From patchwork Sun Jul 19 17:42:13 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 21187
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 9609844ABFD
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun, 19 Jul 2020 20:43:26 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 807FA68B8FB;
	Sun, 19 Jul 2020 20:43:26 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe06-2.mx.upcmail.net
 (vie01a-dmta-pe06-2.mx.upcmail.net [84.116.36.15])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 775C368B8E6
 for <ffmpeg-devel@ffmpeg.org>; Sun, 19 Jul 2020 20:43:19 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe06.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1jxDLL-0000dM-0b
 for ffmpeg-devel@ffmpeg.org; Sun, 19 Jul 2020 19:43:19 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id xDKMjM6wu6Jy6xDKMjFdrN; Sun, 19 Jul 2020 19:42:19 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=HoCxq_Ifyv35M0YNJdoA:9
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun, 19 Jul 2020 19:42:13 +0200
Message-Id: <20200719174218.30659-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
X-CMAE-Envelope: 
 MS4wfGrIBP277FMeqIBNTkO7mjS6jfc1ER7WqR7yDy4WeJIE8ILjXQLAIWsZ3VfqW2CERt1M+oAOIGHCXtYS7xLuRy7eNSTDCl/etAi2xeDihC1KpdJTbN+f
 abJd4kP2j3x4BU8OghOyREhyiy8BObn43Iq7eSJ54gufoNK6E0tgnzgG
Subject: [FFmpeg-devel] [PATCH 1/6] avformat/wc3movie: Move wc3_read_close()
	up
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/wc3movie.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c
index 6577007777..c59b5bf6cc 100644
--- a/libavformat/wc3movie.c
+++ b/libavformat/wc3movie.c
@@ -73,6 +73,16 @@ typedef struct Wc3DemuxContext {
 
 } Wc3DemuxContext;
 
+static int wc3_read_close(AVFormatContext *s)
+{
+    Wc3DemuxContext *wc3 = s->priv_data;
+
+    if (wc3->vpkt.size > 0)
+        av_packet_unref(&wc3->vpkt);
+
+    return 0;
+}
+
 static int wc3_probe(const AVProbeData *p)
 {
     if (p->buf_size < 12)
@@ -286,16 +296,6 @@ static int wc3_read_packet(AVFormatContext *s,
     return ret;
 }
 
-static int wc3_read_close(AVFormatContext *s)
-{
-    Wc3DemuxContext *wc3 = s->priv_data;
-
-    if (wc3->vpkt.size > 0)
-        av_packet_unref(&wc3->vpkt);
-
-    return 0;
-}
-
 AVInputFormat ff_wc3_demuxer = {
     .name           = "wc3movie",
     .long_name      = NULL_IF_CONFIG_SMALL("Wing Commander III movie"),

From patchwork Sun Jul 19 17:42:14 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 21186
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id CB31D44ABFD
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun, 19 Jul 2020 20:43:25 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id A5EBB68B89D;
	Sun, 19 Jul 2020 20:43:25 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe06-2.mx.upcmail.net
 (vie01a-dmta-pe06-2.mx.upcmail.net [84.116.36.15])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 738E668AF26
 for <ffmpeg-devel@ffmpeg.org>; Sun, 19 Jul 2020 20:43:19 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe06.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1jxDLL-0002j4-0j
 for ffmpeg-devel@ffmpeg.org; Sun, 19 Jul 2020 19:43:19 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id xDKNjM6zv6Jy6xDKNjFdrk; Sun, 19 Jul 2020 19:42:19 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=1BuEdW73MkSxslcvUUIA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun, 19 Jul 2020 19:42:14 +0200
Message-Id: <20200719174218.30659-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200719174218.30659-1-michael@niedermayer.cc>
References: <20200719174218.30659-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfGrIBP277FMeqIBNTkO7mjS6jfc1ER7WqR7yDy4WeJIE8ILjXQLAIWsZ3VfqW2CERt1M+oAOIGHCXtYS7xLuRy7eNSTDCl/etAi2xeDihC1KpdJTbN+f
 abJd4kP2j3x4BU8OghOyREhyiy8BObn43Iq7eSJ54gufoNK6E0tgnzgG
Subject: [FFmpeg-devel] [PATCH 2/6] avformat/wc3movie: Cleanup on
	wc3_read_header() failure
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: memleak
Fixes: 23660/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6007508031504384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/wc3movie.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c
index c59b5bf6cc..76e945d261 100644
--- a/libavformat/wc3movie.c
+++ b/libavformat/wc3movie.c
@@ -139,10 +139,14 @@ static int wc3_read_header(AVFormatContext *s)
             /* load up the name */
             buffer = av_malloc(size+1);
             if (!buffer)
-                return AVERROR(ENOMEM);
+            if (!buffer) {
+                ret = AVERROR(ENOMEM);
+                goto fail;
+            }
             if ((ret = avio_read(pb, buffer, size)) != size) {
                 av_freep(&buffer);
-                return AVERROR(EIO);
+                ret =  AVERROR(EIO);
+                goto fail;
             }
             buffer[size] = 0;
             av_dict_set(&s->metadata, "title", buffer,
@@ -164,21 +168,26 @@ static int wc3_read_header(AVFormatContext *s)
         default:
             av_log(s, AV_LOG_ERROR, "unrecognized WC3 chunk: %s\n",
                    av_fourcc2str(fourcc_tag));
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
         }
 
