| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
|
|
|
|
| |
Fixes: signed integer overflow: 685813396 + 1803454769 cannot be represented in type 'int'
Fixes: 21073/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SIREN_fuzzer-5744900508483584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
| |
Fixes: signed integer overflow: 1302123111085380114 - -8319005078741256972 cannot be represented in type 'long'
Fixes: 20991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5148554161291264
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
| |
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
|
| |
|
|
| |
It is not needed at all.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
There are no failure cases left in this function.
|
| |
|
|
|
| |
It is very fragile against fields being moved and hides what is actually
being copied. Copy all the fields explicitly instead.
|
| |
|
|
| |
It is always 0.
|
| | |
|
| |
|
|
|
|
|
| |
as well as includes of libavutil/timer.h.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This version is able to output multiple coefficients at a time and
is able to altogether remove actual golomb code parsing.
Its also able to partially recover the last coefficient in case
the packet is incomplete.
Total decoder performance gain for 8bit 420 1080p lossless: 40%.
Total decoder performance gain for 10bit 420 1080p lossless: 40%.
clang was able to vectorize the loop much better than
my handwritten assembly, but gcc was very naive and didn't.
Lookup table is a rewritten version of vc2hqdecode.
|
| |
|
|
|
|
|
|
|
| |
Fixes: out of array access
Fixes: 19734/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5673507031875584
Fixes: 19353/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5703944462663680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Fixes: left shift of negative value -1
Fixes: 20859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_PSX_fuzzer-5720391507247104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
| |
Fixes: left shift of negative value -695
Fixes: 19232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5702856963522560
Fixes: 19555/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5741218147598336
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for WavPack DSD files to the existing WavPack decoder using
avcodec/dsd to perform the 8:1 decimation to 32-bit float samples. We must
serialize the dsd2pcm operation (cross-boundary filtering) but would like
to use frame-level multithreading for the CPU-intensive DSD decompression,
and this is accomplished with ff_thread_report/await_progress(). Because
the dsd2pcm operation is independent across channels we use slice-based
multithreading for that part.
Also a few things were removed from the existing WavPack decoder that
weren't being used (primarily the SavedContext stuff) and the WavPack
demuxer was enhanced to correctly determine the sampling rate of DSD
files (and of course to no longer reject them).
Signed-off-by: David Bryant <david@wavpack.com>
|
| | |
|
| | |
|
| |
|
|
| |
Fixes ticket #8565.
|
| |
|
|
| |
Fixes part of ticket #8565.
|
| |
|
|
|
|
|
|
|
|
|
| |
Slices that end after their header (meaning slices after the header
without any data before the rbsp_stop_one_bit or possibly without any
rbsp_stop_one_bit at all) are invalid and are now dropped. This ensures
that one doesn't run into two asserts in cbs_h2645_write_slice_data().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: 19629/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_METADATA_fuzzer-5676822528524288
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Trailing zeroes are already discarded when splitting a fragment, which
makes the code to remove them when decomposing slices dead code.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Up until now, v4l2_m2m would write via snprintf() into an intermediate
buffer and then copy from there (via strncpy()) to the end buffer. This
commit changes this by removing the intermediate buffer.
The call to strncpy() was actually of the form strncpy(dst, src,
strlen(src) + 1) which is unsafe in general, but safe in this instance
because dst and src were both of the same size and src was a proper
zero-terminated string. But this nevertheless led to a compiler warning
"‘strncpy’ specified bound depends on the length of the source argument
[-Wstringop-overflow=]" in GCC 9.2. strlen() was unnecessary anyway.
Reviewed-by: Andriy Gelman <andriy.gelman@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
|
| |
|
|
| |
Signed-off-by: vectronic <hello.vectronic@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use desc->log2_chroma_w/h to calculate the sps->conf_win_right/bottom_offset.
Based on Table 6-1, SubWidthC and SubHeightC depend on chroma format(log2_chroma_w/h).
Based on D-28 and D-29, set the correct cropped width/height.
croppedWidth = pic_width_in_luma_samples −
SubWidthC * ( conf_win_right_offset + conf_win_left_offset );
croppedHeight = pic_height_in_luma_samples −
SubHeightC * ( conf_win_bottom_offset + conf_win_top_offset );
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
|
| |
|
|
|
|
| |
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
| |
3469cfab added a check for whether the extradata coincided with the
beginning of the packet's data in order not to add extradata to packets
that already have it. But the check used was buggy for packets whose
size is smaller than the extradata's size. This commit fixes this.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Mainly reindentation, but some variables were also put into a smaller
scope.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Left shifts of signed values are undefined as soon as the result is
no longer representable in the target type. Therefore make nal_size
an uint32_t and drop the check for whether it is < 0.
2. The two checks for overreads (whether the length field is contained
in the packet and whether the actual unit is contained in the packet)
can be combined into one because the packet is padded, i.e. a potential
overread caused by reading the length field without checking whether
said length field is actually part of the packet's buffer is allowed
as one always stays within the padding. But one has to be aware of
a pitfall: The comparison must be performed in (at least) int64_t as
otherwise buf_end - buf might be promoted to uint32_t in which case
an already occured overread would appear as a very large number.
A comment explaining this has been added, too.
3. Units of size zero are now silently dropped; the earlier code would
instead read the first byte of the next length field (or the first byte
of padding) to infer the type of the current unit.
