From patchwork Wed Jul 26 23:59:15 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 43000
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 27 Jul 2023 01:59:15 +0200
Message-Id: <20230726235916.30058-3-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230726235916.30058-1-michael@niedermayer.cc>
References: <20230726235916.30058-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/4] avcodec/vvc_parser: Avoid undefined overflow in POC computation
List-Id: FFmpeg development discussions and patches
Reply-To: FFmpeg development discussions and patches

The comments to the function say that it does not implement the spec and instead follows VTM.
This patch is quite likely not the right solution and more intended to show the issue to people knowing the specific part of VTM ...

Fixes: signed integer overflow: 2147483392 + 256 cannot be represented in type 'int'
Fixes: 60505/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6216675924770816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/vvc_parser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vvc_parser.c b/libavcodec/vvc_parser.c
index 3951ebe50a..c661595e1e 100644
--- a/libavcodec/vvc_parser.c
+++ b/libavcodec/vvc_parser.c
@@ -225,10 +225,10 @@ static void get_slice_poc(VVCParserContext *s, int *poc, } else { if ((poc_lsb < prev_poc_lsb) && ((prev_poc_lsb - poc_lsb) >= (max_poc_lsb / 2))) - poc_msb = prev_poc_msb + max_poc_lsb; + poc_msb = prev_poc_msb + (unsigned)max_poc_lsb; else if ((poc_lsb > prev_poc_lsb) && ((poc_lsb - prev_poc_lsb) > (max_poc_lsb / 2))) - poc_msb = prev_poc_msb - max_poc_lsb; + poc_msb = prev_poc_msb - (unsigned)max_poc_lsb; else poc_msb = prev_poc_msb; }
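Review bot: The `(unsigned)max_poc_lsb` casts in both the `+` and `-` branches only move the arithmetic out of undefined behaviour; the sum still wraps and is then converted back into the `int` `poc_msb`, so for the fuzzer input (`2147483392 + 256`) the parser now silently produces a wrapped, negative MSB instead of a sanitizer abort. Since the commit message itself says this is meant to surface the issue rather than fix it, I would rather see the root cause addressed here: a `prev_poc_msb` that cannot absorb another `max_poc_lsb` step in either direction indicates a corrupt or hostile stream, so check for that before the branch (or clamp `prev_poc_msb`) and reject/reset the POC state instead of wrapping. If the casts stay as an interim measure, add a one-line comment above the `if` explaining that the unsigned arithmetic is deliberate and that the wrapped value is expected, otherwise the next reader will "clean up" the cast and reintroduce the overflow.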