         fourcc_tag = avio_rl32(pb);
         /* chunk sizes are 16-bit aligned */
         size = (avio_rb32(pb) + 1) & (~1);
-        if (avio_feof(pb))
-            return AVERROR(EIO);
+        if (avio_feof(pb)) {
+            ret = AVERROR(EIO);
+            goto fail;
+        }
 
     } while (fourcc_tag != BRCH_TAG);
 
     /* initialize the decoder streams */
     st = avformat_new_stream(s, NULL);
-    if (!st)
-        return AVERROR(ENOMEM);
+    if (!st) {
+        ret = AVERROR(ENOMEM);
+        goto fail;
+    }
     avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS);
     wc3->video_stream_index = st->index;
     st->codecpar->codec_type = AVMEDIA_TYPE_VIDEO;
@@ -188,8 +197,10 @@ static int wc3_read_header(AVFormatContext *s)
     st->codecpar->height = wc3->height;
 
     st = avformat_new_stream(s, NULL);
-    if (!st)
-        return AVERROR(ENOMEM);
+    if (!st) {
+        ret = AVERROR(ENOMEM);
+        goto fail;
+    }
     avpriv_set_pts_info(st, 33, 1, WC3_FRAME_FPS);
     wc3->audio_stream_index = st->index;
     st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
@@ -204,6 +215,9 @@ static int wc3_read_header(AVFormatContext *s)
     st->codecpar->block_align = WC3_AUDIO_BITS * WC3_AUDIO_CHANNELS;
 
     return 0;
+fail:
+    wc3_read_close(s);
+    return ret;
 }
 
 static int wc3_read_packet(AVFormatContext *s,

From patchwork Sun Jul 19 17:42:15 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 21191
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id BFECF44AD59
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun, 19 Jul 2020 20:50:26 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 99B7968B904;
	Sun, 19 Jul 2020 20:50:26 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe02-3.mx.upcmail.net
 (vie01a-dmta-pe02-3.mx.upcmail.net [62.179.121.159])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 2BFEF68B8D1
 for <ffmpeg-devel@ffmpeg.org>; Sun, 19 Jul 2020 20:50:21 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1jxDLM-0008rg-0K
 for ffmpeg-devel@ffmpeg.org; Sun, 19 Jul 2020 19:43:20 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id xDKNjM70Z6Jy6xDKNjFdrn; Sun, 19 Jul 2020 19:42:19 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=_suGnbPSncaiJubrA8gA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun, 19 Jul 2020 19:42:15 +0200
Message-Id: <20200719174218.30659-3-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200719174218.30659-1-michael@niedermayer.cc>
References: <20200719174218.30659-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfOOXVp79iMAtYxjPKCfdggGWRglfES9Vxr44+aEIceFUkAi9dlXx/O3wdINtNwQzzZV0y9dpS7vAc1PcQN6/3J+4z2cDWctAq/PnDtvgKAIywGsmouRJ
 PPlepwJfnQ70TdL8XwcBiGIOxNcjR6l/n+I1WSttc+YWXZPsYeCWFyay
Subject: [FFmpeg-devel] [PATCH 3/6] avformat/sbgdec: Check for overflow in
	parse_timestamp()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: signed integer overflow: 33986707200000000 + 9195561788997000192 cannot be represented in type 'long'
Fixes: 23790/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6554232198266880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/sbgdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
index de1de271bb..c11244ef3d 100644
--- a/libavformat/sbgdec.c
+++ b/libavformat/sbgdec.c
@@ -474,6 +474,8 @@ static int parse_timestamp(struct sbg_parser *p,
     while (lex_char(p, '+')) {
         if (!lex_time(p, &dt))
             return AVERROR_INVALIDDATA;
+        if (av_sat_add64(rel, dt) - dt != rel)
+            return AVERROR_INVALIDDATA;
         rel += dt;
         r = 1;
     }

