Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size
@ 2023-09-21 18:09 Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 2/6] avcodec/wavarc: Fix integer overflow in do_stereo() Michael Niedermayer
                   ` (5 more replies)
  0 siblings, 6 replies; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-21 18:09 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: out of array access
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/osq.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index e7f11691d2e..bcc75fef6fc 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx, AVFrame *frame)
     GetBitContext *gb = &s->gb;
     int ret, n;
 
+    if (s->pkt_offset > s->pkt->size)
+        s->pkt_offset = 0;
+
     while (s->bitstream_size < s->max_framesize) {
         int size;
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/6] avcodec/wavarc: Fix integer overflow in do_stereo()
  2023-09-21 18:09 [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Michael Niedermayer
@ 2023-09-21 18:09 ` Michael Niedermayer
  2023-10-03 14:32   ` Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 3/6] avcodec/wavarc: Allocate AV_INPUT_BUFFER_PADDING_SIZE Michael Niedermayer
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-21 18:09 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: 148676193 - -2006512262 cannot be represented in type 'int'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5963163952349184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index b954e8800cd..48c673fdea4 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -154,11 +154,11 @@ static void do_stereo(WavArcContext *s, int ch, int correlated, int len)
     } else {
         if (correlated) {
             for (int n = 0; n < nb_samples; n++)
-                s->samples[1][n + len] += s->samples[0][n + len];
+                s->samples[1][n + len] += (unsigned)s->samples[0][n + len];
         }
         for (int n = 0; n < len; n++) {
             s->pred[0][n] = s->samples[1][nb_samples + n];
-            s->pred[1][n] = s->pred[0][n] - s->samples[0][nb_samples + n];
+            s->pred[1][n] = s->pred[0][n] - (unsigned)s->samples[0][nb_samples + n];
         }
     }
 }
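Review bot: the (unsigned) casts on the two arithmetic lines only make the wraparound defined and silence the UBSan report; the wrapped sample values are still garbage for a stream that triggers them, so the commit message should state that this is UB suppression on untrusted input and not a change in decoded output for valid files. Casting only the right operand is sufficient here: with an int left operand, the usual arithmetic conversions promote the whole `+=` and `-` expression to unsigned before the result is converted back to int, which is the project's established idiom for this.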
-- 
2.17.1


* [FFmpeg-devel] [PATCH 3/6] avcodec/wavarc: Allocate AV_INPUT_BUFFER_PADDING_SIZE
  2023-09-21 18:09 [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 2/6] avcodec/wavarc: Fix integer overflow in do_stereo() Michael Niedermayer
@ 2023-09-21 18:09 ` Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 4/6] avcodec/wavarc: Check k in decode_5elp() Michael Niedermayer
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-21 18:09 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: overread
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5963163952349184
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6048030137909248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 48c673fdea4..9ba95143b8a 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -111,7 +111,7 @@ static av_cold int wavarc_init(AVCodecContext *avctx)
     }
 
     s->max_framesize = s->nb_samples * 16;
-    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
+    s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE, sizeof(*s->bitstream));
     if (!s->bitstream)
         return AVERROR(ENOMEM);
 
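Review bot: the extra AV_INPUT_BUFFER_PADDING_SIZE turns an overread by the bit reader into a read of zeroed padding instead of a read past the allocation, but that only holds while the padding stays zeroed; av_calloc zeroes it at init, so any later code that refills or memmove()s s->bitstream must not write into the padding. The commit message should name the reader that overreads (the GetBitContext consuming s->bitstream) and say why padding rather than a bounds check is the right fix. Also worth confirming that s->max_framesize (nb_samples * 16 two lines above) is bounded so the int addition cannot overflow before av_calloc sees it.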
-- 
2.17.1


* [FFmpeg-devel] [PATCH 4/6] avcodec/wavarc: Check k in decode_5elp()
  2023-09-21 18:09 [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 2/6] avcodec/wavarc: Fix integer overflow in do_stereo() Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 3/6] avcodec/wavarc: Allocate AV_INPUT_BUFFER_PADDING_SIZE Michael Niedermayer
@ 2023-09-21 18:09 ` Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 5/6] avcodec/jpegxl_parse: Cleanup on error in read_vlc_prefix() Michael Niedermayer
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-21 18:09 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

regression since 18b2ecc24778140c2bc798ed64842dc8feb6dc3a

Fixes: assertion failure
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6280165808013312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 9ba95143b8a..a9d98f0c55e 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -539,6 +539,8 @@ static int decode_5elp(AVCodecContext *avctx,
         if (block_type >= 0 && block_type <= 7) {
             k = 1 + (avctx->sample_fmt == AV_SAMPLE_FMT_S16P);
             k = get_urice(gb, k) + 1;
+            if (k >= 32)
+                return AVERROR_INVALIDDATA;
         }
 
         if (block_type <=  2 || block_type ==  6 || block_type == 13 ||
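Review bot: the bound `k >= 32` is a magic number; tie it to the consumer that asserted. If k is later passed to get_bits() the usable maximum on FFmpeg's bit reader is 25 bits (get_bits_long() goes to 32), so a k of 26..31 would still trip the assertion; either use the stricter limit or a named constant with a comment stating which call it protects. The commit message says only "assertion failure", so naming the failing call there would let a reader verify the bound without running the fuzzer case.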
-- 
2.17.1


* [FFmpeg-devel] [PATCH 5/6] avcodec/jpegxl_parse: Cleanup on error in read_vlc_prefix()
  2023-09-21 18:09 [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Michael Niedermayer
                   ` (2 preceding siblings ...)
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 4/6] avcodec/wavarc: Check k in decode_5elp() Michael Niedermayer
@ 2023-09-21 18:09 ` Michael Niedermayer
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info Michael Niedermayer
  2023-09-21 18:14 ` [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Paul B Mahol
  5 siblings, 0 replies; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-21 18:09 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6167847715602432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/jpegxl_parser.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 6656ed35c51..17e87d5cc34 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -777,8 +777,10 @@ static int read_vlc_prefix(GetBitContext *gb, JXLEntropyDecoder *dec, JXLSymbolD
         }
     }
 
-    if (total_code != 32768 && level2_codecounts[0] < dist->alphabet_size - 1)
-        return AVERROR_INVALIDDATA;
+    if (total_code != 32768 && level2_codecounts[0] < dist->alphabet_size - 1) {
+        ret = AVERROR_INVALIDDATA;
+        goto end;
+    }
 
     for (int i = 1; i < dist->alphabet_size + 1; i++)
         level2_codecounts[i] += level2_codecounts[i - 1];
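Review bot: the `goto end` relies on a `ret` variable and an `end:` label that are outside this hunk; please confirm that `end:` releases everything allocated earlier in read_vlc_prefix() (the leak the commit message refers to) and that the other early `return AVERROR_INVALIDDATA` sites in the same function were converted as well, since this hunk changes only one of them. A one-line note in the commit message naming what was leaked would make the fix verifiable from the log alone.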
-- 
2.17.1


* [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info
  2023-09-21 18:09 [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Michael Niedermayer
                   ` (3 preceding siblings ...)
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 5/6] avcodec/jpegxl_parse: Cleanup on error in read_vlc_prefix() Michael Niedermayer
@ 2023-09-21 18:09 ` Michael Niedermayer
  2023-09-28 10:37   ` Anton Khirnov
  2023-09-21 18:14 ` [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Paul B Mahol
  5 siblings, 1 reply; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-21 18:09 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6674082962997248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 93c1f9e929a..52939a373ec 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -7767,7 +7767,7 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         return 0;
     }
 
-    if (c->fc->nb_streams) {
+    if (c->fc->nb_streams || c->avif_info) {
         av_log(c->fc, AV_LOG_INFO, "Duplicate iloc box found\n");
         return 0;
     }
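Review bot: with `c->avif_info` in the condition the `c->fc->nb_streams` test is redundant, as the thread below confirms, so the check can be reduced to `if (c->avif_info)`. The leak being fixed is a second iloc box overwriting the avif_info allocation; stating that in the commit message is more useful than "Fixes: leak". Since a duplicate iloc is a structural violation of the file, AV_LOG_WARNING reads better than AV_LOG_INFO for the message that reports it.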
-- 
2.17.1


* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size
  2023-09-21 18:09 [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Michael Niedermayer
                   ` (4 preceding siblings ...)
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info Michael Niedermayer
@ 2023-09-21 18:14 ` Paul B Mahol
  2023-09-22 16:47   ` Michael Niedermayer
  5 siblings, 1 reply; 12+ messages in thread
From: Paul B Mahol @ 2023-09-21 18:14 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: out of array access
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/osq.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> index e7f11691d2e..bcc75fef6fc 100644
> --- a/libavcodec/osq.c
> +++ b/libavcodec/osq.c
> @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
> AVFrame *frame)
>      GetBitContext *gb = &s->gb;
>      int ret, n;
>
> +    if (s->pkt_offset > s->pkt->size)
> +        s->pkt_offset = 0;
>

This is more of a hack than a real fix.

Can you provide the input file?


> +
>      while (s->bitstream_size < s->max_framesize) {
>          int size;
>
> --
> 2.17.1
>

* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size
  2023-09-21 18:14 ` [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size Paul B Mahol
@ 2023-09-22 16:47   ` Michael Niedermayer
  2023-09-22 17:36     ` Paul B Mahol
  0 siblings, 1 reply; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-22 16:47 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Thu, Sep 21, 2023 at 08:14:31PM +0200, Paul B Mahol wrote:
> On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
> > Fixes: out of array access
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/osq.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> > index e7f11691d2e..bcc75fef6fc 100644
> > --- a/libavcodec/osq.c
> > +++ b/libavcodec/osq.c
> > @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
> > AVFrame *frame)
> >      GetBitContext *gb = &s->gb;
> >      int ret, n;
> >
> > +    if (s->pkt_offset > s->pkt->size)
> > +        s->pkt_offset = 0;
> >
> 
> This is more of a hack than a real fix.

why ?

pkt->size is reset outside the codec, so either it needs to be
checked on codec entry or the codec should not use
internal->in_pkt and expect its size to be conserved
or implement flush() or something

ff_decode_flush_buffers() for example will clear the packet

if you prefer I can implement flush() and reset pkt_offset in it
that probably would achieve the same
just say if you prefer that?

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato

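The mechanism described in the reply above, as an added example that is not part of the original thread or of FFmpeg's code: a decoder that keeps a byte offset into a caller-owned packet across calls (as osq_receive_frame() does with pkt_offset), what happens when the caller resets that packet without telling the decoder, and the flush() hook the thread settles on. The struct and function names (packet, decoder, receive_chunk, decoder_flush, caller_reset_packet) are hypothetical stand-ins for AVPacket, the codec private context and the codec flush callback, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PKT_MAX 64

/* Stand-in for AVPacket: a caller-owned buffer plus its current size. */
struct packet {
    uint8_t data[PKT_MAX];
    int     size;
};

/* Stand-in for the decoder's private context: it holds a pointer to the
 * caller's packet and an offset into it that persists across calls. */
struct decoder {
    struct packet *pkt;
    int            pkt_offset;
};

/* Copy up to `want` bytes from the packet, starting at the persisted
 * offset. Returns the number of bytes copied, or -1 if the persisted
 * offset points past the packet's current end. That stale-offset case is
 * what the on-entry check in the patch guards against: without it the
 * memcpy would start beyond pkt->size. */
static int receive_chunk(struct decoder *s, uint8_t *out, int want)
{
    const struct packet *p = s->pkt;
    int avail, n;

    if (s->pkt_offset > p->size)
        return -1;

    avail = p->size - s->pkt_offset;
    n     = want < avail ? want : avail;
    memcpy(out, p->data + s->pkt_offset, (size_t)n);
    s->pkt_offset += n;
    return n;
}

/* The flush() approach from the thread: the caller invokes this whenever
 * it discards the packet, so the offset never outlives the bytes it
 * indexes. Hypothetical name for the codec's flush callback. */
static void decoder_flush(struct decoder *s)
{
    s->pkt_offset = 0;
}

/* Caller side: emulate what clearing the caller's buffers does to the
 * packet (size reset to 0) while the decoder context is left untouched. */
static void caller_reset_packet(struct packet *p)
{
    p->size = 0;
}

/* Scenario 1: the caller resets the packet and calls back into the
 * decoder without flushing it. The guard catches the stale offset. */
int scenario_without_flush(void)
{
    struct packet  pkt = { .size = 16 };
    struct decoder dec = { .pkt = &pkt, .pkt_offset = 0 };
    uint8_t buf[16];

    memset(pkt.data, 0xAB, sizeof pkt.data);   /* constructed sample data */
    receive_chunk(&dec, buf, 12);              /* pkt_offset becomes 12 */
    caller_reset_packet(&pkt);                 /* size 0, offset still 12 */
    return receive_chunk(&dec, buf, 4);        /* -1: offset 12 > size 0 */
}

/* Scenario 2: the caller flushes the decoder when it resets the packet,
 * then refills it; the offset restarts at 0 and decoding continues. */
int scenario_with_flush(void)
{
    struct packet  pkt = { .size = 16 };
    struct decoder dec = { .pkt = &pkt, .pkt_offset = 0 };
    uint8_t buf[16];

    memset(pkt.data, 0xAB, sizeof pkt.data);
    receive_chunk(&dec, buf, 12);
    caller_reset_packet(&pkt);
    decoder_flush(&dec);                       /* offset back to 0 */
    memset(pkt.data, 0xCD, 8);                 /* refill with 8 new bytes */
    pkt.size = 8;
    return receive_chunk(&dec, buf, 4);        /* 4 bytes from offset 0 */
}
```

In the real decoder the packet's data pointer can be released as well as its size reset, so a stale offset can index freed memory rather than a shorter buffer; the flush hook closes both cases because it is driven by the caller's reset rather than by a comparison on entry.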

* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size
  2023-09-22 16:47   ` Michael Niedermayer
@ 2023-09-22 17:36     ` Paul B Mahol
  0 siblings, 0 replies; 12+ messages in thread
From: Paul B Mahol @ 2023-09-22 17:36 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

On 9/22/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Thu, Sep 21, 2023 at 08:14:31PM +0200, Paul B Mahol wrote:
>> On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer
>> <michael@niedermayer.cc>
>> wrote:
>>
>> > Fixes: out of array access
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
>> >
>> > Found-by: continuous fuzzing process
>> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> > ---
>> >  libavcodec/osq.c | 3 +++
>> >  1 file changed, 3 insertions(+)
>> >
>> > diff --git a/libavcodec/osq.c b/libavcodec/osq.c
>> > index e7f11691d2e..bcc75fef6fc 100644
>> > --- a/libavcodec/osq.c
>> > +++ b/libavcodec/osq.c
>> > @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
>> > AVFrame *frame)
>> >      GetBitContext *gb = &s->gb;
>> >      int ret, n;
>> >
>> > +    if (s->pkt_offset > s->pkt->size)
>> > +        s->pkt_offset = 0;
>> >
>>
>> This is more of a hack than a real fix.
>
> why ?
>
> pkt->size is reset outside the codec, so either it needs to be
> checked on codec entry or the codec should not use
> internal->in_pkt and expect its size to be conserved
> or implement flush() or something
>
> ff_decode_flush_buffers() for example will clear the packet
>
> if you prefer I can implement flush() and reset pkt_offset in it
> that probably would achieve the same
> just say if you prefer that?

Yup, that is much cleaner, go ahead with that solution with flush().
I forgot about the flush() case completely.

>
> thx
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> When the tyrant has disposed of foreign enemies by conquest or treaty, and
> there is nothing more to fear from them, then he is always stirring up
> some war or other, in order that the people may require a leader. -- Plato
>

* Re: [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info Michael Niedermayer
@ 2023-09-28 10:37   ` Anton Khirnov
  2023-09-29 19:35     ` Michael Niedermayer
  0 siblings, 1 reply; 12+ messages in thread
From: Anton Khirnov @ 2023-09-28 10:37 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Quoting Michael Niedermayer (2023-09-21 20:09:12)
> Fixes: leak
> Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6674082962997248
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 93c1f9e929a..52939a373ec 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -7767,7 +7767,7 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>          return 0;
>      }
>  
> -    if (c->fc->nb_streams) {
> +    if (c->fc->nb_streams || c->avif_info) {

I remember seeing this patch before and asking whether the first
condition is not redundant now.

-- 
Anton Khirnov

* Re: [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info
  2023-09-28 10:37   ` Anton Khirnov
@ 2023-09-29 19:35     ` Michael Niedermayer
  0 siblings, 0 replies; 12+ messages in thread
From: Michael Niedermayer @ 2023-09-29 19:35 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Thu, Sep 28, 2023 at 12:37:57PM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-09-21 20:09:12)
> > Fixes: leak
> > Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6674082962997248
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mov.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 93c1f9e929a..52939a373ec 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -7767,7 +7767,7 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >          return 0;
> >      }
> >  
> > -    if (c->fc->nb_streams) {
> > +    if (c->fc->nb_streams || c->avif_info) {
> 
> I remember seeing this patch before and asking whether the first
> condition is not redundant now.

Right, the author of the underlying code also suggested it's redundant,
so as suggested there I'll apply it with just the 2nd check

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No human being will ever know the Truth, for even if they happen to say it
by chance, they would not even known they had done so. -- Xenophanes


* Re: [FFmpeg-devel] [PATCH 2/6] avcodec/wavarc: Fix integer overflow in do_stereo()
  2023-09-21 18:09 ` [FFmpeg-devel] [PATCH 2/6] avcodec/wavarc: Fix integer overflow in do_stereo() Michael Niedermayer
@ 2023-10-03 14:32   ` Michael Niedermayer
  0 siblings, 0 replies; 12+ messages in thread
From: Michael Niedermayer @ 2023-10-03 14:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Thu, Sep 21, 2023 at 08:09:08PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 148676193 - -2006512262 cannot be represented in type 'int'
> Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5963163952349184
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/wavarc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Will apply the 3 wavarc patches from this set.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire

