[FFmpeg-devel] [PATCH 1/5] avcodec/smacker: Move buffer allocation to later

[FFmpeg-devel] [PATCH 1/5] avcodec/smacker: Move buffer allocation to later

[Michael Niedermayer]

Reduces allocations on random input
Fixes: 421650030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-6144441767493632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/smacker.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index db464dfcf7d..bd08bc7be28 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -641,10 +641,6 @@ static int smka_decode_frame(AVCodecContext *avctx, AVFrame *frame,
                "The buffer does not contain an integer number of samples\n");
         return AVERROR_INVALIDDATA;
     }
-    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
-        return ret;
-    samples  = (int16_t *)frame->data[0];
-    samples8 =            frame->data[0];
 
     // Initialize
     for(i = 0; i < (1 << (bits + stereo)); i++) {
@@ -666,6 +662,12 @@ static int smka_decode_frame(AVCodecContext *avctx, AVFrame *frame,
         } else
             values[i] = h.entries[0].value;
     }
+
+    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+        return ret;
+    samples  = (int16_t *)frame->data[0];
+    samples8 =            frame->data[0];
+
     /* this codec relies on wraparound instead of clipping audio */
     if(bits) { //decode 16-bit data
         for(i = stereo; i >= 0; i--)
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/5] avcodec/smacker: Check input before allocation

[Michael Niedermayer]

Fixes: Timeout
Fixes: 421650030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-6144441767493632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/smacker.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index bd08bc7be28..99009bfd361 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -662,6 +662,10 @@ static int smka_decode_frame(AVCodecContext *avctx, AVFrame *frame,
         } else
             values[i] = h.entries[0].value;
     }
+    if (get_bits_left(&gb) < (stereo+1) * (bits+1) * 8) {
+        ret = AVERROR_INVALIDDATA;
+        goto error;
+    }
 
     if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
         return ret;
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/5] avcodec/smacker: Check input before allocation

[Andreas Rheinhardt]

Michael Niedermayer:
> Fixes: Timeout
> Fixes: 421650030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-6144441767493632
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/smacker.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
> index bd08bc7be28..99009bfd361 100644
> --- a/libavcodec/smacker.c
> +++ b/libavcodec/smacker.c
> @@ -662,6 +662,10 @@ static int smka_decode_frame(AVCodecContext *avctx, AVFrame *frame,
>          } else
>              values[i] = h.entries[0].value;
>      }
> +    if (get_bits_left(&gb) < (stereo+1) * (bits+1) * 8) {
> +        ret = AVERROR_INVALIDDATA;
> +        goto error;
> +    }
>  
>      if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
>          return ret;

What about constant output (which you even optimized in
08e82e5b572b440f4faf160d2eac923ca47a59f8)?

- Andreas

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/5] avcodec/smacker: Check input before allocation

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1795 bytes --]

On Thu, Jul 03, 2025 at 09:14:42PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: Timeout
> > Fixes: 421650030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-6144441767493632
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/smacker.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
> > index bd08bc7be28..99009bfd361 100644
> > --- a/libavcodec/smacker.c
> > +++ b/libavcodec/smacker.c
> > @@ -662,6 +662,10 @@ static int smka_decode_frame(AVCodecContext *avctx, AVFrame *frame,
> >          } else
> >              values[i] = h.entries[0].value;
> >      }
> > +    if (get_bits_left(&gb) < (stereo+1) * (bits+1) * 8) {
> > +        ret = AVERROR_INVALIDDATA;
> > +        goto error;
> > +    }
> >  
> >      if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
> >          return ret;
> 
> What about constant output (which you even optimized in
> 08e82e5b572b440f4faf160d2eac923ca47a59f8)?

from this:

    if(bits) { //decode 16-bit data
        for(i = stereo; i >= 0; i--)
            pred[i] = av_bswap16(get_bits(&gb, 16));
...
    } else { //8-bit data
        for(i = stereo; i >= 0; i--)
            pred[i] = get_bits(&gb, 8);
...
    }

I assumed that there are at least (stereo+1) * (bits+1) * 8 bits
bits can only be 0 or 1

did i miss something ?

