FFmpeg

Commit Graph

Author	SHA1	Message	Date
Michael Niedermayer	074187d599	avcodec/mpeg4videodec: Clear partitioned frame in decode_studio_vop_header() partitioned_frame is also set/cleared in decode_vop_header() Fixes: out of array read Fixes: 9789/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5638681627983872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Michael Niedermayer	b737317a88	avcodec/mpeg4videodec: Fix typo in sprite delta check Fixes: Integer overflow Fixes: 10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Michael Niedermayer	c88afa44c4	avcodec/mpeg4videodec: Fix undefined shift in get_amv() Fixes: runtime error: shift exponent -1 is negative Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Michael Niedermayer	fb7b0347b3	avcodec/mpeg4videodec: Check rice_prefix_code Fixes: out of array read Fixes: 10064/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5766801384800256 Fixes: 10225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5071833448054784 Fixes: 10261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5115048024866816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Kieran Kunhya	844ff49469	mpeg4video: Add Studio DPCM support	6 years ago
Michael Niedermayer	168d8d56bf	avcodec/mpeg4videodec: Fix slice end detection in mpeg4_decode_studio_mb() Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Michael Niedermayer	5aba5b89d0	avcodec/mpeg4videodec: Check for bitstream end in read_quant_matrix_ext() Fixes: out of array read Fixes: asff-crash-0e53d0dc491dfdd507530b66562812fbd4c36678 Found-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Michael Niedermayer	bd27a9364c	avcodec/mpeg4videodec: Remove use of FF_PROFILE_MPEG4_SIMPLE_STUDIO as indicator of studio profile The profile field is changed by code inside and outside the decoder, its not a reliable indicator of the internal codec state. Maintaining it consistency with studio_profile is messy. Its easier to just avoid it and use only studio_profile Fixes: assertion failure Fixes: ffmpeg_crash_9.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Michael Niedermayer	2aa9047486	avcodec/mpeg4videodec: Check read profile before setting it Fixes: null pointer dereference Fixes: ffmpeg_crash_7.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	6 years ago
Michael Niedermayer	2fc108f60f	avcodec/mpeg4videodec: Clear bits_per_raw_sample if it has originated from a previous instance Fixes: assertion failure Fixes: ffmpeg_crash_5.avi Found-by: Thuan Pham <thuanpv@comp.nus.edu.sg>, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	ba97d75ac6	avcodec/mpeg4video: Detect reference studio streams as studio streams Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	b3a18511cc	avcodec/mpeg4videodec: Check bps (VOL header) before VOP for studio profile Fixes: runtime error: shift exponent -1 is negative Fixes: 7486/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4977380939530240 Fixes: runtime error: index 36 out of bounds for type 'const uint8_t [32]' Fixes: 7566/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6536620682510336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	9e5d0860c0	avcodec/mpeg4videodec: Do not corrupt bits_per_raw_sample Reviewed-by: Kieran Kunhya <kierank@obe.tv> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	9f73ae31e0	avcodec/mpeg4videode: Eliminate out of loop VOP startcode reading for studio profile Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	177133a0f4	avcodec/mpeg4videodec: Split decode_studio_vol_header() out of decode_studiovisualobject() Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	e03bf251d8	avcodec/mpeg4videodec: Move decode_studiovisualobject() parsing in the branch for visual object parsing Fixes: runtime error: shift exponent -1 is negative Fixes: 7510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5024523356209152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
James Almer	2f27370111	avcodec/mpeg4videodec: unbreak multithreading decoding Should fix double free related crashes. Signed-off-by: James Almer <jamrial@gmail.com>	7 years ago
James Almer	a866cc3ad3	avcodec/mpeg4videodec: free studio profile VLCs when closing the decoder Fixes memleaks. Signed-off-by: James Almer <jamrial@gmail.com>	7 years ago
Kieran Kunhya	f9d3841ae6	mpeg4video: Add support for MPEG-4 Simple Studio Profile. This is a profile supporting > 8-bit video and has a higher quality DCT	7 years ago
Michael Niedermayer	db77230894	avcodec/mpeg4videodec: Use more specific error codes Forward error codes where possible. Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	63a4bdbf3b	avcodec/mpeg4videodec: Ignore multiple VOL headers Fixes: Ticket7005 Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	d4967c04e0	avcodec/mpeg4videodec: Avoid possibly aliasing violating casts Found-by: kierank Reviewed-by: Kieran Kunhya <kieran618@googlemail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	05f4703a16	avcodec/mpeg4videodec: Check mb_num also against 0 The spec implies that 0 is invalid in addition to the existing checks Found-by: <kierank> Reviewed-by: Kieran Kunhya <kieran618@googlemail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Mark Thompson	e6a1dfc9ce	mpeg4videodec: Fix unused variable warning video_format is not used.	7 years ago
Michael Niedermayer	4b2a186ef0	avcodec/mpeg4videodec: Add support for parsing and exporting video_range Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Mark Thompson	2fcb009011	lavc: Add hardware config metadata for decoders supporting hardware output This includes a pointer to the associated hwaccel for decoders using hwaccels - these will be used later to implement the hwaccel setup without needing a global list. Also added is a new file listing all hwaccels as external declarations - this will be used later to generate the hwaccel list at configure time.	7 years ago
James Almer	921d7af6e9	avcodec/mpeg4videodec: fix preprocessor check for the nvdec hwaccel Signed-off-by: James Almer <jamrial@gmail.com>	7 years ago
Mark Thompson	758fbc54fe	lavc: Add hardware config metadata for decoders supporting hardware output This includes a pointer to the associated hwaccel for decoders using hwaccels - these will be used later to implement the hwaccel setup without needing a global list. Also added is a new file listing all hwaccels as external declarations - this will be used later to generate the hwaccel list at configure time.	7 years ago
Michael Niedermayer	0e7865ce41	avcodec/mpeg4videodec: Check also for negative versions in the validity check Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Dale Curtis	7010dd98b5	Fix undefined shift on assumed 8-bit input. decode_user_data() attempts to create an integer \|build\| value with 8 bits of spacing for 3 components. However each component is an int32_t, so shifting each component is undefined for values outside of the 8 bit range. This patch simply clamps input to 8-bits per component and prints out a warning that the values were clamped. Signed-off-by: Dale Curtis <dalecurtis@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	e38f280fec	avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta Fixes: runtime error: signed integer overflow: -104713 * 65536 cannot be represented in type 'int' Fixes: 3453/clusterfuzz-testcase-minimized-5555554657239040 Fixes: 3528/clusterfuzz-testcase-minimized-6283628420005888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	7735ed2974	avcodec/mpeg4videodec: Clear mcsel before decoding an image Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int' Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	7 years ago
Michael Niedermayer	4976a3411f	avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 Fixes: runtime error: shift exponent -1 is negative Fixes: 2338/clusterfuzz-testcase-minimized-5153426541379584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	5443c4bdf4	avcodec/mpeg4videodec: Fix overflow in virtual_ref computation Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int' Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	12245ab1f6	avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int' Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	0a87be404a	avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int' Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	18bca25adb	avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' Fixes: 2106/clusterfuzz-testcase-minimized-6136503639998464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	efeb47fd5d	avcodec/mpeg4videodec: Check for multiple VOL headers Fixes multiple: runtime error: signed integer overflow: 2147115008 + 413696 cannot be represented in type 'int' Fixes: 1723/clusterfuzz-testcase-minimized-5309409372667904 Fixes: 1727/clusterfuzz-testcase-minimized-5900685306494976 Fixes: 1737/clusterfuzz-testcase-minimized-5922321338466304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	467677769a	avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode Fixes: Integer overflow Fixes: 1572/clusterfuzz-testcase-minimized-4578773729017856 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	c1c3a14073	libavcodec/mpeg4videodec: Convert sprite_offset to 64bit This avoids intermediates from overflowing (the final values are checked) Fixes: runtime error: signed integer overflow: -167712 + -2147352576 cannot be represented in type 'int' Fixes: 1298/clusterfuzz-testcase-minimized-5955580877340672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Sean McGovern	6ac0e78183	mpeg4videodec: raise an error if sprite_trajectory.table is NULL CC: libav-stable@libav.org Bug-Id: 1012	8 years ago
Michael Niedermayer	e2a4f1a9eb	avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' Fixes: 736/clusterfuzz-testcase-5580263943831552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	fab13bbbcd	avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' This checks the sprite delta intermediates for overflow Fixes: 716/clusterfuzz-testcase-4890287480504320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	eb41956636	avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() Also clear the state on errors Fixes integer overflows in 701/clusterfuzz-testcase-6594719951880192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	25e93aacc2	avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 Fixes: 674/clusterfuzz-testcase-6713275880308736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	76ba09d182	avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows This is not necessarily specific to fuzzed files Fixes: Multiple integer overflows Fixes: 656/clusterfuzz-testcase-6463814516080640 Fixes: 658/clusterfuzz-testcase-6691260146384896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	6871df02d9	avcodec/mpeg4videodec: Check sprite_offset in addition to shifts Fixes: 651/clusterfuzz-testcase-5710668915277824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	6179dc8aa7	avcodec/mpeg4video: Fix runtime error: left shift of negative value Fixes: 644/clusterfuzz-testcase-4726434209726464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Michael Niedermayer	aa2b75263e	avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative Fixes: 612/clusterfuzz-testcase-4707817137111040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>	8 years ago
Anton Khirnov	fd9212f2ed	Mark some arrays that never change as const.	8 years ago

1 2 3 4 5 ...

300 Commits (3fc7b69496fd586a609f9c8a2f1ed17e46bf5fff)