Timo Rothenpieler
7552712b15
avformat/img2dec: reject input images too big to fit into a single packet
...
Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.
Fixes #YWH-PGM40646-32
(cherry picked from commit f6a95c7eb7
2025-12-31 18:00:04 +01:00
Andreas Rheinhardt
165f660407
avformat/os_support: Include stdint.h for int64_t
...
Fixes checkheaders for Windows targets.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com >
(cherry picked from commit d09dacc197
2025-12-03 20:26:49 +01:00
Timo Rothenpieler
7abad77850
all: apply linter fixes
2025-12-03 20:26:49 +01:00
Michael Niedermayer
3491fc6b8d
avformat/rtpdec_rfc4175: Only change PayloadContext on success
...
Reviewed-by: Joshua Rogers <joshua@joshua.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit c03e49dd1dmichael@niedermayer.cc >
2025-11-23 04:32:19 +01:00
Michael Niedermayer
da520e2da9
avformat/rtpdec_rfc4175: Check dimensions
...
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <joshua@joshua.hu >
Reviewed-by: Joshua Rogers <joshua@joshua.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit d4e0d5ed48michael@niedermayer.cc >
2025-11-23 04:32:19 +01:00
Michael Niedermayer
04986e8f50
avformat/rtpdec_rfc4175: Fix memleak of sampling
...
Reviewed-by: Joshua Rogers <joshua@joshua.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit af3dee3132michael@niedermayer.cc >
2025-11-23 04:32:18 +01:00
Michael Niedermayer
1d515916f6
avformat/http: Fix off by 1 error
...
Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte
Found-by: Joshua Rogers <joshua@joshua.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit b518c027a0michael@niedermayer.cc >
2025-11-23 04:32:18 +01:00
Michael Niedermayer
4ffc69b99c
avformat/sctp: Check size in sctp_write()
...
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <joshua@joshua.hu > with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 5b98cea4bfmichael@niedermayer.cc >
2025-11-23 04:32:17 +01:00
Michael Niedermayer
222ef19414
avformat/rtmpproto: consider command line argument lengths
...
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <joshua@joshua.hu >
Reviewed-by: Joshua Rogers <joshua@joshua.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 83e0298de2michael@niedermayer.cc >
2025-11-23 04:32:17 +01:00
Michael Niedermayer
79200bd288
avformat/rtmpproto_ Check tcurl and flashver length
...
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <joshua@joshua.hu >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit a64e037429michael@niedermayer.cc >
2025-11-23 04:32:17 +01:00
Michael Niedermayer
b75fcac83c
avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()
...
Fixes: memcpy with negative size
Fixes: momo_trip-poc/input
Reported-by: Momoko Shiraishi <shiraishi@os.is .s.u-tokyo.ac.jp>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit d03483bd26michael@niedermayer.cc >
2025-11-23 04:32:17 +01:00
Andreas Rheinhardt
b7263cc4d4
avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX
...
Affects many FATE-tests, see
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Reviewed-by: James Almer <jamrial@gmail.com >
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com >
(cherry picked from commit 7a089ed8e0michael@niedermayer.cc >
2025-11-23 04:32:16 +01:00
Andreas Rheinhardt
f40982e07a
avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
...
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233 .
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com >
(cherry picked from commit 987c955cd7michael@niedermayer.cc >
2025-11-23 04:32:15 +01:00
Michael Niedermayer
900eb11fdf
avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 0243cf89b1michael@niedermayer.cc >
2025-11-23 04:32:15 +01:00
Kacper Michajłow
2838f8f54c
avformat/lrcdec: limit input timestamp range to avoid overflows
...
Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-5226140131459072
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com >
(cherry picked from commit c74bc74398michael@niedermayer.cc >
2025-08-14 00:20:32 +02:00
Kimapr
8bce773786
avformat/libopenmpt: fix seeking weirdness
...
- proper pts for packets. leaving it blank leaves it up for guessing,
but the guess doesn't take seeking into account, causing weirdness.
