The check for item presence was insufficient as it would result in the last
item in the array being overwritten if it existed even if the id didn't match.
Fixes: Assertion ref failed at src/libavformat/mov.c:10649
Fixes: clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5312542695292928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 28c330d0f3)
Given the entire iamf struct is inside a single Track, if the first iamf stream
(which is the one sharing the index and id from the Track) was to be disabled,
then packets from every iamf stream would be discarded.
Fix this by actually going through the entire iamf Sample and discarding those
from the disabled streams only.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 16ee3d8d99)
If we were to add the highest id of a non iamf stream as offset to iamf stream
ids, and one of the latter was 0, then an id overlap would occur.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51aef95ba1)
The udp buffer size might be too small, so it can easily
become full temporarily and return WSAEWOULDBLOCK.
The udp code will handle the Windows error code
and convert it to AVERROR(EAGAIN).
This issue can only be reproduced on Windows.
If we sleep for an interval and retry sending the pkt when
hitting EAGAIN, it will increase latency, and an appropriate
interval is hard to define.
So this patch just reminds the user to increase the buffer
size via -buffer_size to avoid this issue.
Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit ec0a04de0d)
The profile contains profile_idc and constraint_set*_flag;
throw away the high 8 bit flags and then we get profile_idc.
Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit 785a4e0d6c)
profile_iop is an 8-bit field. Previous code copied
AVCodecParameters::profile (which can contain bits
beyond 8 bits) into profile_iop, producing overflow
and wrong values.
This patch maps the constrained flags into the proper
profile_iop bits (constraint_set1 / 3).
Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit 6c2768bf8c)
fix issue #20407
Refer to RFC 5245 15.1,
the foundation may be any string up to 32 chars.
The old code could misread foundations as transport("udp").
This patch fully parses all these attrs to avoid parsing errors.
Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit b41f8207c4)
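
The commit above describes a foundation being mistaken for the transport. The following is an added example, not FFmpeg's code: it parses the leading fields of an RFC 5245 section 15.1 candidate line by position and contrasts that with a substring check. The `IceCandidate` struct, both function names and the sample line are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef struct IceCandidate {      /* hypothetical, not an FFmpeg type */
    char foundation[33];           /* up to 32 chars per RFC 5245 15.1 */
    unsigned component_id;
    char transport[16];
    unsigned long priority;
    char address[64];
    unsigned port;
    char type[16];
} IceCandidate;

/* Illustrative substring check only: it fires on "udp" anywhere in the line,
 * including inside the foundation. */
static int substring_says_udp(const char *line)
{
    return strstr(line, "udp") != NULL;
}

/* Parse every field in order; returns 0 on success, -1 on malformed input. */
static int parse_ice_candidate(const char *line, IceCandidate *c)
{
    static const char prefix[] = "a=candidate:";
    size_t flen;

    if (strncmp(line, prefix, sizeof(prefix) - 1))
        return -1;
    line += sizeof(prefix) - 1;
    flen = strcspn(line, " ");     /* foundation is the first token */
    if (flen < 1 || flen > 32 || line[flen] != ' ')
        return -1;
    memcpy(c->foundation, line, flen);
    c->foundation[flen] = '\0';
    /* Field widths bound each string copy to its buffer. */
    if (sscanf(line + flen, "%u %15s %lu %63s %u typ %15s", &c->component_id,
               c->transport, &c->priority, c->address, &c->port, c->type) != 6)
        return -1;
    if (c->component_id < 1 || c->component_id > 256 || c->port > 65535)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: a TCP candidate whose foundation contains "udp". */
    const char *line = "a=candidate:udp7 1 tcp 1518280447 192.0.2.10 9 typ host";
    IceCandidate c;
    if (parse_ice_candidate(line, &c) == 0)
        printf("substring=%d transport=%s\n", substring_says_udp(line), c.transport);
    return 0;
}
```
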
use audio_ssrc + 1 for video_ssrc to avoid ssrc collision
See RFC 3550 Section 8,
The SSRC identifier carried in the RTP header and in various fields
of RTCP packets is a random 32 bit number that is required to be
globally unique within an RTP session.
Simply adding 1 also gets a unique ssrc, and is faster than generating
a new unique ssrc.
Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit b3ea558492)
(This also fixes a symbol name collision with libssh,
which has a nonstatic function called md5.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.
Fixes #YWH-PGM40646-32
(cherry picked from commit f6a95c7eb7)
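
The failure mode in the commit above (a size addition that overflows, so the packet is allocated far too small) can be shown with a checked size computation. This is an added example, not FFmpeg's fix: the formula `header + w * h * bpp` and both function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* What a 32-bit size sum wraps to. Unsigned arithmetic is used so that the
 * demonstration itself stays well-defined. */
static uint32_t wrapped_packet_size(uint32_t header, uint32_t w,
                                    uint32_t h, uint32_t bpp)
{
    return header + w * h * bpp;
}

/* Same sum as an int packet size, or -1 if it does not fit in an int. */
static int checked_packet_size(int header, int w, int h, int bpp)
{
    int64_t pixels;

    if (header < 0 || w <= 0 || h <= 0 || bpp <= 0)
        return -1;
    pixels = (int64_t)w * h;               /* at most 2^62, fits in int64_t */
    /* pixels * bpp + header <= INT_MAX, rearranged so nothing can wrap. */
    if (pixels > (INT_MAX - header) / bpp)
        return -1;
    return (int)(pixels * bpp + header);
}

int main(void)
{
    /* Constructed dimensions: 32768 x 32768 at 4 bytes per pixel is 2^32. */
    printf("wrapped: %u bytes\n",
           (unsigned)wrapped_packet_size(64, 32768, 32768, 4));
    printf("checked: %d\n", checked_packet_size(64, 32768, 32768, 4));
    return 0;
}
```
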
The fields are defined as 8 bit long unsigned ints. Fortunately, writing most sane values
as leb is equivalent, which is why no tests are affected.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 21ff60d2cf)
Pico VR adds a '\0' after projection_type (a real C string rather than
a fourcc). It's not strictly correct, but doesn't affect parsing.
[prji: Projection Information Box]
position = 149574743
size = 17
version = 0
flags = 0x000000
projection_type = rect
Co-Authored-by: Keven Ma
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit 0734d1c55a)
Fixes: out of array read
Fixes: BIGSLEEP-445383648
Fixes: crash_input_1/2/3.dhav
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 55e71768cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233.
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 987c955cd7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Last parameter to recvfrom() is not initialized, causing
recvfrom() to randomly return EINVAL. Issue was introduced in
af04a27893.
(cherry picked from commit 4348bde2d2)
The parser API doesn't work with packets, only raw data, so in order for it to
be made aware of new extradata propagated through packet side data we need to
pass it in some other form, namely, replacing the main extradata and ensuring
it will be parsed by restarting the parser.
Signed-off-by: James Almer <jamrial@gmail.com>
When parsing the RTSP message reason, the whole remainder
after parsing the status code was used, which would lead to
a leading space in the parsed reason string.
(cherry picked from commit e63e040f0c)
Signed-off-by: Marvin Scholz <epirat07@gmail.com>
When reading fails the first time, ch would be uninitialized and
printed in the log message. Instead check for an error early and
log it properly.
(cherry picked from commit 2ed47ab725)
Signed-off-by: Marvin Scholz <epirat07@gmail.com>
When using a literal IPv6 address as hostname, it can contain a Zone ID
especially in the case of link-local addresses. Sending this to the
server in the Host header is not useful to the server and in some cases
servers refuse such requests.
To prevent any such issues, strip the Zone ID from the address if it's
an IPv6 address. This also removes it for the Cookies lookup.
Based on a patch by: Daniel N Pettersson <danielnp@axis.com>
(cherry picked from commit 5cb6d2221a)
Signed-off-by: Marvin Scholz <epirat07@gmail.com>
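
One way to strip the Zone ID as the commit above describes, as an added example and not FFmpeg's implementation. The function name `strip_zone_id` is hypothetical, the sample hosts are constructed, and the input is assumed to be a bare host with no port appended.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy host into out, dropping a zone ID ("%eth0", or "%25eth0" in a URL)
 * when host is a literal IPv6 address. A closing ']' is kept for bracketed
 * literals. Returns 0 on success, -1 if out is too small. */
static int strip_zone_id(const char *host, char *out, size_t out_size)
{
    size_t len = strlen(host);
    /* Only a literal IPv6 address contains ':'; hostnames and IPv4
     * addresses do not, so they are copied unchanged. */
    const char *zone = strchr(host, ':') ? strchr(host, '%') : NULL;
    int bracketed = zone && len > 0 && host[len - 1] == ']';

    if (zone)
        len = (size_t)(zone - host);
    if (len + bracketed >= out_size)       /* leave room for ']' and NUL */
        return -1;
    memcpy(out, host, len);
    if (bracketed)
        out[len++] = ']';
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample hosts. */
    const char *hosts[] = { "fe80::1%eth0", "[fe80::1%25eth0]",
                            "2001:db8::1", "example.com" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        if (strip_zone_id(hosts[i], buf, sizeof(buf)) == 0)
            printf("%-18s -> %s\n", hosts[i], buf);
    return 0;
}
```
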
fix a regression introduced in 4eca8df,
writing chapters failed if chapters were
not available before mov_write_header().
(cherry picked from commit b2f5bc7fd3)
The array is only ever needed for streams where each sample entry may have a
different value. Given that for non animated HEIF there's a single value that
applies to the image, use the field defined for that.
Fixes: NULL pointer dereference
Fixes: 437528618/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6537287645331456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a28e01a6c1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>