* [FFmpeg-devel] [PATCH 2/5] avcodec/ivi: Check luma/chroma mb_size
2025-07-16 0:52 [FFmpeg-devel] [PATCH 1/5] avcodec/cfhd: Check idwt_buf size before allocation Michael Niedermayer
@ 2025-07-16 0:52 ` Michael Niedermayer
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 3/5] avcodec/ffv1dec: Check k in get_vlc_symbol() Michael Niedermayer
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2025-07-16 0:52 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: shift exponent -1 is negative
Fixes: 429011224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5031059358285824
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/ivi.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c
index e7d8d10c3e0..a38f382d5f2 100644
--- a/libavcodec/ivi.c
+++ b/libavcodec/ivi.c
@@ -994,9 +994,11 @@ static int decode_band(IVI45DecContext *ctx,
for (t = 0; t < band->num_tiles; t++) {
tile = &band->tiles[t];
- if (tile->mb_size != band->mb_size) {
- av_log(avctx, AV_LOG_ERROR, "MB sizes mismatch: %d vs. %d\n",
- band->mb_size, tile->mb_size);
+ if (tile->mb_size != band->mb_size ||
+ ctx->planes[0].bands[0].mb_size < band->mb_size
+ ) {
+ av_log(avctx, AV_LOG_ERROR, "MB sizes mismatch: %d vs. %d vs. %d\n",
+ band->mb_size, tile->mb_size, ctx->planes[0].bands[0].mb_size);
return AVERROR_INVALIDDATA;
}
tile->is_empty = get_bits1(&ctx->gb);
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread* [FFmpeg-devel] [PATCH 3/5] avcodec/ffv1dec: Check k in get_vlc_symbol()
2025-07-16 0:52 [FFmpeg-devel] [PATCH 1/5] avcodec/cfhd: Check idwt_buf size before allocation Michael Niedermayer
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 2/5] avcodec/ivi: Check luma/chroma mb_size Michael Niedermayer
@ 2025-07-16 0:52 ` Michael Niedermayer
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 4/5] avcodec/jpeg2000dec: Check that we arent reading with a non existing tile part Michael Niedermayer
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 5/5] avcodec/smacker: cleanup on bet buffer failure Michael Niedermayer
3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2025-07-16 0:52 UTC (permalink / raw)
To: FFmpeg development discussions and patches
The true problem happens in several previous get_vlc_symbol()
but checking that is more expensive (involving FFABS())
here its just a simple check between 2 variables we have.
Fixes: Assertion log >= k failed at libavcodec/golomb.h:406
Fixes: 429296194/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-4691594622337024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/ffv1dec.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index d613aa53959..d709e8ccbb3 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -56,6 +56,11 @@ static inline int get_vlc_symbol(GetBitContext *gb, VlcState *const state,
k++;
i += i;
}
+ if (k > bits) {
+ ff_dlog(NULL, "k-overflow bias:%d error:%d drift:%d count:%d k:%d",
+ state->bias, state->error_sum, state->drift, state->count, k);
+ k = bits;
+ }
v = get_sr_golomb(gb, k, 12, bits);
ff_dlog(NULL, "v:%d bias:%d error:%d drift:%d count:%d k:%d",
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread* [FFmpeg-devel] [PATCH 4/5] avcodec/jpeg2000dec: Check that we arent reading with a non existing tile part
2025-07-16 0:52 [FFmpeg-devel] [PATCH 1/5] avcodec/cfhd: Check idwt_buf size before allocation Michael Niedermayer
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 2/5] avcodec/ivi: Check luma/chroma mb_size Michael Niedermayer
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 3/5] avcodec/ffv1dec: Check k in get_vlc_symbol() Michael Niedermayer
@ 2025-07-16 0:52 ` Michael Niedermayer
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 5/5] avcodec/smacker: cleanup on bet buffer failure Michael Niedermayer
3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2025-07-16 0:52 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: applying zero offset to null pointer
Fixes: 429330004/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-4733213845291008
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/jpeg2000dec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index b82d85d5ee5..0e867025a38 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1156,6 +1156,10 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
else
select_stream(s, tile, tp_index, codsty);
+ // refering to a non existing tile part
+ if (!s->g.buffer)
+ return AVERROR_INVALIDDATA;
+
if (!(ret = get_bits(s, 1))) {
jpeg2000_flush(s);
goto skip_data;
@@ -1868,7 +1872,8 @@ static int jpeg2000_decode_packets(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile
);
}
/* EOC marker reached */
- bytestream2_skip(&s->g, 2);
+ if (ret >= 0)
+ bytestream2_skip(&s->g, 2);
return ret;
}
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread* [FFmpeg-devel] [PATCH 5/5] avcodec/smacker: cleanup on bet buffer failure
2025-07-16 0:52 [FFmpeg-devel] [PATCH 1/5] avcodec/cfhd: Check idwt_buf size before allocation Michael Niedermayer
` (2 preceding siblings ...)
2025-07-16 0:52 ` [FFmpeg-devel] [PATCH 4/5] avcodec/jpeg2000dec: Check that we arent reading with a non existing tile part Michael Niedermayer
@ 2025-07-16 0:52 ` Michael Niedermayer
3 siblings, 0 replies; 5+ messages in thread
From: Michael Niedermayer @ 2025-07-16 0:52 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: memleak (of vlc)
Fixes: 430343927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-5265858979233792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/smacker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 99009bfd361..e0c4dac350c 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -668,7 +668,7 @@ static int smka_decode_frame(AVCodecContext *avctx, AVFrame *frame,
}
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
- return ret;
+ goto error;
samples = (int16_t *)frame->data[0];
samples8 = frame->data[0];
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 5+ messages in thread