| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| |
|
|
|
|
| |
Even if such files are invalid, they can be decoded just fine.
Also stored tiles may have bigger dimensions than displayed ones,
so do not abort decoding in such cases.
|
| |
|
|
|
|
|
|
|
|
|
| |
According to the spec bits per sample should be used
Fix invalid shift with bpp=32
Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 23507/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4815432665268224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Although the ICC specifications say to check for this, libtiff doesn't
and neither does any other TIFF implementation, and the TIFF specs
say that Photoshop has a different way to encapsulate ICC profiles,
and are asking for advice on how to deal with it.
So basically, photoshop puts a different type than what's specified,
no other implementation checks for this, we do because we tried to
follow the specs although its harmless to not, and ran into this bug
because we didn't know about it.
|
| |
|
|
|
|
|
|
| |
Fixes: out of array access
Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"The entries in an IFD must be sorted in ascending order by Tag. Note that this is
not the order in which the fields are described in this document."
This way various dimensions, sample and bit sizes cannot be changed at
arbitrary times which reduces the potential for bugs.
The tag reading code also on various places assumes that numerically previous
tags have already been parsed, so this needs to be enforced one way or another.
If this commit causes problems with real world files which are not easy to fix
then some other form of checks are needed to ensure the various dependencies
in the tag reading are not violated.
Fixes: out of array access
Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: Assertion failure
Fixes: 24707/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5179910197608448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: out of array access
Fixes: 24604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4843529818603520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: division by zero
Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: out of array read
Fixes: 24034/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5111884337119232
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: out of array access
Fixes: 23888/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6021365974171648.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: out of array access
Fixes: 23589/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5110559589793792.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: assertion failure
Fixes: 23422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5746026064642048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
| |
TIFF 6 spec: "Do not use both strip-oriented and tile-oriented fields in the same TIFF file."
Fixes: null pointer use, crash
Fixes: crash-762680f9d1b27f9b9085e12887ad44893fb2b020
Found-by: Shiziru <lunasl@protonmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
| |
Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
|
| |
|
|
|
|
|
|
| |
line
Found-by: 黄宁 <tsukimurarin@163.com>
Reviewed-by: Nick Renieris <velocityra@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
| |
The DNG code hardcodes plane 0 at some places, so its better to disallow cases
that have more planes.
Fixes: eg_crash
Found-by: 黄宁 <tsukimurarin@163.com>
Reviewed-by: Nick Renieris <velocityra@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
| |
This is less confusing
Reviewed-by: Nick Renieris <velocityra@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
dng spec 1.5.0.0
"BitsPerSample
Supported values are from 8 to 32 bits/sample. The depth must be the same for each sample if
SamplesPerPixel is not equal to 1."
Fixes: eg_crash
Found-by: 黄宁 <tsukimurarin@163.com>
Reviewed-by: Nick Renieris <velocityra@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
init_thread_copy
The current design, where
- proper init is called for the first per-thread context
- first thread's private data is copied into private data for all the
other threads
- a "fixup" function is called for all the other threads to e.g.
allocate dynamically allocated data
is very fragile and hard to follow, so it is abandoned. Instead, the
same init function is used to init each per-thread context. Where
necessary, AVCodecInternal.is_copy can be used to differentiate between
the first thread and the other ones (e.g. for decoding the extradata
just once).
|
| | |
|
| |
|
|
|
|
|
| |
Fixes ticket #8327.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Fixes: memleaks
Fixes: 17813/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5145600206569472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
| |
This reverts commit eb5d0f18ff609ba2280cea4e2c6286d216c8756b.
Together with 89f464e9, it breaks decoding of tiff files like fate-suite/exif/image_small.tiff
|
| | |
|
| |
|
|
| |
Remove endianess hack.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
"LinearRaw" is a value that the PhotometricInterpretation tag can be set
to on DNG images that contain color information for all channels instead
of being bayer-encoded ("CFA" value).
The DNG decoder is complete enough that we can enable this now.
Sample:
- http://www.rawsamples.ch/raws/nikon/SCANNER_NIKON_LS5000.DNG
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Initialized to `(2 ^ BitsPerSample) - 1` as per the DNG Specification.
Also make sure that `BlackLevel < WhiteLevel`.
