* [FFmpeg-devel] [PATCH 1/2] avcodec/ffv1enc_template: Fix remaining space check
From: Michael Niedermayer @ 2025-05-14 1:39 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Assertion sc->slice_coding_mode == 0 failed at libavcodec/ffv1enc.c:1667
Fixes: 408838118/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-6493138204295168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/ffv1enc_template.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/libavcodec/ffv1enc_template.c b/libavcodec/ffv1enc_template.c
index 64f3c420c51..aaf82159eef 100644
--- a/libavcodec/ffv1enc_template.c
+++ b/libavcodec/ffv1enc_template.c
@@ -38,19 +38,13 @@ RENAME(encode_line)(FFV1Context *f, FFV1SliceContext *sc,
if (bits == 0)
return 0;
- if (ac != AC_GOLOMB_RICE) {
- if (c->bytestream_end - c->bytestream < w * 35) {
+ if (sc->slice_coding_mode == 1) {
+ av_assert0(ac != AC_GOLOMB_RICE);
+ if (c->bytestream_end - c->bytestream < (w * bits + 7LL)>>3) {
av_log(logctx, AV_LOG_ERROR, "encoded Range Coder frame too large\n");
return AVERROR_INVALIDDATA;
}
- } else {
- if (put_bytes_left(&sc->pb, 0) < w * 4) {
- av_log(logctx, AV_LOG_ERROR, "encoded Golomb Rice frame too large\n");
- return AVERROR_INVALIDDATA;
- }
- }
- if (sc->slice_coding_mode == 1) {
for (x = 0; x < w; x++) {
int i;
int v = sample[0][x];
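Review bot: the new mode-1 bound `(w * bits + 7LL) >> 3` has no slack: it is the exact byte count of w samples of `bits` bits, so the check is only sufficient if the range coder never emits more than one byte per eight coded bits for this line (carry propagation or the final flush could add bytes). If it can, add a small constant margin; if it cannot, a one-line comment saying the bound is exact would save the next reader the same question. The `av_assert0(ac != AC_GOLOMB_RICE)` makes the reused "encoded Range Coder frame too large" message correct for this branch, which is fine.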
@@ -62,6 +56,18 @@ RENAME(encode_line)(FFV1Context *f, FFV1SliceContext *sc,
return 0;
}
+ if (ac != AC_GOLOMB_RICE) {
+ if (c->bytestream_end - c->bytestream < w * 35) {
+ av_log(logctx, AV_LOG_ERROR, "encoded Range Coder frame too large\n");
+ return AVERROR_INVALIDDATA;
+ }
+ } else {
+ if (put_bytes_left(&sc->pb, 0) < w * 4) {
+ av_log(logctx, AV_LOG_ERROR, "encoded Golomb Rice frame too large\n");
+ return AVERROR_INVALIDDATA;
+ }
+ }
+
for (x = 0; x < w; x++) {
int diff, context;
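Review bot: moving the `w * 35` / `w * 4` checks below the `slice_coding_mode == 1` block so that they only guard the normal coding path is the right structure, but both constants remain unexplained magic numbers; a short comment stating the worst-case bytes per sample each stands for (35 for the range coder, 4 for Golomb-Rice) would make future adjustments of these bounds, like the one in the first hunk, less error-prone.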
--
2.49.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Michael Niedermayer @ 2025-05-14 1:39 UTC (permalink / raw)
To: FFmpeg development discussions and patches
k is always 4 here and it seems this is not what was intended
replacing it with 0 works but it may be wrong
This needs review
Fixes: out of array read
Fixes: 409593384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-6488251907244032
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/sanm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 00bfef00fe8..ec429e1a002 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -734,7 +734,7 @@ static int old_codec4(SANMVideoContext *ctx, GetByteContext *gb, int top, int le
}
/* smooth top and left block borders with neighbours */
- if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
+ if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
|| ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
|| (i == 0) || (j == 0))
continue;
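Review bot: the lower-bound test now uses offset 0 while the upper-bound test still uses `k`, which per the commit message is always 4 here (the counter left over from the `for (k = 0; k < 4; k++)` loop quoted later in this thread). The smoothing code reads `dst[pxoff - p + k]` for k = 0..3, so `pxoff - p + 0 < 0` is now exact and `pxoff - p + 4 >= maxpxo` rejects one index more than needed, which is conservative and therefore safe. Since the commit message says the fix is based on gut feeling, spell the intent out instead of keeping a stale loop variable in the condition, e.g. `if ((pxoff - p) < 0 || (pxoff - p + 3) >= maxpxo`, and add a comment naming the accessed range; the dependence on `k` is what made the original bug hard to see.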
--
2.49.0
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Michael Niedermayer @ 2025-05-30 19:52 UTC (permalink / raw)
To: FFmpeg development discussions and patches; +Cc: Manuel Lauss
Hi Manuel
On Wed, May 14, 2025 at 03:39:53AM +0200, Michael Niedermayer wrote:
> k is always 4 here and it seems this is not what was intended
> replacing it with 0 works but it may be wrong
>
> This needs review
>
> Fixes: out of array read
> Fixes: 409593384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-6488251907244032
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/sanm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
please review, this patch is just written based on gut feeling,
it's just clear that the code before was buggy
thx
>
> diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
> index 00bfef00fe8..ec429e1a002 100644
> --- a/libavcodec/sanm.c
> +++ b/libavcodec/sanm.c
> @@ -734,7 +734,7 @@ static int old_codec4(SANMVideoContext *ctx, GetByteContext *gb, int top, int le
> }
>
> /* smooth top and left block borders with neighbours */
> - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> + if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
> || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> || (i == 0) || (j == 0))
> continue;
> --
> 2.49.0
>
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The smallest minority on earth is the individual. Those who deny
individual rights cannot claim to be defenders of minorities. - Ayn Rand
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Manuel Lauss @ 2025-05-30 20:54 UTC (permalink / raw)
To: Michael Niedermayer; +Cc: FFmpeg development discussions and patches
Hi Michael,
On Fri, May 30, 2025 at 9:52 PM Michael Niedermayer
<michael@niedermayer.cc> wrote:
>
> Hi Manuel
>
> On Wed, May 14, 2025 at 03:39:53AM +0200, Michael Niedermayer wrote:
> > k is always 4 here and it seems this is not what was intended
> > replacing it with 0 works but it may be wrong
> >
> > This needs review
> >
> > Fixes: out of array read
> > Fixes: 409593384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-6488251907244032
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/sanm.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> please review, this patch is just written based on gut feeling,
> it's just clear that the code before was buggy
> >
> > diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
> > index 00bfef00fe8..ec429e1a002 100644
> > --- a/libavcodec/sanm.c
> > +++ b/libavcodec/sanm.c
> > @@ -734,7 +734,7 @@ static int old_codec4(SANMVideoContext *ctx, GetByteContext *gb, int top, int le
> > }
> >
> > /* smooth top and left block borders with neighbours */
> > - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> > + if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
> > || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> > || (i == 0) || (j == 0))
> > continue;
Oops, yes, that change is correct.
I think you should just rip the whole block-smoothing block out
entirely: it creates a "sawtooth" pattern
which is more annoying than the "blockiness" it tries to soften.
Thanks!
Manuel
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Michael Niedermayer @ 2025-05-30 22:51 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Hi Manuel
On Fri, May 30, 2025 at 10:54:01PM +0200, Manuel Lauss wrote:
> Hi Michael,
>
> On Fri, May 30, 2025 at 9:52 PM Michael Niedermayer
> <michael@niedermayer.cc> wrote:
> >
> > Hi Manuel
> >
> > On Wed, May 14, 2025 at 03:39:53AM +0200, Michael Niedermayer wrote:
> > > k is always 4 here and it seems this is not what was intended
> > > replacing it with 0 works but it may be wrong
> > >
> > > This needs review
> > >
> > > Fixes: out of array read
> > > Fixes: 409593384/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-6488251907244032
> > >
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > > libavcodec/sanm.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > please review, this patch is just written based on gut feeling,
> > it's just clear that the code before was buggy
>
> > >
> > > diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
> > > index 00bfef00fe8..ec429e1a002 100644
> > > --- a/libavcodec/sanm.c
> > > +++ b/libavcodec/sanm.c
> > > @@ -734,7 +734,7 @@ static int old_codec4(SANMVideoContext *ctx, GetByteContext *gb, int top, int le
> > > }
> > >
> > > /* smooth top and left block borders with neighbours */
> > > - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> > > + if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
> > > || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> > > || (i == 0) || (j == 0))
> > > continue;
>
> Oops, yes, that change is correct.
will apply
> I think you should just rip the whole block-smoothing block out
> entirely: it creates a "sawtooth" pattern
> which is more annoying than the "blockiness" it tries to soften.
probably, but I just wanted to fix the out of array access,
I'll leave improvement beyond that to others
thx
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesnt understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Manuel Lauss @ 2025-06-03 10:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Servus Michael,
On Sat, May 31, 2025 at 12:51 AM Michael Niedermayer
<michael@niedermayer.cc> wrote:
> > > > /* smooth top and left block borders with neighbours */
> > > > - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > + if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> > > > || (i == 0) || (j == 0))
> > > > continue;
> >
> > Oops, yes, that change is correct.
>
> will apply
>
>
> > I think you should just rip the whole block-smoothing block out
> > entirely: it creates a "sawtooth" pattern
> > which is more annoying than the "blockiness" it tries to soften.
>
> probably, but I just wanted to fix the out of array access,
> I'll leave improvement beyond that to others
Is it OK if I just remove this block entirely? I'd commit that along
with the other 2 sanm patches I have.
Manuel
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Michael Niedermayer @ 2025-06-04 11:00 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Tue, Jun 03, 2025 at 12:30:40PM +0200, Manuel Lauss wrote:
> Servus Michael,
>
> On Sat, May 31, 2025 at 12:51 AM Michael Niedermayer
> <michael@niedermayer.cc> wrote:
>
> > > > > /* smooth top and left block borders with neighbours */
> > > > > - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > > + if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > > || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> > > > > || (i == 0) || (j == 0))
> > > > > continue;
> > >
> > > Oops, yes, that change is correct.
> >
> > will apply
> >
> >
> > > I think you should just rip the whole block-smoothing block out
> > > entirely: it creates a "sawtooth" pattern
> > > which is more annoying than the "blockiness" it tries to soften.
> >
> > probably, but I just wanted to fix the out of array access,
> > I'll leave improvement beyond that to others
>
> Is it OK if I just remove this block entirely? I'd commit that along
> with the other 2 sanm patches I have.
I think you don't understand the bug my change is fixing
It's an out of array access in:
for (k = 0; k < 4; k++)
*(dst + pxoff + k) = ((*(dst + pxoff + k) + *(dst + pxoff - p + k)) >> 1) & 0x7f;
The hunk:
/* smooth top and left block borders with neighbours */
if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
|| ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
|| (i == 0) || (j == 0))
continue;
skips this code. If the hunk is removed and nothing else is changed
it's MORE buggy as there will be more out of array accesses
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
For a strong democracy, genuine criticism is necessary, allegations benefit
noone, they just cause unnecessary conflicts. - Narendra Modi
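To make the off-by-k defect in this guard concrete, here is an added model (written for this thread, not FFmpeg code) of the guard before and after the one-character fix, next to an exhaustive check of every index the smoothing loop reads. `pxoff`, `p` and `maxpxo` follow the quoted code; the scan range, the 16x8 test buffer and the assumption that the `i == 0 || j == 0` skip has already been passed are constructed for the example.

```c
/* Added model of the guard in front of old_codec4()'s border smoothing,
 * written for this thread; it is not FFmpeg code. pxoff is the block's
 * top-left pixel offset, p the line pitch, maxpxo the pixel count of dst. */
#include <stdio.h>

/* Every index the smoothing code dereferences: the row above the block
 * (pxoff - p + k) and its own top row (pxoff + k) for k = 0..3, plus the
 * left neighbour of rows 1..3 (pxoff + n*p - 1) and those rows themselves. */
static int smoothing_in_bounds(long pxoff, long p, long maxpxo)
{
    for (int k = 0; k < 4; k++)
        if (pxoff - p + k < 0 || pxoff - p + k >= maxpxo ||
            pxoff + k < 0     || pxoff + k >= maxpxo)
            return 0;
    for (int n = 1; n < 4; n++)
        if (pxoff + n * p - 1 < 0 || pxoff + n * p >= maxpxo)
            return 0;
    return 1;
}

/* Guard before the patch. k is the counter left over from the preceding
 * "for (k = 0; k < 4; k++)" loop, so it is always 4 at this point.
 * Returns 1 when the block is skipped. */
static int guard_old(long pxoff, long p, long maxpxo)
{
    long k = 4;
    return (pxoff - p + k) < 0 || (pxoff - p + k) >= maxpxo
        || (pxoff + 3 * p) < 0 || (pxoff + 3 * p) >= maxpxo;
}

/* Guard after the patch: the lower bound is tested at offset 0, which is
 * the first index the loop actually reads. */
static int guard_new(long pxoff, long p, long maxpxo)
{
    long k = 4;
    return (pxoff - p + 0) < 0 || (pxoff - p + k) >= maxpxo
        || (pxoff + 3 * p) < 0 || (pxoff + 3 * p) >= maxpxo;
}

/* Scan block offsets around the buffer and count those a guard lets
 * through although the smoothing loop would read outside dst. If first
 * is non-NULL it receives the first escaping offset (-1 if none). */
static long count_escapes(int (*guard)(long, long, long),
                          long p, long maxpxo, long *first)
{
    long n = 0;
    if (first)
        *first = -1;
    for (long pxoff = -2 * p; pxoff < maxpxo + 2 * p; pxoff++) {
        if (guard(pxoff, p, maxpxo))
            continue;                       /* block skipped: no access */
        if (!smoothing_in_bounds(pxoff, p, maxpxo)) {
            if (first && *first < 0)
                *first = pxoff;
            n++;
        }
    }
    return n;
}

/* Convenience wrapper: only the first escaping offset. */
static long first_escape(int (*guard)(long, long, long), long p, long maxpxo)
{
    long first;
    count_escapes(guard, p, maxpxo, &first);
    return first;
}

int main(void)
{
    /* Constructed frame: 16 pixels per line, 8 lines. */
    long p = 16, maxpxo = 16 * 8;
    long bad_old = count_escapes(guard_old, p, maxpxo, NULL);
    long first   = first_escape(guard_old, p, maxpxo);
    printf("old guard: %ld escaping offsets, first at pxoff=%ld "
           "(reads dst[%ld])\n", bad_old, first, first - p);
    long bad_new = count_escapes(guard_new, p, maxpxo, NULL);
    printf("new guard: %ld escaping offsets\n", bad_new);
    return bad_new != 0;
}
```

With the old guard the offsets 12..15 pass the check although the first read, `dst[pxoff - p]`, lands below the buffer; the patched guard rejects all of them and lets no out-of-bounds read through.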
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Manuel Lauss @ 2025-06-04 20:06 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Servus Michael,
On Wed, Jun 4, 2025 at 1:00 PM Michael Niedermayer
<michael@niedermayer.cc> wrote:
>
> On Tue, Jun 03, 2025 at 12:30:40PM +0200, Manuel Lauss wrote:
> > Servus Michael,
> >
> > On Sat, May 31, 2025 at 12:51 AM Michael Niedermayer
> > <michael@niedermayer.cc> wrote:
> >
> > > > > > /* smooth top and left block borders with neighbours */
> > > > > > - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > > > + if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > > > || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> > > > > > || (i == 0) || (j == 0))
> > > > > > continue;
> > > >
> > > > Oops, yes, that change is correct.
> > >
> > > will apply
> > >
> > >
> > > > I think you should just rip the whole block-smoothing block out
> > > > entirely: it creates a "sawtooth" pattern
> > > > which is more annoying than the "blockiness" it tries to soften.
> > >
> > > probably, but I just wanted to fix the out of array access,
> > > I'll leave improvement beyond that to others
> >
> > Is it OK if I just remove this block entirely? I'd commit that along
> > with the other 2 sanm patches I have.
>
> I think you don't understand the bug my change is fixing
>
> It's an out of array access in:
> for (k = 0; k < 4; k++)
> *(dst + pxoff + k) = ((*(dst + pxoff + k) + *(dst + pxoff - p + k)) >> 1) & 0x7f;
>
> The hunk:
> /* smooth top and left block borders with neighbours */
> if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> || (i == 0) || (j == 0))
> continue;
>
> skips this code. If the hunk is removed and nothing else is changed
> it's MORE buggy as there will be more out of array accesses
I was thinking about this:
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 00bfef00fe..5912a8c14b 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -732,25 +732,6 @@ static int old_codec4(SANMVideoContext *ctx,
GetByteContext *gb, int top, int le
}
pxo2 = pxo2 - 4 + p;
}
-
- /* smooth top and left block borders with neighbours */
- if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
- || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
- || (i == 0) || (j == 0))
- continue;
- if (param & 0x80) {
- for (k = 0; k < 4; k++)
- *(dst + pxoff + k) = ((*(dst + pxoff + k) + *(dst
+ pxoff - p + k)) >> 1) | 0x80;
- *(dst + pxoff + 1 * p) = (*(dst + pxoff + 1 * p) +
*(dst + pxoff + 1 * p - 1)) >> 1 | 0x80;
- *(dst + pxoff + 2 * p) = (*(dst + pxoff + 2 * p) +
*(dst + pxoff + 2 * p - 1)) >> 1 | 0x80;
- *(dst + pxoff + 3 * p) = (*(dst + pxoff + 3 * p) +
*(dst + pxoff + 3 * p - 1)) >> 1 | 0x80;
- } else {
- for (k = 0; k < 4; k++)
- *(dst + pxoff + k) = ((*(dst + pxoff + k) + *(dst
+ pxoff - p + k)) >> 1) & 0x7f;
- *(dst + pxoff + 1 * p) = (*(dst + pxoff + 1 * p) +
*(dst + pxoff + 1 * p - 1)) >> 1;
- *(dst + pxoff + 2 * p) = (*(dst + pxoff + 2 * p) +
*(dst + pxoff + 2 * p - 1)) >> 1;
- *(dst + pxoff + 3 * p) = (*(dst + pxoff + 3 * p) +
*(dst + pxoff + 3 * p - 1)) >> 1;
- }
}
}
return 0;
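Review bot: removing the whole smoothing block is safe with respect to the out of array read only because the guard and the accesses it protects go away together and nothing else in the loop body follows them (the hunk ends at the loop's closing braces), which is worth stating in the commit message so the relation to the earlier one-character fix is clear. As pasted, the hunk will not apply: the mailer has wrapped the `@@` header and several of the long `*(dst + pxoff ...)` lines onto two lines, so send it with git send-email or as an attachment.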
Manuel
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/sanm: avoid using k in left pxoff check
From: Michael Niedermayer @ 2025-06-04 23:21 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Servus Manuel
On Wed, Jun 04, 2025 at 10:06:28PM +0200, Manuel Lauss wrote:
> Servus Michael,
>
> On Wed, Jun 4, 2025 at 1:00 PM Michael Niedermayer
> <michael@niedermayer.cc> wrote:
> >
> > On Tue, Jun 03, 2025 at 12:30:40PM +0200, Manuel Lauss wrote:
> > > Servus Michael,
> > >
> > > On Sat, May 31, 2025 at 12:51 AM Michael Niedermayer
> > > <michael@niedermayer.cc> wrote:
> > >
> > > > > > > /* smooth top and left block borders with neighbours */
> > > > > > > - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > > > > + if (((pxoff - p + 0) < 0) || ((pxoff - p + k) >= maxpxo)
> > > > > > > || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> > > > > > > || (i == 0) || (j == 0))
> > > > > > > continue;
> > > > >
> > > > > Oops, yes, that change is correct.
> > > >
> > > > will apply
> > > >
> > > >
> > > > > I think you should just rip the whole block-smoothing block out
> > > > > entirely: it creates a "sawtooth" pattern
> > > > > which is more annoying than the "blockiness" it tries to soften.
> > > >
> > > > probably, but I just wanted to fix the out of array access,
> > > > I'll leave improvement beyond that to others
> > >
> > > Is it OK if I just remove this block entirely? I'd commit that along
> > > with the other 2 sanm patches I have.
> >
> > I think you don't understand the bug my change is fixing
> >
> > It's an out of array access in:
> > for (k = 0; k < 4; k++)
> > *(dst + pxoff + k) = ((*(dst + pxoff + k) + *(dst + pxoff - p + k)) >> 1) & 0x7f;
> >
> > The hunk:
> > /* smooth top and left block borders with neighbours */
> > if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> > || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> > || (i == 0) || (j == 0))
> > continue;
> >
> > skips this code. If the hunk is removed and nothing else is changed
> > it's MORE buggy as there will be more out of array accesses
>
> I was thinking about this:
>
> diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
> index 00bfef00fe..5912a8c14b 100644
> --- a/libavcodec/sanm.c
> +++ b/libavcodec/sanm.c
> @@ -732,25 +732,6 @@ static int old_codec4(SANMVideoContext *ctx,
> GetByteContext *gb, int top, int le
> }
> pxo2 = pxo2 - 4 + p;
> }
> -
> - /* smooth top and left block borders with neighbours */
> - if (((pxoff - p + k) < 0) || ((pxoff - p + k) >= maxpxo)
> - || ((pxoff + 3 * p) < 0) || ((pxoff + 3 * p) >= maxpxo)
> - || (i == 0) || (j == 0))
> - continue;
> - if (param & 0x80) {
> - for (k = 0; k < 4; k++)
> - *(dst + pxoff + k) = ((*(dst + pxoff + k) + *(dst
> + pxoff - p + k)) >> 1) | 0x80;
> - *(dst + pxoff + 1 * p) = (*(dst + pxoff + 1 * p) +
> *(dst + pxoff + 1 * p - 1)) >> 1 | 0x80;
> - *(dst + pxoff + 2 * p) = (*(dst + pxoff + 2 * p) +
> *(dst + pxoff + 2 * p - 1)) >> 1 | 0x80;
> - *(dst + pxoff + 3 * p) = (*(dst + pxoff + 3 * p) +
> *(dst + pxoff + 3 * p - 1)) >> 1 | 0x80;
> - } else {
> - for (k = 0; k < 4; k++)
> - *(dst + pxoff + k) = ((*(dst + pxoff + k) + *(dst
> + pxoff - p + k)) >> 1) & 0x7f;
> - *(dst + pxoff + 1 * p) = (*(dst + pxoff + 1 * p) +
> *(dst + pxoff + 1 * p - 1)) >> 1;
> - *(dst + pxoff + 2 * p) = (*(dst + pxoff + 2 * p) +
> *(dst + pxoff + 2 * p - 1)) >> 1;
> - *(dst + pxoff + 3 * p) = (*(dst + pxoff + 3 * p) +
> *(dst + pxoff + 3 * p - 1)) >> 1;
> - }
> }
ahh, yes that's fine
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Into a blind darkness they enter who follow after the Ignorance,
they as if into a greater darkness enter who devote themselves
to the Knowledge alone. -- Isha Upanishad
* Re: [FFmpeg-devel] [PATCH 1/2] avcodec/ffv1enc_template: Fix remaining space check
From: Michael Niedermayer @ 2025-05-30 19:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
On Wed, May 14, 2025 at 03:39:52AM +0200, Michael Niedermayer wrote:
> Fixes: Assertion sc->slice_coding_mode == 0 failed at libavcodec/ffv1enc.c:1667
> Fixes: 408838118/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-6493138204295168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/ffv1enc_template.c | 24 +++++++++++++++---------
> 1 file changed, 15 insertions(+), 9 deletions(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Any man who breaks a law that conscience tells him is unjust and willingly
accepts the penalty by staying in jail in order to arouse the conscience of
the community on the injustice of the law is at that moment expressing the
very highest respect for law. - Martin Luther King Jr