Commit Graph

26148 Commits

Author SHA1 Message Date
Michael Niedermayer
615f29e301 avformat/rpl: Fix check for negative values
Fixes: signed integer overflow: 10 * -1923267925333400000 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 378891963/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5714338935013376
Found-by: ossfuzz
Reported-by: Kacper Michajlow <kasper93@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eab65379bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:48 +01:00
Michael Niedermayer
cac9112bf3 avformat/mlvdec: Check avio_read()
Fixes: use-of-uninitialized-value
Fixes: 383170476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-4696002884337664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bb85423142)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:48 +01:00
Michael Niedermayer
a5ce143895 avformat/mov: dereference pointer after null check
Fixes: null pointer dereference
Fixes: 383397479/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4776829338058752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 954d55c2a4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:47 +01:00
Michael Niedermayer
1cb5caeb5b avformat/matroskadec: Check pre_ns for overflow
Fixes: signed integer overflow: -3483479120376300096 - 7442323944145700864 cannot be represented in type 'long'
Fixes: 383187489/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4561470580391936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 361d24e6d9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:47 +01:00
Michael Niedermayer
9285b93143 avformat/qcp: Check for read failure in header
Fixes: Use of uninitialized value
Fixes: 71551/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-4647386712965120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f52b9d0583)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:43 +01:00
Michael Niedermayer
851bc9927d avformat/dxa: check bpc
Fixes: integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 373971762/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-4880491112103936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e020f2141)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:42 +01:00
Michael Niedermayer
3417e955c3 avformat/icodec: fix integer overflow with nb_pal
Fixes: runtime error: signed integer overflow
Fixes: 42536949/clusterfuzz-testcase-minimized-fuzzer_loadfile-6199846684393472
Found-by: ossfuzz
Reported-by: Kacper Michajlow
Tested-by: Kacper Michajlow
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 84569b6c22)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:40 +01:00
Michael Niedermayer
c7aa0c4ecd avformat/vividas: Check avio_read() for failure
Fixes: use of uninitialized value (untested)
Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5505802505355264

Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96d45c3b21)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:39 +01:00
Michael Niedermayer
445065e23a avformat/ilbc: Check avio_read() for failure
Fixes: use of uninitialized value
Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6656646223298560-cut

Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e30d957a9b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:38 +01:00
Michael Niedermayer
1f1b309f9e avformat/nistspheredec: Clear buffer
Fixes: use-of-uninitialized-value
Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-6515855798632448-cut

Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 898f6582eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:38 +01:00
Michael Niedermayer
e2394166bf avformat/mccdec: Initialize and check rate.den
Fixes: Assertion c > 0 failed at libavutil/mathematics.c:61
Fixes: use-of-uninitialized-value
Fixes: 42537627/clusterfuzz-testcase-minimized-fuzzer_protocol_memory-5939605805793280

Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf8e43083f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:38 +01:00
Michael Niedermayer
241e87afa4 avformat/rpl: check channels
Fixes: 42537199/clusterfuzz-testcase-minimized-fuzzer_loadfile_direct-5447162658357248
Fixes: runtime error: signed integer overflow: -3330498059201358222 * 4 cannot be represented in type 'int64_t' (aka 'long')

Found-by: ossfuzz
Reported-by: Kacper Michajlow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit beca13a42e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:37 +01:00
Michael Niedermayer
0288fedf18 avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen
Fixes: use of uninitialized variable
Fixes: 368729566/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-6044501804646400

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db7b4fc89f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:37 +01:00
Michael Niedermayer
6b02047811 avformat/mxfdec: Fix overflow in midpoint computation
Fixes: signed integer overflow: 4611686016549392399 + 9223372033098784800 cannot be represented in type 'long long'
Fixes: 368503277/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5928227458056192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 23088a5ff2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:36 +01:00
Michael Niedermayer
631976108c avformat/matroskadec: Check desc_bytes so bits fit in 64bit
Likely a tighter check can be done

Fixes: signed integer overflow: 3305606804154370442 * 8 cannot be represented in type 'long'
Fixes: 70449/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4771166007918592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4122406f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:33 +01:00
Michael Niedermayer
ba89c5d1eb avformat/mov: Avoid overflow in dts
This basically ignores the overflow without undefined behavior; alternatively we could detect and error out

