From patchwork Fri Mar 29 19:32:19 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47662
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 29 Mar 2024 20:32:19 +0100
Message-Id: <20240329193221.11522-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/3] avcodec/jpeg2000htdec: Check magp before using it in a shift

Fixes: shift exponent -1 is negative
Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/jpeg2000dec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 1afc6b1e2dd..fe2afb05057 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1910,6 +1910,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile int nb_precincts, precno; Jpeg2000Band *band = rlevel->band + bandno; int cblkno = 0, bandpos; + /* See Rec. ITU-T T.800, Equation E-2 */ + int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; bandpos = bandno + (reslevelno > 0); 
@@ -1917,6 +1919,9 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile band->coord[1][0] == band->coord[1][1]) continue; + if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) + return; + nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y; /* Loop on precincts */ for (precno = 0; precno < nb_precincts; precno++) { 
@@ -1927,8 +1932,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height; cblkno++) { int x, y, ret; - /* See Rec. ITU-T T.800, Equation E-2 */ - int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; Jpeg2000Cblk *cblk = prec->cblk + cblkno;
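
Review bot: The guard added in the second hunk of tile_codeblocks() rejects only `magp >= 31`, yet magp is a signed int computed as `quantsty->expn[subbandno] + quantsty->nguardbits - 1`, which evaluates to -1 when both terms are zero, and the commit message reports a shift exponent of -1. Please state in the commit message or in a comment which shift the upper bound protects, and extend the test to `magp < 0` if the HT decoder shifts by magp directly. The function returns void, so the bare `return` abandons every remaining band of the tile without a log line or an error, whereas the empty-band test just above uses `continue`; a warning that prints the rejected magp value would make the truncated decode diagnosable. The subject names jpeg2000htdec while the change is in libavcodec/jpeg2000dec.c.
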
From patchwork Fri Mar 29 19:32:20 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47663
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 29 Mar 2024 20:32:20 +0100
Message-Id: <20240329193221.11522-2-michael@niedermayer.cc>
In-Reply-To: <20240329193221.11522-1-michael@niedermayer.cc>
References: <20240329193221.11522-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/3] avcodec/jpeg2000htdec: warn about non zero roi shift

Suggested-by: Tomas Härdin
Signed-off-by: Michael Niedermayer
--- libavcodec/jpeg2000htdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000htdec.c b/libavcodec/jpeg2000htdec.c index 6b9898d3ff2..4f0b10b4293 100644 --- a/libavcodec/jpeg2000htdec.c +++ b/libavcodec/jpeg2000htdec.c 
@@ -1198,6 +1198,9 @@ ff_jpeg2000_decode_htj2k(const Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c av_assert0(width * height <= 4096); av_assert0(width * height > 0); + if (roi_shift) + avpriv_report_missing_feature(s->avctx, "ROI shift"); + memset(t1->data, 0, t1->stride * height * sizeof(*t1->data)); memset(t1->flags, 0, t1->stride * (height + 2) * sizeof(*t1->flags));
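
Review bot: After `avpriv_report_missing_feature(s->avctx, "ROI shift")` in ff_jpeg2000_decode_htj2k(), execution falls straight through to the memset calls, so a codeblock with a non-zero roi_shift is still decoded by a path that has just declared the feature unsupported and the caller gets no error. Either return an error at this point or add a comment explaining why continuing with a warning is the intended behaviour. If this function runs once per codeblock, as the `width * height <= 4096` assertion suggests, the message will also be emitted for every codeblock of an affected stream; reporting it once, or where roi_shift is parsed, would avoid flooding the log.
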
From patchwork Fri Mar 29 19:32:21 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 47664
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 29 Mar 2024 20:32:21 +0100
Message-Id: <20240329193221.11522-3-michael@niedermayer.cc>
In-Reply-To: <20240329193221.11522-1-michael@niedermayer.cc>
References: <20240329193221.11522-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/3] avformat/mxfdec: Check first case of offset_temp computation for overflow

This is kind of ugly

Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long'
Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/mxfdec.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index c9af4628555..fe86f516630 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -1891,9 +1891,14 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; - if (s->edit_unit_byte_count) + if (s->edit_unit_byte_count) { + if (s->edit_unit_byte_count * (uint64_t)index / s->edit_unit_byte_count != index || + s->edit_unit_byte_count * index > INT64_MAX - offset_temp + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; - else { + } else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */
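
Review bot: The first operand of the new condition in mxf_edit_unit_absolute_offset() only detects wrap-around of the unsigned 64-bit product, so a product that lies between INT64_MAX and UINT64_MAX passes it, and the second operand `s->edit_unit_byte_count * index` then performs the same signed multiplication the sanitizer reported (the `(uint64_t)` cast is missing there, and again in the `offset_temp +=` line). With index and offset_temp known to be non-negative, a single division-based test such as `index > (INT64_MAX - offset_temp) / s->edit_unit_byte_count` covers both the multiplication and the addition without ever forming the product. `INT64_MAX - offset_temp` itself assumes offset_temp is not negative, which deserves a check or a comment, and the closing `)` left on its own line should be joined to the line above.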