[FFmpeg-devel] [PATCH 1/7] avcodec/mmvideo: fix paltte index

[FFmpeg-devel] [PATCH 1/7] avcodec/mmvideo: fix paltte index

[Michael Niedermayer]

Fixes: 391935573/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-4655048979709952
Fixes: out of array access

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mmvideo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index 7313507debc..2a0c855992e 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -91,7 +91,7 @@ static void mm_decode_pal(MmContext *s)
     int start = bytestream2_get_le16(&s->gb);
     int count = bytestream2_get_le16(&s->gb);
     for (int i = 0; i < count; i++)
-        s->palette[start+i] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
+        s->palette[(start+i)&0xFF] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
 }
 
 /**
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/7] avcodec/hevc/hevcdec: Check num_entry_point_offsets

[Michael Niedermayer]

The code uses int, unsigned int and uint16_t to store num_entry_point_offsets
This limits it to the smallest of the 3.
Alternatively uint16_t can be changed and then a larger limit used.
A Check will still be needed.

Fixes: 391974932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5966648879677440
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevc/hevcdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index a7a91769fec..636df5a4e9e 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -1110,7 +1110,7 @@ static int hls_slice_header(SliceHeader *sh, const HEVCContext *s, GetBitContext
     if (pps->tiles_enabled_flag || pps->entropy_coding_sync_enabled_flag) {
         unsigned num_entry_point_offsets = get_ue_golomb_long(gb);
         // It would be possible to bound this tighter but this here is simpler
-        if (num_entry_point_offsets > get_bits_left(gb)) {
+        if (num_entry_point_offsets > get_bits_left(gb) || num_entry_point_offsets > UINT16_MAX) {
             av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets);
             return AVERROR_INVALIDDATA;
         }
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/7] avcodec/hevc/hevcdec: Check num_entry_point_offsets

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1085 bytes --]

On Thu, May 08, 2025 at 11:57:33PM +0200, Michael Niedermayer wrote:
> The code uses int, unsigned int and uint16_t to store num_entry_point_offsets
> This limits it to the smallest of the 3.
> Alternatively uint16_t can be changed and then a larger limit used.
> A Check will still be needed.
> 
> Fixes: 391974932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5966648879677440
> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hevc/hevcdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If one takes all money from those who grow wealth and gives it to those who
do not grow wealth, 10 years later, almost the same people who where wealthy
will be wealthy again, the same people who where poor will be poor again.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 3/7] avcodec/speexdec: Pass and check remaining packets to decode functions

[Michael Niedermayer]

Fixes: out of array access
Fixes: 394638693/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4868142996455424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/speexdec.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 60daab3b015..94dce5420cc 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -169,7 +169,7 @@ typedef struct SpeexSubmode {
 
 typedef struct SpeexMode {
     int modeID;                 /**< ID of the mode */
-    int (*decode)(AVCodecContext *avctx, void *dec, GetBitContext *gb, float *out);
+    int (*decode)(AVCodecContext *avctx, void *dec, GetBitContext *gb, float *out, int packets_left);
     int frame_size;             /**< Size of frames used for decoding */
     int subframe_size;          /**< Size of sub-frames used for decoding */
     int lpc_size;               /**< Order of LPC filter */
@@ -521,8 +521,8 @@ static const SpeexSubmode wb_submode4 = {
     split_cb_shape_sign_unquant, &split_cb_high, -1.f
 };
 
-static int nb_decode(AVCodecContext *, void *, GetBitContext *, float *);
-static int sb_decode(AVCodecContext *, void *, GetBitContext *, float *);
+static int nb_decode(AVCodecContext *, void *, GetBitContext *, float *, int packets_left);
+static int sb_decode(AVCodecContext *, void *, GetBitContext *, float *, int packets_left);
 
 static const SpeexMode speex_modes[SPEEX_NB_MODES] = {
     {
@@ -867,7 +867,7 @@ static void lsp_to_lpc(const float *freq, float *ak, int lpcrdr)
 }
 
 static int nb_decode(AVCodecContext *avctx, void *ptr_st,
-                     GetBitContext *gb, float *out)
+                     GetBitContext *gb, float *out, int packets_left)
 {
     DecoderState *st = ptr_st;
     float ol_gain = 0, ol_pitch_coef = 0, best_pitch_gain = 0, pitch_average = 0;
@@ -1218,7 +1218,7 @@ static void qmf_synth(const float *x1, const float *x2, const float *a, float *y
 }
 
