* [FFmpeg-devel] [PATCH 1/3] avformat/mov: Check sample_sizes before using it
From: Michael Niedermayer @ 2024-07-26 21:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: NULL pointer dereference
Fixes: 70569/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5247918563459072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mov.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index b74e43e2140..63db7d59a58 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10060,6 +10060,10 @@ static int mov_read_header(AVFormatContext *s)
st = item->st;
sc = st->priv_data;
+
+ if (!sc->sample_sizes || !sc->sample_count)
+ return AVERROR_INVALIDDATA;
+
st->codecpar->width = item->width;
st->codecpar->height = item->height;
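Review bot: the check on sc->sample_sizes and sc->sample_count added right after sc = st->priv_data has no comment, and the commit message names only the symptom ("NULL pointer dereference"), not how an item's stream reaches this point without a sample table. If that state is produced by earlier parsing, rejecting it there would keep this from being the only place that guards the invariant. The bare return should also be checked against whatever cleanup the other error paths of mov_read_header perform, which this hunk does not show.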
--
2.45.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/3] avcodec/adpcm: Make sample count computation match code accessing samples for AV_CODEC_ID_ADPCM_DTK
From: Michael Niedermayer @ 2024-07-26 21:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 70618/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_DTK_fuzzer-4814907107770368
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/adpcm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index afdbeaa15ee..8f9a8a8c8e2 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1050,6 +1050,8 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb,
nb_samples = buf_size / (21 * ch) * 32;
break;
case AV_CODEC_ID_ADPCM_DTK:
+ nb_samples = buf_size / 32 * 28;
+ break;
case AV_CODEC_ID_ADPCM_PSX:
nb_samples = buf_size / (16 * ch) * 28;
break;
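Review bot: the new DTK line computes buf_size / 32 * 28 without ch, while the PSX case it used to fall through to divides by 16 * ch; the two agree only for ch == 2, and nothing in the hunk says why DTK is independent of the channel count. A short comment on the added line stating the block size and samples per block that the decoder's read loop assumes would document this, since the subject says the count has to match that loop.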
--
2.45.2
* [FFmpeg-devel] [PATCH 3/3] avcodec/adpcm: Remove setting min_channel to value it is already set to
From: Michael Niedermayer @ 2024-07-26 21:08 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/adpcm.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 8f9a8a8c8e2..6c53d0bcf39 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -260,10 +260,6 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
case AV_CODEC_ID_ADPCM_IMA_AMV:
max_channels = 1;
break;
- case AV_CODEC_ID_ADPCM_DTK:
- case AV_CODEC_ID_ADPCM_EA:
- min_channels = 1;
- break;
case AV_CODEC_ID_ADPCM_AFC:
case AV_CODEC_ID_ADPCM_EA_R1:
case AV_CODEC_ID_ADPCM_EA_R2:
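Review bot: dropping the AV_CODEC_ID_ADPCM_DTK / AV_CODEC_ID_ADPCM_EA case is a no-op only if min_channels is already 1 before the switch, and that initialization is not in the hunk's context; the commit message has no body, so quoting the initializer there would let a reader verify the claim in the subject. With their labels gone both IDs take whatever default path this switch has, so that path should be checked as well.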
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 1/3] avformat/mov: Check sample_sizes before using it
From: James Almer @ 2024-07-26 22:11 UTC (permalink / raw)
To: ffmpeg-devel
On 7/26/2024 6:08 PM, Michael Niedermayer wrote:
> Fixes: NULL pointer dereference
> Fixes: 70569/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5247918563459072
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mov.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index b74e43e2140..63db7d59a58 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10060,6 +10060,10 @@ static int mov_read_header(AVFormatContext *s)
>
> st = item->st;
> sc = st->priv_data;
> +
> + if (!sc->sample_sizes || !sc->sample_count)
> + return AVERROR_INVALIDDATA;
Deja vu. Didn't you send something like this before?
Also, can i get the sample? As with other issues, we shouldn't reach
this point if these were not allocated.
> +
> st->codecpar->width = item->width;
> st->codecpar->height = item->height;
>
* Re: [FFmpeg-devel] [PATCH 1/3] avformat/mov: Check sample_sizes before using it
From: James Almer @ 2024-07-26 22:24 UTC (permalink / raw)
To: ffmpeg-devel
On 7/26/2024 7:11 PM, James Almer wrote:
> On 7/26/2024 6:08 PM, Michael Niedermayer wrote:
>> Fixes: NULL pointer dereference
>> Fixes:
>> 70569/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5247918563459072
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavformat/mov.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index b74e43e2140..63db7d59a58 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -10060,6 +10060,10 @@ static int mov_read_header(AVFormatContext *s)
>> st = item->st;
>> sc = st->priv_data;
>> +
>> + if (!sc->sample_sizes || !sc->sample_count)
>> + return AVERROR_INVALIDDATA;
>
> Deja vu. Didn't you send something like this before?
>
> Also, can i get the sample? As with other issues, we shouldn't reach
No, it was me:
https://ffmpeg.org//pipermail/ffmpeg-devel/2024-June/330391.html
Still, i want to check the sample because i'm not sure how this code is
reached like this.
> this point if these were not allocated.
>
>> +
>> st->codecpar->width = item->width;
>> st->codecpar->height = item->height;
* Re: [FFmpeg-devel] [PATCH 3/3] avcodec/adpcm: Remove setting min_channel to value it is already set to
From: Peter Ross @ 2024-07-27 11:17 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Fri, Jul 26, 2024 at 11:08:32PM +0200, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/adpcm.c | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
> index 8f9a8a8c8e2..6c53d0bcf39 100644
> --- a/libavcodec/adpcm.c
> +++ b/libavcodec/adpcm.c
> @@ -260,10 +260,6 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
> case AV_CODEC_ID_ADPCM_IMA_AMV:
> max_channels = 1;
> break;
> - case AV_CODEC_ID_ADPCM_DTK:
> - case AV_CODEC_ID_ADPCM_EA:
> - min_channels = 1;
> - break;
> case AV_CODEC_ID_ADPCM_AFC:
> case AV_CODEC_ID_ADPCM_EA_R1:
> case AV_CODEC_ID_ADPCM_EA_R2:
> --
> 2.45.2
please apply.
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
* Re: [FFmpeg-devel] [PATCH 3/3] avcodec/adpcm: Remove setting min_channel to value it is already set to
From: Michael Niedermayer @ 2024-07-27 22:00 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, Jul 27, 2024 at 09:17:01PM +1000, Peter Ross wrote:
> On Fri, Jul 26, 2024 at 11:08:32PM +0200, Michael Niedermayer wrote:
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/adpcm.c | 4 ----
> > 1 file changed, 4 deletions(-)
> >
> > diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
> > index 8f9a8a8c8e2..6c53d0bcf39 100644
> > --- a/libavcodec/adpcm.c
> > +++ b/libavcodec/adpcm.c
> > @@ -260,10 +260,6 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx)
> > case AV_CODEC_ID_ADPCM_IMA_AMV:
> > max_channels = 1;
> > break;
> > - case AV_CODEC_ID_ADPCM_DTK:
> > - case AV_CODEC_ID_ADPCM_EA:
> > - min_channels = 1;
> > - break;
> > case AV_CODEC_ID_ADPCM_AFC:
> > case AV_CODEC_ID_ADPCM_EA_R1:
> > case AV_CODEC_ID_ADPCM_EA_R2:
> > --
> > 2.45.2
>
> please apply.
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato
* Re: [FFmpeg-devel] [PATCH 1/3] avformat/mov: Check sample_sizes before using it
From: Michael Niedermayer @ 2024-07-27 22:06 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Hi
On Fri, Jul 26, 2024 at 07:24:38PM -0300, James Almer wrote:
[...]
> > Deja vu. Didn't you send something like this before?
> >
> > Also, can i get the sample? As with other issues, we shouldn't reach
>
> No, it was me:
> https://ffmpeg.org//pipermail/ffmpeg-devel/2024-June/330391.html
I am surprised we don't have more collisions
either way i will drop this on my side
>
> Still, i want to check the sample because i'm not sure how this code is
> reached like this.
sure, sent privately
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
* Re: [FFmpeg-devel] [PATCH 1/3] avformat/mov: Check sample_sizes before using it
From: James Almer @ 2024-07-28 0:29 UTC (permalink / raw)
To: ffmpeg-devel
On 7/27/2024 7:06 PM, Michael Niedermayer wrote:
> Hi
>
> On Fri, Jul 26, 2024 at 07:24:38PM -0300, James Almer wrote:
> [...]
>>> Deja vu. Didn't you send something like this before?
>>>
>>> Also, can i get the sample? As with other issues, we shouldn't reach
>>
>> No, it was me:
>> https://ffmpeg.org//pipermail/ffmpeg-devel/2024-June/330391.html
>
> I am surprised we don't have more collisions
There's a stsz atom after the iinf atom that tries to replace
sc->sample_sizes. It's inside the same meta box structure as the items
instead of inside an stsd structure, which is not spec compliant, so
ideally we should stop parsing it if that's the case.
I'll push my fix for now, but if such an stsz atom ends up allocating an
array with a single entry, it will be accepted, so not exactly ideal.
> either way i will drop this on my side
>
>
>>
>> Still, i want to check the sample because i'm not sure how this code is
>> reached like this.
>
> sure, sent privately
>
> thx
>
> [...]
>
>
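The layout described in the message above, an stsz box sitting directly inside a meta box next to iinf, can be detected with a small box walker. This is an added example, not FFmpeg code and not code from this thread; the function name, the constructed sample byte arrays and the depth limit of 16 are assumptions, and only 32-bit box sizes are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: meta (FullBox) holding iinf, then a stray stsz. */
static const uint8_t META_WITH_STSZ[] = {
    0,0,0,0x2e,'m','e','t','a', 0,0,0,0,
    0,0,0,0x0e,'i','i','n','f', 0,0,0,0, 0,0,
    0,0,0,0x14,'s','t','s','z', 0,0,0,0, 0,0,0,0, 0,0,0,0 };
/* Constructed sample: the same stsz inside a sample table (stbl). */
static const uint8_t STBL_WITH_STSZ[] = {
    0,0,0,0x1c,'s','t','b','l',
    0,0,0,0x14,'s','t','s','z', 0,0,0,0, 0,0,0,0, 0,0,0,0 };

static int is_type(const uint8_t *t, const char *name) { return !memcmp(t, name, 4); }

/* Count stsz boxes that are direct children of a meta box in buf[0..len).
 * Returns -1 on a truncated header, a size that overruns its parent
 * (64-bit sizes are not handled) or nesting deeper than 16 levels. */
static int stsz_in_meta(const uint8_t *buf, size_t len, int in_meta, int depth) {
    int found = 0;
    if (depth > 16) return -1;
    for (size_t pos = 0; pos < len; ) {
        if (len - pos < 8) return -1;
        const uint8_t *p = buf + pos, *type = p + 4;
        size_t size = (size_t)p[0] << 24 | (size_t)p[1] << 16 | (size_t)p[2] << 8 | p[3];
        int r = 0;
        if (size == 0) size = len - pos;             /* box runs to end of parent */
        if (size < 8 || size > len - pos) return -1; /* also rejects size == 1 */
        if (in_meta && is_type(type, "stsz")) found++;
        if (is_type(type, "meta")) {
            if (size < 12) return -1;                /* FullBox version + flags */
            r = stsz_in_meta(p + 12, size - 12, 1, depth + 1);
        } else if (is_type(type, "moov") || is_type(type, "trak") ||
                   is_type(type, "mdia") || is_type(type, "minf") || is_type(type, "stbl")) {
            r = stsz_in_meta(p + 8, size - 8, 0, depth + 1);
        }
        if (r < 0) return -1;
        found += r;
        pos += size;
    }
    return found;
}

int main(void) {
    printf("meta: %d stbl: %d\n", stsz_in_meta(META_WITH_STSZ, sizeof META_WITH_STSZ, 0, 0),
           stsz_in_meta(STBL_WITH_STSZ, sizeof STBL_WITH_STSZ, 0, 0));
    return 0;
}
```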