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Does the universe only have a finite lifespan? No, its going to go on
forever, its just that you wont like living in it. -- Hiranya Peiri

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/5] avcodec/smacker: Check input before allocation

[Andreas Rheinhardt]

Michael Niedermayer:
> On Thu, Jul 03, 2025 at 09:14:42PM +0200, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> Fixes: Timeout
>>> Fixes: 421650030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-6144441767493632
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>  libavcodec/smacker.c | 4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
>>> index bd08bc7be28..99009bfd361 100644
>>> --- a/libavcodec/smacker.c
>>> +++ b/libavcodec/smacker.c
>>> @@ -662,6 +662,10 @@ static int smka_decode_frame(AVCodecContext *avctx, AVFrame *frame,
>>>          } else
>>>              values[i] = h.entries[0].value;
>>>      }
>>> +    if (get_bits_left(&gb) < (stereo+1) * (bits+1) * 8) {
>>> +        ret = AVERROR_INVALIDDATA;
>>> +        goto error;
>>> +    }
>>>  
>>>      if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
>>>          return ret;
>>
>> What about constant output (which you even optimized in
>> 08e82e5b572b440f4faf160d2eac923ca47a59f8)?
> 
> from this:
> 
>     if(bits) { //decode 16-bit data
>         for(i = stereo; i >= 0; i--)
>             pred[i] = av_bswap16(get_bits(&gb, 16));
> ...
>     } else { //8-bit data
>         for(i = stereo; i >= 0; i--)
>             pred[i] = get_bits(&gb, 8);
> ...
>     }
> 
> I assumed that there are at least (stereo+1) * (bits+1) * 8 bits
> bits can only be 0 or 1
> 
> did i miss something ?
> 
No. Seems fine.

- Andreas

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/5] avcodec/get_bits: Use FF_PTR_ADD() in init_get_bits()

[Michael Niedermayer]

Fixes: NULL + 0
Fixes: 421817631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-4957386534354944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/get_bits.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
index 19542965697..bf6929aa65d 100644
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -511,7 +511,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
     s->buffer             = buffer;
     s->size_in_bits       = bit_size;
     s->size_in_bits_plus8 = bit_size + 8;
-    s->buffer_end         = buffer + buffer_size;
+    s->buffer_end         = buffer_size ? buffer + buffer_size : buffer;
     s->index              = 0;
 
     return ret;
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/5] avcodec/get_bits: Use FF_PTR_ADD() in init_get_bits()

[Kieran Kunhya via ffmpeg-devel]

[-- Attachment #1: Type: message/rfc822, Size: 4487 bytes --]

From: Kieran Kunhya <kieran618@googlemail.com>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 3/5] avcodec/get_bits: Use FF_PTR_ADD() in init_get_bits()
Date: Thu, 3 Jul 2025 08:26:23 +0100
Message-ID: <CABGuwEk4Wh7N68xaNNPZwHZ0ALgUjozGxAxzoVJ+PB6NX+6nDw@mail.gmail.com>

On Thu, 3 Jul 2025, 03:02 Michael Niedermayer, <michael@niedermayer.cc>
wrote:

> Fixes: NULL + 0
> Fixes:
> 421817631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-4957386534354944
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/get_bits.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
> index 19542965697..bf6929aa65d 100644
> --- a/libavcodec/get_bits.h
> +++ b/libavcodec/get_bits.h
> @@ -511,7 +511,7 @@ static inline int init_get_bits(GetBitContext *s,
> const uint8_t *buffer,
>      s->buffer             = buffer;
>      s->size_in_bits       = bit_size;
>      s->size_in_bits_plus8 = bit_size + 8;
> -    s->buffer_end         = buffer + buffer_size;
> +    s->buffer_end         = buffer_size ? buffer + buffer_size : buffer;
>      s->index              = 0;
>
>      return ret;
> --
> 2.49.0
>

