[FFmpeg-devel] [PATCH 1/4] tools/target_dec_fuzzer: Adjust Threshold for VP6A

[FFmpeg-devel] [PATCH 1/4] tools/target_dec_fuzzer: Adjust Threshold for VP6A

[Michael Niedermayer]

Fixes: Timeout
Fixes: 64220/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6A_fuzzer-5653856213925888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index e59db6697df..84b646b7f45 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -304,6 +304,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     case AV_CODEC_ID_VP4:         maxpixels  /= 4096;  break;
     case AV_CODEC_ID_VP5:         maxpixels  /= 256;   break;
     case AV_CODEC_ID_VP6F:        maxpixels  /= 4096;  break;
+    case AV_CODEC_ID_VP6A:        maxpixels  /= 4096;  break;
     case AV_CODEC_ID_VP7:         maxpixels  /= 256;   break;
     case AV_CODEC_ID_VP9:         maxpixels  /= 4096;  break;
     case AV_CODEC_ID_WAVPACK:     maxsamples /= 1024;  break;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/4] avcodec/cbs_vp8: Do not use assert to check for end

[Michael Niedermayer]

Fixes: abort()
Fixes: 64232/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5417957987319808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cbs_vp8.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/cbs_vp8.c b/libavcodec/cbs_vp8.c
index 01d4b9cefef..b76cde98517 100644
--- a/libavcodec/cbs_vp8.c
+++ b/libavcodec/cbs_vp8.c
@@ -329,7 +329,9 @@ static int cbs_vp8_read_unit(CodedBitstreamContext *ctx,
 
     pos = get_bits_count(&gbc);
     pos /= 8;
-    av_assert0(pos <= unit->data_size);
+
+    if (pos > unit->data_size)
+        return AVERROR_INVALIDDATA;
 
     frame->data_ref = av_buffer_ref(unit->data_ref);
     if (!frame->data_ref)
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/4] avcodec/jpeglsdec: Check Jpeg-LS LSE

[Michael Niedermayer]

Fixes: signed integer overflow: 2147478526 + 33924 cannot be represented in type 'int'
Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 64243/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5195717848989696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/jpeglsdec.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index ec163b8964d..c245cf0279c 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -382,6 +382,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near,
     state->T3     = s->t3;
     state->reset  = s->reset;
     ff_jpegls_reset_coding_parameters(state, 0);
+
+    /* Testing parameters here, we cannot test in LSE or SOF because
+     * these interdepend and are allowed in either order
+     */
+    if (state->maxval >= (1<<state->bpp) ||
+        state->T1 > state->T2 ||
+        state->T2 > state->T3 ||
+        state->T3 > state->maxval ||
+        state->reset > FFMAX(255, state->maxval)) {
+        ret = AVERROR_INVALIDDATA;
+        goto end;
+    }
+
     ff_jpegls_init_state(state);
 
     if (s->bits <= 8)
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/4] avformat/mov: do not set sign bit for chunk_offsets

[Michael Niedermayer]

Fixes: signed integer overflow: 2314885530818453536 - -7412889664301817824 cannot be represented in type 'long'
Fixes: 64296/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6304027146846208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 30cf7a15b01..65c5c8c288c 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2242,8 +2242,13 @@ static int mov_read_stco(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         for (i = 0; i < entries && !pb->eof_reached; i++)
             sc->chunk_offsets[i] = avio_rb32(pb);
     else if (atom.type == MKTAG('c','o','6','4'))
-        for (i = 0; i < entries && !pb->eof_reached; i++)
+        for (i = 0; i < entries && !pb->eof_reached; i++) {
             sc->chunk_offsets[i] = avio_rb64(pb);
+            if (sc->chunk_offsets[i] < 0) {
+                av_log(c->fc, AV_LOG_WARNING, "Impossible chunk_offset\n");
+                sc->chunk_offsets[i] = 0;
+            }
+        }
     else
         return AVERROR_INVALIDDATA;
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/4] avcodec/cbs_vp8: Do not use assert to check for end

[James Almer]

On 12/16/2023 9:16 AM, Michael Niedermayer wrote:
> Fixes: abort()
> Fixes: 64232/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5417957987319808
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/cbs_vp8.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/cbs_vp8.c b/libavcodec/cbs_vp8.c
> index 01d4b9cefef..b76cde98517 100644
> --- a/libavcodec/cbs_vp8.c
> +++ b/libavcodec/cbs_vp8.c
> @@ -329,7 +329,9 @@ static int cbs_vp8_read_unit(CodedBitstreamContext *ctx,
>   
>       pos = get_bits_count(&gbc);
>       pos /= 8;
> -    av_assert0(pos <= unit->data_size);
> +
> +    if (pos > unit->data_size)
> +        return AVERROR_INVALIDDATA;

Wouldn't this be hiding a bug in the parsing code? The assert is there 
to ensure no overread happened.

