Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing
@ 2025-06-20  0:32 Michael Niedermayer
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate Michael Niedermayer
                   ` (7 more replies)
  0 siblings, 8 replies; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Timeout
Fixes: 410609448/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PSD_fuzzer-6267226128973824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/psd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/psd.c b/libavcodec/psd.c
index 9c3e4f69052..f0b90ec1bd7 100644
--- a/libavcodec/psd.c
+++ b/libavcodec/psd.c
@@ -418,9 +418,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
 
     s->uncompressed_size = s->line_size * s->height * s->channel_count;
 
-    if ((ret = ff_get_buffer(avctx, picture, 0)) < 0)
-        return ret;
-
     /* decode picture if need */
     if (s->compression == PSD_RLE) {
         s->tmp = av_malloc(s->uncompressed_size);
@@ -443,6 +440,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
         ptr_data = s->gb.buffer;
     }
 
+    if ((ret = ff_get_buffer(avctx, picture, 0)) < 0)
+        return ret;
+
     /* Store data */
     if ((avctx->pix_fmt == AV_PIX_FMT_YA8)||(avctx->pix_fmt == AV_PIX_FMT_YA16BE)){/* Interleaved */
         ptr = picture->data[0];
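Review bot: the relocated `ff_get_buffer()` call now has an early `return ret` that runs after the RLE branch has done `s->tmp = av_malloc(s->uncompressed_size)` (visible in the previous hunk). Unless `s->tmp` is released on every exit path outside the lines shown, a failed buffer allocation here leaks the temporary buffer; freeing it before returning, or routing the failure through the function's existing cleanup, would close that. The commit message would also benefit from one sentence on why the order matters for the timeout, presumably that invalid RLE input is now rejected before a full frame is allocated.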
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
@ 2025-06-20  0:32 ` Michael Niedermayer
  2025-06-20  8:45   ` Andreas Rheinhardt
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 3/8] swscale/output: Fix integer overflows in yuv2rgba64_1_c_template() Michael Niedermayer
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: AVERROR_BUG return
Fixes: 413997604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-5188382613635072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hcadec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c
index 7780372cf3f..161044bfbcc 100644
--- a/libavcodec/hcadec.c
+++ b/libavcodec/hcadec.c
@@ -179,6 +179,9 @@ static void ath_init1(uint8_t *ath, int sample_rate)
 
 static int ath_init(uint8_t *ath, int type, int sample_rate)
 {
+    if (sample_rate <= 0)
+        return AVERROR_INVALIDDATA;
+
     switch (type) {
     case 0:
         /* nothing to do */
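Review bot: the `sample_rate <= 0` test sits ahead of `switch (type)`, so it also rejects `case 0`, which the context comment marks as `/* nothing to do */` and which does not appear to need a sample rate. Consider placing the check in the branch that actually passes `sample_rate` on, or validating the rate once where the decoder is initialised, and log the rejected value so a failing stream is diagnosable. The commit message says this fixes an `AVERROR_BUG` return but not which path produced it; a sentence on that would help.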
-- 
2.49.0


* [FFmpeg-devel] [PATCH 3/8] swscale/output: Fix integer overflows in yuv2rgba64_1_c_template()
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate Michael Niedermayer
@ 2025-06-20  0:32 ` Michael Niedermayer
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 4/8] tools/target_dec_fuzzer: adjust threshold for VP8 Michael Niedermayer
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: -132524 * 16525 cannot be represented in type 'int'
Fixes: 414862270/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4869083202125824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libswscale/output.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libswscale/output.c b/libswscale/output.c
index c37649e7ce5..c18c96a57a1 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1211,8 +1211,8 @@ yuv2rgba64_1_c_template(SwsInternal *c, const int32_t *buf0,
         for (i = 0; i < ((dstW + 1) >> 1); i++) {
             SUINT Y1 = (buf0[i * 2]    ) >> 2;
             SUINT Y2 = (buf0[i * 2 + 1]) >> 2;
-            int U  = (ubuf0[i] - (128 << 11)) >> 2;
-            int V  = (vbuf0[i] - (128 << 11)) >> 2;
+            SUINT U  = (ubuf0[i] - (128 << 11)) >> 2;
+            SUINT V  = (vbuf0[i] - (128 << 11)) >> 2;
             int R, G, B;
 
             Y1 -= c->yuv2rgb_y_offset;
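Review bot: `U` and `V` still carry signed chroma offsets (the right-hand side subtracts `128 << 11`), but are now typed `SUINT` while `R, G, B` on the next line remain `int`. That is safe only while `U` and `V` are used in additions and multiplications further down; any later comparison, division or right shift on them would change meaning. A short comment at the declaration saying the type is chosen for wrap-around arithmetic, matching the `SUINT Y1`/`Y2` declarations above, would keep a future edit from reintroducing the overflow.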
@@ -1260,8 +1260,8 @@ yuv2rgba64_1_c_template(SwsInternal *c, const int32_t *buf0,
         for (i = 0; i < ((dstW + 1) >> 1); i++) {
             SUINT Y1 = (buf0[i * 2]    ) >> 2;
             SUINT Y2 = (buf0[i * 2 + 1]) >> 2;
-            int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14;
-            int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14;
+            SUINT U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14;
+            SUINT V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14;
             int R, G, B;
 
             Y1 -= c->yuv2rgb_y_offset;
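Review bot: changing the declared type of `U` and `V` to `SUINT` does not change how the initialiser is evaluated: `ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)` is still computed in the operands' own type before the `>> 14` and the conversion. If the chroma buffers are `int32_t` like `buf0` in the signature and `uvalpha`/`uvalpha1` are `int` (neither declaration is in the hunk), that expression can itself overflow for extreme inputs. Worth confirming that the operand ranges rule this out; simply casting an operand to unsigned would turn `>> 14` into a logical shift, so that is not a drop-in fix.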
-- 
2.49.0


* [FFmpeg-devel] [PATCH 4/8] tools/target_dec_fuzzer: adjust threshold for VP8
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate Michael Niedermayer
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 3/8] swscale/output: Fix integer overflows in yuv2rgba64_1_c_template() Michael Niedermayer
@ 2025-06-20  0:32 ` Michael Niedermayer
  2025-06-23 14:30   ` Michael Niedermayer
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items() Michael Niedermayer
                   ` (4 subsequent siblings)
  7 siblings, 1 reply; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Timeout
Fixes: 416589179/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP8_fuzzer-5432788428062720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index f5f41bdb247..96d65c7b69e 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -325,6 +325,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     case AV_CODEC_ID_VP6F:        maxpixels  /= 4096;  break;
     case AV_CODEC_ID_VP6A:        maxpixels  /= 4096;  break;
     case AV_CODEC_ID_VP7:         maxpixels  /= 256;   break;
+    case AV_CODEC_ID_VP8:         maxpixels  /= 256;   break;
     case AV_CODEC_ID_VP9:         maxpixels  /= 4096;  break;
     case AV_CODEC_ID_WAVPACK:     maxsamples /= 1024;  break;
     case AV_CODEC_ID_WCMV:        maxpixels  /= 1024;  break;
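Review bot: the new `AV_CODEC_ID_VP8` entry uses `/= 256`, the same divisor as `AV_CODEC_ID_VP7` directly above, while `VP6F`, `VP6A` and `VP9` in the same context use 4096. The commit message only says the threshold was adjusted to fix a timeout; stating why 256 is enough for the reported test case would let a later reader judge whether the value needs tightening again.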
-- 
2.49.0


* [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items()
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
                   ` (2 preceding siblings ...)
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 4/8] tools/target_dec_fuzzer: adjust threshold for VP8 Michael Niedermayer
@ 2025-06-20  0:32 ` Michael Niedermayer
  2025-06-20  0:53   ` James Almer
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val Michael Niedermayer
                   ` (3 subsequent siblings)
  7 siblings, 1 reply; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: NULL pointer dereference
Fixes: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8a094b1ea0a..22488b517cb 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10332,6 +10332,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
 
         st = item->st;
         sc = st->priv_data;
+        if (!sc->sample_sizes)
+            return AVERROR_INVALIDDATA;
+
         st->codecpar->width  = item->width;
         st->codecpar->height = item->height;
 
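Review bot: the `!sc->sample_sizes` test guards the use site, but the hunk does not show how a HEIF item can have `item->st` set while the stream's `sample_sizes` was never allocated, and `st` and `sc` are dereferenced just above without a check of their own. It would be more robust to establish where that invariant is broken and reject the item there; if the check stays here, add an `av_log()` call so the `AVERROR_INVALIDDATA` is diagnosable.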
-- 
2.49.0


* [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
                   ` (3 preceding siblings ...)
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items() Michael Niedermayer
@ 2025-06-20  0:32 ` Michael Niedermayer
  2025-06-22  2:25   ` Nuo Mi
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 7/8] avcodec/vvc/cabac: Check k in kth_order_egk_decode() Michael Niedermayer
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: integer overflow
Fixes: 418314174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4871731867353088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vvc/ctu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
index ba4c89b1d1b..7fa2b496389 100644
--- a/libavcodec/vvc/ctu.c
+++ b/libavcodec/vvc/ctu.c
@@ -2053,6 +2053,8 @@ static int palette_subblock_data(VVCLocalContext *lc,
                 const int v = PALETTE_INDEX(xc, yc);
                 if (v == esc) {
                     const int coeff = ff_vvc_palette_escape_val(lc);
+                    if (coeff >= (1U << sps->bit_depth))
+                        return AVERROR_INVALIDDATA;
                     const int pixel = av_clip_intp2(RSHIFT(coeff * scale, 6), sps->bit_depth);
                     PALETTE_SET_PIXEL(xc, yc, pixel);
                 } else {
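Review bot: `coeff` is a `const int` compared against `1U << sps->bit_depth`, so the comparison is done in unsigned arithmetic and a negative `coeff` is rejected only because it converts to a large unsigned value. That reliance is easy to miss; writing `coeff < 0 ||` explicitly, or adding a comment, makes the intent clear. If `ff_vvc_palette_escape_val()` can return a negative error code, that code should be propagated rather than replaced by `AVERROR_INVALIDDATA`.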
-- 
2.49.0


* [FFmpeg-devel] [PATCH 7/8] avcodec/vvc/cabac: Check k in kth_order_egk_decode()
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
                   ` (4 preceding siblings ...)
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val Michael Niedermayer
@ 2025-06-20  0:32 ` Michael Niedermayer
  2025-06-22  2:29   ` Nuo Mi
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 8/8] avcodec/vvc/ctu: Check ff_vvc_num_signalled_palette_entries Michael Niedermayer
  2025-07-06 17:27 ` [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
  7 siblings, 1 reply; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

The return value is int; we can thus not handle 31 or more bits

Fixes: integer overflow
Fixes: 418396701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4730994378997760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vvc/cabac.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vvc/cabac.c b/libavcodec/vvc/cabac.c
index 6847ce59aff..78703cb065e 100644
--- a/libavcodec/vvc/cabac.c
+++ b/libavcodec/vvc/cabac.c
@@ -937,6 +937,8 @@ static int kth_order_egk_decode(CABACContext *c, int k)
 
     while (bit) {
         bit = get_cabac_bypass(c);
+        if (k >= 31)
+            return AVERROR_PATCHWELCOME;
         value += bit << k++;
     }
 
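Review bot: `kth_order_egk_decode()` returns the decoded value as `int`, and with the new `return AVERROR_PATCHWELCOME` inside the `while (bit)` loop a negative return now means failure, yet no caller is updated in this patch. Each call site needs to test for a negative result before using it as a decoded value. If codes this long cannot occur in a conforming stream, `AVERROR_INVALIDDATA` would describe the condition better than `AVERROR_PATCHWELCOME`; a comment stating which case applies would help.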
-- 
2.49.0


* [FFmpeg-devel] [PATCH 8/8] avcodec/vvc/ctu: Check ff_vvc_num_signalled_palette_entries
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
                   ` (5 preceding siblings ...)
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 7/8] avcodec/vvc/cabac: Check k in kth_order_egk_decode() Michael Niedermayer
@ 2025-06-20  0:32 ` Michael Niedermayer
  2025-07-06 17:27 ` [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
  7 siblings, 0 replies; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: index 107 out of bounds for type 'uint16_t const[63]'
Fixes: 421336912/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6436225806565376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vvc/ctu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
index 7fa2b496389..cf7edccb8b8 100644
--- a/libavcodec/vvc/ctu.c
+++ b/libavcodec/vvc/ctu.c
@@ -1889,7 +1889,7 @@ static int palette_signaled(VVCLocalContext *lc, const bool local_dual_tree,
     const int size            = nb_predicted + nb_signaled;
     const bool dual_tree_luma = local_dual_tree && cu->tree_type == DUAL_TREE_LUMA;
 
-    if (size > max_entries)
+    if (size > max_entries || nb_signaled < 0)
         return AVERROR_INVALIDDATA;
 
     for (int c = start; c < end; c++) {
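Review bot: `size` is computed as `nb_predicted + nb_signaled` two lines above, before `nb_signaled` is known to be non-negative, and the added `nb_signaled < 0` test folds that case into `AVERROR_INVALIDDATA`. If a negative `nb_signaled` is an error code from the function named in the subject line, test it first and return it unchanged, then do the `size > max_entries` comparison. `nb_predicted` is not range-checked in the visible lines either; it is worth confirming it cannot be negative.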
-- 
2.49.0


* Re: [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items()
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items() Michael Niedermayer
@ 2025-06-20  0:53   ` James Almer
  2025-06-20 14:39     ` Michael Niedermayer
  0 siblings, 1 reply; 18+ messages in thread
From: James Almer @ 2025-06-20  0:53 UTC (permalink / raw)
  To: ffmpeg-devel



On 6/19/2025 9:32 PM, Michael Niedermayer wrote:
> Fixes: NULL pointer dereference
> Fixes: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/mov.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 8a094b1ea0a..22488b517cb 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10332,6 +10332,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
>   
>           st = item->st;
>           sc = st->priv_data;
> +        if (!sc->sample_sizes)
> +            return AVERROR_INVALIDDATA;
> +
>           st->codecpar->width  = item->width;
>           st->codecpar->height = item->height;

Does the following fix it too?

> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 8a094b1ea0..a2a9c10f20 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5430,18 +5430,18 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item)
>      sc->stsc_data[0].first = 1;
>      sc->stsc_data[0].count = 1;
>      sc->stsc_data[0].id = 1;
> -    sc->chunk_count = 1;
>      sc->chunk_offsets = av_malloc_array(1, sizeof(*sc->chunk_offsets));
>      if (!sc->chunk_offsets)
>          return AVERROR(ENOMEM);
> -    sc->sample_count = 1;
> +    sc->chunk_count = 1;
>      sc->sample_sizes = av_malloc_array(1, sizeof(*sc->sample_sizes));
>      if (!sc->sample_sizes)
>          return AVERROR(ENOMEM);
> -    sc->stts_count = 1;
> +    sc->sample_count = 1;
>      sc->stts_data = av_malloc_array(1, sizeof(*sc->stts_data));
>      if (!sc->stts_data)
>          return AVERROR(ENOMEM);
> +    sc->stts_count = 1;
>      sc->stts_data[0].count = 1;
>      // Not used for still images. But needed by mov_build_index.
>      sc->stts_data[0].duration = 0;
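Review bot: moving each `*_count = 1` assignment below its `av_malloc_array()` NULL check changes state only on the three `return AVERROR(ENOMEM)` paths, so it keeps count and pointer consistent when an allocation fails but has no effect when `heif_add_stream()` completes or is never reached for an item. If the NULL `sample_sizes` in the report does not come from a failed allocation here, this reordering will not address it. The `sc->stsc_data[0]` stores at the top of the hunk are outside the reordering; confirm that `stsc_data` and its count follow the same allocate-then-count order.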

I'd rather have the checks in sanity_checks() detect this, so if 
sc->sample_sizes is NULL then sc->sample_count should be 0.



* Re: [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate Michael Niedermayer
@ 2025-06-20  8:45   ` Andreas Rheinhardt
  2025-06-20 14:28     ` Michael Niedermayer
  0 siblings, 1 reply; 18+ messages in thread
From: Andreas Rheinhardt @ 2025-06-20  8:45 UTC (permalink / raw)
  To: ffmpeg-devel

Michael Niedermayer:
> Fixes: AVERROR_BUG return
> Fixes: 413997604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-5188382613635072
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hcadec.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c
> index 7780372cf3f..161044bfbcc 100644
> --- a/libavcodec/hcadec.c
> +++ b/libavcodec/hcadec.c
> @@ -179,6 +179,9 @@ static void ath_init1(uint8_t *ath, int sample_rate)
>  
>  static int ath_init(uint8_t *ath, int type, int sample_rate)
>  {
> +    if (sample_rate <= 0)
> +        return AVERROR_INVALIDDATA;
> +
>      switch (type) {
>      case 0:
>          /* nothing to do */

The sample rate used here comes from avctx->sample_rate, so why do you
want to check this here instead of checking it generically for all audio
decoders without AV_CODEC_CAP_CHANNEL_CONF like this:

diff --git a/libavcodec/avcodec.c b/libavcodec/avcodec.c
index 7bcb0295e5..0ad39b4d91 100644
--- a/libavcodec/avcodec.c
+++ b/libavcodec/avcodec.c
@@ -254,7 +254,11 @@ int attribute_align_arg
avcodec_open2(AVCodecContext *avctx, const AVCodec *code
         }
     }

-    if (avctx->sample_rate < 0) {
+    /* AV_CODEC_CAP_CHANNEL_CONF is a decoder-only flag; so the code below
+     * in particular checks that sample_rate is set for all audio
encoders. */
+    if (avctx->sample_rate < 0 ||
+        avctx->sample_rate == 0 && avctx->codec_type ==
AVMEDIA_TYPE_AUDIO &&
+        !(codec->capabilities & AV_CODEC_CAP_CHANNEL_CONF)) {
         av_log(avctx, AV_LOG_ERROR, "Invalid sample rate: %d\n",
avctx->sample_rate);
         ret = AVERROR(EINVAL);
         goto free_and_end;
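Review bot: the new condition mixes `||` and `&&` without grouping (`sample_rate < 0 || sample_rate == 0 && ... && !(...)`); it evaluates as intended, but parenthesising the `&&` chain avoids a `-Wparentheses` warning and makes the precedence explicit. The added comment speaks of audio encoders while the condition, through `AV_CODEC_CAP_CHANNEL_CONF`, is what brings decoders under the check; saying both in the comment would help. As posted, several lines (the `@@` header, the comment, the condition and the `av_log` call) are wrapped by the mail client, so the patch will not apply without repair.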
diff --git a/libavcodec/encode.c b/libavcodec/encode.c
index 72dfa8867a..38833c566c 100644
--- a/libavcodec/encode.c
+++ b/libavcodec/encode.c
@@ -633,11 +633,6 @@ static int encode_preinit_audio(AVCodecContext *avctx)
                avctx->sample_fmt);
         return AVERROR(EINVAL);
     }
-    if (avctx->sample_rate <= 0) {
-        av_log(avctx, AV_LOG_ERROR, "Invalid audio sample rate: %d\n",
-               avctx->sample_rate);
-        return AVERROR(EINVAL);
-    }

     ret = avcodec_get_supported_config(avctx, NULL,
AV_CODEC_CONFIG_SAMPLE_FORMAT,
                                        0, (const void **) &sample_fmts,
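Review bot: removing the `sample_rate <= 0` test from `encode_preinit_audio()` leaves encoders covered only by the generic check in the avcodec.c hunk, which rejects 0 only when `AV_CODEC_CAP_CHANNEL_CONF` is absent. That holds as long as no encoder ever sets the flag, as the comment there asserts; an assertion or a note next to the flag's definition would protect the assumption. The user-visible message also changes from "Invalid audio sample rate" to "Invalid sample rate", which may matter to anything matching on log text.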

- Andreas


* Re: [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate
  2025-06-20  8:45   ` Andreas Rheinhardt
@ 2025-06-20 14:28     ` Michael Niedermayer
  0 siblings, 0 replies; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20 14:28 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



Hi Andreas

On Fri, Jun 20, 2025 at 10:45:46AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: AVERROR_BUG return
> > Fixes: 413997604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-5188382613635072
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/hcadec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c
> > index 7780372cf3f..161044bfbcc 100644
> > --- a/libavcodec/hcadec.c
> > +++ b/libavcodec/hcadec.c
> > @@ -179,6 +179,9 @@ static void ath_init1(uint8_t *ath, int sample_rate)
> >  
> >  static int ath_init(uint8_t *ath, int type, int sample_rate)
> >  {
> > +    if (sample_rate <= 0)
> > +        return AVERROR_INVALIDDATA;
> > +
> >      switch (type) {
> >      case 0:
> >          /* nothing to do */
> 
> The sample rate used here comes from avctx->sample_rate,

> so why do you
> want to check this here instead of checking it generically for all audio
> decoders without AV_CODEC_CAP_CHANNEL_CONF

I have not considered this alternative. Your patch is better

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The bravest are surely those who have the clearest vision
of what is before them, glory and danger alike, and yet
notwithstanding go out to meet it. -- Thucydides


* Re: [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items()
  2025-06-20  0:53   ` James Almer
@ 2025-06-20 14:39     ` Michael Niedermayer
  0 siblings, 0 replies; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-20 14:39 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Thu, Jun 19, 2025 at 09:53:33PM -0300, James Almer wrote:
> On 6/19/2025 9:32 PM, Michael Niedermayer wrote:
> > Fixes: NULL pointer dereference
> > Fixes: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavformat/mov.c | 3 +++
> >   1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 8a094b1ea0a..22488b517cb 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -10332,6 +10332,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
> >           st = item->st;
> >           sc = st->priv_data;
> > +        if (!sc->sample_sizes)
> > +            return AVERROR_INVALIDDATA;
> > +
> >           st->codecpar->width  = item->width;
> >           st->codecpar->height = item->height;
> 
> Does the following fix it too?
> 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 8a094b1ea0..a2a9c10f20 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -5430,18 +5430,18 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item)
> >      sc->stsc_data[0].first = 1;
> >      sc->stsc_data[0].count = 1;
> >      sc->stsc_data[0].id = 1;
> > -    sc->chunk_count = 1;
> >      sc->chunk_offsets = av_malloc_array(1, sizeof(*sc->chunk_offsets));
> >      if (!sc->chunk_offsets)
> >          return AVERROR(ENOMEM);
> > -    sc->sample_count = 1;
> > +    sc->chunk_count = 1;
> >      sc->sample_sizes = av_malloc_array(1, sizeof(*sc->sample_sizes));
> >      if (!sc->sample_sizes)
> >          return AVERROR(ENOMEM);
> > -    sc->stts_count = 1;
> > +    sc->sample_count = 1;
> >      sc->stts_data = av_malloc_array(1, sizeof(*sc->stts_data));
> >      if (!sc->stts_data)
> >          return AVERROR(ENOMEM);
> > +    sc->stts_count = 1;
> >      sc->stts_data[0].count = 1;
> >      // Not used for still images. But needed by mov_build_index.
> >      sc->stts_data[0].duration = 0;
> 
> I'd rather have the checks in sanity_checks() detect this, so if
> sc->sample_sizes is NULL then sc->sample_count should be 0.

sample sent privately to you.

The code above does not fix it (had to apply by hand though it didn't apply

Running: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544
libavformat/mov.c:10342:9: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/mov.c:10342:9 in
libavformat/mov.c:10342:9: runtime error: store to null pointer of type 'unsigned int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/mov.c:10342:9 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==305816==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000b1766e bp 0x7ffe03383c90 sp 0x7ffe03383960 T0)
==305816==The signal is caused by a WRITE memory access.
==305816==Hint: address points to the zero page.
    #0 0xb1766e in mov_parse_heif_items ffmpeg/libavformat/mov.c:10342:30
    #1 0xb1766e in mov_read_header ffmpeg/libavformat/mov.c:10498:15
    #2 0x79457d in avformat_open_input ffmpeg/libavformat/demux.c:309:20
    #3 0x5b1fd2 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:199:11
    #4 0x2729e4c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (ffmpeg/tools/target_dem_mov_fuzzer+0x2729e4c)
    #5 0x27144bf in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (ffmpeg/tools/target_dem_mov_fuzzer+0x27144bf)
    #6 0x2719b1f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (ffmpeg/tools/target_dem_mov_fuzzer+0x2719b1f)
    #7 0x271415b in main (ffmpeg/tools/target_dem_mov_fuzzer+0x271415b)
    #8 0x7fdaeca5b082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x504f5d in _start (ffmpeg/tools/target_dem_mov_fuzzer+0x504f5d)


thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Does the universe only have a finite lifespan? No, it's going to go on
forever, it's just that you won't like living in it. -- Hiranya Peiri


* Re: [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val Michael Niedermayer
@ 2025-06-22  2:25   ` Nuo Mi
  2025-06-22  6:41     ` Andreas Rheinhardt
  0 siblings, 1 reply; 18+ messages in thread
From: Nuo Mi @ 2025-06-22  2:25 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

On Fri, Jun 20, 2025 at 8:40 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: integer overflow
> Fixes: 418314174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4871731867353088
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/vvc/ctu.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
> index ba4c89b1d1b..7fa2b496389 100644
> --- a/libavcodec/vvc/ctu.c
> +++ b/libavcodec/vvc/ctu.c
> @@ -2053,6 +2053,8 @@ static int palette_subblock_data(VVCLocalContext *lc,
>                  const int v = PALETTE_INDEX(xc, yc);
>                  if (v == esc) {
>                      const int coeff = ff_vvc_palette_escape_val(lc);
>
A check for < 0 is needed.

> +                    if (coeff >= (1U << sps->bit_depth))
> +                        return AVERROR_INVALIDDATA;

                     const int pixel = av_clip_intp2(RSHIFT(coeff * scale,
> 6), sps->bit_depth);
>                      PALETTE_SET_PIXEL(xc, yc, pixel);
>                  } else {
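Review bot: the added `if (coeff >= (1U << sps->bit_depth))` rejects a negative return from ff_vvc_palette_escape_val() only because `coeff` is implicitly converted to unsigned for the comparison, and nothing in the hunk says so. Either spell it out as `coeff < 0 || coeff >= (1 << sps->bit_depth)` or add a short comment that the unsigned compare is intentional, so a later cleanup that drops the `U` suffix does not silently let negative values through to `coeff * scale`. It would also help to note what bounds `scale`, since the overflow being fixed is in that product and the hunk only limits one factor.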
> --
> 2.49.0
>

* Re: [FFmpeg-devel] [PATCH 7/8] avcodec/vvc/cabac: Check k in kth_order_egk_decode()
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 7/8] avcodec/vvc/cabac: Check k in kth_order_egk_decode() Michael Niedermayer
@ 2025-06-22  2:29   ` Nuo Mi
  0 siblings, 0 replies; 18+ messages in thread
From: Nuo Mi @ 2025-06-22  2:29 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

On Fri, Jun 20, 2025 at 8:40 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> The return value is int we can thus not handle 31 or more bits
>
> Fixes: integer overflow
> Fixes: 418396701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4730994378997760
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/vvc/cabac.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/vvc/cabac.c b/libavcodec/vvc/cabac.c
> index 6847ce59aff..78703cb065e 100644
> --- a/libavcodec/vvc/cabac.c
> +++ b/libavcodec/vvc/cabac.c
> @@ -937,6 +937,8 @@ static int kth_order_egk_decode(CABACContext *c, int k)
>
>      while (bit) {
>          bit = get_cabac_bypass(c);
> +        if (k >= 31)
> +            return AVERROR_PATCHWELCOME;
>
Hi Michael,
Thank you for the patch.

We may need to check the return value from ff_vvc_palette_predictor_run[1],
as it also uses kth_order_egk_decode.

[1]: https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/vvc/ctu.c#L1860

         value += bit << k++;
>      }
>
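Review bot: the new `return AVERROR_PATCHWELCOME;` inside the `while (bit)` loop puts a negative error code on the same `int` return that carries the decoded value, so every caller of kth_order_egk_decode() has to test the result for `< 0` before using it, and the hunk touches none of them. Please audit the call sites in this patch or a follow-up, and add a one-line comment next to `k >= 31` saying that the bound keeps `bit << k` inside a non-negative `int`, since the reason for 31 is only in the commit message.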
> --
> 2.49.0
>

* Re: [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val
  2025-06-22  2:25   ` Nuo Mi
@ 2025-06-22  6:41     ` Andreas Rheinhardt
  2025-06-23  2:52       ` Nuo Mi
  0 siblings, 1 reply; 18+ messages in thread
From: Andreas Rheinhardt @ 2025-06-22  6:41 UTC (permalink / raw)
  To: ffmpeg-devel

Nuo Mi:
> On Fri, Jun 20, 2025 at 8:40 AM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
>> Fixes: integer overflow
>> Fixes: 418314174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4871731867353088
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>  libavcodec/vvc/ctu.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
>> index ba4c89b1d1b..7fa2b496389 100644
>> --- a/libavcodec/vvc/ctu.c
>> +++ b/libavcodec/vvc/ctu.c
>> @@ -2053,6 +2053,8 @@ static int palette_subblock_data(VVCLocalContext *lc,
>>                  const int v = PALETTE_INDEX(xc, yc);
>>                  if (v == esc) {
>>                      const int coeff = ff_vvc_palette_escape_val(lc);
>>
> A check for < 0 is needed.

The check below is performed as unsigned comparison. If coeff were < 0,
then (unsigned)coeff is > INT_MAX and the check below triggers.

> 
>> +                    if (coeff >= (1U << sps->bit_depth))
>> +                        return AVERROR_INVALIDDATA;
> 
>                      const int pixel = av_clip_intp2(RSHIFT(coeff * scale,
>> 6), sps->bit_depth);
>>                      PALETTE_SET_PIXEL(xc, yc, pixel);
>>                  } else {
>> --
>> 2.49.0
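
The unsigned-comparison idiom described in the message above, as an added example that is not part of the thread or of FFmpeg's code. The helper names and sample values are constructed here, and bit_depth is assumed to lie between 8 and 16 so that both shifts are well defined.

```c
#include <limits.h>
#include <stdio.h>

/* Idiom from the patch: coeff is converted to unsigned for the comparison,
 * so a negative coeff becomes a value above INT_MAX and is rejected too. */
static int rejects_unsigned(int coeff, int bit_depth)
{
    return coeff >= (1U << bit_depth);
}

/* Explicit two-sided form: same result, intent visible to the reader. */
static int rejects_explicit(int coeff, int bit_depth)
{
    return coeff < 0 || coeff >= (1 << bit_depth);
}

/* Pitfall: without the U suffix the comparison is signed and
 * negative values pass the check. */
static int rejects_signed_only(int coeff, int bit_depth)
{
    return coeff >= (1 << bit_depth);
}

/* Count disagreements between the idiom and the explicit form
 * over constructed boundary values. */
static int count_mismatches(void)
{
    static const int samples[] = { INT_MIN, -65536, -1, 0, 1, 255, 256,
                                   1023, 1024, 65535, 65536, INT_MAX };
    int mismatches = 0;
    for (int bd = 8; bd <= 16; bd++)
        for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
            mismatches += rejects_unsigned(samples[i], bd) !=
                          rejects_explicit(samples[i], bd);
    return mismatches;
}

int main(void)
{
    printf("mismatches: %d\n", count_mismatches());
    printf("coeff=-1, 10 bit: unsigned=%d explicit=%d signed-only=%d\n",
           rejects_unsigned(-1, 10), rejects_explicit(-1, 10),
           rejects_signed_only(-1, 10));
    return 0;
}
```
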

* Re: [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val
  2025-06-22  6:41     ` Andreas Rheinhardt
@ 2025-06-23  2:52       ` Nuo Mi
  0 siblings, 0 replies; 18+ messages in thread
From: Nuo Mi @ 2025-06-23  2:52 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

On Sun, Jun 22, 2025 at 2:41 PM Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:

> Nuo Mi:
> > On Fri, Jun 20, 2025 at 8:40 AM Michael Niedermayer <michael@niedermayer.cc>
> > wrote:
> >
> >> Fixes: integer overflow
> >> Fixes: 418314174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4871731867353088
> >>
> >> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> ---
> >>  libavcodec/vvc/ctu.c | 2 ++
> >>  1 file changed, 2 insertions(+)
> >>
> >> diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
> >> index ba4c89b1d1b..7fa2b496389 100644
> >> --- a/libavcodec/vvc/ctu.c
> >> +++ b/libavcodec/vvc/ctu.c
> >> @@ -2053,6 +2053,8 @@ static int palette_subblock_data(VVCLocalContext
> *lc,
> >>                  const int v = PALETTE_INDEX(xc, yc);
> >>                  if (v == esc) {
> >>                      const int coeff = ff_vvc_palette_escape_val(lc);
> >>
> > A check for < 0 is needed.
>
> The check below is performed as unsigned comparison. If coeff were < 0,
> then (unsigned)coeff is > INT_MAX and the check below triggers.
>
Ah, smart, but not so readable

>
> >
> >> +                    if (coeff >= (1U << sps->bit_depth))
> >> +                        return AVERROR_INVALIDDATA;
> >
> >                      const int pixel = av_clip_intp2(RSHIFT(coeff *
> scale,
> >> 6), sps->bit_depth);
> >>                      PALETTE_SET_PIXEL(xc, yc, pixel);
> >>                  } else {
> >> --
> >> 2.49.0

* Re: [FFmpeg-devel] [PATCH 4/8] tools/target_dec_fuzzer: adjust threshold for VP8
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 4/8] tools/target_dec_fuzzer: adjust threshold for VP8 Michael Niedermayer
@ 2025-06-23 14:30   ` Michael Niedermayer
  0 siblings, 0 replies; 18+ messages in thread
From: Michael Niedermayer @ 2025-06-23 14:30 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Fri, Jun 20, 2025 at 02:32:51AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 416589179/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP8_fuzzer-5432788428062720
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  tools/target_dec_fuzzer.c | 1 +
>  1 file changed, 1 insertion(+)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The bravest are surely those who have the clearest vision
of what is before them, glory and danger alike, and yet
notwithstanding go out to meet it. -- Thucydides


* Re: [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing
  2025-06-20  0:32 [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing Michael Niedermayer
                   ` (6 preceding siblings ...)
  2025-06-20  0:32 ` [FFmpeg-devel] [PATCH 8/8] avcodec/vvc/ctu: Check ff_vvc_num_signalled_palette_entries Michael Niedermayer
@ 2025-07-06 17:27 ` Michael Niedermayer
  7 siblings, 0 replies; 18+ messages in thread
From: Michael Niedermayer @ 2025-07-06 17:27 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



On Fri, Jun 20, 2025 at 02:32:48AM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 410609448/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PSD_fuzzer-6267226128973824
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/psd.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

will apply 1,3,6,8

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Any man who breaks a law that conscience tells him is unjust and willingly 
accepts the penalty by staying in jail in order to arouse the conscience of 
the community on the injustice of the law is at that moment expressing the 
very highest respect for law. - Martin Luther King Jr

