* [FFmpeg-devel] [PATCH 1/5] avformat/flvdec: Check for EOF in AudioPacketTypeMultichannelConfig
From: Michael Niedermayer @ 2025-07-13 1:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Infinite loop
Fixes: 427538726/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-6582567304495104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/flvdec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index ac681954cb7..a4fa0157512 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -1715,6 +1715,9 @@ retry_duration:
av_log(s, AV_LOG_DEBUG, "Set channel data from MultiChannel info.\n");
+ if (avio_feof(s->pb))
+ return AVERROR_EOF;
+
goto next_track;
}
} else if (stream_type == FLV_STREAM_TYPE_VIDEO) {
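Review bot: The added `return AVERROR_EOF` sits directly before `goto next_track`, so at EOF it bypasses whatever the `next_track` label does, and the commit message says only "Infinite loop" without naming the loop that fails to terminate. Please state in the commit message which loop spins and why the existing path after `goto next_track` does not end it; if the cause is a loop elsewhere, the check belongs there rather than as an early return in this branch.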
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/5] avformat/concatdec: Clip duration in one more case in get_best_effort_duration()
From: Michael Niedermayer @ 2025-07-13 1:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 40000 - -9223372036854770000 cannot be represented in type 'long'
Fixes: 427262541/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4831506940100608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/concatdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c
index fe65d0c7688..e0c2c872482 100644
--- a/libavformat/concatdec.c
+++ b/libavformat/concatdec.c
@@ -326,7 +326,7 @@ static int64_t get_best_effort_duration(ConcatFile *file, AVFormatContext *avf)
if (file->outpoint != AV_NOPTS_VALUE)
return av_sat_sub64(file->outpoint, file->file_inpoint);
if (avf->duration > 0)
- return avf->duration - (file->file_inpoint - file->file_start_time);
+ return av_sat_sub64(avf->duration, file->file_inpoint - file->file_start_time);
if (file->next_dts != AV_NOPTS_VALUE)
return file->next_dts - file->file_inpoint;
return AV_NOPTS_VALUE;
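Review bot: The inner operand `file->file_inpoint - file->file_start_time` on the changed line is still a plain signed 64-bit subtraction, so it can overflow before `av_sat_sub64()` ever sees it. Consider `av_sat_sub64(avf->duration, av_sat_sub64(file->file_inpoint, file->file_start_time))`, and the same treatment for `return file->next_dts - file->file_inpoint;` two lines further down, which this patch leaves unsaturated.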
--
2.49.0
* [FFmpeg-devel] [PATCH 3/5] avcodec/h264chroma_template: Replace variable by constant in chroma mc
From: Michael Niedermayer @ 2025-07-13 1:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/h264chroma_template.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/libavcodec/h264chroma_template.c b/libavcodec/h264chroma_template.c
index b9d24f5a0cd..b20811a71ae 100644
--- a/libavcodec/h264chroma_template.c
+++ b/libavcodec/h264chroma_template.c
@@ -54,7 +54,7 @@ static void FUNCC(OPNAME ## h264_chroma_mc1)(uint8_t *_dst /*align 8*/, const ui
}\
} else {\
for(i=0; i<h; i++){\
- OP(dst[0], (A*src[0]));\
+ OP(dst[0], (64*src[0]));\
dst+= stride;\
src+= stride;\
}\
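Review bot: Replacing `A` with the literal `64` in this `else` branch of h264_chroma_mc1 is only equivalent if `A` is always 64 whenever the branch is reached, and neither the hunk context nor the commit message (which has no body) shows that. Please add a one-line justification to the commit message, and consider a short comment on the `else` so the constant does not read as a magic number.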
@@ -91,8 +91,8 @@ static void FUNCC(OPNAME ## h264_chroma_mc2)(uint8_t *_dst /*align 8*/, const ui
}\
} else {\
for ( i = 0; i < h; i++){\
- OP(dst[0], A * src[0]);\
- OP(dst[1], A * src[1]);\
+ OP(dst[0], 64 * src[0]);\
+ OP(dst[1], 64 * src[1]);\
dst += stride;\
src += stride;\
}\
@@ -134,10 +134,10 @@ static void FUNCC(OPNAME ## h264_chroma_mc4)(uint8_t *_dst /*align 8*/, const ui
}\
} else {\
for ( i = 0; i < h; i++){\
- OP(dst[0], A * src[0]);\
- OP(dst[1], A * src[1]);\
- OP(dst[2], A * src[2]);\
- OP(dst[3], A * src[3]);\
+ OP(dst[0], 64 * src[0]);\
+ OP(dst[1], 64 * src[1]);\
+ OP(dst[2], 64 * src[2]);\
+ OP(dst[3], 64 * src[3]);\
dst += stride;\
src += stride;\
}\
@@ -187,14 +187,14 @@ static void FUNCC(OPNAME ## h264_chroma_mc8)(uint8_t *_dst /*align 8*/, const ui
}\
} else {\
for ( i = 0; i < h; i++){\
- OP(dst[0], A * src[0]);\
- OP(dst[1], A * src[1]);\
- OP(dst[2], A * src[2]);\
- OP(dst[3], A * src[3]);\
- OP(dst[4], A * src[4]);\
- OP(dst[5], A * src[5]);\
- OP(dst[6], A * src[6]);\
- OP(dst[7], A * src[7]);\
+ OP(dst[0], 64 * src[0]);\
+ OP(dst[1], 64 * src[1]);\
+ OP(dst[2], 64 * src[2]);\
+ OP(dst[3], 64 * src[3]);\
+ OP(dst[4], 64 * src[4]);\
+ OP(dst[5], 64 * src[5]);\
+ OP(dst[6], 64 * src[6]);\
+ OP(dst[7], 64 * src[7]);\
dst += stride;\
src += stride;\
}\
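Review bot: In the h264_chroma_mc8 `else` branch all eight `OP(dst[k], 64 * src[k])` lines now carry a bare literal, and the patch has no Fixes tag or stated motivation, so it is unclear whether this is meant as a speedup or a cleanup. If it is a performance change, a benchmark figure in the commit message would justify it; if `A` ends up unused on this path, say so, since that is the part a later reader will want to verify.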
--
2.49.0
* [FFmpeg-devel] [PATCH 4/5] avcodec/mpegvideo_dec: Fix lowres=3 field select interlaced mpeg4 frame
From: Michael Niedermayer @ 2025-07-13 1:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: out of array read in the chroma plane
Fixes: 428034092/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_DEC_fuzzer-5582608941776896.test
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/mpegvideo_dec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpegvideo_dec.c b/libavcodec/mpegvideo_dec.c
index 4a54f6cd614..85e24c667e3 100644
--- a/libavcodec/mpegvideo_dec.c
+++ b/libavcodec/mpegvideo_dec.c
@@ -557,7 +557,7 @@ static av_always_inline void mpeg_motion_lowres(MpegEncContext *s,
ptr_cr = ref_picture[2] + uvsrc_y * uvlinesize + uvsrc_x;
if ((unsigned) src_x > FFMAX( h_edge_pos - (!!sx) - 2 * block_s, 0) || uvsrc_y<0 ||
- (unsigned) src_y > FFMAX((v_edge_pos >> field_based) - (!!sy) - FFMAX(h, hc<<s->chroma_y_shift), 0)) {
+ (unsigned) src_y > FFMAX((v_edge_pos >> field_based) - (!!sy) - FFMAX(h, field_select + hc<<s->chroma_y_shift), 0)) {
s->vdsp.emulated_edge_mc(s->sc.edge_emu_buffer, ptr_y,
linesize >> field_based, linesize >> field_based,
17, 17 + field_based,
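Review bot: In the new operand `field_select + hc<<s->chroma_y_shift`, `+` binds tighter than `<<`, so the expression evaluates as `(field_select + hc) << s->chroma_y_shift`. Please add explicit parentheses for whichever grouping is intended. The subject names lowres=3, but the changed comparison carries no lowres condition in the visible lines, so the commit message should also say why widening the bound is correct for the other cases that reach this check.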
--
2.49.0
* [FFmpeg-devel] [PATCH 5/5] avcodec/osq: Fix 32bit sample overflow
From: Michael Niedermayer @ 2025-07-13 1:10 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 2147483565 + 128 cannot be represented in type 'int'
Fixes: 428055715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6358069900804096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/osq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index 76090aa8d07..1d99ab32451 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -390,7 +390,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame *frame)
int32_t *src = s->decode_buffer[ch] + OFFSET;
for (int n = 0; n < nb_samples; n++)
- dst[n] = av_clip_uint8(src[n] + 0x80);
+ dst[n] = av_clip_uint8(src[n] + 0x80ll);
}
break;
case AV_SAMPLE_FMT_S16P:
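Review bot: Widening the sum with `0x80ll` removes the signed `int` overflow in `src[n] + 0x80`, but the result is handed straight to `av_clip_uint8()`; if that helper takes an `int` parameter, the 64-bit value is converted back to `int` at the call and a sum above INT_MAX would not clip to 255. Clipping in 64 bits, or clamping `src[n]` before the add, would keep the intended saturation, and the `AV_SAMPLE_FMT_S16P` case that follows is worth checking for the same pattern.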
--
2.49.0
* Re: [FFmpeg-devel] [PATCH 1/5] avformat/flvdec: Check for EOF in AudioPacketTypeMultichannelConfig
From: Timo Rothenpieler @ 2025-07-13 11:42 UTC (permalink / raw)
To: ffmpeg-devel
On 7/13/2025 3:10 AM, Michael Niedermayer wrote:
> Fixes: Infinite loop
> Fixes: 427538726/clusterfuzz-testcase-minimized-ffmpeg_dem_FLV_fuzzer-6582567304495104
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/flvdec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
> index ac681954cb7..a4fa0157512 100644
> --- a/libavformat/flvdec.c
> +++ b/libavformat/flvdec.c
> @@ -1715,6 +1715,9 @@ retry_duration:
>
> av_log(s, AV_LOG_DEBUG, "Set channel data from MultiChannel info.\n");
>
> + if (avio_feof(s->pb))
> + return AVERROR_EOF;
> +
> goto next_track;
> }
> } else if (stream_type == FLV_STREAM_TYPE_VIDEO) {
I don't think just returning from here is correct.
The goto next_track right after it already checks for EOF.
I do not see how between here and the eof check there there'd be any way
to infinite loop.
It returns FFERROR_REDO there, which is important to drain queued up
packages.
The next time a call hits flv_read_packet will then immediately return
AVERROR_EOF, since it's one of the first things the function checks.
So just throwing in a random AVERROR_EOF there seems incorrect to me,
and is only hiding an actual issue elsewhere, if there is one.