* [FFmpeg-devel] [PATCH 1/3] avcodec/alsdec: No channels cannot be accessed
From: Michael Niedermayer @ 2022-07-02 12:22 UTC
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5054524173189120
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/alsdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index bf961a03f5..7031fa0acb 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -361,6 +361,9 @@ static av_cold int read_specific_config(ALSDecContext *ctx)
return AVERROR_PATCHWELCOME;
}
+ if (avctx->ch_layout.nb_channels == 0)
+ return AVERROR_INVALIDDATA;
+
ctx->cur_frame_length = sconf->frame_length;
// read channel config
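Review bot: the new check `if (avctx->ch_layout.nb_channels == 0)` sits after the AVERROR_PATCHWELCOME branch and before `ctx->cur_frame_length = sconf->frame_length;`, which is the right place to reject the stream before any per-channel state is set up, but the visible context does not show where avctx->ch_layout.nb_channels is assigned, so it is worth confirming that read_specific_config() has already read the channel count from the stream configuration at this point. A one-line comment such as `/* a zero-channel stream would index the channel arrays out of bounds */` tying the check to the out-of-array access named in the commit message would help the next reader.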
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/3] avformat/cinedec: Check size and pos more
From: Michael Niedermayer @ 2022-07-02 12:22 UTC
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long'
Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/cinedec.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
index f4779b2676..e8d9657ee1 100644
--- a/libavformat/cinedec.c
+++ b/libavformat/cinedec.c
@@ -273,10 +273,11 @@ static int cine_read_header(AVFormatContext *avctx)
/* parse image offsets */
avio_seek(pb, offImageOffsets, SEEK_SET);
for (i = 0; i < st->duration; i++) {
- if (avio_feof(pb))
+ int64_t pos = avio_rl64(pb);
+ if (avio_feof(pb) || pos < 0)
return AVERROR_INVALIDDATA;
- av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+ av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME);
}
return 0;
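Review bot: the `pos < 0` test in `if (avio_feof(pb) || pos < 0)` is only meaningful if the 64-bit value read by avio_rl64() can land in the signed int64_t `pos` with its top bit set; a short comment saying that the negative test is what rejects such offsets would make the intent explicit. The check also still admits any non-negative offset, including ones well past the end of the file, so the cine->maxsize bound applied later in cine_read_packet() remains the only protection against an index entry pointing beyond the data; consider also rejecting `pos` larger than the file size here, where the whole offset table is being read.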
@@ -302,10 +303,10 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return AVERROR_INVALIDDATA;
avio_skip(pb, n - 8);
size = avio_rl32(pb);
- if (avio_feof(pb))
+ if (avio_feof(pb) || size < 0)
return AVERROR_INVALIDDATA;
- if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
+ if (cine->maxsize && (uint64_t)sti->index_entries[cine->pts].pos + size + n > cine->maxsize)
size = cine->maxsize - sti->index_entries[cine->pts].pos - n;
ret = av_get_packet(pb, pkt, size);
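Review bot: the uint64_t cast fixes the overflow in the comparison, but the clamp on the next line, `size = cine->maxsize - sti->index_entries[cine->pts].pos - n;`, is still evaluated in the original arithmetic and is never re-validated: the `size < 0` check precedes it, so if pos + n already exceeds cine->maxsize the recomputed size is negative (or wraps) by the time it reaches av_get_packet(). Suggest checking `pos + n > cine->maxsize` separately and returning AVERROR_INVALIDDATA, or verifying that the clamped size is non-negative before the read.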
@@ -313,7 +314,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt)
return ret;
if (ret != size)
- cine->maxsize = sti->index_entries[cine->pts].pos + n + ret;
+ cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret;
pkt->pts = cine->pts++;
pkt->stream_index = 0;
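Review bot: the cast in `cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret;` moves the sum into unsigned arithmetic so it no longer trips the sanitizer, but the result is still assigned to cine->maxsize, whose type is not visible in this hunk; if that field is signed or narrower than 64 bits, a sum above its range silently becomes a different bound. A comment stating why the cast is safe (pos is now rejected when negative in cine_read_header(), and ret is the byte count actually read) would make the reasoning clear to the next reader.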
--
2.17.1
* [FFmpeg-devel] [PATCH 3/3] tools/target_dec_fuzzer: adjust threshold for cinepak
From: Michael Niedermayer @ 2022-07-02 12:22 UTC
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 48158/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5986526573494272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
tools/target_dec_fuzzer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index fefc8514f0..d85c6e7db4 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -212,6 +212,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
case AV_CODEC_ID_ARBC: maxpixels /= 1024; break;
case AV_CODEC_ID_BINKVIDEO: maxpixels /= 32; break;
case AV_CODEC_ID_CFHD: maxpixels /= 128; break;
+ case AV_CODEC_ID_CINEPAK: maxpixels /= 128; break;
case AV_CODEC_ID_COOK: maxsamples /= 1<<20; break;
case AV_CODEC_ID_DFA: maxpixels /= 1024; break;
case AV_CODEC_ID_DIRAC: maxpixels /= 8192; break;
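Review bot: the new `case AV_CODEC_ID_CINEPAK: maxpixels /= 128; break;` keeps the alphabetical ordering of the switch and mirrors the CFHD divisor directly above it, which is fine, but the commit message only says "Timeout"; a short note on why 128 (rather than the 32 used for BINKVIDEO or the 1024 used for ARBC and DFA) is enough to keep the fuzzer under its time limit would make the threshold easier to revisit if the decoder's per-pixel cost changes.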
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 1/3] avcodec/alsdec: No channels cannot be accessed
From: Thilo Borgmann @ 2022-07-02 13:27 UTC
To: ffmpeg-devel
On 02.07.22 at 14:22, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 48145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5054524173189120
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/alsdec.c | 3 +++
> 1 file changed, 3 insertions(+)
LGTM
Thanks,
Thilo
* Re: [FFmpeg-devel] [PATCH 1/3] avcodec/alsdec: No channels cannot be accessed
From: Michael Niedermayer @ 2022-07-03 17:11 UTC
To: FFmpeg development discussions and patches
On Sat, Jul 02, 2022 at 03:27:03PM +0200, Thilo Borgmann wrote:
> On 02.07.22 at 14:22, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 48145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5054524173189120
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/alsdec.c | 3 +++
> > 1 file changed, 3 insertions(+)
>
> LGTM
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who are best at talking, realize last or never when they are wrong.
* Re: [FFmpeg-devel] [PATCH 2/3] avformat/cinedec: Check size and pos more
From: Michael Niedermayer @ 2022-07-07 18:36 UTC
To: FFmpeg development discussions and patches
On Sat, Jul 02, 2022 at 02:22:49PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long'
> Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/cinedec.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Take away the freedom of one citizen and you will be jailed, take away
the freedom of all citizens and you will be congratulated by your peers
in Parliament.
* Re: [FFmpeg-devel] [PATCH 3/3] tools/target_dec_fuzzer: adjust threshold for cinepak
From: Michael Niedermayer @ 2022-07-12 18:13 UTC
To: FFmpeg development discussions and patches
On Sat, Jul 02, 2022 at 02:22:50PM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 48158/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5986526573494272
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> tools/target_dec_fuzzer.c | 1 +
> 1 file changed, 1 insertion(+)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The educated differ from the uneducated as much as the living from the
dead. -- Aristotle