From patchwork Wed Jul 31 19:54:05 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 50834
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 31 Jul 2024 21:54:05 +0200
Message-ID: <20240731195410.274508-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements

Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192
Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
index b26e39eab4d..dcbc86a5f7d 100644
--- a/libavcodec/cbs.c
+++ b/libavcodec/cbs.c
@@ -605,7 +605,7 @@ static av_always_inline int cbs_read_unsigned(CodedBitstreamContext *ctx, CBS_TRACE_READ_START(); - av_assert0(width > 0 && width <= 32); + av_assert0(width >= 0 && width <= 32); if (get_bits_left(gbc) < width) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at " From patchwork Wed Jul 31 19:54:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 50835 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a59:12d6:0:b0:489:2eb3:e4c4 with SMTP id 205csp712873vqs; Wed, 31 Jul 2024 12:54:31 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXl81QzDwqRgcgjszI3sJW5gTcyUrY5brE74oSSo0YoRwBtcNKKjA8UMkcgCkE/I+vExah2k/+In+vM20TcB4uibCjUOEtHhWdRig== X-Google-Smtp-Source: AGHT+IG397pcFU0zIDnrvIl6dbBvQ1L7u9Bv5JxWFuwv5qXPlzRR8mc54vEzfFdHxTWdzv19kvak X-Received: by 2002:a05:6512:3c94:b0:52f:d15f:d46b with SMTP id 2adb3069b0e04-530b61a9f63mr62719e87.14.1722455671128; Wed, 31 Jul 2024 12:54:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1722455671; cv=none; d=google.com; s=arc-20160816; b=LsfPzB/tgKEGSM2HStL1Cx6A4f+WShARC0a2o6elKbF5k9u85LXxgUzi1CJfhAVfJP BHqIT5C3iHajHB2TdlNqdvnMoxR07f/Wr1TLbsOvGkJ3ojzGmd6r2YLUzPBiEIEJuZyi Bcs4mxUb2+hlUOPUh4aDR0PNiqEqvh3g2CebaxJaxhusHLKOso5JL7sP2vhULmIdS+ex hORSrh3gt3IHpHzD7shdM2ciK/5BCdmK4Ni2SgLOkQE8W5I6ICfm1jJVzm6X6UbbESYl lR84gZs+iWvz0R+zxHLSnB5M+T1paX7L5Ewduj0hjVOCyAhQIcbIhOasIUmStwX8uJOn 44AQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:references:in-reply-to:message-id :date:to:from:dkim-signature:delivered-to; bh=vhsZ3E2/02JojnJboy8eugi8HNdrtXJdaCx/xn+qxBY=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; b=rq/fMV83AXYUKgLaYpmSvnm9GpUsR+Xcd0QXoGBAsz3TU8KHi2/xRNrkQCs60+lCzv 
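Review bot: relaxing the assertion in cbs_read_unsigned() to `width >= 0` lets a zero-width read continue into the code below the visible context, so the patch should confirm that the bit-reader call and the range check that follow `get_bits_left(gbc) < width` behave correctly when asked for 0 bits. A short comment above the assertion naming the syntax elements that legitimately have length 0 (the subject mentions sei_3d_reference_displays_info) would stop a later cleanup from tightening it back to `width > 0`. The diffstat shows this is the only line changed in cbs.c, so if the write path carries a matching assertion it keeps the old bound; is that intended?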
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 31 Jul 2024 21:54:06 +0200
Message-ID: <20240731195410.274508-2-michael@niedermayer.cc>
In-Reply-To: <20240731195410.274508-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/6] avcodec/aac/aacdec_usac: Dont leave type at a invalid value

Fixes: Assertion 0 failed at libavcodec/aac/aacdec_usac.c:1646
Fixes: 70541/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5190889543106560
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/aac/aacdec_usac.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index 1b79d19a30f..82db65eb0d0 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -265,6 +265,7 @@ static int decode_usac_extension(AACDecContext *ac, AACUsacElemConfig *e, /* No configuration needed - fallthrough (len should be 0) */ default: skip_bits(gb, 8*ext_config_len); + e->ext.type = ID_EXT_ELE_FILL; break; }; From patchwork Wed Jul 31 19:54:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 50838 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a59:12d6:0:b0:489:2eb3:e4c4 with SMTP id 205csp716345vqs; Wed, 31 Jul 2024 13:01:59 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCU53oUL/zx0P4PwZeCIHpzK2L0kGeYg7y/M792tXZMBWmGpM7gpecSv3WuDI56Wo0lNAI7tSapuY0O7XKzP/JTxPYIJF424NbCrlw== X-Google-Smtp-Source: AGHT+IHfw9UDo72ApRyh+y23JZHWXWUyIygiqK3L4l0r7XkdgZGl9tNOcNHUil0JWe0oZEPXgNGi X-Received: by 2002:a05:6512:251f:b0:52e:a60e:3a0a with SMTP id 2adb3069b0e04-530b619a102mr52578e87.2.1722456118712; Wed, 31 Jul 2024 13:01:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1722456118; cv=none; d=google.com; s=arc-20160816; b=EFpEq2DnILc6vt8V1dZa6EHAIcyn+P76TAUdluUP4rPHo8cTH9v58lfpwz/0uVEYhf tyCDKn8F6GxJCQIefvNBEaKpm5pj5v6UkCw+iOXgztz2fjnwZ5ECJVm0DuGL2ibBmOnA KpDlx7YCRBOxfON7gySN0Mcf0p415ssY4MSY6FolfBocL1LIRrdzzkiS0axbYSo1mPC3 5pmmXUG9lolvjJPBy1rXRpP66MqdyFxAHJI5xSBEuDef+iTZ+OaDKtz86/tz/4HVs/3G gwndsFLl/7mb+/mqwTijHjQa8Qv3yqOctJ0bmJ50ueiS0oaLG1r3Vq57vQb0CEzMON0+ cQbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:references:in-reply-to:message-id :date:to:from:dkim-signature:delivered-to; bh=6gxXbFSZyCNy3e1OVHTbaHymzoJR4UV2/tl4XzaS584=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; b=pqEeMWOmvCrjfszizyWOSU1/0EdtyfQsuD3i1l57dYBMhKlcD/hcVIq8bFOVoYdi45 zpzai3uxPFqlmMvPF5EGlTwNDCK1S53wzcEkVzjuFe2jbGsz0QuukMxFFxJkcTTYKBYf 
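Review bot: the new `e->ext.type = ID_EXT_ELE_FILL;` in the `default:` branch of decode_usac_extension() also runs for the case above it, which the existing comment says falls through into `default:` ("No configuration needed - fallthrough"). That case therefore has its type rewritten to FILL as well, not only the unknown values the subject line is about. If later code still needs to tell that case apart, the assignment should be limited to genuinely unknown types; if remapping both is intended, a one-line comment saying so would make that clear.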
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 31 Jul 2024 21:54:07 +0200
Message-ID: <20240731195410.274508-3-michael@niedermayer.cc>
In-Reply-To: <20240731195410.274508-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/6] avformat/iamf_parse: Check for 0 samples

Fixes: division by zero
Fixes: 70561/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6199435013455872
Fixes: 70565/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5783790316748800
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/iamf_parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index cdfd5f75fef..e007d6a7af2 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -252,7 +252,7 @@ static int codec_config_obu(void *s, IAMFContext *c, AVIOContext *pb, int len) if (ret < 0) goto fail; - if ((codec_config->nb_samples > INT_MAX) || + if ((codec_config->nb_samples > INT_MAX) || codec_config->nb_samples <= 0 || (-codec_config->audio_roll_distance > INT_MAX / codec_config->nb_samples)) { ret = AVERROR_INVALIDDATA; goto fail; From patchwork Wed Jul 31 19:54:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 50836 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a59:12d6:0:b0:489:2eb3:e4c4 with SMTP id 205csp713008vqs; Wed, 31 Jul 2024 12:54:48 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXLR9mn0q1Lvdd4WzhFD6XHVho1sNKa3YMUb2XYQMsyl1FikBCI15jod5iB5zY3xP0a0jOkE+VCsU7CphUXAuAaAV7DEACGc3g03g== X-Google-Smtp-Source: AGHT+IG3rTg39uZ3MGfWdO3UqYJs7vcdmnzvrtBxrHFZeNlDRVdCNk8n1sadRiqUJX6Bo7QaA2k7 X-Received: by 2002:a2e:9e44:0:b0:2ef:32bb:5368 with SMTP id 38308e7fff4ca-2f1530ea1e2mr3870771fa.11.1722455688260; Wed, 31 Jul 2024 12:54:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1722455688; cv=none; d=google.com; s=arc-20160816; b=Mz/C7gcRyOVDv9Gw60ycqm1kQLS1a4I0kSt/81E0zj/gU3HpjgBttm4GY41rSKX0Jh uAGbA75oeoJz8PDQTTU3YTs2CiIFa0e2yBoOn4xa3YL2w8Lv5GKDzK+pJguwLjWJibHX vmbjEaMqcOMm/+T+Ad9Cg79yj5fzNrvwD5EFsLZmn4iP2qdE7OFGFxnBpi3Jb+zlRiLx Ej31iHw/uctg5nGy4ZsQn94K/Rtblv2y2Xi8Jmk+/6PGM8CLeTfPnQjKaQAiMYumoCGQ 1zVilgIachd9ArCafG3fLAeoaFXm/MTf7DBUtD30Elr2eAilJebh0g3hhtId92UUGE9V T3qw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:references:in-reply-to:message-id :date:to:from:dkim-signature:delivered-to; bh=+xVl1EETch3pAHnLPUA866E7lPe4GNW0hnruqwGjqO0=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; 
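Review bot: the added `codec_config->nb_samples <= 0` term in codec_config_obu() is written without the parentheses the two neighbouring terms use, and `<= 0` does not match the subject line, which talks only about 0 samples. If nb_samples is an unsigned field, `== 0` states the intent exactly; if it is signed, the commit message should say that negative values are rejected too. The placement is right: the test sits before `INT_MAX / codec_config->nb_samples`, so short-circuit evaluation keeps the division from seeing a zero divisor, and that ordering dependency deserves a brief comment so the terms are not reordered later.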
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 31 Jul 2024 21:54:08 +0200
Message-ID: <20240731195410.274508-4-michael@niedermayer.cc>
In-Reply-To: <20240731195410.274508-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/6] avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails

Fixes: out of array access
Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/aac/aacdec_usac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index 82db65eb0d0..2938e693874 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -918,8 +918,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac, } ret = setup_sce(ac, sce1, usac); - if (ret < 0) + if (ret < 0) { + ics2->max_sfb = 0; return ret; + } ret = setup_sce(ac, sce2, usac); if (ret < 0) From patchwork Wed Jul 31 19:54:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 50840 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a59:12d6:0:b0:489:2eb3:e4c4 with SMTP id 205csp729771vqs; Wed, 31 Jul 2024 13:31:58 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVp2jGMZ8pCdg4G4vOxyHa6f7PAP18nya88oJ0dHS4J4ceQ7C4mMkAhN9BvuPvXFqHNotgoCjlho+eKKhH9NZbJv4pmdBRqvz+96g== X-Google-Smtp-Source: AGHT+IHhEx4VJE6MDiScCWrRy0kVUrxflqyITsmFbwrYFiDiIDu/5x1hlp3t8AoCu5JjJIAXhgRX X-Received: by 2002:a2e:87d5:0:b0:2ef:2593:334d with SMTP id 38308e7fff4ca-2f1533c44f5mr2512811fa.47.1722457918321; Wed, 31 Jul 2024 13:31:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1722457918; cv=none; d=google.com; s=arc-20160816; b=KD+vuSvwJNa7m7CQHW465p1f1+I9DZGb339KuGZV4ZgswF/kEsuBVJ4OYSV0gFw9TB hA0qGmm3niCHp5iHKbjpcptXja2lcJhpslzMBoQs9gQov9M4bAXIRc+qn+cO1ZKDE3a/ kSyDu7SIIDqBN7nTBQ2cBCu5AQK8+iMZNH773kVicRX2rKv7J62oaz0ZyXKaegdRdFg8 7g3fd18O8aqmZZnEc+0pBXflsS2hJlr0Z4d9PEISOJrrNlHGY7XI9Vatxxc+gb4RagOn vwpt2DInyIGb+4Xxuxzk0sMcbjJbuj+YUlR1OttCz5jVL1TC67mMARwp5qYADMQF1zZR gr8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:references:in-reply-to:message-id :date:to:from:dkim-signature:delivered-to; bh=OjOc0C4TtVTCkx7hkGBemZcbZ+0RsyL7eRbx3W/i0Bk=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; b=iua+3mNg6LBbhgnxjqcDEkc3YqqhIA7HbIQi6WLqay8dfLrTn7EPvdEXDm/lSUE1wD 3Oz6FnsS6hgxWhQho949iHU3Aav7kWg064Y7JkftJATuBBa7LUTQxQAzxAf+LTPQxA48 
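Review bot: only the failure path of the first `setup_sce(ac, sce1, usac)` call in decode_usac_stereo_info() resets `ics2->max_sfb`, while the second call's `if (ret < 0)` path, visible in the trailing context, is left as it was. If a failed setup of sce2 can also leave ics2 with a max_sfb that does not match its tables, it needs the same reset, and a shared error label would keep the two paths from drifting apart. The new block should also carry a comment saying why ics2 is cleared when it is sce1 that failed, since that is not obvious from the code alone.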
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 31 Jul 2024 21:54:09 +0200
Message-ID: <20240731195410.274508-5-michael@niedermayer.cc>
In-Reply-To: <20240731195410.274508-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/6] avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow

The snow encoder uses block based motion estimation which can read out of array if
insufficient alignment is used.

It may be better to only apply this for the encoder, as it would save a few bytes of memory
for the decoder. Until then, this fixes the issue in a simple way.

Fixes: out of array access
Fixes: 68963/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4979988435632128
Fixes: 68969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6239933667803136.fuzz
Fixed: 70497/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5751882631413760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/utils.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 337c00e789a..7914f799041 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -259,6 +259,9 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, if (s->codec_id == AV_CODEC_ID_SVQ1) { w_align = 64; h_align = 64; + } else if (s->codec_id == AV_CODEC_ID_SNOW) { + w_align = 16; + h_align = 16; } break; case AV_PIX_FMT_RGB555: From patchwork Wed Jul 31 19:54:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 50839 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a59:12d6:0:b0:489:2eb3:e4c4 with SMTP id 205csp716372vqs; Wed, 31 Jul 2024 13:02:01 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVrdPhPBch5eR1K5ajkuWLXwF7bSkeUd9g4witMF1qAzUqGcDXWcW+mr15bxEoewNPPL72Yz3NTul4YsMtjHXLQfXvBndYgM0sAew== X-Google-Smtp-Source: AGHT+IFx4VXmygnI677vsat0BfGgOXdy2FE0sxaIXZnDeSXFWhs4AiRAeTskUK/4pGad+GRMGju3 X-Received: by 2002:a05:6512:2c0c:b0:52c:8b69:e039 with SMTP id 2adb3069b0e04-530b61aaf06mr73302e87.4.1722456120915; Wed, 31 Jul 2024 13:02:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1722456120; cv=none; d=google.com; s=arc-20160816; b=lEdM3098s9Kb+wJBegCy3MBLajOhY0VFy3Y3kImMhkqsDswckHJqcDqRuVcn2R/Fwn XQxkDgMrFmEUeETjBFa/RZ5jxmGpPDWhspfKA17jUlwp/XaCySnmjQKnsbUlXBVGJOaf O73SeYbiLsjJSJA/kv8ISulQCzQG57Bhb8BXslx0XAHa/XB5xGv5MAvrRId77FE3/iXi gNRGNZhpIOfA00X0vOId2I7BIOJ4p7KKMckpAbjhTtOuqIV5Q1RFJcjGSJy8hbzDKzoQ NhiNlOwTSRILYpMMEOftrxuNcJqS3xVGMNXtxPY2izj+pGkC687pJEgA2ZTdoXJBVS6K fYaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:references:in-reply-to:message-id :date:to:from:dkim-signature:delivered-to; bh=Ftgs0RsfVcFlwq4xqUzlG+MU/+4wPbMz0WSjkALvves=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; b=gWB17WZzCKfLz2OhyvTSd28z7QKyo6FketJtakMRdNz0l17VQeFPW8OpKB5RTg22m6 
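Review bot: the new `AV_CODEC_ID_SNOW` branch in avcodec_align_dimensions2() sets `w_align = 16; h_align = 16;` with no comment, so the reason given in the commit message (block-based motion estimation in the encoder reading outside the array) is lost to anyone reading the code. A comment on the branch should record that reason and that the decoder is padded as well only as a stopgap, which the commit message already acknowledges. Since this duplicates the alignment used for another pixel-format case, it is also worth checking whether the two Snow branches can share one place so they cannot diverge.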
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 31 Jul 2024 21:54:10 +0200
Message-ID: <20240731195410.274508-6-michael@niedermayer.cc>
In-Reply-To: <20240731195410.274508-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/6] avcodec/snow: Fix off by 1 error in run_buffer

Fixes: out of array access
Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/snow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 0285362d439..af6214d0778 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -428,7 +428,7 @@ av_cold int ff_snow_common_init(AVCodecContext *avctx){ !FF_ALLOCZ_TYPED_ARRAY(s->spatial_dwt_buffer, width * height) || //FIXME this does not belong here !FF_ALLOCZ_TYPED_ARRAY(s->temp_dwt_buffer, width) || !FF_ALLOCZ_TYPED_ARRAY(s->temp_idwt_buffer, width) || - !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1))) + !FF_ALLOCZ_TYPED_ARRAY(s->run_buffer, ((width + 1) >> 1) * ((height + 1) >> 1) + 1)) return AVERROR(ENOMEM); for(i=0; i
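Review bot: the bare `+ 1` added to the `s->run_buffer` element count in ff_snow_common_init() is unexplained, and neither the hunk nor the commit message says which access needs the extra slot. A comment on that line should name the writer that stores one entry beyond `((width + 1) >> 1) * ((height + 1) >> 1)` (a terminator, for example), so the padding is not removed later as a stray constant. It would also help to state in the commit message why enlarging the allocation is preferred over bounding the index at the point of the write, because the allocation fix only holds as long as that writer never runs more than one element past the product.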