Commits · a2e14839dcf04e03110bc3a7c7b154eb7cbacfaf · Samuel Mira / ffmpeg

Oct 10, 2022
- Changelog: update · a2e14839
  Michael Niedermayer authored 2 years ago
  
  Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  n4.1.10
  
  a2e14839
Oct 09, 2022

avcodec/dstdec: Check for overflow in build_filter() · c814c2a1

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 1917019860 + 265558963 cannot be represented in type 'int'
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-4833165046317056

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8008940d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

c814c2a1

avformat/spdifdec: Use 64bit to compute bit rate · 056695bf

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 32 * 553590816 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6564974517944320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4075f0ce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

056695bf

avformat/xwma: Use av_rescale() for duration computation · ae5b1998

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 34242363648 * 538976288 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6577923913547776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c789f75)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

ae5b1998

avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation · 02402b49

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 72128794995445727 * 240 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_SDS_fuzzer-6628185583779840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa8eb1be)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

02402b49

avformat/rmdec: check tag_size · 74b61efa

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2cb7ee8a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

74b61efa

avformat/nutdec: Check fields · e474173f

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6566001610719232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c146406)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

e474173f

avformat/dxa: avoid bpc overflows · 167c0dcf

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93db0f07)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

167c0dcf

avformat/cafdec: Check that nb_frasmes fits within 64bit · 9fb728dd

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d4bb4e37)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

9fb728dd

avformat/asfdec_o: Limit packet offset · 955ed9b6

Michael Niedermayer authored 2 years ago

avoids overflows with it

Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 736e9e69)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

955ed9b6

avformat/ape: Check frames size · 3e208ef0

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d0349c99)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3e208ef0

avformat/icodec: Check nb_pal · 80ec0ca9

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db73ae0d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

80ec0ca9

avformat/aiffdec: Use 64bit for block_duration use · d52ed1be

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9303ba27)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

d52ed1be

avformat/aiffdec: Check block_duration · 9959b6e2

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 3 * -2147483648 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6668935979728896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c2b6265)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

9959b6e2

avformat/mxfdec: only probe max run in · e55980d3

Michael Niedermayer authored 2 years ago


Suggested-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1182bbb2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

e55980d3

avformat/mxfdec: Check run_in is within 65536 · 045ed347

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 9223372036854775807 - -2146905566 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6570996594769920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 77860978)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

045ed347

avcodec/apedec: Fix integer overflow in filter_3800() · a101c977

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: -2147448926 + -198321 cannot be represented in type 'int'
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5739619273015296
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6744428485672960

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f05247f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

a101c977

avcodec/tta: Check 24bit scaling for overflow · 7d5e8bdb

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int'
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3993345f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

7d5e8bdb

libavformat/hls: Free keys · 53f3a251

Michael Niedermayer authored 2 years ago

Fixes: memleak
Fixes: 50703/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6399058578636800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d32a9f31)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

53f3a251

avcodec/fmvc: Move frame allocation to a later stage · f0fb0702

Michael Niedermayer authored 2 years ago


This way more things are checked before allocation

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9783749c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f0fb0702

avcodec/speedhq: Check width · c2633805

Michael Niedermayer authored 2 years ago

Fixes: out of array access
Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400

Alternatively the buffer size can be increased

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0395f9e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

c2633805

avcodec/bink: disallow odd positioned scaled blocks · b2222721

Michael Niedermayer authored 2 years ago

Fixes: out of array access
Fixes: 47911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6194020855971840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b14104a6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

b2222721

avformat/asfdec_o: limit recursion depth in asf_read_unknown() · bf29c080

Michael Niedermayer authored 2 years ago

The threshold of 5 is arbitrary, both smaller and larger should work fine

Fixes: Stack overflow
Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f1a3681)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

bf29c080

doc/git-howto.texi: Document commit signing · 8f443328

Michael Niedermayer authored 2 years ago


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ced0dc80)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

8f443328

libavcodec/8bps: Check that line lengths fit within the buffer · 82e77e0d

Michael Niedermayer authored 2 years ago

Fixes: Timeout
Fixes: undefined pointer arithmetic
Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2316d5ec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

82e77e0d

libavformat/iff: Check for overflow in body_end calculation · 37139adf

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long'
Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bcb46903)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

37139adf

avformat/avidec: Prevent entity expansion attacks · 2f2a3397

Michael Niedermayer authored 2 years ago


Fixes: Timeout
Fixes no testcase, this is the same idea as similar attacks against XML parsers

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f3e823c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

2f2a3397

avcodec/h263dec: Sanity check against minimal I/P frame size · 4d537913

Michael Niedermayer authored 2 years ago

Fixes: Timeout
Fixes: 49718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4874987894341632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ca4ff9c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

4d537913

avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel · ec9af84d

Michael Niedermayer authored 2 years ago

This is somewhat redundant with the is_decoded check. Maybe
there is a nicer solution

Fixes: Null pointer dereference
Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b51e199)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

ec9af84d

MAINTAINERS: Add ED25519 key for signing my commits in the future · 8229f432

Michael Niedermayer authored 2 years ago


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 05225180)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

8229f432

avcodec/hevc_filter: copy_CTB() only within width&height · 0bea6b5d

Michael Niedermayer authored 2 years ago

Fixes: out of array access
Fixes: 49271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5424984922652672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 009ef35d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

0bea6b5d

avformat/flvdec: Check for EOF in index reading · f198ffcf

Michael Niedermayer authored 2 years ago

Fixes: Timeout
Fixes: 47992/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6020443879899136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ceff5d7b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

f198ffcf

avformat/nutdec: Check get_packetheader() in mainheader · 5cefe5d3

Michael Niedermayer authored 2 years ago

Fixes; Timeout
Fixes: 48794/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6524604713140224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5de084a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

5cefe5d3

avformat/asfdec_f: Use 64bit for packet start time · c9d82712

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ed78486)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

c9d82712

avcodec/lagarith: Check dst/src in zero run code · 85d59a6a

Michael Niedermayer authored 2 years ago

Fixes: out of array access
Fixes: 48799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4764457825337344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9450f759)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

85d59a6a

avcodec/h264dec: Skip late SEI · 99f1f07b

Michael Niedermayer authored 2 years ago


Fixes: Race condition
Fixes: clusterfuzz-testcase-minimized-mediasource_MP2T_AVC_pipeline_integration_fuzzer-6282675434094592

Found-by: google ClusterFuzz
Tested-by: Dan Sanders <sandersd@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f7dd408d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

99f1f07b

avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() · 5deba24c

Michael Niedermayer authored 2 years ago

Fixes: signed integer overflow: 2147483645 + 16 cannot be represented in type 'int'
Fixes: 46993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4759025234870272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1537f405)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

5deba24c

avfilter/vf_signature: Fix integer overflow in filter_frame() · b3fdcaca

Michael Niedermayer authored 2 years ago


Fixes: CID1403233

The second of the 2 changes may be unneeded but will help coverity

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dd604067)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

b3fdcaca

avformat/rtsp: break on unknown protocols · 6c1a7a82

Michael Niedermayer authored 2 years ago


This function needs more cleanup and it lacks error handling

Fixes: use of uninitialized memory
Fixes: CID700776

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 73c0fd27)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

6c1a7a82

avcodec/hevcdsp_template: stay within tables in sao_band_filter() · 8a4e3bc1

Michael Niedermayer authored 2 years ago

Fixes: out of array read
Fixes: 47875/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5719393113341952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg


Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9c5250a5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

8a4e3bc1