[FFmpeg-devel] [PATCH 1/3] avutil/tx: Use unsigned in ff_tx_fft_sr_combine() to avoid undefined behavior

[FFmpeg-devel] [PATCH 1/3] avutil/tx: Use unsigned in ff_tx_fft_sr_combine() to avoid undefined behavior

[Michael Niedermayer]

Fixes: signed integer overflow: -1284837070 - 982101618 cannot be represented in type 'int'
Fixes: 53105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4848015827664896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavutil/tx_priv.h     | 3 +++
 libavutil/tx_template.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavutil/tx_priv.h b/libavutil/tx_priv.h
index fb61119009..6f01f305fc 100644
--- a/libavutil/tx_priv.h
+++ b/libavutil/tx_priv.h
@@ -34,6 +34,7 @@
 #define MULT(x, m) ((x) * (m))
 #define SCALE_TYPE float
 typedef float TXSample;
+typedef float TXUSample;
 typedef AVComplexFloat TXComplex;
 #elif defined(TX_DOUBLE)
 #define TX_TAB(x) x ## _double
@@ -45,6 +46,7 @@ typedef AVComplexFloat TXComplex;
 #define MULT(x, m) ((x) * (m))
 #define SCALE_TYPE double
 typedef double TXSample;
+typedef double TXUSample;
 typedef AVComplexDouble TXComplex;
 #elif defined(TX_INT32)
 #define TX_TAB(x) x ## _int32
@@ -56,6 +58,7 @@ typedef AVComplexDouble TXComplex;
 #define MULT(x, m) (((((int64_t)(x)) * (int64_t)(m)) + 0x40000000) >> 31)
 #define SCALE_TYPE float
 typedef int32_t TXSample;
+typedef uint32_t TXUSample;
 typedef AVComplexInt32 TXComplex;
 #else
 typedef void TXComplex;
diff --git a/libavutil/tx_template.c b/libavutil/tx_template.c
index 666af5e496..b624869010 100644
--- a/libavutil/tx_template.c
+++ b/libavutil/tx_template.c
@@ -497,7 +497,7 @@ static inline void TX_NAME(ff_tx_fft_sr_combine)(TXComplex *z,
     int o2 = 4*len;
     int o3 = 6*len;
     const TXSample *wim = cos + o1 - 7;
-    TXSample t1, t2, t3, t4, t5, t6, r0, i0, r1, i1;
+    TXUSample t1, t2, t3, t4, t5, t6, r0, i0, r1, i1;
 
     for (int i = 0; i < len; i += 4) {
         TRANSFORM(z[0], z[o1 + 0], z[o2 + 0], z[o3 + 0], cos[0], wim[7]);
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/3] avcodec/mlpdec: Check max matrix instead of max channel in noise check

[Michael Niedermayer]

This is a regression since: adaa06581c5444c94eef72d61b8166f096e2687a
Before this, max_channel and  max_matrix_channel where compared for equality

Fixes: out of array access
Fixes: 53340/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-514959011885875

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mlpdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 0b0eb75990..5b14a3b03b 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -539,7 +539,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp,
 
     /* This should happen for TrueHD streams with >6 channels and MLP's noise
      * type. It is not yet known if this is allowed. */
-    if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
+    if (max_matrix_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
         avpriv_request_sample(m->avctx,
                               "%d channels (more than the "
                               "maximum supported by the decoder)",
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/3] avcodec/dts2pts_bsf: Eliminate some 64bit corner cases

[Michael Niedermayer]

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 53364/clusterfuzz-testcase-minimized-ffmpeg_BSF_DTS2PTS_fuzzer-4693772269387776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dts2pts_bsf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dts2pts_bsf.c b/libavcodec/dts2pts_bsf.c
index 8142562d2c..522d5e1eb0 100644
--- a/libavcodec/dts2pts_bsf.c
+++ b/libavcodec/dts2pts_bsf.c
@@ -301,15 +301,15 @@ static int h264_filter(AVBSFContext *ctx)
 
             if (output_picture_number != h264->last_poc) {
                 if (h264->last_poc != INT_MIN) {
-                    int diff = FFABS(h264->last_poc - output_picture_number);
+                    int64_t diff = FFABS(h264->last_poc - (int64_t)output_picture_number);
 
                     if ((output_picture_number < 0) && !h264->last_poc)
                         h264->poc_diff = 0;
-                    else if (FFABS(output_picture_number) < h264->poc_diff) {
+                    else if (FFABS((int64_t)output_picture_number) < h264->poc_diff) {
                         diff = FFABS(output_picture_number);
                         h264->poc_diff = 0;
                     }
-                    if (!h264->poc_diff || (h264->poc_diff > diff)) {
+                    if ((!h264->poc_diff || (h264->poc_diff > diff)) && diff <= INT_MAX) {
                         h264->poc_diff = diff;
                         if (h264->poc_diff == 1 && h264->sps.frame_mbs_only_flag) {
                             av_tree_enumerate(s->root, &h264->poc_diff, NULL, dec_poc);
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/3] avutil/tx: Use unsigned in ff_tx_fft_sr_combine() to avoid undefined behavior

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 780 bytes --]

On Tue, Nov 22, 2022 at 12:58:21AM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -1284837070 - 982101618 cannot be represented in type 'int'
> Fixes: 53105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4848015827664896
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavutil/tx_priv.h     | 3 +++
>  libavutil/tx_template.c | 2 +-
>  2 files changed, 4 insertions(+), 1 deletion(-)

will apply patchset


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".