* [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets
@ 2024-07-07 18:47 Michael Niedermayer
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 2/6] avcodec/vaapi_h264: Do not store our error code in VASliceParameterBufferH264 Michael Niedermayer
` (5 more replies)
0 siblings, 6 replies; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-07 18:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604593 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/tiff.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index fd4116aec4d..37b56e9757e 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1298,9 +1298,13 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
s->is_thumbnail = (value != 0);
break;
case TIFF_WIDTH:
+ if (value > INT_MAX)
+ return AVERROR_INVALIDDATA;
s->width = value;
break;
case TIFF_HEIGHT:
+ if (value > INT_MAX)
+ return AVERROR_INVALIDDATA;
s->height = value;
break;
case TIFF_BPP:
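Review bot: in the TIFF_WIDTH and TIFF_HEIGHT cases, `if (value > INT_MAX)` is only a real check if `value` is declared unsigned. The declaration is outside this hunk, so please confirm it, because with a signed `int value` the comparison can never be true and a negative width or height would still be stored. The early return is also silent: an av_log() naming the offending tag before `return AVERROR_INVALIDDATA;` would make rejected files easier to diagnose.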
@@ -1432,12 +1436,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
s->tile_byte_counts_offset = off;
break;
case TIFF_TILE_LENGTH:
+ if (value > INT_MAX)
+ return AVERROR_INVALIDDATA;
s->tile_length = value;
break;
case TIFF_TILE_WIDTH:
+ if (value > INT_MAX)
+ return AVERROR_INVALIDDATA;
s->tile_width = value;
break;
case TIFF_PREDICTOR:
+ if (value > INT_MAX)
+ return AVERROR_INVALIDDATA;
s->predictor = value;
break;
case TIFF_SUB_IFDS:
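Review bot: for TIFF_PREDICTOR, `value > INT_MAX` only rules out values that would turn negative in `s->predictor`; the predictor tag is a small enumeration, so any other unknown value is still stored. If the code that consumes `s->predictor` does not already reject unknown values, a tighter range check here would be the better fix. The same two-line check now appears for TIFF_TILE_LENGTH, TIFF_TILE_WIDTH and TIFF_PREDICTOR, so a small helper or macro would keep the cases from drifting apart.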
@@ -1582,12 +1592,18 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
}
break;
case TIFF_T4OPTIONS:
- if (s->compr == TIFF_G3)
+ if (s->compr == TIFF_G3) {
+ if (value > INT_MAX)
+ return AVERROR_INVALIDDATA;
s->fax_opts = value;
+ }
break;
case TIFF_T6OPTIONS:
- if (s->compr == TIFF_G4)
+ if (s->compr == TIFF_G4) {
+ if (value > INT_MAX)
+ return AVERROR_INVALIDDATA;
s->fax_opts = value;
+ }
break;
#define ADD_METADATA(count, name, sep)\
if ((ret = add_metadata(count, type, name, sep, s, frame)) < 0) {\
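Review bot: in TIFF_T4OPTIONS and TIFF_T6OPTIONS the new range check sits inside the `s->compr == TIFF_G3` / `s->compr == TIFF_G4` condition, so an out-of-range option value is rejected only when the compression matches and is ignored otherwise, whereas the other tags in this patch reject unconditionally. That matches where `s->fax_opts` is written, but it deserves a line in the commit message. The two cases are now identical apart from the compression constant and could share one block.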
--
2.45.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/6] avcodec/vaapi_h264: Do not store our error code in VASliceParameterBufferH264
2024-07-07 18:47 [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
@ 2024-07-07 18:47 ` Michael Niedermayer
2024-07-09 6:11 ` Xiang, Haihao
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 3/6] avcodec/vvc/refs: Use unsigned mask Michael Niedermayer
` (4 subsequent siblings)
5 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-07 18:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
I am not sure this is possible (thus this requires review)
Fixes: CID1604570 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vaapi_h264.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/vaapi_h264.c b/libavcodec/vaapi_h264.c
index 398e92568c2..77819a64a4e 100644
--- a/libavcodec/vaapi_h264.c
+++ b/libavcodec/vaapi_h264.c
@@ -342,6 +342,10 @@ static int vaapi_h264_decode_slice(AVCodecContext *avctx,
const H264SliceContext *sl = &h->slice_ctx[0];
VASliceParameterBufferH264 slice_param;
int err;
+ int slice_type = ff_h264_get_slice_type(sl);
+
+ if (slice_type < 0)
+ return slice_type;
slice_param = (VASliceParameterBufferH264) {
.slice_data_size = size,
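Review bot: `return slice_type;` passes whatever negative value ff_h264_get_slice_type() produced straight back to the caller, which is only right if that helper returns an AVERROR code; its definition is not in this diff. If it can return a plain -1, return an explicit error such as AVERROR_INVALIDDATA instead. Since the commit message says the negative case may not be reachable, a comment on the check saying so would stop it being read as a known failure path.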
@@ -349,7 +353,7 @@ static int vaapi_h264_decode_slice(AVCodecContext *avctx,
.slice_data_flag = VA_SLICE_DATA_FLAG_ALL,
.slice_data_bit_offset = get_bits_count(&sl->gb),
.first_mb_in_slice = (sl->mb_y >> FIELD_OR_MBAFF_PICTURE(h)) * h->mb_width + sl->mb_x,
- .slice_type = ff_h264_get_slice_type(sl),
+ .slice_type = slice_type,
.direct_spatial_mv_pred_flag = sl->slice_type == AV_PICTURE_TYPE_B ? sl->direct_spatial_mv_pred : 0,
.num_ref_idx_l0_active_minus1 = sl->list_count > 0 ? sl->ref_count[0] - 1 : 0,
.num_ref_idx_l1_active_minus1 = sl->list_count > 1 ? sl->ref_count[1] - 1 : 0,
--
2.45.2
* [FFmpeg-devel] [PATCH 3/6] avcodec/vvc/refs: Use unsigned mask
2024-07-07 18:47 [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 2/6] avcodec/vaapi_h264: Do not store our error code in VASliceParameterBufferH264 Michael Niedermayer
@ 2024-07-07 18:47 ` Michael Niedermayer
2024-07-08 13:49 ` Nuo Mi
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 4/6] avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() Michael Niedermayer
` (3 subsequent siblings)
5 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-07 18:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Not a bugfix, but might fix CID1604361 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vvc/refs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vvc/refs.c b/libavcodec/vvc/refs.c
index 26a5b0b34cc..c1fc6132c2e 100644
--- a/libavcodec/vvc/refs.c
+++ b/libavcodec/vvc/refs.c
@@ -310,7 +310,7 @@ void ff_vvc_bump_frame(VVCContext *s, VVCFrameContext *fc)
static VVCFrame *find_ref_idx(VVCContext *s, VVCFrameContext *fc, int poc, uint8_t use_msb)
{
- const int mask = use_msb ? ~0 : fc->ps.sps->max_pic_order_cnt_lsb - 1;
+ const unsigned mask = use_msb ? ~0 : fc->ps.sps->max_pic_order_cnt_lsb - 1;
for (int i = 0; i < FF_ARRAY_ELEMS(fc->DPB); i++) {
VVCFrame *ref = &fc->DPB[i];
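Review bot: with `mask` now unsigned, `use_msb ? ~0 : ...` still evaluates `~0` as an int and relies on the conversion to set all bits; writing `~0U` states the intent directly. `poc` is an `int` parameter, so any `poc & mask` in the loop below now yields an unsigned result; please check that the comparisons against the DPB entries behave as before for negative POC values.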
--
2.45.2
* [FFmpeg-devel] [PATCH 4/6] avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create()
2024-07-07 18:47 [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 2/6] avcodec/vaapi_h264: Do not store our error code in VASliceParameterBufferH264 Michael Niedermayer
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 3/6] avcodec/vvc/refs: Use unsigned mask Michael Niedermayer
@ 2024-07-07 18:47 ` Michael Niedermayer
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 5/6] avfilter: Free out on error Michael Niedermayer
` (2 subsequent siblings)
5 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-07 18:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Untested, needs review
Fixes: CID1591856 Resource leak
Fixes: CID1591887 Resource leak
Fixes: CID1591874 Resource leak
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavdevice/dshow_capture.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libavdevice/dshow_capture.h b/libavdevice/dshow_capture.h
index 81e684b9be3..bb39d4947aa 100644
--- a/libavdevice/dshow_capture.h
+++ b/libavdevice/dshow_capture.h
@@ -124,14 +124,15 @@ void ff_dshow_##prefix##_Destroy(class *this) \
class *ff_dshow_##prefix##_Create(__VA_ARGS__) \
{ \
class *this = CoTaskMemAlloc(sizeof(class)); \
- void *vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \
dshowdebug("ff_dshow_"AV_STRINGIFY(prefix)"_Create(%p)\n", this); \
- if (!this || !vtbl) \
+ if (!this) \
goto fail; \
ZeroMemory(this, sizeof(class)); \
- ZeroMemory(vtbl, sizeof(*this->vtbl)); \
+ this->vtbl = CoTaskMemAlloc(sizeof(*this->vtbl)); \
+ if (!this->vtbl) \
+ goto fail; \
+ ZeroMemory(this->vtbl, sizeof(*this->vtbl)); \
this->ref = 1; \
- this->vtbl = vtbl; \
if (!setup) \
goto fail; \
dshowdebug("created ff_dshow_"AV_STRINGIFY(prefix)" %p\n", this); \
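Review bot: after this change a failed vtbl allocation jumps to `fail` with `this` allocated and `this->vtbl` NULL, while a failed `setup` jumps there with both allocated. The `fail` label is outside this hunk and has to free both cases and still cope with `this == NULL`, so please confirm it handles all three states. The first `dshowdebug(...)` call still runs before the `if (!this)` check, which is harmless for a `%p` print but would read better below the check.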
--
2.45.2
* [FFmpeg-devel] [PATCH 5/6] avfilter: Free out on error
2024-07-07 18:47 [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
` (2 preceding siblings ...)
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 4/6] avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create() Michael Niedermayer
@ 2024-07-07 18:47 ` Michael Niedermayer
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used Michael Niedermayer
2024-07-12 22:36 ` [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
5 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-07 18:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
CID1197065 Resource leak
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavfilter/af_aderivative.c | 1 +
libavfilter/vf_deshake.c | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavfilter/af_aderivative.c b/libavfilter/af_aderivative.c
index eeaa23ff88d..4883972dcf1 100644
--- a/libavfilter/af_aderivative.c
+++ b/libavfilter/af_aderivative.c
@@ -126,6 +126,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
s->prev = ff_get_audio_buffer(inlink, 1);
if (!s->prev) {
av_frame_free(&in);
+ av_frame_free(&out);
return AVERROR(ENOMEM);
}
}
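Review bot: the `!s->prev` error branch now has to free both `in` and `out` by hand, which is the pattern that produced this leak. A shared cleanup label, as the vf_deshake.c change in this patch uses, or obtaining `s->prev` before `out` is allocated, would keep the next early return from repeating it.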
diff --git a/libavfilter/vf_deshake.c b/libavfilter/vf_deshake.c
index 107b78a7d1c..05a2df652ee 100644
--- a/libavfilter/vf_deshake.c
+++ b/libavfilter/vf_deshake.c
@@ -478,8 +478,10 @@ static int filter_frame(AVFilterLink *link, AVFrame *in)
aligned = !((intptr_t)in->data[0] & 15 | in->linesize[0] & 15);
deshake->sad = av_pixelutils_get_sad_fn(4, 4, aligned, deshake); // 16x16, 2nd source unaligned
- if (!deshake->sad)
- return AVERROR(EINVAL);
+ if (!deshake->sad) {
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
if (deshake->cx < 0 || deshake->cy < 0 || deshake->cw < 0 || deshake->ch < 0) {
// Find the most likely global motion for the current frame
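Review bot: `goto fail` in the `!deshake->sad` branch relies on a `fail` label and a `ret` variable that are both outside this hunk; please confirm the label frees `in` as well as `out` and is safe to reach from this point. The SAD lookup only uses `aligned` and `deshake`, so it could also move ahead of the output allocation, leaving nothing extra to free on this path.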
--
2.45.2
* [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used
2024-07-07 18:47 [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
` (3 preceding siblings ...)
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 5/6] avfilter: Free out on error Michael Niedermayer
@ 2024-07-07 18:47 ` Michael Niedermayer
2024-07-07 19:05 ` Andreas Rheinhardt
2024-07-12 22:36 ` [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
5 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-07 18:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1516994 Out-of-bounds access
Fixes: CID1516996 Out-of-bounds access
Fixes: CID1516999 Out-of-bounds access
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavfilter/af_surround.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
index e37dddc3614..fab39a37ea9 100644
--- a/libavfilter/af_surround.c
+++ b/libavfilter/af_surround.c
@@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
float iscale = 1.f;
+ const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
+ if (chan >= FF_ARRAY_ELEMS(sc_map))
+ return AVERROR_PATCHWELCOME;
ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
1, s->win_size, &iscale, 0);
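Review bot: `chan` is a signed `const int` and the check `chan >= FF_ARRAY_ELEMS(sc_map)` has no explicit lower bound. av_channel_layout_channel_from_index() returns AV_CHAN_NONE, a negative value, on failure, and that case is caught only because FF_ARRAY_ELEMS() yields an unsigned size and the comparison converts `chan`. Writing `chan < 0 || chan >= FF_ARRAY_ELEMS(sc_map)` makes that explicit. The `return AVERROR_PATCHWELCOME;` is also silent, so an av_log() naming the unsupported output channel would tell the user which layout was refused.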
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used Michael Niedermayer
@ 2024-07-07 19:05 ` Andreas Rheinhardt
2024-07-07 19:12 ` Andreas Rheinhardt
0 siblings, 1 reply; 15+ messages in thread
From: Andreas Rheinhardt @ 2024-07-07 19:05 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: CID1516994 Out-of-bounds access
> Fixes: CID1516996 Out-of-bounds access
> Fixes: CID1516999 Out-of-bounds access
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavfilter/af_surround.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
> index e37dddc3614..fab39a37ea9 100644
> --- a/libavfilter/af_surround.c
> +++ b/libavfilter/af_surround.c
> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
>
> for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
> float iscale = 1.f;
> + const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
> + if (chan >= FF_ARRAY_ELEMS(sc_map))
> + return AVERROR_PATCHWELCOME;
>
> ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
> 1, s->win_size, &iscale, 0);
Can this happen?
- Andreas
* Re: [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used
2024-07-07 19:05 ` Andreas Rheinhardt
@ 2024-07-07 19:12 ` Andreas Rheinhardt
2024-07-07 21:59 ` Michael Niedermayer
0 siblings, 1 reply; 15+ messages in thread
From: Andreas Rheinhardt @ 2024-07-07 19:12 UTC (permalink / raw)
To: ffmpeg-devel
Andreas Rheinhardt:
> Michael Niedermayer:
>> Fixes: CID1516994 Out-of-bounds access
>> Fixes: CID1516996 Out-of-bounds access
>> Fixes: CID1516999 Out-of-bounds access
>>
>> Sponsored-by: Sovereign Tech Fund
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavfilter/af_surround.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
>> index e37dddc3614..fab39a37ea9 100644
>> --- a/libavfilter/af_surround.c
>> +++ b/libavfilter/af_surround.c
>> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
>>
>> for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
>> float iscale = 1.f;
>> + const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
>> + if (chan >= FF_ARRAY_ELEMS(sc_map))
>> + return AVERROR_PATCHWELCOME;
>>
>> ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
>> 1, s->win_size, &iscale, 0);
>
> Can this happen?
>
Apart from that: I think you are mistaken when you believe that this
will "fix" the issue. Coverity will not think that these issues are
fixed even with this check.
- Andreas
* Re: [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used
2024-07-07 19:12 ` Andreas Rheinhardt
@ 2024-07-07 21:59 ` Michael Niedermayer
2024-07-08 2:28 ` James Almer
0 siblings, 1 reply; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-07 21:59 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Jul 07, 2024 at 09:12:06PM +0200, Andreas Rheinhardt wrote:
> Andreas Rheinhardt:
> > Michael Niedermayer:
> >> Fixes: CID1516994 Out-of-bounds access
> >> Fixes: CID1516996 Out-of-bounds access
> >> Fixes: CID1516999 Out-of-bounds access
> >>
> >> Sponsored-by: Sovereign Tech Fund
> >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> ---
> >> libavfilter/af_surround.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
> >> index e37dddc3614..fab39a37ea9 100644
> >> --- a/libavfilter/af_surround.c
> >> +++ b/libavfilter/af_surround.c
> >> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
> >>
> >> for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
> >> float iscale = 1.f;
> >> + const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
> >> + if (chan >= FF_ARRAY_ELEMS(sc_map))
> >> + return AVERROR_PATCHWELCOME;
> >>
> >> ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
> >> 1, s->win_size, &iscale, 0);
> >
> > Can this happen?
IMHO, this doesn't matter. A filter that depends on an audio channel layout
API from another lib cannot depend on its implementation but just the
public API/ABI
So even if the av_channel_layout_* API didn't allow us to set such layout
today we would need to check for it
now can this happen?
try this:
./ffmpeg -i matrixbench_mpeg2.mpg -af surround=chl_out="123456789" -f null -
I get a
Segmentation fault (core dumped)
and it doesn't segfault after the patch
> >
>
> Apart from that: I think you are mistaken when you believe that this
> will "fix" the issue. Coverity will not think that these issues are
> fixed even with this check.
After this patch the issue is either detected as fixed or not,
if not then it becomes a false positive and either way is fixed
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you dont want and which you would get tomorrow for free anyway
* Re: [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used
2024-07-07 21:59 ` Michael Niedermayer
@ 2024-07-08 2:28 ` James Almer
0 siblings, 0 replies; 15+ messages in thread
From: James Almer @ 2024-07-08 2:28 UTC (permalink / raw)
To: ffmpeg-devel
On 7/7/2024 6:59 PM, Michael Niedermayer wrote:
> On Sun, Jul 07, 2024 at 09:12:06PM +0200, Andreas Rheinhardt wrote:
>> Andreas Rheinhardt:
>>> Michael Niedermayer:
>>>> Fixes: CID1516994 Out-of-bounds access
>>>> Fixes: CID1516996 Out-of-bounds access
>>>> Fixes: CID1516999 Out-of-bounds access
>>>>
>>>> Sponsored-by: Sovereign Tech Fund
>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>> ---
>>>> libavfilter/af_surround.c | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
>>>> index e37dddc3614..fab39a37ea9 100644
>>>> --- a/libavfilter/af_surround.c
>>>> +++ b/libavfilter/af_surround.c
>>>> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
>>>>
>>>> for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
>>>> float iscale = 1.f;
>>>> + const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
>>>> + if (chan >= FF_ARRAY_ELEMS(sc_map))
>>>> + return AVERROR_PATCHWELCOME;
>>>>
>>>> ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
>>>> 1, s->win_size, &iscale, 0);
>>>
>>> Can this happen?
>
> IMHO, this doesn't matter. A filter that depends on an audio channel layout
> API from another lib cannot depend on its implementation but just the
> public API/ABI
> So even if the av_channel_layout_* API didn't allow us to set such layout
> today we would need to check for it
>
> now can this happen?
> try this:
>
> ./ffmpeg -i matrixbench_mpeg2.mpg -af surround=chl_out="123456789" -f null -
>
> I get a
> Segmentation fault (core dumped)
>
> and it doesn't segfault after the patch
This is (probably) a regression since 66afa361e816.
Maybe an output layout sanity check should be added back to init() in
some form instead, to return EINVAL after an "Unsupported upmix" warning
message is printed, like it used to be the case.
* Re: [FFmpeg-devel] [PATCH 3/6] avcodec/vvc/refs: Use unsigned mask
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 3/6] avcodec/vvc/refs: Use unsigned mask Michael Niedermayer
@ 2024-07-08 13:49 ` Nuo Mi
2024-07-09 12:59 ` Michael Niedermayer
0 siblings, 1 reply; 15+ messages in thread
From: Nuo Mi @ 2024-07-08 13:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
LGTM.
Thank you, Michael,
On Mon, Jul 8, 2024 at 2:48 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:
> Not a bugfix, but might fix CID1604361 Overflowed constant
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/vvc/refs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/vvc/refs.c b/libavcodec/vvc/refs.c
> index 26a5b0b34cc..c1fc6132c2e 100644
> --- a/libavcodec/vvc/refs.c
> +++ b/libavcodec/vvc/refs.c
> @@ -310,7 +310,7 @@ void ff_vvc_bump_frame(VVCContext *s, VVCFrameContext
> *fc)
>
> static VVCFrame *find_ref_idx(VVCContext *s, VVCFrameContext *fc, int
> poc, uint8_t use_msb)
> {
> - const int mask = use_msb ? ~0 : fc->ps.sps->max_pic_order_cnt_lsb - 1;
> + const unsigned mask = use_msb ? ~0 :
> fc->ps.sps->max_pic_order_cnt_lsb - 1;
>
> for (int i = 0; i < FF_ARRAY_ELEMS(fc->DPB); i++) {
> VVCFrame *ref = &fc->DPB[i];
> --
> 2.45.2
>
* Re: [FFmpeg-devel] [PATCH 2/6] avcodec/vaapi_h264: Do not store our error code in VASliceParameterBufferH264
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 2/6] avcodec/vaapi_h264: Do not store our error code in VASliceParameterBufferH264 Michael Niedermayer
@ 2024-07-09 6:11 ` Xiang, Haihao
2024-07-12 20:37 ` Michael Niedermayer
0 siblings, 1 reply; 15+ messages in thread
From: Xiang, Haihao @ 2024-07-09 6:11 UTC (permalink / raw)
To: ffmpeg-devel
On So, 2024-07-07 at 20:47 +0200, Michael Niedermayer wrote:
> I am not sure this is possible (thus this requires review)
>
> Fixes: CID1604570 Overflowed constant
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/vaapi_h264.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/vaapi_h264.c b/libavcodec/vaapi_h264.c
> index 398e92568c2..77819a64a4e 100644
> --- a/libavcodec/vaapi_h264.c
> +++ b/libavcodec/vaapi_h264.c
> @@ -342,6 +342,10 @@ static int vaapi_h264_decode_slice(AVCodecContext *avctx,
> const H264SliceContext *sl = &h->slice_ctx[0];
> VASliceParameterBufferH264 slice_param;
> int err;
> + int slice_type = ff_h264_get_slice_type(sl);
> +
> + if (slice_type < 0)
> + return slice_type;
sl->slice_type should be one of AV_PICTURE_TYPE_P, AV_PICTURE_TYPE_B,
AV_PICTURE_TYPE_I, AV_PICTURE_TYPE_SP and AV_PICTURE_TYPE_SI when this callback
function is called, I don't think the if statement is required.
Thanks
Haihao
>
> slice_param = (VASliceParameterBufferH264) {
> .slice_data_size = size,
> @@ -349,7 +353,7 @@ static int vaapi_h264_decode_slice(AVCodecContext *avctx,
> .slice_data_flag = VA_SLICE_DATA_FLAG_ALL,
> .slice_data_bit_offset = get_bits_count(&sl->gb),
> .first_mb_in_slice = (sl->mb_y >>
> FIELD_OR_MBAFF_PICTURE(h)) * h->mb_width + sl->mb_x,
> - .slice_type = ff_h264_get_slice_type(sl),
> + .slice_type = slice_type,
> .direct_spatial_mv_pred_flag = sl->slice_type == AV_PICTURE_TYPE_B
> ? sl->direct_spatial_mv_pred : 0,
> .num_ref_idx_l0_active_minus1 = sl->list_count > 0 ? sl-
> >ref_count[0] - 1 : 0,
> .num_ref_idx_l1_active_minus1 = sl->list_count > 1 ? sl-
> >ref_count[1] - 1 : 0,
* Re: [FFmpeg-devel] [PATCH 3/6] avcodec/vvc/refs: Use unsigned mask
2024-07-08 13:49 ` Nuo Mi
@ 2024-07-09 12:59 ` Michael Niedermayer
0 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-09 12:59 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Mon, Jul 08, 2024 at 09:49:25PM +0800, Nuo Mi wrote:
> LGTM.
> Thank you, Michael,
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Homeopathy is like voting while filling the ballot out with transparent ink.
Sometimes the outcome one wanted occurs. Rarely its worse than filling out
a ballot properly.
* Re: [FFmpeg-devel] [PATCH 2/6] avcodec/vaapi_h264: Do not store our error code in VASliceParameterBufferH264
2024-07-09 6:11 ` Xiang, Haihao
@ 2024-07-12 20:37 ` Michael Niedermayer
0 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-12 20:37 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Jul 09, 2024 at 06:11:54AM +0000, Xiang, Haihao wrote:
> On So, 2024-07-07 at 20:47 +0200, Michael Niedermayer wrote:
> > I am not sure this is possible (thus this requires review)
> >
> > Fixes: CID1604570 Overflowed constant
> >
> > Sponsored-by: Sovereign Tech Fund
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/vaapi_h264.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/vaapi_h264.c b/libavcodec/vaapi_h264.c
> > index 398e92568c2..77819a64a4e 100644
> > --- a/libavcodec/vaapi_h264.c
> > +++ b/libavcodec/vaapi_h264.c
> > @@ -342,6 +342,10 @@ static int vaapi_h264_decode_slice(AVCodecContext *avctx,
> > const H264SliceContext *sl = &h->slice_ctx[0];
> > VASliceParameterBufferH264 slice_param;
> > int err;
> > + int slice_type = ff_h264_get_slice_type(sl);
> > +
> > + if (slice_type < 0)
> > + return slice_type;
>
> sl->slice_type should be one of AV_PICTURE_TYPE_P, AV_PICTURE_TYPE_B,
> AV_PICTURE_TYPE_I, AV_PICTURE_TYPE_SP and AV_PICTURE_TYPE_SI when this callback
> function is called, I don't think the if statement is required.
patch dropped, I will mark this as false positive
thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
What does censorship reveal? It reveals fear. -- Julian Assange
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets
2024-07-07 18:47 [FFmpeg-devel] [PATCH 1/6] avcodec/tiff: Check value on positive signed targets Michael Niedermayer
` (4 preceding siblings ...)
2024-07-07 18:47 ` [FFmpeg-devel] [PATCH 6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used Michael Niedermayer
@ 2024-07-12 22:36 ` Michael Niedermayer
5 siblings, 0 replies; 15+ messages in thread
From: Michael Niedermayer @ 2024-07-12 22:36 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sun, Jul 07, 2024 at 08:47:24PM +0200, Michael Niedermayer wrote:
> Fixes: CID1604593 Overflowed constant
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/tiff.c | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
will apply patches 1,4,5
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The misfortune of the wise is better than the prosperity of the fool.
-- Epicurus
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel