[FFmpeg-devel] [PATCH 1/7] avcodec/hcadec: do not set hfr_group_count to invalid values

[FFmpeg-devel] [PATCH 1/7] avcodec/hcadec: do not set hfr_group_count to invalid values

[Michael Niedermayer]

Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488
Fixes: out of array write

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hcadec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c
index 026b998341c..8c8c235f7b3 100644
--- a/libavcodec/hcadec.c
+++ b/libavcodec/hcadec.c
@@ -212,6 +212,7 @@ static int init_hca(AVCodecContext *avctx, const uint8_t *extradata,
     int8_t r[16] = { 0 };
     unsigned b, chunk;
     int version, ret;
+    unsigned hfr_group_count;
 
     init_flush(avctx);
 
@@ -336,11 +337,12 @@ static int init_hca(AVCodecContext *avctx, const uint8_t *extradata,
     if (c->total_band_count < c->base_band_count)
         return AVERROR_INVALIDDATA;
 
-    c->hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count),
+    hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count),
                                c->bands_per_hfr_group);
 
-    if (c->base_band_count + c->stereo_band_count + (unsigned long)c->hfr_group_count > 128ULL)
+    if (c->base_band_count + c->stereo_band_count + (uint64_t)hfr_group_count > 128ULL)
         return AVERROR_INVALIDDATA;
+    c->hfr_group_count = hfr_group_count;
 
     for (int i = 0; i < avctx->ch_layout.nb_channels; i++) {
         c->ch[i].chan_type = r[i];
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/7] avcodec/hcadec: do not allow code to continue after failed init

[Michael Niedermayer]

Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488
Fixes: out of array write

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hcadec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c
index 8c8c235f7b3..88146c7cdd3 100644
--- a/libavcodec/hcadec.c
+++ b/libavcodec/hcadec.c
@@ -538,8 +538,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
             return AVERROR_INVALIDDATA;
         } else if (AV_RB16(avpkt->data + 6) <= avpkt->size) {
             ret = init_hca(avctx, avpkt->data, AV_RB16(avpkt->data + 6));
-            if (ret < 0)
+            if (ret < 0) {
+                c->crc_table = NULL; // signal that init has not finished
                 return ret;
+            }
             offset = AV_RB16(avpkt->data + 6);
             if (offset == avpkt->size)
                 return avpkt->size;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/7] avcodec/qoadec: Fix undefined overflow in lms_predict

[Michael Niedermayer]

Fixes: signed integer overflow: -1575944192 + -602931200 cannot be represented in type 'int'
Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QOA_fuzzer-6470469339185152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/qoadec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/qoadec.c b/libavcodec/qoadec.c
index 75099d1199f..c5cf351f9c1 100644
--- a/libavcodec/qoadec.c
+++ b/libavcodec/qoadec.c
@@ -67,7 +67,7 @@ static int qoa_lms_predict(QOAChannel *lms)
 {
     int prediction = 0;
     for (int i = 0; i < QOA_LMS_LEN; i++)
-        prediction += lms->weights[i] * lms->history[i];
+        prediction += (unsigned)lms->weights[i] * lms->history[i];
     return prediction >> 13;
 }
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/7] avcodec/rtv1: fix undefined FFALIGN

[Michael Niedermayer]

Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type 'int'
Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rtv1.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c
index 06afe9e873c..807c8a34666 100644
--- a/libavcodec/rtv1.c
+++ b/libavcodec/rtv1.c
@@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
 
     width = bytestream2_get_le32(&gb);
     height = bytestream2_get_le32(&gb);
+    if (width > INT_MAX-4U || height > INT_MAX-4U)
+        return AVERROR_INVALIDDATA;
     ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4));
     if (ret < 0)
         return ret;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/7] avcodec/rtv1: fix undefined FFALIGN

[James Almer]

On 3/25/2024 11:30 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type 'int'
> Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/rtv1.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c
> index 06afe9e873c..807c8a34666 100644
> --- a/libavcodec/rtv1.c
> +++ b/libavcodec/rtv1.c
> @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
>   
>       width = bytestream2_get_le32(&gb);
>       height = bytestream2_get_le32(&gb);
> +    if (width > INT_MAX-4U || height > INT_MAX-4U)

Does this promote width and height to unsigned? If not, you may want to 
cast them to unsigned (or check for < 0) and remove the then unnecessary 
U to the 4.

> +        return AVERROR_INVALIDDATA;
>       ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4));
>       if (ret < 0)
>           return ret;
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/7] avcodec/rtv1: fix undefined FFALIGN

[Andreas Rheinhardt]

James Almer:
> On 3/25/2024 11:30 PM, Michael Niedermayer wrote:
>> Fixes: signed integer overflow: 2147483647 + 4 cannot be represented
>> in type 'int'
>> Fixes:
>> 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>   libavcodec/rtv1.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c
>> index 06afe9e873c..807c8a34666 100644
>> --- a/libavcodec/rtv1.c
>> +++ b/libavcodec/rtv1.c
>> @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx,
>> AVFrame *p,
>>         width = bytestream2_get_le32(&gb);
>>       height = bytestream2_get_le32(&gb);
>> +    if (width > INT_MAX-4U || height > INT_MAX-4U)
> 
> Does this promote width and height to unsigned? If not, you may want to
> cast them to unsigned (or check for < 0) and remove the then unnecessary
> U to the 4.

The right hand side of the comparisons is an unsigned; if width and
height are ints (as i presume based upon the commit message), they get
promoted to unsigned.

> 
>> +        return AVERROR_INVALIDDATA;
>>       ret = ff_set_dimensions(avctx, FFALIGN(width, 4),
>> FFALIGN(height, 4));
>>       if (ret < 0)
>>           return ret;
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 5/7] avcodec/truemotion1: Height not being a multiple of 4 is unsupported

[Michael Niedermayer]

mb_change_bits is given space based on height >> 2, while more data is read

Fixes: out of array access
Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5201925062590464.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/truemotion1.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index 6b0ee225691..784576d01b3 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -408,6 +408,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
         return AVERROR_PATCHWELCOME;
     }
 
+    if (s->h & 3) {
+        avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4");
+        return AVERROR_PATCHWELCOME;
+    }
+
     if (s->w != s->avctx->width || s->h != s->avctx->height ||
         new_pix_fmt != s->avctx->pix_fmt) {
         av_frame_unref(s->frame);
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 6/7] avcodec/wavarc: Avoid signed integer overflow in sample

[Michael Niedermayer]

Fixes: signed integer overflow: -2147483648 + -25122315 cannot be represented in type 'int'
Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6199806972198912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 09ed4d473a2..99cbaf01091 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -374,7 +374,7 @@ static int decode_2slp(AVCodecContext *avctx,
                 for (int o = 0; o < order; o++)
                     sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
 
-                samples[n + 70] = get_srice(gb, k) + (sum >> 4);
+                samples[n + 70] = get_srice(gb, k) + (unsigned)(sum >> 4);
             }
             finished = 1;
             break;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 7/7] avcodec/wavarc: avoid signed integer overflow in AC code

[Michael Niedermayer]

Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-659847401740697
Fixes: signed integer overflow: 65312 * 34078 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 99cbaf01091..aa1af6330bb 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -414,7 +414,7 @@ static int ac_init(AVCodecContext *avctx,
 
 static uint16_t ac_get_prob(WavArcContext *s)
 {
-    return ((s->freq_range - 1) + (s->ac_value - s->ac_low) * s->freq_range) /
+    return ((s->freq_range - 1) + (s->ac_value - s->ac_low) * (unsigned)s->freq_range) /
            ((s->ac_high - s->ac_low) + 1U);
 }
 
@@ -439,8 +439,8 @@ static int ac_normalize(AVCodecContext *avctx, WavArcContext *s, GetBitContext *
         goto fail;
 
     range = (s->ac_high - s->ac_low) + 1;
-    s->ac_high = (range * s->range_high) / s->freq_range + s->ac_low - 1;
-    s->ac_low += (range * s->range_low)  / s->freq_range;
+    s->ac_high = (range * (unsigned)s->range_high) / s->freq_range + s->ac_low - 1;
+    s->ac_low += (range * (unsigned)s->range_low)  / s->freq_range;
 
     if (s->ac_high < s->ac_low)
         goto fail;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/7] avcodec/hcadec: do not set hfr_group_count to invalid values

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 891 bytes --]

On Tue, Mar 26, 2024 at 03:30:50AM +0100, Michael Niedermayer wrote:
> Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488
> Fixes: out of array write
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hcadec.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

if there are no objections i will apply this patchset before making the 7.0 branch

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Old school: Use the lowest level language in which you can solve the problem
            conveniently.
New school: Use the highest level language in which the latest supercomputer
            can solve the problem without the user falling asleep waiting.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".