git.ffmpeg.org Git - ffmpeg.git/log

avformat/img2dec: reject input images too big to fit into a single packet

Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.

Fixes #YWH-PGM40646-32

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)

avcodec/aarch64/idct: Add missing stddef

Fixes checkheaders on aarch64.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 52e911369553e1d2e8c4978172a5a302b91c8202)

fftools/ffprobe: support 2D arrays in print_list_fmt()

Should fix undefined behavior.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b119b3da1e772bcf152f487d6e39cbeea17d8f50)

all: apply linter fixes

tools/check_arm_indent: skip empty glob

forgejo: apply needed CI changes for 5.0

forgejo: backport CI to release/5.0

lavc/aarch64: Fix addp overflow in ff_pred16x16_plane_neon_10

The mismatch between neon and C functions can be reproduced
using the following bitstream and command line on aarch64 devices.

wget https://streams.videolan.org/ffmpeg/incoming/replay_intra_pred_16x16.h264
./ffmpeg -cpuflags 0 -threads 1 -i replay_intra_pred_16x16.h264 -f framemd5 -y md5_ref
./ffmpeg -threads 1 -i replay_intra_pred_16x16.h264 -f framemd5 -y md5_neon

Signed-off-by: Bin Peng <pengbin@visionular.com>
(cherry picked from commit 3115c0c0e6c27c689a02a7267dcf8e61fa2ac425)

lavc/aarch64: Fix ff_pred16x16_plane_neon_10

Fix test failure on aarch64:
./tests/checkasm/checkasm --test=h264pred 367840

Signed-off-by: Peng Bin <pengbin@visionular.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 72a3656e8468a394373b6397aacc906d7f7794c2)

lavc/aarch64: Fix ff_pred8x8_plane_neon_10

Fix test failure on aarch64:
./tests/checkasm/checkasm --test=h264pred 479612

The mismatch between neon and C functions can also be reproduced using the following bitstream and command line.

wget https://streams.videolan.org/ffmpeg/incoming/intra8x8pred_10bit.264
./ffmpeg -cpuflags 0 -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_ref
./ffmpeg -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_neon

Signed-off-by: Bin Peng <pengbin@visionular.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit decc9e643cc3ac5537f42b465e2637fbefbf41cc)

avcodec/x86/pngdsp: add missing emms at the end of add_png_paeth_prediction

Fixes unpredictable behavior with floats.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 57a29f2e7dd2374a1df27316c6cf7c0225e86758)

lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang v2

v2: test for function if AltiVec is enabled instead of with AltiVec and without VSX

(cherry picked from commit 49c8f33262d7c113c71cee9cd30b990a92afa0a1)
Signed-off-by: Brad Smith <brad@comstyle.com>

lsws/ppc/yuv2rgb_altivec: Fix build in non-VSX environments with Clang

Add a check for the existence of the vec_xl() function. Clang provides
the function even with VSX not enabled.

(cherry picked from commit 30a8641465f7b7923e92d8724ef6a595fccb9e58)
Signed-off-by: Brad Smith <brad@comstyle.com>

avformat/mov: (v4) fix get_eia608_packet

The problem is reproducible with "Test for Quicktime 608 CC file.mov"
from https://samples.ffmpeg.org/MPEG2/subcc/

ffmpeg -i "Test for Quicktime 608 CC file.mov" -map 0 -c copy -y remuxed.mov

See https://trac.ffmpeg.org/ticket/11470

avcodec/libx265: unbreak build for X265_BUILD >= 213

Earlier, x265 made an API change to support alpha and
other multiple layer pictures. We added guards to accommodate
that in 1f801dfdb5

They have now reverted that API change in
https://bitbucket.org/multicoreware/x265_git/commits/78e5b703b1

Updated our wrapper guards to unbreak build again.

lavc/libx265: unbreak build for X265_BUILD >= 210

x265 added support for alpha starting with build 210.
While doing so, x265_encoder_encode() changed its fifth arg to
an array of pointers to x265_picture. This broke building lavc/libx265.c

This patch simply unbreaks the build and maintains existing single-layer
non-alpha encoding support.

