* [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply
@ 2024-06-16 7:48 Michael Niedermayer
2024-06-16 7:48 ` [FFmpeg-devel] [PATCH 2/2] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Michael Niedermayer
2024-06-25 20:04 ` [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply Michael Niedermayer
0 siblings, 2 replies; 3+ messages in thread
From: Michael Niedermayer @ 2024-06-16 7:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: left shift of negative value -3245
Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libswscale/output.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libswscale/output.c b/libswscale/output.c
index b234f9c6b9a..f9ce43dde80 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1221,8 +1221,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
Y2 += (1 << 13) - (1 << 29);
if (hasAlpha) {
- A1 = abuf0[i * 2 ] << 11;
- A2 = abuf0[i * 2 + 1] << 11;
+ A1 = abuf0[i * 2 ] * (1 << 11);
+ A2 = abuf0[i * 2 + 1] * (1 << 11);
A1 += 1 << 13;
A2 += 1 << 13;
@@ -1267,8 +1267,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0,
Y2 += (1 << 13) - (1 << 29);
if (hasAlpha) {
- A1 = abuf0[i * 2 ] << 11;
- A2 = abuf0[i * 2 + 1] << 11;
+ A1 = abuf0[i * 2 ] * (1 << 11);
+ A2 = abuf0[i * 2 + 1] * (1 << 11);
A1 += 1 << 13;
A2 += 1 << 13;
@@ -1439,7 +1439,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
Y += (1 << 13) - (1 << 29);
if (hasAlpha) {
- A = abuf0[i] << 11;
+ A = abuf0[i] * (1 << 11);
A += 1 << 13;
}
@@ -1472,7 +1472,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0,
Y += (1 << 13) - (1 << 29);
if (hasAlpha) {
- A = abuf0[i] << 11;
+ A = abuf0[i] * (1 << 11);
A += 1 << 13;
}
--
2.45.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 3+ messages in thread* [FFmpeg-devel] [PATCH 2/2] swscale/output: Avoid undefined overflow in yuv2rgb_write_full()
2024-06-16 7:48 [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply Michael Niedermayer
@ 2024-06-16 7:48 ` Michael Niedermayer
2024-06-25 20:04 ` [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply Michael Niedermayer
1 sibling, 0 replies; 3+ messages in thread
From: Michael Niedermayer @ 2024-06-16 7:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -140140 * 16525 cannot be represented in type 'int'
Fixes: 68859/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4516387130245120
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libswscale/output.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libswscale/output.c b/libswscale/output.c
index f9ce43dde80..0e6181b3e01 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1925,9 +1925,9 @@ static av_always_inline void yuv2rgb_write_full(SwsContext *c,
Y -= c->yuv2rgb_y_offset;
Y *= c->yuv2rgb_y_coeff;
Y += 1 << 21;
- R = (unsigned)Y + V*c->yuv2rgb_v2r_coeff;
- G = (unsigned)Y + V*c->yuv2rgb_v2g_coeff + U*c->yuv2rgb_u2g_coeff;
- B = (unsigned)Y + U*c->yuv2rgb_u2b_coeff;
+ R = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2r_coeff;
+ G = (unsigned)Y + V*(unsigned)c->yuv2rgb_v2g_coeff + U*(unsigned)c->yuv2rgb_u2g_coeff;
+ B = (unsigned)Y + U*(unsigned)c->yuv2rgb_u2b_coeff;
if ((R | G | B) & 0xC0000000) {
R = av_clip_uintp2(R, 30);
G = av_clip_uintp2(G, 30);
--
2.45.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply
2024-06-16 7:48 [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply Michael Niedermayer
2024-06-16 7:48 ` [FFmpeg-devel] [PATCH 2/2] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Michael Niedermayer
@ 2024-06-25 20:04 ` Michael Niedermayer
1 sibling, 0 replies; 3+ messages in thread
From: Michael Niedermayer @ 2024-06-25 20:04 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 687 bytes --]
On Sun, Jun 16, 2024 at 09:48:30AM +0200, Michael Niedermayer wrote:
> Fixes: left shift of negative value -3245
> Fixes: 69047/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6571511551950848
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libswscale/output.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
will apply patchset
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-06-25 20:05 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-06-16 7:48 [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply Michael Niedermayer
2024-06-16 7:48 ` [FFmpeg-devel] [PATCH 2/2] swscale/output: Avoid undefined overflow in yuv2rgb_write_full() Michael Niedermayer
2024-06-25 20:04 ` [FFmpeg-devel] [PATCH 1/2] swscale/output: alpha can become negative after scaling, use multiply Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git