Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check that is_still_picture_avif has no trak based streams
From: Michael Niedermayer @ 2023-10-22  0:35 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Assertion failure in mov_read_iloc( in mov_read_iloc())
Fixes: 62866/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5282997370486784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2f29487beb8..e8efccf6ebf 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4628,6 +4628,10 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     MOVStreamContext *sc;
     int ret;
 
+    if (c->is_still_picture_avif) {
+        return AVERROR_INVALIDDATA;
+    }
+
     st = avformat_new_stream(c->fc, NULL);
     if (!st) return AVERROR(ENOMEM);
     st->id = -1;
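Review bot: the early return is silent; without an av_log() before `return AVERROR_INVALIDDATA;` a user whose AVIF file is refused gets no hint that a trak box is the reason. The commit message should also say which assumption in mov_read_iloc() a trak-based stream breaks (presumably that the only streams in a still-picture AVIF are the ones the iloc handler creates), since the subject only says the assertion fires. Placing the check before avformat_new_stream() is right: nothing is allocated yet that would need freeing on the error path.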
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/6] avcodec/cbs: Do not assert on traces beyond 255 bits
From: Michael Niedermayer @ 2023-10-22  0:35 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517
Fixes: 62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cbs.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
index cdd7adebebd..2f5d0334a2a 100644
--- a/libavcodec/cbs.c
+++ b/libavcodec/cbs.c
@@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context,
 
     position = get_bits_count(gbc);
 
+    if (length >= 256) {
+        av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated at 255\n", length);
+        length = 255;
+    }
+
     av_assert0(length < 256);
     for (i = 0; i < length; i++)
         bits[i] = get_bits1(gbc) ? '1' : '0';
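Review bot: with the clamp in place `av_assert0(length < 256);` can no longer fire, so it should be removed rather than left as dead code. The truncation message goes out at trace_level, the same level as the trace itself, so in a long trace it is easy to miss; either log it at AV_LOG_WARNING or mark the rendered bit string (for instance by ending it with an ellipsis) so that a reader can tell a truncated element from a complete one. Since `length` is the size of a single syntax element, a value of 256 or more points at the parser rather than at the tracer, and the commit message should say which element produced it.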
-- 
2.17.1


* [FFmpeg-devel] [PATCH 3/6] avcodec/apedec: Fix integer overflow in predictor_decode_stereo_3950()
From: Michael Niedermayer @ 2023-10-22  0:35 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: 1900031961 + 553590817 cannot be represented in type 'int'
Fixes: 63061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5166188298371072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 8bfbb75b41e..d31c0671520 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1284,7 +1284,7 @@ static void predictor_decode_stereo_3950(APEContext *ctx, int count)
             *decoded1++ = a1;
             if (num_passes > 1) {
                 int32_t left  = a1 - (unsigned)(a0 / 2);
-                int32_t right = left + a0;
+                int32_t right = left + (unsigned)a0;
 
                 if (FFMAX(FFABS(left), FFABS(right)) > (1<<23)) {
                     ctx->interim_mode = !interim_mode;
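Review bot: the `(unsigned)` cast makes the wraparound in `left + a0` defined, matching how `left` itself is computed on the line above, but the result is then narrowed back to int32_t and can land anywhere in the 32-bit range, including INT32_MIN. The `FFMAX(FFABS(left), FFABS(right)) > (1<<23)` check that follows is meant to catch such values, yet FFABS() negates its argument and so itself overflows on INT32_MIN; if that path is reachable, the comparison should be done on a 64-bit sum or on the unsigned magnitude. A one-line comment that the wrap is intentional and is caught by the interim-mode check would help the next reader.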
-- 
2.17.1


* [FFmpeg-devel] [PATCH 4/6] avcodec/dovi_rpu: Use 64 bit in get_us/se_coeff()
From: Michael Niedermayer @ 2023-10-22  0:35 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: shift exponent 32 is too large for 32-bit type 'int'
Fixes: 63151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5067531154751488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dovi_rpu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dovi_rpu.c b/libavcodec/dovi_rpu.c
index f6485256c45..a6b23f4dd11 100644
--- a/libavcodec/dovi_rpu.c
+++ b/libavcodec/dovi_rpu.c
@@ -149,7 +149,7 @@ static inline uint64_t get_ue_coef(GetBitContext *gb, const AVDOVIRpuDataHeader
 
     case RPU_COEFF_FLOAT:
         fpart.u32 = get_bits_long(gb, 32);
-        return fpart.f32 * (1 << hdr->coef_log2_denom);
+        return fpart.f32 * (1LL << hdr->coef_log2_denom);
     }
 
     return 0; /* unreachable */
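Review bot: `1LL << hdr->coef_log2_denom` removes the 32-bit shift overflow but is still undefined once coef_log2_denom reaches 63, so the fix only holds if coef_log2_denom is bounded where the RPU header is parsed; if that bound exists, a comment next to the shift stating it would make the reliance explicit, and if it does not, the range check belongs at parse time rather than here. Note also that the product is computed in float and then converted to the uint64_t return type of get_ue_coef(); a negative or out-of-range float in that conversion is a separate, pre-existing concern worth a follow-up.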
@@ -168,7 +168,7 @@ static inline int64_t get_se_coef(GetBitContext *gb, const AVDOVIRpuDataHeader *
 
     case RPU_COEFF_FLOAT:
         fpart.u32 = get_bits_long(gb, 32);
-        return fpart.f32 * (1 << hdr->coef_log2_denom);
+        return fpart.f32 * (1LL << hdr->coef_log2_denom);
     }
 
     return 0; /* unreachable */
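Review bot: this is the same change as in get_ue_coef() above, and the two RPU_COEFF_FLOAT branches are otherwise identical; pulling the scale factor into a small shared helper used by both get_ue_coef() and get_se_coef() would avoid having to patch the same expression in two places the next time the denominator handling changes.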
-- 
2.17.1


* [FFmpeg-devel] [PATCH 5/6] avutil/tx_template: fix integer overflow in fft3()
From: Michael Niedermayer @ 2023-10-22  0:35 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: -1028966111 + -1314089526 cannot be represented in type 'int'
Fixes: 63174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5853273711837184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavutil/tx_template.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavutil/tx_template.c b/libavutil/tx_template.c
index 8dc3d2519c1..a2c27465cbc 100644
--- a/libavutil/tx_template.c
+++ b/libavutil/tx_template.c
@@ -185,10 +185,9 @@ static av_always_inline void fft3(TXComplex *out, TXComplex *in,
     BF(tmp[1].re, tmp[2].im, in[1].im, in[2].im);
     BF(tmp[1].im, tmp[2].re, in[1].re, in[2].re);
 
-    out[0*stride].re = tmp[0].re + tmp[2].re;
-    out[0*stride].im = tmp[0].im + tmp[2].im;
-
 #ifdef TX_INT32
+    out[0*stride].re = (int64_t)tmp[0].re + tmp[2].re;
+    out[0*stride].im = (int64_t)tmp[0].im + tmp[2].im;
     mtmp[0] = (int64_t)tab[ 8] * tmp[1].re;
     mtmp[1] = (int64_t)tab[ 9] * tmp[1].im;
     mtmp[2] = (int64_t)tab[10] * tmp[2].re;
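Review bot: the (int64_t) cast makes the addition well-defined, but `out[0*stride].re` is still a 32-bit field in the TX_INT32 build, so an out-of-range sum is now truncated on assignment instead of being undefined; out[0] receives the unscaled sum, so inputs whose sum does not fit in 32 bits still produce a wrapped DC term. That is probably acceptable for fuzzer-only inputs, but the commit message should say so, and a comment at the cast noting that the narrowing is intentional would stop the next person from "fixing" it. The plain `tmp[0].re - (...)` subtractions for out[2*stride] in the next hunk are ordinary int arithmetic and deserve the same look.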
@@ -198,6 +197,8 @@ static av_always_inline void fft3(TXComplex *out, TXComplex *in,
     out[2*stride].re = tmp[0].re - (mtmp[2] - mtmp[0] + 0x40000000 >> 31);
     out[2*stride].im = tmp[0].im - (mtmp[3] + mtmp[1] + 0x40000000 >> 31);
 #else
+    out[0*stride].re = tmp[0].re + tmp[2].re;
+    out[0*stride].im = tmp[0].im + tmp[2].im;
     tmp[1].re = tab[ 8] * tmp[1].re;
     tmp[1].im = tab[ 9] * tmp[1].im;
     tmp[2].re = tab[10] * tmp[2].re;
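Review bot: the float branch now repeats the two out[0*stride] assignments that were previously shared, so the int and float paths differ only in the cast; keeping a single copy outside the #ifdef with a per-build sum type (a no-op in the float build) would avoid the duplication, and if the duplication is kept, a short comment on why the int32 version differs would help.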
-- 
2.17.1


* [FFmpeg-devel] [PATCH 6/6] tools/target_dec_fuzzer: Adjust threshold for CSCD
From: Michael Niedermayer @ 2023-10-22  0:35 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Timeout
Fixes: 63362/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-4694620065628160

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 798fc0b3f2a..27e7398089a 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -221,6 +221,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     case AV_CODEC_ID_CFHD:        maxpixels  /= 16384; break;
     case AV_CODEC_ID_CINEPAK:     maxpixels  /= 128;   break;
     case AV_CODEC_ID_COOK:        maxsamples /= 1<<20; break;
+    case AV_CODEC_ID_CSCD:        maxpixels  /= 1024;  break;
     case AV_CODEC_ID_DFA:         maxpixels  /= 1024;  break;
     case AV_CODEC_ID_DIRAC:       maxpixels  /= 8192;  break;
     case AV_CODEC_ID_DSICINVIDEO: maxpixels  /= 1024;  break;
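Review bot: the new CSCD entry uses the same 1024 divisor as the neighbouring DFA and DSICINVIDEO lines, which keeps the table consistent, but the commit message says only "Timeout"; recording the observed runtime of the reproducer (and, if known, why CSCD is slow per pixel) would let the threshold be revisited later instead of being copied forward. The entry sits between COOK and DFA, so the alphabetical ordering of the table is preserved.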
-- 
2.17.1


* Re: [FFmpeg-devel] [PATCH 5/6] avutil/tx_template: fix integer overflow in fft3()
From: Lynne @ 2023-10-22  1:55 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Oct 22, 2023, 02:36 by michael@niedermayer.cc:

> Fixes: signed integer overflow: -1028966111 + -1314089526 cannot be represented in type 'int'
> Fixes: 63174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5853273711837184
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavutil/tx_template.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/libavutil/tx_template.c b/libavutil/tx_template.c
> index 8dc3d2519c1..a2c27465cbc 100644
> --- a/libavutil/tx_template.c
> +++ b/libavutil/tx_template.c
> @@ -185,10 +185,9 @@ static av_always_inline void fft3(TXComplex *out, TXComplex *in,
>  BF(tmp[1].re, tmp[2].im, in[1].im, in[2].im);
>  BF(tmp[1].im, tmp[2].re, in[1].re, in[2].re);
>  
> -    out[0*stride].re = tmp[0].re + tmp[2].re;
> -    out[0*stride].im = tmp[0].im + tmp[2].im;
> -
>  #ifdef TX_INT32
> +    out[0*stride].re = (int64_t)tmp[0].re + tmp[2].re;
> +    out[0*stride].im = (int64_t)tmp[0].im + tmp[2].im;
>  mtmp[0] = (int64_t)tab[ 8] * tmp[1].re;
>  mtmp[1] = (int64_t)tab[ 9] * tmp[1].im;
>  mtmp[2] = (int64_t)tab[10] * tmp[2].re;
> @@ -198,6 +197,8 @@ static av_always_inline void fft3(TXComplex *out, TXComplex *in,
>  out[2*stride].re = tmp[0].re - (mtmp[2] - mtmp[0] + 0x40000000 >> 31);
>  out[2*stride].im = tmp[0].im - (mtmp[3] + mtmp[1] + 0x40000000 >> 31);
>  #else
> +    out[0*stride].re = tmp[0].re + tmp[2].re;
> +    out[0*stride].im = tmp[0].im + tmp[2].im;
>  tmp[1].re = tab[ 8] * tmp[1].re;
>  tmp[1].im = tab[ 9] * tmp[1].im;
>  tmp[2].re = tab[10] * tmp[2].re;
>

lgtm

* Re: [FFmpeg-devel] [PATCH 2/6] avcodec/cbs: Do not assert on traces beyond 255 bits
From: Mark Thompson @ 2023-10-22 14:34 UTC (permalink / raw)
  To: ffmpeg-devel

On 22/10/2023 01:35, Michael Niedermayer wrote:
> Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517
> Fixes: 62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/cbs.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
> index cdd7adebebd..2f5d0334a2a 100644
> --- a/libavcodec/cbs.c
> +++ b/libavcodec/cbs.c
> @@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context,
>   
>       position = get_bits_count(gbc);
>   
> +    if (length >= 256) {
> +        av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated at 255\n", length);
> +        length = 255;
> +    }
> +
>       av_assert0(length < 256);
>       for (i = 0; i < length; i++)
>           bits[i] = get_bits1(gbc) ? '1' : '0';

IMO the assert is sensible (no syntax element is that large) and so this must be catching a bug somewhere else.  Please don't nullify the assert to hide the bug.

Can you share the input stream which hit this case?

Thanks,

- Mark

* Re: [FFmpeg-devel] [PATCH 5/6] avutil/tx_template: fix integer overflow in fft3()
From: Michael Niedermayer @ 2023-10-23 20:44 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Sun, Oct 22, 2023 at 03:55:47AM +0200, Lynne wrote:
> Oct 22, 2023, 02:36 by michael@niedermayer.cc:
> 
> > Fixes: signed integer overflow: -1028966111 + -1314089526 cannot be represented in type 'int'
> > Fixes: 63174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5853273711837184
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavutil/tx_template.c | 7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> >
> > diff --git a/libavutil/tx_template.c b/libavutil/tx_template.c
> > index 8dc3d2519c1..a2c27465cbc 100644
> > --- a/libavutil/tx_template.c
> > +++ b/libavutil/tx_template.c
> > @@ -185,10 +185,9 @@ static av_always_inline void fft3(TXComplex *out, TXComplex *in,
> >  BF(tmp[1].re, tmp[2].im, in[1].im, in[2].im);
> >  BF(tmp[1].im, tmp[2].re, in[1].re, in[2].re);
> >  
> > -    out[0*stride].re = tmp[0].re + tmp[2].re;
> > -    out[0*stride].im = tmp[0].im + tmp[2].im;
> > -
> >  #ifdef TX_INT32
> > +    out[0*stride].re = (int64_t)tmp[0].re + tmp[2].re;
> > +    out[0*stride].im = (int64_t)tmp[0].im + tmp[2].im;
> >  mtmp[0] = (int64_t)tab[ 8] * tmp[1].re;
> >  mtmp[1] = (int64_t)tab[ 9] * tmp[1].im;
> >  mtmp[2] = (int64_t)tab[10] * tmp[2].re;
> > @@ -198,6 +197,8 @@ static av_always_inline void fft3(TXComplex *out, TXComplex *in,
> >  out[2*stride].re = tmp[0].re - (mtmp[2] - mtmp[0] + 0x40000000 >> 31);
> >  out[2*stride].im = tmp[0].im - (mtmp[3] + mtmp[1] + 0x40000000 >> 31);
> >  #else
> > +    out[0*stride].re = tmp[0].re + tmp[2].re;
> > +    out[0*stride].im = tmp[0].im + tmp[2].im;
> >  tmp[1].re = tab[ 8] * tmp[1].re;
> >  tmp[1].im = tab[ 9] * tmp[1].im;
> >  tmp[2].re = tab[10] * tmp[2].re;
> >
> 
> lgtm

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No human being will ever know the Truth, for even if they happen to say it
by chance, they would not even know they had done so. -- Xenophanes


* Re: [FFmpeg-devel] [PATCH 2/6] avcodec/cbs: Do not assert on traces beyond 255 bits
From: Michael Niedermayer @ 2023-10-23 20:53 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Sun, Oct 22, 2023 at 03:34:20PM +0100, Mark Thompson wrote:
> On 22/10/2023 01:35, Michael Niedermayer wrote:
> > Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517
> > Fixes: 62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/cbs.c | 5 +++++
> >   1 file changed, 5 insertions(+)
> > 
> > diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
> > index cdd7adebebd..2f5d0334a2a 100644
> > --- a/libavcodec/cbs.c
> > +++ b/libavcodec/cbs.c
> > @@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context,
> >       position = get_bits_count(gbc);
> > +    if (length >= 256) {
> > +        av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated at 255\n", length);
> > +        length = 255;
> > +    }
> > +
> >       av_assert0(length < 256);
> >       for (i = 0; i < length; i++)
> >           bits[i] = get_bits1(gbc) ? '1' : '0';
> 
> IMO the assert is sensible (no syntax element is that large) and so this must be catching a bug somewhere else.  Please don't nullify the assert to hide the bug.
> 
> Can you share the input stream which hit this case?

will mail it to you

the backtrace is this:

    #7 0x505748 in ff_cbs_trace_read_log ffmpeg/libavcodec/cbs.c:517:5
    #8 0x5273f1 in cbs_av1_read_uvlc ffmpeg/libavcodec/cbs_av1.c:67:5
    #9 0x5273f1 in cbs_av1_read_timing_info ffmpeg/libavcodec/cbs_av1_syntax_template.c:168
    #10 0x5273f1 in cbs_av1_read_sequence_header_obu ffmpeg/libavcodec/cbs_av1_syntax_template.c:214
    #11 0x51278a in cbs_av1_read_unit ffmpeg/libavcodec/cbs_av1.c:856:19
    #12 0x4ff30a in cbs_read_fragment_content ffmpeg/libavcodec/cbs.c:209:15
    #13 0x4ff30a in cbs_read_data ffmpeg/libavcodec/cbs.c:276
    #14 0x4edc32 in trace_headers ffmpeg/libavcodec/trace_headers_bsf.c:113:11
    #15 0x4c9898 in LLVMFuzzerTestOneInput ffmpeg/tools/target_bsf_fuzzer.c:154:16
    #16 0x136900d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #17 0x135dbe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #18 0x1362de1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #19 0x135d8c0 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #20 0x7f456b8b8c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x41f179 in _start (ffmpeg/tools/target_bsf_trace_headers_fuzzer+0x41f179)


[...]

thx

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What's the most stupid thing your enemy could do? Blow himself up
What's the most stupid thing you could do? Give up your rights and
freedom because your enemy blew himself up.



* Re: [FFmpeg-devel] [PATCH 2/6] avcodec/cbs: Do not assert on traces beyond 255 bits
From: Mark Thompson @ 2023-10-23 21:36 UTC (permalink / raw)
  To: ffmpeg-devel

On 23/10/2023 21:53, Michael Niedermayer wrote:
> On Sun, Oct 22, 2023 at 03:34:20PM +0100, Mark Thompson wrote:
>> On 22/10/2023 01:35, Michael Niedermayer wrote:
>>> Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517
>>> Fixes: 62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>    libavcodec/cbs.c | 5 +++++
>>>    1 file changed, 5 insertions(+)
>>>
>>> diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
>>> index cdd7adebebd..2f5d0334a2a 100644
>>> --- a/libavcodec/cbs.c
>>> +++ b/libavcodec/cbs.c
>>> @@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context,
>>>        position = get_bits_count(gbc);
>>> +    if (length >= 256) {
>>> +        av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated at 255\n", length);
>>> +        length = 255;
>>> +    }
>>> +
>>>        av_assert0(length < 256);
>>>        for (i = 0; i < length; i++)
>>>            bits[i] = get_bits1(gbc) ? '1' : '0';
>>
>> IMO the assert is sensible (no syntax element is that large) and so this must be catching a bug somewhere else.  Please don't nullify the assert to hide the bug.
>>
>> Can you share the input stream which hit this case?
> 
> will mail it to you
> 
> the backtrace is this:
> 
>      #7 0x505748 in ff_cbs_trace_read_log ffmpeg/libavcodec/cbs.c:517:5
>      #8 0x5273f1 in cbs_av1_read_uvlc ffmpeg/libavcodec/cbs_av1.c:67:5
>      #9 0x5273f1 in cbs_av1_read_timing_info ffmpeg/libavcodec/cbs_av1_syntax_template.c:168
>      #10 0x5273f1 in cbs_av1_read_sequence_header_obu ffmpeg/libavcodec/cbs_av1_syntax_template.c:214
>      #11 0x51278a in cbs_av1_read_unit ffmpeg/libavcodec/cbs_av1.c:856:19
>      #12 0x4ff30a in cbs_read_fragment_content ffmpeg/libavcodec/cbs.c:209:15
>      #13 0x4ff30a in cbs_read_data ffmpeg/libavcodec/cbs.c:276
>      #14 0x4edc32 in trace_headers ffmpeg/libavcodec/trace_headers_bsf.c:113:11
>      #15 0x4c9898 in LLVMFuzzerTestOneInput ffmpeg/tools/target_bsf_fuzzer.c:154:16
>      #16 0x136900d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
>      #17 0x135dbe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
>      #18 0x1362de1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
>      #19 0x135d8c0 in main Fuzzer/build/../FuzzerMain.cpp:20:10
>      #20 0x7f456b8b8c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
>      #21 0x41f179 in _start (ffmpeg/tools/target_bsf_trace_headers_fuzzer+0x41f179)

This is the case in <https://lists.ffmpeg.org/pipermail/ffmpeg-devel/2023-October/315983.html>, and would be fixed by that patch.

Since the problem is a dubious feature of the standard which other implementations then do not follow I would appreciate thoughts from other people on what to do with it, though.

Thanks,

- Mark

* Re: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check that is_still_picture_avif has no trak based streams
From: Michael Niedermayer @ 2023-10-31 22:13 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Sun, Oct 22, 2023 at 02:35:15AM +0200, Michael Niedermayer wrote:
> Fixes: Assertion failure in mov_read_iloc( in mov_read_iloc())
> Fixes: 62866/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5282997370486784
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 4 ++++
>  1 file changed, 4 insertions(+)

will apply patches of this set that have received no comment

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates

