This patch will cause the parser to abort if it detects an icc profile
with an invalid size. This is particularly important if the icc profile
is entropy-encoded with zero bits per symbol, as it can prevent a
seemingly infinite loop during parsing.
Fixes: infinite loop
Fixes: 62374/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer
-5551878085410816
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reported-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Leo Izen <leo.izen@gmail.com>
Also, avoid spurious end-of-line after side data entries, and improve
rendering of compact output, by adding an indication of the side data
type for each entry.
Also fixes issue:
http://trac.ffmpeg.org/ticket/9266
Do not use put_sbits() where only unsigned is stored.
Reduce size of data_check_present field.
Reduce size of table of codebook_extremes[].
Avoid anonymously typedeffed structs.
Use encoder private context to store parameters.
Fix wrapping when calculating offsets.
Restructure arrays in encoder private context so to keep
arrays belonging to same subblock into separate structure.
Disable matrix coefficients as they are sometimes
producing wrong results.
Fixes multiplane support on Nvidia.
Also, remove the ENCODE usage, even if the driver signals it as supported.
Currently, it's not used, and when it is used, it'll be gated behind
two extension checks.
Some clips (i.e. SLIST_B_Sony_9) will use PPS 0 and 8, before PPS 1-7.
vulkan_hevc expects {sps,pps,vps}_list to be filled in order, which
causes PPS 8 to not be added to the Vulkan session params when it is
being used by a picture.
This removes the expectation that these lists are filled in order. The
indicies into vps_list are saved since there are multiple usages of it.
This also fixes a bug with some clips (i.e. PPS_A_qualcomm_7) which use
all 64 available PPS slots, causing the old loop to think there are more
than 64 PPS-es.
SVT-AV1 does not support requesting keyframes at arbitrary points
by setting pic_type to EB_AV1_KEY_PICTURE. So set force_key_frames
to 1 only when gop_size == 1.
Please see the comments in
https://gitlab.com/AOMediaCodec/SVT-AV1/-/issues/2076 for a bit more
details.
Signed-off-by: Vignesh Venkatasubramanian <vigneshv@google.com>
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
These flags will be overwritten later in ff_mpv_frame_start().
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It has currently not been done for H263, H263P and MPEG4.
Doing so avoids having to initialize the IDCT permutation
lateron when decoding packets in order to be able to parse
a quant matrix; it means that every mpegvideo decoder always
has an initialized IDCTDSPContext after init.
Initializing is done generically in ff_mpv_decode_init().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Up until now, ff_mpeg_update_thread_context() zeroes
the context to initialize on initialization failure.
This has been added in e1d7d4bd13.
Just as now, ff_mpeg_update_thread_context() simply
copied the src MpegEncContext over the dst MpegEncContext
to initialize it, but clear_context() was only added in
b160fc290c, so that cleaning up
on init failure was a minefield if performed.
It was not always performed, namely not before the first
allocation needed to be freed. In the fuzzer sample that
led to e1d7d4bd13, the call
to av_image_check_size() failed and before said commit,
the context contained lots of pointers from the src context,
leading to assert violations lateron.
Of course, the proper fix for this is resetting the pointers
(or even better, not copying them in the first place), so
this zeroing is unnecessary since commit
b160fc290c. It is also harmful,
because it makes initializing something only once during init
more complicated; See the h264chroma handling in the diff
for an example. Therefore it is removed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Before 998c9f15d1, the IDCTDSPContext
has only been initialized in ff_mpv_common_init() which is deferred
until immediately before decoding a picture; to nevertheless parse
the quant matrices in sequence headers or quant matrix extensions,
a dummy (identity) permutation has been stored in the codec's init
function; after ff_mpv_common_init() which could change the permutation
the matrices were repermutated.
Yet since said commit, the IDCTDSPContext is initialized during init
and does not change afterwards (unless the user forces different CPU
flags), so there is no need to reinitialize it; the repermutation code
can be removed as well.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: out of array access
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6035022714634240
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-6422176201572352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2147483506 + -801380 cannot be represented in type 'int'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6578985923117056
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 148676193 - -2006512262 cannot be represented in type 'int'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5963163952349184
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -1364715454 + -1468954671 cannot be represented in type 'int'
Fixes: 62093/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5538774254485504
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: 62171/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5644657180409856
Fixes: signed integer overflow: 2 * 1079352273 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: mem leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-6666804266926080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 4 * 2307917133220067266 cannot be represented in type 'long'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6307690022043648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 538976288 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6275845531238400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
the type is also changed to int as it is interpreted as int in av_get_packet()
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-6593408795279360
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4613908817903616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 91542414454000000 - -9154241494546000000 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4739147999084544
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This revectors the inner loop to reverse vectors element in vectors,
thus eliminating the negative register stride. Note that RVV does not
have a vector reverse instruction, so this uses a gather.
It is already done generically in update_context_from_thread()
before this function is called.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This has been done for the luma plane of missing FLV1 and H263
references.
Also remove code duplication by reusing gray_frame(), which
has been renamed to color_frame() for this purpose.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes segfaults with -debug +nomc -flags +gray (presuming
a build with --enable-gray).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
In this case any timestamps are guessed by compute_pkt_fields() in
libavformat. Since we are decoding the stream, we have more accurate
information from the decoder and do not need any guesses.
Eliminates spurious PTS gaps in a number of FATE tests.
Also avoids dropping the majority of frames in fate-dirac*
* export AVCodecParserContext.picture_structure.
* when there are two field pictures in the packet, set
the interlacing parameters accordingly:
* repeat_pict=1 and picture_structure=FRAME to indicate 2 fields
* field_order to indicate the first field of the two