James Almer
1a2c16fe51
avcodec/av1dec: check that primary_ref_frame is within range
...
Fixes CVE-2026-30997
Fixes: Out-of-Bounds Access
Found-by: Xinghang Lv
Signed-off-by: James Almer <jamrial@gmail.com>
2026-05-03 15:55:21 -03:00
Romain Beauxis
f80431dc4e
.forgejo/CODEOWNERS: fix ogg pattern for @toots
2026-05-03 17:05:25 +00:00
James Almer
3393dc3020
avformat/dashdec: propagate parsing requirement from the underlying demuxer
...
Signed-off-by: James Almer <jamrial@gmail.com>
2026-05-03 17:00:17 +00:00
James Almer
e76bfba1cf
avformat/mov: request parsing for LCEVC streams
...
Given that no standalone decoder will be present, use a parser to get stream
information that's not reported by the container.
Signed-off-by: James Almer <jamrial@gmail.com>
2026-05-03 17:00:17 +00:00
Andreas Rheinhardt
da195b1e84
avcodec/qsvenc: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:23:10 +02:00
Andreas Rheinhardt
e1115751dd
avcodec/nvenc: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:23:07 +02:00
Andreas Rheinhardt
095897060a
avcodec/libzvbi-teletextdec: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:23:05 +02:00
Andreas Rheinhardt
a9b97d070e
avcodec/libxvid: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:23:03 +02:00
Andreas Rheinhardt
dc12dd82a1
avcodec/libxavs2: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:23:00 +02:00
Andreas Rheinhardt
8881e1a52c
avcodec/libvpxenc: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:58 +02:00
Andreas Rheinhardt
64bea20837
avcodec/libopusenc: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:56 +02:00
Andreas Rheinhardt
d8b02fdb9f
avcodec/libaomenc: Use av_fallthrough to mark fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:53 +02:00
Andreas Rheinhardt
02391996f8
avfilter/vf_stereo3d: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:51 +02:00
Andreas Rheinhardt
5144b51151
avfilter/vf_super2xsai: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:49 +02:00
Andreas Rheinhardt
21c2d38537
avformat/rmdec: Fix shadowing
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:46 +02:00
Andreas Rheinhardt
2fd9d69034
avformat/rmdec: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:44 +02:00
Andreas Rheinhardt
3cf225b5f8
avcodec/aac/aacdec: Fix shadowing
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:42 +02:00
Andreas Rheinhardt
d29cbb87c3
avcodec/aac/aacdec: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:39 +02:00
Andreas Rheinhardt
cf5191fac7
avcodec/hevc/hevcdec: Fix shadowing
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:37 +02:00
Andreas Rheinhardt
0cbf77e843
avcodec/hevc/hevcdec: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:34 +02:00
Andreas Rheinhardt
e61c940654
avcodec/mpegvideo_enc: Fix shadowing
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:31 +02:00
Andreas Rheinhardt
04ba5e7537
avcodec/mpegvideo_enc: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:29 +02:00
Andreas Rheinhardt
7b4b658a87
avcodec/mpegvideo_motion: Add av_unreachable, fix fallthrough warnings
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:27 +02:00
Andreas Rheinhardt
4b58570ff7
avcodec/sga: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:24 +02:00
Andreas Rheinhardt
392ce463a5
avcodec/tiff: Fix shadowing
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:18 +02:00
Andreas Rheinhardt
25b7166fe3
avcodec/tiff: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:16 +02:00
Andreas Rheinhardt
05a8e89474
avcodec/tta: Fix shadowing
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:13 +02:00
Andreas Rheinhardt
5a7558a0a2
avcodec/tta: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:11 +02:00
Andreas Rheinhardt
9eeca76cbe
avcodec/vdpau_mpeg12: Use av_fallthrough to mark fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:07 +02:00
Andreas Rheinhardt
2d0d937ed2
swscale/ops_chain: Use av_fallthrough to mark fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:05 +02:00
Andreas Rheinhardt
a867648555
swscale/x86/swscale: Fix shadowing
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:22:03 +02:00
Andreas Rheinhardt
e241a45548
swscale/x86/swscale: Add av_fallthrough
...
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2026-05-03 18:21:45 +02:00
Michael Niedermayer
2e32276872
avcodec/aac/aacdec_usac_mps212: fix attach_lsb() OOB after huff_decode
...
Fixes: VS-FF-2026-0001/poc.wav
Reported-by: Vuln Seeker Cyber Security Team
2026-05-03 15:11:28 +00:00
Michael Niedermayer
118bddf0ce
avcodec/dfpwmdec: Check nb_samples
...
Fixes: integer overflow
Found-by: Dhiraj Mishra <mishra.dhiraj95@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 16:56:43 +02:00
Michael Niedermayer
7ae36ceba9
avcodec/alsdec: do not set nbits invalidly
...
note that the spec actually disallows the 0 case too but we are
a little lenient here so the full 24bit twos-complement range can be handled
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 14:54:27 +00:00
Michael Niedermayer
43a0715e30
swscale/swscale_unscaled: adjust last line copy
...
