Michael Niedermayer
63637e457c
avcodec/h264_slice: Clear ref_counts on redundant slices
...
Fixes reading freed memory
Fixes: 568/clusterfuzz-testcase-6107186067406848
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit c03029a835michael@niedermayer.cc >
2017-02-08 19:22:05 +01:00
Michael Niedermayer
a1a14982ec
avcodec/pictordec: Fix logic error
...
Fixes: 559/clusterfuzz-testcase-6424225917173760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8c2ea3030amichael@niedermayer.cc >
2017-02-07 21:33:20 +01:00
Michael Niedermayer
44ce16b7f9
avcodec/movtextdec: Fix decode_styl() cleanup
...
Fixes: null pointer dereference
Fixes: 555/clusterfuzz-testcase-5986646595993600
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e248522d1bmichael@niedermayer.cc >
2017-02-06 12:11:37 +01:00
Michael Niedermayer
7e1d9d25fe
avcodec/pngdec: Check trns more completely
...
Fixes out of array access
Fixes: 546/clusterfuzz-testcase-4809433909559296
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e477f09d0bmichael@niedermayer.cc >
2017-02-06 10:17:13 +01:00
Michael Niedermayer
d399f25bd1
avcodec/interplayvideo: Move parameter change check up
...
Fixes out of array read
Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit b1e2192007michael@niedermayer.cc >
2017-02-06 10:17:13 +01:00
Michael Niedermayer
7323a8ab29
avcodec/dca_lbr: Fix off by 1 error in freq check
...
Fixes out of array read
Fixes: 510/clusterfuzz-testcase-5737865715646464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 61f70416f8michael@niedermayer.cc >
2017-02-06 10:17:13 +01:00
Michael Niedermayer
aa20863f44
avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()
...
Fixes timeout
Fixes: 496/clusterfuzz-testcase-5805083497332736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 3782656631michael@niedermayer.cc >
2017-02-06 10:17:13 +01:00
Andreas Cadhalpun
83269fd13b
pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
...
The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 842e98b4d8Andreas.Cadhalpun@googlemail.com >
2017-02-01 02:28:09 +01:00
Michael Niedermayer
dc2d3856f3
avcodec/utils: correct align value for interplay
...
Fixes out of array access
Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 2080bc3371michael@niedermayer.cc >
2017-01-26 00:34:13 +01:00
Michael Niedermayer
dd36b3a06a
avcodec/vp56: Check for the bitstream end, pass error codes on
...
Fixes timeout
Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 9e6a242755michael@niedermayer.cc >
2017-01-26 00:34:13 +01:00
Michael Niedermayer
14f555683a
avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
...
Fixes timeout
Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 755933cb5cmichael@niedermayer.cc >
2017-01-26 00:34:13 +01:00
Michael Niedermayer
bd6c1d5149
avcodec/pngdec: Fix off by 1 size in decode_zbuf()
...
Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e371f031b9michael@niedermayer.cc >
2017-01-26 00:34:12 +01:00
Michael Niedermayer
3442c20c4d
avcodec/bsf: Fix av_bsf_list_free()
...
Negate null check
Fixes CID1396248
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 762bf6f4afmichael@niedermayer.cc >
2017-01-26 00:34:12 +01:00
Michael Niedermayer
7d222736c2
avcodec/omx: Do not pass negative value into av_malloc()
...
Fixes CID1396849
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit bd83c295fcmichael@niedermayer.cc >
2017-01-26 00:34:12 +01:00
Michael Niedermayer
cd81993070
avcodec/mjpegdec: Check for rgb before flipping
...
Fixes assertion failure due to unsupported case
Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 25d9643f11michael@niedermayer.cc >
2017-01-26 00:34:12 +01:00
Michael Niedermayer
0e6febff5a
avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
...
We are checking during encoding if there is enough space as version 4 needs that
check.
Fixes Ticket6005
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 38a7834bbbmichael@niedermayer.cc >
2016-12-11 00:21:53 +01:00
Michael Niedermayer
3f779aef79
avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
...
Fixes: part of 670190.ogg
Found-by: Matt Wolenetz <wolenetz@google.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8258e36385michael@niedermayer.cc >
2016-12-11 00:21:53 +01:00
Michael Niedermayer
aec21cd840
avcodec/ffv1enc: Fix size of first slice
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit cff1c0edaamichael@niedermayer.cc >
2016-12-11 00:21:53 +01:00
Michael Niedermayer
af1e19b9e4
avcodec/flacdec: Fix undefined shift in decode_subframe()
...
