From patchwork Thu Jun 18 19:19:08 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 20470
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 48790449E40
	for <patchwork@ffaux-bg.ffmpeg.org>; Thu, 18 Jun 2020 22:19:24 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 20C0568B542;
	Thu, 18 Jun 2020 22:19:24 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com
 [209.85.221.50])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 80E9C68B1B3
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Jun 2020 22:19:17 +0300 (EEST)
Received: by mail-wr1-f50.google.com with SMTP id r7so7294817wro.1
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Jun 2020 12:19:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=TpjelqGMMizvmGu9b+Lyh11PhKKHtXYyXva58+53Tas=;
 b=FiNgIbX/XbECl9Xq8M8uBBJ4nwKEPy9oWeTdpDezwvK2pH4kby/I0FFLEmVnjYINUC
 tBlmaCJ6W0uc+BYX1dse38Itf/ndfkACkK/F2Ti4F901gdBkAxZlgAcBrGqg0oHcRlGz
 J4YY54PVXdkO/oSWPoUIve4Y7vE+q3cJQTIXneLYXLa2c4pvYbx5ItM+SF4UDyZht+Ul
 4KkQnoIZTM5icF0kFKv5LPBSyKPFU2EyIq4WDvhzZw3CPsxaYgi2vnJg7vxH8I+iHKcV
 zgybPEZlWjqtKryx1xfNS9XU51Mzxqnr6geiFH++23xH+ZLVWQPhRELbHYrj0OHYe+Zb
 asvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=TpjelqGMMizvmGu9b+Lyh11PhKKHtXYyXva58+53Tas=;
 b=jbuXvI+GgTuPVkv7C38Ym4rfGboTQCBM6JP9dX2gjwZv6VAq0EbVeozRyWxz+pn++N
 3aGyC6j2dGrf9hk9x7zyP7FC//+k3ffRGjNGyiGF875NQgxKfE+Tc7OanFezdHW8TcL3
 utMd3j6lq2i6SNUputBa9Y77Nya9ysKApK0+Q/mfLXz3MM4L0aVxgdi4iX4l8s7ocJZn
 pT/4w+xvjcKMx/DtSwr4l62SfgUZrv+oCHWfm2YV3LO6eddDQw8Gh5SegsM6aVubeuVe
 TpuZpDvykHA5GU91Mhe7g8dcPNQAb8RvwAJ1cWwXzUN1RS4Hk3ClL/WnKFYmcOt3+QrI
 6SWQ==
X-Gm-Message-State: AOAM532AbIyyvM2OOlAt2y1jWDkq9xK0do/fSyO+smABcDOGskQXQmm1
 cOyPoBzF0Ez4Hi/7rqf4pMdbbXIW
X-Google-Smtp-Source: 
 ABdhPJy5MlMObd7Wj01dALY8iGzqCDZieGuZ9BkIbIib+ETVc5wMa2sLL90uIfaaU1p66VJf/m6Neg==
X-Received: by 2002:a5d:5303:: with SMTP id e3mr6044959wrv.321.1592507956294;
 Thu, 18 Jun 2020 12:19:16 -0700 (PDT)
Received: from sblaptop.fritz.box (ipbcc1ab57.dynamic.kabel-deutschland.de.
 [188.193.171.87])
 by smtp.gmail.com with ESMTPSA id e8sm2874996wrv.24.2020.06.18.12.19.14
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 18 Jun 2020 12:19:15 -0700 (PDT)
From: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 18 Jun 2020 21:19:08 +0200
Message-Id: <20200618191909.2253-1-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH v2 1/2] avcodec/cbs_av1: Fix writing uvlc
	numbers >= INT_MAX
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: assertion failure
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 23264/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_METADATA_fuzzer-6308429248593920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
The earlier version did fix the undefined behaviour when shifting, but
one nevertheless ran into an av_assert2 in put_bits because put_bits
can't write 32 bits at once*. So write via three calls to put_bits.

*: If one wants to write 32 bits at once and if there are 32 bits left
(i.e. the cache is empty), then bit_buf will be shifted by 32 places
which is undefined behaviour (even though bit_buf is zero in this case).

 libavcodec/cbs_av1.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c
index 29b316e011..0abcba9c60 100644
--- a/libavcodec/cbs_av1.c
+++ b/libavcodec/cbs_av1.c
@@ -125,8 +125,9 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc,
         put_bits(pbc, 1, 1);
     } else {
         zeroes = av_log2(value + 1);
-        v = value - (1 << zeroes) + 1;
-        put_bits(pbc, zeroes + 1, 1);
+        v = value - (1U << zeroes) + 1;
+        put_bits(pbc, zeroes, 0);
+        put_bits(pbc, 1, 1);
         put_bits(pbc, zeroes, v);
     }
 

