From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 20 Jun 2025 16:39:37 +0200
Subject: Re: [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items()
Message-ID: <20250620143937.GV29660@pb2>
In-Reply-To: <1e44d636-2e4b-43f9-bf19-e7db85902624@gmail.com>
References: <20250620003255.295598-1-michael@niedermayer.cc> <20250620003255.295598-5-michael@niedermayer.cc> <1e44d636-2e4b-43f9-bf19-e7db85902624@gmail.com>
On Thu, Jun 19, 2025 at 09:53:33PM -0300, James Almer wrote:
> On 6/19/2025 9:32 PM, Michael Niedermayer wrote:
> > Fixes: NULL pointer dereference
> > Fixes: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavformat/mov.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 8a094b1ea0a..22488b517cb 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -10332,6 +10332,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
> >          st = item->st;
> >          sc = st->priv_data;
> > +        if (!sc->sample_sizes)
> > +            return AVERROR_INVALIDDATA;
> > +
> >          st->codecpar->width  = item->width;
> >          st->codecpar->height = item->height;
>
> Does the following fix it too?
>
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 8a094b1ea0..a2a9c10f20 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -5430,18 +5430,18 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item)
> >      sc->stsc_data[0].first = 1;
> >      sc->stsc_data[0].count = 1;
> >      sc->stsc_data[0].id = 1;
> > -    sc->chunk_count = 1;
> >      sc->chunk_offsets = av_malloc_array(1, sizeof(*sc->chunk_offsets));
> >      if (!sc->chunk_offsets)
> >          return AVERROR(ENOMEM);
> > -    sc->sample_count = 1;
> > +    sc->chunk_count = 1;
> >      sc->sample_sizes = av_malloc_array(1, sizeof(*sc->sample_sizes));
> >      if (!sc->sample_sizes)
> >          return AVERROR(ENOMEM);
> > -    sc->stts_count = 1;
> > +    sc->sample_count = 1;
> >      sc->stts_data = av_malloc_array(1, sizeof(*sc->stts_data));
> >      if (!sc->stts_data)
> >          return AVERROR(ENOMEM);
> > +    sc->stts_count = 1;
> >      sc->stts_data[0].count = 1;
> >      // Not used for still images. But needed by mov_build_index.
> >      sc->stts_data[0].duration = 0;
>
> I'd rather have the checks in sanity_checks() detect this, so if
> sc->sample_sizes is NULL then sc->sample_count should be 0.

Sample sent privately to you.

The code above does not fix it (had to apply by hand though, it didn't apply)

running: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544
libavformat/mov.c:10342:9: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/mov.c:10342:9 in
libavformat/mov.c:10342:9: runtime error: store to null pointer of type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/mov.c:10342:9 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==305816==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000b1766e bp 0x7ffe03383c90 sp 0x7ffe03383960 T0)
==305816==The signal is caused by a WRITE memory access.
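Review bot: on the first hunk (mov_parse_heif_items(), the added `if (!sc->sample_sizes)` / `return AVERROR_INVALIDDATA;`), the commit message names only the fuzzer testcase and does not say how a stream reaches this point with sc->sample_sizes unset, so the early return reads as a symptom fix; please document the path in the commit message. The check also covers sample_sizes alone, while heif_add_stream() (second hunk) allocates chunk_offsets, sample_sizes and stts_data in one sequence with the same ENOMEM early returns, so a stream that arrives here with sample_sizes NULL can equally have the other two NULL; if an early return is the chosen fix, checking all three, or making sanity_checks() reject sample_count > 0 with a NULL sample_sizes as James suggests, covers the class of invalid input rather than this one testcase, and an av_log() at the rejection point would make the reason visible to anyone triaging a corrupt file.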
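Review bot: on the second hunk (heif_add_stream(), moving the `sc->chunk_count = 1;`, `sc->sample_count = 1;` and `sc->stts_count = 1;` assignments after their allocations), this only keeps each count consistent on the ENOMEM paths inside heif_add_stream() itself, and Michael's run with it applied still shows the sanitizer reporting a store through a NULL pointer at mov.c:10342, so the NULL sample_sizes in this testcase does not come from those paths. The reordering is worth keeping as hygiene (a count of 1 with a NULL array is exactly the inconsistency a later consumer cannot detect), but on its own it has nothing to catch the reported case; it needs to be paired with the sanity_checks() rule James proposes (sample_sizes == NULL implies sample_count == 0) and verified against the fuzzer sample before it is taken as the fix.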
==305816==Hint: address points to the zero page.
    #0 0xb1766e in mov_parse_heif_items ffmpeg/libavformat/mov.c:10342:30
    #1 0xb1766e in mov_read_header ffmpeg/libavformat/mov.c:10498:15
    #2 0x79457d in avformat_open_input ffmpeg/libavformat/demux.c:309:20
    #3 0x5b1fd2 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:199:11
    #4 0x2729e4c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (ffmpeg/tools/target_dem_mov_fuzzer+0x2729e4c)
    #5 0x27144bf in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (ffmpeg/tools/target_dem_mov_fuzzer+0x27144bf)
    #6 0x2719b1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (ffmpeg/tools/target_dem_mov_fuzzer+0x2719b1f)
    #7 0x271415b in main (ffmpeg/tools/target_dem_mov_fuzzer+0x271415b)
    #8 0x7fdaeca5b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x504f5d in _start (ffmpeg/tools/target_dem_mov_fuzzer+0x504f5d)

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Does the universe only have a finite lifespan? No, it's going to go on forever,
it's just that you won't like living in it. -- Hiranya Peiri