* [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate
@ 2023-09-20 0:30 Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 2/5] avcodec/flacdec: Fix integer overflow in "33bit" DECODER_SUBFRAME_FIXED_WIDE() Michael Niedermayer
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Michael Niedermayer @ 2023-09-20 0:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 538976288 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6275845531238400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/flacdec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 524a0469495..0569f019b3a 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -706,10 +706,10 @@ static void decorrelate_33bps(int ch_mode, int32_t **decoded, int64_t *decoded_3
int i;
if (ch_mode == FLAC_CHMODE_LEFT_SIDE ) {
for (i = 0; i < len; i++)
- decoded[1][i] = decoded[0][i] - decoded_33bps[i];
+ decoded[1][i] = decoded[0][i] - (uint64_t)decoded_33bps[i];
} else if (ch_mode == FLAC_CHMODE_RIGHT_SIDE ) {
for (i = 0; i < len; i++)
- decoded[0][i] = decoded[1][i] + decoded_33bps[i];
+ decoded[0][i] = decoded[1][i] + (uint64_t)decoded_33bps[i];
} else if (ch_mode == FLAC_CHMODE_MID_SIDE ) {
for (i = 0; i < len; i++) {
uint64_t a = decoded[0][i];
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* [FFmpeg-devel] [PATCH 2/5] avcodec/flacdec: Fix integer overflow in "33bit" DECODER_SUBFRAME_FIXED_WIDE()
2023-09-20 0:30 [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
@ 2023-09-20 0:30 ` Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 3/5] avcodec/utvideodec: move allocation to the end of init Michael Niedermayer
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Michael Niedermayer @ 2023-09-20 0:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 4 * 2307917133220067266 cannot be represented in type 'long'
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6307690022043648
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/flacdec.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 0569f019b3a..ed2de14d0a9 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -366,19 +366,19 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded,
break; \
case 1: \
for (int i = pred_order; i < blocksize; i++) \
- decoded[i] = (int64_t)residual[i] + (int64_t)decoded[i-1];\
+ decoded[i] = (uint64_t)residual[i] + (uint64_t)decoded[i-1];\
break; \
case 2: \
for (int i = pred_order; i < blocksize; i++) \
- decoded[i] = (int64_t)residual[i] + 2*(int64_t)decoded[i-1] - (int64_t)decoded[i-2]; \
+ decoded[i] = (uint64_t)residual[i] + 2*(uint64_t)decoded[i-1] - (uint64_t)decoded[i-2]; \
break; \
case 3: \
for (int i = pred_order; i < blocksize; i++) \
- decoded[i] = (int64_t)residual[i] + 3*(int64_t)decoded[i-1] - 3*(int64_t)decoded[i-2] + (int64_t)decoded[i-3]; \
+ decoded[i] = (uint64_t)residual[i] + 3*(uint64_t)decoded[i-1] - 3*(uint64_t)decoded[i-2] + (uint64_t)decoded[i-3]; \
break; \
case 4: \
for (int i = pred_order; i < blocksize; i++) \
- decoded[i] = (int64_t)residual[i] + 4*(int64_t)decoded[i-1] - 6*(int64_t)decoded[i-2] + 4*(int64_t)decoded[i-3] - (int64_t)decoded[i-4]; \
+ decoded[i] = (uint64_t)residual[i] + 4*(uint64_t)decoded[i-1] - 6*(uint64_t)decoded[i-2] + 4*(uint64_t)decoded[i-3] - (uint64_t)decoded[i-4]; \
break; \
default: \
av_log(s->avctx, AV_LOG_ERROR, "illegal pred order %d\n", pred_order); \
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* [FFmpeg-devel] [PATCH 3/5] avcodec/utvideodec: move allocation to the end of init
2023-09-20 0:30 [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 2/5] avcodec/flacdec: Fix integer overflow in "33bit" DECODER_SUBFRAME_FIXED_WIDE() Michael Niedermayer
@ 2023-09-20 0:30 ` Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail Michael Niedermayer
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Michael Niedermayer @ 2023-09-20 0:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: mem leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-6666804266926080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/utvideodec.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 7ee07209d47..4987ee0196a 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -985,10 +985,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
return AVERROR_INVALIDDATA;
}
- c->buffer = av_calloc(avctx->width + 8, c->pro?2:1);
- if (!c->buffer)
- return AVERROR(ENOMEM);
-
av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, &h_shift, &v_shift);
if ((avctx->width & ((1<<h_shift)-1)) ||
