Commits · 980224770abf0d59453bca239bde5288d0c257f8 · Samuel Mira / ffmpeg

Sep 12, 2021

avcodec/xpmdec: Move allocations down after more error checks · 98022477

Michael Niedermayer authored 3 years ago

Fixes: Timeout
Fixes: 37035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5142718576721920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e5869283)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

98022477

network: Define ENOTCONN as WSAENOTCONN if not defined · fc76c603

Martin Storsjö authored 5 years ago


This fixes compilation with old mingw.org toolchains, which has got
much fewer errno.h entries.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6569e950)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

fc76c603

avformat/avidec: Use 64bit for frame number in odml index parsing · 36f962f3

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 1179337772 + 1392508928 cannot be represented in type 'int'
Fixes: 34088/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5846945303232512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a4c98c50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

36f962f3

avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() · 43a4d78e

Michael Niedermayer authored 3 years ago

Fixes: Timeout
Fixes: 36262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4969052454912000

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 909faca9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

43a4d78e

avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata · bc9e0b6c

maryam ebrahimzadeh authored 3 years ago


As the second argument for init_get_bits (buf) can be crafted, a return value check for this function call is necessary.
'buf' is  part of  'AVPacket pkt'.
replace init_get_bits with init_get_bits8.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9ffa4949)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

bc9e0b6c

avcodec/webp: Check available space in loop in decode_entropy_coded_image() · 1e198bd9

Michael Niedermayer authored 3 years ago

Fixes: Timeout
Fixes: 35401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5714401821851648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5e00eab6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1e198bd9

avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode · f4700142

Michael Niedermayer authored 3 years ago

Fixes: out of array read
Fixes: 36331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-5140494328922112.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c59b5e3d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f4700142

avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init · 071ecadd

Michael Niedermayer authored 3 years ago


Fixes: MemLeak
Fixes: 8281
Fixes: PoC_option158.jpg
Fixes: CVE-2020-22037

Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7bba0dd6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

071ecadd

avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() · f71c7a35

Michael Niedermayer authored 3 years ago

Fixes: Infinite loop
Fixes: 35591/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4503764022198272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f803635c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f71c7a35

avcodec/vc1dec: Disable error concealment for *IMAGE · 2b4e4af6

Michael Niedermayer authored 3 years ago

The existing error concealment makes no sense for the image formats, they
use transformed source images which is different from keyframe + MC+difference
for which the error concealment is designed.
Of course feel free to re-enable this if you have a case where it works and
improves vissual results

Fixes: Timeout
Fixes: 36234/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6300306743885824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 643b2d49)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

2b4e4af6

avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() · 0b98a1d5

Michael Niedermayer authored 3 years ago

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 35593/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5182217725804544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8f2856a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

0b98a1d5

avformat/wtvdec: Check for EOF before seeking back in parse_media_type() · d64fddb9

Michael Niedermayer authored 3 years ago

Fixes: Infinite loop
Fixes: 36311/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-4889181296918528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 89505d38)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

d64fddb9

avformat/wavdec: Use 64bit in new_pos computation · a415c253

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 129 * 16711680 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6742285317439488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9b57d2f0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

a415c253

avformat/sbgdec: Check for overflow in timestamp preparation · 5ebce16f

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9dbed908)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

5ebce16f

avformat/dsicin: Check packet size for overflow · a4b9ac10

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 24672 + 2147483424 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DSICIN_fuzzer-6731325979623424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d1c47ec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

a4b9ac10

avformat/bfi: check nframes · 0b5c5645

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_BFI_fuzzer-6737028768202752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b4e77dfc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

0b5c5645

avformat/avidec: fix position overflow in avi_load_index() · 89fd36ad

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 9223372033098784808 + 4294967072 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6732488912273408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 527821a2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

89fd36ad

avformat/asfdec_f: Check sizeX against padding · d15d67e6

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 2147483607 + 64 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6753897878257664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f034c2e3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

d15d67e6

avformat/aiffdec: Check for size overflow in header parsing · f95a80bb

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6723467048255488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bae2e197)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f95a80bb

avcodec/aaccoder: Add minimal bias in search_for_ms() · c5935174

Michael Niedermayer authored 3 years ago


Fixes: floating point division by 0
Fixes: Ticket8218

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 75a099fc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

c5935174

avfilter/vf_mestimate: Check b_count · 7590dbf9

Michael Niedermayer authored 3 years ago


Fixes: left shift of negative value -1
Fixes: Ticket8270

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 06af6e10)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

7590dbf9

avformat/mov: do not ignore errors in mov_metadata_hmmt() · bbec731f

Michael Niedermayer authored 3 years ago

Fixes: Timeout
Fixes: 35637/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6311060272447488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c52c99a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

bbec731f

avformat/mxfdec: Check size for shrinking · 00ecb221

Michael Niedermayer authored 3 years ago

av_shrink_packet() takes int size, so size must fit in int
Fixes: out of array access
Fixes: 35607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4875541323841536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65b862ab)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

00ecb221

avcodec/dnxhddec: check and propagate function return value · e61b25e2

maryam ebr authored 3 years ago


Similar to CVE-2013-0868, here return value check for 'init_vlc' is needed.
crafted DNxHD data can cause unspecified impact.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 7150f957)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

e61b25e2

swscale/slice: Fix wrong return on error · e4f7328d

Michael Niedermayer authored 3 years ago


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7874d40f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

e4f7328d

swscale/slice: Check slice for allocation failure · a6f5191f

Michael Niedermayer authored 3 years ago


Fixes: null pointer dereference
Fixes: alloc_slice.mp4

Found-by: Rafael Dutra <rafael.dutra@cispa.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 997f9cfc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

a6f5191f

configure: Fix sem_timedwait probe · 9cfd59b5

Luca Barbato authored 7 years ago


(cherry-picked from libav commit 41262498)
Signed-off-by: James Almer <jamrial@gmail.com>

9cfd59b5

configure: add missing pthreads dependency to v4l2_m2m · 2e1e677c
James Almer authored 6 years ago
```
Signed-off-by: James Almer <jamrial@gmail.com>
```
2e1e677c

Sep 11, 2021

avformat/matroskadec: Fix handling of huge default durations · 94bb92e5

Michael Niedermayer authored 3 years ago

Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
Fixes: 33997/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6752039691485184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 343d950a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

94bb92e5

avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() · 73e81965

Michael Niedermayer authored 3 years ago


Fixes: floating point division by 0
Fixes: Ticket8213

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 70874e02)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

73e81965

avformat/ftp: Check for av_strtok() failure · afb35195

Michael Niedermayer authored 3 years ago


Fixes: CID1396258 Dereference null return value

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d407820)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

afb35195

tools/cws2fws: Check read() for failure · 375aa8f5

Michael Niedermayer authored 3 years ago


Fixes: CID1452579 Argument cannot be negative

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0b3cdd7c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

375aa8f5

avcodec/cpia: Fix missing src_size update · 3ecb97e4

Michael Niedermayer authored 3 years ago

Fixes: out of array read
Fixes: 35210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5669199688105984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cea05864)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3ecb97e4

avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation · 2eb23b82

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 486539264 * 14 cannot be represented in type 'int'
Fixes: 35281/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6068262742917120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 00ae9b77)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

2eb23b82

avformat/rmdec: Check old_format len for overflow · 153833e4

Michael Niedermayer authored 3 years ago

Maybe such large values could be disallowed earlier and closer to where
they are set.

Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 06d174e2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

153833e4

avformat/realtextdec: Check the pts difference before using it for the duration computation · 090e2d16

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 5404200000 - -9223372031709351616 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-6737340551790592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe12aa68)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

090e2d16

avformat/qcp: Avoid negative nb_rates · 0602cf0c

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 2 * -1725947872 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-6726807632084992

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1b865cc7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

0602cf0c

avformat/nutdec: Check tmp_size · 5ae0f402

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6739990530883584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1ca00b5e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

5ae0f402

avformat/msf: Check that channels doesnt overflow during extradata construction · 159ec5a6

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 2048 * 1122336 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6726959600107520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1a27792)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

159ec5a6

avformat/mpc8: Check for position overflow in mpc8_handle_chunk() · c65e5a19

Michael Niedermayer authored 3 years ago

Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ef25d11)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

c65e5a19