Michael Niedermayer
30047c052d
avcodec/fmvc: Check if header fields are available before allocating the image
...
Fixes: Timeout (15sec -> 0.5sec)
Fixes: 14846/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FMVC_fuzzer-5068322120400896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 561cc161camichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
039c7d21f6
avcodec/bink: Reorder operations in init to avoid memleak on error
...
Fixes: Direct leak of 536 byte(s) in 1 object(s)
Fixes: 15266/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5629530426834944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 2603f25d32michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
c8f7f583c0
avcodec/bitstream: Check for more conflicting codes in build_table()
...
Fixes: out of array read
Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit a7e3b271fcmichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
8d2d04569a
avcodec/bitstream: Check for integer code truncation in build_table()
...
Fixes: out of array read
Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e78b0f8374michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
b8bb86efe7
avcodec/mjpegdec: Check for non ls PAL8
...
Fixes: Null-dereference READ in av_malloc
Fixes: 15002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5643474625363968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 442375fee7michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
84b444aa78
avcodec/interplayvideo: check decoding_map_size with video_data_size
...
Fixes: Timeout (90543 ms -> 59 ms)
Fixes: 14721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer-5697492148027392
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 914d6a7c1amichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
a2927d38cb
avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle
...
Fixes: signed integer overflow: -2142516591 + -267814575 cannot be represented in type 'int'
Fixes: 14450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5716105319940096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 4896fa18admichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
ac7d876723
avcodec/mss4: Check input size against skip bits
...
Fixes: Timeout (17sec -> 20ms)
Fixes: 14615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5093007763701760
Fixes: 14797/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5651696119709696
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 0fef412dffmichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
ddf153b139
avcodec/diracdec: Fix integer overflow in global_mv()
...
Fixes: signed integer overflow: 16384 * 196607 cannot be represented in type 'int'
Fixes: 14810/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5091232683917312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit a99ffb5bb4michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
14a62019bb
avcodec/vmnc: Check available space against chunks before reget_buffer()
...
Fixes: Timeout (16sec -> 60ms)
Fixes: 14673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMNC_fuzzer-5640217517621248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 279d9a84afmichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
5866e20b01
avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure)
...
Fixes: NULL pointer dereference
Fixes: 14723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5654612436058112
Fixes: 14724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5712607111020544
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit cf3156e762michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
1dc80a7d4e
avcodec/aacdec_fixed: Handle more extreem cases in noise_scale()
...
Its unclear if these cases have any relevance in real files
Fixes: shift exponent -2 is negative
Fixes: 14489/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5681941631729664
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 3d14663f83michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
1b2691fe1a
avcodec/aacdec_template: Merge 3 #ifs related to noise handling
...
Fewer #if and fewer lines
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit bc33c99d56michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
e575ac8d84
avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify
...
(cherry picked from commit 3d5863d739michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
eec89990b5
avcodec/truemotion2: Fix several integer overflows in tm2_update_block()
...
Fixes: signed integer overflow: -1877966852 + -469491713 cannot be represented in type 'int'
Fixes: 14561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5167608359288832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8eecf761a6michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
0ecde06ee7
avcodec/cpia: Check input size also against linesizes and EOL
...
Fixes: Timeout (14sec -> 29ms)
Fixes: 14733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5707022445576192
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 3c0bfa7d1amichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
9f8d2716a6
avcodec/hq_hqa: Check available space before reading slice offsets
...
Fixes: Timeout (43sec -> 18sec)
Fixes: 14556/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5673543024508928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 407e7c34camichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
ae1c6169b6
avcodec/fits: Check bitpix
...
Reference: Table 8: Interpretation of valid BITPIX value from FITS standard 4.0
Fixes: runtime error: division by zero
Fixes: 14581/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5652382425284608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 0b5c93b276michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
cc5257aa27
avcodec/jvdec: Use ff_get_buffer() when the content is not reused
...
Fixes: Timeout (11sec -> 5sec)
Fixes: 14473/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JV_fuzzer-5761630857592832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 09edcd3572michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
0fe00cdc54
avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block()
...
Fixes: signed integer overflow: -2147483648 + -1 cannot be represented in type 'int'
Fixes: 14107/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5694078680825856
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit f4a1b8d409michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
b131d7653e
avcodec/jpeg2000: Check stepsize before using it
...
Fixes: value 1.87633e+10 is outside the range of representable values of type 'int'
Fixes: Undefined behavior
Fixes: 14246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5758393601490944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 06ef186fa1michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
85b8a4d2c7
avcodec/aacdec_fixed: Fix undefined shift in noise_scale()
...
Fixes: 13655/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5120559430500352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8ea211ab79michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
7751626787
avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside
...
Fixes: index 20 out of bounds for type 'const char *[4][128]'
Fixes: 14367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CCAPTION_fuzzer-5718819672162304
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit f17e8e90bbmichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
b27afd717d
avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform()
...
Fixes: assertion failure
Fixes: 14078/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5760571284127744
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 110dce9633michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
76f6712057
avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation
...
It seems the specification does not limit the value to 32bit
Fixes: signed integer overflow: -109611143 * 24 cannot be represented in type 'int'
Fixes: 13477/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5648337460527104
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 837820f385michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
12a6305799
avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks()
...
Fixes: signed integer overflow: 255 + 2147483634 cannot be represented in type 'int'
Fixes: 13472/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5712444142387200
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 0ad0533e91michael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
Michael Niedermayer
1a71be4eaa
avcodec/rscc: Check that the to be uncompressed input is large enough
...
Fixes: Out of array access
Fixes: 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 3a0ec1511emichael@niedermayer.cc >
2019-11-14 23:30:37 +01:00
James Almer
45bf2f4d72
avcodec/bsf: check that AVBSFInternal was allocated before dereferencing it
...
This can happen when av_bsf_free() is called on av_bsf_alloc() failure.
Reviewed-by: Paul B Mahol <onemda@gmail.com >
Signed-off-by: James Almer <jamrial@gmail.com >
(cherry picked from commit d889ae3396
2019-09-23 10:09:16 -03:00
Stefan Schoenefeld
31161bc969
avcodec/h263dec: fix hwaccel decoding
...
Recently we encountered an issue when decoding a h.263 file:
FFmpeg will freeze when decoding h.263 video with NVDEC. Turns out this is not directly related to NVDEC but is a problem that shows with several other HW decoders like VDPAU, though the exact kind of error is different (either error messages or freezing[1]). The root cause is that ff_thread_finish_setup() is called twice per frame from ff_h263_decode_frame(). This is not supported by ff_thread_finish_setup() and specifically checked for and warned against in the functions code. The issue is also specific to hw accelerated decoding only as the second call to ff_thread_finish_setup() is only issued when hw acceleration is on. The fix is simple: add a check that the first call is only send when hw acceleration is off, and the second call only when hw acceleration is on (see attached patch). This works fine as far as I was able to test with vdpau and nvdec/nvcuvid hw decoding. The patch also adds NVDEC to the hw config list if available.
I also noticed a secondary issue when browsing through the code which is that, according to documentation, ff_thread_finish_setup() should only be called if the codec implements update_thread_context(), which h263dec does not. The patch does not address this and I'm not sure any action needs to be taken here at all.
[1] This is depending on whether or not the hw decoder sets the HWACCEL_CAPS_ASYNC_SAFE flag
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org >
2019-08-04 16:24:54 +02:00
Michael Niedermayer
9ccc633068
avcodec/hevcdec: Avoid only partly skiping duplicate first slices
...
Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304
This also fixes the return code for explode mode
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 54655623a8michael@niedermayer.cc >
2019-03-27 08:48:30 +01:00
Carl Eugen Hoyos
d31940f04e
lavc/bmp: Avoid a heap buffer overwrite for 1bpp input.
...
Found by Mingi Cho, Seoyoung Kim, and Taekyoung Kwon
of the Information Security Lab, Yonsei University.
(cherry picked from commit 1e34014010michael@niedermayer.cc >
2019-03-27 08:47:30 +01:00
Michael Niedermayer
807d443c7e
avcodec/truemotion2: Fix integer overflow in tm2_null_res_block()
...
Fixes: signed integer overflow: 1111638592 - -2122219136 cannot be represented in type 'int'
Fixes: 13441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5732769815068672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 1223696c72michael@niedermayer.cc >
2019-03-25 15:32:07 +01:00
Michael Niedermayer
5e09dc8afe
avcodec/dfa: Check the chunk header is not truncated
...
Fixes: Timeout (11sec -> 3sec)
Fixes: 13218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-5661074316066816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit f20760fadbmichael@niedermayer.cc >
2019-03-24 10:38:52 +01:00
Michael Niedermayer
51d29541cb
avcodec/dvbsubdec: Check object position
...
Reference: ETSI EN 300 743 V1.2.1 7.2.2 Region composition segment
Fixes: Timeout
Fixes: 13325/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5143979392237568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit a8c5ae4511michael@niedermayer.cc >
2019-03-24 10:38:52 +01:00
Michael Niedermayer
d2fd2921e3
avcodec/cdgraphics: Use ff_set_dimensions()
...
Fixes: Timeout (17 sec -> 65 milli sec)
Fixes: 13264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5711167941509120
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 9a9f0e239cmichael@niedermayer.cc >
2019-03-24 10:38:52 +01:00
Michael Niedermayer
6689435190
avcodec/scpr: Fix use of uninitialized variable
...
Fixes: Undefined shift
Fixes: 12911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5677102915911680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 53248acfb3michael@niedermayer.cc >
2019-03-24 10:38:52 +01:00
Michael Niedermayer
f2e3eae204
avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes
...
Fixes: Timeout (27 sec -> 39 milli sec)
Fixes: 13151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QPEG_fuzzer-5717536023248896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit b819472995michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
7cc9a20791
avcodec/aic: Check remaining bits in aic_decode_coeffs()
...
Fixes: Timeout (78 seconds -> 2 seconds)
Fixes: 13186/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5639516533030912
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 951bb7632fmichael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
98fa61c020
avcodec/gdv: Check for truncated tags in decompress_5()
...
Testcase: 13169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5666354038833152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 5cf42f65b6michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
6abc6acd50
avcodec/bethsoftvideo: Check block_type
...
Fixes: Timeout (17 seconds -> 1 second)
Fixes: 13184/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BETHSOFTVID_fuzzer-5711446296494080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit b8ecadec05michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
7a25b3192d
avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()
...
Fixes: runtime error: signed integer overflow: 2147483598 + 128 cannot be represented in type 'int'
Fixes: 12926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5705100733972480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 4801eea0d4michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
902c96ae16
avcodec/error_resilience: Use a symmetric check for skipping MV estimation
...
This speeds up the testcase by a factor of 4
Fixes: Timeout
Fixes: 13100/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5767533905313792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e4289cb253michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
49f8873f8b
avcodec/mlpdec: Insuffient typo
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit fc32e08941michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
edf0297c61
avcodec/zmbv: obtain frame later
...
The frame is not needed that early so obtaining it later avoids
the costly operation in case other checks fail.
Fixes: Timeout (14sec -> 4sec)
Fixes: 13140/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-5738330308739072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 177b40890cmichael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
3891dbf4cf
avcodec/jvdec: Check available input space before decode8x8()
...
Fixes: Timeout (78 sec -> 15 millisec)
Fixes: 13147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JV_fuzzer-5727107827630080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 61523683c5michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
8ddad9f9cd
avcodec/h264_direct: Fix overflow in POC comparission
...
Fixes: runtime error: signed integer overflow: 2147421862 - -33624063 cannot be represented in type 'int'
Fixes: 12885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5733516975800320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 5ccf296e74michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Kevin Backhouse via RT
e2ae3419ff
avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces
...
Fixes: [Semmle Security Reports #19439 ]
Fixes: dos_sscanf2.mkv
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 894995c41emichael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Kevin Backhouse via RT
9191218d11
avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning
...
Fixes: [Semmle Security Reports #19438 ]
Fixes: dos_sscanf1.mkv
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 1f00c97bc3michael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
80603682ff
avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c()
...
Fixes: 1377/clusterfuzz-testcase-minimized-5487049807233024
Fixes: assertion failure in sbr_sum_square_c()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 4cde7e62dbmichael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
Michael Niedermayer
4946bda473
avcodec/pgssubdec: Check for duplicate display segments
...
In such a duplication the previous gets overwritten and leaks
Fixes: memleak
Fixes: 12510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5694439226343424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit e35c3d887bmichael@niedermayer.cc >
2019-03-24 10:38:51 +01:00
