* [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size
@ 2023-01-13 0:01 Michael Niedermayer
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation Michael Niedermayer
` (4 more replies)
0 siblings, 5 replies; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-13 0:01 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6652634692190208
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6653703453278208
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6668020758216704
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6684749875249152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/wbmpdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wbmpdec.c b/libavcodec/wbmpdec.c
index 9638b55b94..8b105bc135 100644
--- a/libavcodec/wbmpdec.c
+++ b/libavcodec/wbmpdec.c
@@ -72,7 +72,7 @@ static int wbmp_decode_frame(AVCodecContext *avctx, AVFrame *p,
if (p->linesize[0] == (width + 7) / 8)
bytestream2_get_buffer(&gb, p->data[0], height * ((width + 7) / 8));
else
- readbits(p->data[0], width, height, p->linesize[0], gb.buffer, gb.buffer_end - gb.buffer_start);
+ readbits(p->data[0], width, height, p->linesize[0], gb.buffer, gb.buffer_end - gb.buffer);
p->key_frame = 1;
p->pict_type = AV_PICTURE_TYPE_I;
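Review bot: the last argument to readbits() is now the byte count left after the header (`gb.buffer_end - gb.buffer`) rather than the whole packet (`gb.buffer_end - gb.buffer_start`), which is the over-estimate that let readbits() run past the end of the packet. Two things to confirm outside the hunk: that readbits() treats that argument as a hard limit on bytes consumed and fails cleanly when fewer than `height * ((width + 7) / 8)` bytes remain, rather than producing a partial image; and whether the `bytestream2_get_buffer()` branch above copies fewer bytes on a truncated packet and, if so, whether the unfilled tail of `p->data[0]` is left in a defined state.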
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation
2023-01-13 0:01 [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Michael Niedermayer
@ 2023-01-13 0:01 ` Michael Niedermayer
2023-01-13 0:11 ` James Almer
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 3/5] avcodec/012v: Order operations for odd size handling Michael Niedermayer
` (3 subsequent siblings)
4 siblings, 1 reply; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-13 0:01 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: OOM
Fixes: out of array access (no testcase)
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/xpmdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
index ff1f51dd32..504cc47d8f 100644
--- a/libavcodec/xpmdec.c
+++ b/libavcodec/xpmdec.c
@@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
size *= 4;
+ if (size > SIZE_MAX)
+ return AVERROR(ENOMEM);
+
ptr += mod_strcspn(ptr, ",") + 1;
if (end - ptr < 1)
return AVERROR_INVALIDDATA;
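Review bot: `size > SIZE_MAX` cannot be true when `size` is a signed 64-bit value and size_t is also 64 bits (the declaration of `size` is not visible in the hunk; with equal rank the usual arithmetic conversions make the comparison unsigned, and no int64_t value exceeds SIZE_MAX), so the guard only protects 32-bit targets and some compilers will warn about an always-false comparison. Checking the bound before the multiplication, `if (size > SIZE_MAX / 4) return AVERROR(ENOMEM);` placed above `size *= 4;`, avoids the tautology and also rules out the multiplication itself overflowing before the check runs. Since an oversized `size` here comes from the input rather than from a failed allocation, AVERROR_INVALIDDATA would be a defensible return value as well.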
--
2.17.1
* [FFmpeg-devel] [PATCH 3/5] avcodec/012v: Order operations for odd size handling
2023-01-13 0:01 [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Michael Niedermayer
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation Michael Niedermayer
@ 2023-01-13 0:01 ` Michael Niedermayer
2023-01-16 8:19 ` Paul B Mahol
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 4/5] avcodec/motionpixels: Mask pixels to valid values Michael Niedermayer
` (2 subsequent siblings)
4 siblings, 1 reply; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-13 0:01 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/012v.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/012v.c b/libavcodec/012v.c
index 2d89a86b98..f0197cd8f9 100644
--- a/libavcodec/012v.c
+++ b/libavcodec/012v.c
@@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx, AVFrame *pic,
u = x/2 + (uint16_t *)(pic->data[1] + line * pic->linesize[1]);
v = x/2 + (uint16_t *)(pic->data[2] + line * pic->linesize[2]);
memcpy(y, y_temp, sizeof(*y) * (width - x));
- memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
- memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
+ memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2));
+ memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2));
}
line_end += stride;
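Review bot: operator precedence was the defect: `sizeof(*u) * (width - x + 1) / 2` evaluates left to right as `(2 * (width - x + 1)) / 2`, i.e. `width - x + 1` bytes, one byte more than the `(width - x + 1) / 2` uint16_t samples (`u` and `v` are cast to `uint16_t *` two lines above) actually occupy whenever `width - x` is even. The parenthesised `sizeof(*u) * ((width - x + 1) / 2)` copies exactly the rounded-up sample count times two bytes; the `y` memcpy on the line above has no division and is unaffected. Hoisting `(width - x + 1) / 2` into a named chroma-count variable shared by both memcpys would make the intent explicit, and a FATE sample with an odd width would keep this from regressing.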
--
2.17.1
* [FFmpeg-devel] [PATCH 4/5] avcodec/motionpixels: Mask pixels to valid values
2023-01-13 0:01 [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Michael Niedermayer
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation Michael Niedermayer
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 3/5] avcodec/012v: Order operations for odd size handling Michael Niedermayer
@ 2023-01-13 0:01 ` Michael Niedermayer
2023-02-23 22:35 ` Michael Niedermayer
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 5/5] avcodec/sonic: avoid integer overflow on quantization parameter Michael Niedermayer
2023-01-15 2:44 ` [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Peter Ross
4 siblings, 1 reply; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-13 0:01 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/motionpixels.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index 4141c5a495..a947ca05de 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -185,7 +185,7 @@ static YuvPixel mp_get_yuv_from_rgb(MotionPixelsContext *mp, int x, int y)
int color;
color = *(uint16_t *)&mp->frame->data[0][y * mp->frame->linesize[0] + x * 2];
- return mp_rgb_yuv_table[color];
+ return mp_rgb_yuv_table[color & 0x7FFF];
}
static void mp_set_rgb_from_yuv(MotionPixelsContext *mp, int x, int y, const YuvPixel *p)
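Review bot: `& 0x7FFF` keeps the index inside a 32768-entry table (the table size is not visible in the hunk, so this assumes mp_rgb_yuv_table is indexed by 15-bit RGB555 values), but it also silently accepts a pixel with bit 15 set instead of treating it as invalid. If that bit can only appear through an earlier decoding error or uninitialised frame data, masking here hides the cause; consider whether the writer side (mp_set_rgb_from_yuv below) should guarantee the bit is never set. As a minimal fix for the out-of-bounds read the mask is fine either way.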
--
2.17.1
* [FFmpeg-devel] [PATCH 5/5] avcodec/sonic: avoid integer overflow on quantization parameter
2023-01-13 0:01 [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Michael Niedermayer
` (2 preceding siblings ...)
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 4/5] avcodec/motionpixels: Mask pixels to valid values Michael Niedermayer
@ 2023-01-13 0:01 ` Michael Niedermayer
2023-01-13 10:15 ` Paul B Mahol
2023-01-15 2:44 ` [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Peter Ross
4 siblings, 1 reply; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-13 0:01 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -1094995529 * 16 cannot be represented in type 'int'
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-6681622236233728
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/sonic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index 77bdb418a7..95ac2b1a96 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -1013,7 +1013,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, AVFrame *frame,
if (s->lossless)
quant = 1;
else
- quant = get_symbol(&c, state, 0) * SAMPLE_FACTOR;
+ quant = get_symbol(&c, state, 0) * (unsigned)SAMPLE_FACTOR;
// av_log(NULL, AV_LOG_INFO, "quant: %d\n", quant);
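Review bot: the `(unsigned)` cast only makes the wrap-around defined behaviour; it does not validate `quant`. The value from the fuzz case, -1094995529 * 16, still wraps to an arbitrary int when stored back into `quant`, so any later use of `quant` as a multiplier, divisor or shift amount still sees attacker-controlled garbage. If the format gives `quant` a meaningful range, an explicit check such as `if (quant <= 0 || quant > max_quant) return AVERROR_INVALIDDATA;` right after this line (the bound depends on how `quant` is consumed later, which is not visible here) would fix the underlying problem rather than only the sanitizer report.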
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation Michael Niedermayer
@ 2023-01-13 0:11 ` James Almer
2023-01-13 20:49 ` Michael Niedermayer
0 siblings, 1 reply; 14+ messages in thread
From: James Almer @ 2023-01-13 0:11 UTC (permalink / raw)
To: ffmpeg-devel
On 1/12/2023 9:01 PM, Michael Niedermayer wrote:
> Fixes: OOM
> Fixes: out of array access (no testcase)
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/xpmdec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
> index ff1f51dd32..504cc47d8f 100644
> --- a/libavcodec/xpmdec.c
> +++ b/libavcodec/xpmdec.c
> @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
>
> size *= 4;
>
> + if (size > SIZE_MAX)
> + return AVERROR(ENOMEM);
Maybe check for (size > SIZE_MAX / 4) before the multiplication above
instead.
> +
> ptr += mod_strcspn(ptr, ",") + 1;
> if (end - ptr < 1)
> return AVERROR_INVALIDDATA;
* Re: [FFmpeg-devel] [PATCH 5/5] avcodec/sonic: avoid integer overflow on quantization parameter
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 5/5] avcodec/sonic: avoid integer overflow on quantization parameter Michael Niedermayer
@ 2023-01-13 10:15 ` Paul B Mahol
0 siblings, 0 replies; 14+ messages in thread
From: Paul B Mahol @ 2023-01-13 10:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On 1/13/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: signed integer overflow: -1094995529 * 16 cannot be represented in
> type 'int'
> Fixes:
> 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-6681622236233728
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/sonic.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
> index 77bdb418a7..95ac2b1a96 100644
> --- a/libavcodec/sonic.c
> +++ b/libavcodec/sonic.c
> @@ -1013,7 +1013,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,
> AVFrame *frame,
> if (s->lossless)
> quant = 1;
> else
> - quant = get_symbol(&c, state, 0) * SAMPLE_FACTOR;
> + quant = get_symbol(&c, state, 0) * (unsigned)SAMPLE_FACTOR;
>
> // av_log(NULL, AV_LOG_INFO, "quant: %d\n", quant);
>
> --
> 2.17.1
>
You are pointlessly wasting resources on a broken bonk clone.
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation
2023-01-13 0:11 ` James Almer
@ 2023-01-13 20:49 ` Michael Niedermayer
2023-01-13 20:53 ` James Almer
0 siblings, 1 reply; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-13 20:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote:
>
>
> On 1/12/2023 9:01 PM, Michael Niedermayer wrote:
> > Fixes: OOM
> > Fixes: out of array access (no testcase)
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/xpmdec.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
> > index ff1f51dd32..504cc47d8f 100644
> > --- a/libavcodec/xpmdec.c
> > +++ b/libavcodec/xpmdec.c
> > @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
> > size *= 4;
> > + if (size > SIZE_MAX)
> > + return AVERROR(ENOMEM);
>
> Maybe check for (size > SIZE_MAX / 4) before the multiplication above
> instead.
What is the advantage of this?
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation
2023-01-13 20:49 ` Michael Niedermayer
@ 2023-01-13 20:53 ` James Almer
2023-01-13 20:56 ` Michael Niedermayer
0 siblings, 1 reply; 14+ messages in thread
From: James Almer @ 2023-01-13 20:53 UTC (permalink / raw)
To: ffmpeg-devel
On 1/13/2023 5:49 PM, Michael Niedermayer wrote:
> On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote:
>>
>>
>> On 1/12/2023 9:01 PM, Michael Niedermayer wrote:
>>> Fixes: OOM
>>> Fixes: out of array access (no testcase)
>>> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavcodec/xpmdec.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
>>> index ff1f51dd32..504cc47d8f 100644
>>> --- a/libavcodec/xpmdec.c
>>> +++ b/libavcodec/xpmdec.c
>>> @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
>>> size *= 4;
>>> + if (size > SIZE_MAX)
>>> + return AVERROR(ENOMEM);
>>
>> Maybe check for (size > SIZE_MAX / 4) before the multiplication above
>> instead.
>
> What is the advantage of this?
An int64_t value will never be bigger than or equal to SIZE_MAX on 64-bit
targets, so maybe some compiler out there will warn about it.
>
> thx
>
> [...]
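The point made in the reply above, that a 64-bit signed byte count compared against SIZE_MAX is a tautology on 64-bit targets, is easy to demonstrate. The following is an added example written for this page and is not FFmpeg code: a stand-alone guard that bounds a byte count before it is multiplied, using negative errno values as stand-ins for FFmpeg's AVERROR() macros and a plain cast in place of av_fast_padded_malloc(). The names `post_multiply_check_fires`, `scale_alloc_size` and `size_seen_by_allocator` are hypothetical.

```c
/* Added example for this thread, not FFmpeg code. Shows why
 * `if (size > SIZE_MAX)` after `size *= 4` is a no-op where size_t is
 * 64 bits, and how to bound an int64_t byte count before scaling it for
 * an allocator that takes size_t. Names and error values are stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the guard in the original hunk. `size` is int64_t and
 * SIZE_MAX is size_t. On LP64 both have the same rank, so `size` is
 * converted to unsigned long and no int64_t value can exceed SIZE_MAX:
 * the comparison folds to 0. On ILP32 size_t is narrower than int64_t,
 * SIZE_MAX converts to int64_t, and the comparison is meaningful. */
int post_multiply_check_fires(int64_t size)
{
    return size > SIZE_MAX;
}

/* Bound the count before multiplying, as the review suggests.
 * Returns 0 and stores size * factor in *out; -EINVAL for a negative
 * count or non-positive factor (stand-in for AVERROR(EINVAL)); -ENOMEM
 * (stand-in for AVERROR(ENOMEM)) if the product does not fit in size_t.
 * The product is only formed in size_t after the check, so there is no
 * signed overflow on the way, whatever the width of size_t. */
int scale_alloc_size(int64_t size, int64_t factor, size_t *out)
{
    if (size < 0 || factor <= 0)
        return -EINVAL;
    if ((uint64_t)size > SIZE_MAX / (uint64_t)factor)
        return -ENOMEM;
    *out = (size_t)size * (size_t)factor;
    return 0;
}

/* Stand-in for an allocator with a size_t parameter. Passing an int64_t
 * here on a 32-bit target truncates silently (2^40 becomes 0), which is
 * the truncation the pre-multiplication bound is meant to prevent. */
size_t size_seen_by_allocator(int64_t requested)
{
    return (size_t)requested;
}

int main(void)
{
    size_t out = 0;

    printf("post-multiply guard fires for INT64_MAX: %d\n",
           post_multiply_check_fires(INT64_MAX));
    printf("scale 100 * 4: rc=%d out=%zu\n",
           scale_alloc_size(100, 4, &out), out);
    printf("scale INT64_MAX * 4: rc=%d (-ENOMEM is %d)\n",
           scale_alloc_size(INT64_MAX, 4, &out), -ENOMEM);
    printf("allocator sees %zu for a 2^40 byte request\n",
           size_seen_by_allocator((int64_t)1 << 40));
    return 0;
}
```

The bound is expressed in terms of SIZE_MAX rather than INT64_MAX because the allocator's parameter type is what decides whether the value survives the call; a count that would overflow int64_t when multiplied can still be a legitimate size_t on a 64-bit target, and the same count is rejected on a 32-bit one.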
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation
2023-01-13 20:53 ` James Almer
@ 2023-01-13 20:56 ` Michael Niedermayer
0 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-13 20:56 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, Jan 13, 2023 at 05:53:20PM -0300, James Almer wrote:
> On 1/13/2023 5:49 PM, Michael Niedermayer wrote:
> > On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote:
> > >
> > >
> > > On 1/12/2023 9:01 PM, Michael Niedermayer wrote:
> > > > Fixes: OOM
> > > > Fixes: out of array access (no testcase)
> > > > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
> > > >
> > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > > ---
> > > > libavcodec/xpmdec.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
> > > > index ff1f51dd32..504cc47d8f 100644
> > > > --- a/libavcodec/xpmdec.c
> > > > +++ b/libavcodec/xpmdec.c
> > > > @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
> > > > size *= 4;
> > > > + if (size > SIZE_MAX)
> > > > + return AVERROR(ENOMEM);
> > >
> > > Maybe check for (size > SIZE_MAX / 4) before the multiplication above
> > > instead.
> >
> > What is the advantage of this?
>
> An int64_t value will never be bigger than or equal to SIZE_MAX on 64-bit
> targets, so maybe some compiler out there will warn about it.
Hmm, ok, I'll apply it with that change.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Does the universe only have a finite lifespan? No, it's going to go on
forever, it's just that you won't like living in it. -- Hiranya Peiri
* Re: [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size
2023-01-13 0:01 [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Michael Niedermayer
` (3 preceding siblings ...)
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 5/5] avcodec/sonic: avoid integer overflow on quantization parameter Michael Niedermayer
@ 2023-01-15 2:44 ` Peter Ross
2023-01-15 17:12 ` Michael Niedermayer
4 siblings, 1 reply; 14+ messages in thread
From: Peter Ross @ 2023-01-15 2:44 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, Jan 13, 2023 at 01:01:34AM +0100, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6652634692190208
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6653703453278208
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6668020758216704
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6684749875249152
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/wbmpdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/wbmpdec.c b/libavcodec/wbmpdec.c
> index 9638b55b94..8b105bc135 100644
> --- a/libavcodec/wbmpdec.c
> +++ b/libavcodec/wbmpdec.c
> @@ -72,7 +72,7 @@ static int wbmp_decode_frame(AVCodecContext *avctx, AVFrame *p,
> if (p->linesize[0] == (width + 7) / 8)
> bytestream2_get_buffer(&gb, p->data[0], height * ((width + 7) / 8));
> else
> - readbits(p->data[0], width, height, p->linesize[0], gb.buffer, gb.buffer_end - gb.buffer_start);
> + readbits(p->data[0], width, height, p->linesize[0], gb.buffer, gb.buffer_end - gb.buffer);
>
> p->key_frame = 1;
> p->pict_type = AV_PICTURE_TYPE_I;
Please apply.
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
* Re: [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size
2023-01-15 2:44 ` [FFmpeg-devel] [PATCH 1/5] avcodec/wbmpdec: use remaining size not whole size Peter Ross
@ 2023-01-15 17:12 ` Michael Niedermayer
0 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2023-01-15 17:12 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Jan 15, 2023 at 01:44:09PM +1100, Peter Ross wrote:
> On Fri, Jan 13, 2023 at 01:01:34AM +0100, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6652634692190208
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6653703453278208
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6668020758216704
> > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WBMP_fuzzer-6684749875249152
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/wbmpdec.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/wbmpdec.c b/libavcodec/wbmpdec.c
> > index 9638b55b94..8b105bc135 100644
> > --- a/libavcodec/wbmpdec.c
> > +++ b/libavcodec/wbmpdec.c
> > @@ -72,7 +72,7 @@ static int wbmp_decode_frame(AVCodecContext *avctx, AVFrame *p,
> > if (p->linesize[0] == (width + 7) / 8)
> > bytestream2_get_buffer(&gb, p->data[0], height * ((width + 7) / 8));
> > else
> > - readbits(p->data[0], width, height, p->linesize[0], gb.buffer, gb.buffer_end - gb.buffer_start);
> > + readbits(p->data[0], width, height, p->linesize[0], gb.buffer, gb.buffer_end - gb.buffer);
> >
> > p->key_frame = 1;
> > p->pict_type = AV_PICTURE_TYPE_I;
>
> please apply.
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
During times of universal deceit, telling the truth becomes a
revolutionary act. -- George Orwell
* Re: [FFmpeg-devel] [PATCH 3/5] avcodec/012v: Order operations for odd size handling
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 3/5] avcodec/012v: Order operations for odd size handling Michael Niedermayer
@ 2023-01-16 8:19 ` Paul B Mahol
0 siblings, 0 replies; 14+ messages in thread
From: Paul B Mahol @ 2023-01-16 8:19 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On 1/13/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: out of array access
> Fixes:
> 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6714182078955520.fuzz
> Fixes:
> 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZERO12V_fuzzer-6698145212137472.fuzz
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/012v.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/012v.c b/libavcodec/012v.c
> index 2d89a86b98..f0197cd8f9 100644
> --- a/libavcodec/012v.c
> +++ b/libavcodec/012v.c
> @@ -131,8 +131,8 @@ static int zero12v_decode_frame(AVCodecContext *avctx,
> AVFrame *pic,
> u = x/2 + (uint16_t *)(pic->data[1] + line *
> pic->linesize[1]);
> v = x/2 + (uint16_t *)(pic->data[2] + line *
> pic->linesize[2]);
> memcpy(y, y_temp, sizeof(*y) * (width - x));
> - memcpy(u, u_temp, sizeof(*u) * (width - x + 1) / 2);
> - memcpy(v, v_temp, sizeof(*v) * (width - x + 1) / 2);
> + memcpy(u, u_temp, sizeof(*u) * ((width - x + 1) / 2));
> + memcpy(v, v_temp, sizeof(*v) * ((width - x + 1) / 2));
> }
>
> line_end += stride;
> --
> 2.17.1
>
LGTM
* Re: [FFmpeg-devel] [PATCH 4/5] avcodec/motionpixels: Mask pixels to valid values
2023-01-13 0:01 ` [FFmpeg-devel] [PATCH 4/5] avcodec/motionpixels: Mask pixels to valid values Michael Niedermayer
@ 2023-02-23 22:35 ` Michael Niedermayer
0 siblings, 0 replies; 14+ messages in thread
From: Michael Niedermayer @ 2023-02-23 22:35 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, Jan 13, 2023 at 01:01:37AM +0100, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-6724203352555520
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/motionpixels.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
"You are 36 times more likely to die in a bathtub than at the hands of a
terrorist. Also, you are 2.5 times more likely to become a president and
2 times more likely to become an astronaut, than to die in a terrorist
attack." -- Thoughty2