From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 10 Oct 2024 02:18:28 +0200
Message-ID: <20241010001832.1120712-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/5] swscale/rgb2rgb_template: Fix ff_rgb24toyv12_c() with odd height

Fixes: out of array access
Fixes: 368143798/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6475823425585152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer

--- libswscale/rgb2rgb_template.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libswscale/rgb2rgb_template.c b/libswscale/rgb2rgb_template.c index 197450169a8..84b9da0911e 100644 --- a/libswscale/rgb2rgb_template.c +++ b/libswscale/rgb2rgb_template.c @@ -640,7 +640,7 @@ static inline void uyvytoyv12_c(const uint8_t *src, uint8_t *ydst, } /** - * Height should be a multiple of 2 and width should be a multiple of 2. + * width should be a multiple of 2. * (If this is a problem for anyone then tell me, and I will fix it.) */ void ff_rgb24toyv12_c(const uint8_t *src, uint8_t *ydst, uint8_t *udst,
@@ -659,6 +659,11 @@ void ff_rgb24toyv12_c(const uint8_t *src, uint8_t *ydst, uint8_t *udst, for (y = 0; y < height; y += 2) { int i; + if (y + 1 == height) { + ydst2 = ydst1; + src2 = src1; + } + for (i = 0; i < chromWidth; i++) { unsigned int b11 = src1[6 * i + 0]; unsigned int g11 = src1[6 * i + 1];
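
Review bot: the doc comment in the first hunk (above ff_rgb24toyv12_c) now only says that width should be a multiple of 2 and no longer mentions height at all, so a caller cannot tell whether odd height is supported or merely undocumented. Suggest stating it outright, for example that width should be a multiple of 2 and that for an odd height the last row is used twice, and capitalising the sentence as before.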
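
Review bot: in the second hunk, the new if (y + 1 == height) block aliases ydst2 and src2 onto the first row with no comment saying why and without restoring them afterwards. That is only safe because the condition can hold on the final iteration of for (y = 0; y < height; y += 2) and no other; a one-line comment to that effect (odd height: reuse the last row so nothing is read or written past it) would make this clear to the next reader. The pointer advance that follows the inner loop is not visible in this context, so it is worth confirming that it has no effect after the aliasing.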
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 10 Oct 2024 02:18:29 +0200
Message-ID: <20241010001832.1120712-2-michael@niedermayer.cc>
In-Reply-To: <20241010001832.1120712-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/5] swscale/output: used unsigned for bit accumulation

Fixes: Integer overflow
Fixes: 368725672/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-5009093023563776
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer

--- libswscale/output.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index 31921a3ccec..ae9a50637a9 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -664,7 +664,7 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y;
@@ -686,7 +686,8 @@ yuv2mono_2_c_template(SwsContext *c, const int16_t *buf[2], c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int Y, acc = 0; + int Y; + unsigned acc = 0; Y = (buf0[i + 0] * yalpha1 + buf1[i + 0] * yalpha) >> 19; accumulate_bit(acc, Y + d128[0]); @@ -721,7 +722,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, if (c->dither == SWS_DITHER_ED) { int err = 0; - int acc = 0; + unsigned acc = 0; for (i = 0; i < dstW; i +=2) { int Y; 
@@ -743,7 +744,7 @@ yuv2mono_1_c_template(SwsContext *c, const int16_t *buf0, c->dither_error[0][i] = err; } else { for (i = 0; i < dstW; i += 8) { - int acc = 0; + unsigned acc = 0; accumulate_bit(acc, ((buf0[i + 0] + 64) >> 7) + d128[0]); accumulate_bit(acc, ((buf0[i + 1] + 64) >> 7) + d128[1]); accumulate_bit(acc, ((buf0[i + 2] + 64) >> 7) + d128[2]);
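
Review bot: in the two SWS_DITHER_ED branches (yuv2mono_2_c_template and yuv2mono_1_c_template) acc is declared outside the for (i = 0; i < dstW; i +=2) loop, so making it unsigned gives the accumulation defined wraparound, but neither the code nor the commit message says that bits carried over from earlier iterations are meant to be discarded. Please name the operation that overflowed in the message and note that only the low bits of acc are consumed, or mask acc where it is stored. In the two non-ED hunks acc is declared inside the for (i = 0; i < dstW; i += 8) body and starts at 0 for each group of pixels, so the type change there reads as a consistency fix and looks fine.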
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 10 Oct 2024 02:18:30 +0200
Message-ID: <20241010001832.1120712-3-michael@niedermayer.cc>
In-Reply-To: <20241010001832.1120712-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/5] avformat/mxfdec: Fix overflow in midpoint computation

Fixes: signed integer overflow: 4611686016549392399 + 9223372033098784800 cannot be represented in type 'long long'
Fixes: 368503277/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5928227458056192
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer

--- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e5f59089ab4..147b6a17f68 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c
@@ -3894,7 +3894,7 @@ static int mxf_get_next_track_edit_unit(MXFContext *mxf, MXFTrack *track, int64_ a = -1; b = track->original_duration; while (b - 1 > a) { - m = (a + b) >> 1; + m = (a + (uint64_t)b) >> 1; if (mxf_edit_unit_absolute_offset(mxf, t, m, track->edit_rate, NULL, &offset, NULL, 0) < 0) return -1; if (offset < current_offset)
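
Review bot: the cast in m = (a + (uint64_t)b) >> 1 yields the true midpoint only because a stays at or above its initial -1 and b is greater than a inside the loop, so the sum taken modulo 2^64 equals the mathematical sum; a short comment stating that invariant would keep someone from rewriting it as a + (b - a) / 2, which overflows for a = -1 and a large b. The loop condition while (b - 1 > a) is still signed arithmetic on b = track->original_duration, so if that field can ever hold INT64_MIN the subtraction overflows before the cast is reached; a range check on original_duration ahead of the loop would cover that case.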
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 10 Oct 2024 02:18:31 +0200
Message-ID: <20241010001832.1120712-4-michael@niedermayer.cc>
In-Reply-To: <20241010001832.1120712-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/5] avformat/mxfdec: Detect infinite loop of segments

Fixes: Infinite loop
Fixes: 371059874/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5024314548617216
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer

--- libavformat/mxfdec.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 147b6a17f68..7a0731614c8 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c
@@ -1908,6 +1908,7 @@ static int64_t mxf_essence_container_end(MXFContext *mxf, int body_sid) static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_table, int64_t edit_unit, AVRational edit_rate, int64_t *edit_unit_out, int64_t *offset_out, MXFPartition **partition_out, int nag) { int i = 0; + int lastdir = 0; int64_t index_duration, index_end; MXFIndexTableSegment *first_segment, *last_segment; 
@@ -1969,12 +1970,14 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t *edit_unit_out = av_rescale_q(edit_unit, edit_rate, s->index_edit_rate); return mxf_absolute_bodysid_offset(mxf, index_table->body_sid, offset_temp, offset_out, partition_out); - } else if (edit_unit < s->index_start_position) { - // the segments are sorted by IndexStartPosition, so this is guaranteed to terminate - i--; } else { - // edit_unit >= s->index_start_position + s->index_duration - i++; + // the segments are sorted by IndexStartPosition + int dir = (edit_unit < s->index_start_position) ? -1 : 1; + + if (lastdir == -dir) + break; + i += dir; + lastdir = dir; } }
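
Review bot: in the second hunk the loop now exits through break when the search direction flips, but the hunk drops the old comment for the forward case (edit_unit >= s->index_start_position + s->index_duration) and does not say what a flip means. A comment that a reversal implies no segment contains edit_unit (a gap between neighbouring segments, or segments that are not actually sorted) would document why break is the right exit. Because lastdir starts at 0 and dir is always -1 or 1, the first step can never take the break, which is correct; please check that the code after the loop reports this path as a failure the same way it does when i runs off either end, since that code is not part of the visible context.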
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 10 Oct 2024 02:18:32 +0200
Message-ID: <20241010001832.1120712-5-michael@niedermayer.cc>
In-Reply-To: <20241010001832.1120712-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/5] avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen

Fixes: use of uninitialized variable
Fixes: 368729566/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTS_fuzzer-6044501804646400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer

--- libavformat/mpegts.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 04565a20110..86b7c8e0414 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1672,6 +1672,8 @@ static int mp4_read_iods(AVFormatContext *s, const uint8_t *buf, unsigned size, MP4DescrParseContext d; int ret; + d.predefined_SLConfigDescriptor_seen = 0; + ret = init_MP4DescrParseContext(&d, s, buf, size, descr, max_descr_count); if (ret < 0) return ret;
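
Review bot: setting d.predefined_SLConfigDescriptor_seen = 0 in mp4_read_iods() fixes this one caller, and it sits directly before init_MP4DescrParseContext(&d, ...), the function whose job is to set d up. Clearing the field inside init_MP4DescrParseContext(), or declaring MP4DescrParseContext d = { 0 }, would cover every caller of the init function and any other member it leaves untouched.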