From patchwork Sun Dec 25 22:03:22 2022
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 39750
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 25 Dec 2022 23:03:22 +0100
Message-Id: <20221225220323.20968-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/hdrdec: Check for end of input in decompress()

Fixes: Timeout
Fixes: 54386/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HDR_fuzzer-5053598268784640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer --- libavcodec/hdrdec.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavcodec/hdrdec.c b/libavcodec/hdrdec.c index 21d3e7f693..998227744b 100644 --- a/libavcodec/hdrdec.c +++ b/libavcodec/hdrdec.c @@ -58,6 +58,8 @@ static int decompress(uint8_t *scanline, int w, GetByteContext *gb, const uint8_ int rshift = 0; while (w > 0) { + if (bytestream2_get_bytes_left(gb) < 4) + return AVERROR_INVALIDDATA; scanline[0] = bytestream2_get_byte(gb); scanline[1] = bytestream2_get_byte(gb); scanline[2] = bytestream2_get_byte(gb); @@ -143,13 +145,17 @@ static int hdr_decode_frame(AVCodecContext *avctx, AVFrame *p, int i; if (width < MINELEN || width > MAXELEN) { - decompress(scanline, width, &gb, scanline); + ret = decompress(scanline, width, &gb, scanline); + if (ret < 0) + return ret; goto convert; } i = bytestream2_peek_byte(&gb); if (i != 2) { - decompress(scanline, width, &gb, scanline); + ret = decompress(scanline, width, &gb, scanline); + if (ret < 0) + return ret; goto convert; } bytestream2_skip(&gb, 1); 
@@ -161,7 +167,9 @@ static int hdr_decode_frame(AVCodecContext *avctx, AVFrame *p, if (scanline[1] != 2 || scanline[2] & 128) { scanline[0] = 2; scanline[3] = i; - decompress(scanline + 4, width - 1, &gb, scanline); + ret = decompress(scanline + 4, width - 1, &gb, scanline); + if (ret < 0) + return ret; goto convert; }
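Review bot: the new guard at the top of the while (w > 0) loop in decompress() hard-codes 4, while the visible context shows only three reads into scanline[0], scanline[1] and scanline[2]. A short comment or a named constant stating that each iteration consumes one 4-byte pixel would let a reader verify the bound without opening the file. The commit message says only "Fixes: Timeout"; one sentence on why the loop kept running once the input was exhausted would make the fix easier to audit later.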
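Review bot: all three decompress() call sites in hdr_decode_frame() now leave through return ret on failure, while the success path still goes through goto convert. The visible lines do not show whether anything set up earlier in the function needs releasing, so please confirm that a plain return is safe at each of the three sites. Note also that a truncated file now fails the whole frame instead of yielding a partially decoded one; if that is the intended behaviour, it is worth saying so in the commit message.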
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 25 Dec 2022 23:03:23 +0100
Message-Id: <20221225220323.20968-2-michael@niedermayer.cc>
In-Reply-To: <20221225220323.20968-1-michael@niedermayer.cc>
References: <20221225220323.20968-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avformat/mxfdec: Use 64bit in remainder

Fixes: signed integer overflow: 48000 * 223587 cannot be represented in type 'int'
Fixes: 54513/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5817594836025344
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer --- libavformat/mxfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e6118e141d..6150c131ec 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -3857,8 +3857,8 @@ static int64_t mxf_compute_sample_count(MXFContext *mxf, AVStream *st, if ((sample_rate.num / sample_rate.den) == 48000) { return av_rescale_q(edit_unit, sample_rate, track->edit_rate); } else { - int remainder = (sample_rate.num * time_base.num) % - (time_base.den * sample_rate.den); + int64_t remainder = (sample_rate.num * (int64_t)time_base.num) % + (time_base.den * (int64_t)sample_rate.den); if (remainder) av_log(mxf->fc, AV_LOG_WARNING, "seeking detected on stream #%d with time base (%d/%d) and "
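Review bot: the widened modulus on the + lines in mxf_compute_sample_count() still divides by time_base.den * (int64_t)sample_rate.den without checking that the product is non-zero. If either denominator can be 0 for a malformed file, the % is undefined behaviour, and the sample_rate.num / sample_rate.den test in the context line above has the same exposure. Please confirm that both denominators are validated before this function is reached, or add a guard ahead of the division. The 64-bit promotion itself looks right: casting one operand of each product is enough to do both multiplications in int64_t.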