Stowage/ffmpeg
2
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-04 14:40:26 +00:00
Code Issues Projects Releases Packages Wiki Activity
124380 commits 39 branches 423 tags 256 MiB
Commit graph

54116 commits

Author SHA1 Message Date
James Almer
1a2c16fe51 avcodec/av1dec: check that primary_ref_frame is within range 
Fixes CVE-2026-30997

Fixes: Out-of-Bounds Access
Found-by: Xinghang Lv
Signed-off-by: James Almer <jamrial@gmail.com>
 2026-05-03 15:55:21 -03:00
Andreas Rheinhardt
da195b1e84 avcodec/qsvenc: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:23:10 +02:00
Andreas Rheinhardt
e1115751dd avcodec/nvenc: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:23:07 +02:00
Andreas Rheinhardt
095897060a avcodec/libzvbi-teletextdec: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:23:05 +02:00
Andreas Rheinhardt
a9b97d070e avcodec/libxvid: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:23:03 +02:00
Andreas Rheinhardt
dc12dd82a1 avcodec/libxavs2: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:23:00 +02:00
Andreas Rheinhardt
8881e1a52c avcodec/libvpxenc: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:58 +02:00
Andreas Rheinhardt
64bea20837 avcodec/libopusenc: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:56 +02:00
Andreas Rheinhardt
d8b02fdb9f avcodec/libaomenc: Use av_fallthrough to mark fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:53 +02:00
Andreas Rheinhardt
3cf225b5f8 avcodec/aac/aacdec: Fix shadowing 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:42 +02:00
Andreas Rheinhardt
d29cbb87c3 avcodec/aac/aacdec: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:39 +02:00
Andreas Rheinhardt
cf5191fac7 avcodec/hevc/hevcdec: Fix shadowing 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:37 +02:00
Andreas Rheinhardt
0cbf77e843 avcodec/hevc/hevcdec: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:34 +02:00
Andreas Rheinhardt
e61c940654 avcodec/mpegvideo_enc: Fix shadowing 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:31 +02:00
Andreas Rheinhardt
04ba5e7537 avcodec/mpegvideo_enc: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:29 +02:00
Andreas Rheinhardt
7b4b658a87 avcodec/mpegvideo_motion: Add av_unreachable, fix fallthrough warnings 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:27 +02:00
Andreas Rheinhardt
4b58570ff7 avcodec/sga: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:24 +02:00
Andreas Rheinhardt
392ce463a5 avcodec/tiff: Fix shadowing 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:18 +02:00
Andreas Rheinhardt
25b7166fe3 avcodec/tiff: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:16 +02:00
Andreas Rheinhardt
05a8e89474 avcodec/tta: Fix shadowing 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:13 +02:00
Andreas Rheinhardt
5a7558a0a2 avcodec/tta: Add av_fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:11 +02:00
Andreas Rheinhardt
9eeca76cbe avcodec/vdpau_mpeg12: Use av_fallthrough to mark fallthrough 
Reviewed-by: Ramiro Polla <ramiro.polla@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 2026-05-03 18:22:07 +02:00
Michael Niedermayer
2e32276872 avcodec/aac/aacdec_usac_mps212: fix attach_lsb() OOB after huff_decode 
Fixes: VS-FF-2026-0001/poc.wav

Reported-by: Vuln Seeker Cyber Security Team
 2026-05-03 15:11:28 +00:00
Michael Niedermayer
118bddf0ce
avcodec/dfpwmdec: Check nb_samples 
Fixes: integer overflow

Found-by: Dhiraj Mishra <mishra.dhiraj95@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 16:56:43 +02:00
Michael Niedermayer
7ae36ceba9 avcodec/alsdec: do not set nbits invalidly 
note that the spec actually disallows the 0 case too but we are
a little lenient here so the full 24bit twos-complement range can be handled

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 14:54:27 +00:00
Michael Niedermayer
b45a6d3f76 avcodec/adpcm: signed integer overflow in ADPCM_N64 
Fixes: signed integer overflow

Found-by: Marius Momeu <marius.momeu@berkeley.edu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 13:26:34 +00:00
Michael Niedermayer
0f5705959d avcodec/hevc/ps: validate rep_format dimensions in multi-layer SPS 
When an SPS uses the multi-layer extension (nuh_layer_id > 0 with
sps_max_sub_layers_minus1 == 7), width and height are taken from the
VPS rep_format without the av_image_check_size() validation that the
direct path performs.  HEVC F.7.4.3.1.1 requires rep_format pic
dimensions to satisfy the constraints in 7.4.3.2.1, including
"pic_width_in_luma_samples shall not be equal to 0".

Run the same av_image_check_size() check in the multi-layer-extension
path so the SPS is rejected before it reaches setup_pps().

Fixes: VS-FF-2026-0003/poc.flv
Fixes: out of array access

Found-by: Vuln Seeker Cyber Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 13:26:06 +00:00
Marius Momeu
ff3223b5d6 avcodec/ralf: Add the missing return statement after the error log 
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 13:25:30 +00:00
Michael Niedermayer
2a991a3475 avcodec/zmbv: reject XOR data that overruns the decompression buffer 
Add a per-block bounds check at the start of each XOR block so the
read is rejected before src crosses decomp_len, and propagate the
error from decode_frame().

Fixes: out of array read

Found-by: Seung Min Shin
 2026-05-03 13:22:37 +00:00
Michael Niedermayer
2f60af465a avcodec/rasc: fix heap use-after-free in decode_move() 
Use a separate scratch buffer (s->mv_scratch) for the type-0 pixel
copy so s->delta and mc are not disturbed for the lifetime of
decode_move().  The new buffer is freed in decode_close().

Found-by: Seung Min Shin
Patch based on suggsted fix by Seung Min Shin

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 13:20:27 +00:00
Niels Provos
fd5023053a avcodec/hevc/refs: Check multiplication in alloc_frame() 
Fixes: integer overflow on 32bit
 2026-05-03 13:19:35 +00:00
Michael Niedermayer
1772386392 avcodec/h264: recompute per-slice direct mode state for every slice 
Regression since: 7f05c5cea0
Fixes: poc10
Fixes: null pointer dereference

Reported-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 12:42:47 +00:00
Michael Niedermayer
1886c3269d avcodec/h264_refs: Clear stale pointers from ref_list 
Testcase: poc10.bin

Reported-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 12:42:47 +00:00
Michael Niedermayer
a780d46d3b avcodec/leaddec: Check input data before allocating buffer 
Fixes: Timeout
Fixes: 471636089/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LEAD_fuzzer-6346348464242688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 12:40:44 +00:00
Michael Niedermayer
b801f1fe6d avcodec/pdvdec: Check input space before buffer allocation 
this rejects packets whose claimed decompressed frame would require a deflate ratio beyond the format's theoretical 1032:1 limit

Fixes: Timeout
Fixes: 474457186/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PDV_fuzzer-5366108782919680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-03 10:25:54 +00:00
Gyan Doshi
4a2b643646 avcodec/mediacodecdec: declare correct class for audio decoders 
The class for video decoders had been assigned till date.
 2026-05-03 05:58:13 +00:00
Michael Niedermayer
23227a444d avcodec/wmaenc: Fix missing padding in extradata 
Reported-by: Kenan Alghythee <kalghy2@uic.edu>
 2026-05-03 02:36:54 +00:00
Michael Niedermayer
242ff799c7 avcodec/tdsc: remove double stride adjustment 
Fixes: out of array access

Found-by: Seung Min Shin
Patch based on suggested fix by Seung Min Shin
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-02 23:11:24 +00:00
Michael Niedermayer
05817dc7dd avcodec/notchlc: Check 255 loops 
Fixes: integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-02 21:39:02 +00:00
Michael Niedermayer
bf4eb194cf avcodec/tdsc: Better input size check 
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-02 21:13:01 +00:00
Michael Niedermayer
bb69a090a7 avcodec/tdsc: Check jpeg size 
Fixes: out of array read
Fixes: tdsc_tile_dim_mismatch.avi

Found-by: Ante Silovic <asilovic155@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-02 21:13:01 +00:00
Michael Niedermayer
af87d77514 avcodec/tdsc: Prettier uncompress() check 
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-02 21:13:01 +00:00
Michael Niedermayer
e9e6fb8798 avcodec/tdsc: Check tile_size 
Fixes: out of array read
Fixes: tdsc_war_groom_far4096.avi

Found by: Ante Silovic <asilovic155@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-02 21:13:01 +00:00
Michael Niedermayer
9572ab7f45 avcodec/decode: Better documentation for ff_set_dimensions() 
Clarify what is checked and that it avoids explicit generic overflow checks

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2026-05-02 21:11:47 +00:00
Kacper Michajłow
dba0b078c8 avcodec/vaapi_av1: reorder functions to avoid fwd decl 2026-05-01 23:59:06 +00:00
Kacper Michajłow
688f68bffa avcodec/vaapi_av1: fix leak of ref frames on init failure 
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
 2026-05-01 23:59:06 +00:00
Leo Izen
739fc9249c
avcodec/libjxlenc: fix frame->linesize raw pointer read 
These should say frame->linesize[0] as it does everywhere else this
variable is referenced. Fixes a typo bug.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
 2026-05-01 07:40:25 -04:00
Leo Izen
05b5add006
avcodec/libjxlenc: check orientation tag metadata before reading 
We need to check that entry->count is nonzero and that entry->type is
AV_TIFF_SHORT before reading from the buffer, in case a maliciously
constructed IFD uses a zero-count or an unusual type (e.g. IFD) for it.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
 2026-05-01 07:40:25 -04:00
Leo Izen
f1cab2d018
avcodec/exif_internal.h: improve return docs for ff_exif_get_buffer 
This commit improves the documentation for the return value of the
function ff_exif_get_buffer.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
 2026-05-01 07:40:25 -04:00
Leo Izen
087ec68451
avcodec/exif.c: synthesize EXIF data from frame metadata and matrix 
If the displaymatrix is present, we should synthesize EXIF data from
the values there even if there is no EXIF attached to the frame.

Signed-off-by: Leo Izen <leo.izen@gmail.com>
 2026-05-01 07:40:25 -04:00