* [FFmpeg-devel] [PATCH 02/22] avformat/bintext: Check avio_size() return
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
@ 2024-07-11 23:33 ` Michael Niedermayer
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 03/22] avformat/hlsenc: Check ret Michael Niedermayer
` (20 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:33 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604503 Overflowed constant
Fixes: CID1604566 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/bintext.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/libavformat/bintext.c b/libavformat/bintext.c
index 90d48b66914..c96c14ccd9d 100644
--- a/libavformat/bintext.c
+++ b/libavformat/bintext.c
@@ -93,9 +93,12 @@ static int next_tag_read(AVFormatContext *avctx, uint64_t *fsize)
AVIOContext *pb = avctx->pb;
char buf[36];
int len;
- uint64_t start_pos = avio_size(pb) - 256;
+ int64_t start_pos = avio_size(pb);
- avio_seek(pb, start_pos, SEEK_SET);
+ if (start_pos < 256)
+ return AVERROR_INVALIDDATA;
+
+ avio_seek(pb, start_pos - 256, SEEK_SET);
if (avio_read(pb, buf, sizeof(next_magic)) != sizeof(next_magic))
return -1;
if (memcmp(buf, next_magic, sizeof(next_magic)))
@@ -245,7 +248,10 @@ static int xbin_read_header(AVFormatContext *s)
return AVERROR(EIO);
if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
- bin->fsize = avio_size(pb) - 9 - st->codecpar->extradata_size;
+ int64_t fsize = avio_size(pb);
+ if (fsize < 9 + st->codecpar->extradata_size)
+ return 0;
+ bin->fsize = fsize - 9 - st->codecpar->extradata_size;
ff_sauce_read(s, &bin->fsize, NULL, 0);
avio_seek(pb, 9 + st->codecpar->extradata_size, SEEK_SET);
}
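Review bot: The new early exit in xbin_read_header, `return 0;` when `fsize < 9 + st->codecpar->extradata_size`, reports success both for a file that is too short and for a negative avio_size() error, and this block then never assigns `bin->fsize`. The adf_read_header hunk does the same with `if (fsize < 1 + 192 + 4096) return 0;`, and there the early return also skips the `st->codecpar->width = 80<<3;` assignment visible just below it. next_tag_read and idf_read_header in this same patch return `AVERROR_INVALIDDATA` for the equivalent condition; unless the silent fallback is intended, use `return fsize < 0 ? (int)fsize : AVERROR_INVALIDDATA;` here as well, or add a comment saying why a short file is accepted. Both functions continue outside their hunks.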
@@ -285,7 +291,10 @@ static int adf_read_header(AVFormatContext *s)
if (pb->seekable & AVIO_SEEKABLE_NORMAL) {
int got_width = 0;
- bin->fsize = avio_size(pb) - 1 - 192 - 4096;
+ int64_t fsize = avio_size(pb);
+ if (fsize < 1 + 192 + 4096)
+ return 0;
+ bin->fsize = fsize - 1 - 192 - 4096;
st->codecpar->width = 80<<3;
ff_sauce_read(s, &bin->fsize, &got_width, 0);
if (st->codecpar->width < 8)
@@ -318,6 +327,7 @@ static int idf_read_header(AVFormatContext *s)
AVIOContext *pb = s->pb;
AVStream *st;
int got_width = 0, ret;
+ int64_t fsize;
if (!(pb->seekable & AVIO_SEEKABLE_NORMAL))
return AVERROR(EIO);
@@ -332,14 +342,18 @@ static int idf_read_header(AVFormatContext *s)
st->codecpar->extradata[0] = 16;
st->codecpar->extradata[1] = BINTEXT_PALETTE|BINTEXT_FONT;
- avio_seek(pb, avio_size(pb) - 4096 - 48, SEEK_SET);
+ fsize = avio_size(pb);
+ if (fsize < 12 + 4096 + 48)
+ return AVERROR_INVALIDDATA;
+ bin->fsize = fsize - 12 - 4096 - 48;
+
+ avio_seek(pb, bin->fsize + 12, SEEK_SET);
if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) < 0)
return AVERROR(EIO);
if (avio_read(pb, st->codecpar->extradata + 2, 48) < 0)
return AVERROR(EIO);
- bin->fsize = avio_size(pb) - 12 - 4096 - 48;
ff_sauce_read(s, &bin->fsize, &got_width, 0);
if (st->codecpar->width < 8)
return AVERROR_INVALIDDATA;
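Review bot: The two `avio_read()` calls that fill extradata only test `< 0`, so a short read is accepted and the remainder of the buffer keeps whatever it held before. next_tag_read in this file already compares against the requested length, and the same form fits here: `if (avio_read(pb, st->codecpar->extradata + 2 + 48, 4096) != 4096)` and the matching `!= 48` for the second call. The return value of the new `avio_seek(pb, bin->fsize + 12, SEEK_SET)` is not checked either. idf_read_header starts and ends outside this hunk.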
--
2.45.2
* [FFmpeg-devel] [PATCH 03/22] avformat/hlsenc: Check ret
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 02/22] avformat/bintext: Check avio_size() return Michael Niedermayer
@ 2024-07-11 23:33 ` Michael Niedermayer
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 04/22] avformat/hnm: Check *chunk_size Michael Niedermayer
` (19 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:33 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1609624 Unused value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/hlsenc.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c
index 274de00f9a9..6d6ede1b6ff 100644
--- a/libavformat/hlsenc.c
+++ b/libavformat/hlsenc.c
@@ -2617,8 +2617,10 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt)
" will retry with a new http session.\n");
ff_format_io_close(s, &vs->out);
ret = hlsenc_io_open(s, &vs->out, filename, &options);
- reflush_dynbuf(vs, &range_length);
- ret = hlsenc_io_close(s, &vs->out, filename);
+ if (ret >= 0) {
+ reflush_dynbuf(vs, &range_length);
+ ret = hlsenc_io_close(s, &vs->out, filename);
+ }
}
av_dict_free(&options);
av_freep(&vs->temp_buffer);
@@ -2629,6 +2631,9 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt)
hls_rename_temp_file(s, oc);
}
+ if (ret < 0)
+ return ret;
+
old_filename = av_strdup(oc->url);
if (!old_filename) {
return AVERROR(ENOMEM);
--
2.45.2
* [FFmpeg-devel] [PATCH 04/22] avformat/hnm: Check *chunk_size
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 02/22] avformat/bintext: Check avio_size() return Michael Niedermayer
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 03/22] avformat/hlsenc: Check ret Michael Niedermayer
@ 2024-07-11 23:33 ` Michael Niedermayer
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 05/22] avformat/matroskadec: Use int64_t size Michael Niedermayer
` (18 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:33 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604419 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/hnm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/hnm.c b/libavformat/hnm.c
index 42efaaa3e8b..425dadc5e31 100644
--- a/libavformat/hnm.c
+++ b/libavformat/hnm.c
@@ -114,6 +114,8 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
if (hnm->superchunk_remaining == 0) {
/* parse next superchunk */
superchunk_size = avio_rl24(pb);
+ if (superchunk_size < 4)
+ return AVERROR_INVALIDDATA;
avio_skip(pb, 1);
hnm->superchunk_remaining = superchunk_size - 4;
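Review bot: The literal 4 in `if (superchunk_size < 4)` has no explanation next to it. A comment such as `/* size counts the 4 header bytes consumed here (24-bit size + 1 skipped byte) */` would tie it to the `avio_rl24()` / `avio_skip(pb, 1)` pair and to the `superchunk_size - 4` below. The second hunk's `chunk_size < 8` deserves the same treatment; only part of the chunk header read is visible there, so the 8 is presumably the chunk header length. hnm_read_packet continues outside both hunks.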
@@ -124,7 +126,7 @@ static int hnm_read_packet(AVFormatContext *s, AVPacket *pkt)
chunk_id = avio_rl16(pb);
avio_skip(pb, 2);
- if (chunk_size > hnm->superchunk_remaining || !chunk_size) {
+ if (chunk_size > hnm->superchunk_remaining || chunk_size < 8) {
av_log(s, AV_LOG_ERROR,
"invalid chunk size: %"PRIu32", offset: %"PRId64"\n",
chunk_size, avio_tell(pb));
--
2.45.2
* [FFmpeg-devel] [PATCH 05/22] avformat/matroskadec: Use int64_t size
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (2 preceding siblings ...)
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 04/22] avformat/hnm: Check *chunk_size Michael Niedermayer
@ 2024-07-11 23:33 ` Michael Niedermayer
2024-07-12 8:42 ` Andreas Rheinhardt
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 06/22] avformat/mm: Check length Michael Niedermayer
` (17 subsequent siblings)
21 siblings, 1 reply; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:33 UTC (permalink / raw)
To: FFmpeg development discussions and patches
The length is 64bit that is passed into the functions.
Alternatively the values can be checked before cast
Fixes: CID1604572 Overflowed return value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/matroskadec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index aa28a37da4c..9914838698c 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -989,7 +989,7 @@ static int ebml_read_length(MatroskaDemuxContext *matroska, AVIOContext *pb,
* Read the next element as an unsigned int.
* Returns NEEDS_CHECKING unless size == 0.
*/
-static int ebml_read_uint(AVIOContext *pb, int size,
+static int ebml_read_uint(AVIOContext *pb, int64_t size,
uint64_t default_value, uint64_t *num)
{
int n = 0;
@@ -1010,7 +1010,7 @@ static int ebml_read_uint(AVIOContext *pb, int size,
* Read the next element as a signed int.
* Returns NEEDS_CHECKING unless size == 0.
*/
-static int ebml_read_sint(AVIOContext *pb, int size,
+static int ebml_read_sint(AVIOContext *pb, int64_t size,
int64_t default_value, int64_t *num)
{
int n = 1;
@@ -1033,7 +1033,7 @@ static int ebml_read_sint(AVIOContext *pb, int size,
* Read the next element as a float.
* Returns 0 if size == 0, NEEDS_CHECKING or < 0 on obvious failure.
*/
-static int ebml_read_float(AVIOContext *pb, int size,
+static int ebml_read_float(AVIOContext *pb, int64_t size,
double default_value, double *num)
{
if (size == 0) {
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 05/22] avformat/matroskadec: Use int64_t size
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 05/22] avformat/matroskadec: Use int64_t size Michael Niedermayer
@ 2024-07-12 8:42 ` Andreas Rheinhardt
2024-07-12 14:59 ` Michael Niedermayer
0 siblings, 1 reply; 25+ messages in thread
From: Andreas Rheinhardt @ 2024-07-12 8:42 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> The length is 64bit that is passed into the functions.
> Alternatively the values can be checked before cast
>
> Fixes: CID1604572 Overflowed return value
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/matroskadec.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> index aa28a37da4c..9914838698c 100644
> --- a/libavformat/matroskadec.c
> +++ b/libavformat/matroskadec.c
> @@ -989,7 +989,7 @@ static int ebml_read_length(MatroskaDemuxContext *matroska, AVIOContext *pb,
> * Read the next element as an unsigned int.
> * Returns NEEDS_CHECKING unless size == 0.
> */
> -static int ebml_read_uint(AVIOContext *pb, int size,
> +static int ebml_read_uint(AVIOContext *pb, int64_t size,
> uint64_t default_value, uint64_t *num)
> {
> int n = 0;
> @@ -1010,7 +1010,7 @@ static int ebml_read_uint(AVIOContext *pb, int size,
> * Read the next element as a signed int.
> * Returns NEEDS_CHECKING unless size == 0.
> */
> -static int ebml_read_sint(AVIOContext *pb, int size,
> +static int ebml_read_sint(AVIOContext *pb, int64_t size,
> int64_t default_value, int64_t *num)
> {
> int n = 1;
> @@ -1033,7 +1033,7 @@ static int ebml_read_sint(AVIOContext *pb, int size,
> * Read the next element as a float.
> * Returns 0 if size == 0, NEEDS_CHECKING or < 0 on obvious failure.
> */
> -static int ebml_read_float(AVIOContext *pb, int size,
> +static int ebml_read_float(AVIOContext *pb, int64_t size,
> double default_value, double *num)
> {
> if (size == 0) {
The values are already checked before that (via the max_lengths list).
- Andreas
* Re: [FFmpeg-devel] [PATCH 05/22] avformat/matroskadec: Use int64_t size
2024-07-12 8:42 ` Andreas Rheinhardt
@ 2024-07-12 14:59 ` Michael Niedermayer
0 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-12 14:59 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, Jul 12, 2024 at 10:42:38AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > The length is 64bit that is passed into the functions.
> > Alternatively the values can be checked before cast
> >
> > Fixes: CID1604572 Overflowed return value
> >
> > Sponsored-by: Sovereign Tech Fund
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/matroskadec.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> > index aa28a37da4c..9914838698c 100644
> > --- a/libavformat/matroskadec.c
> > +++ b/libavformat/matroskadec.c
> > @@ -989,7 +989,7 @@ static int ebml_read_length(MatroskaDemuxContext *matroska, AVIOContext *pb,
> > * Read the next element as an unsigned int.
> > * Returns NEEDS_CHECKING unless size == 0.
> > */
> > -static int ebml_read_uint(AVIOContext *pb, int size,
> > +static int ebml_read_uint(AVIOContext *pb, int64_t size,
> > uint64_t default_value, uint64_t *num)
> > {
> > int n = 0;
> > @@ -1010,7 +1010,7 @@ static int ebml_read_uint(AVIOContext *pb, int size,
> > * Read the next element as a signed int.
> > * Returns NEEDS_CHECKING unless size == 0.
> > */
> > -static int ebml_read_sint(AVIOContext *pb, int size,
> > +static int ebml_read_sint(AVIOContext *pb, int64_t size,
> > int64_t default_value, int64_t *num)
> > {
> > int n = 1;
> > @@ -1033,7 +1033,7 @@ static int ebml_read_sint(AVIOContext *pb, int size,
> > * Read the next element as a float.
> > * Returns 0 if size == 0, NEEDS_CHECKING or < 0 on obvious failure.
> > */
> > -static int ebml_read_float(AVIOContext *pb, int size,
> > +static int ebml_read_float(AVIOContext *pb, int64_t size,
> > double default_value, double *num)
> > {
> > if (size == 0) {
>
> The values are already checked before that (via the max_lengths list).
Patch dropped
the issue is already marked as false positive as it was mixed with other false positive stuff
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
* [FFmpeg-devel] [PATCH 06/22] avformat/mm: Check length
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (3 preceding siblings ...)
2024-07-11 23:33 ` [FFmpeg-devel] [PATCH 05/22] avformat/matroskadec: Use int64_t size Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 07/22] avformat/mov: Use 64bit for str_size Michael Niedermayer
` (16 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1220824 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mm.c b/libavformat/mm.c
index 23c025d8525..e377ed4fbb9 100644
--- a/libavformat/mm.c
+++ b/libavformat/mm.c
@@ -95,7 +95,7 @@ static int read_header(AVFormatContext *s)
type = avio_rl16(pb);
length = avio_rl32(pb);
- if (type != MM_TYPE_HEADER)
+ if (type != MM_TYPE_HEADER || length < 10)
return AVERROR_INVALIDDATA;
/* read header */
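Review bot: `length < 10` introduces a bare constant whose origin is not visible in this hunk; presumably it matches the number of header bytes consumed after `/* read header */` and a later subtraction from `length`. A one-line comment next to the check naming those bytes would keep the bound and the subtraction in step if the header parsing changes. read_header continues outside the hunk.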
--
2.45.2
* [FFmpeg-devel] [PATCH 07/22] avformat/mov: Use 64bit for str_size
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (4 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 06/22] avformat/mm: Check length Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 08/22] avformat/mp3dec; Check for avio_size() failure Michael Niedermayer
` (15 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
We assign a 64bit variable to it before checking
Fixes: CID1604544 Overflowed integer argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mov.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index d862434d256..7c33c4477dd 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -333,7 +333,8 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext *pb, MOVAtom atom)
char *str = NULL;
const char *key = NULL;
uint16_t langcode = 0;
- uint32_t data_type = 0, str_size, str_size_alloc;
+ uint32_t data_type = 0, str_size_alloc;
+ uint64_t str_size;
int (*parse)(MOVContext*, AVIOContext*, unsigned, const char*) = NULL;
int raw = 0;
int num = 0;
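Review bot: Widening `str_size` to `uint64_t` leaves `str_size_alloc` as `uint32_t`, so the truncation this change removes can reappear wherever `str_size` is turned into an allocation or read length. The hunk does not show that code; confirm that an upper-bound test on `str_size` runs before `str_size_alloc` is derived from it, and that any format string printing `str_size` now uses `PRIu64`. mov_read_udta_string continues outside the hunk.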
--
2.45.2
* [FFmpeg-devel] [PATCH 08/22] avformat/mp3dec; Check for avio_size() failure
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (5 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 07/22] avformat/mov: Use 64bit for str_size Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 09/22] avformat/mp3dec: Check header_filesize Michael Niedermayer
` (14 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1608710 Improper use of negative value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mp3dec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c
index f421e03926f..6443b80596c 100644
--- a/libavformat/mp3dec.c
+++ b/libavformat/mp3dec.c
@@ -137,9 +137,10 @@ static void read_xing_toc(AVFormatContext *s, int64_t filesize, int64_t duration
int fill_index = (mp3->usetoc || fast_seek) && duration > 0;
if (!filesize &&
- !(filesize = avio_size(s->pb))) {
+ (filesize = avio_size(s->pb)) <= 0) {
av_log(s, AV_LOG_WARNING, "Cannot determine file size, skipping TOC table.\n");
fill_index = 0;
+ filesize = 0;
}
for (i = 0; i < XING_TOC_COUNT; i++) {
--
2.45.2
* [FFmpeg-devel] [PATCH 09/22] avformat/mp3dec: Check header_filesize
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (6 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 08/22] avformat/mp3dec; Check for avio_size() failure Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 10/22] avformat/nsvdec: Check asize for PCM Michael Niedermayer
` (13 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1608714 Division or modulo by float zero
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mp3dec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c
index 6443b80596c..0029ba63aa3 100644
--- a/libavformat/mp3dec.c
+++ b/libavformat/mp3dec.c
@@ -585,7 +585,7 @@ static int mp3_seek(AVFormatContext *s, int stream_index, int64_t timestamp,
if (best_pos < 0)
return best_pos;
- if (mp3->is_cbr && ie == &ie1 && mp3->frames) {
+ if (mp3->is_cbr && ie == &ie1 && mp3->frames && mp3->header_filesize > 0) {
int frame_duration = av_rescale(st->duration, 1, mp3->frames);
ie1.timestamp = frame_duration * av_rescale(best_pos - si->data_offset, mp3->frames, mp3->header_filesize);
}
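Review bot: Inside the guarded block, `int frame_duration = av_rescale(st->duration, 1, mp3->frames);` stores av_rescale()'s int64_t result in an `int`, so a long duration combined with a small frame count is truncated before it is multiplied into `ie1.timestamp`. Declaring it as `int64_t frame_duration` removes the narrowing. The product with the second av_rescale() can still overflow for extreme `frames` / `header_filesize` values, which presumably come from the file header, so a range check on those fields where they are parsed would be the more complete fix. mp3_seek starts and ends outside this hunk.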
--
2.45.2
* [FFmpeg-devel] [PATCH 10/22] avformat/nsvdec: Check asize for PCM
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (7 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 09/22] avformat/mp3dec: Check header_filesize Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 11/22] avformat/sapdec: Check ffurl_get_file_handle() for error Michael Niedermayer
` (12 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604527 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/nsvdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 3b8f812aa5e..dd01765d7d2 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -617,7 +617,7 @@ null_chunk_retry:
pkt = &nsv->ahead[NSV_ST_AUDIO];
/* read raw audio specific header on the first audio chunk... */
/* on ALL audio chunks ?? seems so! */
- if (asize && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) {
+ if (asize >= 4 && st[NSV_ST_AUDIO]->codecpar->codec_tag == MKTAG('P', 'C', 'M', ' ')/* && fill_header*/) {
uint8_t bps;
uint8_t channels;
uint16_t samplerate;
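Review bot: With `asize &&` changed to `asize >= 4 &&`, a PCM chunk whose `asize` is 1 to 3 no longer enters this block; it skips the header parsing and continues with whatever follows the `if`, which is outside the hunk. If the three declared fields (`bps`, `channels`, `samplerate`, 4 bytes together) are mandatory for PCM audio, rejecting such a chunk with `AVERROR_INVALIDDATA` is clearer than letting it fall through as payload. If falling through is intended, a comment on the condition should say that short PCM chunks are passed on unparsed.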
--
2.45.2
* [FFmpeg-devel] [PATCH 11/22] avformat/sapdec: Check ffurl_get_file_handle() for error
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (8 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 10/22] avformat/nsvdec: Check asize for PCM Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 12/22] avformat/sauce: Check avio_size() for failure Michael Niedermayer
` (11 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604506 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/sapdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/sapdec.c b/libavformat/sapdec.c
index 357c0dd5147..d5b5d71c020 100644
--- a/libavformat/sapdec.c
+++ b/libavformat/sapdec.c
@@ -198,6 +198,9 @@ static int sap_fetch_packet(AVFormatContext *s, AVPacket *pkt)
struct pollfd p = {fd, POLLIN, 0};
uint8_t recvbuf[RTP_MAX_PACKET_LENGTH];
+ if (fd < 0)
+ return fd;
+
if (sap->eof)
return AVERROR_EOF;
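Review bot: `return fd;` hands the raw result of the handle lookup to the caller as if it were an AVERROR code. If ffurl_get_file_handle() (named in the commit title; the call itself is outside the hunk) signals failure with a plain -1, callers will see that as an unrelated errno value. `return AVERROR(EIO);`, or whichever code this demuxer uses for an unusable connection, states the failure explicitly.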
--
2.45.2
* [FFmpeg-devel] [PATCH 12/22] avformat/sauce: Check avio_size() for failure
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (9 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 11/22] avformat/sapdec: Check ffurl_get_file_handle() for error Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 13/22] avformat/siff: Basic pkt_size check Michael Niedermayer
` (10 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604592 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/sauce.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/sauce.c b/libavformat/sauce.c
index 150be4705b5..55d288d3aea 100644
--- a/libavformat/sauce.c
+++ b/libavformat/sauce.c
@@ -34,7 +34,12 @@ int ff_sauce_read(AVFormatContext *avctx, uint64_t *fsize, int *got_width, int g
AVIOContext *pb = avctx->pb;
char buf[36];
int datatype, filetype, t1, t2, nb_comments;
- uint64_t start_pos = avio_size(pb) - 128;
+ int64_t start_pos = avio_size(pb);
+
+ if (start_pos <= 0)
+ return AVERROR_INVALIDDATA;
+
+ start_pos -= 128;
avio_seek(pb, start_pos, SEEK_SET);
if (avio_read(pb, buf, 7) != 7)
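Review bot: The guard `if (start_pos <= 0)` lets sizes from 1 to 127 through, after which `start_pos -= 128;` makes `start_pos` negative and it is passed to `avio_seek(pb, start_pos, SEEK_SET)`, whose result is not checked. The bound should cover the whole subtraction, as next_tag_read in bintext.c does with 256 in this series: `if (start_pos < 128) return AVERROR_INVALIDDATA;`. The tty.c caller in this series treats a negative return as the signal to try its fallback, so rejecting short files here fits the existing contract. ff_sauce_read continues outside the hunk.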
--
2.45.2
* [FFmpeg-devel] [PATCH 13/22] avformat/siff: Basic pkt_size check
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (10 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 12/22] avformat/sauce: Check avio_size() for failure Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 14/22] avformat/tty: Check avio_size() Michael Niedermayer
` (9 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: half of CID1258461 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/siff.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/siff.c b/libavformat/siff.c
index 5aad03d870f..b33746d51d2 100644
--- a/libavformat/siff.c
+++ b/libavformat/siff.c
@@ -199,7 +199,10 @@ static int siff_read_packet(AVFormatContext *s, AVPacket *pkt)
if (c->cur_frame >= c->frames)
return AVERROR_EOF;
if (c->curstrm == -1) {
- c->pktsize = avio_rl32(s->pb) - 4;
+ unsigned pktsize = avio_rl32(s->pb);
+ if (pktsize < 4)
+ return AVERROR_INVALIDDATA;
+ c->pktsize = pktsize - 4;
c->flags = avio_rl16(s->pb);
if (c->flags & VB_HAS_AUDIO && !c->has_audio)
return AVERROR_INVALIDDATA;
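Review bot: Only the lower bound of the 32-bit size is checked: `pktsize - 4` is assigned to `c->pktsize`, whose declaration is outside the hunk, and if that field is a signed int, file values above INT_MAX + 4 still become negative there. The commit message says this fixes half of the Coverity finding, so the upper bound may be the remaining half; `if (pktsize < 4 || pktsize - 4 > INT_MAX) return AVERROR_INVALIDDATA;` would close it in the same place. siff_read_packet continues outside the hunk.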
--
2.45.2
* [FFmpeg-devel] [PATCH 14/22] avformat/tty: Check avio_size()
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (11 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 13/22] avformat/siff: Basic pkt_size check Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 15/22] avformat/ty: rec_size seems to only need 32bit Michael Niedermayer
` (8 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1220824 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/tty.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/libavformat/tty.c b/libavformat/tty.c
index 95b72005278..c3956ccf34e 100644
--- a/libavformat/tty.c
+++ b/libavformat/tty.c
@@ -123,13 +123,16 @@ static int read_header(AVFormatContext *avctx)
s->chars_per_frame = FFMAX(av_q2d(st->time_base)*s->chars_per_frame, 1);
if (avctx->pb->seekable & AVIO_SEEKABLE_NORMAL) {
- s->fsize = avio_size(avctx->pb);
- st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame;
+ int64_t fsize = avio_size(avctx->pb);
+ if (fsize > 0) {
+ s->fsize = fsize;
+ st->duration = (s->fsize + s->chars_per_frame - 1) / s->chars_per_frame;
- if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0)
- efi_read(avctx, s->fsize - 51);
+ if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0)
+ efi_read(avctx, s->fsize - 51);
- avio_seek(avctx->pb, 0, SEEK_SET);
+ avio_seek(avctx->pb, 0, SEEK_SET);
+ }
}
fail:
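Review bot: `efi_read(avctx, s->fsize - 51)` is reached with only `fsize > 0` established, so for a file shorter than 51 bytes the subtraction wraps if `s->fsize` is unsigned (ff_sauce_read takes it as `uint64_t *`) or goes negative otherwise. Guard the fallback with the size it needs, for example `if (ff_sauce_read(avctx, &s->fsize, 0, 0) < 0 && s->fsize >= 51)`. Because ff_sauce_read receives a pointer to `s->fsize` and may modify it, the size test has to read the value after that call, as the `&&` ordering above does. read_header starts outside the hunk.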
--
2.45.2
* [FFmpeg-devel] [PATCH 15/22] avformat/ty: rec_size seems to only need 32bit
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (12 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 14/22] avformat/tty: Check avio_size() Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 16/22] avformat/webpenc: Check filesize in trailer Michael Niedermayer
` (7 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
May help CID1604560 Overflowed integer argument
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/ty.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/ty.c b/libavformat/ty.c
index ac3b9071fca..f524b74badc 100644
--- a/libavformat/ty.c
+++ b/libavformat/ty.c
@@ -49,7 +49,7 @@ static const uint8_t ty_AC3AudioPacket[] = { 0x00, 0x00, 0x01, 0xbd };
#define CHUNK_PEEK_COUNT 3 /* number of chunks to probe */
typedef struct TyRecHdr {
- int64_t rec_size;
+ int32_t rec_size;
uint8_t ex[2];
uint8_t rec_type;
uint8_t subrec_type;
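Review bot: Narrowing `rec_size` to `int32_t` rests only on the commit message's "seems to", and nothing at the field records which bound makes 32 bits sufficient. The assignments to `rec_size` are outside the hunk, so it is worth confirming that none of them stores a wider intermediate that would now be truncated silently. Once confirmed, a comment on the field would carry the reasoning, e.g. `int32_t rec_size; /* parsed from the record header, always fits in 32 bits */`. The struct definition continues outside the hunk.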
--
2.45.2
* [FFmpeg-devel] [PATCH 16/22] avformat/webpenc: Check filesize in trailer
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (13 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 15/22] avformat/ty: rec_size seems to only need 32bit Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 17/22] avformat/xmv: Check this_packet_size Michael Niedermayer
` (6 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
not sure this is possible
Fixes: CID1604446 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/webpenc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/webpenc.c b/libavformat/webpenc.c
index 1c5b93e0abf..ce0d046aa94 100644
--- a/libavformat/webpenc.c
+++ b/libavformat/webpenc.c
@@ -190,7 +190,7 @@ static int webp_write_trailer(AVFormatContext *s)
if (!ret) {
filesize = avio_tell(s->pb);
- if (avio_seek(s->pb, 4, SEEK_SET) == 4) {
+ if (filesize >= 8 && avio_seek(s->pb, 4, SEEK_SET) == 4) {
avio_wl32(s->pb, filesize - 8);
// Note: without the following, avio only writes 8 bytes to the file.
avio_seek(s->pb, filesize, SEEK_SET);
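Review bot: The new `filesize >= 8` test bounds the subtraction from below, but `avio_wl32(s->pb, filesize - 8)` writes a 32-bit field, so an output larger than 4 GiB would still store a truncated RIFF size (assuming `filesize` is a 64-bit offset; its declaration is outside the hunk). Checking the upper bound in the same condition closes that: `if (filesize >= 8 && filesize - 8 <= UINT32_MAX && avio_seek(s->pb, 4, SEEK_SET) == 4) {`. The lower bound also appears to be what rejects a negative error return from avio_tell(), which deserves a short comment next to the condition. webp_write_trailer continues outside the hunk.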
--
2.45.2
* [FFmpeg-devel] [PATCH 17/22] avformat/xmv: Check this_packet_size
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (14 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 16/22] avformat/webpenc: Check filesize in trailer Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 18/22] avutil/avsscanf: Remove dead code Michael Niedermayer
` (5 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604489 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/xmv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/xmv.c b/libavformat/xmv.c
index e103b2368ea..ed59f7b85bd 100644
--- a/libavformat/xmv.c
+++ b/libavformat/xmv.c
@@ -221,6 +221,8 @@ static int xmv_read_header(AVFormatContext *s)
/* Initialize the packet context */
xmv->next_packet_offset = avio_tell(pb);
+ if (this_packet_size < xmv->next_packet_offset)
+ return AVERROR_INVALIDDATA;
xmv->next_packet_size = this_packet_size - xmv->next_packet_offset;
xmv->stream_count = xmv->audio_track_count + 1;
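Review bot: The added comparison runs on `xmv->next_packet_offset` after the avio_tell() result has already been stored in it, so if that field is narrower than `int64_t` or unsigned (its declaration is outside the hunk), a negative error return or a large offset is compared only after conversion. Checking the raw value first avoids that: `int64_t pos = avio_tell(pb);` followed by `if (pos < 0 || this_packet_size < pos) return AVERROR_INVALIDDATA;` and then the assignment. The direct `return` should also be checked against how other failures in xmv_read_header release what was set up earlier; that part of the function is outside the hunk.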
--
2.45.2
* [FFmpeg-devel] [PATCH 18/22] avutil/avsscanf: Remove dead code
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (15 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 17/22] avformat/xmv: Check this_packet_size Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 19/22] avutil/buffer: Check ff_mutex_init() for failure Michael Niedermayer
` (4 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604498 Structurally dead code
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavutil/avsscanf.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c
index 7061e6d9651..94f7710043e 100644
--- a/libavutil/avsscanf.c
+++ b/libavutil/avsscanf.c
@@ -669,7 +669,6 @@ static double fffloatscan(FFFILE *f, int prec, int pok)
while (i--) shunget(f);
return NAN;
}
- return NAN;
}
if (i) {
--
2.45.2
* [FFmpeg-devel] [PATCH 19/22] avutil/buffer: Check ff_mutex_init() for failure
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (16 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 18/22] avutil/avsscanf: Remove dead code Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 20/22] avutil/frame: Check log2_crop_align Michael Niedermayer
` (3 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604487 Unchecked return value
Fixes: CID1604494 Unchecked return value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavutil/buffer.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavutil/buffer.c b/libavutil/buffer.c
index e4562a79b10..a8101d83f01 100644
--- a/libavutil/buffer.c
+++ b/libavutil/buffer.c
@@ -264,7 +264,10 @@ AVBufferPool *av_buffer_pool_init2(size_t size, void *opaque,
if (!pool)
return NULL;
- ff_mutex_init(&pool->mutex, NULL);
+ if (ff_mutex_init(&pool->mutex, NULL)) {
+ av_free(pool);
+ return NULL;
+ }
pool->size = size;
pool->opaque = opaque;
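Review bot: The same ff_mutex_init() / free-on-failure sequence is now written out twice, here in av_buffer_pool_init2() and again in the av_buffer_pool_init() hunk that follows, so any later change to the failure path has to be made in both places. A small static helper that returns the allocated pool with its mutex initialised, or NULL, would keep the two constructors in step. The error code from ff_mutex_init() is dropped because both functions can only return NULL; a one-line comment would say so, e.g. `/* mutex init failed; callers can only be told NULL */`. Both function bodies continue outside their hunks.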
@@ -283,7 +286,10 @@ AVBufferPool *av_buffer_pool_init(size_t size, AVBufferRef* (*alloc)(size_t size
if (!pool)
return NULL;
- ff_mutex_init(&pool->mutex, NULL);
+ if (ff_mutex_init(&pool->mutex, NULL)) {
+ av_free(pool);
+ return NULL;
+ }
pool->size = size;
pool->alloc = alloc ? alloc : av_buffer_alloc;
--
2.45.2
* [FFmpeg-devel] [PATCH 20/22] avutil/frame: Check log2_crop_align
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (17 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 19/22] avutil/buffer: Check ff_mutex_init() for failure Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 21/22] avutil/slicethread: Check pthread_*_init() for failure Michael Niedermayer
` (2 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604586 Overflowed constant
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavutil/frame.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavutil/frame.c b/libavutil/frame.c
index 0775e2abd9d..673a9afb3bf 100644
--- a/libavutil/frame.c
+++ b/libavutil/frame.c
@@ -1107,7 +1107,7 @@ int av_frame_apply_cropping(AVFrame *frame, int flags)
if (log2_crop_align < min_log2_align)
return AVERROR_BUG;
- if (min_log2_align < 5) {
+ if (min_log2_align < 5 && log2_crop_align != INT_MAX) {
frame->crop_left &= ~((1 << (5 + log2_crop_align - min_log2_align)) - 1);
calc_cropping_offsets(offsets, frame, desc);
}
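Review bot: The added `log2_crop_align != INT_MAX` test excludes only that one value, while the shift count `5 + log2_crop_align - min_log2_align` on the next line stays unbounded for other large values of `log2_crop_align`; a count of 31 or more applied to the `int` constant `1` is undefined behaviour. How `log2_crop_align` is computed is outside the hunk, so this may not be reachable, but the guard is more robust when expressed on the count itself: compute `int shift = 5 + log2_crop_align - min_log2_align;` and test `shift` against the width of the shifted operand before using it. A comment stating what `INT_MAX` stands for in this function would also make the condition readable. av_frame_apply_cropping continues outside the hunk.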
--
2.45.2
* [FFmpeg-devel] [PATCH 21/22] avutil/slicethread: Check pthread_*_init() for failure
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (18 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 20/22] avutil/frame: Check log2_crop_align Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 22/22] avfilter/vf_xfade: Check ff_inlink_consume_frame() " Michael Niedermayer
2024-07-21 14:43 ` [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1604383 Unchecked return value
Fixes: CID1604439 Unchecked return value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavutil/slicethread.c | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/libavutil/slicethread.c b/libavutil/slicethread.c
index 115b0997369..e6b82e31b65 100644
--- a/libavutil/slicethread.c
+++ b/libavutil/slicethread.c
@@ -102,6 +102,7 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv,
{
AVSliceThread *ctx;
int nb_workers, i;
+ int ret;
av_assert0(nb_threads >= 0);
if (!nb_threads) {
@@ -135,16 +136,37 @@ int avpriv_slicethread_create(AVSliceThread **pctx, void *priv,
atomic_init(&ctx->first_job, 0);
atomic_init(&ctx->current_job, 0);
- pthread_mutex_init(&ctx->done_mutex, NULL);
- pthread_cond_init(&ctx->done_cond, NULL);
+ ret = pthread_mutex_init(&ctx->done_mutex, NULL);
+ if (ret) {
+ av_freep(&ctx->workers);
+ av_freep(pctx);
+ return AVERROR(ret);
+ }
+ ret = pthread_cond_init(&ctx->done_cond, NULL);
+ if (ret) {
+ ctx->nb_threads = main_func ? 0 : 1;
+ avpriv_slicethread_free(pctx);
+ return AVERROR(ret);
+ }
ctx->done = 0;
for (i = 0; i < nb_workers; i++) {
WorkerContext *w = &ctx->workers[i];
int ret;
w->ctx = ctx;
- pthread_mutex_init(&w->mutex, NULL);
- pthread_cond_init(&w->cond, NULL);
+ ret = pthread_mutex_init(&w->mutex, NULL);
+ if (ret) {
+ ctx->nb_threads = main_func ? i : i + 1;
+ avpriv_slicethread_free(pctx);
+ return AVERROR(ret);
+ }
+ ret = pthread_cond_init(&w->cond, NULL);
+ if (ret) {
+ pthread_mutex_destroy(&w->mutex);
+ ctx->nb_threads = main_func ? i : i + 1;
+ avpriv_slicethread_free(pctx);
+ return AVERROR(ret);
+ }
pthread_mutex_lock(&w->mutex);
w->done = 0;
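Review bot: When `pthread_cond_init(&ctx->done_cond, NULL)` fails, the new path hands the context to avpriv_slicethread_free(); if that function destroys `done_cond` unconditionally (its body is not in this hunk), it would call pthread_cond_destroy() on a condition variable that was never initialised, which POSIX leaves undefined. Releasing by hand, as the mutex failure path just above does, avoids depending on that: `pthread_mutex_destroy(&ctx->done_mutex); av_freep(&ctx->workers); av_freep(pctx);` before `return AVERROR(ret);`. Separately, the `int ret;` kept inside the worker loop now shadows the function-level `ret` added by the first hunk and can be dropped. avpriv_slicethread_create starts and ends outside the hunk.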
--
2.45.2
* [FFmpeg-devel] [PATCH 22/22] avfilter/vf_xfade: Check ff_inlink_consume_frame() for failure
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (19 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 21/22] avutil/slicethread: Check pthread_*_init() for failure Michael Niedermayer
@ 2024-07-11 23:34 ` Michael Niedermayer
2024-07-21 14:43 ` [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-11 23:34 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: CID1458043 Unchecked return value
Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavfilter/vf_xfade.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libavfilter/vf_xfade.c b/libavfilter/vf_xfade.c
index e67a917d14f..e97117704a0 100644
--- a/libavfilter/vf_xfade.c
+++ b/libavfilter/vf_xfade.c
@@ -2288,8 +2288,11 @@ static int xfade_activate(AVFilterContext *avctx)
// Check if we are not yet transitioning, in which case
// just request and forward the input frame.
if (s->start_pts > s->pts) {
+ int ret;
s->passthrough = 1;
- ff_inlink_consume_frame(in_a, &s->xf[0]);
+ ret = ff_inlink_consume_frame(in_a, &s->xf[0]);
+ if (ret < 0)
+ return ret;
return ff_filter_frame(outlink, s->xf[0]);
}
s->passthrough = 0;
@@ -2297,8 +2300,14 @@ static int xfade_activate(AVFilterContext *avctx)
// We are transitioning, so we need a frame from second input
if (ff_inlink_check_available_frame(in_b)) {
int ret;
- ff_inlink_consume_frame(avctx->inputs[0], &s->xf[0]);
- ff_inlink_consume_frame(avctx->inputs[1], &s->xf[1]);
+ ret = ff_inlink_consume_frame(avctx->inputs[0], &s->xf[0]);
+ if (ret < 0)
+ return ret;
+ ret = ff_inlink_consume_frame(avctx->inputs[1], &s->xf[1]);
+ if (ret < 0) {
+ av_frame_free(&s->xf[0]);
+ return ret;
+ }
// Calculate PTS offset to first input
if (s->inputs_offset_pts == AV_NOPTS_VALUE)
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object
2024-07-11 23:33 [FFmpeg-devel] [PATCH 01/22] avformat/asfdec_o: Check size of index object Michael Niedermayer
` (20 preceding siblings ...)
2024-07-11 23:34 ` [FFmpeg-devel] [PATCH 22/22] avfilter/vf_xfade: Check ff_inlink_consume_frame() " Michael Niedermayer
@ 2024-07-21 14:43 ` Michael Niedermayer
21 siblings, 0 replies; 25+ messages in thread
From: Michael Niedermayer @ 2024-07-21 14:43 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 623 bytes --]
On Fri, Jul 12, 2024 at 01:33:55AM +0200, Michael Niedermayer wrote:
> We subtract 24 so it must be at least 24
>
> Fixes: CID1604482 Overflowed constant
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/asfdec_o.c | 3 +++
> 1 file changed, 3 insertions(+)
will apply patchset (except 5 which was dropped)
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If a bugfix only changes things apparently unrelated to the bug with no
further explanation, that is a good sign that the bugfix is wrong.