From patchwork Fri Apr 26 03:08:34 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 48262
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 26 Apr 2024 05:08:34 +0200
Message-ID: <20240426030839.3001504-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check tile_item_list

Fixes: Null pointer dereference
Fixes: 67861/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5352628142800896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index ecd29a7d08b..97a24e6737e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c
@@ -9289,6 +9289,9 @@ static int read_image_grid(AVFormatContext *s, const HEIFGrid *grid, if (tile_grid->nb_tiles != size) return AVERROR_INVALIDDATA; + for (int i = 0; i < size; i++) + if (!grid->tile_item_list[i]) + return AVERROR_INVALIDDATA; for (int i = 0; i < tile_cols; i++) tile_grid->coded_width += grid->tile_item_list[i]->width; for (int i = 0; i < size; i += tile_cols)
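Review bot: The added loop returns AVERROR_INVALIDDATA for a NULL entry in grid->tile_item_list without logging anything, so a file rejected here is indistinguishable to the caller from one rejected by the nb_tiles != size check just above it. An av_log() call that reports the missing tile index would make fuzzer findings and user reports easier to triage. The loop also reads tile_item_list[0] through tile_item_list[size - 1]; the hunk does not show how the list's length relates to size, so it is worth confirming that the list always holds at least size entries before it is indexed here.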
From patchwork Fri Apr 26 03:08:35 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 48263
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 26 Apr 2024 05:08:35 +0200
Message-ID: <20240426030839.3001504-2-michael@niedermayer.cc>
In-Reply-To: <20240426030839.3001504-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/6] swscale/output: Fix integer overflow in yuv2rgba64_1_c_template

Fixes: signed integer overflow: -831176 * 9539 cannot be represented in type 'int'
Fixes: 67869/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5117342091640832

The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input
No overflow should happen with valid input.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer --- libswscale/output.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 8849a3201a6..0b6c77e167d 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1207,8 +1207,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B; 
@@ -1232,20 +1232,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } } 
@@ -1253,8 +1253,8 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A1 = 0xffff<<14, A2 = 0xffff<<14; for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] ) >> 2; - int Y2 = (buf0[i * 2 + 1]) >> 2; + SUINT Y1 = (buf0[i * 2] ) >> 2; + SUINT Y2 = (buf0[i * 2 + 1]) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
@@ -1278,20 +1278,20 @@ yuv2rgba64_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } }
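Review bot: Only Y1 and Y2 change type in the two declaration hunks of yuv2rgba64_1_c_template(); U, V, R, G and B stay int, so V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff and U * c->yuv2rgb_u2b_coeff in the output hunks are still signed arithmetic. The commit message says the fuzzer fills all 16 bits of input that should be 9 bit; if the chroma buffers ubuf0/vbuf0 can be filled the same way, these products can overflow for the same reason the luma path did. Please either state why the chroma terms cannot reach that range or give them the same treatment in this patch.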
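Review bot: In the output_pixel() lines of both branches, (int)(R_B + Y1) >> 14 applies the cast before the shift, so the sum is formed with Y1 as SUINT, converted back to int, and only then shifted as a signed value. That ordering is what keeps negative intermediate values shifting the way the old code did, but nothing in the patch says so. A one-line comment at the SUINT Y1/Y2 declarations, explaining that the type is there only to avoid signed overflow on out-of-range input, would keep a later cleanup from moving or dropping the casts.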
From patchwork Fri Apr 26 03:08:36 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 48264
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 26 Apr 2024 05:08:36 +0200
Message-ID: <20240426030839.3001504-3-michael@niedermayer.cc>
In-Reply-To: <20240426030839.3001504-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/6] swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template()

Fixes: signed integer overflow: -1082982400 + -1079364728 cannot be represented in type 'int'
Fixes: 67910/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5329011971522560

The input is 9bit in 16bit, the fuzzer fills all 16bit thus generating "invalid" input
No overflow should happen with valid input.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libswscale/output.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 0b6c77e167d..b234f9c6b9a 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1429,7 +1429,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, if (uvalpha < 2048) { for (i = 0; i < dstW; i++) { - int Y = (buf0[i]) >> 2; + SUINT Y = (buf0[i]) >> 2; int U = (ubuf0[i] - (128 << 11)) >> 2; int V = (vbuf0[i] - (128 << 11)) >> 2; int R, G, B;
@@ -1448,9 +1448,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4; @@ -1462,7 +1462,7 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, const int32_t *ubuf1 = ubuf[1], *vbuf1 = vbuf[1]; int A = 0xffff<<14; for (i = 0; i < dstW; i++) { - int Y = (buf0[i] ) >> 2; + SUINT Y = (buf0[i] ) >> 2; int U = (ubuf0[i] + ubuf1[i] - (128 << 12)) >> 3; int V = (vbuf0[i] + vbuf1[i] - (128 << 12)) >> 3; int R, G, B; 
@@ -1481,9 +1481,9 @@ yuv2rgba64_full_1_c_template(SwsContext *c, const int32_t *buf0, G = V * c->yuv2rgb_v2g_coeff + U * c->yuv2rgb_u2g_coeff; B = U * c->yuv2rgb_u2b_coeff; - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A, 30) >> 14); dest += 4;
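Review bot: The cast-then-shift expression ((int)(R_B + Y) >> 14) + (1<<15) is now written out three times in each branch of yuv2rgba64_full_1_c_template(), so any later change to the overflow handling has to be repeated in every copy and it is easy to miss one. A small local macro or inline helper that takes the colour term and Y would keep the cast in a single place and give somewhere obvious to document why the sum is done on an SUINT operand.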
From patchwork Fri Apr 26 03:08:37 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 48265
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 26 Apr 2024 05:08:37 +0200
Message-ID: <20240426030839.3001504-4-michael@niedermayer.cc>
In-Reply-To: <20240426030839.3001504-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/6] avformat/iamfdec: Files without streams cannot have packets

Fixes: Assertion pkt->stream_index < (unsigned)s->nb_streams && "Invalid stream index.\n" failed at libavformat/demux.c:572
Fixes: 67890/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-5166340789829632.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/iamfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iamfdec.c b/libavformat/iamfdec.c index e34d13e74c5..67ff7e8f01a 100644 --- a/libavformat/iamfdec.c +++ b/libavformat/iamfdec.c
@@ -162,6 +162,9 @@ static int iamf_read_packet(AVFormatContext *s, AVPacket *pkt) IAMFDemuxContext *const c = s->priv_data; int ret; + if (!s->nb_streams) + return AVERROR_EOF; + ret = ff_iamf_read_packet(s, c, s->pb, INT_MAX, pkt); if (ret < 0) return ret;
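Review bot: The new guard at the top of iamf_read_packet() handles only nb_streams == 0, while the assertion quoted in the commit message is pkt->stream_index < s->nb_streams, which can also fail when the stream count is non-zero. If ff_iamf_read_packet() can ever hand back a packet whose stream_index is out of range for a file that does have streams, this check will not catch it; a bounds check on the returned packet would cover both cases. If the stream count is fixed once the header has been read, rejecting a stream-less file there with AVERROR_INVALIDDATA may also be clearer than returning AVERROR_EOF from every read.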
From patchwork Fri Apr 26 03:08:38 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 48266
to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gFMSYExuMgFhFqNCtzf24V7bgIn8G/bisKIf5uzkOAQ=; b=i/AIc+AHZ+M+ySSROmJtTbzBJgjNryWAurnpzXbNuYsZ9DiY8lktBOC1RXOqtWcRIU7e8k f36goXPoei1Q4zWKBfACGIiaJwLTPPbP2n6JqoKAytjJDexvpdqUyxMmtBWAZly2aWZv4H S8Gn9fRtXFzBpJG1nQ0R/pamv8pbQUaF9sTXPhqdcmqVAsBjQdFpB674XkJYXz+9Lof+Ft 3o6nOVL8mYYx8KUCF+/X+QQ9f+hhV9j61DlMq5hdc6FQk4shKc0olm//h5RfmM/jzuQ7L2 Bl5o++AX2jcsws618ldcJn5kY63iePVXqzT+qjaKNbtRCf+phWSqT4v4J5rn2A== From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Fri, 26 Apr 2024 05:08:38 +0200 Message-ID: <20240426030839.3001504-5-michael@niedermayer.cc> X-Mailer: git-send-email 2.43.2 In-Reply-To: <20240426030839.3001504-1-michael@niedermayer.cc> References: <20240426030839.3001504-1-michael@niedermayer.cc> MIME-Version: 1.0 X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 5/6] avcodec/wavarc: fix integer overflow in decode_5elp() block type 2 X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: mSqKE+n7om3h Fixes: signed integer overflow: 2097152000 + 107142979 cannot be represented in type 'int' Fixes: 67919/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5955101769400320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index b4b26958e6f..93b76c43e8a 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c 
@@ -689,7 +689,7 @@ static int decode_5elp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; - samples[n + 70] += ac_out[n] + (sum >> 4); + samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4); } for (int n = 0; n < 70; n++)

From patchwork Fri Apr 26 03:08:39 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 48267
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 26 Apr 2024 05:08:39 +0200
Message-ID: <20240426030839.3001504-6-michael@niedermayer.cc>
In-Reply-To: <20240426030839.3001504-1-michael@niedermayer.cc>
References: <20240426030839.3001504-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/6] avformat/mxfdec: Check body_offset

Fixes: signed integer overflow: 538976288 - -9223372036315799520 cannot be represented in type 'long'
Fixes: 68060/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5523457266745344
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 233d614f783..e65cec74c23 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -791,6 +791,9 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size partition->index_sid = avio_rb32(pb); partition->body_offset = avio_rb64(pb); partition->body_sid = avio_rb32(pb); + if (partition->body_offset < 0) + return AVERROR_INVALIDDATA; + if (avio_read(pb, op, sizeof(UID)) != sizeof(UID)) { av_log(mxf->fc, AV_LOG_ERROR, "Failed reading UID\n"); return AVERROR_INVALIDDATA;
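
Review bot: in the iamf_read_packet() hunk (@@ -162,6 +162,9 @@), the new `if (!s->nb_streams) return AVERROR_EOF;` reports a stream-less context as a normal end of file, so a caller cannot tell a malformed input from a file that simply ended. If zero streams can only come from a bad header, AVERROR_INVALIDDATA would describe it better, and rejecting it once at header-parsing time would avoid repeating the test on every packet read. Either way, a one-line comment naming what ff_iamf_read_packet() would do with no streams would document why the guard exists.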
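
Review bot: in the decode_5elp() hunk (@@ -689,7 +689,7 @@), the position of the new cast in `ac_out[n] + (unsigned)(sum >> 4)` is load-bearing and deserves a short comment. Casting after the shift leaves `sum >> 4` computed as before and only makes the additions on this line wrap as unsigned; moving the cast inside, as in `(unsigned)sum >> 4`, would change the decoded value whenever sum is a negative signed value. The subject line limits the fix to block type 2, so it is worth confirming that no other block type in decode_5elp() still uses the uncast form of this expression.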
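
Review bot: in the mxf_read_partition_pack() hunk (@@ -791,6 +791,9 @@), the new `partition->body_offset < 0` rejection returns AVERROR_INVALIDDATA silently, while the UID read failure directly below it logs through av_log(mxf->fc, AV_LOG_ERROR, ...). Logging the rejected body_offset the same way would make a refused file diagnosable. The check also covers only negative values read by avio_rb64(); if the subtraction named in the commit message can involve a very large positive body_offset as well, an upper bound belongs here too.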