Fixes #11130

configure: improve check for POSIX ioctl

Instead of relying on system #ifdefs which may or may not be correct,
detect the POSIX ioctl signature at configure time.

(cherry picked from commit 00b64fca55a3a009c9d0e391c85f4fd3291e5d12)
Signed-off-by: Brad Smith <brad@comstyle.com>

configure: restore autodetection of v4l2 and fbdev

The detection logic for v4l2 and fbdev was accidentally modified to
depend on v4l2-m2m in 43b3412.

(cherry picked from commit 7405f1ad5351cc24b91a0227aeeaf24ff9d12278)
Signed-off-by: Brad Smith <brad@comstyle.com>

configure: use just the pkg-config for sndio

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f6d846459043786eb859ff1c95af30e6fbc2d0e4)
Signed-off-by: Brad Smith <brad@comstyle.com>

avformat/hlsenc: correctly reset subtitle stream counter per-varstream

Without resetting it, if there was a previous set of varstreams with
subtitles, it would subtract from all the streams, leading to chaos and
segfaults when trying to access for example stream -1.

lavc/vp9: reset segmentation fields when segmentation isn't enabled

Fields under the segmentation switch are never reset on a new frame, and
retain the value from the previous frame. This bugs out a bunch of
hwaccel drivers when segmentation is disabled but update_map isn't
reset because they don't ignore values behind switches. This commit also
resets the temporal field, though it may not be required.

We also do this for vp8 [1] so this commit is just mirroring the vp8
logic.

This fixes an issue with certain samples [2] that causes blocky
artifacts with vaapi, d3d11va and cuda (and possibly others).
Mesa worked around [3] this by ignoring these fields if
segmentation.enabled is 0, but d3d11va still displays blocky artifacts.

[1] https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/2e877090f958131accb8c7e5ac10e5b9865d1735:/libavcodec/vp8.c#l797
[2] https://github.com/mpv-player/mpv/issues/13533
[3] https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27816

Signed-off-by: llyyr <llyyr.public@gmail.com>

configure: enable ffnvcodec, nvenc, nvdec for FreeBSD

Signed-off-by: Brad Smith <brad@comstyle.com>
(cherry picked from commit 43b1a956789bf0d5796769427d40c78e460c247f)
Signed-off-by: Brad Smith <brad@comstyle.com>

avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash

Regression since fd172185580c1ccdcfb90bbfdb59fa806fad3117;
triggered by vp4/KTkvw8dg1J8.avi in the FATE suite, but not
when running fate as this code is not used when the bitexact
flag is set.

Bisecting done by ami_stuff, patch from user Mika Fischer
in ticket #10027 (which this commit fixes).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit c3ca90a92e7211aef8ad1d044518a34f6ba137d7)

avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD

Use the machdep.altivec sysctl on NetBSD for AltiVec detection
as is done with OpenBSD.

(cherry picked from commit 115c96b9bd53e775f425f23d5b73fa0a9dedbd08)
Signed-off-by: Brad Smith <brad@comstyle.com>

avutil/ppc/cpu: Use proper header for OpenBSD PPC CPU detection

Use the proper header for PPC CPU detection code. sys/param.h includes
sys/types, but sys/types.h is the more appropriate header to be used
here.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit beaf172d75da1580532e241be5ff546c806abd41)
Signed-off-by: Brad Smith <brad@comstyle.com>

lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's

The proper type was used until 73251678c83cbe24d08264da693411b166239bc7.

This covers all of the OS's that currently have V4L2 support, permutations
of Linux glibc/musl, Android bionic, FreeBSD, NetBSD, OpenBSD, Solaris.

Copied from FreeBSD ports patch.

Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit 9e674b31606c805dd31b4bb754364a72a5877238)
Signed-off-by: Brad Smith <brad@comstyle.com>

avformat/mov: Check if a key is longer than the atom containing it

Stop reading keys and return AVERROR_INVALIDDATA if key_size
is larger than the amount of space left in the atom.