- clamp to 0 when seeking to negative ts. libopenmpt docs are unclear on
this but not doing this causes an immediate EOF when seeking backwards
to the beginning in mpv.
- only set song duration and packet pts when they are non-negative and
in int64 range. NaNs count as out of range. this isn't a fix for any
specific issue but might be helpful still, and shouldn't break
anything.
(cherry picked from commit ecef5f9e1fmichael@niedermayer.cc >
2025-08-13 22:05:48 +02:00
Michael Niedermayer
c08f721f58
avformat/hls: add cmfv/cmfa exceptions
...
Fixes: Ticket11526
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit f3c3a6ecfbmichael@niedermayer.cc >
2025-08-13 22:05:48 +02:00
Kacper Michajłow
1f4a28e59e
avformat/lrcdec: support arbitrary precision timestamp
...
Apparently files with milliseconds exist in the wild. And since it cost
nothing to support arbitrary number of digits, extend format to support
that.
Depending on number of digits, the time base of fractional part is
changing. Most LRCs use 2 digits and centiseconds base, but subs with 3
digits and miliseconds exist too.
Set internal time base to AV_TIME_BASE, which in parcitice allows to
hold microseconds with 6 digits. Totally artificial, but who knows maybe
someone wants that.
Fixes : #11677
Signed-off-by: Kacper Michajłow <kasper93@gmail.com >
(cherry picked from commit bc3cc0a6afmichael@niedermayer.cc >
2025-08-13 22:05:47 +02:00
Michael Niedermayer
6e9758a4e7
avformat/dashdec: Allocate space for appended "/"
...
Fixes: writing 1 byte over the end of the array
Fixes: BIGSLEEP-433502298/test.xml
Found-by: Google Big Sleep
A prettier solution is welcome!
A testcase exists only for the baseurl case
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit ce0a655f85michael@niedermayer.cc >
2025-08-04 16:44:25 +02:00
Michael Niedermayer
85bc00a3c8
avformat/mxg: clear AV_INPUT_BUFFER_PADDING_SIZE
...
Fixes: use of uninitialized memory
Fixes: 427532813/clusterfuzz-testcase-minimized-ffmpeg_dem_MXG_fuzzer-5661938917113856
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 1b12e919cfmichael@niedermayer.cc >
2025-08-04 16:44:25 +02:00
Michael Niedermayer
816bd485de
avformat/vqf: Ensure that comm_chunk is fully read
...
Fixes: use of uninitialized memory
Fixes: 412125811/clusterfuzz-testcase-minimized-ffmpeg_dem_VQF_fuzzer-6253774274887680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 1b7a327b3amichael@niedermayer.cc >
2025-08-04 16:44:24 +02:00
Michael Niedermayer
ce94db5861
avformat/mov: make sure file_checksum is fully initialized
...
Fixes: use of uninitialized memory
Fixes: 394990189/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6431722199908352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8b16e1ddd9michael@niedermayer.cc >
2025-08-04 16:36:14 +02:00
Michael Niedermayer
3064fdc97e
avformat/asfdec_f: Check amount of value read
...
Fixes: use of uninitialized memory
Fixes: 403675492/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-4754281823797248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit fa197924a6michael@niedermayer.cc >
2025-08-04 16:36:14 +02:00
Michael Niedermayer
4ec12a24c3
avformat/concatdec: Clip duration in one more case in get_best_effort_duration()
...
Fixes: signed integer overflow: 40000 - -9223372036854770000 cannot be represented in type 'long'
Fixes: 427262541/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4831506940100608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8cdb47e47amichael@niedermayer.cc >
2025-08-04 16:36:13 +02:00
Michael Niedermayer
3d9613a314
avformat/iff: Check nb_channels == 0 in CHNL
...
Fixes: division by 0
Fixes: 418396712/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6104388018176000
Fixes: 418478219/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4569544410857472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 5b1301004bmichael@niedermayer.cc >
2025-08-04 16:36:09 +02:00
James Almer
444025cbfa
avformat/movenc: fix writing reserved bits in EC3SpecificBox
...
As described in section F.6.1 from ETSI TS 102 366.
Found-by: nyanmisaka
Reviewed-by: Baptiste Coudurier <baptiste.coudurier@gmail.com >
Signed-off-by: James Almer <jamrial@gmail.com >
(cherry picked from commit 17729aa80cmichael@niedermayer.cc >
2025-08-04 16:36:09 +02:00
Michael Niedermayer
6bbd95776d
avformat/imf_cpl: do not continue looping forever
...
Fixes: infinite loop
Fixes: 401658595/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5756875014733824
Regression since: 61fa1e14e4https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 39800d78b0michael@niedermayer.cc >
2025-08-04 16:36:06 +02:00
Michael Niedermayer
8ed465d5eb
avformat/mov: reject negative ELST durations
...
Fixes: multiple integer overflows
Fixes: 401016767/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6242067591790592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 9fc2702f6fmichael@niedermayer.cc >
2025-08-04 16:36:06 +02:00
Michael Niedermayer
4d38b3353c
avformat/avidec: Ignore duplicate GAB2
...
Fixes: memleak
Fixes: 398401912/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4669849976766464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 6a47046981michael@niedermayer.cc >
2025-08-04 16:36:06 +02:00
Michael Niedermayer
7e55d3fb8f
avformat/iff: Check nb_channels == 0 in MHDR
...
Fixes: division by 0
Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670
Reviewed-by: Peter Ross <pross@xvid.org >
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit ce1fd73d63michael@niedermayer.cc >
2025-08-04 16:36:04 +02:00
Michael Niedermayer
ca80672a2a
avformat/hls: Fix flash1.bogulus.cfd support
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 75be669ca1michael@niedermayer.cc >
2025-08-04 16:36:03 +02:00
Michael Niedermayer
ffbb402090
avformat/hls: Split allowed_segment_extensions off allowed_extensions
...
This allows the user to set only the one that is needed to ALL or a
specific "wrong" extension like html
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit f99f223eb1michael@niedermayer.cc >
2025-08-04 16:36:03 +02:00
Michael Niedermayer
bed3ae9e59
avformat/hls: Fix Youtube AAC
...
Fixes: Ticket11435
Fixes: yt-dlp -f 234+270 https://www.youtube.com/live/l8PMl7tUDIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 48c0dba23bmichael@niedermayer.cc >
2025-08-04 16:36:03 +02:00
Michael Niedermayer
7248719023
avformat/hls: add fmp4 to allowed_extensions
...
Fixes: yt-dlp/issues/12700
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit d82016c730michael@niedermayer.cc >
2025-08-04 16:36:02 +02:00
Michael Niedermayer
ca76bf994f
avformat/hls: Add ec3 to allowed_extensions
...
Fixes part of Ticket11435
Fixes: Elisa Viihde (Finnish online recording service)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 68644994fdmichael@niedermayer.cc >
2025-08-04 16:36:02 +02:00
Michael Niedermayer
1da45df21b
avformat/hls: Add cmfv and cmfa to allowed_extensions
...
Fixes: www.nicovideo.jp
Fixes: Ticket11526
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 2352145e41michael@niedermayer.cc >
2025-08-04 16:36:02 +02:00
softworkz
93d792505e
avformat/hls: Partially revert "reduce default max reload to 3"
...
(setting to 100 as a reasonable compromise)
The change has caused regressions for many users and consumers.
Playlist reloads only happen when a playlist doesn't indicate that it
has ended (via #EXT-X-ENDLIST), which means that the addition of future
segments is still expected.
It is well possible that an HLS server is temporarily unable to serve
further segments but resumes after some time, either indicating a
discontinuity or even by fully catching up.
With a segment length of 3s, a max_reload value of 1000 corresponds to
a duration of 50 minutes which appears to be a reasonable default.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit ace9f03a6cmichael@niedermayer.cc >
2025-08-04 16:35:59 +02:00
Michael Niedermayer
9913cb6a0b
avformat/hls: Fix twitter
...
