path: root/libavcodec/flac_parser.c
Commit message (Author, Age)
* avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE (Michael Niedermayer, 2021-10-22)
| Fixes: out of array read
| Fixes: 40109/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-4805686811295744
| Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
| Reviewed-by: Mattias Wadman <mattias.wadman@gmail.com>
| Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* libavcodec/flac_parser: Validate subframe zero bit and type (Mattias Wadman, 2021-10-18)
| Reduces the risk of finding false frames that happen to have valid values and CRC.
| Fixes ticket #9185 ffmpeg flac decoder incorrectly finds junk frame
| https://trac.ffmpeg.org/ticket/9185
* avcodec: Constify all the AVCodecParsers (Andreas Rheinhardt, 2021-04-27)
| Possible now that the next pointer no longer exists.
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
| Signed-off-by: James Almer <jamrial@gmail.com>
* avcodec/flac_parser: Do not lose header count in find_headers_search() (Michael Niedermayer, 2020-04-16)
| Fixes: Timeout
| Fixes: out of array access
| Fixes: 20274/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5649631988154368
| Fixes: 19275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5757535722405888
| Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
| Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/flac_parser: Make expected_frame_num, expected_sample_num 64bit (Michael Niedermayer, 2019-10-08)
| Fixes: Integer overflow
| Fixes: 17199/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5696145187143680
| Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
| Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avcodec/flac_parser: Cosmetics (Andreas Rheinhardt, 2019-10-07)
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Don't leave stale pointer in memory (Andreas Rheinhardt, 2019-10-07)
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Don't modify size of the input buffer (Andreas Rheinhardt, 2019-10-07)
| When flushing, MAX_FRAME_HEADER_SIZE bytes (always zero) are supposed to be written to the fifo buffer in order to be able to check the rest of the buffer for frame headers. It was intended to write these by writing a small buffer of size MAX_FRAME_HEADER_SIZE to the buffer. But the way it was actually done ensured that this did not happen: First, it would be checked whether the size of the input buffer was zero, in which case buf_size would be set to MAX_FRAME_HEADER_SIZE and read_end would be set to indicate that MAX_FRAME_HEADER_SIZE bytes need to be written. Then it would be made sure that there is enough space in the fifo for the data to be written. Afterwards the data is written. The check used here is for whether buf_size is zero or not. But if it was zero initially, it is MAX_FRAME_HEADER_SIZE now, so that not the designated buffer for writing MAX_FRAME_HEADER_SIZE is written; instead the padded buffer (from the stack of av_parser_parse2()) is used. This works because AV_INPUT_BUFFER_PADDING_SIZE >= MAX_FRAME_HEADER_SIZE. Later on, buf_size is set to zero again.
|
| Given that since 7edbd536, the actual amount of data read is no longer automatically equal to buf_size, it is completely unnecessary to modify buf_size at all. Moreover, modifying it is dangerous: Some allocations can fail and because buf_size is never reset to zero in this codepath, the parser might return a value > 0 on flushing.
|
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Remove superfluous checks (Andreas Rheinhardt, 2019-10-07)
| For a parser, the input buffer is always != NULL: In case of flushing, the indicated size of the input buffer will be zero and the input buffer will point to a zeroed buffer of size 0 + AV_INPUT_BUFFER_PADDING. Therefore one does not need to check for whether said buffer is NULL or not.
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Fix number of buffered headers (Andreas Rheinhardt, 2019-10-07)
| Only decrement the number of buffered headers if a header has actually been freed.
