[FFmpeg-devel] [PATCH 1/7] avcodec/bonk: Use unsigned in predictor_calc_error() to avoid undefined overflows

[FFmpeg-devel] [PATCH 1/7] avcodec/bonk: Use unsigned in predictor_calc_error() to avoid undefined overflows

[Michael Niedermayer]

Fixes: signed integer overflow: 22 * -2107998208 cannot be represented in type 'int'
Fixes: 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 1695229dbd..9e8892e4db 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -278,7 +278,7 @@ static int predictor_calc_error(int *k, int *state, int order, int error)
         *state_ptr = &(state[order-2]);
 
     for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) {
-        int k_value = *k_ptr, state_value = *state_ptr;
+        unsigned k_value = *k_ptr, state_value = *state_ptr;
 
         x -= shift_down(k_value * state_value, LATTICE_SHIFT);
         state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT);
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/7] avcodec/bonk: Simplify read_uint_max()

[Michael Niedermayer]

The max == 0 case can be removed too but i left it as 50% of the cases use it

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 9e8892e4db..04ea4def2f 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -132,7 +132,6 @@ static av_cold int bonk_init(AVCodecContext *avctx)
 static unsigned read_uint_max(BonkContext *s, uint32_t max)
 {
     unsigned value = 0;
-    int i, bits;
 
     if (max == 0)
         return 0;
@@ -140,15 +139,9 @@ static unsigned read_uint_max(BonkContext *s, uint32_t max)
     if (max >> 31)
         return 32;
 
-    bits = 32 - ff_clz(max);
-
-    for (i = 0; i < bits - 1; i++)
-        if (get_bits1(&s->gb))
-            value += 1 << i;
-
-    if ((value | (1 << (bits - 1))) <= max)
+    for (unsigned i = 1; i <= max - value; i+=i)
         if (get_bits1(&s->gb))
-            value += 1 << (bits - 1);
+            value += i;
 
     return value;
 }
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/7] avcodec/bonk: Simplify read_uint_max()

[Paul B Mahol]

On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> The max == 0 case can be removed too but i left it as 50% of the cases use
> it
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/bonk.c | 11 ++---------
>  1 file changed, 2 insertions(+), 9 deletions(-)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index 9e8892e4db..04ea4def2f 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -132,7 +132,6 @@ static av_cold int bonk_init(AVCodecContext *avctx)
>  static unsigned read_uint_max(BonkContext *s, uint32_t max)
>  {
>      unsigned value = 0;
> -    int i, bits;
>
>      if (max == 0)
>          return 0;
> @@ -140,15 +139,9 @@ static unsigned read_uint_max(BonkContext *s, uint32_t
> max)
>      if (max >> 31)
>          return 32;
>
> -    bits = 32 - ff_clz(max);
> -
> -    for (i = 0; i < bits - 1; i++)
> -        if (get_bits1(&s->gb))
> -            value += 1 << i;
> -
> -    if ((value | (1 << (bits - 1))) <= max)
> +    for (unsigned i = 1; i <= max - value; i+=i)
>          if (get_bits1(&s->gb))
> -            value += 1 << (bits - 1);
> +            value += i;
>
>      return value;
>  }
> --
> 2.17.1
>

probably ok.

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/7] avcodec/bonk: Simplify read_uint_max()

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1784 bytes --]

On Sun, Nov 06, 2022 at 07:30:24PM +0100, Paul B Mahol wrote:
> On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > The max == 0 case can be removed too but i left it as 50% of the cases use
> > it
> >
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/bonk.c | 11 ++---------
> >  1 file changed, 2 insertions(+), 9 deletions(-)
> >
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 9e8892e4db..04ea4def2f 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -132,7 +132,6 @@ static av_cold int bonk_init(AVCodecContext *avctx)
> >  static unsigned read_uint_max(BonkContext *s, uint32_t max)
> >  {
> >      unsigned value = 0;
> > -    int i, bits;
> >
> >      if (max == 0)
> >          return 0;
> > @@ -140,15 +139,9 @@ static unsigned read_uint_max(BonkContext *s, uint32_t
> > max)
> >      if (max >> 31)
> >          return 32;
> >
> > -    bits = 32 - ff_clz(max);
> > -
> > -    for (i = 0; i < bits - 1; i++)
> > -        if (get_bits1(&s->gb))
> > -            value += 1 << i;
> > -
> > -    if ((value | (1 << (bits - 1))) <= max)
> > +    for (unsigned i = 1; i <= max - value; i+=i)
> >          if (get_bits1(&s->gb))
> > -            value += 1 << (bits - 1);
> > +            value += i;
> >
> >      return value;
> >  }
> > --
> > 2.17.1
> >
> 
> probably ok.

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship: All citizens are under surveillance, all their steps and
actions recorded, for the politicians to enforce control.
Democracy: All politicians are under surveillance, all their steps and
actions recorded, for the citizens to enforce control.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/7] avcodec/bonk: Remove special 32bit case from read_uint_max()

[Michael Niedermayer]

This case seems not to match the reference decoder and it also
seems not reachable

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 04ea4def2f..fca8c246aa 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -136,8 +136,7 @@ static unsigned read_uint_max(BonkContext *s, uint32_t max)
     if (max == 0)
         return 0;
 
-    if (max >> 31)
-        return 32;
+    av_assert0(max >> 31 == 0);
 
     for (unsigned i = 1; i <= max - value; i+=i)
         if (get_bits1(&s->gb))
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/7] avcodec/bonk: Remove special 32bit case from read_uint_max()

[Paul B Mahol]

On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> This case seems not to match the reference decoder and it also
> seems not reachable
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/bonk.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index 04ea4def2f..fca8c246aa 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -136,8 +136,7 @@ static unsigned read_uint_max(BonkContext *s, uint32_t
> max)
>      if (max == 0)
>          return 0;
>
> -    if (max >> 31)
> -        return 32;
> +    av_assert0(max >> 31 == 0);
>
>      for (unsigned i = 1; i <= max - value; i+=i)
>          if (get_bits1(&s->gb))
> --
> 2.17.1


Not sure, at your risk.

Test lossy mode too.

>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/7] avcodec/bonk: Remove special 32bit case from read_uint_max()

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1608 bytes --]

On Sun, Nov 06, 2022 at 07:28:48PM +0100, Paul B Mahol wrote:
> On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > This case seems not to match the reference decoder and it also
> > seems not reachable
> >
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/bonk.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 04ea4def2f..fca8c246aa 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -136,8 +136,7 @@ static unsigned read_uint_max(BonkContext *s, uint32_t
> > max)
> >      if (max == 0)
> >          return 0;
> >
> > -    if (max >> 31)
> > -        return 32;
> > +    av_assert0(max >> 31 == 0);
> >
> >      for (unsigned i = 1; i <= max - value; i+=i)
> >          if (get_bits1(&s->gb))
> > --
> > 2.17.1
> 
> 
> Not sure, at your risk.
> 
> Test lossy mode too.

piotr provided me with a larger testset including lossy files
they are all unchanged

will apply this and the other remaining patches.
They look all correct to me, if i am wrong which is always a possibility
iam human ... then you can revert whats wrong of course

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you drop bombs on a foreign country and kill a hundred thousand
innocent people, expect your government to call the consequence
"unprovoked inhuman terrorist attacks" and use it to justify dropping
more bombs and killing more people. The technology changed, the idea is old.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/7] avcodec/bonk: Remove special 32bit case from read_uint_max()

[Paul B Mahol]

On 11/14/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Sun, Nov 06, 2022 at 07:28:48PM +0100, Paul B Mahol wrote:
>> On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > This case seems not to match the reference decoder and it also
>> > seems not reachable
>> >
>> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> > ---
>> >  libavcodec/bonk.c | 3 +--
>> >  1 file changed, 1 insertion(+), 2 deletions(-)
>> >
>> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
>> > index 04ea4def2f..fca8c246aa 100644
>> > --- a/libavcodec/bonk.c
>> > +++ b/libavcodec/bonk.c
>> > @@ -136,8 +136,7 @@ static unsigned read_uint_max(BonkContext *s,
>> > uint32_t
>> > max)
>> >      if (max == 0)
>> >          return 0;
>> >
>> > -    if (max >> 31)
>> > -        return 32;
>> > +    av_assert0(max >> 31 == 0);
>> >
>> >      for (unsigned i = 1; i <= max - value; i+=i)
>> >          if (get_bits1(&s->gb))
>> > --
>> > 2.17.1
>>
>>
>> Not sure, at your risk.
>>
>> Test lossy mode too.
>
> piotr provided me with a larger testset including lossy files
> they are all unchanged
>
> will apply this and the other remaining patches.
> They look all correct to me, if i am wrong which is always a possibility
> iam human ... then you can revert whats wrong of course
>

