From patchwork Tue Apr 25 18:38:13 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 41324
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:dca6:b0:f3:34fa:f187 with SMTP id
 ky38csp2452211pzb;
        Tue, 25 Apr 2023 11:38:27 -0700 (PDT)
X-Google-Smtp-Source: 
 AKy350ZkD0vi0cW+mLB563v0sy+ExPz9IrRh/3v9Vl7KIX3ovVwkkB/bOkISSOoGQKlP1OgPNmUV
X-Received: by 2002:a17:906:12:b0:94e:6edc:71bc with SMTP id
 18-20020a170906001200b0094e6edc71bcmr14059021eja.25.1682447907581;
        Tue, 25 Apr 2023 11:38:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682447907; cv=none;
        d=google.com; s=arc-20160816;
        b=NdVCoU34AEXbMEBABPlHi8eqqSTmFdEEhqCw2eH9wsG6YyopRG+8TnoBovEYYqDrZj
         a7aw44HZXA0OrprWymslCNR6hHv0CoGNOub3nYSilwEWskBRuIhu+r7hRztlwnEiC1BF
         1YGyqc/gW7Icjd+xEBhWOUezZejA6jJaUofqKyPRn5STegoLIdQMckXU1W/iLkWtggln
         HiDKnOmghVwd2IzxLs+GOnckr0MSjB9ph7jWalDKEhSJSz6qpMfS3DCxIPeYasn8NgY2
         8LA2HIioglkOQvUSB0UUijmfl/q72ssoAl2SDP4M1ooCsH7vzho8f6/JCTgvY0P1YM3Y
         QX3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:message-id:date:to:from:delivered-to;
        bh=L6eswHTA4ZmN4oO55z7I6OkFDc4gkTED/lkMfkmO7zo=;
        b=NVLmhdE1gdFk/ahaBxOKll6qTaIjDXc/s4SKZJkFkWq8BmXtmXCuXVQcPfk3qK+97v
         MB0J6/aCj2UUz6N+xPPNyIa8Q7dB9e+szOs0o8C2AbwA1i3lffj8LJZs9ZCiAhuY4eUO
         9pWNFbjK3JhV7B+sKuVDSxXeqjTLwAyfFTk2C6xIjQjGMWnNRRViiOlbpZUxjCEgv2lY
         YOJk/KFB6Ofx/9UNzB8n7c3YJMIUVZ4VSsg73SDZwZkOkOkakJAqENHrpCzPQ1ZjfXdK
         nletiVm1JZ80wD05dMZibpdh0n0yz7RBruyd7CQZpZNQV/63qQMVXPkK2xfirEVitKVe
         Ib1Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 j2-20020a170906474200b0094efb4f4271si11775115ejs.434.2023.04.25.11.38.27;
        Tue, 25 Apr 2023 11:38:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id DD9A068BF7A;
	Tue, 25 Apr 2023 21:38:23 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net
 [217.70.183.195])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3DFB168BA82
 for <ffmpeg-devel@ffmpeg.org>; Tue, 25 Apr 2023 21:38:17 +0300 (EEST)
Received: (Authenticated sender: michael@niedermayer.cc)
 by mail.gandi.net (Postfix) with ESMTPSA id 27EF760008
 for <ffmpeg-devel@ffmpeg.org>; Tue, 25 Apr 2023 18:38:15 +0000 (UTC)
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Tue, 25 Apr 2023 20:38:13 +0200
Message-Id: <20230425183814.18486-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/wavarc: Fix k limit
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: VxDOmaK7OfDb

The implementation does not support k=32

Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 57976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5911925807775744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 827803c91d..312e4beb7f 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -192,7 +192,7 @@ static int decode_1dif(AVCodecContext *avctx,
         if (block_type < 4 && block_type >= 0) {
             k = 1 + (avctx->sample_fmt == AV_SAMPLE_FMT_S16P);
             k = get_urice(gb, k) + 1;
-            if (k > 32)
+            if (k >= 32)
                 return AVERROR_INVALIDDATA;
         }
 
@@ -284,7 +284,7 @@ static int decode_2slp(AVCodecContext *avctx,
         if (block_type < 5 && block_type >= 0) {
             k = 1 + (avctx->sample_fmt == AV_SAMPLE_FMT_S16P);
             k = get_urice(gb, k) + 1;
-            if (k > 32)
+            if (k >= 32)
                 return AVERROR_INVALIDDATA;
         }
 