>   
>       frame->data_ref = av_buffer_ref(unit->data_ref);
>       if (!frame->data_ref)
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/4] avcodec/cbs_vp8: Do not use assert to check for end

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1318 bytes --]

On Sat, Dec 16, 2023 at 09:20:24AM -0300, James Almer wrote:
> On 12/16/2023 9:16 AM, Michael Niedermayer wrote:
> > Fixes: abort()
> > Fixes: 64232/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5417957987319808
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/cbs_vp8.c | 4 +++-
> >   1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/cbs_vp8.c b/libavcodec/cbs_vp8.c
> > index 01d4b9cefef..b76cde98517 100644
> > --- a/libavcodec/cbs_vp8.c
> > +++ b/libavcodec/cbs_vp8.c
> > @@ -329,7 +329,9 @@ static int cbs_vp8_read_unit(CodedBitstreamContext *ctx,
> >       pos = get_bits_count(&gbc);
> >       pos /= 8;
> > -    av_assert0(pos <= unit->data_size);
> > +
> > +    if (pos > unit->data_size)
> > +        return AVERROR_INVALIDDATA;
> 
> Wouldn't this be hiding a bug in the parsing code? The assert is there to
> ensure no overread happened.

ill send a better patch, this patch is bad and wrong

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The educated differ from the uneducated as much as the living from the
dead. -- Aristotle 

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/4] avcodec/cbs_vp8: Do not use assert to check for end

[Dai, Jianhui J]

> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of Michael
> Niedermayer
> Sent: Saturday, December 16, 2023 8:16 PM
> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/cbs_vp8: Do not use assert to
> check for end
> 
> Fixes: abort()
> Fixes: 64232/clusterfuzz-testcase-minimized-
> ffmpeg_BSF_TRACE_HEADERS_fuzzer-5417957987319808
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-
> fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/cbs_vp8.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/cbs_vp8.c b/libavcodec/cbs_vp8.c index
> 01d4b9cefef..b76cde98517 100644
> --- a/libavcodec/cbs_vp8.c
> +++ b/libavcodec/cbs_vp8.c
> @@ -329,7 +329,9 @@ static int cbs_vp8_read_unit(CodedBitstreamContext
> *ctx,
> 
>      pos = get_bits_count(&gbc);
>      pos /= 8;
> -    av_assert0(pos <= unit->data_size);
> +
> +    if (pos > unit->data_size)
> +        return AVERROR_INVALIDDATA;
> 

This is a potentially fatal error caused by the parser overreading past the expected data. This should not occur after the fix GetBitContext setup patch was applied.
BTW, the VP8 compressed header does not guarantee 8-bit alignment according to the SPEC.
It could be better to check the bit pos.

```
pos = get_bits_count(&gbc);
av_assert0(pos <= unit->data_size * 8);
```

>      frame->data_ref = av_buffer_ref(unit->data_ref);
>      if (!frame->data_ref)
> --
> 2.17.1
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with
> subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/4] tools/target_dec_fuzzer: Adjust Threshold for VP6A

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 674 bytes --]

On Sat, Dec 16, 2023 at 01:16:16PM +0100, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 64220/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6A_fuzzer-5653856213925888
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  tools/target_dec_fuzzer.c | 1 +
>  1 file changed, 1 insertion(+)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Does the universe only have a finite lifespan? No, its going to go on
forever, its just that you wont like living in it. -- Hiranya Peiri

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/4] avcodec/jpeglsdec: Check Jpeg-LS LSE

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 806 bytes --]

On Sat, Dec 16, 2023 at 01:16:18PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147478526 + 33924 cannot be represented in type 'int'
> Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
> Fixes: 64243/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5195717848989696
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/jpeglsdec.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

While the State exists there can be no freedom; when there is freedom there
will be no State. -- Vladimir Lenin

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/4] avformat/mov: do not set sign bit for chunk_offsets

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 720 bytes --]

On Sat, Dec 16, 2023 at 01:16:19PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2314885530818453536 - -7412889664301817824 cannot be represented in type 'long'
> Fixes: 64296/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6304027146846208
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".