* [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list @ 2024-04-26 3:08 Michael Niedermayer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Michael Niedermayer ` (5 more replies) 0 siblings, 6 replies; 11+ messages in thread From: Michael Niedermayer @ 2024-04-26 3:08 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: Null pointer dereference Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index ecd29a7d08b..97a24e6737e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -9289,6 +9289,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid, if (tile_grid->nb_tiles != size) return AVERROR_INVALIDDATA; + for (int i = 0; i < size; i++) + if (!grid->tile_item_list[i]) + return AVERROR_INVALIDDATA; for (int i = 0; i < tile_cols; i++) tile_grid->coded_width += grid->tile_item_list[i]->width; for (int i = 0; i < size; i += tile_cols) -- 2.43.2 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
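Review bot: the NULL check in read_image_grid() treats the symptom rather than the cause. A NULL entry in grid->tile_item_list[] means the tile lookup that fills the list let a missing item through (the follow-up diff for mov_parse_tiles() later in this thread shows its "not found" test comparing against the wrong bound), so the fix belongs at the lookup, with this loop at most kept as a sanity check carrying a comment that entries are expected to be non-NULL. On the hunk itself the bound is consistent: `tile_grid->nb_tiles != size` has just been rejected and both following loops index at most `size - 1`, so every `grid->tile_item_list[i]->width` dereference is covered. Returning AVERROR_INVALIDDATA without an av_log also makes the failure silent for users; an AV_LOG_ERROR naming the grid item would help diagnose a broken HEIF.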
* [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template 2024-04-26 3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer @ 2024-04-26 3:08 ` Michael Niedermayer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 3/6] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Michael Niedermayer ` (4 subsequent siblings) 5 siblings, 0 replies; 11+ messages in thread From: Michael Niedermayer @ 2024-04-26 3:08 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 8849a3201a6..0b6c77e167d 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1207,8 +1207,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
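Review bot: the overflow quoted in the commit message is a multiplication (`-831176 * 9539`), but this hunk only changes the declaration of Y1/Y2 to SUINT; the multiply that actually wrapped is not among the shown context lines, so the commit message should name that expression, otherwise a reader cannot tell why the declaration and not the multiplication was touched. Note also that `(buf0[i * 2]) >> 2` is still evaluated as a signed shift of the int32_t input before the conversion to SUINT, which is the intended order: the shift keeps the sign and only the arithmetic done on Y1/Y2 afterwards becomes wrapping.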
@@ -1232,20 +1232,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } 
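Review bot: the `(int)` cast here is required, not cosmetic. With Y1/Y2 now SUINT, `R_B + Y1` is an unsigned sum, and shifting it right by 14 without the cast would be a logical shift that turns a negative intermediate value (R_B and G are signed coefficient products) into a large positive one, which av_clip_uintp2(..., 16) then saturates to 0xffff instead of 0. The cast is on the sum and outside the shift, which is the correct spot; a one-line comment at the first cast saying so would stop a later cleanup from "simplifying" it away. Two caveats worth recording: converting an out-of-range unsigned back to int is implementation-defined in ISO C (two's complement wrap on every compiler FFmpeg targets, the same convention SUINT already relies on), and the alpha lines `av_clip_uintp2(A1, 30) >> 14` are rightly untouched because A1 stays int.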
@@ -1253,8 +1253,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
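Review bot: this hunk repeats the Y1/Y2 type change for the branch that averages ubuf0/ubuf1 and vbuf0/vbuf1 with `>> 3`, so the luma path is handled identically in both branches, which is what a reviewer wants to see. The chroma sums `(ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3` remain plain int, which is fine for samples in 16-bit range as the commit message describes the fuzzer input.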
@@ -1278,20 +1278,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } -- 2.43.2 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject 
"unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
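Review bot: the cast lines in the averaged-chroma branch are byte-for-byte the same as in the first branch, which means six `output_pixel()` lines per branch, duplicated across the eightbytes and non-eightbytes paths; a small macro or inline helper taking (dest, R_B, G, B_R, Y) would remove the duplication that makes a fix like this need four hunks, and would leave one place to keep the `(int)` cast. Style only; the change itself is applied consistently in every copy.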
* [FFmpeg-devel] [PATCH 3/6] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() 2024-04-26 3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Michael Niedermayer @ 2024-04-26 3:08 ` Michael Niedermayer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets Michael Niedermayer ` (3 subsequent siblings) 5 siblings, 0 replies; 11+ messages in thread From: Michael Niedermayer @ 2024-04-26 3:08 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int' Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 0b6c77e167d..b234f9c6b9a 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1429,7 +1429,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
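Review bot: unlike 2/6, the overflow reported here is an addition (`-1082982400 + -1079364728`), which matches the `R_B + Y` / `G + Y` sums in the next hunk rather than anything in this one; this hunk only makes Y an SUINT so that those sums wrap instead of overflowing. The commit message should say that the declaration change is what makes the later cast hunk well-defined. As in 2/6, `(buf0[i]) >> 2` is still shifted as a signed int32_t before the conversion, keeping the sign, which is the intended order.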
@@ -1448,9 +1448,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1462,7 +1462,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
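Review bot: two hunks on this line. In the 1448 hunk the `(int)` cast sits on the sum before the `>> 14`, which is required now that Y is unsigned: an unsigned logical shift would turn a negative `R_B + Y` into a large positive value that av_clip_uintp2(..., 16) saturates to 0xffff instead of 0. The 1462 hunk repeats the SUINT change for the ubuf1/vbuf1 branch. Both are consistent; what is missing is a one-line comment at the first cast explaining why the conversion back to int is there, since it looks redundant to anyone who does not know Y became SUINT.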
@@ -1481,9 +1481,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; -- 2.43.2 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
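Review bot: the last hunk mirrors 1448 for the averaged-chroma branch and is consistent. One caveat that applies to the whole series: converting an out-of-range unsigned value to int is implementation-defined in ISO C, so these casts rely on the two's complement wrap that FFmpeg's SUINT convention already assumes; that is fine for this codebase, but the change should be read as making the arithmetic UBSan-clean under that convention, not standards-clean in general.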
* [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets 2024-04-26 3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template Michael Niedermayer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 3/6] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template() Michael Niedermayer @ 2024-04-26 3:08 ` Michael Niedermayer 2024-04-26 12:56 ` James Almer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 5/6] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 Michael Niedermayer ` (2 subsequent siblings) 5 siblings, 1 reply; 11+ messages in thread From: Michael Niedermayer @ 2024-04-26 3:08 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: Assertion pkt->stream_index < (unsigned)s->nb_streams && "Invalid stream index.\n" failed at libavformat/demux.c:572 Fixes: 67890/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5166340789829632.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/iamfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c index e34d13e74c5..67ff7e8f01a 100644 --- a/libavformat/iamfdec.c +++ b/libavformat/iamfdec.c 
@@ -162,6 +162,9 @@ static int iamf_read_packet(AVFormatContext *s, AVPacket *pkt) IAMFDemuxContext *const c = s->priv_data; int ret; + if (!s->nb_streams) + return AVERROR_EOF; + ret = ff_iamf_read_packet(s, c, s->pb, INT_MAX, pkt); if (ret < 0) return ret; -- 2.43.2 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
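Review bot: the guard is in iamf_read_packet(), so it runs on every packet read and turns a header that produced no streams into a silently empty file (AVERROR_EOF). A file without streams is malformed rather than empty, so the more natural place is iamf_read_header(), after the loop that creates streams, returning AVERROR_INVALIDDATA; the user then gets an error at open time and read_packet keeps the invariant `nb_streams > 0` without a per-call check. If the read_packet check is kept as belt-and-braces, an av_log at the header site is still the user-visible part. The assertion being fixed (`pkt->stream_index < (unsigned)s->nb_streams`) fires for any stream_index once nb_streams is 0, which is why the header-time check is the complete fix.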
* Re: [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets Michael Niedermayer @ 2024-04-26 12:56 ` James Almer 0 siblings, 0 replies; 11+ messages in thread From: James Almer @ 2024-04-26 12:56 UTC (permalink / raw) To: ffmpeg-devel On 4/26/2024 12:08 AM, Michael Niedermayer wrote: > Fixes: Assertion pkt->stream_index < (unsigned)s->nb_streams && "Invalid stream index.\n" failed at libavformat/demux.c:572 > Fixes: 67890/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5166340789829632.fuzz > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/iamfdec.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c > index e34d13e74c5..67ff7e8f01a 100644 > --- a/libavformat/iamfdec.c > +++ b/libavformat/iamfdec.c > @@ -162,6 +162,9 @@ static int iamf_read_packet(AVFormatContext *s, AVPacket *pkt) > IAMFDemuxContext *const c = s->priv_data; > int ret; > > + if (!s->nb_streams) > + return AVERROR_EOF; > + > ret = ff_iamf_read_packet(s, c, s->pb, INT_MAX, pkt); > if (ret < 0) > return ret; This should be checked in iamf_read_header() instead, after the nb_audio_elements loop that would add streams, and return INVALIDDATA if there's none. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* [FFmpeg-devel] [PATCH 5/6] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 2024-04-26 3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer ` (2 preceding siblings ...) 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets Michael Niedermayer @ 2024-04-26 3:08 ` Michael Niedermayer 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset Michael Niedermayer 2024-04-26 12:30 ` [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list James Almer 5 siblings, 0 replies; 11+ messages in thread From: Michael Niedermayer @ 2024-04-26 3:08 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: signed integer overflow: 2097152000 + 107142979 cannot be represented in type 'int' Fixes: 67919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5955101769400320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index b4b26958e6f..93b76c43e8a 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -689,7 +689,7 @@ static int decode_5elp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - samples[n + 70] += ac_out[n] + (sum >> 4); + samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); } for (int n = 0; n < 70; n++) -- 2.43.2 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
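Review bot: the cast is applied to `(sum >> 4)`, after the shift, which is the right order: casting sum before the shift would make `>> 4` a logical shift and destroy the sign of a negative prediction, while casting after it only makes the addition with ac_out[n] wrap in unsigned arithmetic. The accumulation loop above already multiplies through `(unsigned)samples[...]`, so the prediction path is now wrap-defined end to end, with sum itself still shifted as a signed value; that placement is the subtle part and deserves a comment, since a later cleanup moving the cast inside the parentheses would be a silent behaviour change. Whether wrapped sample values are acceptable output for corrupt input, as opposed to clipping, is a decoder-policy choice the commit message could state.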
* [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset 2024-04-26 3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer ` (3 preceding siblings ...) 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 5/6] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 Michael Niedermayer @ 2024-04-26 3:08 ` Michael Niedermayer 2024-04-29 20:25 ` Tomas Härdin 2024-04-26 12:30 ` [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list James Almer 5 siblings, 1 reply; 11+ messages in thread From: Michael Niedermayer @ 2024-04-26 3:08 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long' Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 233d614f783..e65cec74c23 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA; -- 2.43.2 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
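Review bot: the field is read with avio_rb64() and stored in a signed body_offset, so the `< 0` test rejects values with the top bit set. The reported overflow (`538976288 - -9223372036315799520` in type 'long') is a subtraction involving body_offset elsewhere in the demuxer, not anything in this hunk, so the commit message should name that site so a reader can confirm the check covers every use. The check also makes values at or above 2^63, which the format allows for an unsigned 64-bit field, unsupported; that is reasonable, but it deserves a comment at the check rather than a bare INVALIDDATA, and an av_log like the one on the UID read just below would keep the error reporting consistent.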
* Re: [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset Michael Niedermayer @ 2024-04-29 20:25 ` Tomas Härdin 2024-05-05 1:34 ` Michael Niedermayer 0 siblings, 1 reply; 11+ messages in thread From: Tomas Härdin @ 2024-04-29 20:25 UTC (permalink / raw) To: FFmpeg development discussions and patches Fri 2024-04-26 at 05:08 +0200 Michael Niedermayer wrote: > Fixes: signed integer overflow: 538976288 - -9223372036315799520 > cannot be represented in type 'long' > Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer- > 5523457266745344 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mxfdec.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c > index 233d614f783..e65cec74c23 100644 > --- a/libavformat/mxfdec.c > +++ b/libavformat/mxfdec.c 
> @@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg, > AVIOContext *pb, int tag, int size > partition->index_sid = avio_rb32(pb); > partition->body_offset = avio_rb64(pb); > partition->body_sid = avio_rb32(pb); > + if (partition->body_offset < 0) > + return AVERROR_INVALIDDATA; The spec says BodyOffset is UInt64, so this means we drop support for files >= 2^63 bytes. This is probably fine though. Supporting such large files would be a pain in more places than here. MXF is sometimes used to archive scanned copies of film, but even raw 16k rgb48 essence @ 120 Hz takes over 1000 days of footage to hit the 2^63 limit.. I took a look at the body_offset logic and it looks like it should be correct when we force them to be non-negative. TL;DR: looks OK /Tomas _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset 2024-04-29 20:25 ` Tomas Härdin @ 2024-05-05 1:34 ` Michael Niedermayer 0 siblings, 0 replies; 11+ messages in thread From: Michael Niedermayer @ 2024-05-05 1:34 UTC (permalink / raw) To: FFmpeg development discussions and patches On Mon, Apr 29, 2024 at 10:25:33PM +0200, Tomas Härdin wrote: > Fri 2024-04-26 at 05:08 +0200 Michael Niedermayer wrote: > > Fixes: signed integer overflow: 538976288 - -9223372036315799520 > > cannot be represented in type 'long' > > Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer- > > 5523457266745344 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/mxfdec.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c > > index 233d614f783..e65cec74c23 100644 > > --- a/libavformat/mxfdec.c > > +++ b/libavformat/mxfdec.c 
> > @@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg, > > AVIOContext *pb, int tag, int size > > partition->index_sid = avio_rb32(pb); > > partition->body_offset = avio_rb64(pb); > > partition->body_sid = avio_rb32(pb); > > + if (partition->body_offset < 0) > > + return AVERROR_INVALIDDATA; > > The spec says BodyOffset is UInt64, so this means we drop support for > files >= 2^63 bytes. This is probably fine though. Supporting such > large files would be a pain in more places than here. > > MXF is sometimes used to archive scanned copies of film, but even raw > 16k rgb48 essence @ 120 Hz takes over 1000 days of footage to hit the > 2^63 limit.. > > I took a look at the body_offset logic and it looks like it should be > correct when we force them to be non-negative. > > TL;DR: looks OK will apply will also apply 2,3,5 of this set thanks [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I have never wished to cater to the crowd; for what I know they do not approve, and what they approve I do not know. -- Epicurus [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list 2024-04-26 3:08 [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list Michael Niedermayer ` (4 preceding siblings ...) 2024-04-26 3:08 ` [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset Michael Niedermayer @ 2024-04-26 12:30 ` James Almer 2024-04-27 18:06 ` Michael Niedermayer 5 siblings, 1 reply; 11+ messages in thread From: James Almer @ 2024-04-26 12:30 UTC (permalink / raw) To: ffmpeg-devel On 4/26/2024 12:08 AM, Michael Niedermayer wrote: > Fixes: Null pointer dereference > Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mov.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavformat/mov.c b/libavformat/mov.c > index ecd29a7d08b..97a24e6737e 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c > @@ -9289,6 +9289,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid, > if (tile_grid->nb_tiles != size) > return AVERROR_INVALIDDATA; > > + for (int i = 0; i < size; i++) > + if (!grid->tile_item_list[i]) > + return AVERROR_INVALIDDATA; > for (int i = 0; i < tile_cols; i++) > tile_grid->coded_width += grid->tile_item_list[i]->width; > for (int i = 0; i < size; i += tile_cols) We shouldn't get this far if that's NULL. Does the following also work? > diff --git a/libavformat/mov.c b/libavformat/mov.c > index ecd29a7d08..b21c4b6f3c 100644 > --- a/libavformat/mov.c > +++ b/libavformat/mov.c 
> @@ -9440,7 +9440,7 @@ static int mov_parse_tiles(AVFormatContext *s) > break; > } > > - if (k == grid->nb_tiles) { > + if (k == mov->nb_heif_item) { > av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced by grid id %d doesn't " > "exist\n", > tile_id, grid->item->item_id); _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread
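Review bot: this is the root-cause fix for the NULL entries that 1/6 guards against. The "not found" test compared the loop index k against grid->nb_tiles, the size of the grid's tile list, instead of mov->nb_heif_item, evidently the bound of the search loop that precedes the `break`; a missing item was therefore only detected when the two counts happened to coincide, and otherwise a NULL stayed in tile_item_list for read_image_grid() to dereference. With the corrected bound, confirm that what follows the av_log(AV_LOG_WARNING, ...) does not merely warn and continue with the entry unset; the hunk ends at the warning, so the return or continue after it is not visible here, and if it only continues, the check from 1/6 is still needed.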
* Re: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list 2024-04-26 12:30 ` [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list James Almer @ 2024-04-27 18:06 ` Michael Niedermayer 0 siblings, 0 replies; 11+ messages in thread From: Michael Niedermayer @ 2024-04-27 18:06 UTC (permalink / raw) To: FFmpeg development discussions and patches [-- Attachment #1.1: Type: text/plain, Size: 1986 bytes --] On Fri, Apr 26, 2024 at 09:30:50AM -0300, James Almer wrote: > On 4/26/2024 12:08 AM, Michael Niedermayer wrote: > > Fixes: Null pointer dereference > > Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/mov.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > index ecd29a7d08b..97a24e6737e 100644 > > --- a/libavformat/mov.c > > +++ b/libavformat/mov.c > > @@ -9289,6 +9289,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid, > > if (tile_grid->nb_tiles != size) > > return AVERROR_INVALIDDATA; > > + for (int i = 0; i < size; i++) > > + if (!grid->tile_item_list[i]) > > + return AVERROR_INVALIDDATA; > > for (int i = 0; i < tile_cols; i++) > > tile_grid->coded_width += grid->tile_item_list[i]->width; > > for (int i = 0; i < size; i += tile_cols) > > We shouldn't get this far if that's NULL. Does the following also work? > > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > index ecd29a7d08..b21c4b6f3c 100644 > > --- a/libavformat/mov.c > > +++ b/libavformat/mov.c 
> > @@ -9440,7 +9440,7 @@ static int mov_parse_tiles(AVFormatContext *s) > > break; > > } > > > > - if (k == grid->nb_tiles) { > > + if (k == mov->nb_heif_item) { works, please apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Old school: Use the lowest level language in which you can solve the problem conveniently. New school: Use the highest level language in which the latest supercomputer can solve the problem without the user falling asleep waiting. [-- Attachment #1.2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] [-- Attachment #2: Type: text/plain, Size: 251 bytes --] _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 11+ messages in thread