4. Futhermore, the earlier code returned the wrong error code. This has
been fixed, too.
Fixes #8290.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Up until now, h264_mp4toannexb would grow the output packet's buffer by
the desired amount every time another NAL unit of the input packet has
been read; this commit changes this: The input buffer is now essentially
parsed twice, once to determine the final size of the output packet and
once to write the output packet's data.
Fixes: Timeout
Fixes: 19322/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-5688407821123584
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
| |
h264_mp4toannexb_filter currently uses both indices/offsets as well as
direct pointers comparisons for the checks whether one has reached or
even surpassed the end. This commit removes the offsets.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If processing an input NAL unit triggers the insertion of data from
extradata in front of said NAL unit, the output packet is grown (i.e.
reallocated) once to accomodate both the new extradata as well as the
input NAL unit itself; this has been changed: In such a situation, the
packet is now grown twice. While this is bad for performance, it allows
to simplify the code and ultimately to stop reallocating the packet
altogether.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to the H.264 specifications, the only NAL units that need to
have four byte startcodes in H.264 Annex B format are SPS/PPS units and
units that start a new access unit. Before af7e953a, the first of these
conditions wasn't upheld as already existing in-band parameter sets
would not automatically be written with a four byte startcode, but only
when they already were at the beginning of their input packets. But it
made four byte startcodes be used too often as every unit that is written
together with a parameter set that is inserted from extradata received a
four byte startcode although a three byte start code would suffice
unless the unit itself were a parameter set.
FATE has been updated to reflect the changes. Although the patch leaves
the extradata unchanged, the size of the extradata according to the FATE
reports changes. This is due to a quirk in ff_h2645_packet_split which
is used by extract_extradata: If the input is Annex B, the first zero of
a four byte startcode is considered a part of the last unit (if any).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Up until now, h264_mp4toannexb stored the offset of the first SPS and
the first PPS in the (output) extradata in its context and used these
two numbers together with the size of the extradata and the pointer to
the extradata to determine what to insert when inserting extradata. This
led to some very long lines like "s->pps_offset != -1 ? s->pps_offset :
ctx->par_out->extradata_size - s->sps_offset". Therefore now pointers to
SPS and PPS are stored along with their respective sizes, so that e.g.
the above line can be changed to "s->sps_size".
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The format of an AVCDecoderConfigurationRecord, the out-of-band
extradata of H.264 in mp4, is as follows: First four bytes containing
version, profile and level, one byte for the length size and one byte
each for the number of SPS, followed by the SPS (each with its own size
field), followed by a byte containing the number of PPS followed by the
PPS with their size fields. While the number of SPS/PPS may be zero, the
bytes containing these numbers are mandatory. Yet the byte containing
the number of PPS has been ignored in two places:
1. In the initial check for whether the extradata can contain an
AVCDecoderConfigurationRecord. The minimum size is 7, not 6.
2. No check is made for whether the extradata ended right after the last
byte of the last SPS of the SPS array. Instead the first byte of the
padding is read as if it were part of the extradata and contained the
number of PPS (namely zero, given that the padding is zeroed). No error
or warning was ever raised.
This has been changed. Such truncated extradata is now considered
invalid; the check for 2. has been incorporated into the general size
check.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
Before reading a 16bit size field during parsing of extradata, no check
is performed to make sure that said length field is actually contained
in the extradata. Given that this overread is not dangerous (the extradata
is supposed to be padded), only a comment for it has been added; the error
itself will be detected as part of the normal check for overreads.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently during parsing the extradata, h264_mp4toannexb checks for
overreads by adding the size of the current unit to the current position
pointer and comparing this to the end position of the extradata. But
pointer comparisons and pointer arithmetic are only defined if it does not
exceed the object it is used on (one past the last element of an array
is allowed, too). In practice, this might lead to overflows. Therefore
the check has been changed to use bytestream2_get_bytes_left() which
means that the pointers get subtracted and the result gets compared to
the available size.
Furthermore, the error code has been fixed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is done in order to improve readability. No functional change is
intended with this commit at all; in particular, the unsafe read
functions are used throughout as h264_extradata_to_annexb already
performs its own checks. (These checks will nevertheless be improved
in further commits.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
bytestream2_get_bytes_left returns an unsigned int; as a result,
it returns big positive numbers if an overread already happened,
making it unsuitable for scenarios where one wants to allow this
in a controlled way (because the buffer is actually padded so that
no segfaults can happen). So change it to return an ordinary int.
Also, bytestream2_get_bytes_left_p has been modified in the same way.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
| |
successfull uncompressed_header()
Fixes: assertion failure
Fixes: 19301/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5743212006473728
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
| |
Fixes: Multiple out of array accesses
Fixes: 20817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SIREN_fuzzer-5754041227542528.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
| |
Simplifies code considerably.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org>
Signed-off-by: James Almer <jamrial@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Fixes: out of array access
Fixes: 20828/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_APM_fuzzer-5712770106654720
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
| |
The second ; in a double ;; is actually a null statement. It triggers
the typical declaration-after-statement compiler-warnings if it occurs
in the middle of several declarations (like here).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
| |
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
Reviewed-by: Andriy Gelman <andriy.gelman@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
| |
|
|
|
|
|
|
|
|
| |
"In both cases.." and "Repeat this call until.." would be better to
be in a separate line.
http://ffmpeg.org/doxygen/trunk/group__lavc__encdec.html
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
