[FFmpeg-devel] [PATCH 1/4] avcodec/jpeg2000dec: Check image offset

[FFmpeg-devel] [PATCH 1/4] avcodec/jpeg2000dec: Check image offset

[Michael Niedermayer]

Fixes: left shift of negative value -538967841
Fixes: 62447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/jpeg2000dec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index eda959e558d..691cfbd8915 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -238,6 +238,11 @@ static int get_siz(Jpeg2000DecoderContext *s)
         return AVERROR_INVALIDDATA;
     }
 
+    if (s->image_offset_x >= s->width || s->image_offset_y >= s->height) {
+        av_log(s->avctx, AV_LOG_ERROR, "image offsets outside image");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (s->reduction_factor && (s->image_offset_x || s->image_offset_y) ){
         av_log(s->avctx, AV_LOG_ERROR, "reduction factor with image offsets is not fully implemented");
         return AVERROR_PATCHWELCOME;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1

[Michael Niedermayer]

Fixes: out of array access
Fixes: 62467/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/evc_parse.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
index bd3a4416f2d..5ab33166cf3 100644
--- a/libavcodec/evc_parse.c
+++ b/libavcodec/evc_parse.c
@@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb, EVCParserSliceHeader *sh,
         if (!sh->arbitrary_slice_flag)
             sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1);
         else {
-            sh->num_remaining_tiles_in_slice_minus1 = get_ue_golomb_long(gb);
-            num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1 + 2;
+            unsigned num_remaining_tiles_in_slice_minus1 = get_ue_golomb_long(gb);
+            if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS * EVC_MAX_TILE_COLUMNS - 2)
+                return AVERROR_INVALIDDATA;
+
+            num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2;
+            sh->num_remaining_tiles_in_slice_minus1 = num_remaining_tiles_in_slice_minus1;
             for (int i = 0; i < num_tiles_in_slice - 1; ++i)
                 sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb);
         }
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/4] avcodec/evc_parse: remove pow() and log2()

[Michael Niedermayer]

The use of float based functions is both unneeded and wrong due to unpredictable rounding

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/evc_parse.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
index 5ab33166cf3..20b6849041a 100644
--- a/libavcodec/evc_parse.c
+++ b/libavcodec/evc_parse.c
@@ -176,7 +176,8 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh,
             poc->PicOrderCntVal = 0;
             poc->DocOffset = -1;
         } else {
-            int SubGopLength = (int)pow(2.0, sps->log2_sub_gop_length);
+            int SubGopLength = 1 << sps->log2_sub_gop_length;
+
             if (tid == 0) {
                 poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength;
                 poc->DocOffset = 0;
@@ -191,15 +192,16 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh,
                     poc->prevPicOrderCntVal += SubGopLength;
                     ExpectedTemporalId = 0;
                 } else
-                    ExpectedTemporalId = 1 + (int)log2(poc->DocOffset);
+                    ExpectedTemporalId = 1 + av_log2(poc->DocOffset);
+
                 while (tid != ExpectedTemporalId) {
                     poc->DocOffset = (poc->DocOffset + 1) % SubGopLength;
                     if (poc->DocOffset == 0)
                         ExpectedTemporalId = 0;
                     else
-                        ExpectedTemporalId = 1 + (int)log2(poc->DocOffset);
+                        ExpectedTemporalId = 1 + av_log2(poc->DocOffset);
                 }
-                PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset + 1) / (int)pow(2.0, tid) - 2));
+                PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset + 1) / (1 << tid) - 2));
                 poc->PicOrderCntVal = poc->prevPicOrderCntVal + PocOffset;
             }
         }
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/4] avcodec/evc_parse: Check tid

[Michael Niedermayer]

The check is based on not infinite looping. It is likely
a more strict check can be done

Fixes: Infinite loop
Fixes: 62473/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5719883750703104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/evc_parse.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
index 20b6849041a..8c0ef16f3ad 100644
--- a/libavcodec/evc_parse.c
+++ b/libavcodec/evc_parse.c
@@ -178,6 +178,9 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh,
         } else {
             int SubGopLength = 1 << sps->log2_sub_gop_length;
 
+            if (tid > 1 + av_log2(SubGopLength - 1))
+                return AVERROR_INVALIDDATA;
+
             if (tid == 0) {
                 poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength;
                 poc->DocOffset = 0;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/4] avcodec/jpeg2000dec: Check image offset

