From: "Dawid Kozinski/Multimedia \(PLT\) /SRPOL/Staff Engineer/Samsung Electronics"
To: "'FFmpeg development discussions and patches'"
In-Reply-To: <20231004225921.30287-2-michael@niedermayer.cc>
References: <20231004225921.30287-1-michael@niedermayer.cc> <20231004225921.30287-2-michael@niedermayer.cc>
Date: Fri, 27 Oct 2023 10:07:38 +0200
Message-ID: <00e201da08ac$a70a7b10$f51f7130$@samsung.com>
Subject: Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1

> -----Original Message-----
> From: ffmpeg-devel On Behalf Of Michael Niedermayer
> Sent: Thursday, 5 October 2023 00:59
> To: FFmpeg development discussions and patches
> Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1
>
> Fixes: out of array access
> Fixes: 62467/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688
>
> Found-by: continuous fuzzing process https://protect2.fireeye.com/v1/url?k=10fdc12a-701f5c77-10fc4a65-000babd9f1ba-c93ee30773aca891&q=1&e=409cddd0-bda7-445c-b76b-1caf069ec3f8&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss-fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg
> Signed-off-by: Michael Niedermayer
> --- > libavcodec/evc_parse.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > = > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index > bd3a4416f2d..5ab33166cf3 100644 > --- a/libavcodec/evc_parse.c > +++ b/libavcodec/evc_parse.c 
> @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb, > EVCParserSliceHeader *sh, > if (!sh->arbitrary_slice_flag) > sh->last_tile_id =3D get_bits(gb, pps->tile_id_len_minus1 + = 1); > else { > - sh->num_remaining_tiles_in_slice_minus1 =3D get_ue_golomb_long(gb); > - num_tiles_in_slice =3D sh->num_remaining_tiles_in_slice_minu= s1 + 2; > + unsigned num_remaining_tiles_in_slice_minus1 =3D > get_ue_golomb_long(gb); > + if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS * > EVC_MAX_TILE_COLUMNS - 2) > + return AVERROR_INVALIDDATA; > + > + num_tiles_in_slice =3D num_remaining_tiles_in_slice_minus1 += 2; > + sh->num_remaining_tiles_in_slice_minus1 =3D > + num_remaining_tiles_in_slice_minus1; > for (int i =3D 0; i < num_tiles_in_slice - 1; ++i) > sh->delta_tile_id_minus1[i] =3D get_ue_golomb_long(gb); > } > -- > 2.17.1

Reviewed and tested. It can be merged.
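
Review bot: the new bound in the `else` branch, `EVC_MAX_TILE_ROWS * EVC_MAX_TILE_COLUMNS - 2`, is a compile-time constant that is tied only implicitly to the storage the loop below fills. `for (int i = 0; i < num_tiles_in_slice - 1; ++i)` writes `num_remaining_tiles_in_slice_minus1 + 1` entries of `sh->delta_tile_id_minus1[]`, and the declared length of that array is not visible in this hunk. If it is a fixed-size member, consider stating the limit against the array itself, for example rejecting when `num_remaining_tiles_in_slice_minus1 >= FF_ARRAY_ELEMS(sh->delta_tile_id_minus1)`, or at least add a one-line comment explaining where the `- 2` comes from (`num_tiles_in_slice` is the parsed value `+ 2`), so the check cannot drift from the array size unnoticed. Separately, the values stored into `delta_tile_id_minus1[i]` still come straight from `get_ue_golomb_long(gb)` with no range check; if they are later used as tile indices they need validating as well.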