- 10 Dec, 2019 4 commits
-
-
Committed by Michael Niedermayer
Fixes: signed integer overflow: 2147483188 + 2048 cannot be represented in type 'int' Fixes: 18741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUESPEECH_fuzzer-5748950460268544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Michael Niedermayer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Andreas Rheinhardt
ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both key and value are freed on error (and owned by the destination dictionary on success), so that freeing them again on error is a double-free and therefore forbidden. But it nevertheless happened. Fixes CID 1452489 and 1452421. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Gyan Doshi
scale.c is too generic; scale_eval is more representative
-
- 09 Dec, 2019 1 commit
-
-
Committed by Andreas Rheinhardt
contained in Vorbis comments in the CodecPrivate of flac tracks. Moreover, it also tests header removal compression. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
- 08 Dec, 2019 6 commits
-
-
Committed by Michael Niedermayer
This should improve coverage. Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Gyan Doshi
Adjustment of evaluated values shifted to ff_adjust_scale_dimensions. Shifted code for force_original_aspect_ratio and force_divisible_by from vf_scale so it is now available for scale_cuda, scale_npp and scale_vaapi as well.
-
Committed by Andreas Rheinhardt
This test contains a track with zlib compressed CodecPrivate in addition to compressed frames; the former was unchecked before. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Michael Niedermayer
avcodec/atrac9dec: Check q_unit_cnt more completely before using it to access at9_tab_band_ext_group Fixes: index 8 out of bounds for type 'const uint8_t [8][3]' Fixes: 19127/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5709394985091072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne <dev@lynne.ee> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by hwrenx
Signed-off-by: hwrenx <hwrenx@126.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by James Almer
Signed-off-by: James Almer <jamrial@gmail.com>
-
- 07 Dec, 2019 5 commits
-
-
Committed by James Almer
Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
ProRes in Matroska is supposed to not contain the first atom header (containing a size field and the tag "icpf") and therefore the Matroska demuxer has to recreate it; this involves an allocation and copy, of course. Whether the old buffer (containing the data without the atom header) needs to be freed or not depends upon whether it is what was directly read (in which case it is owned by an AVBuffer) or whether it has been allocated when reversing the track's content compression (e.g. zlib compression) that Matroska supports. So there are three pointers involved: The one pointing to the directly read data (owned by the AVBuffer), the one pointing to the currently valid data (which coincides with the former if no content compression needed to be reverted) and the one pointing to the new data with the first atom header. The check for whether to free the second of these is simply whether the first two are different. This works mostly, but there is a complication: Some muxers don't strip the first atom header away and in this case, it is also not reinserted and no new buffer is allocated; instead, the second and the third pointers agree. In this case, one must never free the second buffer. Yet it is currently done if the track is e.g. zlib compressed. This commit fixes this. This is a regression since b8e75a2a. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Jun Zhao
This happens if ffurl_open_whitelist fails and stream is unset. Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
Committed by Jun Zhao
Fix the memory leak in the error handling path. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
-
Committed by Andriy Gelman
In the worst case the startcode prefix has 4 bytes. This fixes a triggered assertion: Assertion dp <= max_size failed at libavcodec/cbs_h2645.c:1451 Found-by: libFuzzer Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
-
- 06 Dec, 2019 15 commits
-
-
Committed by Limin Wang
Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Michael Niedermayer
Fixes: Infinite loop Fixes: 19183/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5666216765292544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Limin Wang
Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Limin Wang
Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by leozhang
Signed-off-by: leozhang <leozhang@qiyi.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Ting Fu
Signed-off-by: Ting Fu <ting.fu@intel.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Limin Wang
Signed-off-by: Limin Wang <lance.lmwang@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Marton Balint
This avoids a memcpy, improving performance if SHM is not used. Signed-off-by: Marton Balint <cus@passwd.hu>
-
Committed by Gyan Doshi
Width and height expressions can refer to each other. Width is evaluated twice to allow for reference to output height. So we should not error out upon failure of first evaluation of width.
-
Committed by Zhao Zhili
No functional changes. ref/unref vs add/sub is symmetrical. Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by James Almer
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Michael Niedermayer
Fixes: fate-fitsdec-bitpix-64 Possibly Fixes: -nan is outside the range of representable values of type 'unsigned short' Possibly Fixes: 17769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5678314672357376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Andreas Rheinhardt
If an error happens in vobsub_read_header() after allocating the AVFormatContext intended to read the sub-file, both the AVFormatContext as well as the data in the subtitles queues leak. This has been fixed. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Andreas Rheinhardt
vobsub_read_header() uses an AVBPrint to write a string and up until now, it collected the string stored in the AVBPrint via av_bprint_finalize(), which might involve an allocation and copy of the string. But this is unnecessary, as the lifetime of the returned string does not exceed the lifetime of the AVBPrint. So use the string in the AVBPrint directly. This also makes it possible to easily fix a memleak: In certain error situations, the string stored in the AVBPrint would not be freed (if it was dynamically allocated). This has been fixed, too. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
Committed by Andreas Rheinhardt
When the VobSub demuxer was added, the fields it required were simply added to the MpegDemuxContext (if the VobSub demuxer was selected at all). The mpeg demuxer of course doesn't use these fields even if they are there; and the VobSub demuxer doesn't use the old ones: It opens an mpeg subdemuxer of its own and uses this where a mpeg demuxer is required. Hence the two contexts can be split, saving memory. Furthermore several headers can now be moved to the section that is guarded by #if CONFIG_VOBSUB_DEMUXER (this even includes avassert.h which was unguarded and has been added in 9cde9f70 despite not being used in that patch). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
- 05 Dec, 2019 9 commits
-
-
Committed by Andreas Rheinhardt
When parsing EBML lacing, for every number read, a new AVIOContext has been initialized (via ffio_init_context()) just for this number. This has been changed: The context is kept now. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
When parsing the sizes of the frames in a lace fails, sometimes no error message was raised (e.g. when using xiph or fixed-size lacing). Only EBML lacing generated error messages (which were wrongly declared as AV_LOG_INFO), but even here not all errors resulted in an error message. So add a generic error message to catch them all. Moreover, if parsing one of the EBML numbers fails, ebml_read_num already emits its own error messages, so that all that is needed is a generic error message to indicate that this happened during parsing the sizes of the frames in a block; in other words, the error messages specific to parsing EBML lace numbers can be and have been removed. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
870e7552 introduced validating the lace sizes when they are parsed and removed the old check; yet when merging this libav commit in 6902c3ac, the old check for whether the frame extends beyond the frame has been kept. It is unnecessary and has been removed. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
Up until now, when an error happened in one of the inner loops in matroska_parse_laces, a variable designated for the return value has been set to an error value and break has been used to exit the current loop/case. This was done so that the end of matroska_parse_laces is reached, because said function allocated memory which is later used and freed in the calling function and passed at the end of matroska_parse_laces. But given that there is no allocation any more, one can now return immediately. And this commit does this. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
The maximal number of frames in a lace can be 256; hence one has a not excessive upper bound on the size of an array that can hold the sizes of all the frames in a lace. Yet up until now, said array has been dynamically allocated. This has been changed. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
It avoids the overhead of function calls. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
Up until c4e0e314, the seek table has been included in the tta extradata, so that the size of said extradata was 22 (the size of a TTA1 header) + 4 * number of frames. The decoder rejected anything below a size of 30 and so the Matroska demuxer exported 30 byte long extradata, of which only 18 were set (it ignores a CRC-32 and simply leaves it at 0). But this is unnecessary since said commit, so reduce the size to 22. Furthermore, replace 30 by 22 in a comment about the extradata size in libavcodec/tta.c. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by Andreas Rheinhardt
That way one doesn't have to free later. In this case (concerning TTA extradata), this also fixes a memleak when the output samplerate is invalid. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: James Almer <jamrial@gmail.com>
-
Committed by James Almer
Signed-off-by: James Almer <jamrial@gmail.com>
-