From patchwork Tue Oct 20 20:56:09 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23116
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:09 +0200
Message-Id: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 01/11] avcodec/notchlc: Check uncompressed size against input for LZ4

Fixes: OOM
Fixes: 26168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-6019839015256064
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/notchlc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 3f7079da70..0254e7d76a 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c 
@@ -490,6 +490,9 @@ static int decode_frame(AVCodecContext *avctx, bytestream2_init(gb, s->lzf_buffer, uncompressed_size); } else if (s->format == 1) { + if (bytestream2_get_bytes_left(gb) < uncompressed_size / 255) + return AVERROR_INVALIDDATA; + av_fast_padded_malloc(&s->uncompressed_buffer, &s->uncompressed_size, uncompressed_size); if (!s->uncompressed_buffer)

From patchwork Tue Oct 20 20:56:10 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23120
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:10 +0200
Message-Id: <20201020205619.7939-2-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 02/11] tools/target_dec_fuzzer: adjust threshold for wmalossless

Fixes: Timeout (>30sec -> 0.5sec)
Fixes: 26351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5191487740182528
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 0df3e75cba..226a02ab4f 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c 
@@ -179,6 +179,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_VP9: maxpixels /= 4096; break; case AV_CODEC_ID_WMV3IMAGE: maxpixels /= 8192; break; case AV_CODEC_ID_WS_VQA: maxpixels /= 16384; break; + case AV_CODEC_ID_WMALOSSLESS: maxsamples /= 1024; break; case AV_CODEC_ID_ZEROCODEC: maxpixels /= 128; break; }

From patchwork Tue Oct 20 20:56:11 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23115
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:11 +0200
Message-Id: <20201020205619.7939-3-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 03/11] avformat/mxfdec: Check type before setting sub_descriptors_refs

Fixes: memleak
Fixes: 26352/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5201158714687488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mxfdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index d16a7af0df..0313cf4a28 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c 
@@ -1172,6 +1172,8 @@ static int mxf_read_generic_descriptor(void *arg, AVIOContext *pb, int tag, int switch(tag) { case 0x3F01: + if (descriptor->type != MultipleDescriptor) + return AVERROR_INVALIDDATA; return mxf_read_strong_ref_array(pb, &descriptor->sub_descriptors_refs, &descriptor->sub_descriptors_count); case 0x3002: /* ContainerDuration */

From patchwork Tue Oct 20 20:56:12 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23122
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:12 +0200
Message-Id: <20201020205619.7939-4-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 04/11] avformat/utils: Move +1 to avoid overflow

Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
Fixes: Timeout
Fixes: 26434/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5752845451919360
Fixes: 26444/clusterfuzz-testcase-minimized-ffmpeg_dem_BINK_fuzzer-4697773380993024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c index e8335a601f..59d65a8092 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -253,7 +253,7 @@ int ffio_limit(AVIOContext *s, int size) remaining= FFMAX(remaining, 0); } - if (s->maxsize>= 0 && remaining+1 < size) { + if (s->maxsize>= 0 && remaining < size - (int64_t)1) { av_log(NULL, remaining ? AV_LOG_ERROR : AV_LOG_DEBUG, "Truncating packet of size %d to %"PRId64"\n", size, remaining+1); size = remaining+1; }

From patchwork Tue Oct 20 20:56:13 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23117
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:13 +0200
Message-Id: <20201020205619.7939-5-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 05/11] avformat/ffmetadec: finalize AVBPrint on errors

Fixes: memleak
Fixes: 26450/clusterfuzz-testcase-minimized-ffmpeg_dem_FFMETADATA_fuzzer-6249850443923456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/ffmetadec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavformat/ffmetadec.c b/libavformat/ffmetadec.c index 0ea89fe3f3..9fcba08490 100644 --- a/libavformat/ffmetadec.c +++ b/libavformat/ffmetadec.c @@ -185,7 +185,7 @@ static int read_header(AVFormatContext *s) AVStream *st = avformat_new_stream(s, NULL); if (!st) - return AVERROR(ENOMEM); + goto nomem; st->codecpar->codec_type = AVMEDIA_TYPE_DATA; st->codecpar->codec_id = AV_CODEC_ID_FFMETADATA; @@ -195,7 +195,7 @@ static int read_header(AVFormatContext *s) AVChapter *ch = read_chapter(s); if (!ch) - return AVERROR(ENOMEM); + goto nomem; m = &ch->metadata; } else 
@@ -211,6 +211,10 @@ static int read_header(AVFormatContext *s) AV_TIME_BASE_Q); return 0; +nomem: + av_bprint_finalize(&bp, NULL); + + return AVERROR(ENOMEM); } static int read_packet(AVFormatContext *s, AVPacket *pkt)

From patchwork Tue Oct 20 20:56:14 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23121
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:14 +0200
Message-Id: <20201020205619.7939-6-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 06/11] avutil/eval: Unconditionally check argument of e_div

Fixes: division by zero
Fixes: 26451/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-4756955832516608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavutil/eval.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/eval.c b/libavutil/eval.c index d527f6a9d0..aaa8eb4945 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c 
@@ -317,7 +317,7 @@ static double eval_expr(Parser *p, AVExpr *e) case e_lte: return e->value * (d <= d2 ? 1.0 : 0.0); case e_pow: return e->value * pow(d, d2); case e_mul: return e->value * (d * d2); - case e_div: return e->value * ((!CONFIG_FTRAPV || d2 ) ? (d / d2) : d * INFINITY); + case e_div: return e->value * (d2 ? (d / d2) : d * INFINITY); case e_add: return e->value * (d + d2); case e_last:return e->value * d2; case e_st : return e->value * (p->var[av_clip(d, 0, VARS-1)]= d2);

From patchwork Tue Oct 20 20:56:15 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23125
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:15 +0200
Message-Id: <20201020205619.7939-7-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 07/11] avformat/rmdec: Make expected_len 64bit

Fixes: signed integer overflow: 1347551268 * 14 cannot be represented in type 'int'
Fixes: 26458/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-5655364324032512
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/rmdec.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 03ddf29226..3606b74a6e 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c 
@@ -703,17 +703,19 @@ static int rm_sync(AVFormatContext *s, int64_t *timestamp, int *flags, int *stre state= (state<<8) + avio_r8(pb); if(state == MKBETAG('I', 'N', 'D', 'X')){ - int n_pkts, expected_len; + int n_pkts; + int64_t expected_len; len = avio_rb32(pb); avio_skip(pb, 2); n_pkts = avio_rb32(pb); - expected_len = 20 + n_pkts * 14; - if (len == 20) + expected_len = 20 + n_pkts * 14LL; + + if (len == 20 && expected_len <= INT_MAX) /* some files don't add index entries to chunk size... */ len = expected_len; else if (len != expected_len) av_log(s, AV_LOG_WARNING, - "Index size %d (%d pkts) is wrong, should be %d.\n", + "Index size %d (%d pkts) is wrong, should be %"PRId64".\n", len, n_pkts, expected_len); len -= 14; // we already read part of the index header if(len<0)

From patchwork Tue Oct 20 20:56:16 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23118
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:16 +0200
Message-Id: <20201020205619.7939-8-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 08/11] avformat/mpegts: Check pcr_incr before setting bitrate

Fixes: division by zero
Fixes: 26459/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5666350112178176
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mpegts.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index f750989629..3085371c58 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c 
@@ -3139,8 +3139,10 @@ static int mpegts_read_header(AVFormatContext *s) /* NOTE2: it is only the bitrate of the start of the stream */ ts->pcr_incr = (pcrs[1] - pcrs[0]) / (packet_count[1] - packet_count[0]); ts->cur_pcr = pcrs[0] - ts->pcr_incr * packet_count[0]; - s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; - st->codecpar->bit_rate = s->bit_rate; + if (ts->pcr_incr) { + s->bit_rate = TS_PACKET_SIZE * 8 * 27000000LL / ts->pcr_incr; + st->codecpar->bit_rate = s->bit_rate; + } st->start_time = ts->cur_pcr; av_log(ts->stream, AV_LOG_TRACE, "start=%0.3f pcr=%0.3f incr=%d\n", st->start_time / 1000000.0, pcrs[0] / 27e6, ts->pcr_incr);

From patchwork Tue Oct 20 20:56:17 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 23123
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 20 Oct 2020 22:56:17 +0200
Message-Id: <20201020205619.7939-9-michael@niedermayer.cc>
In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 09/11] avformat/pcm: Check block_align

Fixes: signed integer overflow: 321 * 8746632 cannot be represented in type 'int'
Fixes: 26461/clusterfuzz-testcase-minimized-ffmpeg_dem_PVF_fuzzer-6326427831762944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/pcm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/pcm.c b/libavformat/pcm.c index 767bbd045a..1effc0b6f8 100644 --- a/libavformat/pcm.c +++ b/libavformat/pcm.c 
@@ -39,7 +39,11 @@ int ff_pcm_read_packet(AVFormatContext *s, AVPacket *pkt) * Clamp to RAW_SAMPLES if larger. */ size = FFMAX(par->sample_rate/25, 1); - size = FFMIN(size, RAW_SAMPLES) * par->block_align; + if (par->block_align <= INT_MAX / RAW_SAMPLES) { + size = FFMIN(size, RAW_SAMPLES) * par->block_align; + } else { + size = par->block_align; + } ret = av_get_packet(s->pb, pkt, size); From patchwork Tue Oct 20 20:56:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23119 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id ACD0244A728 for ; Tue, 20 Oct 2020 23:57:31 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 9539C68B773; Tue, 20 Oct 2020 23:57:31 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe03-2.mx.upcmail.net (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 75D6A68B5E6 for ; Tue, 20 Oct 2020 23:57:21 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUyh7-0004cB-0R for ffmpeg-devel@ffmpeg.org; Tue, 20 Oct 2020 22:57:21 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id Uyg9k0zQbIr7GUyg9kAXY0; Tue, 20 Oct 2020 22:56:21 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 
a=nZOtpAppAAAA:20 a=F3Nnvccz3d7PCxGD65cA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Tue, 20 Oct 2020 22:56:18 +0200 Message-Id: <20201020205619.7939-10-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc> References: <20201020205619.7939-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfATUKEXoApF6AYPOM3+9H73BWimao2aivc5gLwZ7/jqKukPMo2pJNTtLudjHBfq6WZ1NB2jZMv5ls2SAnmDFZ97QiPfzAxqaG5PJupSbU4PfbNZs269o p4qtDDY9Ki8UKmmMFbvsx7aEcIv7PAiEKYYsVoDLI+OmaMmBYypaHdnb Subject: [FFmpeg-devel] [PATCH 10/11] avformat/lrcdec: Clip timestamps X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: 7111111111111531010 - -7335632962598013506 cannot be represented in type 'long' Fixes: 26463/clusterfuzz-testcase-minimized-ffmpeg_dem_LRC_fuzzer-6015558333759488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/lrcdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 46d5e2bc6a..ca23a60f84 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -185,6 +185,8 @@ static int lrc_read_header(AVFormatContext *s) sscanf(comma_offset + 1, "%"SCNd64, &lrc->ts_offset) != 1) { av_dict_set(&s->metadata, line.str + 1, comma_offset + 1, 0); } + lrc->ts_offset = av_clip64(lrc->ts_offset, INT64_MIN/4, INT64_MAX/4); + *comma_offset = ':'; *right_bracket_offset = ']'; } 
@@ -198,6 +200,7 @@ static int lrc_read_header(AVFormatContext *s) while((ts_stroffset_incr = read_ts(line.str + ts_stroffset, &ts_start)) != 0) { + ts_start = av_clip64(ts_start, INT64_MIN/4, INT64_MAX/4); ts_stroffset += ts_stroffset_incr; sub = ff_subtitles_queue_insert(&lrc->q, line.str + ts_strlength, line.len - ts_strlength, 0); From patchwork Tue Oct 20 20:56:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 23124 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id AE92A44A728 for ; Tue, 20 Oct 2020 23:57:36 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 8832B68B751; Tue, 20 Oct 2020 23:57:36 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe03-2.mx.upcmail.net (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 8395668B629 for ; Tue, 20 Oct 2020 23:57:21 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1kUyh7-0004c4-0V for ffmpeg-devel@ffmpeg.org; Tue, 20 Oct 2020 22:57:21 +0200 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id Uyg9k0zQnIr7GUyg9kAXYB; Tue, 20 Oct 2020 22:56:21 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=QN4WuTDL c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=cohzu5scbGQAZDBoLU0A:9 a=1fhp2MxaeJtTNGEnv6mo:22 
a=GiHQeXbIydbNWtWbTz-1:22 a=p-dnK0njbqwfn1k4-x12:22 a=7aar8cbMflRChVwg8ngv:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Tue, 20 Oct 2020 22:56:19 +0200 Message-Id: <20201020205619.7939-11-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20201020205619.7939-1-michael@niedermayer.cc> References: <20201020205619.7939-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfATUKEXoApF6AYPOM3+9H73BWimao2aivc5gLwZ7/jqKukPMo2pJNTtLudjHBfq6WZ1NB2jZMv5ls2SAnmDFZ97QiPfzAxqaG5PJupSbU4PfbNZs269o p4qtDDY9Ki8UKmmMFbvsx7aEcIv7PAiEKYYsVoDLI+OmaMmBYypaHdnb Subject: [FFmpeg-devel] [PATCH 11/11] avutil/mathematics: Use av_sat_add64() for the last addition in av_add_stable() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: 9223372036854770375 + 5450 cannot be represented in type 'long' Fixes: 26471/clusterfuzz-testcase-minimized-ffmpeg_dem_MXG_fuzzer-6229617557635072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 16c6e4db03..da0fc17b2e 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -210,6 +210,6 @@ int64_t av_add_stable(AVRational ts_tb, int64_t ts, AVRational inc_tb, int64_t i if (old == INT64_MAX || old == AV_NOPTS_VALUE || old_ts == AV_NOPTS_VALUE) return ts; - return av_rescale_q(old + 1, inc_tb, ts_tb) + (ts - old_ts); + return av_sat_add64(av_rescale_q(old + 1, inc_tb, ts_tb), ts - old_ts); } }
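Review bot: in the mpegts_read_header() hunk, the new guard `if (ts->pcr_incr)` only excludes zero, so a negative pcr_incr (pcrs[1] smaller than pcrs[0]) still reaches the division and stores a negative value in s->bit_rate and st->codecpar->bit_rate. Unless earlier code guarantees the two PCRs are increasing, test `ts->pcr_incr > 0` instead. The context line just above also divides by `packet_count[1] - packet_count[0]`, and nothing in the visible lines shows that this difference is non-zero, so it is worth confirming that it is checked before this point.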
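Review bot: in the ff_pcm_read_packet() hunk, the check `par->block_align <= INT_MAX / RAW_SAMPLES` has no lower bound, so a zero or negative block_align takes the multiply branch and hands av_get_packet() a size of zero or less. The else branch also carries on with the oversized block_align as the read size instead of rejecting it, although the subject line calls this a check. Consider returning an error when block_align is <= 0 or above the limit, and update the comment above the hunk ("Clamp to RAW_SAMPLES if larger") so it describes the new fallback.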
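Review bot: in both lrc_read_header() hunks the bound `INT64_MIN/4, INT64_MAX/4` appears as an unexplained literal, once for lrc->ts_offset and once for ts_start inside the read_ts() loop. Put it behind one named constant with a comment stating the invariant it buys (the difference of two clipped values still fits in int64_t, which is the subtraction the commit message reports overflowing), so the two sites cannot drift apart. Since the clip silently rewrites values parsed from the file, a warning through av_log() when a value was actually changed would make such inputs diagnosable.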
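Review bot: in the av_add_stable() hunk, the second argument `ts - old_ts` is still a plain signed subtraction evaluated before av_sat_add64() sees it, and the visible guard above only excludes old_ts == AV_NOPTS_VALUE, so extreme ts and old_ts of opposite sign can overflow there. Wrapping it as `av_sat_sub64(ts, old_ts)` would make the whole return expression saturating. A short comment that the result now saturates at the int64_t limits instead of wrapping would also help callers.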