path: root/libavformat/rmdec.c
Commit message (Author, Age, Files, Lines)
* avformat/rmdec: check tag_size (Michael Niedermayer, 2022-09-24, 1 file, -0/+2)
|   Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int'
|   Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6598073725353984
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/demux: Add new demux.h header (Andreas Rheinhardt, 2022-05-10, 1 file, -1/+1)
|   And move those stuff already in demuxer-only files to it.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
* avformat/utils: Move stream_options, avformat_new_stream to options.c (Andreas Rheinhardt, 2022-05-10, 1 file, -1/+1)
|   This is the appropriate place given that AVStream is about to become an AVOpt-enabled struct. Also move av_disposition_(to|from)_string, as these are tied to the disposition stream option.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
* rm: convert to new channel layout API (Vittorio Giovara, 2022-03-15, 1 file, -3/+2)
|   Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
|   Signed-off-by: James Almer <jamrial@gmail.com>
* avformat/rmdec: Better duplicate tags check (Michael Niedermayer, 2022-03-08, 1 file, -4/+5)
|   Fixes: memleaks
|   Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Check for multiple audio_stream_info (Michael Niedermayer, 2021-10-09, 1 file, -0/+4)
|   Fixes: memleak
|   Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat: Avoid allocation for AVStreamInternal (Andreas Rheinhardt, 2021-09-17, 1 file, -4/+5)
|   Do this by allocating AVStream together with the data that is currently in AVStreamInternal; or rather: Put AVStream at the beginning of a new structure called FFStream (which encompasses more than just the internal fields and is a proper context in its own right, hence the name) and remove AVStreamInternal altogether.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
* avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 (Michael Niedermayer, 2021-09-15, 1 file, -2/+2)
|   Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int'
|   Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Simplify cleanup after read_header failure (Andreas Rheinhardt, 2021-07-08, 1 file, -36/+20)
|   by setting the FF_FMT_INIT_CLEANUP flag.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
* avformat/rmdec: Check old_format len for overflow (Michael Niedermayer, 2021-06-18, 1 file, -3/+5)
|   Maybe such large values could be disallowed earlier and closer to where they are set.
|   Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 'int'
|   Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat: move AVStream.{parser,need_parsing} to AVStreamInternal (James Almer, 2021-05-07, 1 file, -4/+4)
|   Those are private fields, no reason to have them exposed in a public header.
|   Signed-off-by: James Almer <jamrial@gmail.com>
* avformat: Constify all muxer/demuxers (Andreas Rheinhardt, 2021-04-27, 1 file, -3/+3)
|   This is possible now that the next-API is gone.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
|   Signed-off-by: James Almer <jamrial@gmail.com>
* avformat/rmdec: Don't rely on unspecified order of evaluation (Andreas Rheinhardt, 2021-04-08, 1 file, -1/+1)
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
* avformat/rmdec: Fix memleaks upon read_header failure (Andreas Rheinhardt, 2021-04-08, 1 file, -16/+22)
|   For both the RealMedia as well as the IVR demuxer (which share the same context) each AVStream's priv_data contains an AVPacket that might contain data (even when reading the header) and therefore needs to be unreferenced. Up until now, this has not always been done: The RealMedia demuxer didn't do it when allocating a new stream's priv_data failed although there might be other streams with packets to unreference. (The reason for this was that until recently rm_read_close() couldn't handle an AVStream without priv_data, so one had to choose between a potential crash and a memleak.) The IVR demuxer meanwhile never ever called read_close so that the data already contained in packets leaks upon error.
