From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 1 Aug 2025 16:40:07 +0200
Message-ID: <20250801144007.GX29660@pb2>
References: <20250731224832.2546237-1-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/sanm: Checks related to negative left/top

On Fri, Aug 01, 2025 at 02:50:56PM +0200, Manuel Lauss wrote:
> On Fri, Aug 1, 2025 at 12:48 AM Michael Niedermayer
> wrote:
> >
> > Fixes: 423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5466731806261248
> > Fixes: out of array access
> >
> > CC: Manuel Lauss
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> > libavcodec/sanm.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
> > index 617b977ab70..d345f588463 100644
> > --- a/libavcodec/sanm.c
> > +++ b/libavcodec/sanm.c
> > @@ -1654,7 +1654,7 @@ static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb)
> > bytestream2_skip(gb, 2);
> > parm2 = bytestream2_get_le16u(gb);
> >
> > - if (w < 1 || h < 1 || w > 800 || h > 600 || left > 800 || top > 600) {
> > + if (w < 1 || h < 1 || w > 800 || h > 600 || left > 800 || top > 600 || left + w <= 0 || top + h <= 0) {
>
> OK, makes sense.
>
> > av_log(ctx->avctx, AV_LOG_WARNING,
> > "ignoring invalid fobj dimensions: c%d %d %d @ %d %d\n",
> > codec, w, h, left, top);
> > @@ -1715,7 +1715,7 @@ static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb)
> > }
> > }
> > } else {
> > - if (((left + w > ctx->width) || (top + h > ctx->height)) && fsc) {
> > + if (((left + w > ctx->width) || (top + h > ctx->height)) && (fsc || codec == 20)) {
>
> OK, does not break anything.
>
> > /* correct unexpected overly large frames: this happens
> > * for instance with The Dig's sq1.san video: it has a few
> > * (all black) 640x480 frames halfway in, while the rest is
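Review bot: the new `left + w <= 0 || top + h <= 0` terms in the first hunk (`@@ -1654`) only reject objects that lie entirely off the frame to the left or top; an object with a negative `left` or `top` that still overlaps the frame passes this check, so the code below must keep coping with negative offsets (for the non-full-frame path that is the `left >= 0 && top >= 0` guard around the blit). A short comment on the condition saying that partially off-screen objects are deliberately let through here and dropped later would make the intent clear and save the next reader from wondering whether `left < 0` should have been rejected outright.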
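Review bot: `codec == 20` in the second hunk (`@@ -1715`) is a bare magic number; the comment that follows only explains why `fsc` takes the frame-resize path (The Dig's sq1.san), not why codec 20 must take it too. Either name the codec with an existing constant or extend the comment with the reason, otherwise this reads as an unexplained special case that nobody will dare to remove later.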
> > @@ -1775,11 +1775,11 @@ static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb)
> > if ((w == ctx->width) && (h == ctx->height)) {
> > memcpy(ctx->fbuf, ctx->frm0, ctx->fbuf_size);
> > } else {
> > - uint8_t *dst = (uint8_t *)ctx->fbuf + left + top * ctx->pitch;
> > const uint8_t *src = (uint8_t *)ctx->frm0;
> > const int cw = FFMIN(w, ctx->width - left);
> > const int ch = FFMIN(h, ctx->height - top);
> > if ((cw > 0) && (ch > 0) && (left >= 0) && (top >= 0)) {
> > + uint8_t *dst = (uint8_t *)ctx->fbuf + left + top * ctx->pitch;
>
> OK
>
> > for (int i = 0; i < ch; i++) {
> > memcpy(dst, src, cw);
> > dst += ctx->pitch;
>
>
> Reviewed-by: Manuel Lauss

will apply

thx

[...]

--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

"Nothing to hide" only works if the folks in power share the values of
you and everyone you know entirely and always will -- Tom Scott
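Review bot: moving the `dst` computation inside the `(cw > 0) && (ch > 0) && (left >= 0) && (top >= 0)` guard in the third hunk (`@@ -1775`) is the right fix, since forming `ctx->fbuf + left + top * ctx->pitch` with a negative `left` or `top` already produces an out-of-bounds pointer before anything is dereferenced. Note that `cw` and `ch` are still computed from the unchecked `left`/`top` above the guard (`FFMIN(w, ctx->width - left)` grows when `left` is negative); that is harmless now because the copy is skipped, but a one-line comment stating that partially off-screen objects are dropped rather than clipped would document the behaviour for anyone later tempted to clip them instead.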