* [FFmpeg-devel] [PATCH 1/6] avcodec/eatgq: : Check index increments in tgq_decode_block()
From: Michael Niedermayer @ 2023-01-11 23:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/eatgq.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c
index 89e9f20880..beb9f4d046 100644
--- a/libavcodec/eatgq.c
+++ b/libavcodec/eatgq.c
@@ -56,7 +56,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx)
return 0;
}
-static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
+static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
{
const uint8_t *scantable = ff_zigzag_direct;
int i, j, value;
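Review bot: changing tgq_decode_block() from void to int only helps if a caller acts on the result, and this diff touches no call site, so on AVERROR_INVALIDDATA the partially decoded block would still be handed on as if it had decoded fully. The call site needs a matching `if ((ret = tgq_decode_block(s, s->block[i], &gb)) < 0) return ret;` in the same series, otherwise the new return value is dead.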
@@ -64,6 +64,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
for (i = 1; i < 64;) {
switch (show_bits(gb, 3)) {
case 4:
+ if (i >= 63)
+ return AVERROR_INVALIDDATA;
block[scantable[i++]] = 0;
case 0:
block[scantable[i++]] = 0;
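Review bot: the `i >= 63` guard is correct only because `case 4` falls through into `case 0` (no `break` between them in the context shown) and therefore advances `i` twice; `case 0` on its own is already covered by the loop condition `i < 64`. Since the constant 63 depends on that fall-through, a `/* fall through */` comment between the two cases would stop a future reordering from silently re-opening the read of `scantable[64]` past the end of the 64-entry zigzag table, which is the out-of-array access this patch closes.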
@@ -73,6 +75,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
case 1:
skip_bits(gb, 2);
value = get_bits(gb, 6);
+ if (value > 64 - i)
+ return AVERROR_INVALIDDATA;
for (j = 0; j < value; j++)
block[scantable[i++]] = 0;
break;
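Review bot: `value > 64 - i` is the right bound here: `get_bits(gb, 6)` yields 0..63 and `i` is at most 63 inside the loop, so `64 - i` is never below 1 and the zero-run loop can push `i` to exactly 64 but no further. Writing it as `i + value > 64` reads more directly as "run would pass the end of the block", and a one-line comment that `value` counts coefficients would help the next reader see why 64 is the limit.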
@@ -100,6 +104,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
}
}
block[0] += 128 << 4;
+ return 0;
}
static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame,
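Review bot: the two early returns leave `block` only partially zeroed and skip the DC offset `block[0] += 128 << 4;`, so on AVERROR_INVALIDDATA the caller must not pass the block on to the IDCT. A short comment above the function stating that the block contents are undefined on error would make that contract explicit for whoever adds the call-site check.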
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/6] avcodec/pngdec: Check deloco index more exactly
From: Michael Niedermayer @ 2023-01-11 23:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access:
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960
Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/pngdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index f1cad26c52..cb4162d2ab 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -322,7 +322,7 @@ void ff_png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \
{ \
int i; \
- for (i = 0; i < size; i += 3 + alpha) { \
+ for (i = 0; i < size - 2; i += 3 + alpha) { \
int g = dst [i + 1]; \
dst[i + 0] += g; \
dst[i + 2] += g; \
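Review bot: `i < size - 2` matches the widest index used in the body, `dst[i + 2]`, and with `size` an `int` the subtraction cannot wrap for tiny inputs (for `size` of 0, 1 or 2 the loop simply does not run). Two things are worth a comment: that the bound is derived from the `dst[i + 2]` access, and that a trailing partial pixel (a `size` that is not a multiple of `3 + alpha`) is now silently left untransformed rather than rejected. The alternative mentioned in the commit message, restricting deloco to 3-plane RGB so the size is known to be a whole number of pixels, would reject such input at the caller instead; if that is the longer-term plan, say so here.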
--
2.17.1
* [FFmpeg-devel] [PATCH 3/6] avcodec/pngdec: dont skip/read chunk twice
From: Michael Niedermayer @ 2023-01-11 23:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6668158952144896.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/pngdec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index cb4162d2ab..95bcfb514a 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1231,6 +1231,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
}
av_log(avctx, AV_LOG_ERROR, ", skipping\n");
bytestream2_skip(&s->gb, length + 8); /* tag */
+ continue;
}
}
tag = bytestream2_get_le32(&s->gb);
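Review bot: the `continue` is needed because the context shows the skip of `length + 8` bytes is followed directly by `tag = bytestream2_get_le32(&s->gb);`, so without it the error path consumed the rejected chunk and then read a second tag from the following chunk's position within the same iteration, the double skip/read named in the subject. Since this branch is only reached on malformed input, a comment such as `/* chunk skipped, restart with the next one */` next to the `continue` would document why the normal tag read must be bypassed.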
--
2.17.1
* [FFmpeg-devel] [PATCH 4/6] avcodec/sgidec: do not forget the number of components in read_uncompressed_sgi()
From: Michael Niedermayer @ 2023-01-11 23:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6704753329700864
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6683986844057600
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6697387691474944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/sgidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c
index 6ff2ee97f6..92083f23de 100644
--- a/libavcodec/sgidec.c
+++ b/libavcodec/sgidec.c
@@ -159,7 +159,7 @@ static int read_uncompressed_sgi(uint8_t *const out[4], const ptrdiff_t stride[4
unsigned rowsize = width * bytes_per_channel;
/* Test buffer size. */
- if (rowsize * (int64_t)height > bytestream2_get_bytes_left(g))
+ if (rowsize * (int64_t)height * nb_components > bytestream2_get_bytes_left(g))
return AVERROR_INVALIDDATA;
for (unsigned z = 0; z < nb_components; z++) {
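Review bot: the size test now covers every plane, and because the `(int64_t)` cast is applied to `height` before the multiplication by `nb_components`, the whole product is evaluated in 64-bit and cannot wrap as an unsigned 32-bit value. `rowsize` itself is `unsigned` and computed as `width * bytes_per_channel` before the cast, which is fine only while dimensions are bounded upstream; a comment tying this check to the per-plane loop `for (unsigned z = 0; z < nb_components; z++)` below would make the intent (one `rowsize * height` read per component) obvious.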
--
2.17.1
* [FFmpeg-devel] [PATCH 5/6] avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things
From: Michael Niedermayer @ 2023-01-11 23:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/videodsp_template.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/videodsp_template.c b/libavcodec/videodsp_template.c
index 324d70f2cb..d653f4d524 100644
--- a/libavcodec/videodsp_template.c
+++ b/libavcodec/videodsp_template.c
@@ -64,7 +64,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src,
av_assert2(start_x < end_x && block_w);
w = end_x - start_x;
- src += start_y * src_linesize + start_x * sizeof(pixel);
+ src += start_y * src_linesize + start_x * (ptrdiff_t)sizeof(pixel);
buf += start_x * sizeof(pixel);
// top
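Review bot: the cast fixes the real defect: `sizeof(pixel)` is `size_t`, so the whole right-hand side `start_y * src_linesize + start_x * sizeof(pixel)` was converted to `size_t`, and a negative `start_y * src_linesize` (negative linesizes are legal for bottom-up frames) became a huge unsigned offset before the pointer arithmetic, which is what the sanitizer reported. With `(ptrdiff_t)sizeof(pixel)` the expression stays signed. The unchanged next line, `buf += start_x * sizeof(pixel);`, has no linesize term; if `start_x` can never be negative here it is fine as is, if it can it needs the same cast, and one comment either way would stop the next reader from wondering why the two lines differ.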
@@ -87,7 +87,7 @@ void FUNC(ff_emulated_edge_mc)(uint8_t *buf, const uint8_t *src,
buf += buf_linesize;
}
- buf -= block_h * buf_linesize + start_x * sizeof(pixel);
+ buf -= block_h * buf_linesize + start_x * (ptrdiff_t)sizeof(pixel);
while (block_h--) {
pixel *bufp = (pixel *) buf;
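Review bot: `block_h * buf_linesize` can be negative when `buf_linesize` is negative, and without the cast the operand `block_h * buf_linesize + start_x * sizeof(pixel)` was converted to `size_t`, so `buf -=` subtracted a huge unsigned offset, exactly the "subtraction of unsigned offset ... overflowed" message in the commit. The `(ptrdiff_t)` cast restores signed arithmetic. Since this line undoes the `buf += buf_linesize;` advances of the preceding loop, a brief `/* rewind buf to the top of the block */` comment would make the pairing visible.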
--
2.17.1
* [FFmpeg-devel] [PATCH 6/6] avcodec/tiff: do not try to read a value from a 0 value linearization table
From: Michael Niedermayer @ 2023-01-11 23:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: index 4294967295 out of bounds for type 'uint16_t [65536]'
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6666195176914944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 1a1879de89..c3f67860db 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1451,7 +1451,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
break;
case TIFF_GRAY_RESPONSE_CURVE:
case DNG_LINEARIZATION_TABLE:
- if (count > FF_ARRAY_ELEMS(s->dng_lut))
+ if (count > FF_ARRAY_ELEMS(s->dng_lut) || count < 1)
return AVERROR_INVALIDDATA;
for (int i = 0; i < count; i++)
s->dng_lut[i] = ff_tget(&s->gb, type, s->le);
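Review bot: rejecting `count < 1` closes the case the fuzzer hit; an index of 4294967295 is consistent with `count - 1` evaluated unsigned for `count == 0`, so the out-of-bounds read is in code that later indexes `s->dng_lut` relative to `count`, not in the loop shown here. Because the check sits in the tag parser while the reliance is elsewhere, a comment on this line stating that later lookups assume `count >= 1` would keep the invariant from being dropped if the tag parsing is refactored.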
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 4/6] avcodec/sgidec: do not forget the number of components in read_uncompressed_sgi()
From: Andreas Rheinhardt @ 2023-01-12 0:02 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: out of array access
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6704753329700864
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6683986844057600
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6697387691474944
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/sgidec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c
> index 6ff2ee97f6..92083f23de 100644
> --- a/libavcodec/sgidec.c
> +++ b/libavcodec/sgidec.c
> @@ -159,7 +159,7 @@ static int read_uncompressed_sgi(uint8_t *const out[4], const ptrdiff_t stride[4
> unsigned rowsize = width * bytes_per_channel;
>
> /* Test buffer size. */
> - if (rowsize * (int64_t)height > bytestream2_get_bytes_left(g))
> + if (rowsize * (int64_t)height * nb_components > bytestream2_get_bytes_left(g))
> return AVERROR_INVALIDDATA;
>
> for (unsigned z = 0; z < nb_components; z++) {
LGTM. (Sorry for having forgotten this in
ce4713ea731b9deb0440abe8d8a2a41d2957efc5.)
- Andreas
* Re: [FFmpeg-devel] [PATCH 4/6] avcodec/sgidec: do not forget the number of components in read_uncompressed_sgi()
From: Michael Niedermayer @ 2023-01-12 14:28 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Jan 12, 2023 at 01:02:57AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array access
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6704753329700864
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6683986844057600
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SGI_fuzzer-6697387691474944
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/sgidec.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/sgidec.c b/libavcodec/sgidec.c
> > index 6ff2ee97f6..92083f23de 100644
> > --- a/libavcodec/sgidec.c
> > +++ b/libavcodec/sgidec.c
> > @@ -159,7 +159,7 @@ static int read_uncompressed_sgi(uint8_t *const out[4], const ptrdiff_t stride[4
> > unsigned rowsize = width * bytes_per_channel;
> >
> > /* Test buffer size. */
> > - if (rowsize * (int64_t)height > bytestream2_get_bytes_left(g))
> > + if (rowsize * (int64_t)height * nb_components > bytestream2_get_bytes_left(g))
> > return AVERROR_INVALIDDATA;
> >
> > for (unsigned z = 0; z < nb_components; z++) {
>
> LGTM. (Sorry for having forgotten this in
> ce4713ea731b9deb0440abe8d8a2a41d2957efc5.)
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras
* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/eatgq: : Check index increments in tgq_decode_block()
From: Peter Ross @ 2023-01-15 2:50 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Jan 12, 2023 at 12:54:27AM +0100, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/eatgq.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c
> index 89e9f20880..beb9f4d046 100644
> --- a/libavcodec/eatgq.c
> +++ b/libavcodec/eatgq.c
> @@ -56,7 +56,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx)
> return 0;
> }
>
> -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
> +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
> {
> const uint8_t *scantable = ff_zigzag_direct;
> int i, j, value;
> @@ -64,6 +64,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
> for (i = 1; i < 64;) {
> switch (show_bits(gb, 3)) {
> case 4:
> + if (i >= 63)
> + return AVERROR_INVALIDDATA;
> block[scantable[i++]] = 0;
> case 0:
> block[scantable[i++]] = 0;
> @@ -73,6 +75,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
> case 1:
> skip_bits(gb, 2);
> value = get_bits(gb, 6);
> + if (value > 64 - i)
> + return AVERROR_INVALIDDATA;
> for (j = 0; j < value; j++)
> block[scantable[i++]] = 0;
> break;
> @@ -100,6 +104,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
> }
> }
> block[0] += 128 << 4;
> + return 0;
> }
>
> static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame,
> --
> 2.17.1
Hi Michael,
The return value of tgq_decode() is not checked anywhere.
Need to add something like:
- tgq_decode_block(s, s->block[i], &gb);
+ if ((ret = tgq_decode_block(s, s->block[i], &gb)) < 0)
+ return ret;
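Review bot: the proposed call-site check needs an `int ret` declared in the calling function, and because the call indexes `s->block[i]`, the early return aborts the remaining blocks of that macroblock and frame; that is the expected behaviour for AVERROR_INVALIDDATA, but the applied version should say so in its commit message so the partial-frame output on corrupt input is documented rather than surprising.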
(From earlier attempt at fixing this: https://patchwork.ffmpeg.org/project/ffmpeg/patch/1ab7c3994301a243fc64d59d6a08e3a2b364e411.1666774269.git.pross@xvid.org/)
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/eatgq: : Check index increments in tgq_decode_block()
From: Michael Niedermayer @ 2023-01-15 17:21 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Jan 15, 2023 at 01:50:18PM +1100, Peter Ross wrote:
> On Thu, Jan 12, 2023 at 12:54:27AM +0100, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/eatgq.c | 7 ++++++-
> > 1 file changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c
> > index 89e9f20880..beb9f4d046 100644
> > --- a/libavcodec/eatgq.c
> > +++ b/libavcodec/eatgq.c
> > @@ -56,7 +56,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx)
> > return 0;
> > }
> >
> > -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
> > +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
> > {
> > const uint8_t *scantable = ff_zigzag_direct;
> > int i, j, value;
> > @@ -64,6 +64,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
> > for (i = 1; i < 64;) {
> > switch (show_bits(gb, 3)) {
> > case 4:
> > + if (i >= 63)
> > + return AVERROR_INVALIDDATA;
> > block[scantable[i++]] = 0;
> > case 0:
> > block[scantable[i++]] = 0;
> > @@ -73,6 +75,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
> > case 1:
> > skip_bits(gb, 2);
> > value = get_bits(gb, 6);
> > + if (value > 64 - i)
> > + return AVERROR_INVALIDDATA;
> > for (j = 0; j < value; j++)
> > block[scantable[i++]] = 0;
> > break;
> > @@ -100,6 +104,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
> > }
> > }
> > block[0] += 128 << 4;
> > + return 0;
> > }
> >
> > static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame,
> > --
> > 2.17.1
>
> Hi Michael,
>
> The return value of tgq_decode() is not checked anywhere.
>
> Need to add something like:
>
> - tgq_decode_block(s, s->block[i], &gb);
> + if ((ret = tgq_decode_block(s, s->block[i], &gb)) < 0)
> + return ret;
will apply with this
thx
>
> (From earlier attempt at fixing this: https://patchwork.ffmpeg.org/project/ffmpeg/patch/1ab7c3994301a243fc64d59d6a08e3a2b364e411.1666774269.git.pross@xvid.org/)
>
> -- Peter
> (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is what and why we do it that matters, not just one of them.
* Re: [FFmpeg-devel] [PATCH 2/6] avcodec/pngdec: Check deloco index more exactly
From: Michael Niedermayer @ 2023-02-23 22:21 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Jan 12, 2023 at 12:54:28AM +0100, Michael Niedermayer wrote:
> Fixes: out of array access:
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6716193709096960
>
> Alternatively it should be possible to limit this to 3 plane RGB 8 /16bit to ensure the size is what it should be
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/pngdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
There will always be a question for which you do not know the correct answer.
* Re: [FFmpeg-devel] [PATCH 3/6] avcodec/pngdec: dont skip/read chunk twice
From: Michael Niedermayer @ 2023-02-23 22:22 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Jan 12, 2023 at 12:54:29AM +0100, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-6668158952144896.fuzz
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/pngdec.c | 1 +
> 1 file changed, 1 insertion(+)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data
* Re: [FFmpeg-devel] [PATCH 5/6] avcodec/videodsp_template: Adjust pointers to avoid undefined pointer things
From: Michael Niedermayer @ 2023-02-23 22:23 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Jan 12, 2023 at 12:54:31AM +0100, Michael Niedermayer wrote:
> Fixes: subtraction of unsigned offset from 0xf6602770 overflowed to 0xf6638c80
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-495074400600064
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/videodsp_template.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.