From patchwork Tue Feb 2 23:13:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 25354 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 34A7644B152 for ; Wed, 3 Feb 2021 01:14:45 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 19F5C68A6F0; Wed, 3 Feb 2021 01:14:45 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe03-2.mx.upcmail.net (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id D6E58689F27 for ; Wed, 3 Feb 2021 01:14:35 +0200 (EET) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1l74sV-0008G2-0J for ffmpeg-devel@ffmpeg.org; Wed, 03 Feb 2021 00:14:35 +0100 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id 74rWl5acrljeH74rXlMRP3; Wed, 03 Feb 2021 00:13:35 +0100 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=BoHjPrf5 c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=ZXRJXr437kzHD1v4ViAA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 3 Feb 2021 00:13:28 +0100 Message-Id: <20210202231334.24412-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 X-CMAE-Envelope: MS4wfDeHtYxEPR3w/OIv2U/migcWnyjQ04uh4w7kfUEht/xtwmweUiiTvHgODPyImyX+J3zU9B+ds0loLVErj4I4a0laLSzm3dZJFD38nnaD8SkP9clh0XiE wiUQbNpN3mKcbw502xHVUu7j/weRIsqNKkH2o1rOY9y001RaY+nGTmlv Subject: [FFmpeg-devel] [PATCH 1/7] avformat/utils: Extend overflow check in dts wrap in compute_pkt_fields() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: -9223372032574480351 - 4294967296 cannot be represented in type 'long long' Fixes: 30022/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5568610275819520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index fb3299503e..9f04e94624 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1255,7 +1255,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, presentation_delayed = 1; if (pkt->pts != AV_NOPTS_VALUE && pkt->dts != AV_NOPTS_VALUE && - st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << (st->pts_wrap_bits - 1)) && + st->pts_wrap_bits < 63 && pkt->dts > INT64_MIN + (1LL << st->pts_wrap_bits) && pkt->dts - (1LL << (st->pts_wrap_bits - 1)) > pkt->pts) { if (is_relative(st->cur_dts) || pkt->dts - (1LL<<(st->pts_wrap_bits - 1)) > st->cur_dts) { pkt->dts -= 1LL << st->pts_wrap_bits; From patchwork Tue Feb 2 23:13:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 25355 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 3C71044B152 for ; Wed, 3 Feb 2021 01:14:46 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 284F468A791; Wed, 3 Feb 2021 01:14:46 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe03-2.mx.upcmail.net (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id D93A768A1B8 for ; Wed, 3 Feb 2021 01:14:35 +0200 (EET) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1l74sV-0007fF-0J for ffmpeg-devel@ffmpeg.org; Wed, 03 Feb 2021 00:14:35 +0100 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id 74rXl5adXljeH74rXlMRPQ; Wed, 03 Feb 2021 00:13:35 +0100 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=BoHjPrf5 c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=TkDl-IKZXT3PzGrDuc4A:9 a=pHzHmUro8NiASowvMSCR:22 a=Ew2E2A-JSTLzCXPT_086:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 3 Feb 2021 00:13:29 +0100 Message-Id: <20210202231334.24412-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210202231334.24412-1-michael@niedermayer.cc> References: <20210202231334.24412-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfDeHtYxEPR3w/OIv2U/migcWnyjQ04uh4w7kfUEht/xtwmweUiiTvHgODPyImyX+J3zU9B+ds0loLVErj4I4a0laLSzm3dZJFD38nnaD8SkP9clh0XiE wiUQbNpN3mKcbw502xHVUu7j/weRIsqNKkH2o1rOY9y001RaY+nGTmlv Subject: [FFmpeg-devel] [PATCH 2/7] tools/target_dec_fuzzer: count all video decoding failures in the new API X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" The next commit depends on this Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index affa6e3b51..cef47cbd50 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -349,6 +349,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (ctx->codec_type != AVMEDIA_TYPE_SUBTITLE) { int ret = avcodec_send_packet(ctx, &avpkt); decode_more = ret >= 0; + if(!decode_more) { + ec_pixels += (ctx->width + 32LL) * (ctx->height + 32LL); + if (it > 20 || ec_pixels > 4 * ctx->max_pixels) + ctx->error_concealment = 0; + if (ec_pixels > maxpixels) + goto maximums_reached; + } } else decode_more = 1; From patchwork Tue Feb 2 23:13:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 25352 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id EFE9744B152 for ; Wed, 3 Feb 2021 01:14:42 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id CA5CA68A56C; Wed, 3 Feb 2021 01:14:42 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe03-2.mx.upcmail.net (vie01a-dmta-pe03-2.mx.upcmail.net [62.179.121.161]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id D3D6768810B for ; Wed, 3 Feb 2021 01:14:35 +0200 (EET) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe03.