- 07 Oct, 2019 8 commits
-
-
Andreas Rheinhardt authored
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
When flushing, MAX_FRAME_HEADER_SIZE bytes (always zero) are supposed to be written to the fifo buffer in order to be able to check the rest of the buffer for frame headers. It was intended to write these by writing a small buffer of size MAX_FRAME_HEADER_SIZE to the buffer. But the way it was actually done ensured that this did not happen: First, it would be checked whether the size of the input buffer was zero, in which case it buf_size would be set to MAX_FRAME_HEADER_SIZE and read_end would be set to indicate that MAX_FRAME_HEADER_SIZE bytes need to be written. Then it would be made sure that there is enough space in the fifo for the data to be written. Afterwards the data is written. The check used here is for whether buf_size is zero or not. But if it was zero initially, it is MAX_FRAME_HEADER_SIZE now, so that not the designated buffer for writing MAX_FRAME_HEADER_SIZE is written; instead the padded buffer (from the stack of av_parser_parse2()) is used. This works because AV_INPUT_BUFFER_PADDING_SIZE >= MAX_FRAME_HEADER_SIZE. Lateron, buf_size is set to zero again. Given that since 7edbd536, the actual amount of data read is no longer automatically equal to buf_size, it is completely unnecessary to modify buf_size at all. Moreover, modifying it is dangerous: Some allocations can fail and because buf_size is never reset to zero in this codepath, the parser might return a value > 0 on flushing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
For a parser, the input buffer is always != NULL: In case of flushing, the indicated size of the input buffer will be zero and the input buffer will point to a zeroed buffer of size 0 + AV_INPUT_BUFFER_PADDING. Therefore one does not need to check for whether said buffer is NULL or not. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
Only decrement the number of buffered headers if a header has actually been freed. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
The flac parser uses a fifo to buffer its data. Consequently, when searching for sync codes of flac packets, one needs to take care of the possibility of wraparound. This is done by using an optimized start code search that works on each of the continuous buffers separately and by explicitly checking whether the last pre-wrap byte and the first post-wrap byte constitute a valid sync code. Moreover, the last MAX_FRAME_HEADER_SIZE - 1 bytes ought not to be searched for (the start of) a sync code because a header that might be found in this region might not be completely available. These bytes ought to be searched lateron when more data is available or when flushing. Unfortunately there was an off-by-one error in the calculation of the length to search of the post-wrap buffer: It was too large, because the calculation was based on the amount of bytes available in the fifo from the last pre-wrap byte onwards. This meant that a header might be parsed twice (once prematurely and once regularly when more data is available); it could also mean that an invalid header will be treated as valid (namely if the length of said invalid header is MAX_FRAME_HEADER_SIZE and the invalid byte that will be treated as the last byte of this potential header happens to be the right CRC-8). Should a header be parsed twice, the second instance will be the best child of the first instance; the first instance's score will be FLAC_HEADER_BASE_SCORE - FLAC_HEADER_CHANGED_PENALTY ( = 3) higher than the second instance's score. So the frame belonging to the first instance will be output and it will be done as a zero length frame (the difference of the header's offset and the child's offset). This has serious consequences when flushing, as returning a zero length buffer signals to the caller that no more data will be output; consequently the last frames not yet output will be dropped. Furthermore, a "sample/frame number mismatch in adjacent frames" warning got output when returning the zero-length frame belonging to the first header, because the child's sample/frame number of course didn't match the expected sample frame/number given its parent. filter/hdcd-mix.flac from the FATE-suite was affected by this (the last frame was omitted) which is the reason why several FATE-tests needed to be updated. Fixes ticket #5937. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
The FLACHeaderMarker structure contained a pointer to an array of int; said array was always allocated and freed at the same time as its referencing FLACHeaderMarker; the pointer was never modified to point to a different array and each FLACHeaderMarker had its own unique array. Furthermore, all these arrays had a constant size. Therefore include this array in the FLACHeaderMarker struct. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
FLAC sync codes contain a byte equal to 0xFF and so the function that searches for sync codes first searched for this byte. It did this by checking four bytes at once; these bytes have been read via AV_RB32, but the test works just as well with native endianness. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
They are not allowed outside of functions. Fixes the warning "ISO C does not allow extra ‘;’ outside of a function [-Wpedantic]" when compiling with GCC and -pedantic. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
- 06 Oct, 2019 4 commits
-
-
Michael Niedermayer authored
Fixes: Timeout (17sec ->281ms) Fixes: 17833/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5638346914660352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'. Affected the FATE-tests vsynth1-cinepak, vsynth2-cinepak and vsynth_lena-cinepak. Also fixes ticket #8220. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Jun Zhao authored
Correct the flags for AVCodecContext.flags2. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
Jun Zhao authored
fix indentation. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Gyan Doshi <ffmpeg@gyani.pro> Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
- 03 Oct, 2019 3 commits
-
-
Michael Niedermayer authored
