Timo Rothenpieler [Fri, 2 Jan 2026 19:00:45 +0000 (20:00 +0100)]
forgejo: backport CI job names
Timo Rothenpieler [Wed, 31 Dec 2025 02:41:21 +0000 (03:41 +0100)]
avformat/img2dec: reject input images too big to fit into a single packet
Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.
Fixes #YWH-PGM40646-32
(cherry picked from commit
f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)
Andreas Rheinhardt [Sun, 8 Aug 2021 17:03:49 +0000 (19:03 +0200)]
avcodec/aarch64/idct: Add missing stddef
Fixes checkheaders on aarch64.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit
52e911369553e1d2e8c4978172a5a302b91c8202)
Timo Rothenpieler [Sun, 30 Nov 2025 20:39:04 +0000 (21:39 +0100)]
tools/check_arm_indent: skip empty glob
Timo Rothenpieler [Sun, 30 Nov 2025 20:29:43 +0000 (21:29 +0100)]
all: apply linter fixes
Timo Rothenpieler [Sun, 30 Nov 2025 15:58:33 +0000 (16:58 +0100)]
forgejo: apply needed CI changes for 4.4
Timo Rothenpieler [Sun, 30 Nov 2025 15:25:19 +0000 (16:25 +0100)]
forgejo: backport CI to release/4.4
Michael Niedermayer [Mon, 1 Dec 2025 01:13:20 +0000 (02:13 +0100)]
update for 4.4.7
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Zhao Zhili [Fri, 14 Nov 2025 09:23:22 +0000 (17:23 +0800)]
avutil/common: cast GET_BYTE/GET_16BIT returned value
In case of GET_BYTE/GET_16BIT return signed value.
(cherry picked from commit
0ae8df5f2ceea82337a2456ef16f930faf160189)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 8 Nov 2025 22:22:56 +0000 (23:22 +0100)]
avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()
Fixes: use of uninitialized memory
Fixes:
439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-
5635866203848704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
59db32b433ea9e7766ec7fac994860ed15d7ed7d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 15:27:56 +0000 (16:27 +0100)]
avformat/rtpdec_rfc4175: Only change PayloadContext on success
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
c03e49dd1d8ee2dd21c24002dfac95644c830498)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 15:28:49 +0000 (16:28 +0100)]
avformat/rtpdec_rfc4175: Check dimensions
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 15:17:27 +0000 (16:17 +0100)]
avformat/rtpdec_rfc4175: Fix memleak of sampling
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
af3dee313223c722c34e8231cd6859188928a6e3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 16:32:56 +0000 (17:32 +0100)]
avformat/http: Fix off by 1 error
Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte
Found-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 8 Nov 2025 00:17:46 +0000 (01:17 +0100)]
avcodec/exr: spelling
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
d80f8f36513ebff05c537adbe756e36036f80074)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
veygax [Sun, 2 Nov 2025 02:35:40 +0000 (02:35 +0000)]
avcodec/exr: use tile dimensions in pxr24 UINT case
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize which lead to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <veyga@veygax.dev>
(cherry picked from commit
162f75b5e6798b385bb3eadd8280eff52d03cf29)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 22:20:36 +0000 (00:20 +0200)]
avcodec/exr: Simple check for available channels
The existing is_luma check is fragile as depending on the order
of channels it can be set or reset
No testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 22:08:45 +0000 (23:08 +0100)]
avformat/sctp: Check size in sctp_write()
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 30 Oct 2025 22:20:41 +0000 (23:20 +0100)]
avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 30 Oct 2025 22:05:57 +0000 (23:05 +0100)]
avformat/rtmpproto_ Check tcurl and flashver length
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
a64e037429f20873ec48f6c82aa145ab448e1399)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 6 Oct 2025 23:58:34 +0000 (01:58 +0200)]
avcodec/g723_1enc: Make min_err 64bit
This is intending to fix the case described in https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
Where FCBParam optim is used uninitialized
a min_err of 1<<30, allows the struct to be never initilialized as all
err (which is int32_t) can be larger than min_err. By increasing min_err
above the int32_t range this is no longer possible
