From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 24 Apr 2021 17:59:23 +0200
Message-Id: <20210424155926.4018-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/4] avformat/dxa: Check fps to be within the supported range more precisely

Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself
Fixes: assertion failure
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6744985740378112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/dxa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 909c5ba2ba..cd9c489851 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c
@@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s) if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 24 Apr 2021 17:59:24 +0200
Message-Id: <20210424155926.4018-2-michael@niedermayer.cc>
In-Reply-To: <20210424155926.4018-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/4] avformat/iff: Use 64bit in duration computation

Fixes: signed integer overflow: 588 * 16719904 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6748331936186368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/iff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/iff.c b/libavformat/iff.c index 27b5581cc3..bc4c410ebe 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c
@@ -384,7 +384,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb);

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 24 Apr 2021 17:59:25 +0200
Message-Id: <20210424155926.4018-3-michael@niedermayer.cc>
In-Reply-To: <20210424155926.4018-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/4] avformat/mccdec: Fix overflows in num/den

Fixes: signed integer overflow: 6365816 * 1000 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MCC_fuzzer-6737934184218624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mccdec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavformat/mccdec.c b/libavformat/mccdec.c index 2a0b7905a0..7671be61d4 100644 --- a/libavformat/mccdec.c +++ b/libavformat/mccdec.c
@@ -127,8 +127,7 @@ static int mcc_read_header(AVFormatContext *s) num = strtol(rate_str, &df, 10); den = 1; if (df && !av_strncasecmp(df, "DF", 2)) { - num *= 1000; - den = 1001; + av_reduce(&num, &den, num * 1000LL, 10001, INT_MAX); } }

From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 24 Apr 2021 17:59:26 +0200
Message-Id: <20210424155926.4018-4-michael@niedermayer.cc>
In-Reply-To: <20210424155926.4018-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/4] avformat/mpc8: Check for position overflow in mpc8_handle_chunk()

Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/mpc8.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index b12a417f63..b3fcae75fb 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c
@@ -205,8 +205,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, in switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break;
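
Review bot: In libavformat/dxa.c dxa_read_header(), the new condition `fps < 0 && fps > INT_MIN` sends fps == INT_MIN to the final else branch, the same path as fps == 0, and nothing in the code says why. A short comment that INT_MIN is excluded because `-fps` cannot be represented in int would keep a later cleanup from dropping the second test. If that value should be rejected rather than handled like fps == 0, an explicit error return at this point would state the intent more clearly than falling through.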
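
Review bot: In libavformat/iff.c read_dst_frame(), widening the constant to `588LL` removes the int overflow, but the duration is still derived from whatever sample_rate the stream carries; nothing in the hunk bounds it, and the fuzzer case quoted in the commit message had 16719904. Consider validating sample_rate (positive and within a plausible range) where it is set, so that a zero or negative value cannot produce a zero or negative pkt->duration. A brief comment on why the literal is 64-bit would also help the next reader.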
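
Review bot: In libavformat/mccdec.c mcc_read_header(), the denominator passed to av_reduce() is 10001, while the removed line set `den = 1001`. That changes the drop-frame rate from num*1000/1001 to num*1000/10001 and looks like a typo, since the commit message only mentions fixing overflows. Suggest `av_reduce(&num, &den, num * 1000LL, 1001, INT_MAX);`. Note also that av_reduce() with a maximum of INT_MAX returns an approximation when the reduced ratio does not fit, so very large num values are now approximated rather than rejected; if rejection is preferred, check its return value.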
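
Review bot: In libavformat/mpc8.c mpc8_handle_chunk(), the new guards `pos > INT64_MAX - size` and `off > INT64_MAX - chunk_pos` are themselves overflow-free only when size and chunk_pos are non-negative, and the hunk tests neither (only `off < 0`). Adding `size < 0` and `chunk_pos < 0` to the condition, or a comment stating where the callers guarantee that, would close the gap. The early `return` also skips the `avio_seek(pb, pos, SEEK_SET)` of the normal path and logs nothing, so a rejected seek table leaves the reader just after the varlen field with no diagnostic; a warning through av_log() would help when triaging such files.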