[Tomas Härdin]

On Thu, 2023-10-05 at 00:59 +0200, Michael Niedermayer wrote:
> Fixes: left shift of negative value -538967841
> Fixes: 62447/clusterfuzz-testcase-minimized-
> ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824
> 
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/jpeg2000dec.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
> index eda959e558d..691cfbd8915 100644
> --- a/libavcodec/jpeg2000dec.c
> +++ b/libavcodec/jpeg2000dec.c
> @@ -238,6 +238,11 @@ static int get_siz(Jpeg2000DecoderContext *s)
>          return AVERROR_INVALIDDATA;
>      }
>  
> +    if (s->image_offset_x >= s->width || s->image_offset_y >= s-
> >height) {
> +        av_log(s->avctx, AV_LOG_ERROR, "image offsets outside
> image");
> +        return AVERROR_INVALIDDATA;
> +    }

Probably OK

/Tomas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/4] avcodec/jpeg2000dec: Check image offset

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1326 bytes --]

On Wed, Oct 25, 2023 at 09:20:09PM +0200, Tomas Härdin wrote:
> On Thu, 2023-10-05 at 00:59 +0200, Michael Niedermayer wrote:
> > Fixes: left shift of negative value -538967841
> > Fixes: 62447/clusterfuzz-testcase-minimized-
> > ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6427134337613824
> > 
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/jpeg2000dec.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
> > index eda959e558d..691cfbd8915 100644
> > --- a/libavcodec/jpeg2000dec.c
> > +++ b/libavcodec/jpeg2000dec.c
> > @@ -238,6 +238,11 @@ static int get_siz(Jpeg2000DecoderContext *s)
> >          return AVERROR_INVALIDDATA;
> >      }
> >  
> > +    if (s->image_offset_x >= s->width || s->image_offset_y >= s-
> > >height) {
> > +        av_log(s->avctx, AV_LOG_ERROR, "image offsets outside
> > image");
> > +        return AVERROR_INVALIDDATA;
> > +    }
> 
> Probably OK

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Republics decline into democracies and democracies degenerate into
despotisms. -- Aristotle

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1

[Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics]

> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> Michael Niedermayer
> Sent: czwartek, 5 października 2023 00:59
> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check
> num_remaining_tiles_in_slice_minus1
> 
> Fixes: out of array access
> Fixes: 62467/clusterfuzz-testcase-minimized-
> ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688
> 
> Found-by: continuous fuzzing process
> https://protect2.fireeye.com/v1/url?k=10fdc12a-701f5c77-10fc4a65-
> 000babd9f1ba-c93ee30773aca891&q=1&e=409cddd0-bda7-445c-b76b-
> 1caf069ec3f8&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss-
> fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/evc_parse.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index
> bd3a4416f2d..5ab33166cf3 100644
> --- a/libavcodec/evc_parse.c
> +++ b/libavcodec/evc_parse.c
> @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb,
> EVCParserSliceHeader *sh,
>          if (!sh->arbitrary_slice_flag)
>              sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1);
>          else {
> -            sh->num_remaining_tiles_in_slice_minus1 =
get_ue_golomb_long(gb);
> -            num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1
+ 2;
> +            unsigned num_remaining_tiles_in_slice_minus1 =
> get_ue_golomb_long(gb);
> +            if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS *
> EVC_MAX_TILE_COLUMNS - 2)
> +                return AVERROR_INVALIDDATA;
> +
> +            num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2;
> +            sh->num_remaining_tiles_in_slice_minus1 =
> + num_remaining_tiles_in_slice_minus1;
>              for (int i = 0; i < num_tiles_in_slice - 1; ++i)
>                  sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb);
>          }
> --
> 2.17.1
> 

Reviewed and tested. It can be merged.

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://protect2.fireeye.com/v1/url?k=91e63ba2-f104a6ff-91e7b0ed-
> 000babd9f1ba-bd82db9b8a752a77&q=1&e=409cddd0-bda7-445c-b76b-
> 1caf069ec3f8&u=https%3A%2F%2Fffmpeg.org%2Fmailman%2Flistinfo%2Fffmp
> eg-devel
> 
> To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org
> with subject "unsubscribe".


