* [FFmpeg-devel] [PATCH 1/4] avformat/replaygain: avoid undefined / negative abs
From: Michael Niedermayer @ 2022-10-29 19:13 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int'
Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/replaygain.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/replaygain.c b/libavformat/replaygain.c
index 24f5c74183..915bcb2382 100644
--- a/libavformat/replaygain.c
+++ b/libavformat/replaygain.c
@@ -60,7 +60,7 @@ static int32_t parse_value(const char *value, int32_t min)
}
}
- if (abs(db) > (INT32_MAX - mb) / 100000)
+ if (llabs(db) > (INT32_MAX - mb) / 100000)
return min;
return db * 100000 + sign * mb;
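Review bot: `llabs(db)` on the changed line is only safe because `db` is widened to long long before the sign is dropped; the Fixes line shows `db` reaching -2147483648 as an 'int', which is the case where plain `abs()` was undefined. Nothing in the hunk records that dependency, so a comment on that line, or an abs-free range check (`db < -limit || db > limit` with `limit = (INT32_MAX - mb) / 100000`), would keep the guard correct if the type of `db` ever changes. The final `db * 100000 + sign * mb` is still evaluated in the operands' own type, so this guard is the only thing keeping it in range.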
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/4] avcodec/cbs: Check ctx for NULL in ff_cbs_flush()
From: Michael Niedermayer @ 2022-10-29 19:13 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: null pointer dereference
Fixes: 52155/clusterfuzz-testcase-minimized-ffmpeg_BSF_DTS2PTS_fuzzer-5760107527143424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/cbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
index 504197e06d..9d59403f13 100644
--- a/libavcodec/cbs.c
+++ b/libavcodec/cbs.c
@@ -120,7 +120,7 @@ av_cold int ff_cbs_init(CodedBitstreamContext **ctx_ptr,
av_cold void ff_cbs_flush(CodedBitstreamContext *ctx)
{
- if (ctx->codec->flush)
+ if (ctx && ctx->codec->flush)
ctx->codec->flush(ctx);
}
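Review bot: With `ctx && ...` a NULL context becomes a silent no-op in `ff_cbs_flush()`, which hides whichever caller reached flush without a context from `ff_cbs_init()`. If NULL is meant to be an accepted argument, say so in the function's documentation; otherwise the check is better placed in the caller exercised by the fuzzer case (the DTS2PTS BSF), so that misuse of this function stays visible.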
--
2.17.1
* [FFmpeg-devel] [PATCH 3/4] avcodec/alsdec: The minimal block is at least 7 bits
From: Michael Niedermayer @ 2022-10-29 19:13 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/alsdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 17937ad928..eab382e74f 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1028,7 +1028,7 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd)
*bd->shift_lsbs = 0;
- if (get_bits_left(gb) < 1)
+ if (get_bits_left(gb) < 7)
return AVERROR_INVALIDDATA;
// read block type flag and read the samples accordingly
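Review bot: The bare `7` in `get_bits_left(gb) < 7` has no explanation in the code, and the commit message has no body beyond the subject line. A short comment listing which fields make up the 7-bit minimum block, or a named constant, would let a reader verify the bound and reuse it elsewhere in the decoder instead of repeating the literal.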
--
2.17.1
* [FFmpeg-devel] [PATCH 4/4] avcodec/alsdec: Check bits left before block decoding in non multi channel coding loop
From: Michael Niedermayer @ 2022-10-29 19:13 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Timeout
Fixes: 52161/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-6440216563154944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
libavcodec/alsdec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index eab382e74f..4605b2248f 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1660,7 +1660,8 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame)
if (!sconf->mc_coding || ctx->js_switch) {
int independent_bs = !sconf->joint_stereo;
-
+ if (get_bits_left(gb) < 7*channels*ctx->num_blocks)
+ return AVERROR_INVALIDDATA;
for (c = 0; c < channels; c++) {
js_blocks[0] = 0;
js_blocks[1] = 0;
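Review bot: `7*channels*ctx->num_blocks` on the added line is multiplied in the operands' own types with no visible bound on either factor, so a large product can wrap, and if either operand is unsigned a negative `get_bits_left(gb)` is converted and passes the check. Computing the product in `int64_t` and comparing against that avoids both. The literal 7 repeats the block minimum used in `read_block()` and deserves a shared constant, and the commit message lacks a Signed-off-by line.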
--
2.17.1
* Re: [FFmpeg-devel] [PATCH 2/4] avcodec/cbs: Check ctx for NULL in ff_cbs_flush()
From: Andreas Rheinhardt @ 2022-10-29 19:32 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: null pointer dereference
> Fixes: 52155/clusterfuzz-testcase-minimized-ffmpeg_BSF_DTS2PTS_fuzzer-5760107527143424
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/cbs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
> index 504197e06d..9d59403f13 100644
> --- a/libavcodec/cbs.c
> +++ b/libavcodec/cbs.c
> @@ -120,7 +120,7 @@ av_cold int ff_cbs_init(CodedBitstreamContext **ctx_ptr,
>
> av_cold void ff_cbs_flush(CodedBitstreamContext *ctx)
> {
> - if (ctx->codec->flush)
> + if (ctx && ctx->codec->flush)
> ctx->codec->flush(ctx);
> }
>
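Review bot: The new condition in the quoted hunk tests `ctx` but still reads `ctx->codec->flush` without checking `ctx->codec`. If a context can exist without `codec` set, the guard is incomplete; if it cannot, a one-line comment stating that invariant would explain why only `ctx` is tested.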
The check should be in the dts2pts bsf instead.
- Andreas
* Re: [FFmpeg-devel] [PATCH 1/4] avformat/replaygain: avoid undefined / negative abs
From: Michael Niedermayer @ 2022-11-04 21:48 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, Oct 29, 2022 at 09:13:50PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -2147483648 * 100000 cannot be represented in type 'int'
> Fixes: 52060/clusterfuzz-testcase-minimized-ffmpeg_dem_MP3_fuzzer-5131616708329472
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/replaygain.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundred thousand in war. Let country fall into chaos,
be surprised about raise of fundamentalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued
* Re: [FFmpeg-devel] [PATCH 3/4] avcodec/alsdec: The minimal block is at least 7 bits
From: Michael Niedermayer @ 2022-11-04 21:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, Oct 29, 2022 at 09:13:52PM +0200, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/alsdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Never trust a computer, one day, it may think you are the virus. -- Compn
* Re: [FFmpeg-devel] [PATCH 4/4] avcodec/alsdec: Check bits left before block decoding in non multi channel coding loop
From: Michael Niedermayer @ 2022-11-04 21:50 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Sat, Oct 29, 2022 at 09:13:53PM +0200, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 52161/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-6440216563154944
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> ---
> libavcodec/alsdec.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Many that live deserve death. And some that die deserve life. Can you give
it to them? Then do not be too eager to deal out death in judgement. For
even the very wise cannot see all ends. -- Gandalf