Fixes: out of array access
Fixes: DFVULN-694
*Reporter: Zhenpeng (Leo) Lin at depthfirst*
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 14:52:32 +00:00
Michael Niedermayer
7d0837a742
swscale/swscale: Check srcSliceY and srcSliceH
...
Obviously no one should pass negative values, they make no sense, but better to
explicitly check
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 14:52:32 +00:00
Michael Niedermayer
2678bce860
avformat/avidec: check LIST size in avi_load_index()
...
This avoids an unsigned integer underflow and passing that large value to ff_read_riff_info()
2026-05-03 14:40:49 +00:00
depthfirst-dev[bot]
f1c3f1cae1
avformat/avidec: validate INFO list size before parsing
...
Reject INFO list chunks that are too small to contain the expected
4-byte list type field before calling ff_read_riff_info().
The parser subtracts 4 from the list size when handing the remaining
payload to ff_read_riff_info(). If the chunk is smaller than 4 bytes,
that underflows the expected structure and should be treated as invalid
input.
Fixes: DFVULN-607
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
2026-05-03 14:40:49 +00:00
Michael Niedermayer
f47ca0a5e6
avformat/matroskadec: Check audio.sub_packet_h * audio.frame_size
...
Fixes: out of array access
Fixes: poc_matroska.mkv
This issue requires manually increasing the malloc limit
(-max_alloc 4294967296)
Found-by: Guanni Qu <qguanni@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 14:39:45 +00:00
Michael Niedermayer
9d9250e5da
avformat/pcm: Use 64bit for byte_rate
...
Fixes: integer overflow
Found-by: Marius Momeu <marius.momeu@berkeley.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:26:34 +00:00
Michael Niedermayer
b45a6d3f76
avcodec/adpcm: signed integer overflow in ADPCM_N64
...
Fixes: signed integer overflow
Found-by: Marius Momeu <marius.momeu@berkeley.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:26:34 +00:00
Michael Niedermayer
2d4ec46345
libavformat/xwma: fix overflow in seek position
...
Fixes: signed integer overflow
Found-by: Marius Momeu <marius.momeu@berkeley.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:26:34 +00:00
Michael Niedermayer
0f5705959d
avcodec/hevc/ps: validate rep_format dimensions in multi-layer SPS
...
When an SPS uses the multi-layer extension (nuh_layer_id > 0 with
sps_max_sub_layers_minus1 == 7), width and height are taken from the
VPS rep_format without the av_image_check_size() validation that the
direct path performs. HEVC F.7.4.3.1.1 requires rep_format pic
dimensions to satisfy the constraints in 7.4.3.2.1, including
"pic_width_in_luma_samples shall not be equal to 0".
Run the same av_image_check_size() check in the multi-layer-extension
path so the SPS is rejected before it reaches setup_pps().
Fixes: VS-FF-2026-0003/poc.flv
Fixes: out of array access
Found-by: Vuln Seeker Cyber Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:26:06 +00:00
Marius Momeu
e32b2c8886
avfilter/vf_kerndeint: Check for minimum height
...
Fixes: out of array access
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:25:48 +00:00
Marius Momeu
ff3223b5d6
avcodec/ralf: Add the missing return statement after the error log
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:25:30 +00:00
Michael Niedermayer
c568f40597
avfilter/vf_codecview: Clamp block to the visible frame region
...
Fixes: write into the padding area of the frame
Found-by: Marius Momeu <marius.momeu@berkeley.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:23:21 +00:00
Michael Niedermayer
2a991a3475
avcodec/zmbv: reject XOR data that overruns the decompression buffer
...
Add a per-block bounds check at the start of each XOR block so the
read is rejected before src crosses decomp_len, and propagate the
error from decode_frame().
Fixes: out of array read
Found-by: Seung Min Shin
2026-05-03 13:22:37 +00:00
Michael Niedermayer
2f60af465a
avcodec/rasc: fix heap use-after-free in decode_move()
...
Use a separate scratch buffer (s->mv_scratch) for the type-0 pixel
copy so s->delta and mc are not disturbed for the lifetime of
decode_move(). The new buffer is freed in decode_close().
Found-by: Seung Min Shin
Patch based on suggested fix by Seung Min Shin
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-05-03 13:20:27 +00:00
depthfirst-dev[bot]
8010aa2193
avformat/rtpdec_mpeg4: reject zero-length AU header sections
...
Reject AU header sections with a signaled length of zero in
rtp_parse_mp4_au().
The AU-headers-length field specifies the length in bits of the AU header
section that immediately follows. A zero-length section is not useful input
for this parser and can lead to invalid downstream state, so reject it
up front together with oversized values.
*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
Fixes: OOB read
2026-05-03 13:19:55 +00:00