(avctx->height & ((1<<v_shift)-1))) {
@@ -1036,6 +1032,10 @@ static av_cold int decode_init(AVCodecContext *avctx)
return AVERROR_INVALIDDATA;
}
+ c->buffer = av_calloc(avctx->width + 8, c->pro?2:1);
+ if (!c->buffer)
+ return AVERROR(ENOMEM);
+
return 0;
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* [FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail
2023-09-20 0:30 [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 2/5] avcodec/flacdec: Fix integer overflow in "33bit" DECODER_SUBFRAME_FIXED_WIDE() Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 3/5] avcodec/utvideodec: move allocation to the end of init Michael Niedermayer
@ 2023-09-20 0:30 ` Michael Niedermayer
2023-09-26 9:36 ` Paul B Mahol
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 5/5] avformat/avs: Check if return code is representable Michael Niedermayer
2023-10-03 14:26 ` [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
4 siblings, 1 reply; 7+ messages in thread
From: Michael Niedermayer @ 2023-09-20 0:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_fuzzer-6449246523752448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/vlc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
index 3b66c943546..acc081e8b74 100644
--- a/libavcodec/vlc.c
+++ b/libavcodec/vlc.c
@@ -478,6 +478,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int
fail:
if (buf != localbuf)
av_free(buf);
+ ff_vlc_free_multi(multi);
return AVERROR_INVALIDDATA;
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* [FFmpeg-devel] [PATCH 5/5] avformat/avs: Check if return code is representable
2023-09-20 0:30 [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
` (2 preceding siblings ...)
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail Michael Niedermayer
@ 2023-09-20 0:30 ` Michael Niedermayer
2023-10-03 14:26 ` [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
4 siblings, 0 replies; 7+ messages in thread
From: Michael Niedermayer @ 2023-09-20 0:30 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_dem_AVS_fuzzer-6738814988320768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/avs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/avs.c b/libavformat/avs.c
index ab47980a11c..19f03731573 100644
--- a/libavformat/avs.c
+++ b/libavformat/avs.c
@@ -140,6 +140,10 @@ static int avs_read_audio_packet(AVFormatContext * s, AVPacket * pkt)
return 0; /* this indicate EOS */
if (ret < 0)
return ret;
+ if (size != (int)size) {
+ av_packet_unref(pkt);
+ return AVERROR(EDOM);
+ }
pkt->stream_index = avs->st_audio->index;
pkt->flags |= AV_PKT_FLAG_KEY;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail Michael Niedermayer
@ 2023-09-26 9:36 ` Paul B Mahol
0 siblings, 0 replies; 7+ messages in thread
From: Paul B Mahol @ 2023-09-26 9:36 UTC (permalink / raw)
To: FFmpeg development discussions and patches
LGTM
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate
2023-09-20 0:30 [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
` (3 preceding siblings ...)
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 5/5] avformat/avs: Check if return code is representable Michael Niedermayer
@ 2023-10-03 14:26 ` Michael Niedermayer
4 siblings, 0 replies; 7+ messages in thread
From: Michael Niedermayer @ 2023-10-03 14:26 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 717 bytes --]
On Wed, Sep 20, 2023 at 02:30:30AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 538976288 - -9223372036854775808 cannot be represented in type 'long'
> Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6275845531238400
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/flacdec.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
will apply patchset
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2023-10-03 14:26 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-20 0:30 [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 2/5] avcodec/flacdec: Fix integer overflow in "33bit" DECODER_SUBFRAME_FIXED_WIDE() Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 3/5] avcodec/utvideodec: move allocation to the end of init Michael Niedermayer
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 4/5] avcodec/vlc: free multi on fail Michael Niedermayer
2023-09-26 9:36 ` Paul B Mahol
2023-09-20 0:30 ` [FFmpeg-devel] [PATCH 5/5] avformat/avs: Check if return code is representable Michael Niedermayer
2023-10-03 14:26 ` [FFmpeg-devel] [PATCH 1/5] avcodec/flacdec: Fix overflow in "33bit" decorrelate Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git