Fixes: signed integer overflow: 2 * 1881153568 cannot be represented in type 'int'
Fixes: 17996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5687126468853760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Identical to avpriv_mpeg4audio_get_config() except taking a size argument in
bytes, and featuring a new logging context paremeter.
Schedule avpriv_mpeg4audio_get_config() for removal as soon as major is bumped
as well.
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: signed integer overflow: 2147483645 + 4 cannot be represented in type 'int'
Fixes: 15418/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5685269069561856
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Such streams are invalid according to
4.5.2.1 Top level payloads for the audio object types AAC main, AAC SSR, AAC LC and AAC LTP
4.5.2.1.1 Definitions
...cIn the raw_data_block(), several instances of the
same syntactic element may occur, but must have a different 4 bit
element_instance_tag, except for data_stream_element()'s and
fill_element()'s.
Fixes: Ticket7477
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
- enable the parsing code
- use the new buffer instead of replacing the context one
- do not push/pop configuration, just discard the exiting one
- propagate errors correctly
This will result in poor quality audio for SSR streams, but they
will at least demux and decode without error; partially fixing
ticket #1693.
This pulls in the decode_gain_control() function from the
ffmpeg summer-of-code repo (original author Maxim Gavrilov) at
svn://svn.mplayerhq.hu/soc/aac/aac.c with some minor modifications
and adds AOT_AAC_SSR to decode_audio_specific_config_gb().
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Co-authored-by: Maxim Gavrilov <maxim.gavrilov@gmail.com>
Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int'
Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Previous version reviewed-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 2581/clusterfuzz-testcase-minimized-4681474395602944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: -2147483648 - 1202286525 cannot be represented in type 'int'
Fixes: 2071/clusterfuzz-testcase-minimized-6036414271586304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The only use of that argument was for Opus downmixing which is very rare
and better done after the mdcts.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Fixes: runtime error: shift exponent 1073741824 is too large for 32-bit type 'int'
Fixes: 1654/clusterfuzz-testcase-minimized-5151903795118080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: 1072/clusterfuzz-testcase-6456688074817536
Fixes: 1398/clusterfuzz-testcase-minimized-4576913622302720
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Apparently the demuxer outputs the wrong padding for HE-AAC (based on
the raw sample rate, or so). aacdec contains a hack to adjust the muxer
padding accordingly before it's used to trim the decoder output. This
modified the packet side data, which in combination with the old
decoding API would change the packet the user passed to the decoder.
This is clearly not allowed, and it breaks running some gapless fate
tests with "-fflags +keepside" applied (without keepside, the packet
metadata is typically newly allocated, essentially making a copy and not
modifying the user's input packet).
This should probably be fixed in the demuxer (and consequently also the
muxer), but for now only fix the immediate problem.
Regression since 946ed78f5f (2012).
Handles strides (needed for Opus transients), does pre-reindexing and folding
without needing a copy.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
A strict reading of the spec seems to imply that it should be aligned to
the start of the element instance tag, but that would break all of the
samples with PCEs.
It seems like a well formed LATM stream should have its PCE in the ASC
rather than inband.
Fixes ticket 4544
Fixes index out of bounds error
Fixes: aac_index_out_of_bounds.wmv
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
AAC-Fixed decoder segfaulted. This commit makes the aac encoder
and decoder init the table twice in case of transcoding again.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Since the ff_aac_tableinit() can be called by both the encoder and
the decoder (in case of transcoding) this commit shares the AVOnce
variable to prevent this.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
This is similar to commit ec38a1b for aac_decode_frame_int.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
2nd channel makes sense only for CPE type.
Skip 2nd channel in preparation for resampler (in spectral_to _sample())
depending on block type.
Fixes fate failure with clang ftrapv.
Signed-off-by: Nedeljko Babic <nedeljko.babic@imgtec.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
There was fixed number of loops (2048) in preparation for resampler, so
when number of samples is smaller than this, there would be an overflow on
ret_buf.
For some reason this behavior popped out only under valgrind with
--disable-memory-poisoning option.
This is now fixed and number of loops depends on actual number of samples.
Signed-off-by: Nedeljko Babic <nedeljko.babic@rt-rk.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Move existing code to the new template files
Signed-off-by: Nedeljko Babic <nedeljko.babic@imgtec.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Carl Eugen Hoyos
Michael Niedermayer
James Almer
Vittorio Giovara
Dale Curtis
Paul B Mahol
Nicolas Sugino
Rostislav Pehlivanov
wm4
Alex Converse
Carl Eugen Hoyos
Reimar Döffinger
Andreas Cadhalpun
Hendrik Leppkes
Derek Buitenhuis
Emanuel Czirai
Nedeljko Babic
Nedeljko Babic
Djordje Pesut
Jovan Zelincevic
Michael Niedermayer