[FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate

[FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate

[Michael Niedermayer]

Fixes: signed integer overflow: 538976288 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6275845531238400

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/flacdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 524a0469495..0569f019b3a 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -706,10 +706,10 @@ static void decorrelate_33bps(int ch_mode, int32_t **decoded, int64_t *decoded_3
     int i;
     if (ch_mode == FLAC_CHMODE_LEFT_SIDE ) {
         for (i = 0; i < len; i++)
-           decoded[1][i] = decoded[0][i] - decoded_33bps[i];
+           decoded[1][i] = decoded[0][i] - (uint64_t)decoded_33bps[i];
     } else if (ch_mode == FLAC_CHMODE_RIGHT_SIDE ) {
         for (i = 0; i < len; i++)
-           decoded[0][i] = decoded[1][i] + decoded_33bps[i];
+           decoded[0][i] = decoded[1][i] + (uint64_t)decoded_33bps[i];
     } else if (ch_mode == FLAC_CHMODE_MID_SIDE ) {
         for (i = 0; i < len; i++) {
             uint64_t a = decoded[0][i];
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/5] avcodec/flacdec: Fix integer overflow in "33bit" DECODER_SUBFRAME_FIXED_WIDE()

[Michael Niedermayer]

Fixes: signed integer overflow: 4 * 2307917133220067266 cannot be represented in type 'long'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6307690022043648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/flacdec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 0569f019b3a..ed2de14d0a9 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -366,19 +366,19 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded,
         break;                                                        \
     case 1:                                                           \
         for (int i = pred_order; i < blocksize; i++)                  \
-            decoded[i] = (int64_t)residual[i] + (int64_t)decoded[i-1];\
+            decoded[i] = (uint64_t)residual[i] + (uint64_t)decoded[i-1];\
         break;                                                        \
     case 2:                                                           \
         for (int i = pred_order; i < blocksize; i++)                  \
-            decoded[i] = (int64_t)residual[i] + 2*(int64_t)decoded[i-1] - (int64_t)decoded[i-2];  \
+            decoded[i] = (uint64_t)residual[i] + 2*(uint64_t)decoded[i-1] - (uint64_t)decoded[i-2];  \
         break;                                                        \
     case 3:                                                           \
         for (int i = pred_order; i < blocksize; i++)                  \
-            decoded[i] = (int64_t)residual[i] + 3*(int64_t)decoded[i-1] - 3*(int64_t)decoded[i-2] + (int64_t)decoded[i-3];   \
+            decoded[i] = (uint64_t)residual[i] + 3*(uint64_t)decoded[i-1] - 3*(uint64_t)decoded[i-2] + (uint64_t)decoded[i-3];   \
         break;                                                        \
     case 4:                                                           \
         for (int i = pred_order; i < blocksize; i++)                  \
-            decoded[i] = (int64_t)residual[i] + 4*(int64_t)decoded[i-1] - 6*(int64_t)decoded[i-2] + 4*(int64_t)decoded[i-3] - (int64_t)decoded[i-4];   \
+            decoded[i] = (uint64_t)residual[i] + 4*(uint64_t)decoded[i-1] - 6*(uint64_t)decoded[i-2] + 4*(uint64_t)decoded[i-3] - (uint64_t)decoded[i-4];   \
         break;                                                        \
     default:                                                          \
         av_log(s->avctx, AV_LOG_ERROR, "illegal pred order %d\n", pred_order);   \
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/5] avcodec/utvideodec: move allocation to the end of init

[Michael Niedermayer]

Fixes: mem leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-6666804266926080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/utvideodec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 7ee07209d47..4987ee0196a 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -985,10 +985,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
         return AVERROR_INVALIDDATA;
     }
 
-    c->buffer = av_calloc(avctx->width + 8, c->pro?2:1);
-    if (!c->buffer)
-        return AVERROR(ENOMEM);
-
     av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift);
     if ((avctx->width  & ((1<<h_shift)-1)) ||
         (avctx->height & ((1<<v_shift)-1))) {
@@ -1036,6 +1032,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
         return AVERROR_INVALIDDATA;
     }
 
+    c->buffer = av_calloc(avctx->width + 8, c->pro?2:1);
+    if (!c->buffer)
+        return AVERROR(ENOMEM);
+
     return 0;
 }
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail

[Michael Niedermayer]

Fixes: leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-6449246523752448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vlc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
index 3b66c943546..acc081e8b74 100644
--- a/libavcodec/vlc.c
+++ b/libavcodec/vlc.c
@@ -478,6 +478,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int
 fail:
     if (buf != localbuf)
         av_free(buf);
+    ff_vlc_free_multi(multi);
     return AVERROR_INVALIDDATA;
 }
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail

[Paul B Mahol]

LGTM
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 5/5] avformat/avs: Check if return code is representable

[Michael Niedermayer]

Fixes: leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-6738814988320768

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/avs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/avs.c b/libavformat/avs.c
index ab47980a11c..19f03731573 100644
--- a/libavformat/avs.c
+++ b/libavformat/avs.c
@@ -140,6 +140,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt)
         return 0;    /* this indicate EOS */
     if (ret < 0)
         return ret;
+    if (size != (int)size) {
+        av_packet_unref(pkt);
+        return AVERROR(EDOM);
+    }
 
     pkt->stream_index = avs->st_audio->index;
     pkt->flags |= AV_PKT_FLAG_KEY;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 717 bytes --]

On Wed, Sep 20, 2023 at 02:30:30AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 538976288 - -9223372036854775808 cannot be represented in type 'long'
> Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6275845531238400
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/flacdec.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

will apply patchset

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

He who knows, does not speak. He who speaks, does not know. -- Lao Tsu

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".