Untested, as i do not have the testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>i
(cherry picked from commit
909af3a571da830cc70a34f0c3946379bd12dfbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 24 Oct 2025 18:29:23 +0000 (20:29 +0200)]
avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()
Fixes: memcpy with negative size
Fixes: momo_trip-poc/input
Reported-by: Momoko Shiraishi <shiraishi@os.is.s.u-tokyo.ac.jp>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
d03483bd265b68db00c9b90f6f48dcf61c5c300d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 13 Oct 2025 12:32:45 +0000 (14:32 +0200)]
swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Found-by: colod colod <colodcolod7@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 22:18:30 +0000 (00:18 +0200)]
avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-
445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
7896cc67c13037abba8941e39a74c56d26b775a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 15:32:46 +0000 (17:32 +0200)]
avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
8e078826da6f2a1dffa25162121b43b272f5e5fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 19:28:04 +0000 (21:28 +0200)]
avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
thus we ask the user for a sample if she encounters such a file
Fixes: out of array access
Fixes: BIGSLEEP-
445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
c911e0001115bbda904ad103b12c27b9a3c0c265)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 11 Sep 2025 18:12:55 +0000 (20:12 +0200)]
avcodec/mjpegdec: Explain buf_size/width/height check
Suggested-by: Ramiro
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
61b6877637041a1f817ad9811c839b0feae2b8af)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andreas Rheinhardt [Mon, 25 Mar 2024 15:54:25 +0000 (16:54 +0100)]
fftools/ffmpeg_mux_init: Fix double-free on error
MATCH_PER_STREAM_OPT iterates over all options of a given
OptionDef and tests whether they apply to the current stream;
if so, they are set to ost->apad, otherwise, the code errors
out. If no error happens, ost->apad is av_strdup'ed in order
to take ownership of this pointer.
But this means that setting it originally was premature,
as it leads to double-frees when an error happens lateron.
This can simply be reproduced with
ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null -
This is a regression since
83ace80bfd80fcdba2c65fa1d554923ea931d5bd.
Fix this by using a temporary variable instead of directly
setting ost->apad. Also only strdup the string if it actually
is != NULL.
Reviewed-by: Marth64 <marth64@proxyid.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit
ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
8a1ccbd5dd76fb12ad75528038a9f7f50fee330d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andreas Rheinhardt [Tue, 12 Mar 2024 22:23:17 +0000 (23:23 +0100)]
avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX
Affects many FATE-tests, see
https://fate.ffmpeg.org/report.cgi?time=
20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit
7a089ed8e049e3bfcb22de1250b86f2106060857)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andreas Rheinhardt [Fri, 11 Jul 2025 20:58:26 +0000 (22:58 +0200)]
avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233.
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit
987c955cd7e972d9940284fa6ae7187ac858ebb1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Lynne [Sat, 8 Feb 2025 03:35:31 +0000 (04:35 +0100)]
aacenc_tns: clamp filter direction energy measurement
The issue is that:
float en[2];
...
tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
for (g = 0; g < tns->n_filt[w]; g++) {
tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
When using the AAC Main profile, n_filt = 3, and slant is by
default 2 (normal long frames), g can go above 1.
en is the evolution of energy in the frequency domain for every
band at the given window. E.g. whether the energy is concentrated
at the top of each band, or the bottom.
For 2-pole filters, its straightforward.
For 3-pole filters, we need more than 2 measurements.
This commit properly implements support for 3-pole filters, by measuring
the band energy across three areas.
Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
n_filt == 3.
