path: root/libavcodec
Commit message | Author | Age | Files | Lines
* avcodec/magicyuv: Check slice size before reading flags and pred | Michael Niedermayer | 2021-10-09 | 1 | -0/+3
  Fixes: heap-buffer-overflow
  Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 0dc42147b6843b133d4fa46bf1c2568a837b4bec)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/exr: Check limits to avoid overflow in delta computation | Michael Niedermayer | 2021-10-09 | 1 | -4/+15
  Fixes: signed integer overflow: 553590816 - -2145378049 cannot be represented in type 'int'
  Fixes: 26315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5938755121446912
  Fixes: 26340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5644316208529408
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 6910e0f4e5c40b5b902e4dd87256327d860d53f5)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/h264idct_template: Fix integer overflow in ff_h264_chroma422_dc_dequant_idct() | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: signed integer overflow: 241173056 + 1953511200 cannot be represented in type 'int'
  Fixes: 26086/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5068366420901888
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit d1983628394e076001cc67d85656f9842b7282a3)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/aacdec_fixed: Limit index in vector_pow43() | Michael Niedermayer | 2021-10-09 | 1 | -2/+2
  Fixes: out of array access
  Fixes: 26087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5724825462767616
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 4f83a536384afda45acb6d7cdd22017c8c314f9e)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/smacker: Check remaining bits in SMK_BLK_FULL | Michael Niedermayer | 2021-10-09 | 1 | -0/+2
  Fixes: out of array access
  Fixes: 26047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5083031667474432
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 42ded4d1e6fb0086a235dc584118414ae2bf30c9)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/cook: Check subpacket index against max | Michael Niedermayer | 2021-10-09 | 1 | -4/+4
  Fixes: off by 1 error
  Fixes: index 5 out of bounds for type 'COOKSubpacket [5]'
  Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 5a2a7604da5f7a2fc498d1d5c90bd892edac9ce8)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred | Michael Niedermayer | 2021-10-09 | 1 | -2/+3
  Fixes: pixel decode issue.ts
  Fixes: raw frame.hevc
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 3fbf8737923ac49754946a2505367630544b87f1)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/exr: Fix overflow with many blocks | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: signed integer overflow: 1073741827 * 8 cannot be represented in type 'int'
  Fixes: 25621/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6304841641754624
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 7265b7d904f86ec1c681222310c739f92ba55e5e)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vp9dsp_template: Fix integer overflows in idct16_1d() | Michael Niedermayer | 2021-10-09 | 1 | -26/+26
  Fixes: signed integer overflow: -190760 * 11585 cannot be represented in type 'int'
  Fixes: 25471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5743354917421056
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 394e8bb385a351091cb1ba0be986f3bbb15039fd)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset | Michael Niedermayer | 2021-10-09 | 1 | -0/+5
  Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int'
  Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 106f11f68af643ad1f372b840d38a0a30c6e9bcf)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/exr: Check line size for overflow | Michael Niedermayer | 2021-10-09 | 1 | -0/+6
  Fixes: signed integer overflow: 570425356 * 6 cannot be represented in type 'int'
  Fixes: 25929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5099197739827200
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 9b72cea4463dd2fabcd9ba1454a0855e521d0148)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/exr: Check xdelta, ydelta | Michael Niedermayer | 2021-10-09 | 1 | -1/+3
  Fixes: assertion failure
  Fixes: 25617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5648746061496320
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 6949df35d0c69ae91bb0f49069e0703deb9bd676)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/takdsp: Fix negative shift in decorrelate_sf() | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: left shift of negative value -4
  Fixes: 25723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6250580752990208
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 4f54f530039db149808478796e8389c14eb73095)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420() | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: left shift of negative value -640
  Fixes: 26044/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-5631057602543616
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Reviewed-by: Paul B Mahol <onemda@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 3291d994b76db4b6e67c8467367ce68f79785e60)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vc1_block: Fix integer overflow in ac value | Michael Niedermayer | 2021-10-09 | 1 | -2/+2
  Fixes: signed integer overflow: 25488 * 87381 cannot be represented in type 'int'
  Fixes: 24765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5108259565076480
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 3056e19e68122b9464b24870488f8faca4e78ea8)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/dxtory: Fix negative shift in dx2_decode_slice_410() | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: left shift of negative value -768
  Fixes: 25574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-6012596027916288
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Reviewed-by: Paul B Mahol <onemda@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit abebd87764992dc22c82802bdc75d40aac14ab86)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/sonic: Check channels before deallocating | Michael Niedermayer | 2021-10-09 | 1 | -3/+1
  Fixes: heap-buffer-overflow
  Fixes: 25744/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5172961169113088
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit f249981976b18438cfb646183d4c21fb051e1ad4)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/ansi: Check nb_args for overflow | Michael Niedermayer | 2021-10-09 | 1 | -1/+2
  Fixes: Integer overflow (no testcase)
  Reviewed-by: Paul B Mahol <onemda@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit bc0e776c9aaf06f437bf21e05a713fd54dc85400)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/diracdsp: Fix integer anomaly in dequant_subband_* | Michael Niedermayer | 2021-10-09 | 1 | -3/+3
  Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself
  Fixes: 23760/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-604209011412172
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit ca3c6c981aa5b0af8a5576020b79fdd3cdf9ae9e)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/wmalosslessdec: Check remaining space before padding and channel residue | Michael Niedermayer | 2021-10-09 | 1 | -0/+2
  Fixes: Timeout (1101sec -> 0.4sec)
  Fixes: 24491/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5725337036783616
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit c467adf3bf9bb4b7fd28956ec698d884e63f145d)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth() | Michael Niedermayer | 2021-10-09 | 1 | -4/+4
  Fixes: -2.4187e+09 is outside the range of representable values of type 'int'
  Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int'
  Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384
  Fixes: 23528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 2b9f39689ab19c68ff37b5a4ac71e8fb7f58c487)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: signed integer overflow: -1429092 * -32596 cannot be represented in type 'int'
  Fixes: 24419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5157849974702080
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Reviewed-by: Nicolas George <george@nsup.org>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit a0da95df77a528251a326fc8b7e2ff48c60e41d0)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d() | Michael Niedermayer | 2021-10-09 | 1 | -8/+8
  Fixes: signed integer overflow: 998938090 + 1169275991 cannot be represented in type 'int'
  Fixes: 23411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-4644692330545152
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit d182d8f10cf69c59ef9c21df4b06e5478df063ef)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/cfhd: Check transform type | Michael Niedermayer | 2021-10-09 | 1 | -0/+4
  Fixes: out of array access
  Fixes: 24823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4855119863349248
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 659658d08bb2e7219001795c78efd24f381446e2)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/tiff: Restrict tag order based on specification | Michael Niedermayer | 2021-10-09 | 1 | -0/+8
  "The entries in an IFD must be sorted in ascending order by Tag. Note that this is not the order in which the fields are described in this document."

  This way various dimensions, sample and bit sizes cannot be changed at arbitrary times which reduces the potential for bugs. The tag reading code also in various places assumes that numerically previous tags have already been parsed, so this needs to be enforced one way or another.

  If this commit causes problems with real world files which are not easy to fix then some other form of check is needed to ensure the various dependencies in the tag reading are not violated.

  Fixes: out of array access
  Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit ad29f9e47cb848e11ee1d358d2bae15cd35ef04b)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/tiff: Check bpp/bppcount for 0 | Michael Niedermayer | 2021-10-09 | 1 | -3/+3
  Fixes: division by zero
  Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit be090da25f734460f3105075456877b8a66185c1)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/snowdec: Sanity check hcoeff | Michael Niedermayer | 2021-10-09 | 1 | -1/+4
  Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
  Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit d51d569cf68f78aaea8464a156c847a0e294726a)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/alac: Check decorr_shift to avoid invalid shift | Michael Niedermayer | 2021-10-09 | 1 | -0/+3
  Later the decorrelate_stereo call is guarded by channels == 2 and non-zero decorr_left_weight. Make sure decorr_shift is in the expected shift range for that case.

  Fixes: shift exponent 128 is too large for 32-bit type 'int'
  Fixes: 23860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5751138914402304
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Reviewed-by: Alexander Strasser <eclipse7@gmx.net>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 4333718b357a9ad195031e5d0ea080d37677b795)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/tdsc: Fix tile checks | Michael Niedermayer | 2021-10-09 | 1 | -11/+10
  Fixes: out of array access
  Fixes: crash.asf
  Found-by: anton listov <greyfarn7@yandex.ru>
  Reviewed-by: anton listov <greyfarn7@yandex.ru>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 081e3001edb67dcd55fe0f68505df1fce667476d)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/apedec: Fix undefined integer overflow with 24bit | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: signed integer overflow: 8683744 * 256 cannot be represented in type 'int'
  Fixes: 23527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679885932822528
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 9f7b252cdf2d0e0f79d16dc7cd575d1884239863)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/loco: Fix integer overflow with large values from loco_get_rice() | Michael Niedermayer | 2021-10-09 | 1 | -1/+1
  Fixes: signed integer overflow: 155 + 2147483647 cannot be represented in type 'int'
  Fixes: 23421/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5652849097965568
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 3ddc5e1f3cebca25ade54ee68159d305f210bf5f)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/pnmdec: Fix misaligned reads | Michael Niedermayer | 2021-10-09 | 1 | -4/+4
  Found-by: "Steinar H. Gunderson" <steinar+ffmpeg@gunderson.no>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit ea28ce9bc13803ccef97850388ddc9a73998a23e)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/utils: Check close before calling it | Michael Niedermayer | 2021-01-02 | 1 | -1/+1
  Fixes: NULL pointer dereference
  Fixes: 15733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDF_fuzzer-5658616977162240
  Reviewed-by: Paul B Mahol <onemda@gmail.com>
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 8df6884832ec413cf032dfaa45c23b1c7876670c)
* avcodec/ttaenc: Fix undefined shift | Andreas Rheinhardt | 2020-07-03 | 1 | -1/+1
  ttaenc contained (1 << unary) - 1 as an argument for a function expecting an unsigned int. unary can be as big as 31 in this case. The type of the shift and the whole expression is int, because 1 fits into an integer, so that the behaviour is undefined if unary == 31 as the result of the shift can't be represented in an int §. Subtraction by 1 (which makes the result of the whole expression representable in an int) doesn't change that this is undefined (it usually leads to signed integer overflow which is undefined, too).

  The solution is simple: Make 1 unsigned to change the type of the whole expression to unsigned int (as the function expects anyway).

  Fixes ticket #8153.

  §: This of course presupposes the common int range of -2^31..2^31-1

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Reviewed-by: Paul B Mahol <onemda@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 3ab488a5407f833ecc66e8fa4c537dc4852db720)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers | Andreas Rheinhardt | 2020-07-03 | 1 | -1/+1
  Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests (where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 5cf593adcd79a7c9502dc2725e1f0681ada36aef)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/ituh263dec: Fix undefined left shift of negative number | Andreas Rheinhardt | 2020-07-03 | 1 | -1/+1
  Fixes ticket #8160.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 324487b596fbcda0a5753c7bb7b2e96e9d512479)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/dnxhdenc: Fix undefined left shifts of negative numbers | Andreas Rheinhardt | 2020-07-03 | 1 | -3/+3
  Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit b7f156e8cbdf3256c7860c62ebb7a6c3002cbb03)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/pcm: Fix undefined shifts | Andreas Rheinhardt | 2020-07-03 | 1 | -2/+2
  Fixes the acodec-pcm-u16[lb]e FATE-tests.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  (cherry picked from commit 69473bec6f38fefc9a433d95f8e00de101299592)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/wavpackenc: Fix undefined shifts | Andreas Rheinhardt | 2020-07-03 | 1 | -3/+3
  Fixes ticket #8161 and the acodec-wavpack FATE-test.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  (cherry picked from commit 84974c6fb542cf019904016c2165d9a62db9f312)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/ac3enc: Fix invalid shift | Andreas Rheinhardt | 2020-07-03 | 1 | -1/+1
  Fixes the FATE-tests unknown_layout-ac3, ac3-fixed-encode, ac3-encode and eac3-encode. It furthermore fixes the ac3-encoder bugs mentioned in tickets #7994, #8144 and #8159.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 2f289ec914cc7e8133858d4f9e8d91dab685ae44)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/tdsc: Fix undefined shifts | Andreas Rheinhardt | 2020-07-03 | 1 | -3/+3
  Fixes the tdsc FATE-test.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 86bef10e7aee338a4df60c57904c16e33509e76e)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/cavsdsp: Fix undefined left shifts of negative numbers | Andreas Rheinhardt | 2020-07-03 | 1 | -26/+26
  Affected the ffmpeg-filter_colorkey FATE-test (but only if the C version of idct8_add is used and not e.g. the x86 SSE2 version).

