[FFmpeg-devel] [PATCH 1/6] avcodec/mpeg4videoenc: fix encoding long frames

[FFmpeg-devel] [PATCH 1/6] avcodec/mpeg4videoenc: fix encoding long frames

[Michael Niedermayer]

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mpeg4videoenc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c
index 8f0452de3a..5f83a9dff1 100644
--- a/libavcodec/mpeg4videoenc.c
+++ b/libavcodec/mpeg4videoenc.c
@@ -1081,8 +1081,8 @@ int ff_mpeg4_encode_picture_header(MpegEncContext *s, int picture_number)
     time_mod  = FFUMOD(s->time, s->avctx->time_base.den);
     time_incr = time_div - s->last_time_base;
 
-    // This limits the frame duration to max 1 hour
-    if (time_incr > 3600) {
+    // This limits the frame duration to max 1 day
+    if (time_incr > 3600*24) {
         av_log(s->avctx, AV_LOG_ERROR, "time_incr %"PRIu64" too large\n", time_incr);
         return AVERROR(EINVAL);
     }
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/6] avcodec/exr: Check x/ysize

[Michael Niedermayer]

Fixes: OOM
Fixes: 48911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6352002510094336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 8cd867a32f..c25bae8cd4 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1241,7 +1241,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
         td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tile_y * s->tile_attr.ySize);
         td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tile_x * s->tile_attr.xSize);
 
-        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX ||
+            av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0)
             return AVERROR_INVALIDDATA;
 
         td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
@@ -1265,7 +1266,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata,
         td->ysize          = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */
         td->xsize          = s->xdelta;
 
-        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX)
+        if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX ||
+            av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0)
             return AVERROR_INVALIDDATA;
 
         td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/6] tools/target_dec_fuzzer: Adjust threshold for MMVIDEO

[Michael Niedermayer]

Fixes: Timeout
Fixes: 49003/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-5550368423018496

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 1587045e02..017c5cf024 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -246,6 +246,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     case AV_CODEC_ID_LOCO:        maxpixels  /= 1024;  break;
     case AV_CODEC_ID_VORBIS:      maxsamples /= 1024;  break;
     case AV_CODEC_ID_LSCR:        maxpixels  /= 16;    break;
+    case AV_CODEC_ID_MMVIDEO:     maxpixels  /= 256;   break;
     case AV_CODEC_ID_MOTIONPIXELS:maxpixels  /= 256;   break;
     case AV_CODEC_ID_MP4ALS:      maxsamples /= 65536; break;
     case AV_CODEC_ID_MSA1:        maxpixels  /= 16384; break;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/6] avformat/asfdec_f: Use 64bit for packet start time

[Michael Niedermayer]

Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/asfdec_f.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 7fc174635b..bdbd4271c8 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -104,7 +104,7 @@ typedef struct ASFContext {
     int ts_is_pts;
     int packet_multi_size;
     int packet_time_delta;
-    int packet_time_start;
+    int64_t packet_time_start;
     int64_t packet_pos;
 
     int stream_index;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

[Michael Niedermayer]

Fixes: Timeout
Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ffv1dec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 01ddcaa512..9bdac0be4e 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
         if (buf_size < avctx->width * avctx->height / (128*8))
             return AVERROR_INVALIDDATA;
     } else {
-        if (buf_size < avctx->height / 8)
+        int i;
+        int w = avctx->width;
+        for (i = 0; w > (1<<ff_log2_run[i]); i++)
+            w -= ff_log2_run[i];
+        if (buf_size < (avctx->height + i + 6)/ 8)
             return AVERROR_INVALIDDATA;
     }
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 6/6] tools/target_dec_fuzzer: Adjust threshold for MWSC

[Michael Niedermayer]

Fixes: Timeout
Fixes: 49172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MWSC_fuzzer-5213749102903296

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 017c5cf024..49baa2da6c 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -254,6 +254,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     case AV_CODEC_ID_MSS2:        maxpixels  /= 16384; break;
     case AV_CODEC_ID_MSZH:        maxpixels  /= 128;   break;
     case AV_CODEC_ID_MVC2:        maxpixels  /= 128;   break;
+    case AV_CODEC_ID_MWSC:        maxpixels  /= 256;   break;
     case AV_CODEC_ID_MXPEG:       maxpixels  /= 128;   break;
     case AV_CODEC_ID_OPUS:        maxsamples /= 16384; break;
     case AV_CODEC_ID_PNG:         maxpixels  /= 128;   break;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

[James Almer]

On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/ffv1dec.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> index 01ddcaa512..9bdac0be4e 100644
> --- a/libavcodec/ffv1dec.c
> +++ b/libavcodec/ffv1dec.c
> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>           if (buf_size < avctx->width * avctx->height / (128*8))
>               return AVERROR_INVALIDDATA;
>       } else {
> -        if (buf_size < avctx->height / 8)
> +        int i;

for (int i...

> +        int w = avctx->width;
> +        for (i = 0; w > (1<<ff_log2_run[i]); i++)
> +            w -= ff_log2_run[i];
> +        if (buf_size < (avctx->height + i + 6)/ 8)
>               return AVERROR_INVALIDDATA;
>       }
>   
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/6] tools/target_dec_fuzzer: Adjust threshold for MMVIDEO

[Peter Ross]

[-- Attachment #1.1: Type: text/plain, Size: 1247 bytes --]

On Tue, Jul 19, 2022 at 01:34:50PM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 49003/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-5550368423018496
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  tools/target_dec_fuzzer.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index 1587045e02..017c5cf024 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -246,6 +246,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>      case AV_CODEC_ID_LOCO:        maxpixels  /= 1024;  break;
>      case AV_CODEC_ID_VORBIS:      maxsamples /= 1024;  break;
>      case AV_CODEC_ID_LSCR:        maxpixels  /= 16;    break;
> +    case AV_CODEC_ID_MMVIDEO:     maxpixels  /= 256;   break;
>      case AV_CODEC_ID_MOTIONPIXELS:maxpixels  /= 256;   break;
>      case AV_CODEC_ID_MP4ALS:      maxsamples /= 65536; break;
>      case AV_CODEC_ID_MSA1:        maxpixels  /= 16384; break;

please apply.

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/6] avcodec/mpeg4videoenc: fix encoding long frames

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 498 bytes --]

On Tue, Jul 19, 2022 at 01:34:48PM +0200, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/mpeg4videoenc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

will apply

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Take away the freedom of one citizen and you will be jailed, take away
the freedom of all citizens and you will be congratulated by your peers
in Parliament.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1295 bytes --]

On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> 
> 
> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/ffv1dec.c | 6 +++++-
> >   1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> > index 01ddcaa512..9bdac0be4e 100644
> > --- a/libavcodec/ffv1dec.c
> > +++ b/libavcodec/ffv1dec.c
> > @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> >           if (buf_size < avctx->width * avctx->height / (128*8))
> >               return AVERROR_INVALIDDATA;
> >       } else {
> > -        if (buf_size < avctx->height / 8)
> > +        int i;
> 
> for (int i...

will apply with that change

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Take away the freedom of one citizen and you will be jailed, take away
the freedom of all citizens and you will be congratulated by your peers
in Parliament.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/6] tools/target_dec_fuzzer: Adjust threshold for MMVIDEO

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1544 bytes --]

On Wed, Jul 20, 2022 at 06:58:10PM +1000, Peter Ross wrote:
> On Tue, Jul 19, 2022 at 01:34:50PM +0200, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 49003/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-5550368423018496
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  tools/target_dec_fuzzer.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> > index 1587045e02..017c5cf024 100644
> > --- a/tools/target_dec_fuzzer.c
> > +++ b/tools/target_dec_fuzzer.c
> > @@ -246,6 +246,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> >      case AV_CODEC_ID_LOCO:        maxpixels  /= 1024;  break;
> >      case AV_CODEC_ID_VORBIS:      maxsamples /= 1024;  break;
> >      case AV_CODEC_ID_LSCR:        maxpixels  /= 16;    break;
> > +    case AV_CODEC_ID_MMVIDEO:     maxpixels  /= 256;   break;
> >      case AV_CODEC_ID_MOTIONPIXELS:maxpixels  /= 256;   break;
> >      case AV_CODEC_ID_MP4ALS:      maxsamples /= 65536; break;
> >      case AV_CODEC_ID_MSA1:        maxpixels  /= 16384; break;
> 
> please apply.

will apply

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If a bugfix only changes things apparently unrelated to the bug with no
further explanation, that is a good sign that the bugfix is wrong.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

[Andreas Rheinhardt]

Michael Niedermayer:
> On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
>>
>>
>> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
>>> Fixes: Timeout
>>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>   libavcodec/ffv1dec.c | 6 +++++-
>>>   1 file changed, 5 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
>>> index 01ddcaa512..9bdac0be4e 100644
>>> --- a/libavcodec/ffv1dec.c
>>> +++ b/libavcodec/ffv1dec.c
>>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>>>           if (buf_size < avctx->width * avctx->height / (128*8))
>>>               return AVERROR_INVALIDDATA;
>>>       } else {
>>> -        if (buf_size < avctx->height / 8)
>>> +        int i;
>>
>> for (int i...
> 
> will apply with that change
> 
> thx
> 

James' suggestion made you use an uninitialized i in the actual check;
and even the original check is wrong, as one can overrun ff_log2_run
(unless there is a check that I am not missing). So it seems to me that
reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.

- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2856 bytes --]

On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> >>
> >>
> >> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> >>> Fixes: Timeout
> >>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> >>>
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >>> ---
> >>>   libavcodec/ffv1dec.c | 6 +++++-
> >>>   1 file changed, 5 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> >>> index 01ddcaa512..9bdac0be4e 100644
> >>> --- a/libavcodec/ffv1dec.c
> >>> +++ b/libavcodec/ffv1dec.c
> >>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> >>>           if (buf_size < avctx->width * avctx->height / (128*8))
> >>>               return AVERROR_INVALIDDATA;
> >>>       } else {
> >>> -        if (buf_size < avctx->height / 8)
> >>> +        int i;
> >>
> >> for (int i...
> > 
> > will apply with that change
> > 
> > thx
> > 
> 
> James' suggestion made you use an uninitialized i in the actual check;

yes


> and even the original check is wrong, as one can overrun ff_log2_run
> (unless there is a check that I am not missing). 

Theres a check but its too late


> So it seems to me that
> reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.

not against that but heres a quick fix attempt


Author: Michael Niedermayer <michael@niedermayer.cc>
Date:   Thu Jul 21 00:20:41 2022 +0200

    avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check
    
    Found-by: mkver
    
    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index d71584505d..c6eca3227c 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -884,9 +884,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
             return AVERROR_INVALIDDATA;
     } else {
         int w = avctx->width;
-        for (int i = 0; w > (1<<ff_log2_run[i]); i++)
+        int s = 1 + w / (1<<23);
+        int i;
+
+        w /= s;
+
+        for (i = 0; w > (1<<ff_log2_run[i]); i++)
             w -= ff_log2_run[i];
-        if (buf_size < (avctx->height + i + 6)/ 8)
+        if (buf_size < (avctx->height + s*i + 6)/ 8)
             return AVERROR_INVALIDDATA;
     }
 
 

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didnt complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2276 bytes --]

On Thu, Jul 21, 2022 at 12:46:38AM +0200, Michael Niedermayer wrote:
> On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> > >>
> > >>
> > >> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> > >>> Fixes: Timeout
> > >>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> > >>>
> > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > >>> ---
> > >>>   libavcodec/ffv1dec.c | 6 +++++-
> > >>>   1 file changed, 5 insertions(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> > >>> index 01ddcaa512..9bdac0be4e 100644
> > >>> --- a/libavcodec/ffv1dec.c
> > >>> +++ b/libavcodec/ffv1dec.c
> > >>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> > >>>           if (buf_size < avctx->width * avctx->height / (128*8))
> > >>>               return AVERROR_INVALIDDATA;
> > >>>       } else {
> > >>> -        if (buf_size < avctx->height / 8)
> > >>> +        int i;
> > >>
> > >> for (int i...
> > > 
> > > will apply with that change
> > > 
> > > thx
> > > 
> > 
> > James' suggestion made you use an uninitialized i in the actual check;
> 
> yes
> 
> 
> > and even the original check is wrong, as one can overrun ff_log2_run
> > (unless there is a check that I am not missing). 
> 
> Theres a check but its too late
> 
> 
> > So it seems to me that
> > reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.
> 
> not against that but heres a quick fix attempt
> 
> 
> Author: Michael Niedermayer <michael@niedermayer.cc>
> Date:   Thu Jul 21 00:20:41 2022 +0200
> 
>     avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check