From patchwork Sun Jul 19 17:42:16 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 21189
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 8DD6C44ABFD
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun, 19 Jul 2020 20:43:30 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 7C3D268B90B;
	Sun, 19 Jul 2020 20:43:30 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe01-1.mx.upcmail.net
 (vie01a-dmta-pe01-1.mx.upcmail.net [62.179.121.154])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 6F58268B8FA
 for <ffmpeg-devel@ffmpeg.org>; Sun, 19 Jul 2020 20:43:21 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1jxDLM-0007LU-0L
 for ffmpeg-devel@ffmpeg.org; Sun, 19 Jul 2020 19:43:20 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id xDKOjM70m6Jy6xDKOjFdrt; Sun, 19 Jul 2020 19:42:20 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=hwvyHcRgrodHUNDTNi8A:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun, 19 Jul 2020 19:42:16 +0200
Message-Id: <20200719174218.30659-4-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200719174218.30659-1-michael@niedermayer.cc>
References: <20200719174218.30659-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfOOXVp79iMAtYxjPKCfdggGWRglfES9Vxr44+aEIceFUkAi9dlXx/O3wdINtNwQzzZV0y9dpS7vAc1PcQN6/3J+4z2cDWctAq/PnDtvgKAIywGsmouRJ
 PPlepwJfnQ70TdL8XwcBiGIOxNcjR6l/n+I1WSttc+YWXZPsYeCWFyay
Subject: [FFmpeg-devel] [PATCH 4/6] avformat/cdg: Fix integer overflow in
	duration computation
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: signed integer overflow: 8398407 * 300 cannot be represented in type 'int'
Fixes: 23914/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4702539290509312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/cdg.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/cdg.c b/libavformat/cdg.c
index 05cac6e528..f933819d57 100644
--- a/libavformat/cdg.c
+++ b/libavformat/cdg.c
@@ -49,7 +49,7 @@ static int read_header(AVFormatContext *s)
     if (ret < 0) {
         av_log(s, AV_LOG_WARNING, "Cannot calculate duration as file size cannot be determined\n");
     } else
-        vst->duration = (ret * vst->time_base.den) / (CDG_PACKET_SIZE * 300);
+        vst->duration = (ret * (int64_t)vst->time_base.den) / (CDG_PACKET_SIZE * 300);
 
     return 0;
 }

From patchwork Sun Jul 19 17:42:17 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 21188
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 775AD44ABFD
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun, 19 Jul 2020 20:43:29 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 583FD68B903;
	Sun, 19 Jul 2020 20:43:29 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe03-2.mx.upcmail.net
 (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 68E3B68B8F9
 for <ffmpeg-devel@ffmpeg.org>; Sun, 19 Jul 2020 20:43:21 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1jxDLM-0008jG-0L
 for ffmpeg-devel@ffmpeg.org; Sun, 19 Jul 2020 19:43:20 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id xDKOjM7126Jy6xDKOjFdry; Sun, 19 Jul 2020 19:42:20 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=nZOtpAppAAAA:20 a=w-B9jLQYKa1YRshLvvsA:9 a=1fhp2MxaeJtTNGEnv6mo:22
 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun, 19 Jul 2020 19:42:17 +0200
Message-Id: <20200719174218.30659-5-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200719174218.30659-1-michael@niedermayer.cc>
References: <20200719174218.30659-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfOOXVp79iMAtYxjPKCfdggGWRglfES9Vxr44+aEIceFUkAi9dlXx/O3wdINtNwQzzZV0y9dpS7vAc1PcQN6/3J+4z2cDWctAq/PnDtvgKAIywGsmouRJ
 PPlepwJfnQ70TdL8XwcBiGIOxNcjR6l/n+I1WSttc+YWXZPsYeCWFyay
Subject: [FFmpeg-devel] [PATCH 5/6] avformat/subviewerdec: fail on
	AV_NOPTS_VALUE
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Such values are not supported by ff_subtitles_queue*

Fixes: signed integer overflow: 10 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 24193/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5714901855895552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/subviewerdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c
index fdca3a4820..5c2fe676f1 100644
--- a/libavformat/subviewerdec.c
+++ b/libavformat/subviewerdec.c
@@ -148,6 +148,10 @@ static int subviewer_read_header(AVFormatContext *s)
             new_event = 1;
             pos = avio_tell(s->pb);
         } else if (*line) {
+            if (pts_start == AV_NOPTS_VALUE) {
+                res = AVERROR_INVALIDDATA;
+                goto end;
+            }
             if (!new_event) {
                 sub = ff_subtitles_queue_insert(&subviewer->q, "\n", 1, 1);
                 if (!sub) {

