Fixes: signed integer overflow: -3483479120376300096 - 7442323944145700864 cannot be represented in type 'long'
Fixes: 383187489/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4561470580391936
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 361d24e6d9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized value (untested)
Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5505802505355264
Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96d45c3b21)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized value
Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6656646223298560-cut
Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e30d957a9b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Likely a tighter check can be done
Fixes: signed integer overflow: 3305606804154370442 * 8 cannot be represented in type 'long'
Fixes: 70449/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4771166007918592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4122406f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This basically ignores the overflow without undefined behavior, alternatively we could detect and error out
Fixes: signed integer overflow: 6310596683470275584 + 7660622966157213696 cannot be represented in type 'long'
Fixes: 70433/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5483347233538048
Fixes: 369662284/clusterfuzz-testcase-minimized-media_metadata_parser_fuzzer-5327368763670528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 057b8c2066)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
As per section 3.11.1 of the IAMF spec, the sample rate used in Codec Config
for Opus shall be 48kHz, regardless of the original sample rate used during
encoding.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 76049d1c45)
When subblock durations are constant, the last block may be smaller and the
value needs to be calculated.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit fb5e8ea971)
Section 3.6.1 of the IAMF spec states "When constant_subblock_duration is equal to 0, the summation of all
subblock_duration in this parameter block SHALL be equal to duration.".
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d38fc25519)
ambisonics mode > 1 does not initialize any layer but layer 0
is unconditionally dereferenced
Fixes: poc-2024-11
Fixes: null pointer dereference
Found-by: 苏童 <220235212@seu.edu.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4cc1495aca)
And not just the first, as it was being done for lacing. The spec states that the
flag applies to everything inside the simple box.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit f656c00bd9)
Don't depend on the generic code setting this.
This is in preparation for a following change.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit f938b2b3f5)
They are needed for audio tracks with priming samples, where negative CTS
offsets can't be used.
Fixes ticket #11031.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit ecc7d5db9c)
avgBitrate == 0 is used to signal a VBR track, so if that value is propagated by an
encoder, don't overwrite it with a calculated value based on track size.
Part of a fix for ticket #11303.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 944212acad)
Pointers to specific entries in the array are stored in other structs, so
in the scenario where heif_item was reallocated when parsing an iloc box after
and iinf one, the pointers may end up referencing freed memory.
Fixes use-after-free with such samples.
Signed-off-by: James Almer <jamrial@gmail.com>
It's similar to av_get_frame_filename2 but with int64_t number
support. Make av_get_frame_filename* a wrapper over
ff_get_frame_filename.
Co-authored-by: Filip Mašić <shoutplenty@gmail.com>
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit a2d9663241)
Otherwise, things like ICC profiles as read from the colr box meant for an item
with no stream (like a grid) may end up being added to the wrong stream.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 04182b5549)
I encountered this problem with NTP timestamps that are extremely old,
like from January, 1990.
Although RFC3550 suggests that the timestamps in the RTCP packets use
the actual wallclock, some implementations use other clocks, such as
the CLOCK_MONOTONIC on linux.
I'm my case, I'm dealing with packets from mediasoup.
Without this patch, start_time_realtime shows up in the distance future
instead of around Jan 1900.
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Fixes: signed integer overflow: 9223372036840103968 + 538976288 cannot be represented in type 'long'
Fixes: 70604/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4844090340999168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long'
Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <git@haerdin.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Make sure it's not zero, and equal or bigger than number of channels
Fixes: Timeout / DOS
Fixes: 67143/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-4858720481771520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
Player applications can now enjoy seeking while playing back
a title. Accuracy is at the mercy of what libdvdnav exposes,
which is currently dvdnav_time_search().
Signed-off-by: Marth64 <marth64@proxyid.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.
ref: c28e5b597e
Signed-off-by: sfan5 <sfan5@live.de>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
If the segment is very small, avformat_find_stream_info
will read all audio/video data in this segment.
cur->is_restart_needed is set to 0 later in dash_read_packet,
and no chance to be set to 1 again in the read_data function.
Reproduction:
ffmpeg -f lavfi -i mandelbrot -f lavfi -i anullsrc -c:v vp8 \
-g 5 -r 5 -c:a libopus -use_template 0 -seg_duration 1 \
-t 15 -y test_720.mpd
ffprobe -show_packets test_720.mpd