Bug: https://crbug.com/41496983
Signed-off-by: Eugene Zemtsov <eugene@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8a23a145d85964950123952d897b89c2c2b1b8c5)

avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer

avformat/mov: don't abort on duplicate Mastering Display Metadata boxes

The VP9 spec defines a SmDm box for this information, and the ISOBMFF spec defines a
mdvc one. If both are present, just ignore one of them.
This is in line with clli and CoLL boxes.

Fixes ticket #10711.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 189c32f53659b8f9dc402765905fc12a321ab1ac)

doc/html: fix styling issue with Texinfo 7.0

Texinfo 7.0 produces quite different HTML to Texinfo 6.8. Without
this change, enumerated option flags (i.e. Possible values of x
are...) render as white text on a white background with Texinfo 7.0
and are unreadable. This change removes a style for the selector
`.table .table` which causes the background to turn white for these
elements. As far as I can tell, it is not actually used anywhere in
files generated by Texinfo 6.8.

Signed-off-by: Frank Plowman <post@frankplowman.com>
(cherry picked from commit f16900bda23414caf9ec3f9dc50db7d4caf59a8b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

doc/html: support texinfo 7.0

Resolves trac ticket #10636 (http://trac.ffmpeg.org/ticket/10636).

Texinfo 7.0, released in November 2022, changed the names of various
functions. Compiling docs with Texinfo 7.0 resulted in warnings and
improperly formatted documentation. More old names appear to have
been removed in Texinfo 7.1, released October 2023, which causes docs
compilation to fail.

This commit addresses the issue by adding logic to switch between the old
and new function names depending on the Texinfo version. Texinfo 6.8
produces identical documentation before and after the patch.

CC
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1938238.html
https://bugs.gentoo.org/916104

Signed-off-by: Frank Plowman <post@frankplowman.com>
(cherry picked from commit f01fdedb69e4accb1d1555106d8f682ff1f1ddc7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/libsvtav1: remove compressed_ten_bit_format and simplify alloc_buffer

compressed_ten_bit_format has been deprecated upstream and has no effect
and can be removed. Plus, technically it was never used in the first place
since it would require the app (ffmpeg) to set it and do additional
processing of the input frames.

Also simplify alloc_buffer by removing calculations relating to the
non-existant processing.

Signed-off-by: Christopher Degawa <christopher.degawa@intel.com>

avcodec/x86/mathops: clip constants used with shift instructions within inline assembly

Fixes assembling with binutil as >= 2.41

Signed-off-by: James Almer <jamrial@gmail.com>

avcodec/av1dec: fix matrix coefficients exposed by codec context

`colorspace` in avcodec terms means `matrix coefficients`.

Reviewed-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 37936b09ce316c32c456539afeb748d472088135)

avcodec/nvdec: don't free NVDECContext->bitstream

Ensure all hwaccels that allocate a buffer use NVDECContext->bitstream_internal
instead. Otherwise, if FFHWAccel->end_frame() isn't called before
FFHWAccel->uninit(), an attempt to free a stale pointer to memory not owned by
the hwaccel could take place.

Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org>
Signed-off-by: James Almer <jamrial@gmail.com>

avcodec/vdpau_mpeg4: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

avcodec/vdpau_mpeg12: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

avcodec/nvdec_mpeg4: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

avcodec/nvdec_mpeg2: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

fftools/ffmpeg: avoid possible invalid reads with short -tag values

Fixes #10319 and #10309.

Based on 89c9a3ac3542c3684e511607d88b265bfa6aa64f.

(cherry picked from commit 1e413487bf8ff413796d1cf1d9adafcd36f04444)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

avcodec/nvenc: fix b-frame DTS behavior with fractional framerates

When using fractional framerates (or any fraction with a numerator != 1),
DTS values for packets would be calculated incorrectly.

