github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-30 22:00:51 +08:00
Code Issues Packages Projects Releases Wiki Activity
67,787 Commits 39 Branches 417 Tags
release/2.4
Commit Graph

406 Commits

Author SHA1 Message Date
Michael Niedermayer
cd6cce2330 avcodec/mjpegdec: Check that reference frame matches the current frame 
Fixes: out of array read
Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4705edbbb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:17 +02:00
Michael Niedermayer
33cbc52d64 avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' 
Fixes: 1724/clusterfuzz-testcase-minimized-4842395432648704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 40fa6a2fa2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:17 +02:00
Michael Niedermayer
133705f9e8 avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' 
Fixes: 943/clusterfuzz-testcase-5114865297391616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a78ae465fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:17 +02:00
Michael Niedermayer
4f951d7b16 avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 
Fixes: 733/clusterfuzz-testcase-4682158096515072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 800d02abe0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:17 +02:00
Michael Niedermayer
be4f53c1ae avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 
Fixes: 693/clusterfuzz-testcase-6109776066904064

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4b72d5cd6f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:16 +02:00
Michael Niedermayer
0171371298 avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 
Fixes: 611/clusterfuzz-testcase-5613455820193792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c91bdd4524)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:16 +02:00
Michael Niedermayer
7a529a25b1 avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac() 
Fixes timeout
Fixes: 496/clusterfuzz-testcase-5805083497332736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3782656631)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:16 +02:00
Michael Niedermayer
4445b614fa avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan() 
Fixes timeout
Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 755933cb5c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:16 +02:00
Michael Niedermayer
14e5d6a009 avcodec/mjpegdec: Check for rgb before flipping 
Fixes assertion failure due to unsupported case

Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25d9643f11)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2017-08-23 13:15:16 +02:00
Michael Niedermayer
fa9873cce8 avcodec/mjpegdec: Check for end for both bytes in unescaping 
Fixes assertion failure
Fixes: c40c779601b77dc6e19aaea0b04b9751/signal_sigabrt_7ffff6ae7cb7_5769_b94f6ec70caecb2d3d76b4771b109ac1.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 509c9e74e5)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2016-02-01 02:12:22 +01:00
Michael Niedermayer
5c0d8a8387 avcodec/mjpegdec: Fix negative shift 
Fixes: mjpeg_left_shift.avi

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d86d7b2486)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2016-01-31 00:25:20 +01:00
Andreas Cadhalpun
46fcc2ba55 mjpegdec: extend check for incompatible values of s->rgb and s->ls 
This can happen if s->ls changes from 0 to 1, but picture allocation is
skipped due to s->interlaced.

In that case ff_jpegls_decode_picture could be called even though the
s->picture_ptr frame has the wrong pixel format and thus a wrong
linesize, which results in a too small zero buffer being allocated.

This fixes an out-of-bounds read in ls_decode_line.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 7ea2db6eaf)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
 2016-01-28 02:15:49 +01:00
Andreas Cadhalpun
073fcfe358 mjpegdec: consider chroma subsampling in size check 
If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.

This fixes out of bounds writes causing segmentation faults or memory
corruption.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5adb5d9d89)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2015-12-07 01:34:16 +01:00
Michael Niedermayer
5d9bee34f9 avcodec/mjpegdec: Reinitialize IDCT on BPP changes 
Fixes misaligned access
Fixes: dc9262a469f6f315f74c087a7b3a7f35/signal_sigsegv_2e95bcd_9_9c0f9f4a9ba82aa9b3ab2b91ce4d5277.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cc35f6f476)

Conflicts:

	libavcodec/mjpegdec.c
(cherry picked from commit f82c4777ee7a319fe2aa36f413a61943313b4abc)
 2015-12-06 12:40:49 +01:00
Michael Niedermayer
2f89546333 avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it 
Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d24888ef19)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2015-12-06 12:40:49 +01:00
Michael Niedermayer
7cdd319b01 avcodec/mjpegdec: Fix decoding RGBA RCT LJPEG 
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 055e56e9f7)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
 2015-12-06 12:40:49 +01:00
Michael Niedermayer
748194b58b avcodec/mjpegdec: fix len computation in ff_mjpeg_decode_dqt() 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 81cf910856)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2015-06-01 23:25:20 +02:00
Michael Niedermayer
492818d724 avcodec/mjpegdec: Skip blocks which are outside the visible area 
Fixes out of array accesses
Fixes: ffmpeg_mjpeg_crash.avi

Found-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 08509c8f86)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2015-02-13 20:48:08 +01:00
Michael Niedermayer
0882212298 avcodec/mjpegdec: Check number of components for JPEG-LS 
Fixes out of array accesses
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fabbfaa095)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2015-02-13 20:48:08 +01:00
Michael Niedermayer
3531ff8db3 avcodec/mjpegdec: Check escape sequence validity 
Fixes assertion failure
Fixes: asan_heap-oob_1c1a4ea_1242_cov_2274415971_TESTcmyk.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit afa92907f3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2015-02-13 20:48:08 +01:00
Michael Niedermayer
81754d8f8b Merge commit 'aa7a19b41774ce5f8a4e43f3692a4f9d90aa5c92' into release/2.4 
* commit 'aa7a19b41774ce5f8a4e43f3692a4f9d90aa5c92':
  mjpegdec: check for pixel format changes

Conflicts:
	libavcodec/mjpegdec.c

See: 5c378d6a6d
See: a2f680c7bc
Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2014-12-20 11:50:12 +01:00
Anton Khirnov
aa7a19b417 mjpegdec: check for pixel format changes 
Fixes possible invalid memory access.

Based on code by Michael Niedermayer <michaelni@gmx.at>

CC: libav-stable@libav.org
Bug-ID: CVE-2014-8541
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 809c3023b6)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
 2014-12-20 10:51:40 +01:00
Michael Niedermayer
18dba3d80d avcodec/mjpegdec: Fix integer overflow in shift 
Fixes: signal_sigabrt_7ffff6ac7bb9_2683_cov_4120310995_m_ijpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 970a8f1c25)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-11-30 21:40:36 +01:00
Michael Niedermayer
8524009161 avcodec/mjpegdec: Fix context fields becoming inconsistent 
Fixes out of array access
Fixes: asan_heap-oob_1ca4f85_2760_cov_144449187_miss_congeniality_pegasus_ljpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0eecf40935)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-11-30 21:40:36 +01:00
Michael Niedermayer
47f345de1d avcodec/mjpegdec: Check for pixfmtid 0x42111100 || 0x24111100 with more than 8 bits 
These cases are not supported yet

Fixes assertion failure
Fixes: signal_sigabrt_7ffff6ac7bb9_1_cov_1553101927_00.jpg
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0bf416f262)

Conflicts:

	libavcodec/mjpegdec.c
 2014-11-30 21:40:36 +01:00
Michael Niedermayer
6f5c505109 avcodec/mjpegdec: check bits per pixel for changes similar to dimensions 
Fixes out of array accesses
Fixes: asan_heap-oob_16668e9_2_asan_heap-oob_16668e9_346_miss_congeniality_pegasus_mjpg.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c378d6a6d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-10-04 23:52:28 +02:00
Clément Bœsch
b96d864fd6 avcodec/mjpegdec: Fix chroma width rounding 
Fixes vertical line at the right side
Fixes Ticket 3929

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-09-13 20:25:27 +02:00
Michael Niedermayer
1654ca7d4e avcodec/mjpegdec: fix rounding of chroma_height 
Fixes green line at the bottom
Fixes Ticket3913

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-09-06 03:13:57 +02:00
Michael Niedermayer
f0d4f00f24 avcodec/mjpegdec: fix green line at the bottom with upscale v 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-08-31 15:33:30 +02:00
Michael Niedermayer
63a52ca134 avcodec/mjpegdec: fix green vertical line at the right with upscale h 
Fixes Ticket3891

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-08-31 15:16:36 +02:00
Michael Niedermayer
5c7899a483 avcodec/mjpegdec: Support AV_PIX_FMT_YUV420P16 with upscale_h 
Fixes assertion failure
Fixes: test42f.jpg
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-08-14 16:20:55 +02:00
Przemysław Sobala
c68098ba4a avcodec/mjpegdec: add pix_fmt: 0x14121200 
Fixes: _15801_F.jpg

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-22 18:07:44 +02:00
Michael Niedermayer
ef7e8425e8 avcodec/mjpegdec: factorize some parts of the pix_fmt_id switch() 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-01 23:28:18 +02:00
Michael Niedermayer
784e1cf76b avcodec/mjpegdec: handle luma upscale detection generically 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-01 23:26:19 +02:00
Michael Niedermayer
64d98dadc7 avcodec/mjpegdec: set upscale_h/upscale_v using generic code instead of hardcoding a list 
Some code is left to handle corner cases

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-01 22:54:57 +02:00
Michael Niedermayer
7558e55345 avcodec/mjpegdec: Support pix_fmt_id==0x11222200 
Fixes: 4858286_300.jpg