Fixes https://trac.ffmpeg.org/ticket/11418
(cherry picked from commit
ed09aa28ae3b4509f00a24a9ebdeb084ee00736a)
(cherry picked from commit
f98f142da571653436596ccad2d09c7e39bfd4fb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 19 Aug 2025 01:12:37 +0000 (03:12 +0200)]
avcodec/dxv: Check coded_height, to avoid invalid av_clip()
Fixes: assertion failure
Fixes:
438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-
5850827739955200
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
cdee519d40e61bd65ba5b3fbec00acd50a08d0d9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 13 Aug 2025 11:11:23 +0000 (13:11 +0200)]
avcodec/aac/aacdec: dont allow ff_aac_output_configure() allocating a new frame if it has no frame
Fixes: null pointer dereference
Fixes: crash_test.mp4
Found-by: Intel PSIRT
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
fcf180d9ea27b7dc29658c9dc3488ae6fac3ebd9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 18 Aug 2025 15:20:49 +0000 (17:20 +0200)]
avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
0243cf89b137b093b02a5c61a76e28cec1d69ae9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 17 Aug 2025 13:31:48 +0000 (15:31 +0200)]
avcodec/sanm: Check w,h,left,top
The setup code fow w,h,left,top is complex, the code using it also falls in
at least 2 different classes, one using left/top the other not.
To ensure no out of array access happens we add this clear check.
Fixes: out of array access
Fixes:
439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-
5383455572819968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
134fbfd1dcb59441e38d870ddd231772f4e8e127)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 15 Aug 2025 15:55:05 +0000 (17:55 +0200)]
avcodec/utvideodec: Clear plane_start array
in pack mode the array is passed into decode_plane() without being initialized or used
Fixes: use of uninitialized memory
Fixes:
438780119/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-
5464037027807232
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
2a22972db3b390d82dedbdbb5f44cc09a43912b5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 8 Aug 2025 10:25:55 +0000 (12:25 +0200)]
avcodec/dxv: Check that we initialize op_data
Fixes:
431665305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-
5339599339847680
Fixes: use of uninitialized memory
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
6a8c41dcacbba011e553fbf35518577321d1aadb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 9 Aug 2025 12:05:19 +0000 (14:05 +0200)]
avcodec/exr: Check for pixel type consistency in DWA
Fixes: out of array access
Fixes: BIGSLEEP-
436511754/testcase.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
0469d68acb52081ca8385b844b9650398242be0f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Kacper Michajłow [Sat, 9 Aug 2025 15:09:57 +0000 (17:09 +0200)]
avcodec/g726: init missing sample rate
Fixes:
416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_G726_DEC_fuzzer-
5695764455292928
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit
c2f7dae70d27a8f5ca1e3fa43d96ff5c8bf032fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Kacper Michajłow [Sat, 9 Aug 2025 14:49:17 +0000 (16:49 +0200)]
avformat/lrcdec: limit input timestamp range to avoid overflows
Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-
5226140131459072
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit
c74bc74398e7a1e235fdf51d0dd2dfb942626c82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 8 Aug 2025 21:19:03 +0000 (23:19 +0200)]
avcodec/scpr3: Clear clr
clr is passing into decode_run_p() its not used when not set
but this possibly triggers msan (it doesnt locally)
Fixes?: use of uninintialized memory
Fixes?:
436997807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-
6253316466606080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
354226037646d44701f0f2a84749fb2ea303f043)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 8 Aug 2025 13:03:56 +0000 (15:03 +0200)]
avcodec/ilbcdec: Clear cbvec when used with create_augmented_vector()
Fixes: use of uninitialized memory
Fixes:
42538134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-
6322020827070464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
9686fdd729a9caeeac0dc84dca2a65e4c9e5460b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 9 Aug 2025 09:38:07 +0000 (11:38 +0200)]
avcodec/jpeg2000dec: Make sure the 4 extra bytes allocated are initialized
Fixes: use of uninitialized memory
Fixes:
429130590/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-
5736930522497024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
d6fe3786cd8c06437756d407f727ff01cf1774ff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Muhammad Faiz [Thu, 3 Jul 2025 13:47:58 +0000 (20:47 +0700)]
avfilter/avf_showcqt: fix unbounded index when copying to fft_data
When timeclamp and/or fps are low, j can be negative.
Fix Ticket11640
(cherry picked from commit
35ea45835484b90490e7d1704ef99ccb7b775578)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 10 May 2025 22:58:26 +0000 (00:58 +0200)]
avcodec/aacsbr_template: Check ilb
Fixes: index 50 out of bounds for type 'INTFLOAT [40][2]'
Fixes:
401661737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-
4866055713652736
Someone knowing AAC well should review this, there is likely a nicer fix
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
01a1b99fc2ccdf713abfa5203e36fbf5816e1b5f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 6 Aug 2025 11:09:26 +0000 (13:09 +0200)]
avcodec/utvideodec: Set B for the width= 1 case
Fixes: use of uninitialized meory
Fixes:
428034093/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-
6195630160805888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
032dfe8584c4675f3253ebb5e333e834f55f7562)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 6 Aug 2025 11:36:06 +0000 (13:36 +0200)]
avcodec/ffv1: Clear state on alloc
Fixes: use of uninitialized memory
Fixes:
428969823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-
5909681623334912
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
70fc46d185663dbea0995bf868d66b58b388119e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 5 Aug 2025 21:42:23 +0000 (23:42 +0200)]
avcodec/jpeg2000dec: implement cdef remapping during pixel format matching
Fixes: out of array access
Fixes: poc.jp2
Found-by: Andy Nguyen <theflow@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
01a292c7e36545ddeb3c7f79cd02e2611cd37d73)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 5 Aug 2025 21:18:47 +0000 (23:18 +0200)]
avcodec/jpeg2000dec: move cdef default check into get_siz()
This way cdef is at its final value earlier
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
104d6846c1be0cb757dc95d5801a416f4d7c687d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 6 Aug 2025 08:08:14 +0000 (10:08 +0200)]
avcodec/exr: Check rle_raw_data and surroundings
Fixes: out of array read
Fixes: BIGSLEEP-
436510153/dwa_uncompress_read.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
0d9c003d76383e82b57b6d5aa33776709d0cda2c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 6 Aug 2025 08:35:15 +0000 (10:35 +0200)]
avcodec/exr: Dont access outside xsize/ysize
Fixes: out of array access
Fixes: BIGSLEEP-
436510316/dwa_uncompress_write.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
f45da79b2c336c5f8f3e563d72b8a22fecdcde0c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Jiasheng Jiang [Wed, 6 Aug 2025 14:54:22 +0000 (14:54 +0000)]
examples: Add check and replace av_free() to avoid potential memory errors
Add check for the return value of av_packet_alloc() to avoid potential NULL pointer dereference.
Moreover, replace redundant av_free() with fprintf().
Fixes:
9a38184a14 ("examples/decode_audio: allocate the packet dynamically")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
c64cff64a22a59c0c02281ee9fd9d89963d14d16)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Jiasheng Jiang [Sun, 3 Aug 2025 23:31:27 +0000 (23:31 +0000)]
libavcodec/tests/snowenc: Add av_free() to avoid memory leak
Add av_free() to free s.temp_dwt_buffer and s.temp_idwt_buffer at the end of the function to avoid memory leak.
Fixes:
5d48e4eafa ("Merge commit '
a6a750c7ef240b72ce01e9653343a0ddf247d196'")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
446cfbfb7446208bd1592bbc0ac18ac744543563)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Kacper Michajłow [Wed, 6 Aug 2025 17:49:11 +0000 (19:49 +0200)]
avcodec/mpc8: init avctx->sample_rate
Fixes frame validation.
Fixes:
416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-
5765557242888192
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit
09cb2d41d1862c2f9b3b66311ede28527d703700)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 2 Aug 2025 16:55:26 +0000 (18:55 +0200)]
avformat/hls: add cmfv/cmfa exceptions
Fixes: Ticket11526
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
f3c3a6ecfb230c56a8ff9d219d79d5981b2aa4f3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Kacper Michajłow [Wed, 23 Jul 2025 18:04:53 +0000 (20:04 +0200)]
avformat/lrcdec: support arbitrary precision timestamp
Apparently files with milliseconds exist in the wild. And since it cost
nothing to support arbitrary number of digits, extend format to support
that.
