* [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA
@ 2023-09-13 23:47 Michael Niedermayer
From: Michael Niedermayer @ 2023-09-13 23:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 62120/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5647877768347648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
tools/target_dec_fuzzer.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index c3f88ef49f6..8e66f378462 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -261,6 +261,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
case AV_CODEC_ID_MSZH: maxpixels /= 128; break;
case AV_CODEC_ID_MTS2: maxpixels /= 4096; break;
case AV_CODEC_ID_MVC2: maxpixels /= 128; break;
+ case AV_CODEC_ID_MVHA: maxpixels /= 16384; break;
case AV_CODEC_ID_MVDV: maxpixels /= 1024; break;
case AV_CODEC_ID_MWSC: maxpixels /= 256; break;
case AV_CODEC_ID_MXPEG: maxpixels /= 128; break;
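Review bot: the divisor 16384 on the added AV_CODEC_ID_MVHA case is larger than every neighbouring entry in this hunk (128 to 4096), and the commit message gives only "Timeout" as the reason. A short note in the commit message on how the value was chosen would let a later reader judge whether the limit still leaves useful fuzzing coverage for this decoder. Minor: the new case is placed before AV_CODEC_ID_MVDV, while the surrounding cases are in alphabetical order.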
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths()
From: Michael Niedermayer @ 2023-09-13 23:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: use after free
Fixes: 62153/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4702814909366272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vlc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
index b353d2e86c2..f4bab0ae529 100644
--- a/libavcodec/vlc.c
+++ b/libavcodec/vlc.c
@@ -471,10 +471,13 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int
goto fail;
}
}
- ret = vlc_common_end(vlc, nb_bits, j, buf, flags, localbuf);
+ ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf);
if (ret < 0)
goto fail;
- return vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx);
+ ret = vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx);
+ if (buf != localbuf)
+ av_free(buf);
+ return ret;
fail:
if (buf != localbuf)
av_free(buf);
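Review bot: the last argument of vlc_common_end() changes from localbuf to buf with no comment, so the call now passes the same pointer twice and reads like a typo. If the intent is to keep vlc_common_end() from releasing buf before vlc_multi_gen() reads it, which is what "use after free" in the commit message suggests, a one-line comment above the call should say so. It is also worth confirming how vlc_common_end() treats that argument on its error return, since the `if (ret < 0) goto fail;` path frees buf as well.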
--
2.17.1
* [FFmpeg-devel] [PATCH 3/3] avcodec/aacdec_template: Better avoidance of signed integer overflow in imdct_and_windowing_eld()
From: Michael Niedermayer @ 2023-09-13 23:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: 62171/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5644657180409856
Fixes: signed integer overflow: 2 * 1079352273 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/aacdec_template.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 51a4cb2b66f..954399f86bb 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -2856,8 +2856,8 @@ static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce)
ac->mdct512_fn(ac->mdct512, buf, in, sizeof(INTFLOAT));
for (i = 0; i < n; i+=2) {
- buf[i + 0] = -(int)(USE_FIXED + 1U)*buf[i + 0];
- buf[i + 1] = (int)(USE_FIXED + 1U)*buf[i + 1];
+ buf[i + 0] = -(UINTFLOAT)(USE_FIXED + 1)*buf[i + 0];
+ buf[i + 1] = (UINTFLOAT)(USE_FIXED + 1)*buf[i + 1];
}
// Like with the regular IMDCT at this point we still have the middle half
// of a transform but with even symmetry on the left and odd symmetry on
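Review bot: in `-(UINTFLOAT)(USE_FIXED + 1)*buf[i + 0]` the unary minus is now applied to a UINTFLOAT operand and the product is converted back when it is stored into buf[], so the fixed-point result depends on wraparound rather than on a bounded value. Assuming UINTFLOAT is an unsigned type in the fixed-point build, as the name and the reported "2 * 1079352273" overflow suggest, a comment stating that wrapping is the intended behaviour for out-of-range samples would help, as the loop otherwise gives no hint of why the cast type matters. The commit message could also say whether the float build is unaffected by the cast change.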
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths()
From: Paul B Mahol @ 2023-09-26 9:35 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Sep 14, 2023 at 1:48 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> Fixes: use after free
> Fixes:
> 62153/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4702814909366272
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/vlc.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
> index b353d2e86c2..f4bab0ae529 100644
> --- a/libavcodec/vlc.c
> +++ b/libavcodec/vlc.c
> @@ -471,10 +471,13 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc,
> VLC_MULTI *multi, int nb_bits, int
> goto fail;
> }
> }
> - ret = vlc_common_end(vlc, nb_bits, j, buf, flags, localbuf);
> + ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf);
> if (ret < 0)
> goto fail;
> - return vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf,
> logctx);
> + ret = vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf,
> logctx);
> + if (buf != localbuf)
> + av_free(buf);
> + return ret;
> fail:
> if (buf != localbuf)
> av_free(buf);
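Review bot: the `if (buf != localbuf) av_free(buf);` pair now appears twice, once before `return ret;` and once under `fail:`. With ret already set on the success path, falling through to a single cleanup label would leave one release site for buf, which is easier to keep correct given that the bug being fixed is a lifetime error on this same buffer.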
> --
> 2.17.1
>
>
LGTM
* Re: [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA
From: Michael Niedermayer @ 2023-10-03 14:28 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Sep 14, 2023 at 01:47:32AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 62120/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5647877768347648
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> tools/target_dec_fuzzer.c | 1 +
> 1 file changed, 1 insertion(+)
will apply patchset
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The worst form of inequality is to try to make unequal things equal.
-- Aristotle