From patchwork Sun Apr 16 16:48:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 41204
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:20 +0200
Message-Id: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD

Fixes: runtime error: signed integer overflow: 2140143616 + 254665816 cannot be represented in type 'int'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XMD_fuzzer-6690181676924928

As a side effect this simplifies the equation, the high bits are different after this but only the low 16 bits are stored and used in later steps.
The change is untested as there are no fate testcases, no sample files on the server, no links on the mailing list and no reports on trac referencing this format that I could find.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/adpcm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 451696932d1..d8f334cf5a0 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c
@@ -1579,11 +1579,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame, nibble[0] = sign_extend(byte & 15, 4); nibble[1] = sign_extend(byte >> 4, 4); - out[2+n*2] = (nibble[0]*(scale<<14) + (history[0]*29336) - (history[1]*13136)) >> 14; + out[2+n*2 ] = nibble[0]*scale + ((history[0]*3667 - history[1]*1642) >> 11); history[1] = history[0]; history[0] = out[2+n*2]; - out[2+n*2+1] = (nibble[1]*(scale<<14) + (history[0]*29336) - (history[1]*13136)) >> 14; + out[2+n*2+1] = nibble[1]*scale + ((history[0]*3667 - history[1]*1642) >> 11); history[1] = history[0]; history[0] = out[2+n*2+1]; }
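
Review bot: the rescaled constants in both out[] assignments of the ADPCM_XMD hunk need a short code comment. 3667 and 1642 are 29336/8 and 13136/8, and the shift drops from 14 to 11 to match; without that note the new lines cannot be checked against the coefficients the old lines used. The remaining products history[0]*3667 and history[1]*1642 are still computed in int and are safe only while history[] stays within 16 bits. The hunk does not show the type of history[] or out[], so the commit message, which already says the change is untested, should state that bound explicitly.
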
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:21 +0200
Message-Id: <20230416164830.15664-2-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 02/11] avcodec/pngdec: remove AVFrame argument from decode_iccp_chunk()

Signed-off-by: Michael Niedermayer
---
 libavcodec/pngdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 8fbb71f60f6..679cb8c2281 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -972,7 +972,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, return 0; } -static int decode_iccp_chunk(PNGDecContext *s, GetByteContext *gb, AVFrame *f) +static int decode_iccp_chunk(PNGDecContext *s, GetByteContext *gb) { int ret, cnt = 0; AVBPrint bp;
@@ -1466,7 +1466,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, s->have_srgb = 1; break; case MKTAG('i', 'C', 'C', 'P'): { - if ((ret = decode_iccp_chunk(s, &gb_chunk, p)) < 0) + if ((ret = decode_iccp_chunk(s, &gb_chunk)) < 0) goto fail; break; }
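
Review bot: the commit message has no body, so the reason for dropping AVFrame *f from decode_iccp_chunk() is undocumented. The new signature and the updated call in the iCCP case of decode_frame_common() agree with each other, but the visible lines of the function do not show that f was unused. Say so in the message, and mention that the change prepares for the next patch in the series, where decode_frame_common() is called without a frame.
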
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:22 +0200
Message-Id: <20230416164830.15664-3-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 03/11] avcodec/pngdec: Do not pass AVFrame into global header decode

The global header should not contain a frame, and decoding it would result in leaks

Fixes: memleak
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-6603443149340672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/pngdec.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 679cb8c2281..5dc36d400c2 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -734,6 +734,8 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, int ret; size_t byte_depth = s->bit_depth > 8 ? 2 : 1; + if (!p) + return AVERROR_INVALIDDATA; if (!(s->hdr_state & PNG_IHDR)) { av_log(avctx, AV_LOG_ERROR, "IDAT without IHDR\n"); return AVERROR_INVALIDDATA; @@ -1515,6 +1517,9 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, } exit_loop: + if (!p) + return AVERROR_INVALIDDATA; + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { return 0;
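
Review bot: both new !p checks, at the top of decode_idat_chunk() and after exit_loop: in decode_frame_common(), fail silently, while the PNG_IHDR check directly below the first one logs "IDAT without IHDR". Add an av_log() call so that a frame chunk in the global header can be diagnosed. The check after exit_loop: also uses a bare return, whereas error paths in the chunk loop of the same function use goto fail (the iCCP case does); since this patch targets a leak, confirm that nothing set up before exit_loop: needs the fail path.
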
@@ -1727,7 +1732,7 @@ static int decode_frame_apng(AVCodecContext *avctx, AVFrame *p, if ((ret = inflateReset(&s->zstream.zstream)) != Z_OK) return AVERROR_EXTERNAL; bytestream2_init(&s->gb, avctx->extradata, avctx->extradata_size); - if ((ret = decode_frame_common(avctx, s, p, avpkt)) < 0) + if ((ret = decode_frame_common(avctx, s, NULL, avpkt)) < 0) return ret; }
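
Review bot: with NULL passed to decode_frame_common() in decode_frame_apng(), every extradata parse that reaches exit_loop: now returns AVERROR_INVALIDDATA, so a valid global header has to leave the function by some other path, and none of the hunks shows which one. Add a comment at this call naming that path, and state in the commit message that an IDAT chunk in extradata is now rejected by the !p check in decode_idat_chunk() rather than decoded.
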
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:23 +0200
Message-Id: <20230416164830.15664-4-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 04/11] avcodec/exr: Cleanup before return

Fixes: leaks
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6703454090559488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/exr.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 2f1766c17bf..8cc6b056b29 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1930,8 +1930,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) bytestream2_get_buffer(gb, key, FFMIN(sizeof(key) - 1, var_size)); if (strncmp("scanlineimage", key, var_size) && - strncmp("tiledimage", key, var_size)) - return AVERROR_PATCHWELCOME; + strncmp("tiledimage", key, var_size)) { + ret = AVERROR_PATCHWELCOME; + goto fail; + } continue; } else if ((var_size = check_header_variable(s, "preview",
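
Review bot: the commit message says only "Fixes: leaks" and the hunk does not show the fail label, so it is not possible to tell from the patch what decode_header() has allocated by the time of the AVERROR_PATCHWELCOME return. Name the leaked allocation in the message. Separately, in the context lines the two strncmp() calls compare only var_size characters, so a value that is a shorter prefix of "scanlineimage" or "tiledimage" passes the check; an exact length comparison would be stricter.
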
@@ -1939,12 +1941,16 @@ static int decode_header(EXRContext *s, AVFrame *frame) uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); uint64_t psize = pw * ph; - if (psize > INT64_MAX / 4) - return AVERROR_INVALIDDATA; + if (psize > INT64_MAX / 4) { + ret = AVERROR_INVALIDDATA; + goto fail; + } psize *= 4; - if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) - return AVERROR_INVALIDDATA; + if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } bytestream2_skip(gb, psize);
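
Review bot: the first check this hunk rewraps, psize > INT64_MAX / 4, can never be true, because the context line uint64_t psize = pw * ph; multiplies two uint32_t values in 32 bits and only then widens the already wrapped result. While touching these lines, cast one operand, for example (uint64_t)pw * ph, so that the preview size compared against bytestream2_get_bytes_left(gb) and passed to bytestream2_skip() is the real product. The goto fail conversions themselves look consistent across both checks.
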
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:24 +0200
Message-Id: <20230416164830.15664-5-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 05/11] avcodec/flacdec: Fix signed integer overflow

Fixes: signed integer overflow: 3011809745540902265 + 6323452730883571725 cannot be represented in type 'long'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-6687553022722048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/flacdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index cc778a8dff1..524a0469495 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c
@@ -513,7 +513,7 @@ static int decode_subframe_lpc_33bps(FLACContext *s, int64_t *decoded, for (i = pred_order; i < s->blocksize; i++, decoded++) { int64_t sum = 0; for (j = 0; j < pred_order; j++) - sum += (int64_t)coeffs[j] * decoded[j]; + sum += (int64_t)coeffs[j] * (uint64_t)decoded[j]; decoded[j] = residual[i] + (sum >> qlevel); }
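
Review bot: the (uint64_t) cast on decoded[j] fixes the reported addition overflow only indirectly. It makes the product unsigned, and the += into the int64_t sum is then also carried out in uint64_t through the usual conversions before being stored back as signed. That is not obvious from the line, so add a comment, or make the accumulator itself uint64_t and convert once where sum >> qlevel is evaluated so the shift stays arithmetic. The following residual[i] + (sum >> qlevel) remains a signed addition unless residual[] is unsigned, which the hunk does not show.
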
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:25 +0200
Message-Id: <20230416164830.15664-6-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 06/11] avcodec/utils: the IFF_ILBM implementation assumes that there are a multiple of 16 allocated

Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5124452659888128
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6362836707442688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 599da21dba2..ef1845954e8 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c
@@ -317,7 +317,7 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, } if (s->codec_id == AV_CODEC_ID_IFF_ILBM) { - w_align = FFMAX(w_align, 8); + w_align = FFMAX(w_align, 16); } *width = FFALIGN(*width, w_align);
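
Review bot: the new value 16 in the AV_CODEC_ID_IFF_ILBM branch of avcodec_align_dimensions2() is unexplained in the code; the reason exists only in the subject line. Add a comment at that branch naming the decoder assumption it protects (the IFF_ILBM implementation expects a multiple of 16 to be allocated), so the alignment is not lowered again later. Because the bound is enforced here and not in the decoder, the message should also say whether frames allocated without going through this function can still hit the out of array access.
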
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:26 +0200
Message-Id: <20230416164830.15664-7-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 07/11] avcodec/sonic: Fix two undefined integer overflows

Fixes: signed integer overflow: 2147483372 - -148624 cannot be represented in type 'int'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5477177805373440
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-6681622236233728
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/sonic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 62e6193ac63..0544fecf469 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -473,7 +473,7 @@ static void predictor_init_state(int *k, int *state, int order) static int predictor_calc_error(int *k, int *state, int order, int error) { - int i, x = error - shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT); + int i, x = error - (unsigned)shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT); #if 1 int *k_ptr = &(k[order-2]),
@@ -1013,7 +1013,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (s->lossless) quant = 1; else - quant = get_symbol(&c, state, 0) * SAMPLE_FACTOR; + quant = get_symbol(&c, state, 0) * (unsigned)SAMPLE_FACTOR; // av_log(NULL, AV_LOG_INFO, "quant: %d\n", quant);
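Review bot: in predictor_calc_error() (hunk at -473), `error - (unsigned)shift_down(...)` moves the subtraction into unsigned arithmetic, but the result is still stored in `int x`, so a difference that does not fit in an int is wrapped back into range rather than rejected. If wraparound is the intended semantics for the predictor, say so in a comment next to the cast; otherwise bound `error` and the lattice state before the subtraction.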
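Review bot: in sonic_decode_frame() (hunk at -1013), `get_symbol(&c, state, 0) * (unsigned)SAMPLE_FACTOR` makes the multiplication well defined, but no range check on the symbol is visible in the hunk, so the product can still wrap to an arbitrary `quant`. Consider rejecting a get_symbol() result that cannot be multiplied by SAMPLE_FACTOR without overflow and returning AVERROR_INVALIDDATA, rather than letting a wrapped quantizer reach the rest of the decoder. The commit message quotes only a subtraction report, so the sanitizer message for this multiplication would be worth adding.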
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:27 +0200
Message-Id: <20230416164830.15664-8-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 08/11] avcodec/tak: Check remaining bits in ff_tak_decode_frame_header()

Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-6682195323650048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/tak.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tak.c b/libavcodec/tak.c index f26574c968e..48fe83381f1 100644 --- a/libavcodec/tak.c +++ b/libavcodec/tak.c
@@ -169,6 +169,9 @@ int ff_tak_decode_frame_header(AVCodecContext *avctx, GetBitContext *gb, if (ti->flags & TAK_FRAME_FLAG_HAS_METADATA) return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 24) + return AVERROR_INVALIDDATA; + skip_bits(gb, 24); return 0;
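Review bot: the new guard `if (get_bits_left(gb) < 24)` and the following `skip_bits(gb, 24);` repeat the literal 24 with no comment on what those 24 bits are. A named constant, or one comment shared by the check and the skip, would keep the two from drifting apart if the header layout is ever touched. The guard also covers only this final skip; the hunk does not show whether the reads earlier in ff_tak_decode_frame_header() are bounded the same way, which is worth confirming before this is treated as the complete fix for the out of array access.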
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:28 +0200
Message-Id: <20230416164830.15664-9-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 09/11] avcodec/tiff: add a zero DNG_LINEARIZATION_TABLE check

Fixes: index 4294967295 out of bounds for type 'uint16_t [65536]'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5950405086674944
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6666195176914944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1a1879de890..ebc7505dcdf 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c
@@ -1451,7 +1451,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_GRAY_RESPONSE_CURVE: case DNG_LINEARIZATION_TABLE: - if (count > FF_ARRAY_ELEMS(s->dng_lut)) + if (count < 1 || count > FF_ARRAY_ELEMS(s->dng_lut)) return AVERROR_INVALIDDATA; for (int i = 0; i < count; i++) s->dng_lut[i] = ff_tget(&s->gb, type, s->le);
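Review bot: `count < 1` is added in front of a loop, `for (int i = 0; i < count; i++)`, that is already safe for a zero count, so the reported index 4294967295 must come from a consumer of `s->dng_lut` outside this hunk. Add a comment at the check saying which later use needs at least one entry. The condition also sits under both `case TIFF_GRAY_RESPONSE_CURVE:` and `case DNG_LINEARIZATION_TABLE:`, so an empty gray response curve now returns AVERROR_INVALIDDATA as well, while the subject line mentions only DNG_LINEARIZATION_TABLE.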
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:29 +0200
Message-Id: <20230416164830.15664-10-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 10/11] avcodec/dpcm: fix undefined integer overflow in wady

Fixes: signed integer overflow: -2147375930 + -133875 cannot be represented in type 'int'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WADY_DPCM_fuzzer-6703727013920768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/dpcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c index 6ea9e2c0650..eff6587404d 100644 --- a/libavcodec/dpcm.c +++ b/libavcodec/dpcm.c
@@ -444,7 +444,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame, if (n & 0x80) s->sample[idx] = sign_extend((n & 0x7f) << 9, 16); else - s->sample[idx] += s->scale * wady_table[n & 0x7f]; + s->sample[idx] += s->scale * (unsigned)wady_table[n & 0x7f]; *output_samples++ = av_clip_int16(s->sample[idx]); idx ^= stereo; }
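Review bot: the `(unsigned)` cast on `wady_table[n & 0x7f]` lets the `+=` wrap instead of overflowing, but `s->sample[idx]` itself is never bounded: only the value written to the output goes through av_clip_int16(). After enough same-sign deltas the stored accumulator wraps, and the clipped output then jumps from one rail to the other. If that is acceptable for damaged streams, a comment saying so would help; otherwise clip the accumulator where it is updated.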
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:30 +0200
Message-Id: <20230416164830.15664-11-michael@niedermayer.cc>
In-Reply-To: <20230416164830.15664-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 11/11] avcodec/wavarc: Check order before using it to write the list

Fixes: out of array access
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6247711015043072
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6487578428964864
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6651587794960384
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6686265824378880
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/wavarc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index 896972cec82..827803c91d0 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -343,6 +343,8 @@ static int decode_2slp(AVCodecContext *avctx, break; case 0: order = get_urice(gb, 2); + if ((unsigned)order >= FF_ARRAY_ELEMS(s->filter[ch])) + return AVERROR_INVALIDDATA; for (int o = 0; o < order; o++) s->filter[ch][o] = get_srice(gb, 2); for (int n = 0; n < s->nb_samples; n++) {
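Review bot: the bound in decode_2slp() uses `>=`, so `order == FF_ARRAY_ELEMS(s->filter[ch])` is rejected even though the write loop `for (int o = 0; o < order; o++)` would stay inside the array for that value. If a later read indexes the filter at `order` itself, say so in a comment at the check; if not, `>` is the tight bound and would match the comparison used for `s->dng_lut` in patch 09/11.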