* [FFmpeg-devel] [PATCH 1/4] avcodec/bethsoftvideo: Pass GetByteContext into set_palette()
From: Michael Niedermayer @ 2022-08-18 22:35 UTC
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/bethsoftvideo.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c
index a2e8f412d6..1d0f9198cf 100644
--- a/libavcodec/bethsoftvideo.c
+++ b/libavcodec/bethsoftvideo.c
@@ -51,16 +51,16 @@ static av_cold int bethsoftvid_decode_init(AVCodecContext *avctx)
return 0;
}
-static int set_palette(BethsoftvidContext *ctx)
+static int set_palette(BethsoftvidContext *ctx, GetByteContext *g)
{
uint32_t *palette = (uint32_t *)ctx->frame->data[1];
int a;
- if (bytestream2_get_bytes_left(&ctx->g) < 256*3)
+ if (bytestream2_get_bytes_left(g) < 256*3)
return AVERROR_INVALIDDATA;
for(a = 0; a < 256; a++){
- palette[a] = 0xFFU << 24 | bytestream2_get_be24u(&ctx->g) * 4;
+ palette[a] = 0xFFU << 24 | bytestream2_get_be24u(g) * 4;
palette[a] |= palette[a] >> 6 & 0x30303;
}
ctx->frame->palette_has_changed = 1;
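Review bot: the commit message carries only a Signed-off-by, yet this hunk changes set_palette() from reading ctx->g to reading a caller-supplied GetByteContext with no behavioural change on its own; a one-line rationale (that the side-data palette path should stop reinitialising the decoder's own vid->g, so the block type can later be read from the packet before the frame is allocated, as patch 2/4 in this series does) would make the refactor reviewable in isolation. The `bytestream2_get_bytes_left(g) < 256*3` check now applies to whichever buffer the caller passes, which is the right place for it.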
@@ -85,9 +85,10 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, AVFrame *rframe,
if (avpkt->side_data_elems > 0 &&
avpkt->side_data[0].type == AV_PKT_DATA_PALETTE) {
- bytestream2_init(&vid->g, avpkt->side_data[0].data,
+ GetByteContext g;
+ bytestream2_init(&g, avpkt->side_data[0].data,
avpkt->side_data[0].size);
- if ((ret = set_palette(vid)) < 0)
+ if ((ret = set_palette(vid, &g)) < 0)
return ret;
}
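Review bot: making `g` a stack-local GetByteContext here means the side-data palette no longer overwrites vid->g, which is what allows bytestream2_init(&vid->g, avpkt->data, ...) to move ahead of this block in patch 2/4; on its own the hunk reads as cosmetic, so that dependency belongs in the commit message. Error handling is unchanged: set_palette() still returns AVERROR_INVALIDDATA for side data shorter than 256*3 bytes.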
@@ -98,7 +99,7 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, AVFrame *rframe,
switch(block_type = bytestream2_get_byte(&vid->g)){
case PALETTE_BLOCK: {
*got_frame = 0;
- if ((ret = set_palette(vid)) < 0) {
+ if ((ret = set_palette(vid, &vid->g)) < 0) {
av_log(avctx, AV_LOG_ERROR, "error reading palette\n");
return ret;
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/4] avcodec/bethsoftvideo: Check block_type before frame alloc
From: Michael Niedermayer @ 2022-08-18 22:35 UTC
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/bethsoftvideo.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c
index 1d0f9198cf..dc7e2f83bb 100644
--- a/libavcodec/bethsoftvideo.c
+++ b/libavcodec/bethsoftvideo.c
@@ -79,6 +79,11 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, AVFrame *rframe,
int code, ret;
int yoffset;
+ bytestream2_init(&vid->g, avpkt->data, avpkt->size);
+ block_type = bytestream2_get_byte(&vid->g);
+ if (block_type < 1 || block_type > 4)
+ return AVERROR_INVALIDDATA;
+
if ((ret = ff_reget_buffer(avctx, vid->frame, 0)) < 0)
return ret;
wrap_to_next_line = vid->frame->linesize[0] - avctx->width;
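Review bot: `block_type < 1 || block_type > 4` hard-codes the accepted range instead of using the named block-type constants the switch below already relies on (PALETTE_BLOCK is the one visible here); if a block type is added or renumbered the two will drift apart silently, so consider spelling the bounds with those constants or adding a comment tying 1..4 to the switch cases. Also worth a line in the commit message: bytestream2_get_byte() returns 0 when no bytes are left, so a zero-length packet is now rejected here before ff_reget_buffer() allocates anything, which is the point of the reorder.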
@@ -92,11 +97,10 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, AVFrame *rframe,
return ret;
}
- bytestream2_init(&vid->g, avpkt->data, avpkt->size);
dst = vid->frame->data[0];
frame_end = vid->frame->data[0] + vid->frame->linesize[0] * avctx->height;
- switch(block_type = bytestream2_get_byte(&vid->g)){
+ switch(block_type){
case PALETTE_BLOCK: {
*got_frame = 0;
if ((ret = set_palette(vid, &vid->g)) < 0) {
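Review bot: with bytestream2_init() removed here and `switch(block_type)` consuming a value read before the palette side-data block that sits between these two hunks, the change is only safe because the side-data path reads from its own local GetByteContext since patch 1/4; the commit message should state that dependency so the two patches are not cherry-picked or applied out of order.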
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 2/4] avcodec/bethsoftvideo: Check block_type before frame alloc
From: Michael Niedermayer @ 2022-08-28 17:40 UTC
To: FFmpeg development discussions and patches
On Fri, Aug 19, 2022 at 12:35:33AM +0200, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/bethsoftvideo.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
* [FFmpeg-devel] [PATCH 3/4] tools/target_dec_fuzzer: Adjust threshold for bethsoftvid
From: Michael Niedermayer @ 2022-08-18 22:35 UTC
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 49791/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BETHSOFTVID_fuzzer-4583956145635328
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
tools/target_dec_fuzzer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 28042077c6..0fb9328d2c 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -213,6 +213,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
case AV_CODEC_ID_ANM: maxpixels /= 1024; break;
case AV_CODEC_ID_ARBC: maxpixels /= 1024; break;
case AV_CODEC_ID_ARGO: maxpixels /= 1024; break;
+ case AV_CODEC_ID_BETHSOFTVID: maxpixels /= 8192; break;
case AV_CODEC_ID_BINKVIDEO: maxpixels /= 32; break;
case AV_CODEC_ID_CDTOONS: maxpixels /= 1024; break;
case AV_CODEC_ID_CFHD: maxpixels /= 16384; break;
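Review bot: 8192 is a far steeper cut than the neighbouring 1024 entries and the largest divisor in the visible context after CFHD's 16384; a short note in the commit message on which part of the bethsoftvid decoder is slow per pixel (and whether the cost is in decoding itself or in the fuzzer's frame handling) would help whoever revisits these thresholds later. The insertion keeps the alphabetical order of the case list.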
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 3/4] tools/target_dec_fuzzer: Adjust threshold for bethsoftvid
From: Michael Niedermayer @ 2022-08-28 17:41 UTC
To: FFmpeg development discussions and patches
On Fri, Aug 19, 2022 at 12:35:34AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 49791/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BETHSOFTVID_fuzzer-4583956145635328
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> tools/target_dec_fuzzer.c | 1 +
> 1 file changed, 1 insertion(+)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I have often repented speaking, but never of holding my tongue.
-- Xenocrates
* [FFmpeg-devel] [PATCH 4/4] avcodec/speedhq: Check width
From: Michael Niedermayer @ 2022-08-18 22:35 UTC
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400
Alternatively the buffer size can be increased
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/speedhq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
index c43de4f199..ffee5f973b 100644
--- a/libavcodec/speedhq.c
+++ b/libavcodec/speedhq.c
@@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, AVFrame *frame,
uint32_t second_field_offset;
int ret;
- if (buf_size < 4 || avctx->width < 8)
+ if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
return AVERROR_INVALIDDATA;
quality = buf[0];
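Review bot: the new `avctx->width % 8 != 0` rejection trades a fuzzer-found out-of-array access for refusing every stream whose width is not a multiple of 8, and the commit message itself says increasing the buffer size is an alternative; it should name which buffer is overrun and why width alignment matters, so a reviewer can judge whether real SpeedHQ files with such widths exist (the question raised later in this thread). Consider also an av_log() at AV_LOG_ERROR before the `return AVERROR_INVALIDDATA`, as the bethsoftvid palette path in this series does, so a user with such a file sees why decoding stopped.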
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/speedhq: Check width
From: Paul B Mahol @ 2022-08-21 10:54 UTC
To: FFmpeg development discussions and patches
On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: out of array access
> Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400
>
> Alternatively the buffer size can be increased
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/speedhq.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
> index c43de4f199..ffee5f973b 100644
> --- a/libavcodec/speedhq.c
> +++ b/libavcodec/speedhq.c
> @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx,
> AVFrame *frame,
> uint32_t second_field_offset;
> int ret;
>
> - if (buf_size < 4 || avctx->width < 8)
> + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
> return AVERROR_INVALIDDATA;
>
Is this the right thing to do?
>
> quality = buf[0];
> --
> 2.17.1
>
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/speedhq: Check width
From: Michael Niedermayer @ 2022-08-21 14:23 UTC
To: FFmpeg development discussions and patches
On Sun, Aug 21, 2022 at 12:54:57PM +0200, Paul B Mahol wrote:
> On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc> wrote:
> [...]
>
> Is this the right thing to do?
We can increase the buffer size or change how the %8 != 0 case is handled.
Without a non-fuzzed file with such dimensions, I do not know what the
correct handling of such a file is.
What do you prefer to be done?
Thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If the United States is serious about tackling the national security threats
related to an insecure 5G network, it needs to rethink the extent to which it
values corporate profits and government espionage over security. -- Bruce Schneier
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/speedhq: Check width
From: Michael Niedermayer @ 2022-08-28 17:39 UTC
To: FFmpeg development discussions and patches
On Sun, Aug 21, 2022 at 04:23:09PM +0200, Michael Niedermayer wrote:
> On Sun, Aug 21, 2022 at 12:54:57PM +0200, Paul B Mahol wrote:
> > On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc> wrote:
> > [...]
> >
> > Is this the right thing to do?
>
> We can increase the buffer size or change how the %8 != 0 case is handled.
> Without a non-fuzzed file with such dimensions, I do not know what the
> correct handling of such a file is.
> What do you prefer to be done?
ping
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The bravest are surely those who have the clearest vision
of what is before them, glory and danger alike, and yet
notwithstanding go out to meet it. -- Thucydides
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/speedhq: Check width
From: Michael Niedermayer @ 2022-09-02 9:02 UTC
To: FFmpeg development discussions and patches
On Sun, Aug 28, 2022 at 07:39:53PM +0200, Michael Niedermayer wrote:
> On Sun, Aug 21, 2022 at 04:23:09PM +0200, Michael Niedermayer wrote:
> > On Sun, Aug 21, 2022 at 12:54:57PM +0200, Paul B Mahol wrote:
> > > On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc> wrote:
> > > [...]
> > >
> > > Is this the right thing to do?
> >
> > We can increase the buffer size or change how the %8 != 0 case is handled.
> > Without a non-fuzzed file with such dimensions, I do not know what the
> > correct handling of such a file is.
> > What do you prefer to be done?
>
> ping
I will apply this in the next 24h
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
What's the most stupid thing your enemy could do? Blow himself up
What's the most stupid thing you could do? Give up your rights and
freedom because your enemy blew himself up.
* Re: [FFmpeg-devel] [PATCH 1/4] avcodec/bethsoftvideo: Pass GetByteContext into set_palette()
From: Michael Niedermayer @ 2022-08-28 17:41 UTC
To: FFmpeg development discussions and patches
On Fri, Aug 19, 2022 at 12:35:32AM +0200, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/bethsoftvideo.c | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact