Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check samplesize and offset to avoid integer overflow
@ 2023-02-20 19:29 Michael Niedermayer
From: Michael Niedermayer @ 2023-02-20 19:29 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long'
Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6ab43b00c6..8af564ed61 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4192,6 +4192,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
                 if (keyframe)
                     distance = 0;
                 sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample];
+                if (current_offset > INT64_MAX - sample_size) {
+                    av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n",
+                           current_offset,
+                           sample_size);
+                    return;
+                }
+
                 if (sc->pseudo_stream_id == -1 ||
                    sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) {
                     AVIndexEntry *e;
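Review bot: the new guard `if (current_offset > INT64_MAX - sample_size)` aborts index building with only a log message and a bare `return` from a void function, so the caller cannot tell a complete index from one truncated by malformed sample-size or offset data; consider recording the failure (an error flag on the context, or an `AVERROR_INVALIDDATA` path if the function's return type can change) so the demuxer can reject the file instead of silently presenting a shorter stream. The arithmetic itself is sound: `sample_size` is `unsigned` (per the `%u` format), it converts to the 64-bit type of `INT64_MAX` without wrapping, and testing the subtraction rather than performing the addition is what avoids the overflow the fuzzer reported.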
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/6] avformat/rka: Fix 1/0 with bps=1
@ 2023-02-20 19:29 ` Michael Niedermayer
From: Michael Niedermayer @ 2023-02-20 19:29 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: division by zero
Fixes: 55940/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6333107679920128

The decoder does not support bps=1 and I have no such sample so it is not
known if this duration is correct. Alternatively we could error out on all
bps we currently do not support on the decoder side or not set duration.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rka.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rka.c b/libavformat/rka.c
index cc55480345..39e5b3bce1 100644
--- a/libavformat/rka.c
+++ b/libavformat/rka.c
@@ -114,7 +114,7 @@ static int rka_read_header(AVFormatContext *s)
     par->ch_layout.nb_channels = channels;
     par->sample_rate = samplerate;
     par->bits_per_raw_sample = bps;
-    st->duration = nb_samples / (channels * (bps >> 3));
+    st->duration = 8LL*nb_samples / (channels * bps);
 
     if (s->pb->seekable & AVIO_SEEKABLE_NORMAL)
         ff_ape_parse_tag(s);
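Review bot: the new denominator in `st->duration = 8LL*nb_samples / (channels * bps);` still divides by zero when either `channels` or `bps` is 0, so this only removes the `bps >> 3 == 0` case; please confirm both values are rejected earlier in `rka_read_header` (not visible in this hunk) or add an explicit check before the division. Since the commit message says the bps=1 duration is unverified and the decoder does not support it, a one-line comment here (or refusing unsupported bps at demux time, the alternative the message mentions) would stop the next reader from treating the formula as validated.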
-- 
2.17.1


* [FFmpeg-devel] [PATCH 3/6] avcodec/rka: Fix some integer anomalies
@ 2023-02-20 19:29 ` Michael Niedermayer
From: Michael Niedermayer @ 2023-02-20 19:29 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: left shift of negative value -3201
Fixes: integer overflow: -76470276 * -25608 cannot be represented in type 'int'
Fixes: 56052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-5236218750435328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rka.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/rka.c b/libavcodec/rka.c
index 461baf1e1f..994c563ffd 100644
--- a/libavcodec/rka.c
+++ b/libavcodec/rka.c
@@ -723,16 +723,16 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns
             last_val = val;
             src = &ctx->buf1[off + -1];
             for (int i = 0; i < filt.size && i < 15; i++)
-                sum += filt.coeffs[i] * src[-i];
+                sum += filt.coeffs[i] * (unsigned)src[-i];
             sum = sum * 2;
             for (int i = 15; i < filt.size; i++)
-                sum += filt.coeffs[i] * src[-i];
+                sum += filt.coeffs[i] * (unsigned)src[-i];
             sum = sum >> 6;
             if (ctx->cmode == 0) {
                 if (bits == 0) {
                     ctx->buf1[off] = sum + val;
                 } else {
-                    ctx->buf1[off] = (val + (sum >> bits) << bits) +
+                    ctx->buf1[off] = (val + (sum >> bits)) * (1 << bits) +
                         (((1U << bits) - 1U) & ctx->buf1[off + -1]);
                 }
                 ctx->buf0[off] = ctx->buf1[off] + ctx->buf0[off + -1];
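Review bot: the rewritten `ctx->buf1[off] = (val + (sum >> bits)) * (1 << bits) +` still has two undefined-behaviour paths: `1 << bits` is undefined for `bits >= 31` with an `int` operand, and the signed multiply can overflow for a large `val + (sum >> bits)`; the very next line already uses `(1U << bits)`, so `* (1U << bits)` here would be consistent and make the wrap defined, leaving only the bound on `bits` to be justified from where it is parsed. The `(unsigned)` casts in the two loops make those products wrap defined, but `sum = sum * 2;` between them remains a signed doubling, so that overflow is still reachable (it is addressed separately in 6/6 of this series; squashing the two would keep each state of the tree UB-free).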
-- 
2.17.1


* [FFmpeg-devel] [PATCH 4/6] avcodec/rka: check for size 1 filter
@ 2023-02-20 19:29 ` Michael Niedermayer
From: Michael Niedermayer @ 2023-02-20 19:29 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Such filters will not advance and be stuck in the current implementation

Fixes: Infinite loop
Fixes: 56052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-5236218750435328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rka.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rka.c b/libavcodec/rka.c
index 994c563ffd..7452acf27f 100644
--- a/libavcodec/rka.c
+++ b/libavcodec/rka.c
@@ -691,7 +691,7 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns
     else
         split = size >> 4;
 
-    if (size <= 0)
+    if (size <= 1)
         return 0;
 
     for (int x = 0; x < size;) {
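Review bot: `if (size <= 1) return 0;` returns success for a size-1 filter, so a stream carrying one is silently accepted as a no-op rather than reported; if such a filter cannot occur in valid data, returning `AVERROR_INVALIDDATA` would surface the malformed input instead of hiding it. The loop header `for (int x = 0; x < size;) {` has no increment, so termination depends entirely on the body advancing `x`; the size check covers the stuck case the fuzzer found, but a check inside the loop that the step is positive would also protect against any other parameter combination that yields a zero step.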
-- 
2.17.1


* [FFmpeg-devel] [PATCH 5/6] avcodec/rka: avoid negative value shift
@ 2023-02-20 19:29 ` Michael Niedermayer
From: Michael Niedermayer @ 2023-02-20 19:29 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: left shift of negative value -81
Fixes: 56061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-4649758062149632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rka.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rka.c b/libavcodec/rka.c
index 7452acf27f..1eb2289e58 100644
--- a/libavcodec/rka.c
+++ b/libavcodec/rka.c
@@ -737,7 +737,7 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns
                 }
                 ctx->buf0[off] = ctx->buf1[off] + ctx->buf0[off + -1];
             } else {
-                val <<= ctx->cmode;
+                val *= 1 << ctx->cmode;
                 sum += ctx->buf0[off + -1] + val;
                 switch (s->bps) {
                 case 16: sum = av_clip_int16(sum); break;
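Review bot: `val *= 1 << ctx->cmode;` removes the left shift of a negative `val`, but `1 << ctx->cmode` is itself undefined for `cmode >= 31` with an `int` operand, and the signed multiply can still overflow for large `val`. Please say in the commit message (or a comment at this line) where `cmode` is range-checked when it is read, and consider `val *= 1U << ctx->cmode` so the wrap is at least defined, matching the `(1U << bits)` form already used in the `cmode == 0` branch of this function.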
-- 
2.17.1


* [FFmpeg-devel] [PATCH 6/6] avcodec/rka: avoid undefined doubling sum overflow
@ 2023-02-20 19:29 ` Michael Niedermayer
From: Michael Niedermayer @ 2023-02-20 19:29 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: -2124073172 * 2 cannot be represented in type 'int'
Fixes: 56099/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-4530933127839744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rka.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rka.c b/libavcodec/rka.c
index 1eb2289e58..2212e3f930 100644
--- a/libavcodec/rka.c
+++ b/libavcodec/rka.c
@@ -724,7 +724,7 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns
             src = &ctx->buf1[off + -1];
             for (int i = 0; i < filt.size && i < 15; i++)
                 sum += filt.coeffs[i] * (unsigned)src[-i];
-            sum = sum * 2;
+            sum = sum * 2U;
             for (int i = 15; i < filt.size; i++)
                 sum += filt.coeffs[i] * (unsigned)src[-i];
             sum = sum >> 6;
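Review bot: `sum = sum * 2U;` turns the doubling into an unsigned operation, and the result is converted back to `sum`'s type on assignment; if `sum` is a signed `int`, values above `INT_MAX` convert in an implementation-defined way (wrapping on the compilers FFmpeg targets) and the following `sum = sum >> 6;` then shifts a possibly negative value. That is consistent with the `(unsigned)` casts already on the `sum +=` lines, so the whole filter now deliberately computes in wrapping modular arithmetic; a short comment saying so at the top of this block would save the next person from "fixing" one of these casts away.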
-- 
2.17.1


* Re: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check samplesize and offset to avoid integer overflow
@ 2023-02-23 22:14 ` Michael Niedermayer
From: Michael Niedermayer @ 2023-02-23 22:14 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



Hi

On Mon, Feb 20, 2023 at 08:29:24PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long'
> Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 7 +++++++
>  1 file changed, 7 insertions(+)

will apply patchset

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus

