ffmpeg

mirror of https://git.ffmpeg.org/ffmpeg.git synced 2026-06-15 20:10:32 +00:00

Author	SHA1	Message	Date
Michael Niedermayer	80e6143ad0	avcodec/pnmdec: Check input size against width*height assuming at least 1bit per pixel Fixes: Timeout Fixes: 481427018/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHM_DEC_fuzzer-6315469467615232 Fixes: 485843949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHM_DEC_fuzzer-4753439270961152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `d707a4af80`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:56:48 +02:00
Michael Niedermayer	4fa2aea05f	avcodec/snowenc: avoid NULL ptr arithmetic Fixes: applying non-zero offset 16 to null pointer Fixes: 471614378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5967030642868224 Note: FF_PTR_ADD() does not work as this code has NULL + 123 cases where the pointer is unsused afterwards Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `cbbe68fb1a`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:11 +02:00
Michael Niedermayer	4e2b638ae4	avcodec/vp3: Sanity check cropping Fixes: Timeout Fixes: 476179563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5231013478596608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `228b846407`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:10 +02:00
Michael Niedermayer	b6443fd97e	avcodec/mpegvideo_enc: Restructure ff_h263_encode_gob_header() relation to update_mb_info() Fixes: out of array access Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `8eecba02c7`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:09 +02:00
Michael Niedermayer	81f584b777	avcodec/exr: check tile_attr.x/ySize Fixes: division by zero Fixes: 473579863/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_DEC_fuzzer-5105281257504768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `c5ccc13fe0`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:09 +02:00
Michael Niedermayer	a558e19cca	avcodec/jpeg2000dec: fix integer overflow in dequantization_int_97() Fixes: signed integer overflow: 2147483640 + 32 cannot be represented in type 'int' Fixes: 473569764/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-5377306970619904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `fa2aec73ed`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:09 +02:00
Michael Niedermayer	54d10f30e9	avcodec/golomb: Fix get_ur_golomb_jpegls() with esclen = 0 If there is no escape case then reaching that branch is an error Fixes: shift exponent 32 is too large for 32-bit type 'uint32_t' (aka 'unsigned int') Fixes: 472335543/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-6682453243920384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `fb3012269e`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:08 +02:00
Michael Niedermayer	d1e507dc11	avcodec/jpeg2000dec: Handle M_b = -1 Fixes: runtime error: shift exponent -1 is negative Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'int' Fixes: 471846062/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-5835290976780288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `bdea5aec2d`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:08 +02:00
Michael Niedermayer	369cb89794	avcodec/h264_parser: Check pts for overflow Fixes: signed integer overflow: 9223372036854775807 + 3546086691638400 cannot be represented in type 'int64_t' (aka 'long') Fixes: 471723681/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4841032488648704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `30a6b78bd4`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:08 +02:00
Michael Niedermayer	1443b7bf8e	avcodec/imm5: Dont pass EAGAIN on as is Fixes: Assertion consumed != (-(11)) failed at libavcodec/decode.c:465 Fixes: 471587358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IMM5_fuzzer-4737412376100864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `7761b8fbac`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:07 +02:00
Michael Niedermayer	5ff3a1d730	avcodec/interplayacm: Check input for fill_block() Fixes: Timeout Fixes: 476763877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_ACM_fuzzer-4515681843609600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `2ab23ec729`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:07 +02:00
Michael Niedermayer	fb70572bfe	avcodec/hdrdec: Check input size before buffer allocation Fixes: Timeout Fixes: 471948155/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HDR_DEC_fuzzer-5679690418552832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `538824fd84`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:07 +02:00
Michael Niedermayer	7669fbe043	avcodec/tmv: Move space check before buffer allocation Fixes: Timeout Fixes: 471664630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TMV_fuzzer-5291752530706432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `55bb6e2646`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:07 +02:00
Michael Niedermayer	b5c165df28	avcodec/flashsv: Check for input space before (re)allocating frame Fixes: Timeout Fixes: 471605680/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLASHSV2_DEC_fuzzer-6210773459468288 Fixes: 471605920/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLASHSV_DEC_fuzzer-6230719287590912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `4446dfb0e3`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:06 +02:00
Michael Niedermayer	27bba208eb	avcodec/mdec: Check input space vs minimal block size Fixes: Timeout Fixes: 481006706/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MDEC_fuzzer-6122832651419648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `40cafc25cf`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:06 +02:00
Michael Niedermayer	ae390f95dd	avcodec/h264_parser: Check remaining input length in loop in scan_mmco_reset() Fixes: read of uninitialized memory Fixes: 476177761/clusterfuzz-testcase-minimized-ffmpeg_dem_H264_fuzzer-6400884824408064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `73681f888d`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:06 +02:00
Michael Niedermayer	2d17c4ec9a	avcodec/exr: fix AVERROR typo Fixes: out of array read Fixes: 485866440/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_DEC_fuzzer-4520520419966976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `7e10579f49`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:06 +02:00