Depending on number of digits, the time base of fractional part is
changing. Most LRCs use 2 digits and centiseconds base, but subs with 3
digits and miliseconds exist too.
Set internal time base to AV_TIME_BASE, which in parcitice allows to
hold microseconds with 6 digits. Totally artificial, but who knows maybe
someone wants that.
Fixes: #11677
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit
bc3cc0a6af44adc63caf4e5097fcfebd7a7475b4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 4 Aug 2025 19:08:47 +0000 (21:08 +0200)]
avcodec/ffv1dec: Disable frame threading due to race condition
Slice threading remains available!
The race condition fix is in
8d5efc218245c3f0559f48837b3e63e2932525e0
and
bcf08c11710cab5db8eb3d0774e1a93e322fb821
Backport of these is welcome
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Jiasheng Jiang [Sun, 3 Aug 2025 20:32:23 +0000 (20:32 +0000)]
libavcodec/tests/motion: Add check for avcodec_alloc_context3()
Add check for the return value of avcodec_alloc_context3() to avoid potential NULL pointer dereference.
Fixes:
5d48e4eafa ("Merge commit '
a6a750c7ef240b72ce01e9653343a0ddf247d196'")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
55d234b4330d1588eb127cf2283a442ee341f2c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Jiasheng Jiang [Sun, 3 Aug 2025 19:14:38 +0000 (19:14 +0000)]
avcodec/tests/avpacket: Add av_free() to avoid memory leak
Add av_free() to free extra_data if av_packet_add_side_data() fails.
Fixes:
da3c69a5a9 ("Added test for libavcodec/avpacket.c")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
008679ec162d1769afd706af5b1ce7a593f13f2b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Jiasheng Jiang [Sat, 2 Aug 2025 23:28:48 +0000 (23:28 +0000)]
examples: Add av_freep to avoid potential memory leak
Add av_freep() to free avio_ctx_buffer if avio_alloc_context fails
to avoid potential memory leak.
Fixes:
5fc4dea39c ("examples: add avio_reading.c example")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
9ca58424ded24e931fed329174c28244b67d5670)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Jiasheng Jiang [Sun, 3 Aug 2025 20:09:38 +0000 (20:09 +0000)]
avcodec/tests/avpacket: Add av_packet_free() to avoid memory leak
Add av_packet_free() to free avpkt_clone and avpkt in the error paths to avoid potential memory leak.
Fixes:
da3c69a5a9 ("Added test for libavcodec/avpacket.c")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
ab040e25657436e88a62624b3751a583dfe4e123)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 2 Aug 2025 23:47:54 +0000 (01:47 +0200)]
avcodec/fits: Clear naxis
Fixes: Use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_DEC_fuzzer-
5602250833854464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
1687daa93c131f929495c7ab0509d2e5c98b40f5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 3 Aug 2025 12:52:36 +0000 (14:52 +0200)]
avcodec/vqavideo; Check bytestream2_get_buffer() reading next_codebook_buffer
Fixes: use of uninintilaized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-
6235973619351552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
44864dbbb9b87d13d8f4ec92fb8536be0f9dbbc4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 3 Aug 2025 06:33:40 +0000 (08:33 +0200)]
avcodec/lzf: Check for input space
Fixes: use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-
5597015691296768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
610d368d9bc3f1b7073a0b33e352f8bd7db24c7e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 3 Aug 2025 12:39:53 +0000 (14:39 +0200)]
avcodec/imc: Clear padding of buf16
Fixes: use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IAC_fuzzer-
6685890556788736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
715df4b1ff398758ca1b8a82c3d16940bc63fc56)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 3 Aug 2025 12:34:59 +0000 (14:34 +0200)]
avcodec/cri: Check bytestream2_get_buffer() for end
Fixes: use of uninintialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-
5910856640823296
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
ea3851bebf91a96b11d16be2b36bf88111e30e36)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 3 Aug 2025 12:34:25 +0000 (14:34 +0200)]
avcodec/cri: Factor read_len out
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
d9bf3c141bb96dd285477278400b8349e9f964b0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 28 Jul 2025 21:41:56 +0000 (23:41 +0200)]
avformat/dashdec: Allocate space for appended "/"
Fixes: writing 1 byte over the end of the array
Fixes: BIGSLEEP-
433502298/test.xml
Found-by: Google Big Sleep
A prettier solution is welcome!