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Fix off-by-one error (Andreas Rheinhardt, 2019-10-07)
| The flac parser uses a fifo to buffer its data. Consequently, when searching for sync codes of flac packets, one needs to take care of the possibility of wraparound. This is done by using an optimized start code search that works on each of the continuous buffers separately and by explicitly checking whether the last pre-wrap byte and the first post-wrap byte constitute a valid sync code. Moreover, the last MAX_FRAME_HEADER_SIZE - 1 bytes ought not to be searched for (the start of) a sync code because a header that might be found in this region might not be completely available. These bytes ought to be searched later on when more data is available or when flushing.
|
| Unfortunately there was an off-by-one error in the calculation of the length to search of the post-wrap buffer: It was too large, because the calculation was based on the amount of bytes available in the fifo from the last pre-wrap byte onwards. This meant that a header might be parsed twice (once prematurely and once regularly when more data is available); it could also mean that an invalid header will be treated as valid (namely if the length of said invalid header is MAX_FRAME_HEADER_SIZE and the invalid byte that will be treated as the last byte of this potential header happens to be the right CRC-8).
|
| Should a header be parsed twice, the second instance will be the best child of the first instance; the first instance's score will be FLAC_HEADER_BASE_SCORE - FLAC_HEADER_CHANGED_PENALTY ( = 3) higher than the second instance's score. So the frame belonging to the first instance will be output and it will be done as a zero length frame (the difference of the header's offset and the child's offset). This has serious consequences when flushing, as returning a zero length buffer signals to the caller that no more data will be output; consequently the last frames not yet output will be dropped.
|
| Furthermore, a "sample/frame number mismatch in adjacent frames" warning got output when returning the zero-length frame belonging to the first header, because the child's sample/frame number of course didn't match the expected sample/frame number given its parent.
|
| filter/hdcd-mix.flac from the FATE-suite was affected by this (the last frame was omitted) which is the reason why several FATE-tests needed to be updated.
|
| Fixes ticket #5937.
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Don't allocate array separately (Andreas Rheinhardt, 2019-10-07)
| The FLACHeaderMarker structure contained a pointer to an array of int; said array was always allocated and freed at the same time as its referencing FLACHeaderMarker; the pointer was never modified to point to a different array and each FLACHeaderMarker had its own unique array. Furthermore, all these arrays had a constant size. Therefore include this array in the FLACHeaderMarker struct.
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Use native endianness when possible (Andreas Rheinhardt, 2019-10-07)
| FLAC sync codes contain a byte equal to 0xFF and so the function that searches for sync codes first searched for this byte. It did this by checking four bytes at once; these bytes have been read via AV_RB32, but the test works just as well with native endianness.
| Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avcodec/flac_parser: Fix infinite loop (Michael Niedermayer, 2018-05-05)
| Fixes: crbug/827204
| Reported-by: Frank Liberato <liberato@google.com>
| Reviewed-by: Frank Liberato <liberato@google.com>
| Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* Merge commit '800d91d348c89fc8ca3fbec7696ab1ec8787acc6' (James Almer, 2017-03-31)
|\
| | * commit '800d91d348c89fc8ca3fbec7696ab1ec8787acc6':
| |   Drop pointless void* casts
| |
| | Merged-by: James Almer <jamrial@gmail.com>
| * Drop pointless void* casts (Diego Biurrun, 2016-11-13)
| |
* | avcodec/flac_parser: Update nb_headers_buffered (Michael Niedermayer, 2016-11-30)
| | Fixes infinite loop
| | Fixes: fuzz.flac
| | Found-by: Frank Liberato <liberato@google.com>
| | Reviewed-by: Frank Liberato <liberato@google.com>
| | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* | avcodec/flac_parser: Increase FLAC_MAX_SEQUENTIAL_HEADERS by 1 (Michael Niedermayer, 2016-06-24)
| | Fixes Ticket5343
| | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* | avcodec/flac_parser: Raise threshold for detecting invalid data (Michael Niedermayer, 2016-06-22)
| | Fixes regression from Ticket5428
| | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* | Merge commit 'b18346817d57c96cc47811cf78b26653e96bd304' (Michael Niedermayer, 2015-04-20)
|\|
| | * commit 'b18346817d57c96cc47811cf78b26653e96bd304':
| |   flac: fix realloc loop with invalid flac files
| |
| | Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * flac: fix realloc loop with invalid flac files (Thomas Guillem, 2015-04-20)
| | Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
* | avcodec/flac_parser: fix handling EOF if no headers are found (Michael Niedermayer, 2015-01-17)
| | Fixes assertion failure
| | Fixes Ticket4269
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | avcodec/flac_parser: print error messages in case of errors (Michael Niedermayer, 2015-01-17)
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | avcodec/flac_parser: Check for av_malloc() failure (Michael Niedermayer, 2015-01-15)
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | avcodec/flac_parser: Use sizeof(variable) instead of sizeof(type) (Michael Niedermayer, 2015-01-15)
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | avcodec/flac_parser: use av_freep(), do not leave stale pointers in memory (Michael Niedermayer, 2014-10-14)
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | avcodec/flac_parser: remove duplicate assignment (Michael Niedermayer, 2014-07-31)
| | Found-by: CSA
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | lavc/flac_parser: use av_fifo_alloc_array (Lukasz Marek, 2014-05-20)
| | Signed-off-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
* | lavc: use av_fifo_freep (Lukasz Marek, 2014-05-07)
| | Signed-off-by: Lukasz Marek <lukasz.m.luki2@gmail.com>
* | Use correct msvc type specifiers for ptrdiff_t and size_t. (Carl Eugen Hoyos, 2014-04-24)
| | The Windows runtime aborts if it finds %t or %z.
| | Fixes ticket #3472.
| | Reviewed-by: Ronald Bultje
* | flac demuxer: improve seeking (Rainer Hochecker, 2014-04-14)
| |
* | avcodec/flac_parser: export sample_rate also when PARSER_FLAG_COMPLETE_FRAMES is set (Michael Niedermayer, 2013-10-07)
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | flac_parser: check return value of av_fifo_alloc() (Paul B Mahol, 2013-06-30)
| | Signed-off-by: Paul B Mahol <onemda@gmail.com>
* | flac_parser.c: fix case when final frame is a false positive (Michael Chinen, 2013-06-29)
| | Should fix https://ffmpeg.org/trac/ffmpeg/ticket/2552
| | Only did minimal testing on a few files and fate.
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | Merge commit '6fee1b90ce3bf4fbdfde7016e0890057c9000487' (Michael Niedermayer, 2013-05-05)
|\|
| | * commit '6fee1b90ce3bf4fbdfde7016e0890057c9000487':
| |   avcodec: Add av_cold attributes to init functions missing them
| |
| | Conflicts:
| |   libavcodec/aacpsy.c
| |   libavcodec/atrac3.c
| |   libavcodec/dvdsubdec.c
| |   libavcodec/ffv1.c
| |   libavcodec/ffv1enc.c
| |   libavcodec/h261enc.c
| |   libavcodec/h264_parser.c
| |   libavcodec/h264dsp.c
| |   libavcodec/h264pred.c
| |   libavcodec/libschroedingerenc.c
| |   libavcodec/libxvid_rc.c
| |   libavcodec/mpeg12.c
| |   libavcodec/mpeg12enc.c
| |   libavcodec/proresdsp.c
| |   libavcodec/rangecoder.c
| |   libavcodec/videodsp.c
| |   libavcodec/x86/proresdsp_init.c
| |
| | Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * avcodec: Add av_cold attributes to init functions missing them (Diego Biurrun, 2013-05-04)
| |
* | Merge commit 'a5f8873620ce502d37d0cc3ef93ada2ea8fb8de7' (Michael Niedermayer, 2013-05-04)
|\|
| | * commit 'a5f8873620ce502d37d0cc3ef93ada2ea8fb8de7':
| |   silly typo fixes
| |
| | Conflicts:
| |   doc/protocols.texi
| |   libavcodec/aacpsy.c
| |   libavformat/utils.c
| |   tools/patcheck
| |
| | Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * silly typo fixes (Diego Biurrun, 2013-05-03)
| |
| * flac: don't check the number of channels before setting the channel layout. (Tim Walker, 2013-02-06)
| | This is unnecessary, as ff_flac_set_channel_layout can handle any number of channels.
| | Signed-off-by: Anton Khirnov <anton@khirnov.net>
* | flac: don't check the number of channels before setting the channel layout (Tim Walker, 2013-02-07)
| | This is unnecessary, as ff_flac_set_channel_layout can handle any number of channels.
* | Merge remote-tracking branch 'qatar/master' (Michael Niedermayer, 2012-12-22)
|\|
| | * qatar/master:
| |   flac: only set channel layout if not previously set or on channel count change
| |   prepare 9_beta3 release
| |
| | Conflicts:
| |   RELEASE
| |
| | Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * flac: only set channel layout if not previously set or on channel count change (Justin Ruggles, 2012-12-22)
| | Fixes Bug 402
* | Merge commit '50a65e7a540ce6747f81d6dbf6a602ad35be77ff' (Michael Niedermayer, 2012-11-02)
|\|
| | * commit '50a65e7a540ce6747f81d6dbf6a602ad35be77ff': (24 commits)
| |   vmdaudio: set channel layout
| |   twinvq: validate sample rate code
| |   twinvq: set channel layout
| |   twinvq: validate that channels is not <= 0
| |   truespeech: set channel layout
| |   sipr: set channel layout
| |   shorten: validate that the channel count in the header is not <= 0
| |   ra288dec: set channel layout
| |   ra144dec: set channel layout
| |   qdm2: remove unneeded checks for channel count
| |   qdm2: make sure channels is not <= 0 and set channel layout
| |   qcelpdec: set channel layout
| |   nellymoserdec: set channels to 1
| |   libopencore-amr: set channel layout for amr-nb or if not set by the user
| |   libilbc: set channel layout
| |   dpcm: use AVCodecContext.channels instead of keeping a private copy
| |   imc: set channels to 1 instead of validating it
| |   gsmdec: always set channel layout and sample rate at initialization
| |   libgsmdec: always set channel layout and sample rate at initialization
| |   g726dec: do not validate sample rate
| |   ...
| |
| | Conflicts:
| |   libavcodec/dpcm.c
| |   libavcodec/qdm2.c
| |
| | Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * flacdec: allow mid-stream channel layout change (Justin Ruggles, 2012-11-01)
| | Although the libFLAC decoder cannot handle such a change, it is allowed by the spec and could potentially occur with live streams.
* | flac_parser.c: fix issue with looping output for small files. (Michael Chinen, 2012-10-14)
| | see trac 1345
| | https://ffmpeg.org/trac/ffmpeg/ticket/1345
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | flac_parser: fix fifo ptr wrap check (Michael Niedermayer, 2012-09-22)
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | Merge commit '36ef5369ee9b336febc2c270f8718cec4476cb85' (Michael Niedermayer, 2012-08-07)
|\|
| | * commit '36ef5369ee9b336febc2c270f8718cec4476cb85':
| |   Replace all CODEC_ID_* with AV_CODEC_ID_*
| |   lavc: add AV prefix to codec ids.
