From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id A3F9649D8D for ; Fri, 10 May 2024 21:33:51 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id CED3C68D546; Sat, 11 May 2024 00:33:47 +0300 (EEST) Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0D35E68D38E for ; Sat, 11 May 2024 00:33:40 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id 0DDC3240002 for ; Fri, 10 May 2024 21:33:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1715376820; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=toNDjxIv65JbEX7SFPJGPS2iQujec6tYWrxQLhz4rE0=; b=AjW+hkh/RP7y5rjvMqPHR3V1DTWpqFgQlVme35c+lig+2FwVu0BlW5oM49bxQZF1zczhFv Zk3ZSjqKYwUZkich/13X+dAPuotvUXflbjkSZCeto9e2IPH7F61HCdcJH/7sV9YHsD4Jrd idqqyNv394B9+YNB9sf/2F2si/oopT/7e1mT1XVhSKiA7c4QtV17FfKAGleigKUfZ4pw2a BGNncL1+1alLliJs5+TdpK2kHVjSF4py1dvu36A5g5h89sLkOMUEKkYqS73kVIniI+Y1ah /kXc36cOdOlH+3svRlKSiFSTIWdvfUYQC3WFlcCF32YAWLLv9OWfrl749qqiFA== Date: Fri, 10 May 2024 23:33:39 +0200 From: Michael Niedermayer To: FFmpeg development discussions and patches Message-ID: <20240510213339.GP6420@pb2> References: <20240509151042.8D70B411AC8@natalya.videolan.org> <2e38efa4-5716-4d33-8e07-05d47b0896a8@jkqxz.net> MIME-Version: 1.0 In-Reply-To: <2e38efa4-5716-4d33-8e07-05d47b0896a8@jkqxz.net> X-GND-Sasl: michael@niedermayer.cc Subject: Re: [FFmpeg-devel] [FFmpeg-cvslog] avcodec/cbs_av1: Avoid shift overflow X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Content-Type: multipart/mixed; boundary="===============0292675751697677445==" Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: --===============0292675751697677445== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="gMS8U5zzqQhbQVTh" Content-Disposition: inline --gMS8U5zzqQhbQVTh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, May 09, 2024 at 09:38:14PM +0100, Mark Thompson wrote: > On 09/05/2024 16:10, Michael Niedermayer wrote: > > ffmpeg | branch: master | Michael Niedermayer = | Wed May 1 21:44:33 2024 +0200| [d7924a4f60f2088de1e6790345caba929eb97030= ] | committer: Michael Niedermayer > >=20 > > avcodec/cbs_av1: Avoid shift overflow > >=20 > > Fixes: CID1465488 Unintentional integer overflow > >=20 > > Sponsored-by: Sovereign Tech Fund > > Signed-off-by: Michael Niedermayer > >=20 > >> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=3Dcommit;h=3Dd7924a4f= 60f2088de1e6790345caba929eb97030 > > --- > >=20 > > libavcodec/cbs_av1.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > >=20 > > diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c > > index 1d9ac5ab44..fb82996022 100644 > > --- a/libavcodec/cbs_av1.c > > +++ b/libavcodec/cbs_av1.c > > @@ -301,7 +301,7 @@ static int cbs_av1_write_increment(CodedBitstreamCo= ntext *ctx, PutBitContext *pb > > return AVERROR(ENOSPC); > > =20 > > if (len > 0) > > - put_bits(pbc, len, (1 << len) - 1 - (value !=3D range_max)); > > + put_bits(pbc, len, (1U << len) - 1 - (value !=3D range_max)); > > =20 > > CBS_TRACE_WRITE_END_NO_SUBSCRIPTS(); > > =20 > What syntax element can call this with range_max - range_min =3D=3D 31? = (Do you have a stream?) coverity is a tool doing static analysis. There are no streams. cbs_av1_write_increment() checks its inputs at the begin of the function av_assert0(range_min <=3D range_max && range_max - range_min < 32); if (value < range_min || value > range_max) ... "error" If we assume these are correct then the function is supposed to support range_max =3D range_min + 31 otherwise the assert really should be range_max - range_min < 31 both value =3D range_max and value =3D range_max - 1 will overflow 1 << len but not 1U << len Do you suggest that the range in the assert() is wrong ? The patch/commit intended to fix the discrepancy of the asserts range and what the function actually supports. Iam not sure if an input stream can trigger this. thx [...] --=20 Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Dictatorship naturally arises out of democracy, and the most aggravated form of tyranny and slavery out of the most extreme liberty. -- Plato --gMS8U5zzqQhbQVTh Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABEKAB0WIQSf8hKLFH72cwut8TNhHseHBAsPqwUCZj6SrwAKCRBhHseHBAsP qyqqAJsHlyJQzYwDneayZ1kb+JEQyZhYNwCgkeZittnfbOEB+k++Cs93hYYdtzI= =LQb0 -----END PGP SIGNATURE----- --gMS8U5zzqQhbQVTh-- --===============0292675751697677445== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". --===============0292675751697677445==--