From patchwork Thu Jun 18 19:19:09 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 20471
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 676EE449E40
	for <patchwork@ffaux-bg.ffmpeg.org>; Thu, 18 Jun 2020 22:19:45 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 54C1A68B584;
	Thu, 18 Jun 2020 22:19:45 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wm1-f68.google.com (mail-wm1-f68.google.com
 [209.85.128.68])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 562B468B1A2
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Jun 2020 22:19:39 +0300 (EEST)
Received: by mail-wm1-f68.google.com with SMTP id g21so2431233wmg.0
 for <ffmpeg-devel@ffmpeg.org>; Thu, 18 Jun 2020 12:19:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=Hsh4SR49AB4SIEUpeV8yrekAGasVytP1ouDkMtmujSU=;
 b=gisbyxa3f9ZbFcCtMHXdBXahpkUcqOckZ7b09y+1lGnUlUlCjcWECQnlRZntA/NAlu
 MPCaW75iuaCTKRpFgiW7hGV+mrxG45oqCdQ2Ce9ZhLFkukpMt9D5OTiKqh5WnLkPHvLY
 QYox3cX+5I/v2y255NJ+CjmV+SE+5rSq+HstczYZnkzp1PONnjlWU46jQlKjZmkj0nyJ
 rjlu5F8I/vS6KtTw5DowdaIIMMQl1hkFTlJ4JURAfyFuSA5juBUqUxq9sezKxZZQAclC
 Yo0H0wGGjX6T4ajV4DT+cKITAYi0S1Og7mhp0zd8W0O59uwfHyOyirE300vBc9Qj8gGc
 mfxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=Hsh4SR49AB4SIEUpeV8yrekAGasVytP1ouDkMtmujSU=;
 b=bB1qN+5HxuZQF8KGLePr8j9SMgI3qtWBcSuk7FgZJopd0dQCfWmdX0kyuGf47JBblc
 QYl2Bkc0hw3m3t6Pb7J3B7lFMO2qZQUUCw/FyDKKyR/BxiDSl8BoFpS6AleTBTMI4Tum
 H3eh2W9oYBPlhfzcZbRHWZTLkMSVUobSXn+OkxaLl1mug7wiZk/B1cryWWb/n3pA7AN0
 gxFx5Qh8+hPrYkUanD8bkjVetj39kf7x0dzu2Su7NbLq91TI2Ix/KnI0rhnl2q4CmRgR
 yUp+KRPfoCPNRY+rrHrjXGP+B3mCBfYygqoejotO3MW/N6jqfOu+mPQI6VLaWvDNJGM8
 4Mcw==
X-Gm-Message-State: AOAM533HzFY6loHcx4FWn9QG2NnDtp9e62EmSeGlriw0g9oG+moCXRPF
 u1gPCmfmiRexDwW+oRougMyvNupD
X-Google-Smtp-Source: 
 ABdhPJzPcfmXWSuGWmc4umgBQdAfZdqlVEd8tFGhNhaq4SLQr+rp/mdIek2widQD7alML6bp2zq0Og==
X-Received: by 2002:a05:600c:2256:: with SMTP id
 a22mr5433156wmm.18.1592507978303;
 Thu, 18 Jun 2020 12:19:38 -0700 (PDT)
Received: from sblaptop.fritz.box (ipbcc1ab57.dynamic.kabel-deutschland.de.
 [188.193.171.87])
 by smtp.gmail.com with ESMTPSA id e8sm2874996wrv.24.2020.06.18.12.19.37
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 18 Jun 2020 12:19:37 -0700 (PDT)
From: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 18 Jun 2020 21:19:09 +0200
Message-Id: <20200618191909.2253-2-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20200618191909.2253-1-andreas.rheinhardt@gmail.com>
References: <20200618191909.2253-1-andreas.rheinhardt@gmail.com>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/cbs_av1: Simplify writing uvlc
	elements
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

There is no reason to special-case writing a value of zero as uvlc
element as the generic code is perfectly capable of doing so.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavcodec/cbs_av1.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/libavcodec/cbs_av1.c b/libavcodec/cbs_av1.c
index 0abcba9c60..dc7be089ac 100644
--- a/libavcodec/cbs_av1.c
+++ b/libavcodec/cbs_av1.c
@@ -120,16 +120,11 @@ static int cbs_av1_write_uvlc(CodedBitstreamContext *ctx, PutBitContext *pbc,
     if (ctx->trace_enable)
         position = put_bits_count(pbc);
 
-    if (value == 0) {
-        zeroes = 0;
-        put_bits(pbc, 1, 1);
-    } else {
-        zeroes = av_log2(value + 1);
-        v = value - (1U << zeroes) + 1;
-        put_bits(pbc, zeroes, 0);
-        put_bits(pbc, 1, 1);
-        put_bits(pbc, zeroes, v);
-    }
+    zeroes = av_log2(value + 1);
+    v = value - (1U << zeroes) + 1;
+    put_bits(pbc, zeroes, 0);
+    put_bits(pbc, 1, 1);
+    put_bits(pbc, zeroes, v);
 
     if (ctx->trace_enable) {
         char bits[65];