This fix copies a couple of casts from surrounding functions.
See https://crbug.com/432528781 for stack trace details.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: writing over the end of the array
Fixes: BIGSLEEP-434637586/payload
Regression since: b22ce90d42
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Prior to this patch, kth_order_egk_decode could read arbitrarily
large values which then overflowed and caused various issues.
Patch fixes this by making kth_order_egk_decode fallible,
requiring the caller to specify an upper bound and returning an
error if the read value would exceed that bound.
This patch resolves the same issue as
eb52251c0a, but I think this is the proper
fix as it also addresses issues with syntax elements besides
ff_vvc_num_signalled_palette_entries.
Signed-off-by: Frank Plowman <post@frankplowman.com>
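The commit above describes the defensive pattern of bounding a k-th order Exp-Golomb read before the accumulated value can overflow. The following C is an added example written for this page; it is not FFmpeg's kth_order_egk_decode nor code from the commit. The BitCursor helper, the egk_encode writer (used only to build test input) and the egk_decode_bounded / egk_roundtrip / egk_decode_all_ones names are all assumptions made for the example. The binarization follows the VVC EGk scheme (a run of 1 bits, each worth 1<<k with k incremented afterwards, a terminating 0, then k suffix bits); the reader checks the caller's bound before every addition, so a hostile all-ones prefix is rejected without the accumulator ever wrapping.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <limits.h>

/* Minimal MSB-first bit cursor over a fixed byte buffer (constructed for this
 * example; it is not FFmpeg's GetBitContext). */
typedef struct {
    uint8_t *buf;
    size_t   size_bytes;
    size_t   pos;          /* current bit position */
} BitCursor;

static int bc_put_bit(BitCursor *bc, int bit)
{
    if (bc->pos >= bc->size_bytes * 8)
        return -1;                          /* buffer full */
    if (bit)
        bc->buf[bc->pos >> 3] |= (uint8_t)(0x80u >> (bc->pos & 7));
    bc->pos++;
    return 0;
}

static int bc_get_bit(BitCursor *bc)
{
    if (bc->pos >= bc->size_bytes * 8)
        return -1;                          /* ran out of data */
    int bit = (bc->buf[bc->pos >> 3] >> (7 - (bc->pos & 7))) & 1;
    bc->pos++;
    return bit;
}

/* k-th order Exp-Golomb writer (VVC-style binarization). Used here only to
 * build test input for the reader below. */
static int egk_encode(BitCursor *bc, int k, unsigned v)
{
    while (v >= (1u << k)) {
        if (bc_put_bit(bc, 1) < 0) return -1;
        v -= 1u << k;
        k++;
    }
    if (bc_put_bit(bc, 0) < 0) return -1;
    while (k--)
        if (bc_put_bit(bc, (v >> k) & 1) < 0) return -1;
    return 0;
}

/* Fallible k-th order Exp-Golomb reader. Returns 0 and stores the value in
 * *out, or -1 if the bitstream ends, the prefix grows past what fits in an
 * unsigned, or the value would exceed max_value. */
static int egk_decode_bounded(BitCursor *bc, int k, unsigned max_value, unsigned *out)
{
    unsigned value = 0;
    for (;;) {
        int bit = bc_get_bit(bc);
        if (bit < 0)
            return -1;
        if (!bit)
            break;
        /* invariant: value <= max_value, so max_value - value cannot underflow */
        if (k >= 31 || (1u << k) > max_value - value)
            return -1;
        value += 1u << k;
        k++;
    }
    unsigned suffix = 0;
    for (int i = 0; i < k; i++) {
        int bit = bc_get_bit(bc);
        if (bit < 0)
            return -1;
        suffix = (suffix << 1) | (unsigned)bit;
    }
    if (suffix > max_value - value)
        return -1;
    *out = value + suffix;
    return 0;
}

/* Encode v, then decode it back under the given bound.
 * Returns the decoded value, or -1 on any error. */
static long long egk_roundtrip(int k, unsigned v, unsigned max_value)
{
    uint8_t buf[16] = {0};
    BitCursor w = { buf, sizeof buf, 0 };
    if (egk_encode(&w, k, v) < 0)
        return -1;
    BitCursor r = { buf, sizeof buf, 0 };
    unsigned out;
    if (egk_decode_bounded(&r, k, max_value, &out) < 0)
        return -1;
    return out;
}

/* Feed a constructed all-ones stream (a prefix that never terminates);
 * returns the reader's status code (-1 expected). */
static int egk_decode_all_ones(int k, unsigned max_value)
{
    uint8_t buf[8];
    memset(buf, 0xff, sizeof buf);
    BitCursor r = { buf, sizeof buf, 0 };
    unsigned out;
    return egk_decode_bounded(&r, k, max_value, &out);
}
```

The bound is supplied by the caller, as the commit requires, so each syntax element can pass the maximum its own semantics allow (for instance a palette size limit) rather than relying on a single global cap.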
Fixes: 410609432/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-4935159201988608
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Manuel Lauss <manuel.lauss@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized memory
Fixes: 422217206/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-4786889444098048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized memory
Fixes: 421954767/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-515682786246656
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized memory
Fixes: 378102648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5896308499480576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The only official profile I could find (ALS simple profile) has a max of 15, while the bitstream allows 1023,
which is very slow.
We do have a fate sample with 1023
Fixes: Timeout
Fixes: 429645375/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5377900448907264
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Instead of scanning backwards for the end of RPU payload, parse it and
report if we didn't land at the terminator byte.
Current expectation was that we can have additional zero bytes after RPU
payload, which were skipped to find payload end. That's not always the
case. So loosen this requirement.
This fixes files where there is additional non-zeroed padding after the
end of the RPU in NALU.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
The assumption is that DCE will remove references to those functions.
However some compilers with certain instrumentation enabled don't DCE
those at all, resulting in linking failure. Tested with cl.exe -RTCu -RTCs.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
The assumption is that DCE will remove references to those functions.
However some compilers with certain instrumentation enabled don't DCE
those at all, resulting in linking failure. Tested with cl.exe -RTCu -RTCs.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
When codec->write_sequence_header is not defined, bit_len was undefined,
and while data buffer was zeroed we could just overread it. Do nothing
when we don't have anything to write.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
If a frame size is absolutely massive, this can spin the parser as it
attempts to decode a permuted TOC. We add a sanity check here for eight
times the size of the image for an internal frame to prevent malicious
bitstreams from slowing the parser down to a crawl.
Signed-off-by: Leo Izen <leo.izen@gmail.com>
Reported-by: Kacper Michajłow <kasper93@gmail.com>
It's RGB, so check instead if it's packed or planar.
Fixes: libavcodec/ffv1dec.c:461:43: runtime error: applying zero offset to null pointer
Signed-off-by: James Almer <jamrial@gmail.com>
The true problem happens in several previous get_vlc_symbol(),
but checking that is more expensive (involving FFABS());
here it's just a simple check between 2 variables we have.
Fixes: Assertion log >= k failed at libavcodec/golomb.h:406
Fixes: 429296194/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-4691594622337024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This has been in the else branch of `#if 1` forever. No need to keep dead code
like that; if anyone needs it they can get it from git history.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
- Changes in mov_write_video_tag function to handle APV elementary stream
- Provided structure APVDecoderConfigurationRecord that specifies the decoder configuration information for APV video content
Co-Authored-by: James Almer <jamrial@gmail.com>
Signed-off-by: Dawid Kozinski <d.kozinski@samsung.com>
Signed-off-by: James Almer <jamrial@gmail.com>
The issue is that:
    float en[2];
    ...
    tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
    for (g = 0; g < tns->n_filt[w]; g++) {
        tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
When using the AAC Main profile, n_filt = 3, and slant is by
default 2 (normal long frames), g can go above 1.
en is the evolution of energy in the frequency domain for every
band at the given window. E.g. whether the energy is concentrated
at the top of each band, or the bottom.
For 2-pole filters, it's straightforward.
For 3-pole filters, we need more than 2 measurements.
This commit properly implements support for 3-pole filters, by measuring
the band energy across three areas.
Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
n_filt == 3.
Fixes https://trac.ffmpeg.org/ticket/11418
Add check for the return value of av_malloc_array() and av_calloc()
to avoid potential NULL pointer dereference.
Fixes: dcfd24b10c ("avcodec/alsdec: Implement floating point sample data decoding")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Happens since 4fc874ef08
when this code is called via error resilience.
Also do the same for wmv2dec.c.
Fixes the vsynth_{1,2,3,_lena}-mpeg4-error and wmv2-drm-dec FATE-tests.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>