This fixes decoding for "X7 CinemaDNG" samples here:
- https://www.dji.com/gr/zenmuse-x7/info#downloads
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
| |
DNG samples here can now be decoded:
- https://www.photographyblog.com/previews/pentax_k1_photos
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
| |
10-bit sample: http://www.rawsamples.ch/raws/phones/RAW_ONEPLUS_ONE-A0001.DNG
14-bit sample: https://drive.google.com/open?id=0B4JyRT3Lth5HVndyOTVOdWktM3J4TFEydTk1MnY3RWlpSzVB
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
| |
This enables decoding of DNG images generated by the 'DJI Zenmuse X7'
digital camera
Samples: https://www.dji.com/gr/zenmuse-x7/info#downloads
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Also, ensure no false positives when determining DNG bayer images, by
setting them in tiff.c instead of relying on a heuristic. There's no
way to determine this just from the JPEG data, so we have to pass this
information from outside the MJPEG decoder.
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
| |
This fixes "X7 RAW" and "X7 CinemaDNG" samples here:
- https://www.dji.com/gr/zenmuse-x7/info#downloads
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
| |
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
When the height is equal to the tile length (full-height tile)
after `height % tile_length` is applied with the current code,
it results in the operating tile_length to be 0. This commit
makes this leftover logic only applies if it's necessary.
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
| |
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
| |
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Used a technique similar to lavc/tdsc.c for invoking the MJPEG decoder.
This commit adds support for:
- DNG tiles
- DNG tile huffman lossless JPEG decoding
- DNG 8-bpp ("packed" as dcraw calls it) decoding
- DNG color scaling [1]
- LinearizationTable tag
- BlackLevel tag
[1]: As specified in the DNG Specification - Chapter 5
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This may break some valid tiff files, it appears the specification does not require
the offsets to be increasing. They increase in the 2 test files i have though except
the last offset which is 0 (an end marker) and for which a special case is added to
avoid asking for a sample for that end marker.
See: [FFmpeg-devel] [PATCH 2/2] avcodec/tiff: Detect infinite retry loop
for an alternative implementation
Fixes: Timeout (Infinite -> Finite)
Fixes: 15706/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5114674904825856
This variant was requested by paul on IRC
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Additionally:
- Renamed TIFF_WHITE_LEVEL to DNG_WHITE_LEVEL since it is specified
in the DNG spec.
- Added/changed some comments to be more precise in differentiating
between TIFF, TIFF/EP and DNG values.
Related to ticket: https://trac.ffmpeg.org/ticket/4364
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SubIFDs that were part of more than single-sized "SubIFDs" tags were
being ignored due to existing code ignoring that case.
This patch makes is so the first entry is read, which is not ideal
but enough for some DNG images present in the wild to be decodeable
More specifically, the first SubIFD which we would process with this
patch is the main image and the second one is a second thumbnail,
which is not as important to decode.
In DNG images with the .tiff extension, it solves the issue where
the TIFF thumbnail in IFD 0 was incorrectly parsed (related
confusion: [1]).
Embedded thumbnails for DNG images can still be decoded with the
"-thumbnail" option.
Related to ticket: https://trac.ffmpeg.org/ticket/4364
[1]: https://superuser.com/questions/546879/creating-video-from-dng-images-with-ffmpeg
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Adds the "-thumbnail" option, that works like the current "-subifd"
option, but only for non-full-sized images.
This is particularly useful for DNG images (see next commit) that
have SubIFDs that are not necessarily thumbnails.
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
| |
Option "-page N" (page index N starts from 1) can now be used to specify which TIFF page/subfile to decode.
Signed-off-by: Nick Renieris <velocityra@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes: Out of array access, assertion failure
Fixes: 13851/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5754570929602560
Fixes: 13869/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5695998313103360
Fixes: 13873/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5077273645940736
Fixes: 13874/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5756396757319680
Fixes: 13877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5741026750234624
Fixes: 13880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5649148809838592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
| |
Fixes ticket #7675.
|
| | |
|
| |
|
|
|
|
|
|
| |
Fixes: Assertion failure
Fixes: 11898/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5759794191794176
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
| |
Fixes ticket #3459.
|
