This blocks disallowed extensions from probing
It also requires all available segments to have matching extensions to the format
mpegts is treated independent of the extension
It is recommended to set the whitelists correctly
instead of depending on extensions, but this should help a bit,
and this is easier to backport
Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
The other parts of CVE-2023-6602 have been fixed by prior commits
Found-by: Harvey Phillips of Amazon Element55 (element55)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 91d96dc8dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
When running the cleanup in rtmp_close on failures in rtmp_open,
we can in rare cases end up using rt->playpath, assuming that it
is still set.
The crash could happen if we hit the fail codepath in rtmp_open
while publishing (rt->is_input == 0) with rt->state set to
a value > STATE_FCPUBLISH.
This would normally not happen while publishing; either we have
an error (and rt->state <= STATE_FCPUBLISH) or we reach
rt->state = STATE_PUBLISHING, and then we also return successfully
from rtmp_open.
The unexpected combination of states could happen if the server
responds with e.g. "NetStream.Play.Stop" while expecting
"NetStream.Publish.Start"; this sets rt->state to STATE_STOPPED,
which also fulfills the condition "> STATE_FCPUBLISH".
We don't need to free the rt->playpath/tcurl/flashver strings here;
they're handled via AVOption, and thus are freed automatically when
the protocol instance is freed (that's why they aren't freed
manually within the rtmp_close function either).
We also don't need to free the AVDictionary with options; it's
owned by the caller.
A smaller fix would be to just call rtmp_close before freeing
the strings and dictionary, but as we don't need to free them
at all, let's remove that redundant code.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8f4819ce01)
Fixes: signed integer overflow: 7803923888585309955 - -3407677434275325337 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 377736723/clusterfuzz-testcase-minimized-media_pipeline_integration_fuzzer-5052449500889088
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 02958ab715)
Fixes: undefined NULL pointer use
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632
This performs equivalent sanity checks as are done in mov_read_trak()
before mov_build_index()
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afbc3a1b23)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized value
Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9578c135d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Don't reject extradata with missing PS NALUs if array_completeness is not
requested.
Fixes a regression since a696b28886.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5813e5aa34)
This was previously adjusted by me in 6b3f9c2e92.
Unfortunately, I traded one integer overflow bug for
another.
Currently, NTP timestamps that exceed INT64_MAX
(~Jan 20, 1968) will cause an overflow when passed
to av_rescale.
This patch replaces av_rescale, which operates on
int64_t, with ff_parse_ntp_time, which operates on
uint64_t. This will give the correct values for
timestamps back around the NTP epoch and present day
timestamps.
Fixes ticket #11388.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit c0fbb6d5b7)
Written in the dominant style of the surrounding code block.
Signed-off-by: Marth64 <marth64@proxyid.net>
Reviewed-by: Steven Liu <lq@chinaffmpeg.org>
(cherry picked from commit f46415f373)
When using fast chapter marker calculation (default), the last
marker is inadverdently ignored due to an off-by-one.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit a5a899bfcb)
There is no reason to accept timestamp values beyond what dvdnav
reported as the duration of the title.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit 1d55f54846)
Some DVD muxers signal segments to start with duplicate audio samples
when starting extraction from a chapter marker or terminate seamless PGs
on partial audio samples (causing corrupt AC3 frames). Clean up after
these muxers by tracking frames with duplicate PTS and eliminating
partial AC3 frames.
This results in smoother chapter extraction and overall seeking experience,
with linear PTS and AC3 delay within 32ms (1 frame) away from the video.
The issue was not apparent until the flushing pattern was replaced with
a full subdemux reset, as the flushing dropped the frames prematurely,
along side others, as such they were never present to begin with.
(cherry picked from commit 0912407b9d)
The packets effectively serve no purpose and we are already
dropping packets with PTS less than 0. This also creates
for a smoother seeking experience after the subdemuxer
reset fix.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit f2f238c3a4)
It is wasteful to open the subdemuxer if an error occurs while
initializing streams or reading IFO headers.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit a2c57e27d6)
The "auto" mode serves no functional purpose except for logging
a message and setting the value to 1. The documentation clearly
explains what the option is for.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit 60434b483c)
Menu 0 is the VIDEO_TS root menu, which does not appear to be used
commonly for menu segments. Instead, default to the menu of VTS 1.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit 4a03e95ff4)
Some discs present titles with bogus NAV packets. We apply this check
for menus and for title MPEG blocks, but we should also apply it
for NAV packets during title demuxing.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit afc152f564)
DVDs naturally consist of segmented MPEG-PS blobs within a VOB
(i.e. VOBs are not linear). NAV packs set the segment boundaries.
When switching between segments, discontinuities occur and thus
the subdemuxer needs to be reset. The current approach to manage
this is by invoking ff_read_frame_flush() on the subdemuxer context,
via a callback function which is invoked during the menu or dvdnav
block functions. The same subdemuxer context is used throughout
the demux, with a stretched PTS wrap bits value (64) + disabled
overflow correction, and then flushed on each segment. Eventually,
a play_end context variable is set to declare EOF.
However, this approach causes frame drops. The block read flushes the
demuxer before the frame read is complete, causing frames to drop
on discontinuity. The play_end signal likewise ends playback before
the frame read is complete, causing frames to drop at end of the title.
To compound the issue, the PTS wrap bits value of 64 is wrong;
the VOBU limit is actually 32 and the overflow correction should work.
Instead, EOF the MPEG-PS subdemuxer organically when each VOB segment
ends, and re-open it if needed with the offset after the full frame read
is complete. In doing so, correct the PTS wrap behavior to 32 bits and
remove the play_end/segment_started signals and callback pattern.
Note that the timestamps as reported by the NAV packets are known as
"PTMs", so the fields storing the time prior to adjustment are renamed
accordingly. This makes it more clear when we are offsetting the
NAV packet reported timestamps versus what we present as a demuxer.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit a1ae66c827)
The function has a few branches where it discards frames via
FFERROR_REDO; consolidate is via a goto block to simplify the
function and improve readability. Logging still maintains
all the relevant details for the reason of the discard.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit 1964faa568)
Menus are generally segmented by cell, so use them as the
marker delimiters. Requires preindex option to be enabled.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit c1e4b6c676)
This consolidates the FFERROR_REDO handling of NAV packets to
dvdvideo_subdemux_read_data(), is a pre-requisite to calculating
chapter markers for menus, and a pre-requisite to fixing the
frame desync issue when the subdemuxer is flushed.
Signed-off-by: Marth64 <marth64@proxyid.net>
(cherry picked from commit b38ca20bf2)
