* [FFmpeg-devel] [PATCH 1/3] avcodec/wavarc: Use unsigned for samples in 1dif, 2slp, 5elp
From: Michael Niedermayer @ 2023-09-10 1:09 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 141394472 + 2038060365 cannot be represented in type 'int'
Fixes: 61787/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5882604925878272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/wavarc.c | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index b954e8800cd..2e32b46ebd9 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -243,18 +243,18 @@ static int decode_1dif(AVCodecContext *avctx,
break;
case 3:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 4] = get_srice(gb, k) + (samples[n + 3] - samples[n + 2]) * 3 +
+ samples[n + 4] = get_srice(gb, k) + (samples[n + 3] - (unsigned)samples[n + 2]) * 3 +
samples[n + 1];
finished = 1;
break;
case 2:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 4] = get_srice(gb, k) + (samples[n + 3] * 2 - samples[n + 2]);
+ samples[n + 4] = get_srice(gb, k) + (samples[n + 3] * 2U - samples[n + 2]);
finished = 1;
break;
case 1:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 4] = get_srice(gb, k) + samples[n + 3];
+ samples[n + 4] = get_srice(gb, k) + (unsigned)samples[n + 3];
finished = 1;
break;
case 0:
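Review bot: the casts make the intermediate arithmetic wrap instead of overflowing, but nothing in the hunk records why, so a later cleanup could drop a `(unsigned)` and silently reintroduce the undefined behaviour; a short comment above the switch (for example `/* samples intentionally wrap: residuals from get_srice are untrusted */`) would anchor the fix. The three cases are not converted uniformly, and that is fine: in case 3 only `samples[n + 2]` is cast, which is enough because `(samples[n + 3] - (unsigned)samples[n + 2]) * 3 + samples[n + 1]` stays unsigned through the `* 3` and the `+ samples[n + 1]`, and the outer `get_srice(gb, k) + ...` is then unsigned as well. The store back into the int array relies on the implementation-defined two's-complement conversion that FFmpeg assumes throughout, so this matches the tree's usual idiom.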
@@ -343,13 +343,13 @@ static int decode_2slp(AVCodecContext *avctx,
break;
case 4:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] = get_srice(gb, k) + (samples[n + 69] - samples[n + 68]) * 3 +
+ samples[n + 70] = get_srice(gb, k) + (samples[n + 69] - (unsigned)samples[n + 68]) * 3 +
samples[n + 67];
finished = 1;
break;
case 3:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] = get_srice(gb, k) + (samples[n + 69] * 2 - samples[n + 68]);
+ samples[n + 70] = get_srice(gb, k) + (samples[n + 69] * 2U - samples[n + 68]);
finished = 1;
break;
case 2:
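Review bot: these cases duplicate the decode_1dif predictor formulas with only the base offset changed (`n + 69`/`n + 68`/`n + 67` here versus `n + 3`/`n + 2`/`n + 1` there), so the unsigned fix has to be applied line by line in both functions; a small shared inline predictor taking the sample pointer would keep the wrap semantics in one place and make this class of fuzzer report harder to reintroduce. The `2U` in case 3 is sufficient on its own, since `samples[n + 69] * 2U - samples[n + 68]` is unsigned for the whole expression.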
@@ -359,7 +359,7 @@ static int decode_2slp(AVCodecContext *avctx,
break;
case 1:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] = get_srice(gb, k) + samples[n + 69];
+ samples[n + 70] = get_srice(gb, k) + (unsigned)samples[n + 69];
finished = 1;
break;
case 0:
@@ -630,7 +630,7 @@ static int decode_5elp(AVCodecContext *avctx,
case 20:
case 7:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] += ac_out[n] + samples[n + 69] * 3 - samples[n + 68] * 3 + samples[n + 67];
+ samples[n + 70] += ac_out[n] + samples[n + 69] * 3U - samples[n + 68] * 3U + samples[n + 67];
finished = 1;
break;
case 19:
@@ -653,14 +653,14 @@ static int decode_5elp(AVCodecContext *avctx,
samples[n] = ac_pred[n];
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] += ac_out[n] + samples[n + 69] * 3 - samples[n + 68] * 3 + samples[n + 67];
+ samples[n + 70] += ac_out[n] + samples[n + 69] * 3U - samples[n + 68] * 3U + samples[n + 67];
finished = 1;
break;
case 18:
case 5:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] += ac_out[n] + samples[n + 69] * 2 - samples[n + 68];
+ samples[n + 70] += ac_out[n] + samples[n + 69] * 2U - samples[n + 68];
finished = 1;
break;
case 17:
@@ -672,7 +672,7 @@ static int decode_5elp(AVCodecContext *avctx,
case 16:
case 3:
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] += ac_out[n] + samples[n + 69];
+ samples[n + 70] += ac_out[n] + (unsigned)samples[n + 69];
finished = 1;
break;
case 15:
@@ -695,7 +695,7 @@ static int decode_5elp(AVCodecContext *avctx,
samples[n] = ac_pred[n];
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] += samples[n + 69] * 2 - samples[n + 68];
+ samples[n + 70] += samples[n + 69] * 2U - samples[n + 68];
finished = 1;
break;
@@ -712,14 +712,14 @@ static int decode_5elp(AVCodecContext *avctx,
for (int o = 0; o < order; o++)
sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
- samples[n + 70] += ac_out[n] + (sum >> 4);
+ samples[n + 70] += (unsigned)ac_out[n] + (sum >> 4);
}
for (int n = 0; n < 70; n++)
samples[n] = ac_pred[n];
for (int n = 0; n < s->nb_samples; n++)
- samples[n + 70] += samples[n + 69];
+ samples[n + 70] += (unsigned)samples[n + 69];
finished = 1;
break;
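Review bot: whether the new `(unsigned)ac_out[n]` cast changes anything depends on the declared type of `sum`, which is outside the hunk: the `sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];` accumulation is already unsigned on its right-hand side, so if `sum` is unsigned then `ac_out[n] + (sum >> 4)` was never a signed addition and the cast is redundant; if `sum` is a plain int, the cast fixes this addition while each `sum +=` step still converts an unsigned product back to int. Saying in the commit message which expression produced the reported `141394472 + 2038060365` addition would make the 5elp changes easier to verify. The `(unsigned)samples[n + 69]` in the trailing loop follows the same pattern as the other hunks.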
@@ -731,7 +731,7 @@ static int decode_5elp(AVCodecContext *avctx,
for (int o = 0; o < order; o++)
sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
- samples[n + 70] += ac_out[n] + (sum >> 4);
+ samples[n + 70] += (unsigned)ac_out[n] + (sum >> 4);
}
finished = 1;
break;
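Review bot: this is the same change as in the previous hunk, so the same question about the type of `sum` applies; if both loops apply the same filter, factoring them into one helper would mean the `(unsigned)ac_out[n]` cast is written and reasoned about once.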
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
From: Michael Niedermayer @ 2023-09-10 1:09 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 61991/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5524679648215040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/jpegxl_anim_dec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/jpegxl_anim_dec.c b/libavformat/jpegxl_anim_dec.c
index fc95a1781f6..54cd6e4e9d6 100644
--- a/libavformat/jpegxl_anim_dec.c
+++ b/libavformat/jpegxl_anim_dec.c
@@ -152,6 +152,8 @@ static int jpegxl_anim_read_packet(AVFormatContext *s, AVPacket *pkt)
size = avio_size(pb);
if (size < 0)
return size;
+ if (size > INT_MAX)
+ return AVERROR(EDOM);
if (size == 0)
size = 4096;
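Review bot: the new bound stops the int64 `size` returned by `avio_size()` from being truncated when it is later passed as an int, but the hunk does not show which call that is; naming it in the commit message (the subject only says "argument") would let reviewers confirm `INT_MAX` is the right limit. `INT_MAX` also still allows an input-sized read or allocation of almost 2 GiB; if the value feeds a buffer the demuxer fills from the file (the `size == 0` fallback to `4096` reads like a read-buffer size), a tighter, format-specific cap may be preferable.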
--
2.17.1
From: Michael Niedermayer @ 2023-09-14 19:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Sep 10, 2023 at 03:09:51AM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 61991/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-5524679648215040
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/jpegxl_anim_dec.c | 2 ++
> 1 file changed, 2 insertions(+)
will apply the 2 jpegxl patches as 2 more reports about the same issue appeared
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No snowflake in an avalanche ever feels responsible. -- Voltaire
From: Michael Niedermayer @ 2023-09-10 1:09 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 62113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5025082076168192
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/jpegxl_parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 20c8a41a89b..619a16448fa 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -1326,7 +1326,7 @@ static int skip_boxes(JXLParseContext *ctx, const uint8_t *buf, int buf_size)
if (!size)
return AVERROR_INVALIDDATA;
/* invalid ISOBMFF size */
- if (size <= head_size + 4)
+ if (size <= head_size + 4 || size > INT_MAX - ctx->skip)
return AVERROR_INVALIDDATA;
ctx->skip += size;
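Review bot: `INT_MAX - ctx->skip` is only safe if `ctx->skip` is non-negative at this point, which the hunk does not establish; if `skip` is reset to zero before the boxes are walked, a short comment or an `av_assert0()` on it would make the invariant explicit. The comment above the condition still reads `/* invalid ISOBMFF size */` while the condition now also rejects a size that would overflow the accumulated skip; extending it to say so keeps the comment accurate. The comparison also presumes `size` is a 64-bit box size, as ISOBMFF allows, in which case promotion against the int right-hand side is correct provided that right-hand side is itself non-negative.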
--
2.17.1
From: Michael Niedermayer @ 2023-09-22 19:33 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Sep 10, 2023 at 03:09:50AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 141394472 + 2038060365 cannot be represented in type 'int'
> Fixes: 61787/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5882604925878272
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/wavarc.c | 28 ++++++++++++++--------------
> 1 file changed, 14 insertions(+), 14 deletions(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.