Fixes: 13655/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5120559430500352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ea211ab79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The function in case of n=0 would read more bytes than 0.
The end pointer could be beyond the allocated space, which
is undefined.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6f0e9a8634)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized variables
Fixes: blank.aa
Found-by: Chamal De Silva <chamal.desilva@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ed188f6dcd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: index 20 out of bounds for type 'const char *[4][128]'
Fixes: 14367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CCAPTION_fuzzer-5718819672162304
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f17e8e90bb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It seems the specification does not limit the value to 32bit
Fixes: signed integer overflow: -109611143 * 24 cannot be represented in type 'int'
Fixes: 13477/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5648337460527104
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 837820f385)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 255 + 2147483634 cannot be represented in type 'int'
Fixes: 13472/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5712444142387200
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0ad0533e91)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Out of array access
Fixes: 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a0ec1511e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This can happen when av_bsf_free() is called on av_bsf_alloc() failure.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d889ae3396)
Recently we encountered an issue when decoding a h.263 file:
FFmpeg will freeze when decoding h.263 video with NVDEC. Turns out this is not directly related to NVDEC but is a problem that shows with several other HW decoders like VDPAU, though the exact kind of error is different (either error messages or freezing[1]). The root cause is that ff_thread_finish_setup() is called twice per frame from ff_h263_decode_frame(). This is not supported by ff_thread_finish_setup() and specifically checked for and warned against in the functions code. The issue is also specific to hw accelerated decoding only as the second call to ff_thread_finish_setup() is only issued when hw acceleration is on. The fix is simple: add a check that the first call is only send when hw acceleration is off, and the second call only when hw acceleration is on (see attached patch). This works fine as far as I was able to test with vdpau and nvdec/nvcuvid hw decoding. The patch also adds NVDEC to the hw config list if available.
I also noticed a secondary issue when browsing through the code which is that, according to documentation, ff_thread_finish_setup() should only be called if the codec implements update_thread_context(), which h263dec does not. The patch does not address this and I'm not sure any action needs to be taken here at all.
[1] This is depending on whether or not the hw decoder sets the HWACCEL_CAPS_ASYNC_SAFE flag
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
The alloc_size attribute is valid only on functions that return a
pointer. GCC 9 (not yet released) warns about invalid usage:
./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes]
342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size);
| ^~~~~~~~~~~~~
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4361293fcf)
Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304
This also fixes the return code for explode mode
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 54655623a8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found by Mingi Cho, Seoyoung Kim, and Taekyoung Kwon
of the Information Security Lab, Yonsei University.
(cherry picked from commit 1e34014010)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 1111638592 - -2122219136 cannot be represented in type 'int'
Fixes: 13441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5732769815068672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1223696c72)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reference: ETSI EN 300 743 V1.2.1 7.2.2 Region composition segment
Fixes: Timeout
Fixes: 13325/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5143979392237568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a8c5ae4511)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Testcase: 13169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5666354038833152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5cf42f65b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: 2147483598 + 128 cannot be represented in type 'int'
Fixes: 12926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5705100733972480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4801eea0d4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This speeds up the testcase by a factor of 4
Fixes: Timeout
Fixes: 13100/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5767533905313792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e4289cb253)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fc32e08941)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The frame is not needed that early so obtaining it later avoids
the costly operation in case other checks fail.
Fixes: Timeout (14sec -> 4sec)
Fixes: 13140/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-5738330308739072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 177b40890c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: 2147421862 - -33624063 cannot be represented in type 'int'
Fixes: 12885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5733516975800320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5ccf296e74)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Found-by: Wenxiang Qian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b687b549aa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 85f91ed760)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a142ffdcae)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: memleak
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5649187601121280
Reported-by: Chris Cunningham <chcunningham@google.com>
Tested-by: Chris Cunningham <chcunningham@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d1afa7284c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 1377/clusterfuzz-testcase-minimized-5487049807233024
Fixes: assertion failure in sbr_sum_square_c()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4cde7e62db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Bad content may contain stsc boxes with a first_chunk index that
exceeds stco.entries (chunk_count). This ammends the existing check to
include cases where chunk_count == 0. It also patches up the case
when stsc refers to unknown chunks, but stts has no samples (so we
can simply ignore stsc).
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c15449ca9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Detecting missing tfhd avoids re-using tfhd track info from the previous
moof. For files with multiple tracks, this may make a mess of the
avindex and fragindex, which can later trigger av_assert0 in
mov_read_trun().
Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ea87e5d9e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
In such a duplication the previous gets overwritten and leaks
Fixes: memleak
Fixes: 12510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5694439226343424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e35c3d887b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: OOM
Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 497c9b0cce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Infinite loop
Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0b50f27635)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This is strongly based on code by Marton Balint, and depends on the previous commit
Fixes: Timeout
Fixes: 11502/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920
Before: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 11209 ms
After: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 4104 ms
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f64c0dffa1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer
James Almer
Carl Eugen Hoyos
Stefan Schoenefeld
Mark Harris
Wenxiang Qian
Kevin Backhouse via RT
chcunningham