From patchwork Mon Oct 19 14:24:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23082 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id B6AEE448C78 for ; Mon, 19 Oct 2020 17:26:10 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 9EE0F68B649; Mon, 19 Oct 2020 17:26:10 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe03-2.mx.upcmail.net (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id D732C68B5B2 for ; Mon, 19 Oct 2020 17:26:02 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUW6s-0002Z4-0F for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 16:26:02 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id UW5tk1aMlIr7GUW5tkaaVA; Mon, 19 Oct 2020 16:25:01 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=K3HcShl3LTRt7jcA3bsA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=bWyr8ysk75zN3GCy5bjg:22 
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Oct 2020 16:24:55 +0200 Message-Id: <20201019142501.6867-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 X-CMAE-Envelope: MS4wfOIzGc5/0l8vZYqiZZq80nytvTiXn7B7giNMuD+rOEc5ySFWGMfI8GW6jrAh2IwDYbkEjlYuse8QfWpZ7Z8RzMiEi4r+U9PU/HnxuQnUO0LM2PoQc2+N nHR58aoB5TXmFQkTRvuFx7agUwNdPJInvaipxuLoF2/Ge1X/y4h9gy3w Subject: [FFmpeg-devel] [PATCH 1/7] avcodec/fits: Check bscale X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: division by 0 Fixes: 26208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-6270472117026816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index ad73ab70de..25c33e06c8 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c 
@@ -187,6 +187,8 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t header->blank = t; header->blank_found = 1; } else if (!strcmp(keyword, "BSCALE") && sscanf(value, "%lf", &d) == 1) { + if (d <= 0) + return AVERROR_INVALIDDATA; header->bscale = d; } else if (!strcmp(keyword, "BZERO") && sscanf(value, "%lf", &d) == 1) { header->bzero = d; From patchwork Mon Oct 19 14:24:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23083 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id A2813448C78 for ; Mon, 19 Oct 2020 17:26:11 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 8CC2668B60D; Mon, 19 Oct 2020 17:26:11 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id DC23E68B5B7 for ; Mon, 19 Oct 2020 17:26:02 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUW6s-0005J9-0E for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 16:26:02 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id UW5uk1aOmIr7GUW5ukaaWk; Mon, 19 Oct 2020 16:25:02 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 
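Review bot: on [PATCH 1/7] avcodec/fits, the new `if (d <= 0)` guard is stricter than the stated fix (division by 0) requires: it also rejects negative BSCALE values, which the commit message does not justify; if a negative scale factor is legitimate for this format, `d == 0` is the minimal check, otherwise the commit message should say why negative values are invalid. Separately, `d <= 0` is false for NaN, so a header line carrying `BSCALE = nan` (which `sscanf("%lf")` accepts) still reaches `header->bscale = d`; writing the test as `if (!(d > 0))` rejects NaN as well as zero.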
a=YCB0-3Ug8JgNN7Ci9CsA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Oct 2020 16:24:56 +0200 Message-Id: <20201019142501.6867-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201019142501.6867-1-michael@niedermayer.cc> References: <20201019142501.6867-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfOIzGc5/0l8vZYqiZZq80nytvTiXn7B7giNMuD+rOEc5ySFWGMfI8GW6jrAh2IwDYbkEjlYuse8QfWpZ7Z8RzMiEi4r+U9PU/HnxuQnUO0LM2PoQc2+N nHR58aoB5TXmFQkTRvuFx7agUwNdPJInvaipxuLoF2/Ge1X/y4h9gy3w Subject: [FFmpeg-devel] [PATCH 2/7] avcodec/vp9dsp_template: Fix some overflows in iadst8_1d() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: 190587 * 11585 cannot be represented in type 'int' Fixes: 26407/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5086348408782848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vp9dsp_template.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp9dsp_template.c b/libavcodec/vp9dsp_template.c index bfabe63536..3acf94c583 100644 --- a/libavcodec/vp9dsp_template.c +++ b/libavcodec/vp9dsp_template.c 
@@ -1275,10 +1275,10 @@ static av_always_inline void iadst8_1d(const dctcoef *in, ptrdiff_t stride, t6 = (dctint)((1U << 13) + t4a - t6a) >> 14; t7 = (dctint)((1U << 13) + t5a - t7a) >> 14; - out[3] = -(((t2 + t3) * 11585 + (1 << 13)) >> 14); - out[4] = ((t2 - t3) * 11585 + (1 << 13)) >> 14; - out[2] = ((t6 + t7) * 11585 + (1 << 13)) >> 14; - out[5] = -(((t6 - t7) * 11585 + (1 << 13)) >> 14); + out[3] = -((dctint)((t2 + t3) * 11585U + (1 << 13)) >> 14); + out[4] = (dctint)((t2 - t3) * 11585U + (1 << 13)) >> 14; + out[2] = (dctint)((t6 + t7) * 11585U + (1 << 13)) >> 14; + out[5] = -((dctint)((t6 - t7) * 11585U + (1 << 13)) >> 14); } itxfm_wrap(8, 5) From patchwork Mon Oct 19 14:24:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23084 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 8461C448C78 for ; Mon, 19 Oct 2020 17:26:12 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 6A23068B787; Mon, 19 Oct 2020 17:26:12 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id E071068B649 for ; Mon, 19 Oct 2020 17:26:02 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUW6s-0003ez-0E for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 16:26:02 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id UW5uk1aP5Ir7GUW5ukaaWw; Mon, 19 Oct 2020 16:25:02 +0200 X-Env-Mailfrom: 
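Review bot: in the iadst8_1d() hunk of [PATCH 2/7], the rounding constant in the four rewritten `out[]` lines stays `(1 << 13)` while the context lines just above use `(1U << 13)` (`t6 = (dctint)((1U << 13) + t4a - t6a) >> 14;`); with `11585U` already forcing the expression unsigned the result is the same, but matching the existing `1U` form keeps the idiom consistent and makes it obvious that the whole expression is meant to wrap. The conversion of an out-of-range unsigned value back through `(dctint)` is implementation-defined in C and relies on the two's complement assumption the surrounding lines already make; a sentence in the commit message saying so would help anyone who later sees the cast and wonders whether it is sound.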
michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=ytUGk9Q8pmp7zyxsyWoA:9 a=pHzHmUro8NiASowvMSCR:22 a=xoEH_sTeL_Rfw54TyV31:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Oct 2020 16:24:57 +0200 Message-Id: <20201019142501.6867-3-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201019142501.6867-1-michael@niedermayer.cc> References: <20201019142501.6867-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfOIzGc5/0l8vZYqiZZq80nytvTiXn7B7giNMuD+rOEc5ySFWGMfI8GW6jrAh2IwDYbkEjlYuse8QfWpZ7Z8RzMiEi4r+U9PU/HnxuQnUO0LM2PoQc2+N nHR58aoB5TXmFQkTRvuFx7agUwNdPJInvaipxuLoF2/Ge1X/y4h9gy3w Subject: [FFmpeg-devel] [PATCH 3/7] avutil/common: Implement av_sat_add64_c() with fewer branches X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" No benchmark because this is not used in any speed relevant pathes nor is it used where __builtin_add_overflow is available. So I do not know how to realistically benchmark it. Signed-off-by: Michael Niedermayer --- libavutil/common.h | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libavutil/common.h b/libavutil/common.h index 92b721a59c..a48c0648f8 100644 --- a/libavutil/common.h +++ b/libavutil/common.h 
@@ -303,11 +303,10 @@ static av_always_inline int64_t av_sat_add64_c(int64_t a, int64_t b) { int64_t tmp; return !__builtin_add_overflow(a, b, &tmp) ? tmp : (tmp < 0 ? INT64_MAX : INT64_MIN); #else - if (b >= 0 && a >= INT64_MAX - b) - return INT64_MAX; - if (b <= 0 && a <= INT64_MIN - b) - return INT64_MIN; - return a + b; + int64_t s = a+(uint64_t)b; + if ((int64_t)(a^b | ~s^b) >= 0) + return b < 0 ? INT64_MIN : INT64_MAX; + return s; #endif } From patchwork Mon Oct 19 14:24:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23086 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 0B60544B0CE for ; Mon, 19 Oct 2020 17:31:57 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id E026568B5C6; Mon, 19 Oct 2020 17:31:56 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe02-2.mx.upcmail.net (vie01a-dmta-pe02-2.mx.upcmail.net [62.179.121.158]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3824268AAA0 for ; Mon, 19 Oct 2020 17:31:50 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUW6s-00025M-0F for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 16:26:02 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id UW5uk1aPOIr7GUW5ukaaXK; Mon, 19 Oct 2020 16:25:02 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 
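Review bot: the overflow test in the new av_sat_add64_c() fallback, `if ((int64_t)(a^b | ~s^b) >= 0)`, is correct only because `~s^b` parses as `(~s)^b`, which equals `~(s^b)`, and because `^` binds tighter than `|`; please parenthesize it as `(a ^ b) | ~(s ^ b)` and add a one-line comment (overflow iff a and b share a sign and s has the opposite sign), since the idiom is easy to misread, and drop the outer `(int64_t)` cast, which is redundant on an already signed expression. Also note that `int64_t s = a+(uint64_t)b;` now depends on the unsigned-to-signed conversion wrapping, which the removed branchy version did not, so the fallback is no longer strictly portable C; that deserves a sentence in the commit message next to the benchmark remark.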
a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=plnUClZVoOBsx64cE4UA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Oct 2020 16:24:58 +0200 Message-Id: <20201019142501.6867-4-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201019142501.6867-1-michael@niedermayer.cc> References: <20201019142501.6867-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfOIzGc5/0l8vZYqiZZq80nytvTiXn7B7giNMuD+rOEc5ySFWGMfI8GW6jrAh2IwDYbkEjlYuse8QfWpZ7Z8RzMiEi4r+U9PU/HnxuQnUO0LM2PoQc2+N nHR58aoB5TXmFQkTRvuFx7agUwNdPJInvaipxuLoF2/Ge1X/y4h9gy3w Subject: [FFmpeg-devel] [PATCH 4/7] avformat/sbgdec: Check for timestamp overflow in parse_time_sequence() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: 3458015007900000256 + 6425686373040000000 cannot be represented in type 'long' Fixes: 26430/clusterfuzz-testcase-minimized-ffmpeg_dem_BRSTM_fuzzer-5761175004119040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/sbgdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index c11244ef3d..4d6ae7abc5 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c 
@@ -538,6 +538,9 @@ static int parse_time_sequence(struct sbg_parser *p, int inblock) return AVERROR_INVALIDDATA; } ts.type = p->current_time.type; + + if (av_sat_add64(p->current_time.t, rel_ts) != p->current_time.t + (uint64_t)rel_ts) + return AVERROR_INVALIDDATA; ts.t = p->current_time.t + rel_ts; r = parse_fade(p, &fade); if (r < 0) From patchwork Mon Oct 19 14:24:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23081 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id D7135448C78 for ; Mon, 19 Oct 2020 17:26:09 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id B3C2168B682; Mon, 19 Oct 2020 17:26:09 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe05-3.mx.upcmail.net (vie01a-dmta-pe05-3.mx.upcmail.net [84.116.36.13]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B535568A98A for ; Mon, 19 Oct 2020 17:26:02 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUW6s-0003ho-0E for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 16:26:02 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id UW5uk1aPnIr7GUW5ukaaXe; Mon, 19 Oct 2020 16:25:02 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=VhGpTGtMzLUvIcyFYJQA:9 a=1fhp2MxaeJtTNGEnv6mo:22 
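Review bot: in the parse_time_sequence() hunk, the added `if (av_sat_add64(p->current_time.t, rel_ts) != p->current_time.t + (uint64_t)rel_ts)` performs the addition twice (saturating and wrapping) and the unchanged `ts.t = p->current_time.t + rel_ts;` computes it a third time; computing the wrapped sum once into an `int64_t`, comparing it with the saturated result and then assigning that variable to `ts.t` is clearer and avoids the mixed signed/unsigned comparison (`int64_t` against `uint64_t`) that compilers flag under sign-compare warnings.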
a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Oct 2020 16:24:59 +0200 Message-Id: <20201019142501.6867-5-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201019142501.6867-1-michael@niedermayer.cc> References: <20201019142501.6867-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfOIzGc5/0l8vZYqiZZq80nytvTiXn7B7giNMuD+rOEc5ySFWGMfI8GW6jrAh2IwDYbkEjlYuse8QfWpZ7Z8RzMiEi4r+U9PU/HnxuQnUO0LM2PoQc2+N nHR58aoB5TXmFQkTRvuFx7agUwNdPJInvaipxuLoF2/Ge1X/y4h9gy3w Subject: [FFmpeg-devel] [PATCH 5/7] avformat/utils: Move +1 to avoid overflow X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Fixes: Timeout Fixes: 26434/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5752845451919360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index a2e701ea1a..49ccc91b82 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -253,7 +253,7 @@ int ffio_limit(AVIOContext *s, int size) remaining= FFMAX(remaining, 0); } - if (s->maxsize>= 0 && remaining+1 < size) { + if (s->maxsize>= 0 && remaining < size - (int64_t)1) { av_log(NULL, remaining ? AV_LOG_ERROR : AV_LOG_DEBUG, "Truncating packet of size %d to %"PRId64"\n", size, remaining+1); size = remaining+1; } From patchwork Mon Oct 19 14:25:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23088 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id C37DB44B0CE for ; Mon, 19 Oct 2020 17:32:01 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id A479668B787; Mon, 19 Oct 2020 17:32:01 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe02-2.mx.upcmail.net (vie01a-dmta-pe02-2.mx.upcmail.net [62.179.121.158]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 9A37568B546 for ; Mon, 19 Oct 2020 17:31:55 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUW6t-00025P-0T for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 16:26:03 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id UW5uk1aQEIr7GUW5ukaaXt; Mon, 19 Oct 2020 16:25:03 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=UeWhXYrUr_aitEXbDRoA:9 
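Review bot: the rewritten condition `remaining < size - (int64_t)1` in ffio_limit() is equivalent to the old `remaining+1 < size` without the INT64_MAX + 1 overflow, but the body still evaluates `remaining+1` twice (the av_log() argument and `size = remaining+1;`); that is now safe only because the condition bounds `remaining` below `size - 1`, so a short comment stating that invariant would help the next reader. The commit message also lists `Fixes: Timeout`, and the hunk alone does not show how the overflow produced it; one sentence on that would make the change self-explaining.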
a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Oct 2020 16:25:00 +0200 Message-Id: <20201019142501.6867-6-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201019142501.6867-1-michael@niedermayer.cc> References: <20201019142501.6867-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfBck8TMeOf0mVSwB44cVf5QMYJUFu2OqEQwBNMJGa/XzmeR1Grvbsn59bBUXcO4hwni8Y9N6l7hM4xZ3NC+KkyNdIOvZCurSoGvI3UEEOhWP0yRP+oMp jCKNNntmHqzyRB8JBV1HDgHDmLy/C7/hPoGnbSxlFA6PHv3FyJpevf2B Subject: [FFmpeg-devel] [PATCH 6/7] avformat/ifv: Check that total frames do not overflow X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Infinite loop Fixes: 26392/clusterfuzz-testcase-minimized-ffmpeg_dem_GIF_fuzzer-5713658237419520 Fixes: 26435/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6548251853193216 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/ifv.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/ifv.c b/libavformat/ifv.c index f95e9b0e52..4e904fa828 100644 --- a/libavformat/ifv.c +++ b/libavformat/ifv.c @@ -210,6 +210,7 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) } if (!ev) { + uint64_t vframes, aframes; if (ifv->is_audio_present && !ea) { /*read new video and audio indexes*/ 
@@ -217,8 +218,12 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_audio_index = ifv->total_aframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); - ifv->total_aframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + aframes = ifv->total_aframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX || aframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; + ifv->total_aframes = aframes; avio_skip(s->pb, 0xc); if (avio_feof(s->pb)) 
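Review bot: in the read-new-indexes hunk at line 218, the `vframes > INT_MAX || aframes > INT_MAX` bound needs <limits.h>, and whether ifv.c already includes it is not visible in the diff, please check. The same read-add-check sequence is repeated for the video-only path in the following hunk; a small static helper taking a pointer to the total and the value read by avio_rl32() would keep the two paths identical and make the limit a single named constant. The commit message cites GIF and SUBVIEWER fuzzer test cases for an ifv.c change; noting that those inputs were probed as IFV would spare the reader a puzzle.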
@@ -240,7 +245,10 @@ static int ifv_read_packet(AVFormatContext *s, AVPacket *pkt) ifv->next_video_index = ifv->total_vframes; avio_skip(s->pb, 0x1c); - ifv->total_vframes += avio_rl32(s->pb); + vframes = ifv->total_vframes + (uint64_t)avio_rl32(s->pb); + if (vframes > INT_MAX) + return AVERROR_INVALIDDATA; + ifv->total_vframes = vframes; avio_skip(s->pb, 0x10); if (avio_feof(s->pb)) From patchwork Mon Oct 19 14:25:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23085 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 1CC1B44B0CE for ; Mon, 19 Oct 2020 17:31:25 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id E6D5468B611; Mon, 19 Oct 2020 17:31:24 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe06-3.mx.upcmail.net (vie01a-dmta-pe06-3.mx.upcmail.net [84.116.36.16]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 10E4968B516 for ; Mon, 19 Oct 2020 17:31:19 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe06.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUW6t-0009Zq-0U for ffmpeg-devel@ffmpeg.org; Mon, 19 Oct 2020 16:26:03 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id UW5vk1aQsIr7GUW5vkaaYI; Mon, 19 Oct 2020 16:25:03 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 
a=HU9Nfab6DaO0s9OQvscA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Oct 2020 16:25:01 +0200 Message-Id: <20201019142501.6867-7-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201019142501.6867-1-michael@niedermayer.cc> References: <20201019142501.6867-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfBck8TMeOf0mVSwB44cVf5QMYJUFu2OqEQwBNMJGa/XzmeR1Grvbsn59bBUXcO4hwni8Y9N6l7hM4xZ3NC+KkyNdIOvZCurSoGvI3UEEOhWP0yRP+oMp jCKNNntmHqzyRB8JBV1HDgHDmLy/C7/hPoGnbSxlFA6PHv3FyJpevf2B Subject: [FFmpeg-devel] [PATCH 7/7] avformat/nistspheredec: Check bps X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: left shift of 1111111190 by 3 places cannot be represented in type 'int' Fixes: 26437/clusterfuzz-testcase-minimized-ffmpeg_dem_NISTSPHERE_fuzzer-4886896091856896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/nistspheredec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nistspheredec.c b/libavformat/nistspheredec.c index 3ef3843d5e..079369929f 100644 --- a/libavformat/nistspheredec.c +++ b/libavformat/nistspheredec.c 
@@ -109,6 +109,8 @@ static int nist_read_header(AVFormatContext *s) sscanf(buffer, "%*s %*s %"SCNd64, &st->duration); } else if (!memcmp(buffer, "sample_n_bytes", 14)) { sscanf(buffer, "%*s %*s %d", &bps); + if (bps > INT_MAX/8U) + return AVERROR_INVALIDDATA; } else if (!memcmp(buffer, "sample_rate", 11)) { sscanf(buffer, "%*s %*s %d", &st->codecpar->sample_rate); } else if (!memcmp(buffer, "sample_sig_bits", 15)) {
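Review bot: the new `if (bps > INT_MAX/8U)` in nist_read_header() rejects negative values only through the implicit conversion of `bps` to unsigned in the comparison, which is correct but subtle; spelling it `if (bps < 0 || bps > INT_MAX / 8)` says what is meant and does not depend on the `U` suffix. The `sscanf(buffer, "%*s %*s %d", &bps);` just above it still ignores the return value, so on a malformed `sample_n_bytes` line `bps` keeps its previous value and passes the check unchanged; a value of 0 also passes, so the shift site named in the commit message (not in this hunk) must still cope with that.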