From: Andreas Rheinhardt
Date: Thu, 21 Jul 2022 21:11:06 +0200
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size
In-Reply-To: <20220720224638.GD2088045@pb2>

Michael Niedermayer:
> On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
>>>>
>>>>
>>>> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
>>>>> Fixes: Timeout
>>>>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
>>>>>
>>>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>>>> Signed-off-by: Michael Niedermayer
>>>>> ---
>>>>> libavcodec/ffv1dec.c | 6 +++++-
>>>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c >>>>> index 01ddcaa512..9bdac0be4e 100644 >>>>> --- a/libavcodec/ffv1dec.c >>>>> +++ b/libavcodec/ffv1dec.c >>>>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, >>>>> if (buf_size < avctx->width * avctx->height / (128*8)) >>>>> return AVERROR_INVALIDDATA; >>>>> } else { >>>>> - if (buf_size < avctx->height / 8) >>>>> + int i;
>>>>
>>>> for (int i...
>>>
>>> will apply with that change
>>>
>>> thx
>>>
>>
>> James' suggestion made you use an uninitialized i in the actual check;
>
> yes
>
>
>> and even the original check is wrong, as one can overrun ff_log2_run
>> (unless there is a check that I am not missing).
>
> There's a check but it's too late
>
>
>> So it seems to me that
>> reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.
>
> not against that but here's a quick fix attempt
>

I thought that it would be easier to backport the fix if it were one patch; of course it was never my intention to force you to revert this.

>
> Author: Michael Niedermayer
> Date: Thu Jul 21 00:20:41 2022 +0200
>
> avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check
>
> Found-by: mkver

Please don't use my nickname in the future in commit messages.

>
> Signed-off-by: Michael Niedermayer
> > diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c > index d71584505d..c6eca3227c 100644 > --- a/libavcodec/ffv1dec.c > +++ b/libavcodec/ffv1dec.c > @@ -884,9 +884,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, > return AVERROR_INVALIDDATA; > } else { > int w = avctx->width; > - for (int i = 0; w > (1< + int s = 1 + w / (1<<23); > + int i; > + > + w /= s; > + > + for (i = 0; w > (1< w -= ff_log2_run[i]; > - if (buf_size < (avctx->height + i + 6)/ 8) > + if (buf_size < (avctx->height + s*i + 6)/ 8) > return AVERROR_INVALIDDATA; > } > > >
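
Review bot: `+ int i;` in the first hunk (`@@ -883,7 +883,11 @@`) has to stay declared at block scope, because the lines removed by the follow-up patch show the size check reading `i` after the loop, in `(avctx->height + i + 6)/ 8`. Moving the declaration into the loop header as `for (int i...` while keeping this one shadows it and leaves the check reading an uninitialized value. Keep the single declaration and set it in the loop's init clause, `for (i = 0; ...`.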
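
Review bot: `int s = 1 + w / (1<<23);` in the second hunk (`@@ -884,9 +884,14 @@`) introduces an unexplained constant, and whether the index into `ff_log2_run` stays in range now appears to rest on it. Add a comment saying why dividing the width by `s` keeps the loop inside the table, or bound `i` explicitly in the loop condition, so the check can be verified without knowing the table's contents. The commit message is only a subject line; a sentence naming the overrun and the uninitialized `i` it addresses would help anyone backporting it.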