* [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago
@ 2023-05-25 21:40 Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 2/5] avcodec/takdsp: Fix integer overflows Michael Niedermayer
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-05-25 21:40 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -9223372036854775808 - 2082844800 cannot be represented in type 'long'
Fixes: 58384/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6428383700713472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mov.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 9fdeef057e..3e2c4bc10d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1530,6 +1530,10 @@ static void mov_metadata_creation_time(MOVContext *c, AVIOContext *pb, AVDiction
}
}
if (time) {
+ if (time < INT64_MIN + 2082844800) {
+ av_log(c->fc, AV_LOG_DEBUG, "creation_time predates big bang\n");
+ return;
+ }
time -= 2082844800; /* seconds between 1904-01-01 and Epoch */
if ((int64_t)(time * 1000000ULL) / 1000000 != time) {
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 2/5] avcodec/takdsp: Fix integer overflows
2023-05-25 21:40 [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Michael Niedermayer
@ 2023-05-25 21:40 ` Michael Niedermayer
2023-06-18 12:16 ` Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 3/5] avcodec/rka: Avoid undefined left shift Michael Niedermayer
` (3 subsequent siblings)
4 siblings, 1 reply; 8+ messages in thread
From: Michael Niedermayer @ 2023-05-25 21:40 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: avcodec/takdsp.c:44:23: runtime error: signed integer overflow: -2097158 - 2147012608 cannot be represented in type 'int'
Fixes: 58417/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5268919664640000
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/takdsp.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c
index 881d7be5f2..b646a063db 100644
--- a/libavcodec/takdsp.c
+++ b/libavcodec/takdsp.c
@@ -28,8 +28,8 @@ static void decorrelate_ls(int32_t *p1, int32_t *p2, int length)
int i;
for (i = 0; i < length; i++) {
- int32_t a = p1[i];
- int32_t b = p2[i];
+ uint32_t a = p1[i];
+ uint32_t b = p2[i];
p2[i] = a + b;
}
}
@@ -39,8 +39,8 @@ static void decorrelate_sr(int32_t *p1, int32_t *p2, int length)
int i;
for (i = 0; i < length; i++) {
- int32_t a = p1[i];
- int32_t b = p2[i];
+ uint32_t a = p1[i];
+ uint32_t b = p2[i];
p1[i] = b - a;
}
}
@@ -50,7 +50,7 @@ static void decorrelate_sm(int32_t *p1, int32_t *p2, int length)
int i;
for (i = 0; i < length; i++) {
- int32_t a = p1[i];
+ uint32_t a = p1[i];
int32_t b = p2[i];
a -= b >> 1;
p1[i] = a;
@@ -63,7 +63,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int
int i;
for (i = 0; i < length; i++) {
- int32_t a = p1[i];
+ uint32_t a = p1[i];
int32_t b = p2[i];
b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift;
p1[i] = b - a;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 3/5] avcodec/rka: Avoid undefined left shift
2023-05-25 21:40 [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 2/5] avcodec/takdsp: Fix integer overflows Michael Niedermayer
@ 2023-05-25 21:40 ` Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 4/5] avcodec/hevcdec: Avoid null pointer dereferences in MC Michael Niedermayer
` (2 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-05-25 21:40 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: left shift of 34136248 by 6 places cannot be represented in type 'int'
Fixes: 58429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-5692211592560640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/rka.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rka.c b/libavcodec/rka.c
index 3e86d83819..01920dbba5 100644
--- a/libavcodec/rka.c
+++ b/libavcodec/rka.c
@@ -750,7 +750,7 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns
}
if (ctx->cmode2 != 0) {
int sum = 0;
- for (int i = (m << 6) / split; i > 0; i = i >> 1)
+ for (int i = (signed)((unsigned)m << 6) / split; i > 0; i = i >> 1)
sum++;
sum = sum - (ctx->cmode2 + 7);
ctx->cmode = FFMAX(sum, tab[ctx->cmode2]);
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 4/5] avcodec/hevcdec: Avoid null pointer dereferences in MC
2023-05-25 21:40 [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 2/5] avcodec/takdsp: Fix integer overflows Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 3/5] avcodec/rka: Avoid undefined left shift Michael Niedermayer
@ 2023-05-25 21:40 ` Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 5/5] avcodec/hevc_refs: Check that nb_refs stays <= HEVC_MAX_REFS Michael Niedermayer
2023-05-28 18:53 ` [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Marton Balint
4 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-05-25 21:40 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffff8
Fixes: 58440/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5956015530311680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hevcdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 7e1bf4e915..90000203e4 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -1940,13 +1940,13 @@ static void hls_prediction_unit(HEVCLocalContext *lc, int x0, int y0,
if (current_mv.pred_flag & PF_L0) {
ref0 = refPicList[0].ref[current_mv.ref_idx[0]];
- if (!ref0)
+ if (!ref0 || !ref0->frame->data[0])
return;
hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH);
}
if (current_mv.pred_flag & PF_L1) {
ref1 = refPicList[1].ref[current_mv.ref_idx[1]];
- if (!ref1)
+ if (!ref1 || !ref1->frame->data[0])
return;
hevc_await_progress(s, ref1, ¤t_mv.mv[1], y0, nPbH);
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* [FFmpeg-devel] [PATCH 5/5] avcodec/hevc_refs: Check that nb_refs stays <= HEVC_MAX_REFS
2023-05-25 21:40 [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Michael Niedermayer
` (2 preceding siblings ...)
