Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/8] avcodec/psd: Move frame allocation after RLE processing
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Timeout
Fixes: 410609448/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PSD_fuzzer-6267226128973824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/psd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/psd.c b/libavcodec/psd.c
index 9c3e4f69052..f0b90ec1bd7 100644
--- a/libavcodec/psd.c
+++ b/libavcodec/psd.c
@@ -418,9 +418,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
 
     s->uncompressed_size = s->line_size * s->height * s->channel_count;
 
-    if ((ret = ff_get_buffer(avctx, picture, 0)) < 0)
-        return ret;
-
     /* decode picture if need */
     if (s->compression == PSD_RLE) {
         s->tmp = av_malloc(s->uncompressed_size);
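Review bot: the commit message says only "Fixes: Timeout", and this hunk shows ff_get_buffer() being taken out from before the compression branch without saying why the order mattered. A sentence such as "allocate the output frame only after the RLE payload has been decoded and validated, so malformed input no longer pays for a full-size frame allocation before being rejected" would let a reader verify the reasoning without access to the fuzzer case.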
@@ -443,6 +440,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
         ptr_data = s->gb.buffer;
     }
 
+    if ((ret = ff_get_buffer(avctx, picture, 0)) < 0)
+        return ret;
+
     /* Store data */
     if ((avctx->pix_fmt == AV_PIX_FMT_YA8)||(avctx->pix_fmt == AV_PIX_FMT_YA16BE)){/* Interleaved */
         ptr = picture->data[0];
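Review bot: with ff_get_buffer() now placed after the compression branch, the `return ret` here is a new early exit that follows the `s->tmp = av_malloc(s->uncompressed_size)` in the PSD_RLE path. The hunk does not show s->tmp being released on this path, so confirm it is freed (in the decoder's close function or a shared cleanup) or a failed frame allocation after a successful RLE decode leaks the temporary buffer.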
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

* [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: AVERROR_BUG return
Fixes: 413997604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-5188382613635072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hcadec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c
index 7780372cf3f..161044bfbcc 100644
--- a/libavcodec/hcadec.c
+++ b/libavcodec/hcadec.c
@@ -179,6 +179,9 @@ static void ath_init1(uint8_t *ath, int sample_rate)
 
 static int ath_init(uint8_t *ath, int type, int sample_rate)
 {
+    if (sample_rate <= 0)
+        return AVERROR_INVALIDDATA;
+
     switch (type) {
     case 0:
         /* nothing to do */
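Review bot: the new check runs before the `switch (type)`, so `case 0` ("nothing to do"), which does not use sample_rate at all, now also fails on sample_rate <= 0. That is probably acceptable, since a zero sample rate is not a usable decoder configuration, but the commit message ("Fixes: AVERROR_BUG return") does not say which path produced the AVERROR_BUG; naming it, and considering whether avctx->sample_rate should be validated once where it is read rather than inside ath_init(), would make the change easier to review.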
-- 
2.49.0

* [FFmpeg-devel] [PATCH 3/8] swscale/output: Fix integer overflows in yuv2rgba64_1_c_template()
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: signed integer overflow: -132524 * 16525 cannot be represented in type 'int'
Fixes: 414862270/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4869083202125824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libswscale/output.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libswscale/output.c b/libswscale/output.c
index c37649e7ce5..c18c96a57a1 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1211,8 +1211,8 @@ yuv2rgba64_1_c_template(SwsInternal *c, const int32_t *buf0,
         for (i = 0; i < ((dstW + 1) >> 1); i++) {
             SUINT Y1 = (buf0[i * 2]    ) >> 2;
             SUINT Y2 = (buf0[i * 2 + 1]) >> 2;
-            int U  = (ubuf0[i] - (128 << 11)) >> 2;
-            int V  = (vbuf0[i] - (128 << 11)) >> 2;
+            SUINT U  = (ubuf0[i] - (128 << 11)) >> 2;
+            SUINT V  = (vbuf0[i] - (128 << 11)) >> 2;
             int R, G, B;
 
             Y1 -= c->yuv2rgb_y_offset;
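Review bot: changing U and V to SUINT only affects arithmetic done after this assignment; the expression `(ubuf0[i] - (128 << 11)) >> 2` is still evaluated in int, including the right shift of a possibly negative value, and is unchanged by the patch. The overflow in the commit message (-132524 * 16525) is the later multiplication by the colour-conversion coefficient, which lies outside this hunk; a short comment that U and V are deliberately made to wrap there (SUINT is unsigned in normal builds and int only when CHECKED is defined) would make the intent clear to the next reader.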
@@ -1260,8 +1260,8 @@ yuv2rgba64_1_c_template(SwsInternal *c, const int32_t *buf0,
         for (i = 0; i < ((dstW + 1) >> 1); i++) {
             SUINT Y1 = (buf0[i * 2]    ) >> 2;
             SUINT Y2 = (buf0[i * 2 + 1]) >> 2;
-            int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14;
-            int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14;
+            SUINT U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14;
+            SUINT V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14;
             int R, G, B;
 
             Y1 -= c->yuv2rgb_y_offset;
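Review bot: same caveat for the two-line interpolation path: `ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)` is still int arithmetic on int32_t inputs and is not covered by the SUINT type of the result. If the fuzzer case only overflowed in the later U * coefficient product this is sufficient, but if the inputs can be large enough for the products inside the parentheses to overflow, they need the same treatment (for example casting the operands to SUINT before multiplying).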
-- 
2.49.0

* [FFmpeg-devel] [PATCH 4/8] tools/target_dec_fuzzer: adjust threshold for VP8
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Timeout
Fixes: 416589179/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP8_fuzzer-5432788428062720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index f5f41bdb247..96d65c7b69e 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -325,6 +325,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     case AV_CODEC_ID_VP6F:        maxpixels  /= 4096;  break;
     case AV_CODEC_ID_VP6A:        maxpixels  /= 4096;  break;
     case AV_CODEC_ID_VP7:         maxpixels  /= 256;   break;
+    case AV_CODEC_ID_VP8:         maxpixels  /= 256;   break;
     case AV_CODEC_ID_VP9:         maxpixels  /= 4096;  break;
     case AV_CODEC_ID_WAVPACK:     maxsamples /= 1024;  break;
     case AV_CODEC_ID_WCMV:        maxpixels  /= 1024;  break;
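Review bot: this is a fuzzer-side budget change rather than a decoder fix, so the VP8 decoder still spends the same time per pixel on the offending input; the commit message should say whether that cost is considered acceptable for VP8 or whether a decoder-side fix is still pending. The divisor 256 matches the VP7 entry directly above it while VP9 uses 4096; a one-line rationale for the chosen value would keep the table from looking arbitrary.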
-- 
2.49.0

* [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items()
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: NULL pointer dereference
Fixes: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8a094b1ea0a..22488b517cb 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -10332,6 +10332,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
 
         st = item->st;
         sc = st->priv_data;
+        if (!sc->sample_sizes)
+            return AVERROR_INVALIDDATA;
+
         st->codecpar->width  = item->width;
         st->codecpar->height = item->height;
 
-- 
2.49.0

* [FFmpeg-devel] [PATCH 6/8] avcodec/vvc/ctu: Check palette_escape_val
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: integer overflow
Fixes: 418314174/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4871731867353088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vvc/ctu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
index ba4c89b1d1b..7fa2b496389 100644
--- a/libavcodec/vvc/ctu.c
+++ b/libavcodec/vvc/ctu.c
@@ -2053,6 +2053,8 @@ static int palette_subblock_data(VVCLocalContext *lc,
                 const int v = PALETTE_INDEX(xc, yc);
                 if (v == esc) {
                     const int coeff = ff_vvc_palette_escape_val(lc);
+                    if (coeff >= (1U << sps->bit_depth))
+                        return AVERROR_INVALIDDATA;
                     const int pixel = av_clip_intp2(RSHIFT(coeff * scale, 6), sps->bit_depth);
                     PALETTE_SET_PIXEL(xc, yc, pixel);
                 } else {
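Review bot: `coeff` is int and `1U << sps->bit_depth` is unsigned, so the comparison is performed in unsigned arithmetic; a negative coeff (should ff_vvc_palette_escape_val() ever return an error) converts to a large unsigned value and is rejected too, which is fine but deserves a comment so nobody "fixes" the signedness later. The bound should also be cross-checked against the range constraint the VVC specification places on palette_escape_val for the given bit depth, and the commit message should cite that clause rather than only "integer overflow", since this is a bitstream conformance check as much as an overflow guard.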
-- 
2.49.0

* [FFmpeg-devel] [PATCH 7/8] avcodec/vvc/cabac: Check k in kth_order_egk_decode()
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

The return value is int; we can thus not handle 31 or more bits.

Fixes: integer overflow
Fixes: 418396701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4730994378997760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vvc/cabac.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vvc/cabac.c b/libavcodec/vvc/cabac.c
index 6847ce59aff..78703cb065e 100644
--- a/libavcodec/vvc/cabac.c
+++ b/libavcodec/vvc/cabac.c
@@ -937,6 +937,8 @@ static int kth_order_egk_decode(CABACContext *c, int k)
 
     while (bit) {
         bit = get_cabac_bypass(c);
+        if (k >= 31)
+            return AVERROR_PATCHWELCOME;
         value += bit << k++;
     }
 
-- 
2.49.0


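The bound in the patch above, as an added stand-alone C example that is not FFmpeg code: an EGk (k-th order Exp-Golomb) decoder whose prefix loop refuses to go past k = 30, so `1 << k` never overflows int and an all-ones prefix terminates with an error, plus an encoder used only to build test vectors. Assumptions made for the demonstration: the bit reader and writer, the error codes EGK_ERR_OVERFLOW and EGK_ERR_EOF, and all function names are constructed here; raw bits stand in for CABAC bypass bins; suffix bits are taken most-significant first; and the guard runs before each bin is read rather than after it, as the hunk does.

```c
#include <stddef.h>
#include <stdint.h>

/* Error codes for this example (stand-ins for FFmpeg's AVERROR values). */
enum {
    EGK_ERR_OVERFLOW = -1,  /* codeword needs 31+ bits: cannot be returned in an int */
    EGK_ERR_EOF      = -2   /* input exhausted in the middle of a codeword */
};

/* MSB-first bit reader standing in for CABAC bypass decoding: for the
 * binarization itself a bypass bin is simply the next raw bit. */
typedef struct {
    const uint8_t *buf;
    size_t nbits;   /* bits available in buf */
    size_t pos;     /* index of the next bit to read */
} BitReader;

static int br_read_bit(BitReader *br)
{
    if (br->pos >= br->nbits)
        return EGK_ERR_EOF;
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Matching bit writer, used only to build test vectors; buf must be zeroed. */
typedef struct {
    uint8_t *buf;
    size_t cap_bits;
    size_t pos;
} BitWriter;

static int bw_put_bit(BitWriter *bw, int bit)
{
    if (bw->pos >= bw->cap_bits)
        return EGK_ERR_EOF;
    if (bit)
        bw->buf[bw->pos >> 3] |= (uint8_t)(0x80 >> (bw->pos & 7));
    bw->pos++;
    return 0;
}

/* EGk encoder: each prefix 1 consumes 1<<k and increments k, a 0 ends the
 * prefix, then the remainder is written in k bits MSB first. Takes an
 * unsigned value so codewords above INT_MAX can be produced and fed to the
 * decoder to show that they are rejected. */
static int egk_encode(BitWriter *bw, uint32_t v, int k)
{
    while (k < 32 && v >= (1u << k)) {
        if (bw_put_bit(bw, 1) < 0)
            return EGK_ERR_EOF;
        v -= 1u << k;
        k++;
    }
    if (bw_put_bit(bw, 0) < 0)
        return EGK_ERR_EOF;
    for (int i = k - 1; i >= 0; i--)
        if (bw_put_bit(bw, (v >> i) & 1) < 0)
            return EGK_ERR_EOF;
    return 0;
}

/* EGk decoder with the bound from the patch. The guard runs before every
 * prefix bin, so `1 << k` is never evaluated for k > 30 and an all-ones
 * prefix fails after at most 31 bins instead of overflowing int. With
 * k <= 30 at the terminating bin the result is at most 2^31 - 2, which
 * always fits the int return value. */
static int egk_decode(BitReader *br, int k)
{
    int value = 0;

    for (;;) {
        if (k < 0 || k >= 31)
            return EGK_ERR_OVERFLOW;
        int bit = br_read_bit(br);
        if (bit < 0)
            return bit;
        if (!bit)
            break;          /* end of unary prefix */
        value += 1 << k;
        k++;
    }
    for (int i = k - 1; i >= 0; i--) {   /* k-bit suffix, MSB first */
        int bit = br_read_bit(br);
        if (bit < 0)
            return bit;
        value += bit << i;
    }
    return value;
}

/* Encode v with order k and decode it again; returns the decoded value or a
 * negative error code. */
static int egk_roundtrip(uint32_t v, int k)
{
    uint8_t buf[16] = {0};
    BitWriter bw = { buf, sizeof(buf) * 8, 0 };
    if (egk_encode(&bw, v, k) < 0)
        return EGK_ERR_EOF;
    BitReader br = { buf, bw.pos, 0 };
    return egk_decode(&br, k);
}

/* Decode directly from raw bytes, e.g. a constructed all-0xFF prefix. */
static int egk_decode_bytes(const uint8_t *bytes, size_t n, int k)
{
    BitReader br = { bytes, n * 8, 0 };
    return egk_decode(&br, k);
}

/* Constructed input: 32 one-bits, the longest prefix a hostile stream can offer. */
static const uint8_t ALL_ONES[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
```

egk_roundtrip(2147483646u, 0) returns 2147483646 (30 prefix ones, a zero, and 30 suffix ones), whereas egk_roundtrip(2147483647u, 0) needs a 31-bit prefix and returns EGK_ERR_OVERFLOW; egk_decode_bytes(ALL_ONES, 4, 0) fails the same way after 31 bins, and a truncated input such as egk_decode_bytes(ALL_ONES, 1, 0) reports EGK_ERR_EOF instead of reading past the buffer.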
* [FFmpeg-devel] [PATCH 8/8] avcodec/vvc/ctu: Check ff_vvc_num_signalled_palette_entries
From: Michael Niedermayer @ 2025-06-20  0:32 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: index 107 out of bounds for type 'uint16_t const[63]'
Fixes: 421336912/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6436225806565376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vvc/ctu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
index 7fa2b496389..cf7edccb8b8 100644
--- a/libavcodec/vvc/ctu.c
+++ b/libavcodec/vvc/ctu.c
@@ -1889,7 +1889,7 @@ static int palette_signaled(VVCLocalContext *lc, const bool local_dual_tree,
     const int size            = nb_predicted + nb_signaled;
     const bool dual_tree_luma = local_dual_tree && cu->tree_type == DUAL_TREE_LUMA;
 
-    if (size > max_entries)
+    if (size > max_entries || nb_signaled < 0)
         return AVERROR_INVALIDDATA;
 
     for (int c = start; c < end; c++) {
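Review bot: `nb_signaled < 0` is tested only after it has already been folded into `size = nb_predicted + nb_signaled`; that is safe as written because the new condition rejects the negative case regardless of size, but it turns whatever error ff_vvc_num_signalled_palette_entries() returned into AVERROR_INVALIDDATA. Checking nb_signaled where it is assigned and propagating its error code would keep the original reason, and a short comment tying the check to the table it protects (the reported "index 107 out of bounds for type 'uint16_t const[63]'") would explain why a negative count matters here.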
-- 
2.49.0

* Re: [FFmpeg-devel] [PATCH 5/8] avformat/mov: Check that sample_sizes is allocated in mov_parse_heif_items()
From: James Almer @ 2025-06-20  0:53 UTC (permalink / raw)
  To: ffmpeg-devel


On 6/19/2025 9:32 PM, Michael Niedermayer wrote:
> Fixes: NULL pointer dereference
> Fixes: 416811958/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5425269114732544
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/mov.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 8a094b1ea0a..22488b517cb 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -10332,6 +10332,9 @@ static int mov_parse_heif_items(AVFormatContext *s)
>   
>           st = item->st;
>           sc = st->priv_data;
> +        if (!sc->sample_sizes)
> +            return AVERROR_INVALIDDATA;
> +
>           st->codecpar->width  = item->width;
>           st->codecpar->height = item->height;

Does the following fix it too?

> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 8a094b1ea0..a2a9c10f20 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -5430,18 +5430,18 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item)
>      sc->stsc_data[0].first = 1;
>      sc->stsc_data[0].count = 1;
>      sc->stsc_data[0].id = 1;
> -    sc->chunk_count = 1;
>      sc->chunk_offsets = av_malloc_array(1, sizeof(*sc->chunk_offsets));
>      if (!sc->chunk_offsets)
>          return AVERROR(ENOMEM);
> -    sc->sample_count = 1;
> +    sc->chunk_count = 1;
>      sc->sample_sizes = av_malloc_array(1, sizeof(*sc->sample_sizes));
>      if (!sc->sample_sizes)
>          return AVERROR(ENOMEM);
> -    sc->stts_count = 1;
> +    sc->sample_count = 1;
>      sc->stts_data = av_malloc_array(1, sizeof(*sc->stts_data));
>      if (!sc->stts_data)
>          return AVERROR(ENOMEM);
> +    sc->stts_count = 1;
>      sc->stts_data[0].count = 1;
>      // Not used for still images. But needed by mov_build_index.
>      sc->stts_data[0].duration = 0;
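Review bot: the reordering sets sc->chunk_count, sc->sample_count and sc->stts_count only after the corresponding av_malloc_array() has succeeded, so the ENOMEM early returns no longer leave a non-zero count paired with a NULL array. That covers the allocation-failure path visible in this hunk; it does not by itself show whether the fuzzer input reached mov_parse_heif_items() through that path, so confirming against the reproducer is worth doing before dropping the NULL check from the original patch.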

I'd rather have the checks in sanity_checks() detect this, so if 
sc->sample_sizes is NULL then sc->sample_count should be 0.


* Re: [FFmpeg-devel] [PATCH 2/8] avcodec/hcadec: Check sample_rate
From: Andreas Rheinhardt @ 2025-06-20  8:45 UTC (permalink / raw)
  To: ffmpeg-devel

Michael Niedermayer:
> Fixes: AVERROR_BUG return
> Fixes: 413997604/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-5188382613635072
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hcadec.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c
> index 7780372cf3f..161044bfbcc 100644
> --- a/libavcodec/hcadec.c
> +++ b/libavcodec/hcadec.c
> @@ -179,6 +179,9 @@ static void ath_init1(uint8_t *ath, int sample_rate)
>  
>  static int ath_init(uint8_t *ath, int type, int sample_rate)
>  {
> +    if (sample_rate <= 0)
> +        return AVERROR_INVALIDDATA;
> +
>      switch (type) {
>      case 0:
>          /* nothing to do */

The sample rate used here comes from avctx->sample_rate, so why do you
want to check this here instead of checking it generically for all audio
decoders without AV_CODEC_CAP_CHANNEL_CONF like this:

diff --git a/libavcodec/avcodec.c b/libavcodec/avcodec.c
index 7bcb0295e5..0ad39b4d91 100644
--- a/libavcodec/avcodec.c
+++ b/libavcodec/avcodec.c
@@ -254,7 +254,11 @@ int attribute_align_arg
avcodec_open2(AVCodecContext *avctx, const AVCodec *code
         }
     }

-    if (avctx->sample_rate < 0) {
+    /* AV_CODEC_CAP_CHANNEL_CONF is a decoder-only flag; so the code below
+     * in particular checks that sample_rate is set for all audio
encoders. */
+    if (avctx->sample_rate < 0 ||
+        avctx->sample_rate == 0 && avctx->codec_type ==
AVMEDIA_TYPE_AUDIO &&
+        !(codec->capabilities & AV_CODEC_CAP_CHANNEL_CONF)) {
         av_log(avctx, AV_LOG_ERROR, "Invalid sample rate: %d\n",
avctx->sample_rate);
         ret = AVERROR(EINVAL);
         goto free_and_end;
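Review bot: `avctx->sample_rate < 0 || avctx->sample_rate == 0 && ... && ...` relies on && binding tighter than ||; it is correct, but compilers flag it under -Wparentheses and the surrounding code parenthesises the && group, so this should too. Note also that the diff as posted has been line-wrapped by the mail client (the `avcodec_open2(AVCodecContext *avctx, const AVCodec *code` continuation, `encoders. */`, and the split `AVMEDIA_TYPE_AUDIO &&` line), so it will not apply with git am without being re-sent as an attachment or an unwrapped body.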
diff --git a/libavcodec/encode.c b/libavcodec/encode.c
index 72dfa8867a..38833c566c 100644
--- a/libavcodec/encode.c
+++ b/libavcodec/encode.c
@@ -633,11 +633,6 @@ static int encode_preinit_audio(AVCodecContext *avctx)
                avctx->sample_fmt);
         return AVERROR(EINVAL);
     }
-    if (avctx->sample_rate <= 0) {
-        av_log(avctx, AV_LOG_ERROR, "Invalid audio sample rate: %d\n",
-               avctx->sample_rate);
-        return AVERROR(EINVAL);
-    }

     ret = avcodec_get_supported_config(avctx, NULL,
AV_CODEC_CONFIG_SAMPLE_FORMAT,
                                        0, (const void **) &sample_fmts,
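Review bot: removing this check relies on the new avcodec_open2() condition running before encode_preinit_audio() for every audio encoder; that ordering is not visible in the hunk, so it should be stated in the commit message. The dropped message also said "Invalid audio sample rate" while the surviving one says "Invalid sample rate", a small loss of context for users reading encoder logs.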

- Andreas