|   This patch fixes both demuxers by adding the appropriate cleanup code.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
* avformat/rmdec: use larger intermediate type for audio_framesize * sub_packet_h check (Michael Niedermayer, 2021-04-01, 1 file, -1/+1)
|   Fixes: signed integer overflow: 65535 * 65535 cannot be represented in type 'int'
|   Fixes: 31406/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5024692843970560
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Check codec_length without overflow (Michael Niedermayer, 2021-02-16, 1 file, -1/+1)
|   Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int'
|   Fixes: 30333/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5175286983426048
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Check remaining space in debug av_log() loop (Michael Niedermayer, 2021-02-10, 1 file, -1/+4)
|   Fixes: Timeout (long -> 2 ms)
|   Fixes: 26709/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5665833403285504
|   Fixes: 27522/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6321071221112832
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Reorder operations to avoid overflow (Michael Niedermayer, 2021-02-04, 1 file, -2/+2)
|   Fixes: signed integer overflow: -2147483648 - 14 cannot be represented in type 'int'
|   Fixes: 27659/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5697250168406016
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Fix codecdata_length overflow check (Michael Niedermayer, 2021-02-02, 1 file, -1/+1)
|   Fixes: signed integer overflow: 2147483647 + 64 cannot be represented in type 'int'
|   Fixes: 28509/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6310969680723968
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Check for EOF in index packet reading (Michael Niedermayer, 2020-11-21, 1 file, -0/+2)
|   Fixes: Timeout(>10sec -> 1ms)
|   Fixes: 27284/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6304211110985728
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: remove unneeded memset() on packet allocation (Michael Niedermayer, 2020-11-04, 1 file, -2/+1)
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Make expected_len 64bit (Michael Niedermayer, 2020-10-25, 1 file, -4/+6)
|   Fixes: signed integer overflow: 1347551268 * 14 cannot be represented in type 'int'
|   Fixes: 26458/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5655364324032512
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: sanity check coded_framesize (Michael Niedermayer, 2020-10-18, 1 file, -1/+5)
|   Fixes: signed integer overflow: -14671840 * 8224 cannot be represented in type 'int'
|   Fixes: 24793/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5101884323659776
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Fix potential crash on allocation failure (Andreas Rheinhardt, 2020-09-19, 1 file, -0/+3)
|   The RealMedia demuxer uses the priv_data of its streams to store a structure containing an AVPacket. These packets are unreferenced in the read_close function, yet said function simply presumed that the priv_data has been successfully allocated. This implies that it mustn't be called when an allocation of priv_data fails; but this can happen since commit 35bbc1955a58ba74552c50d9161084644f00bbd3 if one has a stream with multiple substreams (also exported as AVStream) and if allocating the priv_data for one of these substreams fails.
|   This has been fixed by making sure that read_close can handle the case in which priv_data has not been successfully allocated.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avformat/rmdec: Actually return value < 0 on read_header failure (Andreas Rheinhardt, 2020-09-19, 1 file, -3/+5)
|   The RealMedia demuxer's read_header function initially initializes ret, the variable designated for the return variable to -1. Afterwards, chunks of the file are parsed in a loop until an error happens or until the actual frame data is encountered. If the first function whose return value is put into ret doesn't fail, then ret contains a value >= 0 (actually == 0) and this is what will be returned if an error is encountered afterwards.
|   This is a regression since 35bbc1955a58ba74552c50d9161084644f00bbd3. Before that, ret had never been overwritten with a nonnegative value.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
* avformat: Improve returned error codes (Andreas Rheinhardt, 2020-01-08, 1 file, -4/+4)
|   This commit improves returned error codes by forwarding error codes. In some instances, the hardcoded returned error codes made no sense at all: The normal error code for failure of av_new_packet() is AVERROR(ENOMEM), yet there were instances where AVERROR(EIO) was returned.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat: Forward errors where possible (Andreas Rheinhardt, 2019-12-12, 1 file, -3/+1)
|   It is not uncommon to find code where the caller thinks to know better what the return value should be than the callee. E.g. something like "if (av_new_packet(pkt, size) < 0) return AVERROR(ENOMEM);". This commit changes several instances of this to instead forward the actual error.
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Initialize and sanity check offset in ivr_read_header() (Michael Niedermayer, 2019-12-10, 1 file, -1/+3)
|   Fixes: signed integer overflow: -9223372036854775808 - 17 cannot be represented in type 'long'
|   Fixes: 18768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674385247830016
|   Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Use av_packet_move_ref() for packet ownership transfer (Andreas Rheinhardt, 2019-12-04, 1 file, -4/+1)
|   Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec.c: fix brackets around arguments (James Almer, 2019-09-15, 1 file, -1/+1)
|   Regression since 78f52b4fe3
|   Signed-off-by: James Almer <jamrial@gmail.com>
* avformat/rmdec.c: fix left shift of negative value in rm_sync() (James Almer, 2019-09-15, 1 file, -2/+2)
|   Fixes ticket 8143.