A testcase exists only for the baseurl case
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
ce0a655f85c1144d19a4acad59afbb92e4997e30)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 23 Jul 2025 23:05:40 +0000 (01:05 +0200)]
avformat/mxg: clear AV_INPUT_BUFFER_PADDING_SIZE
Fixes: use of uninitialized memory
Fixes:
427532813/clusterfuzz-testcase-minimized-ffmpeg_dem_MXG_fuzzer-
5661938917113856
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
1b12e919cfe3bf69038225794330d14575fb78d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 23 Jul 2025 11:16:33 +0000 (13:16 +0200)]
avformat/mov: make sure file_checksum is fully initialized
Fixes: use of uninitialized memory
Fixes:
394990189/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-
6431722199908352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
8b16e1ddd9c0bc4ca90447d481186216cfdce0fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 22 Jul 2025 23:57:54 +0000 (01:57 +0200)]
avformat/asfdec_f: Check amount of value read
Fixes: use of uninitialized memory
Fixes:
403675492/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-
4754281823797248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
fa197924a66d83106c5d4dadb8610a1c526afd67)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 13 Jul 2025 01:10:27 +0000 (03:10 +0200)]
avformat/concatdec: Clip duration in one more case in get_best_effort_duration()
Fixes: signed integer overflow: 40000 - -
9223372036854770000 cannot be represented in type 'long'
Fixes:
427262541/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-
4831506940100608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
8cdb47e47a7a53a3c635a71bf712d79119eb86b4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 15 Jul 2025 22:01:07 +0000 (00:01 +0200)]
avcodec/ffv1dec: Check k in get_vlc_symbol()
The true problem happens in several previous get_vlc_symbol()
but checking that is more expensive (involving FFABS())
here its just a simple check between 2 variables we have.
Fixes: Assertion log >= k failed at libavcodec/golomb.h:406
Fixes:
429296194/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-
4691594622337024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
051e0d7744dbb45f680bbfa72bfead947b11ef2f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 15 Jul 2025 20:19:24 +0000 (22:19 +0200)]
avcodec/cfhd: Check idwt_buf size before allocation
Fixes: OOM
Fixes:
428760799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_DEC_fuzzer-
5685176435015680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
2d72bf6fe0793c3f069ba181a0e733dcc9f28180)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 15 Jul 2025 21:28:09 +0000 (23:28 +0200)]
avcodec/ivi: Check luma/chroma mb_size
Fixes: shift exponent -1 is negative
Fixes:
429011224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-
5031059358285824
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
c0f1c3e18579c249cc729bc6033c034f6a6f7426)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Sun, 13 Jul 2025 23:01:26 +0000 (20:01 -0300)]
avcodec/motion_est: don't add offsets to NULL pointers
Fixes: libavcodec/motion_est.c:94:31: runtime error: applying zero offset to null pointer
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit
585a8d53576f19a14394d7728ed2831e1bee8dbf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Sun, 13 Jul 2025 22:50:57 +0000 (19:50 -0300)]
swscale/swscale_unscaled: don't add offsets to NULL pointers
Fixes: libswscale/swscale_unscaled.c:916:20: runtime error: applying zero offset to null pointer
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit
af9b43455a972841154b194057a79ee8b606e727)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 19 Jun 2025 21:02:25 +0000 (23:02 +0200)]
avcodec/psd: Move frame allocation after RLE processing
Fixes: Timeout
Fixes:
410609448/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PSD_fuzzer-
6267226128973824
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
67559760c6636b9c1643e4870bfe8c98244803d1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 3 Jul 2025 01:01:11 +0000 (03:01 +0200)]
avcodec/smacker: Move buffer allocation to later
Reduces allocations on random input
Fixes:
421650030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-
6144441767493632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
9899c8c00bb7674fe3cf5c8483b522c6c78e1248)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Kacper Michajłow [Thu, 3 Jul 2025 21:08:23 +0000 (23:08 +0200)]
avcodec/opus: don't materialize buf pointer from null
Fixes: avcodec/opus/dec.c: runtime error: applying non-zero offset 10 to null pointer
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
3b6ec5abb5fb3cffdfcd25f834c43e53cab2cabe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 21 Jun 2025 00:01:22 +0000 (02:01 +0200)]
