Changelog: Update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces
2019-05-14 00:39:42 +02:00 · 2019-05-14 00:17:31 +02:00 · 2019-05-14 00:17:30 +02:00 · 2019-05-14 00:17:29 +02:00 · 2019-05-13 14:10:33 +02:00 · 2019-05-13 14:09:27 +02:00
41 changed files with 266 additions and 51 deletions
@@ -1,6 +1,54 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.

+version 3.2.14:
+- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces
+- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning
+- avcodec/htmlsubtitles: Be a bit more picky on syntax
+- libswcale: Fix possible string overflow in test.
+- avcodec/hq_hqa: Check available space before reading slice offsets
+- lavf/webm_chunk: Respect buffer size
+- avcodec/jvdec: Use ff_get_buffer() when the content is not reused
+- avcodec/truemotion2: Fix 2 integer overflows in tm2_update_block()
+- avcodec/jpeg2000: Check stepsize before using it
+- avcodec/aacdec_fixed: Fix undefined shift in noise_scale()
+- avutil/avstring: Fix bug and undefined behavior in av_strncasecmp()
+- avformat/mov: Skip stsd adjustment without chunks
+- avformat/aadec: Check for scanf() failure
+- avcodec/ccaption_dec: Add a blank like at the end to avoid rollup reading from outside
+- avcodec/ivi: Move buffer/block end check to caller of ivi_dc_transform()
+- avcodec/diracdec: Use 64bit in intermediate of global motion vector field generation
+- avcodec/truemotion2: Fix integer overflow in tm2_decode_blocks()
+- avcodec/rscc: Check that the to be uncompressed input is large enough
+- avcodec/hevcdec: Avoid only partly skiping duplicate first slices
+- lavc/bmp: Avoid a heap buffer overwrite for 1bpp input.
+- avcodec/truemotion2: Fix integer overflow in tm2_null_res_block()
+- avcodec/dfa: Check the chunk header is not truncated
+- avcodec/dvbsubdec: Check object position
+- avcodec/cdgraphics: Use ff_set_dimensions()
+- avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes
+- avcodec/aic: Check remaining bits in aic_decode_coeffs()
+- avcodec/bethsoftvideo: Check block_type
+- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()
+- avcodec/error_resilience: Use a symmetric check for skipping MV estimation
+- avcodec/mlpdec: Insuffient typo
+- avcodec/zmbv: obtain frame later
+- avcodec/jvdec: Check available input space before decode8x8()
+- avcodec/h264_direct: Fix overflow in POC comparission
+- avformat/webmdashenc: Check id in adaption_sets
+- avformat/http: Fix Out-of-Bounds access in process_line()
+- avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393
+- avformat/matroskadec: Do not leak queued packets on sync errors
+- avformat/mov: validate chunk_count vs stsc_data
+- avformat/mov.c: require tfhd to begin parsing trun
+- avcodec/pgssubdec: Check for duplicate display segments
+- avformat/rtsp: Check number of streams in sdp_parse_line()
+- avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect()
+- avcodec/fic: Check that there is input left in fic_decode_block()
+- avutil/mem: Optimize fill32() by unrolling and using 64bit
+- avcodec/hevcdec: decode at most one slice reporting being the first in the picture
+- avfilter/af_silenceremove: fix possible crash if supplied duration is negative
+
 version 3.2.13:
 - avcodec/tests/rangecoder: initialize array to avoid valgrind warning
 - avcodec/h264_slice: Fix integer overflow in implicit_weight_table()
@@ -1 +1 @@
-3.2.13
+3.2.14
@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.

-PROJECT_NUMBER         = 3.2.13
+PROJECT_NUMBER         = 3.2.14

 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a
@@ -221,7 +221,7 @@ static void noise_scale(int *coefs, int scale, int band_energy, int len)
    }
    else {
        s = s + 32;
-        round = 1 << (s-1);
+        round = s ? 1 << (s-1) : 0;
        for (i=0; i<len; i++) {
            out = (int)((int64_t)((int64_t)coefs[i] * c + round) >> s);
            coefs[i] = out * ssign;
@@ -208,6 +208,9 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst,
    int mb, idx;
    unsigned val;

+    if (get_bits_left(gb) < 5)
+        return AVERROR_INVALIDDATA;
+
    has_skips  = get_bits1(gb);
    coeff_type = get_bits1(gb);
    coeff_bits = get_bits(gb, 3);
@@ -109,6 +109,11 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx,
            if(yoffset >= avctx->height)
                return AVERROR_INVALIDDATA;
            dst += vid->frame->linesize[0] * yoffset;
+        case VIDEO_P_FRAME:
+        case VIDEO_I_FRAME:
+            break;
+        default:
+            return AVERROR_INVALIDDATA;
    }

    // main code
@@ -286,7 +286,7 @@ static int bmp_decode_frame(AVCodecContext *avctx,
        case 1:
            for (i = 0; i < avctx->height; i++) {
                int j;
-                for (j = 0; j < n; j++) {
+                for (j = 0; j < avctx->width >> 3; j++) {
                    ptr[j*8+0] =  buf[j] >> 7;
                    ptr[j*8+1] = (buf[j] >> 6) & 1;
                    ptr[j*8+2] = (buf[j] >> 5) & 1;
@@ -296,6 +296,9 @@ static int bmp_decode_frame(AVCodecContext *avctx,
                    ptr[j*8+6] = (buf[j] >> 1) & 1;
                    ptr[j*8+7] =  buf[j]       & 1;
                }
+                for (j = 0; j < (avctx->width & 7); j++) {
+                    ptr[avctx->width - (avctx->width & 7) + j] = buf[avctx->width >> 3] >> (7 - j) & 1;
+                }
                buf += n;
                ptr += linesize;
            }
@@ -212,10 +212,10 @@ static const unsigned char pac2_attribs[32][3] = // Color, font, ident

 struct Screen {
    /* +1 is used to compensate null character of string */
-    uint8_t characters[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t charsets[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t colors[SCREEN_ROWS][SCREEN_COLUMNS+1];
-    uint8_t fonts[SCREEN_ROWS][SCREEN_COLUMNS+1];
+    uint8_t characters[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t charsets[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t colors[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
+    uint8_t fonts[SCREEN_ROWS+1][SCREEN_COLUMNS+1];
    /*
     * Bitmask of used rows; if a bit is not set, the
     * corresponding row is not used.
@@ -80,11 +80,8 @@ static av_cold int cdg_decode_init(AVCodecContext *avctx)
        return AVERROR(ENOMEM);
    cc->transparency = -1;

-    avctx->width   = CDG_FULL_WIDTH;
-    avctx->height  = CDG_FULL_HEIGHT;
    avctx->pix_fmt = AV_PIX_FMT_PAL8;
-
-    return 0;
+    return ff_set_dimensions(avctx, CDG_FULL_WIDTH, CDG_FULL_HEIGHT);
 }

 static void cdg_border_preset(CDGraphicsContext *cc, uint8_t *data)
@@ -353,6 +353,8 @@ static int dfa_decode_frame(AVCodecContext *avctx,

    bytestream2_init(&gb, avpkt->data, avpkt->size);
    while (bytestream2_get_bytes_left(&gb) > 0) {
+        if (bytestream2_get_bytes_left(&gb) < 12)
+            return AVERROR_INVALIDDATA;
        bytestream2_skip(&gb, 4);
        chunk_size = bytestream2_get_le32(&gb);
        chunk_type = bytestream2_get_le32(&gb);
@@ -1403,7 +1403,7 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
    int *b      = s->globalmc[ref].pan_tilt;
    int *c      = s->globalmc[ref].perspective;

-    int m       = (1<<ep) - (c[0]*x + c[1]*y);
+    int64_t m   = (1<<ep) - (c[0]*(int64_t)x + c[1]*(int64_t)y);
    int64_t mx  = m * (int64_t)((A[0][0] * (int64_t)x + A[0][1]*(int64_t)y) + (1<<ez) * b[0]);
    int64_t my  = m * (int64_t)((A[1][0] * (int64_t)x + A[1][1]*(int64_t)y) + (1<<ez) * b[1]);