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-01 22:12:20 +02:00
Michael Niedermayer
cd417d947e avcodec/mjpegdec: fix width for non chroma in rescaling 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-01 22:09:19 +02:00
Michael Niedermayer
4e09300ffa mjpegdec: Support pix_fmt_id == 0x22112200 
Fixes 4780490_300.jpg

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-01 21:47:54 +02:00
Michael Niedermayer
581b5f0b9b Merge commit 'e3fcb14347466095839c2a3c47ebecff02da891e' 
* commit 'e3fcb14347466095839c2a3c47ebecff02da891e':
  dsputil: Split off IDCT bits into their own context

Conflicts:
	configure
	libavcodec/aic.c
	libavcodec/arm/Makefile
	libavcodec/arm/dsputil_init_arm.c
	libavcodec/arm/dsputil_init_armv6.c
	libavcodec/asvdec.c
	libavcodec/dnxhdenc.c
	libavcodec/dsputil.c
	libavcodec/dvdec.c
	libavcodec/dxva2_mpeg2.c
	libavcodec/intrax8.c
	libavcodec/mdec.c
	libavcodec/mjpegdec.c
	libavcodec/mjpegenc_common.h
	libavcodec/mpegvideo.c
	libavcodec/ppc/dsputil_altivec.h
	libavcodec/ppc/dsputil_ppc.c
	libavcodec/ppc/idctdsp.c
	libavcodec/x86/Makefile
	libavcodec/x86/dsputil_init.c
	libavcodec/x86/dsputil_mmx.c
	libavcodec/x86/dsputil_x86.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2014-07-01 15:22:11 +02:00
Diego Biurrun
e3fcb14347 dsputil: Split off IDCT bits into their own context 2014-06-30 07:58:46 -07:00
Derek Buitenhuis
2deb614272 mjpegdec: Properly set the context colorspace info 
The JPEG spec requires it to be this.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
 2014-06-24 20:42:40 +01:00
Derek Buitenhuis
c11043aca7 mjpegdec: Properly set the context colorspace info 
The JPEG spec requires it to be this.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
 2014-06-24 20:40:44 +01:00
Michael Niedermayer
0dceefc5fa Merge commit '9e500efdbe0deeff1602500ebc229a0a6b6bb1a2' 
* commit '9e500efdbe0deeff1602500ebc229a0a6b6bb1a2':
  Add av_image_check_sar() and use it to validate SAR

Conflicts:
	libavcodec/dpx.c
	libavcodec/dvdec.c
	libavcodec/ffv1dec.c
	libavcodec/utils.c
	libavutil/version.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2014-06-20 22:20:28 +02:00
Justin Ruggles
9e500efdbe Add av_image_check_sar() and use it to validate SAR 2014-06-20 10:39:33 -04:00
Michael Niedermayer
2b05db4f81 Merge commit 'e74433a8e6fc00c8dbde293c97a3e45384c2c1d9' 
* commit 'e74433a8e6fc00c8dbde293c97a3e45384c2c1d9':
  dsputil: Split clear_block*/fill_block* off into a separate context

Conflicts:
	configure
	libavcodec/asvdec.c
	libavcodec/dnxhddec.c
	libavcodec/dnxhdenc.c
	libavcodec/dsputil.h
	libavcodec/eamad.c
	libavcodec/intrax8.c
	libavcodec/mjpegdec.c
	libavcodec/ppc/dsputil_ppc.c
	libavcodec/vc1dec.c
	libavcodec/x86/dsputil_init.c
	libavcodec/x86/dsputil_mmx.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
 2014-06-19 04:54:38 +02:00
Diego Biurrun
e74433a8e6 dsputil: Split clear_block*/fill_block* off into a separate context 2014-06-18 14:07:23 -07:00
Michael Niedermayer
0545ef7116 avcodec/mjpegdec: Improve intel jpeg flip heuristic 
Fixes Ticket3698

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-06-06 01:32:22 +02:00
Michael Niedermayer
149be91374 avcodec/mjpegdec: request a AMV sample with non mod 16 height 
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-06-01 04:00:47 +02:00
Michael Niedermayer
ec33f59fed avcodec/mjpegdec: Support pix_fmt_id== 0x42111100 
Fixes: 538782_300.jpg
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-05-28 16:36:04 +02:00
Michael Niedermayer
aff352be63 avcodec/mjpegdec: zero gb to silence warning about it being possibly uninitialized 
The code is not speed relevant, also its more robust if the pointers are NULL instead of random.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
 2014-05-08 17:37:40 +02:00