avformat/iff: Check nb_channels == 0 in CHNL
Fixes: division by 0
Fixes:
418396712/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-
6104388018176000
Fixes:
418478219/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-
4569544410857472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
5b1301004bdade13e3fee22081459e339ddd2637)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Sun, 22 Jun 2025 13:51:06 +0000 (10:51 -0300)]
avcodec/mss2dsp: use FF_PTR_ADD to add offsets to a pointer
Fixes: libavcodec/mss2dsp.c:59:14: runtime error: applying zero offset to null pointer
Tested-by: Kacper Michajlow <kasper93@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit
b1172b8cc615a884d4051517d7356d5842939bb6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Marton Balint [Sat, 10 Apr 2021 09:59:00 +0000 (11:59 +0200)]
avformat/hls: check return value of new_init_section()
Fixes part of ticket #8931.
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit
28c83584e8f3cd747c1476a74cc2841d3d1fa7f3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andreas Rheinhardt [Sun, 24 Sep 2023 11:15:48 +0000 (13:15 +0200)]
avcodec/rkmppdec: Fix double-free on error
After having created the AVBuffer that is put into frame->buf[0],
ownership of several objects (namely an AVDRMFrameDescriptor,
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
has passed to the AVBuffer and therefore to the frame.
Yet it has nevertheless been freed manually on error
afterwards, which would lead to a double-free as soon
as the AVFrame is unreferenced.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit
4513300989502090c4fd6560544dce399a8cd53c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andreas Rheinhardt [Wed, 13 Mar 2024 01:10:26 +0000 (02:10 +0100)]
avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
belong together and the former allows the range 0..6,
so the latter needs to support 0..3. But it has only three
elements. Add another one.
The value for the last element has been guesstimated
from subpel_filters in libavcodec/vp8dsp.c.
This is also intended to fix FATE-failures with UBSan here:
https://fate.ffmpeg.org/report.cgi?time=
20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Tested-by: Sean McGovern <gseanmcg@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit
09e6840cf7a3ee07a73c3ae88a020bf27ca1a667)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Tue, 16 Sep 2025 01:18:52 +0000 (22:18 -0300)]
avcodec/x86/pngdsp: add missing emms at the end of add_png_paeth_prediction
Fixes unpredictable behavior with floats.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit
57a29f2e7dd2374a1df27316c6cf7c0225e86758)
Michael Niedermayer [Thu, 15 May 2025 23:38:40 +0000 (01:38 +0200)]
Changelog: Update
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 11 May 2025 21:09:07 +0000 (23:09 +0200)]
avcodec/takdec: Check remaining space for first predictors
Fixes: Timeout
Fixes:
403673829/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-
5498240154009600
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
8e6db875afcd147d48718130fde4a05c3ac406db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 10 May 2025 23:35:29 +0000 (01:35 +0200)]
avcodec/svq3: Check there are bits left before decompression
Fixes: out of array read
Fixes:
402587670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-
6343867775647744
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
c06f5b3ab97b1b1d0420309201568e38b3920860)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 10 May 2025 23:08:06 +0000 (01:08 +0200)]
avcodec/sonic: Check num_taps
The encoder uses max 128 taps, which is quiet a lot already
If work is done to improve sonic, it will be more radical than changing the taps
Fixes: Timeout
Fixes:
402539974/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-
6122944271286272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
fd0a792766c8ae513dd849fc47fa9e899cc5664b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 10 May 2025 21:39:53 +0000 (23:39 +0200)]
avformat/mov: reject negative ELST durations
Fixes: multiple integer overflows
Fixes:
401016767/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-
6242067591790592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
9fc2702f6f502064d0d2d75c97ece33f4b56eb84)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 9 May 2025 23:55:27 +0000 (01:55 +0200)]
avformat/avidec: Ignore duplicate GAB2
Fixes: memleak
Fixes:
398401912/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-
4669849976766464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
6a47046981d05c59f6ac766d5fbf6586261a216f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 16 Apr 2025 00:25:00 +0000 (02:25 +0200)]
avcodec/h264_mb: Fix tmp_cr for arm
When decoding a bitstream with weighted-bipred enabled,
the results on ARM and x86 platforms may differ.
