aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* avcodec/alsdec: Fix integer overflows of raw_samples in decode_var_block_data()Michael Niedermayer2020-01-061-2/+2
| | | | | | | | | | | | | This also makes the code consistent with the existing similar MUL64() in decode_var_block_data() Fixes: signed integer overflow: -7277630735906765035 + -3272193951413647896 cannot be represented in type 'long' Fixes: 16015/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5666552818434048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit fad3ec89b7a664b93b5e29bdb0db0cab0272a0c4) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/alsdec: Fix integer overflow of raw_samples in decode_blocks()Michael Niedermayer2020-01-061-2/+2
| | | | | | | | | | Fixes: signed integer overflow: 2147483424 - -1772303236 cannot be represented in type 'int' Fixes: 15708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5067890362941440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit ce652324062a2c72f92e40699797630ef7f1ec5a) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/alsdec: fix mantisse shiftMichael Niedermayer2020-01-061-1/+5
| | | | | | | | | | Fixes: shift exponent -1 is negative Fixes: 16039/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5656825657032704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 02346292a334a51f6da802146b782bdb01ae9b4e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vc1_block: Fix invalid shifts in vc1_decode_i_blocks()Michael Niedermayer2020-01-061-2/+2
| | | | | | | | | | | Fixes: left shift of negative value -9 Fixes: 15299/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS2_fuzzer-5660922678345728 Fixes: 15557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5673351911047168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit c9415e815a996d287850a3572ce2c1d663b9f657) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vc1_block: fix invalid shift in vc1_decode_p_mb()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: left shift of negative value -5 Fixes: 15294/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5733921754447872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit b153ba1c2e03d3148766a3ebf0e9c485197f30de) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/aacdec_template: fix integer overflow in imdct_and_windowing()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: signed integer overflow: 2147483645 + 4 cannot be represented in type 'int' Fixes: 15418/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5685269069561856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit da93e2b14218c4ab0fda60e21882a4633aac5748) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* libavcodec/iff: Use unsigned to avoid undefined behaviourAndreas Rheinhardt2020-01-061-17/+17
| | | | | | | | | | | | | The initialization of the uint32_t plane32_lut matrix uses left shifts of the form 1 << plane; plane can be as big as 31 which means that this is undefined behaviour as 1 will be simply an int. So make it unsigned to avoid this. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f12e662a3d3f489eec887b5f2ab20a550caed9cf) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/alsdec: Check for block_length <= 0 in read_var_block_data()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: left shift of negative value -1 Fixes: 15719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5685731105701888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit be4fb282f9fb00d9c267dcc477745e2e468e758f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vqavideo: Set video sizeMichael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: out of array access Fixes: 15919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-5657368257363968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 02f909dc24b1f05cfbba75077c7707b905e63cd2) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/sanm: Check extradata_size before allocationsMichael Niedermayer2020-01-061-5/+5
| | | | | | | | | | Fixes: Leaks Fixes: 15349/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5102530557640704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 172a43ce36e671fdab63afe1c06876bba91445b3) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/mss1: check for overread and forward errorsMichael Niedermayer2020-01-064-0/+18
| | | | | | | | | | | Fixes: Timeout (106sec -> 14ms) Fixes: 15576/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS1_fuzzer-5688080461201408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 43015afd7ce9055f1fa2d7648c3fcd9b7cfd7721) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/loco: Check for end of input in pixel decodeMichael Niedermayer2020-01-061-0/+4
| | | | | | | | | | | Fixes: Timeout (100sec -> 5sec) Fixes: 15509/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5724297261219840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 8305a4509af2908d88bb623deb816fdaa8056c83) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dirac_parser: Fix overflow in dtsMichael Niedermayer2020-01-061-1/+1
| | | | | | | | | | | Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Fixes: 15568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5634719611355136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 549fcba8fc83330763ccd3cc67233037c96bc6d9) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/ralf: Fix undefined pointer in decode_channel()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 3c06ba171697b665ef4b2b47fe0008199b3eff86) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/ralf: Fix integer overflow in apply_lpc()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: signed integer overflow: 1603085316 + 1238786562 cannot be represented in type 'int' Fixes: 16203/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5086088934195200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit ccca484324e04dff4cb81d0f9018ae828e6b5c89) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vorbisdec: Implement vr->classifications = 1Michael Niedermayer2020-01-061-2/+7
| | | | | | | | | | | | | It appears no valid file uses this, so this is not testable with a valid file. Fixes: assertion failure Fixes: 16187/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5638880618872832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5a5f12e3b3f2177ede5839ff4141228666b8436f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vorbisdec: Check parameters in vorbis_floor0_decode() before divideMichael Niedermayer2020-01-061-0/+3
| | | | | | | | | | Fixes: division by zero Fixes: 16183/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5688966782648320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit aecc9b96d613f54d772e9475738bb54e0e1f182e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/realtextdec: Check for duplicate extradata in realtext_read_header()Michael Niedermayer2020-01-061-0/+4
| | | | | | | | | | Fixes: memleak Fixes: 16140/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5684008052064256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 652ea23cb34bc59b38c0088865600e2b86079815) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/cbs_av1_syntax_template: Check ref_frame_idx before useMichael Niedermayer2020-01-061-3/+4
| | | | | | | | | | | | Fixes: index -1 out of bounds for type 'AV1ReferenceFrameState [8]' Fixes: 16079/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5758807440883712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer <jamrial@gmail.com> See: [FFmpeg-devel] [PATCH 05/13] avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 8174e5c77d8a94b57b6b1bcbb90728cf8b08ab6b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/apedec: Fix 2 signed overflowsMichael Niedermayer2020-01-061-2/+2
| | | | | | | | | | | Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: signed integer overflow: 2049431315 + 262759074 cannot be represented in type 'int' Fixes: 16012/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5719016003338240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 392c028cd23d128f33d93b2159eed5de42f72b4d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/mss3: Check for the rac stream being invalid in rac_normalize()Michael Niedermayer2020-01-061-0/+4
| | | | | | | | | | Fixes: out of array read Fixes: 15982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSA1_fuzzer-5630676251967488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 99a172f3f4d0bef024c6293f575caaaddce0b267) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vc1_block: Check get_vlc2() return before useMichael Niedermayer2020-01-061-0/+2
| | | | | | | | | | Fixes: index -1 out of bounds for type 'const uint8_t [185][2]' Fixes: 15720/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSS2_fuzzer-5666071933091840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2cb1f797350875ec45cb20d59dc0684fcbac20fc) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/apedec: Do not partially clear data arrayMichael Niedermayer2020-01-061-1/+2
| | | | | | | | | | Fixes: Assertion failure and memleak Fixes: 15709/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5182435093905408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 8e4b522c9146b9c14579ae7381fb1043b7423578) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/atrac9dec: Check grad_range[1] more tightlyMichael Niedermayer2020-01-061-1/+1
| | | | | | | | | | | | | | Alternatively the array could be made bigger but the extra values would not be read without other changes. Fixes: Out of array access Fixes: 15658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5738260074070016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne <dev@lynne.ee> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 208225bd782207aaf2b380522f96fd4fe4dc3441) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/hnm4video: Forward errors of decode_interframe_v4()Michael Niedermayer2020-01-061-10/+14
| | | | | | | | | | | Fixes: Timeout (108sec -> 160ms) Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 9af8ce754b705c36ad4d2b6fd0f73f87ca4381c4) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/clearvideo: fix invalid shift in tile size checkMichael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 15631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5690110605000704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5dc94924d0fbdedba4356c21ec7de0347b8e4757) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vp3: Check that theora is theoraMichael Niedermayer2020-01-061-0/+4
