From patchwork Mon Feb 20 19:29:24 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 40451
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 20 Feb 2023 20:29:24 +0100
Message-Id: <20230220192929.4493-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/6] avformat/mov: Check samplesize and offset to avoid integer overflow

Fixes: signed integer overflow: 9223372036854775584 + 536870912 cannot be represented in type 'long'
Fixes: 55844/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-510613920664780

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/mov.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6ab43b00c6..8af564ed61 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -4192,6 +4192,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st) if (keyframe) distance = 0; sample_size = sc->stsz_sample_size > 0 ? sc->stsz_sample_size : sc->sample_sizes[current_sample]; + if (current_offset > INT64_MAX - sample_size) { + av_log(mov->fc, AV_LOG_ERROR, "Current offset %"PRId64" or sample size %u is too large\n", + current_offset, + sample_size); + return; + } + if (sc->pseudo_stream_id == -1 || sc->stsc_data[stsc_index].id - 1 == sc->pseudo_stream_id) { AVIndexEntry *e; 
From patchwork Mon Feb 20 19:29:25 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 40452
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 20 Feb 2023 20:29:25 +0100
Message-Id: <20230220192929.4493-2-michael@niedermayer.cc>
In-Reply-To: <20230220192929.4493-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/6] avformat/rka: Fix 1/0 with bps=1

Fixes: division by zero
Fixes: 55940/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6333107679920128

The decoder does not support bps=1 and I have no such sample so it is not known if this duration is correct.
Alternatively we could error out on all bps we currently do not support on the decoder side or not set duration.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/rka.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rka.c b/libavformat/rka.c index cc55480345..39e5b3bce1 100644 --- a/libavformat/rka.c +++ b/libavformat/rka.c 
@@ -114,7 +114,7 @@ static int rka_read_header(AVFormatContext *s) par->ch_layout.nb_channels = channels; par->sample_rate = samplerate; par->bits_per_raw_sample = bps; - st->duration = nb_samples / (channels * (bps >> 3)); + st->duration = 8LL*nb_samples / (channels * bps); if (s->pb->seekable & AVIO_SEEKABLE_NORMAL) ff_ape_parse_tag(s); 
From patchwork Mon Feb 20 19:29:26 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 40453
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 20 Feb 2023 20:29:26 +0100
Message-Id: <20230220192929.4493-3-michael@niedermayer.cc>
In-Reply-To: <20230220192929.4493-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/6] avcodec/rka: Fix some integer anomalies

Fixes: left shift of negative value -3201
Fixes: integer overflow: -76470276 * -25608 cannot be represented in type 'int'
Fixes: 56052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-5236218750435328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/rka.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rka.c b/libavcodec/rka.c index 461baf1e1f..994c563ffd 100644 --- a/libavcodec/rka.c +++ b/libavcodec/rka.c 
@@ -723,16 +723,16 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns last_val = val; src = &ctx->buf1[off + -1]; for (int i = 0; i < filt.size && i < 15; i++) - sum += filt.coeffs[i] * src[-i]; + sum += filt.coeffs[i] * (unsigned)src[-i]; sum = sum * 2; for (int i = 15; i < filt.size; i++) - sum += filt.coeffs[i] * src[-i]; + sum += filt.coeffs[i] * (unsigned)src[-i]; sum = sum >> 6; if (ctx->cmode == 0) { if (bits == 0) { ctx->buf1[off] = sum + val; } else { - ctx->buf1[off] = (val + (sum >> bits) << bits) + + ctx->buf1[off] = (val + (sum >> bits)) * (1 << bits) + (((1U << bits) - 1U) & ctx->buf1[off + -1]); } ctx->buf0[off] = ctx->buf1[off] + ctx->buf0[off + -1]; 
From patchwork Mon Feb 20 19:29:27 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 40454
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 20 Feb 2023 20:29:27 +0100
Message-Id: <20230220192929.4493-4-michael@niedermayer.cc>
In-Reply-To: <20230220192929.4493-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 4/6] avcodec/rka: check for size 1 filter

Such filters will not advance and be stuck in the current implementation

Fixes: Infinite loop
Fixes: 56052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-5236218750435328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/rka.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rka.c b/libavcodec/rka.c index 994c563ffd..7452acf27f 100644 --- a/libavcodec/rka.c +++ b/libavcodec/rka.c 
@@ -691,7 +691,7 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns else split = size >> 4; - if (size <= 0) + if (size <= 1) return 0; for (int x = 0; x < size;) { 
From patchwork Mon Feb 20 19:29:28 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 40455
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 20 Feb 2023 20:29:28 +0100
Message-Id: <20230220192929.4493-5-michael@niedermayer.cc>
In-Reply-To: <20230220192929.4493-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/6] avcodec/rka: avoid negative value shift

Fixes: left shift of negative value -81
Fixes: 56061/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-4649758062149632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/rka.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rka.c b/libavcodec/rka.c index 7452acf27f..1eb2289e58 100644 --- a/libavcodec/rka.c +++ b/libavcodec/rka.c 
@@ -737,7 +737,7 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns } ctx->buf0[off] = ctx->buf1[off] + ctx->buf0[off + -1]; } else { - val <<= ctx->cmode; + val *= 1 << ctx->cmode; sum += ctx->buf0[off + -1] + val; switch (s->bps) { case 16: sum = av_clip_int16(sum); break; 
From patchwork Mon Feb 20 19:29:29 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 40456
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 20 Feb 2023 20:29:29 +0100
Message-Id: <20230220192929.4493-6-michael@niedermayer.cc>
In-Reply-To: <20230220192929.4493-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/6] avcodec/rka: avoid undefined doubling sum overflow

Fixes: signed integer overflow: -2124073172 * 2 cannot be represented in type 'int'
Fixes: 56099/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-4530933127839744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/rka.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rka.c b/libavcodec/rka.c index 1eb2289e58..2212e3f930 100644 --- a/libavcodec/rka.c +++ b/libavcodec/rka.c @@ -724,7 +724,7 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns src = &ctx->buf1[off + -1]; for (int i = 0; i < filt.size && i < 15; i++) sum += filt.coeffs[i] * (unsigned)src[-i]; - sum = sum * 2; + sum = sum * 2U; for (int i = 15; i < filt.size; i++) sum += filt.coeffs[i] * (unsigned)src[-i]; sum = sum >> 6;
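
Review bot: In [PATCH 1/6] (libavformat/mov.c, mov_build_index), the new overflow branch ends in a bare `return;` from a `static void` function, so the caller receives no error and carries on with whatever index entries were built before the oversized sample. The AV_LOG_ERROR line is the only trace of the truncation. Consider recording the failure somewhere the caller can act on, or add a comment stating that a partially built index is the intended outcome. The comparison `current_offset > INT64_MAX - sample_size` is the right form for this check, assuming `sample_size` is unsigned as the `%u` format suggests, since the subtraction then cannot wrap.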
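
Review bot: In [PATCH 2/6] (libavformat/rka.c, rka_read_header), the new divisor `channels * bps` is still zero when either `channels` or `bps` is 0, and the visible context shows no check on either value before `st->duration` is computed. If both are validated earlier in the function this is fine; otherwise guard the division or leave the duration unset, which the commit message already names as an alternative. The result also changes for any `bps` that is not a multiple of 8, because the old `(bps >> 3)` rounded down before dividing; a short comment on the intended unit of `nb_samples` would make the new formula easier to verify.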
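
Review bot: In [PATCH 3/6] (libavcodec/rka.c, decode_filter), the replacement `(val + (sum >> bits)) * (1 << bits)` removes the left shift of a negative value but leaves a signed multiplication, which can still overflow when `val + (sum >> bits)` is large, and `1 << bits` is itself undefined for `bits` of 31 or more with a 32-bit int. The continuation line already uses `(1U << bits)`, so multiplying by `(1U << bits)` here would keep the arithmetic unsigned, in line with the `(unsigned)src[-i]` casts added above it. The hunk also leaves `sum = sum * 2;` signed between the two loops it converts; that line is only changed in 6/6.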
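
Review bot: In [PATCH 4/6] (libavcodec/rka.c, decode_filter), `if (size <= 1) return 0;` gives a size 1 filter the same return value the function already used for `size <= 0`, and the check carries no comment saying why 1 is rejected. The explanation from the commit message (such filters do not advance) belongs next to the condition, and if size 1 cannot occur in a valid stream an error return would let the caller stop instead of continuing with output that was never written. The loop header `for (int x = 0; x < size;)` has no increment, so it is worth confirming that no other combination of `size` and `split` leaves `x` unchanged.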
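
Review bot: In [PATCH 5/6] (libavcodec/rka.c, decode_filter), `val *= 1 << ctx->cmode;` no longer shifts a negative value, but the multiplication is still signed and can overflow, and `1 << ctx->cmode` is undefined if `cmode` is negative or 31 and above; the hunk shows no bound on `ctx->cmode`. An unsigned factor, as in the `(1U << bits)` already used in this function, together with a pointer to where `cmode` is range-checked would close both. The following `sum += ctx->buf0[off + -1] + val;` is a signed addition on the same values and is only clipped afterwards in the `switch (s->bps)`.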
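
Review bot: In [PATCH 6/6] (libavcodec/rka.c, decode_filter), `sum = sum * 2U;` makes the doubling wrap in unsigned arithmetic, but the result is stored back into `sum`, which the sanitizer report in the commit message gives as type 'int', and is then shifted with `sum = sum >> 6;`. Converting an out-of-range unsigned value to int and right-shifting a negative int are both implementation-defined, so the decoder output now depends on two's-complement conversion and arithmetic shift. A one-line comment that wrap-around is intended here would document that, and since this touches the same lines as 3/6 the two changes could be one patch.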