- 01 Dec, 2019 9 commits
-
-
Michael Niedermayer authored
Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int' Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
This avoids problems if the function is called twice Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
ff_flac_parse_picture() parses a buffer containing a flac metadata picture block by wrapping it in an AVIOContext and using the AVIOContext API. Consequently, when not enough data could be read AVERROR(EIO) was returned although reading didn't really fail: A block that contains a subfield whose size field indicates that it is so big as to extend beyond the buffer is just invalid. This commit changes this by using the bytestream2 API instead; furthermore, the checks for whether there is enough data left are performed before allocating a buffer for said data. Finally, if the length of the picture description is bigger than INT_MAX, it will now raise an error. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
During parsing a flac picture metadata block, the mimetype is read as follows: Its 32b size field is read and checked for being in the range 1..63; afterwards, the actual mimetype-string is read into a buffer of size 64, where the length to read is the minimum of the length field and the size of the destination buffer -1. Then an assert guards that length is indeed < the size of the destination buffer before the string in the buffer is zero-terminated. The FFMIN as well as the assert are actually redundant, as it has been checked that the string (even after terminating) fits into the buffer. In order to make this clear, reword the check "len >= 64" to "len >= sizeof(mimetype)" and drop the FFMIN as well as the assert. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Reviewed-by: Jeyapal, Karthick <kjeyapal@akamai.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
- 30 Nov, 2019 4 commits
-
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
Andriy Gelman authored
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Andreas Rheinhardt authored
This happens if allocating extradata fails and s->remove is unset. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
Skip the avcC specific size bytes and the NAL header bits. Signed-off-by: James Almer <jamrial@gmail.com>
-
- 29 Nov, 2019 10 commits
-
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
This is required to demux annexb samples when a decoder isn't available. Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
This uses a raw h264 bitstream as source, in order to test the avcC generation code. Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
Zhao Zhili authored
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Paul B Mahol authored
-
Paul B Mahol authored
-
Jun Zhao authored
fix potential null pointer dereference Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
Jun Zhao authored
check avformat_new_stream() return. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
- 28 Nov, 2019 17 commits
-
-
Limin Wang authored
Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Put an AVIOContext whose lifetime doesn't extend beyond the function where it is allocated on the stack instead of allocating and freeing it. This also avoids the need to free it, which in this case fixes possible memleaks on error. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small dynamic buffers. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small dynamic buffers (i.e. small master elements). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small tags. Furthermore, it simplifies freeing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small extradata. Furthermore, it simplifies freeing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small headers. Furthermore, it simplifies freeing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small tags. Furthermore, it simplifies freeing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
Up until now, using a dynamic buffer entailed at least three allocations: One for the AVIOContext, one for the AVIOContext's opaque (which, among other things, contains the small write buffer), and one for the big buffer that is independently allocated that is returned when calling avio_close_dyn_buf().

It is possible to avoid the third allocation if one doesn't use a packetized dynamic buffer, if all the data written so far fit into the write buffer and if one does not require the actual (big) buffer to have an indefinite lifetime. This is done by making avio_get_dyn_buf() return a pointer to the data in the write buffer if nothing has been written to the main buffer yet. The dynamic buffer will then be freed using ffio_free_dynamic_buffer (which needed to be modified not to call avio_close_dyn_buf() internally).

So a typical use-case like:

    size = avio_close_dyn_buf(dyn_pb, &buf);
    do something with buf
    av_free(buf);

can be converted to:

    size = avio_get_dyn_buf(dyn_pb, &buf);
    do something with buf
    ffio_free_dynamic_buffer(&dyn_pb);

In more complex scenarios this can simplify freeing as well, because it is now clear that freeing always has to be performed via ffio_free_dynamic_buffer(). Of course, in case this saves an allocation it also saves a memcpy.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Limin Wang authored
Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
The extradata is not changed at all. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Zhao Zhili authored
webp decoder doesn't set update_thread_context field

    $ ffmpeg -i rgb_q80.webp -f null -
    [webp @ 0x7ffbd5823200] Multiple ff_thread_finish_setup() calls

Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Limin Wang authored
Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Linjie Fu authored
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
-
Zhong Li authored
Reviewed-by: Gyan Doshi <ffmpeg@gyani.pro> Signed-off-by: Zhong Li <zhongli_dev@126.com>
-
Zhong Li authored
Signed-off-by: Zhong Li <zhongli_dev@126.com>
-