- 05 Jun, 2017 1 commit
-
-
Sysiphus authoredThis reduces the attack surface of local file-system information leaking. It prevents the existing exploit leading to an information leak. As well as similar hypothetical attacks. Leaks of information from files and symlinks ending in common multimedia extensions are still possible. But files with sensitive information like private keys and passwords generally do not use common multimedia filename extensions. It does not stop leaks via remote addresses in the LAN. The existing exploit depends on a specific decoder as well. It does appear though that the exploit should be possible with any decoder. The problem is that as long as sensitive information gets into the decoder, the output of the decoder becomes sensitive as well. The only obvious solution is to prevent access to sensitive information. Or to disable hls or possibly some of its feature. More complex solutions like checking the path to limit access to only subdirectories of the hls path may work as an alternative. But such solutions are fragile and tricky to implement portably and would not stop every possible attack nor would they work with all valid hls files. Developers have expressed their dislike / objected to disabling hls by default as well as disabling hls with local files. There also where objections against restricting remote url file extensions. This here is a less robust but also lower inconvenience solution. It can be applied stand alone or together with other solutions. limiting the check to local files was suggested by nevcairiel Found-by: Emil Lerner and Pavel Cheremushkin Reported-by:
Thierry Foucu <tfoucu@google.com> Signed-off-by:
Michael Niedermayer <michael@niedermayer.cc>
-
- 04 Jun, 2017 14 commits
-
-
Kevin Mark authored
This new FATE test for the scale2ref filter makes use of the recently added scale2ref-specific variables to maintain the aspect ratio of a test input. Filtergraph explanation: [main] has an AR of 4:3. [ref] has an AR of 16:9. 640 / 4 = 160. So the new width for [main] is 160. 160 / ((320 / 240) * (1 / 1)) = 160 / (4 / 3) = 120. So the new height for [main] is 120. 160 / 120 = 4 / 3 so [main]'s aspect ratio has been maintained while using [ref]'s width as a reference point. [ref] is nullsink'd since it is left unchanged by scale2ref (and so shouldn't need to be tested). If we were to use "iw/4:-1" in place of "iw/4:ow/mdar": 640 / 4 = 160. So the new width for [main] would be 160. 360 / 4 = 90. So the new height for [main] would be 90. 160 / 90 = 16 / 9 so [main] now has the same aspect ratio as [ref] which is probably what you do not want. This is currently the only test for scale2ref. Signed-off-by:
Kevin Mark <kmark937@gmail.com> Signed-off-by:
-
Michael Niedermayer authored
The RGB555 PACKBITSRGN case tries to read a palette, if such palette is actually stored then it accesses a null pointer. All 16bit samples i could find use DIRECTBITSRGN. Fixes: 2065/clusterfuzz-testcase-minimized-6298930457346048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
This also increases the range of input values supported as well as decreasing the operation dependencies in the main loop, improving speed on modern CPUs. Fixes part of: 2045/clusterfuzz-testcase-minimized-6751255865065472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
Signed-off-by: -
Paul B Mahol authored
Signed-off-by:Paul B Mahol <onemda@gmail.com>
-
Michael Niedermayer authored
avcodec/wavpack: Fix runtime error: signed integer overflow: 2081021665 - -130689706 cannot be represented in type 'int' Fixes: 2038/clusterfuzz-testcase-minimized-4521466148159488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
Fixes: Timeout Fixes: 2006/clusterfuzz-testcase-minimized-5766515037044736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
James Almer authored
Atempt to read and propagate only full ADTS frames and not other data, like id3v1 or APETags at the end of the file. Fixes ticket #6437. Reviewed-by:
James Almer <jamrial@gmail.com>
-
Paul B Mahol authored
Signed-off-by: -
Marton Balint authored
Reviewed-by:
Marton Balint <cus@passwd.hu>
-
Marton Balint authored
Fixes ticket #6397. Reviewed-by:
-
Michael Niedermayer authored
Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
- 03 Jun, 2017 6 commits
-
-
Michael Niedermayer authored
Signed-off-by: -
Michael Niedermayer authored
Fixes: Timeout Fixes: 1213/clusterfuzz-testcase-minimized-6022987469815808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
This reorders the operations so as to avoid computations with the above arguments before they have been initialized. Fixes part of 1708/clusterfuzz-testcase-minimized-5035111957397504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
The loglevel is choosen so that the main filename and any images of multi image sequences are shown only at debug level to avoid clutter. This makes exploits in playlists more visible. As they would show accesses to private/sensitive files Signed-off-by: -
Kevin Mark authored
ff_scale_eval_dimensions blindly assumes that two inputs are always available as of 3385989b. This is notably not the case when the function is called for the scale filter. With the scale filter inputs[1] does not exist. ff_scale_eval_dimensions now has an updated scale2ref check that makes certain two inputs are actually available before attempting to access the second one. Thanks to James Almer for reporting this bug. This should fix the 820 Valgrind tests I single-handedly managed to break. Signed-off-by:
-
James Almer authored
Move the unpacking outside of the loop. 5% to 10% faster. Suggested-by: ubitux Signed-off-by:
-
- 02 Jun, 2017 6 commits
-
-
James Almer authored