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1l74sV-0008G4-0J for ffmpeg-devel@ffmpeg.org; Wed, 03 Feb 2021 00:14:35 +0100 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id 74rXl5adgljeH74rXlMRPV; Wed, 03 Feb 2021 00:13:35 +0100 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=BoHjPrf5 c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=d1nJR6xGuaPcBP5JuOUA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 3 Feb 2021 00:13:30 +0100 Message-Id: <20210202231334.24412-3-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210202231334.24412-1-michael@niedermayer.cc> References: <20210202231334.24412-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfDeHtYxEPR3w/OIv2U/migcWnyjQ04uh4w7kfUEht/xtwmweUiiTvHgODPyImyX+J3zU9B+ds0loLVErj4I4a0laLSzm3dZJFD38nnaD8SkP9clh0XiE wiUQbNpN3mKcbw502xHVUu7j/weRIsqNKkH2o1rOY9y001RaY+nGTmlv Subject: [FFmpeg-devel] [PATCH 3/7] tools/target_dec_fuzzer: Adjust the threshold of vc1image X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Timeout Fixes: 30025/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5965511357759488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index cef47cbd50..2abc7a0053 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -185,6 +185,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_SNOW: maxpixels /= 128; break; case AV_CODEC_ID_TGV: maxpixels /= 32; break; case AV_CODEC_ID_TRUEMOTION2: maxpixels /= 1024; break; + case AV_CODEC_ID_VC1IMAGE: maxpixels /= 8192; break; case AV_CODEC_ID_VP7: maxpixels /= 256; break; case AV_CODEC_ID_VP9: maxpixels /= 4096; break; case AV_CODEC_ID_WMV3IMAGE: maxpixels /= 8192; break; From patchwork Tue Feb 2 23:13:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 25353 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 0373E44B152 for ; Wed, 3 Feb 2021 01:14:44 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id DD7A668A4FE; Wed, 3 Feb 2021 01:14:43 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id CF11A6880FB for ; Wed, 3 Feb 2021 01:14:35 +0200 (EET) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1l74sV-0003St-0J for ffmpeg-devel@ffmpeg.org; Wed, 03 Feb 2021 00:14:35 +0100 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id 74rXl5adoljeH74rXlMRPa; Wed, 03 Feb 2021 00:13:35 +0100 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=BoHjPrf5 c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=OJr0LxbCfuv1Wu3cZSYA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 3 Feb 2021 00:13:31 +0100 Message-Id: <20210202231334.24412-4-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210202231334.24412-1-michael@niedermayer.cc> References: <20210202231334.24412-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfDeHtYxEPR3w/OIv2U/migcWnyjQ04uh4w7kfUEht/xtwmweUiiTvHgODPyImyX+J3zU9B+ds0loLVErj4I4a0laLSzm3dZJFD38nnaD8SkP9clh0XiE wiUQbNpN3mKcbw502xHVUu7j/weRIsqNKkH2o1rOY9y001RaY+nGTmlv Subject: [FFmpeg-devel] [PATCH 4/7] avcodec/fits: Check gcount and pcount being non negative X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: 9223372036854775807 - -30069403896 cannot be represented in type 'long' Fixes: 30046/clusterfuzz-testcase-minimized-ffmpeg_dem_FITS_fuzzer-5807144773484544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/fits.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/fits.c b/libavcodec/fits.c index 25c33e06c8..97fa7abe80 100644 --- a/libavcodec/fits.c +++ b/libavcodec/fits.c @@ -205,8 +205,12 @@ int avpriv_fits_header_parse_line(void *avcl, FITSHeader *header, const uint8_t } else if (!strcmp(keyword, "GROUPS") && sscanf(value, "%c", &c) == 1) { header->groups = (c == 'T'); } else if (!strcmp(keyword, "GCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->gcount = t; } else if (!strcmp(keyword, "PCOUNT") && sscanf(value, "%"SCNd64"", &t) == 1) { + if (t < 0 || t > INT_MAX) + return AVERROR_INVALIDDATA; header->pcount = t; } dict_set_if_not_null(metadata, keyword, value); From patchwork Tue Feb 2 23:13:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 25356 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 32F7744B152 for ; Wed, 3 Feb 2021 01:14:47 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 14F6168A516; Wed, 3 Feb 2021 01:14:47 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 40BD968A3D3 for ; Wed, 3 Feb 2021 01:14:36 +0200 (EET) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1l74sW-0004T6-0G for ffmpeg-devel@ffmpeg.org; Wed, 03 Feb 2021 00:14:36 +0100 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id 74rXl5aduljeH74rXlMRPd; Wed, 03 Feb 2021 00:13:36 +0100 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=BoHjPrf5 c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=lUthLf-QZM2aKUppxxcA:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 3 Feb 2021 00:13:32 +0100 Message-Id: <20210202231334.24412-5-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210202231334.24412-1-michael@niedermayer.cc> References: <20210202231334.24412-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfO0bggAcnvtmbv543BrQIAHWH7bDybPxufDTMZkDjAd+lgiLaExQN2ummgg6aYzs1zZnnOx+xLaT8/TMsnBt6GZgyRP8is1en6ma8kwr5+R78otZxGXb HLFhSSrQIZPkORh6C7EofRKYX7aNSfyJliVN3R/R/YSjml0gg5l+ed6j Subject: [FFmpeg-devel] [PATCH 5/7] avformat/mvdec: Sanity check SAMPLE_WIDTH X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: signed integer overflow: 999999999 * 8 cannot be represented in type 'int' Fixes: 30048/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5864289917337600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/mvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index d8f121bea5..ac96e4a808 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -159,7 +159,10 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream *st, st->codecpar->sample_rate = var_read_int(pb, size); avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { - st->codecpar->bits_per_coded_sample = var_read_int(pb, size) * 8; + uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; + if (bpc > 100) + return AVERROR_INVALIDDATA; + st->codecpar->bits_per_coded_sample = bpc; } else return AVERROR_INVALIDDATA; From patchwork Tue Feb 2 23:13:33 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 25358 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 0B06444B152 for ; Wed, 3 Feb 2021 01:14:49 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id E8F0B68A898; Wed, 3 Feb 2021 01:14:48 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe05-1.mx.upcmail.net (vie01a-dmta-pe05-1.mx.upcmail.net [84.116.36.11]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id A6EED68A1B8 for ; Wed, 3 Feb 2021 01:14:36 +0200 (EET) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1l74sW-0001tl-0G for ffmpeg-devel@ffmpeg.org; Wed, 03 Feb 2021 00:14:36 +0100 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id 74rYl5ae5ljeH74rYlMRPg; Wed, 03 Feb 2021 00:13:36 +0100 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=BoHjPrf5 c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=F6xQ-JQ4EBR5YSC8Uy8A:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=SsAZrZ5W_gNWK9tOzrEV:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 3 Feb 2021 00:13:33 +0100 Message-Id: <20210202231334.24412-6-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210202231334.24412-1-michael@niedermayer.cc> References: <20210202231334.24412-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfO0bggAcnvtmbv543BrQIAHWH7bDybPxufDTMZkDjAd+lgiLaExQN2ummgg6aYzs1zZnnOx+xLaT8/TMsnBt6GZgyRP8is1en6ma8kwr5+R78otZxGXb HLFhSSrQIZPkORh6C7EofRKYX7aNSfyJliVN3R/R/YSjml0gg5l+ed6j Subject: [FFmpeg-devel] [PATCH 6/7] avcodec/fmvc: avoid copying uninitialized data X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Timeout Fixes: 30049/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FMVC_fuzzer-5986909455253504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/fmvc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 5bee96a18d..3701b0849b 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -440,6 +440,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, memcpy(dst, src, avctx->width * s->bpp); dst -= frame->linesize[0]; src += s->stride * 4; + if (bytestream2_tell_p(pb) < y*s->stride * 4) + break; } } else { unsigned block, nb_blocks; From patchwork Tue Feb 2 23:13:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 25357 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 22C0244B152 for ; Wed, 3 Feb 2021 01:14:48 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 0150868A878; Wed, 3 Feb 2021 01:14:48 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe01-2.mx.upcmail.net (vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 5AFD56880FB for ; Wed, 3 Feb 2021 01:14:36 +0200 (EET) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1l74sW-0003St-0G for ffmpeg-devel@ffmpeg.org; Wed, 03 Feb 2021 00:14:36 +0100 Received: from localhost ([213.47.68.29]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id 74rYl5aeCljeH74rYlMRPl; Wed, 03 Feb 2021 00:13:36 +0100 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.3 cv=BoHjPrf5 c=1 sm=1 tr=0 a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=vsNmR7GrC5s1ARwY_z8A:9 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=UDnyf2zBuKT2w-IlGP_r:22 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 3 Feb 2021 00:13:34 +0100 Message-Id: <20210202231334.24412-7-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210202231334.24412-1-michael@niedermayer.cc> References: <20210202231334.24412-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfO0bggAcnvtmbv543BrQIAHWH7bDybPxufDTMZkDjAd+lgiLaExQN2ummgg6aYzs1zZnnOx+xLaT8/TMsnBt6GZgyRP8is1en6ma8kwr5+R78otZxGXb HLFhSSrQIZPkORh6C7EofRKYX7aNSfyJliVN3R/R/YSjml0gg5l+ed6j Subject: [FFmpeg-devel] [PATCH 7/7] tools/target_dec_fuzzer: Adjust threshold for VMNC X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Timeout Fixes: 30055/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMNC_fuzzer-4739482576355328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 2abc7a0053..91e58c5680 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -186,6 +186,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_TGV: maxpixels /= 32; break; case AV_CODEC_ID_TRUEMOTION2: maxpixels /= 1024; break; case AV_CODEC_ID_VC1IMAGE: maxpixels /= 8192; break; + case AV_CODEC_ID_VMNC: maxpixels /= 8192; break; case AV_CODEC_ID_VP7: maxpixels /= 256; break; case AV_CODEC_ID_VP9: maxpixels /= 4096; break; case AV_CODEC_ID_WMV3IMAGE: maxpixels /= 8192; break;