* [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() @ 2022-11-05 20:16 Michael Niedermayer 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 2/4] avcodec/bonk: decode multiple passes in intlist_read() at once Michael Niedermayer ` (3 more replies) 0 siblings, 4 replies; 10+ messages in thread From: Michael Niedermayer @ 2022-11-05 20:16 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: null pointer dereference Fixes: 52155/clusterfuzz-testcase-minimized-ffmpeg_BSF_DTS2PTS_fuzzer-5760107527143424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/dts2pts_bsf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dts2pts_bsf.c b/libavcodec/dts2pts_bsf.c index bf20b1ec8a..8142562d2c 100644 --- a/libavcodec/dts2pts_bsf.c +++ b/libavcodec/dts2pts_bsf.c @@ -505,7 +505,8 @@ static void dts2pts_flush(AVBSFContext *ctx) s->root = NULL; ff_cbs_fragment_reset(&s->au); - ff_cbs_flush(s->cbc); + if (s->cbc) + ff_cbs_flush(s->cbc); } static void dts2pts_close(AVBSFContext *ctx) -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
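Review bot: the subject line says "Check ctx for NULL" but the hunk guards s->cbc, not ctx; retitle it ("Check cbc for NULL before ff_cbs_flush()") so the log does not suggest the AVBSFContext itself can be NULL here. The guard is the right shape: ff_cbs_fragment_reset(&s->au) on the line above stays unconditional, which is fine since s->au is embedded state, while s->cbc is a pointer the fuzzer showed can still be NULL when flush is called. Worth confirming that dts2pts_close, which follows this hunk, already tolerates the same state.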
* [FFmpeg-devel] [PATCH 2/4] avcodec/bonk: decode multiple passes in intlist_read() at once 2022-11-05 20:16 [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() Michael Niedermayer @ 2022-11-05 20:16 ` Michael Niedermayer 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 3/4] avcodec/bonk: Check unquant for overflow Michael Niedermayer ` (2 subsequent siblings) 3 siblings, 0 replies; 10+ messages in thread From: Michael Niedermayer @ 2022-11-05 20:16 UTC (permalink / raw) To: FFmpeg development discussions and patches This makes the worst case much faster Fixes: Timeout Fixes: 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/bonk.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c index 409694f710..471e09fe14 100644 --- a/libavcodec/bonk.c +++ b/libavcodec/bonk.c @@ -159,6 +159,7 @@ static int intlist_read(BonkContext *s, int *buf, int entries, int base_2_part) int n_zeros = 0, step = 256, dominant = 0; int pos = 0, level = 0; BitCount *bits = s->bits; + int passes = 1; memset(buf, 0, entries * sizeof(*buf)); if (base_2_part) { 
@@ -222,21 +223,25 @@ static int intlist_read(BonkContext *s, int *buf, int entries, int base_2_part) x = 0; n_zeros = 0; for (i = 0; n_zeros < entries; i++) { + if (x >= max_x) + return AVERROR_INVALIDDATA; + if (pos >= entries) { pos = 0; - level += 1 << low_bits; + level += passes << low_bits; + passes = 1; + if (bits[x].bit && bits[x].count > entries - n_zeros) + passes = bits[x].count / (entries - n_zeros); } - if (x >= max_x) - return AVERROR_INVALIDDATA; - if (buf[pos] >= level) { if (bits[x].bit) - buf[pos] += 1 << low_bits; + buf[pos] += passes << low_bits; else n_zeros++; - bits[x].count--; + av_assert1(bits[x].count >= passes); + bits[x].count -= passes; x += bits[x].count == 0; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
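Review bot: the av_assert1(bits[x].count >= passes) in the last block compiles to nothing at the default assert level, so the invariant it expresses should be written as a comment where passes is computed: passes = bits[x].count / (entries - n_zeros) is only taken when count > entries - n_zeros, so passes * (entries - n_zeros) <= count, and since (as the loop structure implies) only the entries - n_zeros still-active positions satisfy buf[pos] >= level within one pass, count cannot go below zero and x can only advance at the end of a pass. The division is safe because the for condition guarantees n_zeros < entries. Moving `if (x >= max_x) return AVERROR_INVALIDDATA;` above the `pos >= entries` block is required rather than cosmetic, because that block now reads bits[x]; the commit message should say so, and "makes the worst case much faster" would benefit from a number, since the patch is justified by the fuzzer timeout.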
* [FFmpeg-devel] [PATCH 3/4] avcodec/bonk: Check unquant for overflow 2022-11-05 20:16 [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() Michael Niedermayer 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 2/4] avcodec/bonk: decode multiple passes in intlist_read() at once Michael Niedermayer @ 2022-11-05 20:16 ` Michael Niedermayer 2022-11-06 8:51 ` Paul B Mahol 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error() Michael Niedermayer 2022-11-06 22:38 ` [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() James Almer 3 siblings, 1 reply; 10+ messages in thread From: Michael Niedermayer @ 2022-11-05 20:16 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in type 'int' Fixes: 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/bonk.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c index 471e09fe14..1695229dbd 100644 --- a/libavcodec/bonk.c +++ b/libavcodec/bonk.c 
@@ -363,12 +363,17 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame, return ret; for (int i = 0; i < samples_per_packet; i++) { + int64_t t64; for (int j = 0; j < s->down_sampling - 1; j++) { sample[0] = predictor_calc_error(s->k, state, s->n_taps, 0); sample++; } - sample[0] = predictor_calc_error(s->k, state, s->n_taps, s->input_samples[i] * quant); + t64 = s->input_samples[i] * (int64_t)quant; + if ((int32_t)t64 != t64) + return AVERROR_INVALIDDATA; + + sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); sample++; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
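Review bot: after the `(int32_t)t64 != t64` check, t64 is passed to predictor_calc_error, whose parameter is a plain `int error` (visible in the 4/4 hunk context), so the narrowing is now implicit; write `(int)t64` to make it deliberate. The check itself is sound: the product of two 32-bit values cannot overflow int64_t, and comparing the truncated value back detects any result outside int32 range. On the cost concern raised in the replies, this runs once per output sample and outside the per-tap loop, so widening here is far cheaper than widening inside predictor_calc_error; an alternative that avoids int64_t entirely is to bound quant against the maximum magnitude of input_samples once per packet before the loop.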
* Re: [FFmpeg-devel] [PATCH 3/4] avcodec/bonk: Check unquant for overflow 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 3/4] avcodec/bonk: Check unquant for overflow Michael Niedermayer @ 2022-11-06 8:51 ` Paul B Mahol 2022-11-06 12:29 ` Michael Niedermayer 0 siblings, 1 reply; 10+ messages in thread From: Paul B Mahol @ 2022-11-06 8:51 UTC (permalink / raw) To: FFmpeg development discussions and patches On 11/5/22, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in > type 'int' > Fixes: > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/bonk.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c > index 471e09fe14..1695229dbd 100644 > --- a/libavcodec/bonk.c > +++ b/libavcodec/bonk.c 
> @@ -363,12 +363,17 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > *frame, > return ret; > > for (int i = 0; i < samples_per_packet; i++) { > + int64_t t64; > for (int j = 0; j < s->down_sampling - 1; j++) { > sample[0] = predictor_calc_error(s->k, state, s->n_taps, > 0); > sample++; > } > > - sample[0] = predictor_calc_error(s->k, state, s->n_taps, > s->input_samples[i] * quant); > + t64 = s->input_samples[i] * (int64_t)quant; > + if ((int32_t)t64 != t64) > + return AVERROR_INVALIDDATA; > + > + sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); > sample++; > } > NAK, using int64_t and thus slowing things down. > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] [PATCH 3/4] avcodec/bonk: Check unquant for overflow 2022-11-06 8:51 ` Paul B Mahol @ 2022-11-06 12:29 ` Michael Niedermayer 0 siblings, 0 replies; 10+ messages in thread From: Michael Niedermayer @ 2022-11-06 12:29 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 2559 bytes --] On Sun, Nov 06, 2022 at 09:51:57AM +0100, Paul B Mahol wrote: > On 11/5/22, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in > > type 'int' > > Fixes: > > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/bonk.c | 7 ++++++- > > 1 file changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c > > index 471e09fe14..1695229dbd 100644 > > --- a/libavcodec/bonk.c > > +++ b/libavcodec/bonk.c 
> > @@ -363,12 +363,17 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > > *frame, > > return ret; > > > > for (int i = 0; i < samples_per_packet; i++) { > > + int64_t t64; > > for (int j = 0; j < s->down_sampling - 1; j++) { > > sample[0] = predictor_calc_error(s->k, state, s->n_taps, > > 0); > > sample++; > > } > > > > - sample[0] = predictor_calc_error(s->k, state, s->n_taps, > > s->input_samples[i] * quant); > > + t64 = s->input_samples[i] * (int64_t)quant; > > + if ((int32_t)t64 != t64) > > + return AVERROR_INVALIDDATA; > > + > > + sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); > > sample++; > > } > > > > NAK, using int64_t and thus slowing things down. this code has little speed relevance, a single interation of this loop takes over 1300 cpu cycles already and it is faster, why, no clue, i guess it maybe reshuffles some speed relevant bits int 13145422 decicycles in QUA, 8192 runs, 0 skips 13175400 decicycles in QUA, 8192 runs, 0 skips 13260076 decicycles in QUA, 8192 runs, 0 skips int64 13049729 decicycles in QUA, 8192 runs, 0 skips 13049418 decicycles in QUA, 8192 runs, 0 skips 13038855 decicycles in QUA, 8192 runs, 0 skips [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Old school: Use the lowest level language in which you can solve the problem conveniently. New school: Use the highest level language in which the latest supercomputer can solve the problem without the user falling asleep waiting. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error() 2022-11-05 20:16 [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() Michael Niedermayer 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 2/4] avcodec/bonk: decode multiple passes in intlist_read() at once Michael Niedermayer 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 3/4] avcodec/bonk: Check unquant for overflow Michael Niedermayer @ 2022-11-05 20:16 ` Michael Niedermayer 2022-11-06 8:50 ` Paul B Mahol 2022-11-06 22:38 ` [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() James Almer 3 siblings, 1 reply; 10+ messages in thread From: Michael Niedermayer @ 2022-11-05 20:16 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: signed integer overflow: 22 * -2107998208 cannot be represented in type 'int' Fixes: 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/bonk.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c index 1695229dbd..40963aa7c6 100644 --- a/libavcodec/bonk.c +++ b/libavcodec/bonk.c @@ -278,10 +278,13 @@ static int predictor_calc_error(int *k, int *state, int order, int error) *state_ptr = &(state[order-2]); for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { - int k_value = *k_ptr, state_value = *state_ptr; + int64_t k_value = *k_ptr, state_value = *state_ptr; x -= shift_down(k_value * state_value, LATTICE_SHIFT); - state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT); + k_value *= x; + if ((int32_t)k_value != k_value) + return AVERROR_INVALIDDATA; + state_ptr[1] = state_value + shift_down(k_value, LATTICE_SHIFT); } // don't drift too far, to avoid overflows 
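Review bot: in the predictor_calc_error hunk, returning AVERROR_INVALIDDATA from a function whose normal return value is a sample is in-band error signalling: a legitimately computed sample equal to that negative constant is indistinguishable from an error, and the caller will abort the frame on it. Prefer an out parameter for the sample with the int return reserved for status, or clamp instead of failing. Separately, widening k_value and state_value to int64_t also turns `k_value * state_value` in the `x -=` line into a 64-bit product handed to shift_down; confirm shift_down's parameter type so that product is not silently truncated before the shift. This is the per-tap inner loop, which is where the slowdown noted in the replies would come from, so any fix that keeps 32-bit arithmetic here (for example bounding k and state on entry) is preferable.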
@@ -366,6 +369,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame, int64_t t64; for (int j = 0; j < s->down_sampling - 1; j++) { sample[0] = predictor_calc_error(s->k, state, s->n_taps, 0); + if (sample[0] == AVERROR_INVALIDDATA) + return sample[0]; sample++; } @@ -374,6 +379,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame, return AVERROR_INVALIDDATA; sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); + if (sample[0] == AVERROR_INVALIDDATA) + return sample[0]; sample++; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
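Review bot: both bonk_decode hunks test `sample[0] == AVERROR_INVALIDDATA` only after the value has been stored into the output buffer, and the comparison cannot tell an error from a sample that happens to equal the constant. If predictor_calc_error keeps returning status in-band, at least read it into a local first: `int v = predictor_calc_error(s->k, state, s->n_taps, t64); if (v == AVERROR_INVALIDDATA) return v; sample[0] = v;` and the same for the `0` call in the down-sampling loop. Better still is the out-parameter form suggested for the first hunk, which makes these two checks unambiguous.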
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error() 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error() Michael Niedermayer @ 2022-11-06 8:50 ` Paul B Mahol 2022-11-06 12:30 ` Michael Niedermayer 0 siblings, 1 reply; 10+ messages in thread From: Paul B Mahol @ 2022-11-06 8:50 UTC (permalink / raw) To: FFmpeg development discussions and patches On 11/5/22, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: signed integer overflow: 22 * -2107998208 cannot be represented in > type 'int' > Fixes: > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/bonk.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c > index 1695229dbd..40963aa7c6 100644 > --- a/libavcodec/bonk.c > +++ b/libavcodec/bonk.c > @@ -278,10 +278,13 @@ static int predictor_calc_error(int *k, int *state, > int order, int error) > *state_ptr = &(state[order-2]); > > for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { > - int k_value = *k_ptr, state_value = *state_ptr; > + int64_t k_value = *k_ptr, state_value = *state_ptr; > > x -= shift_down(k_value * state_value, LATTICE_SHIFT); > - state_ptr[1] = state_value + shift_down(k_value * x, > LATTICE_SHIFT); > + k_value *= x; > + if ((int32_t)k_value != k_value) > + return AVERROR_INVALIDDATA; > + state_ptr[1] = state_value + shift_down(k_value, LATTICE_SHIFT); > } > > // don't drift too far, to avoid overflows 
> @@ -366,6 +369,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > *frame, > int64_t t64; > for (int j = 0; j < s->down_sampling - 1; j++) { > sample[0] = predictor_calc_error(s->k, state, s->n_taps, > 0); > + if (sample[0] == AVERROR_INVALIDDATA) > + return sample[0]; > sample++; > } > > @@ -374,6 +379,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > *frame, > return AVERROR_INVALIDDATA; > > sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); > + if (sample[0] == AVERROR_INVALIDDATA) > + return sample[0]; > sample++; > } > > -- > 2.17.1 > NAK, slowing things down by using int64_t > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error() 2022-11-06 8:50 ` Paul B Mahol @ 2022-11-06 12:30 ` Michael Niedermayer 0 siblings, 0 replies; 10+ messages in thread From: Michael Niedermayer @ 2022-11-06 12:30 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 2766 bytes --] On Sun, Nov 06, 2022 at 09:50:47AM +0100, Paul B Mahol wrote: > On 11/5/22, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: signed integer overflow: 22 * -2107998208 cannot be represented in > > type 'int' > > Fixes: > > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/bonk.c | 11 +++++++++-- > > 1 file changed, 9 insertions(+), 2 deletions(-) > > > > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c > > index 1695229dbd..40963aa7c6 100644 > > --- a/libavcodec/bonk.c > > +++ b/libavcodec/bonk.c > > @@ -278,10 +278,13 @@ static int predictor_calc_error(int *k, int *state, > > int order, int error) > > *state_ptr = &(state[order-2]); > > > > for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { > > - int k_value = *k_ptr, state_value = *state_ptr; > > + int64_t k_value = *k_ptr, state_value = *state_ptr; > > > > x -= shift_down(k_value * state_value, LATTICE_SHIFT); > > - state_ptr[1] = state_value + shift_down(k_value * x, > > LATTICE_SHIFT); > > + k_value *= x; > > + if ((int32_t)k_value != k_value) > > + return AVERROR_INVALIDDATA; > > + state_ptr[1] = state_value + shift_down(k_value, LATTICE_SHIFT); > > } > > > > // don't drift too far, to avoid overflows 
> > @@ -366,6 +369,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > > *frame, > > int64_t t64; > > for (int j = 0; j < s->down_sampling - 1; j++) { > > sample[0] = predictor_calc_error(s->k, state, s->n_taps, > > 0); > > + if (sample[0] == AVERROR_INVALIDDATA) > > + return sample[0]; > > sample++; > > } > > > > @@ -374,6 +379,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > > *frame, > > return AVERROR_INVALIDDATA; > > > > sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); > > + if (sample[0] == AVERROR_INVALIDDATA) > > + return sample[0]; > > sample++; > > } > > > > -- > > 2.17.1 > > > > > NAK, > > slowing things down by using int64_t ill post some other solution, it seems slower indeed, i was hoping gcc would produce smarter code thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Elect your leaders based on what they did after the last election, not based on what they say before an election. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() 2022-11-05 20:16 [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() Michael Niedermayer ` (2 preceding siblings ...) 2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error() Michael Niedermayer @ 2022-11-06 22:38 ` James Almer 2022-11-09 22:03 ` Michael Niedermayer 3 siblings, 1 reply; 10+ messages in thread From: James Almer @ 2022-11-06 22:38 UTC (permalink / raw) To: ffmpeg-devel On 11/5/2022 5:16 PM, Michael Niedermayer wrote: > Fixes: null pointer dereference > Fixes: 52155/clusterfuzz-testcase-minimized-ffmpeg_BSF_DTS2PTS_fuzzer-5760107527143424 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/dts2pts_bsf.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/dts2pts_bsf.c b/libavcodec/dts2pts_bsf.c > index bf20b1ec8a..8142562d2c 100644 > --- a/libavcodec/dts2pts_bsf.c > +++ b/libavcodec/dts2pts_bsf.c > @@ -505,7 +505,8 @@ static void dts2pts_flush(AVBSFContext *ctx) > s->root = NULL; > > ff_cbs_fragment_reset(&s->au); > - ff_cbs_flush(s->cbc); > + if (s->cbc) > + ff_cbs_flush(s->cbc); > } > > static void dts2pts_close(AVBSFContext *ctx) Should be ok. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() 2022-11-06 22:38 ` [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() James Almer @ 2022-11-09 22:03 ` Michael Niedermayer 0 siblings, 0 replies; 10+ messages in thread From: Michael Niedermayer @ 2022-11-09 22:03 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 1367 bytes --] On Sun, Nov 06, 2022 at 07:38:42PM -0300, James Almer wrote: > On 11/5/2022 5:16 PM, Michael Niedermayer wrote: > > Fixes: null pointer dereference > > Fixes: 52155/clusterfuzz-testcase-minimized-ffmpeg_BSF_DTS2PTS_fuzzer-5760107527143424 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/dts2pts_bsf.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/libavcodec/dts2pts_bsf.c b/libavcodec/dts2pts_bsf.c > > index bf20b1ec8a..8142562d2c 100644 > > --- a/libavcodec/dts2pts_bsf.c > > +++ b/libavcodec/dts2pts_bsf.c 
> > @@ -505,7 +505,8 @@ static void dts2pts_flush(AVBSFContext *ctx) > > s->root = NULL; > > ff_cbs_fragment_reset(&s->au); > > - ff_cbs_flush(s->cbc); > > + if (s->cbc) > > + ff_cbs_flush(s->cbc); > > } > > static void dts2pts_close(AVBSFContext *ctx) > > Should be ok. will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Frequently ignored answer#1 FFmpeg bugs should be sent to our bugtracker. User questions about the command line tools should be sent to the ffmpeg-user ML. And questions about how to use libav* should be sent to the libav-user ML. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 10+ messages in thread