To: ffmpeg-devel@ffmpeg.org
Date: Thu, 18 Sep 2025 23:23:47 -0000
Message-ID: <175823782950.25.1121038659284770191@463a07221176>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PATCH] Fix 3 bigsleep issues in exr (PR #20550)
From: michaelni via ffmpeg-devel
Cc: michaelni

PR #20550 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20550
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20550.patch

>>From 38d62a1a51a84e220b6dbeaefd961f170d2d5c72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Sep 2025 17:32:46 +0200 Subject: [PATCH 1/3] avcodec/exr: check ac_size Fixes: out of array read Fixes: dwa_uncompress.py.crash.exr The code will read from the ac data even if ac_size is 0, thus that case is not implemented and we ask for a sample and error out cleanly Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index e6051567d1..b772f1f74a 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c
@@ -1021,6 +1021,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse ) return AVERROR_INVALIDDATA; + if (ac_size <= 0) { + avpriv_request_sample(s->avctx, "Zero ac_size"); + return AVERROR_INVALIDDATA; + } + if ((uint64_t)rle_raw_size > INT_MAX) { avpriv_request_sample(s->avctx, "Too big rle_raw_size"); return AVERROR_INVALIDDATA; -- 2.49.1 >>From c440bc3aed7b71217f9d552839f1e31155b6d2aa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 18 Sep 2025 21:28:04 +0200 Subject: [PATCH 2/3] avcodec/exr: Round dc_w/h up Without rounding them up there are too few dc coeffs for the blocks. We do not know if this way of handling odd dimensions is correct, as we have no such DWA sample. thus we ask the user for a sample if she encounters such a file Fixes: out of array access Fixes: BIGSLEEP-445392027-crash.exr Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b772f1f74a..9da935b382 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -992,8 +992,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse int64_t version, lo_usize, lo_size; int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size; int64_t ac_count, dc_count, ac_compression; - const int dc_w = td->xsize >> 3; - const int dc_h = td->ysize >> 3; + const int dc_w = (td->xsize + 7) >> 3; + const int dc_h = (td->ysize + 7) >> 3; GetByteContext gb, agb; int skip, ret; int have_rle = 0; @@ -1031,6 +1031,10 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse return AVERROR_INVALIDDATA; } + if (td->xsize % 8 || td->ysize % 8) { + avpriv_request_sample(s->avctx, "odd dimensions DWA"); + } + bytestream2_init(&gb, src + 88, compressed_size - 88); skip = bytestream2_get_le16(&gb); if (skip < 2) -- 2.49.1 
>>From cd05df4a3c216f24830c86e7c376acdc7edf71a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 Sep 2025 00:18:30 +0200 Subject: [PATCH 3/3] avcodec/exr: Check that DWA has 3 channels The implementation hardcodes access to 3 channels, so we need to check that Fixes: out of array access Fixes: BIGSLEEP-445394503-crash.exr Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9da935b382..c83325aa52 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1005,6 +1005,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse if (version != 2) return AVERROR_INVALIDDATA; + if (s->nb_channels < 3) { + avpriv_request_sample(s->avctx, "Gray DWA"); + return AVERROR_PATCHWELCOME; + } + lo_usize = AV_RL64(src + 8); lo_size = AV_RL64(src + 16); ac_size = AV_RL64(src + 24); -- 2.49.1
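Review bot: In [PATCH 1/3], the added `if (ac_size <= 0)` block reports an unimplemented case through avpriv_request_sample() but returns AVERROR_INVALIDDATA, whereas [PATCH 3/3] returns AVERROR_PATCHWELCOME for its unimplemented case. The commit message describes ac_size == 0 as "not implemented", so AVERROR_PATCHWELCOME would be the matching return for zero. A negative ac_size (it is an int64_t filled from AV_RL64) is plain invalid data, and unless the preceding check, of which only the tail is visible here, already rejects it, the message "Zero ac_size" is printed for negative values as well. Consider splitting the two cases or rewording the message to cover both.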
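Review bot: In the first hunk of [PATCH 2/3], the new dc_w and dc_h initialisers open-code a rounding-up shift; libavutil already provides AV_CEIL_RSHIFT() for this, so `const int dc_w = AV_CEIL_RSHIFT(td->xsize, 3);` (and likewise for dc_h) states the intent directly. Since the commit message says it is not known whether this handling is correct, a short comment at these two lines recording that the rounding is unverified pending a real sample would help the next reader.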
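Review bot: In the second hunk of [PATCH 2/3], the new `if (td->xsize % 8 || td->ysize % 8)` block only calls avpriv_request_sample() and then falls through, so the path the commit message describes as unverified still runs on untrusted input, and the request is emitted on every call to dwa_uncompress() that reaches this point. If continuing is intended, say so in a comment next to the check; otherwise return an error here as the neighbouring size checks do. The message "odd dimensions DWA" is also imprecise, because the test is for dimensions that are not a multiple of 8 rather than odd ones.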
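Review bot: In [PATCH 3/3], the added check is `s->nb_channels < 3`, while the subject says "Check that DWA has 3 channels" and the commit message says the implementation hardcodes access to 3 channels. Please state in the commit message or in a comment above the check whether nb_channels > 3 is safe with that hardcoded access, or test for the exact set that is supported. The sample message "Gray DWA" is also printed when nb_channels is 2, so wording such as "DWA with fewer than 3 channels" would describe the rejected input more accurately.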