Commit Graph

43797 Commits

Author SHA1 Message Date
Andreas Rheinhardt 9018257751 avcodec/movtextdec: Reindentation
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 05:15:00 +02:00
Andreas Rheinhardt 71981d7d4d avcodec/movtextdec: Use bytestream API
Improves readability.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 05:13:00 +02:00
Andreas Rheinhardt ba795890ec avcodec/movtextdec: Avoid loop when writing UTF-8 character to AVBPrint
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 05:09:00 +02:00
Andreas Rheinhardt c84a91eff7 avcodec/movtextdec: Remove unnecessary variable
style_active doesn't do anything any more: It is already assured
that style_active is one when one reaches the end of a style.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 05:08:02 +02:00
Andreas Rheinhardt dd80066c97 avcodec/movtextdec: Fix immediately adjacent styles
The checks for whether a style should be opened/closed at the current
character position are as follows: A variable entry contained the index
of the currently active or potentially next active style. If the current
character position coincided with the start of style[entry], the style
was activated; this was followed by a check whether the current
character position coincided with the end of style[entry]; if so, the
style was deactivated and entry incremented. Afterwards the char was
processed.

The order of the checks leads to problems in case the endChar of style A
coincides with the startChar of the next style (say B): Style B was never
opened. When we are at said common position, the currently active style
is A and so the start pos check does not succeed; but the end pos check
does and it closes the currently active style A and increments entry.
At the next iteration of the loop, the current character position is
bigger than the start position of style B (which is style[entry]) and
therefore the style is not activated.

The solution is of course to first check for whether a style needs to be
closed (and increment entry if it does) before checking whether the next
style needs to be opened.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 05:03:39 +02:00
Andreas Rheinhardt 40c16907bb avcodec/movtextdec: Skip empty styles
They would either lead to unnecessary ASS tags being emitted (namely
tags that are reset immediately thereafter) or would lead to problems
when parsing: e.g. if a zero-length style immediately follows another
style, the current code will end the preceding style and set the
zero-length style as the next potentially active style, but it is only
tested for activation when the next character is parsed at which point
the current offset is already greater than both the starting as well
as the end offset of the empty style. It will therefore neither be
opened nor closed and all subsequent styles will be ignored.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 05:02:00 +02:00
Andreas Rheinhardt 94ad68ee17 avcodec/movtextdec: Fix leaks on (re)allocation failure
Up until now, the 3GPP Timed Text decoder used av_dynarray_add()
for a list of style entries. Said entries are individually allocated
and owned by the pointers in the dynamic array and are therefore
unsuitable for av_dynarray_add() which simply frees the array,
but not the entries on error. In this case the intended new entry
also leaks because it has been forgotten to free it.

This commit fixes this. It is now allocated in one go and not
reallocated multiple times (and it won't be overallocated any more).
After all, the final number of elements (pending errors) is already
known in advance.

Furthermore, the style entries are now the entries of the new array,
i.e. they are no longer allocated separately. This also removes one
level of indirection.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 04:59:08 +02:00
Andreas Rheinhardt c33b9fa74b avcodec/movtextdec: Simplify finding default font
There is no need to walk through the list of fonts twice.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 04:58:30 +02:00
Andreas Rheinhardt a42695c072 avcodec/movtextdec: Simplify checking for invalid extradata
Every font entry occupies at least three bytes, so checking early
whether there is that much data available is a low-effort way to exclude
invalid extradata. Doing so leads to an overall simplification.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 04:56:32 +02:00
Andreas Rheinhardt 38cdd27e9b avcodec/movtextdec: Fix leaks of strings upon reallocation failure
Up until now, the 3GPP Timed Text decoder used av_dynarray_add()
for a list of font entries, a structure which contains an allocated
string. The font entries are owned by the pointers in the dynamic array
and are therefore unsuitable for av_dynarray_add() which simply frees
the array, but not the font entries and of course not the strings. The
latter all leak if reallocating the dynamic array fails.

This commit fixes this. It stops reallocating the array altogether:
After all, the final number of elements (pending errors) is already
known in advance.

Furthermore, the font entries are now the entries of the new array,
i.e. the font entries are no longer allocated separately. This also
removes one level of indirection.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 04:52:48 +02:00
Andreas Rheinhardt 5758620560 avcodec/movtextdec: Reset counter of fonts when freeing them
If allocating fonts fails when reading the header, all fonts are freed,
yet the counter of fonts is not reset and no error is returned; when
subtitles are decoded lateron, the inexistent list of fonts is searched
for the matching font for this particular entry which of course leads to
a segfault.

Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-19 04:49:57 +02:00
Michael Niedermayer 4f83a53638 avcodec/aacdec_fixed: Limit index in vector_pow43()
Fixes: out of array access
Fixes: 26087/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5724825462767616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-18 21:27:23 +02:00
Michael Niedermayer 182d7a7427 avcodec/h264_slice: fix undefined integer overflow with POC in error concealment
Alternatively the POC could be changed to 64bit. the large values seem to be within what is allowed.

Fixes: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
Fixes: 26076/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5711127201447936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-18 21:27:23 +02:00
Michael Niedermayer cc072f7353 avcodec/decode: Consider discarded samples in max_samples
Fixes: Timeout (several minutes -> 3 sec)
Fixes: 25246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5943400661254144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-18 21:27:23 +02:00
Michael Niedermayer ee33fecb62 avcodec/mpeg12dec: Limit maximum A53 CC size
This is more than 10 times the size of the largest i found. And also alot more
than our encoder could handle (our encoder is limited to max 31)
Without any limit megabyte+ sized blocks can be reallocated millions of times.
Sadly the SCTE-20 spec does not seem to contain any hard limit directly, so this limit here
is arbitrary

Fixes: Timeout (25sec -> 152ms)
Fixes: 25714/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG2VIDEO_fuzzer-5713633336885248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-18 20:42:21 +02:00
Michael Niedermayer 34df97b088 avcodec/photocd: Use ff_set_dimensions()
Fixes: out of memory
Fixes: 25588/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHOTOCD_fuzzer-6612945080156160

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-18 20:42:21 +02:00
Andreas Rheinhardt 746ab8327c avcodec/asvenc: Avoid reversing output data twice
The ASUS V2 format is designed for a little-endian bitstream reader, yet
our encoder used an ordinary big-endian bitstream writer to write it;
the bits of every byte were swapped at the end and some data (namely the
numbers not in static tables) had to be bitreversed before writing it at
all, so that it would be reversed twice.

This commit stops doing so; instead, a little-endian bitstream writer is
used. This also necessitated to switch certain static tables, which
required trivial modifications to the decoder (that uses the same
tables).

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-18 15:29:34 +02:00
Andreas Rheinhardt c9e8f03195 avcodec/asvenc: Simplify flushing and padding packet
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-18 14:46:28 +02:00
Andreas Rheinhardt cdf7619705 avcodec/asvdec: Avoid reversing input data twice
Up until now the ASV2 decoder used an ordinary big-endian bitreader to
read data actually destined for a little-endian bitreader; this is done
by reversing the whole input packet bitwise, using the big-endian
bigreader and reversing (and shifting) the result again. This commit
stops this and instead uses a little-endian bitreader directly.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-18 14:46:28 +02:00
Timo Rothenpieler 62073cfa97 avcodec/nvenc: update driver versions for SDK 11.0 2020-10-17 23:10:42 +02:00
Michael Niedermayer 77cdc68479 avcodec/mv30: Fix multiple integer overflows
Fixes: signed integer overflow: -895002 * 2400 cannot be represented in type 'int'
Fixes: 26052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5431812577558528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-17 14:36:11 +02:00
Michael Niedermayer 42ded4d1e6 avcodec/smacker: Check remaining bits in SMK_BLK_FULL
Fixes: out of array access
Fixes: 26047/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5083031667474432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-17 14:36:11 +02:00
Michael Niedermayer 5a2a7604da avcodec/cook: Check subpacket index against max
Fixes: off by 1 error
Fixes: index 5 out of bounds for type 'COOKSubpacket [5]'
Fixes: 25772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5762459498184704.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-17 14:36:11 +02:00
Michael Niedermayer 01bb12f883 avcodec/utils: Check for overflow with ATRAC* in get_audio_frame_duration()
Fixes: signed integer overflow: 1024 * 13129048 cannot be represented in type 'int'
Fixes: 26378/clusterfuzz-testcase-minimized-ffmpeg_dem_CODEC2RAW_fuzzer-5634018353348608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-17 14:36:11 +02:00
Michael Niedermayer 3fbf873792 avcodec/hevcpred_template: Fix diagonal chroma availability in 4:2:2 edge case in intra_pred
Fixes: pixel decode issue.ts
Fixes: raw frame.hevc

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-17 14:36:11 +02:00
Michael Niedermayer 060e1ad69d avcodec/hevc_mvs: Cleanup ff_hevc_set_neighbour_available()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-17 14:36:11 +02:00
Zane van Iperen bf4a253f38 avcodec/adpcmenc: remove BLKSIZE #define
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
2020-10-17 09:36:07 +10:00
Zane van Iperen e368be5230 avcodec/adpcm_ima_wav: support custom block size for encoding
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
2020-10-17 09:36:06 +10:00
Zane van Iperen ed1cfb8e31 avcodec/adpcm_yamaha: support custom block size for encoding
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
2020-10-17 09:36:06 +10:00
Zane van Iperen eb75a80dc8 avcodec/adpcm_ima_apm: support custom block size for encoding
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
2020-10-17 09:36:06 +10:00
Zane van Iperen b5c2c9a1ce avcodec/adpcm_ima_ssi: support custom block size for encoding
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
2020-10-17 09:36:05 +10:00
Zane van Iperen bd1c94bb68 avcodec/adpcm_ms: support custom block size for encoding
Fixes tickets #6585 and #7109

Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
2020-10-17 09:36:05 +10:00
Zane van Iperen c78c60c3e8 avcodec/adpcmenc: add "block_size" option
Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
2020-10-17 09:36:02 +10:00
James Almer 0ed455b84e avcodec/av1dec: add cur_frame.spatial_id and temporal_id to AV1Frame
Will be used by hwaccels, which have access to a frame's AV1RawFrameHeader but not
its AV1RawOBUHeader.

Signed-off-by: James Almer <jamrial@gmail.com>
2020-10-16 13:34:31 -03:00
Andriy Gelman 2b5e18a953 avcodec/movtextenc: cosmetics
Change pointer position.

Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-10-15 22:30:13 -04:00
Andriy Gelman d4c46dc328 avcodec/movtextenc: fix writing to bytestream on BE arches
Fixes fate-binsub-movtextenc on PPC64

Currently tags are written in reverse order on BE arches. This is fixed
by using MKBETAG() and AV_RB32() to be arch agnostics.

Also s->font_count is of type int. On BE arches with 32bit int,
count = AV_RB16(&s->font_count) will read two most significant bytes
instead of the least significant bytes. This is fixed by assigning
s->font_count to count first.

The final change is modifying the type of len. On BE arches
the most significant byte of the int was written instead of the least
significant byte.

Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
2020-10-15 22:27:37 -04:00
Andreas Rheinhardt 8e58db7348 avcodec/asvenc: Inline constants
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-16 00:39:07 +02:00
Andreas Rheinhardt 4f3edcdcbc avcodec/asvdec: Use init_get_bits8()
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-16 00:39:01 +02:00
Andreas Rheinhardt 2a8edb1ad3 avcodec/asvdec: Reduce the size of some VLCs
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-16 00:38:58 +02:00
Andreas Rheinhardt 6608ecb1b5 avcodec/ylc: Inline constants
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-16 00:38:50 +02:00
Andreas Rheinhardt 753e450a71 avcodec/v3/408enc: Remove empty close functions
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-10-16 00:29:06 +02:00
Michael Niedermayer 7265b7d904 avcodec/exr: Fix overflow with many blocks
Fixes: signed integer overflow: 1073741827 * 8 cannot be represented in type 'int'
Fixes: 25621/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6304841641754624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 23:38:58 +02:00
James Almer 191f68aec1 avcodec/Makefile: add missing av1_cuvid entry
Signed-off-by: James Almer <jamrial@gmail.com>
2020-10-15 18:30:04 -03:00
Michael Niedermayer 394e8bb385 avcodec/vp9dsp_template: Fix integer overflows in idct16_1d()
Fixes: signed integer overflow: -190760 * 11585 cannot be represented in type 'int'
Fixes: 25471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5743354917421056

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 22:53:56 +02:00
Michael Niedermayer 949f0a6be9 avcodec/ansi: Check initial dimensions
Fixes: Timeout (minutes to less than 1sec)
Fixes: 25682/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ANSI_fuzzer-6320712032452608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 22:53:56 +02:00
Michael Niedermayer 106f11f68a avcodec/hevcdec: Check slice_cb_qp_offset / slice_cr_qp_offset
Fixes: signed integer overflow: 29 + 2147483640 cannot be represented in type 'int'
Fixes: 25413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5697909331591168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 22:53:56 +02:00
Michael Niedermayer eeabdef1bf avcodec/sonic: Check for overread
Fixes: Timeout (too long -> 1.3 sec)
Fixes: 24358/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5107284099989504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 22:53:56 +02:00
Michael Niedermayer 92233a6344 avcodec/mobiclip: Check that Motion vectors are within the input frame
The MV checks did not consider the width and height of the block, also they
had some off by 1 errors. This resulted in undefined behavior and crashes.
This commit instead errors out on these

Fixes: out of array read
Fixes: 26080/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-5758146355920896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 22:53:56 +02:00
Michael Niedermayer b6b640c544 avcodec/mobiclip: set the bitstream size to the input
Fixes: out of array read
Fixes: 25453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-5163575973511168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-10-15 22:53:56 +02:00
James Almer 0467991de7 avcodec/allcodecs: move av1_cuvid below libaom_av1
Software decoders should always be first.

Signed-off-by: James Almer <jamrial@gmail.com>
2020-10-15 17:29:27 -03:00