Doesn't match commit message

>

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/5] avcodec/get_bits: Use FF_PTR_ADD() in init_get_bits()

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 2079 bytes --]

On Thu, Jul 03, 2025 at 08:26:23AM +0100, Kieran Kunhya via ffmpeg-devel wrote:
> Date: Thu, 3 Jul 2025 08:26:23 +0100
> From: Kieran Kunhya <kieran618@googlemail.com>
> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> Subject: Re: [FFmpeg-devel] [PATCH 3/5] avcodec/get_bits: Use FF_PTR_ADD() in init_get_bits()
> 
> On Thu, 3 Jul 2025, 03:02 Michael Niedermayer, <michael@niedermayer.cc>
> wrote:
> 
> > Fixes: NULL + 0
> > Fixes:
> > 421817631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-4957386534354944
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by
> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/get_bits.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
> > index 19542965697..bf6929aa65d 100644
> > --- a/libavcodec/get_bits.h
> > +++ b/libavcodec/get_bits.h
> > @@ -511,7 +511,7 @@ static inline int init_get_bits(GetBitContext *s,
> > const uint8_t *buffer,
> >      s->buffer             = buffer;
> >      s->size_in_bits       = bit_size;
> >      s->size_in_bits_plus8 = bit_size + 8;
> > -    s->buffer_end         = buffer + buffer_size;
> > +    s->buffer_end         = buffer_size ? buffer + buffer_size : buffer;
> >      s->index              = 0;
> >
> >      return ret;
> > --
> > 2.49.0
> >
> 
> Doesn't match commit message

yes, i didnt like either variant FF_PTR_ADD() needs #include internal.h
which thenb gets included in most of the codebase

ill post a better patch that avoids the bad arguments before init_get_bits*
is called

thx


[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Take away the freedom of one citizen and you will be jailed, take away
the freedom of all citizens and you will be congratulated by your peers
in Parliament.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/5] avcodec/apv_dsp: Avoid UB overflow in dequant

[Michael Niedermayer]

Fixes: signed integer overflow: 33632416 * 64 cannot be represented in type 'int'
Fixes: 421817631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-4957386534354944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/apv_dsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/apv_dsp.c b/libavcodec/apv_dsp.c
index 07bb34ec0bf..8fbabcf63db 100644
--- a/libavcodec/apv_dsp.c
+++ b/libavcodec/apv_dsp.c
@@ -58,8 +58,8 @@ static void apv_decode_transquant_c(void *output,
 
         for (int y = 0; y < 8; y++) {
             for (int x = 0; x < 8; x++) {
-                int coeff = (input[y][x] * qmatrix[y][x] * (1 << qp_shift) +
-                             (1 << (bd_shift - 1))) >> bd_shift;
+                int coeff = ((int)(input[y][x] * qmatrix[y][x] * (1U << qp_shift) +
+                             (1 << (bd_shift - 1)))) >> bd_shift;
 
                 scaled_coeff[y][x] =
                     av_clip(coeff, APV_MIN_TRANS_COEFF,
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 5/5] tools/target_dec_fuzzer: Adjust HQX threshold

[Michael Niedermayer]

Fixes: Timeout
Fixes: 421943287/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQX_fuzzer-5033725399728128

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 96d65c7b69e..cee8993c924 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -254,6 +254,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     case AV_CODEC_ID_HEVC:        maxpixels  /= 16384; break;
     case AV_CODEC_ID_HNM4_VIDEO:  maxpixels  /= 128;   break;
     case AV_CODEC_ID_HQ_HQA:      maxpixels  /= 128;   break;
+    case AV_CODEC_ID_HQX:         maxpixels  /= 4096;  break;
     case AV_CODEC_ID_IFF_ILBM:    maxpixels  /= 4096;  break;
     case AV_CODEC_ID_INDEO4:      maxpixels  /= 128;   break;
     case AV_CODEC_ID_INDEO5:      maxpixels  /= 1024;  break;
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".