From patchwork Thu Mar 21 01:15:14 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47274
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 21 Mar 2024 02:15:14 +0100
Message-Id: <20240321011517.10363-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/4] avcodec/mscc: move frame allocates to later

Fixes: Timeout
Fixes: 66964/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SRGC_fuzzer-5413170363564032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/mscc.c | 43 +++++++++++++++++++++----------------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/libavcodec/mscc.c b/libavcodec/mscc.c index d1d23e6751..1e9fd35f03 100644 --- a/libavcodec/mscc.c +++ b/libavcodec/mscc.c 
@@ -142,28 +142,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, if (avpkt->size < 3) return buf_size; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - - if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { - size_t size; - const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); - - if (pal && size == AVPALETTE_SIZE) { -#if FF_API_PALETTE_HAS_CHANGED -FF_DISABLE_DEPRECATION_WARNINGS - frame->palette_has_changed = 1; -FF_ENABLE_DEPRECATION_WARNINGS -#endif - for (j = 0; j < 256; j++) - s->pal[j] = 0xFF000000 | AV_RL32(pal + j * 4); - } else if (pal) { - av_log(avctx, AV_LOG_ERROR, - "Palette size %"SIZE_SPECIFIER" is wrong\n", size); - } - memcpy(frame->data[1], s->pal, AVPALETTE_SIZE); - } - ret = inflateReset(zstream); if (ret != Z_OK) { av_log(avctx, AV_LOG_ERROR, "Inflate reset error: %d\n", ret); 
@@ -191,6 +169,27 @@ inflate_error: av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", ret); return AVERROR_UNKNOWN; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { + size_t size; + const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, &size); + + if (pal && size == AVPALETTE_SIZE) { +#if FF_API_PALETTE_HAS_CHANGED +FF_DISABLE_DEPRECATION_WARNINGS + frame->palette_has_changed = 1; +FF_ENABLE_DEPRECATION_WARNINGS +#endif + for (j = 0; j < 256; j++) + s->pal[j] = 0xFF000000 | AV_RL32(pal + j * 4); + } else if (pal) { + av_log(avctx, AV_LOG_ERROR, + "Palette size %"SIZE_SPECIFIER" is wrong\n", size); + } + memcpy(frame->data[1], s->pal, AVPALETTE_SIZE); + } bytestream2_init(&gb, s->decomp_buf, zstream->total_out); bytestream2_init_writer(&pb, s->uncomp_buf, s->uncomp_size);

From patchwork Thu Mar 21 01:15:15 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47275
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 21 Mar 2024 02:15:15 +0100
Message-Id: <20240321011517.10363-2-michael@niedermayer.cc>
In-Reply-To: <20240321011517.10363-1-michael@niedermayer.cc>
References: <20240321011517.10363-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/4] avformat/iamf_reader: return REDO on failure to read

Fixes: null pointer dereference
Fixes: 67007/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6522819204677632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/iamf_reader.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c index 42d20f1ae6..a06aa98cdb 100644 --- a/libavformat/iamf_reader.c +++ b/libavformat/iamf_reader.c @@ -26,6 +26,7 @@ #include "libavcodec/packet.h" #include "avformat.h" #include "avio_internal.h" +#include "demux.h" #include "iamf.h" #include "iamf_parse.h" #include "iamf_reader.h" 
@@ -322,7 +323,7 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c, break; } - return read; + return FFERROR_REDO; } void ff_iamf_read_deinit(IAMFDemuxContext *c)

From patchwork Thu Mar 21 01:15:16 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47276
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 21 Mar 2024 02:15:16 +0100
Message-Id: <20240321011517.10363-3-michael@niedermayer.cc>
In-Reply-To: <20240321011517.10363-1-michael@niedermayer.cc>
References: <20240321011517.10363-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/4] avcodec/cbs_h266_syntax_template: Check tile_y

Fixes: out of array access
Fixes: 67021/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4883576579489792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs_h266_syntax_template.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 49fb12ba77..0aae9fdfd5 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c 
@@ -2072,6 +2072,8 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw, tile_x = tile_idx % current->num_tile_columns; tile_y = tile_idx / current->num_tile_columns; + if (tile_y >= current->num_tile_rows) + return AVERROR_INVALIDDATA; ctu_x = 0, ctu_y = 0; for (j = 0; j < tile_x; j++) {

From patchwork Thu Mar 21 01:15:17 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47277
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 21 Mar 2024 02:15:17 +0100
Message-Id: <20240321011517.10363-4-michael@niedermayer.cc>
In-Reply-To: <20240321011517.10363-1-michael@niedermayer.cc>
References: <20240321011517.10363-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/4] avformat/iamf: Check language_label

Fixes: null pointer dereference
Fixes: 67023/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6011025237278720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/iamf.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavformat/iamf.c b/libavformat/iamf.c index 5de70dc082..f2c22ce3aa 100644 --- a/libavformat/iamf.c +++ b/libavformat/iamf.c 
@@ -89,9 +89,10 @@ void ff_iamf_free_mix_presentation(IAMFMixPresentation **pmix_presentation) if (!mix_presentation) return; - for (int i = 0; i < mix_presentation->count_label; i++) - av_free(mix_presentation->language_label[i]); - av_free(mix_presentation->language_label); + if (mix_presentation->language_label) + for (int i = 0; i < mix_presentation->count_label; i++) + av_free(mix_presentation->language_label[i]); + av_freep(&mix_presentation->language_label); av_iamf_mix_presentation_free(&mix_presentation->mix); av_freep(pmix_presentation); }
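
Review bot: In libavcodec/mscc.c (PATCH 1/4), the palette update `s->pal[j] = 0xFF000000 | AV_RL32(pal + j * 4);` now sits after the `inflate_error:` return, so a packet that carries AV_PKT_DATA_PALETTE side data but fails to inflate no longer updates `s->pal`, and the next frame that does decode is drawn with the previous palette. Before the move the palette was stored even when the packet failed later. If that change is intended, say so in the commit message; otherwise keep the side-data read and the `s->pal` update ahead of inflate and move only `ff_get_buffer()` and the `memcpy(frame->data[1], s->pal, AVPALETTE_SIZE)`. The message also gives only "Fixes: Timeout"; one sentence on why deferring the allocation helps (presumably that no frame buffer is requested for packets that fail inflate) would make the change reviewable without the fuzzer testcase.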
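
Review bot: In libavformat/iamf_reader.c (PATCH 2/4), the final statement of ff_iamf_read_packet() changes from `return read;` to an unconditional `return FFERROR_REDO;`, so whatever `read` held at that exit is discarded. The subject says "on failure to read", but the hunk does not test for failure: if `read` can be a negative AVERROR at this point (end of file, I/O error), the caller is now told to call the demuxer again instead of stopping. Please confirm that this cannot happen here, or keep the error path, for example `if (read < 0) return read;` before `return FFERROR_REDO;`. The commit message should also name the pointer that was NULL and explain why returning REDO avoids the dereference.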
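
Review bot: In libavcodec/cbs_h266_syntax_template.c (PATCH 3/4), the added `if (tile_y >= current->num_tile_rows) return AVERROR_INVALIDDATA;` rejects the PPS with no log output, so an invalid stream fails without any hint as to which value was out of range. Add an av_log() at AV_LOG_ERROR that reports `tile_idx` and the tile grid dimensions. Because `tile_y = tile_idx / current->num_tile_columns`, the condition is equivalent to `tile_idx >= num_tile_columns * num_tile_rows`; checking `tile_idx` directly where it is derived would put the validation next to its source and make the intent clearer than a check on the quotient.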
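
Review bot: In libavformat/iamf.c (PATCH 4/4), the new `if (mix_presentation->language_label)` guard in ff_iamf_free_mix_presentation() covers a state where `count_label` is non-zero while `language_label` is NULL, but that inconsistent state is created elsewhere and any other loop over `language_label[i]` bounded by `count_label` would hit the same NULL. Consider also setting `count_label` only after the array has been allocated, or zeroing it on allocation failure, so the struct is never left that way. The switch from `av_free()` to `av_freep()` is reasonable but is not mentioned in the commit message, and the `if` wrapping a `for` would read better with braces.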