 static int sb_decode(AVCodecContext *avctx, void *ptr_st,
-                     GetBitContext *gb, float *out)
+                     GetBitContext *gb, float *out, int packets_left)
 {
     SpeexContext *s = avctx->priv_data;
     DecoderState *st = ptr_st;
@@ -1234,9 +1234,11 @@ static int sb_decode(AVCodecContext *avctx, void *ptr_st,
     mode = st->mode;
 
     if (st->modeID > 0) {
+        if (packets_left <= 1)
+            return AVERROR_INVALIDDATA;
         low_innov_alias = out + st->frame_size;
         s->st[st->modeID - 1].innov_save = low_innov_alias;
-        ret = speex_modes[st->modeID - 1].decode(avctx, &s->st[st->modeID - 1], gb, out);
+        ret = speex_modes[st->modeID - 1].decode(avctx, &s->st[st->modeID - 1], gb, out, packets_left);
         if (ret < 0)
             return ret;
     }
@@ -1559,7 +1561,7 @@ static int speex_decode_frame(AVCodecContext *avctx, AVFrame *frame,
 
     dst = (float *)frame->extended_data[0];
     for (int i = 0; i < frames_per_packet; i++) {
-        ret = speex_modes[s->mode].decode(avctx, &s->st[s->mode], &s->gb, dst + i * s->frame_size);
+        ret = speex_modes[s->mode].decode(avctx, &s->st[s->mode], &s->gb, dst + i * s->frame_size, frames_per_packet - i);
         if (ret < 0)
             return ret;
         if (avctx->ch_layout.nb_channels == 2)
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/7] avcodec/speexdec: Pass and check remaining packets to decode functions

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 727 bytes --]

On Thu, May 08, 2025 at 11:57:34PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 394638693/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4868142996455424
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/speexdec.c | 16 +++++++++-------
>  1 file changed, 9 insertions(+), 7 deletions(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Some people wanted to paint the bikeshed green, some blue and some pink.
People argued and fought, when they finally agreed, only rust was left.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 4/7] avformat/iff: Check nb_channels == 0 in MHDR

[Michael Niedermayer]

Fixes: division by 0
Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/iff.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/iff.c b/libavformat/iff.c
index 7142a06e98f..9402be48c98 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -510,6 +510,8 @@ static int iff_read_header(AVFormatContext *s)
                 sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO;
             else if (sta->codecpar->ch_layout.nb_channels == 2)
                 sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO;
+            else if (sta->codecpar->ch_layout.nb_channels == 0)
+                return AVERROR_INVALIDDATA;
             break;
 
         case ID_ABIT:
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/7] avformat/iff: Check nb_channels == 0 in MHDR

[Peter Ross]

[-- Attachment #1.1: Type: text/plain, Size: 1145 bytes --]

On Thu, May 08, 2025 at 11:57:35PM +0200, Michael Niedermayer wrote:
> Fixes: division by 0
> Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/iff.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/iff.c b/libavformat/iff.c
> index 7142a06e98f..9402be48c98 100644
> --- a/libavformat/iff.c
> +++ b/libavformat/iff.c
> @@ -510,6 +510,8 @@ static int iff_read_header(AVFormatContext *s)
>                  sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO;
>              else if (sta->codecpar->ch_layout.nb_channels == 2)
>                  sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO;
> +            else if (sta->codecpar->ch_layout.nb_channels == 0)
> +                return AVERROR_INVALIDDATA;
>              break;
>  
>          case ID_ABIT:

please apply

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/7] avformat/iff: Check nb_channels == 0 in MHDR

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1399 bytes --]

On Fri, May 09, 2025 at 07:07:19PM +1000, Peter Ross wrote:
> On Thu, May 08, 2025 at 11:57:35PM +0200, Michael Niedermayer wrote:
> > Fixes: division by 0
> > Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/iff.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/libavformat/iff.c b/libavformat/iff.c
> > index 7142a06e98f..9402be48c98 100644
> > --- a/libavformat/iff.c
> > +++ b/libavformat/iff.c
> > @@ -510,6 +510,8 @@ static int iff_read_header(AVFormatContext *s)
> >                  sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO;
> >              else if (sta->codecpar->ch_layout.nb_channels == 2)
> >                  sta->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO;
> > +            else if (sta->codecpar->ch_layout.nb_channels == 0)
> > +                return AVERROR_INVALIDDATA;
> >              break;
> >  
> >          case ID_ABIT:
> 
> please apply

will apply

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I am the wisest man alive, for I know one thing, and that is that I know
nothing. -- Socrates

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 5/7] avcodec/aac/aacdec_usac: Limit sfo from noise offset to be above -200

[Michael Niedermayer]

Fixes: out of array read
Fixes: 397731127/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5577772965101568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/aac/aacdec_usac.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index ef0c115aa09..e03e6e015f0 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -1023,8 +1023,9 @@ static void apply_noise_fill(AACDecContext *ac, SingleChannelElement *sce,
                 }
             }
 
-            if (band_quantized_to_zero)
-                sce->sfo[g*ics->max_sfb + sfb] += noise_offset;
+            if (band_quantized_to_zero) {
+                sce->sfo[g*ics->max_sfb + sfb] = FFMAX(sce->sfo[g*ics->max_sfb + sfb] + noise_offset, -200);
+            }
         }
         coef += g_len << 7;
     }
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 6/7] avcodec/rv60dec: inter also fails with qp >= 32

[Michael Niedermayer]

Fixes: out of array read in decode_cu_16x16()
Fixes: 398049430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5525836849807360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rv60dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
index 24981015a94..d704ae512c2 100644
--- a/libavcodec/rv60dec.c
+++ b/libavcodec/rv60dec.c
@@ -1791,7 +1791,7 @@ static int decode_cu_r(RV60Context * s, AVFrame * frame, ThreadContext * thread,
         ttype = cu.pu_type == PU_FULL ? TRANSFORM_8X8 : TRANSFORM_4X4;
 
     is_intra = cu.cu_type == CU_INTRA;
-    if (is_intra && qp >= 32)
+    if (qp >= 32)
         return AVERROR_INVALIDDATA;
     cu_pos = ((xpos & 63) >> 3) + ((ypos & 63) >> 3) * 8;
 
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 6/7] avcodec/rv60dec: inter also fails with qp >= 32

[Peter Ross]

[-- Attachment #1.1: Type: text/plain, Size: 1110 bytes --]

On Thu, May 08, 2025 at 11:57:37PM +0200, Michael Niedermayer wrote:
> Fixes: out of array read in decode_cu_16x16()
> Fixes: 398049430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5525836849807360
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/rv60dec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
> index 24981015a94..d704ae512c2 100644
> --- a/libavcodec/rv60dec.c
> +++ b/libavcodec/rv60dec.c
> @@ -1791,7 +1791,7 @@ static int decode_cu_r(RV60Context * s, AVFrame * frame, ThreadContext * thread,
>          ttype = cu.pu_type == PU_FULL ? TRANSFORM_8X8 : TRANSFORM_4X4;
>  
>      is_intra = cu.cu_type == CU_INTRA;
> -    if (is_intra && qp >= 32)
> +    if (qp >= 32)
>          return AVERROR_INVALIDDATA;
>      cu_pos = ((xpos & 63) >> 3) + ((ypos & 63) >> 3) * 8;

please apply

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 6/7] avcodec/rv60dec: inter also fails with qp >= 32

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1344 bytes --]

On Fri, May 09, 2025 at 07:07:51PM +1000, Peter Ross wrote:
> On Thu, May 08, 2025 at 11:57:37PM +0200, Michael Niedermayer wrote:
> > Fixes: out of array read in decode_cu_16x16()
> > Fixes: 398049430/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5525836849807360
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/rv60dec.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c
> > index 24981015a94..d704ae512c2 100644
> > --- a/libavcodec/rv60dec.c
> > +++ b/libavcodec/rv60dec.c
> > @@ -1791,7 +1791,7 @@ static int decode_cu_r(RV60Context * s, AVFrame * frame, ThreadContext * thread,
> >          ttype = cu.pu_type == PU_FULL ? TRANSFORM_8X8 : TRANSFORM_4X4;
> >  
> >      is_intra = cu.cu_type == CU_INTRA;
> > -    if (is_intra && qp >= 32)
> > +    if (qp >= 32)
> >          return AVERROR_INVALIDDATA;
> >      cu_pos = ((xpos & 63) >> 3) + ((ypos & 63) >> 3) * 8;
> 
> please apply

will apply

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No great genius has ever existed without some touch of madness. -- Aristotle

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 7/7] avcodec/hevc/ps: Fix dependant layer id check

[Michael Niedermayer]

Fixes: shift exponent 49 is too large for 32-bit type 'int'
Fixes: 398060145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5023082406543360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevc/ps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index 24f4218931d..4b021ea9c1f 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -652,8 +652,8 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
 
