All one needs is one byte beyond the end of the normal data; and because
the packet is padded, one already has it.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The current code tries the access the codecpar of a nonexistent
audio stream when seeking. Stop that. Fixes ticket #9121.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The DSS demuxer currently decrements a counter that should be positive
at the beginning of read_packet; should it become negative, it means
that the data to be read can't be read contiguosly, but has to be read
in two parts. In this case the counter is incremented again after the
first read if said read succeeded; if not, the counter stays negative.
This can lead to problems in further read_packet calls; in tickets #9020
and #9023 it led to segfaults if one tries to seek lateron if the seek
failed and generic seek tried to read from the beginning. But it could
also happen when av_new_packet() failed and the user attempted to read
again afterwards.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
All instances of adding attached pictures to a stream or adding
a stream and an attached packet to said stream have several things
in common like setting the index and flags of the packet, setting
the stream disposition etc. This commit therefore factors this out.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: out of array write
Fixes: 32116/clusterfuzz-testcase-minimized-ffmpeg_dem_SIMBIOSIS_IMX_fuzzer-6702533894602752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Print every error in the stack, if more than one, and don't print
bogus errors if there's none logged within OpenSSL.
Retain the underlying IO error code, print an error message out of
it, and pass the error code on to the caller.
Signed-off-by: Martin Storsjö <martin@martin.st>
Fixes: signed integer overflow: -9223372036854775760 - 50 cannot be represented in type 'long'
Fixes: 31673/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-580134751869337
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long'
Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Both functions to read attached pictures coincide since
e83f27a21a (save for some log messages
in case av_dict_set failed).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Timestamp difference is available in media timebase (1/90K) where as
rtcp time is in the default microseconds timebase. This patch fixes
the calculated prft wallclock time by rescaling the timestamp delta
to the microseconds timebase.
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: signed integer overflow: 539033600 - -1910497124 cannot be represented in type 'int'
Fixes: 30928/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5922630966312960
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 136323327 * 281474976710656 cannot be represented in type 'long'
Fixes: 30913/clusterfuzz-testcase-minimized-ffmpeg_dem_IVF_fuzzer-5753392189931520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The check has been added at a time when the code performed the
multiplication itself instead of deferring it to av_malloc_array()
and when our allocation functions used unsigned instead of size_t.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The check has been added at a time when the code performed the
multiplication itself instead of deferring it to av_malloc_array()
and when our allocation functions used unsigned instead of size_t.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This check is outdated because the caller doesn't need to check that
the multiplication overflows when using av_realloc_array() (the code
in question used av_realloc() before that); furthermore, the check
is also a remnant of the time in which our allocation functions
didn't use size_t parameters.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Affects the FATE-tests webm-dash-manifest-unaligned-video-streams,
webm-dash-manifest and webm-dash-manifest-representations.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: signed integer overflow: -1957694447 + -1620425806 cannot be represented in type 'int'
Fixes: 30207/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5050791771635712
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 30209/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-5724831658147840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This is important, for example, for connection timed out events,
when used over a network, returning AVERROR(ETIMEDOUT).
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Fixes: signed integer overflow: 2 * 1914708000 cannot be represented in type 'int'
Fixes: 31639/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6303428239294464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long'
Fixes: 31003/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6256298771480576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Also free the gme_info_t structure immediately after its use.
This simplifies cleanup, because it might be unsafe to call
gme_free_info(NULL) (or even worse, gme_track_info() might even
on error set the pointer to the gme_info_t structure to something
else than NULL).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
When the trailer is never written (or when a stream switches from
non-animation mode to animation mode mid-stream), a cached packet
(if existing) would leak. Fix this by adding a deinit function.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The WebP muxer sometimes caches a packet it receives to write it later;
yet if a cached packet is too small (so small as to be invalid),
it is cached, but not written and not unreferenced. Such a packet leaks,
either by being overwritten by the next packet or because it is never
unreferenced at all.
Fix this by not caching unusable packets at all; and error out on
invalid packets.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Replace it in ipmovie_read_header() by AVFormatInternal.parse_pkt
which is unused when reading the header.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
They will be discarded anyway because this can only happen
for invalid data. This already implies that the pkt won't be used
at all when parsing the very first chunk when reading the header,
so one can use NULL as argument and remove the av_packet_unref()
on error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
When one of these errors happens during ipmovie_read_packet(),
an error is returned and the packet is cleaned up generically.
And since 712d3ac539 the same happens
in ipmovie_read_header().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Replace it by using AVFormatInternal.parse_pkt which is otherwise unused
when reading a header.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Before 8d78e90a6b the Matroska demuxer
used stack packets to hold temporary packets; now it uses a temporary
packet allocated by the Matroska demuxer. Yet because it used stack
packets the code has always properly reset the packet on error, while
on success these temporary packets were put into a packet list via
avpriv_packet_list_put(), which already resets the source packet.
This means that this code is compatible with just reusing
AVFormatInternal.parse_pkt (which is unused while one is in the
demuxer's read_packet() function). Compared to before 8d78e90a6
this no longer wastes one initialization per AVPacket read
(the resetting of the stack packet performed by av_packet_move_ref()
in avpriv_packet_list_put() was for naught).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Originally added in 12f996edfa
behind #if 0; aebb56e184 then
removed the #if and replaced it by using av_dlog. Then commit
1a3eb042c7 replaced this with av_log
at trace level. Yet the code block always stayed within { }
at an increased level of indentation.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This makes av_read_frame() return packets with proper timestamps.