Fixes: memleaks Fixes: 17813/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5145600206569472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: left shift of negative value -6 Fixes: 17810/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5638541240958976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: null pointer dereference Fixes: signed integer overflow: 512 * 2147483647 cannot be represented in type 'int' Fixes: 17809/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5634409947987968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 02 Oct, 2019 2 commits
-
-
Michael Niedermayer authored
Fixes: Timeout (100sec -> 0.7sec) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5174143888130048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
This basically checks if a pixel that was coded with prediction and residual could have been stored using a previous case. This avoids basically a string of 0 symbols stored in less than 50 bytes to hit a O(n²) codepath. Fixes: Timeout (too slow to wait -> immediately) Fixes: 8668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4895946310680576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 01 Oct, 2019 1 commit
-
-
Carl Eugen Hoyos authored
Usage of strtok() was removed from x264, see also b02490a4
-
- 30 Sep, 2019 3 commits
-
-
Michael Niedermayer authored
Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int' Fixes: 17745/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5734628463214592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: signed integer overflow: 2 * -1306460384 cannot be represented in type 'int' Fixes: 17685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_fuzzer-5747390337777664 Fixes: 17688/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5739287210885120 Fixes: 17699/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-5678394531905536 Fixes: 17738/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5763415733174272 Fixes: 17746/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5703008159006720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: left shift of negative value -24576 Fixes: 17719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APTX_fuzzer-5710508002377728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 29 Sep, 2019 4 commits
-
-
Paul B Mahol authored
Fixes #7991.
-
Andreas Rheinhardt authored
When performing a comparison of a signed int and an unsigned int, the signed int is first converted to an unsigned int, so that negative values are being treated as big, positive values. This can become a problem in an overread check, namely when an overread already happened. So change the type of the variable containing the amount of bits that need to be left to signed. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice, as parameter sets with invalid ids were already filtered out during reading. Found via PVS-Studio (see ticket #8156). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
James Almer authored
header.data_max and header.data_min are not necessarely set on all decoding scenarios. Fixes a Valgrind reported regression since cfa19377. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: James Almer <jamrial@gmail.com>
-
- 28 Sep, 2019 15 commits
-
-
Michael Niedermayer authored
Fixes: Timeout (30sec -> 25sec) Fixes: 17050/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5719149803732992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
avcodec/ituh263dec: Make the condition for the studio slice start code match between ff_h263_resync() and ff_mpeg4_decode_studio_slice_header() If they mismatch an infinite loop can occur Fixes: Timeout (infinite loop) Fixes: 17043/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5695051748868096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: signed integer overflow: -1094995519 * 64 cannot be represented in type 'int' Fixes: 17030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5640695838146560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int' Fixes: 16976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4847262047404032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: left shift of negative value -2 Fixes: 16964/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5757853565976576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: left shift of negative value -7 Fixes: 16959/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5200360825683968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: overflow in aspect ratio calculation Fixes: signed integer overflow: 393215 * 14594 cannot be represented in type 'int' Fixes: 15728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5661588893204480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
"9.1.1.43 P Reference Distance (REFDIST)" "The value of REFDIST shall be less than, or equal to, 16." Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
We need to reset samples in this case to avoid being stuck with incorrect samples value. Fixes: OOM Fixes: Timeout Fixes: 16627/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5638059583864832 Fixes: 17089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5672188463546368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: signed integer overflow: -14527961 - 2147483425 cannot be represented in type 'int' Fixes: 16380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5645957131141120 Fixes: 16968/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5716169901735936 Fixes: 17074/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5198710497083392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Values larger would fail subsequent tests. Fixes: signed integer overflow: 5 + 2147483646 cannot be represented in type 'int' Fixes: 16966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5695709549953024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests (where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Fixes ticket #8160. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
libavcodec/ffv1enc.c accessed an array of uint8_t [32] via array[0][j] in order to loop over all the uint8_t in this array of arrays. Of course this implied an out-of-bounds access for array[0] and UBSan complained about this. So replace this with nested loops; furthermore, factor this out into a function of its own to easily break out of the nested loops. This affected the FATE-tests vsynth1-ffv1, vsynth1-ffv1-v3-yuv420p, vsynth1-ffv1-v3-yuv422p10, vsynth1-ffv1-v3-yuv444p16, vsynth1-ffv1-v3-bgr0, vsynth1-ffv1-ffv1-v3-rgb48 as well as the corresponding vsynth2-*, vsynth3-* and the vsynth_lena-* tests. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-