Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fix a NULL dereference and leaks.
Signed-off-by: Kusanagi Kouichi <slash@ac.auone-net.jp>
Signed-off-by: Marton Balint <cus@passwd.hu>

This should improve coverage
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

This should increase coverage
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

6144 byte alignment is needed.
Signed-off-by: Marton Balint <cus@passwd.hu>

Signed-off-by: Marton Balint <cus@passwd.hu>

Signed-off-by: Marton Balint <cus@passwd.hu>

Signed-off-by: Marton Balint <cus@passwd.hu>

This sets the range of the first automatically assigned PMT PID or elementary
stream PID parameters to [0x20, 0x1ffa]. You can still assign manually a PID
for a stream using AVStream->id in the wider [0x10, 0x1ffe] range as specified
by ISO13818-1. But since DVB and ATSC both reserves some PIDs, let's not allow
them to be automatically assigned.

Also make sure that assigned PID numbers are valid and fix the error message
for the previous PID collision checks.
Signed-off-by: Marton Balint <cus@passwd.hu>

Signed-off-by: Guo, Yejun <yejun.guo@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Introduced since 07793962.
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

The unsharp filter uses an array of arrays of uint32_t, each of which is
separately allocated. These arrays also need to freed separately; but
before doing so, one needs to check whether the array of arrays has
actually been allocated, otherwise one would dereference a NULL pointer.
This fixes #8408.

Furthermore, the array of arrays needs to be zero-initialized so that
no uninitialized pointer will be freed in case an allocation of one of
the individual arrays fails.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: James Almer <jamrial@gmail.com>

This fixes marking keyframes in svc samples.
Signed-off-by: James Almer <jamrial@gmail.com>

Signed-off-by: James Almer <jamrial@gmail.com>

Signed-off-by: James Almer <jamrial@gmail.com>

This reverts commit 8174e5c7.

It's no longer needed after the previous commit.
Signed-off-by: James Almer <jamrial@gmail.com>

Defined in Section 7.8

This finishes implementing support for frames using
frame_refs_short_signaling.
Signed-off-by: James Almer <jamrial@gmail.com>

Fixes: Timeout (80sec -> 33sec)
Fixes: 18668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5710836719157248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

This optimizes the code slightly (116 -> 80sec)
Testcase: 18668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5710836719157248
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

buf_size is not updated as buf is advanced so it is wrong after the first
iteration

Fixes: Timeout (160sec -> 27sec)
Fixes: 18658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5729784269373440

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

This will be used in the next commit
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

The 0 case was added with the support for multiple packets. It
appears unintended and causes extra complexity and out of array
accesses (though within padding)

No testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

This combination would assume different block sizes throughout the code so its
better to error out.

Fixes: signed integer overflow: -1082385168 * 2 cannot be represented in type 'int'
Fixes: 19110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5643993950191616
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
Fixes: 18643/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5672182449700864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: Assertion failure
Fixes: 18630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5201588654440448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int'
Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int'
Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

This avoids problems if the function is called twice
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

ff_flac_parse_picture() parses a buffer containing a flac metadata
picture block by wrapping it in an AVIOContext and using the AVIOContext
API. Consequently, when not enough data could be read AVERROR(EIO) was
returned although reading didn't really fail: A block that contains a
subfield whose size field indicates that it is so big as to extend
beyond the buffer is just invalid.

This commit changes this by using the bytestream2 API instead;
furthermore, the checks for whether there is enough data left are
performed before allocating a buffer for said data.

Finally, if the length of the picture description is bigger than
INT_MAX, it will now raise an error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

During parsing a flac picture metadata block, the mimetype is read as
follows: Its 32b size field is read and checked for being in the range
1..63; afterwards, the actual mimetype-string is read into a buffer of
size 64, where the length to read is the minimum of the length field and
the size of the destination buffer -1. Then an assert guards that length
is indeed < the size of the destination buffer before the string in the
buffer is zero-terminated.

The FFMIN as well as the assert are actually redundant, as it has
been checked that the string (even after terminating) fits into the
buffer. In order to make this clear, reword the check "len >= 64" to
"len >= sizeof(mimetype)" and drop the FFMIN as well as the assert.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Reviewed-by: Jeyapal, Karthick <kjeyapal@akamai.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Signed-off-by: James Almer <jamrial@gmail.com>