* [FFmpeg-devel] [PATCH 2/6] avcodec/aac/aacdec_usac: Dont leave type at a invalid value
2024-07-31 19:54 [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements Michael Niedermayer
@ 2024-07-31 19:54 ` Michael Niedermayer
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples Michael Niedermayer
` (4 subsequent siblings)
5 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Assertion 0 failed at libavcodec/aac/aacdec_usac.c:1646
Fixes: 70541/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5190889543106560
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/aac/aacdec_usac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index 1b79d19a30f..82db65eb0d0 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -265,6 +265,7 @@ static int decode_usac_extension(AACDecContext *ac, AACUsacElemConfig *e,
/* No configuration needed - fallthrough (len should be 0) */
default:
skip_bits(gb, 8*ext_config_len);
+ e->ext.type = ID_EXT_ELE_FILL;
break;
};
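Review bot: the new `e->ext.type = ID_EXT_ELE_FILL;` sits in the shared `default:` arm, so whatever case falls through from the "No configuration needed" comment above (its label is outside this hunk) has its type rewritten to fill as well, not only the unrecognised types. If that is intended, say so in a comment next to the assignment; if not, give the fall-through case its own `skip_bits()` and `break` and keep the overwrite for `default:` alone. The commit message should also say why treating an unknown extension as a fill element is safe for the code that hit the assertion at aacdec_usac.c:1646.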
--
2.45.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples
2024-07-31 19:54 [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements Michael Niedermayer
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 2/6] avcodec/aac/aacdec_usac: Dont leave type at a invalid value Michael Niedermayer
@ 2024-07-31 19:54 ` Michael Niedermayer
2024-07-31 22:04 ` James Almer
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails Michael Niedermayer
` (3 subsequent siblings)
5 siblings, 1 reply; 11+ messages in thread
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: division by zero
Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872
Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/iamf_parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index cdfd5f75fef..e007d6a7af2 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -252,7 +252,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
if (ret < 0)
goto fail;
- if ((codec_config->nb_samples > INT_MAX) ||
+ if ((codec_config->nb_samples > INT_MAX) || codec_config->nb_samples <= 0 ||
(-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) {
ret = AVERROR_INVALIDDATA;
goto fail;
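Review bot: the added `codec_config->nb_samples <= 0` operand is the only one in this condition without its own parentheses, and appending it to the first line makes the test harder to scan; put it on its own line, parenthesised like its neighbours. The subject says "Check for 0 samples", so if `nb_samples` is an unsigned field (its type is not visible in this hunk) `== 0` states the intent more plainly than `<= 0`. The position is right and should stay: the operand has to come before `INT_MAX / codec_config->nb_samples` so that short-circuit evaluation skips the division.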
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples Michael Niedermayer
@ 2024-07-31 22:04 ` James Almer
0 siblings, 0 replies; 11+ messages in thread
From: James Almer @ 2024-07-31 22:04 UTC (permalink / raw)
To: ffmpeg-devel
On 7/31/2024 4:54 PM, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872
> Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/iamf_parse.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> index cdfd5f75fef..e007d6a7af2 100644
> --- a/libavformat/iamf_parse.c
> +++ b/libavformat/iamf_parse.c
> @@ -252,7 +252,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
> if (ret < 0)
> goto fail;
>
> - if ((codec_config->nb_samples > INT_MAX) ||
> + if ((codec_config->nb_samples > INT_MAX) || codec_config->nb_samples <= 0 ||
> (-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) {
> ret = AVERROR_INVALIDDATA;
> goto fail;
LGTM
* [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
2024-07-31 19:54 [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements Michael Niedermayer
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 2/6] avcodec/aac/aacdec_usac: Dont leave type at a invalid value Michael Niedermayer
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples Michael Niedermayer
@ 2024-07-31 19:54 ` Michael Niedermayer
2024-08-01 15:11 ` Lynne via ffmpeg-devel
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 5/6] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow Michael Niedermayer
` (2 subsequent siblings)
5 siblings, 1 reply; 11+ messages in thread
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/aac/aacdec_usac.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index 82db65eb0d0..2938e693874 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -918,8 +918,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac,
}
ret = setup_sce(ac, sce1, usac);
- if (ret < 0)
+ if (ret < 0) {
+ ics2->max_sfb = 0;
return ret;
+ }
ret = setup_sce(ac, sce2, usac);
if (ret < 0)
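Review bot: `ics2->max_sfb = 0;` in the `sce1` error path carries no comment, and without one it reads as redundant, since the visible code calls `setup_sce()` once per element and the reader expects each call to look after its own state. Add a one-line comment saying that the second element's `max_sfb` has not been validated yet when this early return is taken. It is also worth checking whether any other field of the second element is stored before `setup_sce(ac, sce2, usac)` and left in the same state on this path.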
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails Michael Niedermayer
@ 2024-08-01 15:11 ` Lynne via ffmpeg-devel
2024-08-01 17:07 ` Michael Niedermayer
0 siblings, 1 reply; 11+ messages in thread
From: Lynne via ffmpeg-devel @ 2024-08-01 15:11 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Lynne
On 31/07/2024 21:54, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/aac/aacdec_usac.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
> index 82db65eb0d0..2938e693874 100644
> --- a/libavcodec/aac/aacdec_usac.c
> +++ b/libavcodec/aac/aacdec_usac.c
> @@ -918,8 +918,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac,
> }
>
> ret = setup_sce(ac, sce1, usac);
> - if (ret < 0)
> + if (ret < 0) {
> + ics2->max_sfb = 0;
> return ret;
> + }
>
> ret = setup_sce(ac, sce2, usac);
> if (ret < 0)
Err, the one and only place where setup_sce can return an error is also
where ics->max_sfb = 0; is cleaned up. It doesn't make sense that this
patch would do anything at all.
* Re: [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
2024-08-01 15:11 ` Lynne via ffmpeg-devel
@ 2024-08-01 17:07 ` Michael Niedermayer
0 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-08-01 17:07 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Thu, Aug 01, 2024 at 05:11:18PM +0200, Lynne via ffmpeg-devel wrote:
> On 31/07/2024 21:54, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/aac/aacdec_usac.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
> > index 82db65eb0d0..2938e693874 100644
> > --- a/libavcodec/aac/aacdec_usac.c
> > +++ b/libavcodec/aac/aacdec_usac.c
> > @@ -918,8 +918,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac,
> > }
> > ret = setup_sce(ac, sce1, usac);
> > - if (ret < 0)
> > + if (ret < 0) {
> > + ics2->max_sfb = 0;
> > return ret;
> > + }
> > ret = setup_sce(ac, sce2, usac);
> > if (ret < 0)
>
> Err, the one and only place where setup_sce can return an error is also
> where ics->max_sfb = 0; is cleaned up. It doesn't make sense that this patch
> would do anything at all.
There are 2 single channel elements.
When the first fails, it automatically cleans the first's max_sfb, but as is before
this patch it leaves the 2nd SCE's max_sfb unchanged at whatever unchecked value
was put in it.
It would get checked and cleared in the next setup_sce() call, but that is
never called if the first fails.
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is what and why we do it that matters, not just one of them.
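The failure mode discussed in this sub-thread, reduced to a stand-alone model. This is an added example, not FFmpeg code and not from either author: `Ics`, `setup_element()`, `parse_pair()`, `NUM_SWB` and the range check are hypothetical stand-ins, and the input values are constructed.

```c
#include <stdio.h>

#define NUM_SWB 4   /* constructed bound: a valid max_sfb is 0..NUM_SWB */

typedef struct { int max_sfb; } Ics;   /* simplified stand-in, not FFmpeg's struct */

/* Validates one element; on failure it clears only the element it was given. */
static int setup_element(Ics *ics)
{
    if (ics->max_sfb > NUM_SWB) {
        ics->max_sfb = 0;
        return -1;
    }
    return 0;
}

/* Stores both fields first, then validates them one after the other.
 * clear_second_on_error selects the behaviour with (1) or without (0)
 * the extra reset on the first element's error path. */
static int parse_pair(Ics *e1, Ics *e2, int raw1, int raw2,
                      int clear_second_on_error)
{
    int ret;

    e1->max_sfb = raw1;   /* both values come straight from the input */
    e2->max_sfb = raw2;

    ret = setup_element(e1);
    if (ret < 0) {
        if (clear_second_on_error)
            e2->max_sfb = 0;   /* e2 never reaches setup_element() here */
        return ret;
    }
    return setup_element(e2);
}

/* A later consumer is only safe if every stored max_sfb is within the bound. */
static int state_is_safe(const Ics *e1, const Ics *e2)
{
    return e1->max_sfb <= NUM_SWB && e2->max_sfb <= NUM_SWB;
}

/* Feeds the constructed input (both fields out of range) and returns 1 when
 * the call failed AND the state left behind is still within bounds. */
static int run_case(int clear_second_on_error)
{
    Ics e1 = {0}, e2 = {0};
    int ret = parse_pair(&e1, &e2, 9, 9, clear_second_on_error);
    return ret < 0 && state_is_safe(&e1, &e2);
}

int main(void)
{
    printf("without the reset: state safe = %d\n", run_case(0));
    printf("with the reset:    state safe = %d\n", run_case(1));
    return 0;
}
```

The error return alone does not protect a caller that keeps the context and reads the second element later; only the stored value being in range does.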
* [FFmpeg-devel] [PATCH 5/6] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow
2024-07-31 19:54 [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements Michael Niedermayer
` (2 preceding siblings ...)
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails Michael Niedermayer
@ 2024-07-31 19:54 ` Michael Niedermayer
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer Michael Niedermayer
2024-07-31 22:03 ` [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements James Almer
5 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
The snow encoder uses block-based motion estimation, which can read out of array if
insufficient alignment is used.
It may be better to only apply this for the encoder, as it would save a few bytes of memory
for the decoder. Until then, this fixes the issue in a simple way.
Fixes: out of array access
Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128
Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz
Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/utils.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 337c00e789a..7914f799041 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -259,6 +259,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
if (s->codec_id == AV_CODEC_ID_SVQ1) {
w_align = 64;
h_align = 64;
+ } else if (s->codec_id == AV_CODEC_ID_SNOW) {
+ w_align = 16;
+ h_align = 16;
}
break;
case AV_PIX_FMT_RGB555:
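Review bot: the new `AV_CODEC_ID_SNOW` branch raises the alignment for every snow context, while the commit message ties the out-of-array read to the encoder's motion estimation only and already notes that the decoder does not need it. Either restrict the branch to the encoder now, or leave a comment at the branch recording that the decoder case is a known over-allocation to be narrowed later. The literal `16` for `w_align` and `h_align` also has no explanation; a short comment naming the block size it is derived from would stop it being "simplified" away.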
--
2.45.2
* [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer
2024-07-31 19:54 [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements Michael Niedermayer
` (3 preceding siblings ...)
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 5/6] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow Michael Niedermayer
@ 2024-07-31 19:54 ` Michael Niedermayer
2024-07-31 20:05 ` Michael Niedermayer
2024-07-31 22:03 ` [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements James Almer
5 siblings, 1 reply; 11+ messages in thread
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array access
Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/snow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 0285362d439..af6214d0778 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -428,7 +428,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){
!FF_ALLOCZ_TYPED_ARRAY(s->spatial_dwt_buffer, width * height) || //FIXME this does not belong here
!FF_ALLOCZ_TYPED_ARRAY(s->temp_dwt_buffer, width) ||
!FF_ALLOCZ_TYPED_ARRAY(s->temp_idwt_buffer, width) ||
- !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1)))
+ !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1))
return AVERROR(ENOMEM);
for(i=0; i<MAX_REF_FRAMES; i++) {
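Review bot: the `+ 1` added to the `s->run_buffer` element count is not explained in the code, and the commit message says only "off by 1" without naming the access that needs the extra element. Add a comment on that line stating what occupies the last slot (for example a terminating entry written after the final run), so the allocation and the writer can be checked against each other and the `+ 1` is not dropped in a later cleanup. If the extra element is only there because a writer goes one past the intended end, the bound belongs at the writer instead.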
--
2.45.2
* Re: [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer Michael Niedermayer
@ 2024-07-31 20:05 ` Michael Niedermayer
0 siblings, 0 replies; 11+ messages in thread
From: Michael Niedermayer @ 2024-07-31 20:05 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Wed, Jul 31, 2024 at 09:54:10PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/snow.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
I intend to apply this and the other snow patch (which has been on the ML for a while
with a different commit message) very soon because they affect upcoming point releases.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato
* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements
2024-07-31 19:54 [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements Michael Niedermayer
` (4 preceding siblings ...)
2024-07-31 19:54 ` [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer Michael Niedermayer
@ 2024-07-31 22:03 ` James Almer
5 siblings, 0 replies; 11+ messages in thread
From: James Almer @ 2024-07-31 22:03 UTC (permalink / raw)
To: ffmpeg-devel
On 7/31/2024 4:54 PM, Michael Niedermayer wrote:
> Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192
> Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/cbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
> index b26e39eab4d..dcbc86a5f7d 100644
> --- a/libavcodec/cbs.c
> +++ b/libavcodec/cbs.c
> @@ -605,7 +605,7 @@ static av_always_inline int cbs_read_unsigned(CodedBitstreamContext *ctx,
>
> CBS_TRACE_READ_START();
>
> - av_assert0(width > 0 && width <= 32);
> + av_assert0(width >= 0 && width <= 32);
No, sei_3d_reference_displays_info should instead not attempt to read
from the bitstream when width is 0.
I'll send a patch for this later.
>
> if (get_bits_left(gbc) < width) {
> av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at "
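Review bot: relaxing `av_assert0(width > 0 && width <= 32)` to `width >= 0` changes the contract of `cbs_read_unsigned()` for every caller in order to accommodate one syntax element, and it removes the check that reported the problem in the first place. With `width == 0` the `get_bits_left(gbc) < width` test that follows can never reject the read, so the helper goes on to whatever comes after it with nothing to read. Keep the assertion as it is and skip the read in the code that handles the zero-length element.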