From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id DCB494DB8F
	for <ffmpegdev@gitmailbox.com>; Fri,  4 Jul 2025 10:35:49 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 7CC0C68F7D0;
	Fri,  4 Jul 2025 13:35:42 +0300 (EEST)
Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com
 [209.85.210.174])
 by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id F0B7568F7AA
 for <ffmpeg-devel@ffmpeg.org>; Fri,  4 Jul 2025 13:35:34 +0300 (EEST)
Received: by mail-pf1-f174.google.com with SMTP id
 d2e1a72fcca58-747fba9f962so696717b3a.0
 for <ffmpeg-devel@ffmpeg.org>; Fri, 04 Jul 2025 03:35:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1751625333; x=1752230133; darn=ffmpeg.org;
 h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date
 :references:in-reply-to:message-id:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=3d/wJ0bgrHMne3me6yMHf8GbLagowzRJtaniz02DAlc=;
 b=S8t3b/p0N3Bml7BUHARZLYplos9oNqoWcitU5oW0GieCk2PYALxesy4fY6QLSkFPDg
 ZJmP7nffRLN2LXWBb3+6QfXwjzK7GbjT76LAnJ7o5GVowFcv5z0opimqY1mFAZs0jkkP
 tw/Wymo6nPgszWeQw+7H0X6xIUJs1S6nGajn6wCcNi2bRSV7NFSRXl7LYZhLJ26C00AE
 c2rJSt/gWU/Ico3almpq+qGW7J91qCDCv/QisOcH/w34ghNtqIKU1qphEDgGYXKbXZKw
 9/a6Sx7HzaJ69a1xwBkenlfLylu4FjdSqg7aMRtof6/+xP25cTf7EvdrhxWCF9O6Iucp
 SWkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1751625333; x=1752230133;
 h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date
 :references:in-reply-to:message-id:from:x-gm-message-state:from:to
 :cc:subject:date:message-id:reply-to;
 bh=3d/wJ0bgrHMne3me6yMHf8GbLagowzRJtaniz02DAlc=;
 b=efOuXOKj6HGEVzTHZgn/aKVa0xpZvImpnrd5uytiu6lc83JI7VUa02cjOCIJhHr3Ic
 ZT1lDwKsx5EnStt5LzteUZa4550hu7eKjdoDwrds5t795XI6d2kEDuwuj96XJN7bQGmo
 M59SpyPGAF+F39TQMVQqBP74m7fNyna8tWOkSWZbJZXxQo6JloLgMYYoZaC71Pn78lOs
 bfYuUO91YsOTbsUbghDq5kI3jVo4/zs5KF+WPFeYbfSNpzOyOlZOKP19ivqatBrfbqNa
 qrn0etv8AvYhC5C8d7CBnb40XaYEJuuBfZVW5HpIfBRSqVpG9iBc/M1wSDTQj5l9scSb
 7hhQ==
X-Gm-Message-State: AOJu0YxcXK+cDkMzKVWCoX6dfM1yhuiQ1xwZxIIKsB+af768nAA2LKYq
 EIPVU4urMmYeenFHJficEpo1kLlKgufhP2vgtXACTtIpB3Y6BELLStY/fwqMHQ==
X-Gm-Gg: ASbGncuPjOhdRYvo8QosEVE4HyZOqbfAAMHVfHJFhAdy1uYn1O+Jbsw2g/HHJMPQMaf
 D6YLNWRTAJ77LgUjUitBm2G3OpSOfzD4rAUr7ZlOrfQK3GsiXrGcXaIcbY6sBddj6Goh6F6xOPf
 vasK7v/e2yuBNOzmIwpOT7zAqtPA/wbNcmCgM/aKA8l0qnFTarTA5ASwBE1AbX0qM21Xc3wOpCZ
 Kkcb04XFvUtn2RohXnU80O7Q1nSZTHo+aMiHjwiYaL4kc5O+xeh6dFO0sjXlB+9XpsDKil8recw
 /A3TY2BosS863liMqKeqeJLmbJjHQmuO1NuuZtEfVvZsGyoqu9ubNjk8yX6wLRFHLSMcDEkqKoq
 0ticCzRGnD/Dg4F+xUxMXEVcKvdU=
X-Google-Smtp-Source: AGHT+IHxQqgIdlc80gM/Scymdb1X8mVo5jAcNAHQIN+GPrReQYQy9NkMzAWyPL6nt5t+LdalJhaacQ==
X-Received: by 2002:a05:6a21:1798:b0:220:3a2:e0c6 with SMTP id
 adf61e73a8af0-2259574d806mr5065689637.6.1751625333126; 
 Fri, 04 Jul 2025 03:35:33 -0700 (PDT)
Received: from [127.0.0.1] (master.gitmailbox.com. [34.83.118.50])
 by smtp.gmail.com with ESMTPSA id
 41be03b00d2f7-b38ee74a681sm1754749a12.76.2025.07.04.03.35.32
 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 04 Jul 2025 03:35:32 -0700 (PDT)
From: Andreas Rheinhardt <ffmpegagent-at-gmail.com@ffmpeg.org>
X-Google-Original-From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Message-Id: <1211c4131e1fe68ebf58b026ef9e33bc10710c5a.1751625321.git.ffmpegagent@gmail.com>
In-Reply-To: <pull.105.ffstaging.FFmpeg.1751625321.ffmpegagent@gmail.com>
References: <pull.105.ffstaging.FFmpeg.1751625321.ffmpegagent@gmail.com>
X-Original-From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Fri, 04 Jul 2025 10:35:18 +0000
Fcc: Sent
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/1211c4131e1fe68ebf58b026ef9e33bc10710c5a.1751625321.git.ffmpegagent@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

When flushing, the code would use subpacket sizes from the last
proper packet sent and use this to offset the NULL buf variable
which is UB (this happens in the opus-testvector02 FATE-test).

This also has the potential to make buf != NULL, so that one
would enter the codepath for non-flush packets and try to parse
a subpacket, erroring out because the size would be negative
(I don't have a sample for this as the testvector02 sample
only uses one stream).

Fix this by not using wrong sizes.

Fixes: libavcodec/opus/dec.c:588:18: runtime error: applying non-zero offset 10 to null pointer

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/opus/dec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/opus/dec.c b/libavcodec/opus/dec.c
index 6c59dc1f46..a43146c82c 100644
--- a/libavcodec/opus/dec.c
+++ b/libavcodec/opus/dec.c
@@ -484,6 +484,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
     int coded_samples   = 0;
     int decoded_samples = INT_MAX;
     int delayed_samples = 0;
+    int subpacket_size  = 0;
     int i, ret;
 
     /* calculate the number of delayed samples */
@@ -504,6 +505,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
             return ret;
         }
         coded_samples += pkt->frame_count * pkt->frame_duration;
+        subpacket_size = pkt->packet_size;
         c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config);
     }
 
@@ -575,6 +577,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
                 return AVERROR_INVALIDDATA;
             }
 
+            subpacket_size     = s->packet.packet_size;
             s->silk_samplerate = get_silk_samplerate(s->packet.config);
         }
 
@@ -585,8 +588,8 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
         s->decoded_samples = ret;
         decoded_samples       = FFMIN(decoded_samples, ret);
 
-        buf      += s->packet.packet_size;
-        buf_size -= s->packet.packet_size;
+        buf       = FF_PTR_ADD(buf, subpacket_size);
+        buf_size -= subpacket_size;
     }
 
     /* buffer the extra samples */
-- 
ffmpeg-codebot

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".