The code following makes no attempt to initialize all of the buffer
Fixes: use of uninitialized value
Fixes: 70980/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5329909059223552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7eeeda703b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
header is previously declared as an int argument then
shadowed in the scope of the loop as a AV1RawOBUHeader.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit 8e8260aabf)
Fix test failure on aarch64:
./tests/checkasm/checkasm --test=h264pred 367840
Signed-off-by: Peng Bin <pengbin@visionular.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 72a3656e84)
Fix test failure on aarch64:
./tests/checkasm/checkasm --test=h264pred 479612
The mismatch between neon and C functions can also be reproduced using the following bitstream and command line.
wget https://streams.videolan.org/ffmpeg/incoming/intra8x8pred_10bit.264
./ffmpeg -cpuflags 0 -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_ref
./ffmpeg -threads 1 -i intra8x8pred_10bit.264 -f framemd5 -y md5_neon
Signed-off-by: Bin Peng <pengbin@visionular.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit decc9e643c)
The arm/aarch64 horizontal filter reads one additional pixel beyond what
the filter uses. This can become an issue if the application does not
allocate larger buffers than what's required for the pixel data. If the
motion vector points to the bottom right edge of the picture this
becomes a read buffer overflow. This triggers segfaults in Firefox for
video resolutions which result in a page aligned picture size like
1280x640.
Prevent this by using emulated edge in this case.
Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185
Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 060464105b)
This reduces the amount the horizontal filters read beyond the filter
width to a consistent 1 pixel. The data is not used so this is usually
not noticeable. It becomes a problem when the application allocates
frame buffers only for the aligned picture size and the end of it is at
a page boundary. This happens for picture sizes which are a multiple of
the page size like 1280x640. The frame buffer allocation is based on
its most likely done via mmap + MAP_ANONYMOUS so start and end of the
buffer are page aligned and the previous and next page are not
necessarily mapped.
This mirrors the aarch64 change.
Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit f366256215)
This reduces the amount the horizontal filters read beyond the filter
width to a consistent 1 pixel. The data is not used so this is usually
not noticeable. It becomes a problem when the application allocates
frame buffers only for the aligned picture size and the end of it is at
a page boundary. This happens for picture sizes which are a multiple of
the page size like 1280x640. The frame buffer allocation is based on
its most likely done via mmap + MAP_ANONYMOUS so start and end of the
buffer are page aligned and the previous and next page are not
necessarily mapped.
Under these conditions like seen by Firefox a read beyond the end of the
buffer results in a segfault.
After the over-read is reduced to a single pixel it's reasonable to use
VP9's emulated edge motion compensation for this.
Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=1881185
Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 430c38f698)
Fixes: signed integer overflow: 529008646 * 8 cannot be represented in type 'int'
Fixes: 383379145/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6674045107503104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9327093079)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392
Fixes: 383194070/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5302387708854272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Lynne <dev@lynne.ee>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 682d710bcb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 70991/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WEBP_fuzzer-5544067620995072
Fixes: use of uninintailized value
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c1e732ad2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Use of uninitialized value
Fixes: 71350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4482218440)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This does not replicate on my setup, thus this is a blind fix based on ossfuzz trace
Fixes: use of uninitialized value
Fixes: 71747/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5427736120721408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4fc43e45f9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Use of uninitialized memory
Fixes: 71546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-5607656650244096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4949e34d96)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Comply with "For purposes other than determining the amount of data in the decoding units
of the bitstream, decoders shall ignore all data that follow the value 63 for nuh_layer_id in a NAL unit"
Rec. ITU-T H.265 v8 (08/2021) Page 67
Fixes: index 63 out of bounds for type 'const int8_t[63]' (aka 'const signed char[63]')
Fixes: clusterfuzz-testcase-fuzzer_loadfile-5109286752026624
Reported-by: Kacper Michajlow <kasper93@gmail.com>
Found-by: ossfuzz
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 360e7cafd0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Null pointer dereference
Fixes: sample1.dng
Found-by: South East <8billion.people@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d8285633d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d147b3d7ec)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 81a360a5ed)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2542e9296c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c1edec3a24)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 10e5af15bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e52b15258)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Ticket5548
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b7ff66a358)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 556c767786)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7151081e33)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
We always write minimal slices, the size calculation is wrong in some
corner cases but as its always 1x1 (minus1) we can for now just hard-code it
This helps with ticket 5548
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d514655bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
"Fixes" Ticket7063
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 417b163c00)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Should ensure avcodec_send_packet() doesn't return EAGAIN in scenarios where it's not
meant to (e.g., ffmpeg_dec.c where avcodec_receive_frame() is called in a loop to drain
all produced frames before trying to submit more packets).
Fixes ticket #11377.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d1d9b0813a)
Ensure downmixed is only set once during init, as it used to be.
Fixes a regression since acbb2777e2.
Fixes ticket #11321
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 0e07a70611)
xHE-AAC is a profile where some frames depend on other key frames, named IPF.
By setting the codec as Intra Only, all frames output by decoders and all
packets output by encoders/demuxers will be unconditionally flaged as
keyframes, which is incorrect.
Should fix ticket #11272.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 40bd6d8355)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8d2d2519e0)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 99f87251e0)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 281b7fc02e)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 495c891e39)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d3dd14bf5b)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit ffdace5ad4)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit faea08b722)
Needed to signal the muxer that the stream is VBR.
Finishes fixing ticket #11303.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 46c6ca3ed1)
And ensure the buffer is synced between threads.
Based on a patch by Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit e33b162c7d)
This removes the ABI breaking use of sizeof(AVFilmGrainParams), and achieves the
same size reduction to decoder structs as 08b1bffa49.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit fd4a2c9b02)
After the branch, the expected SEW/LMUL ratio is 1 byte/vector.
So we have to set the same ratio before branching (QEMU does not care,
but real hardware does).
(cherry picked from commit bbb0fdedb7)
The JPEG XL parser has an entropy decoder inside, which supports LZ77
length-distance pairs. If the first symbol from the entropy stream is an
LZ77 pair, the bitstream is invalid, so we should abort immediately rather
than attempt to read it anyway (which would read from the uninitialized
starting window).
Reported-by: Kacper Michajłow <kasper93@gmail.com>
Found-by: ossfuzz
Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut
Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut
Signed-off-by: Leo Izen <leo.izen@gmail.com>
This commit introduced a regression to VVC_HDR_UHDTV1_OpenGOP_3840x2160_50fps_HLG10_mosaic.ts.
Root Cause:
The AV_CEIL_RSHIFT(a, b) macro uses bit tricks that work only when -a is a negative value.
However, due to integer promotion rules, this behavior does not extend to the unsigned int type.
See "6.3.1.1 Boolean, characters, and integers" in the "ISO/IEC 9899" for details.
Reported-by: Frank Plowman <post@frankplowman.com>
(cherry picked from commit c49001e338)
And wrap the implemtation in preprocessor checks.
Should fix ticket #11282.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 9ec042c1aa)
