Age | Commit message (Collapse) | Author |
|
It appears this is not allowed "Each Segment Index box documents how a (sub)segment is divided into one or more subsegments
(which may themselves be further subdivided using Segment Index boxes)."
Fixes: Null pointer dereference
Fixes: Ticket9517
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long'
Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: Infinite loop
Fixes: 41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 59b4e7cbd87889c0bac710ac7f62782b637419a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: STSC / STCO inconsistency and assertion failure
Fixes: crbug1184666.mp4
Found-by: Chromium ASAN fuzzer
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2611d20d353026f996cb9aaced8b35db37f490d4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: signed integer overflow: -2147483634 - 16 cannot be represented in type 'int'
Fixes: 28322/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5711888402612224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 74c4c539538e36d8df02de2484b045010d292f2c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: Timeout, probably infinite loop
Fixes: 26559/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5391165484171264
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0afbaabdca2730d3f8d88719d64802d50b92d351)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 24457/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5760093644390400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffa6072fc727a14680a85449259f6b49b47587e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
mov_read_default
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 806a4d5187aeb82b97898683242886ed1e84f894)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d8d554f15a7a27cfeca81467cc9341a86f784e2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fix two cases of memleaks:
1. The leak of dv_demux
2. The leak of dv_fctx upon dv_demux allocate failure
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
|
|
The code for demuxing DV audio predates the introduction of refcounted
packets and when the latter was added, changes to the former were
forgotten. This meant that when avpriv_dv_produce_packet initialized the
packet containing the AVBufferRef, the AVBufferRef as well as the
underlying AVBuffer leaked; the actual packet data didn't leak: They
were directly freed, but not via their AVBuffer's free function.
https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2
contains samples for this (enable_drefs needs to be enabled for them).
Moreover, errors in avpriv_dv_produce_packet were ignored; this has been
changed, too.
Furthermore, in the hypothetical scenario that the track has a palette,
this would leak, too, so reorder the code so that the palette code
appears after the DV audio code.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
|
|
Found by Chromium fuzzers (crbug.com/1057205).
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad91cf1f2f5793db5c6dd7ab9947fcc6d7832607)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: Assertion failure
Fixes: crbug971646.mp4
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 696312c487d9d8c49a087017a829d1cdcbd68651)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Detecting missing tfhd avoids re-using tfhd track info from the previous
moof. For files with multiple tracks, this may make a mess of the
avindex and fragindex, which can later trigger av_assert0 in
mov_read_trun().
Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ea87e5d9ea075d5b3c0f4f8c6c48e514b454cbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.
Reviewed-by: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Reviewed-by: Sasi Inguva <isasi@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
mov_read_stsc()
Fixes: #7165
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Without this some operations might overflow (undefined behavior)
even though the index adding loop would never execute
No testcase known
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a
See: crbug 822666
Found-by: "Mattias Wadman <mattias.wadman@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009
Affects: aark15sd_9A62E2FA.mp4
Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type
Fixes: Chromium bug 791349
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Signed-off-by: Jacob Trimble <modmaker@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d9cf3bf16b94cd9db10dabad695c69c5cff4f58)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: Missing EOF check in loop
No testcase
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow
Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation
(cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths
(cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes integer overflow
Fixes: poc.mp4
Found-by: ajax secure <ajax4sec@hotmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8a3221cc67a516dfc1700bdae3566ec52c7ee823)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
(cherry picked from commit 22dbc1caaf13e4bb17c9e0164a5b1ccaf490e428)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
(cherry picked from commit 3617e69d50dd9dd07b5011dfb9477a9d1a630354)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
This feature is mostly only used by NLE software, and is
both of dubious value being enabled by default, and a
possible security risk.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 712d962a6a29b1099cd872cfb07867175a93ac4c)
Conflicts:
libavformat/isom.h
libavformat/mov.c
libavformat/version.h
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: Endangered\ Species\ 1x01\ Collecting\ Merl.mp4
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d3b6a9abacc9df124388ca2c38bf9456570f5d59)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes Ticket5047
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 861f47ddf463926da2cba9e12665e7f004419f4b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes trac #3842
(cherry picked from commit 4ab56667594842283dc5ae07f0daba2a2cb4d3af)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Reviewed-by: Lou Logan <lou@lrcd.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8d6625642db064a45224cb7a8e037f6e79a6554d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
|
|
Fixes integer overflow
Fixes: unknown_unknown_31b_795_cov_1818643045_raybauduc.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: unknown_unknown_19e_414_cov_764838672_bellhamlam.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes ticket #4747.
|
|
|
|
ff_dlog checks compilability, and is non-public. av_dlog is deprecated
and no longer exists if FF_API_DLOG=0.
|
|
Commit 0a551cbe introduced "activation_bytes" option, and not specifying
this option (while calling ffmpeg / ffprobe) causes the program to quit
early. Before this commit, ffprobe was capable of processing metadata in
.aax files.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
* commit '059a934806d61f7af9ab3fd9f74994b838ea5eba':
lavc: Consistently prefix input buffer defines
Conflicts:
doc/examples/decoding_encoding.c
libavcodec/4xm.c
libavcodec/aac_adtstoasc_bsf.c
libavcodec/aacdec.c
libavcodec/aacenc.c
libavcodec/ac3dec.h
libavcodec/asvenc.c
libavcodec/avcodec.h
libavcodec/avpacket.c
libavcodec/dvdec.c
libavcodec/ffv1enc.c
libavcodec/g2meet.c
libavcodec/gif.c
libavcodec/h264.c
libavcodec/h264_mp4toannexb_bsf.c
libavcodec/huffyuvdec.c
libavcodec/huffyuvenc.c
libavcodec/jpeglsenc.c
libavcodec/libxvid.c
libavcodec/mdec.c
libavcodec/motionpixels.c
libavcodec/mpeg4videodec.c
libavcodec/mpegvideo.c
libavcodec/noise_bsf.c
libavcodec/nuv.c
libavcodec/nvenc.c
libavcodec/options.c
libavcodec/parser.c
libavcodec/pngenc.c
libavcodec/proresenc_kostya.c
libavcodec/qsvdec.c
libavcodec/svq1enc.c
libavcodec/tiffenc.c
libavcodec/truemotion2.c
libavcodec/utils.c
libavcodec/utvideoenc.c
libavcodec/vc1dec.c
libavcodec/wmalosslessdec.c
libavformat/adxdec.c
libavformat/aiffdec.c
libavformat/apc.c
libavformat/apetag.c
libavformat/avidec.c
libavformat/bink.c
libavformat/cafdec.c
libavformat/flvdec.c
libavformat/id3v2.c
libavformat/isom.c
libavformat/matroskadec.c
libavformat/mov.c
libavformat/mpc.c
libavformat/mpc8.c
libavformat/mpegts.c
libavformat/mvi.c
libavformat/mxfdec.c
libavformat/mxg.c
libavformat/nutdec.c
libavformat/oggdec.c
libavformat/oggparsecelt.c
libavformat/oggparseflac.c
libavformat/oggparseopus.c
libavformat/oggparsespeex.c
libavformat/omadec.c
libavformat/rawdec.c
libavformat/riffdec.c
libavformat/rl2.c
libavformat/rmdec.c
libavformat/rtpdec_latm.c
libavformat/rtpdec_mpeg4.c
libavformat/rtpdec_qdm2.c
libavformat/rtpdec_svq3.c
libavformat/sierravmd.c
libavformat/smacker.c
libavformat/smush.c
libavformat/spdifenc.c
libavformat/takdec.c
libavformat/tta.c
libavformat/utils.c
libavformat/vqf.c
libavformat/westwood_vqa.c
libavformat/xmv.c
libavformat/xwma.c
libavformat/yop.c
Merged-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
* commit '7c6eb0a1b7bf1aac7f033a7ec6d8cacc3b5c2615':
lavc: AV-prefix all codec flags
Conflicts:
doc/examples/muxing.c
ffmpeg.c
ffmpeg_opt.c
ffplay.c
libavcodec/aacdec.c
libavcodec/aacenc.c
libavcodec/ac3dec.c
libavcodec/ac3enc_float.c
libavcodec/atrac1.c
libavcodec/atrac3.c
libavcodec/atrac3plusdec.c
libavcodec/dcadec.c
libavcodec/ffv1enc.c
libavcodec/h264.c
libavcodec/h264_loopfilter.c
libavcodec/h264_mb.c
libavcodec/imc.c
libavcodec/libmp3lame.c
libavcodec/libtheoraenc.c
libavcodec/libtwolame.c
libavcodec/libvpxenc.c
libavcodec/libxavs.c
libavcodec/libxvid.c
libavcodec/mpeg12dec.c
libavcodec/mpeg12enc.c
libavcodec/mpegaudiodec_template.c
libavcodec/mpegvideo.c
libavcodec/mpegvideo_enc.c
libavcodec/mpegvideo_motion.c
libavcodec/nellymoserdec.c
libavcodec/nellymoserenc.c
libavcodec/nvenc.c
libavcodec/on2avc.c
libavcodec/options_table.h
libavcodec/opus_celt.c
libavcodec/pngenc.c
libavcodec/ra288.c
libavcodec/ratecontrol.c
libavcodec/twinvq.c
libavcodec/vc1_block.c
libavcodec/vc1_loopfilter.c
libavcodec/vc1_mc.c
libavcodec/vc1dec.c
libavcodec/vorbisdec.c
libavcodec/vp3.c
libavcodec/wma.c
libavcodec/wmaprodec.c
libavcodec/x86/hpeldsp_init.c
libavcodec/x86/me_cmp_init.c
Merged-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
|
|
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
This reverts commit 9286de045968ad456d4e752651eec22de5e89060.
The change broke support for legit absolute file paths.
Reported-by: Maksym Veremeyenko <verem@m1stereo.tv>.
|
|
allowing a subset of relative pathes in references
Fixes Ticket4671
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Possibly fixes Ticket4671
the removed check is wrong and insufficient
Based on patch by Maksym Veremeyenko <verem@m1.tv>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|
|
Fixes: 260813283176b57b3c9974fe284eebc3_signal_sigsegv_7ffff713351a_991_xtrem_e2_m64q15_a32sxx.3gp with memlimit of 262144
Found-by: Samuel Groß, Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
|