[FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow

[FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow

[Michael Niedermayer]

Fixes: 2.28595e+09 is outside the range of representable values of type 'int'
Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ac3.h     | 2 ++
 libavcodec/eac3dec.c | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h
index 24304caa61..2386c15ad0 100644
--- a/libavcodec/ac3.h
+++ b/libavcodec/ac3.h
@@ -53,6 +53,7 @@
 #define AC3_DYNAMIC_RANGE1      0
 
 typedef int                     INTFLOAT;
+typedef unsigned int            UINTFLOAT;
 typedef int16_t                 SHORTFLOAT;
 
 #else /* USE_FIXED */
@@ -73,6 +74,7 @@ typedef int16_t                 SHORTFLOAT;
 #define AC3_DYNAMIC_RANGE1      1.0f
 
 typedef float                   INTFLOAT;
+typedef float                   UINTFLOAT;
 typedef float                   SHORTFLOAT;
 
 #endif /* USE_FIXED */
diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c
index d360b02691..deca51dd3d 100644
--- a/libavcodec/eac3dec.c
+++ b/libavcodec/eac3dec.c
@@ -138,9 +138,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s)
             // spx_noise_blend and spx_signal_blend are both FP.23
             nscale *= 1.0 / (1<<23);
             sscale *= 1.0 / (1<<23);
+            if (nscale < -1.0)
+                nscale = -1.0;
 #endif
             for (i = 0; i < s->spx_band_sizes[bnd]; i++) {
-                float noise  = nscale * (int32_t)av_lfg_get(&s->dith_state);
+                UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state));
                 s->transform_coeffs[ch][bin]   *= sscale;
                 s->transform_coeffs[ch][bin++] += noise;
             }
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/2] avcodec/mvha: Check input size for HUFY before picture allocation

[Michael Niedermayer]

Fixes: Timeout
Fixes: 54772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5484199677394944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mvha.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c
index b1661c1c3b..55056c91cf 100644
--- a/libavcodec/mvha.c
+++ b/libavcodec/mvha.c
@@ -159,9 +159,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
     if (size < 1 || size >= avpkt->size)
         return AVERROR_INVALIDDATA;
 
-    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
-        return ret;
-
     if (type == MKTAG('L','Z','Y','V')) {
         z_stream *const zstream = &s->zstream.zstream;
         ret = inflateReset(zstream);
@@ -170,6 +167,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
             return AVERROR_EXTERNAL;
         }
 
+        if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+            return ret;
+
         zstream->next_in  = avpkt->data + 8;
         zstream->avail_in = avpkt->size - 8;
 
@@ -218,10 +218,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
             }
         }
 
+        if (get_bits_left(gb) < avctx->height * avctx->width)
+            return AVERROR_INVALIDDATA;
+
         ret = build_vlc(avctx, &s->vlc);
         if (ret < 0)
             return ret;
 
+        if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+            return ret;
+
         for (int p = 0; p < 3; p++) {
             int width = avctx->width >> (p > 0);
             ptrdiff_t stride = frame->linesize[p];
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 736 bytes --]

On Sat, Jan 07, 2023 at 12:09:52AM +0100, Michael Niedermayer wrote:
> Fixes: 2.28595e+09 is outside the range of representable values of type 'int'
> Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/ac3.h     | 2 ++
>  libavcodec/eac3dec.c | 4 +++-
>  2 files changed, 5 insertions(+), 1 deletion(-)

will apply patchset

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No great genius has ever existed without some touch of madness. -- Aristotle

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".