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/4] avcodec/evc_parse: remove pow() and log2()

[Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics]

> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> Michael Niedermayer
> Sent: czwartek, 5 października 2023 00:59
> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> Subject: [FFmpeg-devel] [PATCH 3/4] avcodec/evc_parse: remove pow() and
> log2()
> 
> The use of float based functions is both unneeded and wrong due to
> unpredictable rounding
> 
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/evc_parse.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index
> 5ab33166cf3..20b6849041a 100644
> --- a/libavcodec/evc_parse.c
> +++ b/libavcodec/evc_parse.c
> @@ -176,7 +176,8 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const
> EVCParserSliceHeader *sh,
>              poc->PicOrderCntVal = 0;
>              poc->DocOffset = -1;
>          } else {
> -            int SubGopLength = (int)pow(2.0, sps->log2_sub_gop_length);
> +            int SubGopLength = 1 << sps->log2_sub_gop_length;
> +
>              if (tid == 0) {
>                  poc->PicOrderCntVal = poc->prevPicOrderCntVal +
SubGopLength;
>                  poc->DocOffset = 0;
> @@ -191,15 +192,16 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const
> EVCParserSliceHeader *sh,
>                      poc->prevPicOrderCntVal += SubGopLength;
>                      ExpectedTemporalId = 0;
>                  } else
> -                    ExpectedTemporalId = 1 + (int)log2(poc->DocOffset);
> +                    ExpectedTemporalId = 1 + av_log2(poc->DocOffset);
> +
>                  while (tid != ExpectedTemporalId) {
>                      poc->DocOffset = (poc->DocOffset + 1) % SubGopLength;
>                      if (poc->DocOffset == 0)
>                          ExpectedTemporalId = 0;
>                      else
> -                        ExpectedTemporalId = 1 +
(int)log2(poc->DocOffset);
> +                        ExpectedTemporalId = 1 +
> + av_log2(poc->DocOffset);
>                  }
> -                PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset +
1) /
> (int)pow(2.0, tid) - 2));
> +                PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset
> + + 1) / (1 << tid) - 2));
>                  poc->PicOrderCntVal = poc->prevPicOrderCntVal +
PocOffset;
>              }
>          }
> --
> 2.17.1
> 
Reviewed. Looks good. It can be merged.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://protect2.fireeye.com/v1/url?k=b3e7a91c-d29c0395-b3e62253-
> 74fe48600034-766db145edef46dd&q=1&e=130227c8-f092-4124-aef7-
> bcb9009528da&u=https%3A%2F%2Fffmpeg.org%2Fmailman%2Flistinfo%2Fffmp
> eg-devel
> 
> To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org
> with subject "unsubscribe".


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/4] avcodec/evc_parse: Check tid

[Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics]

> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> Michael Niedermayer
> Sent: czwartek, 5 października 2023 00:59
> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> Subject: [FFmpeg-devel] [PATCH 4/4] avcodec/evc_parse: Check tid
> 
> The check is based on not infinite looping. It is likely a more strict
check can be
> done
> 
> Fixes: Infinite loop
> Fixes: 62473/clusterfuzz-testcase-minimized-
> ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5719883750703104
> 
> Found-by: continuous fuzzing process
> https://protect2.fireeye.com/v1/url?k=a44f565e-c532bcdd-a44edd11-
> 74fe48600158-625c91e4183f7607&q=1&e=5e707773-ad1c-4987-a095-
> 2350d52c5cd3&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss-
> fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/evc_parse.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index
> 20b6849041a..8c0ef16f3ad 100644
> --- a/libavcodec/evc_parse.c
> +++ b/libavcodec/evc_parse.c
> @@ -178,6 +178,9 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const
> EVCParserSliceHeader *sh,
>          } else {
>              int SubGopLength = 1 << sps->log2_sub_gop_length;
> 
> +            if (tid > 1 + av_log2(SubGopLength - 1))
> +                return AVERROR_INVALIDDATA;
> +
>              if (tid == 0) {
>                  poc->PicOrderCntVal = poc->prevPicOrderCntVal +
SubGopLength;
>                  poc->DocOffset = 0;

int SubGopLength = 1 << sps->log2_sub_gop_length; if (tid > 1 +
av_log2(SubGopLength - 1))
	return AVERROR_INVALIDDATA;

For the value of SubGopLength = 1 ( if sps->log2_sub_gop_length  = 0; "The
value of log2_sub_gop_length shall be in the range of 0 to 5, inclusive" -
ISO_IEC_23094-1-2020 7.4.3.1), we have av_log2(0). The value of the
logarithm of 0 with any base (in this case, log2) is minus infinity (-inf)

Perhaps we should consider changing the condition to:
if (tid < 0 || tid > av_log2(SubGopLength))
                return AVERROR_INVALIDDATA;

> --
> 2.17.1
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://protect2.fireeye.com/v1/url?k=30e716c0-519afc43-30e69d8f-
> 74fe48600158-4965ec93628418ff&q=1&e=5e707773-ad1c-4987-a095-
> 2350d52c5cd3&u=https%3A%2F%2Fffmpeg.org%2Fmailman%2Flistinfo%2Fffmp
> eg-devel
> 
> To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org
> with subject "unsubscribe".


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2675 bytes --]

On Fri, Oct 27, 2023 at 10:07:38AM +0200, Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics wrote:
> 
> 
> 
> 
> > -----Original Message-----
> > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> > Michael Niedermayer
> > Sent: czwartek, 5 października 2023 00:59
> > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> > Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check
> > num_remaining_tiles_in_slice_minus1
> > 
> > Fixes: out of array access
> > Fixes: 62467/clusterfuzz-testcase-minimized-
> > ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688
> > 
> > Found-by: continuous fuzzing process
> > https://protect2.fireeye.com/v1/url?k=10fdc12a-701f5c77-10fc4a65-
> > 000babd9f1ba-c93ee30773aca891&q=1&e=409cddd0-bda7-445c-b76b-
> > 1caf069ec3f8&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss-
> > fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/evc_parse.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index
> > bd3a4416f2d..5ab33166cf3 100644
> > --- a/libavcodec/evc_parse.c
> > +++ b/libavcodec/evc_parse.c
> > @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb,
> > EVCParserSliceHeader *sh,
> >          if (!sh->arbitrary_slice_flag)
> >              sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1);
> >          else {
> > -            sh->num_remaining_tiles_in_slice_minus1 =
> get_ue_golomb_long(gb);
> > -            num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1
> + 2;
> > +            unsigned num_remaining_tiles_in_slice_minus1 =
> > get_ue_golomb_long(gb);
> > +            if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS *
> > EVC_MAX_TILE_COLUMNS - 2)
> > +                return AVERROR_INVALIDDATA;
> > +
> > +            num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2;
> > +            sh->num_remaining_tiles_in_slice_minus1 =
> > + num_remaining_tiles_in_slice_minus1;
> >              for (int i = 0; i < num_tiles_in_slice - 1; ++i)
> >                  sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb);
> >          }
> > --
> > 2.17.1
> > 
> 
> Reviewed and tested. It can be merged.

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Homeopathy is like voting while filling the ballot out with transparent ink.
Sometimes the outcome one wanted occurs. Rarely its worse than filling out
a ballot properly.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/4] avcodec/evc_parse: remove pow() and log2()

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2960 bytes --]

On Fri, Oct 27, 2023 at 10:15:49AM +0200, Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics wrote:
> 
> 
> 
> 
> > -----Original Message-----
> > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> > Michael Niedermayer
> > Sent: czwartek, 5 października 2023 00:59
> > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> > Subject: [FFmpeg-devel] [PATCH 3/4] avcodec/evc_parse: remove pow() and
> > log2()
> > 
> > The use of float based functions is both unneeded and wrong due to
> > unpredictable rounding
> > 
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/evc_parse.c | 10 ++++++----
> >  1 file changed, 6 insertions(+), 4 deletions(-)
> > 
> > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index
> > 5ab33166cf3..20b6849041a 100644
> > --- a/libavcodec/evc_parse.c
> > +++ b/libavcodec/evc_parse.c
> > @@ -176,7 +176,8 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const
> > EVCParserSliceHeader *sh,
> >              poc->PicOrderCntVal = 0;
> >              poc->DocOffset = -1;
> >          } else {
> > -            int SubGopLength = (int)pow(2.0, sps->log2_sub_gop_length);
> > +            int SubGopLength = 1 << sps->log2_sub_gop_length;
> > +
> >              if (tid == 0) {
> >                  poc->PicOrderCntVal = poc->prevPicOrderCntVal +
> SubGopLength;
> >                  poc->DocOffset = 0;
> > @@ -191,15 +192,16 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const
> > EVCParserSliceHeader *sh,
> >                      poc->prevPicOrderCntVal += SubGopLength;
> >                      ExpectedTemporalId = 0;
> >                  } else
> > -                    ExpectedTemporalId = 1 + (int)log2(poc->DocOffset);
> > +                    ExpectedTemporalId = 1 + av_log2(poc->DocOffset);
> > +
> >                  while (tid != ExpectedTemporalId) {
> >                      poc->DocOffset = (poc->DocOffset + 1) % SubGopLength;
> >                      if (poc->DocOffset == 0)
> >                          ExpectedTemporalId = 0;
> >                      else
> > -                        ExpectedTemporalId = 1 +
> (int)log2(poc->DocOffset);
> > +                        ExpectedTemporalId = 1 +
> > + av_log2(poc->DocOffset);
> >                  }
> > -                PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset +
> 1) /
> > (int)pow(2.0, tid) - 2));
> > +                PocOffset = (int)(SubGopLength * ((2.0 * poc->DocOffset
> > + + 1) / (1 << tid) - 2));
> >                  poc->PicOrderCntVal = poc->prevPicOrderCntVal +
> PocOffset;
> >              }
> >          }
> > --
> > 2.17.1
> > 
> Reviewed. Looks good. It can be merged.

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is what and why we do it that matters, not just one of them.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1

[Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics]

Michael

Could you please apply the following patch

[FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1
https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231004225921.30287-2-michael@niedermayer.cc/ 

Dawid

> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> Michael Niedermayer
> Sent: piątek, 27 października 2023 21:43
> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> Subject: Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check
> num_remaining_tiles_in_slice_minus1
> 
> On Fri, Oct 27, 2023 at 10:07:38AM +0200, Dawid Kozinski/Multimedia (PLT)
> /SRPOL/Staff Engineer/Samsung Electronics wrote:
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of
> > > Michael Niedermayer
> > > Sent: czwartek, 5 października 2023 00:59
> > > To: FFmpeg development discussions and patches
> > > <ffmpeg-devel@ffmpeg.org>
> > > Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check
> > > num_remaining_tiles_in_slice_minus1
> > >
> > > Fixes: out of array access
> > > Fixes: 62467/clusterfuzz-testcase-minimized-
> > > ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688
> > >
> > > Found-by: continuous fuzzing process
> > > https://protect2.fireeye.com/v1/url?k=10fdc12a-701f5c77-10fc4a65-
> > > 000babd9f1ba-c93ee30773aca891&q=1&e=409cddd0-bda7-445c-b76b-
> > > 1caf069ec3f8&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss-
> > > fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavcodec/evc_parse.c | 8 ++++++--
> > >  1 file changed, 6 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index
> > > bd3a4416f2d..5ab33166cf3 100644
> > > --- a/libavcodec/evc_parse.c
> > > +++ b/libavcodec/evc_parse.c
> > > @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb,
> > > EVCParserSliceHeader *sh,
> > >          if (!sh->arbitrary_slice_flag)
> > >              sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1);
> > >          else {
> > > -            sh->num_remaining_tiles_in_slice_minus1 =
> > get_ue_golomb_long(gb);
> > > -            num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1
> > + 2;
> > > +            unsigned num_remaining_tiles_in_slice_minus1 =
> > > get_ue_golomb_long(gb);
> > > +            if (num_remaining_tiles_in_slice_minus1 >
> > > + EVC_MAX_TILE_ROWS *
> > > EVC_MAX_TILE_COLUMNS - 2)
> > > +                return AVERROR_INVALIDDATA;
> > > +
> > > +            num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2;
> > > +            sh->num_remaining_tiles_in_slice_minus1 =
> > > + num_remaining_tiles_in_slice_minus1;
> > >              for (int i = 0; i < num_tiles_in_slice - 1; ++i)
> > >                  sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb);
> > >          }
> > > --
> > > 2.17.1
> > >
> >
> > Reviewed and tested. It can be merged.
> 
> will apply
> 
> thx
> 
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> 
> Homeopathy is like voting while filling the ballot out with transparent ink.
> Sometimes the outcome one wanted occurs. Rarely its worse than filling out a
> ballot properly.


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 412 bytes --]

On Thu, Nov 09, 2023 at 10:27:28AM +0100, Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics wrote:
> Michael
> 
> Could you please apply the following patch

yes, sorry i somehow seem to have forgotten

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".