From patchwork Sat Jun 13 11:23:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 20323 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 45A5F44B245 for ; Sat, 13 Jun 2020 14:30:11 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 18BA768B108; Sat, 13 Jun 2020 14:30:11 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-1.mx.upcmail.net (vie01a-dmta-pe01-1.mx.upcmail.net [62.179.121.154]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 48DF368AA89 for ; Sat, 13 Jun 2020 14:30:04 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1jk4HG-0007Qi-07 for ffmpeg-devel@ffmpeg.org; Sat, 13 Jun 2020 13:24:46 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id k4GHjOejW6Jy6k4GIjdjfs; Sat, 13 Jun 2020 13:23:46 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=zvxr3P5ZVj4PM9i-casA:9 a=N-pDE2tjf37c7Tws:21 a=zxPOS37g7Ra8V7z2:21 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=bWyr8ysk75zN3GCy5bjg:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sat, 13 Jun 2020 13:23:41 +0200 Message-Id: <20200613112345.13515-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 X-CMAE-Envelope: MS4wfEEMi+6wgB2zGpYEyw8S6R61xgDphlSmpntqR/RDjASZ9Z0k60I+NM5iPmc07s0poYqiHeJWL2k/RjGVvIXKj10JKreur3kHod3adHg1dp6mPt167tDe Y1eUTKWrqzhvt02YvoePwPe+VbI8DYcTzXlKeHHLpYSZxSzmdhSajcKF Subject: [FFmpeg-devel] [PATCH 1/5] avcodec/iff: Fix off by x error X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: out of array access Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/iff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/iff.c b/libavcodec/iff.c index 66879cbf5d..79f6215c77 100644 --- a/libavcodec/iff.c +++ b/libavcodec/iff.c @@ -723,7 +723,7 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in if (opcode >= 0) { int size = opcode + 1; for (i = 0; i < size; i++) { - int length = FFMIN(size - i, width); + int length = FFMIN(size - i, width - x); if (src_end - src < length * 4) return; memcpy(dst + y*linesize + x * 4, src, length * 4); From patchwork Sat Jun 13 11:23:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 20324 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 31C5C44B245 for ; Sat, 13 Jun 2020 14:30:16 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1636F68B31C; Sat, 13 Jun 2020 14:30:16 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-1.mx.upcmail.net (vie01a-dmta-pe01-1.mx.upcmail.net [62.179.121.154]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 893CD68AA89 for ; Sat, 13 Jun 2020 14:30:09 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1jk4HH-00070z-0G for ffmpeg-devel@ffmpeg.org; Sat, 13 Jun 2020 13:24:47 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id k4GIjOekn6Jy6k4GJjdjg9; Sat, 13 Jun 2020 13:23:47 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=n56v0SaebGItXFOb_JQA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sat, 13 Jun 2020 13:23:42 +0200 Message-Id: <20200613112345.13515-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200613112345.13515-1-michael@niedermayer.cc> References: <20200613112345.13515-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfE43Zd6IQCdXvPta5d5aq07lEnKQEcP+kYHGFPPwKPzqGpZXc63NyuImlvRjEvqWWVbm8weigXLyXwZhmPiAWR6NmkoeNKgkw0kFVZ1lzYtGb8UvxvLj UQIp09McRbjwiBttcsHi1tU1QwrFZv2MQ+/tzGeusaw4O0B4Lz7P27TG Subject: [FFmpeg-devel] [PATCH 2/5] avformat/ape: Cleanup after ape_read_header() failure X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: memleaks Fixes: 23306/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5635436931448832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/ape.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index ed6752a415..39a584aa98 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -83,6 +83,8 @@ typedef struct APEContext { uint8_t *bittable; } APEContext; +static int ape_read_close(AVFormatContext * s); + static int ape_probe(const AVProbeData * p) { int version = AV_RL16(p->buf+4); @@ -281,14 +283,18 @@ static int ape_read_header(AVFormatContext * s) if (ape->seektablelength > 0) { ape->seektable = av_mallocz(ape->seektablelength); - if (!ape->seektable) - return AVERROR(ENOMEM); + if (!ape->seektable) { + ret = AVERROR(ENOMEM); + goto fail; + } for (i = 0; i < ape->seektablelength / sizeof(uint32_t) && !pb->eof_reached; i++) ape->seektable[i] = avio_rl32(pb); if (ape->fileversion < 3810) { ape->bittable = av_mallocz(ape->totalframes); - if (!ape->bittable) - return AVERROR(ENOMEM); + if (!ape->bittable) { + ret = AVERROR(ENOMEM); + goto fail; + } for (i = 0; i < ape->totalframes && !pb->eof_reached; i++) ape->bittable[i] = avio_r8(pb); } @@ -341,8 +347,10 @@ static int ape_read_header(AVFormatContext * s) /* now we are ready: build format streams */ st = avformat_new_stream(s, NULL); - if (!st) - return AVERROR(ENOMEM); + if (!st) { + ret = AVERROR(ENOMEM); + goto fail; + } total_blocks = (ape->totalframes == 0) ? 