Fixes: signed integer overflow: 6310596683470275584 + 7660622966157213696 cannot be represented in type 'long'
Fixes: 70433/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5483347233538048
Fixes: 369662284/clusterfuzz-testcase-minimized-media_metadata_parser_fuzzer-5327368763670528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 057b8c2066)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-01-03 18:28:32 +01:00
James Almer
4f5769e052 avformat/iamf_writer: ensure the stream groups are not empty
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit cedd9151f8)
2025-01-02 15:54:09 -03:00
James Almer
b168ed9b14 avformat/iamf_writer: fix setting num_samples_per_frame for OPUS
As per section 3.11.1 of the IAMF spec, the sample rate used in Codec Config
for Opus shall be 48kHz, regardless of the original sample rate used during
encoding.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 76049d1c45)
2024-12-19 22:12:15 -03:00
James Almer
871c69a28b avformat/iamf_parse: fix setting duration for the last subblock in a parameter definition
When subblock durations are constant, the last block may be smaller and the
value needs to be calculated.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit fb5e8ea971)
2024-12-19 22:12:15 -03:00
James Almer
888a6b54bc avformat/iamf_parse: add checks to parameter definition durations
Section 3.6.1 of the IAMF spec states "When constant_subblock_duration is equal to 0, the summation of all
subblock_duration in this parameter block SHALL be equal to duration.".

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d38fc25519)
2024-12-19 22:12:15 -03:00
Michael Niedermayer
88126fc4ec avformat/iamf_parse: reject ambisonics mode > 1
ambisonics mode > 1 does not initialize any layer but layer 0
is unconditionally dereferenced

Fixes: poc-2024-11
Fixes: null pointer dereference
Found-by: 苏童 <220235212@seu.edu.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4cc1495aca)
2024-12-19 22:12:15 -03:00
James Almer
dc9d9b8636 avformat/mov: don't unconditionally set all audio packets in fragments as key frames
Some audio codecs, like TrueHD, have non key frames.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 8ddbc26ded)
2024-12-01 12:53:33 -03:00
James Almer
f1592a7ff1 avformat/matroskadec: set all frames in a keyframe simple box as keyframes
And not just the first, as it was being done for lacing. The spec states that the
flag applies to everything inside the simple box.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit f656c00bd9)
2024-12-01 12:53:33 -03:00
James Almer
13282e61b8 avformat/test/movenc: set audio packets as key frames
Don't depend on the generic code setting this.
This is in preparation for a following change.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit f938b2b3f5)
2024-12-01 12:53:33 -03:00
James Almer
33588a3749 avformat/movenc: write stss boxes for xHE-AAC
This is in preparation for a following change.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 23a1c021f2)
2024-12-01 12:53:33 -03:00
James Almer
e07d7c75db avformat/spdifdec: parse headers for audio codecs
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 4e6d31755b)
2024-12-01 12:53:33 -03:00
James Almer
8fa5fa1463 avformat/movenc: don't disable edit lists when writing CMAF output
They are needed for audio tracks with priming samples, where negative CTS
offsets can't be used.

Fixes ticket #11031.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit ecc7d5db9c)
2024-12-01 12:53:33 -03:00
James Almer
3513ccccb6 avformat/movenc: don't write a calculated avgBitrate when the provided one is unset
avgBitrate == 0 is used to signal a VBR track, so if that value is propagated by an
encoder, don't overwrite it with a calculated value based on track size.

Part of a fix for ticket #11303.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 944212acad)
2024-12-01 12:47:30 -03:00
James Almer
f8fcebae95 avformat/mov: use an array of pointers for heif_item
Pointers to specific entries in the array are stored in other structs, so
in the scenario where heif_item was reallocated when parsing an iloc box after
an iinf one, the pointers may end up referencing freed memory.

Fixes use-after-free with such samples.

Signed-off-by: James Almer <jamrial@gmail.com>
2024-11-17 12:14:17 -03:00
James Almer
23697c3f02 avformat/mov: split off heif item initialization to its own function
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d5eb0e7fb3)
2024-11-17 12:14:17 -03:00
James Almer
779b0fe015 avformat/mov: factorize getting the current item
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 58c265d956)
2024-11-17 12:14:17 -03:00
Zhao Zhili
8be6e56a53 avformat/img2enc: Fix integer truncation when frame_pts is enabled
Fix #11194

Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit f56a54387b)
2024-10-03 23:25:43 +08:00
Zhao Zhili
ff93c1898d avformat/internal: Add ff_get_frame_filename
It's similar to av_get_frame_filename2 but with int64_t number
support. Make av_get_frame_filename* a wrapper over
ff_get_frame_filename.

