* [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows
@ 2023-03-26 22:26 Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 2/4] avcodec/vc1dec: Use av_fast_realloc() for slices Michael Niedermayer
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-03-26 22:26 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -532410125 + -1759642300 cannot be represented in type 'int'
Fixes: 57045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-637023665297817
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/wavarc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 8d37af95716..896972cec82 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -349,7 +349,7 @@ static int decode_2slp(AVCodecContext *avctx,
int sum = 15;
for (int o = 0; o < order; o++)
- sum += s->filter[ch][o] * samples[n + 70 - o - 1];
+ sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
samples[n + 70] = get_srice(gb, k) + (sum >> 4);
}
@@ -452,7 +452,7 @@ fail:
const int *src = s->samples[ch] + s->offset;
for (int n = 0; n < frame->nb_samples; n++)
- dst[n] = src[n] * (1 << s->shift) + 0x80U;
+ dst[n] = src[n] * (1U << s->shift) + 0x80U;
}
break;
case AV_SAMPLE_FMT_S16P:
@@ -461,7 +461,7 @@ fail:
const int *src = s->samples[ch] + s->offset;
for (int n = 0; n < frame->nb_samples; n++)
- dst[n] = src[n] * (1 << s->shift);
+ dst[n] = src[n] * (1U << s->shift);
}
break;
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 2/4] avcodec/vc1dec: Use av_fast_realloc() for slices
2023-03-26 22:26 [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
@ 2023-03-26 22:26 ` Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 3/4] avcodec/g729postfilter: Limit shift in long term filter Michael Niedermayer
` (2 subsequent siblings)
3 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-03-26 22:26 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 57281/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-4594141064724480
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vc1dec.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 5cb4c544c9a..18fb616fff5 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -836,6 +836,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
const uint8_t *rawbuf;
int raw_size;
} *slices = NULL, *tmp;
+ unsigned slices_allocated = 0;
v->second_field = 0;
@@ -859,6 +860,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
//for advanced profile we may need to parse and unescape data
if (avctx->codec_id == AV_CODEC_ID_VC1 || avctx->codec_id == AV_CODEC_ID_VC1IMAGE) {
int buf_size2 = 0;
+ size_t next_allocated = 0;
buf2 = av_mallocz(buf_size + AV_INPUT_BUFFER_PADDING_SIZE);
if (!buf2)
return AVERROR(ENOMEM);
@@ -882,7 +884,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
int buf_size3;
if (avctx->hwaccel)
buf_start_second_field = start;
- tmp = av_realloc_array(slices, sizeof(*slices), n_slices+1);
+ av_size_mult(sizeof(*slices), n_slices+1, &next_allocated);
+ tmp = next_allocated ? av_fast_realloc(slices, &slices_allocated, next_allocated) : NULL;
if (!tmp) {
ret = AVERROR(ENOMEM);
goto err;
@@ -911,7 +914,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
break;
case VC1_CODE_SLICE: {
int buf_size3;
- tmp = av_realloc_array(slices, sizeof(*slices), n_slices+1);
+ av_size_mult(sizeof(*slices), n_slices+1, &next_allocated);
+ tmp = next_allocated ? av_fast_realloc(slices, &slices_allocated, next_allocated) : NULL;
if (!tmp) {
ret = AVERROR(ENOMEM);
goto err;
@@ -946,7 +950,8 @@ static int vc1_decode_frame(AVCodecContext *avctx, AVFrame *pict,
} else { // found field marker, unescape second field
if (avctx->hwaccel)
buf_start_second_field = divider;
- tmp = av_realloc_array(slices, sizeof(*slices), n_slices+1);
+ av_size_mult(sizeof(*slices), n_slices+1, &next_allocated);
+ tmp = next_allocated ? av_fast_realloc(slices, &slices_allocated, next_allocated) : NULL;
if (!tmp) {
ret = AVERROR(ENOMEM);
goto err;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 3/4] avcodec/g729postfilter: Limit shift in long term filter
2023-03-26 22:26 [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 2/4] avcodec/vc1dec: Use av_fast_realloc() for slices Michael Niedermayer
@ 2023-03-26 22:26 ` Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure Michael Niedermayer
2023-04-02 21:40 ` [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
3 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-03-26 22:26 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: shift exponent 34 is too large for 32-bit type 'int'
Fixes: 57389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-6229522659016704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/g729postfilter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/g729postfilter.c b/libavcodec/g729postfilter.c
index f3cacbac05b..26e937f0baf 100644
--- a/libavcodec/g729postfilter.c
+++ b/libavcodec/g729postfilter.c
@@ -353,7 +353,7 @@ static int16_t long_term_filter(AudioDSPContext *adsp, int pitch_delay_int,
if (tmp > 0)
L_temp0 >>= tmp;
else
- L_temp1 >>= -tmp;
+ L_temp1 >>= FFMIN(-tmp, 31);
/* Check if longer filter increases the values of R'(k). */
if (L_temp1 > L_temp0) {
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure
2023-03-26 22:26 [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 2/4] avcodec/vc1dec: Use av_fast_realloc() for slices Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 3/4] avcodec/g729postfilter: Limit shift in long term filter Michael Niedermayer
@ 2023-03-26 22:26 ` Michael Niedermayer
2023-03-27 0:45 ` Kieran Kunhya
2023-03-27 9:59 ` Andreas Rheinhardt
2023-04-02 21:40 ` [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
3 siblings, 2 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-03-26 22:26 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Assertion failure on x86-32
Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vp3.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 9660def675f..22348559461 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx)
s->avctx = avctx;
s->width = FFALIGN(avctx->coded_width, 16);
s->height = FFALIGN(avctx->coded_height, 16);
+ if (s->width < 18)
+ return AVERROR_PATCHWELCOME;
if (avctx->codec_id != AV_CODEC_ID_THEORA)
avctx->pix_fmt = AV_PIX_FMT_YUV420P;
avctx->chroma_sample_location = AVCHROMA_LOC_CENTER;
@@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
/* sanity check */
if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 ||
visible_width + offset_x > s->width ||
- visible_height + offset_y > s->height) {
+ visible_height + offset_y > s->height ||
+ visible_width < 18
+ ) {
av_log(avctx, AV_LOG_ERROR,
"Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n",
visible_width, visible_height, offset_x, offset_y,
@@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
} else
avctx->pix_fmt = AV_PIX_FMT_YUV420P;
+ if (s->width < 18)
+ return AVERROR_PATCHWELCOME;
ret = ff_set_dimensions(avctx, s->width, s->height);
if (ret < 0)
return ret;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure Michael Niedermayer
@ 2023-03-27 0:45 ` Kieran Kunhya
2023-03-28 20:10 ` Michael Niedermayer
2023-03-27 9:59 ` Andreas Rheinhardt
1 sibling, 1 reply; 8+ messages in thread
From: Kieran Kunhya @ 2023-03-27 0:45 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, 26 Mar 2023, 23:27 Michael Niedermayer, <michael@niedermayer.cc>
wrote:
> Fixes: Assertion failure on x86-32
> Fixes:
> 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/vp3.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
> index 9660def675f..22348559461 100644
> --- a/libavcodec/vp3.c
> +++ b/libavcodec/vp3.c
> @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext
> *avctx)
> s->avctx = avctx;
> s->width = FFALIGN(avctx->coded_width, 16);
> s->height = FFALIGN(avctx->coded_height, 16);
> + if (s->width < 18)
> + return AVERROR_PATCHWELCOME;
> if (avctx->codec_id != AV_CODEC_ID_THEORA)
> avctx->pix_fmt = AV_PIX_FMT_YUV420P;
> avctx->chroma_sample_location = AVCHROMA_LOC_CENTER;
> @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext
> *avctx, GetBitContext *gb)
> /* sanity check */
> if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0
> ||
> visible_width + offset_x > s->width ||
> - visible_height + offset_y > s->height) {
> + visible_height + offset_y > s->height ||
> + visible_width < 18
> + ) {
> av_log(avctx, AV_LOG_ERROR,
> "Invalid frame dimensions - w:%d h:%d x:%d y:%d
> (%dx%d).\n",
> visible_width, visible_height, offset_x, offset_y,
> @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext
> *avctx, GetBitContext *gb)
> } else
> avctx->pix_fmt = AV_PIX_FMT_YUV420P;
>
> + if (s->width < 18)
> + return AVERROR_PATCHWELCOME;
> ret = ff_set_dimensions(avctx, s->width, s->height);
> if (ret < 0)
> return ret;
> --
> 2.17.1
>
Please provide some explanation around the number "18"
Kieran
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure Michael Niedermayer
2023-03-27 0:45 ` Kieran Kunhya
@ 2023-03-27 9:59 ` Andreas Rheinhardt
1 sibling, 0 replies; 8+ messages in thread
From: Andreas Rheinhardt @ 2023-03-27 9:59 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: Assertion failure on x86-32
> Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/vp3.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
> index 9660def675f..22348559461 100644
> --- a/libavcodec/vp3.c
> +++ b/libavcodec/vp3.c
> @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx)
> s->avctx = avctx;
> s->width = FFALIGN(avctx->coded_width, 16);
> s->height = FFALIGN(avctx->coded_height, 16);
> + if (s->width < 18)
> + return AVERROR_PATCHWELCOME;
> if (avctx->codec_id != AV_CODEC_ID_THEORA)
> avctx->pix_fmt = AV_PIX_FMT_YUV420P;
> avctx->chroma_sample_location = AVCHROMA_LOC_CENTER;
> @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
> /* sanity check */
> if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 ||
> visible_width + offset_x > s->width ||
> - visible_height + offset_y > s->height) {
> + visible_height + offset_y > s->height ||
> + visible_width < 18
> + ) {
> av_log(avctx, AV_LOG_ERROR,
> "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n",
> visible_width, visible_height, offset_x, offset_y,
> @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb)
> } else
> avctx->pix_fmt = AV_PIX_FMT_YUV420P;
>
> + if (s->width < 18)
> + return AVERROR_PATCHWELCOME;
> ret = ff_set_dimensions(avctx, s->width, s->height);
> if (ret < 0)
> return ret;
Always mention in the commit message which assertion fails when fixing
an assertion.