@@ -1353,6 +1353,13 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
        display->y_pos = AV_RB16(buf) & 0xfff;
        buf += 2;

+        if (display->x_pos >= region->width ||
+            display->y_pos >= region->height) {
+            av_log(avctx, AV_LOG_ERROR, "Object outside region\n");
+            av_free(display);
+            return AVERROR_INVALIDDATA;
+        }
+
        if ((object->type == 1 || object->type == 2) && buf+1 < buf_end) {
            display->fgcolor = *buf++;
            display->bgcolor = *buf++;
@@ -419,7 +419,7 @@ static void guess_mv(ERContext *s)
    }

    if ((!(s->avctx->error_concealment&FF_EC_GUESS_MVS)) ||
-        num_avail <= mb_width / 2) {
+        num_avail <= FFMAX(mb_width, mb_height) / 2) {
        for (mb_y = 0; mb_y < mb_height; mb_y++) {
            for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
                const int mb_xy = mb_x + mb_y * s->mb_stride;
@@ -138,6 +138,9 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb,
 {
    int i, num_coeff;

+    if (get_bits_left(gb) < 8)
+        return AVERROR_INVALIDDATA;
+
    /* Is it a skip block? */
    if (get_bits1(gb)) {
        /* This is a P-frame. */
@@ -142,8 +142,8 @@ void ff_h264_direct_ref_list_init(const H264Context *const h, H264SliceContext *
            av_log(h->avctx, AV_LOG_ERROR, "co located POCs unavailable\n");
            sl->col_parity = 1;
        } else
-        sl->col_parity = (FFABS(col_poc[0] - cur_poc) >=
-                          FFABS(col_poc[1] - cur_poc));
+            sl->col_parity = (FFABS(col_poc[0] - (int64_t)cur_poc) >=
+                              FFABS(col_poc[1] - (int64_t)cur_poc));
        ref1sidx =
        sidx     = sl->col_parity;
    // FL -> FL & differ parity
@@ -439,6 +439,11 @@ static int hls_slice_header(HEVCContext *s)

    // Coded parameters
    sh->first_slice_in_pic_flag = get_bits1(gb);
+    if (s->ref && sh->first_slice_in_pic_flag) {
+        av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n");
+        return 1; // This slice will be skiped later, do not corrupt state
+    }
+
    if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) {
        s->seq_decode = (s->seq_decode + 1) & 0xff;
        s->max_ra     = INT_MAX;
@@ -2775,6 +2780,11 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
        ret = hls_slice_header(s);
        if (ret < 0)
            return ret;
+        if (ret == 1) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+

        if (s->max_ra == INT_MAX) {
            if (s->nal_unit_type == NAL_CRA_NUT || IS_BLA(s)) {
@@ -248,6 +248,9 @@ static int hqa_decode_frame(HQContext *ctx, AVFrame *pic, size_t data_size)
    int width, height, quant;
    const uint8_t *src = ctx->gbc.buffer;

+    if (bytestream2_get_bytes_left(&ctx->gbc) < 8 + 4*(num_slices + 1))
+        return AVERROR_INVALIDDATA;
+
    width  = bytestream2_get_be16(&ctx->gbc);
    height = bytestream2_get_be16(&ctx->gbc);

@@ -22,6 +22,7 @@
 #include "libavutil/common.h"
 #include "libavutil/parseutils.h"
 #include "htmlsubtitles.h"
+#include <ctype.h>

 static int html_color_parse(void *log_ctx, const char *str)
 {
@@ -51,6 +52,53 @@ static void rstrip_spaces_buf(AVBPrint *buf)
            buf->str[--buf->len] = 0;
 }

+/*
+ * Fast code for scanning text enclosed in braces. Functionally
+ * equivalent to this sscanf call:
+ *
+ * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0
+ */
+static int scanbraces(const char* in) {
+    if (strncmp(in, "{\\an", 4) != 0) {
+        return 0;
+    }
+    if (!isdigit(in[4])) {
+        return 0;
+    }
+    if (in[5] != '}') {
+        return 0;
+    }
+    return 1;
+}
+
+/*
+ * Fast code for scanning the rest of a tag. Functionally equivalent to
+ * this sscanf call:
+ *
+ * sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2
+ */
+static int scantag(const char* in, char* buffer, int* lenp) {
+    int len;
+
+    for (len = 0; len < 128; len++) {
+        const char c = *in++;
+        switch (c) {
+        case '\0':
+            return 0;
+        case '<':
+            return 0;
+        case '>':
+            buffer[len] = '\0';
+            *lenp = len+1;
+            return 1;
+        default:
+            break;
+        }
+        buffer[len] = c;
+    }
+    return 0;
+}
+
 int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
 {
    char *param, buffer[128], tmp[128];
@@ -82,9 +130,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
            break;
        case '{':    /* skip all {\xxx} substrings except for {\an%d}
                        and all microdvd like styles such as {Y:xxx} */
-            len = 0;
-            an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0;
-
+            an += scanbraces(in);
            if (!closing_brace_missing) {
                if (   (an != 1 && in[1] == '\\')
                    || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) {
@@ -102,13 +148,13 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
        case '<':
            tag_close = in[1] == '/';
            len = 0;
-            if (sscanf(in+tag_close+1, "%127[^>]>%n", buffer, &len) >= 1 && len > 0) {
+            if (scantag(in+tag_close+1, buffer, &len) && len > 0) {
                const char *tagname = buffer;
                while (*tagname == ' ')
                    tagname++;
                if ((param = strchr(tagname, ' ')))
                    *param++ = 0;
-                if ((!tag_close && sptr < FF_ARRAY_ELEMS(stack)) ||
+                if ((!tag_close && sptr < FF_ARRAY_ELEMS(stack) && *tagname) ||
                    ( tag_close && sptr > 0 && !strcmp(stack[sptr-1].tag, tagname))) {
                    int i, j, unknown = 0;
                    in += len + tag_close;
@@ -488,12 +488,6 @@ static int ivi_dec_tile_data_size(GetBitContext *gb)
 static int ivi_dc_transform(IVIBandDesc *band, int *prev_dc, int buf_offs,
                            int blk_size)
 {
-    int buf_size = band->pitch * band->aheight - buf_offs;
-    int min_size = (blk_size - 1) * band->pitch + blk_size;
-
-    if (min_size > buf_size)
-        return AVERROR_INVALIDDATA;
-
    band->dc_transform(prev_dc, band->buf + buf_offs,
                       band->pitch, blk_size);

@@ -724,6 +718,11 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band,
                if (ret < 0)
                    return ret;
            } else {
+                int buf_size = band->pitch * band->aheight - buf_offs;
+                int min_size = (blk_size - 1) * band->pitch + blk_size;
+
+                if (min_size > buf_size)
+                    return AVERROR_INVALIDDATA;
                /* block not coded */
                /* for intra blocks apply the dc slant transform */
                /* for inter - perform the motion compensation without delta */
@@ -247,6 +247,11 @@ static void init_band_stepsize(AVCodecContext *avctx,
        }
    }

+    if (band->f_stepsize > (INT_MAX >> 15)) {
+        band->f_stepsize = 0;
+        av_log(avctx, AV_LOG_ERROR, "stepsize out of range\n");
+    }
+
    band->i_stepsize = band->f_stepsize * (1 << 15);

    /* FIXME: In OpenJPEG code stepsize = stepsize * 0.5. Why?
@@ -531,7 +531,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t)
    }

    for (i = 0; i < w * h; i++)
-        data[i] = (data[i] + ((1<<I_PRESHIFT)>>1)) >> I_PRESHIFT;
+        data[i] = (data[i] + ((1LL<<I_PRESHIFT)>>1)) >> I_PRESHIFT;
 }

 int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2],
@@ -163,13 +163,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            av_log(avctx, AV_LOG_ERROR, "video size %d invalid\n", video_size);
            return AVERROR_INVALIDDATA;
        }
-        if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
-            return ret;

        if (video_type == 0 || video_type == 1) {
            GetBitContext gb;
            init_get_bits(&gb, buf, 8 * video_size);

+            if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
+                return ret;
+
+            if (avctx->height/8 * (avctx->width/8) > 4 * video_size) {
+                av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n");
+                return AVERROR_INVALIDDATA;
+            }
+
            for (j = 0; j < avctx->height; j += 8)
                for (i = 0; i < avctx->width; i += 8)
                    decode8x8(&gb,
@@ -179,6 +185,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
            buf += video_size;
        } else if (video_type == 2) {
            int v = *buf++;
+
+            av_frame_unref(s->frame);
+            if ((ret = ff_get_buffer(avctx, s->frame, AV_GET_BUFFER_FLAG_REF)) < 0)
+                return ret;
+
            for (j = 0; j < avctx->height; j++)
                memset(s->frame->data[0] + j * s->frame->linesize[0],
                       v, avctx->width);
@@ -1169,7 +1169,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data,
        }

        if (length < header_size + substr_header_size) {
-            av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n");
+            av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n");
            goto error;
        }

@@ -676,6 +676,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size,
             */
            break;
        case DISPLAY_SEGMENT:
+            if (*data_size) {
+                av_log(avctx, AV_LOG_ERROR, "Duplicate display segment\n");
+                ret = AVERROR_INVALIDDATA;
+                break;
+            }
            ret = display_end_segment(avctx, data, buf, segment_length);
            if (ret >= 0)
                *data_size = ret;
@@ -90,6 +90,8 @@ static void qpeg_decode_intra(QpegContext *qctx, uint8_t *dst,
                }
            }
        } else {
+            if (bytestream2_get_bytes_left(&qctx->buffer) < copy)
+                copy = bytestream2_get_bytes_left(&qctx->buffer);
            for(i = 0; i < copy; i++) {
                dst[filled++] = bytestream2_get_byte(&qctx->buffer);
                if (filled >= width) {
@@ -181,6 +181,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
        /* If necessary, uncompress tiles, and hijack the bytestream reader */
        if (packed_tiles_size != tiles_nb * TILE_SIZE) {
            uLongf length = tiles_nb * TILE_SIZE;
+
+            if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
+
            inflated_tiles = av_malloc(length);
            if (!inflated_tiles) {
                ret = AVERROR(ENOMEM);
@@ -587,7 +587,8 @@ static inline void tm2_null_res_block(TM2Context *ctx, AVFrame *pic, int bx, int
 {
    int i;
    int ct;
-    int left, right, diff;
+    unsigned left, right;
+    int diff;
    int deltas[16];
    TM2_INIT_POINTERS();

@@ -673,8 +674,8 @@ static inline void tm2_update_block(TM2Context *ctx, AVFrame *pic, int bx, int b
    /* update chroma */
    for (j = 0; j < 2; j++) {
        for (i = 0; i < 2; i++) {
-            U[i] = Uo[i] + GET_TOK(ctx, TM2_UPD);
-            V[i] = Vo[i] + GET_TOK(ctx, TM2_UPD);
+            U[i] = Uo[i] + (unsigned)GET_TOK(ctx, TM2_UPD);
+            V[i] = Vo[i] + (unsigned)GET_TOK(ctx, TM2_UPD);
        }
        U  += Ustride;
        V  += Vstride;
@@ -823,7 +824,7 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p)
    dst = p->data[0];
    for (j = 0; j < h; j++) {
        for (i = 0; i < w; i++) {
-            int y = Y[i], u = U[i >> 1], v = V[i >> 1];
+            unsigned y = Y[i], u = U[i >> 1], v = V[i >> 1];
            dst[3*i+0] = av_clip_uint8(y + v);
            dst[3*i+1] = av_clip_uint8(y);
            dst[3*i+2] = av_clip_uint8(y + u);
@@ -519,9 +519,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
        return AVERROR_INVALIDDATA;
    }

-    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
-        return ret;
-
    if (c->comp == 0) { // uncompressed data
        if (c->decomp_size < len) {
            av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
@@ -547,6 +544,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
        av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size);
        return AVERROR_INVALIDDATA;
    }
+    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+        return ret;
+
    if (c->flags & ZMBV_KEYFRAME) {
        frame->key_frame = 1;
        frame->pict_type = AV_PICTURE_TYPE_I;
@@ -186,8 +186,17 @@ static int config_input(AVFilterLink *inlink)

    s->start_duration = av_rescale(s->start_duration, inlink->sample_rate,
                                   AV_TIME_BASE);
+    if (s->start_duration < 0) {
+        av_log(ctx, AV_LOG_WARNING, "start duration must be non-negative\n");
+        s->start_duration = -s->start_duration;
+    }
+
    s->stop_duration  = av_rescale(s->stop_duration, inlink->sample_rate,
                                   AV_TIME_BASE);
+    if (s->stop_duration < 0) {
+        av_log(ctx, AV_LOG_WARNING, "stop duration must be non-negative\n");
+        s->stop_duration = -s->stop_duration;
+    }

    s->start_holdoff = av_malloc_array(FFMAX(s->start_duration, 1),
                                       sizeof(*s->start_holdoff) *
@@ -78,6 +78,7 @@ static int aa_read_header(AVFormatContext *s)
    AADemuxContext *c = s->priv_data;
    AVIOContext *pb = s->pb;
    AVStream *st;
+    int ret;

    /* parse .aa header */
    avio_skip(pb, 4); // file size
@@ -121,7 +122,10 @@ static int aa_read_header(AVFormatContext *s)
        }
        if (!strcmp(key, "HeaderKey")) { // this looks like "1234567890 1234567890 1234567890 1234567890"
            av_log(s, AV_LOG_DEBUG, "HeaderKey is <%s>\n", val);
-            sscanf(val, "%u%u%u%u", &header_key_part[0], &header_key_part[1], &header_key_part[2], &header_key_part[3]);
+            ret = sscanf(val, "%u%u%u%u", &header_key_part[0], &header_key_part[1], &header_key_part[2], &header_key_part[3]);
+            if (ret != 4)
+                return AVERROR_INVALIDDATA;
+
            for (idx = 0; idx < 4; idx++) {
                AV_WB32(&header_key[idx * 4], header_key_part[idx]); // convert each part to BE!
            }
@@ -386,7 +386,7 @@ static int ftp_file_size(FTPContext *s)
    static const int size_codes[] = {213, 0};

    snprintf(command, sizeof(command), "SIZE %s\r\n", s->path);
-    if (ftp_send_command(s, command, size_codes, &res) == 213 && res) {
+    if (ftp_send_command(s, command, size_codes, &res) == 213 && res && strlen(res) > 4) {
        s->filesize = strtoll(&res[4], NULL, 10);
    } else {
        s->filesize = -1;
@@ -766,7 +766,7 @@ static int process_line(URLContext *h, char *line, int line_count,
            while (av_isspace(*p))
                p++;
            resource = p;
-            while (!av_isspace(*p))
+            while (*p && !av_isspace(*p))
                p++;
            *(p++) = '\0';
            av_log(h, AV_LOG_TRACE, "Requested resource: %s\n", resource);
@@ -78,6 +78,7 @@ typedef struct MOVAtom {
 struct MOVParseTableEntry;

 typedef struct MOVFragment {
+    int found_tfhd;
    unsigned track_id;
    uint64_t base_data_offset;
    uint64_t moof_offset;
@@ -3363,7 +3363,7 @@ static int matroska_read_packet(AVFormatContext *s, AVPacket *pkt)
            ret = matroska_resync(matroska, pos);
    }

