* [FFmpeg-devel] [PATCH 1/4] avcodec/hevc/hevcdec: Clean sao_pixel_buffer_v on allocation
From: Michael Niedermayer @ 2025-07-23 11:45 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: use of uninitialized memory
Fixes: 378102648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5896308499480576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hevc/hevcdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index 21ecf063c5a..53aa8d60ff4 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -152,10 +152,10 @@ static int pic_arrays_init(HEVCLayerContext *l, const HEVCSPS *sps)
int w = sps->width >> sps->hshift[c_idx];
int h = sps->height >> sps->vshift[c_idx];
l->sao_pixel_buffer_h[c_idx] =
- av_malloc((w * 2 * sps->ctb_height) <<
+ av_mallocz((w * 2 * sps->ctb_height) <<
sps->pixel_shift);
l->sao_pixel_buffer_v[c_idx] =
- av_malloc((h * 2 * sps->ctb_width) <<
+ av_mallocz((h * 2 * sps->ctb_width) <<
sps->pixel_shift);
if (!l->sao_pixel_buffer_h[c_idx] ||
!l->sao_pixel_buffer_v[c_idx])
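Review bot: the subject line names only sao_pixel_buffer_v, but the hunk switches both sao_pixel_buffer_h and sao_pixel_buffer_v from av_malloc to av_mallocz; either widen the title to cover both buffers or split the _h change out with its own fuzzer reference. The commit message also never says which code path reads these buffers before the SAO filter has written them; zero-filling makes the read deterministic but does not explain why an unwritten region is consumed, and a future reader of `git blame` will only find a clusterfuzz id. One sentence on the read path, and on whether the alternative (having the writer cover the whole region) was considered, would make the fix reviewable rather than only a sanitizer silencer.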
--
2.50.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/4] avformat/mov: make sure file_checksum is fully initialized
From: Michael Niedermayer @ 2025-07-23 11:45 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: use of uninitialized memory
Fixes: 394990189/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6431722199908352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mov.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index ccaa988e4be..8f1c5df3c96 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1407,7 +1407,9 @@ static int mov_read_adrm(MOVContext *c, AVIOContext *pb, MOVAtom atom)
avio_read(pb, output, 8); // go to offset 8, absolute position 0x251
avio_read(pb, input, DRM_BLOB_SIZE);
avio_read(pb, output, 4); // go to offset 4, absolute position 0x28d
- avio_read(pb, file_checksum, 20);
+ ret = ffio_read_size(pb, file_checksum, 20);
+ if (ret < 0)
+ goto fail;
// required by external tools
ff_data_to_hex(checksum_string, file_checksum, sizeof(file_checksum), 1);
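Review bot: only the last of the four reads in this block is checked; `avio_read(pb, input, DRM_BLOB_SIZE);` on the line above still discards its return value, so a file truncated inside the DRM blob leaves `input` partially unwritten exactly as `file_checksum` was before this patch. Suggest `ret = ffio_read_size(pb, input, DRM_BLOB_SIZE); if (ret < 0) goto fail;` as well, and turning the two `avio_read(pb, output, ...)` calls whose only purpose (per their comments) is advancing the position into avio_skip. The hunk also depends on `ret` and a `fail:` label already existing in mov_read_adrm, neither of which is in the shown context; confirm that `fail` releases anything the function allocated before this point, since the new early exit is the first error path taken after those allocations.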
--
2.50.1
* [FFmpeg-devel] [PATCH 3/4] avformat/mxfdec: Ensure klv->key is initialized
From: Michael Niedermayer @ 2025-07-23 11:45 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: read of uninitialized memory
Fixes: 391916474/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4935250956845056
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mxfdec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 0eed13d850d..184e97256cd 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -491,7 +491,9 @@ static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb)
return AVERROR_INVALIDDATA;
memcpy(klv->key, mxf_klv_key, 4);
- avio_read(pb, klv->key + 4, 12);
+ int ret = ffio_read_size(pb, klv->key + 4, 12);
+ if (ret < 0)
+ return ret;
length = klv_decode_ber_length(pb, &llen);
if (length < 0)
return length;
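Review bot: the change alters what callers see at a truncated end of file and the commit message should say so. Before, a file ending part way through the 12-byte key remainder produced a garbage key and klv_read_packet carried on to klv_decode_ber_length; now it returns the ffio_read_size error (AVERROR_INVALIDDATA on a short read). That is the right outcome, since the `return AVERROR_INVALIDDATA` two lines above already rejects a bad 4-byte prefix, but any caller that loops on klv_read_packet and only treats AVERROR_EOF as a normal stop will now surface a hard error for a file truncated mid-key; state that this is intended. Minor: `int ret` is declared after the memcpy statement; if the rest of this function keeps declarations at block start, move it up for consistency.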
--
2.50.1
* [FFmpeg-devel] [PATCH 4/4] avformat/vqf: Ensure that comm_chunk is fully read
From: Michael Niedermayer @ 2025-07-23 11:45 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: use of uninitialized memory
Fixes: 412125811/clusterfuzz-testcase-minimized-ffmpeg_dem_VQF_fuzzer-6253774274887680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/vqf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index 053720ea22f..fb668c16da3 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
@@ -144,7 +144,9 @@ static int vqf_read_header(AVFormatContext *s)
if (len < 12)
return AVERROR_INVALIDDATA;
- avio_read(s->pb, comm_chunk, 12);
+ ret = ffio_read_size(s->pb, comm_chunk, 12);
+ if (ret < 0)
+ return ret;
st->codecpar->ch_layout.nb_channels = AV_RB32(comm_chunk) + 1;
read_bitrate = AV_RB32(comm_chunk + 4);
rate_flag = AV_RB32(comm_chunk + 8);
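Review bot: the `len < 12` check above validates the declared chunk length and the new ffio_read_size call validates the bytes actually present, which is the right pair; two things in the visible context still deserve attention. First, the hunk assumes `ret` is already declared in vqf_read_header, which is not shown; confirm it. Second, `AV_RB32(comm_chunk) + 1` goes straight into nb_channels with no range check in this context: a stored value of 0xFFFFFFFF wraps to 0 and any large value passes through unchanged, so if no validation follows later in the function, reject channel counts outside a sane range right after this read rather than letting them reach the decoder.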
--
2.50.1
* Re: [FFmpeg-devel] [PATCH 3/4] avformat/mxfdec: Ensure klv->key is initialized
From: Tomas Härdin @ 2025-07-23 20:02 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Wed 2025-07-23 at 13:45 +0200, Michael Niedermayer wrote:
> Fixes: read of uninitialized memory
> Fixes: 391916474/clusterfuzz-testcase-minimized-
> ffmpeg_dem_MXF_fuzzer-4935250956845056
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mxfdec.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 0eed13d850d..184e97256cd 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -491,7 +491,9 @@ static int klv_read_packet(MXFContext *mxf,
> KLVPacket *klv, AVIOContext *pb)
> return AVERROR_INVALIDDATA;
>
> memcpy(klv->key, mxf_klv_key, 4);
> - avio_read(pb, klv->key + 4, 12);
> + int ret = ffio_read_size(pb, klv->key + 4, 12);
> + if (ret < 0)
> + return ret;
ret != 12 is better. If it's non-negative then return AVERROR_EOF
/Tomas
* Re: [FFmpeg-devel] [PATCH 3/4] avformat/mxfdec: Ensure klv->key is initialized
From: Marton Balint @ 2025-07-23 22:51 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Wed, 23 Jul 2025, Tomas Härdin wrote:
> Wed 2025-07-23 at 13:45 +0200, Michael Niedermayer wrote:
>> Fixes: read of uninitialized memory
>> Fixes: 391916474/clusterfuzz-testcase-minimized-
>> ffmpeg_dem_MXF_fuzzer-4935250956845056
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>> libavformat/mxfdec.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
>> index 0eed13d850d..184e97256cd 100644
>> --- a/libavformat/mxfdec.c
>> +++ b/libavformat/mxfdec.c
>> @@ -491,7 +491,9 @@ static int klv_read_packet(MXFContext *mxf,
>> KLVPacket *klv, AVIOContext *pb)
>> return AVERROR_INVALIDDATA;
>>
>> memcpy(klv->key, mxf_klv_key, 4);
>> - avio_read(pb, klv->key + 4, 12);
>> + int ret = ffio_read_size(pb, klv->key + 4, 12);
>> + if (ret < 0)
>> + return ret;
>
> ret != 12 is better. If it's non-negative then return AVERROR_EOF
ffio_read_size always returns the requested size or negative.
Also AVERROR_EOF would be a valid file ending, but a truncated read
clearly means AVERROR_INVALIDDATA, and that is exactly what
ffio_read_size() returns on a short read. So the patch is correct as is
IMHO.
Regards,
Marton
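The distinction Marton draws between a short read and a clean end of file is the whole patch series in miniature, so here is an added example (my own code, not FFmpeg's) that reproduces it against an in-memory byte source. MemIO, mem_read, mem_read_size, the READ_* constants and the sample chunk bytes are all stand-ins I constructed: mem_read follows the return convention of avio_read (bytes actually delivered, possibly fewer than asked), mem_read_size follows the ffio_read_size contract described above (the full size or a negative error, with a short read reported as invalid data rather than EOF), and the 12-byte chunk is laid out like the vqf COMM chunk from patch 4/4. The 0xAA fill in the unchecked parser stands in for stale stack content so the effect is deterministic rather than genuinely undefined.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for AVERROR_EOF / AVERROR_INVALIDDATA (assumed values; the real
 * FFmpeg constants are other negative numbers, only the sign matters here). */
enum { READ_EOF = -1, READ_INVALIDDATA = -2 };

/* Minimal in-memory byte source standing in for AVIOContext (assumption). */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} MemIO;

static MemIO mem_open(const uint8_t *data, size_t size)
{
    MemIO io = { data, size, 0 };
    return io;
}

/* Same contract as avio_read(): copies up to `size` bytes and returns how
 * many actually arrived, fewer than requested when the stream ends early,
 * READ_EOF when nothing is left. Bytes beyond the returned count are never
 * written, which is how a caller ends up reading its own stale buffer. */
static int mem_read(MemIO *io, uint8_t *buf, int size)
{
    size_t left = io->size - io->pos;
    if (left == 0)
        return READ_EOF;
    if ((size_t)size > left)
        size = (int)left;
    memcpy(buf, io->data + io->pos, (size_t)size);
    io->pos += (size_t)size;
    return size;
}

/* The contract the thread attributes to ffio_read_size(): exactly `size`
 * bytes or a negative error. A short read, including EOF before the first
 * byte, means a truncated structure and is reported as READ_INVALIDDATA,
 * not READ_EOF; any other error passes through unchanged. */
static int mem_read_size(MemIO *io, uint8_t *buf, int size)
{
    int ret = mem_read(io, buf, size);
    if (ret == size)
        return ret;
    if (ret < 0 && ret != READ_EOF)
        return ret;
    return READ_INVALIDDATA;
}

static uint32_t rb32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* A 12-byte header laid out like the vqf COMM chunk in patch 4/4. */
typedef struct {
    uint32_t channels;
    uint32_t bitrate;
    uint32_t rate_flag;
} CommChunk;

/* Pre-patch pattern: the read's return value is ignored, so on a truncated
 * stream the tail of comm[] is whatever was on the stack before the call.
 * The 0xAA fill is a deterministic stand-in for that stale content. */
static int parse_comm_unchecked(MemIO *io, CommChunk *out)
{
    uint8_t comm[12];
    memset(comm, 0xAA, sizeof comm);
    mem_read(io, comm, 12);
    out->channels  = rb32(comm) + 1;
    out->bitrate   = rb32(comm + 4);
    out->rate_flag = rb32(comm + 8);
    return 0;
}

/* Patched pattern: refuse to interpret comm[] unless all 12 bytes arrived. */
static int parse_comm_checked(MemIO *io, CommChunk *out)
{
    uint8_t comm[12];
    int ret = mem_read_size(io, comm, 12);
    if (ret < 0)
        return ret;
    out->channels  = rb32(comm) + 1;
    out->bitrate   = rb32(comm + 4);
    out->rate_flag = rb32(comm + 8);
    return 0;
}

/* Constructed sample chunk: channels-1 = 1, bitrate = 32000, rate_flag = 2. */
static const uint8_t SAMPLE_COMM[12] = {
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x7d, 0x00,
    0x00, 0x00, 0x00, 0x02,
};

int main(void)
{
    CommChunk c;
    MemIO io = mem_open(SAMPLE_COMM, sizeof SAMPLE_COMM);

    parse_comm_checked(&io, &c);
    printf("full chunk:         channels=%" PRIu32 " bitrate=%" PRIu32 " rate_flag=%" PRIu32 "\n",
           c.channels, c.bitrate, c.rate_flag);

    /* Stream cut 8 bytes into the chunk: the unchecked parser returns a
     * plausible channel count and bitrate next to a garbage rate_flag. */
    io = mem_open(SAMPLE_COMM, 8);
    parse_comm_unchecked(&io, &c);
    printf("truncated, unchecked: channels=%" PRIu32 " bitrate=%" PRIu32 " rate_flag=0x%08" PRIx32 " (stale)\n",
           c.channels, c.bitrate, c.rate_flag);

    io = mem_open(SAMPLE_COMM, 8);
    printf("truncated, checked:   ret=%d\n", parse_comm_checked(&io, &c));
    return 0;
}
```

The interesting case is the second one: nothing about the unchecked result looks wrong to downstream code (two channels, 32 kbit/s) until the stale field is used, which is why these bugs surface as MSan reports deep in a decoder rather than at the parser. The checked variant also shows Marton's point that an empty stream is not a "valid EOF" here: asking for 12 bytes and getting none is a truncated header, and mem_read_size reports it as invalid data.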