From patchwork Thu Sep 19 22:56:32 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51656
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 20 Sep 2024 00:56:32 +0200
Message-ID: <20240919225639.2376418-2-michael@niedermayer.cc>
In-Reply-To: <20240919225639.2376418-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/9] avformat/asf: Check picsize

Fixes: signed integer overflow: 1073750247 * 2 cannot be represented in type 'int'
Fixes: 70722/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5447231587549184
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/asf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/asf.c b/libavformat/asf.c index a71337aa3c9..5c118d2dbe0 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c
@@ -90,8 +90,8 @@ static int asf_read_picture(AVFormatContext *s, int len) return 0; } - if (picsize >= len) { - av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d >= %d.\n", + if (picsize >= len || ((int64_t)len - picsize) * 2 + 1 > INT_MAX) { + av_log(s, AV_LOG_ERROR, "Invalid attached picture data size: %d (len = %d).\n", picsize, len); return AVERROR_INVALIDDATA; }

From patchwork Thu Sep 19 22:56:33 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51657
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 20 Sep 2024 00:56:33 +0200
Message-ID: <20240919225639.2376418-3-michael@niedermayer.cc>
In-Reply-To: <20240919225639.2376418-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/9] avcodec/jfdctint_template: use unsigned z* in row_fdct()

Fixes: signed integer overflow: 856827136 + 2123580416 cannot be represented in type 'int'
Fixes: 70772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_KS_fuzzer-5180569961431040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/jfdctint_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jfdctint_template.c b/libavcodec/jfdctint_template.c index aa2680132ee..58827b677e6 100644 --- a/libavcodec/jfdctint_template.c
+++ b/libavcodec/jfdctint_template.c 
@@ -183,7 +183,7 @@ static av_always_inline void FUNC(row_fdct)(int16_t *data) { int tmp0, tmp1, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7; int tmp10, tmp11, tmp12, tmp13; - int z1, z2, z3, z4, z5; + unsigned z1, z2, z3, z4, z5; int16_t *dataptr; int ctr;

From patchwork Thu Sep 19 22:56:34 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51658
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 20 Sep 2024 00:56:34 +0200
Message-ID: <20240919225639.2376418-4-michael@niedermayer.cc>
In-Reply-To: <20240919225639.2376418-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/9] avcodec/osq: use unsigned for decorrelation

Fixes: signed integer overflow: 1205469696 + 1901074655 cannot be represented in type 'int'
Fixes: 70773/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5419594888577024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/osq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index 2b75364c18c..1bf62646994 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c
@@ -342,7 +342,7 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int if (nb_channels == 2 && ch == 1) { if (decorrelate) - dst[n] += s->decode_buffer[0][OFFSET+n]; + dst[n] += (unsigned)s->decode_buffer[0][OFFSET+n]; } if (downsample)

From patchwork Thu Sep 19 22:56:35 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51659
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 20 Sep 2024 00:56:35 +0200
Message-ID: <20240919225639.2376418-5-michael@niedermayer.cc>
In-Reply-To: <20240919225639.2376418-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/9] avcodec/cbs_h266_syntax_template: Check bit depth with range extension

Fixes: shift exponent 62 is too large for 32-bit type 'int'
Fixes: 71020/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6444916325023744
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/cbs_h266_syntax_template.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index a8f5af04d02..1c111126563 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c
@@ -1041,6 +1041,9 @@ static int FUNC(sps_range_extension)(CodedBitstreamContext *ctx, RWContext *rw, { int err; + if (current->sps_bitdepth_minus8 < 10) + return AVERROR_INVALIDDATA; + flag(sps_extended_precision_flag); if (current->sps_transform_skip_enabled_flag) flag(sps_ts_residual_coding_rice_present_in_sh_flag);

From patchwork Thu Sep 19 22:56:36 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51660
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 20 Sep 2024 00:56:36 +0200
Message-ID: <20240919225639.2376418-6-michael@niedermayer.cc>
In-Reply-To: <20240919225639.2376418-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/9] avcodec/aac/aacdec: use correct index in deallocation

Fixes: memleak
Fixes: 71084/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5857751899635712
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/aac/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c index c37de2e0036..4110bc40ca5 100644 --- a/libavcodec/aac/aacdec.c +++ b/libavcodec/aac/aacdec.c
@@ -1104,7 +1104,7 @@ static av_cold int decode_close(AVCodecContext *avctx) OutputConfiguration *oc = &ac->oc[i]; AACUSACConfig *usac = &oc->usac; for (int j = 0; j < usac->nb_elems; j++) { - AACUsacElemConfig *ec = &usac->elems[i]; + AACUsacElemConfig *ec = &usac->elems[j]; av_freep(&ec->ext.pl_data); } }

From patchwork Thu Sep 19 22:56:37 2024
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 51661
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 20 Sep 2024 00:56:37 +0200
Message-ID: <20240919225639.2376418-7-michael@niedermayer.cc>
In-Reply-To: <20240919225639.2376418-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 7/9] avcodec/encode: Check bitrate

Fixes: -1.80923e+19 is outside the range of representable values of type 'long'
Fixes: 71103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-6542773681979392
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/encode.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/encode.c b/libavcodec/encode.c index bc5acf985d9..3baf5b8103b 100644 --- a/libavcodec/encode.c +++ b/libavcodec/encode.c
@@ -764,6 +764,11 @@ int ff_encode_preinit(AVCodecContext *avctx) return AVERROR(EINVAL); } + if (avctx->bit_rate < 0) { + av_log(avctx, AV_LOG_ERROR, "The encoder bitrate is negative.\n"); + return AVERROR(EINVAL); + } + if (avctx->flags & AV_CODEC_FLAG_COPY_OPAQUE && !(avctx->codec->capabilities & AV_CODEC_CAP_ENCODER_REORDERED_OPAQUE)) { av_log(avctx, AV_LOG_ERROR, "The copy_opaque flag is set, but the "
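
Review bot: [PATCH 2/9] the added bound `((int64_t)len - picsize) * 2 + 1 > INT_MAX` in asf_read_picture() (libavformat/asf.c) carries no comment naming the later computation it mirrors, so the check and that computation can drift apart unnoticed. A one-line comment naming the expression it protects would help, or the value could be computed once in an int64_t and tested where it is used. The reworded log message now covers two different failures with one text; separate messages for `picsize >= len` and for the size bound would make fuzzer and field logs easier to triage.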
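
Review bot: [PATCH 3/9] in row_fdct() (libavcodec/jfdctint_template.c) only `z1, z2, z3, z4, z5` become unsigned while `tmp0` to `tmp13` stay int, and the hunk does not show how the z values are consumed. Please confirm that no z* is right-shifted, divided or compared directly, since each of those changes meaning on an unsigned operand, and that every use is converted back to a signed type before descaling. A short comment at the declaration saying the type is unsigned only to make wraparound defined would stop someone from "cleaning it up" back to int later.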
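
Review bot: [PATCH 4/9] the cast in `dst[n] += (unsigned)s->decode_buffer[0][OFFSET+n];` in do_decode() (libavcodec/osq.c) turns the overflow into silent wraparound, and nothing in the hunk states that a wrapped sample is the intended result for such input. If wrapping is acceptable for damaged streams, say so in a comment on that line; if it is not, the decorrelation sum needs a range check that returns an error instead.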
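
Review bot: [PATCH 5/9] the threshold in `if (current->sps_bitdepth_minus8 < 10)` at the top of sps_range_extension() (libavcodec/cbs_h266_syntax_template.c) is compared against the minus8 field, so as written it rejects the range extension for every bit depth below 18. The subject line speaks of checking the bit depth, so please confirm whether the limit was meant in bit-depth terms, in which case the constant needs the 8 subtracted, and add a comment citing the constraint being enforced. The function takes an RWContext, so it is also worth confirming the check behaves as intended on the write path, and an error message would match the other checks in this series.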
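
Review bot: [PATCH 6/9] the commit message says only "memleak", but the replaced line `AACUsacElemConfig *ec = &usac->elems[i];` in decode_close() (libavcodec/aac/aacdec.c) indexed elems with the outer loop variable rather than the inner `j` that is bounded by `usac->nb_elems`. Please state in the message whether `i` could ever exceed the size of elems; if it could, the old code was also an out-of-bounds access, which matters for backport priority. The change to `elems[j]` itself looks correct.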
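
Review bot: [PATCH 7/9] the new `if (avctx->bit_rate < 0)` check in ff_encode_preinit() (libavcodec/encode.c) covers only the negative side, while the report in the commit message is a floating-point value outside the range of 'long', which a very large positive bit_rate fed through the same conversion could presumably also produce. The conversion site is not part of this hunk, so please either add an upper bound here or clamp at the point of conversion, and mention in the message which expression produced the -1.80923e+19 value.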