-    return ret;
+    return 0;
 }

 static int matroska_read_seek(AVFormatContext *s, int stream_index,
@@ -1157,6 +1157,9 @@ static int mov_read_moov(MOVContext *c, AVIOContext *pb, MOVAtom atom)

 static int mov_read_moof(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 {
+    // Set by mov_read_tfhd(). mov_read_trun() will reject files missing tfhd.
+    c->fragment.found_tfhd = 0;
+
    if (!c->has_looked_for_mfra && c->use_mfra_for > 0) {
        c->has_looked_for_mfra = 1;
        if (pb->seekable) {
@@ -2456,8 +2459,11 @@ static inline int mov_get_stsc_samples(MOVStreamContext *sc, int index)

    if (index < sc->stsc_count - 1)
        chunk_count = sc->stsc_data[index + 1].first - sc->stsc_data[index].first;
-    else
+    else {
+        // Validation for stsc / stco  happens earlier in mov_read_stsc + mov_read_trak.
+        av_assert0(sc->stsc_data[index].first <= sc->chunk_count);
        chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1);
+    }

    return sc->stsc_data[index].count * chunk_count;
 }
@@ -3632,6 +3638,13 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)

    c->trak_index = -1;

+    // Here stsc refers to a chunk not described in stco. This is technically invalid,
+    // but we can overlook it (clearing stsc) whenever stts_count == 0 (indicating no samples).
+    if (!sc->chunk_count && !sc->stts_count && sc->stsc_count) {
+        sc->stsc_count = 0;
+        av_freep(&sc->stsc_data);
+    }
+
    /* sanity checks */
    if (sc->chunk_count && (!sc->stts_count || !sc->stsc_count ||
                            (!sc->sample_size && !sc->sample_count))) {
@@ -3639,7 +3652,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
               st->index);
        return 0;
    }
-    if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) {
+    if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) {
        av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n",
               st->index);
        return AVERROR_INVALIDDATA;
@@ -3988,6 +4001,8 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    MOVFragmentIndex* index = NULL;
    int flags, track_id, i, found = 0;

+    c->fragment.found_tfhd = 1;
+
    avio_r8(pb); /* version */
    flags = avio_rb24(pb);

@@ -4135,6 +4150,11 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom)
    unsigned entries, first_sample_flags = frag->flags;
    int flags, distance, i, err;

+    if (!frag->found_tfhd) {
+        av_log(c->fc, AV_LOG_ERROR, "trun track id unknown, no tfhd was found\n");
+        return AVERROR_INVALIDDATA;
+    }
+
    for (i = 0; i < c->fc->nb_streams; i++) {
        if (c->fc->streams[i]->id == frag->track_id) {
            st = c->fc->streams[i];
@@ -5982,6 +6002,7 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp,
    }

    /* adjust stsd index */
+    if (sc->chunk_count) {
    time_sample = 0;
    for (i = 0; i < sc->stsc_count; i++) {
        int next = time_sample + mov_get_stsc_samples(sc, i);
@@ -5992,6 +6013,7 @@ static int mov_seek_stream(AVFormatContext *s, AVStream *st, int64_t timestamp,
        }
        time_sample = next;
    }
+    }

    ret = mov_seek_auxiliary_info(s, sc);
    if (ret < 0) {
@@ -446,7 +446,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1,
        } else if (!strcmp(st_type, "text")) {
            codec_type = AVMEDIA_TYPE_SUBTITLE;
        }
-        if (codec_type == AVMEDIA_TYPE_UNKNOWN || !(rt->media_type_mask & (1 << codec_type))) {
+        if (codec_type == AVMEDIA_TYPE_UNKNOWN ||
+            !(rt->media_type_mask & (1 << codec_type)) ||
+            rt->nb_rtsp_streams >= s->max_streams
+        ) {
            s1->skip_media = 1;
            return;
        }
@@ -1659,7 +1662,7 @@ int ff_rtsp_connect(AVFormatContext *s)
    char tcpname[1024], cmd[2048], auth[128];
    const char *lower_rtsp_proto = "tcp";
    int port, err, tcp_fd;
-    RTSPMessageHeader reply1 = {0}, *reply = &reply1;
+    RTSPMessageHeader reply1, *reply = &reply1;
    int lower_transport_mask = 0;
    int default_port = RTSP_DEFAULT_PORT;
    char real_challenge[64] = "";
@@ -1688,6 +1691,7 @@ int ff_rtsp_connect(AVFormatContext *s)
    rt->lower_transport_mask &= (1 << RTSP_LOWER_TRANSPORT_NB) - 1;

