Fixes: memleak
Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: Integer overflow
Fixes: 40973/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6739312704618496

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Suggested-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: Timeout
Fixes: 35877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5407292819374080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Fixes: shift exponent 4294967163 is too large for 32-bit type 'int'
Fixes: 41449/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6183636217495552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

If memory allocation fails, ERROR(ENOMEM) '-12' will be returned.
When resample() is done first, the negative size param would cause buffer-overflow and SEGV in swri_rematrix().
When swri_rematrix() is run first, resample() would not cause an error but Err num as a wrong parameter passing.
Err num should be returned immediately. And remove an unneeded term from an assert.

coredump info:
    #0 0x499517 in posix_memalign (/home/r1/ffmpeg/ffmpeg_4.4.1+0x499517)
    #1 0x6c1f0b4 in av_malloc /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:86:9
    #2 0x6c208fe in av_mallocz /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:239:17
    #3 0x6c207ad in av_mallocz_array /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:195:12
    #4 0x654b2e5 in swri_realloc_audio /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:418:14
    #5 0x654f9a1 in swr_convert_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:601:17
    #6 0x654d2c0 in swr_convert /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:766:19
    #7 0x186cf56 in flush_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:251:13
    #8 0x186a454 in request_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:288:20
    #9 0x787d9c in ff_request_frame_to_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:459:15
    #10 0x7877f1 in forward_status_change /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1257:19
    #11 0x77ed7e in ff_filter_activate_default /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1288:20
    #12 0x77e4e1 in ff_filter_activate /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1441:11
    #13 0x793b3f in ff_filter_graph_run_once /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1403:12
    #14 0x7a7bee in get_frame_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:131:19
    #15 0x7a7287 in av_buffersink_get_frame_flags /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:142:12
    #16 0x792888 in avfilter_graph_request_oldest /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1356:17
    #17 0x5d07df in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4639:11
    #18 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
    #19 0x593970 in transcode /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15
    #20 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9
    #21 0x7f6fd2dee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: negative-size-param (/home/r1/ffmpeg/ffmpeg_4.4.1+0x497e67) in __asan_memcpy

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

There are three types of style entries which are redundant:
a) Entries with length zero. They are already discarded.
b) Entries that are equivalent to the default style:
They can be safely discarded.
c) Entries that are equivalent to the immediately preceding style
if the start of the current style coincides with the end of the
preceding style. In this case the styles can be merged.

This commit implements discarding/merging in cases b) and c).
This fixes ticket #9548. In said ticket each packet contained
exactly one style entry that covered the complete packet with
the exception of the last character (probably created by a tool
that didn't know that the style's end is exclusive). Said style
coincided with the default style, leading to a superfluous reset,
which is now gone.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Reduces the amount of conversions.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Both TextSampleEntry and TextSample can contain StyleRecords;
yet both the code as well as the structures for them were duplicated.
This commit changes this.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Giving elements of a structure called StyleBox names like
"style_start" or "style_end" is redundant, especially given
that the relevant variables are also called style.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Don't use different src and dst in av_tea_crypt(); use in-place
modifications instead. Also let av_tea_crypt() encrypt all three
blocks in one call.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

We use ECB, not CBC mode here, so one does not need to reinitialize
the context; for the same reason, one can also just let av_tea_crypt()
loop over the blocks, avoiding a loop here.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Up until now, the packets have been read in blocks of at most
eight bytes at a time; then these blocks have been decrypted
and copied into a buffer on the stack (that was double the size
needed...). From there they have been copied to the dst packet.

This commit changes this: The data is read in one go; and
the decryption avoids temporary buffers, too, by making
use of the fact that src and dst of av_tea_crypt() can coincide.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Due to this bush.aa (from the FATE suite) exported garbage metadata
with key "_040930".

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Most callers want it that way anyway.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

av_image_copy() expects an array of four pointers according to its
declaration; although it currently only touches pointers that
are actually in use (depending upon the pixel format) this might
change at any time (as has already happened for the linesizes
in d7bc52bf).

This fixes a -Wstringop-overflow= warning with GCC 11.2.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>

The concatf protocol returns an opaque error on open if
concatf list file contains trailing newlines.

Signed-off-by: Gyan Doshi <ffmpeg@gyani.pro>
Reviewed-by: James Almer <jamrial@gmail.com>

Do not continue as if nothing happened.

do_video_out() is the wrong place for it, since the necessary
information is already known when creating the stream and its value
should never change.

There is never a reason to do this, using symbolic names is always
preferred.

Symbolic names are always preferable.

Stop explicitly defining VSCFR and DROP values, which were never
documented.

If the input stream framerate is known, it will be configured on the
relevant filtergraph input and get propagated to the output stream in
the above line. That makes these assignments redundant.

Instead of storing the protocol pointer in the opaque iteration state,
store just the index of the next protocol, similarly to how
ff_urlcontext_child_class_iterate() works.

img2enc keeps a private (and possibly truncated) copy of the url that is
never modified. Just use AVFormatContext.url instead.

Silences e.g. the following warning in gcc 10:
src/libavformat/ftp.c: In function ‘ftp_move’:
src/libavformat/ftp.c:1122:46: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4091 [-Wformat-truncation=]
 1122 |     snprintf(command, sizeof(command), "RNTO %s\r\n", path);
      |                                              ^~       ~~~~
src/libavformat/ftp.c:1122:5: note: ‘snprintf’ output between 8 and 4103 bytes into a destination of size 4096
 1122 |     snprintf(command, sizeof(command), "RNTO %s\r\n", path);
      |     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~