Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements
@ 2024-07-31 19:54 Michael Niedermayer
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192
Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
index b26e39eab4d..dcbc86a5f7d 100644
--- a/libavcodec/cbs.c
+++ b/libavcodec/cbs.c
@@ -605,7 +605,7 @@ static av_always_inline int cbs_read_unsigned(CodedBitstreamContext *ctx,
 
     CBS_TRACE_READ_START();
 
-    av_assert0(width > 0 && width <= 32);
+    av_assert0(width >= 0 && width <= 32);
 
     if (get_bits_left(gbc) < width) {
         av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at "
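Review bot: Relaxing the assertion to `width >= 0` changes the contract of cbs_read_unsigned() for every caller, while the failing input comes from one SEI parser (sei_3d_reference_displays_info) handing it a zero-length element. A zero-width read is a sign of a caller bug, so the narrower fix is to have that parser skip the read when the element length is 0 and keep `av_assert0(width > 0 && width <= 32)` as the guard that catches the next such caller. If zero-width reads are meant to become legal, the commit message should say what value is returned for width 0 and the function's documentation should be updated to match.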
-- 
2.45.2

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/6] avcodec/aac/aacdec_usac: Don't leave type at an invalid value
@ 2024-07-31 19:54 ` Michael Niedermayer
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: Assertion 0 failed at libavcodec/aac/aacdec_usac.c:1646
Fixes: 70541/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5190889543106560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/aac/aacdec_usac.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index 1b79d19a30f..82db65eb0d0 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -265,6 +265,7 @@ static int decode_usac_extension(AACDecContext *ac, AACUsacElemConfig *e,
         /* No configuration needed - fallthrough (len should be 0) */
     default:
         skip_bits(gb, 8*ext_config_len);
+        e->ext.type = ID_EXT_ELE_FILL;
         break;
     };
 
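Review bot: Setting `e->ext.type = ID_EXT_ELE_FILL` in the `default:` arm also applies to the case directly above it, which reaches this code through the documented fallthrough; if that extension type is meant to keep its own identity, the assignment needs to move or that case needs its own `break`. A one-line comment stating why an unrecognised extension is downgraded to FILL (its payload has already been skipped, so treating it as fill stops later code from acting on a type the decoder does not support) would make the intent clear to the next reader.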
-- 
2.45.2


* [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples
@ 2024-07-31 19:54 ` Michael Niedermayer
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: division by zero
Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872
Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/iamf_parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index cdfd5f75fef..e007d6a7af2 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -252,7 +252,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
     if (ret < 0)
         goto fail;
 
-    if ((codec_config->nb_samples > INT_MAX) ||
+    if ((codec_config->nb_samples > INT_MAX) || codec_config->nb_samples <= 0 ||
         (-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) {
         ret = AVERROR_INVALIDDATA;
         goto fail;
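Review bot: The new `codec_config->nb_samples <= 0` term is correctly placed before the division it guards, but the safety depends on that ordering and on short-circuit evaluation, which the surrounding parentheses do not convey: wrap it as `(codec_config->nb_samples <= 0)` for consistency with the other operands and consider a comment noting that this term must stay ahead of the `INT_MAX / codec_config->nb_samples` test. Rejecting a zero or negative sample count where the field is parsed, with an av_log message, would also give users a diagnosable error rather than a bare AVERROR_INVALIDDATA.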
-- 
2.45.2


* [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
@ 2024-07-31 19:54 ` Michael Niedermayer
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: out of array access
Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/aac/aacdec_usac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index 82db65eb0d0..2938e693874 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -918,8 +918,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac,
         }
 
         ret = setup_sce(ac, sce1, usac);
-        if (ret < 0)
+        if (ret < 0) {
+            ics2->max_sfb = 0;
             return ret;
+        }
 
         ret = setup_sce(ac, sce2, usac);
         if (ret < 0)
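Review bot: The reason only `ics2->max_sfb` is cleared on the sce1 failure path is not visible from the hunk, and the review thread shows it was misread; add a comment at the new assignment, for example `/* setup_sce() for sce2 is never reached, so clear its still unvalidated max_sfb */`. Longer term, clearing both elements on a shared error exit would be more robust than patching one early return, since any further early return added between the two setup_sce() calls would recreate the same stale value.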
-- 
2.45.2


* [FFmpeg-devel] [PATCH 5/6] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow
@ 2024-07-31 19:54 ` Michael Niedermayer
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

The snow encoder uses block based motion estimation, which can read out of array if
insufficient alignment is used.

It may be better to only apply this for the encoder, as it would save a few bytes of memory
for the decoder. Until then, this fixes the issue in a simple way.

Fixes: out of array access
Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128
Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz
Fixes: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 337c00e789a..7914f799041 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -259,6 +259,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height,
         if (s->codec_id == AV_CODEC_ID_SVQ1) {
             w_align = 64;
             h_align = 64;
+        } else if (s->codec_id == AV_CODEC_ID_SNOW) {
+            w_align = 16;
+            h_align = 16;
         }
         break;
     case AV_PIX_FMT_RGB555:
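Review bot: The new `AV_CODEC_ID_SNOW` branch applies the 16-pixel alignment to decoding as well as encoding, which the commit message itself flags as unnecessary memory for the decoder; if that trade-off is intended, either gate the branch on the context being an encoder (`av_codec_is_encoder(s->codec)`) or record in a comment that the decoder shares the alignment deliberately. A comment naming the consumer (block based motion estimation reading past the frame edge) would also explain why SNOW is special-cased in this pixel format branch next to SVQ1.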
-- 
2.45.2


* [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer
@ 2024-07-31 19:54 ` Michael Niedermayer
From: Michael Niedermayer @ 2024-07-31 19:54 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: out of array access
Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/snow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 0285362d439..af6214d0778 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -428,7 +428,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){
         !FF_ALLOCZ_TYPED_ARRAY(s->spatial_dwt_buffer,  width * height) ||  //FIXME this does not belong here
         !FF_ALLOCZ_TYPED_ARRAY(s->temp_dwt_buffer,     width)          ||
         !FF_ALLOCZ_TYPED_ARRAY(s->temp_idwt_buffer,    width)          ||
-        !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1)))
+        !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1))
         return AVERROR(ENOMEM);
 
     for(i=0; i<MAX_REF_FRAMES; i++) {
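Review bot: The `+ 1` element added to the run_buffer allocation fixes the overrun but leaves the reason implicit: nothing at this site says which access walks one element past `((width + 1) >> 1) * ((height + 1) >> 1)`. Add a comment tying the extra element to that consumer, or bound the index in the consumer instead, so a later edit to the size expression does not silently drop the slack. The existing `//FIXME this does not belong here` on spatial_dwt_buffer suggests this allocation block is due for a tidy-up anyway.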
-- 
2.45.2


* Re: [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer
@ 2024-07-31 20:05   ` Michael Niedermayer
From: Michael Niedermayer @ 2024-07-31 20:05 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Wed, Jul 31, 2024 at 09:54:10PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/snow.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

I intend to apply this and the other snow patch (which has been on the ML for a while
with a different commit message) very soon because they affect upcoming point releases.


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato


* Re: [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements
@ 2024-07-31 22:03 ` James Almer
From: James Almer @ 2024-07-31 22:03 UTC (permalink / raw)
  To: ffmpeg-devel

On 7/31/2024 4:54 PM, Michael Niedermayer wrote:
> Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192
> Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/cbs.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
> index b26e39eab4d..dcbc86a5f7d 100644
> --- a/libavcodec/cbs.c
> +++ b/libavcodec/cbs.c
> @@ -605,7 +605,7 @@ static av_always_inline int cbs_read_unsigned(CodedBitstreamContext *ctx,
>   
>       CBS_TRACE_READ_START();
>   
> -    av_assert0(width > 0 && width <= 32);
> +    av_assert0(width >= 0 && width <= 32);

No, sei_3d_reference_displays_info should instead not attempt to read 
from the bitstream when width is 0.

I'll send a patch for this later.

>   
>       if (get_bits_left(gbc) < width) {
>           av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at "

* Re: [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples
@ 2024-07-31 22:04   ` James Almer
From: James Almer @ 2024-07-31 22:04 UTC (permalink / raw)
  To: ffmpeg-devel

On 7/31/2024 4:54 PM, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872
> Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/iamf_parse.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> index cdfd5f75fef..e007d6a7af2 100644
> --- a/libavformat/iamf_parse.c
> +++ b/libavformat/iamf_parse.c
> @@ -252,7 +252,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
>       if (ret < 0)
>           goto fail;
>   
> -    if ((codec_config->nb_samples > INT_MAX) ||
> +    if ((codec_config->nb_samples > INT_MAX) || codec_config->nb_samples <= 0 ||
>           (-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) {
>           ret = AVERROR_INVALIDDATA;
>           goto fail;

LGTM

* Re: [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
@ 2024-08-01 15:11   ` Lynne via ffmpeg-devel
From: Lynne via ffmpeg-devel @ 2024-08-01 15:11 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: Lynne


On 31/07/2024 21:54, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/aac/aacdec_usac.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
> index 82db65eb0d0..2938e693874 100644
> --- a/libavcodec/aac/aacdec_usac.c
> +++ b/libavcodec/aac/aacdec_usac.c
> @@ -918,8 +918,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac,
>           }
>   
>           ret = setup_sce(ac, sce1, usac);
> -        if (ret < 0)
> +        if (ret < 0) {
> +            ics2->max_sfb = 0;
>               return ret;
> +        }
>   
>           ret = setup_sce(ac, sce2, usac);
>           if (ret < 0)

Err, the one and only place where setup_sce can return an error is also 
where ics->max_sfb = 0; is cleaned up. It doesn't make sense that this 
patch would do anything at all.


* Re: [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
@ 2024-08-01 17:07     ` Michael Niedermayer
From: Michael Niedermayer @ 2024-08-01 17:07 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Thu, Aug 01, 2024 at 05:11:18PM +0200, Lynne via ffmpeg-devel wrote:
> On 31/07/2024 21:54, Michael Niedermayer wrote:
> > Fixes: out of array access
> > Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/aac/aacdec_usac.c | 4 +++-
> >   1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
> > index 82db65eb0d0..2938e693874 100644
> > --- a/libavcodec/aac/aacdec_usac.c
> > +++ b/libavcodec/aac/aacdec_usac.c
> > @@ -918,8 +918,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac,
> >           }
> >           ret = setup_sce(ac, sce1, usac);
> > -        if (ret < 0)
> > +        if (ret < 0) {
> > +            ics2->max_sfb = 0;
> >               return ret;
> > +        }
> >           ret = setup_sce(ac, sce2, usac);
> >           if (ret < 0)
> 
> Err, the one and only place where setup_sce can return an error is also
> where ics->max_sfb = 0; is cleaned up. It doesn't make sense that this patch
> would do anything at all.

There are 2 single channel elements.
When the first fails, it automatically cleans the first's max_sfb, but as it is before
this patch, it leaves the 2nd SCE's max_sfb unchanged at whatever unchecked value
was put in it.
It would get checked and cleared in the next setup_sce() call, but that is
never called if the first fails.

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is what and why we do it that matters, not just one of them.
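The stale-state problem Michael describes, as an added C model that is not FFmpeg's code: the names (elem, setup_elem, stereo_info_before/after, MAX_SFB) are constructed for this example, with setup_elem standing in for the per-element check that clears its own max_sfb on failure, and the two stereo_info variants standing in for the code before and after the patch.

```c
/* Constructed model of the two-element setup discussed above (not FFmpeg's code).
 * Each element carries a max_sfb read from the bitstream that is only checked
 * when its own setup step runs. */
#include <stdio.h>

#define MAX_SFB 49            /* constructed bound; stands in for the real table size */

struct elem {
    int max_sfb;              /* parsed from the bitstream, unchecked until setup */
};

struct stereo {
    struct elem sce1, sce2;   /* the two single channel elements */
};

/* Validates one element. On failure it clears its own max_sfb (as the reply
 * says setup_sce() does) and returns -1 so the caller stops decoding. */
static int setup_elem(struct elem *e)
{
    if (e->max_sfb < 0 || e->max_sfb > MAX_SFB) {
        e->max_sfb = 0;
        return -1;
    }
    return 0;
}

/* Before the patch: a failure in sce1 returns early, so sce2 keeps whatever
 * unchecked value was parsed into it and later code may index with it. */
static int stereo_info_before(struct stereo *s)
{
    int ret = setup_elem(&s->sce1);
    if (ret < 0)
        return ret;
    return setup_elem(&s->sce2);
}

/* After the patch: the early-return path also clears sce2, so no element is
 * left holding a value that was never validated. */
static int stereo_info_after(struct stereo *s)
{
    int ret = setup_elem(&s->sce1);
    if (ret < 0) {
        s->sce2.max_sfb = 0;
        return ret;
    }
    return setup_elem(&s->sce2);
}

/* Runs the chosen variant on constructed input where both elements are out of
 * range and returns the max_sfb left behind in sce2. */
static int leftover_sce2(int use_fixed)
{
    struct stereo s = { { 1000 }, { 1000 } };
    if (use_fixed)
        stereo_info_after(&s);
    else
        stereo_info_before(&s);
    return s.sce2.max_sfb;
}

/* Sanity check that the fixed variant still accepts a valid pair (returns 0). */
static int valid_pair_result(void)
{
    struct stereo s = { { 10 }, { 20 } };
    return stereo_info_after(&s);
}

int main(void)
{
    printf("sce2.max_sfb left before fix: %d\n", leftover_sce2(0));
    printf("sce2.max_sfb left after fix:  %d\n", leftover_sce2(1));
    printf("valid pair after fix returns: %d\n", valid_pair_result());
    return 0;
}
```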

