* [FFmpeg-devel] [PATCH] Fix 3 bigsleep issues in exr (PR #20550)
@ 2025-09-18 23:23 michaelni via ffmpeg-devel
From: michaelni via ffmpeg-devel @ 2025-09-18 23:23 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: michaelni
PR #20550 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20550
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20550.patch
>From 38d62a1a51a84e220b6dbeaefd961f170d2d5c72 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 18 Sep 2025 17:32:46 +0200
Subject: [PATCH 1/3] avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index e6051567d1..b772f1f74a 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1021,6 +1021,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
)
return AVERROR_INVALIDDATA;
+ if (ac_size <= 0) {
+ avpriv_request_sample(s->avctx, "Zero ac_size");
+ return AVERROR_INVALIDDATA;
+ }
+
if ((uint64_t)rle_raw_size > INT_MAX) {
avpriv_request_sample(s->avctx, "Too big rle_raw_size");
return AVERROR_INVALIDDATA;
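Review bot: the new `ac_size <= 0` block returns AVERROR_INVALIDDATA, while the commit message calls a zero ac_size a case that is not implemented, and patch 3/3 of this series returns AVERROR_PATCHWELCOME after avpriv_request_sample() for that kind of situation. Since ac_size is an int64_t filled by AV_RL64(), the condition also catches negative values unless the preceding check already rejects them, and for those the "Zero ac_size" sample request is misleading. Consider splitting it: `ac_size < 0` returns AVERROR_INVALIDDATA without a sample request, and `ac_size == 0` requests the sample and returns AVERROR_PATCHWELCOME.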
--
2.49.1
>From c440bc3aed7b71217f9d552839f1e31155b6d2aa Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 18 Sep 2025 21:28:04 +0200
Subject: [PATCH 2/3] avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
Thus we ask the user for a sample if she encounters such a file.
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b772f1f74a..9da935b382 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -992,8 +992,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
int64_t version, lo_usize, lo_size;
int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
int64_t ac_count, dc_count, ac_compression;
- const int dc_w = td->xsize >> 3;
- const int dc_h = td->ysize >> 3;
+ const int dc_w = (td->xsize + 7) >> 3;
+ const int dc_h = (td->ysize + 7) >> 3;
GetByteContext gb, agb;
int skip, ret;
int have_rle = 0;
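Review bot: the rounded-up `dc_w`/`dc_h` declarations carry no comment, although the commit message says this handling of sizes that are not a multiple of 8 is unverified for lack of a sample. A one-line comment at the declarations stating that would help the next reader, and `AV_CEIL_RSHIFT(td->xsize, 3)` expresses the ceiling division more directly than `(td->xsize + 7) >> 3`.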
@@ -1031,6 +1031,10 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
return AVERROR_INVALIDDATA;
}
+ if (td->xsize % 8 || td->ysize % 8) {
+ avpriv_request_sample(s->avctx, "odd dimensions DWA");
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
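Review bot: the `td->xsize % 8 || td->ysize % 8` block only calls avpriv_request_sample() and then falls through, unlike the neighbouring rle_raw_size check, which returns an error after its sample request. If continuing to decode is intended, as the commit message suggests, a short comment should say so. The braces around the single statement can go, and "odd dimensions DWA" would be more precise as "DWA with dimensions not a multiple of 8", since the test also fires for even sizes such as 12.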
--
2.49.1
>From cd05df4a3c216f24830c86e7c376acdc7edf71a5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 19 Sep 2025 00:18:30 +0200
Subject: [PATCH 3/3] avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that.
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9da935b382..c83325aa52 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1005,6 +1005,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
if (version != 2)
return AVERROR_INVALIDDATA;
+ if (s->nb_channels < 3) {
+ avpriv_request_sample(s->avctx, "Gray DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+
lo_usize = AV_RL64(src + 8);
lo_size = AV_RL64(src + 16);
ac_size = AV_RL64(src + 24);
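Review bot: the `s->nb_channels < 3` check reports "Gray DWA", but it also fires for two-channel files, which are not gray; "DWA with fewer than 3 channels" would match the condition. The subject line says "has 3 channels" while the condition lets files with more than 3 channels through, so a comment stating why that is safe for the hardcoded 3-channel access would help.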
--
2.49.1