Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list
@ 2024-04-26  3:08 Michael Niedermayer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Michael Niedermayer
                   ` (5 more replies)
  0 siblings, 6 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-04-26  3:08 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Null pointer dereference
Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index ecd29a7d08b..97a24e6737e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -9289,6 +9289,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid,
     if (tile_grid->nb_tiles != size)
         return AVERROR_INVALIDDATA;
 
+    for (int i = 0; i < size; i++)
+        if (!grid->tile_item_list[i])
+            return AVERROR_INVALIDDATA;
     for (int i = 0; i < tile_cols; i++)
         tile_grid->coded_width  += grid->tile_item_list[i]->width;
     for (int i = 0; i < size; i += tile_cols)
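Review bot: the new loop prevents the NULL dereference at grid->tile_item_list[i]->width below, but a NULL entry in tile_item_list is a symptom rather than the defect: the grid is passed in const, so the list was filled elsewhere, and a NULL slot means a referenced tile item was not found when the grid was parsed. Rejecting the grid at that point would stop a malformed file earlier and keep this function free of a check that re-walks the whole list; if the loop stays as belt-and-braces, a comment saying why NULLs can appear here would help the next reader.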
-- 
2.43.2

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template
  2024-04-26  3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer
@ 2024-04-26  3:08 ` Michael Niedermayer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 3/6] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Michael Niedermayer
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-04-26  3:08 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int'
Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832

The input is 9 bit in 16 bit; the fuzzer fills all 16 bits, thus generating "invalid" input.
No overflow should happen with valid input.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libswscale/output.c | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/libswscale/output.c b/libswscale/output.c
index 8849a3201a6..0b6c77e167d 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1207,8 +1207,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
 
     if (uvalpha < 2048) {
         for (i = 0; i < ((dstW + 1) >> 1); i++) {
-            int Y1 = (buf0[i * 2]    ) >> 2;
-            int Y2 = (buf0[i * 2 + 1]) >> 2;
+            SUINT Y1 = (buf0[i * 2]    ) >> 2;
+            SUINT Y2 = (buf0[i * 2 + 1]) >> 2;
             int U  = (ubuf0[i] - (128 << 11)) >> 2;
             int V  = (vbuf0[i] - (128 << 11)) >> 2;
             int R, G, B;
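Review bot: the commit message cites a multiplication overflow (-831176 * 9539), but neither factor appears in this hunk; the change only retypes Y1 and Y2 to SUINT, so the arithmetic that actually wraps is whatever uses Y1/Y2 in the unshown lines between this hunk and the next (1215 to 1231). Stating in the commit message that SUINT makes that use of Y1/Y2 unsigned, rather than only quoting the sanitizer line, would let a reviewer verify the fix without opening the file.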
@@ -1232,20 +1232,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
             G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff;
             B =                            U * c->yuv2rgb_u2b_coeff;
 
-            output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16));
-            output_pixel(&dest[1], av_clip_uintp2(((  G + Y1) >> 14) + (1<<15), 16));
-            output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16));
+            output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16));
+            output_pixel(&dest[1], av_clip_uintp2(((int)(  G + Y1) >> 14) + (1<<15), 16));
+            output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16));
             if (eightbytes) {
                 output_pixel(&dest[3], av_clip_uintp2(A1      , 30) >> 14);
-                output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[5], av_clip_uintp2(((  G + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[5], av_clip_uintp2(((int)(  G + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16));
                 output_pixel(&dest[7], av_clip_uintp2(A2      , 30) >> 14);
                 dest += 8;
             } else {
-                output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[4], av_clip_uintp2(((  G + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[4], av_clip_uintp2(((int)(  G + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16));
                 dest += 6;
             }
         }
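Review bot: the (int) cast before >> 14 is load-bearing: R_B + Y1 is now computed in unsigned arithmetic because Y1 is SUINT, and without converting the wrapped sum back to int the shift would be logical, turning a negative intermediate into a large positive one that av_clip_uintp2(..., 16) saturates to 0xffff instead of the intended value near the (1<<15) bias. Since the cast is repeated on every output_pixel() line, a one-line comment at the first occurrence explaining that it restores the signed interpretation after intentional wraparound (and that an arithmetic right shift of a negative int is assumed) would help future readers.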
@@ -1253,8 +1253,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
         const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1];
         int A1 = 0xffff<<14, A2 = 0xffff<<14;
         for (i = 0; i < ((dstW + 1) >> 1); i++) {
-            int Y1 = (buf0[i * 2]    ) >> 2;
-            int Y2 = (buf0[i * 2 + 1]) >> 2;
+            SUINT Y1 = (buf0[i * 2]    ) >> 2;
+            SUINT Y2 = (buf0[i * 2 + 1]) >> 2;
             int U  = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3;
             int V  = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3;
             int R, G, B;
@@ -1278,20 +1278,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
             G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff;
             B =                            U * c->yuv2rgb_u2b_coeff;
 
-            output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16));
-            output_pixel(&dest[1], av_clip_uintp2(((  G + Y1) >> 14) + (1<<15), 16));
-            output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16));
+            output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16));
+            output_pixel(&dest[1], av_clip_uintp2(((int)(  G + Y1) >> 14) + (1<<15), 16));
+            output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16));
             if (eightbytes) {
                 output_pixel(&dest[3], av_clip_uintp2(A1      , 30) >> 14);
-                output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[5], av_clip_uintp2(((  G + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[5], av_clip_uintp2(((int)(  G + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16));
                 output_pixel(&dest[7], av_clip_uintp2(A2      , 30) >> 14);
                 dest += 8;
             } else {
-                output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[4], av_clip_uintp2(((  G + Y2) >> 14) + (1<<15), 16));
-                output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[4], av_clip_uintp2(((int)(  G + Y2) >> 14) + (1<<15), 16));
+                output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16));
                 dest += 6;
             }
         }
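Review bot: this is the second copy of the same nine-line cast change in this function (and the SUINT retype above it is the second copy of the first hunk); with this much duplication a line missed in a future edit would compile silently. Factoring the three R/G/B writes into a static inline helper taking (R_B, G, B_R, Y) would put the cast in exactly one place. Not a blocker for the fix itself.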
-- 
2.43.2


* [FFmpeg-devel] [PATCH 3/6] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template()
  2024-04-26  3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Michael Niedermayer
@ 2024-04-26  3:08 ` Michael Niedermayer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets Michael Niedermayer
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-04-26  3:08 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int'
Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560

The input is 9 bit in 16 bit; the fuzzer fills all 16 bits, thus generating "invalid" input.
No overflow should happen with valid input.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libswscale/output.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/libswscale/output.c b/libswscale/output.c
index 0b6c77e167d..b234f9c6b9a 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1429,7 +1429,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
 
     if (uvalpha < 2048) {
         for (i = 0; i < dstW; i++) {
-            int Y  = (buf0[i]) >> 2;
+            SUINT Y  = (buf0[i]) >> 2;
             int U  = (ubuf0[i] - (128 << 11)) >> 2;
             int V  = (vbuf0[i] - (128 << 11)) >> 2;
             int R, G, B;
@@ -1448,9 +1448,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
             G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff;
             B =                            U * c->yuv2rgb_u2b_coeff;
 
-            output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16));
-            output_pixel(&dest[1], av_clip_uintp2(((  G + Y) >> 14) + (1<<15), 16));
-            output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16));
+            output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16));
+            output_pixel(&dest[1], av_clip_uintp2(((int)(  G + Y) >> 14) + (1<<15), 16));
+            output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16));
             if (eightbytes) {
                 output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14);
                 dest += 4;
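Review bot: here the sanitizer report is an addition (-1082982400 + -1079364728), which matches the R_B + Y sums in this hunk: two large negative operands with Y now SUINT wrap instead of overflowing, and the (int) cast before >> 14 restores the signed value for the shift. Same remark as for yuv2rgba64_1_c_template: the cast is easy to drop by accident in a later edit, so a short comment at the first output_pixel() line, and ideally a shared helper used by both template functions, would be worthwhile.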
@@ -1462,7 +1462,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
         const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1];
         int A = 0xffff<<14;
         for (i = 0; i < dstW; i++) {
-            int Y  = (buf0[i]    ) >> 2;
+            SUINT Y  = (buf0[i]    ) >> 2;
             int U  = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3;
             int V  = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3;
             int R, G, B;
@@ -1481,9 +1481,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
             G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff;
             B =                            U * c->yuv2rgb_u2b_coeff;
 
-            output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16));
-            output_pixel(&dest[1], av_clip_uintp2(((  G + Y) >> 14) + (1<<15), 16));
-            output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16));
+            output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16));
+            output_pixel(&dest[1], av_clip_uintp2(((int)(  G + Y) >> 14) + (1<<15), 16));
+            output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16));
             if (eightbytes) {
                 output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14);
                 dest += 4;
-- 
2.43.2


* [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets
  2024-04-26  3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Michael Niedermayer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 3/6] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Michael Niedermayer
@ 2024-04-26  3:08 ` Michael Niedermayer
  2024-04-26 12:56   ` James Almer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 5/6] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 Michael Niedermayer
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 11+ messages in thread
From: Michael Niedermayer @ 2024-04-26  3:08 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Assertion pkt->stream_index < (unsigned)s->nb_streams && "Invalid stream index.\n" failed at libavformat/demux.c:572
Fixes: 67890/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5166340789829632.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/iamfdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c
index e34d13e74c5..67ff7e8f01a 100644
--- a/libavformat/iamfdec.c
+++ b/libavformat/iamfdec.c
@@ -162,6 +162,9 @@ static int iamf_read_packet(AVFormatContext *s, AVPacket *pkt)
     IAMFDemuxContext *const c = s->priv_data;
     int ret;
 
+    if (!s->nb_streams)
+        return AVERROR_EOF;
+
     ret = ff_iamf_read_packet(s, c, s->pb, INT_MAX, pkt);
     if (ret < 0)
         return ret;
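Review bot: returning AVERROR_EOF here makes a file that yielded no streams look like a clean, empty input to callers, and the check runs on every packet read. Whether any stream exists is already known once the header has been parsed, so failing with AVERROR_INVALIDDATA in the header-reading path when no stream was created would be the more accurate place for it. The assertion quoted in the commit message compares pkt->stream_index against s->nb_streams, so the guard's job is to keep ff_iamf_read_packet() from producing a packet with no stream to attach it to; that intent should be stated in a comment if the check stays here.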
-- 
2.43.2


* [FFmpeg-devel] [PATCH 5/6] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2
  2024-04-26  3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer
                   ` (2 preceding siblings ...)
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets Michael Niedermayer
@ 2024-04-26  3:08 ` Michael Niedermayer
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset Michael Niedermayer
  2024-04-26 12:30 ` [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list James Almer
  5 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-04-26  3:08 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: 2097152000 + 107142979 cannot be represented in type 'int'
Fixes: 67919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5955101769400320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index b4b26958e6f..93b76c43e8a 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -689,7 +689,7 @@ static int decode_5elp(AVCodecContext *avctx,
                 for (int o = 0; o < order; o++)
                     sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
 
-                samples[n + 70] += ac_out[n] + (sum >> 4);
+                samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4);
             }
 
             for (int n = 0; n < 70; n++)
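Review bot: the cast applies to the shifted value, so sum >> 4 is still an arithmetic shift of a signed (possibly negative) sum, and only the addition to ac_out[n] and the += into samples[n + 70] move into unsigned arithmetic, matching the (unsigned) cast already used in the filter accumulation two lines above. That is intended wraparound rather than a precision change and deserves a one-line comment; the comment could also state that sum >> 4 on a negative int assumes an arithmetic right shift.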
-- 
2.43.2


* [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset
  2024-04-26  3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer
                   ` (3 preceding siblings ...)
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 5/6] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 Michael Niedermayer
@ 2024-04-26  3:08 ` Michael Niedermayer
  2024-04-29 20:25   ` Tomas Härdin
  2024-04-26 12:30 ` [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list James Almer
  5 siblings, 1 reply; 11+ messages in thread
From: Michael Niedermayer @ 2024-04-26  3:08 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long'
Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 233d614f783..e65cec74c23 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
     partition->index_sid = avio_rb32(pb);
     partition->body_offset = avio_rb64(pb);
     partition->body_sid = avio_rb32(pb);
+    if (partition->body_offset < 0)
+        return AVERROR_INVALIDDATA;
+
     if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) {
         av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n");
         return AVERROR_INVALIDDATA;
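Review bot: body_offset is read with avio_rb64(), which yields an unsigned 64-bit value, so once stored in a signed field the < 0 test is effectively rejecting offsets with the top bit set (>= 2^63). That is a deliberate narrowing of the spec's UInt64 range and deserves a comment at the check so nobody later "fixes" it by widening the field. The subtraction in the sanitizer report has a huge negative right-hand operand, which this check excludes at parse time rather than at each use; checking at parse time is the right place. Consider whether any other 64-bit offsets read by this function need the same bound.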
-- 
2.43.2


* Re: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list
  2024-04-26  3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer
                   ` (4 preceding siblings ...)
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset Michael Niedermayer
@ 2024-04-26 12:30 ` James Almer
  2024-04-27 18:06   ` Michael Niedermayer
  5 siblings, 1 reply; 11+ messages in thread
From: James Almer @ 2024-04-26 12:30 UTC (permalink / raw)
  To: ffmpeg-devel

On 4/26/2024 12:08 AM, Michael Niedermayer wrote:
> Fixes: Null pointer dereference
> Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/mov.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index ecd29a7d08b..97a24e6737e 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -9289,6 +9289,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid,
>       if (tile_grid->nb_tiles != size)
>           return AVERROR_INVALIDDATA;
>   
> +    for (int i = 0; i < size; i++)
> +        if (!grid->tile_item_list[i])
> +            return AVERROR_INVALIDDATA;
>       for (int i = 0; i < tile_cols; i++)
>           tile_grid->coded_width  += grid->tile_item_list[i]->width;
>       for (int i = 0; i < size; i += tile_cols)

We shouldn't get this far if that's NULL. Does the following also work?

> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index ecd29a7d08..b21c4b6f3c 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -9440,7 +9440,7 @@ static int mov_parse_tiles(AVFormatContext *s)
>                  break;
>              }
> 
> -            if (k == grid->nb_tiles) {
> +            if (k == mov->nb_heif_item) {
>                  av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced by grid id %d doesn't "
>                                            "exist\n",
>                         tile_id, grid->item->item_id);
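Review bot: this replaces the sentinel compared against k after the search loop: the loop walks the demuxer's HEIF items looking for tile_id, so k reaching the end of that search should be tested against the number of HEIF items (mov->nb_heif_item), not the number of tiles in the grid. With the wrong bound the "doesn't exist" warning could be skipped for a missing item and the grid's tile_item_list left with a NULL slot, which is the dereference patch 1/6 papers over in read_image_grid(). This is the root-cause fix; with it applied, the loop from 1/6 becomes redundant or at most an assertion.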

* Re: [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets Michael Niedermayer
@ 2024-04-26 12:56   ` James Almer
  0 siblings, 0 replies; 11+ messages in thread
From: James Almer @ 2024-04-26 12:56 UTC (permalink / raw)
  To: ffmpeg-devel

On 4/26/2024 12:08 AM, Michael Niedermayer wrote:
> Fixes: Assertion pkt->stream_index < (unsigned)s->nb_streams && "Invalid stream index.\n" failed at libavformat/demux.c:572
> Fixes: 67890/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5166340789829632.fuzz
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/iamfdec.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c
> index e34d13e74c5..67ff7e8f01a 100644
> --- a/libavformat/iamfdec.c
> +++ b/libavformat/iamfdec.c
> @@ -162,6 +162,9 @@ static int iamf_read_packet(AVFormatContext *s, AVPacket *pkt)
>       IAMFDemuxContext *const c = s->priv_data;
>       int ret;
>   
> +    if (!s->nb_streams)
> +        return AVERROR_EOF;
> +
>       ret = ff_iamf_read_packet(s, c, s->pb, INT_MAX, pkt);
>       if (ret < 0)
>           return ret;

This should be checked in iamf_read_header() instead, after the 
nb_audio_elements loop that would add streams, and return INVALIDDATA if 
there's none.

* Re: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list
  2024-04-26 12:30 ` [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list James Almer
@ 2024-04-27 18:06   ` Michael Niedermayer
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-04-27 18:06 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Fri, Apr 26, 2024 at 09:30:50AM -0300, James Almer wrote:
> On 4/26/2024 12:08 AM, Michael Niedermayer wrote:
> > Fixes: Null pointer dereference
> > Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavformat/mov.c | 3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index ecd29a7d08b..97a24e6737e 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -9289,6 +9289,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid,
> >       if (tile_grid->nb_tiles != size)
> >           return AVERROR_INVALIDDATA;
> > +    for (int i = 0; i < size; i++)
> > +        if (!grid->tile_item_list[i])
> > +            return AVERROR_INVALIDDATA;
> >       for (int i = 0; i < tile_cols; i++)
> >           tile_grid->coded_width  += grid->tile_item_list[i]->width;
> >       for (int i = 0; i < size; i += tile_cols)
> 
> We shouldn't get this far if that's NULL. Does the following also work?
> 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index ecd29a7d08..b21c4b6f3c 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -9440,7 +9440,7 @@ static int mov_parse_tiles(AVFormatContext *s)
> >                  break;
> >              }
> > 
> > -            if (k == grid->nb_tiles) {
> > +            if (k == mov->nb_heif_item) {

works, please apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Old school: Use the lowest level language in which you can solve the problem
            conveniently.
New school: Use the highest level language in which the latest supercomputer
            can solve the problem without the user falling asleep waiting.



* Re: [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset
  2024-04-26  3:08 ` [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset Michael Niedermayer
@ 2024-04-29 20:25   ` Tomas Härdin
  2024-05-05  1:34     ` Michael Niedermayer
  0 siblings, 1 reply; 11+ messages in thread
From: Tomas Härdin @ 2024-04-29 20:25 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

fre 2024-04-26 klockan 05:08 +0200 skrev Michael Niedermayer:
> Fixes: signed integer overflow: 538976288 - -9223372036315799520
> cannot be represented in type 'long'
> Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> 5523457266745344
> 
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mxfdec.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 233d614f783..e65cec74c23 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg,
> AVIOContext *pb, int tag, int size
>      partition->index_sid = avio_rb32(pb);
>      partition->body_offset = avio_rb64(pb);
>      partition->body_sid = avio_rb32(pb);
> +    if (partition->body_offset < 0)
> +        return AVERROR_INVALIDDATA;

The spec says BodyOffset is UInt64, so this means we drop support for
files >= 2^63 bytes. This is probably fine though. Supporting such
large files would be a pain in more places than here.

MXF is sometimes used to archive scanned copies of film, but even raw
16k rgb48 essence @ 120 Hz takes over 1000 days of footage to hit the
2^63 limit.

I took a look at the body_offset logic and it looks like it should be
correct when we force them to be non-negative.

TL;DR: looks OK

/Tomas

* Re: [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset
  2024-04-29 20:25   ` Tomas Härdin
@ 2024-05-05  1:34     ` Michael Niedermayer
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-05-05  1:34 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Mon, Apr 29, 2024 at 10:25:33PM +0200, Tomas Härdin wrote:
> fre 2024-04-26 klockan 05:08 +0200 skrev Michael Niedermayer:
> > Fixes: signed integer overflow: 538976288 - -9223372036315799520
> > cannot be represented in type 'long'
> > Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> > 5523457266745344
> > 
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mxfdec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > index 233d614f783..e65cec74c23 100644
> > --- a/libavformat/mxfdec.c
> > +++ b/libavformat/mxfdec.c
> > @@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg,
> > AVIOContext *pb, int tag, int size
> >      partition->index_sid = avio_rb32(pb);
> >      partition->body_offset = avio_rb64(pb);
> >      partition->body_sid = avio_rb32(pb);
> > +    if (partition->body_offset < 0)
> > +        return AVERROR_INVALIDDATA;
> 
> The spec says BodyOffset is UInt64, so this means we drop support for
> files >= 2^63 bytes. This is probably fine though. Supporting such
> large files would be a pain in more places than here.
> 
> MXF is sometimes used to archive scanned copies of film, but even raw
> 16k rgb48 essence @ 120 Hz takes over 1000 days of footage to hit the
> 2^63 limit..
> 
> I took a look at the body_offset logic and it looks like it should be
> correct when we force them to be non-negative.
> 
> TL;DR: looks OK

will apply
will also apply 2,3,5 of this set

thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I have never wished to cater to the crowd; for what I know they do not
approve, and what they approve I do not know. -- Epicurus