will apply this so the uninitialized read is fixed. If this has
some off by 1 error or something that can be adjusted later
dont want to leave this bug open

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No great genius has ever existed without some touch of madness. -- Aristotle

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/6] avformat/asfdec_f: Use 64bit for packet start time

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 682 bytes --]

On Tue, Jul 19, 2022 at 01:34:51PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
> Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/asfdec_f.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are best at talking, realize last or never when they are wrong.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/6] avcodec/exr: Check x/ysize

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 686 bytes --]

On Tue, Jul 19, 2022 at 01:34:49PM +0200, Michael Niedermayer wrote:
> Fixes: OOM
> Fixes: 48911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6352002510094336
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/exr.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship naturally arises out of democracy, and the most aggravated
form of tyranny and slavery out of the most extreme liberty. -- Plato

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 6/6] tools/target_dec_fuzzer: Adjust threshold for MWSC

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 534 bytes --]

On Tue, Jul 19, 2022 at 01:34:53PM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 49172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MWSC_fuzzer-5213749102903296
> 
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  tools/target_dec_fuzzer.c | 1 +
>  1 file changed, 1 insertion(+)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

[Andreas Rheinhardt]

Michael Niedermayer:
> On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
>>>>
>>>>
>>>> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
>>>>> Fixes: Timeout
>>>>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
>>>>>
>>>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>>> ---
>>>>>   libavcodec/ffv1dec.c | 6 +++++-
>>>>>   1 file changed, 5 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
>>>>> index 01ddcaa512..9bdac0be4e 100644
>>>>> --- a/libavcodec/ffv1dec.c
>>>>> +++ b/libavcodec/ffv1dec.c
>>>>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>>>>>           if (buf_size < avctx->width * avctx->height / (128*8))
>>>>>               return AVERROR_INVALIDDATA;
>>>>>       } else {
>>>>> -        if (buf_size < avctx->height / 8)
>>>>> +        int i;
>>>>
>>>> for (int i...
>>>
>>> will apply with that change
>>>
>>> thx
>>>
>>
>> James' suggestion made you use an uninitialized i in the actual check;
> 
> yes
> 
> 
>> and even the original check is wrong, as one can overrun ff_log2_run
>> (unless there is a check that I am not missing). 
> 
> Theres a check but its too late
> 
> 
>> So it seems to me that
>> reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.
> 
> not against that but heres a quick fix attempt
> 

I thought that it would be easier to backport the fix if it were one
patch; of course it was never my intention to force you to revert this.

> 
> Author: Michael Niedermayer <michael@niedermayer.cc>
> Date:   Thu Jul 21 00:20:41 2022 +0200
> 
>     avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check
>     
>     Found-by: mkver

Please don't use my nickname in the future in commit messages.

>     
>     Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> 
> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> index d71584505d..c6eca3227c 100644
> --- a/libavcodec/ffv1dec.c
> +++ b/libavcodec/ffv1dec.c
> @@ -884,9 +884,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>              return AVERROR_INVALIDDATA;
>      } else {
>          int w = avctx->width;
> -        for (int i = 0; w > (1<<ff_log2_run[i]); i++)
> +        int s = 1 + w / (1<<23);
> +        int i;
> +
> +        w /= s;
> +
> +        for (i = 0; w > (1<<ff_log2_run[i]); i++)
>              w -= ff_log2_run[i];
> -        if (buf_size < (avctx->height + i + 6)/ 8)
> +        if (buf_size < (avctx->height + s*i + 6)/ 8)
>              return AVERROR_INVALIDDATA;
>      }
>  
>  
> 

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".