If sc->tts_count is not 0, then the sample index has already been built.
Fixes: Null-dereference READ
Fixes: 396192874/clusterfuzz-testcase-minimized-audio_decoder_fuzzer-4589309789143040
Signed-off-by: James Almer <jamrial@gmail.com>
Some files keep extra metadata such as 'name' fields within udta, and
it is useful for Wine to access them with the "export_all" option so
they can then be exposed to Windows applications.
Signed-off-by: Rémi Bernon <rbernon@codeweavers.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
Using audio_substream_id for AVStream ids is not ideal give that in containers
like mp4, the IAMF structure is opaque to the outside and other streams may
share such id values.
Signed-off-by: James Almer <jamrial@gmail.com>
This fix ensures that the loop stops early on EOF. The issue occurs
because mov_read_infe() performs a version check and skips unsupported
versions. The problem is that seeking within the stream clears the EOF
flag, causing avio_feof() to not function as expected. This is resolved
by moving the EOF check after reading the size and type, ensuring the
EOF flag is set when necessary.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 7803923888585309955 - -3407677434275325337 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 377736723/clusterfuzz-testcase-minimized-media_pipeline_integration_fuzzer-5052449500889088
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: undefined NULL pointer use
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632
This performs equivalent sanity checks as are done in mov_read_trak()
before mov_build_index()
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
if sc->tts_count is 0, this condition will wrap around to UINT_MAX and the
code will try to dereference a NULL pointer.
Fixes ticket #11417
Signed-off-by: James Almer <jamrial@gmail.com>
The amount of tiles does not necessarely need to match the amount of streams referenced
in the grid, as there could be duplicates.
Don't silently ignore EEXIST return codes from avformat_stream_group_add_stream() and
instead store the index of the duplicate stream.
Signed-off-by: James Almer <jamrial@gmail.com>
After introduction of ff_dvdclut_palette_extradata_cat() to convert
DVD subtitle palettes from YUV to RGB, a leak is introduced because
of the call to ff_alloc_extradata(). This is not necessary, instead
we should free the extradata because ff_bprint_to_codecpar_extradata()
will finalize the bprint'ed string to the codecpar and set the length.
Fixes leak introduced in 3b0e6c0ecc.
Signed-off-by: Marth64 <marth64@proxyid.net>
Also fix checks for sc->stts_count that assume it may not be in sync with
sample count.
Missed in 865c73c86f. Fixes parsing durations in
some cases.
Signed-off-by: James Almer <jamrial@gmail.com>
Pointers to specific entries in the array are stored in other structs, so
in the scenario where heif_item was reallocated when parsing an iloc box after
and iinf one, the pointers may end up referencing freed memory.
Fixes use-after-free with such samples.
Signed-off-by: James Almer <jamrial@gmail.com>
This basically ignores the overflow without undefined behavior, alternatively we could detect and error out
Fixes: signed integer overflow: 6310596683470275584 + 7660622966157213696 cannot be represented in type 'long'
Fixes: 70433/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5483347233538048
Fixes: 369662284/clusterfuzz-testcase-minimized-media_metadata_parser_fuzzer-5327368763670528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Based on a patch by Hacene Bouaroua.
Fixes ticket #11171.
Co-authored-by: Hacene Bouaroua <hbouaroua@freebox.fr>
Signed-off-by: James Almer <jamrial@gmail.com>
Otherwise, things like ICC profiles as read from the colr box meant for an item
with no stream (like a grid) may end up being added to the wrong stream.
Signed-off-by: James Almer <jamrial@gmail.com>
Found by fuzzer.
Bug: https://crbug.com/356720789
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
We assign a 64bit variable to it before checking
Fixes: CID1604544 Overflowed integer argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It's meant to override any codec specific (but still container level)
information, but its position is not guaranteed, so apply the values after the
entire trak structure has been parsed.
Also, replace the ugly roundabout int -> double -> int method to set SAR from
existing dimensions while at it.
Signed-off-by: James Almer <jamrial@gmail.com>
