Fixes: out of array access
Fixes: 19750/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RAWVIDEO_fuzzer-5074834119983104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
PSEUDOPAL pixel formats are not paletted, but carried a palette with the
intention of allowing code to treat unpaletted formats as paletted. The
palette simply mapped the byte values to the resulting RGB values,
making it some sort of LUT for RGB conversion.
It was used for 1 byte formats only: RGB4_BYTE, BGR4_BYTE, RGB8, BGR8,
GRAY8. The first 4 are awfully obscure, used only by some ancient bitmap
formats. The last one, GRAY8, is more common, but its treatment is
grossly incorrect. It considers full range GRAY8 only, so GRAY8 coming
from typical Y video planes was not mapped to the correct RGB values.
This cannot be fixed, because AVFrame.color_range can be freely changed
at runtime, and there is nothing to ensure the pseudo palette is
updated.
Also, nothing actually used the PSEUDOPAL palette data, except xwdenc
(trivially changed in the previous commit). All other code had to treat
it as a special case, just to ignore or to propagate palette data.
In conclusion, this was just a very strange old mechnaism that has no
real justification to exist anymore (although it may have been nice and
useful in the past). Now it's an artifact that makes the API harder to
use: API users who allocate their own pixel data have to be aware that
they need to allocate the palette, or FFmpeg will crash on them in
_some_ situations. On top of this, there was no API to allocate the
pseuo palette outside of av_frame_get_buffer().
This patch not only deprecates AV_PIX_FMT_FLAG_PSEUDOPAL, but also makes
the pseudo palette optional. Nothing accesses it anymore, though if it's
set, it's propagated. It's still allocated and initialized for
compatibility with API users that rely on this feature. But new API
users do not need to allocate it. This was an explicit goal of this
patch.
Most changes replace AV_PIX_FMT_FLAG_PSEUDOPAL with FF_PSEUDOPAL. I
first tried #ifdefing all code, but it was a mess. The FF_PSEUDOPAL
macro reduces the mess, and still allows defining FF_API_PSEUDOPAL to 0.
Passes FATE with FF_API_PSEUDOPAL enabled and disabled. In addition,
FATE passes with FF_API_PSEUDOPAL set to 1, but with allocation
functions manually changed to not allocating a palette.
Fixes valgrind warnings about usage of uninitialized values.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
The line alignment for 1 bpp raw AV_PIX_FMT_MONOWHITE video (currently
used for AVI) was previously 4 bytes, which generated alignment warning
messages, not only for odd-width files. The alignment is now 16 bytes.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This patch aligns the lines of 1 bpp depth for QuickTime, and 2, 4 and 8
bpp depths for AVI and QuickTime, on 16-byte boundaries. At the same
time, the packet row stride is properly catered for.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Match the use of AV_PIX_FMT_PAL8 for 1-bit QuickTime Animation in
lavc/qtrle. To reiterate, 1-bit video is not necessary black & white in
QuickTime, merely bi-level. The two colors can be any color. The palette,
either included in the sample description, or the default Macintosh
palette (black & white for 1-bit video) will be set in lavf/qtpalette.
See the QuickTime File Format Specification for details.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Otherwise the too small buffer is directly used in the frame, causing
segmentation faults, when trying to use the frame.
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Fixes out of array access
Fixes: asan_heap-oob_22388d0_3435_cov_3297128910_small_roll5_FlashCine1.cine
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The bit packing method is communicted via codec_tag:
BIT[0] big-endian packing
BIT[16] 16-bit little endian packing
BIT[32] 32-bit little-endian packing
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This reverts commit 691dec6201.
The commit did not fix ticket #3215, it was fixed one commit earlier.
The revert may break other use-cases but they should be fixed differently,
the offending commit introduced too many problems.
Fixes ticket #3377.
Fixes ticket #3378.
Otherwise the created buffer can be smaller than buf_size, which results
in buffer overreads if the original image has extra padding on every line.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer
wm4
Muhammad Faiz
James Almer
Carl Eugen Hoyos
Mats Peterson
Mats Peterson
Andreas Cadhalpun
Clément Bœsch
Luca Barbato
Michael Niedermayer
Anton Khirnov
Peter Ross
Diego Biurrun
Hendrik Leppkes
Nicolas George