[FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed

* [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc
@ 2023-09-05  2:03 Michael Niedermayer
  2023-09-05  2:03 ` [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_h266_syntax_template: Check num_multi_layer_olss Michael Niedermayer
  2023-09-25 19:21 ` [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc Michael Niedermayer
  0 siblings, 2 replies; 5+ messages in thread
From: Michael Niedermayer @ 2023-09-05  2:03 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: 2147483181 + 1024 cannot be represented in type 'int'
Fixes: 61117/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMIX_fuzzer-5387692433866752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vmixdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vmixdec.c b/libavcodec/vmixdec.c
index b77c90929a..8f2278b2ea 100644
--- a/libavcodec/vmixdec.c
+++ b/libavcodec/vmixdec.c
@@ -134,7 +134,7 @@ static int decode_dcac(AVCodecContext *avctx,
                     ac_run = get_ue_golomb_long(ac_gb);
             }
 
-            block[0] = dc + add;
+            block[0] = dc + (unsigned)add;
             s->idsp.idct_put(dst + x, linesize, block);
         }
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_h266_syntax_template: Check num_multi_layer_olss
  2023-09-05  2:03 [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc Michael Niedermayer
@ 2023-09-05  2:03 ` Michael Niedermayer
  2023-09-05 14:51   ` Nuo Mi
  2023-09-25 19:21 ` [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc Michael Niedermayer
  1 sibling, 1 reply; 5+ messages in thread
From: Michael Niedermayer @ 2023-09-05  2:03 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

The constraints in the specification are self contradictionary if num_multi_layer_olss is 0
That is they require various variables to be positive and smaller than 0. So
num_multi_layer_olss cannot be 0 if vps_each_layer_is_an_ols_flag is 0

Its quite possible a broader check can be used, this is just the first
condition that I saw violated

Fixes: index 257 out of bounds for type 'uint8_t [257]'
Fixes: 61160/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-6709397181825024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cbs_h266_syntax_template.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c
index 4075897b9a..31b9d0b030 100644
--- a/libavcodec/cbs_h266_syntax_template.c
+++ b/libavcodec/cbs_h266_syntax_template.c
@@ -944,6 +944,10 @@ static int FUNC(vps) (CodedBitstreamContext *ctx, RWContext *rw,
 
     if (!current->vps_each_layer_is_an_ols_flag) {
         uint16_t vps_num_dpb_params;
+
+        if (num_multi_layer_olss <= 0)
+            return AVERROR_INVALIDDATA;
+
         ue(vps_num_dpb_params_minus1, 0, num_multi_layer_olss - 1);
         if (current->vps_each_layer_is_an_ols_flag)
             vps_num_dpb_params = 0;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_h266_syntax_template: Check num_multi_layer_olss
  2023-09-05  2:03 ` [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_h266_syntax_template: Check num_multi_layer_olss Michael Niedermayer
@ 2023-09-05 14:51   ` Nuo Mi
  2023-09-05 23:41     ` Michael Niedermayer
  0 siblings, 1 reply; 5+ messages in thread
From: Nuo Mi @ 2023-09-05 14:51 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

On Tue, Sep 5, 2023 at 10:04 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> The constraints in the specification are self contradictionary if
> num_multi_layer_olss is 0
>

Hi Michael,
See
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/cbs_h266_syntax_template.c#L897
This loop can make sure num_multi_layer_olss > 0. The only exception
is vps_ols_mode_idc == 3.
which is reserved by future extension.

Did you see the "ols_mode_idc == 3, patch welcome" output?
Maybe we can return an error at that place.

That is they require various variables to be positive and smaller than 0. So
> num_multi_layer_olss cannot be 0 if vps_each_layer_is_an_ols_flag is 0
>
> Its quite possible a broader check can be used, this is just the first
> condition that I saw violated
>
> Fixes: index 257 out of bounds for type 'uint8_t [257]'
> Fixes:
> 61160/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-6709397181825024


> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/cbs_h266_syntax_template.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/libavcodec/cbs_h266_syntax_template.c
> b/libavcodec/cbs_h266_syntax_template.c
> index 4075897b9a..31b9d0b030 100644
> --- a/libavcodec/cbs_h266_syntax_template.c
> +++ b/libavcodec/cbs_h266_syntax_template.c
> @@ -944,6 +944,10 @@ static int FUNC(vps) (CodedBitstreamContext *ctx,
> RWContext *rw,
>
>      if (!current->vps_each_layer_is_an_ols_flag) {
>          uint16_t vps_num_dpb_params;
> +
> +        if (num_multi_layer_olss <= 0)
> +            return AVERROR_INVALIDDATA;
> +
>          ue(vps_num_dpb_params_minus1, 0, num_multi_layer_olss - 1);
>          if (current->vps_each_layer_is_an_ols_flag)
>              vps_num_dpb_params = 0;
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_h266_syntax_template: Check num_multi_layer_olss
  2023-09-05 14:51   ` Nuo Mi
@ 2023-09-05 23:41     ` Michael Niedermayer
  0 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2023-09-05 23:41 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


[-- Attachment #1.1: Type: text/plain, Size: 3062 bytes --]

On Tue, Sep 05, 2023 at 10:51:23PM +0800, Nuo Mi wrote:
> On Tue, Sep 5, 2023 at 10:04 AM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
> > The constraints in the specification are self contradictionary if
> > num_multi_layer_olss is 0
> >
> 
> Hi Michael,
> See
> https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/cbs_h266_syntax_template.c#L897
> This loop can make sure num_multi_layer_olss > 0. The only exception
> is vps_ols_mode_idc == 3.
> which is reserved by future extension.
> 
> Did you see the "ols_mode_idc == 3, patch welcome" output?
> Maybe we can return an error at that place.

ols_mode_idc and vps_ols_mode_idc are 2


> 
> That is they require various variables to be positive and smaller than 0. So
> > num_multi_layer_olss cannot be 0 if vps_each_layer_is_an_ols_flag is 0
> >
> > Its quite possible a broader check can be used, this is just the first
> > condition that I saw violated
> >
> > Fixes: index 257 out of bounds for type 'uint8_t [257]'
> > Fixes:
> > 61160/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-6709397181825024
> 
> 
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by
> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/cbs_h266_syntax_template.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/libavcodec/cbs_h266_syntax_template.c
> > b/libavcodec/cbs_h266_syntax_template.c
> > index 4075897b9a..31b9d0b030 100644
> > --- a/libavcodec/cbs_h266_syntax_template.c
> > +++ b/libavcodec/cbs_h266_syntax_template.c
> > @@ -944,6 +944,10 @@ static int FUNC(vps) (CodedBitstreamContext *ctx,
> > RWContext *rw,
> >
> >      if (!current->vps_each_layer_is_an_ols_flag) {
> >          uint16_t vps_num_dpb_params;
> > +
> > +        if (num_multi_layer_olss <= 0)
> > +            return AVERROR_INVALIDDATA;
> > +
> >          ue(vps_num_dpb_params_minus1, 0, num_multi_layer_olss - 1);
> >          if (current->vps_each_layer_is_an_ols_flag)
> >              vps_num_dpb_params = 0;
> > --
> > 2.17.1
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> >
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Into a blind darkness they enter who follow after the Ignorance,
they as if into a greater darkness enter who devote themselves
to the Knowledge alone. -- Isha Upanishad

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc
  2023-09-05  2:03 [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc Michael Niedermayer
  2023-09-05  2:03 ` [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_h266_syntax_template: Check num_multi_layer_olss Michael Niedermayer
@ 2023-09-25 19:21 ` Michael Niedermayer
  1 sibling, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2023-09-25 19:21 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


[-- Attachment #1.1: Type: text/plain, Size: 722 bytes --]

On Tue, Sep 05, 2023 at 04:03:57AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483181 + 1024 cannot be represented in type 'int'
> Fixes: 61117/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMIX_fuzzer-5387692433866752
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/vmixdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply this

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-09-25 19:21 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-05  2:03 [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc Michael Niedermayer
2023-09-05  2:03 ` [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_h266_syntax_template: Check num_multi_layer_olss Michael Niedermayer
2023-09-05 14:51   ` Nuo Mi
2023-09-05 23:41     ` Michael Niedermayer
2023-09-25 19:21 ` [FFmpeg-devel] [PATCH 1/2] avcodec/vmixdec: Fix signed integer overflow in dc Michael Niedermayer

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git