| |
| | Conflicts:
| |   doc/APIchanges
| |   doc/examples/decoding_encoding.c
| |   doc/examples/muxing.c
| |   ffmpeg.c
| |   ffprobe.c
| |   ffserver.c
| |   libavcodec/8svx.c
| |   libavcodec/avcodec.h
| |   libavcodec/dnxhd_parser.c
| |   libavcodec/dvdsubdec.c
| |   libavcodec/error_resilience.c
| |   libavcodec/h263dec.c
| |   libavcodec/libvorbisenc.c
| |   libavcodec/mjpeg_parser.c
| |   libavcodec/mjpegenc.c
| |   libavcodec/mpeg12.c
| |   libavcodec/mpeg4videodec.c
| |   libavcodec/mpegvideo.c
| |   libavcodec/mpegvideo_enc.c
| |   libavcodec/pcm.c
| |   libavcodec/r210dec.c
| |   libavcodec/utils.c
| |   libavcodec/v210dec.c
| |   libavcodec/version.h
| |   libavdevice/alsa-audio-dec.c
| |   libavdevice/bktr.c
| |   libavdevice/v4l2.c
| |   libavformat/asfdec.c
| |   libavformat/asfenc.c
| |   libavformat/avformat.h
| |   libavformat/avidec.c
| |   libavformat/caf.c
| |   libavformat/electronicarts.c
| |   libavformat/flacdec.c
| |   libavformat/flvdec.c
| |   libavformat/flvenc.c
| |   libavformat/framecrcenc.c
| |   libavformat/img2.c
| |   libavformat/img2dec.c
| |   libavformat/img2enc.c
| |   libavformat/ipmovie.c
| |   libavformat/isom.c
| |   libavformat/matroska.c
| |   libavformat/matroskadec.c
| |   libavformat/matroskaenc.c
| |   libavformat/mov.c
| |   libavformat/movenc.c
| |   libavformat/mp3dec.c
| |   libavformat/mpeg.c
| |   libavformat/mpegts.c
| |   libavformat/mxf.c
| |   libavformat/mxfdec.c
| |   libavformat/mxfenc.c
| |   libavformat/nsvdec.c
| |   libavformat/nut.c
| |   libavformat/oggenc.c
| |   libavformat/pmpdec.c
| |   libavformat/rawdec.c
| |   libavformat/rawenc.c
| |   libavformat/riff.c
| |   libavformat/sdp.c
| |   libavformat/utils.c
| |   libavformat/vocenc.c
| |   libavformat/wtv.c
| |   libavformat/xmv.c
| |
| | Merged-by: Michael Niedermayer <michaelni@gmx.at>
| * Replace all CODEC_ID_* with AV_CODEC_ID_* (Anton Khirnov, 2012-08-07)
| |
* | flac_parser: speedup fifo realloc (Michael Niedermayer, 2012-05-14)
| | Fixes Ticket1121
| | Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* | Merge remote-tracking branch 'qatar/master' (Michael Niedermayer, 2012-03-29)
|\|
| | * qatar/master:
| |   asf: only set index_read if the index contained entries.
| |   cabac: add overread protection to BRANCHLESS_GET_CABAC().
| |   cabac: increment jump locations by one in callers of BRANCHLESS_GET_CABAC().
| |   cabac: remove unused argument from BRANCHLESS_GET_CABAC_UPDATE().
| |   cabac: use struct+offset instead of memory operand in BRANCHLESS_GET_CABAC().
| |   h264: add overread protection to get_cabac_bypass_sign_x86().
| |   h264: reindent get_cabac_bypass_sign_x86().
| |   h264: use struct offsets in get_cabac_bypass_sign_x86().
| |   h264: fix overreads in cabac reader.
| |   wmall: fix seeking.
| |   lagarith: fix buffer overreads.
| |   dvdec: drop unnecessary dv_tablegen.h #include
| |   build: fix doc generation errors in parallel builds
| |   Replace memset(0) by zero initializations.
| |   faandct: Remove FAAN_POSTSCALE define and related code.
| |   dvenc: print allowed profiles if the video doesn't conform to any of them.
| |   avcodec_encode_{audio,video}: only reallocate output packet when it has non-zero size.
| |   FATE: add a test for vp8 with changing frame size.
| |   fate: add kgv1 fate test.
| |   oggdec: calculate correct timestamps in Ogg/FLAC
| |
| | Conflicts:
| |   libavcodec/4xm.c
| |   libavcodec/cook.c
| |   libavcodec/dvdata.c
| |   libavcodec/dvdsubdec.c
| |   libavcodec/lagarith.c
| |   libavcodec/lagarithrac.c
| |   libavcodec/utils.c
| |   tests/fate/video.mak
| |
| | Merged-by: Michael Niedermayer <michaelni@gmx.at>