Its not for valid, but for fuzzed files.

> thx
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> If you drop bombs on a foreign country and kill a hundred thousand
> innocent people, expect your government to call the consequence
> "unprovoked inhuman terrorist attacks" and use it to justify dropping
> more bombs and killing more people. The technology changed, the idea is
> old.
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/7] avcodec/bonk: actual_run seems not able to become negative

[Michael Niedermayer]

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index fca8c246aa..99dac0b951 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -184,8 +184,7 @@ static int intlist_read(BonkContext *s, int *buf, int entries, int base_2_part)
         } else if (steplet > 0) {
             int actual_run = read_uint_max(s, steplet - 1);
 
-            if (actual_run < 0)
-                break;
+            av_assert0(actual_run >= 0);
 
             if (actual_run > 0) {
                 bits[x  ].bit   = dominant;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/7] avcodec/bonk: actual_run seems not able to become negative

[Paul B Mahol]

On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/bonk.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index fca8c246aa..99dac0b951 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -184,8 +184,7 @@ static int intlist_read(BonkContext *s, int *buf, int
> entries, int base_2_part)
>          } else if (steplet > 0) {
>              int actual_run = read_uint_max(s, steplet - 1);
>
> -            if (actual_run < 0)
> -                break;
> +            av_assert0(actual_run >= 0);
>
>              if (actual_run > 0) {
>                  bits[x  ].bit   = dominant;
> --
> 2.17.1
>

Not sure, at your risk.

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 5/7] avcodec/bonk: step cannot become 0 without overflowing which is undefined

[Michael Niedermayer]

also the original reference code does not contain a 0 check

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 99dac0b951..37ad7854b6 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -203,8 +203,6 @@ static int intlist_read(BonkContext *s, int *buf, int entries, int base_2_part)
         }
 
         if (step < 256) {
-            if (step == 0)
-                return AVERROR_INVALIDDATA;
             step = 65536 / step;
             dominant = !dominant;
         }
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 5/7] avcodec/bonk: step cannot become 0 without overflowing which is undefined

[Paul B Mahol]

On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> also the original reference code does not contain a 0 check
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/bonk.c | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index 99dac0b951..37ad7854b6 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -203,8 +203,6 @@ static int intlist_read(BonkContext *s, int *buf, int
> entries, int base_2_part)
>          }
>
>          if (step < 256) {
> -            if (step == 0)
> -                return AVERROR_INVALIDDATA;
>              step = 65536 / step;
>              dominant = !dominant;
>          }
> --
> 2.17.1
>


Not sure, at your risk.

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 6/7] avcodec/bonk: Check step against overflow

[Michael Niedermayer]

No testcase

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 37ad7854b6..f2427de4f1 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -180,6 +180,8 @@ static int intlist_read(BonkContext *s, int *buf, int entries, int base_2_part)
             if (!dominant)
                 n_zeros += steplet;
 
+            if (step > INT32_MAX*8LL/9 + 1)
+                return AVERROR_INVALIDDATA;
             step += step / 8;
         } else if (steplet > 0) {
             int actual_run = read_uint_max(s, steplet - 1);
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 6/7] avcodec/bonk: Check step against overflow

[Paul B Mahol]

On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> No testcase
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/bonk.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index 37ad7854b6..f2427de4f1 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -180,6 +180,8 @@ static int intlist_read(BonkContext *s, int *buf, int
> entries, int base_2_part)
>              if (!dominant)
>                  n_zeros += steplet;
>
> +            if (step > INT32_MAX*8LL/9 + 1)
> +                return AVERROR_INVALIDDATA;
>              step += step / 8;
>          } else if (steplet > 0) {
>              int actual_run = read_uint_max(s, steplet - 1);
> --
> 2.17.1

probably ok

>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 6/7] avcodec/bonk: Check step against overflow