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 4/5] avcodec/hevcdec: Avoid null pointer dereferences in MC Michael Niedermayer
@ 2023-05-25 21:40 ` Michael Niedermayer
2023-05-28 18:53 ` [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Marton Balint
4 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-05-25 21:40 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: 58528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5834725318328320
Fixes: index 16 out of bounds for type 'int [16]'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hevc_refs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevc_refs.c b/libavcodec/hevc_refs.c
index e9be02c489..0716e1a597 100644
--- a/libavcodec/hevc_refs.c
+++ b/libavcodec/hevc_refs.c
@@ -353,7 +353,7 @@ int ff_hevc_slice_rpl(HEVCContext *s)
}
}
// Construct RefPicList0, RefPicList1 (8-8, 8-10)
- if (s->ps.pps->pps_curr_pic_ref_enabled_flag) {
+ if (s->ps.pps->pps_curr_pic_ref_enabled_flag && rpl_tmp.nb_refs < HEVC_MAX_REFS) {
rpl_tmp.list[rpl_tmp.nb_refs] = s->ref->poc;
rpl_tmp.ref[rpl_tmp.nb_refs] = s->ref;
rpl_tmp.isLongTerm[rpl_tmp.nb_refs] = 1;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago
2023-05-25 21:40 [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Michael Niedermayer
` (3 preceding siblings ...)
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 5/5] avcodec/hevc_refs: Check that nb_refs stays <= HEVC_MAX_REFS Michael Niedermayer
@ 2023-05-28 18:53 ` Marton Balint
2023-05-28 21:03 ` Michael Niedermayer
4 siblings, 1 reply; 8+ messages in thread
From: Marton Balint @ 2023-05-28 18:53 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, 25 May 2023, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -9223372036854775808 - 2082844800 cannot be represented in type 'long'
> Fixes: 58384/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6428383700713472
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mov.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 9fdeef057e..3e2c4bc10d 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -1530,6 +1530,10 @@ static void mov_metadata_creation_time(MOVContext *c, AVIOContext *pb, AVDiction
> }
> }
> if (time) {
> + if (time < INT64_MIN + 2082844800) {
> + av_log(c->fc, AV_LOG_DEBUG, "creation_time predates big bang\n");
> + return;
> + }
Actually creation_time is unsigned, so it cannot be negative. I suggest
you simply reject everyting less than 0 here. You should also move the
check to the version == 1 case, because only that can read a "negative"
value.
Regards,
Marton
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago
2023-05-28 18:53 ` [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Marton Balint
@ 2023-05-28 21:03 ` Michael Niedermayer
0 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-05-28 21:03 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 1541 bytes --]
On Sun, May 28, 2023 at 08:53:49PM +0200, Marton Balint wrote:
>
>
> On Thu, 25 May 2023, Michael Niedermayer wrote:
>
> > Fixes: signed integer overflow: -9223372036854775808 - 2082844800 cannot be represented in type 'long'
> > Fixes: 58384/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6428383700713472
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/mov.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 9fdeef057e..3e2c4bc10d 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -1530,6 +1530,10 @@ static void mov_metadata_creation_time(MOVContext *c, AVIOContext *pb, AVDiction
> > }
> > }
> > if (time) {
> > + if (time < INT64_MIN + 2082844800) {
> > + av_log(c->fc, AV_LOG_DEBUG, "creation_time predates big bang\n");
> > + return;
> > + }
>
> Actually creation_time is unsigned, so it cannot be negative. I suggest you
> simply reject everyting less than 0 here. You should also move the check to
> the version == 1 case, because only that can read a "negative" value.
ok will apply with these changes
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/5] avcodec/takdsp: Fix integer overflows
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 2/5] avcodec/takdsp: Fix integer overflows Michael Niedermayer
@ 2023-06-18 12:16 ` Michael Niedermayer
0 siblings, 0 replies; 8+ messages in thread
From: Michael Niedermayer @ 2023-06-18 12:16 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 824 bytes --]
On Thu, May 25, 2023 at 11:40:16PM +0200, Michael Niedermayer wrote:
> Fixes: avcodec/takdsp.c:44:23: runtime error: signed integer overflow: -2097158 - 2147012608 cannot be represented in type 'int'
> Fixes: 58417/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5268919664640000
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/takdsp.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
will apply the remaining patches of this set (2-5)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-06-18 12:16 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-05-25 21:40 [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 2/5] avcodec/takdsp: Fix integer overflows Michael Niedermayer
2023-06-18 12:16 ` Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 3/5] avcodec/rka: Avoid undefined left shift Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 4/5] avcodec/hevcdec: Avoid null pointer dereferences in MC Michael Niedermayer
2023-05-25 21:40 ` [FFmpeg-devel] [PATCH 5/5] avcodec/hevc_refs: Check that nb_refs stays <= HEVC_MAX_REFS Michael Niedermayer
2023-05-28 18:53 ` [FFmpeg-devel] [PATCH 1/5] avformat/mov: We do not support creation times of 300 billion years ago Marton Balint
2023-05-28 21:03 ` Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git