We assign a 64bit variable to it before checking
Fixes: CID1604544 Overflowed integer argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
We subtract 24 so it must be at least 24
Fixes: CID1604482 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: index -2 out of bounds for type 'const enum AVCodecID [3]'
Fixes: 69866/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4971166119821312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036854775807 - -1 cannot be represented in type 'long'
Fixes: 68578/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6032171648221184
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The semantics for the field are different than the one in AVCodecParameters,
so use the name defined in the IAMF spec to prevent confusion.
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: member access within null pointer of type 'IAMFSubStream' (aka 'struct IAMFSubStream')
Fixes: 69795/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6216287009701888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
fd_dup is unused when fd and pipe have been disabled. This also
fix build error with wasi since 'dup' isn't available.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
When -trim option is used (by default), padding cells
at the beginning of the title are supposed to be ignored.
The current implementation does the ignoring after we
have locked on to the PGC navigation event stream,
but does not set the PGC/PG state properly.
This causes false positives and errors on some discs
due to a search for a program stream cell that
never succeeds. User would have to know to disable
the -trim option to work around the issue.
Simplify the logic and move it to the NAV packet
event handling, in turn implementing the behaviour
correctly and fixing the trim function for impacted discs.
Signed-off-by: Marth64 <marth64@proxyid.net>
Remove initializing ret = 0, in areas where ret is
only used to hold an error value, immediately returned,
and the function would otherwise return a literal 0.
Signed-off-by: Marth64 <marth64@proxyid.net>
Some discs (usually same ones with padding cells), also have empty
padding PTTs / chapters to accompany them. This results, for example,
in an extra chapter marker that starts and ends at 0 (no duration).
Don't add these empty chapter markers.
Signed-off-by: Marth64 <marth64@proxyid.net>
Found while reviewing: CID1494441 Untrusted value as argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It is not entirely clear what would prevent such overflow so even if it is
not possible, it is better to use 64bit
Fixes: CID1491898 Unintentional integer overflow
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It's meant to override any codec specific (but still container level)
information, but its position is not guaranteed, so apply the values after the
entire trak structure has been parsed.
Also, replace the ugly roundabout int -> double -> int method to set SAR from
existing dimensions while at it.
Signed-off-by: James Almer <jamrial@gmail.com>
And av_stream_get_codec_timebase().
They were both added for ffmpeg CLI, which no longer calls either of
them. Furthermore the notion of "internal stream timing info" that needs
to be transferred with a special magic API function is fundamentally
flawed and should be removed.
Use the already available AVCodecParameters pointer instead.
Shortens lines.
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The check "left >= INT_MAX - right" is supposed to check for
whether left + right does not overflow/wraparound, but given that
left and top are uint32_t INT_MAX - right can already wraparound
for big values of right (and ordinary 32-bit ints):
If right == UINT32_MAX, INT_MAX - right is INT_MAX + 1;
for left in 0..par->width both checks will be passed.
Fix this and simplify the check by using 64-bit types,
where the addition is guaranteed not to overflow.
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: CID1551679 Data race condition
Fixes: CID1551687 Data race condition
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found while reviewing CID1452449 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It seems reply1 is initialized by ff_rtsp_send_cmd() in most cases but there
are code paths like "continue" which look like they could skip it but even if not
writing this so a complex loop after several layers of calls initialized a local
variable through a pointer is just bad design.
This patch simply initialized the variable.
Fixes: CID1473532 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Found while reviewing CID1473532 Uninitialized scalar variable
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer
James Almer
Felicia Lim
Zhao Zhili
Marth64
Anton Khirnov
Andreas Rheinhardt