diff mbox series

[FFmpeg-devel,1/5] avcodec/tiff: Check camera_calibration for 0

Message ID 20221218170823.32130-1-michael@niedermayer.cc
State Accepted
Commit 44f45711ccbc6bdfcc047402d0e30eb7f3d6214c
Headers show
Series [FFmpeg-devel,1/5] avcodec/tiff: Check camera_calibration for 0 | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Dec. 18, 2022, 5:08 p.m. UTC 
Fixes: division by 0
Fixes: 53926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5680347889401856

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

James Almer Dec. 18, 2022, 5:18 p.m. UTC | #1 
On 12/18/2022 2:08 PM, Michael Niedermayer wrote:
> Fixes: left shift of 1208485947 by 1 places cannot be represented in type 'int'
> Fixes: 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/wavpack.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
> index 3cb4077550..42859ab0a1 100644
> --- a/libavcodec/wavpack.c
> +++ b/libavcodec/wavpack.c
> @@ -129,7 +129,7 @@ static av_always_inline unsigned get_tail(GetBitContext *gb, unsigned k)
>       e   = (1LL << (p + 1)) - k - 1;
>       res = get_bits_long(gb, p);
>       if (res >= e)
> -        res = (res << 1) - e + get_bits1(gb);
> +        res = ((unsigned)res << 1) - e + get_bits1(gb);

Don't we usually do << 1U for this?

>       return res;
>   }
>
Andreas Rheinhardt Dec. 18, 2022, 5:32 p.m. UTC | #2 
James Almer:
> On 12/18/2022 2:08 PM, Michael Niedermayer wrote:
>> Fixes: left shift of 1208485947 by 1 places cannot be represented in
>> type 'int'
>> Fixes:
>> 54058/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5827521084260352
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>   libavcodec/wavpack.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
>> index 3cb4077550..42859ab0a1 100644
>> --- a/libavcodec/wavpack.c
>> +++ b/libavcodec/wavpack.c
>> @@ -129,7 +129,7 @@ static av_always_inline unsigned
>> get_tail(GetBitContext *gb, unsigned k)
>>       e   = (1LL << (p + 1)) - k - 1;
>>       res = get_bits_long(gb, p);
>>       if (res >= e)
>> -        res = (res << 1) - e + get_bits1(gb);
>> +        res = ((unsigned)res << 1) - e + get_bits1(gb);
> 
> Don't we usually do << 1U for this?
> 

Definitely not. The type of a shift is given by the left operand, not
the right operand, so using << 1U doesn't help at all here.
(We often use "* 2U" in such cases; "* (1U << 1)" would also be possible.)

- Andreas
Michael Niedermayer Jan. 11, 2023, 10:29 a.m. UTC | #3 
On Sun, Dec 18, 2022 at 06:08:19PM +0100, Michael Niedermayer wrote:
> Fixes: division by 0
> Fixes: 53926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5680347889401856
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/tiff.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

will apply

[...]
diff mbox series

Patch

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 41b5a6b7e4..820457fedc 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -2050,8 +2050,10 @@  again:
         }
 
         if (!s->use_color_matrix) {
-            for (i = 0; i < 3; i++)
-                s->premultiply[i] /= s->camera_calibration[i][i];
+            for (i = 0; i < 3; i++) {
+                if (s->camera_calibration[i][i])
+                    s->premultiply[i] /= s->camera_calibration[i][i];
+            }
         } else {
             for (int c = 0; c < 3; c++) {
                 for (i = 0; i < 3; i++) {