* [FFmpeg-devel] [PATCH 1/5] avformat/mxfdec: Avoid some redundant writing to tables in mxf_compute_ptses_fake_index()
From: Michael Niedermayer @ 2022-09-11 14:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mxfdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index e63e803aa56..4ceb6cf672f 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1939,10 +1939,10 @@ static int mxf_compute_ptses_fake_index(MXFContext *mxf, MXFIndexTable *index_ta
if (index_table->nb_ptses <= 0)
return 0;
- if (!(index_table->ptses = av_calloc(index_table->nb_ptses, sizeof(int64_t))) ||
+ if (!(index_table->ptses = av_malloc_array(index_table->nb_ptses, sizeof(int64_t))) ||
!(index_table->fake_index = av_calloc(index_table->nb_ptses, sizeof(AVIndexEntry))) ||
!(index_table->offsets = av_calloc(index_table->nb_ptses, sizeof(int8_t))) ||
- !(flags = av_calloc(index_table->nb_ptses, sizeof(uint8_t)))) {
+ !(flags = av_malloc_array(index_table->nb_ptses, sizeof(uint8_t)))) {
av_freep(&index_table->ptses);
av_freep(&index_table->fake_index);
av_freep(&index_table->offsets);
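Review bot: av_malloc_array() returns uninitialized memory, so on the two changed lines (index_table->ptses and flags) the patch is only correct if every one of the nb_ptses elements is written before it is first read; nothing in this hunk or in the commit message, which has a subject only, shows that. Please add a sentence to the commit message naming the code that fills each array, or keep av_calloc() for any array that can be read on a path where some entries were never stored.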
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/5] avcodec/wavpack: Fix overflow in k=31
From: Michael Niedermayer @ 2022-09-11 14:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Untested with "non fuzzed" samples as i have no such file
Fixes: shift exponent 32 is too large for 32-bit type 'int'
Fixes: 50930/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6319201949712384
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/wavpack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 7aa1f65e17b..b4d19df7ea2 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -126,7 +126,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, unsigned k)
if (k < 1)
return 0;
p = av_log2(k);
- e = (1 << (p + 1)) - k - 1;
+ e = (1LL << (p + 1)) - k - 1;
res = get_bits_long(gb, p);
if (res >= e)
res = (res << 1) - e + get_bits1(gb);
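Review bot: on the added line, e = (1LL << (p + 1)) - k - 1 is now evaluated in 64 bits and then narrowed into e, whose declaration is outside this hunk. For p = 31 the value 2^32 - k - 1 fits in 32 bits because k is at least 2^31, but a short comment saying so would help, and it is worth confirming that e and res are unsigned so that the narrowing and the following (res << 1) stay well defined when res holds 31 bits. If both are unsigned, (2U << p) - k - 1 gives the same result without widening.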
--
2.17.1
* [FFmpeg-devel] [PATCH 3/5] avcodec/wavpack: Check for end of input in wv_unpack_dsd_high()
From: Michael Niedermayer @ 2022-09-11 14:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 50793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-4980185027444736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/wavpack.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index b4d19df7ea2..3cb40775506 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -495,6 +495,8 @@ static int wv_unpack_dsd_high(WavpackFrameContext *s, uint8_t *dst_left, uint8_t
sp[0].fltr0 = 0;
}
+ if (DSD_BYTE_READY(high, low) && !bytestream2_get_bytes_left(&s->gbyte))
+ return AVERROR_INVALIDDATA;
while (DSD_BYTE_READY(high, low) && bytestream2_get_bytes_left(&s->gbyte)) {
value = (value << 8) | bytestream2_get_byte(&s->gbyte);
high = (high << 8) | 0xff;
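Review bot: the added check only fires when the input is already empty before the refill loop starts; if the while loop below it consumes the last byte and DSD_BYTE_READY(high, low) is still true, the loop exits on bytestream2_get_bytes_left() and decoding continues without an error. Consider testing after the loop instead, with if (DSD_BYTE_READY(high, low)) return AVERROR_INVALIDDATA;, which covers both cases with one condition.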
@@ -530,6 +532,8 @@ static int wv_unpack_dsd_high(WavpackFrameContext *s, uint8_t *dst_left, uint8_t
sp[1].fltr0 = 0;
}
+ if (DSD_BYTE_READY(high, low) && !bytestream2_get_bytes_left(&s->gbyte))
+ return AVERROR_INVALIDDATA;
while (DSD_BYTE_READY(high, low) && bytestream2_get_bytes_left(&s->gbyte)) {
value = (value << 8) | bytestream2_get_byte(&s->gbyte);
high = (high << 8) | 0xff;
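Review bot: this is the same two-line check as in the previous hunk, repeated for the sp[1] path, and it returns AVERROR_INVALIDDATA with no log message. A small helper or macro shared by both paths would keep them from drifting apart, and an av_log() at the failure point would make truncated input easier to diagnose.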
--
2.17.1
* [FFmpeg-devel] [PATCH 4/5] avcodec/hdrdec: Update w in inner loop of decompress()
From: Michael Niedermayer @ 2022-09-11 14:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 50936/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HDR_fuzzer-5423041009549312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hdrdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hdrdec.c b/libavcodec/hdrdec.c
index 9b262f2ef2c..7727826e2a5 100644
--- a/libavcodec/hdrdec.c
+++ b/libavcodec/hdrdec.c
@@ -70,8 +70,8 @@ static int decompress(uint8_t *scanline, int w, GetByteContext *gb, const uint8_
for (int i = run << rshift; i > 0 && w > 0 && scanline >= start + 4; i--) {
memcpy(scanline, scanline - 4, 4);
scanline += 4;
+ w -= 4;
}
- w -= run << rshift;
rshift += 8;
if (rshift > 16)
break;
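Review bot: the added w -= 4 changes the unit in which w is counted. The removed line subtracted run << rshift, which is one per loop iteration, while the new line subtracts four per iteration, matching the four bytes that scanline advances. If w is a count of 4-byte pixels rather than bytes, this should be w-- so that the loop condition w > 0 stops after exactly w copies; please state the unit of w in the commit message or in a comment.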
--
2.17.1
* [FFmpeg-devel] [PATCH 5/5] tools/target_dec_fuzzer: Adjust threshold for Jpeg2000
From: Michael Niedermayer @ 2022-09-11 14:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 50955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5148704872464384
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
tools/target_dec_fuzzer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 5b335d3130c..3d4521887a2 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -242,7 +242,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
case AV_CODEC_ID_IFF_ILBM: maxpixels /= 128; break;
case AV_CODEC_ID_INDEO4: maxpixels /= 128; break;
case AV_CODEC_ID_INTERPLAY_ACM: maxsamples /= 16384; break;
- case AV_CODEC_ID_JPEG2000: maxpixels /= 16; break;
+ case AV_CODEC_ID_JPEG2000: maxpixels /= 4096; break;
case AV_CODEC_ID_LAGARITH: maxpixels /= 1024; break;
case AV_CODEC_ID_LOCO: maxpixels /= 1024; break;
case AV_CODEC_ID_VORBIS: maxsamples /= 1024; break;
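Review bot: the JPEG2000 divisor goes from 16 to 4096, a 256-fold reduction in the pixel budget and larger than any neighbouring value visible in this hunk (128, 1024), yet the commit message says only "Fixes: Timeout". Please note how 4096 was chosen and whether a smaller factor would already clear the timeout, since a lower maxpixels narrows what the fuzzer can exercise in this decoder.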
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 4/5] avcodec/hdrdec: Update w in inner loop of decompress()
From: Michael Niedermayer @ 2022-09-16 18:37 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Sep 11, 2022 at 04:27:20PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 50936/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HDR_fuzzer-5423041009549312
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/hdrdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No great genius has ever existed without some touch of madness. -- Aristotle
* Re: [FFmpeg-devel] [PATCH 5/5] tools/target_dec_fuzzer: Adjust threshold for Jpeg2000
From: Michael Niedermayer @ 2022-09-16 18:51 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Sep 11, 2022 at 04:27:21PM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 50955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5148704872464384
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> tools/target_dec_fuzzer.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The day soldiers stop bringing you their problems is the day you have stopped
leading them. They have either lost confidence that you can help or concluded
you do not care. Either case is a failure of leadership. - Colin Powell
* Re: [FFmpeg-devel] [PATCH 1/5] avformat/mxfdec: Avoid some redundant writing to tables in mxf_compute_ptses_fake_index()
From: Tomas Härdin @ 2022-09-20 11:12 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Sun 2022-09-11 at 16:27 +0200, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mxfdec.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index e63e803aa56..4ceb6cf672f 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -1939,10 +1939,10 @@ static int
> mxf_compute_ptses_fake_index(MXFContext *mxf, MXFIndexTable *index_ta
> if (index_table->nb_ptses <= 0)
> return 0;
>
> - if (!(index_table->ptses = av_calloc(index_table->nb_ptses,
> sizeof(int64_t))) ||
> + if (!(index_table->ptses = av_malloc_array(index_table-
> >nb_ptses, sizeof(int64_t))) ||
> !(index_table->fake_index = av_calloc(index_table->nb_ptses,
> sizeof(AVIndexEntry))) ||
> !(index_table->offsets = av_calloc(index_table->nb_ptses,
> sizeof(int8_t))) ||
> - !(flags = av_calloc(index_table->nb_ptses,
> sizeof(uint8_t)))) {
> + !(flags = av_malloc_array(index_table-
> >nb_ptses, sizeof(uint8_t)))) {
Looks OK. Seems like the same thing can be done with offsets
/Tomas
* Re: [FFmpeg-devel] [PATCH 1/5] avformat/mxfdec: Avoid some redundant writing to tables in mxf_compute_ptses_fake_index()
From: Michael Niedermayer @ 2022-09-22 15:02 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Sep 20, 2022 at 01:12:44PM +0200, Tomas Härdin wrote:
> Sun 2022-09-11 at 16:27 +0200, Michael Niedermayer wrote:
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/mxfdec.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > index e63e803aa56..4ceb6cf672f 100644
> > --- a/libavformat/mxfdec.c
> > +++ b/libavformat/mxfdec.c
> > @@ -1939,10 +1939,10 @@ static int
> > mxf_compute_ptses_fake_index(MXFContext *mxf, MXFIndexTable *index_ta
> > if (index_table->nb_ptses <= 0)
> > return 0;
> >
> > - if (!(index_table->ptses = av_calloc(index_table->nb_ptses,
> > sizeof(int64_t))) ||
> > + if (!(index_table->ptses = av_malloc_array(index_table-
> > >nb_ptses, sizeof(int64_t))) ||
> > !(index_table->fake_index = av_calloc(index_table->nb_ptses,
> > sizeof(AVIndexEntry))) ||
> > !(index_table->offsets = av_calloc(index_table->nb_ptses,
> > sizeof(int8_t))) ||
> > - !(flags = av_calloc(index_table->nb_ptses,
> > sizeof(uint8_t)))) {
> > + !(flags = av_malloc_array(index_table-
> > >nb_ptses, sizeof(uint8_t)))) {
>
> Looks OK. Seems like the same thing can be done with offsets
will apply with offsets too
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
There will always be a question for which you do not know the correct answer.
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/wavpack: Fix overflow in k=31
From: Michael Niedermayer @ 2022-11-30 20:25 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Sep 11, 2022 at 04:27:18PM +0200, Michael Niedermayer wrote:
> Untested with "non fuzzed" samples as i have no such file
>
> Fixes: shift exponent 32 is too large for 32-bit type 'int'
> Fixes: 50930/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6319201949712384
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/wavpack.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Dictatorship: All citizens are under surveillance, all their steps and
actions recorded, for the politicians to enforce control.
Democracy: All politicians are under surveillance, all their steps and
actions recorded, for the citizens to enforce control.
* Re: [FFmpeg-devel] [PATCH 3/5] avcodec/wavpack: Check for end of input in wv_unpack_dsd_high()
From: Michael Niedermayer @ 2022-11-30 20:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Sep 11, 2022 at 04:27:19PM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 50793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-4980185027444736
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/wavpack.c | 4 ++++
> 1 file changed, 4 insertions(+)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you drop bombs on a foreign country and kill a hundred thousand
innocent people, expect your government to call the consequence
"unprovoked inhuman terrorist attacks" and use it to justify dropping
more bombs and killing more people. The technology changed, the idea is old.
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/wavpack: Fix overflow in k=31
From: Paul B Mahol @ 2022-11-30 20:39 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On 9/11/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Untested with "non fuzzed" samples as i have no such file
>
Then create it.
> Fixes: shift exponent 32 is too large for 32-bit type 'int'
> Fixes:
> 50930/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6319201949712384
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/wavpack.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
> index 7aa1f65e17b..b4d19df7ea2 100644
> --- a/libavcodec/wavpack.c
> +++ b/libavcodec/wavpack.c
> @@ -126,7 +126,7 @@ static av_always_inline unsigned get_tail(GetBitContext
> *gb, unsigned k)
> if (k < 1)
> return 0;
> p = av_log2(k);
> - e = (1 << (p + 1)) - k - 1;
> + e = (1LL << (p + 1)) - k - 1;
> res = get_bits_long(gb, p);
> if (res >= e)
> res = (res << 1) - e + get_bits1(gb);
> --
> 2.17.1
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/wavpack: Fix overflow in k=31
From: Michael Niedermayer @ 2022-12-01 19:56 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Wed, Nov 30, 2022 at 09:39:44PM +0100, Paul B Mahol wrote:
> On 9/11/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Untested with "non fuzzed" samples as i have no such file
> >
>
> Then create it.
The official WavPack-5.6.0 decoder has 2 alternative optimized code paths:
#ifdef USE_BITMASK_TABLES
extras = bitset [bitcount] - maxcode - 1;
#else
extras = (1 << bitcount) - maxcode - 1;
#endif
The 2nd path would result in the same 1<<32, which is undefined, but luckily
the first seems hardcoded to be used. It uses this table:
const uint32_t bitset [] = {
1L << 0, 1L << 1, 1L << 2, 1L << 3,
1L << 4, 1L << 5, 1L << 6, 1L << 7,
1L << 8, 1L << 9, 1L << 10, 1L << 11,
1L << 12, 1L << 13, 1L << 14, 1L << 15,
1L << 16, 1L << 17, 1L << 18, 1L << 19,
1L << 20, 1L << 21, 1L << 22, 1L << 23,
1L << 24, 1L << 25, 1L << 26, 1L << 27,
1L << 28, 1L << 29, 1L << 30, 1L << 31
};
Here bitset[32] is out of array.
Given the above, I suspect no valid file should use this. Otherwise something
seriously odd is going on.
Also, the subject has a typo: it's p=31, not k=31.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The real ebay dictionary, page 2
"100% positive feedback" - "All either got their money back or didnt complain"
"Best seller ever, very honest" - "Seller refunded buyer after failed scam"
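Added example, not part of the thread and neither FFmpeg's nor WavPack's code: a self-contained C version of the truncated-binary tail decode from the PATCH 2/5 hunk, with the threshold computed in 64 bits so that p = 31 is defined, plus a bounds-checked power-of-two table lookup for the bitset[32] case raised above. BitReader, br_read, ilog2_u32, tail_threshold, tail_decode and pow2_lookup_checked are hypothetical names, and the input bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical MSB-first bit reader over a constructed buffer; it stands in
 * for a real bitstream reader and returns zero bits past the end. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

static uint32_t br_read(BitReader *br, unsigned n) /* n <= 32 */
{
    uint32_t v = 0;
    while (n--) {
        unsigned bit = 0;
        if (br->pos < br->size_bits)
            bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
        br->pos++;
        v = (v << 1) | bit;
    }
    return v;
}

/* floor(log2(k)) for k >= 1 */
static unsigned ilog2_u32(uint32_t k)
{
    unsigned p = 0;
    while (k >>= 1)
        p++;
    return p;
}

/* e = 2^(p+1) - k - 1: how many of the k+1 values get the short p-bit code.
 * With p = 31 the shift count is 32, so the 1 must be a 64-bit operand. The
 * result always fits in 32 bits because k >= 2^p. Requires k >= 1. */
static uint32_t tail_threshold(uint32_t k)
{
    unsigned p = ilog2_u32(k);
    return (uint32_t)((UINT64_C(1) << (p + 1)) - k - 1);
}

/* Decode one value in 0..k: p bits, plus one extra bit when res >= e. */
static uint32_t tail_decode(BitReader *br, uint32_t k)
{
    unsigned p;
    uint32_t e, res;

    if (k < 1)
        return 0;
    p   = ilog2_u32(k);
    e   = tail_threshold(k);
    res = br_read(br, p);
    if (res >= e)
        res = (res << 1) - e + br_read(br, 1); /* unsigned: no overflow UB */
    return res;
}

/* Table variant: a 32-entry table of powers of two has no entry for index 32,
 * so the index is validated before the lookup. Returns 0 on success, -1 if
 * bitcount is out of range. */
static int pow2_lookup_checked(unsigned bitcount, uint32_t *out)
{
    static uint32_t table[32];
    static int filled;

    if (!filled) {
        for (unsigned i = 0; i < 32; i++)
            table[i] = UINT32_C(1) << i;
        filled = 1;
    }
    if (bitcount >= sizeof(table) / sizeof(table[0]))
        return -1;
    *out = table[bitcount];
    return 0;
}

int main(void)
{
    /* Constructed input: bits 01 100 111, i.e. the values 1, 2, 5 for k = 5. */
    const uint8_t sample[] = { 0x67 };
    const uint8_t ones[]   = { 0xFF, 0xFF, 0xFF, 0xFF };
    BitReader a = { sample, 8, 0 };
    BitReader b = { ones, 32, 0 };
    uint32_t v;

    for (int i = 0; i < 3; i++)
        printf("k=5 value %u\n", (unsigned)tail_decode(&a, 5));
    printf("k=0x80000000 e=0x%08x value=0x%08x\n",
           (unsigned)tail_threshold(0x80000000u),
           (unsigned)tail_decode(&b, 0x80000000u));
    printf("lookup(32) -> %d\n", pow2_lookup_checked(32, &v));
    return 0;
}
```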
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/wavpack: Fix overflow in k=31
From: Paul B Mahol @ 2022-12-02 16:14 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Dec 1, 2022 at 8:56 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> On Wed, Nov 30, 2022 at 09:39:44PM +0100, Paul B Mahol wrote:
> > On 9/11/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > > Untested with "non fuzzed" samples as i have no such file
> > >
> >
> > Then create it.
>
> the official WavPack-5.6.0 decoder has 2 alternative optimized codepathes
> #ifdef USE_BITMASK_TABLES
> extras = bitset [bitcount] - maxcode - 1;
> #else
> extras = (1 << bitcount) - maxcode - 1;
> #endif
>
> The 2nd path would result in the same 1<<32 which is undefined but luckily
> the first seems hardcoded to be used it uses this table:
>
> const uint32_t bitset [] = {
> 1L << 0, 1L << 1, 1L << 2, 1L << 3,
> 1L << 4, 1L << 5, 1L << 6, 1L << 7,
> 1L << 8, 1L << 9, 1L << 10, 1L << 11,
> 1L << 12, 1L << 13, 1L << 14, 1L << 15,
> 1L << 16, 1L << 17, 1L << 18, 1L << 19,
> 1L << 20, 1L << 21, 1L << 22, 1L << 23,
> 1L << 24, 1L << 25, 1L << 26, 1L << 27,
> 1L << 28, 1L << 29, 1L << 30, 1L << 31
> };
>
> here bitset[32] is out of array
>
> Given above i suspect no valid file should use this. Otherwise something
> seriously odd is going on.
>
> also the subject has a typo its p=31 not k=31
>
> thx
>
OK
>
> [...]
>
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> The real ebay dictionary, page 2
> "100% positive feedback" - "All either got their money back or didnt
> complain"
> "Best seller ever, very honest" - "Seller refunded buyer after failed scam"
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/wavpack: Fix overflow in k=31
From: Michael Niedermayer @ 2022-12-02 23:11 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, Dec 02, 2022 at 05:14:58PM +0100, Paul B Mahol wrote:
> On Thu, Dec 1, 2022 at 8:56 PM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
>
> > On Wed, Nov 30, 2022 at 09:39:44PM +0100, Paul B Mahol wrote:
> > > On 9/11/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > > > Untested with "non fuzzed" samples as i have no such file
> > > >
> > >
> > > Then create it.
> >
> > the official WavPack-5.6.0 decoder has 2 alternative optimized codepathes
> > #ifdef USE_BITMASK_TABLES
> > extras = bitset [bitcount] - maxcode - 1;
> > #else
> > extras = (1 << bitcount) - maxcode - 1;
> > #endif
> >
> > The 2nd path would result in the same 1<<32 which is undefined but luckily
> > the first seems hardcoded to be used it uses this table:
> >
> > const uint32_t bitset [] = {
> > 1L << 0, 1L << 1, 1L << 2, 1L << 3,
> > 1L << 4, 1L << 5, 1L << 6, 1L << 7,
> > 1L << 8, 1L << 9, 1L << 10, 1L << 11,
> > 1L << 12, 1L << 13, 1L << 14, 1L << 15,
> > 1L << 16, 1L << 17, 1L << 18, 1L << 19,
> > 1L << 20, 1L << 21, 1L << 22, 1L << 23,
> > 1L << 24, 1L << 25, 1L << 26, 1L << 27,
> > 1L << 28, 1L << 29, 1L << 30, 1L << 31
> > };
> >
> > here bitset[32] is out of array
> >
> > Given above i suspect no valid file should use this. Otherwise something
> > seriously odd is going on.
> >
> > also the subject has a typo its p=31 not k=31
> >
> > thx
> >
>
> OK
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The worst form of inequality is to try to make unequal things equal.
-- Aristotle