From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Aug 2024 09:50:52 +0200
Message-ID: <20240820075057.1735944-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/6] avcodec/magicyuvenc: better slice height

Fixes: Use of uninitialized value
Fixes: 71072/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-4835252046987264
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/magicyuvenc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/magicyuvenc.c b/libavcodec/magicyuvenc.c index 93eabb9f9a5..6e640d24cc1 100644 --- a/libavcodec/magicyuvenc.c +++ b/libavcodec/magicyuvenc.c
@@ -378,11 +378,14 @@ static int count_plane_slice(AVCodecContext *avctx, int n, int plane) Slice *sl = &s->slices[n * s->planes + plane]; const uint8_t *dst = sl->slice; PTable *counts = sl->counts; + const int slice_height = s->slice_height; + const int last_height = FFMIN(slice_height, avctx->height - n * slice_height); + const int height = (n < (s->nb_slices - 1)) ? slice_height : last_height; memset(counts, 0, sizeof(sl->counts)); count_usage(dst, AV_CEIL_RSHIFT(avctx->width, s->hshift[plane]), - AV_CEIL_RSHIFT(s->slice_height, s->vshift[plane]), counts); + AV_CEIL_RSHIFT(height, s->vshift[plane]), counts); return 0; }
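
Review bot: `last_height` in count_plane_slice() has no lower bound. If `n * slice_height` can reach `avctx->height` for the last slice, `FFMIN(slice_height, avctx->height - n * slice_height)` is zero or negative and goes straight into `AV_CEIL_RSHIFT(height, s->vshift[plane])` and `count_usage()`. The hunk does not show the invariant that rules this out, so an assertion or a short comment on how `nb_slices` and `slice_height` relate to `avctx->height` would help. The ternary also looks redundant when every non-final slice is full height, since `FFMIN` alone then yields `slice_height`; if it is needed, say why. If other per-slice functions in this file compute the same height, a shared helper would keep them from diverging, and the subject line "better slice height" could name the actual defect (the last slice being counted at the full `s->slice_height`).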

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Aug 2024 09:50:53 +0200
Message-ID: <20240820075057.1735944-2-michael@niedermayer.cc>
In-Reply-To: <20240820075057.1735944-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/6] avformat/apetag: Check APETAGEX

Fixes: Use of uninitialized value
Fixes: 71074/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5697034877730816
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/apetag.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/apetag.c b/libavformat/apetag.c index bd0a19e4d6a..0989fcb0940 100644 --- a/libavformat/apetag.c +++ b/libavformat/apetag.c
@@ -121,7 +121,8 @@ int64_t ff_ape_parse_tag(AVFormatContext *s) avio_seek(pb, file_size - APE_TAG_FOOTER_BYTES, SEEK_SET); - avio_read(pb, buf, 8); /* APETAGEX */ + if(avio_read(pb, buf, 8) != 8) /* APETAGEX */ + return 0; if (strncmp(buf, APE_TAG_PREAMBLE, 8)) { return 0; }
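
Review bot: the `avio_seek()` directly above the new check still has its return value ignored, so a failed seek followed by a full 8-byte read passes the new `!= 8` test and `strncmp()` then compares bytes from the wrong file position. Checking the seek result in the same place would close that. Style: `if(avio_read(` lacks the space after `if` that the next line's `if (strncmp(` uses. Returning 0 on a short read matches the existing preamble-mismatch path, but it makes an I/O error and "no tag present" indistinguishable to the caller; worth a word in the commit message if that is intended.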

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Aug 2024 09:50:54 +0200
Message-ID: <20240820075057.1735944-3-michael@niedermayer.cc>
In-Reply-To: <20240820075057.1735944-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/6] avcodec/vc1_block: propagate error codes

Fixes: use of uninitialized value
Fixes: 71228/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6188476880453632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/vc1_block.c | 59 ++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 1d622b1a67b..1c422d902fa 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c
@@ -1297,6 +1297,7 @@ static int vc1_decode_p_mb(VC1Context *v) int dst_idx, off; int skipped, fourmv; int block_cbp = 0, pat, block_tt = 0, block_intra = 0; + int ret; mquant = v->pq; /* lossy initialization */ @@ -1355,8 +1356,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1458,8 +1461,10 @@ static int vc1_decode_p_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, is_coded[i], mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1530,6 +1535,7 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0, mvbp; int fieldtx; + int ret; mquant = v->pq; /* Lossy initialization */ 
@@ -1602,8 +1608,10 @@ static int vc1_decode_p_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1735,6 +1743,7 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) int pred_flag = 0; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode = 0; + int ret; mquant = v->pq; /* Lossy initialization */ @@ -1766,8 +1775,10 @@ static int vc1_decode_p_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, v->block[v->cur_blk_idx][block_map[i]], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(v->block[v->cur_blk_idx][block_map[i]]); @@ -1857,6 +1868,7 @@ static int vc1_decode_b_mb(VC1Context *v) int skipped, direct; int dmv_x[2], dmv_y[2]; int bmvtype = BMV_TYPE_BACKWARD; + int ret; mquant = v->pq; /* lossy initialization */ s->mb_intra = 0; 
@@ -1969,8 +1981,10 @@ static int vc1_decode_b_mb(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2016,6 +2030,7 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) int bmvtype = BMV_TYPE_BACKWARD; int block_cbp = 0, pat, block_tt = 0; int idx_mbmode; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2048,8 +2063,10 @@ static int vc1_decode_b_mb_intfi(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && (i > 3) && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); @@ -2186,6 +2203,7 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) int stride_y, fieldtx; int bmvtype = BMV_TYPE_BACKWARD; int dir, dir2; + int ret; mquant = v->pq; /* Lossy initialization */ s->mb_intra = 0; @@ -2242,8 +2260,10 @@ static int vc1_decode_b_mb_intfr(VC1Context *v) if (i == 1 || i == 3 || s->mb_x) v->c_avail = v->mb_type[0][s->block_index[i] - 1]; - vc1_decode_intra_block(v, s->block[i], i, val, mquant, - (i & 4) ? v->codingset2 : v->codingset); + ret = vc1_decode_intra_block(v, s->block[i], i, val, mquant, + (i & 4) ? v->codingset2 : v->codingset); + if (ret < 0) + return ret; if (CONFIG_GRAY && i > 3 && (s->avctx->flags & AV_CODEC_FLAG_GRAY)) continue; v->vc1dsp.vc1_inv_trans_8x8(s->block[i]); 
@@ -2775,6 +2795,7 @@ static void vc1_decode_p_blocks(VC1Context *v) { MpegEncContext *s = &v->s; int apply_loop_filter; + int ret; /* select coding mode used for VLC tables selection */ switch (v->c_ac_table_index) { 
@@ -2817,22 +2838,22 @@ static void vc1_decode_p_blocks(VC1Context *v) } if (v->fcm == ILACE_FIELD) { - vc1_decode_p_mb_intfi(v); + ret = vc1_decode_p_mb_intfi(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } else if (v->fcm == ILACE_FRAME) { - vc1_decode_p_mb_intfr(v); + ret = vc1_decode_p_mb_intfr(v); if (apply_loop_filter) ff_vc1_p_intfr_loop_filter(v); } else { - vc1_decode_p_mb(v); + ret = vc1_decode_p_mb(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v); } - if (get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { + if (ret < 0 || get_bits_left(&s->gb) < 0 || get_bits_count(&s->gb) < 0) { // TODO: may need modification to handle slice coding ff_er_add_slice(&s->er, 0, s->start_mb_y, s->mb_x, s->mb_y, ER_MB_ERROR); - av_log(s->avctx, AV_LOG_ERROR, "Bits overconsumption: %i > %i at %ix%i\n", + av_log(s->avctx, AV_LOG_ERROR, "Error or Bits overconsumption: %i > %i at %ix%i\n", get_bits_count(&s->gb), s->gb.size_in_bits, s->mb_x, s->mb_y); return; }
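
Review bot: in the vc1_decode_p_blocks() hunk, `ret` is only tested after the loop filter has already run. For example `ret = vc1_decode_p_mb(v); if (apply_loop_filter) ff_vc1_p_loop_filter(v);` filters a macroblock whose decode just failed, before the `ret < 0` test reaches `ff_er_add_slice()`. Consider testing `ret` before the filter call, or confirm the filter is safe on a partially decoded macroblock. The shared log line is also misleading on this path: "Error or Bits overconsumption: %i > %i" prints bit counts that need not be in that relation when `ret < 0`, and `ret` itself is never logged. A separate message that includes the error code would be more useful.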
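
Review bot: vc1_decode_b_mb(), vc1_decode_b_mb_intfi() and vc1_decode_b_mb_intfr() now return the error from vc1_decode_intra_block(), but the patch has no hunk for their caller; only vc1_decode_p_blocks() is updated. If the B-frame caller still discards the return value, the propagation stops there and decoding continues as before. Either add the matching `ret` check on that side or say in the commit message why it is not needed. The early `return ret` in each macroblock function also leaves the block loop at index `i`; please confirm that nothing after the loop in these functions is needed on the error path.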

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Aug 2024 09:50:55 +0200
Message-ID: <20240820075057.1735944-4-michael@niedermayer.cc>
In-Reply-To: <20240820075057.1735944-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/6] avcodec/notchlc: Check bytes left before reading

Fixes: Use of uninitialized value
Fixes: 71230/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-4624502095413248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/notchlc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 371c8b5e54c..246a3e0174d 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c
@@ -93,6 +93,9 @@ static int lz4_decompress(AVCodecContext *avctx, } while (current == 255); } + if (bytestream2_get_bytes_left(gb) < num_literals) + return AVERROR_INVALIDDATA; + if (pos + num_literals < HISTORY_SIZE) { bytestream2_get_buffer(gb, history + pos, num_literals); pos += num_literals;
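
Review bot: the new `bytestream2_get_bytes_left(gb) < num_literals` guard in lz4_decompress() compares against a variable whose declaration is outside the hunk. `num_literals` is accumulated in the `do { ... } while (current == 255)` loop just above, so please confirm its type cannot make the comparison misbehave for very large accumulated values (signed overflow, or an unsigned conversion of the left-hand side). The guard also covers only the literal copy; the hunk does not show whether the match offset and length reads later in the loop are similarly checked against truncated input. A one-line comment saying that this rejects a literal run longer than the remaining input would document the intent.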

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Aug 2024 09:50:56 +0200
Message-ID: <20240820075057.1735944-5-michael@niedermayer.cc>
In-Reply-To: <20240820075057.1735944-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/6] tools/target_swr_fuzzer: Check av_samples_fill_arrays() for failure

Fixes: use of uninitialized value
Fixes: 71242/clusterfuzz-testcase-minimized-ffmpeg_SWR_fuzzer-4905557943713792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- tools/target_swr_fuzzer.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tools/target_swr_fuzzer.c b/tools/target_swr_fuzzer.c index f2d8ec49c05..b6cdb72a560 100644 --- a/tools/target_swr_fuzzer.c +++ b/tools/target_swr_fuzzer.c
@@ -83,6 +83,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { int in_sample_nb; int out_sample_nb = size; int count; + int ret; if (size > 128) { GetByteContext gbc; 
@@ -132,8 +133,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (!out_data) goto end; - av_samples_fill_arrays(ain , NULL, data, in_ch_count, in_sample_nb, in_sample_fmt, 1); - av_samples_fill_arrays(aout, NULL, out_data, out_ch_count, out_sample_nb, out_sample_fmt, 1); + ret = av_samples_fill_arrays(ain , NULL, data, in_ch_count, in_sample_nb, in_sample_fmt, 1); + if (ret < 0) + goto end; + ret = av_samples_fill_arrays(aout, NULL, out_data, out_ch_count, out_sample_nb, out_sample_fmt, 1); + if (ret < 0) + goto end; count = swr_convert(swr, aout, out_sample_nb, (const uint8_t **)ain, in_sample_nb);
From patchwork Tue Aug 20 07:50:57 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51087
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Aug 2024 09:50:57 +0200
Message-ID: <20240820075057.1735944-6-michael@niedermayer.cc>
In-Reply-To: <20240820075057.1735944-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/6] avformat/argo_brp: Check that ASF chunk header is completely read

Fixes: Use of uninitialized value
Fixes: 71280/clusterfuzz-testcase-minimized-ffmpeg_dem_ARGO_BRP_fuzzer-4692991866896384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/argo_brp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/argo_brp.c b/libavformat/argo_brp.c index f88def37313..94b404b5d06 100644 --- a/libavformat/argo_brp.c +++ b/libavformat/argo_brp.c @@ -380,8 +380,8 @@ static int argo_brp_read_packet(AVFormatContext *s, AVPacket *pkt) if (blk.size < ASF_CHUNK_HEADER_SIZE) return AVERROR_INVALIDDATA; - if ((ret = avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE)) < 0) - return ret; + if (avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE) != ASF_CHUNK_HEADER_SIZE) + return AVERROR_INVALIDDATA; ff_argo_asf_parse_chunk_header(&ckhdr, buf);
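Review bot: in the lz4_decompress() hunk, the added bytes-left check has no comment, and the reason it is needed is not obvious from the code around it: the copy just below, `bytestream2_get_buffer(gb, history + pos, num_literals);`, has its return value ignored and is followed by `pos += num_literals;`, so `pos` advances by the full count whatever was actually copied. A one-line comment saying the check guarantees that the whole literal run is present in the input would keep a later cleanup from dropping it. Please also confirm the type of num_literals, which is declared outside the hunk: it is compared against the int returned by bytestream2_get_bytes_left() after being summed in the `while (current == 255)` loop above, so it should be a type in which that sum cannot wrap or go negative.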
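Review bot: in the two LLVMFuzzerTestOneInput() hunks of tools/target_swr_fuzzer.c, `ret` is assigned only to be compared with 0 on the next line and is not read again in the visible lines, so unless it has a user further down, the `int ret;` added by the first hunk is unnecessary. Testing the call directly, `if (av_samples_fill_arrays(ain , NULL, data, in_ch_count, in_sample_nb, in_sample_fmt, 1) < 0) goto end;` and the same for aout, gives the same behaviour without the extra variable. The early exit itself fits the function: `goto end` is already the path taken for `!out_data` just above, and it keeps unfilled ain/aout arrays from reaching swr_convert().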
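Review bot: in the argo_brp_read_packet() hunk, the new condition turns every failure of avio_read() into AVERROR_INVALIDDATA, including the negative error codes that the removed `return ret;` passed on to the caller, so an I/O error or end of file is now reported as corrupt data. Both cases can stay distinct by keeping the assignment: `ret = avio_read(s->pb, buf, ASF_CHUNK_HEADER_SIZE);` followed by `if (ret < 0) return ret;` and `if (ret != ASF_CHUNK_HEADER_SIZE) return AVERROR_INVALIDDATA;`. As written, the hunk also removes a use of `ret`, whose declaration is outside the hunk, so it is worth checking that the variable still has a user in this function.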