* [FFmpeg-devel] [PATCH 02/11] avcodec/pngdec: remove AVFrame argument from decode_iccp_chunk()
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/pngdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 8fbb71f60f6..679cb8c2281 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -972,7 +972,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s,
return 0;
}
-static int decode_iccp_chunk(PNGDecContext *s, GetByteContext *gb, AVFrame *f)
+static int decode_iccp_chunk(PNGDecContext *s, GetByteContext *gb)
{
int ret, cnt = 0;
AVBPrint bp;
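Review bot: the commit message is empty and the hunk shows only the signature, not the body of decode_iccp_chunk(), so a reader cannot see from the patch that `f` had no remaining uses; one sentence in the message saying the AVFrame parameter was unused (and that this prepares for callers that have no frame) would make the change reviewable on its own.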
@@ -1466,7 +1466,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
s->have_srgb = 1;
break;
case MKTAG('i', 'C', 'C', 'P'): {
- if ((ret = decode_iccp_chunk(s, &gb_chunk, p)) < 0)
+ if ((ret = decode_iccp_chunk(s, &gb_chunk)) < 0)
goto fail;
break;
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 03/11] avcodec/pngdec: Do not pass AVFrame into global header decode
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
The global header should not contain a frame, and decoding it
would result in leaks
Fixes: memleak
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-6603443149340672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/pngdec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 679cb8c2281..5dc36d400c2 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -734,6 +734,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
int ret;
size_t byte_depth = s->bit_depth > 8 ? 2 : 1;
+ if (!p)
+ return AVERROR_INVALIDDATA;
if (!(s->hdr_state & PNG_IHDR)) {
av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n");
return AVERROR_INVALIDDATA;
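Review bot: the new `if (!p)` guard returns AVERROR_INVALIDDATA silently, while the `IDAT without IHDR` case directly below it logs an error first; an av_log() here, or at least a comment saying `p` is NULL while the global header is being parsed and image data in extradata is therefore rejected, keeps the two early returns consistent and makes a fuzzer-found extradata with an IDAT chunk diagnosable.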
@@ -1515,6 +1517,9 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
}
exit_loop:
+ if (!p)
+ return AVERROR_INVALIDDATA;
+
if (avctx->codec_id == AV_CODEC_ID_PNG &&
avctx->skip_frame == AVDISCARD_ALL) {
return 0;
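Review bot: this guard makes any call with `p == NULL` that falls through to `exit_loop` fail, and the caller in the third hunk propagates that error, so the success path of the global-header parse must leave decode_frame_common() before `exit_loop`; the hunks do not show where that happens, so please confirm it and record the contract in a comment next to the check (`p` is NULL only for the APNG extradata parse).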
@@ -1727,7 +1732,7 @@ static int decode_frame_apng(AVCodecContext *avctx, AVFrame *p,
if ((ret = inflateReset(&s->zstream.zstream)) != Z_OK)
return AVERROR_EXTERNAL;
bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size);
- if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0)
+ if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0)
return ret;
}
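Review bot: passing NULL here means every chunk handler reachable from decode_frame_common() must tolerate a missing frame; the patch guards decode_idat_chunk() and `exit_loop`, and 02/11 removed the frame from decode_iccp_chunk(), but the other handlers (decode_trns_chunk() in the first hunk's context, for example) are not in the hunks, so the commit message should state that they were audited for dereferences of `p`.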
--
2.17.1
* [FFmpeg-devel] [PATCH 04/11] avcodec/exr: Cleanup before return
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: leaks
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6703454090559488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/exr.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 2f1766c17bf..8cc6b056b29 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1930,8 +1930,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)
bytestream2_get_buffer(gb, key, FFMIN(sizeof(key) - 1, var_size));
if (strncmp("scanlineimage", key, var_size) &&
- strncmp("tiledimage", key, var_size))
- return AVERROR_PATCHWELCOME;
+ strncmp("tiledimage", key, var_size)) {
+ ret = AVERROR_PATCHWELCOME;
+ goto fail;
+ }
continue;
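Review bot: switching these returns to `goto fail` only helps if `fail:` releases what the early returns leaked and `ret` is otherwise set on the success path; neither is visible in the hunk, and the commit message just says `Fixes: leaks`, so name the resource that `fail:` frees. Also check that decode_header() has no other direct `return` statements after that allocation, since only the type and preview attributes are converted here.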
} else if ((var_size = check_header_variable(s, "preview",
@@ -1939,12 +1941,16 @@ static int decode_header(EXRContext *s, AVFrame *frame)
uint32_t pw = bytestream2_get_le32(gb);
uint32_t ph = bytestream2_get_le32(gb);
uint64_t psize = pw * ph;
- if (psize > INT64_MAX / 4)
- return AVERROR_INVALIDDATA;
+ if (psize > INT64_MAX / 4) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
psize *= 4;
- if ((int64_t)psize >= bytestream2_get_bytes_left(gb))
- return AVERROR_INVALIDDATA;
+ if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
bytestream2_skip(gb, psize);
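Review bot: `uint64_t psize = pw * ph;` in the context multiplies two uint32_t values in 32-bit arithmetic before widening, so `psize` can never exceed 2^32 - 1 and the `psize > INT64_MAX / 4` check cannot fire; a wrapped product also passes the bytes-left check and the rest of the header is then parsed from the wrong offset. Since the patch touches these lines anyway, write it as `(uint64_t)pw * ph` so both checks operate on the true size.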
--
2.17.1
* [FFmpeg-devel] [PATCH 05/11] avcodec/flacdec: Fix signed integer overflow
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 3011809745540902265 + 6323452730883571725 cannot be represented in type 'long'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6687553022722048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/flacdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index cc778a8dff1..524a0469495 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -513,7 +513,7 @@ static int decode_subframe_lpc_33bps(FLACContext *s, int64_t *decoded,
for (i = pred_order; i < s->blocksize; i++, decoded++) {
int64_t sum = 0;
for (j = 0; j < pred_order; j++)
- sum += (int64_t)coeffs[j] * decoded[j];
+ sum += (int64_t)coeffs[j] * (uint64_t)decoded[j];
decoded[j] = residual[i] + (sum >> qlevel);
}
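Review bot: the `(uint64_t)` cast moves both the multiply and the `+=` into unsigned arithmetic, so the sum wraps modulo 2^64 instead of tripping UBSan; since the thread agrees a valid stream never produces these magnitudes, wrapping is an acceptable outcome for corrupt input, but add a comment on the line saying the wrap is deliberate, or a future cleanup will remove the cast. Note that a saturating `av_sat_add64()` on its own would not cover the multiplication, which can also exceed 64 bits when `decoded[j]` comes from hostile residuals.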
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 05/11] avcodec/flacdec: Fix signed integer overflow
From: James Almer @ 2023-05-05 22:36 UTC (permalink / raw)
To: ffmpeg-devel
On 4/16/2023 1:48 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 3011809745540902265 + 6323452730883571725 cannot be represented in type 'long'
> Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6687553022722048
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/flacdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
> index cc778a8dff1..524a0469495 100644
> --- a/libavcodec/flacdec.c
> +++ b/libavcodec/flacdec.c
> @@ -513,7 +513,7 @@ static int decode_subframe_lpc_33bps(FLACContext *s, int64_t *decoded,
> for (i = pred_order; i < s->blocksize; i++, decoded++) {
> int64_t sum = 0;
> for (j = 0; j < pred_order; j++)
> - sum += (int64_t)coeffs[j] * decoded[j];
> + sum += (int64_t)coeffs[j] * (uint64_t)decoded[j];
Why not instead do
sum = av_sat_add64(sum, (int64_t)coeffs[j] * decoded[j]);
Also, decoded[j] is an int64_t, so wouldn't coeffs[j] be promoted if you
swap the order in the multiplication, thus saving the cast?
> decoded[j] = residual[i] + (sum >> qlevel);
> }
>
* Re: [FFmpeg-devel] [PATCH 05/11] avcodec/flacdec: Fix signed integer overflow
From: Michael Niedermayer @ 2023-05-06 15:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, May 05, 2023 at 07:36:05PM -0300, James Almer wrote:
> On 4/16/2023 1:48 PM, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: 3011809745540902265 + 6323452730883571725 cannot be represented in type 'long'
> > Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6687553022722048
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/flacdec.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
> > index cc778a8dff1..524a0469495 100644
> > --- a/libavcodec/flacdec.c
> > +++ b/libavcodec/flacdec.c
> > @@ -513,7 +513,7 @@ static int decode_subframe_lpc_33bps(FLACContext *s, int64_t *decoded,
> > for (i = pred_order; i < s->blocksize; i++, decoded++) {
> > int64_t sum = 0;
> > for (j = 0; j < pred_order; j++)
> > - sum += (int64_t)coeffs[j] * decoded[j];
> > + sum += (int64_t)coeffs[j] * (uint64_t)decoded[j];
>
> Why not instead do
>
> sum = av_sat_add64(sum, (int64_t)coeffs[j] * decoded[j]);
Why should this be clipping?
flac is a lossless codec, I see nothing in the specification that calls for
clipping.
>
> Also, decoded[j] is an int64_t, so wouldn't coeffs[j] be promoted if you
> swap the order in the multiplication, thus saving the cast?
it can be shuffled around to achieve the same, do you prefer
coeffs[j] * (uint64_t)decoded[j]; ?
thx
[...]
* Re: [FFmpeg-devel] [PATCH 05/11] avcodec/flacdec: Fix signed integer overflow
From: James Almer @ 2023-05-06 15:18 UTC (permalink / raw)
To: ffmpeg-devel
On 5/6/2023 12:08 PM, Michael Niedermayer wrote:
> On Fri, May 05, 2023 at 07:36:05PM -0300, James Almer wrote:
>> On 4/16/2023 1:48 PM, Michael Niedermayer wrote:
>>> Fixes: signed integer overflow: 3011809745540902265 + 6323452730883571725 cannot be represented in type 'long'
>>> Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6687553022722048
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavcodec/flacdec.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
>>> index cc778a8dff1..524a0469495 100644
>>> --- a/libavcodec/flacdec.c
>>> +++ b/libavcodec/flacdec.c
>>> @@ -513,7 +513,7 @@ static int decode_subframe_lpc_33bps(FLACContext *s, int64_t *decoded,
>>> for (i = pred_order; i < s->blocksize; i++, decoded++) {
>>> int64_t sum = 0;
>>> for (j = 0; j < pred_order; j++)
>>> - sum += (int64_t)coeffs[j] * decoded[j];
>>> + sum += (int64_t)coeffs[j] * (uint64_t)decoded[j];
>>
>> Why not instead do
>>
>> sum = av_sat_add64(sum, (int64_t)coeffs[j] * decoded[j]);
>
> Why should this be clipping ?
> flac is a lossless codec, i see nothing in the specification that calls for
> cliping.
No, but an overflowing case like 3011809745540902265 +
6323452730883571725 isn't supported either and will generate bad output,
so might as well use an optimized function for this.
>
>
>>
>> Also, decoded[j] is an int64_t, so wouldn't coeffs[j] be promoted if you
>> swap the order in the multiplication, thus saving the cast?
>
> it can be shuffled around to achieve the same, do you prefer
> coeffs[j] * (uint64_t)decoded[j]; ?
No gain doing that compared to your first version. I suggested it for
av_sat_add64(), which I insist you should use, if you want with a
comment about it being there not for spec reasons but to prevent integer
overflows, and removing all casts.
>
> thx
>
> [...]
>
>
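The two approaches argued over above (wrap in unsigned arithmetic versus a saturating add), as an added example that is not FFmpeg code: `sat_add64()` is a stand-in for `av_sat_add64()`, the input arrays are constructed to reproduce the two addends from the UBSan report, and `lpc_term()` is a hypothetical helper that also keeps the multiplication itself out of signed overflow.

```c
/* Added example, not FFmpeg code: the 33-bps LPC accumulation from
 * decode_subframe_lpc_33bps() written two ways and run on the operands
 * quoted in the UBSan report.  sat_add64() stands in for av_sat_add64();
 * the arrays below are constructed inputs, not data from a real stream. */
#include <stdint.h>
#include <stdio.h>

/* Portable saturating 64-bit add with no undefined behaviour. */
static int64_t sat_add64(int64_t a, int64_t b)
{
    if (b > 0 && a > INT64_MAX - b)
        return INT64_MAX;
    if (b < 0 && a < INT64_MIN - b)
        return INT64_MIN;
    return a + b;
}

/* coeff * sample computed modulo 2^64.  Corrupt streams can make the
 * product itself exceed 64 bits, so the multiply must not be signed. */
static int64_t lpc_term(int32_t coeff, int64_t sample)
{
    return (int64_t)((uint64_t)(int64_t)coeff * (uint64_t)sample);
}

/* Variant from the patch: accumulate in unsigned arithmetic so the sum
 * wraps modulo 2^64 instead of being undefined behaviour. */
static int64_t lpc_sum_wrap(const int32_t *coeffs, const int64_t *decoded, int order)
{
    int64_t sum = 0;
    for (int j = 0; j < order; j++)
        sum += (int64_t)coeffs[j] * (uint64_t)decoded[j];
    return sum;
}

/* Variant suggested in review: saturate the accumulation at the int64_t
 * limits instead of letting it wrap. */
static int64_t lpc_sum_sat(const int32_t *coeffs, const int64_t *decoded, int order)
{
    int64_t sum = 0;
    for (int j = 0; j < order; j++)
        sum = sat_add64(sum, lpc_term(coeffs[j], decoded[j]));
    return sum;
}

/* Constructed input reproducing the reported addends: two unit
 * coefficients applied to the two values named in the UBSan message. */
static const int32_t fuzz_coeffs[2]  = { 1, 1 };
static const int64_t fuzz_decoded[2] = { 3011809745540902265LL, 6323452730883571725LL };

/* Constructed in-range input: both variants must agree here. */
static const int32_t ok_coeffs[2]  = { 2, -3 };
static const int64_t ok_decoded[2] = { 5, 7 };

int64_t demo_wrap_overflow(void) { return lpc_sum_wrap(fuzz_coeffs, fuzz_decoded, 2); }
int64_t demo_sat_overflow(void)  { return lpc_sum_sat(fuzz_coeffs, fuzz_decoded, 2); }
int64_t demo_wrap_ok(void)       { return lpc_sum_wrap(ok_coeffs, ok_decoded, 2); }
int64_t demo_sat_ok(void)        { return lpc_sum_sat(ok_coeffs, ok_decoded, 2); }

int main(void)
{
    printf("wrapping sum   : %lld\n", (long long)demo_wrap_overflow());
    printf("saturating sum : %lld\n", (long long)demo_sat_overflow());
    printf("in-range, both : %lld %lld\n",
           (long long)demo_wrap_ok(), (long long)demo_sat_ok());
    return 0;
}
```

Compiled with `-fsanitize=undefined`, neither variant reports an overflow; the wrapping sum comes out negative where the saturating one returns INT64_MAX, which is exactly the output difference the thread is weighing.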
* [FFmpeg-devel] [PATCH 06/11] avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5124452659888128
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6362836707442688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 599da21dba2..ef1845954e8 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -317,7 +317,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
}
if (s->codec_id == AV_CODEC_ID_IFF_ILBM) {
- w_align = FFMAX(w_align, 8);
+ w_align = FFMAX(w_align, 16);
}
*width = FFALIGN(*width, w_align);
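Review bot: the subject says the IFF_ILBM decoder assumes a multiple of 16 pixels, but nothing at this line records why 16 was chosen, so a later cleanup could lower it back to 8; add a comment pointing at the decoder code that consumes 16 pixels per step, and confirm that only the width needs the larger alignment, since `*height` is untouched here.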
--
2.17.1
* [FFmpeg-devel] [PATCH 07/11] avcodec/sonic: Fix two undefined integer overflows
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 2147483372 - -148624 cannot be represented in type 'int'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5477177805373440
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-6681622236233728
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/sonic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index 62e6193ac63..0544fecf469 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -473,7 +473,7 @@ static void predictor_init_state(int *k, int *state, int order)
static int predictor_calc_error(int *k, int *state, int order, int error)
{
- int i, x = error - shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT);
+ int i, x = error - (unsigned)shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT);
#if 1
int *k_ptr = &(k[order-2]),
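Review bot: casting the shift_down() result to `unsigned` makes the subtraction wrap instead of being undefined, and the wrapped value is then stored in `int x`; that is the accepted outcome for a corrupt stream, but it deserves a comment, because the cast looks redundant next to the `(unsigned)` already inside the shift_down() argument and is likely to be dropped by a future cleanup.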
@@ -1013,7 +1013,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, AVFrame *frame,
if (s->lossless)
quant = 1;
else
- quant = get_symbol(&c, state, 0) * SAMPLE_FACTOR;
+ quant = get_symbol(&c, state, 0) * (unsigned)SAMPLE_FACTOR;
// av_log(NULL, AV_LOG_INFO, "quant: %d\n", quant);
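Review bot: after the unsigned multiply, `quant` can wrap to zero or a negative value for hostile input; the visible lines only force `quant = 1` in the lossless case, so check that the decoder rejects `quant <= 0` before it is used as a scale factor, otherwise the fix only moves the problem from undefined arithmetic to an unvalidated parameter.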
--
2.17.1
* [FFmpeg-devel] [PATCH 08/11] avcodec/tak: Check remaining bits in ff_tak_decode_frame_header()
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6682195323650048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/tak.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/tak.c b/libavcodec/tak.c
index f26574c968e..48fe83381f1 100644
--- a/libavcodec/tak.c
+++ b/libavcodec/tak.c
@@ -169,6 +169,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb,
if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA)
return AVERROR_INVALIDDATA;
+ if (get_bits_left(gb) < 24)
+ return AVERROR_INVALIDDATA;
+
skip_bits(gb, 24);
return 0;
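Review bot: the bits-left check sits directly before `skip_bits(gb, 24)`, which is the right place, but neither the code nor the commit message says what those 24 bits are, and a reader comparing with the surrounding reads will wonder why only this one is guarded; add a comment naming the field. If ff_tak_decode_frame_header() is also called from a parser that can see truncated frames, confirm that AVERROR_INVALIDDATA rather than a need-more-data result is the intended signal for the short case.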
--
2.17.1
* [FFmpeg-devel] [PATCH 09/11] avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: index 4294967295 out of bounds for type 'uint16_t [65536]'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5950405086674944
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6666195176914944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 1a1879de890..ebc7505dcdf 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1451,7 +1451,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
break;
case TIFF_GRAY_RESPONSE_CURVE:
case DNG_LINEARIZATION_TABLE:
- if (count > FF_ARRAY_ELEMS(s->dng_lut))
+ if (count < 1 || count > FF_ARRAY_ELEMS(s->dng_lut))
return AVERROR_INVALIDDATA;
for (int i = 0; i < count; i++)
s->dng_lut[i] = ff_tget(&s->gb, type, s->le);
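Review bot: the reported index 4294967295 is `(uint32_t)(0 - 1)`, so the out-of-bounds access comes from the table being indexed at `count - 1` after this loop; rejecting `count < 1` fixes that, but a comment on the check (the last LUT entry is used, so the table needs at least one entry) would keep the `< 1` from looking arbitrary. It is also worth confirming that readers of `s->dng_lut` bound themselves by `count`, since entries past it are not written here.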
--
2.17.1
* [FFmpeg-devel] [PATCH 10/11] avcodec/dpcm: fix undefined integer overflow in wady
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -2147375930 + -133875 cannot be represented in type 'int'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WADY_DPCM_fuzzer-6703727013920768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/dpcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 6ea9e2c0650..eff6587404d 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -444,7 +444,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame,
if (n & 0x80)
s->sample[idx] = sign_extend((n & 0x7f) << 9, 16);
else
- s->sample[idx] += s->scale * wady_table[n & 0x7f];
+ s->sample[idx] += s->scale * (unsigned)wady_table[n & 0x7f];
*output_samples++ = av_clip_int16(s->sample[idx]);
idx ^= stereo;
}
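Review bot: the unsigned cast makes the accumulation defined, but `s->sample[idx]` keeps the wrapped value while only the emitted sample is clipped by av_clip_int16(), so every following delta builds on state that has already wrapped. If the format's samples are 16-bit, consider clipping the stored state as well, e.g. `s->sample[idx] = av_clip_int16(s->sample[idx] + s->scale * (unsigned)wady_table[n & 0x7f]);`, which leaves valid streams unchanged and bounds the drift on a corrupt one.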
--
2.17.1
* [FFmpeg-devel] [PATCH 11/11] avcodec/wavarc: Check order before using it to write the list
From: Michael Niedermayer @ 2023-04-16 16:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6247711015043072
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6487578428964864
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6651587794960384
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6686265824378880
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/wavarc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 896972cec82..827803c91d0 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -343,6 +343,8 @@ static int decode_2slp(AVCodecContext *avctx,
break;
case 0:
order = get_urice(gb, 2);
+ if ((unsigned)order >= FF_ARRAY_ELEMS(s->filter[ch]))
+ return AVERROR_INVALIDDATA;
for (int o = 0; o < order; o++)
s->filter[ch][o] = get_srice(gb, 2);
for (int n = 0; n < s->nb_samples; n++) {
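Review bot: the `(unsigned)` cast makes the bound check also reject a negative `order`, which is the right shape; however only `case 0` is covered by this hunk, so if other arms of the switch assign `order` before the filter loop they need the same check, and a comment saying the bound is the size of `s->filter[ch]` rather than a format limit will stop it from being changed independently of the array.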
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 11/11] avcodec/wavarc: Check order before using it to write the list
From: Michael Niedermayer @ 2023-04-30 20:04 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Apr 16, 2023 at 06:48:30PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6247711015043072
> Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6487578428964864
> Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6651587794960384
> Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6686265824378880
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/wavarc.c | 2 ++
> 1 file changed, 2 insertions(+)
will apply
[...]
* Re: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD
From: Paul B Mahol @ 2023-04-17 7:04 UTC (permalink / raw)
To: FFmpeg development discussions and patches
NAK, breaks decoding.
* Re: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD
From: Michael Niedermayer @ 2023-04-17 22:45 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Apr 17, 2023 at 09:04:48AM +0200, Paul B Mahol wrote:
> NAK, breaks decoding.
The file you posted decodes the same before and after the patch.
Is there some other issue?
Or is the patch ok with the whitespace change removed?
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Nations do behave wisely once they have exhausted all other alternatives.
-- Abba Eban
* Re: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD
From: Michael Niedermayer @ 2023-05-05 22:15 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Apr 18, 2023 at 12:45:01AM +0200, Michael Niedermayer wrote:
> On Mon, Apr 17, 2023 at 09:04:48AM +0200, Paul B Mahol wrote:
> > NAK, breaks decoding.
>
> The file you posted decodes the same before and after the patch.
> Is there some other issue?
> Or is the patch ok with the whitespace change removed?
Will apply the patchset.
I'll wait a little more for patch #1 before applying.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
* Re: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD
From: Paul B Mahol @ 2023-05-05 22:24 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, May 6, 2023 at 12:15 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> On Tue, Apr 18, 2023 at 12:45:01AM +0200, Michael Niedermayer wrote:
> > On Mon, Apr 17, 2023 at 09:04:48AM +0200, Paul B Mahol wrote:
> > > NAK, breaks decoding.
> >
> > The file you posted decodes the same before and after the patch.
> > Is there some other issue?
> > Or is the patch ok with the whitespace change removed?
>
> Will apply the patchset.
> I'll wait a little more for patch #1 before applying.
>
I sent another mail that approved it, after I tested changes. No need to
wait.
>
> thx
>
> [...]
>
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
* Re: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD
From: Michael Niedermayer @ 2023-05-05 22:31 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, May 06, 2023 at 12:24:15AM +0200, Paul B Mahol wrote:
> On Sat, May 6, 2023 at 12:15 AM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
>
> > On Tue, Apr 18, 2023 at 12:45:01AM +0200, Michael Niedermayer wrote:
> > > On Mon, Apr 17, 2023 at 09:04:48AM +0200, Paul B Mahol wrote:
> > > > NAK, breaks decoding.
> > >
> > The file you posted decodes the same before and after the patch.
> > Is there some other issue?
> > Or is the patch ok with the whitespace change removed?
> >
> > Will apply the patchset.
> > I'll wait a little more for patch #1 before applying.
> >
>
> I sent another mail that approved it, after I tested changes. No need to
> wait.
ok
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Any man who breaks a law that conscience tells him is unjust and willingly
accepts the penalty by staying in jail in order to arouse the conscience of
the community on the injustice of the law is at that moment expressing the
very highest respect for law. - Martin Luther King Jr
* Re: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD
From: Paul B Mahol @ 2023-04-17 7:27 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Apr 16, 2023 at 6:48 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> Fixes: runtime error: signed integer overflow: 2140143616 + 254665816
> cannot be represented in type 'int'
> Fixes:
> 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XMD_fuzzer-6690181676924928
>
> As a side effect this simplifies the equation; the high bits are different
> after this, but only the low 16 bits are stored and used in later steps.
> The change is untested as there are no fate testcases, no sample files on
> the server, no links on the mailing list and no reports on trac referencing
> this format that I could find.
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/adpcm.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
> index 451696932d1..d8f334cf5a0 100644
> --- a/libavcodec/adpcm.c
> +++ b/libavcodec/adpcm.c
> @@ -1579,11 +1579,11 @@ static int adpcm_decode_frame(AVCodecContext
> *avctx, AVFrame *frame,
> nibble[0] = sign_extend(byte & 15, 4);
> nibble[1] = sign_extend(byte >> 4, 4);
>
> - out[2+n*2] = (nibble[0]*(scale<<14) +
> (history[0]*29336) - (history[1]*13136)) >> 14;
> + out[2+n*2 ] = nibble[0]*scale + ((history[0]*3667 -
> history[1]*1642) >> 11);
>
Please commit this with no extra spaces added.
Here is a sample: https://0x0.st/H8Le.xmd
> history[1] = history[0];
> history[0] = out[2+n*2];
>
> - out[2+n*2+1] = (nibble[1]*(scale<<14) +
> (history[0]*29336) - (history[1]*13136)) >> 14;
> + out[2+n*2+1] = nibble[1]*scale + ((history[0]*3667 -
> history[1]*1642) >> 11);
> history[1] = history[0];
> history[0] = out[2+n*2+1];
> }
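Review bot: the commit message's "the high bits are different after this" undersells what this hunk does. Since 29336 = 8*3667 and 13136 = 8*1642, under the arithmetic right shift the existing `>> 14` already relies on, `(history[0]*29336 - history[1]*13136) >> 14` equals `(history[0]*3667 - history[1]*1642) >> 11` exactly, and `(nibble[0]*(scale<<14) + X) >> 14` equals `nibble[0]*scale + (X >> 14)` exactly, so the new lines give identical values whenever the old ones did not overflow; the only behavioural change is that the sum scaled by 2^14 (the `2140143616 + 254665816` addition the fuzzer reported) no longer exists. Stating that equivalence in the message would let reviewers accept an otherwise untested change. Separately, `out[2+n*2 ]` gains a stray space before `]` that the matching `out[2+n*2+1]` line does not have.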
> --
> 2.17.1
>
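To make the "decodes the same before and after" claim checkable without a sample file, here is an added example (not FFmpeg code) that reimplements the old and new ADPCM_XMD predictor step from the quoted hunk and compares them over a constructed sweep of inputs. The old formula is evaluated in 64-bit so it cannot overflow, which is the value the original code was meant to produce; the new formula is evaluated in plain int as the patch does. Assumptions, not taken from the page: nibble is a sign-extended 4-bit value (-8..7), scale and history fit in 16 bits, right shifts of negative values are arithmetic (floor division), and the function names and sweep values are constructed for this example.

```c
/* Added example, not FFmpeg code: compares the old and new ADPCM_XMD
 * predictor step from the patch above. Assumptions: nibble is a
 * sign-extended 4-bit value (-8..7), scale and history fit in 16 bits,
 * and right shift of a negative value is arithmetic (floor division). */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Old formula from the '-' lines, evaluated in int64_t so the
 * nibble*(scale<<14) product and the following sum cannot overflow. */
static int64_t xmd_predict_old64(int nibble, int scale, int16_t h0, int16_t h1)
{
    int64_t acc = (int64_t)nibble * ((int64_t)scale << 14)
                + (int64_t)h0 * 29336
                - (int64_t)h1 * 13136;
    return acc >> 14;
}

/* New formula from the '+' lines, evaluated in int exactly as the patch does. */
static int xmd_predict_new(int nibble, int scale, int16_t h0, int16_t h1)
{
    return nibble * scale + ((h0 * 3667 - h1 * 1642) >> 11);
}

/* 1 if evaluating the old formula in 32-bit int would overflow (the kind
 * of condition the fuzzer reported), decided from 64-bit copies of each term. */
static int old_formula_overflows_int(int nibble, int scale, int16_t h0, int16_t h1)
{
    int64_t prod = (int64_t)nibble * ((int64_t)scale << 14);
    int64_t acc  = prod + (int64_t)h0 * 29336 - (int64_t)h1 * 13136;
    return prod > INT_MAX || prod < INT_MIN || acc > INT_MAX || acc < INT_MIN;
}

/* Constructed sweep: every nibble, plus corner values of scale and history. */
static const int     k_scales[] = { 0, 1, 255, 4096, 32767 };
static const int16_t k_hist[]   = { INT16_MIN, -12345, -1, 0, 1, 12345, INT16_MAX };
#define NSCALES (sizeof k_scales / sizeof k_scales[0])
#define NHIST   (sizeof k_hist   / sizeof k_hist[0])

/* Number of sweep points where the overflow-free old value and the new
 * value disagree. Expected: 0, because 29336 = 8*3667 and 13136 = 8*1642. */
static int count_mismatches(void)
{
    int mismatches = 0;
    for (int n = -8; n <= 7; n++)
        for (size_t s = 0; s < NSCALES; s++)
            for (size_t a = 0; a < NHIST; a++)
                for (size_t b = 0; b < NHIST; b++)
                    if (xmd_predict_old64(n, k_scales[s], k_hist[a], k_hist[b]) !=
                        xmd_predict_new(n, k_scales[s], k_hist[a], k_hist[b]))
                        mismatches++;
    return mismatches;
}

/* Number of sweep points where the old 32-bit evaluation would have overflowed. */
static int count_old_overflows(void)
{
    int overflows = 0;
    for (int n = -8; n <= 7; n++)
        for (size_t s = 0; s < NSCALES; s++)
            for (size_t a = 0; a < NHIST; a++)
                for (size_t b = 0; b < NHIST; b++)
                    overflows += old_formula_overflows_int(n, k_scales[s], k_hist[a], k_hist[b]);
    return overflows;
}

int main(void)
{
    printf("old/new mismatches over the sweep: %d\n", count_mismatches());
    printf("sweep points that overflowed the old int formula: %d\n", count_old_overflows());
    printf("spot check new(-8, 32767, INT16_MIN, INT16_MAX) = %d\n",
           xmd_predict_new(-8, 32767, INT16_MIN, INT16_MAX));
    return count_mismatches() != 0;
}
```

The sweep reports zero mismatches while several of its points (large scale with a large-magnitude nibble) would have overflowed the original 32-bit expression, which is the property a reviewer wants before accepting a change the author could not test: the rewrite removes the undefined behaviour without altering any output value.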
* Re: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD
From: Michael Niedermayer @ 2023-04-17 11:42 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Apr 17, 2023 at 09:27:03AM +0200, Paul B Mahol wrote:
> On Sun, Apr 16, 2023 at 6:48 PM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
>
> > Fixes: runtime error: signed integer overflow: 2140143616 + 254665816
> > cannot be represented in type 'int'
> > Fixes:
> > 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XMD_fuzzer-6690181676924928
> >
> > As a side effect this simplifies the equation; the high bits are different
> > after this, but only the low 16 bits are stored and used in later steps.
> > The change is untested as there are no fate testcases, no sample files on
> > the server, no links on the mailing list and no reports on trac referencing
> > this format that I could find.
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/adpcm.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
> > index 451696932d1..d8f334cf5a0 100644
> > --- a/libavcodec/adpcm.c
> > +++ b/libavcodec/adpcm.c
> > @@ -1579,11 +1579,11 @@ static int adpcm_decode_frame(AVCodecContext
> > *avctx, AVFrame *frame,
> > nibble[0] = sign_extend(byte & 15, 4);
> > nibble[1] = sign_extend(byte >> 4, 4);
> >
> > - out[2+n*2] = (nibble[0]*(scale<<14) +
> > (history[0]*29336) - (history[1]*13136)) >> 14;
> > + out[2+n*2 ] = nibble[0]*scale + ((history[0]*3667 -
> > history[1]*1642) >> 11);
> >
>
> Please commit this with no extra spaces added.
ok
>
> Here is a sample: https://0x0.st/H8Le.xmd
Thanks a lot, I will test with this before applying.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If the United States is serious about tackling the national security threats
related to an insecure 5G network, it needs to rethink the extent to which it
values corporate profits and government espionage over security. - Bruce Schneier