Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table()
@ 2024-04-01  2:00 Michael Niedermayer
  2024-04-01  2:00 ` [FFmpeg-devel] [PATCH 2/3] avcodec/exr: Dont use 64bits to hold 6bits Michael Niedermayer
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Michael Niedermayer @ 2024-04-01  2:00 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Timeout
Fixes: 67645/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6308760977997824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exr.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 0f1f683e7e7..09f2fca109c 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -335,7 +335,10 @@ static int huf_unpack_enc_table(GetByteContext *gb,
         return ret;
 
     for (; im <= iM; im++) {
-        uint64_t l = freq[im] = get_bits(&gbit, 6);
+        uint64_t l;
+        if (get_bits_left(&gbit) < 6)
+            return AVERROR_INVALIDDATA;
+        l = freq[im] = get_bits(&gbit, 6);
 
         if (l == LONG_ZEROCODE_RUN) {
             int zerun = get_bits(&gbit, 8) + SHORTEST_LONG_RUN;
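
Review bot: the new `get_bits_left(&gbit) < 6` check guards only the 6-bit length read; in the `l == LONG_ZEROCODE_RUN` branch directly below it, `get_bits(&gbit, 8)` still runs without any check that 8 more bits remain. Consider adding the same kind of test before that read, so a truncated table is rejected at the point where it runs short. The commit message says only "Fixes: Timeout"; one sentence on why running out of bits in this loop produces the timeout would help later readers.
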
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/3] avcodec/exr: Dont use 64bits to hold 6bits
  2024-04-01  2:00 [FFmpeg-devel] [PATCH 1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Michael Niedermayer
@ 2024-04-01  2:00 ` Michael Niedermayer
  2024-04-01  2:00 ` [FFmpeg-devel] [PATCH 3/3] avcodec/hevcdec: Fix null dereference in hevc_frame_end() Michael Niedermayer
  2024-04-02 21:26 ` [FFmpeg-devel] [PATCH 1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Michael Niedermayer
  2 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2024-04-01  2:00 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/exr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 09f2fca109c..8bd39f78a45 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -335,7 +335,7 @@ static int huf_unpack_enc_table(GetByteContext *gb,
         return ret;
 
     for (; im <= iM; im++) {
-        uint64_t l;
+        int l;
         if (get_bits_left(&gbit) < 6)
             return AVERROR_INVALIDDATA;
         l = freq[im] = get_bits(&gbit, 6);
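
Review bot: the declaration `int l;` changes the signedness of `l` as well as its width, while the subject only mentions the width. The hunk does not show the later uses of `l` in the loop body, so please confirm that none of them relies on unsigned arithmetic (a shift or a comparison against an unsigned value), or declare it `unsigned` so that only the width changes. The commit message has no body; a line stating that `l` only ever holds the 6-bit value read here would document why the narrower type is safe.
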
-- 
2.17.1


* [FFmpeg-devel] [PATCH 3/3] avcodec/hevcdec: Fix null dereference in hevc_frame_end()
  2024-04-01  2:00 [FFmpeg-devel] [PATCH 1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Michael Niedermayer
  2024-04-01  2:00 ` [FFmpeg-devel] [PATCH 2/3] avcodec/exr: Dont use 64bits to hold 6bits Michael Niedermayer
@ 2024-04-01  2:00 ` Michael Niedermayer
  2024-04-01 12:23   ` Andreas Rheinhardt
  2024-04-02 21:26 ` [FFmpeg-devel] [PATCH 1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Michael Niedermayer
  2 siblings, 1 reply; 5+ messages in thread
From: Michael Niedermayer @ 2024-04-01  2:00 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: member access within null pointer of type 'const AVFilmGrainParams' (aka 'const struct AVFilmGrainParams')
Fixes: 67701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6595117570916352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevcdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 752459af2d3..2514d522ba5 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -2945,6 +2945,8 @@ static int hevc_frame_end(HEVCContext *s)
     if (out->needs_fg) {
         av_assert0(out->frame_grain->buf[0]);
         fgp = av_film_grain_params_select(out->frame);
+        if (!fgp)
+            return 0;
         switch (fgp->type) {
         case AV_FILM_GRAIN_PARAMS_NONE:
             av_assert0(0);
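
Review bot: `return 0` in the new `if (!fgp)` branch reports success while still inside `if (out->needs_fg)`, right after the assert that `out->frame_grain->buf[0]` is allocated, so the function exits without the `switch` ever running for that frame. If a missing parameter set means invalid input here, return an error instead; if it is acceptable, make the state consistent (for example by no longer treating the frame as needing film grain) rather than skipping silently. The hunk does not show what follows the `switch`, and the early return skips that as well.
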
-- 
2.17.1


* Re: [FFmpeg-devel] [PATCH 3/3] avcodec/hevcdec: Fix null dereference in hevc_frame_end()
  2024-04-01  2:00 ` [FFmpeg-devel] [PATCH 3/3] avcodec/hevcdec: Fix null dereference in hevc_frame_end() Michael Niedermayer
@ 2024-04-01 12:23   ` Andreas Rheinhardt
  0 siblings, 0 replies; 5+ messages in thread
From: Andreas Rheinhardt @ 2024-04-01 12:23 UTC (permalink / raw)
  To: ffmpeg-devel

Michael Niedermayer:
> Fixes: member access within null pointer of type 'const AVFilmGrainParams' (aka 'const struct AVFilmGrainParams')
> Fixes: 67701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6595117570916352
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hevcdec.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
> index 752459af2d3..2514d522ba5 100644
> --- a/libavcodec/hevcdec.c
> +++ b/libavcodec/hevcdec.c
> @@ -2945,6 +2945,8 @@ static int hevc_frame_end(HEVCContext *s)
>      if (out->needs_fg) {
>          av_assert0(out->frame_grain->buf[0]);
>          fgp = av_film_grain_params_select(out->frame);
> +        if (!fgp)
> +            return 0;
>          switch (fgp->type) {
>          case AV_FILM_GRAIN_PARAMS_NONE:
>              av_assert0(0);
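
Review bot: the added `if (!fgp)` branch is silent: there is no log message and no comment saying when `av_film_grain_params_select(out->frame)` can return NULL for a frame that has `needs_fg` set. A short comment and a warning-level log line at this spot would make the skipped case visible when it happens.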

There seems to be a deeper logic bug here: If there is no usable (as
defined by av_film_grain_params_select()) film grain stuff here, then
the frame_grain frame will be "blank" (may contain e.g. an earlier
frame, but definitely not the one it is supposed to have), but it will
nevertheless be the frame to be output.

- Andreas


* Re: [FFmpeg-devel] [PATCH 1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table()
  2024-04-01  2:00 [FFmpeg-devel] [PATCH 1/3] avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Michael Niedermayer
  2024-04-01  2:00 ` [FFmpeg-devel] [PATCH 2/3] avcodec/exr: Dont use 64bits to hold 6bits Michael Niedermayer
  2024-04-01  2:00 ` [FFmpeg-devel] [PATCH 3/3] avcodec/hevcdec: Fix null dereference in hevc_frame_end() Michael Niedermayer
@ 2024-04-02 21:26 ` Michael Niedermayer
  2 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2024-04-02 21:26 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Mon, Apr 01, 2024 at 04:00:04AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 67645/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6308760977997824
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/exr.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

will apply patches 1+2

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The educated differ from the uneducated as much as the living from the
dead. -- Aristotle 

