* [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette
@ 2024-06-16 23:08 Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb() Michael Niedermayer
` (8 more replies)
0 siblings, 9 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/targaenc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/targaenc.c b/libavcodec/targaenc.c
index d9c500b97de..8f496c62bd9 100644
--- a/libavcodec/targaenc.c
+++ b/libavcodec/targaenc.c
@@ -21,6 +21,7 @@
#include <string.h>
+#include "libavutil/avassert.h"
#include "libavutil/imgutils.h"
#include "libavutil/internal.h"
#include "libavutil/intreadwrite.h"
@@ -89,10 +90,11 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
TargaContext *s = avctx->priv_data;
int bpp, picsize, datasize = -1, ret, i;
uint8_t *out;
+ int maxpal = 32*32;
picsize = av_image_get_buffer_size(avctx->pix_fmt,
avctx->width, avctx->height, 1);
- if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45)) < 0)
+ if ((ret = ff_alloc_packet(avctx, pkt, picsize + 45 + maxpal)) < 0)
return ret;
/* zero out the header and only set applicable fields */
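Review bot: `maxpal = 32*32` is a magic number; a comment stating that it is 256 palette entries times at most 4 bytes (pal_bpp is in bits, so the palette occupies `32 * pal_bpp` bytes, at most 1024) would make the later `av_assert0(32 * pal_bpp <= maxpal)` self-explanatory. The extra 1024 bytes are also requested from ff_alloc_packet() for every pixel format, not only AV_PIX_FMT_PAL8; that is harmless, but the packet size could be kept exact by adding `maxpal` only in the PAL8 case.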
@@ -125,6 +127,7 @@ static int targa_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
AV_WL24(pkt->data + 18 + 3 * i, *(uint32_t *)(p->data[1] + i * 4));
}
out += 32 * pal_bpp; /* skip past the palette we just output */
+ av_assert0(32 * pal_bpp <= maxpal);
break;
}
case AV_PIX_FMT_GRAY8:
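Review bot: the `av_assert0(32 * pal_bpp <= maxpal)` is placed after the loop that has already written the palette into `pkt->data`, so it documents the invariant rather than guarding the writes; move it above the `for` loop (or next to where `pal_bpp` is chosen) so that a future change to `pal_bpp` aborts before any out-of-bounds store rather than after it.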
--
2.45.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb()
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-17 5:27 ` Andreas Rheinhardt
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less space after the array Michael Niedermayer
` (7 subsequent siblings)
8 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/mpeg4audio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c
index fbd2a8f811a..ae18944f0d5 100644
--- a/libavcodec/mpeg4audio.c
+++ b/libavcodec/mpeg4audio.c
@@ -94,6 +94,10 @@ int ff_mpeg4audio_get_config_gb(MPEG4AudioConfig *c, GetBitContext *gb,
{
int specific_config_bitindex, ret;
int start_bit_index = get_bits_count(gb);
+
+ if (get_bits_left(gb) < 5+4+4)
+ return AVERROR_INVALIDDATA;
+
c->object_type = get_object_type(gb);
c->sample_rate = get_sample_rate(gb, &c->sampling_index);
c->chan_config = get_bits(gb, 4);
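Review bot: 13 bits is a lower bound, not the amount this function reads: get_object_type() takes 6 more bits when the 5-bit value is the escape code 31, get_sample_rate() takes 24 more when the index is 15, and ff_mpeg4audio_get_config_gb() continues past these three fields, so an unpadded buffer can still be overread after this check passes. Andreas Rheinhardt's reply in this thread makes the underlying point: GetBitContext callers are expected to hand in buffers padded with AV_INPUT_BUFFER_PADDING_SIZE, and the IAMF parser (the fuzzer target named in the Fixes line) should guarantee that; otherwise every later read in this function needs its own get_bits_left() check.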
--
2.45.2
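An added example, not FFmpeg code, showing why the 13 bits checked in the hunk above are only a minimum for the three fields it guards. It is a small bounds-checked bit reader applied to the leading AudioSpecificConfig fields (audioObjectType, samplingFrequencyIndex, channelConfiguration), including the escape object type and the explicit 24-bit sample rate. The struct, function and buffer names are this example's own, and the sample buffers are constructed here, not taken from any file.

```c
/* Added example, not FFmpeg code: a bounds-checked bit reader applied to the
 * first three AudioSpecificConfig fields that ff_mpeg4audio_get_config_gb()
 * reads.  Unlike FFmpeg's GetBitContext, which relies on padded buffers,
 * every read here is checked against the real end of the buffer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct BitReader {
    const uint8_t *buf;
    size_t size_bits;   /* total bits available */
    size_t pos;         /* bits consumed so far, always <= size_bits */
} BitReader;

typedef struct AscHead {
    int object_type;     /* 1..95 after escape handling */
    int sampling_index;  /* 0..15; 15 means an explicit rate follows */
    int sample_rate;     /* explicit 24-bit rate, or 0 when indexed */
    int chan_config;     /* 0..15 */
} AscHead;

/* Reads n (<= 24) bits MSB-first; returns -1 instead of reading past the end. */
static int read_bits(BitReader *r, unsigned n, uint32_t *out)
{
    uint32_t v = 0;
    if (n > r->size_bits - r->pos)
        return -1;
    while (n--) {
        v = (v << 1) | ((r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1u);
        r->pos++;
    }
    *out = v;
    return 0;
}

/* Parses the three leading fields.  Returns 0 on success, -1 when the buffer
 * ends inside a field.  The minimum is 5+4+4 = 13 bits, but the escape
 * object type adds 6 and an explicit sample rate adds 24, up to 43 bits. */
static int parse_asc_head(const uint8_t *buf, size_t size, AscHead *h)
{
    BitReader r = { buf, size * 8, 0 };
    uint32_t v;

    if (read_bits(&r, 5, &v)) return -1;
    h->object_type = (int)v;
    if (h->object_type == 31) {                 /* escape: 6 more bits, +32 */
        if (read_bits(&r, 6, &v)) return -1;
        h->object_type = 32 + (int)v;
    }
    if (read_bits(&r, 4, &v)) return -1;
    h->sampling_index = (int)v;
    h->sample_rate = 0;
    if (h->sampling_index == 15) {              /* explicit 24-bit rate */
        if (read_bits(&r, 24, &v)) return -1;
        h->sample_rate = (int)v;
    }
    if (read_bits(&r, 4, &v)) return -1;
    h->chan_config = (int)v;
    return 0;
}

/* Constructed inputs (not from any real file). */
/* AAC-LC (type 2), index 4, 2 channels: 13 bits, fits in 2 bytes.       */
static const uint8_t kAscLc[]       = { 0x12, 0x10 };
/* Escaped type 33, index 4, 2 channels: 19 bits, needs 3 bytes.         */
static const uint8_t kAscEscape[]   = { 0xF8, 0x28, 0x40 };
/* Type 2, index 15 + explicit 48000 Hz, 2 channels: 37 bits, 5 bytes.   */
static const uint8_t kAscExplicit[] = { 0x17, 0x80, 0x5D, 0xC0, 0x10 };

int main(void)
{
    AscHead h;
    int ret;
    /* Passing a shorter size than the buffer holds simulates truncation. */
    ret = parse_asc_head(kAscLc, 2, &h);
    printf("lc, 2 bytes:       %d (type %d)\n", ret, h.object_type);
    ret = parse_asc_head(kAscLc, 1, &h);
    printf("lc, 1 byte:        %d\n", ret);
    ret = parse_asc_head(kAscEscape, 3, &h);
    printf("escape, 3 bytes:   %d (type %d)\n", ret, h.object_type);
    ret = parse_asc_head(kAscEscape, 2, &h);   /* 16 bits pass a 13-bit check */
    printf("escape, 2 bytes:   %d\n", ret);
    ret = parse_asc_head(kAscExplicit, 5, &h);
    printf("explicit, 5 bytes: %d (rate %d)\n", ret, h.sample_rate);
    ret = parse_asc_head(kAscExplicit, 4, &h); /* 32 bits, still too short */
    printf("explicit, 4 bytes: %d\n", ret);
    return 0;
}
```

The two truncated escape and explicit-rate cases are the ones a fixed 13-bit pre-check lets through: both buffers are longer than 13 bits, yet a reader that is not padded would run off their end.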
* [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less space after the array
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb() Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-18 0:35 ` James Almer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 4/9] avformat/iamf_parse: Layer, thou shalt not be 0 Michael Niedermayer
` (6 subsequent siblings)
8 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 68584/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6256656668229632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/iamf_parse.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 312090b247c..5c2ff6862a7 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -355,6 +355,9 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
substream_count = avio_r8(pb);
coupled_substream_count = avio_r8(pb);
+ if (substream_count + k > audio_element->nb_substreams)
+ return AVERROR_INVALIDDATA;
+
audio_element->layers[i].substream_count = substream_count;
audio_element->layers[i].coupled_substream_count = coupled_substream_count;
if (output_gain_is_present_flag) {
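Review bot: the new bound covers substream_count, but coupled_substream_count is stored unchecked on the line right below it; if later code sizes or indexes anything from it, it needs a bound of its own (at least `coupled_substream_count <= substream_count`, since coupled substreams are a subset of the layer's substreams). The addition itself cannot overflow (two small non-negative ints), but the commit message would be easier to review if it said that `k` is the running total of substreams from the preceding layers, which is what makes the comparison against nb_substreams the right one.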
--
2.45.2
* [FFmpeg-devel] [PATCH 4/9] avformat/iamf_parse: Layer, thou shalt not be 0
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb() Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less space after the array Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-18 0:33 ` James Almer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset Michael Niedermayer
` (5 subsequent siblings)
8 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 68302/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4665793796177920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/iamf_parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 5c2ff6862a7..12c2b9533a8 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -330,7 +330,7 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
nb_layers = avio_r8(pb) >> 5; // get_bits(&gb, 3);
// skip_bits(&gb, 5); //reserved
- if (nb_layers > 6)
+ if (nb_layers > 6 || nb_layers == 0)
return AVERROR_INVALIDDATA;
audio_element->layers = av_calloc(nb_layers, sizeof(*audio_element->layers));
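Review bot: the commit message says only "out of array access"; it should say why a zero layer count leads to one (which code indexes `audio_element->layers[...]` after a zero-sized av_calloc()), since the hunk itself shows only the rejection. An av_log() at AV_LOG_ERROR with the rejected value would also help people debugging malformed files, as the bare AVERROR_INVALIDDATA gives no hint which field was wrong.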
--
2.45.2
* [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
` (2 preceding siblings ...)
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 4/9] avformat/iamf_parse: Layer, thou shalt not be 0 Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-18 0:41 ` James Almer
2024-06-18 7:07 ` Rémi Denis-Courmont
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 6/9] avcodec/libvpxenc: Cleanup on error Michael Niedermayer
` (4 subsequent siblings)
8 siblings, 2 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mov.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 9016cd5ad08..46cbce98040 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
}
for (int j = 0; j < extent_count; j++) {
if (rb_size(pb, &extent_offset, offset_size) < 0 ||
- rb_size(pb, &extent_length, length_size) < 0)
+ rb_size(pb, &extent_length, length_size) < 0 ||
+ base_offset < 0 || extent_offset < 0 ||
+ base_offset + (uint64_t)extent_offset > INT64_MAX)
return AVERROR_INVALIDDATA;
if (offset_type == 1)
c->heif_item[i].is_idat_relative = 1;
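Review bot: `base_offset < 0` does not depend on j, so it is re-evaluated for every extent; hoisting it above the `for` loop keeps the per-extent condition about extent data only. The unsigned sum is exact once both operands are known non-negative (each is below 2^63, so the uint64_t sum cannot wrap before the comparison with INT64_MAX), but extent_length is still unchecked: a negative value, or base_offset + extent_offset + extent_length exceeding INT64_MAX, would trip the same sanitizer at the next use of these fields, so bound it here as well.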
--
2.45.2
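An added example, not FFmpeg code, isolating the offset check from the mov_read_iloc() hunk above so it can be run against the exact operands in the UBSan message of the commit. It also carries the check one step further to the extent length. Function names are this example's own.

```c
/* Added example, not FFmpeg code: the offset-overflow check from the
 * mov_read_iloc() hunk, isolated, plus the same check extended to the
 * extent length.  Operands in main() are the ones from the UBSan report. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors the condition added in the hunk: both operands must be
 * non-negative and their sum must fit in int64_t.  After the sign checks
 * each operand is < 2^63, so the uint64_t sum cannot wrap and the
 * comparison against INT64_MAX is exact. */
static bool iloc_offsets_fit(int64_t base_offset, int64_t extent_offset)
{
    if (base_offset < 0 || extent_offset < 0)
        return false;
    return (uint64_t)base_offset + (uint64_t)extent_offset <= (uint64_t)INT64_MAX;
}

/* Same idea applied to the end of the byte range: base + offset + length
 * must fit too, since that is the position a demuxer would read up to. */
static bool iloc_extent_fits(int64_t base_offset, int64_t extent_offset,
                             int64_t extent_length)
{
    if (!iloc_offsets_fit(base_offset, extent_offset) || extent_length < 0)
        return false;
    uint64_t start = (uint64_t)base_offset + (uint64_t)extent_offset;
    return (uint64_t)extent_length <= (uint64_t)INT64_MAX - start;
}

/* Computes the absolute start only after validation; -1 means rejected.
 * The signed addition is safe here because iloc_offsets_fit() proved it. */
static int64_t iloc_absolute_start(int64_t base_offset, int64_t extent_offset)
{
    if (!iloc_offsets_fit(base_offset, extent_offset))
        return -1;
    return base_offset + extent_offset;
}

int main(void)
{
    /* Operands from the "signed integer overflow" line of the commit message. */
    int64_t base = 2314885530818453536LL, ext = 9151314442816847872LL;
    printf("fuzzer operands accepted: %d\n", (int)iloc_offsets_fit(base, ext));
    printf("sane operands accepted:   %d\n", (int)iloc_offsets_fit(1024, 4096));
    printf("sane extent accepted:     %d\n", (int)iloc_extent_fits(1024, 4096, 100));
    printf("absolute start:           %lld\n", (long long)iloc_absolute_start(1024, 4096));
    return 0;
}
```

The pattern is the general one for "is a + b representable": reject negative inputs first, then add in an unsigned type that is wide enough to hold the sum of two non-negative int64_t values, and compare against the signed maximum before converting back.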
* [FFmpeg-devel] [PATCH 6/9] avcodec/libvpxenc: Cleanup on error
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
` (3 preceding siblings ...)
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-17 17:10 ` James Zern via ffmpeg-devel
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Michael Niedermayer
` (3 subsequent siblings)
8 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
This or fifo needs to be freed on errors explicitly
I have not verified that it's always safe to call vpx_free(); this needs to be checked before applying this
Fixes: memleak
Fixes: 68937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-4830831016214528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/libvpxenc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c
index 5c7b6e9de73..5490246d9ed 100644
--- a/libavcodec/libvpxenc.c
+++ b/libavcodec/libvpxenc.c
@@ -2042,6 +2042,7 @@ const FFCodec ff_libvpx_vp8_encoder = {
FF_CODEC_ENCODE_CB(vpx_encode),
.close = vpx_free,
.caps_internal = FF_CODEC_CAP_NOT_INIT_THREADSAFE |
+ FF_CODEC_CAP_INIT_CLEANUP |
FF_CODEC_CAP_AUTO_THREADS,
.p.pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_YUV420P, AV_PIX_FMT_YUVA420P, AV_PIX_FMT_NONE },
.p.priv_class = &class_vp8,
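Review bot: FF_CODEC_CAP_INIT_CLEANUP makes the generic encode code call .close (vpx_free) when init fails, so vpx_free() must now tolerate a context in which init returned early: libvpx codec handles that were never created, a fifo that was never allocated, and any other field init fills late. The commit message itself says this has not been verified; James Zern's reply in the thread says calling into libvpx is safe either way, and that confirmation belongs in the commit message (or a one-line comment next to the flag) before this is applied.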
@@ -2118,6 +2119,7 @@ FFCodec ff_libvpx_vp9_encoder = {
FF_CODEC_ENCODE_CB(vpx_encode),
.close = vpx_free,
.caps_internal = FF_CODEC_CAP_NOT_INIT_THREADSAFE |
+ FF_CODEC_CAP_INIT_CLEANUP |
FF_CODEC_CAP_AUTO_THREADS,
.defaults = defaults,
.init_static_data = vp9_init_static,
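Review bot: same condition as for the VP8 entry above; the VP9 encoder shares vpx_free(), so the partially-initialised path has to be safe for both encoders, and one sentence in the commit message covering both would do.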
--
2.45.2
* [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
` (4 preceding siblings ...)
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 6/9] avcodec/libvpxenc: Cleanup on error Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-17 7:07 ` Anton Khirnov
` (3 more replies)
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported Michael Niedermayer
` (2 subsequent siblings)
8 siblings, 4 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
I've been told that someone at the BCN video tech meetup claimed to be the
"release maintainer for FFmpeg".
If you have any doubt who maintains releases, just do something like the following and look at the output:
VER=5.1
echo commiters ; git shortlog --group=committer -s n$VER..release/$VER -n ;\
echo authors ; git shortlog -s n$VER..release/$VER -n
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
MAINTAINERS | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index 41a98744adf..a82fa58c69f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -536,10 +536,12 @@ wm4
Releases
========
+7.0 Michael Niedermayer
+6.1 Michael Niedermayer
+5.1 Michael Niedermayer
+4.4 Michael Niedermayer
+3.4 Michael Niedermayer
2.8 Michael Niedermayer
-2.7 Michael Niedermayer
-2.6 Michael Niedermayer
-2.5 Michael Niedermayer
If you want to maintain an older release, please contact us
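Review bot: besides adding the 3.4 to 7.0 entries, the hunk drops 2.5, 2.6 and 2.7, and the commit message says nothing about those branches no longer being maintained; since this diff is the only record of that change, the message should state it explicitly rather than only who maintains the current releases.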
--
2.45.2
* [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
` (5 preceding siblings ...)
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-17 7:50 ` Paul B Mahol
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 9/9] avcodec/r210enc: Use av_rescale for bitrate Michael Niedermayer
2024-06-25 19:55 ` [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
8 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array read
Fixes: 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/smcenc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
index 789aef4f770..d70cce900ec 100644
--- a/libavcodec/smcenc.c
+++ b/libavcodec/smcenc.c
@@ -537,6 +537,9 @@ static int smc_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
uint8_t *pal;
int ret;
+ if (avctx->width < 4)
+ return AVERROR_PATCHWELCOME;
+
ret = ff_alloc_packet(avctx, pkt, 8LL * avctx->height * avctx->width);
if (ret < 0)
return ret;
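Review bot: returning AVERROR_PATCHWELCOME from smc_encode_frame() means every frame fails after the encoder has already been opened successfully; rejecting the width in the init callback instead reports the limitation when the codec is opened, which is what AVERROR_PATCHWELCOME is for. The ASan trace posted later in this thread locates the read in smc_encode_stream() (the memcmp at smcenc.c:193, two bytes before the start of the allocation), so this check removes the trigger rather than the out-of-bounds read itself; a comment explaining why the block matcher needs at least 4 pixels of width would make the fix reviewable without the trace.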
--
2.45.2
* [FFmpeg-devel] [PATCH 9/9] avcodec/r210enc: Use av_rescale for bitrate
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
` (6 preceding siblings ...)
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported Michael Niedermayer
@ 2024-06-16 23:08 ` Michael Niedermayer
2024-06-25 19:54 ` Michael Niedermayer
2024-06-25 19:55 ` [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
8 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-16 23:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long'
Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/r210enc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/r210enc.c b/libavcodec/r210enc.c
index 91e34528741..ec1ebc8d609 100644
--- a/libavcodec/r210enc.c
+++ b/libavcodec/r210enc.c
@@ -35,7 +35,7 @@ static av_cold int encode_init(AVCodecContext *avctx)
avctx->bits_per_coded_sample = 32;
if (avctx->width > 0)
- avctx->bit_rate = ff_guess_coded_bitrate(avctx) * aligned_width / avctx->width;
+ avctx->bit_rate = av_rescale(ff_guess_coded_bitrate(avctx), aligned_width, avctx->width);
return 0;
}
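Review bot: av_rescale() rounds to nearest (AV_ROUND_NEAR_INF) while the old `* aligned_width / avctx->width` truncated, so bit_rate can differ by one from the previous value; fine for a guessed bitrate, but worth a word in the commit message. The overflow goes away because av_rescale() keeps the product in a wider intermediate instead of int64_t, and the existing `avctx->width > 0` guard already rules out the zero divisor av_rescale() would otherwise be handed.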
--
2.45.2
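An added example, not FFmpeg code, showing the r210enc bit-rate computation done three ways: the naive `a * b / c` that overflowed with the operands from the UBSan message, a widened-intermediate rescale of the kind av_rescale() performs (this is a stand-in written for the example, not libavutil's implementation), and the encoder's formula built on top of it. It assumes GCC or Clang on a 64-bit target for `__int128` and `__builtin_mul_overflow`, and the 64-pixel line alignment in `r210_bit_rate()` is this example's assumption about how aligned_width is derived.

```c
/* Added example, not FFmpeg code: why `guessed * aligned_width / width`
 * overflowed and how a 128-bit intermediate avoids it.  Assumes GCC/Clang
 * (__int128, __builtin_mul_overflow).  The operands in main() are the ones
 * from the UBSan report in the commit message. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 1. Naive form: reports whether a * b would already overflow int64_t
 *    before the division gets a chance to bring the value back down. */
static bool naive_product_overflows(int64_t a, int64_t b)
{
    int64_t prod;
    return __builtin_mul_overflow(a, b, &prod);
}

/* 2. Widened form: a * b / c computed in 128 bits, rounded to nearest with
 *    halves away from zero (the rounding av_rescale() uses).  Requires c > 0.
 *    Returns false when the quotient does not fit in int64_t. */
static bool rescale_i64(int64_t a, int64_t b, int64_t c, int64_t *out)
{
    if (c <= 0)
        return false;
    __int128 p = (__int128)a * b;
    __int128 q = p >= 0 ? (p + c / 2) / c : (p - c / 2) / c;
    if (q > INT64_MAX || q < INT64_MIN)
        return false;
    *out = (int64_t)q;
    return true;
}

/* 3. The encoder's formula: bit_rate = guessed * aligned_width / width.
 *    Line alignment to 64 pixels is assumed here for illustration; the
 *    guessed bitrate is passed in instead of being derived from a context.
 *    Returns -1 when the width is unusable or the result does not fit. */
static int64_t r210_bit_rate(int64_t guessed, int width)
{
    int64_t aligned_width, out;
    if (width <= 0)
        return -1;
    aligned_width = ((int64_t)width + 63) / 64 * 64;
    if (!rescale_i64(guessed, aligned_width, width, &out))
        return -1;
    return out;
}

int main(void)
{
    int64_t guessed = 281612954574848LL, aligned = 65344, width = 65344, r;
    printf("naive product overflows: %d\n", (int)naive_product_overflows(guessed, aligned));
    if (rescale_i64(guessed, aligned, width, &r))
        printf("rescaled bit_rate:       %lld\n", (long long)r);
    printf("1 Mbit/s at width 100:   %lld\n", (long long)r210_bit_rate(1000000, 100));
    return 0;
}
```

With aligned_width equal to width the correct answer is simply the guessed bitrate, which the naive form cannot produce because the product overflows first; the widened form returns it exactly.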
* Re: [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb()
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb() Michael Niedermayer
@ 2024-06-17 5:27 ` Andreas Rheinhardt
2024-06-18 22:00 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: Andreas Rheinhardt @ 2024-06-17 5:27 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: out of array access
> Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/mpeg4audio.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c
> index fbd2a8f811a..ae18944f0d5 100644
> --- a/libavcodec/mpeg4audio.c
> +++ b/libavcodec/mpeg4audio.c
> @@ -94,6 +94,10 @@ int ff_mpeg4audio_get_config_gb(MPEG4AudioConfig *c, GetBitContext *gb,
> {
> int specific_config_bitindex, ret;
> int start_bit_index = get_bits_count(gb);
> +
> + if (get_bits_left(gb) < 5+4+4)
> + return AVERROR_INVALIDDATA;
> +
> c->object_type = get_object_type(gb);
> c->sample_rate = get_sample_rate(gb, &c->sampling_index);
> c->chan_config = get_bits(gb, 4);
This is not a proper fix. The real bug seems to be that
avpriv_mpeg4audio_get_config2() relies on the buffer to be padded, but
iamf_parse.c does not add padding.
- Andreas
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Michael Niedermayer
@ 2024-06-17 7:07 ` Anton Khirnov
2024-06-17 23:48 ` Michael Niedermayer
2024-06-17 7:26 ` Paul B Mahol
` (2 subsequent siblings)
3 siblings, 1 reply; 38+ messages in thread
From: Anton Khirnov @ 2024-06-17 7:07 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Quoting Michael Niedermayer (2024-06-17 01:08:29)
> I've been told that someone at the BCN video tech meetup claimed to be the
> "release maintainer for FFmpeg".
>
> If you have any doubt who maintains releases, just do something like the following and look at the output:
> VER=5.1
> echo commiters ; git shortlog --group=committer -s n$VER..release/$VER -n ;\
> echo authors ; git shortlog -s n$VER..release/$VER -n
Passive aggressive gossip does not belong in a commit message.
--
Anton Khirnov
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Michael Niedermayer
2024-06-17 7:07 ` Anton Khirnov
@ 2024-06-17 7:26 ` Paul B Mahol
2024-06-18 7:02 ` Rémi Denis-Courmont
2024-06-18 9:53 ` Steven Liu
3 siblings, 0 replies; 38+ messages in thread
From: Paul B Mahol @ 2024-06-17 7:26 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 1:09 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> I've been told that someone at the BCN video tech meetup claimed to be the
> "release maintainer for FFmpeg".
>
>
That is nothing, I see many claims in many such videos and on many
platforms that they are developer/maintainer of FFmpeg while in fact they
develop/maintain only their closed source business.
Do not tell lies, or half lies; it does not help you in the long run.
> If you have any doubt who maintains releases, just do something like the
> following and look at the output:
> VER=5.1
> echo commiters ; git shortlog --group=committer -s n$VER..release/$VER
> -n ;\
> echo authors ; git shortlog -s n$VER..release/$VER -n
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> MAINTAINERS | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 41a98744adf..a82fa58c69f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -536,10 +536,12 @@ wm4
> Releases
> ========
>
> +7.0 Michael Niedermayer
> +6.1 Michael Niedermayer
> +5.1 Michael Niedermayer
> +4.4 Michael Niedermayer
> +3.4 Michael Niedermayer
> 2.8 Michael Niedermayer
> -2.7 Michael Niedermayer
> -2.6 Michael Niedermayer
> -2.5 Michael Niedermayer
>
> If you want to maintain an older release, please contact us
>
> --
> 2.45.2
>
* Re: [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported Michael Niedermayer
@ 2024-06-17 7:50 ` Paul B Mahol
2024-06-17 23:52 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: Paul B Mahol @ 2024-06-17 7:50 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 1:09 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> Fixes: out of array read
> Fixes: 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/smcenc.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
> index 789aef4f770..d70cce900ec 100644
> --- a/libavcodec/smcenc.c
> +++ b/libavcodec/smcenc.c
> @@ -537,6 +537,9 @@ static int smc_encode_frame(AVCodecContext *avctx,
> AVPacket *pkt,
> uint8_t *pal;
> int ret;
>
> + if (avctx->width < 4)
> + return AVERROR_PATCHWELCOME;
> +
>
I just enabled address sanitizer for smc encoder and i do not get any
errors.
Where is log of where overread happens?
> ret = ff_alloc_packet(avctx, pkt, 8LL * avctx->height * avctx->width);
> if (ret < 0)
> return ret;
> --
> 2.45.2
>
* Re: [FFmpeg-devel] [PATCH 6/9] avcodec/libvpxenc: Cleanup on error
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 6/9] avcodec/libvpxenc: Cleanup on error Michael Niedermayer
@ 2024-06-17 17:10 ` James Zern via ffmpeg-devel
2024-06-19 10:59 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: James Zern via ffmpeg-devel @ 2024-06-17 17:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches; +Cc: James Zern
On Sun, Jun 16, 2024 at 4:09 PM Michael Niedermayer
<michael@niedermayer.cc> wrote:
>
> This or fifo needs to be freed on errors explicitly
> I have not verified that its always safe to call vpx_free() this needs to be checked before applying this
>
It should be safe to call into libvpx whether the encoder init
succeeded or not; av_freep() is most of the rest of the code.
> Fixes: memleak
> Fixes: 68937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-4830831016214528
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/libvpxenc.c | 2 ++
> 1 file changed, 2 insertions(+)
>
lgtm.
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-17 7:07 ` Anton Khirnov
@ 2024-06-17 23:48 ` Michael Niedermayer
2024-06-18 10:09 ` Anton Khirnov
0 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-17 23:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 09:07:23AM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2024-06-17 01:08:29)
> > I've been told that someone at the BCN video tech meetup claimed to be the
> > "release maintainer for FFmpeg".
> >
> > If you have any doubt who maintains releases, just do something like the following and look at the output:
> > VER=5.1
> > echo commiters ; git shortlog --group=committer -s n$VER..release/$VER -n ;\
> > echo authors ; git shortlog -s n$VER..release/$VER -n
>
> Passive aggressive gossip does not belong in a commit message.
we generally explain in a commit message the "why" and "what" and so on.
There was no intention of any aggression.
But how would you word it instead ?
The example git commands simply show the authors and committers on the release branch
since the first release on it. I think it's reasonable to provide these as reference
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
* Re: [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported
2024-06-17 7:50 ` Paul B Mahol
@ 2024-06-17 23:52 ` Michael Niedermayer
2024-06-18 7:42 ` Paul B Mahol
0 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-17 23:52 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 09:50:18AM +0200, Paul B Mahol wrote:
> On Mon, Jun 17, 2024 at 1:09 AM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
>
> > Fixes: out of array read
> > Fixes: 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/smcenc.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
> > index 789aef4f770..d70cce900ec 100644
> > --- a/libavcodec/smcenc.c
> > +++ b/libavcodec/smcenc.c
> > @@ -537,6 +537,9 @@ static int smc_encode_frame(AVCodecContext *avctx,
> > AVPacket *pkt,
> > uint8_t *pal;
> > int ret;
> >
> > + if (avctx->width < 4)
> > + return AVERROR_PATCHWELCOME;
> > +
> >
>
> I just enabled address sanitizer for smc encoder and i do not get any
> errors.
> Where is log of where overread happens?
log is below:
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
Time ran: 0.04435396194458008
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 267861690
INFO: Loaded 1 modules (65950 inline 8-bit counters): 65950 [0x8b8e570, 0x8b9e70e),
INFO: Loaded 1 PC tables (65950 PCs): 65950 [0x8a2d0d0,0x8aaddc0),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
=================================================================
==23375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf76af7fe at pc 0x08141703 bp 0xffb541a8 sp 0xffb53d80
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x8141702 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
#1 0x8141c31 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
#2 0x822ccab in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
#3 0x822ccab in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
#4 0x820f5cc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11
#5 0x82114db in encode_simple_internal /src/ffmpeg/libavcodec/encode.c:340:15
#6 0x82114db in encode_simple_receive_packet /src/ffmpeg/libavcodec/encode.c:354:15
#7 0x82114db in encode_receive_packet_internal /src/ffmpeg/libavcodec/encode.c:388:15
#8 0x821082f in avcodec_send_frame /src/ffmpeg/libavcodec/encode.c:531:15
#9 0x81ef067 in encode /src/ffmpeg/tools/target_enc_fuzzer.c:56:11
#10 0x81ef067 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:186:15
#11 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#12 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#13 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#14 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0xf7c6aed4 in __libc_start_main
#16 0x8091075 in _start
0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
#0 0x81ab67a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x884f02f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
#2 0x880036a in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
#3 0x8821c97 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
#4 0x8821c97 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
#5 0x81eed9f in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:171:15
#6 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#7 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#8 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#9 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0xf7c6aed4 in __libc_start_main
SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141702)
Shadow bytes around the buggy address:
0x3eed5ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eed5eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eed5ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eed5ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3eed5ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eed5ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x3eed5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eed5f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eed5f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eed5f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3eed5f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23375==ABORTING
+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x8141702 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141702)
#1 0x8141c31 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141c31)
#2 0x822ccab (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x822ccab)
#3 0x820f5cc (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x820f5cc)
#4 0x82114db (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x82114db)
#5 0x821082f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x821082f)
#6 0x81ef067 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ef067)
#7 0x80aefce (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aefce)
#8 0x8099f2e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099f2e)
#9 0x809fb30 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809fb30)
#10 0x80c9717 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9717)
#11 0xf7c6aed4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
#12 0x8091075 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8091075)
0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
#0 0x81ab67a (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ab67a)
#1 0x884f02f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x884f02f)
#2 0x880036a (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x880036a)
#3 0x8821c97 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8821c97)
#4 0x81eed9f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eed9f)
#5 0x80aefce (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aefce)
#6 0x8099f2e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099f2e)
#7 0x809fb30 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809fb30)
#8 0x80c9717 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9717)
#9 0xf7c6aed4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
ORIGINAL STACKTRACE ON REVISION 9C6C4F3D476D7A8D423EC3B954254C6A67EBC792 (110 LINES)
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/e3430abcedf901dbb1adbcd2478114b79cdd58a7ef107605832b8beb5821004e
Time ran: 0.05047249794006348
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2836813750
INFO: Loaded 1 modules (65781 inline 8-bit counters): 65781 [0x8b7f310, 0x8b8f405),
INFO: Loaded 1 PC tables (65781 PCs): 65781 [0x8a20d40,0x8aa14e8),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/e3430abcedf901dbb1adbcd2478114b79cdd58a7ef107605832b8beb5821004e
=================================================================
==1182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf791b7fe at pc 0x08141413 bp 0xffafff08 sp 0xffaffae0
READ of size 1 at 0xf791b7fe thread T0
#0 0x8141412 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
#1 0x8141941 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
#2 0x822c60b in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
#3 0x822c60b in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
#4 0x820efcc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11
#5 0x8210edb in encode_simple_internal /src/ffmpeg/libavcodec/encode.c:340:15
#6 0x8210edb in encode_simple_receive_packet /src/ffmpeg/libavcodec/encode.c:354:15
#7 0x8210edb in encode_receive_packet_internal /src/ffmpeg/libavcodec/encode.c:388:15
#8 0x821022f in avcodec_send_frame /src/ffmpeg/libavcodec/encode.c:531:15
#9 0x81eed77 in encode /src/ffmpeg/tools/target_enc_fuzzer.c:56:11
#10 0x81eed77 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:186:15
#11 0x80aecde in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#12 0x8099c3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#13 0x809f840 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#14 0x80c9427 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0xf7bdced4 in __libc_start_main
#16 0x8090d85 in _start
0xf791b7fe is located 2 bytes to the left of 296064-byte region [0xf791b800,0xf7963c80)
allocated by thread T0 here:
#0 0x81ab38a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x885246f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
#2 0x88037ca in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
#3 0x88250d7 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
#4 0x88250d7 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
#5 0x81eeaaf in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:171:15
#6 0x80aecde in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#7 0x8099c3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#8 0x809f840 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
#9 0x80c9427 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0xf7bdced4 in __libc_start_main
SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141412)
Shadow bytes around the buggy address:
0x3ef236a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ef236b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ef236c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ef236d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ef236e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ef236f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x3ef23700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ef23710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ef23720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ef23730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ef23740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1182==ABORTING
+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
==1182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf791b7fe at pc 0x08141413 bp 0xffafff08 sp 0xffaffae0
READ of size 1 at 0xf791b7fe thread T0
#0 0x8141412 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141412)
#1 0x8141941 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141941)
#2 0x822c60b (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x822c60b)
#3 0x820efcc (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x820efcc)
#4 0x8210edb (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8210edb)
#5 0x821022f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x821022f)
#6 0x81eed77 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eed77)
#7 0x80aecde (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aecde)
#8 0x8099c3e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099c3e)
#9 0x809f840 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809f840)
#10 0x80c9427 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9427)
#11 0xf7bdced4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
#12 0x8090d85 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8090d85)
0xf791b7fe is located 2 bytes to the left of 296064-byte region [0xf791b800,0xf7963c80)
allocated by thread T0 here:
#0 0x81ab38a (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ab38a)
#1 0x885246f (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x885246f)
#2 0x88037ca (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x88037ca)
#3 0x88250d7 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x88250d7)
#4 0x81eeaaf (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eeaaf)
#5 0x80aecde (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aecde)
#6 0x8099c3e (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099c3e)
#7 0x809f840 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809f840)
#8 0x80c9427 (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9427)
#9 0xf7bdced4 (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Democracy is the form of government in which you can choose your dictator
* Re: [FFmpeg-devel] [PATCH 4/9] avformat/iamf_parse: Layer, thou shalt not be 0
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 4/9] avformat/iamf_parse: Layer, thou shalt not be 0 Michael Niedermayer
@ 2024-06-18 0:33 ` James Almer
2024-06-19 10:57 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: James Almer @ 2024-06-18 0:33 UTC (permalink / raw)
To: ffmpeg-devel
On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 68302/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4665793796177920
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/iamf_parse.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> index 5c2ff6862a7..12c2b9533a8 100644
> --- a/libavformat/iamf_parse.c
> +++ b/libavformat/iamf_parse.c
> @@ -330,7 +330,7 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
> nb_layers = avio_r8(pb) >> 5; // get_bits(&gb, 3);
> // skip_bits(&gb, 5); //reserved
>
> - if (nb_layers > 6)
> + if (nb_layers > 6 || nb_layers == 0)
> return AVERROR_INVALIDDATA;
>
> audio_element->layers = av_calloc(nb_layers, sizeof(*audio_element->layers));
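Review bot: the added `nb_layers == 0` rejection is right, since with zero layers the `av_calloc(nb_layers, ...)` below yields an array the rest of the parser cannot index, but the commit message should say so (for instance "reject nb_layers == 0") instead of the generic "out of array access", which is what the reply asks for. A single range check, `if (nb_layers < 1 || nb_layers > 6)`, also reads more clearly than the two-term disjunction.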
LGTM, but please change the commit message.
* Re: [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less space after the array
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less space after the array Michael Niedermayer
@ 2024-06-18 0:35 ` James Almer
2024-06-19 10:54 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: James Almer @ 2024-06-18 0:35 UTC (permalink / raw)
To: ffmpeg-devel
On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 68584/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6256656668229632
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/iamf_parse.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> index 312090b247c..5c2ff6862a7 100644
> --- a/libavformat/iamf_parse.c
> +++ b/libavformat/iamf_parse.c
> @@ -355,6 +355,9 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
> substream_count = avio_r8(pb);
> coupled_substream_count = avio_r8(pb);
>
> + if (substream_count + k > audio_element->nb_substreams)
> + return AVERROR_INVALIDDATA;
> +
> audio_element->layers[i].substream_count = substream_count;
> audio_element->layers[i].coupled_substream_count = coupled_substream_count;
> if (output_gain_is_present_flag) {
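Review bot: the new guard bounds `substream_count + k` by `nb_substreams`, but `coupled_substream_count`, read from the same byte stream and stored on the very next line, stays unchecked; if anything later derives channel counts from it, it needs a matching bound (at least `coupled_substream_count <= substream_count`, returning AVERROR_INVALIDDATA otherwise). Independently, the subject "Try to use less space after the array" does not describe the change; state that per-layer substream counts are now validated against nb_substreams.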
LGTM, and ditto, change the commit message.
* Re: [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset Michael Niedermayer
@ 2024-06-18 0:41 ` James Almer
2024-06-18 7:07 ` Rémi Denis-Courmont
1 sibling, 0 replies; 38+ messages in thread
From: James Almer @ 2024-06-18 0:41 UTC (permalink / raw)
To: ffmpeg-devel
On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mov.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 9016cd5ad08..46cbce98040 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> }
> for (int j = 0; j < extent_count; j++) {
> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
> - rb_size(pb, &extent_length, length_size) < 0)
> + rb_size(pb, &extent_length, length_size) < 0 ||
> + base_offset < 0 || extent_offset < 0 ||
> + base_offset + (uint64_t)extent_offset > INT64_MAX)
You can do the negative value check directly in rb_size() instead. And
I'd prefer the other check to be (base_offset > INT64_MAX - extent_offset).
> return AVERROR_INVALIDDATA;
> if (offset_type == 1)
> c->heif_item[i].is_idat_relative = 1;
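Review bot: the overflow test `base_offset + (uint64_t)extent_offset > INT64_MAX` is only sound because the two `< 0` checks earlier in the same condition run first and short-circuit; that ordering is the whole argument, so either keep it with a comment or write it as `base_offset > INT64_MAX - extent_offset` as suggested, which needs no cast. `extent_length` is read on the same path and gets no sign or range check here; if the item's end is later computed as offset plus extent_length, that addition can overflow in exactly the same way and needs the same guard.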
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Michael Niedermayer
2024-06-17 7:07 ` Anton Khirnov
2024-06-17 7:26 ` Paul B Mahol
@ 2024-06-18 7:02 ` Rémi Denis-Courmont
2024-06-18 9:53 ` Steven Liu
3 siblings, 0 replies; 38+ messages in thread
From: Rémi Denis-Courmont @ 2024-06-18 7:02 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On 17 June 2024 01:08:29 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> wrote:
>I've been told that someone at the BCN video tech meetup claimed to be the
>"release maintainer for FFmpeg".
I don't think that this is appropriate in a commit message that'll go on a blockchain never to be modifiable.
>If you have any doubt who maintains releases, just do something like the following and look at the output:
Assuming that the allegations are true, the recipients of the misinformation won't see this message, so there is no point.
* Re: [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset Michael Niedermayer
2024-06-18 0:41 ` James Almer
@ 2024-06-18 7:07 ` Rémi Denis-Courmont
2024-06-18 7:10 ` Andreas Rheinhardt
2024-06-19 12:34 ` James Almer
1 sibling, 2 replies; 38+ messages in thread
From: Rémi Denis-Courmont @ 2024-06-18 7:07 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On 17 June 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> wrote:
>Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>
>Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>---
> libavformat/mov.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/libavformat/mov.c b/libavformat/mov.c
>index 9016cd5ad08..46cbce98040 100644
>--- a/libavformat/mov.c
>+++ b/libavformat/mov.c
>@@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> }
> for (int j = 0; j < extent_count; j++) {
> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>- rb_size(pb, &extent_length, length_size) < 0)
>+ rb_size(pb, &extent_length, length_size) < 0 ||
>+ base_offset < 0 || extent_offset < 0 ||
>+ base_offset + (uint64_t)extent_offset > INT64_MAX)
Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
> return AVERROR_INVALIDDATA;
> if (offset_type == 1)
> c->heif_item[i].is_idat_relative = 1;
* Re: [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-18 7:07 ` Rémi Denis-Courmont
@ 2024-06-18 7:10 ` Andreas Rheinhardt
2024-06-19 12:34 ` James Almer
1 sibling, 0 replies; 38+ messages in thread
From: Andreas Rheinhardt @ 2024-06-18 7:10 UTC (permalink / raw)
To: ffmpeg-devel
Rémi Denis-Courmont:
>
>
> On 17 June 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavformat/mov.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 9016cd5ad08..46cbce98040 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>> }
>> for (int j = 0; j < extent_count; j++) {
>> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>> - rb_size(pb, &extent_length, length_size) < 0)
>> + rb_size(pb, &extent_length, length_size) < 0 ||
>> + base_offset < 0 || extent_offset < 0 ||
>> + base_offset + (uint64_t)extent_offset > INT64_MAX)
>
> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
>
+1
>> return AVERROR_INVALIDDATA;
>> if (offset_type == 1)
>> c->heif_item[i].is_idat_relative = 1;
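The two replies above ask for a dedicated overflow-checking helper instead of the hand-written `base_offset + (uint64_t)extent_offset > INT64_MAX` test in the hunk. As an added example, not FFmpeg code and not what any of the participants wrote, here is what such a helper and its use at the iloc site look like in C. The names add_overflow_i64, iloc_extent_range and iloc_extent_end are my own; the helper assumes GCC 5+ or Clang for `__builtin_add_overflow()` (the same contract as C23's `ckd_add()`) and falls back to the portable comparison otherwise. It also folds in the earlier suggestion that negative sizes be rejected where they are read, and applies the check to extent_length as well, which the hunk does not.

```c
#include <stdint.h>
#include <stdio.h>

/* Overflow-checked int64 addition (hypothetical helper, not FFmpeg's).
 * Returns 0 and stores a + b in *res, or -1 (leaving *res untouched) when
 * the sum does not fit in int64_t. On GCC/Clang it wraps
 * __builtin_add_overflow(); the fallback branch is the portable form. */
static inline int add_overflow_i64(int64_t a, int64_t b, int64_t *res)
{
#if defined(__GNUC__) || defined(__clang__)
    int64_t r;
    if (__builtin_add_overflow(a, b, &r))
        return -1;
    *res = r;
#else
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return -1;
    *res = a + b;
#endif
    return 0;
}

/* Hypothetical model of the iloc extent computation: an extent occupies
 * [base_offset + extent_offset, base_offset + extent_offset + extent_length).
 * All three values come from the file, so each is rejected if negative (a
 * check that could equally live in the size reader) and each addition goes
 * through the helper. Returns 0, or -1 for invalid data, i.e. where the
 * demuxer would return AVERROR_INVALIDDATA. */
static int iloc_extent_range(int64_t base_offset, int64_t extent_offset,
                             int64_t extent_length, int64_t *start, int64_t *end)
{
    int64_t s, e;
    if (base_offset < 0 || extent_offset < 0 || extent_length < 0)
        return -1;
    if (add_overflow_i64(base_offset, extent_offset, &s) < 0 ||
        add_overflow_i64(s, extent_length, &e) < 0)
        return -1;
    *start = s;
    *end = e;
    return 0;
}

/* Convenience wrapper: the extent's end offset, or -1 if it was rejected. */
static int64_t iloc_extent_end(int64_t base_offset, int64_t extent_offset,
                               int64_t extent_length)
{
    int64_t s, e;
    if (iloc_extent_range(base_offset, extent_offset, extent_length, &s, &e) < 0)
        return -1;
    return e;
}

int main(void)
{
    /* The operands from the sanitizer message quoted in the commit message. */
    int64_t bad = iloc_extent_end(2314885530818453536LL, 9151314442816847872LL, 0);
    int64_t ok  = iloc_extent_end(4096, 512, 1024);
    printf("fuzzer operands: %s\n", bad < 0 ? "rejected" : "accepted");
    printf("4096 + 512, length 1024: end = %lld\n", (long long)ok);
    return 0;
}
```

The helper reports overflow instead of saturating, so the caller can fail the file rather than silently clamp an offset; that distinction matters for a demuxer, where a clamped offset would still point somewhere inside the input.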
* Re: [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported
2024-06-17 23:52 ` Michael Niedermayer
@ 2024-06-18 7:42 ` Paul B Mahol
2024-06-25 19:56 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: Paul B Mahol @ 2024-06-18 7:42 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixed by making nx/ny always >= 0.
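The sanitizer report earlier in this thread (a 1-byte read 2 bytes before the start of the frame buffer, from the memcmp in smc_encode_stream) and the remark above that it was fixed by making nx/ny always >= 0 describe a neighbour-block offset that goes negative when the frame is narrower than one 4-pixel block. The following is an added example, not smcenc.c or any other FFmpeg code: a hypothetical model of that arithmetic (the frame_geom type, the neighbour_offset_* functions, compare_blocks and the constructed 2x8 sample frame are all my own) showing how a width-2 frame produces a neighbour offset of -2, the kind of offset behind a "2 bytes to the left of" read, next to the clamped variant and a bounds-checked memcmp wrapper that refuses such a request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 4  /* SMC codes the image in 4x4 pixel blocks */

/* Hypothetical frame geometry; linesize is bytes per row (>= width). */
typedef struct {
    int width, height, linesize;
} frame_geom;

typedef int (*offset_fn)(const frame_geom *, int, int, long *);

/* Offset of the block that the block at (x, y) is compared against: the
 * block to its left, or the last block of the previous block row when
 * x == 0. Returns 0 for the very first block, which has no neighbour.
 * Buggy: when width < BLOCK, "last block of the row" starts before the
 * row, so nx and the resulting offset go negative. */
static int neighbour_offset_buggy(const frame_geom *g, int x, int y, long *off)
{
    int nx = x - BLOCK, ny = y;
    if (x == 0 && y == 0)
        return 0;
    if (nx < 0) {               /* wrap to the previous block row */
        nx = g->width - BLOCK;  /* negative whenever width < BLOCK */
        ny = y - BLOCK;
    }
    *off = (long)ny * g->linesize + nx;
    return 1;
}

/* Fixed variant: nx and ny are clamped so the neighbour never lies before
 * the start of the buffer ("making nx/ny always >= 0"). */
static int neighbour_offset_fixed(const frame_geom *g, int x, int y, long *off)
{
    int nx = x - BLOCK, ny = y;
    if (x == 0 && y == 0)
        return 0;
    if (nx < 0) {
        nx = g->width - BLOCK;
        ny = y - BLOCK;
    }
    if (nx < 0) nx = 0;
    if (ny < 0) ny = 0;
    *off = (long)ny * g->linesize + nx;
    return 1;
}

/* Defensive comparison: memcmp of len bytes at cur and off only if both
 * spans lie inside buf[0, size). Returns 1/0 for equal/different and -1
 * if a span is out of bounds, instead of letting memcmp read the redzone. */
static int compare_blocks(const uint8_t *buf, long size, long cur, long off, int len)
{
    if (len <= 0 || cur < 0 || off < 0 || cur + len > size || off + len > size)
        return -1;
    return memcmp(buf + cur, buf + off, len) == 0;
}

/* Walks every block of the frame with the chosen offset function and
 * returns the most negative neighbour offset produced (0 if all in range). */
static long worst_offset(int width, int height, int linesize, int use_fixed)
{
    frame_geom g = { width, height, linesize };
    offset_fn fn = use_fixed ? neighbour_offset_fixed : neighbour_offset_buggy;
    long worst = 0, off;
    for (int y = 0; y < height; y += BLOCK)
        for (int x = 0; x < width; x += BLOCK)
            if (fn(&g, x, y, &off) && off < worst)
                worst = off;
    return worst;
}

/* Compares the block at (0, BLOCK) of a constructed, zero-filled frame
 * with its neighbour; -1 means the guard rejected the neighbour offset. */
static int guarded_compare_demo(int width, int height, int use_fixed)
{
    frame_geom g = { width, height, width };
    offset_fn fn = use_fixed ? neighbour_offset_fixed : neighbour_offset_buggy;
    uint8_t buf[64] = { 0 };                 /* constructed sample frame */
    long size = (long)width * height, off = 0;
    int len = width < BLOCK ? width : BLOCK; /* bytes of one block row */
    if (size > (long)sizeof buf || height <= BLOCK)
        return -2;
    fn(&g, 0, BLOCK, &off);
    return compare_blocks(buf, size, (long)BLOCK * g.linesize, off, len);
}

int main(void)
{
    printf("2x8 frame, buggy offsets: worst %ld\n", worst_offset(2, 8, 2, 0));
    printf("2x8 frame, fixed offsets: worst %ld\n", worst_offset(2, 8, 2, 1));
    printf("8x8 frame, buggy offsets: worst %ld\n", worst_offset(8, 8, 8, 0));
    printf("guarded compare, buggy: %d  fixed: %d\n",
           guarded_compare_demo(2, 8, 0), guarded_compare_demo(2, 8, 1));
    return 0;
}
```

For an 8x8 frame both offset functions agree and every offset is non-negative, which is why a sanitizer run on ordinary inputs shows nothing; the fault only appears once the width drops below the block size, the case the fuzzer found.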
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Michael Niedermayer
` (2 preceding siblings ...)
2024-06-18 7:02 ` Rémi Denis-Courmont
@ 2024-06-18 9:53 ` Steven Liu
2024-06-18 9:56 ` Steven Liu
3 siblings, 1 reply; 38+ messages in thread
From: Steven Liu @ 2024-06-18 9:53 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Michael Niedermayer <michael@niedermayer.cc> wrote on Mon, 17 Jun 2024 at 07:09:
>
> I've been told that someone at the BCN video tech meetup claimed to be the
> "release maintainer for FFmpeg".
>
> If you have any doubt who maintains releases, just do something like the following and look at the output:
> VER=5.1
> echo commiters ; git shortlog --group=committer -s n$VER..release/$VER -n ;\
> echo authors ; git shortlog -s n$VER..release/$VER -n
(base) MacBook-Pro:ffmpeg StevenLiu$ VER=5.1
(base) MacBook-Pro:ffmpeg StevenLiu$ echo committers ; git shortlog
--group=committer -s n$VER..release/$VER -n ;echo authors ; git
shortlog -s n$VER..release/$VER -n
committers
fatal: ambiguous argument 'n5.1..release/5.1': unknown revision or
path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
authors
fatal: ambiguous argument 'n5.1..release/5.1': unknown revision or
path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
(base) MacBook-Pro:ffmpeg StevenLiu$
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> MAINTAINERS | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 41a98744adf..a82fa58c69f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -536,10 +536,12 @@ wm4
> Releases
> ========
>
> +7.0 Michael Niedermayer
> +6.1 Michael Niedermayer
> +5.1 Michael Niedermayer
> +4.4 Michael Niedermayer
> +3.4 Michael Niedermayer
> 2.8 Michael Niedermayer
> -2.7 Michael Niedermayer
> -2.6 Michael Niedermayer
> -2.5 Michael Niedermayer
>
> If you want to maintain an older release, please contact us
>
> --
> 2.45.2
>
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-18 9:53 ` Steven Liu
@ 2024-06-18 9:56 ` Steven Liu
0 siblings, 0 replies; 38+ messages in thread
From: Steven Liu @ 2024-06-18 9:56 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Steven Liu <lingjiujianke@gmail.com> wrote on Tuesday, 18 June 2024 at 17:53:
>
> Michael Niedermayer <michael@niedermayer.cc> wrote on Monday, 17 June 2024 at 07:09:
> >
> > I've been told that someone at the BCN video tech meetup claimed to be the
> > "release maintainer for FFmpeg".
> >
> > If you have any doubt who maintains releases, just do something like the following and look at the output:
> > VER=5.1
> > echo commiters ; git shortlog --group=committer -s n$VER..release/$VER -n ;\
> > echo authors ; git shortlog -s n$VER..release/$VER -n
>
> (base) MacBook-Pro:ffmpeg StevenLiu$ VER=5.1
> (base) MacBook-Pro:ffmpeg StevenLiu$ echo committers ; git shortlog
> --group=committer -s n$VER..release/$VER -n ;echo authors ; git
> shortlog -s n$VER..release/$VER -n
> committers
> fatal: ambiguous argument 'n5.1..release/5.1': unknown revision or
> path not in the working tree.
> Use '--' to separate paths from revisions, like this:
> 'git <command> [<revision>...] -- [<file>...]'
> authors
> fatal: ambiguous argument 'n5.1..release/5.1': unknown revision or
> path not in the working tree.
> Use '--' to separate paths from revisions, like this:
> 'git <command> [<revision>...] -- [<file>...]'
> (base) MacBook-Pro:ffmpeg StevenLiu$
This can fix the error message. Not sure if this is the right operation :D
echo committers ; git shortlog --group=committer -s
n$VER..remotes/origin/release/$VER -n ;echo authors ; git shortlog
-s n$VER..remotes/origin/release/$VER -n
>
>
>
> >
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > MAINTAINERS | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index 41a98744adf..a82fa58c69f 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -536,10 +536,12 @@ wm4
> > Releases
> > ========
> >
> > +7.0 Michael Niedermayer
> > +6.1 Michael Niedermayer
> > +5.1 Michael Niedermayer
> > +4.4 Michael Niedermayer
> > +3.4 Michael Niedermayer
> > 2.8 Michael Niedermayer
> > -2.7 Michael Niedermayer
> > -2.6 Michael Niedermayer
> > -2.5 Michael Niedermayer
> >
> > If you want to maintain an older release, please contact us
> >
> > --
> > 2.45.2
> >
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-17 23:48 ` Michael Niedermayer
@ 2024-06-18 10:09 ` Anton Khirnov
2024-06-19 11:22 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: Anton Khirnov @ 2024-06-18 10:09 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Quoting Michael Niedermayer (2024-06-18 01:48:25)
> On Mon, Jun 17, 2024 at 09:07:23AM +0200, Anton Khirnov wrote:
> > Quoting Michael Niedermayer (2024-06-17 01:08:29)
> > > I've been told that someone at the BCN video tech meetup claimed to be the
> > > "release maintainer for FFmpeg".
> > >
> > > If you have any doubt who maintains releases, just do something like the following and look at the output:
> > > VER=5.1
> > > echo commiters ; git shortlog --group=committer -s n$VER..release/$VER -n ;\
> > > echo authors ; git shortlog -s n$VER..release/$VER -n
> >
> > Passive aggressive gossip does not belong in a commit message.
>
> we generally explain in a commit message the "why" and "what" and so on.
> There was no intention of any aggression.
The commit message is indirectly accusing an unidentified person of
trying to usurp your position as a release maintainer. The accusation is
aggressive, and the fact that it is indirect makes it passive
aggressive.
Not providing any specifics beyond "someone said that someone said"
makes it gossip.
Each of those factors in isolation IMO makes this text inappropriate for
a commit message.
> But how would you word it instead ?
I would not word it at all, as there is no evidence that this needs
clarifying. Gossip is not evidence.
> The example git commands simply show the authors and committers on the release branch
> since the first release on it. I think it's reasonable to provide these as reference
I don't. Nobody is disputing your role as a release maintainer.
--
Anton Khirnov
* Re: [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb()
2024-06-17 5:27 ` Andreas Rheinhardt
@ 2024-06-18 22:00 ` Michael Niedermayer
0 siblings, 0 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-18 22:00 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 07:27:16AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array access
> > Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/mpeg4audio.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/libavcodec/mpeg4audio.c b/libavcodec/mpeg4audio.c
> > index fbd2a8f811a..ae18944f0d5 100644
> > --- a/libavcodec/mpeg4audio.c
> > +++ b/libavcodec/mpeg4audio.c
> > @@ -94,6 +94,10 @@ int ff_mpeg4audio_get_config_gb(MPEG4AudioConfig *c, GetBitContext *gb,
> > {
> > int specific_config_bitindex, ret;
> > int start_bit_index = get_bits_count(gb);
> > +
> > + if (get_bits_left(gb) < 5+4+4)
> > + return AVERROR_INVALIDDATA;
> > +
> > c->object_type = get_object_type(gb);
> > c->sample_rate = get_sample_rate(gb, &c->sampling_index);
> > c->chan_config = get_bits(gb, 4);
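Review bot: the new guard `if (get_bits_left(gb) < 5+4+4)` hard-codes the widths of the three reads that follow it (5 bits for the object type, 4 for the sampling index, 4 for chan_config) without saying so; a comment or a named constant would keep the check and the reads from drifting apart. It is also only a lower bound: it is exact only if get_object_type() and get_sample_rate() consume precisely those widths, and any escape or extended form they may read beyond that is not covered, so a caller that hands in an unpadded buffer is not made safe by this check alone. Either check inside each reader against get_bits_left(gb), or document that the function requires padded input and fix the caller that violates that.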
>
> This is not a proper fix. The real bug seems to be that
> avpriv_mpeg4audio_get_config2() relies on the buffer to be padded, but
> iamf_parse.c does not add padding.
indeed, patch dropped
James already posted a better fix
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
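The exchange above turns on whether a bit reader may be handed a buffer with no padding after it. As an added example (not FFmpeg's code, and not the fix James posted), here is a bit reader that refuses any read past the end of the buffer, used by a parser for the first three AudioSpecificConfig fields. The field widths and escape codes follow the ISO/IEC 14496-3 layout; the BitReader and AudioConfig types, the function names and the sample byte strings are constructed for this example. The fixed 5+4+4 check is kept as the minimum, and each escape re-checks for the extra bits it needs, which is what makes the parser safe on unpadded input.

```c
/* Added example (not FFmpeg code): a bounds-checked bit reader and an
 * AudioSpecificConfig header parser that re-checks before each
 * variable-length part, so it never reads past an unpadded buffer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct BitReader {
    const uint8_t *buf;
    size_t size_bits;   /* total bits available */
    size_t pos;         /* next bit to read, MSB-first */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_bytes)
{
    br->buf = buf;
    br->size_bits = size_bytes * 8;
    br->pos = 0;
}

static size_t br_bits_left(const BitReader *br)
{
    return br->size_bits - br->pos;
}

/* Reads n (1..24) bits MSB-first. Returns -1 instead of touching memory
 * past the buffer; callers must check for it. */
static int br_get_bits(BitReader *br, unsigned n)
{
    if (n == 0 || n > 24 || br_bits_left(br) < n)
        return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    return (int)v;
}

typedef struct AudioConfig {
    int object_type;
    int sampling_index;
    int sample_rate;    /* explicit rate when sampling_index == 15, else -1 */
    int chan_config;
} AudioConfig;

/* Layout per ISO/IEC 14496-3: 5-bit audioObjectType (31 = escape, then 6
 * more bits + 32), 4-bit samplingFrequencyIndex (15 = escape, then a
 * 24-bit explicit rate), 4-bit channelConfiguration. */
static int parse_audio_config(const uint8_t *buf, size_t size, AudioConfig *c)
{
    BitReader br;
    br_init(&br, buf, size);
    if (br_bits_left(&br) < 5 + 4 + 4)      /* minimum, not the full size */
        return -1;
    c->object_type = br_get_bits(&br, 5);
    if (c->object_type == 31) {              /* escape: 6 extra bits */
        int ext = br_get_bits(&br, 6);
        if (ext < 0)
            return -1;
        c->object_type = 32 + ext;
    }
    c->sampling_index = br_get_bits(&br, 4);
    if (c->sampling_index < 0)
        return -1;
    c->sample_rate = -1;
    if (c->sampling_index == 15) {           /* escape: 24-bit explicit rate */
        c->sample_rate = br_get_bits(&br, 24);
        if (c->sample_rate < 0)
            return -1;
    }
    c->chan_config = br_get_bits(&br, 4);
    return c->chan_config < 0 ? -1 : 0;
}

/* Constructed sample inputs (not from any real file). */
static const uint8_t ASC_AAC_LC_44K_STEREO[] = { 0x12, 0x10 };            /* type 2, idx 4, 2 ch */
static const uint8_t ASC_ESCAPE_TRUNCATED[]  = { 0xF8, 0x80 };            /* type 36, cut before chan */
static const uint8_t ASC_ESCAPE_COMPLETE[]   = { 0xF8, 0x80, 0x80 };      /* type 36, idx 0, 4 ch */
static const uint8_t ASC_EXPLICIT_48K[]      = { 0x17, 0x80, 0x5D, 0xC0, 0x10 }; /* type 2, idx 15, 48000 Hz, 2 ch */

int main(void)
{
    AudioConfig c;
    int ret = parse_audio_config(ASC_EXPLICIT_48K, sizeof(ASC_EXPLICIT_48K), &c);
    printf("ret=%d type=%d idx=%d rate=%d ch=%d\n",
           ret, c.object_type, c.sampling_index, c.sample_rate, c.chan_config);
    printf("truncated: ret=%d\n",
           parse_audio_config(ASC_ESCAPE_TRUNCATED, sizeof(ASC_ESCAPE_TRUNCATED), &c));
    return 0;
}
```

The two-byte ASC_ESCAPE_TRUNCATED input passes the upfront 13-bit check yet fails on the last field, which is exactly the case a fixed-size guard in front of variable-length readers does not cover.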
* Re: [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less space after the array
2024-06-18 0:35 ` James Almer
@ 2024-06-19 10:54 ` Michael Niedermayer
0 siblings, 0 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-19 10:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 09:35:06PM -0300, James Almer wrote:
> On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 68584/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6256656668229632
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/iamf_parse.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> > index 312090b247c..5c2ff6862a7 100644
> > --- a/libavformat/iamf_parse.c
> > +++ b/libavformat/iamf_parse.c
> > @@ -355,6 +355,9 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
> > substream_count = avio_r8(pb);
> > coupled_substream_count = avio_r8(pb);
> > + if (substream_count + k > audio_element->nb_substreams)
> > + return AVERROR_INVALIDDATA;
> > +
> > audio_element->layers[i].substream_count = substream_count;
> > audio_element->layers[i].coupled_substream_count = coupled_substream_count;
> > if (output_gain_is_present_flag) {
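Review bot: the new bound `substream_count + k > audio_element->nb_substreams` sits right after the two avio_r8() reads, which is the right place, but nothing in this hunk bounds coupled_substream_count, which comes from the same byte stream and is stored unchecked into layers[i]; if later code derives stream or channel indices from it, a check that it does not exceed substream_count belongs on the same lines. A short comment saying what k counts (the substreams consumed by the earlier layers, presumably) would also help, since the invariant the check protects is not visible from the three added lines.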
>
> LGTM,
will apply
> and ditto, change the commit message.
you lack humor ;(
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Dictatorship: All citizens are under surveillance, all their steps and
actions recorded, for the politicians to enforce control.
Democracy: All politicians are under surveillance, all their steps and
actions recorded, for the citizens to enforce control.
* Re: [FFmpeg-devel] [PATCH 4/9] avformat/iamf_parse: Layer, thou shalt not be 0
2024-06-18 0:33 ` James Almer
@ 2024-06-19 10:57 ` Michael Niedermayer
0 siblings, 0 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-19 10:57 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 09:33:59PM -0300, James Almer wrote:
> On 6/16/2024 8:08 PM, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 68302/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4665793796177920
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/iamf_parse.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> > index 5c2ff6862a7..12c2b9533a8 100644
> > --- a/libavformat/iamf_parse.c
> > +++ b/libavformat/iamf_parse.c
> > @@ -330,7 +330,7 @@ static int scalable_channel_layout_config(void *s, AVIOContext *pb,
> > nb_layers = avio_r8(pb) >> 5; // get_bits(&gb, 3);
> > // skip_bits(&gb, 5); //reserved
> > - if (nb_layers > 6)
> > + if (nb_layers > 6 || nb_layers == 0)
> > return AVERROR_INVALIDDATA;
> > audio_element->layers = av_calloc(nb_layers, sizeof(*audio_element->layers));
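Review bot: the added `nb_layers == 0` rejection is fine, but the commit message should state what it guards: with nb_layers == 0 the av_calloc() on the next line allocates zero elements, so whatever later indexes layers[] would read outside the allocation. Since the commented-out `get_bits(&gb, 3)` shows a 3-bit field, `nb_layers > 6` only rejects the value 7; a comment stating the valid range 1..6 next to the combined condition would make the intent clearer than the two separate comparisons.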
>
> LGTM, but please change the commit message.
just change?
as in "to anything I feel like"? :)
ok
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Nations do behave wisely once they have exhausted all other alternatives.
-- Abba Eban
* Re: [FFmpeg-devel] [PATCH 6/9] avcodec/libvpxenc: Cleanup on error
2024-06-17 17:10 ` James Zern via ffmpeg-devel
@ 2024-06-19 10:59 ` Michael Niedermayer
0 siblings, 0 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-19 10:59 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 10:10:38AM -0700, James Zern via ffmpeg-devel wrote:
> On Sun, Jun 16, 2024 at 4:09 PM Michael Niedermayer
> <michael@niedermayer.cc> wrote:
> >
> > This or fifo needs to be freed on errors explicitly
> > I have not verified that it's always safe to call vpx_free(); this needs to be checked before applying this
> >
>
> It should be safe to call into libvpx whether the encoder init
> succeeded or not; av_freep() is most of the rest of the code.
Thanks for checking
>
> > Fixes: memleak
> > Fixes: 68937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-4830831016214528
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/libvpxenc.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
>
> lgtm.
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates
* Re: [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg
2024-06-18 10:09 ` Anton Khirnov
@ 2024-06-19 11:22 ` Michael Niedermayer
0 siblings, 0 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-19 11:22 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Jun 18, 2024 at 12:09:34PM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2024-06-18 01:48:25)
> > On Mon, Jun 17, 2024 at 09:07:23AM +0200, Anton Khirnov wrote:
> > > Quoting Michael Niedermayer (2024-06-17 01:08:29)
> > > > I've been told that someone at the BCN video tech meetup claimed to be the
> > > > "release maintainer for FFmpeg".
> > > >
> > > > If you have any doubt who maintains releases, just do something like the following and look at the output:
> > > > VER=5.1
> > > > echo commiters ; git shortlog --group=committer -s n$VER..release/$VER -n ;\
> > > > echo authors ; git shortlog -s n$VER..release/$VER -n
> > >
> > > Passive aggressive gossip does not belong in a commit message.
> >
> > we generally explain in a commit message the "why" and "what" and so on.
> > There was no intention of any aggression.
>
> The commit message is indirectly accusing an unidentified person of
> trying to usurp your position as a release maintainer. The accusation is
> aggressive, and the fact that it is indirect makes it passive
> aggressive.
>
> Not providing any specifics beyond "someone said that someone said"
> makes it gossip.
>
> Each of those factors in isolation IMO makes this text inappropriate for
> a commit message.
I don't entirely agree but I'll drop it from the commit message.
[...]
> > The example git commands simply show the authors and committers on the release branch
> > since the first release on it. I think it's reasonable to provide these as reference
>
> I don't. Nobody is disputing your role as a release maintainer.
It's always nice to learn that I am A release maintainer and not THE release maintainer. :)
Which releases are maintained by someone else?
And who is that someone else?
Can that other release maintainer look at some of the regressions we have?
IIRC there are cases that, since the multithreading, don't 100% of the time
produce the same output, which makes testing more difficult. And while
already at that subject, can that other release maintainer help marking
regressions as such and as release blocking? So they are more visible
and can get fixed.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras
* Re: [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-18 7:07 ` Rémi Denis-Courmont
2024-06-18 7:10 ` Andreas Rheinhardt
@ 2024-06-19 12:34 ` James Almer
2024-06-19 13:08 ` Rémi Denis-Courmont
1 sibling, 1 reply; 38+ messages in thread
From: James Almer @ 2024-06-19 12:34 UTC (permalink / raw)
To: ffmpeg-devel
On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
>
>
> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavformat/mov.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 9016cd5ad08..46cbce98040 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>> }
>> for (int j = 0; j < extent_count; j++) {
>> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>> - rb_size(pb, &extent_length, length_size) < 0)
>> + rb_size(pb, &extent_length, length_size) < 0 ||
>> + base_offset < 0 || extent_offset < 0 ||
>> + base_offset + (uint64_t)extent_offset > INT64_MAX)
>
> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
You mean the __builtin_*_overflow() ones?
>
>> return AVERROR_INVALIDDATA;
>> if (offset_type == 1)
>> c->heif_item[i].is_idat_relative = 1;
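Review bot: the new test `base_offset + (uint64_t)extent_offset > INT64_MAX` is correct only because the two comparisons before it already guarantee both operands are non-negative: two values in [0, INT64_MAX] sum to at most 2*INT64_MAX, which fits in uint64_t, so the unsigned addition cannot itself wrap. That ordering dependency deserves a one-line comment, or the three conditions should be folded into a single helper so the next copy of this pattern cannot drop the sign checks. Also, extent_length is read on the same line and gets no equivalent check; if it is later added to base_offset + extent_offset to compute an end position, the same overflow exists there.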
* Re: [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-19 12:34 ` James Almer
@ 2024-06-19 13:08 ` Rémi Denis-Courmont
2024-06-20 22:54 ` Michael Niedermayer
0 siblings, 1 reply; 38+ messages in thread
From: Rémi Denis-Courmont @ 2024-06-19 13:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Le 19 juin 2024 14:34:59 GMT+02:00, James Almer <jamrial@gmail.com> a écrit :
>On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
>>
>>
>> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavformat/mov.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>> index 9016cd5ad08..46cbce98040 100644
>>> --- a/libavformat/mov.c
>>> +++ b/libavformat/mov.c
>>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>>> }
>>> for (int j = 0; j < extent_count; j++) {
>>> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>>> - rb_size(pb, &extent_length, length_size) < 0)
>>> + rb_size(pb, &extent_length, length_size) < 0 ||
>>> + base_offset < 0 || extent_offset < 0 ||
>>> + base_offset + (uint64_t)extent_offset > INT64_MAX)
>>
>> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
>
>You mean the __builtin_*_overflow() one?
I'd rather the ckd_*() stuff but the differences are mostly stylistic.
>>> return AVERROR_INVALIDDATA;
>>> if (offset_type == 1)
>>> c->heif_item[i].is_idat_relative = 1;
* Re: [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-19 13:08 ` Rémi Denis-Courmont
@ 2024-06-20 22:54 ` Michael Niedermayer
2024-06-20 22:58 ` James Almer
0 siblings, 1 reply; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-20 22:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Wed, Jun 19, 2024 at 03:08:58PM +0200, Rémi Denis-Courmont wrote:
>
>
> Le 19 juin 2024 14:34:59 GMT+02:00, James Almer <jamrial@gmail.com> a écrit :
> >On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
> >>
> >>
> >> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
> >>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
> >>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
> >>>
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >>> ---
> >>> libavformat/mov.c | 4 +++-
> >>> 1 file changed, 3 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/libavformat/mov.c b/libavformat/mov.c
> >>> index 9016cd5ad08..46cbce98040 100644
> >>> --- a/libavformat/mov.c
> >>> +++ b/libavformat/mov.c
> >>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >>> }
> >>> for (int j = 0; j < extent_count; j++) {
> >>> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
> >>> - rb_size(pb, &extent_length, length_size) < 0)
> >>> + rb_size(pb, &extent_length, length_size) < 0 ||
> >>> + base_offset < 0 || extent_offset < 0 ||
> >>> + base_offset + (uint64_t)extent_offset > INT64_MAX)
> >>
> >> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
> >
> >You mean the __builtin_*_overflow() one?
>
> I'd rather the ckd_*() stuff but the differences are mostly stylistic.
Whatever is used must be supported by all currently supported platforms;
that especially also includes past releases we backport things to.
In practice that means continuing to use the classical way to check
as well as our av_sat_addXY() stuff.
We cannot backport things that depend on C23 as that was not a requirement
in the past. So I also cannot use this in bug fixes.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The smallest minority on earth is the individual. Those who deny
individual rights cannot claim to be defenders of minorities. - Ayn Rand
* Re: [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset
2024-06-20 22:54 ` Michael Niedermayer
@ 2024-06-20 22:58 ` James Almer
0 siblings, 0 replies; 38+ messages in thread
From: James Almer @ 2024-06-20 22:58 UTC (permalink / raw)
To: ffmpeg-devel
On 6/20/2024 7:54 PM, Michael Niedermayer wrote:
> On Wed, Jun 19, 2024 at 03:08:58PM +0200, Rémi Denis-Courmont wrote:
>>
>>
>> Le 19 juin 2024 14:34:59 GMT+02:00, James Almer <jamrial@gmail.com> a écrit :
>>> On 6/18/2024 4:07 AM, Rémi Denis-Courmont wrote:
>>>>
>>>>
>>>> Le 17 juin 2024 01:08:27 GMT+02:00, Michael Niedermayer <michael@niedermayer.cc> a écrit :
>>>>> Fixes: signed integer overflow: 2314885530818453536 + 9151314442816847872 cannot be represented in type 'long'
>>>>> Fixes: 68359/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6571950311800832
>>>>>
>>>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>>> ---
>>>>> libavformat/mov.c | 4 +++-
>>>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>>>> index 9016cd5ad08..46cbce98040 100644
>>>>> --- a/libavformat/mov.c
>>>>> +++ b/libavformat/mov.c
>>>>> @@ -8131,7 +8131,9 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>>>>> }
>>>>> for (int j = 0; j < extent_count; j++) {
>>>>> if (rb_size(pb, &extent_offset, offset_size) < 0 ||
>>>>> - rb_size(pb, &extent_length, length_size) < 0)
>>>>> + rb_size(pb, &extent_length, length_size) < 0 ||
>>>>> + base_offset < 0 || extent_offset < 0 ||
>>>>> + base_offset + (uint64_t)extent_offset > INT64_MAX)
>>>>
>>>> Can we please stop with the bespoke arithmetic overflow checks and add dedicated helpers instead, similar to what GCC and C23 have?
>>>
>>> You mean the __builtin_*_overflow() one?
>>
>> I'd rather the ckd_*() stuff but the differences are mostly stylistic.
>
> Whatever is used must be supported by all currently supported platforms
> that especially also includes past releases we backport things to.
>
> In practice that means continuing to use the classical way to check
> as well as our av_sat_addXY() stuff.
>
> We cannot backport things that depend on C23 as that was not a requirement
> in the past. So I also cannot use this in bug fixes.
This change is ok for now (With my suggestion amended to it). We can add
wrappers around the GCC builtins and C23 ckd_* macros later (With pure C
fallbacks), and start using them for future changes.
>
> thx
>
> [...]
>
>
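The thread compares hand-written range checks, the GCC/Clang __builtin_*_overflow() builtins, C23's ckd_*() and FFmpeg's saturating helpers. The following added example (not FFmpeg's code) puts the hunk's check next to a portable any-sign check, the compiler builtin, and a saturating add written in the same spirit as av_sat_add64(), and runs all of them on the two values from the UBSan report quoted in the commit message. The function names are the example's own; the builtin is only used when the compiler advertises it.

```c
/* Added example (not FFmpeg code): three ways to detect signed 64-bit
 * addition overflow, exercised on the values from the fuzzer report. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

/* Style used in the mov.c hunk: reject negatives first, then add as
 * unsigned. Correct only because both operands are known to be >= 0,
 * so the unsigned sum is at most 2*INT64_MAX and cannot wrap. */
static bool offset_sum_invalid_patch_style(int64_t base, int64_t extent)
{
    return base < 0 || extent < 0 ||
           (uint64_t)base + (uint64_t)extent > (uint64_t)INT64_MAX;
}

/* Portable check for any sign (plain C99, no undefined behaviour):
 * the subtraction on the right never overflows because of the sign test. */
static bool add_overflows_portable(int64_t a, int64_t b, int64_t *out)
{
    if (b >= 0 ? a > INT64_MAX - b : a < INT64_MIN - b)
        return true;
    *out = a + b;
    return false;
}

/* Compiler builtin (GCC >= 5, Clang). C23's ckd_add(out, a, b) from
 * <stdckdint.h> has the same contract with the output pointer first;
 * a wrapper like this one is where a pure-C fallback would live. */
static bool add_overflows_builtin(int64_t a, int64_t b, int64_t *out)
{
#if defined(__GNUC__) || defined(__clang__)
    return __builtin_add_overflow(a, b, out);
#else
    return add_overflows_portable(a, b, out);
#endif
}

/* Saturating add in the spirit of av_sat_add64(): clamps instead of
 * wrapping, for code paths that must keep computing rather than fail. */
static int64_t sat_add64(int64_t a, int64_t b)
{
    int64_t r;
    if (!add_overflows_portable(a, b, &r))
        return r;
    return b > 0 ? INT64_MAX : INT64_MIN;
}

/* The two operands from the UBSan message in the commit. */
#define BASE_OFFSET   INT64_C(2314885530818453536)
#define EXTENT_OFFSET INT64_C(9151314442816847872)

int main(void)
{
    int64_t r = 0;
    printf("patch-style invalid: %d\n",
           offset_sum_invalid_patch_style(BASE_OFFSET, EXTENT_OFFSET));
    printf("portable overflow:   %d\n",
           add_overflows_portable(BASE_OFFSET, EXTENT_OFFSET, &r));
    printf("builtin overflow:    %d\n",
           add_overflows_builtin(BASE_OFFSET, EXTENT_OFFSET, &r));
    printf("saturated sum:       %" PRId64 "\n",
           sat_add64(BASE_OFFSET, EXTENT_OFFSET));
    return 0;
}
```

The portable variant is the one that can be backported without raising the compiler baseline; the builtin and ckd_add() paths are what a later wrapper, as James suggests, would select at build time.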
* Re: [FFmpeg-devel] [PATCH 9/9] avcodec/r210enc: Use av_rescale for bitrate
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 9/9] avcodec/r210enc: Use av_rescale for bitrate Michael Niedermayer
@ 2024-06-25 19:54 ` Michael Niedermayer
0 siblings, 0 replies; 38+ messages in thread
From: Michael Niedermayer @ 2024-06-25 19:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 01:08:31AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 281612954574848 * 65344 cannot be represented in type 'long'
> Fixes: 68956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_R210_fuzzer-6459074458746880
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/r210enc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Old school: Use the lowest level language in which you can solve the problem
conveniently.
New school: Use the highest level language in which the latest supercomputer
can solve the problem without the user falling asleep waiting.
* Re: [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette
From: Michael Niedermayer @ 2024-06-25 19:55 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jun 17, 2024 at 01:08:23AM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 68927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5105665067515904
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/targaenc.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No great genius has ever existed without some touch of madness. -- Aristotle
* Re: [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported
From: Michael Niedermayer @ 2024-06-25 19:56 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Jun 18, 2024 at 09:42:50AM +0200, Paul B Mahol wrote:
> Fixed by making nx/ny always >= 0.
will apply your commit
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA
Thread overview:
2024-06-16 23:08 [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 2/9] avcodec/mpeg4audio: Check that there is enough space for the first 3 elements in ff_mpeg4audio_get_config_gb() Michael Niedermayer
2024-06-17 5:27 ` Andreas Rheinhardt
2024-06-18 22:00 ` Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 3/9] avformat/iamf_parse: Try to use less space after the array Michael Niedermayer
2024-06-18 0:35 ` James Almer
2024-06-19 10:54 ` Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 4/9] avformat/iamf_parse: Layer, thou shalt not be 0 Michael Niedermayer
2024-06-18 0:33 ` James Almer
2024-06-19 10:57 ` Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 5/9] avformat/mov: Check extend and base offset Michael Niedermayer
2024-06-18 0:41 ` James Almer
2024-06-18 7:07 ` Rémi Denis-Courmont
2024-06-18 7:10 ` Andreas Rheinhardt
2024-06-19 12:34 ` James Almer
2024-06-19 13:08 ` Rémi Denis-Courmont
2024-06-20 22:54 ` Michael Niedermayer
2024-06-20 22:58 ` James Almer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 6/9] avcodec/libvpxenc: Cleanup on error Michael Niedermayer
2024-06-17 17:10 ` James Zern via ffmpeg-devel
2024-06-19 10:59 ` Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 7/9] MAINTAINERS: Update the entries for the release maintainer for FFmpeg Michael Niedermayer
2024-06-17 7:07 ` Anton Khirnov
2024-06-17 23:48 ` Michael Niedermayer
2024-06-18 10:09 ` Anton Khirnov
2024-06-19 11:22 ` Michael Niedermayer
2024-06-17 7:26 ` Paul B Mahol
2024-06-18 7:02 ` Rémi Denis-Courmont
2024-06-18 9:53 ` Steven Liu
2024-06-18 9:56 ` Steven Liu
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 8/9] avcodec/smcenc: width < 4 is unsupported Michael Niedermayer
2024-06-17 7:50 ` Paul B Mahol
2024-06-17 23:52 ` Michael Niedermayer
2024-06-18 7:42 ` Paul B Mahol
2024-06-25 19:56 ` Michael Niedermayer
2024-06-16 23:08 ` [FFmpeg-devel] [PATCH 9/9] avcodec/r210enc: Use av_rescale for bitrate Michael Niedermayer
2024-06-25 19:54 ` Michael Niedermayer
2024-06-25 19:55 ` [FFmpeg-devel] [PATCH 1/9] avcodec/targaenc: Allocate space for the palette Michael Niedermayer