From patchwork Sat Sep 17 21:15:49 2022
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 37987
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:49 +0200
Message-Id: <20220917211557.11547-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/9] avformat/ape: Check frames size

Fixes: signed integer overflow: 9223372036854775806 + 3 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APE_fuzzer-6389264140599296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/ape.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/ape.c b/libavformat/ape.c index f904fde178c..92e9ac7cb1c 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c
@@ -298,6 +298,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) {
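Review bot: the new bound in ape_read_header() (libavformat/ape.c) is INT_MAX - 3, while the sanitizer report in the commit message shows the addition being done in type 'long', so the check rejects far more than is needed to stop the overflow itself. If the intent is to cap a frame at what fits an int-sized packet, say so in a comment or in the commit message, since this silently becomes a format limit. The check is also upper-bound only: a negative size would still reach "(size + 3) & ~3", so consider rejecting size < 0 in the same condition unless an earlier check already guarantees it.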
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:50 +0200
Message-Id: <20220917211557.11547-2-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/9] avformat/apm: Use 64bit for bit_rate computation

Fixes: signed integer overflow: -1155522528 * 4 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_APM_fuzzer-6580670570299392

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/apm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/apm.c b/libavformat/apm.c index baf7d2f9412..a3ddc08e83b 100644 --- a/libavformat/apm.c +++ b/libavformat/apm.c
@@ -148,7 +148,7 @@ static int apm_read_header(AVFormatContext *s) par->codec_id = AV_CODEC_ID_ADPCM_IMA_APM; par->format = AV_SAMPLE_FMT_S16; par->bit_rate = par->ch_layout.nb_channels * - par->sample_rate * + (int64_t)par->sample_rate * par->bits_per_coded_sample; if ((ret = avio_read(s->pb, buf, APM_FILE_EXTRADATA_SIZE)) < 0)
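Review bot: the (int64_t) cast on par->sample_rate in apm_read_header() removes the undefined behaviour but does not validate the inputs. The report quoted in the commit message has a negative left operand (-1155522528 * 4), so at least one of nb_channels or sample_rate was negative when read from the file, and with this change the same file now yields a negative par->bit_rate instead of being rejected. A range check on sample_rate (and the channel count, if not already checked earlier) before this assignment, returning AVERROR_INVALIDDATA, would address the cause rather than the symptom.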
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:51 +0200
Message-Id: <20220917211557.11547-3-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/9] avformat/asfdec_o: Limit packet offset

avoids overflows with it

Fixes: signed integer overflow: 9223372036846866010 + 4294967047 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6538296768987136
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-657169555665715

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/asfdec_o.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 48b7d17322d..e837ca62e7f 100644 --- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c 
@@ -1242,6 +1242,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) {
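Review bot: in asf_read_packet_header() the out-of-range case is handled by silently setting asf->packet_offset = 0 and carrying on, which replaces an implausible offset with a plausible-looking wrong one; any later arithmetic or seek based on packet_offset will then act relative to the start of the file. Returning AVERROR_INVALIDDATA (or at least logging a warning) would make the failure visible. The hunk also checks only the upper side: a negative error return from avio_tell(pb) is stored unchecked. A short comment on why the threshold is INT64_MAX/2 would help the next reader.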
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:52 +0200
Message-Id: <20220917211557.11547-4-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/9] avformat/cafdec: Check that nb_frasmes fits within 64bit

Fixes: signed integer overflow: 1099511693312 * 538976288 cannot be represented in type 'long'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6565048815845376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/cafdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index d5b8c38c25c..e0a9031cb80 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c
@@ -387,7 +387,7 @@ static int read_header(AVFormatContext *s) found_data: if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (ffstream(st)->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) {
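Review bot: when the new condition on caf->data_size in read_header() fails, st->nb_frames is simply left unset with no log message and no error, so a file that trips the check is indistinguishable from one with data_size <= 0; a warning or an explicit AVERROR_INVALIDDATA would make that deliberate. The comparison uses "<", which also rejects the case where data_size / bytes_per_packet equals INT64_MAX / frames_per_packet even though that product still fits; "<=" is the exact bound. The added line is long and repeats the data_size / bytes_per_packet division used on the next line, so a local for the quotient would tidy both.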
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:53 +0200
Message-Id: <20220917211557.11547-5-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/9] avformat/dhav: Use 64bit seek_back

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-6604736532447232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/dhav.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/dhav.c b/libavformat/dhav.c index 9d26efe8fc9..4e720f2a26c 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c 
@@ -242,7 +242,7 @@ static int64_t get_duration(AVFormatContext *s) avio_seek(s->pb, avio_size(s->pb) - 8, SEEK_SET); while (avio_tell(s->pb) > 12 && max_interations--) { if (avio_rl32(s->pb) == MKTAG('d','h','a','v')) { - int seek_back = avio_rl32(s->pb); + int64_t seek_back = avio_rl32(s->pb); avio_seek(s->pb, -seek_back, SEEK_CUR); read_chunk(s);
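Review bot: widening seek_back to int64_t in get_duration() fixes the negation but leaves the file-supplied value unvalidated, and it changes behaviour for large inputs: a 32-bit value above INT_MAX used to become a negative int (so -seek_back sought forward) and now stays positive, giving a backward seek of up to 4 GiB. Nothing in the hunk checks that seek_back does not exceed avio_tell(s->pb), and the return value of avio_seek(s->pb, -seek_back, SEEK_CUR) is ignored before read_chunk(s) runs. Consider bounding seek_back against the current position and breaking out of the loop when the seek fails; the behaviour change deserves a line in the commit message.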
with ESMTP id ZfANoy3fGbZLDZfANoILBb; Sat, 17 Sep 2022 23:15:59 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.68.29 X-CNFS-Analysis: v=2.4 cv=Ufwy9IeN c=1 sm=1 tr=0 ts=6326390f a=2hcxjKEKjp0CzLx6oWAm4g==:117 a=2hcxjKEKjp0CzLx6oWAm4g==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=NEAV23lmAAAA:8 a=JJivkjlbSVwfRkSe34sA:9 From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sat, 17 Sep 2022 23:15:54 +0200 Message-Id: <20220917211557.11547-6-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20220917211557.11547-1-michael@niedermayer.cc> References: <20220917211557.11547-1-michael@niedermayer.cc> X-CMAE-Envelope: MS4wfKq4dzuArM76/NQYEO8esUrYd/wGR+o9H8JdspmBJiwZ/HNIHdoZoOQSAS1nZKd+h80BO8gdwGZHODuVtRQFAsm9g6cq+cIEEhGC8pPbThrywiQapkfX yVs2opJftzUeWjVoArRQaM3+Z4p/1LPCNOzHTxhrhT2zXoNe2p1QCHtOtTAKaBj5pvMXrfqOXPe7Ag== Subject: [FFmpeg-devel] [PATCH 6/9] avformat/dxa: avoid bpc overflows X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: dBmb/eet6/3f Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6639823726706688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/dxa.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 16fbb081568..474b85270ae 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c 
@@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET);
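Review bot: the new guard `c->bpc > INT_MAX - ast->codecpar->block_align + 1` assumes `block_align` is positive. The hunk only tests it for non-zero, so a negative value would make the guard expression itself overflow. In addition, the 64-bit quotient from `(fsize + (int64_t)c->frames - 1) / c->frames` is stored straight into `c->bpc`; if that field is an int, as the sanitizer message suggests, and `fsize` can exceed INT_MAX, the value is narrowed before the guard sees it. Suggest computing the quotient in a local int64_t, range-checking it, and rejecting `block_align < 0` before assigning to `c->bpc`.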
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:55 +0200
Message-Id: <20220917211557.11547-7-michael@niedermayer.cc>
In-Reply-To: <20220917211557.11547-1-michael@niedermayer.cc>
References: <20220917211557.11547-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 7/9] avformat/genh: Check nb_channels for IMA ADPCM

The check could be made more strict

Fixes: signed integer overflow: 36 * 538976288 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-6539389873815552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/genh.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/genh.c b/libavformat/genh.c index a25d4d625a4..1f707b55552 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c 
@@ -78,6 +78,8 @@ static int genh_read_header(AVFormatContext *s) case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; break; case 1: case 11: st->codecpar->bits_per_coded_sample = 4; + if (st->codecpar->ch_layout.nb_channels > INT_MAX / 36) + return AVERROR_INVALIDDATA; st->codecpar->block_align = 36 * st->codecpar->ch_layout.nb_channels; st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; break; case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; break;
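Review bot: the bound `nb_channels > INT_MAX / 36` only stops the multiplication in `36 * st->codecpar->ch_layout.nb_channels` from overflowing; as the commit message itself says, it could be stricter. Nothing in this hunk rejects a zero or negative channel count, and the accepted range still allows a `block_align` close to INT_MAX. Suggest validating `nb_channels` once, where it is read from the header, against a realistic maximum, so that every `case` is covered and not only `case 1: case 11:`.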
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:56 +0200
Message-Id: <20220917211557.11547-8-michael@niedermayer.cc>
In-Reply-To: <20220917211557.11547-1-michael@niedermayer.cc>
References: <20220917211557.11547-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 8/9] avformat/icodec: Check nb_pal

Fixes: signed integer overflow: 538976288 * 4 cannot be represented in type 'int'
Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_ICO_fuzzer-6690068904935424
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/icodec.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 290f658d0c0..85dab3bca0a 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c
@@ -196,6 +196,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); }
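Review bot: the limit `INT_MAX / 4 - 14 - 40` is safe but does not mirror the expression it protects, `14 + 40 + image->nb_pal * 4`; writing it as `(INT_MAX - 14 - 40) / 4` gives the exact bound and is easier to verify by eye. The check also sits in `read_packet()`, after the preceding block that does `AV_WL32(buf + 32, image->nb_pal)`, so it is evaluated per packet; validating `nb_pal` where it is parsed would reject the file earlier. If `nb_pal` is a signed field, a negative value passes this test, so a lower bound belongs in the same check.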
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 17 Sep 2022 23:15:57 +0200
Message-Id: <20220917211557.11547-9-michael@niedermayer.cc>
In-Reply-To: <20220917211557.11547-1-michael@niedermayer.cc>
References: <20220917211557.11547-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 9/9] avformat/jacosubdec: Fix overflow in get_shift()

Fixes: 50993/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-6722544461283328
Fixes: signed integer overflow: 48214448 * 60 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavformat/jacosubdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 0ee4820f62a..61b1316dc9b 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c
@@ -144,7 +144,7 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { case 4: - ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); break; case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c);
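Review bot: in `case 4` the sum is now fully 64-bit, but it is still multiplied by `timeres` and the function is declared `static int get_shift(int timeres, const char *buf)`, so a large result is narrowed to int on the way out; the same applies to the unchanged `case 3`. If `a` is an int like `b`, then with `a` and `timeres` both near INT_MAX the 64-bit product itself can overflow. Suggest computing into an int64_t, checking it against INT_MIN and INT_MAX (or bounding `timeres` and the parsed fields beforehand), and returning a defined value when it is out of range.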