Michael Niedermayer	c8358db269	avcodec/jpeg2000htdec: Check Lcup and Lref Fixes: use of uninitialized memory Fixes: 482494999/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-6467586186608640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `99515a3342`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:06 +02:00
Michael Niedermayer	98c69e607f	avcodec/libtheoraenc: make keyframe mask unsigned and handle its larger range Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 473579864/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBTHEORA_fuzzer-5835688160591872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `c98346ffaa`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:05 +02:00
Michael Niedermayer	dc40fcf249	avcodec/rv60dec: check last_size Fixes: signed integer overflow: 1878131215 + 2013265920 cannot be represented in type 'int' Fixes: 472729732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-4893818005815296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `360a4025fb`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:05 +02:00
Michael Niedermayer	fa4f27bba2	avcodec/cfhd: Check transform type before continuing Fixes: null pointer dereference Fixes: 471768165/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_DEC_fuzzer-6187504467509248 The first frame allocates buffers with one transform type the second frame sets up another transform type but the code to reallocate buffers is never triggered Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `52b676bb29`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:05 +02:00
Michael Niedermayer	80e5f621ce	avcodec/cfhd: Add CFHDSegment enum and named identifiers Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `2263e05e41`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:05 +02:00
Michael Niedermayer	b103704b76	avcodec/hevc/ps: Check bit_depth_cm in/out relation Fixes: Assertion n>0 && n<=25 failed at ./libavcodec/get_bits.h:3 Fixes: 472463689/clusterfuzz-testcase-minimized-ffmpeg_dem_HXVS_fuzzer-6012944883449856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `5ec37f61b2`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:05 +02:00
Michael Niedermayer	1231db8097	avcodec/bmp: fix indention Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `50adb62670`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:03 +02:00
Michael Niedermayer	cac7efdfaa	avcodec/exr: Handle axmax like bxmin in `04d7a6d3db` Fixes: out of array access Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_DEC_fuzzer-6718455383654400 Fixes: 471611870/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_DEC_fuzzer-6645447302381568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `33b3dbaf15`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:03 +02:00
Michael Niedermayer	b3a9dc150d	avcodec/prores_raw: Tiles of width less than 16 result in undefined behavior Fixes: passing zero to __builtin_clz(), which is not a valid argument Fixes: 471569982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_RAW_DEC_fuzzer-5832576221904896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `be1fd6d9d4`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:02 +02:00
Michael Niedermayer	0cefd4eed8	avcodec/vp9: Reallocate on resolution change which does not change tile_cols Fixes: out of array access on resolution change with slices threads Fixes: VULN-10/poc.ivf Found-by: Zhenpeng (Leo) Lin from depthfirst Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `38230db7b9`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:02 +02:00
Michael Niedermayer	a4dd125a93	avcodec/adpcm: Check input buffer size Larger values will lead to integer overflows in intermediates No testcase Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `5f84a7263e`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:01 +02:00
Michael Niedermayer	eacb47ec20	avcodec/hevc/sei: Use get_bits64() in decode_nal_sei_3d_reference_displays_info() Fixes: Assertion n>=0 && n<=32 failed at ./libavcodec/get_bits.h:426 Fixes: 468435217/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4644127078940672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `8f57b04fe5`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:00 +02:00
Michael Niedermayer	e69d189467	avcodec/dca_xll: Clear padding in ff_dca_xll_parse() Fixes: Use of uninitialized memory Fixes: 472020020/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_DEC_fuzzer-6433045331902464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `af86f0ffcc`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:50:00 +02:00
Michael Niedermayer	0f27dc4d16	avcodec/lzf: Remove size messing from ff_lzf_uncompress() size represents the output size randomly changing it but not reseting it on errors leaks uninitialized memory. Fixes: 475000819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5571269310611456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `0f35146e27`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:59 +02:00
Michael Niedermayer	24aff962a0	avcodec/dxv: Clear tex_data padding on reallocation dxv assumes that newly reallocated memory in tex_data is not uninitialized thus we have to do that too in case of reallocation in ff_lzf_uncompress() Fixes: 475000819/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5571269310611456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `189bc0aaf5`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:59 +02:00
Michael Niedermayer	c65d5994a5	avcodec/ffv1enc: refine end condition In the case where the last sorted value was -1u and we where on the first pass of run1 we failed to fill the last few values of bitmap No real world testcase is known Fixes: use of uninitialized memory Fixes: 460333808/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-6370167888347136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `5db50e8775`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:59 +02:00
Michael Niedermayer	03fde0d4de	avcodec/dca_xll: Check get_rice_array() Fixes: use of uninitialized memory Fixes: 451655450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DCA_DEC_fuzzer-6527248623796224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `11a5afea31`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:59 +02:00
