From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 8 Aug 2024 01:53:32 +0200
Message-ID: <20240807235333.2148870-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/cfhdenc: Clear dwt_tmp

This occurs on a 32x32 input

Fixes: use of uninitialized value
Fixes: 70897/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5960860961406976

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/cfhdenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cfhdenc.c b/libavcodec/cfhdenc.c index 7084509f6e1..98554187c1b 100644 --- a/libavcodec/cfhdenc.c +++ b/libavcodec/cfhdenc.c
@@ -285,7 +285,7 @@ static av_cold int cfhd_encode_init(AVCodecContext *avctx) s->plane[i].dwt_buf = av_calloc(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_buf)); s->plane[i].dwt_tmp = - av_malloc_array(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_tmp)); + av_calloc(h8 * 8 * w8 * 8, sizeof(*s->plane[i].dwt_tmp)); if (!s->plane[i].dwt_buf || !s->plane[i].dwt_tmp) return AVERROR(ENOMEM);
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 8 Aug 2024 01:53:33 +0200
Message-ID: <20240807235333.2148870-2-michael@niedermayer.cc>
In-Reply-To: <20240807235333.2148870-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_vp9: Try to store fewer than 2 things in the same bit

Fixes: use of uninitialized value
Fixes: 70907/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-6339363208757248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/cbs_vp9.c                 | 9 ++++++---
 libavcodec/cbs_vp9.h                 | 3 +++
 libavcodec/cbs_vp9_syntax_template.c | 6 +++---
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 816d06da04d..7b8bc9c7985 100644 --- a/libavcodec/cbs_vp9.c
+++ b/libavcodec/cbs_vp9.c @@ -541,9 +541,12 @@ static int cbs_vp9_assemble_fragment(CodedBitstreamContext *ctx, size_len = av_log2(max) / 8 + 1; av_assert0(size_len <= 4); - sfi.superframe_marker = VP9_SUPERFRAME_MARKER; - sfi.bytes_per_framesize_minus_1 = size_len - 1; - sfi.frames_in_superframe_minus_1 = frag->nb_units - 1; + sfi.superframe_marker = + sfi.superframe_marker_2 = VP9_SUPERFRAME_MARKER; + sfi.bytes_per_framesize_minus_1 = + sfi.bytes_per_framesize_minus_1_2= size_len - 1; + sfi.frames_in_superframe_minus_1 = + sfi.frames_in_superframe_minus_1_2 = frag->nb_units - 1; size = 2; for (i = 0; i < frag->nb_units; i++) { diff --git a/libavcodec/cbs_vp9.h b/libavcodec/cbs_vp9.h index af15eb4bace..428662a8cdb 100644 --- a/libavcodec/cbs_vp9.h +++ b/libavcodec/cbs_vp9.h @@ -174,6 +174,9 @@ typedef struct VP9RawSuperframeIndex { uint8_t bytes_per_framesize_minus_1; uint8_t frames_in_superframe_minus_1; uint32_t frame_sizes[VP9_MAX_FRAMES_IN_SUPERFRAME]; + uint8_t superframe_marker_2; + uint8_t bytes_per_framesize_minus_1_2; + uint8_t frames_in_superframe_minus_1_2; } VP9RawSuperframeIndex; typedef struct VP9RawSuperframe { diff --git a/libavcodec/cbs_vp9_syntax_template.c b/libavcodec/cbs_vp9_syntax_template.c index 2f08eccf180..3f542d0c5d5 100644 --- a/libavcodec/cbs_vp9_syntax_template.c +++ b/libavcodec/cbs_vp9_syntax_template.c @@ -421,9 +421,9 @@ static int FUNC(superframe_index)(CodedBitstreamContext *ctx, RWContext *rw, frame_sizes[i], 1, i); } - f(3, superframe_marker); - f(2, bytes_per_framesize_minus_1); - f(3, frames_in_superframe_minus_1); + f(3, superframe_marker_2); + f(2, bytes_per_framesize_minus_1_2); + f(3, frames_in_superframe_minus_1_2); return 0; }
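Review bot: in the [PATCH 1/2] hunk in cfhd_encode_init (libavcodec/cfhdenc.c), the switch of dwt_tmp to av_calloc has no explanation of which part of the scratch buffer is read before it is written. The commit message only says "This occurs on a 32x32 input". Zero-filling makes the fuzzer report go away, but if the read comes from a stride or size mismatch for small dimensions, the encoder would then be transforming zeros instead of real samples without anyone noticing. Please add a short comment at the allocation, or extend the commit message, stating where the unwritten read happens and why zero is the correct value there.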
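Review bot: in the [PATCH 2/2] hunk in cbs_vp9_assemble_fragment (libavcodec/cbs_vp9.c), the chained assignments split over two lines are easy to misread as two independent statements, and "sfi.bytes_per_framesize_minus_1_2= size_len - 1;" is missing the space before "=". Three plain pairs of assignments, or computing the three values once into locals and assigning both copies from them, would read more clearly. It is also worth confirming that this is the only place that fills a VP9RawSuperframeIndex for writing, since any other writer would now leave the _2 fields unset.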
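Review bot: in the [PATCH 2/2] hunk for VP9RawSuperframeIndex (libavcodec/cbs_vp9.h), the three new members superframe_marker_2, bytes_per_framesize_minus_1_2 and frames_in_superframe_minus_1_2 are undocumented and the "_2" suffix does not say what they hold. A one-line comment above them stating that they are the second copy of the index header fields, read and written after frame_sizes, would let a reader understand why the struct carries each value twice.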
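Review bot: in the [PATCH 2/2] hunk in FUNC(superframe_index) (libavcodec/cbs_vp9_syntax_template.c), the trailing "f(3, superframe_marker_2);", "f(2, bytes_per_framesize_minus_1_2);" and "f(3, frames_in_superframe_minus_1_2);" now land in their own fields, but nothing in the visible lines compares them with the first copy before "return 0;". With separate storage, a stream whose two copies disagree parses without complaint and the mismatch is carried into the struct. Consider checking the _2 values against the originals after these reads and returning an error on mismatch, or document that a mismatch is deliberately tolerated.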