[FFmpeg-devel] [PATCH] Fix some oss-fuzz aborts (PR #20198)

From: "Kacper Michajłow" <code@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH] Fix some oss-fuzz aborts (PR #20198)
Date: Sat,  9 Aug 2025 18:26:54 +0300 (EEST)
Message-ID: <20250809152654.9153668D0D3@ffbox0-bg.ffmpeg.org> (raw)

PR #20198 opened by Kacper Michajłow (kasper93)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20198
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20198.patch


From 78a867c88ec2a46003ba04653662d4430f2b777e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Sat, 9 Aug 2025 16:49:17 +0200
Subject: [PATCH 1/5] avformat/lrcdec: limit input timestamp range to avoid
 overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-5226140131459072
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavformat/lrcdec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 7941c02c5d..2d57d52eff 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -78,7 +78,7 @@ static int64_t count_ts(const char *p)
 static int64_t read_ts(const char *p, int64_t *start)
 {
     int64_t offset = 0;
-    uint64_t mm;
+    uint32_t mm;
     double ss;
     char prefix[3];
 
@@ -88,8 +88,8 @@ static int64_t read_ts(const char *p, int64_t *start)
     if(p[offset] != '[') {
         return 0;
     }
-    int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
-    if (ret != 3 || prefix[0] != '[') {
+    int ret = sscanf(p, "%2[[-]%"SCNu32":%lf]", prefix, &mm, &ss);
+    if (ret != 3 || prefix[0] != '[' || ss < 0 || ss >= 60) {
         return 0;
     }
     *start = (mm * 60 + ss) * AV_TIME_BASE;
-- 
2.49.1


From 1fac48b536eec8148a242e3217fe7c2afcb6e2f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Sat, 9 Aug 2025 17:09:57 +0200
Subject: [PATCH 2/5] avcodec/g726: init missing sample rate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_G726_DEC_fuzzer-5695764455292928
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavcodec/g726.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/g726.c b/libavcodec/g726.c
index 5491b7eb7a..f41df3073f 100644
--- a/libavcodec/g726.c
+++ b/libavcodec/g726.c
@@ -455,6 +455,8 @@ static av_cold int g726_decode_init(AVCodecContext *avctx)
     g726_reset(c);
 
     avctx->sample_fmt = AV_SAMPLE_FMT_S16;
+    if (!avctx->sample_rate)
+        avctx->sample_rate = 8000;
 
     return 0;
 }
-- 
2.49.1


From f490d20a30dd591dbdd1004e009efa7633422ac3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Sat, 9 Aug 2025 17:11:25 +0200
Subject: [PATCH 3/5] avcodec/g728dec: init missing sample rate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: BAD BUILD: fuzzing /tmp/not-out/tmp0d_svy0e/ffmpeg_AV_CODEC_ID_G728_DEC_fuzzer with afl-fuzz failed
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavcodec/g728dec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/g728dec.c b/libavcodec/g728dec.c
index 9ab650f2cb..6403bcae46 100644
--- a/libavcodec/g728dec.c
+++ b/libavcodec/g728dec.c
@@ -96,6 +96,8 @@ static av_cold int g728_decode_init(AVCodecContext *avctx)
         s->sbg[NSBGSZ - 1 -i] = -GOFF;
 
     avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
+    if (!avctx->sample_rate)
+        avctx->sample_rate = 8000;
 
     av_channel_layout_uninit(&avctx->ch_layout);
     avctx->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO;
-- 
2.49.1


From d9c7779c14dc017c1d60eb55f32289be2df6e7d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Sat, 9 Aug 2025 17:14:19 +0200
Subject: [PATCH 4/5] avcodec/aac/aacdec: check also if sampler rate is not
 negative
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5560251133001728
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavcodec/aac/aacdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c
index 6a2aa9dc8e..c8d290da54 100644
--- a/libavcodec/aac/aacdec.c
+++ b/libavcodec/aac/aacdec.c
@@ -1181,7 +1181,7 @@ av_cold int ff_aac_decode_init(AVCodecContext *avctx)
     AACDecContext *ac = avctx->priv_data;
     int ret;
 
-    if (avctx->sample_rate > 96000)
+    if (avctx->sample_rate <= 0 || avctx->sample_rate > 96000)
         return AVERROR_INVALIDDATA;
 
     ff_aacdec_common_init_once();
-- 
2.49.1


From 46984103701df1a1a1941e500f3044cee969ad66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Sat, 9 Aug 2025 17:15:51 +0200
Subject: [PATCH 5/5] avcodec/libvorbisdec: avoid overflow when assinging
 sample rate from long to int
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_DEC_fuzzer-6096101407260672
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavcodec/libvorbisdec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c
index 7922261b2f..326ed4b4fe 100644
--- a/libavcodec/libvorbisdec.c
+++ b/libavcodec/libvorbisdec.c
@@ -114,6 +114,12 @@ static av_cold int oggvorbis_decode_init(AVCodecContext *avccontext)
         }
     }
 
+    if (context->vi.rate <= 0 || context->vi.rate > INT_MAX) {
+        av_log(avccontext, AV_LOG_ERROR, "vorbis rate is invalid\n");
+        ret = AVERROR_INVALIDDATA;
+        goto error;
+    }
+
     av_channel_layout_uninit(&avccontext->ch_layout);
     avccontext->ch_layout.order       = AV_CHANNEL_ORDER_UNSPEC;
     avccontext->ch_layout.nb_channels = context->vi.channels;
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
