* [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size
@ 2022-09-17 21:15 Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 2/9] avformat/apm: Use 64bit for bit_rate computation Michael Niedermayer
` (8 more replies)
0 siblings, 9 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/ape.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/ape.c b/libavformat/ape.c
index f904fde178c..92e9ac7cb1c 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -298,6 +298,8 @@ static int ape_read_header(AVFormatContext * s)
ape->frames[i].pos -= ape->frames[i].skip;
ape->frames[i].size += ape->frames[i].skip;
}
+ if (ape->frames[i].size > INT_MAX - 3)
+ return AVERROR_INVALIDDATA;
ape->frames[i].size = (ape->frames[i].size + 3) & ~3;
}
if (ape->fileversion < 3810) {
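Review bot: The new bound in ape_read_header is INT_MAX - 3, but the overflow being fixed is reported in type 'long', so the check is far tighter than the `+ 3` rounding itself requires. If the intent is to keep frame sizes within int for later consumers, a short comment saying so would help; otherwise INT64_MAX - 3 matches the arithmetic. Separately, `ape->frames[i].size += ape->frames[i].skip;` two lines above is still unguarded and runs before this check, so it is worth confirming that sum cannot wrap first.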
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/9] avformat/apm: Use 64bit for bit_rate computation
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 3/9] avformat/asfdec_o: Limit packet offset Michael Niedermayer
` (7 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -1155522528 * 4 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APM_fuzzer-6580670570299392
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/apm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/apm.c b/libavformat/apm.c
index baf7d2f9412..a3ddc08e83b 100644
--- a/libavformat/apm.c
+++ b/libavformat/apm.c
@@ -148,7 +148,7 @@ static int apm_read_header(AVFormatContext *s)
par->codec_id = AV_CODEC_ID_ADPCM_IMA_APM;
par->format = AV_SAMPLE_FMT_S16;
par->bit_rate = par->ch_layout.nb_channels *
- par->sample_rate *
+ (int64_t)par->sample_rate *
par->bits_per_coded_sample;
if ((ret = avio_read(s->pb, buf, APM_FILE_EXTRADATA_SIZE)) < 0)
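Review bot: The (int64_t) cast on par->sample_rate removes the undefined behaviour, but the reported operand -1155522528 is the product of nb_channels and sample_rate, so that product is already negative on this input and par->bit_rate still ends up negative. Consider rejecting a non-positive sample_rate or channel count with AVERROR_INVALIDDATA before this computation rather than only widening it. Minor: the cast works because the first multiplication already involves the widened operand; placing it on the leftmost operand would stay correct if the factors are ever reordered.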
--
2.17.1
* [FFmpeg-devel] [PATCH 3/9] avformat/asfdec_o: Limit packet offset
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 2/9] avformat/apm: Use 64bit for bit_rate computation Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 4/9] avformat/cafdec: Check that nb_frames fits within 64bit Michael Niedermayer
` (6 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
avoids overflows with it
Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/asfdec_o.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 48b7d17322d..e837ca62e7f 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -1242,6 +1242,8 @@ static int asf_read_packet_header(AVFormatContext *s)
unsigned char error_flags, len_flags, pay_flags;
asf->packet_offset = avio_tell(pb);
+ if (asf->packet_offset > INT64_MAX/2)
+ asf->packet_offset = 0;
error_flags = avio_r8(pb); // read Error Correction Flags
if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) {
if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) {
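Review bot: In asf_read_packet_header an out-of-range packet_offset is silently replaced with 0 instead of failing, so later arithmetic runs on an offset that no longer matches the position avio_tell(pb) returned. Returning AVERROR_INVALIDDATA, or at least logging, would be more consistent with the other patches in this set; if 0 is intentional, a comment explaining why it is safe would help. The check also lets a negative avio_tell() result through unchanged.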
--
2.17.1
* [FFmpeg-devel] [PATCH 4/9] avformat/cafdec: Check that nb_frames fits within 64bit
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 2/9] avformat/apm: Use 64bit for bit_rate computation Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 3/9] avformat/asfdec_o: Limit packet offset Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 5/9] avformat/dhav: Use 64bit seek_back Michael Niedermayer
` (5 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/cafdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index d5b8c38c25c..e0a9031cb80 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -387,7 +387,7 @@ static int read_header(AVFormatContext *s)
found_data:
if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) {
- if (caf->data_size > 0)
+ if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet)
st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet;
} else if (ffstream(st)->nb_index_entries && st->duration > 0) {
if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) {
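Review bot: When the new condition in read_header fails, st->nb_frames is silently left unset with no warning or error, unlike the AVERROR_INVALIDDATA returns used elsewhere in this set; a log message, or a comment that this is intended, would help. The comparison is also strict (`<`), so the boundary case where the quotient equals INT64_MAX / caf->frames_per_packet is rejected even though the product would still fit; `<=` would be exact.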
--
2.17.1
* [FFmpeg-devel] [PATCH 5/9] avformat/dhav: Use 64bit seek_back
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
` (2 preceding siblings ...)
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 4/9] avformat/cafdec: Check that nb_frames fits within 64bit Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 6/9] avformat/dxa: avoid bpc overflows Michael Niedermayer
` (4 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-6604736532447232
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/dhav.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/dhav.c b/libavformat/dhav.c
index 9d26efe8fc9..4e720f2a26c 100644
--- a/libavformat/dhav.c
+++ b/libavformat/dhav.c
@@ -242,7 +242,7 @@ static int64_t get_duration(AVFormatContext *s)
avio_seek(s->pb, avio_size(s->pb) - 8, SEEK_SET);
while (avio_tell(s->pb) > 12 && max_interations--) {
if (avio_rl32(s->pb) == MKTAG('d','h','a','v')) {
- int seek_back = avio_rl32(s->pb);
+ int64_t seek_back = avio_rl32(s->pb);
avio_seek(s->pb, -seek_back, SEEK_CUR);
read_chunk(s);
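Review bot: Widening seek_back fixes the negation, but the value is still used unvalidated: `avio_seek(s->pb, -seek_back, SEEK_CUR);` can now be asked to move back by any 32-bit amount, its return value is ignored, and read_chunk(s) runs regardless. Consider checking seek_back against avio_tell(s->pb), or testing the avio_seek() result, before reading the chunk.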
--
2.17.1
* [FFmpeg-devel] [PATCH 6/9] avformat/dxa: avoid bpc overflows
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
` (3 preceding siblings ...)
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 5/9] avformat/dhav: Use 64bit seek_back Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 7/9] avformat/genh: Check nb_channels for IMA ADPCM Michael Niedermayer
` (3 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/dxa.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavformat/dxa.c b/libavformat/dxa.c
index 16fbb081568..474b85270ae 100644
--- a/libavformat/dxa.c
+++ b/libavformat/dxa.c
@@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s)
if(tag == MKTAG('d', 'a', 't', 'a')) break;
avio_skip(pb, fsize);
}
- c->bpc = (fsize + c->frames - 1) / c->frames;
- if(ast->codecpar->block_align)
+ c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames;
+ if(ast->codecpar->block_align) {
+ if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
+ return AVERROR_INVALIDDATA;
c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+ }
c->bytes_left = fsize;
c->wavpos = avio_tell(pb);
avio_seek(pb, c->vidpos, SEEK_SET);
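Review bot: The new guard `c->bpc > INT_MAX - ast->codecpar->block_align + 1` can itself overflow, because the enclosing `if(ast->codecpar->block_align)` only tests for non-zero and so admits a negative block_align. Testing `block_align > 0` there would close that. Also, the first changed line now computes the quotient in 64 bit but stores it in c->bpc, which the INT_MAX comparison suggests is an int, so a range check before that assignment looks necessary as well.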
--
2.17.1
* [FFmpeg-devel] [PATCH 7/9] avformat/genh: Check nb_channels for IMA ADPCM
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
` (4 preceding siblings ...)
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 6/9] avformat/dxa: avoid bpc overflows Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 8/9] avformat/icodec: Check nb_pal Michael Niedermayer
` (2 subsequent siblings)
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
The check could be made more strict
Fixes: signed integer overflow: 36 * 538976288 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-6539389873815552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/genh.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/genh.c b/libavformat/genh.c
index a25d4d625a4..1f707b55552 100644
--- a/libavformat/genh.c
+++ b/libavformat/genh.c
@@ -78,6 +78,8 @@ static int genh_read_header(AVFormatContext *s)
case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; break;
case 1:
case 11: st->codecpar->bits_per_coded_sample = 4;
+ if (st->codecpar->ch_layout.nb_channels > INT_MAX / 36)
+ return AVERROR_INVALIDDATA;
st->codecpar->block_align = 36 * st->codecpar->ch_layout.nb_channels;
st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; break;
case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; break;
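Review bot: The bound INT_MAX / 36 in the `case 1: case 11:` branch only prevents the multiplication from wrapping; it still accepts tens of millions of channels and, if nb_channels is signed, negative values. As the commit message itself notes, the check could be stricter: a realistic channel limit, enforced where nb_channels is read so that every coding type benefits, would be preferable to a per-case guard.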
--
2.17.1
* [FFmpeg-devel] [PATCH 8/9] avformat/icodec: Check nb_pal
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
` (5 preceding siblings ...)
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 7/9] avformat/genh: Check nb_channels for IMA ADPCM Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-17 23:11 ` Peter Ross
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 9/9] avformat/jacosubdec: Fix overflow in get_shift() Michael Niedermayer
2022-09-23 21:03 ` [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
8 siblings, 1 reply; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/icodec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/icodec.c b/libavformat/icodec.c
index 290f658d0c0..85dab3bca0a 100644
--- a/libavformat/icodec.c
+++ b/libavformat/icodec.c
@@ -196,6 +196,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
AV_WL32(buf + 32, image->nb_pal);
}
+ if (image->nb_pal > INT_MAX / 4 - 14 - 40)
+ return AVERROR_INVALIDDATA;
+
AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4);
AV_WL32(buf + 8, AV_RL32(buf + 8) / 2);
}
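Review bot: The check in read_packet comes after image->nb_pal has already been used by `AV_WL32(buf + 32, image->nb_pal);` in the block above, and it only bounds the arithmetic; validating nb_pal once where it is parsed, against a realistic palette size, would reject bad files earlier. If the check stays here, `(INT_MAX - 14 - 40) / 4` expresses the exact limit for `14 + 40 + image->nb_pal * 4`, whereas `INT_MAX / 4 - 14 - 40` is slightly more conservative than needed and reads as a magic number.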
--
2.17.1
* [FFmpeg-devel] [PATCH 9/9] avformat/jacosubdec: Fix overflow in get_shift()
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
` (6 preceding siblings ...)
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 8/9] avformat/icodec: Check nb_pal Michael Niedermayer
@ 2022-09-17 21:15 ` Michael Niedermayer
2022-09-23 21:03 ` [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-17 21:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-6722544461283328
Fixes: signed integer overflow: 48214448 * 60 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/jacosubdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c
index 0ee4820f62a..61b1316dc9b 100644
--- a/libavformat/jacosubdec.c
+++ b/libavformat/jacosubdec.c
@@ -144,7 +144,7 @@ static int get_shift(int timeres, const char *buf)
ret = 0;
switch (n) {
case 4:
- ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d);
+ ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d);
break;
case 3:
ret = sign * (( (int64_t)a*60 + b) * timeres + c);
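Review bot: Casting b in the `case 4:` expression fixes the reported overflow, but the hunk header shows get_shift() returning int, so the 64-bit result still needs a range check before it is narrowed; please confirm that happens after the switch. The reported operand 48214448 for the field multiplied by 60 also suggests bounding the parsed components rather than only widening the arithmetic.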
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 8/9] avformat/icodec: Check nb_pal
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 8/9] avformat/icodec: Check nb_pal Michael Niedermayer
@ 2022-09-17 23:11 ` Peter Ross
0 siblings, 0 replies; 11+ messages in thread
From: Peter Ross @ 2022-09-17 23:11 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, Sep 17, 2022 at 11:15:56PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int'
> Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/icodec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/icodec.c b/libavformat/icodec.c
> index 290f658d0c0..85dab3bca0a 100644
> --- a/libavformat/icodec.c
> +++ b/libavformat/icodec.c
> @@ -196,6 +196,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
> AV_WL32(buf + 32, image->nb_pal);
> }
>
> + if (image->nb_pal > INT_MAX / 4 - 14 - 40)
> + return AVERROR_INVALIDDATA;
> +
> AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4);
> AV_WL32(buf + 8, AV_RL32(buf + 8) / 2);
> }
> --
> 2.17.1
lgtm, please apply
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
* Re: [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size
2022-09-17 21:15 [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size Michael Niedermayer
` (7 preceding siblings ...)
2022-09-17 21:15 ` [FFmpeg-devel] [PATCH 9/9] avformat/jacosubdec: Fix overflow in get_shift() Michael Niedermayer
@ 2022-09-23 21:03 ` Michael Niedermayer
8 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2022-09-23 21:03 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, Sep 17, 2022 at 11:15:49PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long'
> Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/ape.c | 2 ++
> 1 file changed, 2 insertions(+)
will apply patchset
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
During times of universal deceit, telling the truth becomes a
revolutionary act. -- George Orwell