* [FFmpeg-devel] [PATCH 1/6] avcodec/utils: allocate a line more for VC1 and WMV3
From: Michael Niedermayer @ 2023-01-11 20:42 UTC
To: FFmpeg development discussions and patches
Fixes: out of array read on 32bit
Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848
The chroma MC code reads over the currently allocated frame.
Alternative fixes would be allocating a few bytes more at the end instead of a whole
line extra or to adjust the threshold where the edge emu code is activated
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/utils.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 2b63a498b9..1aa0a05a31 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -321,6 +321,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
*width = FFALIGN(*width, w_align);
*height = FFALIGN(*height, h_align);
if (s->codec_id == AV_CODEC_ID_H264 || s->lowres ||
+ s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 ||
s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 ||
s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A
) {
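Review bot: the added `s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 ||` line carries no comment, and the commit message itself presents it as a workaround (the chroma MC C path reads past the frame; a few extra bytes or a changed edge-emu threshold would also do). Add a comment at that line naming the over-read so the extra line is not later removed as an H264-only quirk, and since this only changes the dimensions avcodec_align_dimensions2 reports, note in the commit message that the protection depends on every buffer-allocation path honoring those dimensions; a follow-up that bounds the read itself would be the durable fix.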
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/6] avcodec/utils: Ensure linesize for SVQ3
From: Michael Niedermayer @ 2023-01-11 20:42 UTC
To: FFmpeg development discussions and patches
Fixes: Assertion block_w * sizeof(uint8_t) <= ((buf_linesize) >= 0 ? (buf_linesize) : (-(buf_linesize))
Fixes: 54861/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5352418248622080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/utils.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 1aa0a05a31..30dea8a813 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -335,6 +335,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
// the next rounded up width is 32
*width = FFMAX(*width, 32);
}
+ if (s->codec_id == AV_CODEC_ID_SVQ3) {
+ *width = FFMAX(*width, 32);
+ }
for (i = 0; i < 4; i++)
linesize_align[i] = STRIDE_ALIGN;
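Review bot: the new `if (s->codec_id == AV_CODEC_ID_SVQ3) { *width = FFMAX(*width, 32); }` repeats the `*width = FFMAX(*width, 32);` of the block immediately above it; either fold SVQ3 into that block's condition or give the new block its own comment stating the reason (per the commit message, a 32-wide block must fit within the linesize). As written, a reader cannot tell why SVQ3 needs a 32-pixel minimum when the preceding comment only explains "the next rounded up width is 32" for the other branch.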
--
2.17.1
* [FFmpeg-devel] [PATCH 3/6] avcodec/bink: Fix off by 1 error in ref end
From: Michael Niedermayer @ 2023-01-11 20:42 UTC
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-6657932926517248
Alternatively to this it is possible to allocate a bigger array
Note: oss-fuzz assigned this issue to an unrelated theora bug so the bug number matches that
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/bink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index e3971e557a..a3140114f0 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -870,7 +870,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
binkb_init_bundles(c);
ref_start = frame->data[plane_idx];
- ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw) * 8;
+ ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8;
for (i = 0; i < 64; i++)
coordmap[i] = (i & 7) + (i >> 3) * stride;
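Review bot: with `bw - 1` the end pointer now lands on the last block column, which is what the `ref + 8*stride > ref_end` checks that compare against it need, but `bh * frame->linesize[plane_idx]` still addresses one full block-row past the plane, so `ref_end` itself is a pointer outside the allocation (PATCH 4/6 in this series changes it to `bh - 1`). A comment at the `ref_end` line defining what it points at would make the `- 1` self-explanatory, and the commit message should say why a tighter bound was preferred over the "bigger array" alternative it mentions.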
--
2.17.1
* [FFmpeg-devel] [PATCH 4/6] avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane()
From: Michael Niedermayer @ 2023-01-11 20:42 UTC
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/bink.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index a3140114f0..15fc9d29ed 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -870,7 +870,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
binkb_init_bundles(c);
ref_start = frame->data[plane_idx];
- ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8;
+ ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8;
for (i = 0; i < 64; i++)
coordmap[i] = (i & 7) + (i >> 3) * stride;
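Review bot: `ref_end` now points at the top-left byte of the last 8x8 block rather than at an end address, so the name no longer says what the value is; add a comment at that line stating it, because the `ref > ref_end` checks introduced below are only correct under that reading (a ref equal to ref_end reads exactly the last block and nothing beyond).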
@@ -926,7 +926,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
ref = dst + xoff + yoff * stride;
- if (ref < ref_start || ref + 8*stride > ref_end) {
+ if (ref < ref_start || ref > ref_end) {
av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
} else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
c->put_pixels_tab(dst, ref, stride, 8);
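Review bot: `ref = dst + xoff + yoff * stride;` is still formed from unchecked offsets before the bounds test, and the `else if` on the next line still computes `ref + 8*stride`, which for any ref in the last block row points past the plane; if the aim of this patch is to stop forming out-of-range pointers, compute the offset `xoff + yoff * stride` as an integer, range-check that against the block area, and only then derive `ref`.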
@@ -942,7 +942,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
ref = dst + xoff + yoff * stride;
- if (ref < ref_start || ref + 8 * stride > ref_end) {
+ if (ref < ref_start || ref > ref_end) {
av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
} else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
c->put_pixels_tab(dst, ref, stride, 8);
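Review bot: this is the second verbatim copy of the `ref < ref_start || ref > ref_end` test together with the overlap test below it, and a third follows; factor the range check into a small static helper (`ref_in_bounds(ref, ref_start, ref_end)` as a suggested name) so the call sites cannot drift apart the next time the bound is revised, as it was between PATCH 3/6 and this patch.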
@@ -974,7 +974,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
ref = dst + xoff + yoff * stride;
- if (ref < ref_start || ref + 8 * stride > ref_end) {
+ if (ref < ref_start || ref > ref_end) {
av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
} else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
c->put_pixels_tab(dst, ref, stride, 8);
--
2.17.1
* [FFmpeg-devel] [PATCH 5/6] avcodec/bonk: Avoid undefined overflow in quant
From: Michael Niedermayer @ 2023-01-11 20:42 UTC
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in type 'int'
Fixes: 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6617680050520064
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6743951854141440
No check is done for the overflow as this was rejected in last review, see the ML
Note: the 2nd and 3rd testcases were assigned by ossfuzz to an unrelated theora issue (48567)
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/bonk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 5d736b1563..9e176d5477 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -356,7 +356,7 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame,
sample++;
}
- sample[0] = predictor_calc_error(s->k, state, s->n_taps, s->input_samples[i] * quant);
+ sample[0] = predictor_calc_error(s->k, state, s->n_taps, s->input_samples[i] * (unsigned)quant);
sample++;
}
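Review bot: `s->input_samples[i] * (unsigned)quant` makes the product wrap instead of overflowing, but the wrapped value is then handed to predictor_calc_error, whose parameter type is not visible here; if that parameter is a signed int the conversion back is implementation-defined, and in any case the decoded sample for such inputs is not meaningful. Since the commit message records that a range check was rejected in review, add a comment at this line saying the wrap is deliberate and why, so the cast is not "fixed" away later.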
--
2.17.1
* [FFmpeg-devel] [PATCH 6/6] avcodec/bonk: Check ntaps against buffer size
From: Michael Niedermayer @ 2023-01-11 20:42 UTC
To: FFmpeg development discussions and patches
Fixes: out of array read
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6739246658748416
Note: This issue was assigned to an unrelated theora bug
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/bonk.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
index 9e176d5477..061cc69a58 100644
--- a/libavcodec/bonk.c
+++ b/libavcodec/bonk.c
@@ -101,6 +101,10 @@ static av_cold int bonk_init(AVCodecContext *avctx)
s->samples_per_packet = AV_RL16(avctx->extradata + 15);
if (!s->samples_per_packet)
return AVERROR(EINVAL);
+
+ if (s->down_sampling * s->samples_per_packet < s->n_taps)
+ return AVERROR_INVALIDDATA;
+
s->max_framesize = s->samples_per_packet * avctx->ch_layout.nb_channels * s->down_sampling * 16LL;
if (s->max_framesize > (INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE) / 8)
return AVERROR_INVALIDDATA;
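Review bot: `s->down_sampling * s->samples_per_packet < s->n_taps` is an int product, while the line below routes a similar product through `16LL`, which suggests these factors can be large; unless down_sampling and n_taps were already range-checked earlier in bonk_init (not visible in this hunk), do the comparison in 64-bit or bound down_sampling first, and add a one-line comment stating the invariant being enforced (the predictor must have at least n_taps samples available per packet) so the purpose of the check is recorded next to it.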
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 6/6] avcodec/bonk: Check ntaps against buffer size
From: Paul B Mahol @ 2023-01-11 21:06 UTC
To: FFmpeg development discussions and patches
On 1/11/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: out of array read
> Fixes:
> 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6739246658748416
>
> Note: This issue was assigned to an unrelated theora bug
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/bonk.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index 9e176d5477..061cc69a58 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -101,6 +101,10 @@ static av_cold int bonk_init(AVCodecContext *avctx)
> s->samples_per_packet = AV_RL16(avctx->extradata + 15);
> if (!s->samples_per_packet)
> return AVERROR(EINVAL);
> +
> + if (s->down_sampling * s->samples_per_packet < s->n_taps)
> + return AVERROR_INVALIDDATA;
> +
> s->max_framesize = s->samples_per_packet * avctx->ch_layout.nb_channels
> * s->down_sampling * 16LL;
> if (s->max_framesize > (INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE) / 8)
> return AVERROR_INVALIDDATA;
> --
> 2.17.1
LGTM
* Re: [FFmpeg-devel] [PATCH 5/6] avcodec/bonk: Avoid undefined overflow in quant
From: Paul B Mahol @ 2023-01-11 21:06 UTC
To: FFmpeg development discussions and patches
On 1/11/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in
> type 'int'
> Fixes:
> 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360
> Fixes:
> 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6617680050520064
> Fixes:
> 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6743951854141440
>
> No check is done for the overflow as this was rejected in last review, see
> the ML
>
> Note: the 2nd and 3rd testcases were assigned by ossfuzz to an unrelated theora
> issue (48567)
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/bonk.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> index 5d736b1563..9e176d5477 100644
> --- a/libavcodec/bonk.c
> +++ b/libavcodec/bonk.c
> @@ -356,7 +356,7 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame
> *frame,
> sample++;
> }
>
> - sample[0] = predictor_calc_error(s->k, state, s->n_taps,
> s->input_samples[i] * quant);
> + sample[0] = predictor_calc_error(s->k, state, s->n_taps,
> s->input_samples[i] * (unsigned)quant);
> sample++;
> }
>
> --
> 2.17.1
>
LGTM
* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/utils: allocate a line more for VC1 and WMV3
From: Andreas Rheinhardt @ 2023-01-12 7:38 UTC
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: out of array read on 32bit
> Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848
>
> The chroma MC code reads over the currently allocated frame.
> Alternative fixes would be allocating a few bytes more at the end instead of a whole
> line extra or to adjust the threshold where the edge emu code is activated
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/utils.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/libavcodec/utils.c b/libavcodec/utils.c
> index 2b63a498b9..1aa0a05a31 100644
> --- a/libavcodec/utils.c
> +++ b/libavcodec/utils.c
> @@ -321,6 +321,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
> *width = FFALIGN(*width, w_align);
> *height = FFALIGN(*height, h_align);
> if (s->codec_id == AV_CODEC_ID_H264 || s->lowres ||
> + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 ||
> s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 ||
> s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A
> ) {
Does this only happen on 32bit systems? If so, why?
- Andreas
* Re: [FFmpeg-devel] [PATCH 5/6] avcodec/bonk: Avoid undefined overflow in quant
From: Michael Niedermayer @ 2023-01-12 14:29 UTC
To: FFmpeg development discussions and patches
On Wed, Jan 11, 2023 at 10:06:44PM +0100, Paul B Mahol wrote:
> On 1/11/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in
> > type 'int'
> > Fixes:
> > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360
> > Fixes:
> > 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6617680050520064
> > Fixes:
> > 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6743951854141440
> >
> > No check is done for the overflow as this was rejected in last review, see
> > the ML
> >
> > Note: the 2nd and 3rd testcases were assigned by ossfuzz to an unrelated theora
> > issue (48567)
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/bonk.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 5d736b1563..9e176d5477 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -356,7 +356,7 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame
> > *frame,
> > sample++;
> > }
> >
> > - sample[0] = predictor_calc_error(s->k, state, s->n_taps,
> > s->input_samples[i] * quant);
> > + sample[0] = predictor_calc_error(s->k, state, s->n_taps,
> > s->input_samples[i] * (unsigned)quant);
> > sample++;
> > }
> >
> > --
> > 2.17.1
> >
>
> LGTM
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Avoid a single point of failure, be that a person or equipment.
* Re: [FFmpeg-devel] [PATCH 6/6] avcodec/bonk: Check ntaps against buffer size
From: Michael Niedermayer @ 2023-01-12 14:30 UTC
To: FFmpeg development discussions and patches
On Wed, Jan 11, 2023 at 10:06:19PM +0100, Paul B Mahol wrote:
> On 1/11/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: out of array read
> > Fixes:
> > 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6739246658748416
> >
> > Note: This issue was assigned to an unrelated theora bug
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/bonk.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 9e176d5477..061cc69a58 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -101,6 +101,10 @@ static av_cold int bonk_init(AVCodecContext *avctx)
> > s->samples_per_packet = AV_RL16(avctx->extradata + 15);
> > if (!s->samples_per_packet)
> > return AVERROR(EINVAL);
> > +
> > + if (s->down_sampling * s->samples_per_packet < s->n_taps)
> > + return AVERROR_INVALIDDATA;
> > +
> > s->max_framesize = s->samples_per_packet * avctx->ch_layout.nb_channels
> > * s->down_sampling * 16LL;
> > if (s->max_framesize > (INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE) / 8)
> > return AVERROR_INVALIDDATA;
> > --
> > 2.17.1
>
> LGTM
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/utils: allocate a line more for VC1 and WMV3
From: Michael Niedermayer @ 2023-01-12 14:43 UTC
To: FFmpeg development discussions and patches
On Thu, Jan 12, 2023 at 08:38:08AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array read on 32bit
> > Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848
> >
> > The chroma MC code reads over the currently allocated frame.
> > Alternative fixes would be allocating a few bytes more at the end instead of a whole
> > line extra or to adjust the threshold where the edge emu code is activated
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/utils.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/libavcodec/utils.c b/libavcodec/utils.c
> > index 2b63a498b9..1aa0a05a31 100644
> > --- a/libavcodec/utils.c
> > +++ b/libavcodec/utils.c
> > @@ -321,6 +321,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
> > *width = FFALIGN(*width, w_align);
> > *height = FFALIGN(*height, h_align);
> > if (s->codec_id == AV_CODEC_ID_H264 || s->lowres ||
> > + s->codec_id == AV_CODEC_ID_VC1 || s->codec_id == AV_CODEC_ID_WMV3 ||
> > s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 ||
> > s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A
> > ) {
>
> Does this only happen on 32bit systems? If so, why?
I'd have to double check, some of the issues in this set were 32bit specific, some not.
But the x86 codepath has special cases I think for non interpolated cases while
the C path which was used in the issue does not.
A check could also be added to the C path to not read the next line when not needed;
the patch is just following what h264 does
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is what and why we do it that matters, not just one of them.
* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/utils: allocate a line more for VC1 and WMV3
From: Michael Niedermayer @ 2023-02-23 22:26 UTC
To: FFmpeg development discussions and patches
On Wed, Jan 11, 2023 at 09:42:16PM +0100, Michael Niedermayer wrote:
> Fixes: out of array read on 32bit
> Fixes: 54857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5840588224462848
>
> The chroma MC code reads over the currently allocated frame.
> Alternative fixes would be allocating a few bytes more at the end instead of a whole
> line extra or to adjust the threshold where the edge emu code is activated
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/utils.c | 1 +
> 1 file changed, 1 insertion(+)
will apply remaining bits of this patchset
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus