Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH 1/3] avformat/wady: Check >0 samplerate and channels 1 || 2.
From: Michael Niedermayer @ 2024-03-20  2:19 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

The WADY decoder only supports mono and stereo

This fixes a probetest failure

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/wady.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/wady.c b/libavformat/wady.c
index 6dcc0018f3..81a64c6d3f 100644
--- a/libavformat/wady.c
+++ b/libavformat/wady.c
@@ -32,7 +32,8 @@ static int wady_probe(const AVProbeData *p)
         return 0;
     if (p->buf[4] != 0 || p->buf[5] == 0 ||
         AV_RL16(p->buf+6) == 0 ||
-        AV_RL32(p->buf+8) == 0)
+        AV_RL16(p->buf+6) > 2 ||
+        (int32_t)AV_RL32(p->buf+8) <= 0)
         return 0;
 
     return AVPROBE_SCORE_MAX / 3 * 2;
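Review bot: the new `(int32_t)AV_RL32(p->buf+8) <= 0` test rejects not only a zero sample rate but every value with the top bit set, which is stricter than the subject's "> 0" suggests; a one-line comment saying the cast deliberately rejects rates of 2^31 and above would save the next reader the question. The two tests on `AV_RL16(p->buf+6)` (`== 0` and the new `> 2`) could be folded into one range check, but as written they read clearly. Note that the probe only runs on auto-detected input, so the same channel and rate bounds need to hold where the header is actually parsed; this hunk cannot show whether they do.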
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".


* [FFmpeg-devel] [PATCH 2/3] avformat/mov: Check sample_count and auxiliary_info_default_size to be 0
From: Michael Niedermayer @ 2024-03-20  2:19 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

This combination causes 0 size arrays to be allocated and to leak later

Fixes: memleak
Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8d1135270c..f954b924a0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6994,6 +6994,9 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     sample_count = avio_rb32(pb);
 
     if (encryption_index->auxiliary_info_default_size == 0) {
+        if (sample_count == 0)
+            return AVERROR_INVALIDDATA;
+
         encryption_index->auxiliary_info_sizes = av_malloc(sample_count);
         if (!encryption_index->auxiliary_info_sizes)
             return AVERROR(ENOMEM);
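Review bot: the new early return carries no comment explaining why `sample_count == 0` together with `auxiliary_info_default_size == 0` is invalid; the commit message says the zero-length `av_malloc(sample_count)` result is what later leaks, so a short comment at the check (for example "a zero-length sizes array would be allocated and never freed") would record the invariant that `auxiliary_info_sizes` is only allocated when there is at least one size to store. If the cleanup path frees `auxiliary_info_sizes` conditionally on the count, making that free unconditional would stop the leak recurring through another path; that is outside this hunk.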
-- 
2.17.1


* [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
From: Michael Niedermayer @ 2024-03-20  2:19 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

This reverts commit d3aa0cd16f5e952bc346b7c74b4dcba95151a63a.

Fixes: out of array write
Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560

The bsf code performs 2 iterations, the first counts how much space is needed
then allocates
and the 2nd pass copies into the allocated space

The reverted code reallocates sps/pps in the first pass in a data dependent way that leaves
the 2nd pass in a different state than the first

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/bsf/h264_mp4toannexb.c | 83 +++----------------------------
 tests/fate/h264.mak               |  5 --
 2 files changed, 6 insertions(+), 82 deletions(-)

diff --git a/libavcodec/bsf/h264_mp4toannexb.c b/libavcodec/bsf/h264_mp4toannexb.c
index 120241c892..b99de39ce9 100644
--- a/libavcodec/bsf/h264_mp4toannexb.c
+++ b/libavcodec/bsf/h264_mp4toannexb.c
@@ -36,8 +36,6 @@ typedef struct H264BSFContext {
     uint8_t *pps;
     int      sps_size;
     int      pps_size;
-    unsigned sps_buf_size;
-    unsigned pps_buf_size;
     uint8_t  length_size;
     uint8_t  new_idr;
     uint8_t  idr_sps_seen;
@@ -133,33 +131,16 @@ pps:
         memset(out + total_size, 0, padding);
 
     if (pps_offset) {
-        uint8_t *sps;
-
+        s->sps      = out;
         s->sps_size = pps_offset;
-        sps = av_fast_realloc(s->sps, &s->sps_buf_size, s->sps_size);
-        if (!sps) {
-            av_free(out);
-            return AVERROR(ENOMEM);
-        }
-        s->sps = sps;
-        memcpy(s->sps, out, s->sps_size);
     } else {
         av_log(ctx, AV_LOG_WARNING,
                "Warning: SPS NALU missing or invalid. "
                "The resulting stream may not play.\n");
     }
     if (pps_offset < total_size) {
-        uint8_t *pps;
-
+        s->pps      = out + pps_offset;
         s->pps_size = total_size - pps_offset;
-        pps = av_fast_realloc(s->pps, &s->pps_buf_size, s->pps_size);
-        if (!pps) {
-            av_freep(&s->sps);
-            av_free(out);
-            return AVERROR(ENOMEM);
-        }
-        s->pps = pps;
-        memcpy(s->pps, out + pps_offset, s->pps_size);
     } else {
         av_log(ctx, AV_LOG_WARNING,
                "Warning: PPS NALU missing or invalid. "
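Review bot: with `s->sps = out` and `s->pps = out + pps_offset` restored, both pointers are borrowed views into the `out` buffer rather than owned memory, which is what makes the later removal of the close callback correct; a comment on these two assignments stating that `sps`/`pps` are not owned would stop a future change from reintroducing an `av_fast_realloc` or `av_freep` on them.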
@@ -179,35 +160,6 @@ pps:
     return 0;
 }
 
-static int h264_mp4toannexb_save_ps(uint8_t **dst, int *dst_size,
-                                    unsigned *dst_buf_size,
-                                    const uint8_t *nal, uint32_t nal_size,
-                                    int first)
-{
-    static const uint8_t nalu_header[4] = { 0, 0, 0, 1 };
-    const int start_code_size = sizeof(nalu_header);
-    uint8_t *ptr;
-    uint32_t size;
-
-    if (first)
-        size = 0;
-    else
-        size = *dst_size;
-
-    ptr = av_fast_realloc(*dst, dst_buf_size, size + nal_size + start_code_size);
-    if (!ptr)
-        return AVERROR(ENOMEM);
-
-    memcpy(ptr + size, nalu_header, start_code_size);
-    size += start_code_size;
-    memcpy(ptr + size, nal, nal_size);
-    size += nal_size;
-
-    *dst = ptr;
-    *dst_size = size;
-    return 0;
-}
-
 static int h264_mp4toannexb_init(AVBSFContext *ctx)
 {
     int extra_size = ctx->par_in->extradata_size;
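Review bot: the removed helper restarts `size` at 0 when `first` is set and otherwise appends at `*dst_size`, so the saved size could grow or shrink depending on the NALs in a packet; deleting it is right for a revert, but the idea of remembering in-band parameter sets is not wrong in itself. If it is reintroduced, the save has to happen outside the count/copy loop (for example after the copy pass), so that both passes observe the same `sps_size`/`pps_size`.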
@@ -268,9 +220,6 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
     if (j) \
         av_log(__VA_ARGS__)
     for (int j = 0; j < 2; j++) {
-        int sps_count = 0;
-        int pps_count = 0;
-
         buf      = in->data;
         new_idr  = s->new_idr;
         sps_seen = s->idr_sps_seen;
@@ -301,18 +250,8 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
 
             if (unit_type == H264_NAL_SPS) {
                 sps_seen = new_idr = 1;
-                if (!j) {
-                    h264_mp4toannexb_save_ps(&s->sps, &s->sps_size, &s->sps_buf_size,
-                                             buf, nal_size, !sps_count);
-                    sps_count++;
-                }
             } else if (unit_type == H264_NAL_PPS) {
                 pps_seen = new_idr = 1;
-                if (!j) {
-                    h264_mp4toannexb_save_ps(&s->pps, &s->pps_size, &s->pps_buf_size,
-                                             buf, nal_size, !pps_count);
-                    pps_count++;
-                }
                 /* if SPS has not been seen yet, prepend the AVCC one to PPS */
                 if (!sps_seen) {
                     if (!s->sps_size) {
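Review bot: this is the point of divergence the commit message describes: the calls ran only under `if (!j)` (the counting pass) and updated `s->sps_size`/`s->pps_size` in place, so a `PS_OUT_OF_BAND` insertion counted earlier in the same packet with the old size was then copied in pass `j == 1` with the new, possibly larger size. Any future reintroduction should snapshot the sizes before the `for (int j = 0; j < 2; j++)` loop or defer the update until after it.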
@@ -332,10 +271,9 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
 
             /* prepend only to the first type 5 NAL unit of an IDR picture, if no sps/pps are already present */
             if (new_idr && unit_type == H264_NAL_IDR_SLICE && !sps_seen && !pps_seen) {
-                if (s->sps_size)
-                    count_or_copy(&out, &out_size, s->sps, s->sps_size, PS_OUT_OF_BAND, j);
-                if (s->pps_size)
-                    count_or_copy(&out, &out_size, s->pps, s->pps_size, PS_OUT_OF_BAND, j);
+                if (ctx->par_out->extradata)
+                    count_or_copy(&out, &out_size, ctx->par_out->extradata,
+                                  ctx->par_out->extradata_size, PS_OUT_OF_BAND, j);
                 new_idr = 0;
             /* if only SPS has been seen, also insert PPS */
             } else if (new_idr && unit_type == H264_NAL_IDR_SLICE && sps_seen && !pps_seen) {
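Review bot: prepending `ctx->par_out->extradata` whole restores the pre-d3aa0cd behaviour and with it the limitation that commit addressed: parameter sets that arrived in-band in earlier packets are no longer remembered, so streams whose in-band SPS/PPS differ from the extradata go back to producing the broken output the reverted commit was fixing (as the follow-up discussion in this thread confirms). That regression deserves an explicit sentence in the commit message.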
@@ -351,7 +289,7 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt)
             else
                 ps = PS_NONE;
             count_or_copy(&out, &out_size, buf, nal_size, ps, j);
-            if (unit_type == H264_NAL_SLICE) {
+            if (!new_idr && unit_type == H264_NAL_SLICE) {
                 new_idr  = 1;
                 sps_seen = 0;
                 pps_seen = 0;
@@ -391,14 +329,6 @@ fail:
     return ret;
 }
 
-static void h264_mp4toannexb_close(AVBSFContext *ctx)
-{
-    H264BSFContext *s = ctx->priv_data;
-
-    av_freep(&s->sps);
-    av_freep(&s->pps);
-}
-
 static void h264_mp4toannexb_flush(AVBSFContext *ctx)
 {
     H264BSFContext *s = ctx->priv_data;
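Review bot: with `h264_mp4toannexb_close` gone nothing frees `s->sps`/`s->pps`, which is correct only while they remain views into `out` (the restored `s->sps = out` in the earlier hunk); if in-band parameter-set saving returns with heap copies, this callback must return with it, otherwise the overflow is traded for a leak.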
@@ -418,6 +348,5 @@ const FFBitStreamFilter ff_h264_mp4toannexb_bsf = {
     .priv_data_size = sizeof(H264BSFContext),
     .init           = h264_mp4toannexb_init,
     .filter         = h264_mp4toannexb_filter,
-    .close          = h264_mp4toannexb_close,
     .flush          = h264_mp4toannexb_flush,
 };
diff --git a/tests/fate/h264.mak b/tests/fate/h264.mak
index 674054560b..d0c57eabe9 100644
--- a/tests/fate/h264.mak
+++ b/tests/fate/h264.mak
@@ -227,7 +227,6 @@ FATE_H264-$(call FRAMECRC, MOV, H264) += fate-h264-twofields-packet
 FATE_H264-$(call DEMMUX, MOV, H264, H264_MP4TOANNEXB_BSF SCALE_FILTER) += fate-h264-bsf-mp4toannexb-new-extradata
 
 FATE_H264-$(call DEMMUX, MOV, H264, H264_MP4TOANNEXB_BSF) += fate-h264-bsf-mp4toannexb \
-                                                             fate-h264-bsf-mp4toannexb-2 \
                                                              fate-h264_mp4toannexb_ticket5927 \
                                                              fate-h264_mp4toannexb_ticket5927_2 \
 
@@ -432,10 +431,6 @@ fate-h264-conformance-sva_nl1_b:                  CMD = framecrc -i $(TARGET_SAM
 fate-h264-conformance-sva_nl2_e:                  CMD = framecrc -i $(TARGET_SAMPLES)/h264-conformance/SVA_NL2_E.264
 
 fate-h264-bsf-mp4toannexb:                        CMD = md5 -i $(TARGET_SAMPLES)/h264/interlaced_crop.mp4 -c:v copy -f h264
-# First IDR is prefixed by SPS/PPS
-fate-h264-bsf-mp4toannexb-2:                      CMD = md5 -i $(TARGET_SAMPLES)/h264/ps_prefix_first_idr.mp4 -c:v copy -f h264
-fate-h264-bsf-mp4toannexb-2:                      CMP = oneline
-fate-h264-bsf-mp4toannexb-2:                      REF = cffcfa6a2d0b58c9de1f5785f099f41d
 fate-h264-bsf-mp4toannexb-new-extradata:          CMD = stream_remux mov $(TARGET_SAMPLES)/h264/extradata-reload-multi-stsd.mov "" h264 "-map 0:v"
 fate-h264_mp4toannexb_ticket5927:                 CMD = transcode "mp4" $(TARGET_SAMPLES)/h264/thezerotheorem-cut.mp4 \
                                                         h264 "-c:v copy -bsf:v h264_mp4toannexb -an" "-c:v copy"
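Review bot: dropping `fate-h264-bsf-mp4toannexb-2` removes the only regression test for the "SPS/PPS before first IDR" case together with its reference hash, while the sample it uses is not touched by this patch; consider keeping the test with the current output as a known-regressed reference, or noting its removal in the commit message, so that a corrected fix has a test to turn green again.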
-- 
2.17.1
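The count-then-copy scheme from the commit message, modelled as an added example (not FFmpeg's code and not part of this patch): a two-pass Annex B converter whose copy pass is bounds-checked against the counted size, plus a flag that reproduces the reverted change's mutation of parameter-set state during the counting pass, so the mismatch surfaces as an error instead of an out-of-bounds write. The NAL bytes, packet layout, `PsState` and all function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { NAL_IDR = 5, NAL_SPS = 7 };                 /* H.264 NAL unit types used here */
static const uint8_t START_CODE[4] = { 0, 0, 0, 1 };
/* Out-of-band parameter sets in Annex B form; hypothetical stand-in for extradata. */
typedef struct {
    const uint8_t *ps;
    size_t         ps_size;
} PsState;

/* Constructed sample data, not taken from any real file. */
static const uint8_t SAMPLE_PKT[] = { 0,0,0,3, 0x65, 0x88, 0x84,   /* IDR slice NAL   */
                                      0,0,0,2, 0x67, 0x42 };       /* in-band SPS NAL */
static const uint8_t OOB_PS[]     = { 0,0,0,1, 0x67, 0x42, 0,0,0,1, 0x68, 0xce };
static const uint8_t INBAND_PS[]  = { 0,0,0,1, 0x67, 0x42, 0x00, 0x1e, 0xab, 0xcd,
                                      0,0,0,1, 0x68, 0xce, 0x38, 0x80 };

/* Pass 0 only counts; pass 1 copies and refuses to exceed the capacity pass 0
 * computed, so a count/copy mismatch becomes an error instead of a heap write. */
static int count_or_copy(uint8_t *out, size_t out_cap, size_t *out_size,
                         const uint8_t *data, size_t size, int copy)
{
    if (copy && size > out_cap - *out_size)
        return -1;
    if (copy)
        memcpy(out + *out_size, data, size);
    *out_size += size;
    return 0;
}

/* Convert one packet of 4-byte length-prefixed NALs to Annex B. legacy_mutate != 0
 * models the reverted change: the counting pass swaps the parameter-set state on an
 * in-band SPS, so the copy pass sees different state. Returns length or -1. */
static long mp4_to_annexb(const uint8_t *in, size_t in_size, PsState *ps,
                          int legacy_mutate, uint8_t **outp)
{
    uint8_t *out = NULL;
    size_t out_cap = 0, out_size = 0;
    for (int pass = 0; pass < 2; pass++) {
        int sps_seen = 0, new_idr = 1;   /* per-packet state, reset identically in both passes */
        size_t pos = 0;
        out_size = 0;
        while (pos < in_size) {
            if (in_size - pos < 4)
                goto fail;
            uint32_t nal_size = (uint32_t)in[pos] << 24 | (uint32_t)in[pos + 1] << 16 |
                                (uint32_t)in[pos + 2] << 8 | in[pos + 3];
            pos += 4;
            if (nal_size == 0 || nal_size > in_size - pos)
                goto fail;
            const uint8_t *nal = in + pos;
            int type = nal[0] & 0x1f;
            if (type == NAL_SPS) {
                sps_seen = 1;
                if (legacy_mutate && pass == 0) {   /* state mutated while counting */
                    ps->ps      = INBAND_PS;
                    ps->ps_size = sizeof(INBAND_PS);
                }
            }
            /* prepend out-of-band PS only before the first IDR NAL when no SPS was seen */
            if (type == NAL_IDR && new_idr && !sps_seen && ps->ps_size) {
                if (count_or_copy(out, out_cap, &out_size, ps->ps, ps->ps_size, pass))
                    goto fail;
                new_idr = 0;
            }
            if (count_or_copy(out, out_cap, &out_size, START_CODE, 4, pass) ||
                count_or_copy(out, out_cap, &out_size, nal, nal_size, pass))
                goto fail;
            pos += nal_size;
        }
        if (pass == 0) {
            out_cap = out_size;
            out     = malloc(out_cap ? out_cap : 1);
            if (!out) return -1;
        }
    }
    *outp = out;
    return (long)out_size;
fail:
    free(out);
    return -1;
}

/* Run the model on SAMPLE_PKT: stable state yields OOB_PS (12) + start code + IDR (7) +
 * start code + SPS (6) = 25 bytes; with legacy_mutate, pass 0 counted 25 bytes (12-byte
 * OOB_PS) but pass 1 needs 29 (16-byte INBAND_PS), so the bounds check returns -1. */
static long convert(int legacy_mutate)
{
    PsState ps = { OOB_PS, sizeof(OOB_PS) };
    uint8_t *out = NULL;
    long n = mp4_to_annexb(SAMPLE_PKT, sizeof(SAMPLE_PKT), &ps, legacy_mutate, &out);
    if (n > 0 && (n < 17 || memcmp(out, OOB_PS, sizeof(OOB_PS)) != 0 || out[16] != 0x65))
        n = -2;                                  /* wrong output layout */
    free(out);
    return n;
}
```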

* Re: [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
From: Zhao Zhili @ 2024-03-20  6:41 UTC (permalink / raw)
  To: FFmpeg development discussions and patches



> On Mar 20, 2024, at 10:19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> 
> This reverts commit d3aa0cd16f5e952bc346b7c74b4dcba95151a63a.
> 
> Fixes: out of array write
> Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560
> 
> The bsf code performs 2 iterations, the first counts how much space is needed
> then allocates
> and the 2nd pass copies into the allocated space
> 
> The reverted code reallocates sps/pps in the first pass in a data dependent way that leaves
> the 2nd pass in a different state than the first

Sorry for the breakage. How do I access the fuzz report details?

Without the patch, it generates broken files in those cases. I want to dig further to fix it.


* Re: [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
From: Michael Niedermayer @ 2024-03-20 13:02 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Wed, Mar 20, 2024 at 02:41:05PM +0800, Zhao Zhili wrote:
> 
> 
> > On Mar 20, 2024, at 10:19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > 
> > This reverts commit d3aa0cd16f5e952bc346b7c74b4dcba95151a63a.
> > 
> > Fixes: out of array write
> > Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560
> > 
> > The bsf code performs 2 iterations, the first counts how much space is needed
> > then allocates
> > and the 2nd pass copies into the allocated space
> > 
> > The reverted code reallocates sps/pps in the first pass in a data dependent way that leaves
> > the 2nd pass in a different state than the first
> 
> Sorry for the breakage. How do I access the fuzz report details?

ossfuzz made this one public already
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64407

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundread thousand in war. Let country fall into chaos,
be surprised about raise of fundamantalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued


* Re: [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
From: Zhao Zhili @ 2024-03-20 17:53 UTC (permalink / raw)
  To: 'FFmpeg development discussions and patches'



> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of Michael Niedermayer
> Sent: 20 March 2024 21:02
> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> Subject: Re: [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
> 
> On Wed, Mar 20, 2024 at 02:41:05PM +0800, Zhao Zhili wrote:
> >
> >
> > > On Mar 20, 2024, at 10:19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > >
> > > This reverts commit d3aa0cd16f5e952bc346b7c74b4dcba95151a63a.
> > >
> > > Fixes: out of array write
> > > Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560
> > >
> > > The bsf code performs 2 iterations, the first counts how much space is needed
> > > then allocates
> > > and the 2nd pass copies into the allocated space
> > >
> > > The reverted code reallocates sps/pps in the first pass in a data dependent way that leaves
> > > the 2nd pass in a different state than the first
> >
> > Sorry for the breakage. How do I access the fuzz report details?
> 
> ossfuzz made this one public already
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64407

I can't open the "Detailed Report" link. Does it provide asan details?

I'm currently tied up with daily work and need time to learn how to use oss-fuzz.
Feel free to revert the commit. I would be very grateful if anyone has a quick fix for it.
A broken file is less severe than a heap-buffer-overflow, but still a serious problem.


* Re: [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
From: Michael Niedermayer @ 2024-03-20 19:51 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Thu, Mar 21, 2024 at 01:53:12AM +0800, Zhao Zhili wrote:
> 
> 
> > -----Original Message-----
> > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of Michael Niedermayer
> > Sent: 20 March 2024 21:02
> > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
> > Subject: Re: [FFmpeg-devel] [PATCH 3/3] Revert "avcodec/h264_mp4toannexb_bsf: fix missing PS before IDR frames"
> > 
> > On Wed, Mar 20, 2024 at 02:41:05PM +0800, Zhao Zhili wrote:
> > >
> > >
> > > > On Mar 20, 2024, at 10:19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > > >
> > > > This reverts commit d3aa0cd16f5e952bc346b7c74b4dcba95151a63a.
> > > >
> > > > Fixes: out of array write
> > > > Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560
> > > >
> > > > The bsf code performs 2 iterations, the first counts how much space is needed
> > > > then allocates
> > > > and the 2nd pass copies into the allocated space
> > > >
> > > > The reverted code reallocates sps/pps in the first pass in a data dependent way that leaves
> > > > the 2nd pass in a different state than the first
> > >
> > > Sorry for the breakage. How do I access the fuzz report details?
> > 
> > ossfuzz made this one public already
> > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64407
> 
> I can't open the "Detailed Report" link. Does it provide asan details?

Yes, I posted them to you privately; I didn't realize that wasn't public while the testcase is.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.


* Re: [FFmpeg-devel] [PATCH 1/3] avformat/wady: Check >0 samplerate and channels 1 || 2.
From: Michael Niedermayer @ 2024-03-25 17:17 UTC (permalink / raw)
  To: FFmpeg development discussions and patches


On Wed, Mar 20, 2024 at 03:19:24AM +0100, Michael Niedermayer wrote:
> The WADY decoder only supports mono and stereo
> 
> This fixes a probetest failure
> 
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/wady.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Will apply patches 1 and 2.

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin

