From patchwork Thu Sep 12 23:33:31 2024
X-Patchwork-Id: 51554
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 13 Sep 2024 01:33:31 +0200
Message-ID: <20240912233337.2444412-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/7] avformat/mov_chan: Check for FF_SANE_NB_CHANNELS

We do not support more channels. For example avcodec_open2() limits channels this way too

The example file contains multiple chunks with over 16 million channels

Fixes: Timeout / DOS
Fixes: 67143/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-4858720481771520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mov_chan.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c index cc5b3331290..2cc6b2a7797 100644 --- a/libavformat/mov_chan.c +++ b/libavformat/mov_chan.c @@ -30,6 +30,7 @@ #include "libavutil/channel_layout.h" #include "libavutil/mem.h" #include "libavcodec/codec_id.h" +#include "libavcodec/internal.h" #include "mov_chan.h" enum { 
@@ -549,6 +550,10 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st, num_descr, nb_channels); num_descr = nb_channels; } + if (nb_channels > FF_SANE_NB_CHANNELS) { + ret = AVERROR(ENOTSUP); + goto out; + } av_channel_layout_uninit(ch_layout); ret = av_channel_layout_custom_init(ch_layout, nb_channels);

From patchwork Thu Sep 12 23:33:32 2024
X-Patchwork-Id: 51555
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 13 Sep 2024 01:33:32 +0200
Message-ID: <20240912233337.2444412-2-michael@niedermayer.cc>
In-Reply-To: <20240912233337.2444412-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/7] avcodec/vc2enc: basic sanity check on slice_max_bytes

Fixes: left shift of 896021632 by 3 places cannot be represented in type 'int'
Fixes: 70544/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC2_fuzzer-6685593652756480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/vc2enc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 508defc0b9f..b82370a7532 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c 
@@ -988,7 +988,7 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); - if (s->slice_min_bytes < 0) + if (s->slice_min_bytes < 0 || s->slice_max_bytes > INT_MAX >> 3) return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced);

From patchwork Thu Sep 12 23:33:33 2024
X-Patchwork-Id: 51556
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 13 Sep 2024 01:33:33 +0200
Message-ID: <20240912233337.2444412-3-michael@niedermayer.cc>
In-Reply-To: <20240912233337.2444412-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/7] swscale/swscale: Use unsigned operation to avoid undefined behavior

I have not checked that the constant is correct, this just fixes the undefined behavior

Fixes: signed integer overflow: -646656 * 3517 cannot be represented in type 'int
Fixes: 70559/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5209368631508992

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libswscale/swscale.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswscale/swscale.c b/libswscale/swscale.c index df0d5708aa8..8b6a3a84b4e 100644 
--- a/libswscale/swscale.c +++ b/libswscale/swscale.c 
@@ -224,7 +224,7 @@ static void lumRangeFromJpeg16_c(int16_t *_dst, int width) int i; int32_t *dst = (int32_t *) _dst; for (i = 0; i < width; i++) - dst[i] = (dst[i]*(14071/4) + (33561947<<4)/4)>>12; + dst[i] = ((int)(dst[i]*(14071U/4) + (33561947<<4)/4)) >> 12; }

From patchwork Thu Sep 12 23:33:34 2024
X-Patchwork-Id: 51560
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 13 Sep 2024 01:33:34 +0200
Message-ID: <20240912233337.2444412-4-michael@niedermayer.cc>
In-Reply-To: <20240912233337.2444412-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/7] avformat/mxfdec: Check timecode for overflow

Fixes: signed integer overflow: 9223372036840103968 + 538976288 cannot be represented in type 'long'
Fixes: 70604/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4844090340999168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mxfdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index ac63c0d5add..8eae9f87afa 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -2391,6 +2391,9 @@ static int mxf_parse_physical_source_package(MXFContext *mxf, MXFTrack *source_t physical_track->edit_rate, source_track->edit_rate); + if (av_sat_add64(start_position, mxf_tc->start_frame) != start_position + (uint64_t)mxf_tc->start_frame) + continue; + if (av_timecode_init(&tc, mxf_tc->rate, flags, start_position + mxf_tc->start_frame, mxf->fc) == 0) { mxf_add_timecode_metadata(&st->metadata, "timecode", &tc); return 0;

From patchwork Thu Sep 12 23:33:35 2024
X-Patchwork-Id: 51557
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 13 Sep 2024 01:33:35 +0200
Message-ID: <20240912233337.2444412-5-michael@niedermayer.cc>
In-Reply-To: <20240912233337.2444412-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/7] avformat/mxfdec: More offset_temp checks

Fixes: signed integer overflow: 9223372036854775807 - -1927491430256034080 cannot be represented in type 'long'
Fixes: 70607/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5282235077951488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mxfdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 8eae9f87afa..41281c5196d 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -1924,6 +1924,11 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out, partition_out); } else { /* EditUnitByteCount == 0 for VBR indexes, which is fine since they use explicit StreamOffsets */ + if (s->edit_unit_byte_count && s->index_duration > INT64_MAX / s->edit_unit_byte_count || + s->edit_unit_byte_count * s->index_duration > INT64_MAX - offset_temp + ) + return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * s->index_duration; } } From patchwork Thu Sep 12 23:33:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 51559 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a59:c541:0:b0:48e:c0f8:d0de with SMTP id f1csp774vqr; Thu, 12 Sep 2024 16:34:43 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUa8/LtPUwVpHDLxgX51tqWZW5PQIlMrKdU2tkMhpvlUxeq0lErMICFvo7DzaS5+FhXpJhl+4NZPRlycWhAIefB@gmail.com X-Google-Smtp-Source: AGHT+IEYCI2UbfXJELCmk3hjZ94rFORdlRO00Mm12q145baTOAf2QtAKnJjMEnpNfZyTWfiLvPp0 X-Received: by 2002:a2e:d1a:0:b0:2f7:5980:78ca with SMTP id 38308e7fff4ca-2f787f1cc18mr20082111fa.32.1726184083623; Thu, 12 Sep 2024 16:34:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1726184083; cv=none; d=google.com; s=arc-20240605; b=gYbsUP2SQCDTSWe38SDG/b/QJlnrb0nV20/c9VXSUPAYyz2SnZ0DUd3EGzbOPlSflm TsTRPYquyB4FmU6J/NHVhpV5koQwBGSO/oPupgT6Sh38eBRS8+BR5WHpwNcArPYVeEjE NwrAdSQ8XZHk/cXxqp9cKXa3zWC3Fw3DNpUdl3vzw5D/d5eahaCyPJ7rL62UONixKLuM 4ezsJu2ejtormonqxcI0UPKKxaw03Z4EYM7P94NqVuRDnt0Fd+jGc+JrRAqXDm+Nhf77 OoUUgjh1O0ep8AJcfn7ryMeXKe39fJdSU8jRTrN4f0YWAjx/OxrIuTAizn71gJmmu0PQ 04Bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id 
From patchwork Thu Sep 12 23:33:36 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51559
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 13 Sep 2024 01:33:36 +0200
Message-ID: <20240912233337.2444412-6-michael@niedermayer.cc>
In-Reply-To: <20240912233337.2444412-1-michael@niedermayer.cc>
References: <20240912233337.2444412-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/7] swscale/output: Fix undefined integer overflow in yuv2rgba64_2_c_template()

Fixes: signed integer overflow: -1082982400 + -1083218484 cannot be represented in type 'int'
Fixes: 70657/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6707819712675840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer --- libswscale/output.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index abfb0fd1cee..31921a3ccec 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1150,8 +1150,8 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], av_assert2(uvalpha <= 4096U); for (i = 0; i < ((dstW + 1) >> 1); i++) { - int Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; - int Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; + unsigned Y1 = (buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14; + unsigned Y2 = (buf0[i * 2 + 1] * yalpha1 + buf1[i * 2 + 1] * yalpha) >> 14; int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14; int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14; int R, G, B; 
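Review bot: declaring Y1 and Y2 as `unsigned` does not change how their initializers are evaluated. `buf0` and `buf1` hold `int32_t`, so if yalpha and yalpha1 are `int`, `(buf0[i * 2] * yalpha1 + buf1[i * 2] * yalpha) >> 14` is still computed and shifted in signed `int` and only the result is converted; the change therefore only protects the later arithmetic on Y1 and Y2. The commit message quotes an overflowing addition but does not say which statement it came from; name it there, and add a short comment at the declarations saying the unsigned type is deliberate so it is not "cleaned up" back to `int` later.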
@@ -1175,20 +1175,20 @@ yuv2rgba64_2_c_template(SwsContext *c, const int32_t *buf[2], A2 += 1 << 13; } - output_pixel(&dest[0], av_clip_uintp2(((R_B + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[1], av_clip_uintp2((( G + Y1) >> 14) + (1<<15), 16)); - output_pixel(&dest[2], av_clip_uintp2(((B_R + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[0], av_clip_uintp2(((int)(R_B + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[1], av_clip_uintp2(((int)( G + Y1) >> 14) + (1<<15), 16)); + output_pixel(&dest[2], av_clip_uintp2(((int)(B_R + Y1) >> 14) + (1<<15), 16)); if (eightbytes) { output_pixel(&dest[3], av_clip_uintp2(A1 , 30) >> 14); - output_pixel(&dest[4], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[6], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[6], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); output_pixel(&dest[7], av_clip_uintp2(A2 , 30) >> 14); dest += 8; } else { - output_pixel(&dest[3], av_clip_uintp2(((R_B + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[4], av_clip_uintp2((( G + Y2) >> 14) + (1<<15), 16)); - output_pixel(&dest[5], av_clip_uintp2(((B_R + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[3], av_clip_uintp2(((int)(R_B + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[4], av_clip_uintp2(((int)( G + Y2) >> 14) + (1<<15), 16)); + output_pixel(&dest[5], av_clip_uintp2(((int)(B_R + Y2) >> 14) + (1<<15), 16)); dest += 6; } }
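Review bot: the `(int)(R_B + Y1) >> 14` form in each output_pixel() call depends on two implementation-defined behaviours that the patch does not document: converting an out-of-range unsigned sum back to `int`, and right-shifting a negative `int` arithmetically. That trades undefined behaviour for implementation-defined behaviour, which is reasonable, but a reader has no way to tell the cast is load-bearing. The same expression is now written nine times across the three branches; a small local macro or inline helper carrying a one-line comment about the intended wraparound would keep the copies from drifting apart.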
From patchwork Thu Sep 12 23:33:37 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51558
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 13 Sep 2024 01:33:37 +0200
Message-ID: <20240912233337.2444412-7-michael@niedermayer.cc>
In-Reply-To: <20240912233337.2444412-1-michael@niedermayer.cc>
References: <20240912233337.2444412-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 7/7] avformat/flvdec: Free metaVideoColor

Fixes: memleak
Fixes: 70659/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-4539872627458048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer --- libavformat/flvdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 22a9b9e4a7c..1fb3e0cd3fa 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -1111,6 +1111,7 @@ static int flv_parse_video_color_info(AVFormatContext *s, AVStream *st, int64_t return TYPE_UNKNOWN; } + av_free(flv->metaVideoColor); if (!(flv->metaVideoColor = av_mallocz(sizeof(FLVMetaVideoColor)))) { return AVERROR(ENOMEM); }
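Review bot: the added `av_free(flv->metaVideoColor)` in flv_parse_video_color_info() only makes sense if this function can run more than once for the same context, and the commit message does not say so; state that repeated color-info metadata is the trigger so the reason for the free is on record. Because the old block is the same size as the new one (`sizeof(FLVMetaVideoColor)`), zeroing and reusing an existing allocation would avoid the free/allocate pair and would keep the previous data reachable if allocation fails. The visible lines also do not show where the last allocation is released, so confirm that the demuxer's close path frees flv->metaVideoColor; otherwise the final instance still leaks.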