Co-authored-by: Filip Mašić <shoutplenty@gmail.com>
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit a2d9663241)
2024-10-03 22:47:51 +08:00
James Almer
12682eba2e avformat/mov: don't return the latest stream when an item stream is expected
Otherwise, things like ICC profiles as read from the colr box meant for an item
with no stream (like a grid) may end up being added to the wrong stream.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 04182b5549)
2024-09-30 17:28:44 -03:00
Michael Niedermayer
e1094ac45d */version.h: bump minor versions for release/7.1
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-09-24 17:07:30 +02:00
Michael Niedermayer
fde8637fda avformat/asf: Check picsize
Fixes: signed integer overflow: 1073750247 * 2 cannot be represented in type 'int'
Fixes: 70722/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5447231587549184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-09-24 15:37:15 +02:00
James Almer
0dd6f1d5bf avformat/mov: fix setting index of LCEVC enhancement stream
Signed-off-by: James Almer <jamrial@gmail.com>
2024-09-23 23:11:12 -03:00
Jonathan Baudanza
6b3f9c2e92 avformat/rtpdec: fix integer overflow in start_time_realtime calculation
I encountered this problem with NTP timestamps that are extremely old,
like from January, 1990.

Although RFC3550 suggests that the timestamps in the RTCP packets use
the actual wallclock, some implementations use other clocks, such as
the CLOCK_MONOTONIC on linux.

In my case, I'm dealing with packets from mediasoup.

Without this patch, start_time_realtime shows up in the distant future
instead of around Jan 1900.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
2024-09-23 17:08:33 +02:00
James Almer
5fa9c4e596 avformat/mov: support for LCEVC tracks
Co-authored-by: V-Nova Team <systems@v-nova.com>
Signed-off-by: James Almer <jamrial@gmail.com>
2024-09-19 10:01:24 -03:00
James Almer
ba0ef0860f avformat: add an LCEVC stream group
Signed-off-by: James Almer <jamrial@gmail.com>
2024-09-19 10:01:02 -03:00
Michael Niedermayer
6be3786c82 avformat/mxfdec: Check timecode for overflow
Fixes: signed integer overflow: 9223372036840103968 + 538976288 cannot be represented in type 'long'
Fixes: 70604/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4844090340999168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-09-19 00:43:22 +02:00
Michael Niedermayer
5a96aa435a avformat/mxfdec: More offset_temp checks
Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long'
Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <git@haerdin.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-09-19 00:39:21 +02:00
Michael Niedermayer
176db9db6e avformat/flvdec: Free metaVideoColor
Fixes: memleak
Fixes: 70659/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-4539872627458048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-09-19 00:24:27 +02:00
Tomas Härdin
665bf46ac2 lavf/mxfdec: Handle KLV fill
2024-09-18 21:43:06 +02:00
Tomas Härdin
8f2ba4333d lavf/mxfdec: Switch to mxf_metadata_read_table loop to FF_ARRAY_ELEMS, skip if read == NULL
2024-09-18 21:43:06 +02:00
James Almer
1c706cec46 avformat/mov_chan: add extra checks to channel description count
Make sure it's not zero, and equal to or bigger than the number of channels

Fixes: Timeout / DOS
Fixes: 67143/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-4858720481771520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
2024-09-17 15:41:45 -03:00
Marth64
8707c8660d avformat/dvdvideodec: implement seeking
Player applications can now enjoy seeking while playing back
a title. Accuracy is at the mercy of what libdvdnav exposes,
which is currently dvdnav_time_search().

Signed-off-by: Marth64 <marth64@proxyid.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2024-09-15 13:53:00 +02:00
sfan5
e66f977494 lavf/tls_mbedtls: restrict TLSv1.3 verification workaround to affected version
Now that mbedTLS 3.6.1 is released we know that only 3.6.0 contains this regression.

ref: c28e5b597e
Signed-off-by: sfan5 <sfan5@live.de>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
2024-09-15 13:50:18 +02:00
jiangjie
f606872ed0 avformat/dashdec: The segments in a dash file aren't read completely when the segment's size and duration are very small.
If the segment is very small, avformat_find_stream_info
will read all audio/video data in this segment.
cur->is_restart_needed is set to 0 later in dash_read_packet,
and has no chance to be set to 1 again in the read_data function.

Reproduction:
ffmpeg -f lavfi -i mandelbrot -f lavfi -i anullsrc -c:v vp8 \
 -g 5 -r 5 -c:a libopus -use_template 0 -seg_duration 1 \
 -t 15 -y test_720.mpd
ffprobe -show_packets test_720.mpd
2024-09-14 11:42:09 +08:00
Marvin Scholz
6229e4ac42 avformat/mxfdec: narrow variable scopes
2024-09-13 19:48:15 +02:00