From patchwork Tue Apr 25 18:38:14 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 41325
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:dca6:b0:f3:34fa:f187 with SMTP id
 ky38csp2452270pzb;
        Tue, 25 Apr 2023 11:38:36 -0700 (PDT)
X-Google-Smtp-Source: 
 AKy350YlaWUEd1obrLoH7DhbkR6N5vv0OJgC7P3bwPzwsiBhmEGG9i2cgkjLY58c0gazKG9zCrfx
X-Received: by 2002:a17:907:a070:b0:94f:2948:b15e with SMTP id
 ia16-20020a170907a07000b0094f2948b15emr13630892ejc.5.1682447916563;
        Tue, 25 Apr 2023 11:38:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682447916; cv=none;
        d=google.com; s=arc-20160816;
        b=xNpvd6LLs8EjnC/IUREncqRSCw0TiwgyK2aC0Ei+Mt5GQz1PZCAqkiDAUCcQTcWz9q
         GVW5Mk4OTpyfGe059vzA1HepEWAfBETfH2b1yW29VFvQeiO9AgbEFJn4StqNQ1cF2+tS
         vSRNhUCu2/c8HKITMqtqmBGONGNReGoLoFkpLU/DetyVibiPn0mH2sC+Gy7+ItY6Iwy5
         tmNs0lYNcEsfsxLYWSz2p/gJYoYw2gePHrW96mWlplUg1l08JVN5YcV7xrGKXGQKEgPm
         uTiiSj3sz51j6GP+qM9zlCq0MwyyvuEjhlSFviAQY/9cPu7y3jKsw5reFQ1aQ3gPSoNh
         omug==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:references:in-reply-to:message-id:date
         :to:from:delivered-to;
        bh=TwrcbamG8BBSw97ze5noVeurj7ozx0Bur5nIPIDpOs4=;
        b=KioDm/4TqD+rW9itF9BiNghgY+b03ziQo/cBnwD4YZVGSlKj6nXiKb88pp4W1zZxS9
         V9OvYTxPdR2vQSxy3EfxzLp6IHXBEXyeyqZ2tMfSSgDA9Hh4CS9qtFOAb+PWoOhXcIjn
         rqaDGpgSB2zTyX4/9eeLRMDK65hwhG4DPw6InIq3gnTLkx2wA/HE9IQynrAnIyv5XZZB
         /8pAm9MtuaDGdsL8Gq/e23jM+f+cr7Hj/cLAdeIvTFtCL0L800RGAM3enpGKAaBfyVvE
         JMXvM9lZkbXIS3gLDp/u2pvFkAc0BW/+hehhCs2t8nYxIwifdrcTuuEBXI7MX+Yiv6Lg
         6wyA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 jj13-20020a170907984d00b0094f8f6a912bsi10518536ejc.416.2023.04.25.11.38.36;
        Tue, 25 Apr 2023 11:38:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id EF59968BF8A;
	Tue, 25 Apr 2023 21:38:25 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net
 [217.70.183.194])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id D2EE268BA82
 for <ffmpeg-devel@ffmpeg.org>; Tue, 25 Apr 2023 21:38:19 +0300 (EEST)
Received: (Authenticated sender: michael@niedermayer.cc)
 by mail.gandi.net (Postfix) with ESMTPSA id C048A40005
 for <ffmpeg-devel@ffmpeg.org>; Tue, 25 Apr 2023 18:38:18 +0000 (UTC)
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Tue, 25 Apr 2023 20:38:14 +0200
Message-Id: <20230425183814.18486-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230425183814.18486-1-michael@niedermayer.cc>
References: <20230425183814.18486-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/aacdec_template: Fix undefined
 signed interger operations
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: sOGCVD0ZJ+11

Fixed: signed integer overflow: -2 * -1085502286 cannot be represented in type 'int'
Fixed: 57986/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5123651145170944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/aacdec_template.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 444dc4fa9d..237ec8828f 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -2856,8 +2856,8 @@ static void imdct_and_windowing_eld(AACContext *ac, SingleChannelElement *sce)
         ac->mdct512_fn(ac->mdct512, buf, in, sizeof(INTFLOAT));
 
     for (i = 0; i < n; i+=2) {
-        buf[i + 0] = -(USE_FIXED + 1)*buf[i + 0];
-        buf[i + 1] =  (USE_FIXED + 1)*buf[i + 1];
+        buf[i + 0] = -(USE_FIXED + 1U)*buf[i + 0];
+        buf[i + 1] =  (USE_FIXED + 1U)*buf[i + 1];
     }
     // Like with the regular IMDCT at this point we still have the middle half
     // of a transform but with even symmetry on the left and odd symmetry on