Fixes undefined behavior
Fixes: 639961-media
Found-by: Matt Wolenetz <wolenetz@google.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 1f5630af51michael@niedermayer.cc >
2016-12-06 00:07:50 +01:00
Michael Niedermayer
334901aea0
avcodec/get_bits: Fix get_sbits_long(0)
...
Fixes undefined behavior
Fixes: 640889-media
Found-by: Matt Wolenetz <wolenetz@google.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit c72fa43234michael@niedermayer.cc >
2016-12-06 00:07:50 +01:00
Michael Niedermayer
a772aaf5dc
avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
...
Fixes undefined behavior
Fixes: 640912-media
Found-by: Matt Wolenetz <wolenetz@google.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 83a75bf6c3michael@niedermayer.cc >
2016-12-06 00:07:50 +01:00
Michael Niedermayer
c39e8d05f5
avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
...
Fixes: left shift of negative value
Fixes: 668346-media
Found-by: Matt Wolenetz <wolenetz@google.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit acc163c6abmichael@niedermayer.cc >
2016-12-06 00:07:50 +01:00
Michael Niedermayer
2fb7eb05dc
avcodec/flac_parser: Update nb_headers_buffered
...
Fixes infinite loop
Fixes: fuzz.flac
Found-by: Frank Liberato <liberato@google.com >
Reviewed-by: Frank Liberato <liberato@google.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 2475858889michael@niedermayer.cc >
2016-12-06 00:07:50 +01:00
Michael Niedermayer
2d51cb1d0a
avcodec/me_cmp: Fix median_sad size
...
Fixes out of array read
Fixes: COV1396255
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit d9883ded34michael@niedermayer.cc >
2016-12-06 00:07:50 +01:00
James Almer
c269c43a83
avcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC
...
Fixes ticket #5973
Reviewed-by: Hendrik Leppkes <h.leppkes@gmail.com >
Signed-off-by: James Almer <jamrial@gmail.com >
(cherry picked from commit 6e1902bab4
2016-11-25 18:51:00 -03:00
Andreas Cadhalpun
d147114b9d
mss2: only use error correction for matching block counts
...
This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
with coded_width/coded_height larger than width/height.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 2566ad98b0Andreas.Cadhalpun@googlemail.com >
2016-11-25 22:22:19 +01:00
Andreas Cadhalpun
a6a2d9d1e5
libopusdec: default to stereo for invalid number of channels
...
This fixes an out-of-bounds read if avc->channels is 0.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 8c8f543b81Andreas.Cadhalpun@googlemail.com >
2016-11-25 22:22:11 +01:00
Andreas Cadhalpun
1dc59aaf61
pgssubdec: only set w/h/linesize when allocating data
...
Rects with positive w/h/linesize but no data are invalid.
Reviewed-by: Petri Hintukainen <phintuka@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 995512328eAndreas.Cadhalpun@googlemail.com >
2016-11-25 22:21:52 +01:00
Andreas Cadhalpun
d8364f4e1d
smacker: limit recursion depth of smacker_decode_bigtree
...
This fixes segmentation faults due to stack-overflow caused by too deep
recursion.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 946ecd19eaAndreas.Cadhalpun@googlemail.com >
2016-11-25 22:21:39 +01:00
Michael Niedermayer
e9f3cc7fc7
avcodec/ass_split: Change order of operations in ass_split_section()
...
This matches the other branch
Fixes out of array read
Fixes: 4d142ca76d39fe685effcf5017098723/asan_heap-oob_31ae824_8611_348fdb64f9009b63c8a8eae9a0e497c5.mkv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit ae514b1254michael@niedermayer.cc >
2016-11-23 20:29:31 +01:00
James Almer
ee56777379
avcodec/rawdec: check for side data before checking its size
...
Fixes valgrind warnings about usage of uninitialized values.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: James Almer <jamrial@gmail.com >
(cherry picked from commit 51e329918d
2016-11-19 23:50:37 -03:00
James Almer
3bd7ad58a7
avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()
...
If realloc fails, the pointer is overwritten and the previously allocated
buffer is leaked, which goes against the expected behavior of keeping the
packet unchanged in case of error.
Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: James Almer <jamrial@gmail.com >
(cherry picked from commit 574929d8b6
2016-11-19 20:24:54 -03:00
James Almer
cf655d1643
Revert "apngdec: use side data to pass extradata to the decoder"
...
This reverts commit e0c6b32046jamrial@gmail.com >
(cherry picked from commit 16c429166d
2016-11-18 12:33:21 -03:00
Martin Vignali
08f26d99b5
libavcodec/exr : fix channel size calculation for uint32 channel
...
uint32 need 4 bytes not 1.
Fix decoding when there is half/float and uint32 channel.
This fixes crashes due to pointer corruption caused by invalid writes.
The problem was introduced in commit
03152e74dfAndreas.Cadhalpun@googlemail.com >
(cherry picked from commit 52da3f6f70Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:37:05 +01:00
Andreas Cadhalpun
c7d38efbc2
exr: fix out-of-bounds read
...
channel_index can be -1.
This problem was introduced in commit
2dd7b46132onemda@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit ffdc5d09e4Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:19:01 +01:00
Andreas Cadhalpun
cbc9d46066
libschroedingerdec: fix leaking of framewithpts
...
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 3c0328d58dAndreas.Cadhalpun@googlemail.com >
2016-11-17 23:18:56 +01:00
Andreas Cadhalpun
2b863d4e9b
libschroedingerdec: don't produce empty frames
...
They are not valid and can cause problems/crashes for API users.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit a86ebbf7f6Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:18:53 +01:00
Andreas Cadhalpun
598016b85f
dds: limit 4 bpp handling to AV_PIX_FMT_PAL8
...
This fixes NULL pointer dereferencing for formats, where frame->data[1]
is not allocated.
The problem was introduced in commit
257fbc3af4onemda@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 90ebf3c428Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:18:48 +01:00
Andreas Cadhalpun
a2c7840a6b
mlz: limit next_code to data buffer size
...
This fixes a heap-buffer-overflow detected by AddressSanitizer.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 1abcd972c4Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:18:42 +01:00
Andreas Cadhalpun
039a3e6db8
pnmdec: make sure v is capped by maxval
...
Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit cdb5479c9dAndreas.Cadhalpun@googlemail.com >
2016-11-17 23:17:58 +01:00
Andreas Cadhalpun
d8affeea82
smvjpegdec: make sure cur_frame is not negative
...
This fixes a heap-buffer-overflow detected by AddressSanitizer.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 360bc0d90aAndreas.Cadhalpun@googlemail.com >
2016-11-17 23:17:20 +01:00
Andreas Cadhalpun
581cce0cca
dvbsubdec: fix division by zero in compute_default_clut
...
This problem was introduced in commit
4b90dcb849michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit c82b8ef0e4Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:15:52 +01:00
Andreas Cadhalpun
1ed4b52732
proresdec_lgpl: explicitly check coff[3] against slice_data_size
...
The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.
This fixes segmentation faults due to invalid reads.
This problem was introduced in commit
547c2f002amichael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 1e33035ee7Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:15:47 +01:00
Andreas Cadhalpun
72a2d6ff56
escape124: reject codebook size 0
...
It causes a cb_depth of 32, leading to assertion failures in get_bits.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 226d35c845Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:15:42 +01:00
Andreas Cadhalpun
1e4979f780
mpegaudio_parser: don't return AVERROR_PATCHWELCOME
...
The API does not allow returning AVERROR codes.
It triggers an assert in av_parser_parse2.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 5249706e9dAndreas.Cadhalpun@googlemail.com >
2016-11-17 23:14:01 +01:00
Andreas Cadhalpun
c72ac9ffd0
lzf: update pointer p after realloc
...
This fixes heap-use-after-free detected by AddressSanitizer.
Reviewed-by: Luca Barbato <lu_zero@gentoo.org >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit bb6a7b6f75Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:13:19 +01:00
Andreas Cadhalpun
31cebfe789
diracdec: check return code of get_buffer_with_edge
...
If it fails, buffers aren't allocated, causing NULL pointer dereferencing.
Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit db79dedb1aAndreas.Cadhalpun@googlemail.com >
2016-11-17 23:13:14 +01:00
Andreas Cadhalpun
b9a24cee3b
diracdec: clear slice_params_num_buf on allocation failure
...
Otherwise it can be non-zero next time decode_lowdelay is called, causing
slice_params_buf not to be allocated, leading to a NULL pointer dereference.
The problem was introduced in commit
dcad4677d6atomnuker@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 24d20496d2Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:13:05 +01:00
Andreas Cadhalpun
08b1fd6afb
diracdec: use correct buffer for slice_params_buf realloc
...
This fixes a double-free detected by AddressSanitizer.
The problem was introduced in commit
dcad4677d6atomnuker@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 8a4ea96448Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:12:58 +01:00
Andreas Cadhalpun
35cb0c47bc
ppc: pixblockdsp: do unaligned block accesses correctly again
...
This was broken by the following Libav commit:
4c387c7#5508 .
Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com >
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com >
(cherry picked from commit 3932ccc472Andreas.Cadhalpun@googlemail.com >
2016-11-17 23:12:50 +01:00
