From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.ffmpeg.org (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id 5B07C400E2
	for <ffmpegdev@gitmailbox.com>; Tue, 19 Aug 2025 01:23:20 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.ffmpeg.org (Postfix) with ESMTP id 84F2268D485;
	Tue, 19 Aug 2025 04:23:16 +0300 (EEST)
Received: from c1ad6a1ecdc3 (code.ffmpeg.org [188.245.149.3])
 by ffbox0-bg.ffmpeg.org (Postfix) with ESMTPS id 27F4568D3D7
 for <ffmpeg-devel@ffmpeg.org>; Tue, 19 Aug 2025 04:23:15 +0300 (EEST)
MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] =?utf-8?q?=5BPATCH=5D_ff=5Flxf=5Funcompress_reall?=
 =?utf-8?q?oc_vs_av=5Ffast=5Frealloc_fix_=28PR_=2320280=29?=
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
From: michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: michaelni <code@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Message-Id: <20250819012316.84F2268D485@ffbox0-bg.ffmpeg.org>
Date: Tue, 19 Aug 2025 04:23:16 +0300 (EEST)
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250819012316.84F2268D485@ffbox0-bg.ffmpeg.org/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

PR #20280 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280.patch

ff_lxf_uncompress() reallocates the array which we allocated with av_fast_realloc(), 
this patchset fixes this by adding av_fast_realloc() support to ff_lxf_uncompress()



>From cee3985dd978103cab742b6cc5fa98aad9ad8608 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 19 Aug 2025 03:09:14 +0200
Subject: [PATCH 1/2] avcode: Use av_fast_realloc() in ff_lzf_uncompress()

Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Fixes: mixed up realloc() functions

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c     |  2 +-
 libavcodec/lzf.c     | 28 +++++++++++++++++++++++-----
 libavcodec/lzf.h     |  2 +-
 libavcodec/notchlc.c |  2 +-
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index dd82e450b1..b48ee76a88 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -828,7 +828,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
 static int dxv_decompress_lzf(AVCodecContext *avctx)
 {
     DXVContext *ctx = avctx->priv_data;
-    return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size);
+    return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size, &ctx->tex_data_size);
 }
 
 static int dxv_decompress_raw(AVCodecContext *avctx)
diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
index 94b369dd59..3e8780d599 100644
--- a/libavcodec/lzf.c
+++ b/libavcodec/lzf.c
@@ -37,7 +37,27 @@
 #define LZF_LITERAL_MAX (1 << 5)
 #define LZF_LONG_BACKREF 7 + 2
 
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
+
+static inline int lzf_realloc(uint8_t **buf, int64_t *size, int addition, unsigned *allocated_size)
+{
+    if (allocated_size) {
+        void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition);
+        if (!ptr) {
+            av_freep(buf); //probably not needed
+            return AVERROR(ENOMEM);
+        }
+        *buf = ptr;
+        *size += addition;
+
+        return 0;
+    } else {
+        //TODO remove this codepath after updating notchlc
+        *size += addition + *size / 2;
+        return av_reallocp(buf, *size);
+    }
+}
+
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size, unsigned *allocated_size)
 {
     int ret     = 0;
     uint8_t *p  = *buf;
@@ -49,8 +69,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
         if (s < LZF_LITERAL_MAX) {
             s++;
             if (s > *size - len) {
-                *size += s + *size /2;
-                ret = av_reallocp(buf, *size);
+                ret = lzf_realloc(buf, size, s, allocated_size);
                 if (ret < 0)
                     return ret;
                 p = *buf + len;
@@ -75,8 +94,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
                 return AVERROR_INVALIDDATA;
 
             if (l > *size - len) {
-                *size += l + *size / 2;
-                ret = av_reallocp(buf, *size);
+                ret = lzf_realloc(buf, size, l, allocated_size);
                 if (ret < 0)
                     return ret;
                 p = *buf + len;
diff --git a/libavcodec/lzf.h b/libavcodec/lzf.h
index 0ad73d9f79..5a89b6a876 100644
--- a/libavcodec/lzf.h
+++ b/libavcodec/lzf.h
@@ -24,6 +24,6 @@
 
 #include "bytestream.h"
 
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size);
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size, unsigned *allocated_size);
 
 #endif /* AVCODEC_LZF_H */
diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c
index 246a3e0174..51a94660cd 100644
--- a/libavcodec/notchlc.c
+++ b/libavcodec/notchlc.c
@@ -490,7 +490,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
         return AVERROR_PATCHWELCOME;
 
     if (s->format == 0) {
-        ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size);
+        ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size, NULL);
         if (ret < 0)
             return ret;
 
-- 
2.49.1


>From 19c8df9cc45d63361e578fa78c835712ea7b72a0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 19 Aug 2025 03:12:37 +0200
Subject: [PATCH 2/2] avcodec/dxv: Check coded_height, to avoid invalid
 av_clip()

Fixes: assertion failure
Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index b48ee76a88..c3fe5c5ab2 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -940,6 +940,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame,
         }
         break;
     }
+    if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1)
+        return AVERROR_INVALIDDATA;
 
     texdsp_ctx.slice_count  = av_clip(avctx->thread_count, 1,
                                       avctx->coded_height / TEXTURE_BLOCK_H);
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".