0 : ((ape->totalframes - 1) * ape->blocksperframe) + ape->finalframeblocks; @@ -359,7 +367,7 @@ static int ape_read_header(AVFormatContext * s) avpriv_set_pts_info(st, 64, 1, ape->samplerate); if ((ret = ff_alloc_extradata(st->codecpar, APE_EXTRADATA_SIZE)) < 0) - return ret; + goto fail; AV_WL16(st->codecpar->extradata + 0, ape->fileversion); AV_WL16(st->codecpar->extradata + 2, ape->compressiontype); AV_WL16(st->codecpar->extradata + 4, ape->formatflags); @@ -378,6 +386,10 @@ static int ape_read_header(AVFormatContext * s) } return 0; +fail: + ape_read_close(s); + + return ret; } static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) From patchwork Sat Jun 13 11:23:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 20326 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id E5A9C44B245 for ; Sat, 13 Jun 2020 14:30:41 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D015368B4C4; Sat, 13 Jun 2020 14:30:41 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe05-3.mx.upcmail.net (vie01a-dmta-pe05-3.mx.upcmail.net [84.116.36.13]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3AC6768B479 for ; Sat, 13 Jun 2020 14:30:41 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1jk4HH-000264-0H for ffmpeg-devel@ffmpeg.org; Sat, 13 Jun 2020 13:24:47 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id k4GJjOel56Jy6k4GJjdjgD; Sat, 13 Jun 2020 13:23:47 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=nqO29ZSUBsHRwK5UAoYA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sat, 13 Jun 2020 13:23:43 +0200 Message-Id: <20200613112345.13515-3-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200613112345.13515-1-michael@niedermayer.cc> References: <20200613112345.13515-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfE43Zd6IQCdXvPta5d5aq07lEnKQEcP+kYHGFPPwKPzqGpZXc63NyuImlvRjEvqWWVbm8weigXLyXwZhmPiAWR6NmkoeNKgkw0kFVZ1lzYtGb8UvxvLj UQIp09McRbjwiBttcsHi1tU1QwrFZv2MQ+/tzGeusaw4O0B4Lz7P27TG Subject: [FFmpeg-devel] [PATCH 3/5] avcodec/pixlet: Fix log(0) check X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: passing zero to clz(), which is not a valid argument Fixes: 23337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5179131989065728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/pixlet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 7b068b1ce5..78f571cd5f 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -221,7 +221,7 @@ static int read_high_coeffs(AVCodecContext *avctx, uint8_t *src, int16_t *dst, length = 25 - nbits; while (i < size) { - if (state >> 8 != -3) + if (((state >> 8) + 3) & 0xFFFFFFF) value = ff_clz((state >> 8) + 3) ^ 0x1F; else value = -1; From patchwork Sat Jun 13 11:23:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 20327 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id CA7DD44B384 for ; Sat, 13 Jun 2020 14:31:36 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id AEB3E68B44A; Sat, 13 Jun 2020 14:31:36 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe06-1.mx.upcmail.net (vie01a-dmta-pe06-1.mx.upcmail.net [84.116.36.14]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 7485E68B11E for ; Sat, 13 Jun 2020 14:31:30 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe06.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1jk4HH-0002Hx-0G for ffmpeg-devel@ffmpeg.org; Sat, 13 Jun 2020 13:24:47 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id k4GJjOelF6Jy6k4GJjdjgF; Sat, 13 Jun 2020 13:23:47 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=AoSA7LNs-ClNCW7MAKQA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sat, 13 Jun 2020 13:23:44 +0200 Message-Id: <20200613112345.13515-4-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200613112345.13515-1-michael@niedermayer.cc> References: <20200613112345.13515-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfE43Zd6IQCdXvPta5d5aq07lEnKQEcP+kYHGFPPwKPzqGpZXc63NyuImlvRjEvqWWVbm8weigXLyXwZhmPiAWR6NmkoeNKgkw0kFVZ1lzYtGb8UvxvLj UQIp09McRbjwiBttcsHi1tU1QwrFZv2MQ+/tzGeusaw4O0B4Lz7P27TG Subject: [FFmpeg-devel] [PATCH 4/5] avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: out of array access Fixes: 23327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5134822992510976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 7e52bbef1b..f5021208c3 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -3134,6 +3134,7 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) MpegEncContext *s = &ctx->m; int width, height; int bits_per_raw_sample; + int rgb, chroma_format; // random_accessible_vol and video_object_type_indication have already // been read by the caller decode_vol_header() @@ -3141,28 +3142,36 @@ static int decode_studio_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) ctx->shape = get_bits(gb, 2); /* video_object_layer_shape */ skip_bits(gb, 4); /* video_object_layer_shape_extension */ skip_bits1(gb); /* progressive_sequence */ + if (ctx->shape != RECT_SHAPE) { + avpriv_request_sample(s->avctx, "MPEG-4 Studio profile non rectangular shape"); + return AVERROR_PATCHWELCOME; + } if (ctx->shape != BIN_ONLY_SHAPE) { - ctx->rgb = get_bits1(gb); /* rgb_components */ - s->chroma_format = get_bits(gb, 2); /* chroma_format */ - if (!s->chroma_format) { + rgb = get_bits1(gb); /* rgb_components */ + chroma_format = get_bits(gb, 2); /* chroma_format */ + if (!chroma_format || chroma_format == CHROMA_420 || (rgb && chroma_format == CHROMA_422)) { av_log(s->avctx, AV_LOG_ERROR, "illegal chroma format\n"); return AVERROR_INVALIDDATA; } bits_per_raw_sample = get_bits(gb, 4); /* bit_depth */ if (bits_per_raw_sample == 10) { - if (ctx->rgb) { + if (rgb) { s->avctx->pix_fmt = AV_PIX_FMT_GBRP10; } else { - s->avctx->pix_fmt = s->chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; + s->avctx->pix_fmt = chroma_format == CHROMA_422 ? AV_PIX_FMT_YUV422P10 : AV_PIX_FMT_YUV444P10; } } else { avpriv_request_sample(s->avctx, "MPEG-4 Studio profile bit-depth %u", bits_per_raw_sample); return AVERROR_PATCHWELCOME; } + if (rgb != ctx->rgb || s->chroma_format != chroma_format) + s->context_reinit = 1; s->avctx->bits_per_raw_sample = bits_per_raw_sample; + ctx->rgb = rgb; + s->chroma_format = chroma_format; } if (ctx->shape == RECT_SHAPE) { check_marker(s->avctx, gb, "before video_object_layer_width"); From patchwork Sat Jun 13 11:23:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 20325 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 2187644B245 for ; Sat, 13 Jun 2020 14:30:39 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0C72168B4BA; Sat, 13 Jun 2020 14:30:39 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe06-1.mx.upcmail.net (vie01a-dmta-pe06-1.mx.upcmail.net [84.116.36.14]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3272B68B4B4 for ; Sat, 13 Jun 2020 14:30:33 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe06.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1jk4HH-0002I0-0H for ffmpeg-devel@ffmpeg.org; Sat, 13 Jun 2020 13:24:47 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id k4GJjOelb6Jy6k4GJjdjgH; Sat, 13 Jun 2020 13:23:47 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=emhf11hzAAAA:8 a=IM_zh3B_C3zWKMWvMhkA:9 a=+jEqtf1s3R9VXZ0wqowq2kgwd+I=:19 a=HLUCug_QN4oeKp6PugZw:22 a=pHzHmUro8NiASowvMSCR:22 a=n87TN5wuljxrRezIQYnT:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sat, 13 Jun 2020 13:23:45 +0200 Message-Id: <20200613112345.13515-5-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200613112345.13515-1-michael@niedermayer.cc> References: <20200613112345.13515-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfE43Zd6IQCdXvPta5d5aq07lEnKQEcP+kYHGFPPwKPzqGpZXc63NyuImlvRjEvqWWVbm8weigXLyXwZhmPiAWR6NmkoeNKgkw0kFVZ1lzYtGb8UvxvLj UQIp09McRbjwiBttcsHi1tU1QwrFZv2MQ+/tzGeusaw4O0B4Lz7P27TG Subject: [FFmpeg-devel] [PATCH 5/5] avformat/oggdec: Disable mid stream codec changes X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" The code crashes and neither the authors nor anyone else did fix this We cannot release code which crashes, so if noone fixes it, the only option left is to disable or revert. Revert is difficult as there are multiple commits afterwards Fixes: 22082/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5688619118624768 Fixes: crash from V-codecs/Theora/theora_testsuite_broken/multi2.ogg Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/oggdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 9eb45499c6..1f3ed8024c 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -229,6 +229,15 @@ static int ogg_replace_stream(AVFormatContext *s, uint32_t serial, char *magic, /* We only have a single stream anyway, so if there's a new stream with * a different codec just replace it */ os = &ogg->streams[0]; + if (os->codec != codec) { + /* + * The codec change code from 8296443a70f052a6f5c9a867d28b83a5eb7d304d and surounding commits + * crashes with out of array accesses + * testcase is https://samples.ffmpeg.org/V-codecs/Theora/theora_testsuite_broken/multi2.ogg + */ + return AVERROR_PATCHWELCOME; + } + os->serial = serial; os->codec = codec; os->serial = serial;