WebM supports a subset of elements from the Chapters master. See https://www.webmproject.org/docs/container/#chapters Addresses ticket #6425 Reviewed-by:
James Zern <jzern@google.com> Signed-off-by:
-
Michael Niedermayer authored
avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') Fixes: 2005/clusterfuzz-testcase-minimized-5744226438479872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
avcodec/snowdec: Fix runtime error: signed integer overflow: 1404 * 8388608 cannot be represented in type 'int' Fixes: 2004/clusterfuzz-testcase-minimized-5533262866808832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Shivraj Patil authored
The current upstreamed code has been written and tested for Little Endian systems. We do have plans to add the Big Endian support in near future, but till that time, need to disable all to avoid its usage and failures. Signed-off-by:
Shivraj Patil <shivraj.patil@imgtec.com> Signed-off-by:
-
Ganapathy Kasi authored
hw accelerated transcode (h264_cuvid -> h264_nvenc with -hwaccel cuvid) was broken after the filtergraph initialization was changed to intialize decoder first followed by encoder (commit af1761f7). During initialzing encoder with bframes, local buffers are allocated internally in encoder which fails since no cuda context is available. Now pushing the correct cuda context before encoder initialization fixes the issue. Also adding push/pop cuda ctx during create/destroy/map/unmap resources and destroy encoder session. Signed-off-by:
Timo Rothenpieler <timo@rothenpieler.org>
-
James Almer authored
About 2x faster than the c version. Signed-off-by:
-
- 01 Jun, 2017 13 commits
-
-
Kevin Mark authored
Variables pertaining to the main video are now available when using the scale2ref filter. This allows, as an example, scaling a video with another as a reference point while maintaining the original aspect ratio of the primary/non-reference video. Consider the following graph: scale2ref=iw/6:-1 [main][ref] This will scale [main] to 1/6 the width of [ref] while maintaining the aspect ratio. This works well when the AR of [ref] is equal to the AR of [main] only. What the above filter really does is maintain the AR of [ref] when scaling [main]. So in all non-same-AR situations [main] will appear stretched or compressed to conform to the same AR of the reference video. Without doing this calculation externally there is no way to scale in reference to another input while maintaining AR in libavfilter. To make this possible, we introduce eight new constants to be used in the w and h expressions only in the scale2ref filter: * main_w/main_h: width/height of the main input video * main_a: aspect ratio of the main input video * main_sar: sample aspect ratio of the main input video * main_dar: display aspect ratio of the main input video * main_hsub/main_vsub: horiz/vert chroma subsample vals of main * mdar: a shorthand alias of main_dar Of course, not all of these constants are needed for maintaining the AR, but adding additional constants in line of what is available for in/out allows for other scaling possibilities I have not imagined. So to now scale a video to 1/6 the size of another video using the width and maintaining its own aspect ratio you can do this: scale2ref=iw/6:ow/mdar [main][ref] This is ideal for picture-in-picture configurations where you could have a square or 4:3 video overlaid on a corner of a larger 16:9 feed all while keeping the scaled video in the corner at its correct aspect ratio and always the same size relative to the larger video. I've tried to re-use as much code as possible. I could not find a way to avoid duplication of the var_names array. It must now be kept in sync with the other (the normal one and the scale2ref one) for everything to work which does not seem ideal. For every new variable introduced/removed into/from the normal scale filter one must be added/removed to/from the scale2ref version. Suggestions on how to avoid var_names duplication are welcome. var_values has been increased to always be large enough for the additional scale2ref variables. I do not forsee this being a problem as the names variable will always be the correct size. From my understanding of av_expr_parse_and_eval it will stop processing variables when it runs out of names even though there may be additional (potentially uninitialized) entries in the values array. The ideal solution here would be using a variable-length array but that is unsupported in C90. This patch does not remove any functionality and is strictly a feature patch. There are no API changes. Behavior does not change for any previously valid inputs. The applicable documentation has also been updated. Signed-off-by:
-
Michael Niedermayer authored
Fixes: Timeout Fixes: 2001/clusterfuzz-testcase-minimized-6187599389523968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Michael Niedermayer authored
avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int' Fixes: 1925/clusterfuzz-testcase-minimized-5564569688735744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by:
-
Paul B Mahol authored
Signed-off-by: -
Vittorio Giovara authored
-
Vittorio Giovara authored
-
James Almer authored
Should prevents future conflicts with the similarly named floatdsp tests
-
Timo Rothenpieler authored
-
Timo Rothenpieler authored
-
Timo Rothenpieler authored
-
Timo Rothenpieler authored
-
Srinath K R authored
AVCodecContext::refs is used to control the DPB size to be used by the encoder. The default value for AVCodecContext::refs as set in libavcodec/options_table.h is 1. This patch sets AVCodecContext::refs to 0 for h264_nvenc and hevc_nvenc in order to let the driver take the decision of the correct DPB size to use in all cases. Signed-off-by:
Srinath K R <skr@nvidia.com> Signed-off-by:
-
