Date: Thu, 27 Apr 2023 15:49:54 -0300
To: ffmpeg-devel@ffmpeg.org
References: <20230427183840.1015-1-michael@niedermayer.cc> <20230427183840.1015-3-michael@niedermayer.cc>
From: James Almer
In-Reply-To: <20230427183840.1015-3-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 3/3] avcodec/hevc_ps: Avoid signed overflow before check on QP

On 4/27/2023 3:38 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -2147483648 - 5 cannot be represented in type 'int'
> Fixes: 58066/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5312995835379712
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
> libavcodec/hevc_ps.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
> index 1533e2a817..6b8f432609 100644
> --- a/libavcodec/hevc_ps.c
> +++ b/libavcodec/hevc_ps.c
> @@ -1522,9 +1522,9 @@ static int pps_scc_extension(GetBitContext *gb, AVCodecContext *avctx,
> pps->pps_curr_pic_ref_enabled_flag = get_bits1(gb);
> if (pps->residual_adaptive_colour_transform_enabled_flag = get_bits1(gb)) {
> pps->pps_slice_act_qp_offsets_present_flag = get_bits1(gb);
> - pps->pps_act_y_qp_offset = get_se_golomb_long(gb) - 5;
> - pps->pps_act_cb_qp_offset = get_se_golomb_long(gb) - 5;
> - pps->pps_act_cr_qp_offset = get_se_golomb_long(gb) - 3;
> + pps->pps_act_y_qp_offset = get_se_golomb_long(gb) - 5U;
> + pps->pps_act_cb_qp_offset = get_se_golomb_long(gb) - 5U;
> + pps->pps_act_cr_qp_offset = get_se_golomb_long(gb) - 3U;

Spec-compliant values for all of these are in the -7..17 and -9..15 range, so just use get_se_golomb() instead, which I assume is for small values, much like get_ue_golomb().

>
> #define CHECK_QP_OFFSET(name) (pps->pps_act_ ## name ## _qp_offset <= -12 || \
> pps->pps_act_ ## name ## _qp_offset >= 12)
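Review bot: the `- 5U` / `- 3U` lines only move the problem rather than remove it; the subtraction is now unsigned, so the sanitizer's "-2147483648 - 5" report disappears, but the wrapped value is then converted back into a signed field (implementation-defined for an out-of-range unsigned value) and is rejected only afterwards by CHECK_QP_OFFSET's `<= -12 || >= 12` bounds. That the wrap can never land inside -11..11 is true but not obvious from the three lines; either add a one-line comment stating that the range check is what catches the wrapped result, or, as the reply suggests, bound the value at read time (get_se_golomb(), or a comparison of the raw value against the shifted bounds before the subtraction) so no out-of-range intermediate exists at all.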
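The two orderings this thread contrasts, subtracting before the range check versus bounding first, as an added example that is not FFmpeg code; the -12/12 bounds are the ones in CHECK_QP_OFFSET above, the 5/3 biases are the ones in the hunk, and the function names are made up for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Bounds taken from CHECK_QP_OFFSET in the quoted hunk: an offset is
 * rejected when it is <= -12 or >= 12, so only -11..11 is accepted.
 * The biases are the 5/5/3 subtracted in the hunk. */
#define QP_OFFSET_REJECT(off) ((off) <= -12 || (off) >= 12)

/* Option A: subtract in a wider type, then apply the page's check.
 * (int64_t)INT_MIN - 5 is representable, so no signed overflow occurs
 * and the fuzzer's input is rejected by the bound, not by luck. */
static int act_qp_offset_wide(int raw_se, int bias, int *out)
{
    int64_t off = (int64_t)raw_se - bias;
    if (QP_OFFSET_REJECT(off))
        return -1;            /* rejected: outside -11..11 */
    *out = (int)off;          /* fits, since -11 <= off <= 11 */
    return 0;
}

/* Option B: reject the raw Golomb value before any arithmetic. Accepted
 * offsets are -11..11, so accepted raw values are (-11+bias)..(11+bias);
 * the comparison cannot overflow because bias is a small constant. */
static int act_qp_offset_prechecked(int raw_se, int bias, int *out)
{
    if (raw_se < -11 + bias || raw_se > 11 + bias)
        return -1;
    *out = raw_se - bias;
    return 0;
}

/* Drives both variants over constructed raw values, including the
 * INT_MIN case from the commit message (-2147483648 - 5), and flags
 * any disagreement between them. */
int main(void)
{
    const int raw[] = { INT_MIN, -7, -6, 0, 16, 17, INT_MAX };
    for (size_t i = 0; i < sizeof raw / sizeof raw[0]; i++) {
        int a = 0, b = 0;
        int ra = act_qp_offset_wide(raw[i], 5, &a);
        int rb = act_qp_offset_prechecked(raw[i], 5, &b);
        printf("raw=%d wide=%s prechecked=%s%s\n", raw[i],
               ra ? "reject" : "accept", rb ? "reject" : "accept",
               (ra != rb || (!ra && a != b)) ? "  MISMATCH" : "");
    }
    return 0;
}
```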