From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 657AE4B186
	for <ffmpegdev@gitmailbox.com>; Wed, 31 Jul 2024 22:03:21 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2ECEC68D7F7;
	Thu,  1 Aug 2024 01:03:19 +0300 (EEST)
Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com
 [209.85.214.170])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B7D5668D6BC
 for <ffmpeg-devel@ffmpeg.org>; Thu,  1 Aug 2024 01:03:12 +0300 (EEST)
Received: by mail-pl1-f170.google.com with SMTP id
 d9443c01a7336-1fc49c0aaffso46346785ad.3
 for <ffmpeg-devel@ffmpeg.org>; Wed, 31 Jul 2024 15:03:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1722463390; x=1723068190; darn=ffmpeg.org;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id:from
 :to:cc:subject:date:message-id:reply-to;
 bh=xkoIh/1myVjrFdegshfv3plqY6i4rkzprwxoQEg6CmI=;
 b=JCf0gpwcxa9nuSML/JtBsYe3sUJAdSjNvwHg4g42wFxgu7YidqaESTH05Lv0K4MjNG
 TV1Ple2HCH/Q7eem6GVDZTJZXzjdONHj1NSMyuedjNs9OXYyNWegn+vQEzXYsXETyxp2
 E4UTHJPRtGDxbyPVYUsVvHUQZGuSZj1fX2/a0Bf8ARf8cSrqGTuPyEOaa2XmOvxE2fvi
 XqE458yaX9qGi2ruu2mmnB2wvff4I4KjEiKsMeTxKIunUWSvEEd5VmH3zaWg1Qx7xUHY
 KTY8R/NBJS9q2eElJWreVXVAnAQWNtEIFhJbVM+2SF5J55Wze6x0XVa1g9Gk3txksMjB
 fcfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1722463390; x=1723068190;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=xkoIh/1myVjrFdegshfv3plqY6i4rkzprwxoQEg6CmI=;
 b=GcGBB84i6zhv43N7j/ZKZnaWDw6ADdJanKQgpqVebKqBlggwdn3ejr/xTKJmoj30pV
 Q6y79wKTSR5Cntt3IMOcVFHcv+jZcZ3TWaMkANl3ZdqSEEaF14qdePxIWOb396X4komJ
 fwcxj+x9eE5zWgOGEHGx42oFYtjMUyKW+nYLdYTNACoy/1TO++fluISKSFNYn6XXFW+b
 dlN/vv/JHYAnY3uQV2HyGAQhig02v/5m5ooYO2KQ6UzkFtlUQLelm320R3Lrd5IB1XCf
 vNaJN7pb+gXvrlAG2GS5Cr7pufFlO/7rtqJjLxXTWueFmaJ/qdK9M7op9985d0f0x66P
 b11g==
X-Gm-Message-State: AOJu0Yw90begebsXkx9o3Fr8gUZYzv3JKU8/QQKHHpsstCafJjNT0t1+
 8kltdhjxljTTQmf/VZ5sA2CHGPD07HgO1QXN/miVFTgWJ1xBnU1oftxJUA==
X-Google-Smtp-Source: AGHT+IHEFP2oRoSvqCkog2FY/bwzfDjZ+bs7txkF9c0lTVZL5WCIVZ8iChOqnwYBnvzxlUSkL2YLEg==
X-Received: by 2002:a17:902:c411:b0:1fb:9b47:b642 with SMTP id
 d9443c01a7336-1ff4cea6f4cmr7704535ad.31.1722463389750; 
 Wed, 31 Jul 2024 15:03:09 -0700 (PDT)
Received: from [192.168.0.12] ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-1fed7ff9086sm125302725ad.302.2024.07.31.15.03.08
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Wed, 31 Jul 2024 15:03:09 -0700 (PDT)
Message-ID: <e1e4de29-05b8-4aee-9cc1-d56e88b3f94f@gmail.com>
Date: Wed, 31 Jul 2024 19:03:55 -0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: ffmpeg-devel@ffmpeg.org
References: <20240731195410.274508-1-michael@niedermayer.cc>
Content-Language: en-US
From: James Almer <jamrial@gmail.com>
In-Reply-To: <20240731195410.274508-1-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 1/6] avcodec/cbs:
 sei_3d_reference_displays_info uses length 0 elements
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/e1e4de29-05b8-4aee-9cc1-d56e88b3f94f@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

On 7/31/2024 4:54 PM, Michael Niedermayer wrote:
> Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192
> Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/cbs.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
> index b26e39eab4d..dcbc86a5f7d 100644
> --- a/libavcodec/cbs.c
> +++ b/libavcodec/cbs.c
> @@ -605,7 +605,7 @@ static av_always_inline int cbs_read_unsigned(CodedBitstreamContext *ctx,
>   
>       CBS_TRACE_READ_START();
>   
> -    av_assert0(width > 0 && width <= 32);
> +    av_assert0(width >= 0 && width <= 32);

No, sei_3d_reference_displays_info should instead not attempt to read 
from the bitstream when width is 0.

I'll send a patch for this later.

>   
>       if (get_bits_left(gbc) < width) {
>           av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at "
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".