Oliver Chang	91146cb57a	avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame The `sub_packet` index in `QDM2Context` was not reset to 0 when `qdm2_decode_frame` started processing a new packet. If an error occurred during the decoding of a previous packet, `sub_packet` would retain a non-zero value. In subsequent calls to `qdm2_decode_frame` with a new packet, this non-zero `sub_packet` value caused `qdm2_decode` to skip `qdm2_decode_super_block`. This function is responsible for initializing packet lists with pointers to the current packet's data. Skipping it led to the use of stale pointers from the previous (freed) packet, resulting in a heap-use-after-free vulnerability. This patch explicitly resets `s->sub_packet = 0` at the beginning of `qdm2_decode_frame`, ensuring correct initialization for each new packet. Fixes: OSS-Fuzz issue 476179569 (https://issues.oss-fuzz.com/issues/476179569). (cherry picked from commit `a795ca89fa`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:58 +02:00
Michael Niedermayer	55558aaf8b	avcodec/jpeg2000dec: allow bpno of -1 Fixes: tickets/4663/levels30.jp2 The file decodes without error messages and no integer overflows The file before the broader M_b check did decode with error messages and integer overflows but also no visual artifacts Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `2df0ef601a`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:58 +02:00
Michael Niedermayer	1fd88e27de	avcodec/jpeg2000dec: Print bpno level when erroring out Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `8a3c7c9c32`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:58 +02:00
Michael Niedermayer	b8145cff74	avcodec/jpeg2000dec: allow M_b == 31 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `e1472a4e0c`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:57 +02:00
Michael Niedermayer	e4bad481f0	avcodec/jpeg2000dec: Print M_b value when asking for a sample Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `2efffa9ecd`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:57 +02:00
Frank Plowman	cfa8e3ecfd	lavc/vvc: Fix unchecked error codes from set_qp_y Fixes: clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4957602162475008 (cherry picked from commit `f9740eb969`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:57 +02:00
Carl Eugen Hoyos	e3668e169d	lavc/j2kdec: Do not ignore colour association for packed formats Fixes ticket #9468. Signed-off-by: Carl Eugen Hoyos <ceffmpeg@gmail.com (cherry picked from commit `aab0c23cb8`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:56 +02:00
Ramiro Polla	a15094ef28	avcodec/mjpegdec: fix segfault on extern_huff and no extradata Regression since `1debadd58e`. (cherry picked from commit `96d8e19720`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:56 +02:00
Michael Niedermayer	4cdc14bde7	avcodec/exr: use av_realloc_array() Related to: #YWH-PGM40646-33 See: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21347 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `09ec2b397a`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:55 +02:00
Michael Niedermayer	41c3bda6a1	avcodec/omx: Check extradata size and nFilledLen No testcase, its unknown if this is a real issue Reported-by: Peter Teoh <htmldeveloper@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `fc8a614f3d`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:55 +02:00
Ruikai Peng	90684cdd9c	lavc/aacdec_usac: fix CPE channel index in ff_aac_usac_reset_state() fix a simple index bug in ff_aac_usac_reset_state() that writes past the end of ChannelElement.ch[2] for CPE ff_aac_usac_reset_state() loops over channels with j < ch, but incorrectly takes &che->ch[ch]. For CPE (ch == 2) this becomes che->ch[2], which is one past the end of ChannelElement.ch[2], and the subsequent memset() causes an intra-object out-of-bounds write. index the channel element with the loop variable (j). (cherry picked from commit `be82aef7cc`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:55 +02:00
Timo Rothenpieler	909d417b6b	avcodec/notchlc: zero-initialize history buffer Otherwise a specially crafted bitstream can potentially read uninitialized stack memory. Fixes #YWH-PGM40646-37 (cherry picked from commit `b5d6cfd55b`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:54 +02:00
Michael Niedermayer	f4201dc6a0	avcodec/mjpegdec: only test the size bound in sequential mjpeg The original fix was intended only for sequential mjpeg, but it was also used for progressive which broke. This commit fixes this regression Fixes: issue21225 The testcase 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 still exits within 240ms Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `ecd2919174`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:53 +02:00
Michael Niedermayer	e69e8b6ac5	avcodec/jpeg2000htdec: Check pLSB Fixes: negative shift and other undefined shifts Fixes: 462335934/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-4538493775970304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `224b3ff82a`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:53 +02:00
Michael Niedermayer	bc7ab1a1bc	avcodec/jpeg2000dec: Make M_b check broader Fixes: shift exponent -1 is negative Fixes: 429330004/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-4733213845291008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit `d60c1d72c1`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:53 +02:00
Oliver Chang	60a34e5a19	avcodec/aacdec: Fix heap-use-after-free in USAC decoding A heap-use-after-free vulnerability was identified in `libavcodec/aac/aacdec.c`. When `che_configure` frees a `ChannelElement` (`ac->che[type][id]`), it failed to clear all references to it in `ac->tag_che_map`. `ac->tag_che_map` caches pointers to `ChannelElement`s and can contain cross-type mappings (e.g., a `TYPE_SCE` tag mapping to a `TYPE_LFE` element). In a USAC stream reconfiguration scenario, an LFE element was freed, but a stale pointer remained in `ac->tag_che_map`. Subsequent calls to `ff_aac_get_che` returned this dangling pointer, leading to a crash in `decode_usac_core_coder`. This commit fixes the issue by iterating over the entire `ac->tag_che_map` in `che_configure` and clearing any entries that point to the `ChannelElement` about to be freed, ensuring no dangling pointers remain. Fixes: https://issues.oss-fuzz.com/issues/440220467 (cherry picked from commit `d6458f6a8b`) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	2026-05-03 19:49:51 +02:00

1 2 3 4 5 ...

52702 commits