From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 19 Apr 2021 20:23:38 +0200
Subject: [FFmpeg-devel] [PATCH 1/9] avformat/utils: check dts/duration to be representable before using them

Fixes: signed integer overflow: 6854513951393103890 + 3427256975738527712 cannot be represented in type 'long'
Fixes: 32936/clusterfuzz-testcase-minimized-ffmpeg_dem_R3D_fuzzer-5236914752978944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index d4ec3d0190..26528f2a68 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c
@@ -1243,7 +1243,9 @@ static void update_initial_durations(AVFormatContext *s, AVStream *st, (pktl->pkt.dts == AV_NOPTS_VALUE || pktl->pkt.dts == st->first_dts || pktl->pkt.dts == RELATIVE_TS_BASE) && - !pktl->pkt.duration) { + !pktl->pkt.duration && + av_sat_add64(cur_dts, duration) == cur_dts + (uint64_t)duration + ) { pktl->pkt.dts = cur_dts; if (!st->internal->avctx->has_b_frames) pktl->pkt.pts = cur_dts;
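
Review bot: the added condition `av_sat_add64(cur_dts, duration) == cur_dts + (uint64_t)duration` compares a saturating signed sum with a wrapping unsigned sum, so it relies on the implicit conversion of the left-hand side to uint64_t to detect that the sum is not representable. That works, but it reads like a tautology at first glance; a one-line comment above it, or a small named helper, would make the intent clear. The lone `) {` on its own line also departs from the surrounding style and could be folded onto the previous line.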

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 19 Apr 2021 20:23:39 +0200
Subject: [FFmpeg-devel] [PATCH 2/9] avformat/mov: Limit nb_chapter_tracks to input size

Fixes: Timeout (15k loop iterations instead of 400m)
Fixes: 31368/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6601583174483968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 9ca1ac89a8..add1e94641 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c
@@ -4687,6 +4687,8 @@ static int mov_read_chap(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < num && !pb->eof_reached; i++) c->chapter_tracks[i] = avio_rb32(pb); + c->nb_chapter_tracks = i; + return 0; }
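
Review bot: `c->nb_chapter_tracks = i;` can count one entry too many on truncated input, because the loop tests `pb->eof_reached` before each `avio_rb32(pb)` and not after it: the read that hits EOF still stores its result in `c->chapter_tracks[i]` and increments `i` before the loop exits. Consider checking `pb->eof_reached` after the read, or returning an error for a short atom, so the count covers only entries that were actually read. A log line when the list is cut short would also help whoever debugs such a file.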

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 19 Apr 2021 20:23:40 +0200
Subject: [FFmpeg-devel] [PATCH 3/9] avformat/mov: Ignore duplicate CoLL

Fixes: memleak
Fixes: 32146/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5377612845285376
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/mov.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index add1e94641..3436fb6b73 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c
@@ -5501,6 +5501,11 @@ static int mov_read_coll(MOVContext *c, AVIOContext *pb, MOVAtom atom) } avio_skip(pb, 3); /* flags */ + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM);
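
Review bot: the `sc->coll` test sits after `avio_skip(pb, 3); /* flags */`, so part of the duplicate atom has already been consumed when the function returns 0 without reading the rest. If the caller is expected to skip the remainder of the atom, a short comment saying so would make the early return easier to trust. Two style points in the same lines: `if (sc->coll){` needs a space before the brace, and the log message spells the atom "COLL" while the subject line uses "CoLL".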

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 19 Apr 2021 20:23:41 +0200
Subject: [FFmpeg-devel] [PATCH 4/9] avformat/wtvdec: Improve size overflow checks in parse_chunks()

Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 'int
Fixes: 32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/wtvdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 44ca86d517..2f1b192cea 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -809,7 +809,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 92) + if (size < 0 || size > INT_MAX - 92 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size;
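
Review bot: in `size > INT_MAX - 92 - consumed` the right-hand side is itself only free of overflow while `consumed` stays between 0 and INT_MAX - 92, and nothing in this hunk shows where that is guaranteed. If `consumed` is bounded earlier in `parse_chunks()`, a short comment stating that bound would be enough; otherwise check `consumed` before using it in the subtraction.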
@@ -825,7 +825,7 @@ static int parse_chunks(AVFormatContext *s, int mode, int64_t seekts, int *len_p avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 76) + if (size < 0 || size > INT_MAX - 76 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size;
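
Review bot: this branch repeats the bound from the previous hunk with 76 in place of 92, and each constant now appears twice per branch, once in the check and once in `consumed += 76 + size`. Named constants for the two header sizes, or a small helper that does the check and the increment together, would keep the two from drifting apart in a later change.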

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 19 Apr 2021 20:23:42 +0200
Subject: [FFmpeg-devel] [PATCH 5/9] avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header()

Fixes: Timeout
Fixes: 33156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-6259655027326976
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/vc1.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index b7140c089c..40e2b4d692 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -672,6 +672,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) if (v->s.pict_type == AV_PICTURE_TYPE_P) v->rnd ^= 1; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; /* Quantizer stuff */ pqindex = get_bits(gb, 5); if (!pqindex)
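
Review bot: the new early return comes after `v->rnd ^= 1`, so for a P-frame whose header is too short the rounding flag has already been toggled when `AVERROR_INVALIDDATA` is returned. Unless callers discard that state on error, move the `get_bits_left(gb) < 5` check above the `pict_type` test so a rejected header leaves `v->rnd` untouched.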
@@ -764,6 +766,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* gb) av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: " "Imode: %i, Invert: %i\n", status>>1, status&1); + if (get_bits_left(gb) < 4) + return AVERROR_INVALIDDATA; + /* Hopefully this is correct for P-frames */ v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables v->cbptab = get_bits(gb, 2);
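
Review bot: the `4` in `get_bits_left(gb) < 4` is the sum of the two 2-bit reads that follow (`mv_table_index` and `cbptab`), which is easy to miss; a short comment tying the threshold to those reads would keep it correct if fields are added or reordered. The commit message says only "Fixes: Timeout", so a sentence on why these two points in the header were chosen for the checks would also help.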

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 19 Apr 2021 20:23:43 +0200
Subject: [FFmpeg-devel] [PATCH 6/9] avcodec/adpcm: Set vqa_version before use in init

Fixes: null pointer dereference
Fixes: 33172/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_WS_fuzzer-5200164273913856
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/adpcm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index be14607eac..2deefeb651 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c
@@ -191,6 +191,8 @@ static av_cold int adpcm_decode_init(AVCodecContext * avctx) avctx->sample_fmt = AV_SAMPLE_FMT_S16P; break; case AV_CODEC_ID_ADPCM_IMA_WS: + if (avctx->extradata && avctx->extradata_size >= 2) + c->vqa_version = AV_RL16(avctx->extradata); avctx->sample_fmt = c->vqa_version == 3 ? AV_SAMPLE_FMT_S16P : AV_SAMPLE_FMT_S16; break; From patchwork Mon Apr 19 18:23:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 27096
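Review bot: in the AV_CODEC_ID_ADPCM_IMA_WS case of libavcodec/adpcm.c, when avctx->extradata is NULL or shorter than 2 bytes the new guard leaves c->vqa_version untouched, and the following line still selects a sample format from it. Say in a comment or in the commit message that falling back to AV_SAMPLE_FMT_S16 is the intended result for missing extradata, and how the wrong format led to the reported null pointer dereference. The subject says the value is set "before use", which implies an assignment elsewhere in the decoder; if that assignment remains, consider moving it here rather than reading the extradata twice.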
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Apr 2021 20:23:44 +0200 Message-Id: <20210419182346.4445-7-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210419182346.4445-1-michael@niedermayer.cc> References: <20210419182346.4445-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 7/9] avformat/id3v2: Check end for overflow in id3v2_parse() Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be represented in type 'long' Fixes: 33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/id3v2.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index e0fef08789..0f7035d4c5 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -824,7 +824,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; 
@@ -836,6 +836,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary **metadata, av_unused int uncompressed_buffer_size = 0; const char *comm_frame; + if (av_sat_add64(end, len) != end + (uint64_t)len) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { 
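Review bot: the bare return added at the top of id3v2_parse() for an overflowing end + len gives up without any message, although the function has an error: label that reports reason (visible in the last hunk of this patch). Log at least a warning here so that a rejected tag is not silent to the caller. The test itself, av_sat_add64(end, len) != end + (uint64_t)len, compares a signed saturated sum with an unsigned wrapped one and takes a moment to verify; a direct bound such as len > INT64_MAX - end states the same condition, provided end is known to be non-negative, which avio_tell(pb) does not guarantee when it fails.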
@@ -1057,7 +1061,7 @@ seek: /* Footer preset, always 10 bytes, skip over it */ if (version == 4 && flags & 0x10) - end += 10; + end = av_sat_add64(end, 10); error: if (reason) From patchwork Mon Apr 19 18:23:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 27097
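Review bot: in the footer branch of libavformat/id3v2.c, end = av_sat_add64(end, 10) clamps silently to INT64_MAX, while the check added earlier in the same patch rejects an overflowing end + len outright. Handling the two cases differently needs a reason; either treat an overflowing footer skip as an error as well, or add a comment saying why a saturated end is acceptable for the code after the error: label.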
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Apr 2021 20:23:45 +0200 Message-Id: <20210419182346.4445-8-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210419182346.4445-1-michael@niedermayer.cc> References: <20210419182346.4445-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 8/9] tools/target_dec_fuzzer: Adjust threshold for TAK Fixes: Timeout Fixes: 33346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4715352157192192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 80da7afcb8..6d19cff6f2 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c 
@@ -190,6 +190,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_SCREENPRESSO:maxpixels /= 64; break; case AV_CODEC_ID_SMACKVIDEO: maxpixels /= 64; break; case AV_CODEC_ID_SNOW: maxpixels /= 128; break; + case AV_CODEC_ID_TAK: maxsamples /= 1024; break; case AV_CODEC_ID_TGV: maxpixels /= 32; break; case AV_CODEC_ID_THEORA: maxpixels /= 1024; break; case AV_CODEC_ID_TRUEMOTION2: maxpixels /= 1024; break; From patchwork Mon Apr 19 18:23:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 27095
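Review bot: the new AV_CODEC_ID_TAK case in tools/target_dec_fuzzer.c divides maxsamples, while every neighbouring case visible in this switch divides maxpixels, and the commit message gives no basis for the divisor 1024 beyond "Fixes: Timeout". A short comment on the line, or a sentence in the commit message, should say that the sample limit is the intended one for this codec and how 1024 was chosen, so that later threshold adjustments have something to compare against.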
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 19 Apr 2021 20:23:46 +0200 Message-Id: <20210419182346.4445-9-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210419182346.4445-1-michael@niedermayer.cc> References: <20210419182346.4445-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 9/9] avcodec/clearvideo: Check for 0 tile_shift Fixes: shift exponent -1 is negative Fixes: 33401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5908683596890112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/clearvideo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 79ba88857c..b3ccb51334 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c 
@@ -722,8 +722,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx) } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", c->tile_size); return AVERROR_INVALIDDATA; }
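Review bot: the added c->tile_shift < 1 term in clv_decode_init() rejects exactly tile_size == 1, but it reads as a constraint on the derived shift rather than on the input value. Writing it as c->tile_size < 2, placed first in the condition, would match the new message "is not power of 2 > 1" and make the intent obvious. The commit message could also name the expression whose exponent becomes -1, since this hunk does not show where the negative shift arises.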