The limit is based on hevcdec.c
Fixes: 20854/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5160442882424832
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
If the RPS we are predicting from has maximum size then at least one of
the pictures in it must be discarded before adding the current one.
Also revert 588114cea4, which added
now-redundant checks for the special case of a too-large RPS with all
pictures being in the same direction from the current one.
Fixes ticket #8622
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: out of array access
Fixes: 20446/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5707770718584832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit fixes the names and constants of the reserved NAL units
with nal_unit_type 22 resp. 23. They were "IRAP_IRAP_VLC2x", but are
actually "RSV_IRAP_VLC2x".
This also required a change to cbs_h265_syntax_template.c.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
payload_count is used to track the number of SEI payloads. It is also
used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().
Currently, payload_count is set after the for loop is completed. Hence if
there is an error and the function exits, the payload remains zero
causing a memleak.
This commit keeps track of payload_count inside the for loop to fix the
issue. Note that the contents of current are initialized with
av_mallocz() so there is no need to zero initialize payload_count.
Found-by: libFuzzer
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
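The leak pattern described in the commit message above, as an added example that is not FFmpeg code: a count-driven free routine misses buffers when the count is only stored after the read loop and the loop exits early. The `Sei` and `Payload` types, `MAX_PAYLOADS`, and all function names are hypothetical stand-ins.

```c
#include <stdlib.h>

#define MAX_PAYLOADS 8

/* Hypothetical stand-ins for this example; not FFmpeg's structures. */
typedef struct { void *data; } Payload;
typedef struct { Payload payload[MAX_PAYLOADS]; int payload_count; } Sei;

/* Frees only the entries payload_count says exist, as a count-driven
 * free callback does. */
static void sei_free(Sei *sei) {
    for (int i = 0; i < sei->payload_count; i++) {
        free(sei->payload[i].data);
        sei->payload[i].data = NULL;
    }
}

/* Reads n payloads; index fail_at simulates a parse error.
 * count_in_loop == 0: count stored after the loop (leaky pattern).
 * count_in_loop == 1: count updated per payload (fixed pattern). */
static int sei_read(Sei *sei, int n, int fail_at, int count_in_loop) {
    int i;
    for (i = 0; i < n && i < MAX_PAYLOADS; i++) {
        if (i == fail_at)
            return -1;                      /* early exit on error */
        if (!(sei->payload[i].data = malloc(16)))
            return -1;
        if (count_in_loop)
            sei->payload_count = i + 1;
    }
    if (!count_in_loop)
        sei->payload_count = i;
    return 0;
}

/* Returns how many buffers the free routine missed after a failed read. */
int leaked_after_error(int count_in_loop) {
    Sei sei = {0};                          /* zeroed, like av_mallocz() */
    int leaked = 0;
    sei_read(&sei, 4, 3, count_in_loop);    /* the 4th payload fails */
    sei_free(&sei);
    for (int i = 0; i < MAX_PAYLOADS; i++)  /* sweep so the demo itself is clean */
        if (sei.payload[i].data) { free(sei.payload[i].data); leaked++; }
    return leaked;
}
```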
This follows the spec definition, and removes a field from the relevant
structs.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
The spec defines it as an array of signed values, inferred to 0 when not
present.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
Supports both prefix and suffix SEI, decoding all of the common SEI
types and some more obscure ones. Most of this is tested by the
existing tests in fate.
Similar to H264, cbs_h265_{read, write}_nal_unit() can handle HEVC
prefix SEI NAL units. Currently only the mastering display colour volume SEI
message is added; we may add more SEI messages later if needed.
Signed-off-by: Haihao Xiang <haihao.xiang@intel.com>