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Fixes: left shift of negative value -107
  Fixes: 20398/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5725389278412800
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 0f0f2ab0c3b3d04e904db97b07ae829c72c91778)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/ra144enc: Fix invalid left shift of negative number | Andreas Rheinhardt | 2020-07-03 | 1 | -2/+2
  by replacing it with a multiplication. Said multiplication can't overflow an int32_t because lpc_coefs is limited to 16 bit precision.

  Fixes the FATE-test acodec-ra144 as well as part of #8217.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit e3fb9af6f1353f30855eaa1cbd5befaf06e303b8)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/adxenc: Avoid undefined left shift of negative numbers | Andreas Rheinhardt | 2020-07-03 | 1 | -3/+3
  Replace "((a << shift) + b) >> shift" by "a + (b >> shift)". This avoids a left shift which also happens to trigger undefined behaviour in case "a" is negative.

  This affected the FATE-tests acodec-adpcm-adx and acodec-adpcm-adx-trellis; it also fixes ticket #8008.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 59a9d65e0d790821f88527a82569f56eb2f8a9be)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/adpcm: Fix undefined left shifts of negative numbers | Andreas Rheinhardt | 2020-07-03 | 1 | -8/+8
  Affected the adpcm-afc, adpcm-ea-1, adpcm-ea-2, adpcm-ea-maxis-xa, adpcm-thp and ea-cdata FATE-tests. Also fixes ticket #8487.

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 3ad8af51b7c0a968ac3fd62964780d4ff9136c5a)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/proresenc_anatoliy: Fix invalid left shift of negative number | Andreas Rheinhardt | 2020-07-03 | 1 | -1/+1
  This fixes ticket #7997 as well as the vsynth*-prores_# FATE-tests (where * ranges over { 1, 2, 3, _lena } and # over { , _int, _444, _444_int }).

  (Given that prev_dc is in the range -0xC000..0x3FFF, no overflow can happen upon multiplication with 2.)

  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 198081efb7c7343349f0a7acc836f001c511e990)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input | Andreas Rheinhardt | 2020-07-03 | 1 | -1/+5
  The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit is so big that it extends beyond the end of the input packet; it does so only implicitly by using the checked version of the bytestream2 API. But this has downsides compared to real checks: It can lead to huge allocations (up to 2GiB) even when the input packet is just a few bytes. And furthermore it leads to uninitialized data being output. So add a check to error out early if it happens.

  Also check directly whether there is enough data for the length field.

  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  (cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/bitstream: Don't check for undefined behaviour after it happened | Andreas Rheinhardt | 2020-07-03 | 1 | -1/+1
  Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
  (cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a)
  Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/dstdec: Replace AC overread check by sample rate check | Michael Niedermayer | 2020-07-02 | 1 | -0/+6
  Real files do skip coding 0 bits at the end, thus this kind of check does not work reliably.

  Fixes: Ticket 8770
  Fixes: dst-256fs44-6ch-refdstencoder.dff

  The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed values; this can also be used to limit the duration and avoid the timeout.

  This reverts commit f6df99dba1ae64b05d08fba8160d13eb9795042f.

  (cherry picked from commit 1679f23beb3cfc3639352b3cbe7c08c00189c6b0)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/pngdec: Check for fctl after idat | Michael Niedermayer | 2020-07-01 | 1 | -0/+5
  Fixes: out of array access
  Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz
  Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  (cherry picked from commit 65b1ba680fb67902a9c876a49d0146eaae5a1c3d)
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>