Defined in Section 7.8

This finishes implementing support for frames using
frame_refs_short_signaling.
Signed-off-by: James Almer <jamrial@gmail.com>

Fixes: Timeout (80sec -> 33sec)
Fixes: 18668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5710836719157248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

This optimizes the code slightly (116 -> 80sec)
Testcase: 18668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5710836719157248
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

buf_size is not updated as buf is advanced so it is wrong after the first
iteration

Fixes: Timeout (160sec -> 27sec)
Fixes: 18658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5729784269373440

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

This will be used in the next commit
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

The 0 case was added with the support for multiple packets. It
appears unintended and causes extra complexity and out of array
accesses (though within padding)

No testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

This combination would assume different block sizes throughout the code so its
better to error out.

Fixes: signed integer overflow: -1082385168 * 2 cannot be represented in type 'int'
Fixes: 19110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5643993950191616
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
Fixes: 18643/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5672182449700864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: Assertion failure
Fixes: 18630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5201588654440448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int'
Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int'
Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

This avoids problems if the function is called twice
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

ff_flac_parse_picture() parses a buffer containing a flac metadata
picture block by wrapping it in an AVIOContext and using the AVIOContext
API. Consequently, when not enough data could be read AVERROR(EIO) was
returned although reading didn't really fail: A block that contains a
subfield whose size field indicates that it is so big as to extend
beyond the buffer is just invalid.

This commit changes this by using the bytestream2 API instead;
furthermore, the checks for whether there is enough data left are
performed before allocating a buffer for said data.

Finally, if the length of the picture description is bigger than
INT_MAX, it will now raise an error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

During parsing a flac picture metadata block, the mimetype is read as
follows: Its 32b size field is read and checked for being in the range
1..63; afterwards, the actual mimetype-string is read into a buffer of
size 64, where the length to read is the minimum of the length field and
the size of the destination buffer -1. Then an assert guards that length
is indeed < the size of the destination buffer before the string in the
buffer is zero-terminated.

The FFMIN as well as the assert are actually redundant, as it has
been checked that the string (even after terminating) fits into the
buffer. In order to make this clear, reword the check "len >= 64" to
"len >= sizeof(mimetype)" and drop the FFMIN as well as the assert.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Reviewed-by: Jeyapal, Karthick <kjeyapal@akamai.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>

Signed-off-by: James Almer <jamrial@gmail.com>

Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>

This happens if allocating extradata fails and s->remove is unset.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>

Skip the avcC specific size bytes and the NAL header bits.
Signed-off-by: James Almer <jamrial@gmail.com>

Signed-off-by: James Almer <jamrial@gmail.com>

This is required to demux annexb samples when a decoder isn't available.
Signed-off-by: James Almer <jamrial@gmail.com>

This uses a raw h264 bitstream as source, in order to test the avcC
generation code.
Signed-off-by: James Almer <jamrial@gmail.com>

Signed-off-by: James Almer <jamrial@gmail.com>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

fix potential null pointer dereference
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>

check avformat_new_stream() return.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Put an AVIOContext whose lifetime doesn't extend beyond the function where
it is allocated on the stack instead of allocating and freeing it. This
also avoids the need to free it, which in this case fixes possible
memleaks on error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: James Almer <jamrial@gmail.com>

By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small dynamic buffers.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small dynamic buffers (i.e. small master elements).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small tags. Furthermore, it simplifies freeing.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>