From patchwork Tue Mar 26 00:11:42 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47462
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:42 +0100
Message-Id: <20240326001151.12083-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 01/10] avformat/concatdec: Check user_duration sum

Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6434245599690752
Fixes: signed integer overflow: 9223372026773000000 + 22337000000 cannot be represented in type 'long'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/concatdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index ac541a592fa..f1401e43530 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c
@@ -679,6 +679,8 @@ static int concat_read_header(AVFormatContext *avf) cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } cat->files[i].duration = cat->files[i].user_duration; + if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX) + return AVERROR_INVALIDDATA; time += cat->files[i].user_duration; } if (i == cat->nb_files) {
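Review bot: The added check in concat_read_header() casts user_duration to uint64_t, so a negative value (the context line above computes it as outpoint - inpoint) is handled only through unsigned wraparound: assuming time is non-negative, it is rejected when it would take time below zero and accepted otherwise. If negative durations are not meant to be valid, test `cat->files[i].user_duration < 0` explicitly before the sum check, or add a comment saying the wraparound is intended. The subtraction `cat->files[i].outpoint - cat->files[i].inpoint` in the context line is still unchecked.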
From patchwork Tue Mar 26 00:11:43 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47463
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:43 +0100
Message-Id: <20240326001151.12083-2-michael@niedermayer.cc>
In-Reply-To: <20240326001151.12083-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 02/10] avformat/jacosubdec: Use 64bit for abs

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5401294942371840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/jacosubdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 447397b6a77..dabb298a264 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c
@@ -150,7 +150,7 @@ static int get_shift(unsigned timeres, const char *buf) } ret = (int64_t)h*3600 + (int64_t)m*60 + s; - if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) + if (FFABS(ret) > (INT64_MAX - FFABS((int64_t)d)) / timeres) return 0; ret = sign * (ret * timeres + d);
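Review bot: The condition in get_shift() divides by timeres, and nothing in the hunk shows that the unsigned timeres argument is nonzero; worth confirming that the caller guarantees this, or rejecting 0 here. The cast itself handles d == INT_MIN, but a short comment on why FFABS needs the 64-bit operand would keep it from being removed later as redundant.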
From patchwork Tue Mar 26 00:11:44 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47464
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:44 +0100
Message-Id: <20240326001151.12083-3-michael@niedermayer.cc>
In-Reply-To: <20240326001151.12083-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 03/10] avformat/mov: use 64bit for intermediate for rounding

Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c index f954b924a02..e5e704caeb1 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c
@@ -8993,7 +8993,7 @@ static int mov_read_timecode_track(AVFormatContext *s, AVStream *st) /* 60 fps content have tmcd_nb_frames set to 30 but tc_rate set to 60, so * we multiply the frame number with the quotient. * See tickets #9492, #9710. */ - rounded_tc_rate = (tc_rate.num + tc_rate.den / 2) / tc_rate.den; + rounded_tc_rate = (tc_rate.num + tc_rate.den / 2LL) / tc_rate.den; /* Work around files where tmcd_nb_frames is rounded down from frame rate * instead of up. See ticket #5978. */ if (tmcd_nb_frames == tc_rate.num / tc_rate.den &&
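Review bot: In mov_read_timecode_track() the widening depends on the `2LL` literal promoting first the division and then the addition through the usual arithmetic conversions, which is easy to miss when reading. `((int64_t)tc_rate.num + tc_rate.den / 2) / tc_rate.den` states the intent directly and computes the same value. Patch 04/10 changes the same expression in libavutil/timecode.c, so the two sites should end up in the same form.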
From patchwork Tue Mar 26 00:11:45 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47465
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:45 +0100
Message-Id: <20240326001151.12083-4-michael@niedermayer.cc>
In-Reply-To: <20240326001151.12083-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 04/10] avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate()

Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104
Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavutil/timecode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/timecode.c b/libavutil/timecode.c index b93f05b4b82..bd879bd3cc0 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c
@@ -210,7 +210,7 @@ static int fps_from_frame_rate(AVRational rate) { if (!rate.den || !rate.num) return -1; - return (rate.num + rate.den/2) / rate.den; + return (rate.num + rate.den/2LL) / rate.den; } int av_timecode_check_frame_rate(AVRational rate)
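Review bot: fps_from_frame_rate() rejects only a zero num or den, so negative values still reach the division, and with the 64-bit intermediate the quotient can exceed the int return type: num = INT_MIN with den = -1 gives 2147483648, which is then narrowed on return. Either reject `rate.num < 0 || rate.den < 0` alongside the zero check, or range-check the 64-bit result before returning it.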
From patchwork Tue Mar 26 00:11:46 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47466
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:46 +0100
Message-Id: <20240326001151.12083-5-michael@niedermayer.cc>
In-Reply-To: <20240326001151.12083-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 05/10] avformat/rpl: Use 64bit for total_audio_size and check it

Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4677434693517312
Fixes: signed integer overflow: 5555555555555555556 * 8 cannot be represented in type 'long long'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/rpl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 3f10e51d482..09d0b68f748 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c
@@ -118,7 +118,7 @@ static int rpl_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; RPLContext *rpl = s->priv_data; AVStream *vst = NULL, *ast = NULL; - int total_audio_size; + int64_t total_audio_size; int error = 0; const char *endptr; char audio_type[RPL_LINE_LENGTH]; 
@@ -303,6 +303,8 @@ static int rpl_read_header(AVFormatContext *s) if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0); + if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) + return AVERROR_INVALIDDATA; total_audio_size += audio_size * 8; }
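Review bot: The new bound check in rpl_read_header() sits after the av_add_index_entry() call, which already evaluates `audio_size * 8` as an argument, so when ast is set the multiplication named in the commit message can still overflow before the check runs. Move the check above the `if (ast)` statement. The comparison also casts audio_size to uint64_t, so a negative audio_size is caught only through wraparound; an explicit `audio_size < 0` test would make that intent clear.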
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:47 +0100
Message-Id: <20240326001151.12083-6-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 06/10] avformat/sbgdec: Check for negative duration

Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index bc2469afd17..e60eb1481ea 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c
@@ -387,7 +387,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); - if (oarg.e != oarg.s + r) { + if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; From patchwork Tue Mar 26 00:11:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 47468 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c889:b0:1a3:b6bb:3029 with SMTP id hb9csp1510747pzb; Mon, 25 Mar 2024 17:12:56 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXicS0RSvZjfcpmLfqXYVmLrVqrWMDc4n3rE4026sidLlSxTJ7gXiqYB72etQWyGkqsith1O0g3ndnQguOxoEVdxOGS1+2f5bMplQ== X-Google-Smtp-Source: AGHT+IFdlYQWeG1Qn45jYxYZIrwDjDv2SWOATbdom6m3vpvnwag7qLa4AsmholRru9rYht0VjjW0 X-Received: by 2002:a17:906:1417:b0:a45:b1d8:200c with SMTP id p23-20020a170906141700b00a45b1d8200cmr5705151ejc.14.1711411976516; Mon, 25 Mar 2024 17:12:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1711411976; cv=none; d=google.com; s=arc-20160816; b=SxFXRhdPoaxQsHq2/zgmG/avwjnV+mGtUyoON2PDWafebw0sOOJ3EK11H697b7KLLr bku4ht4/p/mQKTEXfgBBddkp1j51MetwVdmxx7FntN61Z1wucUyl8XvDuO1lXgYi3sPy cgtsRy3NxokUe1E2wgun/X8EmPemcWpmD4XH5t4ArMcIjpn+NSZotbG5z94gCKbU3ixm oz+QDe2PYE0Z5SvPWmrSaA1bP+jMUB7uVIhLPuWiT4awn4Wx/JhlSL/q2C+jdGXjxfY3 YWAktBwlOQgsC9CElbt2SyHz1dfsS4ZHzUldNIaLB134jLBcf6zgywtLCziXmZVda3E1 3Q2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=dbxBAJ0YWKFsiEm7QhQmnlZ5+8FfLND+g39v+cKn+Sc=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:48 +0100
Message-Id: <20240326001151.12083-7-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 07/10] avformat/wavdec: sanity check channels and bps before using them for block_align

Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-4704044498944000
Fixes: signed integer overflow: 520464 * 8224 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/wavdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 668c8adc36b..89855670d9c 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c
@@ -34,6 +34,7 @@ #include "libavutil/log.h" #include "libavutil/mathematics.h" #include "libavutil/opt.h" +#include "libavcodec/internal.h" #include "avformat.h" #include "avio.h" #include "avio_internal.h" 
@@ -908,7 +909,9 @@ static int w64_read_header(AVFormatContext *s) if (ret < 0) return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); - if (st->codecpar->block_align) { + if (st->codecpar->block_align && + st->codecpar->ch_layout.nb_channels < FF_SANE_NB_CHANNELS && + st->codecpar->bits_per_coded_sample < 128) { int block_align = st->codecpar->block_align; block_align = FFMAX(block_align, From patchwork Tue Mar 26 00:11:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 47469 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c889:b0:1a3:b6bb:3029 with SMTP id hb9csp1510816pzb; Mon, 25 Mar 2024 17:13:05 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUeVmbfJShf2knK2WQ5QDloPXmrJWUc/BDTr/DXmRIrPcNFFbjTsxqSug6e5BuPf+qnnBariYzgWv0pCLguRExkkkOm9V9Y+lxVoA== X-Google-Smtp-Source: AGHT+IEWqdBbsf6JESu2RjF0a8DbEnwjr8AT3RMhPMDAWTLt+RiR8457LM5P6Qe/tJuK9tNmZGV8 X-Received: by 2002:a5d:6a4e:0:b0:341:b5a8:ee43 with SMTP id t14-20020a5d6a4e000000b00341b5a8ee43mr5254839wrw.4.1711411985537; Mon, 25 Mar 2024 17:13:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1711411985; cv=none; d=google.com; s=arc-20160816; b=AkyErP34Ce9ddP4vT/y6kHD/LSyNre/plTmvmafcXAEHVhks+u2AsxYwylI3TkT91t +JreQlUB7lOdtztalFSbsLS1BBRmgCs1uXiIwVay2P9N3Rf4KQukJc58lkCRQvuiiNmr cMjjpijVMDhsu4VQXLIjA1nUJMEQ02SXw5R0xCQgNpc3Fjbb2Jy7DfiRFH1JlQTTpGMv cVazdKzPsU0bNYyAvnBVcoNNSjkwN4EFolsQbgmcAsghvhdYcZnc02DnpuOkPk7yoLb4 jQ9Wu5G2oM1Ir/ICBrNwRRmjvFRD7cqxl8A6zA07lTU8c3GyOdo+T4BmhRXYdER/pBlG lQ7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=A7upmFn+b9bqBdvLsZBstVfjwjEXhk+mTi3zmgID9bg=; 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:49 +0100
Message-Id: <20240326001151.12083-8-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 08/10] avformat/wavdec: saturate next_tag_ofs, data_end

Fixes: signed integer overflow: 5053074104798691550 + 5053074104259715104 cannot be represented in type 'long'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6515315309936640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 89855670d9c..0fed1ee6398 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c
@@ -453,7 +453,7 @@ static int wav_read_header(AVFormatContext *s) } if (rf64 || bw64) { - next_tag_ofs = wav->data_end = avio_tell(pb) + data_size; + next_tag_ofs = wav->data_end = av_sat_add64(avio_tell(pb), data_size); } else if (size != 0xFFFFFFFF) { data_size = size; next_tag_ofs = wav->data_end = size ? next_tag_ofs : INT64_MAX; From patchwork Tue Mar 26 00:11:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 47470 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c889:b0:1a3:b6bb:3029 with SMTP id hb9csp1510866pzb; Mon, 25 Mar 2024 17:13:14 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCU9rFqRYbmPNbRK8RXUwNq8sOndnb8hqLFKFtxjzX5m/vrLqoLeHOWyrjU4/MHJbR168a0tcQucp5YkZOUv+a0Jk4It047btEA44w== X-Google-Smtp-Source: AGHT+IEKXgYGQsrcG6KhbDHgDRYG2mC6yji/7NM0UzRqhQ+cHfLLVYkbGTYPgTvfTkFVA7k+X/iI X-Received: by 2002:a2e:908f:0:b0:2d4:ae2f:ce5 with SMTP id l15-20020a2e908f000000b002d4ae2f0ce5mr5253089ljg.40.1711411994476; Mon, 25 Mar 2024 17:13:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1711411994; cv=none; d=google.com; s=arc-20160816; b=uJYR7f4LSjjsQjQIUHAnsu9DLKORBCZW5GQnQPp1r7wxm7Rz70D8JQUxIZEuXhSORB 9RPQINjX13o5LaXKwSikCNbHoByUwtfpjQdnRUbvxTGTlPInu6kF/B/yIJUmCa/pjIcB KDR+sp8ZFXlbCxKtvtPhWI0nY9qHwyOCfcfZxRQFY3L7HbHAcGgHA3WPlZV9HdqE2gwY KCKSv6JMGVHDps3We9brSkA9yHUWBMu1bSHjfhmEnsK6LCa1IQS8NL2nWb8N2FNsfs09 lR1HcT0bMfoKG+H5ULUCv67xH3GGAPhFTRBdokDQiZOqkjlo8I6shuOtCBGMoCjWBgd0 ROug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=PctA5sCBZ+oxSnFSIPZit8fHgDbqXqQrNCjzN94BU+I=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:50 +0100
Message-Id: <20240326001151.12083-9-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 09/10] avformat/matroskadec: Check timescale

Fixes: 3.82046e+18 is outside the range of representable values of type 'unsigned int'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6381436594421760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/matroskadec.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8897fd622c6..8e031c618ba 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c
@@ -3195,6 +3195,10 @@ static int matroska_parse_tracks(AVFormatContext *s) track->time_scale); track->time_scale = 1.0; } + + if (matroska->time_scale * track->time_scale > UINT_MAX) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000); /* 64 bit pts in ns */ From patchwork Tue Mar 26 00:11:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 47471 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c889:b0:1a3:b6bb:3029 with SMTP id hb9csp1510911pzb; Mon, 25 Mar 2024 17:13:23 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUS+ZIIdzu5dMrjvmg7DvBp7GiXGyRo2c7fqDX4l8KF1I+mGKHoJpHMsEYUU5FLqpgXkpiLmjrE8NqKZkNFwA4MpxRqU68tssO5Dw== X-Google-Smtp-Source: AGHT+IHEWZjWTmXfdzEOaJJTdbGiO0pQAUDgTCKjXZytHQ3I5RU4j8NqOCn+ty6ePbnNlTWo9cm7 X-Received: by 2002:a17:906:ce36:b0:a46:dd30:7cb5 with SMTP id sd22-20020a170906ce3600b00a46dd307cb5mr6117657ejb.76.1711412002949; Mon, 25 Mar 2024 17:13:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1711412002; cv=none; d=google.com; s=arc-20160816; b=iIm5cCDhzpDUk7gKNsW/j5kNx0sCNJxioAZcDGDd3zo1mczYaGOLxREwQa8gLS3jlD ZcXIGSr5HrL6CubnKKnwoTxEo4cIp9oEtrKKdPpPecObAbFUqYMd9/PaCuiCsYK6Mj42 Kwq08rU648zXexEIIqEoyHfXD4/J1a4MHXdqGkWgfTg1SgUMOlG3gjiAMeWkuaYrL9uv BRcejvHn+2tpEueju6wRDRwJBF6X6A2PxpI1b0Wm3SeIBxW6ufwKrOYxja16XpR22QSr VDVXLxnr6N8J9rvT01hdLXEmo5yO6wYtkXiCdkPLVRNKCwATQiO0hWshnF0MYZtJvF+Y 5m6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=Qjm0eq8xgL05osBvt3FGa370do6iunAt5nEvMrQxgCg=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 26 Mar 2024 01:11:51 +0100
Message-Id: <20240326001151.12083-10-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 10/10] avformat/westwood_vqa: Fix 2g packets

Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int'
Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/westwood_vqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 954710a6f00..3a31e3f5e8e 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c
@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ - pkt->duration = (chunk_size * 2) / wsvqa->channels; + pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break;
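
Review bot: in the rpl_read_header hunk the new overflow check runs after both av_add_index_entry() calls, so an oversized chunk is still entered into the index, and audio_size * 8 is still evaluated as an argument, before the function returns AVERROR_INVALIDDATA. Move the check above the av_add_index_entry() calls so the values are validated before their first use. The condition combines total_audio_size/8 with a uint64_t cast of audio_size; a one-line comment saying that it keeps total_audio_size += audio_size * 8 below INT64_MAX would make the bound easier to verify.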
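
Review bot: in the sbgdec parse_options hunk (case 'L') a negative p->scs.opt_duration now takes the same branch as a parse failure and is reported as "syntax error for option -L", which is misleading when the argument is a well-formed but negative time. Give the range failure its own message so a malformed argument can be told apart from an out-of-range one. The added test only rejects negative values; the overflow quoted in the commit message is INT64_MAX minus a negative number, so a short comment naming the later subtraction this protects would help.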
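
Review bot: the first wavdec.c hunk (patch 07) includes libavcodec/internal.h from a libavformat demuxer only to obtain FF_SANE_NB_CHANNELS. Including another library's internal header couples the two libraries for the sake of one constant; check whether the limit is reachable through a header libavformat already uses, or state in the commit message why this include is required.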
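
Review bot: in the w64_read_header hunk the literal 128 that bounds bits_per_coded_sample has no comment or named constant, and when either new condition fails the block_align adjustment is skipped silently while parsing continues with the same out-of-range channel count or sample size in codecpar. Document where 128 comes from, and consider returning AVERROR_INVALIDDATA or logging a warning for such headers instead of only bypassing this block. Both new comparisons are upper bounds only, so if these fields can be negative at this point they still pass.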
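
Review bot: in the wav_read_header hunk av_sat_add64() clamps an overflowing sum to INT64_MAX, which is the same value the following branch assigns to data_end when size is 0, so an overflowing data_size becomes indistinguishable from the "no size" case. Saturation also does not help if data_size is negative or avio_tell(pb) returns an error, since the sum then lands before the current position; no check for either is visible in this hunk. If clamping is the intended behaviour, say so in a comment; otherwise reject data_size < 0 before this line.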
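
Review bot: in the matroska_parse_tracks hunk the new test bounds the product only from above, and "matroska->time_scale * track->time_scale > UINT_MAX" is false for a NaN product, so such a value would still reach avpriv_set_pts_info() unless earlier code excludes it. The product is also computed twice; store it in a local and reuse it in the call. The block just above resets a bad track->time_scale to 1.0 and continues, while this one fails the whole file without a log message; an av_log() call here would keep the two paths consistent for anyone debugging a rejected file.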
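
Review bot: in the wsvqa_read_packet hunk the 2LL promotion removes the int overflow in chunk_size * 2, but the SND2_TAG case still divides by wsvqa->channels with no guard against zero visible in this hunk, and a chunk_size close to 2^31 is still accepted as a packet size. Confirm that channels is validated when the header is read, and consider rejecting implausibly large chunk_size values up front rather than only widening the arithmetic. The subject "Fix 2g packets" would be clearer if it named the overflow in the duration computation.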