| | | | | | | | | | | | | Theora is forced to be non zero if it is zero and a sample is asked for, as suggested by reimar Fixes: Timeout (2min -> 600ms) Fixes: 15366/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5737849938247680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit b4bf7226aff28e9ca379c5a3dedf745a2d316739) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vc1_pred: Fix invalid shift in scaleforsame()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: left shift of negative value -1 Fixes: 15531/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5759556258365440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 6dfda35dd29d2e2a86554d2c05d957a09ab79b0c) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vc1_block: Fix integer overflow in ff_vc1_pred_dc()Michael Niedermayer2020-01-061-3/+3
| | | | | | | | | | Fixes: signed integer overflow: 32796 * 65536 cannot be represented in type 'int' Fixes: 15430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5735424087031808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f31ed8f3b00ec7afe87092798bf0b397f6e19ed5) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/truemotion2: Fix several integer overflows in tm2_motion_block()Michael Niedermayer2020-01-061-4/+4
| | | | | | | | | | Fixes: 15524/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5173148372172800 Fixes: signed integer overflow: 13701388 - -2134868270 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 9a353ea8766206bd302f3f12ca1d226237542908) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/apedec: make left/right unsigned to avoid undefined behaviorMichael Niedermayer2020-01-061-2/+2
| | | | | | | | | | Fixes: signed integer overflow: 755176387 + 1515360583 cannot be represented in type 'int' Fixes: 15506/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5706859232624640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit bf778af1493b0814696307432763246fb53c75e7) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/apedec: Fix multiple integer overflows and undefined behaviorin ↵Michael Niedermayer2020-01-061-5/+5
| | | | | | | | | | | | | | | | filter_3800() Fixes: left shift of negative value -4 Fixes: signed integer overflow: -15091694 * 167 cannot be represented in type 'int' Fixes: signed integer overflow: 1898547155 + 453967445 cannot be represented in type 'int' Fixes: 15258/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5759095564402688 Fixes: signed integer overflow: 962196438 * 31 cannot be represented in type 'int' Fixes: 15364/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718799845687296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 267eb2ab7f87696e1a156ca9a5ff1b1628d170c1) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/mpc: deallocate frames array on errorsMichael Niedermayer2020-01-061-2/+5
| | | | | | | | | | Fixes: memleak on error path Fixes: 15984/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5679918412726272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit da5039415c2bd625085d15e6c92e0b64eefddcbf) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/eatqi: Check for minimum frame sizeMichael Niedermayer2020-01-061-0/+3
| | | | | | | | | | | | | | The minimum header is 8 bytes, the smallest bitstream that is passed to the MB decode code is 4 bytes Fixes: Timeout (35sec -> 18sec) Fixes: 15800/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATQI_fuzzer-5684154517159936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5ffb8e879389fb0642654e3233cfeca1f9841e52) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/eatgv: Check remaining size after the keyframe headerMichael Niedermayer2020-01-061-0/+3
| | | | | | | | | | | | The minimal size which unpack() will not fail on is 5 bytes Fixes: Timeout (14sec -> 77ms) (testcase 15508) Fixes: 15508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5700053513011200 Fixes: 15996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGV_fuzzer-5751353223151616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 009ec8dc3345353b1cd2316423918533fcb89552) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/assdec: undefined use of memcpy()Michael Niedermayer2020-01-061-1/+2
| | | | | | | | | | | Fixes: null pointer passed as argument 2, which is declared to never be null Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 (this is a separate issue found in this testcase) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 47b6ca0b022a413e392707464f2423795aa89bfb) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/brenderpix: Check input size before allocating imageMichael Niedermayer2020-01-061-1/+4
| | | | | | | | | | | | | | | An incomplete image is not supported prior to this and will not produce any output. This commit moves the failure before time consuming operations. Fixes: Timeout (81sec -> 76ms) Fixes: 15723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BRENDER_PIX_fuzzer-5147265653538816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 38b6c48c4300343f4703019a90a332773e64e11b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* lafv/wavdec: Fail bext parsing on incomplete readsMatt Wolenetz2020-01-061-5/+7
| | | | | | | | | | | | | | | | | | | avio_read can successfully return even when less than the requested amount of input was read. wavdec's bext parsing mistakenly assumed a successful avio_read always read the full amount that was requested. The result could be dictionary tags populated with partially uninitialized values. This change also fixes a broken assertion in wav_parse_bext_string that was off-by-one, though no known current usage of that method hits that broken case. Chromium bug: 987270 Signed-off-by: Matt Wolenetz <wolenetz@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 052d41377a02f480f8e7135c0f7d418e9a405215) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/utils: fix leak of subtitle_header on error pathMichael Niedermayer2020-01-061-0/+1
| | | | | | | | | | | | Fixes: memleak Fixes: 15528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_STL_fuzzer-5735993371525120 Fixes: 15792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SAMI_fuzzer-5737754232619008 Fixes: 16008/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SSA_fuzzer-5650582821404672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 923d5c489fd4ffd0b9dbfdc6c14f594bd134ab47) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/utils: Check close before calling itMichael Niedermayer2020-01-061-1/+1
| | | | | | | | | | | Fixes: NULL pointer dereference Fixes: 15733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDF_fuzzer-5658616977162240 Reviewed-by: Paul B Mahol <onemda@gmail.com> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 8df6884832ec413cf032dfaa45c23b1c7876670c) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* tools/target_dec_fuzzer: Free parser in case of avcodec_open2() failureMichael Niedermayer2020-01-061-0/+1
| | | | | | | | | | Fixes: memleak Fixes: part of 15529/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-5140143700180992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 508ce5839e0bf78ce8813eb1b38cce0d416a408e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vorbisdec: Check vlc for floor0 dec vector offsetMichael Niedermayer2020-01-061-2/+4
| | | | | | | | | | Fixes: out of array access Fixes: 15649/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5729191309344768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 99f95f39c6978f0d91e42b3bced126a98173dbef) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vorbisdec: amplitude bits can be more than 25 bitsMichael Niedermayer2020-01-061-3/+4
| | | | | | | | | | Fixes: assertion failure, invalid shift Fixes: 15583/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5640157484548096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 308771a73870863d1b4f630234fbb5bc7aec8252) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avutil/softfloat_ieee754: Fix odd bit position for exponent and sign in ↵Michael Niedermayer2020-01-061-1/+1
| | | | | | | | av_bits2sf_ieee754() Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 82e389d066923412dd945543418e8cb6c63d0997) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/apedec: Fix various integer overflowsMichael Niedermayer2020-01-061-4/+4
| | | | | | | | | | | | Fixes: signed integer overflow: -538976267 * 31 cannot be represented in type 'int' Fixes: left shift of 65312 by 16 places cannot be represented in type 'int' Fixes: 15255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718831688843264 Fixes: 15547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5691384901664768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 240bf0e5960fca424e43b7ab1048897fdecabf26) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/apedec: Fix multiple integer overflows in predictor_update_filter()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: signed integer overflow: -829262115 + -1410750414 cannot be represented in type 'int' Fixes: 15251/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5651742252859392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0af08cb803844b9eba4ff3e552c26452ec6fa7d2) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/alsdec: fix undefined shift in multiply()Michael Niedermayer2020-01-061-1/+1
| | | | | | | | | | Fixes: left shift of negative value -6 Fixes: 15564/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5701655938465792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit b880b3b236ddd00f85ea502b4c17a145fd26c790) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/alsdec: Fix 2 integer overflowsMichael Niedermayer2020-01-061-2/+2
| | | | | | | | | | Fixes: signed integer overflow: 1270564968 + 904828220 cannot be represented in type 'int' Fixes: 15402/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5755426823471104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 9cd0d94f59d05e7bfaae9690e827752e7717eda3) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/flicvideo: Make line_packets intMichael Niedermayer2020-01-061-6/+6
| | | | | | | | | | Fixes: signed integer overflow: -32768 * 196032 cannot be represented in type 'int' Fixes: 15300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5733319519502336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 54bd47f861e8cdc74aea816ebfbbaac25fefd0d1) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dvbsubdec: Use ff_set_dimensions()Michael Niedermayer2020-01-061-2/+3
| | | | | | | | | | | Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15740/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5641749164195840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5941b7f615b0c0cab0d8f8613b918de75d3c1222) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-04 07:36:44 +0000