* [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow @ 2023-01-06 23:09 Michael Niedermayer 2023-01-06 23:09 ` [FFmpeg-devel] [PATCH 2/2] avcodec/mvha: Check input size for HUFY before picture allocation Michael Niedermayer 2023-01-11 10:24 ` [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Michael Niedermayer 0 siblings, 2 replies; 3+ messages in thread From: Michael Niedermayer @ 2023-01-06 23:09 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: 2.28595e+09 is outside the range of representable values of type 'int' Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/ac3.h | 2 ++ libavcodec/eac3dec.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3.h b/libavcodec/ac3.h index 24304caa61..2386c15ad0 100644 --- a/libavcodec/ac3.h +++ b/libavcodec/ac3.h @@ -53,6 +53,7 @@ #define AC3_DYNAMIC_RANGE1 0 typedef int INTFLOAT; +typedef unsigned int UINTFLOAT; typedef int16_t SHORTFLOAT; #else /* USE_FIXED */ @@ -73,6 +74,7 @@ typedef int16_t SHORTFLOAT; #define AC3_DYNAMIC_RANGE1 1.0f typedef float INTFLOAT; +typedef float UINTFLOAT; typedef float SHORTFLOAT; #endif /* USE_FIXED */ diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index d360b02691..deca51dd3d 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -138,9 +138,11 @@ static void ff_eac3_apply_spectral_extension(AC3DecodeContext *s) // spx_noise_blend and spx_signal_blend are both FP.23 nscale *= 1.0 / (1<<23); sscale *= 1.0 / (1<<23); + if (nscale < -1.0) + nscale = -1.0; #endif for (i = 0; i < s->spx_band_sizes[bnd]; i++) { - float noise = nscale * (int32_t)av_lfg_get(&s->dith_state); + UINTFLOAT noise = (INTFLOAT)(nscale * (int32_t)av_lfg_get(&s->dith_state)); s->transform_coeffs[ch][bin] *= sscale; s->transform_coeffs[ch][bin++] += noise; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 3+ messages in thread
* [FFmpeg-devel] [PATCH 2/2] avcodec/mvha: Check input size for HUFY before picture allocation 2023-01-06 23:09 [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Michael Niedermayer @ 2023-01-06 23:09 ` Michael Niedermayer 2023-01-11 10:24 ` [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Michael Niedermayer 1 sibling, 0 replies; 3+ messages in thread From: Michael Niedermayer @ 2023-01-06 23:09 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: Timeout Fixes: 54772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5484199677394944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/mvha.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c index b1661c1c3b..55056c91cf 100644 --- a/libavcodec/mvha.c +++ b/libavcodec/mvha.c @@ -159,9 +159,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, if (size < 1 || size >= avpkt->size) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - if (type == MKTAG('L','Z','Y','V')) { z_stream *const zstream = &s->zstream.zstream; ret = inflateReset(zstream); @@ -170,6 +167,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_EXTERNAL; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + zstream->next_in = avpkt->data + 8; zstream->avail_in = avpkt->size - 8; @@ -218,10 +218,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, } } + if (get_bits_left(gb) < avctx->height * avctx->width) + return AVERROR_INVALIDDATA; + ret = build_vlc(avctx, &s->vlc); if (ret < 0) return ret; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + for (int p = 0; p < 3; p++) { int width = avctx->width >> (p > 0); ptrdiff_t stride = frame->linesize[p]; -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow 2023-01-06 23:09 [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Michael Niedermayer 2023-01-06 23:09 ` [FFmpeg-devel] [PATCH 2/2] avcodec/mvha: Check input size for HUFY before picture allocation Michael Niedermayer @ 2023-01-11 10:24 ` Michael Niedermayer 1 sibling, 0 replies; 3+ messages in thread From: Michael Niedermayer @ 2023-01-11 10:24 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 736 bytes --] On Sat, Jan 07, 2023 at 12:09:52AM +0100, Michael Niedermayer wrote: > Fixes: 2.28595e+09 is outside the range of representable values of type 'int' > Fixes: 54644/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-4816961584627712 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/ac3.h | 2 ++ > libavcodec/eac3dec.c | 4 +++- > 2 files changed, 5 insertions(+), 1 deletion(-) will apply patchset [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB No great genius has ever existed without some touch of madness. -- Aristotle [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-01-11 10:24 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-01-06 23:09 [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Michael Niedermayer 2023-01-06 23:09 ` [FFmpeg-devel] [PATCH 2/2] avcodec/mvha: Check input size for HUFY before picture allocation Michael Niedermayer 2023-01-11 10:24 ` [FFmpeg-devel] [PATCH 1/2] avcodec/eac3dec: avoid float noise in fixed mode addition to overflow Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel This inbox may be cloned and mirrored by anyone: git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \ ffmpegdev@gitmailbox.com public-inbox-index ffmpegdev Example config snippet for mirrors. AGPL code for this site: git clone https://public-inbox.org/public-inbox.git