Fixes: signed integer overflow: 9151595917793558550 + 297519050751678697 cannot be represented in type 'long'
Fixes: 15496/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5722866475073536
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5c46fdf305)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 32 * 538976288 cannot be represented in type 'int'
Fixes: 15633/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5752273981931520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 39a6a79bcb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: division by 0
Fixes: 15480/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5746727434321920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f57e97dfd9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 15271/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5735262606327808
Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c30ff3888)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 15123/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5738039235575808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 112eb17a2b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of negative value -14614752
Fixes: 15174/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5670543606415360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dd357d76e5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 904444 * 3600 cannot be represented in type 'int'
Fixes: 15113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5764083346833408
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a0f23b9d6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa003019ab)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 84026453 * 28 cannot be represented in type 'int'
Fixes: 15111/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5675630072430592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c6c4129b4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf3ee6a130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1a74b04737)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b5b977c9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The last argument of av_strlcpy is supposed to contain the size of the
destination buffer, but it was filled with the size of the source
string, effectively negating its very purpose.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 73ef1f47f5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized variables
Fixes: blank.aa
Found-by: Chamal De Silva <chamal.desilva@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ed188f6dcd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Found-by: Wenxiang Qian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b687b549aa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 85f91ed760)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a142ffdcae)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: memleak
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5649187601121280
Reported-by: Chris Cunningham <chcunningham@google.com>
Tested-by: Chris Cunningham <chcunningham@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d1afa7284c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Bad content may contain stsc boxes with a first_chunk index that
exceeds stco.entries (chunk_count). This ammends the existing check to
include cases where chunk_count == 0. It also patches up the case
when stsc refers to unknown chunks, but stts has no samples (so we
can simply ignore stsc).
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c15449ca9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Detecting missing tfhd avoids re-using tfhd track info from the previous
moof. For files with multiple tracks, this may make a mess of the
avindex and fragindex, which can later trigger av_assert0 in
mov_read_trun().
Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ea87e5d9e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: OOM
Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 497c9b0cce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Infinite loop
Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0b50f27635)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab1319d82f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avio_read may return EOF, leaving the mimetype array unitialized. fail
early when this occurs to avoid using the array in an unitialized state.
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee1e39a576)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a95b73abc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.
Reviewed-by: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9f7b6f7a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long'
Fixes: find_stream_info_usan
Reported-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e19cfcfa3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Entries are always at least 8 bytes per the parsing code, so if we
see an impossible entry count avoid massive allocations. This is
similar to an existing check in mov_read_stsc().
Since ff_mov_read_stsd_entries() does eof checks, an alternative
approach could be to clamp the entry count to atom.size / 8.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 320b631a99)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The specification states "NSV files may contain a single file header. "
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421
Found-by: Paul Ch <paulcher@icloud.com>
Tested-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 78d4b6bd43)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: infinite loop
Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04
Found-by: Paul Ch <paulcher@icloud.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e71cb2c8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: long running loop
Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6
Found-by: Paul Ch <paulcher@icloud.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c2eec1762d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The version 1 needs the channel count and would divide by 0
Fixes: division by 0
Fixes: fpe_movenc.c_1108_1.ogg
Fixes: fpe_movenc.c_1108_2.ogg
Fixes: fpe_movenc.c_1108_3.wav
Found-by: #CHEN HONGXU# <HCHEN017@e.ntu.edu.sg>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fa19fbcf71)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: ffmpeg_bof_1.avi
Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ed22dc2221)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a
Found-by: Paul Ch <paulcher@icloud.com>
1st hunk by Paul Ch <paulcher@icloud.com>
Tested-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cced03dd66)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use after free()
Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362
Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a7e032a277)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7
Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b46ebdbff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
