* [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation
@ 2021-12-23 21:15 Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha Michael Niedermayer
` (4 more replies)
0 siblings, 5 replies; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-23 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 42667/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5619236075077632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/targa.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/libavcodec/targa.c b/libavcodec/targa.c
index 221fcc956d0..b0048621d35 100644
--- a/libavcodec/targa.c
+++ b/libavcodec/targa.c
@@ -117,6 +117,7 @@ static int decode_frame(AVCodecContext *avctx,
int idlen, pal, compr, y, w, h, bpp, flags, ret;
int first_clr, colors, csize;
int interleave;
+ size_t img_size;
bytestream2_init(&s->gb, avpkt->data, avpkt->size);
@@ -180,6 +181,15 @@ static int decode_frame(AVCodecContext *avctx,
return avpkt->size;
}
+ if (!(compr & TGA_RLE)) {
+ img_size = w * ((bpp + 1) >> 3);
+ if (bytestream2_get_bytes_left(&s->gb) < img_size * h) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Not enough data available for image\n");
+ return AVERROR_INVALIDDATA;
+ }
+ }
+
if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
return ret;
p->pict_type = AV_PICTURE_TYPE_I;
@@ -251,7 +261,6 @@ static int decode_frame(AVCodecContext *avctx,
if (res < 0)
return res;
} else {
- size_t img_size = w * ((bpp + 1) >> 3);
uint8_t *line;
if (bytestream2_get_bytes_left(&s->gb) < img_size * h) {
av_log(avctx, AV_LOG_ERROR,
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha
2021-12-23 21:15 [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
@ 2021-12-23 21:15 ` Michael Niedermayer
2021-12-23 21:45 ` Andreas Rheinhardt
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 3/5] avformat/flvdec: timestamps cannot use the full int64 range Michael Niedermayer
` (3 subsequent siblings)
4 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-23 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: left shift of 255 by 24 places cannot be represented in type 'int'
Fixes: 42766/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5142826105569280
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/cdgraphics.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index 06f83920943..f54ce5a05c0 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -122,7 +122,7 @@ static void cdg_load_palette(CDGraphicsContext *cc, uint8_t *data, int low)
r = ((color >> 8) & 0x000F) * 17;
g = ((color >> 4) & 0x000F) * 17;
b = ((color ) & 0x000F) * 17;
- palette[i + array_offset] = cc->alpha[i + array_offset] << 24 | r << 16 | g << 8 | b;
+ palette[i + array_offset] = (unsigned)cc->alpha[i + array_offset] << 24 | r << 16 | g << 8 | b;
}
cc->frame->palette_has_changed = 1;
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* [FFmpeg-devel] [PATCH 3/5] avformat/flvdec: timestamps cannot use the full int64 range
2021-12-23 21:15 [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha Michael Niedermayer
@ 2021-12-23 21:15 ` Michael Niedermayer
2021-12-30 20:44 ` Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 4/5] avcodec/apedec: fix integer overflow in 8bit samples Michael Niedermayer
` (2 subsequent siblings)
4 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-23 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
We do not support this as we multiply by 1000
Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long'
Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/flvdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 44a7e5f93cc..b9e36b3ff1b 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -461,6 +461,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m
d = av_int2double(avio_rb64(ioc));
if (isnan(d) || d < INT64_MIN || d > INT64_MAX)
goto invalid;
+ if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000))
+ goto invalid;
current_array[0][i] = d;
}
if (times && filepositions) {
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* [FFmpeg-devel] [PATCH 4/5] avcodec/apedec: fix integer overflow in 8bit samples
2021-12-23 21:15 [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 3/5] avformat/flvdec: timestamps cannot use the full int64 range Michael Niedermayer
@ 2021-12-23 21:15 ` Michael Niedermayer
2021-12-30 20:42 ` Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample Michael Niedermayer
2021-12-30 21:11 ` [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
4 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-23 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int'
Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/apedec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 35a2e617e69..b932263012e 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1587,7 +1587,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
for (ch = 0; ch < s->channels; ch++) {
sample8 = (uint8_t *)frame->data[ch];
for (i = 0; i < blockstodecode; i++)
- *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff;
+ *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff;
}
break;
case 16:
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample
2021-12-23 21:15 [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
` (2 preceding siblings ...)
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 4/5] avcodec/apedec: fix integer overflow in 8bit samples Michael Niedermayer
@ 2021-12-23 21:15 ` Michael Niedermayer
2021-12-23 23:07 ` Peter Ross
2021-12-24 3:32 ` John-Paul Stewart
2021-12-30 21:11 ` [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
4 siblings, 2 replies; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-23 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: division by zero
Fixes: 42814/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4787014237552640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mvdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 1a5012e5076..390f6ba4de8 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -366,6 +366,9 @@ static int mv_read_header(AVFormatContext *avctx)
avpriv_request_sample(avctx, "Audio compression (format %i)", v);
}
+ if (bytes_per_sample <= 0)
+ return AVERROR_INVALIDDATA;
+
if (set_channels(avctx, ast, avio_rb32(pb)) < 0)
return AVERROR_INVALIDDATA;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha Michael Niedermayer
@ 2021-12-23 21:45 ` Andreas Rheinhardt
2021-12-25 10:43 ` Michael Niedermayer
0 siblings, 1 reply; 15+ messages in thread
From: Andreas Rheinhardt @ 2021-12-23 21:45 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: left shift of 255 by 24 places cannot be represented in type 'int'
> Fixes: 42766/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5142826105569280
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/cdgraphics.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
> index 06f83920943..f54ce5a05c0 100644
> --- a/libavcodec/cdgraphics.c
> +++ b/libavcodec/cdgraphics.c
> @@ -122,7 +122,7 @@ static void cdg_load_palette(CDGraphicsContext *cc, uint8_t *data, int low)
> r = ((color >> 8) & 0x000F) * 17;
> g = ((color >> 4) & 0x000F) * 17;
> b = ((color ) & 0x000F) * 17;
> - palette[i + array_offset] = cc->alpha[i + array_offset] << 24 | r << 16 | g << 8 | b;
> + palette[i + array_offset] = (unsigned)cc->alpha[i + array_offset] << 24 | r << 16 | g << 8 | b;
> }
> cc->frame->palette_has_changed = 1;
> }
>
LGTM. Although I'd prefer uint32_t here, as this is exactly what is
needed and it fits the type of palette.
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample Michael Niedermayer
@ 2021-12-23 23:07 ` Peter Ross
2021-12-24 3:32 ` John-Paul Stewart
1 sibling, 0 replies; 15+ messages in thread
From: Peter Ross @ 2021-12-23 23:07 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 1037 bytes --]
On Thu, Dec 23, 2021 at 10:15:27PM +0100, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: 42814/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4787014237552640
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mvdec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> index 1a5012e5076..390f6ba4de8 100644
> --- a/libavformat/mvdec.c
> +++ b/libavformat/mvdec.c
> @@ -366,6 +366,9 @@ static int mv_read_header(AVFormatContext *avctx)
> avpriv_request_sample(avctx, "Audio compression (format %i)", v);
> }
>
> + if (bytes_per_sample <= 0)
> + return AVERROR_INVALIDDATA;
> +
> if (set_channels(avctx, ast, avio_rb32(pb)) < 0)
> return AVERROR_INVALIDDATA;
please apply.
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample Michael Niedermayer
2021-12-23 23:07 ` Peter Ross
@ 2021-12-24 3:32 ` John-Paul Stewart
2021-12-24 16:58 ` Michael Niedermayer
1 sibling, 1 reply; 15+ messages in thread
From: John-Paul Stewart @ 2021-12-24 3:32 UTC (permalink / raw)
To: ffmpeg-devel
On 2021-12-23 16:15, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: 42814/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4787014237552640
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mvdec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> index 1a5012e5076..390f6ba4de8 100644
> --- a/libavformat/mvdec.c
> +++ b/libavformat/mvdec.c
> @@ -366,6 +366,9 @@ static int mv_read_header(AVFormatContext *avctx)
> avpriv_request_sample(avctx, "Audio compression (format %i)", v);
> }
>
> + if (bytes_per_sample <= 0)
> + return AVERROR_INVALIDDATA;
> +
bytes_per_sample is uint32_t so it can never be less than zero.
bytes_per_sample will be zero for movie files with no audio, so that is
not necessarily invalid data.
I can't offer a better suggestion at the moment, though. I'll see if
can come up with something, unless one of you guys gets to it first.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample
2021-12-24 3:32 ` John-Paul Stewart
@ 2021-12-24 16:58 ` Michael Niedermayer
2021-12-24 20:29 ` John-Paul Stewart
0 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-24 16:58 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 1801 bytes --]
On Thu, Dec 23, 2021 at 10:32:12PM -0500, John-Paul Stewart wrote:
> On 2021-12-23 16:15, Michael Niedermayer wrote:
> > Fixes: division by zero
> > Fixes: 42814/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4787014237552640
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/mvdec.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> > index 1a5012e5076..390f6ba4de8 100644
> > --- a/libavformat/mvdec.c
> > +++ b/libavformat/mvdec.c
> > @@ -366,6 +366,9 @@ static int mv_read_header(AVFormatContext *avctx)
> > avpriv_request_sample(avctx, "Audio compression (format %i)", v);
> > }
> >
> > + if (bytes_per_sample <= 0)
> > + return AVERROR_INVALIDDATA;
> > +
>
> bytes_per_sample is uint32_t so it can never be less than zero.
>
> bytes_per_sample will be zero for movie files with no audio, so that is
> not necessarily invalid data.
i can change it to AVERROR_PATCHWELCOME but this codepath has already
created a audio stream so the code at least belives at this point that
there is audio and it will crash a few lines later
>
> I can't offer a better suggestion at the moment, though. I'll see if
> can come up with something, unless one of you guys gets to it first.
ok, ill apply this unless i see another fix first as it fixes the crash
and in fact in this path requests for samples where already printed also
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample
2021-12-24 16:58 ` Michael Niedermayer
@ 2021-12-24 20:29 ` John-Paul Stewart
2021-12-25 10:43 ` Michael Niedermayer
0 siblings, 1 reply; 15+ messages in thread
From: John-Paul Stewart @ 2021-12-24 20:29 UTC (permalink / raw)
To: ffmpeg-devel
On 2021-12-24 11:58, Michael Niedermayer wrote:
> On Thu, Dec 23, 2021 at 10:32:12PM -0500, John-Paul Stewart wrote:
>> On 2021-12-23 16:15, Michael Niedermayer wrote:
>>> Fixes: division by zero
>>> Fixes: 42814/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4787014237552640
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavformat/mvdec.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
>>> index 1a5012e5076..390f6ba4de8 100644
>>> --- a/libavformat/mvdec.c
>>> +++ b/libavformat/mvdec.c
>>> @@ -366,6 +366,9 @@ static int mv_read_header(AVFormatContext *avctx)
>>> avpriv_request_sample(avctx, "Audio compression (format %i)", v);
>>> }
>>>
>>> + if (bytes_per_sample <= 0)
>>> + return AVERROR_INVALIDDATA;
>>> +
>>
>> bytes_per_sample is uint32_t so it can never be less than zero.
>>
>> bytes_per_sample will be zero for movie files with no audio, so that is
>> not necessarily invalid data.
I have to retract that comment. Sorry for the confusion.
Now that I've had time to delve into it further, the Silicon Graphics
format will fill in a placeholder audio track (16 bit stereo, 22050 Hz)
even when there is no actual audio. So even movies with no sound will
have bytes_per_sample > 0.
> i can change it to AVERROR_PATCHWELCOME but this codepath has already
> created a audio stream so the code at least belives at this point that
> there is audio and it will crash a few lines later
>
>>
>> I can't offer a better suggestion at the moment, though. I'll see if
>> can come up with something, unless one of you guys gets to it first.
>
> ok, ill apply this unless i see another fix first as it fixes the crash
> and in fact in this path requests for samples where already printed also
The real issue is that the audio stream is always allocated even when
there is no audio. Fixing that is a project for another day. Don't let
me stop you from applying the above patch.
And again, my apologies for the confusion.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha
2021-12-23 21:45 ` Andreas Rheinhardt
@ 2021-12-25 10:43 ` Michael Niedermayer
0 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-25 10:43 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 1604 bytes --]
On Thu, Dec 23, 2021 at 10:45:47PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: left shift of 255 by 24 places cannot be represented in type 'int'
> > Fixes: 42766/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5142826105569280
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/cdgraphics.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
> > index 06f83920943..f54ce5a05c0 100644
> > --- a/libavcodec/cdgraphics.c
> > +++ b/libavcodec/cdgraphics.c
> > @@ -122,7 +122,7 @@ static void cdg_load_palette(CDGraphicsContext *cc, uint8_t *data, int low)
> > r = ((color >> 8) & 0x000F) * 17;
> > g = ((color >> 4) & 0x000F) * 17;
> > b = ((color ) & 0x000F) * 17;
> > - palette[i + array_offset] = cc->alpha[i + array_offset] << 24 | r << 16 | g << 8 | b;
> > + palette[i + array_offset] = (unsigned)cc->alpha[i + array_offset] << 24 | r << 16 | g << 8 | b;
> > }
> > cc->frame->palette_has_changed = 1;
> > }
> >
>
> LGTM. Although I'd prefer uint32_t here, as this is exactly what is
> needed and it fits the type of palette.
will apply32_t
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample
2021-12-24 20:29 ` John-Paul Stewart
@ 2021-12-25 10:43 ` Michael Niedermayer
0 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-25 10:43 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 2680 bytes --]
On Fri, Dec 24, 2021 at 03:29:50PM -0500, John-Paul Stewart wrote:
> On 2021-12-24 11:58, Michael Niedermayer wrote:
> > On Thu, Dec 23, 2021 at 10:32:12PM -0500, John-Paul Stewart wrote:
> >> On 2021-12-23 16:15, Michael Niedermayer wrote:
> >>> Fixes: division by zero
> >>> Fixes: 42814/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-4787014237552640
> >>>
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >>> ---
> >>> libavformat/mvdec.c | 3 +++
> >>> 1 file changed, 3 insertions(+)
> >>>
> >>> diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> >>> index 1a5012e5076..390f6ba4de8 100644
> >>> --- a/libavformat/mvdec.c
> >>> +++ b/libavformat/mvdec.c
> >>> @@ -366,6 +366,9 @@ static int mv_read_header(AVFormatContext *avctx)
> >>> avpriv_request_sample(avctx, "Audio compression (format %i)", v);
> >>> }
> >>>
> >>> + if (bytes_per_sample <= 0)
> >>> + return AVERROR_INVALIDDATA;
> >>> +
> >>
> >> bytes_per_sample is uint32_t so it can never be less than zero.
> >>
> >> bytes_per_sample will be zero for movie files with no audio, so that is
> >> not necessarily invalid data.
>
> I have to retract that comment. Sorry for the confusion.
>
> Now that I've had time to delve into it further, the Silicon Graphics
> format will fill in a placeholder audio track (16 bit stereo, 22050 Hz)
> even when there is no actual audio. So even movies with no sound will
> have bytes_per_sample > 0.
>
> > i can change it to AVERROR_PATCHWELCOME but this codepath has already
> > created a audio stream so the code at least belives at this point that
> > there is audio and it will crash a few lines later
> >
> >>
> >> I can't offer a better suggestion at the moment, though. I'll see if
> >> can come up with something, unless one of you guys gets to it first.
> >
> > ok, ill apply this unless i see another fix first as it fixes the crash
> > and in fact in this path requests for samples where already printed also
>
> The real issue is that the audio stream is always allocated even when
> there is no audio. Fixing that is a project for another day. Don't let
> me stop you from applying the above patch.
ok will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you dont want and which you would get tomorrow for free anyway
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/5] avcodec/apedec: fix integer overflow in 8bit samples
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 4/5] avcodec/apedec: fix integer overflow in 8bit samples Michael Niedermayer
@ 2021-12-30 20:42 ` Michael Niedermayer
0 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-30 20:42 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 787 bytes --]
On Thu, Dec 23, 2021 at 10:15:26PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int'
> Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/apedec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Homeopathy is like voting while filling the ballot out with transparent ink.
Sometimes the outcome one wanted occurs. Rarely its worse than filling out
a ballot properly.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 3/5] avformat/flvdec: timestamps cannot use the full int64 range
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 3/5] avformat/flvdec: timestamps cannot use the full int64 range Michael Niedermayer
@ 2021-12-30 20:44 ` Michael Niedermayer
0 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-30 20:44 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 943 bytes --]
On Thu, Dec 23, 2021 at 10:15:25PM +0100, Michael Niedermayer wrote:
> We do not support this as we multiply by 1000
> Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long'
> Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/flvdec.c | 2 ++
> 1 file changed, 2 insertions(+)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Any man who breaks a law that conscience tells him is unjust and willingly
accepts the penalty by staying in jail in order to arouse the conscience of
the community on the injustice of the law is at that moment expressing the
very highest respect for law. - Martin Luther King Jr
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation
2021-12-23 21:15 [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
` (3 preceding siblings ...)
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample Michael Niedermayer
@ 2021-12-30 21:11 ` Michael Niedermayer
4 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2021-12-30 21:11 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 652 bytes --]
On Thu, Dec 23, 2021 at 10:15:23PM +0100, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 42667/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5619236075077632
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/targa.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2021-12-30 21:11 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-23 21:15 [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 2/5] avcodec/cdgraphics: avoid signed overflow in alpha Michael Niedermayer
2021-12-23 21:45 ` Andreas Rheinhardt
2021-12-25 10:43 ` Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 3/5] avformat/flvdec: timestamps cannot use the full int64 range Michael Niedermayer
2021-12-30 20:44 ` Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 4/5] avcodec/apedec: fix integer overflow in 8bit samples Michael Niedermayer
2021-12-30 20:42 ` Michael Niedermayer
2021-12-23 21:15 ` [FFmpeg-devel] [PATCH 5/5] avformat/mvdec: Check bytes_per_sample Michael Niedermayer
2021-12-23 23:07 ` Peter Ross
2021-12-24 3:32 ` John-Paul Stewart
2021-12-24 16:58 ` Michael Niedermayer
2021-12-24 20:29 ` John-Paul Stewart
2021-12-25 10:43 ` Michael Niedermayer
2021-12-30 21:11 ` [FFmpeg-devel] [PATCH 1/5] avcodec/targa: Check input size for uncompressed TGA before allocation Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git