From patchwork Mon Aug 22 22:55:44 2022
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 37403
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 23 Aug 2022 00:55:44 +0200
Message-Id: <20220822225547.12895-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/4] libavformat/iff: Check for overflow in body_end calculation

Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long'
Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/iff.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/iff.c b/libavformat/iff.c index b37600605a..b8e8bffe03 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c
@@ -501,6 +501,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) {

From patchwork Mon Aug 22 22:55:45 2022
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 37405
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 23 Aug 2022 00:55:45 +0200
Message-Id: <20220822225547.12895-2-michael@niedermayer.cc>
In-Reply-To: <20220822225547.12895-1-michael@niedermayer.cc>
References: <20220822225547.12895-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer()

This would avoid regeting the frame on lzss errors

Signed-off-by: Michael Niedermayer
---
 libavcodec/midivid.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c index 7448c8c797..6b76d5bcad 100644 --- a/libavcodec/midivid.c +++ b/libavcodec/midivid.c
@@ -203,12 +203,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, bytestream2_skip(gb, 8); uncompressed = bytestream2_get_le32(gb); - if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) - return ret; - - if (uncompressed) { - ret = decode_mvdv(s, avctx, frame); - } else { + if (!uncompressed) { av_fast_padded_malloc(&s->uncompressed, &s->uncompressed_size, 16LL * (avpkt->size - 12)); if (!s->uncompressed) return AVERROR(ENOMEM); 
@@ -217,9 +212,13 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, if (ret < 0) return ret; bytestream2_init(gb, s->uncompressed, ret); - ret = decode_mvdv(s, avctx, frame); } + if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) + return ret; + + ret = decode_mvdv(s, avctx, frame); + if (ret < 0) return ret; key = ret;

From patchwork Mon Aug 22 22:55:46 2022
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 37402
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 23 Aug 2022 00:55:46 +0200
Message-Id: <20220822225547.12895-3-michael@niedermayer.cc>
In-Reply-To: <20220822225547.12895-1-michael@niedermayer.cc>
References: <20220822225547.12895-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/4] tools/target_dec_fuzzer: Adjust threshold for MVDV

Fixes: Timeout
Fixes: 50213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-5228284098510848
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 tools/target_dec_fuzzer.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index e142daefe9..aa3ba0e523 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c
@@ -256,6 +256,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_MSZH: maxpixels /= 128; break; case AV_CODEC_ID_MTS2: maxpixels /= 4096; break; case AV_CODEC_ID_MVC2: maxpixels /= 128; break; + case AV_CODEC_ID_MVDV: maxpixels /= 1024; break; case AV_CODEC_ID_MWSC: maxpixels /= 256; break; case AV_CODEC_ID_MXPEG: maxpixels /= 128; break; case AV_CODEC_ID_NUV: maxpixels /= 128; break;

From patchwork Mon Aug 22 22:55:47 2022
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 37404
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 23 Aug 2022 00:55:47 +0200
Message-Id: <20220822225547.12895-4-michael@niedermayer.cc>
In-Reply-To: <20220822225547.12895-1-michael@niedermayer.cc>
References: <20220822225547.12895-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/4] libavcodec/8bps: Check that line lengths fit within the buffer

Fixes: Timeout
Fixes: undefined pointer arithmetic
Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/8bps.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 3bac9f64c4..4a3511948b 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c
@@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret;
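
Review bot: In the libavformat/iff.c hunk (patch 1/4), the added guard `iff->body_pos + data_size > INT64_MAX` performs the very addition it is meant to protect. The declaration of data_size is not in the hunk: if it is unsigned, a large enough value makes the sum wrap and pass the test; if it is signed, the sum overflows before the comparison is made. Testing `data_size > INT64_MAX - iff->body_pos` after the `iff->body_pos < 0` check avoids both cases. The commit message also quotes a failing subtraction while the check guards an addition, so a sentence naming the expression that overflowed would help connect the two.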
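
Review bot: In the second libavcodec/midivid.c hunk (patch 2/4), nothing at the relocated `ff_reget_buffer()` call says that its position after the `!uncompressed` block is deliberate, so a later cleanup could move it back above the decompression. A one-line comment there, saying that the frame is re-acquired only once the input has been unpacked, would document the ordering. The commit message could also mention that the `AVERROR(ENOMEM)` return in the first hunk now happens before the frame is touched, not only the lzss error path.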
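
Review bot: The divisor in the added `case AV_CODEC_ID_MVDV: maxpixels /= 1024; break;` line of tools/target_dec_fuzzer.c (patch 3/4) has no stated rationale; the commit message says only "Timeout", and the neighbouring entries in the hunk range from 128 to 4096. Please note in the message how 1024 was chosen, so the threshold can be revisited if the decoder's cost per pixel changes.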
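
Review bot: In the libavcodec/8bps.c hunk (patch 4/4), `buf_size < planes * height *2` leaves the reader to work out what the product represents, and the multiplication happens before any bound on its operands that is visible here. A short comment stating that this is the size of the line-length data the subject line refers to would help, along with the spacing fix `height * 2`. If planes and height are plain int, it is also worth confirming that the product cannot overflow for the largest dimensions the decoder accepts.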