 redirect:
+    memset(&reply1, 0, sizeof(reply1));
    /* extract hostname and port */
    av_url_split(proto, sizeof(proto), auth, sizeof(auth),
                 host, sizeof(host), &port, path, sizeof(path), s->filename);
@@ -96,7 +96,7 @@ static int get_chunk_filename(AVFormatContext *s, int is_header, char *filename)
            av_log(oc, AV_LOG_ERROR, "No header filename provided\n");
            return AVERROR(EINVAL);
        }
-        av_strlcpy(filename, wc->header_filename, strlen(wc->header_filename) + 1);
+        av_strlcpy(filename, wc->header_filename, MAX_FILENAME_SIZE);
    } else {
        if (av_get_frame_filename(filename, MAX_FILENAME_SIZE,
                                  s->filename, wc->chunk_index - 1) < 0) {
@@ -439,6 +439,7 @@ static int parse_adaptation_sets(AVFormatContext *s)
            continue;
        else if (state == new_set && !strncmp(p, "id=", 3)) {
            void *mem = av_realloc(w->as, sizeof(*w->as) * (w->nb_as + 1));
+            const char *comma;
            if (mem == NULL)
                return AVERROR(ENOMEM);
            w->as = mem;
@@ -447,6 +448,11 @@ static int parse_adaptation_sets(AVFormatContext *s)
            w->as[w->nb_as - 1].streams = NULL;
            p += 3; // consume "id="
            q = w->as[w->nb_as - 1].id;
+            comma = strchr(p, ',');
+            if (!comma || comma - p >= sizeof(w->as[w->nb_as - 1].id)) {
+                av_log(s, AV_LOG_ERROR, "'id' in 'adaptation_sets' is malformed.\n");
+                return AVERROR(EINVAL);
+            }
            while (*p != ',') *q++ = *p++;
            *q = 0;
            p++;
@@ -222,12 +222,13 @@ int av_strcasecmp(const char *a, const char *b)

 int av_strncasecmp(const char *a, const char *b, size_t n)
 {
-    const char *end = a + n;
    uint8_t c1, c2;
+    if (n <= 0)
+        return 0;
    do {
        c1 = av_tolower(*a++);
        c2 = av_tolower(*b++);
-    } while (a < end && c1 && c1 == c2);
+    } while (--n && c1 && c1 == c2);
    return c1 - c2;
 }

@@ -415,6 +415,18 @@ static void fill32(uint8_t *dst, int len)
 {
    uint32_t v = AV_RN32(dst - 4);

+#if HAVE_FAST_64BIT
+    uint64_t v2= v + ((uint64_t)v<<32);
+    while (len >= 32) {
+        AV_WN64(dst   , v2);
+        AV_WN64(dst+ 8, v2);
+        AV_WN64(dst+16, v2);
+        AV_WN64(dst+24, v2);
+        dst += 32;
+        len -= 32;
+    }
+#endif
+
    while (len >= 4) {
        AV_WN32(dst, v);
        dst += 4;
@@ -308,10 +308,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp,
    while (fgets(buf, sizeof(buf), fp)) {
        struct Results r;
        enum AVPixelFormat srcFormat;
-        char srcStr[12];
+        char srcStr[13];
        int srcW = 0, srcH = 0;
        enum AVPixelFormat dstFormat;
-        char dstStr[12];
+        char dstStr[13];
        int dstW = 0, dstH = 0;
        int flags;
        int ret;
@@ -1 +1 @@
 .2.13
 .2.14