Commit Graph

98167 Commits

Author SHA1 Message Date
James Almer
b303fe926e avcodec/av1_parser: add missing parsing for RGB pixel format signaling
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit af6cddae1fe9cf378e961d9a2a36dd7234996ab3)
2020-07-02 22:26:39 -03:00
James Almer
8f5f453998 avcodec/av1_parser: set context values outside the OBU parsing loop
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 634a44db5a621e59079fbeb00ec62f2f6c9fdd8b)
2020-07-02 22:26:39 -03:00
Michael Niedermayer
836f6fb567 avutil/avsscanf: Add () to avoid integer overflow in scanexp()
Fixes: signed integer overflow: 2147483610 + 52 cannot be represented in type 'int'
Fixes: 23260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-5187871274434560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 42b28565aa852b98d95d8d02f7b0781999f9d533)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Michael Niedermayer
3571d9d654 avformat/utils: reorder duration computation to avoid overflow
Fixes: signed integer overflow: 8 * 9223372036854774783 cannot be represented in type 'long'
Fixes: 23381/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4818340509122560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 10cc82c35baabbb07ffec3faccb04d8928c39e4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Michael Niedermayer
f27a510211 avcodec/pngdec: Check for fctl after idat
Fixes: out of array access
Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65b1ba680fb67902a9c876a49d0146eaae5a1c3d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Michael Niedermayer
a3fdeb0c3a avformat/hls: Pass a copy of the URL for probing
The segments / url can be modified by the io read when reloading

This may be an alternative or additional fix for Ticket8673
as a further alternative the reload stuff could be disabled during
probing

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5e39880fb7269b1b3577cee288e06aa3dc1dfa2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Michael Niedermayer
199d6a049a avutil/common: Fix integer overflow in av_ceil_log2_c()
Fixes: left shift of 1913647649 by 1 places cannot be represented in type 'int'
Fixes: 23572/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5082619795734528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e409262837712016097c187e97bf99aadf6a4cdf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Michael Niedermayer
f4affa071a avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms
Fixes: signed integer overflow: 2048 + 2147483646 cannot be represented in type 'int'
Fixes: 23538/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5227567073460224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 21598d711d894081d0566282473044ba4f378f33)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Michael Niedermayer
c05d51c067 avformat/mvdec: Fix integer overflow with billions of channels
Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int'
Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b6fbbe08c325415cc784df296058beb6604f0b9c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Michael Niedermayer
3ce81bf960 avformat/microdvddec: skip malformed lines without frame number.
Fixes: signed integer overflow: 1 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 23490/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5133490093031424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a8fb7612a97530bdd0b2549dacf91dcf71a3187a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-02 10:20:36 +02:00
Guo Yejun
dd273d359e dnn_backend_native: check operand index
it fixed the issue in https://trac.ffmpeg.org/ticket/8716
(cherry-pick from 0b3bd001ac1745d9d008a2d195817df57d7d1d14)
Signed-off-by: Guo, Yejun <yejun.guo@intel.com>
2020-07-02 09:03:24 +08:00
Guo Yejun
5530748bfd dnn_backend_native.c: refine code for fail case
(cherry-pick from fc932195ab0c9c00fa0cd9620c60763d978d495b)
Signed-off-by: Guo, Yejun <yejun.guo@intel.com>
2020-07-02 09:01:41 +08:00
Zhao Zhili
143e2d0d66 avformat/mov: fix memleaks
Fix two cases of memleaks:
1. The leak of dv_demux
2. The leak of dv_fctx upon dv_demux allocate failure

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-01 19:02:29 +02:00
Andreas Rheinhardt
7c1ad9d151 libavformat/mov: Fix memleaks when demuxing DV audio
The code for demuxing DV audio predates the introduction of refcounted
packets and when the latter was added, changes to the former were
forgotten. This meant that when avpriv_dv_produce_packet initialized the
packet containing the AVBufferRef, the AVBufferRef as well as the
underlying AVBuffer leaked; the actual packet data didn't leak: They
were directly freed, but not via their AVBuffer's free function.

https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2
contains samples for this (enable_drefs needs to be enabled for them).

Moreover, errors in avpriv_dv_produce_packet were ignored; this has been
changed, too.

Furthermore, in the hypothetical scenario that the track has a palette,
this would leak, too, so reorder the code so that the palette code
appears after the DV audio code.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-01 19:01:56 +02:00
Andreas Rheinhardt
b3d8e13a88 avcodec/cbs_av1: Fix writing uvlc numbers >= INT_MAX
Fixes: assertion failure
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 23264/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6308429248593920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 6f06c17a55137855c67ba4a7b6778ca34ddbbe6b)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-01 19:01:31 +02:00
Andreas Rheinhardt
3cf212f6c8 avformat/avc, mxfenc: Avoid allocation of H264 SPS structure, fix memleak
Up until now, ff_avc_decode_sps would parse a SPS and return some
properties from it in a freshly allocated structure. Yet said structure
is very small and completely internal to libavformat, so there is no
reason to use the heap for it. This commit therefore changes the
function to return an int and to modify a caller-provided structure.
This will also allow ff_avc_decode_sps to return better error codes in
the future.

It also fixes a memleak in mxfenc: If a packet contained multiple SPS,
only the SPS structure belonging to the last SPS would be freed, the
other ones would leak when the pointer is overwritten to point to the
new SPS structure. Of course, without allocations there are no leaks.
This is Coverity issue #1445194.

Furthermore, the SPS structure has been renamed from
H264SequenceParameterSet to H264SPS in order to avoid overlong lines.

Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a0b6df0a3953e2586e63f513485c4d2d42507d7f)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-01 19:00:19 +02:00
Andreas Rheinhardt
284fffa92f avcodec/bitstream: Don't check for undefined behaviour after it happened
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-01 18:59:57 +02:00
Andreas Rheinhardt
d8407afe02 avformat/aviobuf: Also return truncated buffer in avio_get_dyn_buf()
Two kinds of errors can happen when working with dynamic buffers:
(Re)allocation errors or truncation errors (one has to truncate the
buffer to a size of INT_MAX because avio_close_dyn_buf() and
avio_get_dyn_buf() both return an int). Right now, avio_get_dyn_buf()
returns an empty buffer in either case. But given that
avio_get_dyn_buf() does not destroy the dynamic buffer, one can return
the buffer in case of truncation and let the user check the error flags
and decide for himself instead of hardcoding a single way to proceed
in case of truncation.

(This actually restores the behaviour from before commit
163bb9ac0af495a5cb95441bdb5c02170440d28c.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c33e56c7a6a8bef7d95e1d36eb2f35748d475695)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-01 18:59:27 +02:00
Andreas Rheinhardt
b6546add07 avformat/aviobuf: Don't check for overflow after it happened
If adding two ints overflows, it doesn't matter whether the result will
be stored in an unsigned or not; and checking afterwards does not make it
retroactively defined.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 28a078eded1c29985ed078b59d48ff59cf00394b)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-01 18:58:10 +02:00
Michael Niedermayer
8e12af29d1 avcodec/tiff: Check stride for dng
Fixes: assertion failure
Fixes: 23422/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5746026064642048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 276dfa9d91ee50183824612803891b7d066e8f00)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-06-15 20:41:15 +02:00
Andreas Rheinhardt
716b5c6ec9 avformat/mov: Fix reel_name size check
Only read str_size bytes from offset 30 of extradata if the extradata is
indeed at least 30 + str_size bytes long.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110)
2020-06-15 17:30:33 +02:00
Andreas Rheinhardt
9d921e38f4 avformat/mov: Fix memleak upon encountering repeating tags
mov_read_custom tries to read three strings belonging to three different
tags. When an already encountered tag is encountered again, a new buffer
for the string to be read is allocated and stored in the pointer
destined for this particular tag. But in this scenario, said pointer
already holds the address of the string read earlier, leading to a leak.

This commit therefore aborts the reading process upon encountering
an already encountered tag.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d)
2020-06-15 17:30:33 +02:00
Andreas Rheinhardt
c49dfee90b avformat/matroskaenc: Don't use NULL for %s format string
The argument pertaining to a printf %s conversion specifier must not
be NULL, even if the precision (i.e. the number of characters to write)
is zero. If it is NULL, it is undefined behaviour.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d)
2020-06-15 17:30:33 +02:00
Andreas Rheinhardt
3f3cfddb37 avformat/webvttdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31)
2020-06-15 17:30:33 +02:00
Andreas Rheinhardt
b7897f0319 avformat/vplayerdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c)
2020-06-15 17:30:33 +02:00
Andreas Rheinhardt
6eac7d79f4 avformat/tedcaptionsdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if allocating the AVStream for the subtitles fails.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8)
2020-06-15 17:30:33 +02:00
Andreas Rheinhardt
04e1d16f65 avformat/subviewerdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a708f652737eba08607df84394ca4bec6b458736)
2020-06-15 17:30:32 +02:00
Andreas Rheinhardt
49b60a9a52 avformat/subviewer1dec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338)
2020-06-15 17:30:32 +02:00
Andreas Rheinhardt
3201350dc7 avformat/stldec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f)
2020-06-15 17:30:32 +02:00
Andreas Rheinhardt
157bbc779c avformat/srtdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390)
2020-06-15 17:30:32 +02:00
Andreas Rheinhardt
bf29cf8eb6 avformat/sccdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275)
2020-06-15 17:30:28 +02:00
Andreas Rheinhardt
6e64260a19 avformat/samidec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle
or when creating extradata.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb)
2020-06-15 17:25:47 +02:00
Andreas Rheinhardt
7754a2ea12 avformat/pjsdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 9df560e8986640e20c62286f0baee2a80540accd)
2020-06-15 17:25:47 +02:00
Andreas Rheinhardt
d84b9ab4ab avformat/mpsubdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon creating an AVStream.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a5ed8aeea4f4199e89520c3fdbd9d07ae7fc3c3f)
2020-06-15 17:25:47 +02:00
Andreas Rheinhardt
f172490742 avformat/mpl2dec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 331799747e7e995710f5dfc4d413cda35eb01289)
2020-06-15 17:25:47 +02:00
Andreas Rheinhardt
330a757d41 avformat/microdvddec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle
or when allocating extradata.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit b12014a5b861959fd41a32ba3ff4cb139c56efcd)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
ea27fe480e avformat/lrcdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit d38694cea9f289b3f9dcce1a2f07746d029b35f3)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
db2002aee7 avformat/jacosubdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c13a752733a9af955b032c55f704b748fe37dd19)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
788a7c027b avformat/assdec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle
or if creating the extradata failed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 5ab39c2d8c1e5e00b48d758eee7d5ae435a99ef7)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
7c0a9ff9c0 avformat/aqtitledec: Fix memleak upon read header failure
The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a86a5d06d8967d01964833456df1df9fc186f125)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
30d66abc80 avformat/mov: Fix memleaks upon read_header failure
By default, a demuxer's read_close function is not called automatically
if an error happens when reading the header; instead it is up to the
demuxer to clean up after itself in this case. The mov demuxer did this
by calling its read_close function when it encountered some errors when
reading the header. Yet for other errors (mostly adding side-data to
streams) this has been forgotten, so that all the internal structures
of the demuxer leak.

This commit fixes this by making sure mov_read_close is called when
necessary.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ac378c535be907ee383dafb430be7216a2920982)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
5171e0ee18 avformat/omadec: Fix memleaks upon read_header failure
Fixes possible leaks of id3v2 metadata as well as an AVDES struct in
case the content is encrypted and an error happens lateron.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 3d3ba43bc68ca90fe72d0fc390c9e5f5c7de1513)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
245d0f1889 avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer
In certain error scenarios, the underlying Matroska demuxer was not
properly closed, causing leaks.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 0841063ce6a2e664fb3986b0a255c57392cd9f02)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
0260352d92 avformat/matroskadec: Use right number of tracks
When demuxing a Matroska/WebM file, streams are added for tracks and for
attachments, so that the array containing the former can be NULL even
when the corresponding AVFormatContext has streams. So check for there
to be tracks in the MatroskaDemuxContext instead of just streams in the
AVFormatContext before dereferencing the pointer to the tracks.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 1ef30571a0a7150cb20c580bfc52af2a7101c20d)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
a2ab8babef avformat/matroskadec: Fix handling gigantic durations
matroska_parse_block currently asserts that the duration is not equal to
AV_NOPTS_VALUE, but there is nothing that actually guarantees this. It
is easy to create (spec-compliant) files which run into this assert;
so replace it and instead cap the duration to INT64_MAX, as the duration
field of an AVPacket is an int64_t.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 3714d452b894821591a2fbafdd1b8ef15abe4be6)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
751f285152 avformat/matroskadec: Move AVBufferRef instead of copying, fix memleak
EBML binary elements are already made reference-counted when read;
so when populating the AVStream.attached_pic, one does not need to
allocate a new buffer for the data; instead the current code just
creates a new reference to the underlying AVBuffer. But this can be
improved even further: Just move the already existing reference.

This also fixes a memleak that happens upon error because
matroska_read_close has not been called in this scenario.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit cbe336c9e81e2d9de3a18abef887c9255a9b9da5)
2020-06-15 17:25:46 +02:00
Andreas Rheinhardt
2c738c7521 avformat/hlsenc: Always treat numbers as decimal
c801ab43c3 caused a regression: The stream
number is now parsed with strtoll without a fixed basis; as a
consequence, the "010" in a variant stream mapping like "a:010" is now
treated as an octal number (i.e. as eight, not ten). This was not
intended and may break some scripts, so this commit restores the old
behaviour.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 19a876fd6973724521dd5e7cc8f8e4683b19eda4)
2020-06-15 05:35:07 +02:00
Andreas Rheinhardt
82d70d8038 avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input
The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit
is so big that it extends beyond the end of the input packet; it does so
only implicitly by using the checked version of the bytestream2 API.
But this has downsides compared to real checks: It can lead to huge
allocations (up to 2GiB) even when the input packet is just a few bytes.
And furthermore it leads to uninitialized data being output.
So add a check to error out early if it happens.

Also check directly whether there is enough data for the length field.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5)
2020-06-15 04:18:16 +02:00
Michael Niedermayer
cc948a1c8c RELEASE_NOTES: Based on the version from 4.1
Name suggested by Kieran O Leary and Reto Kromer

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-06-14 22:02:34 +02:00
Michael Niedermayer
5c1e458b34 avformat/mxfdec: free duplicated utf16 strings
Fixes: memleak
Fixes: 23415/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5124814510751744

Suggested-by: Marton Balint <cus@passwd.hu>
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0aa2768cb275bda9e9e1331ed95adc7cd686eafe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-06-14 22:02:34 +02:00