From patchwork Sun Jul 19 17:42:18 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 21190
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 7876A44ABFD
	for <patchwork@ffaux-bg.ffmpeg.org>; Sun, 19 Jul 2020 20:43:31 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5B95F68B911;
	Sun, 19 Jul 2020 20:43:31 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe03-2.mx.upcmail.net
 (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 66F5668B8F8
 for <ffmpeg-devel@ffmpeg.org>; Sun, 19 Jul 2020 20:43:21 +0300 (EEST)
Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net)
 by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92)
 (envelope-from <michael@niedermayer.cc>) id 1jxDLM-0008FK-0L
 for ffmpeg-devel@ffmpeg.org; Sun, 19 Jul 2020 19:43:20 +0200
Received: from localhost ([213.47.68.29])
 by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP
 id xDKOjM71O6Jy6xDKOjFds1; Sun, 19 Jul 2020 19:42:20 +0200
X-Env-Mailfrom: michael@niedermayer.cc
X-Env-Rcptto: ffmpeg-devel@ffmpeg.org
X-SourceIP: 213.47.68.29
X-CNFS-Analysis: v=2.3 cv=GKl27dFK c=1 sm=1 tr=0
 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17
 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10
 a=GWABNc1dfq9zWtcegDkA:9 a=pHzHmUro8NiASowvMSCR:22 a=Ew2E2A-JSTLzCXPT_086:22
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sun, 19 Jul 2020 19:42:18 +0200
Message-Id: <20200719174218.30659-6-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200719174218.30659-1-michael@niedermayer.cc>
References: <20200719174218.30659-1-michael@niedermayer.cc>
X-CMAE-Envelope: 
 MS4wfOOXVp79iMAtYxjPKCfdggGWRglfES9Vxr44+aEIceFUkAi9dlXx/O3wdINtNwQzzZV0y9dpS7vAc1PcQN6/3J+4z2cDWctAq/PnDtvgKAIywGsmouRJ
 PPlepwJfnQ70TdL8XwcBiGIOxNcjR6l/n+I1WSttc+YWXZPsYeCWFyay
Subject: [FFmpeg-devel] [PATCH 6/6] tools:target_dem_fuzzer: Split into a
	fuzzer fuzzing at the protocol level and one fuzzing a fixed
	demuxer input
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

This should improve coverage and should improve the efficiency of seed files

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 Makefile                  | 3 +++
 tools/Makefile            | 5 ++++-
 tools/target_dem_fuzzer.c | 9 ++++++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 45a22b0cb3..6a0dabfc5a 100644
--- a/Makefile
+++ b/Makefile
@@ -56,6 +56,9 @@ tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
 tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
 	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
 
+tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
+	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
+
 tools/sofa2wavs$(EXESUF): ELIBS = $(FF_EXTRALIBS)
 tools/uncoded_frame$(EXESUF): $(FF_DEP_LIBS)
 tools/uncoded_frame$(EXESUF): ELIBS = $(FF_EXTRALIBS)
diff --git a/tools/Makefile b/tools/Makefile
index 001093105b..88d64ce6d2 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -9,7 +9,10 @@ tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
 	$(COMPILE_C) -DFFMPEG_BSF=$*
 
 tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c
-	$(COMPILE_C)
+	$(COMPILE_C) -DIO_FLAT=1
+
+tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c
+	$(COMPILE_C) -DIO_FLAT=0
 
 OUTDIRS += tools
 
diff --git a/tools/target_dem_fuzzer.c b/tools/target_dem_fuzzer.c
index b8356c5aa1..eefb5c5fa3 100644
--- a/tools/target_dem_fuzzer.c
+++ b/tools/target_dem_fuzzer.c
@@ -76,6 +76,10 @@ static int64_t io_seek(void *opaque, int64_t offset, int whence)
     }
     if (offset < 0 || offset > c->filesize)
         return -1;
+    if (IO_FLAT) {
+        c->fuzz      += offset - c->pos;
+        c->fuzz_size -= offset - c->pos;
+    }
     c->pos = offset;
     return 0;
 }
@@ -110,7 +114,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     if (!avfmt)
         error("Failed avformat_alloc_context()");
 
-    if (size > 2048) {
+    if (IO_FLAT) {
+        seekable = 1;
+        io_buffer_size = size;
+    } else if (size > 2048) {
         int flags;
         char extension[64];