To: ffmpeg-devel@ffmpeg.org
Date: Sun, 15 Feb 2026 03:35:07 -0000
Message-ID: <177112650816.25.5840298865996712010@009cbcb3d8cd>
Subject: [FFmpeg-devel] [PR] avcodec/cfhd: Check transform type before continuing (PR #21759)
From: michaelni via ffmpeg-devel
Cc: michaelni
Content-Type: text/plain; charset="us-ascii"

PR #21759 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21759
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21759.patch

avcodec/cfhd: Check transform type before continuing.

Fixes: null pointer dereference
Fixes: 471768165/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_DEC_fuzzer-6187504467509248

The first frame allocates buffers with one transform type; the second frame sets up another transform type, but the code to reallocate buffers is never triggered.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer

From 56c7b802d04419f56ce577f9d9d1d06a7ba9c287 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 14 Feb 2026 23:00:02 +0100
Subject: [PATCH 1/2] avcodec/cfhd: Add CFHDSegment enum and named identifiers
Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 4 ++-- libavcodec/cfhd.h | 9 +++++++++ libavcodec/cfhdenc.c | 12 ++++++------ 3 files changed, 17 insertions(+), 8 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index f110b91f0b..6d1cf4b67b 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -631,7 +631,7 @@ static int cfhd_decode(AVCodecContext *avctx, AVFrame *pic, } else av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data); - if (tag == BitstreamMarker && data == 0xf0f && + if (tag == BitstreamMarker && data == CoefficientSegment && s->coded_format != AV_PIX_FMT_NONE) { int lowpass_height = s->plane[s->channel_num].band[0][0].height; int lowpass_width = s->plane[s->channel_num].band[0][0].width; @@ -701,7 +701,7 @@ static int cfhd_decode(AVCodecContext *avctx, AVFrame *pic, coeff_data = s->plane[s->channel_num].subband[s->subband_num_actual]; /* Lowpass coefficients */ - if (tag == BitstreamMarker && data == 0xf0f) { + if (tag == BitstreamMarker && data == CoefficientSegment) { int lowpass_height, lowpass_width, lowpass_a_height, lowpass_a_width; if (!s->a_width || !s->a_height) { diff --git a/libavcodec/cfhd.h b/libavcodec/cfhd.h index 2dbac80c66..880c0e1e9d 100644 --- a/libavcodec/cfhd.h +++ b/libavcodec/cfhd.h @@ -91,6 +91,15 @@ enum CFHDParam { ChannelHeight = 105, }; +enum CFHDSegment { + LowPassSegment = 0x1a4a, + LowPassEndSegment = 0x1b4b, + HighPassSegment = 0x0d0d, + BandSegment = 0x0e0e, + HighPassEndSegment = 0x0c0c, + CoefficientSegment = 0x0f0f, +}; + #define VLC_BITS 9 #define SUBBAND_COUNT 10 #define SUBBAND_COUNT_3D 17 diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 42e01bfd85..db435f321c 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c 
@@ -627,7 +627,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } bytestream2_put_be16(pby, BitstreamMarker); - bytestream2_put_be16(pby, 0x1a4a); + bytestream2_put_be16(pby, LowPassSegment); pos = bytestream2_tell_p(pby); @@ -653,7 +653,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, bytestream2_put_be16(pby, 16); bytestream2_put_be16(pby, BitstreamMarker); - bytestream2_put_be16(pby, 0x0f0f); + bytestream2_put_be16(pby, CoefficientSegment); for (int i = 0; i < height; i++) { for (int j = 0; j < width; j++) @@ -662,7 +662,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } bytestream2_put_be16(pby, BitstreamMarker); - bytestream2_put_be16(pby, 0x1b4b); + bytestream2_put_be16(pby, LowPassEndSegment); for (int l = 0; l < 3; l++) { for (int i = 0; i < 3; i++) { @@ -677,7 +677,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, int height = s->plane[p].band[l][0].height; bytestream2_put_be16(pby, BitstreamMarker); - bytestream2_put_be16(pby, 0x0d0d); + bytestream2_put_be16(pby, HighPassSegment); bytestream2_put_be16(pby, WaveletType); bytestream2_put_be16(pby, 3 + 2 * (l == 2)); @@ -714,7 +714,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, int count = 0, padd = 0; bytestream2_put_be16(pby, BitstreamMarker); - bytestream2_put_be16(pby, 0x0e0e); + bytestream2_put_be16(pby, BandSegment); bytestream2_put_be16(pby, SubbandNumber); bytestream2_put_be16(pby, i + 1); @@ -783,7 +783,7 @@ static int cfhd_encode_frame(AVCodecContext *avctx, AVPacket *pkt, } bytestream2_put_be16(pby, BitstreamMarker); - bytestream2_put_be16(pby, 0x0c0c); + bytestream2_put_be16(pby, HighPassEndSegment); } s->plane[p].size = bytestream2_tell_p(pby) - pos; -- 2.52.0 >>From 0b97c9938e518fd03ef8699e86d60773ec1a6010 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sun, 15 Feb 2026 00:00:55 +0100 Subject: [PATCH 2/2] avcodec/cfhd: Check transform type before continuing Fixes: null pointer dereference Fixes: 471768165/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_DEC_fuzzer-6187504467509248 The first frame allocates buffers with one transform type the second frame sets up another transform type but the code to reallocate buffers is never triggered Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/cfhd.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 6d1cf4b67b..4d430e32ef 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -698,6 +698,11 @@ static int cfhd_decode(AVCodecContext *avctx, AVFrame *pic, if (s->subband_num_actual == 255) goto finish; + + if (tag == BitstreamMarker && data == CoefficientSegment || tag == BandHeader || tag == BandSecondPass || s->peak.level) + if (s->transform_type != s->a_transform_type) + return AVERROR_PATCHWELCOME; + coeff_data = s->plane[s->channel_num].subband[s->subband_num_actual]; /* Lowpass coefficients */ -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
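Review bot: the two replacements in libavcodec/cfhd.c (hunks at -631 and -701 of PATCH 1/2) swap the literal `0xf0f` for `CoefficientSegment`, which the new enum defines as `0x0f0f`; the values are identical, so decoder behaviour is unchanged and the rename is safe to take as a pure readability change. It would be worth stating that equivalence in the commit message, since a reader diffing `0xf0f` against `0x0f0f` has to stop and check that they are the same 16-bit value.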
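Review bot: the new `enum CFHDSegment` in libavcodec/cfhd.h (hunk at -91 of PATCH 1/2) carries no comment saying what these values are. `enum CFHDParam` directly above it is the tag namespace, while these six constants are the 16-bit payloads written after a `BitstreamMarker` tag (as the cfhdenc.c hunks show with `bytestream2_put_be16(pby, BitstreamMarker); bytestream2_put_be16(pby, LowPassSegment);`), and a reader seeing `LowPassSegment = 0x1a4a` next to `LowPassEndSegment = 0x1b4b` has nothing telling them that. Suggest a one-line comment above the enum, e.g. `/* Values carried by a BitstreamMarker tag to delimit bitstream segments */`.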
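Review bot: the added condition in cfhd_decode (hunk at -698 of PATCH 2/2), `tag == BitstreamMarker && data == CoefficientSegment || tag == BandHeader || tag == BandSecondPass || s->peak.level`, mixes `&&` and `||` without parentheses; C precedence gives the intended grouping, but GCC and Clang warn under -Wparentheses, so wrap the first pair: `if ((tag == BitstreamMarker && data == CoefficientSegment) || tag == BandHeader || tag == BandSecondPass || s->peak.level)`. The `return AVERROR_PATCHWELCOME` is also silent: a stream whose second frame switches `transform_type` after buffers were allocated for the first (`a_transform_type`) is rejected with no diagnostic, so an `avpriv_report_missing_feature(avctx, "transform type change")` or an `av_log(avctx, AV_LOG_ERROR, ...)` before the return would make the rejection visible instead of looking like a generic decode failure. The placement itself is right: it sits after the `subband_num_actual == 255` early exit and before `coeff_data = s->plane[s->channel_num].subband[s->subband_num_actual]` is read, which is what keeps the never-reallocated subband pointer from being dereferenced, matching the commit message.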