Fixes: read of uninitialized memory
Fixes: 488256339/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-6347338118660096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6023ad715c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 88eb772900)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: redirect to non rtsp protocol
Fixes: YWH-PGM40646-41
Found-by: BapToutatis
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea9e85e549)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -63 - 2147483594 cannot be represented in type 'int'
Fixes: 486530208/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-4694818252193792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 32e4ddeda3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -8659510451449931520 - 2205846422852077376 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 486358507/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4896911086911488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a4d40f853a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
scratch[20] doesn't exist in version 0
Fixes: use of uninitialized memory
Fixes: 471664627/clusterfuzz-testcase-minimized-ffmpeg_dem_SEGAFILM_fuzzer-4738726971637760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit b2f1657087)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long long'); cast to an unsigned type to negate this value to itself
Fixes: 473334102/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5109540931829760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0465a9bb8f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The ssrc option used AV_OPT_TYPE_INT with range [INT_MIN, INT_MAX],
but the underlying struct field is uint32_t and RFC 3550 defines SSRC
as a 32-bit identifier covering the full [0, UINT32_MAX] range. This
caused ffmpeg to reject any SSRC value above INT_MAX (~2.1 billion),
which is roughly half of all valid values.
The auto-generated fallback path (av_get_random_seed()) already
returns uint32_t and can produce values above INT_MAX, creating an
inconsistency where the automatic path succeeds but the explicit
-ssrc option rejects the same value.
Change the option to AV_OPT_TYPE_UINT with range [0, UINT32_MAX]
to match the field type and allow the full identifier space.
Fixes ticket #9080.
Signed-off-by: Neko Asakura <neko.asakura@outlook.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 69568479a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 14 + 2147483647 cannot be represented in type 'int'
Fixes: 471688026/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-5616495813263360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 237d03717f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
Fixes: 471604230/clusterfuzz-testcase-minimized-ffmpeg_dem_LRC_fuzzer-5474264750030848
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bce0e22133)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 82fbb04d07)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Idea from: BapToutatis and also curl and wget have equivalent options
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ba3639bc90)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
More complete fix for #YWH-PGM40646-32
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 521d18cea3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: VULN-8
Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 19c78cd6d9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: VULN-6/poc.raw
Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ca1c1f29ce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access if a filter-graph is used that injects changing dimensions
Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b740b85872)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reset `sc->stsd_count` before parsing entries. This number doesn't get
reset, which means that multiple parse passes can increment it past the
`sc->extradata` array end and cause OOB writes.
(cherry picked from commit a58cb16e27)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized memory
Fixes: 471771529/clusterfuzz-testcase-minimized-ffmpeg_dem_SCD_fuzzer-5328203515494400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5007428e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
We did check video codecs but not audio
Fixes: Assertion failure (on codec_id) in parser.c
Fixes: 472097507/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6016386662203392
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5fa7d588f5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Was inadvertently broken in the switch to ffio_read_size().
Fixes: 6dd83fab44
PR: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21650
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
(cherry picked from commit b628cafd48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: overread
No testcase
Found-by: Marton Balint
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1fd718c6a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: VULN-7/poc.ts
Found-by: Zhenpeng (Leo) Lin from depthfirst
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5975149603)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Before this commit, ffmpeg got a heap buffer overflow in the DASH demuxer
via a negative start number.
Check the value from the MPD XML and set it to 0 if a negative value is read.
Fixes: heap buffer overflow
Found-by: Zhenpeng (Leo) Lin from depthfirst
(cherry picked from commit a97632827d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Exporting unknown layouts as unspec type is pointless in a format that expects
the user to remix the channels in location specific ways.
This simplifies assumptions and reduces the chances of heap buffer overflows.
Fixes: heap-buffer-overflow
Fixes: clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6363647720095744
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 41a2eb735c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: #YWH-PGM40646-10
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b9227d49ea)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e974b2c45)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: integer overflow
Fixes: signed integer overflow: 9223372036854775807 + 2039324394 cannot be represented in type 'int64_t' (aka 'long')
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d1985442e1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Since af97c9865f,
the return value of avio_read() has been compared against
a uint32_t, so that the int is promoted to uint32_t for
the comparison (on common systems with 32bit ints). The upshot was
that errors returned from avio_read() were ignored, so that
the buffer could be uninitialized on success.
Fix this by using ffio_read_size() instead.
Fixes: MemorySanitizer: use-of-uninitialized-value
Fixes: 443923343/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-5458132865449984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 4aed9db83c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
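The signed/unsigned mix-up described in the message above, as an added example that is not FFmpeg's code: a stand-in for avio_read() that returns a negative error, a caller that compares that int against a uint32_t length, and the shape of the fix (keep the return in an int, test its sign, and treat a short read as an error, which is what ffio_read_size() provides). The `<` comparison, the error constant and the sample input are assumptions for the example; the exact FLAC demuxer line is not on this page.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; not FFmpeg code. Only the sign of the error matters. */
#define EXAMPLE_EOF (-541478725)

static const unsigned char sample_src[] = "ABCDEFGH";   /* constructed 8-byte input */
#define SAMPLE_LEN ((size_t)(sizeof(sample_src) - 1))

/* Stand-in for avio_read(): copies up to `size` bytes from sample_src at *pos.
 * Returns the byte count, or a negative error when nothing is left. Like the
 * real function it writes nothing into buf on error. */
static int fake_avio_read(size_t *pos, unsigned char *buf, int size)
{
    size_t avail = SAMPLE_LEN - *pos;
    int n;
    if (avail == 0)
        return EXAMPLE_EOF;
    n = (size_t)size < avail ? size : (int)avail;
    memcpy(buf, sample_src + *pos, (size_t)n);
    *pos += (size_t)n;
    return n;
}

/* The pattern the commit describes (assumed here to be a "<" comparison):
 * `len` is uint32_t, so the int return is converted to unsigned for the
 * comparison on platforms with 32-bit int. A negative error becomes a huge
 * value, "< len" is false, and the caller proceeds with an unfilled buffer. */
static int read_block_buggy(size_t *pos, unsigned char *buf, uint32_t len)
{
    if (fake_avio_read(pos, buf, (int)len) < len)   /* int vs uint32_t */
        return -1;
    return 0;
}

/* What ffio_read_size() guarantees: either exactly `len` bytes were read or a
 * negative error comes back, never a silent short read. The return value is
 * kept in an int and its sign checked before any unsigned comparison. */
static int read_block_fixed(size_t *pos, unsigned char *buf, uint32_t len)
{
    int ret;
    if (len > INT_MAX)
        return -1;
    ret = fake_avio_read(pos, buf, (int)len);
    if (ret < 0)
        return ret;
    if ((uint32_t)ret != len)
        return EXAMPLE_EOF;                          /* short read */
    return 0;
}

/* Both readers ask for 4 bytes from an exhausted source. */
static int buggy_on_exhausted(void)
{
    size_t pos = SAMPLE_LEN;
    unsigned char buf[4];
    return read_block_buggy(&pos, buf, sizeof(buf)); /* 0: "success" on an unfilled buffer */
}

static int fixed_on_exhausted(void)
{
    size_t pos = SAMPLE_LEN;
    unsigned char buf[4];
    return read_block_fixed(&pos, buf, sizeof(buf)); /* negative error */
}

/* Sanity check: a normal read still works. Returns 1 if "ABCD" arrived. */
static int fixed_on_fresh(void)
{
    size_t pos = 0;
    unsigned char buf[4];
    return read_block_fixed(&pos, buf, sizeof(buf)) == 0 && memcmp(buf, "ABCD", 4) == 0;
}

int main(void)
{
    printf("buggy reader on exhausted input: %d\n", buggy_on_exhausted());
    printf("fixed reader on exhausted input: %d\n", fixed_on_exhausted());
    return 0;
}
```

Compiling the buggy reader with -Wsign-compare flags the comparison, which is the cheapest way to catch this class of bug in a code base that mixes int return codes with unsigned sizes.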
read_frame_internal() may result in a stream being modified without also
returning a packet from it. Given said function only bothered to update the
internal stream context for the returned packet, the result would be a desync
between the stream's AVCodecParameters and the internal AVCodecContext.
This change makes sure all streams are updated within the
avformat_find_stream_info() loop.
Fixes #YWH-PGM40646-20
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit c9c95f6f32)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
An ASAN heap-buffer-overflow in scalable_channel_layout_config was caused by an
unchecked assumption that the channel layout of a scalable audio layer is a
superset of the previous layer's channel layout.
scalable_channel_layout_config constructs a channel layout map by copying
channels from the previous layer and adding new ones. The memory allocation is
based on the target loudspeaker_layout. However, if the target layout doesn't
encompass all previous channels (e.g., Mono to Stereo), copying previous
channels followed by adding current ones could exceed the allocated size,
causing a heap buffer overflow.
This commit adds an exception for the known case of Mono -> Stereo, and a check
to ensure the previous layer's channel layout is a subset of the current
layer's layout by comparing their masks. If the condition isn't met,
an error is returned.
Fixes: https://issues.oss-fuzz.com/issues/464965414
Co-authored-by: Oliver Chang <ochang@google.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 2d5abf27e5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
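The mask subset check from the message above, as an added example that is not FFmpeg's IAMF parser: the map is built by copying the previous layer's channels and appending the current layer's new ones into an allocation sized by the current layout alone, so the copy fits exactly when the previous mask is a subset of the current one. The channel bits, layouts and error codes are constructed for the example; the commit's Mono -> Stereo exception is deliberately not modelled, and required_entries() shows why that pair needs special handling.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed channel bits and layouts; not FFmpeg's AV_CH_* values. */
enum {
    CH_FL = 1u << 0, CH_FR = 1u << 1, CH_FC = 1u << 2,
    CH_LFE = 1u << 3, CH_BL = 1u << 4, CH_BR = 1u << 5,
};
#define LAYOUT_MONO   (CH_FC)
#define LAYOUT_STEREO (CH_FL | CH_FR)
#define LAYOUT_5_1    (CH_FL | CH_FR | CH_FC | CH_LFE | CH_BL | CH_BR)

#define ERR_INVALID (-22)
#define ERR_NOMEM   (-12)

static int popcount32(uint32_t m)
{
    int n = 0;
    for (; m; m &= m - 1)
        n++;
    return n;
}

/* Entries the copy-then-add scheme writes: every channel of the previous
 * layer plus every channel of the current layer not already present. When
 * this exceeds popcount32(cur), an allocation sized by `cur` is overrun. */
static int required_entries(uint32_t prev, uint32_t cur)
{
    return popcount32(prev) + popcount32(cur & ~prev);
}

/* The check the fix adds: the previous layer's mask must be a subset of the
 * current one. Exactly then required_entries(prev, cur) == popcount32(cur). */
static int prev_is_subset(uint32_t prev, uint32_t cur)
{
    return (prev & cur) == prev;
}

/* Builds the layer's channel map: previous channels first (lowest bit first),
 * then the channels new in `cur`. Returns the entry count and sets *out_map
 * (caller frees), or a negative error. */
static int build_layer_map(uint32_t prev, uint32_t cur, uint32_t **out_map)
{
    int n_alloc = popcount32(cur), n = 0;
    uint32_t *map;

    *out_map = NULL;
    if (!cur || !prev_is_subset(prev, cur))
        return ERR_INVALID;            /* would need more entries than n_alloc */

    map = malloc((size_t)n_alloc * sizeof(*map));
    if (!map)
        return ERR_NOMEM;

    for (uint32_t m = prev; m; m &= m - 1)
        map[n++] = m & -m;             /* lowest set bit: next previous channel */
    for (uint32_t m = cur & ~prev; m; m &= m - 1)
        map[n++] = m & -m;             /* channels added by this layer */

    *out_map = map;
    return n;                          /* equals n_alloc by construction */
}

/* Convenience for inspection: returns map[idx] for the given layer pair,
 * or 0 when the pair is rejected or idx is out of range. */
static uint32_t map_entry(uint32_t prev, uint32_t cur, int idx)
{
    uint32_t *map = NULL, v = 0;
    int n = build_layer_map(prev, cur, &map);
    if (n > idx && idx >= 0)
        v = map[idx];
    free(map);
    return v;
}
```

Without the subset check a 5.1 previous layer over a stereo target needs six entries in a two-entry allocation, which is the shape of the overflow the message describes; Mono -> Stereo needs three entries in two, which is why the commit treats it as a separate known case rather than letting the general rule reject it.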
Fixes ticket #22890.
The ff_hls_senc_parse_audio_setup_info function passes setup_data to
parsers like avpriv_ac3_parse_header and init_get_bits8 which require
the buffer to be padded with AV_INPUT_BUFFER_PADDING_SIZE bytes at the end.
(cherry picked from commit 71d5fa8d4d)
Signed-off-by: Marvin Scholz <epirat07@gmail.com>
This was a regression introduced in 292c1df7c1.
Since we don't know the length of the stts data until after building the
index, since we're generating it, we need to merge any ctts data after,
since otherwise tts_count is set to 0, and no packets will be output.
We can't remove the merge entirely, because uncompressed PCM with
a ctts atom is technically valid (e.g. a constant CTS offset).
This fixes old-style uncompressed PCM demuxing.
Fixes #11490.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit ae03b629db)
Forward errors and clean up in the failure cases
Fixes: freeing uninitialized pointers
Fixes: 487160965/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6525162874011648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f10c0ae276)
The check for item presence was insufficient as it would result in the last
item in the array being overwritten if it existed even if the id didn't match.
Fixes: Assertion ref failed at src/libavformat/mov.c:10649
Fixes: clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5312542695292928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 28c330d0f3)
Given the entire iamf struct is inside a single Track, if the first iamf stream
(which is the one sharing the index and id from the Track) was to be disabled,
then packets from every iamf stream would be discarded.
Fix this by actually going through the entire iamf Sample and discarding those
from the disabled streams only.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 16ee3d8d99)