Allow mp4 with all mpegts extensions
Fixes: Ticket11435
Reviewed-by: Steven Liu <lingjiujianke@gmail.com >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit cef3422b48michael@niedermayer.cc >
2025-08-04 16:35:59 +02:00
Michael Niedermayer
7d740f3692
libavformat/hls: Be more restrictive on mpegts extensions
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 0113e30806michael@niedermayer.cc >
2025-08-04 16:35:58 +02:00
Michael Niedermayer
97fa3b4c2b
avformat/hls: .ts is always ok even if its a mov/mp4
...
Maybe fixes: 11435
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 9e12572933michael@niedermayer.cc >
2025-08-04 16:35:58 +02:00
Michael Niedermayer
0e3639a28c
avformat/hls: Print input format in error message
...
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit d845533130michael@niedermayer.cc >
2025-08-04 16:35:58 +02:00
Michael Niedermayer
9803800e0e
avformat/hls: Be more picky on extensions
...
This blocks disallowed extensions from probing
It also requires all available segments to have matching extensions to the format
mpegts is treated independent of the extension
It is recommended to set the whitelists correctly
instead of depending on extensions, but this should help a bit,
and this is easier to backport
Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
The other parts of CVE-2023-6602 have been fixed by prior commits
Found-by: Harvey Phillips of Amazon Element55 (element55)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 91d96dc8ddmichael@niedermayer.cc >
2025-08-04 16:35:57 +02:00
Michael Niedermayer
3ef588940e
avformat: add ff_match_url_ext()
...
Match url against a list of extensions similar to av_match_ext()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit a7b06bfc5dmichael@niedermayer.cc >
2025-08-04 16:35:57 +02:00
Michael Niedermayer
ba6712e484
avformat/iff: Check that we have a stream in read_dst_frame()
...
Fixes: null pointer dereference
Fixes: 385644864/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4551049565765632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8668957ef6michael@niedermayer.cc >
2025-08-04 16:35:55 +02:00
Michael Niedermayer
5e9af0efd5
avformat/mlvdec: fix size checks
...
Fixes: heap-buffer-overflow
Fixes: 391962476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-5746746587676672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 251d43aef0michael@niedermayer.cc >
2025-08-04 16:35:55 +02:00
Michael Niedermayer
ef236e509e
avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit()
...
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
Fixes: 392672068/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6232335892152320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <git@haerdin.se >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 8a6ad9eab2michael@niedermayer.cc >
2025-08-04 16:35:55 +02:00
Michael Niedermayer
1b1acf964f
avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet()
...
Fixes: Use of uninitialized memory
Fixes: 71444/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5448597561212928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 6ecc96f4d0michael@niedermayer.cc >
2025-08-04 16:35:54 +02:00
Michael Niedermayer
5ccb7d1680
avformat/ipmovie: Check signature_buffer read
...
Fixes: use of uninitilaized data
Fixes: 385167047/clusterfuzz-testcase-minimized-ffmpeg_dem_IPMOVIE_fuzzer-5941477505564672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 788abe0d25michael@niedermayer.cc >
2025-08-04 16:35:53 +02:00
Michael Niedermayer
dcc9cdee5e
avformat/wtvdec: Initialize buf
...
ff_parse_mpeg2_descriptor() reads over what is initialized
Fixes: use of uninitialized memory
Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 17b019c517michael@niedermayer.cc >
2025-08-04 16:35:53 +02:00
Michael Niedermayer
7c4a8f13eb
avformat/vqf: Propagate errors from add_metadata()
...
Suggested-by: Marton Balint <cus@passwd.hu >
Reviewed-by: Alexander Strasser <eclipse7@gmx.net >
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc >
(cherry picked from commit 49fa3f6c5bmichael@niedermayer.cc >
2025-08-04 16:35:52 +02:00