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure
2023-03-27 0:45 ` Kieran Kunhya
@ 2023-03-28 20:10 ` Michael Niedermayer
0 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-03-28 20:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 3136 bytes --]
On Mon, Mar 27, 2023 at 01:45:01AM +0100, Kieran Kunhya wrote:
> On Sun, 26 Mar 2023, 23:27 Michael Niedermayer, <michael@niedermayer.cc>
> wrote:
>
> > Fixes: Assertion failure on x86-32
> > Fixes:
> > 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by
> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/vp3.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
> > index 9660def675f..22348559461 100644
> > --- a/libavcodec/vp3.c
> > +++ b/libavcodec/vp3.c
> > @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext
> > *avctx)
> > s->avctx = avctx;
> > s->width = FFALIGN(avctx->coded_width, 16);
> > s->height = FFALIGN(avctx->coded_height, 16);
> > + if (s->width < 18)
> > + return AVERROR_PATCHWELCOME;
> > if (avctx->codec_id != AV_CODEC_ID_THEORA)
> > avctx->pix_fmt = AV_PIX_FMT_YUV420P;
> > avctx->chroma_sample_location = AVCHROMA_LOC_CENTER;
> > @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext
> > *avctx, GetBitContext *gb)
> > /* sanity check */
> > if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0
> > ||
> > visible_width + offset_x > s->width ||
> > - visible_height + offset_y > s->height) {
> > + visible_height + offset_y > s->height ||
> > + visible_width < 18
> > + ) {
> > av_log(avctx, AV_LOG_ERROR,
> > "Invalid frame dimensions - w:%d h:%d x:%d y:%d
> > (%dx%d).\n",
> > visible_width, visible_height, offset_x, offset_y,
> > @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext
> > *avctx, GetBitContext *gb)
> > } else
> > avctx->pix_fmt = AV_PIX_FMT_YUV420P;
> >
> > + if (s->width < 18)
> > + return AVERROR_PATCHWELCOME;
> > ret = ff_set_dimensions(avctx, s->width, s->height);
> > if (ret < 0)
> > return ret;
> > --
> > 2.17.1
> >
>
> Please provide some explanation around the number "18"
Its because the source needed for MC of a block is 9x9 and chroma is 1/2
so a width of 18 is ok but 16 could result in a 8 linesize into which a 9x9
block would not fit.
This is x86-32 specific probably as the linesize is rouded up more on 64bit
If theres some value in such small sizes i could look into adjusting the
linesize up in these cases?
ill add this to the commit message:
Fixes: Assertion failure on x86-32
av_assert2(block_w * sizeof(pixel) <= FFABS(buf_linesize)); in ff_emulated_edge_mc()
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Complexity theory is the science of finding the exact solution to an
approximation. Benchmarking OTOH is finding an approximation of the exact
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows
2023-03-26 22:26 [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
` (2 preceding siblings ...)
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure Michael Niedermayer
@ 2023-04-02 21:40 ` Michael Niedermayer
3 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-04-02 21:40 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 828 bytes --]
On Mon, Mar 27, 2023 at 12:26:39AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -532410125 + -1759642300 cannot be represented in type 'int'
> Fixes: 57045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-637023665297817
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/wavarc.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
will apply patchset (with better commit message for the assert())
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-04-02 21:40 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-26 22:26 [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 2/4] avcodec/vc1dec: Use av_fast_realloc() for slices Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 3/4] avcodec/g729postfilter: Limit shift in long term filter Michael Niedermayer
2023-03-26 22:26 ` [FFmpeg-devel] [PATCH 4/4] avcodec/vp3: Check width to avoid assertion failure Michael Niedermayer
2023-03-27 0:45 ` Kieran Kunhya
2023-03-28 20:10 ` Michael Niedermayer
2023-03-27 9:59 ` Andreas Rheinhardt
2023-04-02 21:40 ` [FFmpeg-devel] [PATCH 1/4] avcodec/wavarc: Fix several integer overflows Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git