As a result, seeking now works in combination with streamcopy.
A FATE-test for this has been added.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Currently, ff_read_packet() sometimes forwards the return value of
AVInputFormat.read_packet() (which should be zero on success, but isn't
for all demuxers) and sometimes it overwrites this with zero.
Furthermore, it uses two variables, one for the read_packet return value
and one for other errors, which is a bit confusing; it is also
unnecessary given that the documentation explicitly states that
ff_read_packet() never returns positive values. Returning a positive
value would lead to leaks with some callers (namely asfrtp_parse_packet
and estimate_timings_from_pts). So always return zero in case of
success.
(This behaviour stems from a time before av_read_packet sanitized
the return value of read_packet at all: It was added in commit
626004690c and was unnecessary since
88b00723906f68b7563214c30333e48888dddf78.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
This field needs to be replaced altogether, not just its type changed.
This will be done in a separate change.
Signed-off-by: James Almer <jamrial@gmail.com>
When extended atom size support was added to probing in
fec4a2d232, the buffer
size check was backwards, but probing continued to work
because there was no minimum size check yet, so despite
size being 1 on these atoms, and failing to read the 64-bit
size, the tag was still correctly read.
When 0b78016b2d introduced a
minimum size check, this exposed the bug, and broke probing
any files with extended atom sizes, such as entirely valid
large files that start whith mdat atoms.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Commit 6973df1122 added support
for music tracks by outputting its two containing tracks
together in one packet. But the actual data is not contiguous
in the file and therefore one can't simply use av_get_packet()
(which has been used before) for it. Therefore the packet was
now allocated via av_new_packet() and read via avio_read();
and this is also for non-music files.
This causes problems because one can now longer rely on things
done automatically by av_get_packet(): It automatically freed
the packet in case of errors; this lead to memleaks in several
FATE-tests covering this demuxer. Furthermore, in case the data
read is less than the data desired, the returned packet was not
zero-allocated (the packet's padding was uninitialized);
for music files the actual data could even be uninitialized.
The former problems are fixed by using av_get_packet() for
non-music files; the latter problem is handled by erroring out
unless both tracks could be fully read.
Reviewed-by: Zane van Iperen <zane@zanevaniperen.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Always leaving said packet in a blank state after having used it
allows to avoid having to reset it before one uses it; and it also
allows to use it in more places than just in parse_packet() here.
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: signed integer overflow: 9223372036854775807 + 536870912 cannot be represented in type 'long'
Fixes: 31678/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5614204619980800
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
And forward it to the underlying UDP protocol.
Fixes ticket #7517.
Signed-off-by: Jiangjie Gao <gaojiangjie@live.com>
Signed-off-by: Marton Balint <cus@passwd.hu>
Add the "http_proxy" option and its handling to the "tls" protocol,
pass the option from the "https" protocol.
The "https" protocol already defines the "http_proxy" command line
option, like the "http" protocol does. The "http" protocol properly
honors that command line option in addition to the environment
variable. The "https" protocol doesn't, because the proxy is
evaluated in the underlying "tls" protocol, which doesn't have this
option, and thus only handles the environment variable, which it
has access to.
Fixes#7223.
Signed-off-by: Moritz Barsnick <barsnick@gmx.net>
Signed-off-by: Marton Balint <cus@passwd.hu>
These files are technically a series of planar mono tracks.
If the "music" flag is set, merge the packets from the two
mono tracks, essentially replicating:
[0🅰️0][0🅰️1]join=inputs=2:channel_layout=stereo[a]
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
These are auxiliary side-data functions, so they should have been
switched to size_t in d79e0fe65c,
but this has been forgotten.
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
64 bits are needed in order to retain the uid values of Matroska
chapters; the type is kept signed because the semantics of NUT chapters
depend upon whether the id is > 0 or < 0.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Up until now, there has been no check that each chapter has a unique id;
there was only a check for whether a chapter id is zero (this happens
often when the chapters originated from a format that lacks the concept
of chapter id and simply counts from zero) which is invalid in Matroska.
In this case the chapter ids are offset by 1 to make them nonnegative.
Yet offsetting won't fix duplicate ids, therefore this is changed to
simply create new chapter uids when the input chapter uids don't conform
to the requirements of Matroska (in which case it can be presumed that
they did not originate from Matroska, so that we don't need to bother
to preserve them).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The test program for the FIFO muxer allocates a buffer without padding
and wraps it into a packet via av_packet_from_data(). This is an API
violation. Furthermore, said buffer leaks in case av_packet_from_data()
fails. Fix both of these issues by using av_new_packet() instead.
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Also factor allocating and freeing the packet out.
Fixes Coverity issues #1473722 and #1473723; it is a regression
since 4b386b2059.
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
It was introduced in d3d9b1fc8e2dfc8b4d66c9916ab7221062ff4660;
Fixes Coverity issue #733800.
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
If one of the two results of a ternary conditional is a pointer to void,
the type of the whole conditional operator is a pointer to void, even
when the other possible result is not a pointer to void. This loophole
in the type system has allowed mxf_read_local_tags to have a pointer of
type pointer to MXFMetadataSet that actually points to an MXFContext.
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