Signed-off-by: Kyle Manning <tt2468@irltoolkit.com>
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>

update for 5.0.3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/tests/snowenc: Fix 2nd test

(cherry picked from commit 163013c72452621624f634c706824c77222b77c5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/tests/snowenc: return a failure if DWT/IDWT mismatches

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 771c266c0be29e6a1001fbd6795dd343147da1f2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/snowenc: Fix visual weight calculation

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5b5fcadea059ab458a886261a5b7a1cc134b517a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/tests/snowenc: unbreak DWT tests

the IDWT data type mismatched current code

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b3351bbead47f7f306621b45c8f2391b6bd23d2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/nutdec: Add check for avformat_new_stream

Check for failure of avformat_new_stream() and propagate
the error code.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9cf652cef49d74afe3d454f27d49eb1a1394951e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/vp3: Add missing check for av_malloc

Since the av_malloc() may fail and return NULL pointer,
it is needed that the 's->edge_emu_buffer' should be checked
whether the new allocation is success.

Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048")
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
(cherry picked from commit 656cb0450aeb73b25d7d26980af342b37ac4c568)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/mpeg12dec: Check input size

Fixes: Timeout
Fixes: 53599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IPU_fuzzer-4950102511058944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c130d6911f5b09bfc648f6ae678c4c0749f61bb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/escape124: Fix some return codes

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 98df605f7a8e80471a113f7beb0983c90aa84525)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/escape124: fix signdness of end of input check

Fixes: Timeout
Fixes: 56561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-5560363635834880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 87ad0a5dd7d12c91badc215c3b5d6745fa7acb02)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Use https for repository links

Reviewed-by: Stefano Sabatini <stefasab@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 011f30fc8205eff8e775d04afb98e02685cd8a7a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/rpzaenc: stop accessing out of bounds frame

(cherry picked from commit 92f9b28ed84a77138105475beba16c146bdaf984)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/smcenc: stop accessing out of bounds frame

(cherry picked from commit 13c13109759090b7f7182480d075e13b36ed8edd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/motionpixels: Mask pixels to valid values

Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ac6eec1fc258efce219e4fccb84312a1b13a7a23)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/xpmdec: Check size before allocation to avoid truncation

Fixes:OOM
Fixes:out of array access (no testcase)
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95f0f84dae4f040d91f1e60dc5438612c58e8906)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea9deafd3b13233802c4548c4c58a707d76805a3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/bink: Fix off by 1 error in ref end

Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6657932926517248

Alterantivly to this it is possibly to allocate a bigger array

Note: oss-fuzz assigned this issue to a unrelated theora bug so the bug number matches that

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 49487045dde6f69194332aac51fd4e598e19c7b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/utils: Ensure linesize for SVQ3

Fixes: Assertion block_w * sizeof(uint8_t) <= ((buf_linesize) >= 0 ? (buf_linesize) : (-(buf_linesize))
Fixes: 54861/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5352418248622080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4eef658ca59d3d6ba46ab52a36d7faf5fe820874)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/utils: allocate a line more for VC1 and WMV3

Fixes: out of array read on 32bit
Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848

The chroma MC code reads over the currently allocated frame.
Alternative fixes would be allocating a few bytes more at the end instead of a whole
line extra or to adjust the threshold where the edge emu code is activated

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 01636a63d452c592ece35af6f72bb7affcad58f2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things

Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0150cd41c2d3c01050a6c4f3df1de511a217913)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/pngdec: dont skip/read chunk twice

Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6668158952144896.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit df1a38d5200e14a29903f1027b4548d595c7ff8a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/pngdec: Check deloco index more exactly

Fixes: out of array access:
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960

Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d5bae704068dc37191280e024eecb8d02b762b28)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/ffv1dec: Check that num h/v slices is supported

Fixes: out of array access
Fixes: 55597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4898293416329216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ead0ae68eb64ad325efafd686c434727f3d666a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/mov: Check samplesize and offset to avoid integer overflow

Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long'
Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53c1f5c2e28e54ea8174b196d5cf4a158907395a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/pictordec: Remove mid exit branch

This causes the RLE decoder to exit before applying the last RLE run
All images i tested with are unchanged, this makes the special case
for handling the last run unused for non truncated images.

Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 88f0e05c72f0de0cae3d9f0c5644f1965632b641)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/eac3dec: avoid float noise in fixed mode addition to overflow

Fixes: 2.28595e+09 is outside the range of representable values of type 'int'
Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f48d227c153fa6f0a2156f3e8d18ea1bfedf18d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/utils: use 32pixel alignment for bink

bink supports 16x16 blocks in chroma planes thus we need to allocate enough.
Fixes: out of array access
Fixes: 55026/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6013915371012096
Reviewed-by: Peter Ross <pross@xvid.org>
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b95b2c8492fc1b52afd8fbe67b3be3cd518485d6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/scpr3: Check bx

Fixes: Out of array access
Fixes: 55102/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4877396618903552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cc7e984a05b28dcfaaaad95afa061be71b4ba7fc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/012v: Order operations for odd size handling

Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4d42d82563d806b5610c0c91497e24ef7f37d4cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/eatgq: : Check index increments in tgq_decode_block()

Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/h274: fix include

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 379e43e6ec4a7da692be3c7b8039e6c716adbf68)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/scpr: Test bx before use

Fixes: out of array access on 32bit
Fixes: 54850/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5302669294305280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1b59de3770b2e3f7f44ec4adba27c88b79adaaec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/mxfdec: Use 64bit in remainder

Fixes: signed integer overflow: 48000 * 223587 cannot be represented in type 'int'
Fixes: 54513/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5817594836025344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <git@haerdin.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64a04fc165d453fe49906b228ac16385eda28564)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/sunrast: Fix maplength check

Fixes: out of bounds read

Found-by: Ibrahim Mohamed <ielsayed@meta.com>
Reviewed-by; Ibrahim Mohamed <ielsayed@meta.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f8a2a65078eaac37eae4a0d7ef440849a9d8f5b5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/wavpack: Avoid undefined shift in get_tail()

Fixes: left shift of 1208485947 by 1 places cannot be represented in type 'int'
Fixes: 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8374a747af247d45eb466fcb4aee90f3ae798aad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/wavpack: Check for end of input in wv_unpack_dsd_high()

Fixes: Timeout
Fixes: 50793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-4980185027444736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ad7403bcee47e7c5e99a9c0266935e0da50c9d2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/id3v2: Check taglen in read_uslt()

Fixes: Timeout (read mostly the same data repeatly)
Fixes: 52457/clusterfuzz-testcase-minimized-ffmpeg_dem_ALP_fuzzer-6610706313379840
Fixes: 53098/clusterfuzz-testcase-minimized-ffmpeg_dem_SOL_fuzzer-6481382981632000

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a798af91d7d1fc31cfc1ae09cc6ab3907304f44f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/tiff: Ignore tile_count

Fixes: out of array access
Fixes: 52427/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4849108968144896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65ce417828cc6f5209d8467bc7755f0c59e9aa49)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/ffv1dec: restructure slice coordinate reading a bit

Fixes: signed integer overflow: -1094995528 * 8224 cannot be represented in type 'int'
Fixes: 53508/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-474551033462784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 74b6ac7ebb5c1e06a5fdfa29f79a18599942dbfa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/mlpdec: Check max matrix instead of max channel in noise check

This is a regression since: adaa06581c5444c94eef72d61b8166f096e2687a
Before this, max_channel and max_matrix_channel where compared for equality

Fixes: out of array access
Fixes: 53340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-514959011885875

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa79560de5e9596ada0345e5d12aa00dbeddaaa6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

swscale/input: Use more unsigned intermediates

Same principle as previous commit, with sufficiently huge rgb2yuv table
values this produces wrong results and undefined behavior.
The unsigned produces the same incorrect results. That is probably
ok as these cases with huge values seem not to occur in any real
use case.

Fixes: signed integer overflow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ba209e3d5142fd31bb6c3e05c5b183118a278afc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/alsdec: The minimal block is at least 7 bits

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5280947fb6db37063334eae5b467cecd2417b063)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/replaygain: avoid undefined / negative abs

Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int'
Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2532b20b17ec557f1b925bfc41c00e7d4e17356c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

swscale/output: Bias 16bps output calculations to improve non overflowing range

Fixes: integer overflow
Fixes: ./ffmpeg -f rawvideo -video_size 66x64 -pixel_format yuva420p10le -i ~/videos/overflow_input_w66h64.yuva420p10le -filter_complex "scale=flags=bicubic+full_chroma_int+full_chroma_inp+bitexact+accurate_rnd:in_color_matrix=bt2020:out_color_matrix=bt2020:in_range=full:out_range=full,format=rgba64[out]" -pixel_format rgba64 -map '[out]' -y overflow_w66h64.png

Found-by: Drew Dunne <asdunne@google.com>
Tested-by: Drew Dunne <asdunne@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0f0afc7fb5d30c40108d81b320823d8f5c9fbedc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/speedhq: Check buf_size to be big enough for DC

Fixes: Timeout
Fixes: 51919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-6023716480090112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9184d3d7b64459e975f26284a7b2e26cbf76480b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/ffv1dec: Fail earlier if prior context is corrupted

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4df91e2215a79546a7f08faa457c05182646b302)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avfilter/vf_untile: swap the chroma shift values used for plane offsets

Fixes ticket #10265

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit dc61d5cf195bc6de9263883c42a58348863e6d4f)

hwcontext_vulkan: remove optional encode/decode extensions from the list

They're not currently used, so they don't need to be there.
Vulkan stabilized the decode extensions less than a week ago, and their
name prefixes were changed from EXT to KHR. It's a bit too soon to be
depending on it, so rather than bumping, just remove these for now.

(cherry picked from commit eb0455d64690eed0068e5cb202f72ecdf899837c)

avcodec/nvenc: fix vbv buffer size in cq mode

The CQ calculation gets thrown off and behaves very nonsensical
if it isn't set to 0.

avcodec/mjpegenc: take into account component count when writing the SOF header size

Fixes ticket #10069

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 100939695307743396e30e6310d2ea9cf42f9aab)

Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

swscale: aarch64: Fix yuv2rgb with negative strides

Treat the 32 bit stride registers as signed.

Alternatively, we could make the stride arguments ptrdiff_t instead
of int, and changing all of the assembly to operate on these
registers with their full 64 bit width, but that's a much larger
and more intrusive change (and risks missing some operation, which
would clamp the intermediates to 32 bit still).

Fixes: https://trac.ffmpeg.org/ticket/9985

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cb803a0072cb98945dcd3f1660bd2a975650ce42)
Signed-off-by: Martin Storsjö <martin@martin.st>

avcodec/atrac3plusdec: fix compilation failure after last commit

Signed-off-by: James Almer <jamrial@gmail.com>

avcodec/atrac3plus: reorder channels to match the output layout

The order in which the channels are coded in the bitstream do not always follow
the native, bitmask-based order of channels both signaled by the WAV container
and forced by this same decoder. This is the case with layouts containing an
LFE channel, as it's always coded last.

Fixes ticket #9964.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 3819719099df601c470e961b9d49b9100c65641b)

avcodec/aacdec: fix parsing streams with channel configuration 11

Set the correct amount of tags in tags_per_config[].
Also, there are no channels that correspond to a side element in this
configuration, so reflect this in the list of known/supported channel layouts.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8c7d3b43cc1e41de62733eb90dda7e061778f390)

Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/speexdec: Check channels > 2

More than 2 channels seems unsupported, the code seems to just output empty extra channels

Fixes: Timeout
Fixes: 51569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-5511509165342720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 77164b2344eb67d61f973ebbbc8e0b88aaae027b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/vividas: Check packet size

Fixes: signed integer overflow: 119760682 - -2084600173 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-6745781167587328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f44489cc5d4f3767f6ad2ad067ee6a3f78374bb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>