[FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Check desc_bytes

[FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Check desc_bytes

[Michael Niedermayer]

Fixes: Division by 0
Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/matroskadec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 5a9acfb247..f433391a16 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -4216,6 +4216,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
             do {
                 int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset;
                 int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns;
+                if (desc_bytes <= 0)
+                    return -1;
                 double desc_sec = desc_ns / nano_seconds_per_second;
                 double calc_bits_per_second = (desc_bytes * 8) / desc_sec;
 
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/2] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned

[Michael Niedermayer]

Fixes: left shift of 32768 by 16 places cannot be represented in type 'int'
Fixes: Timeout
Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520
Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/jpeglsdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 269c71dc18..6ca723f797 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -191,7 +191,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state,
     if (RItype)
         temp += state->N[Q] >> 1;
 
-    for (k = 0; (state->N[Q] << k) < temp; k++)
+    for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
         ;
 
 #ifdef JLS_BROKEN
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Check desc_bytes

[Andreas Rheinhardt]

Michael Niedermayer:
> Fixes: Division by 0
> Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/matroskadec.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> index 5a9acfb247..f433391a16 100644
> --- a/libavformat/matroskadec.c
> +++ b/libavformat/matroskadec.c
> @@ -4216,6 +4216,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
>              do {
>                  int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset;
>                  int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns;
> +                if (desc_bytes <= 0)
> +                    return -1;
>                  double desc_sec = desc_ns / nano_seconds_per_second;
>                  double calc_bits_per_second = (desc_bytes * 8) / desc_sec;
>  

This should give a declaration-after-statement error.

- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Check desc_bytes

[Andreas Rheinhardt]

Andreas Rheinhardt:
> Michael Niedermayer:
>> Fixes: Division by 0
>> Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>  libavformat/matroskadec.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
>> index 5a9acfb247..f433391a16 100644
>> --- a/libavformat/matroskadec.c
>> +++ b/libavformat/matroskadec.c
>> @@ -4216,6 +4216,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
>>              do {
>>                  int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset;
>>                  int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns;
>> +                if (desc_bytes <= 0)
>> +                    return -1;
>>                  double desc_sec = desc_ns / nano_seconds_per_second;
>>                  double calc_bits_per_second = (desc_bytes * 8) / desc_sec;
>>  
> 
> This should give a declaration-after-statement error.
> 

s/error/warning/

- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Check desc_bytes

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1667 bytes --]

On Sat, Feb 05, 2022 at 10:58:28PM +0100, Andreas Rheinhardt wrote:
> Andreas Rheinhardt:
> > Michael Niedermayer:
> >> Fixes: Division by 0
> >> Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928
> >>
> >> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> ---
> >>  libavformat/matroskadec.c | 2 ++
> >>  1 file changed, 2 insertions(+)
> >>
> >> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> >> index 5a9acfb247..f433391a16 100644
> >> --- a/libavformat/matroskadec.c
> >> +++ b/libavformat/matroskadec.c
> >> @@ -4216,6 +4216,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
> >>              do {
> >>                  int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset;
> >>                  int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns;
> >> +                if (desc_bytes <= 0)
> >> +                    return -1;
> >>                  double desc_sec = desc_ns / nano_seconds_per_second;
> >>                  double calc_bits_per_second = (desc_bytes * 8) / desc_sec;
> >>  
> > 
> > This should give a declaration-after-statement error.
> > 
> 
> s/error/warning/

will split the declaration for the double and move them up

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/2] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 802 bytes --]

On Sat, Feb 05, 2022 at 08:53:04PM +0100, Michael Niedermayer wrote:
> Fixes: left shift of 32768 by 16 places cannot be represented in type 'int'
> Fixes: Timeout
> Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520
> Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/jpeglsdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are best at talking, realize last or never when they are wrong.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".