756b575438d7b825332739719d4fbc600)
|
| |
|
|
|
|
|
|
|
|
| |
If only one of the two arrays used for the ICC profile could be
successfully allocated, it might be overwritten and leak when
the next ICC entry is encountered. Fix this by using a common struct,
so that one has only one array to allocate.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit a5b2f06b0c69221e375edd918a335c68b33d5667)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In this case it also fixes a potential for compilation failures:
Not all compilers can handle the case in which a function with
a forward declaration declared with an attribute to always inline it
is called before the function body appears. E.g. GCC 4.2.1 on OS X 10.6
doesn't like it.
Reviewed-by: Pavel Koshevoy <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit e5d6af7b35d97f5c1252ecf8bd61f3295909fb6c)
|
| |
|
|
|
| |
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 659996094074b0c34904c2fd391c4a12bbf58211)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Up until now, initializing the mutexes/condition variables wasn't
checked by ff_frame_thread_init(). This commit changes this.
Given that it is not documented to be save to destroy a zeroed but
otherwise uninitialized mutex/condition variable, one has to choose
between two approaches: Either one duplicates the code to free them
in ff_frame_thread_init() in case of errors or one records which have
been successfully initialized. This commit takes the latter approach:
For each of the two structures with mutexes/condition variables
an array containing the offsets of the members to initialize is added.
Said array is used both for initializing and freeing and the only thing
that needs to be recorded is how many of these have been successfully
initialized.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit c85fcc96b79a502b1d2cd022c6f0c638e4527732)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case an error happened when setting up the child threads,
ff_frame_thread_init() would up until now call ff_frame_thread_free()
to clean up all threads set up so far, including the current, not
properly initialized one.
But a half-allocated context needs special handling which
ff_frame_thread_frame_free() doesn't provide.
Notably, if allocating the AVCodecInternal, the codec's private data
or setting the options fails, the codec's close function will be
called (if there is one); it will also be called if the codec's init
function fails, regardless of whether the FF_CODEC_CAP_INIT_CLEANUP
is set. This is not supported by all codecs; in ticket #9099 it led
to a crash.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit e9b66175793e5c2af19beefe8e143f6e4901b5df)
|
| |
|
|
|
| |
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 24ee1514021e2a2419b1ae9a779e6a18a4add064)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
buf_size
Some old DV AVI files have the DSF-Flag of frames set to 0, although it
is PAL (maybe rendered with an old Ulead Media Studio Pro) ... this causes
ffmpeg/VLC-player to produce/play corrupted video (other players/editors
like VirtualDub work fine).
Fixes ticket #8333 and replaces/extends hack for ticket #2177
Signed-off-by: Marton Balint <[email protected]>
(cherry picked from commit 6ef5d8ca86c1d17e486300daa476dc6e0799f2f6)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This avoids use of uninitialized data
also several checks are inside the band reading code
so it is important that it is run at least once
Fixes: out of array accesses
Fixes: 28209/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5684714694377472
Fixes: 32124/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5425980681355264
Fixes: 30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4558757155700736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit da8c86dd8be244100da226a11b416c20d0c914d6)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
| |
and BandSecondPass
Previously the code skipped all security checks when these where encountered but prior data was incorrect.
Also replace an always true condition by an assert
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 3b88c88fa1888c47b0767d84bfebf1fd656c7846)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixes: out of array accesses
Fixes: 29754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6333598414274560
Fixes: 30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6298424511168512
Fixes: 30739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5011292836462592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 20473a93d2a385a7137ef03e8b2604fa5e79eaa7)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
| |
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 3ce8d092448827842c451807f03010ad5129fd8f)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
| |
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit dc57762cb43619f91fd2a5d95510fa3b14cfeaaf)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
| |
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit e1484bc455dff500f8b35b58d434924bca0e03d6)
Signed-off-by: Michael Niedermayer <[email protected]>
|
| |
|
|
|
|
| |
Reviewed-by: Michael Niedermayer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit d5ddfec6c3ce0ff743e3d67c42a1a59d3afe8e8c)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using external Huffman tables fails during init, the decoder
reverts back to using the default Huffman tables; and when doing so,
the current VLC tables leak because init_default_huffman_tables()
doesn't free them before overwriting them.
Sample:
samples.ffmpeg.org/archive/all/avi+mjpeg+pcm_s16le++mjpeg-interlace.avi
Reviewed-by: Michael Niedermayer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 3cc685b7bcc2bcc781b5632bf2e0af6ed941ae27)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
render_charset() used static buffers that are always completely
initialized before every use, so that it is unnecessary for the
values in these arrays to be kept after leaving the function.
Given that this is not only unnecessary, but harmful due to the
possibility of data races if several instances of a64multi/a64multi5
run simultaneously these buffers have been replaced by ordinary buffers
on the stack (they are small enough for this).
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 0ca09335aa47fee181c36187143403811b5452f6)
|
| |
|
|
|
| |
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 5c0f6d53da154ef51933eb5820424612aedda50d)
|
| |
|
|
|
|
|
|
| |
The current code tries the access the codecpar of a nonexistent
audio stream when seeking. Stop that. Fixes ticket #9121.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit af867e59d9ac3db5aaf7df4691f032e14ea51588)
|
| |
|
|
|
|
|
| |
Fixes potential heap-buffer-overflow.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit f38f791a23a8acade7ea6554c80455dce7543dbd)
|
| |
|
|
|
| |
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 0062aca592868e9fd7b6fcb322747d42d71e7315)
|
| |
|
|
|
| |
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 85aed2e390799dc4037a6f0b95310dfda44fa6eb)
|
| |
|
|
|
|
|
| |
An AVMD5 struct would leak if an error happened after its allocation.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 56bd071e5487fcf516d942bbc84d7a77b0bdf9b6)
|
| |
|
|
|
|
|
|
| |
A buffer may leak in case of YUVA444P10 with dimensions that are not
both divisible by 16.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit d789d72d30d8cb6c0a9b5b1140589da1eae44e1e)
|
| |
|
|
|
|
|
|
| |
When allocating a BSF fails, it could happen that the BSF's close
function has been called despite a failure to allocate the private data.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 9bf2b32da048732ad79e075dfefd40777e9f935a)
|
| |
|
|
|
|
|
|
| |
Fixes a crash with ISOBMFF extradata containing no OBUs.
Reviewed-by: James Almer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 8081a0b10f5325b60e885d8823593485019b8a18)
|
| |
|
|
|
|
|
|
| |
This is a regression since switching to the generic CBS BSF code.
Reviewed-by: James Almer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit b917218c35d240d9266c163103353e51facb0cae)
|
| |
|
|
|
| |
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit f0042e573e13858ab16b08ad9899eb8c908cd058)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DSS demuxer currently decrements a counter that should be positive
at the beginning of read_packet; should it become negative, it means
that the data to be read can't be read contiguosly, but has to be read
in two parts. In this case the counter is incremented again after the
first read if said read succeeded; if not, the counter stays negative.
This can lead to problems in further read_packet calls; in tickets #9020
and #9023 it led to segfaults if one tries to seek lateron if the seek
failed and generic seek tried to read from the beginning. But it could
also happen when av_new_packet() failed and the user attempted to read
again afterwards.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit afa511ad34452b1806a6cfa2dd785168140843e6)
|
| |
|
|
|
|
|
| |
There would be leaks in case of failure.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 543e4a194252050cf1abcded7c75e4b889e3db4f)
|
