* [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA @ 2023-09-13 23:47 Michael Niedermayer 2023-09-13 23:47 ` [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths() Michael Niedermayer ` (2 more replies) 0 siblings, 3 replies; 5+ messages in thread From: Michael Niedermayer @ 2023-09-13 23:47 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: Timeout Fixes: 62120/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5647877768347648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index c3f88ef49f6..8e66f378462 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -261,6 +261,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_MSZH: maxpixels /= 128; break; case AV_CODEC_ID_MTS2: maxpixels /= 4096; break; case AV_CODEC_ID_MVC2: maxpixels /= 128; break; + case AV_CODEC_ID_MVHA: maxpixels /= 16384; break; case AV_CODEC_ID_MVDV: maxpixels /= 1024; break; case AV_CODEC_ID_MWSC: maxpixels /= 256; break; case AV_CODEC_ID_MXPEG: maxpixels /= 128; break; -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
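Review bot: The new `case AV_CODEC_ID_MVHA:` line is inserted between `AV_CODEC_ID_MVC2` and `AV_CODEC_ID_MVDV`, which breaks the alphabetical ordering the surrounding cases follow (MSZH, MTS2, MVC2, MVDV, MWSC, MXPEG); it belongs after the MVDV line. A short note next to the new case, or a sentence in the commit message, saying why 16384 is the chosen divisor (the timeout case it is sized against) would help whoever has to retune these thresholds later, since none of the neighbouring divisors carry a rationale either.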
* [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths() 2023-09-13 23:47 [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA Michael Niedermayer @ 2023-09-13 23:47 ` Michael Niedermayer 2023-09-26 9:35 ` Paul B Mahol 2023-09-13 23:47 ` [FFmpeg-devel] [PATCH 3/3] avcodec/aacdec_template: Better avoidance of signed integer overflow in imdct_and_windowing_eld() Michael Niedermayer 2023-10-03 14:28 ` [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA Michael Niedermayer 2 siblings, 1 reply; 5+ messages in thread From: Michael Niedermayer @ 2023-09-13 23:47 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: use after free Fixes: 62153/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4702814909366272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/vlc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index b353d2e86c2..f4bab0ae529 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c 
@@ -471,10 +471,13 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int goto fail; } } - ret = vlc_common_end(vlc, nb_bits, j, buf, flags, localbuf); + ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf); if (ret < 0) goto fail; - return vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx); + ret = vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, logctx); + if (buf != localbuf) + av_free(buf); + return ret; fail: if (buf != localbuf) av_free(buf); -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
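Review bot: In the `vlc_common_end(vlc, nb_bits, j, buf, flags, buf)` call, passing `buf` where `localbuf` used to go reads like a trick to stop vlc_common_end from freeing `buf` (the `if (buf != localbuf) av_free(buf);` idiom visible in the fail: path suggests that comparison is what the last argument controls), so that `buf` stays valid for the following `vlc_multi_gen(..., buf, logctx)` call and is freed only afterwards. That ordering is the right fix for the use after free the commit message cites, but the intent is invisible at the call site; a comment such as `/* pass buf as localbuf so vlc_common_end does not free it; freed below after vlc_multi_gen */` would stop someone "correcting" it back to `localbuf`. The success path and the fail: path now also carry an identical `if (buf != localbuf) av_free(buf);` pair, which could be folded into a single exit label.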
* Re: [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths() 2023-09-13 23:47 ` [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths() Michael Niedermayer @ 2023-09-26 9:35 ` Paul B Mahol 0 siblings, 0 replies; 5+ messages in thread From: Paul B Mahol @ 2023-09-26 9:35 UTC (permalink / raw) To: FFmpeg development discussions and patches On Thu, Sep 14, 2023 at 1:48 AM Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: use after free > Fixes: > 62153/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4702814909366272 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/vlc.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c > index b353d2e86c2..f4bab0ae529 100644 > --- a/libavcodec/vlc.c > +++ b/libavcodec/vlc.c 
> @@ -471,10 +471,13 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, > VLC_MULTI *multi, int nb_bits, int > goto fail; > } > } > - ret = vlc_common_end(vlc, nb_bits, j, buf, flags, localbuf); > + ret = vlc_common_end(vlc, nb_bits, j, buf, flags, buf); > if (ret < 0) > goto fail; > - return vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, > logctx); > + ret = vlc_multi_gen(multi->table, vlc, nb_elems, j, nb_bits, buf, > logctx); > + if (buf != localbuf) > + av_free(buf); > + return ret; > fail: > if (buf != localbuf) > av_free(buf); > -- > 2.17.1 > > LGTM > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
* [FFmpeg-devel] [PATCH 3/3] avcodec/aacdec_template: Better avoidance of signed integer overflow in imdct_and_windowing_eld() 2023-09-13 23:47 [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA Michael Niedermayer 2023-09-13 23:47 ` [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths() Michael Niedermayer @ 2023-09-13 23:47 ` Michael Niedermayer 2023-10-03 14:28 ` [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA Michael Niedermayer 2 siblings, 0 replies; 5+ messages in thread From: Michael Niedermayer @ 2023-09-13 23:47 UTC (permalink / raw) To: FFmpeg development discussions and patches Fixes: 62171/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5644657180409856 Fixes: signed integer overflow: 2 * 1079352273 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/aacdec_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 51a4cb2b66f..954399f86bb 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c 
@@ -2856,8 +2856,8 @@ static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce) ac->mdct512_fn(ac->mdct512, buf, in, sizeof(INTFLOAT)); for (i = 0; i < n; i+=2) { - buf[i + 0] = -(int)(USE_FIXED + 1U)*buf[i + 0]; - buf[i + 1] = (int)(USE_FIXED + 1U)*buf[i + 1]; + buf[i + 0] = -(UINTFLOAT)(USE_FIXED + 1)*buf[i + 0]; + buf[i + 1] = (UINTFLOAT)(USE_FIXED + 1)*buf[i + 1]; } // Like with the regular IMDCT at this point we still have the middle half // of a transform but with even symmetry on the left and odd symmetry on -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". ^ permalink raw reply [flat|nested] 5+ messages in thread
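Review bot: The replacement `(UINTFLOAT)(USE_FIXED + 1)` makes the scaling multiply unsigned in the fixed-point build, which removes the `2 * 1079352273` signed overflow the fuzzer reported, but the product is then stored back into the signed `buf[i]` element, so the code now relies on the wrap through the unsigned-to-signed conversion; that is the usual FFmpeg approach, and a one-line comment on the loop saying the cast is deliberate overflow avoidance would keep it from being "cleaned up" later. The change also assumes UINTFLOAT is the floating-point type in the non-fixed build, which the hunk does not show; if it were an unsigned type there, `-(UINTFLOAT)1` would become a large positive value before being multiplied into `buf[i]`, so this is worth confirming against the macro definition.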
* Re: [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA 2023-09-13 23:47 [FFmpeg-devel] [PATCH 1/3] tools/target_dec_fuzzer: Adjust threshold for MVHA Michael Niedermayer 2023-09-13 23:47 ` [FFmpeg-devel] [PATCH 2/3] avcodec/vlc: Attempt to free buf after use in ff_vlc_init_multi_from_lengths() Michael Niedermayer 2023-09-13 23:47 ` [FFmpeg-devel] [PATCH 3/3] avcodec/aacdec_template: Better avoidance of signed integer overflow in imdct_and_windowing_eld() Michael Niedermayer @ 2023-10-03 14:28 ` Michael Niedermayer 2 siblings, 0 replies; 5+ messages in thread From: Michael Niedermayer @ 2023-10-03 14:28 UTC (permalink / raw) To: FFmpeg development discussions and patches On Thu, Sep 14, 2023 at 01:47:32AM +0200, Michael Niedermayer wrote: > Fixes: Timeout > Fixes: 62120/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5647877768347648 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > tools/target_dec_fuzzer.c | 1 + > 1 file changed, 1 insertion(+) will apply patchset [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The worst form of inequality is to try to make unequal things equal. -- Aristotle