|   Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
|   Signed-off-by: James Almer <jamrial@gmail.com>
* lavf: Constify the probe function argument. (Carl Eugen Hoyos, 2019-03-21, 1 file, -2/+2)
|   Reviewed-by: Lauri Kasanen
|   Reviewed-by: Tomas Härdin
* avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() (Michael Niedermayer, 2018-08-17, 1 file, -0/+2)
|   Fixes: long running loop
|   Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6
|   Found-by: Paul Ch <paulcher@icloud.com>
|   Reviewed-by: Paul B Mahol <onemda@gmail.com>
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() (Michael Niedermayer, 2018-07-05, 1 file, -1/+1)
|   Fixes: use after free()
|   Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362
|   Found-by: Paul Ch <paulcher@icloud.com>
|   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* avformat/rmdec: make use of avio_get_str() (Paul B Mahol, 2018-04-02, 1 file, -11/+7)
|   Also do not set empty metadata.
|   Signed-off-by: Paul B Mahol <onemda@gmail.com>
* Merge commit '95ce02b35d3d1bb16111031df1d82a6e4d894d36' (James Almer, 2017-11-07, 1 file, -4/+7)
|\
| |   * commit '95ce02b35d3d1bb16111031df1d82a6e4d894d36':
| |     rmdec: don't ignore the return value of av_get_packet()
| |   See 65b83ce01b94eae944290c11257799a9288f2d4c
| |   Merged-by: James Almer <jamrial@gmail.com>
| * rmdec: don't ignore the return value of av_get_packet() (Sean McGovern, 2017-07-17, 1 file, -5/+14)
| |
| * Use correct printf conversion specifiers for POSIX integer types (Diego Biurrun, 2016-12-23, 1 file, -1/+1)
| |
* | avformat/rmdec: Fix DoS due to lack of eof check (孙浩 and 张洪亮(望初), 2017-08-27, 1 file, -1/+4)
| |   Fixes: loop.ivr
| |   Found-by: Xiaohei and Wangchu from Alibaba Security Team
| |   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* | Fix all -Wformat warnings raised by DJGPP (Clément Bœsch, 2017-03-29, 1 file, -1/+2)
| |
* | lavf: use av_fourcc2str() where appropriate (Clément Bœsch, 2017-03-29, 1 file, -7/+2)
| |
* | Merge commit '83548fe894cdb455cc127f754d09905b6d23c173' (James Almer, 2017-03-21, 1 file, -1/+2)
|\ \
| |/
| |   * commit '83548fe894cdb455cc127f754d09905b6d23c173':
| |     lavf: fix usage of AVIOContext.seekable
| |   Merged-by: James Almer <jamrial@gmail.com>
| * lavf: fix usage of AVIOContext.seekable (Anton Khirnov, 2016-09-30, 1 file, -1/+2)
| |   It is supposed to be a flag. The only currently defined value is AVIO_SEEKABLE_NORMAL, but other ones may be added in the future. However all the current lavf code treats this field as a bool (mainly for historical reasons). Change all those cases to properly check for AVIO_SEEKABLE_NORMAL.
* | Merge commit 'd9442d13033a24b14ebae149dcdb42709430e2d9' (Clément Bœsch, 2017-03-19, 1 file, -13/+0)
|\ \
| |/
| |   * commit 'd9442d13033a24b14ebae149dcdb42709430e2d9':
| |     rm: Drop broken disabled cruft
| |   Merged-by: Clément Bœsch <u@pkh.me>
| * rm: Drop broken disabled cruft (Diego Biurrun, 2016-08-17, 1 file, -13/+0)
| |
* | avcodec: add SIPR parser (Paul B Mahol, 2017-01-16, 1 file, -0/+1)
| |   Fixes #2056.
| |   Signed-off-by: Paul B Mahol <onemda@gmail.com>
* | rmdec: validate block alignment (Andreas Cadhalpun, 2016-11-23, 1 file, -0/+4)
| |   This fixes division by zero crashes.
| |   Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
| |   Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
* | lavf/rmdec: Do not return EIO on EOF. (Carl Eugen Hoyos, 2016-08-02, 1 file, -1/+3)
| |   Reported-by: applemax82
* | avformat/rmdec: Clear extradata when extradata_size is cleared (Michael Niedermayer, 2016-07-29, 1 file, -0/+1)
| |   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
* | avformat: add AVFormatContext to ff_get_extradata() (Paul B Mahol, 2016-04-14, 1 file, -1/+1)
| |   Needed for av_log() inside that function.
| |   Signed-off-by: Paul B Mahol <onemda@gmail.com>