From patchwork Fri Sep 25 22:26:33 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 22588
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 26 Sep 2020 00:26:33 +0200
Message-Id: <20200925222638.23675-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/6] avcodec/dxtory: Fix get_raw_size() for YUV

Fixes: out of array read
Fixes: 25455/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-6327985731534848
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/dxtory.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 3f3c23ff2a..157e4b3ed2 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c
@@ -44,9 +44,9 @@ static int64_t get_raw_size(enum AVPixelFormat fmt, int width, int height) case AV_PIX_FMT_YUV444P: return width * height * 3LL; case AV_PIX_FMT_YUV420P: - return (int64_t)(width * height) + AV_CEIL_RSHIFT(width, 1) * AV_CEIL_RSHIFT(height, 1); + return (int64_t)(width * height) + 2 * AV_CEIL_RSHIFT(width, 1) * AV_CEIL_RSHIFT(height, 1); case AV_PIX_FMT_YUV410P: - return (int64_t)(width * height) + AV_CEIL_RSHIFT(width, 2) * AV_CEIL_RSHIFT(height, 2); + return (int64_t)(width * height) + 2 * AV_CEIL_RSHIFT(width, 2) * AV_CEIL_RSHIFT(height, 2); } return 0; From patchwork Fri Sep 25 22:26:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 22592 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 0A7CE448B73 for ; Sat, 26 Sep 2020 01:27:51 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id E5BE168AEBC; Sat, 26 Sep 2020 01:27:50 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe06-1.mx.upcmail.net (vie01a-dmta-pe06-1.mx.upcmail.net [84.116.36.14]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 835BA68ABC3 for ; Sat, 26 Sep 2020 01:27:40 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe06.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kLwBo-0009iq-0H for ffmpeg-devel@ffmpeg.org; Sat, 26 Sep 2020 00:27:40 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id LwApkHEVgIr7GLwApkWXyZ; Sat, 26 Sep 2020 00:26:40 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 26 Sep 2020 00:26:34 +0200
Message-Id: <20200925222638.23675-2-michael@niedermayer.cc>
In-Reply-To: <20200925222638.23675-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/6] avcodec/dxtory: Fix negative shift in dxtory_decode_v1_410()

Fixes: left shift of negative value -256
Fixes: 25460/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-5073252341514240
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/dxtory.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 157e4b3ed2..a82532c467 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c
@@ -177,10 +177,10 @@ static int dxtory_decode_v1_410(AVCodecContext *avctx, AVFrame *pic, V[huvborder] = src[1] + 0x80; src += 2; } - Y1 += pic->linesize[0] << 2; - Y2 += pic->linesize[0] << 2; - Y3 += pic->linesize[0] << 2; - Y4 += pic->linesize[0] << 2; + Y1 += pic->linesize[0] * 4; + Y2 += pic->linesize[0] * 4; + Y3 += pic->linesize[0] * 4; + Y4 += pic->linesize[0] * 4; U += pic->linesize[1]; V += pic->linesize[2]; } From patchwork Fri Sep 25 22:26:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 22589 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 8A834448B73 for ; Sat, 26 Sep 2020 01:27:47 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 61C8E68AF8D; Sat, 26 Sep 2020 01:27:47 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3206D68A8E9 for ; Sat, 26 Sep 2020 01:27:40 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kLwBo-0004qZ-0I for ffmpeg-devel@ffmpeg.org; Sat, 26 Sep 2020 00:27:40 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id LwAqkHEVxIr7GLwAqkWXye; Sat, 26 Sep 2020 00:26:40 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 26 Sep 2020 00:26:35 +0200
Message-Id: <20200925222638.23675-3-michael@niedermayer.cc>
In-Reply-To: <20200925222638.23675-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/6] avcodec/dxtory: Fix negative shift in dx2_decode_slice_410()

Fixes: left shift of negative value -768
Fixes: 25574/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXTORY_fuzzer-6012596027916288
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/dxtory.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index a82532c467..bc95e0e7e1 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c
@@ -637,7 +637,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, V[huvborder] = decode_sym(gb, lru[2]) ^ 0x80; } - Y += ystride << 2; + Y += ystride * 4; U += ustride; V += vstride; } From patchwork Fri Sep 25 22:26:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 22593 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 66A17448B73 for ; Sat, 26 Sep 2020 01:27:52 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4497F68B56A; Sat, 26 Sep 2020 01:27:52 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe05-2.mx.upcmail.net (vie01a-dmta-pe05-2.mx.upcmail.net [84.116.36.12]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 84D2468ACEC for ; Sat, 26 Sep 2020 01:27:40 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kLwBo-0000op-0I for ffmpeg-devel@ffmpeg.org; Sat, 26 Sep 2020 00:27:40 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id LwAqkHEWGIr7GLwAqkWXyj; Sat, 26 Sep 2020 00:26:40 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=cnHtoSNslBUUCu65DyEA:9 a=pHzHmUro8NiASowvMSCR:22 a=Ew2E2A-JSTLzCXPT_086:22 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 26 Sep 2020 00:26:36 +0200
Message-Id: <20200925222638.23675-4-michael@niedermayer.cc>
In-Reply-To: <20200925222638.23675-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/6] tools/target_dec_fuzzer: Correct maxsamples_per_frame if maxsamples has been changed

Signed-off-by: Michael Niedermayer
--- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 7bea736fcf..db1c6d35a6 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c
@@ -185,6 +185,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_ZEROCODEC: maxpixels /= 128; break; } + maxsamples_per_frame = FFMIN(maxsamples_per_frame, maxsamples); AVCodecContext* ctx = avcodec_alloc_context3(c); AVCodecContext* parser_avctx = avcodec_alloc_context3(NULL); From patchwork Fri Sep 25 22:26:37 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 22590 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 29E0B448B73 for ; Sat, 26 Sep 2020 01:27:49 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1832C68AB33; Sat, 26 Sep 2020 01:27:49 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3539768AB96 for ; Sat, 26 Sep 2020 01:27:40 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kLwBo-0001eV-0I for ffmpeg-devel@ffmpeg.org; Sat, 26 Sep 2020 00:27:40 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id LwAqkHEWXIr7GLwAqkWXzH; Sat, 26 Sep 2020 00:26:40 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=d3bGlinsDDw2l1mHmWQA:9 a=pHzHmUro8NiASowvMSCR:22 a=Ew2E2A-JSTLzCXPT_086:22 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 26 Sep 2020 00:26:37 +0200
Message-Id: <20200925222638.23675-5-michael@niedermayer.cc>
In-Reply-To: <20200925222638.23675-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/6] tools/target_dec_fuzzer: assume that discarded audio packets produced max samples

We do not know how many samples these produce as it's not exported. Alternatively we could export that but as long as it's not we better assume it's more than 0 as otherwise the thresholds would not work

Signed-off-by: Michael Niedermayer
--- tools/target_dec_fuzzer.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index db1c6d35a6..6b75e006e6 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c
@@ -344,6 +344,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (ec_pixels > maxpixels) goto maximums_reached; + if (ctx->codec_type == AVMEDIA_TYPE_AUDIO && + frame->nb_samples == 0 && !got_frame && + (avpkt.flags & AV_PKT_FLAG_DISCARD)) + nb_samples += ctx->max_samples; + nb_samples += frame->nb_samples; if (nb_samples > maxsamples) goto maximums_reached; From patchwork Fri Sep 25 22:26:38 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 22591 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 137E2448B73 for ; Sat, 26 Sep 2020 01:27:50 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 000D868AC4C; Sat, 26 Sep 2020 01:27:49 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 37A9A68ABC3 for ; Sat, 26 Sep 2020 01:27:40 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kLwBo-0005DW-0K for ffmpeg-devel@ffmpeg.org; Sat, 26 Sep 2020 00:27:40 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id LwAqkHEX8Ir7GLwAqkWXzM; Sat, 26 Sep 2020 00:26:40 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 26 Sep 2020 00:26:38 +0200
Message-Id: <20200925222638.23675-6-michael@niedermayer.cc>
In-Reply-To: <20200925222638.23675-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/6] avcodec/decode: Consider discarded samples in max_samples

Fixes: Timeout (several minutes -> 3 sec)
Fixes: 25246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5943400661254144
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/decode.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/decode.c b/libavcodec/decode.c index 3ef1ece25b..257abc7de4 100644 --- a/libavcodec/decode.c +++ b/libavcodec/decode.c
@@ -318,7 +318,7 @@ static int64_t guess_correct_pts(AVCodecContext *ctx, * returning any output, so this function needs to be called in a loop until it * returns EAGAIN. **/ -static inline int decode_simple_internal(AVCodecContext *avctx, AVFrame *frame) +static inline int decode_simple_internal(AVCodecContext *avctx, AVFrame *frame, int64_t *discarded_samples) { AVCodecInternal *avci = avctx->internal; DecodeSimpleContext *ds = &avci->ds; @@ -411,12 +411,14 @@ static inline int decode_simple_internal(AVCodecContext *avctx, AVFrame *frame) !(avctx->flags2 & AV_CODEC_FLAG2_SKIP_MANUAL)) { avci->skip_samples = FFMAX(0, avci->skip_samples - frame->nb_samples); got_frame = 0; + *discarded_samples += frame->nb_samples; } if (avci->skip_samples > 0 && got_frame && !(avctx->flags2 & AV_CODEC_FLAG2_SKIP_MANUAL)) { if(frame->nb_samples <= avci->skip_samples){ got_frame = 0; + *discarded_samples += frame->nb_samples; avci->skip_samples -= frame->nb_samples; av_log(avctx, AV_LOG_DEBUG, "skip whole frame, skip left: %d\n", avci->skip_samples); @@ -444,6 +446,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } av_log(avctx, AV_LOG_DEBUG, "skip %d/%d samples\n", avci->skip_samples, frame->nb_samples); + *discarded_samples += avci->skip_samples; frame->nb_samples -= avci->skip_samples; avci->skip_samples = 0; } @@ -452,6 +455,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (discard_padding > 0 && discard_padding <= frame->nb_samples && got_frame && !(avctx->flags2 & AV_CODEC_FLAG2_SKIP_MANUAL)) { if (discard_padding == frame->nb_samples) { + *discarded_samples += frame->nb_samples; got_frame = 0; } else { if(avctx->pkt_timebase.num && avctx->sample_rate) { 
@@ -544,9 +548,12 @@ FF_ENABLE_DEPRECATION_WARNINGS static int decode_simple_receive_frame(AVCodecContext *avctx, AVFrame *frame) { int ret; + int64_t discarded_samples = 0; while (!frame->buf[0]) { - ret = decode_simple_internal(avctx, frame); + if (discarded_samples > avctx->max_samples) + return AVERROR(EAGAIN); + ret = decode_simple_internal(avctx, frame, &discarded_samples); if (ret < 0) return ret; }
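
Review bot: In [PATCH 1/6], both changed returns in get_raw_size() still do their arithmetic in int: the cast in (int64_t)(width * height) is applied after the multiplication, and the new 2 * AV_CEIL_RSHIFT(width, 1) * AV_CEIL_RSHIFT(height, 1) term is an int expression as well, so large dimensions can overflow before the value is widened. Suggest width * (int64_t)height + 2LL * AV_CEIL_RSHIFT(width, 1) * AV_CEIL_RSHIFT(height, 1), and the same form for the YUV410P case. A short comment that the factor 2 covers the two chroma planes would also record why the old size was too small.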
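
Review bot: In [PATCH 2/6], the four added lines in dxtory_decode_v1_410() repeat the same pic->linesize[0] * 4 step for Y1 to Y4; computing it once into a local before the loop (for example a ptrdiff_t ystep) would keep the four row pointers in step and make the intent clearer. The commit message names the sanitizer finding (left shift of negative value -256) but not why the value is negative; a line noting that linesize can be negative here would help the next reader keep the multiplication rather than restoring the shift.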
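
Review bot: In [PATCH 3/6], Y += ystride * 4 in dx2_decode_slice_410() fixes the same class of undefined behaviour as 2/6 in the same file, so the two could be one commit, or the message could state whether the remaining shifts applied to strides and linesizes in dxtory.c were checked. The hunk shows only this one site.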
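
Review bot: In [PATCH 4/6], the added maxsamples_per_frame = FFMIN(maxsamples_per_frame, maxsamples) line has neither a commit body nor a code comment, and the only switch case visible in the context adjusts maxpixels, not maxsamples. Please add a one-line comment stating the invariant (the per-frame limit must not exceed the total sample budget) so the clamp is not dropped when the per-codec adjustments above it change.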
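
Review bot: In [PATCH 5/6], the new branch adds ctx->max_samples to nb_samples for every discarded audio packet, but the reasoning lives only in the commit message, and the branch is a no-op if ctx->max_samples is 0, which is the situation the message says must be avoided. Suggest a comment above the if explaining that this is an upper-bound estimate for samples that are not exported, and either a fallback of at least 1 sample or a note on where ctx->max_samples is guaranteed to be positive.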
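
Review bot: In [PATCH 6/6], first hunk, decode_simple_internal() gains an int64_t *discarded_samples parameter but the doc comment that ends just above the signature is not updated. Please document that the function adds to the caller's counter and never resets it, and that the pointer must not be NULL, since every added site dereferences it unconditionally.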
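
Review bot: In [PATCH 6/6], the discard_padding hunk counts samples only when discard_padding == frame->nb_samples, while the skip_samples hunk before it also counts the partial case (*discarded_samples += avci->skip_samples). If partial padding is left out on purpose, say so in a comment; otherwise add the discarded amount in the else branch as well so the counter means the same thing on both paths.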
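
Review bot: In [PATCH 6/6], last hunk, the new check returns AVERROR(EAGAIN) from decode_simple_receive_frame() before decode_simple_internal() has reported EAGAIN itself, which does not match the comment in the first hunk's context that the function is called in a loop until it returns EAGAIN. A caller that reacts to EAGAIN by sending more input may find the decoder still holding unconsumed data. Please document what the caller should do in this case, and what happens when avctx->max_samples is 0 or unset, since discarded_samples > avctx->max_samples would then trip after the first discarded frame.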