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1218 bytes --]

On Sun, Nov 06, 2022 at 07:25:35PM +0100, Paul B Mahol wrote:
> On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > No testcase
> >
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/bonk.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 37ad7854b6..f2427de4f1 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -180,6 +180,8 @@ static int intlist_read(BonkContext *s, int *buf, int
> > entries, int base_2_part)
> >              if (!dominant)
> >                  n_zeros += steplet;
> >
> > +            if (step > INT32_MAX*8LL/9 + 1)
> > +                return AVERROR_INVALIDDATA;
> >              step += step / 8;
> >          } else if (steplet > 0) {
> >              int actual_run = read_uint_max(s, steplet - 1);
> > --
> > 2.17.1
> 
> probably ok

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Whats the most studid thing your enemy could do ? Blow himself up
Whats the most studid thing you could do ? Give up your rights and
freedom because your enemy blew himself up.


[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 7/7] avcodec/bonk: steplet cannot become negative

[Michael Niedermayer]

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bonk.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index f2427de4f1..c775ed5ddf 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -169,8 +169,7 @@ static int intlist_read(BonkContext *s, int *buf, int entries, int base_2_part)
             return AVERROR_INVALIDDATA;
 
         if (!get_bits1(&s->gb)) {
-            if (steplet < 0)
-                break;
+            av_assert0(steplet >= 0);
 
             if (steplet > 0) {
                 bits[x  ].bit   = dominant;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 7/7] avcodec/bonk: steplet cannot become negative

[Paul B Mahol]

On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/bonk.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index f2427de4f1..c775ed5ddf 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -169,8 +169,7 @@ static int intlist_read(BonkContext *s, int *buf, int
> entries, int base_2_part)
>              return AVERROR_INVALIDDATA;
>
>          if (!get_bits1(&s->gb)) {
> -            if (steplet < 0)
> -                break;
> +            av_assert0(steplet >= 0);
>
>              if (steplet > 0) {
>                  bits[x  ].bit   = dominant;
> --
> 2.17.1
>

probably fine

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/7] avcodec/bonk: Use unsigned in predictor_calc_error() to avoid undefined overflows

[Paul B Mahol]

On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: signed integer overflow: 22 * -2107998208 cannot be represented in
> type 'int'
> Fixes:
> 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/bonk.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index 1695229dbd..9e8892e4db 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -278,7 +278,7 @@ static int predictor_calc_error(int *k, int *state, int
> order, int error)
>          *state_ptr = &(state[order-2]);
>
>      for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) {
> -        int k_value = *k_ptr, state_value = *state_ptr;
> +        unsigned k_value = *k_ptr, state_value = *state_ptr;
>
>          x -= shift_down(k_value * state_value, LATTICE_SHIFT);
>          state_ptr[1] = state_value + shift_down(k_value * x,
> LATTICE_SHIFT);
> --
> 2.17.1
>

probably fine.

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/7] avcodec/bonk: Use unsigned in predictor_calc_error() to avoid undefined overflows

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1608 bytes --]

On Sun, Nov 06, 2022 at 07:31:23PM +0100, Paul B Mahol wrote:
> On 11/6/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: signed integer overflow: 22 * -2107998208 cannot be represented in
> > type 'int'
> > Fixes:
> > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/bonk.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 1695229dbd..9e8892e4db 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -278,7 +278,7 @@ static int predictor_calc_error(int *k, int *state, int
> > order, int error)
> >          *state_ptr = &(state[order-2]);
> >
> >      for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) {
> > -        int k_value = *k_ptr, state_value = *state_ptr;
> > +        unsigned k_value = *k_ptr, state_value = *state_ptr;
> >
> >          x -= shift_down(k_value * state_value, LATTICE_SHIFT);
> >          state_ptr[1] = state_value + shift_down(k_value * x,
> > LATTICE_SHIFT);
> > --
> > 2.17.1
> >
> 
> probably fine.

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".