The reason for the inconsistency is that the value of
STRIDE_ALIGN differs between platforms. And STRIDE_ALIGN
is set to the buffer stride of temporary buffers for U
and V components in mc_part_weighted.
If the buffer stride is 32 or 64 (as on x86 platforms),
the U and V pixels can be interleaved row by row without
overlapping, resulting in correct output.
However, on ARM platforms where the stride is 16,
the V component did overwrite part of the U component's pixels,
leading to incorrect predicted pixels.
The bug can be reproduced by the following bitstream.
https://trac.ffmpeg.org/attachment/ticket/11357/inter_weighted_bipred2.264
Fixes: ticket 11357
Commit-msg-mostly-by: Bin Peng <pengbin@visionular.com>
Reviewed-by: Bin Peng <pengbin@visionular.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
74fd2c3ddbaf1fef5c4777784aa72b5747ad389c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 6 Apr 2025 14:49:31 +0000 (16:49 +0200)]
avcodec/vorbisdec: Dont treat overread as error
This differs from libvorbis by
stddev: 2.44 PSNR: 88.58 MAXDIFF: 41 bytes: 834304/ 834304
for the file from the ticket
Fixes: Ticket11427
Regression since:
dc89cf804a811c0d25f4649a99f7fab4b5b416fa
This is a similar solution to what james proposed earlier in
[FFmpeg-devel] [PATCH] avcodec/vorbisdec: don't abort on EOD when decoding residuals
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
fd5a3c5fed2c190446b2beb9bc532887db360cf7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 1 May 2025 19:20:31 +0000 (21:20 +0200)]
libpostproc: check minimum size
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
917c15435ae2e11a90de5d1a1153405bd3686fbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 29 Apr 2025 23:05:18 +0000 (01:05 +0200)]
avformat/hls: Fix flash1.bogulus.cfd support
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
75be669ca1c986cc3510a5ad847e82785e2682e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 29 Apr 2025 23:37:27 +0000 (01:37 +0200)]
avformat/hls: Split allowed_segment_extensions off allowed_extensions
This allows the user to set only the one that is needed to ALL or a
specific "wrong" extension like html
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
f99f223eb1ac9a6e36dab0e31756369214b5564f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 6 Apr 2025 16:52:05 +0000 (18:52 +0200)]
avformat/hls: Fix Youtube AAC
Fixes: Ticket11435
Fixes: yt-dlp -f 234+270 https://www.youtube.com/live/l8PMl7tUDIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
48c0dba23b3ce8c2bcb180bd2c8029c3c2875424)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 6 Apr 2025 10:47:34 +0000 (12:47 +0200)]
avformat/hls: add fmp4 to allowed_extensions
Fixes: yt-dlp/issues/12700
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
d82016c7302e0ede8626fc3d92f1418c567fbab4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 6 Apr 2025 10:43:12 +0000 (12:43 +0200)]
avformat/hls: Add ec3 to allowed_extensions
Fixes part of Ticket11435
Fixes: Elisa Viihde (Finnish online recording service)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit
68644994fd7cf55613e8b17bcc95b29226285ec5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
projects / ffmpeg.git / log