From patchwork Fri Apr 26 03:08:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 48263 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a21:1509:b0:1a9:af23:56c1 with SMTP id nq9csp112243pzb; Thu, 25 Apr 2024 20:09:06 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUIZM8ouYqm2wIJ0FWCPduMZlAOQikODkTPO6ASHspIyQRc5DAoMWlN+4WTJlFgeiizH+HbAnHOr8EPaFjr01sn4Gyugt6DhEK10A== X-Google-Smtp-Source: AGHT+IG3aa9q4CWBy32wzRpth12u1UEc2NACxTPS998UR7DjOTZl7DmgWTWUzajohE0UR9h1WL2G X-Received: by 2002:a05:6512:3a85:b0:51b:58c7:d04d with SMTP id q5-20020a0565123a8500b0051b58c7d04dmr866553lfu.0.1714100945860; Thu, 25 Apr 2024 20:09:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1714100945; cv=none; d=google.com; s=arc-20160816; b=JvCQEMgFhT41byKMqGm/1qlf69QlO0ZJj5S0TKj7fRPLo+04W70A+fo+0Ey/7WVv4v agBNjgk8iRHBP5Q5Q0aBuPmOonum/tgOTyoaof4FrSQxddkMmh6rwgV9cOo6AKAMosLM mDOTWaggDb2RRahIx7dSb51JInpMyorIWm0c41zfErb2it8q4GvicHZVukgsFqZmfSAX bBfLf+34rWEly93OYEljrTuSylHUY676m52wlytfYSbj1T1uCh6lGAP3C0pNnhpqfVAW KfTteIro8Qa+ftiP5BkXA8hI2bgbquTWRrxCpx3O72fvZP7wr3NYZ/NJHnUJE+TScQWM OcGg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:references:in-reply-to:message-id :date:to:from:dkim-signature:delivered-to; bh=pcd5+BIqC3UMlfWAQapsUJQ7K6it3jmExCfVJkFRudk=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; b=pORw5eHVYz1Rq9Ijbb0vU+RWmFX/OSxBTgFNWSPNp30gM5KE/u/eQPBmvmiAo67QIJ 7YAE4GlddcKqFSMMEJb1LQduRnpjl0fvpb1YrFQEKgTTEwp7UYfn085/luNTst2drCXf wGZVobtENVxQxPfIh9nuXRsQ9sf0aVjpK5DNbIf1VhYGuL7Y5N1YWbOJT0//rOTI6WNg YEXlZFzQID21lWWPRqTAal/NgmhM+6cvPGbjivxGuukFwJ9H2e2t52ybz1D0di+BuqA2 enG5MOqr2UpUGcQIFpRXXbp9tzVC5K7ZjywiHHvIzTFtYkiZw2OyZo6uy8Pu8WMP6o18 CHnw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@niedermayer.cc header.s=gm1 header.b="il9qrp/B"; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id a4-20020a19f804000000b005195b133edbsi5889754lff.488.2024.04.25.20.09.05; Thu, 25 Apr 2024 20:09:05 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@niedermayer.cc header.s=gm1 header.b="il9qrp/B"; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 6B78268D429; Fri, 26 Apr 2024 06:08:50 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from relay9-d.mail.gandi.net (relay9-d.mail.gandi.net [217.70.183.199]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 19F1668D3B9 for ; Fri, 26 Apr 2024 06:08:42 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id 4579FFF802 for ; Fri, 26 Apr 2024 03:08:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc; s=gm1; t=1714100921; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=p5SEnycyGRgYXfD+LIi2Zky1dsrA3rb0UzfWMcttZLQ=; b=il9qrp/BvfWO1fNilxdAbxC1bLswwcA5nZfNC8IBEEBskDC8+JJkJjBzblkruf46u1+Y3K ahEQnZbkgcwHlMPKz2vrPcnbGzsxozn9QC3dVt9np9Pp/IuGGu5o+Yctzqq19gPDNmgO34 zcbCU04RRD0Qmnp9Xb6Z98IT1BYLs9h2OzSHAPoOp2+0Eu8zSGhowGLJ9shUBlp25Y9Pnq 9p/qsNbnczBbUfCYOUnEpzIxHvUvPC0wdnd/fDDGy24Rp/99uWaNMitcGDjMaEmsO6hmCM ZobSYFTIfFDXxTh28EKFufn2YBemyvqJBDxPKFxS1N5OZpRbgnF3V+Vvuy+MVQ== From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Fri, 26 Apr 2024 05:08:35 +0200 Message-ID: <20240426030839.3001504-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240426030839.3001504-1-michael@niedermayer.cc> References: <20240426030839.3001504-1-michael@niedermayer.cc> MIME-Version: 1.0 X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: 57nI8wFaJ9+k Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int' Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832 The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input No overflow should happen with valid input. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 8849a3201a6..0b6c77e167d 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1207,8 +1207,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; @@ -1232,20 +1232,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } @@ -1253,8 +1253,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; @@ -1278,20 +1278,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } }