The APP parser can read a fixed number of bytes without checking len,
making len negative and passing it to bytestream2_skipu(), which takes
an unsigned size. This can advance the buffer by a huge amount and
results in undefined behavior.
Add small len guards in the fixed-size AVI1/LJIF paths and only skip
the tail if len > 0.
Signed-off-by: Ruikai Peng <ruikai@pwno.io>
Found via an unused-variable warning from GCC.
Also just forward the error from amf_init_frames_context().
This bug has been introduced in
4479d28103.
Reviewed-by: Jan Ekström <jeebjp@gmail.com>
Reviewed-by: Mikhail Mironov <mikhail.mironov@amd.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
sharpness, noise_reduction, mpeg_noise_reduction,
frame_rate_conversion, brightness and color are not actual fields in
L11 metadata, this appears to be based on perhaps an out of date
patent specification. Instead the two bytes are considered
reserved.
Drop reading them and write out 0s, the fields will be deprecated from
the struct in a future commit and scheduled for removal.
If extra IFDs occur outside of the top level, we don't allocate enough
buffer space for them. This commit changes our calculation to include
their size always, and then we shrink the allocated buffer once every
IFD is written (by at most 192 bytes).
Signed-off-by: Leo Izen <leo.izen@gmail.com>
blk_mv_type is only set for block 0-3, not for chroma blocks,
so it only needs four elements per MB.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
JPEG is mostly byte-aligned. We only really need GetBitContext while
decoding the image data.
Suggested-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It only contains a single field, so add this directly to MPVContext
and remove private_ctx. This avoids an indirection in
ff_h261_loop_filter().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
They are only used by the decoder (which has them twice, because
the IntraX8Context contains a WMV2DSPContext whose put_mspel_pixels
functions were unused), so move them there.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
WMV1 and WMV2 use other scantables and therefore
ff_msmpeg4_common_init() reinitializes them. Yet WMV2
also uses a different IDCT overwriting the ordinary one,
so that the IDCT permutation changes and therefore
ff_wmv2_common_init() (called after ff_msmpeg4_common_init())
needs to reinitialize the scantables again.
Avoid this by calling ff_wmv2_common_init() in
ff_msmpeg4_common_init().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Both FF_VK_EXT_VIDEO_ENCODE_QUEUE and FF_VK_EXT_VIDEO_MAINTENANCE_1 are
required, not only one of them.
Found by VVL.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
The temporary hw_frames_ctx created for header parsing was not being
fully released, leading to a leak. Explicitly unreference the temporary
context after use to resolve the leak.
Signed-off-by: hajin-chung <hajinchung1@gmail.com>
Maliciously constructed input EXIF blocks could use the extra IFDs we
set aside in noncontinugous ways, which will cause them to be written
as subdirectories of IFD0 rather than existing IFDs. The base tag size
is (correctly) excluded from the size calculation, but if they are
being written as additional tags, the allocation will be too small and
a write may overflow.
Signed-off-by: Leo Izen <leo.izen@gmail.com>
With the limiting of video usages on the image views, we no longer need
a yuv sampler, since no multi-plane image will be created with the
SAMPLED usage bit.
Prior to the fix, in the case of a tile containing multiple slices
(pps_num_exp_slices_in_tile != 0) the number of slices was temporarily
allowed to exceed pps_num_slices_in_pic_minus1+1 and therefore
VVC_MAX_SLICES. The number of slices was later verified, but while the
current slice index was higher than expected it was used to write to a
array of size VVC_MAX_SLICES, leading to an OOB write.
To rectify this, the patch adds some checks at an earlier stage, to
ensure that the slice index i + j at no point exceeds
pps_num_slices_in_pic_minus1.
Fixes #YWH-PGM40646-30
The bug was caused by incorrect reading of the step_index field: the original
code read a 16-bit value (including a padding byte) instead of the correct
8-bit step_index as defined by the ADPCM format. This led to distorted audio
or incorrect step calculations when decoding specific ADPCM-encoded files.
Fix by:
1. Reading step_index as an 8-bit unsigned byte via bytestream2_get_byteu()
2. Skipping the subsequent 8-bit padding byte with bytestream2_skip()
The original fix was intended only for sequential mjpeg, but it was also used for progressive
which broke. This commit fixes this regression
Fixes: issue21225
The testcase 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 still exits within 240ms
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Several files use values for primaries and transfer characteristics other than
BT709 and IEC_61966 respectively, while still being GBR.
Also always set color_range while at it. It's always coded in the bistream.
Fixes part of #21304.
Signed-off-by: James Almer <jamrial@gmail.com>
