From patchwork Thu Nov 30 12:28:53 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 44849
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:a301:b0:181:818d:5e7f with SMTP id x1csp307384pzk;
        Thu, 30 Nov 2023 04:29:07 -0800 (PST)
X-Google-Smtp-Source: 
 AGHT+IFDJxar5lJ5Y7Z1BtyZQqkVydR4QMOK79YCCNNj+p9abKc9v0EdrCwyqFLUoaDHaIXBNgGX
X-Received: by 2002:a05:6512:a91:b0:50b:d44d:9d9e with SMTP id
 m17-20020a0565120a9100b0050bd44d9d9emr309205lfu.47.1701347347256;
        Thu, 30 Nov 2023 04:29:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701347347; cv=none;
        d=google.com; s=arc-20160816;
        b=qMKcVDx05/VgJeEA4aQfTZLcQWv70cI39bI4ftXBojxaH8akswwxG7VBlVVrORULwc
         ASJ2H48KZXR1j65113ufXJKm86umlGPt37jlfUi8qfg9YwXKKWINJJl5OX8BCyYLRf3n
         UqiMcJrh7JGfpPfXZbzd/pAA+XqIdDajVycaG7brrT2VAdCF/YTvxP1uiLQgn/MRe5YE
         4Ba7obyBNVuqmkzt5l31e9gOBrLRa9ZgHSs8hdUglOntVZWkhl+Sd5laX7qQuFzvqD4/
         pQbJ6OJmn9RKf4Pd4O7P1yqxkazKiQgsTRTTqnlFVn2TfKQjPlaZijC3O/CGnqxCGZ5/
         Dlzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:mime-version:cc:reply-to
         :from:list-subscribe:list-help:list-post:list-archive
         :list-unsubscribe:list-id:precedence:subject:message-id:date:to
         :delivered-to;
        bh=0qyEgguQsELzDCXXOz0xbl1Sg8xgGBXPa9edZhZoE/Q=;
        fh=l1lGNKUVwoEdHyh7agyNrt9DxytATGtBhRX2oneY+XI=;
        b=FPljJ6L1d/zIoewLLvHqpj0uXdF0y3hi2pMJTBnnI3m8zMsjs1/OnOvM6S6cD2suns
         Mvk8Soh42e4rUQJVi3EwZjLcsPwub6ppHpsXHE3rMdIVzctMAynVZB51KNrnZrR/wzXm
         kipdHKGcI9uPUXJukhKGpmM9p3zHbCEOxWJk306yu+m7ElvXQtaGADcHppEBrXOGn4u0
         fs5/R32uDuHQy7hHdCxDf9AnQK8ohap00mv/X9xYsvx1U1FS88HdpLAfg+8u5CcOSuwZ
         qw3hTTpvmfrNVFd3G4HIOoLf8Iwc41wq2kZFw2CksAbXeRZRUAwPj75R87wa8pl9N2sf
         iDzw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 x12-20020a05640226cc00b0054af71ba7d1si529229edd.538.2023.11.30.04.29.05;
        Thu, 30 Nov 2023 04:29:07 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 93F6368D040;
	Thu, 30 Nov 2023 14:29:02 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net
 [217.70.183.197])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 1CC9E68CFB8
 for <ffmpeg-devel@ffmpeg.org>; Thu, 30 Nov 2023 14:28:55 +0200 (EET)
Received: by mail.gandi.net (Postfix) with ESMTPSA id 1E7FA1C0003
 for <ffmpeg-devel@ffmpeg.org>; Thu, 30 Nov 2023 12:28:53 +0000 (UTC)
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Thu, 30 Nov 2023 13:28:53 +0100
Message-Id: <20231130122853.26758-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
X-GND-Sasl: michael@niedermayer.cc
Subject: [FFmpeg-devel] [PATCH] avcodec/av1dec: Fix resolving zero divisor
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
X-Patchwork-Original-From: Michael Niedermayer via ffmpeg-devel
 <ffmpeg-devel@ffmpeg.org>
From: Michael Niedermayer <michael@niedermayer.cc>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Michael Niedermayer <michael@niedermayer.cc>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: 2nv+FMF25+DJ

Fixes: Out of array read
Fixes: global-buffer-overflow-AV1

Found-by: "Leonelli, Matteo" <matteo.leonelli@cispa.de>
Tested-by: "Wang, Fei W" <fei.w.wang@intel.com>
Reviewed-by: "Wang, Fei W" <fei.w.wang@intel.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/av1dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index 6114cb78e65..4dcde234c6c 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -177,7 +177,7 @@ static uint8_t get_shear_params_valid(AV1DecContext *s, int idx)
     int16_t alpha, beta, gamma, delta, divf, divs;
     int64_t v, w;
     int32_t *param = &s->cur_frame.gm_params[idx][0];
-    if (param[2] < 0)
+    if (param[2] <= 0)
         return 0;
 
     alpha = av_clip_int16(param[2] - (1 << AV1_WARPEDMODEL_PREC_BITS));