- 01 Dec, 2019 18 commits
-
-
Michael Niedermayer authored
This optimizes the code slightly (116 -> 80sec) Testcase: 18668/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5710836719157248 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
buf_size is not updated as buf is advanced so it is wrong after the first iteration Fixes: Timeout (160sec -> 27sec) Fixes: 18658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5729784269373440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
This will be used in the next commit Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
The 0 case was added with the support for multiple packets. It appears unintended and causes extra complexity and out of array accesses (though within padding) No testcase Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
This combination would assume different block sizes throughout the code so its better to error out. Fixes: signed integer overflow: -1082385168 * 2 cannot be represented in type 'int' Fixes: 19110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5643993950191616 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 18643/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5672182449700864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: Assertion failure Fixes: 18630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5201588654440448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int' Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int' Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Michael Niedermayer authored
This avoids problems if the function is called twice Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
ff_flac_parse_picture() parses a buffer containing a flac metadata picture block by wrapping it in an AVIOContext and using the AVIOContext API. Consequently, when not enough data could be read AVERROR(EIO) was returned although reading didn't really fail: A block that contains a subfield whose size field indicates that it is so big as to extend beyond the buffer is just invalid. This commit changes this by using the bytestream2 API instead; furthermore, the checks for whether there is enough data left are performed before allocating a buffer for said data. Finally, if the length of the picture description is bigger than INT_MAX, it will now raise an error. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
During parsing a flac picture metadata block, the mimetype is read as follows: Its 32b size field is read and checked for being in the range 1..63; afterwards, the actual mimetype-string is read into a buffer of size 64, where the length to read is the minimum of the length field and the size of the destination buffer -1. Then an assert guards that length is indeed < the size of the destination buffer before the string in the buffer is zero-terminated. The FFMIN as well as the assert are actually redundant, as it has been checked that the string (even after terminating) fits into the buffer. In order to make this clear, reword the check "len >= 64" to "len >= sizeof(mimetype)" and drop the FFMIN as well as the assert. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
Steven Liu authored
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Reviewed-by: Jun Zhao <barryjzhao@tencent.com> Reviewed-by: Jeyapal, Karthick <kjeyapal@akamai.com> Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
-
- 30 Nov, 2019 4 commits
-
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
Andriy Gelman authored
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Andreas Rheinhardt authored
This happens if allocating extradata fails and s->remove is unset. Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
Skip the avcC specific size bytes and the NAL header bits. Signed-off-by: James Almer <jamrial@gmail.com>
-
- 29 Nov, 2019 10 commits
-
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
This is required to demux annexb samples when a decoder isn't available. Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
This uses a raw h264 bitstream as source, in order to test the avcC generation code. Signed-off-by: James Almer <jamrial@gmail.com>
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
Zhao Zhili authored
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Paul B Mahol authored
-
Paul B Mahol authored
-
Jun Zhao authored
fix potential null pointer dereference Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
Jun Zhao authored
check avformat_new_stream() return. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
- 28 Nov, 2019 8 commits
-
-
Limin Wang authored
Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Andreas Rheinhardt authored
Put an AVIOContext whose lifetime doesn't extend beyond the function where it is allocated on the stack instead of allocating and freeing it. This also avoids the need to free it, which in this case fixes possible memleaks on error. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
James Almer authored
Signed-off-by: James Almer <jamrial@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small dynamic buffers. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small dynamic buffers (i.e. small master elements). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small tags. Furthermore, it simplifies freeing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small extradata. Furthermore, it simplifies freeing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-
Andreas Rheinhardt authored
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for small headers. Furthermore, it simplifies freeing. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
-