Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention
@ 2022-07-03 14:18 Michael Niedermayer
  2022-07-03 14:18 ` [FFmpeg-devel] [PATCH 2/4] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M Michael Niedermayer
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-07-03 14:18 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ffv1dec_template.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c
index 0b1d176ba1..9b1d65e825 100644
--- a/libavcodec/ffv1dec_template.c
+++ b/libavcodec/ffv1dec_template.c
@@ -93,11 +93,11 @@ static av_always_inline int RENAME(decode_line)(FFV1Context *s, int w,
                         run_count--;
                     }
                 } else {
-                while (run_count > 1 && w-x > 1) {
-                    sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x);
-                    x++;
-                    run_count--;
-                }
+                    while (run_count > 1 && w-x > 1) {
+                        sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x);
+                        x++;
+                        run_count--;
+                    }
                 }
                 run_count--;
                 if (run_count < 0) {
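
Review bot: the commit message has no body, and for the re-indented `while (run_count > 1 && w-x > 1)` loop in the `else` branch it should state that the change is whitespace-only with no functional change, so that someone bisecting or reading blame output can skip it. The five removed and five added lines differ only in leading spaces, which matches the 5/5 diffstat.
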
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/4] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M
  2022-07-03 14:18 [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention Michael Niedermayer
@ 2022-07-03 14:18 ` Michael Niedermayer
  2022-07-03 14:18 ` [FFmpeg-devel] [PATCH 3/4] avformat/avienc: Check video dimensions Michael Niedermayer
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-07-03 14:18 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

This limit is possibly not reachable due to other restrictions on buffers but
the decoder run table is too small beyond this, so explicitly check for it.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ffv1dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 365f8b77a7..7731c15c87 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -187,6 +187,9 @@ static int decode_slice_header(const FFV1Context *f, FFV1Context *fs)
          || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height)
         return -1;
 
+    if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))
+        return AVERROR_INVALIDDATA;
+
     for (i = 0; i < f->plane_count; i++) {
         PlaneContext * const p = &fs->plane[i];
         int idx = get_symbol(c, state, 0);
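
Review bot: the bound `(1<<23)` in the new `fs->slice_width` check is a bare magic number; the commit message ties it to the size of the decoder run table, so the limit should be derived from that table or at least carry a comment naming it, otherwise the two can drift apart silently. The new check returns AVERROR_INVALIDDATA while the dimension check directly above it returns -1, so adjacent validation in decode_slice_header() uses two different error conventions; consider aligning them. An av_log() line would also help tell this rejection apart from other invalid-data paths.
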
-- 
2.17.1


* [FFmpeg-devel] [PATCH 3/4] avformat/avienc: Check video dimensions
  2022-07-03 14:18 [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention Michael Niedermayer
  2022-07-03 14:18 ` [FFmpeg-devel] [PATCH 2/4] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M Michael Niedermayer
@ 2022-07-03 14:18 ` Michael Niedermayer
  2022-07-03 14:18 ` [FFmpeg-devel] [PATCH 4/4] avcodec/ffv1dec: Check for min packet size Michael Niedermayer
  2022-07-12 17:57 ` [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention Michael Niedermayer
  3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-07-03 14:18 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/avienc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/avienc.c b/libavformat/avienc.c
index 2264241d57..14115b3e2b 100644
--- a/libavformat/avienc.c
+++ b/libavformat/avienc.c
@@ -426,6 +426,10 @@ static int avi_write_header(AVFormatContext *s)
         avio_wl32(pb, -1); /* quality */
         avio_wl32(pb, au_ssize); /* sample size */
         avio_wl32(pb, 0);
+        if (par->width > 65535 || par->height > 65535) {
+            av_log(s, AV_LOG_ERROR, "%dx%d dimensions are too big\n", par->width, par->height);
+            return AVERROR(EINVAL);
+        }
         avio_wl16(pb, par->width);
         avio_wl16(pb, par->height);
         ff_end_tag(pb, strh);
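
Review bot: the dimension check sits after the preceding avio_wl32() calls, so when it fails part of the stream header has already been written to pb before avi_write_header() returns AVERROR(EINVAL); validating par->width and par->height before any bytes of this header are emitted would avoid leaving a truncated header in the output. The limit 65535 follows from the avio_wl16() writes just below; writing it as UINT16_MAX, or adding a short comment, would make that link explicit. Nothing in this hunk rejects negative values, so only the upper bound of the 16-bit field is enforced here.
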
-- 
2.17.1


* [FFmpeg-devel] [PATCH 4/4] avcodec/ffv1dec: Check for min packet size
  2022-07-03 14:18 [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention Michael Niedermayer
  2022-07-03 14:18 ` [FFmpeg-devel] [PATCH 2/4] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M Michael Niedermayer
  2022-07-03 14:18 ` [FFmpeg-devel] [PATCH 3/4] avformat/avienc: Check video dimensions Michael Niedermayer
@ 2022-07-03 14:18 ` Michael Niedermayer
  2022-07-12 17:57 ` [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention Michael Niedermayer
  3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-07-03 14:18 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Timeout
Fixes: 48619/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5793597923917824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ffv1dec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 7731c15c87..01ddcaa512 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -879,6 +879,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
         p->key_frame = 0;
     }
 
+    if (f->ac != AC_GOLOMB_RICE) {
+        if (buf_size < avctx->width * avctx->height / (128*8))
+            return AVERROR_INVALIDDATA;
+    } else {
+        if (buf_size < avctx->height / 8)
+            return AVERROR_INVALIDDATA;
+    }
+
     ret = ff_thread_get_ext_buffer(avctx, &f->picture, AV_GET_BUFFER_FLAG_REF);
     if (ret < 0)
         return ret;
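
Review bot: in the non-Golomb-Rice branch, `avctx->width * avctx->height` is evaluated in int before the division, so unless an earlier check bounds the dimensions the product can overflow for large frames; casting one operand to int64_t keeps the comparison well defined. The divisors `(128*8)` and `8` encode an assumed minimum packet size relative to the frame dimensions, and neither the code nor the commit message (which only says "Fixes: Timeout") explains where they come from; a comment stating the assumption would let a later reader judge whether a valid, highly compressible frame could be rejected.
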
-- 
2.17.1


* Re: [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention
  2022-07-03 14:18 [FFmpeg-devel] [PATCH 1/4] avcodec/ffv1dec_template: Fix indention Michael Niedermayer
                   ` (2 preceding siblings ...)
  2022-07-03 14:18 ` [FFmpeg-devel] [PATCH 4/4] avcodec/ffv1dec: Check for min packet size Michael Niedermayer
@ 2022-07-12 17:57 ` Michael Niedermayer
  3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2022-07-12 17:57 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Sun, Jul 03, 2022 at 04:18:08PM +0200, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/ffv1dec_template.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Republics decline into democracies and democracies degenerate into
despotisms. -- Aristotle