     /* Consequence of established layer dependencies */
     if (layer1_id_included &&
-        layer1_id_included != ((1 << vps->layer_id_in_nuh[0]) |
-                               (1 << vps->layer_id_in_nuh[1]))) {
+        layer1_id_included != ((1ULL << vps->layer_id_in_nuh[0]) |
+                               (1ULL << vps->layer_id_in_nuh[1]))) {
             av_log(avctx, AV_LOG_ERROR,
                    "Dependent layer not included in layer ID?\n");
             return AVERROR_PATCHWELCOME;
-- 
2.49.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 7/7] avcodec/hevc/ps: Fix dependant layer id check

[James Almer]

[-- Attachment #1.1.1: Type: text/plain, Size: 1140 bytes --]

On 5/8/2025 6:57 PM, Michael Niedermayer wrote:
> Fixes: shift exponent 49 is too large for 32-bit type 'int'
> Fixes: 398060145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5023082406543360
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/hevc/ps.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
> index 24f4218931d..4b021ea9c1f 100644
> --- a/libavcodec/hevc/ps.c
> +++ b/libavcodec/hevc/ps.c
> @@ -652,8 +652,8 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
>   
>       /* Consequence of established layer dependencies */
>       if (layer1_id_included &&
> -        layer1_id_included != ((1 << vps->layer_id_in_nuh[0]) |
> -                               (1 << vps->layer_id_in_nuh[1]))) {
> +        layer1_id_included != ((1ULL << vps->layer_id_in_nuh[0]) |
> +                               (1ULL << vps->layer_id_in_nuh[1]))) {

LGTM.


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 495 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 7/7] avcodec/hevc/ps: Fix dependant layer id check

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1459 bytes --]

On Thu, May 08, 2025 at 07:10:38PM -0300, James Almer wrote:
> On 5/8/2025 6:57 PM, Michael Niedermayer wrote:
> > Fixes: shift exponent 49 is too large for 32-bit type 'int'
> > Fixes: 398060145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5023082406543360
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/hevc/ps.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
> > index 24f4218931d..4b021ea9c1f 100644
> > --- a/libavcodec/hevc/ps.c
> > +++ b/libavcodec/hevc/ps.c
> > @@ -652,8 +652,8 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
> >       /* Consequence of established layer dependencies */
> >       if (layer1_id_included &&
> > -        layer1_id_included != ((1 << vps->layer_id_in_nuh[0]) |
> > -                               (1 << vps->layer_id_in_nuh[1]))) {
> > +        layer1_id_included != ((1ULL << vps->layer_id_in_nuh[0]) |
> > +                               (1ULL << vps->layer_id_in_nuh[1]))) {
> 
> LGTM.

will apply

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What is kyc? Its a tool that makes you give out your real ID, while criminals
give out a forged ID card.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/7] avcodec/mmvideo: fix paltte index

[Peter Ross]

[-- Attachment #1.1: Type: text/plain, Size: 1094 bytes --]

On Thu, May 08, 2025 at 11:57:32PM +0200, Michael Niedermayer wrote:
> Fixes: 391935573/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-4655048979709952
> Fixes: out of array access
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/mmvideo.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
> index 7313507debc..2a0c855992e 100644
> --- a/libavcodec/mmvideo.c
> +++ b/libavcodec/mmvideo.c
> @@ -91,7 +91,7 @@ static void mm_decode_pal(MmContext *s)
>      int start = bytestream2_get_le16(&s->gb);
>      int count = bytestream2_get_le16(&s->gb);
>      for (int i = 0; i < count; i++)
> -        s->palette[start+i] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
> +        s->palette[(start+i)&0xFF] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
>  }
>

please apply

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/7] avcodec/mmvideo: fix paltte index

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1456 bytes --]

On Fri, May 09, 2025 at 07:06:42PM +1000, Peter Ross wrote:
> On Thu, May 08, 2025 at 11:57:32PM +0200, Michael Niedermayer wrote:
> > Fixes: 391935573/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-4655048979709952
> > Fixes: out of array access
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/mmvideo.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
> > index 7313507debc..2a0c855992e 100644
> > --- a/libavcodec/mmvideo.c
> > +++ b/libavcodec/mmvideo.c
> > @@ -91,7 +91,7 @@ static void mm_decode_pal(MmContext *s)
> >      int start = bytestream2_get_le16(&s->gb);
> >      int count = bytestream2_get_le16(&s->gb);
> >      for (int i = 0; i < count; i++)
> > -        s->palette[start+i] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
> > +        s->palette[(start+i)&0xFF] = 0xFFU << 24 | (bytestream2_get_be24(&s->gb) << 2);
> >  }
> >
> 
> please apply

will apply

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you fake or manipulate statistics in a paper in physics you will never
get a job again.
If you fake or manipulate statistics in a paper in medicin you will get
a job for life at the pharma industry.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".