From patchwork Wed Apr 15 19:18:41 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 18985
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 15 Apr 2020 21:18:41 +0200
Message-Id: <20200415191842.5461-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/2] avformat/thp: Require a video stream

The demuxer code assumes the existence of a video stream
Fixes: assertion failure
Fixes: 21512/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5699660783288320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/thp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/thp.c b/libavformat/thp.c index 332ed79128..d3ae86c645 100644 --- a/libavformat/thp.c +++ b/libavformat/thp.c
@@ -145,6 +145,9 @@ static int thp_read_header(AVFormatContext *s) } } + if (!thp->vst) + return AVERROR_INVALIDDATA; + return 0; }

From patchwork Wed Apr 15 19:18:42 2020
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 18986
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Wed, 15 Apr 2020 21:18:42 +0200
Message-Id: <20200415191842.5461-2-michael@niedermayer.cc>
In-Reply-To: <20200415191842.5461-1-michael@niedermayer.cc>
References: <20200415191842.5461-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/aacdec_template: Pass AVCodecContext separately to set_default_channel_config()

Regression since 4d9b9c5e4637ac15205467f16fcac92a28e18f18
Fixes: Null pointer dereference
Fixes: 21642/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5670101358739456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/aacdec_template.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 3c7818530a..a473e1bad7 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c
@@ -520,14 +520,14 @@ static void flush(AVCodecContext *avctx) * * @return Returns error status. 0 - OK, !0 - error */ -static int set_default_channel_config(AACContext *ac, +static int set_default_channel_config(AACContext *ac, AVCodecContext *avctx, uint8_t (*layout_map)[3], int *tags, int channel_config) { if (channel_config < 1 || (channel_config > 7 && channel_config < 11) || channel_config > 12) { - av_log(ac->avctx, AV_LOG_ERROR, + av_log(avctx, AV_LOG_ERROR, "invalid default channel configuration (%d)\n", channel_config); return AVERROR_INVALIDDATA; @@ -547,8 +547,8 @@ static int set_default_channel_config(AACContext *ac, * As actual intended 7.1(wide) streams are very rare, default to assuming a * 7.1 layout was intended. */ - if (channel_config == 7 && ac->avctx->strict_std_compliance < FF_COMPLIANCE_STRICT && !ac->warned_71_wide++) { - av_log(ac->avctx, AV_LOG_INFO, "Assuming an incorrectly encoded 7.1 channel layout" + if (channel_config == 7 && avctx->strict_std_compliance < FF_COMPLIANCE_STRICT && (!ac || !ac->warned_71_wide++)) { + av_log(avctx, AV_LOG_INFO, "Assuming an incorrectly encoded 7.1 channel layout" " instead of a spec-compliant 7.1(wide) layout, use -strict %d to decode" " according to the specification instead.\n", FF_COMPLIANCE_STRICT); layout_map[2][2] = AAC_CHANNEL_SIDE; @@ -573,7 +573,7 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) av_log(ac->avctx, AV_LOG_DEBUG, "mono with CPE\n"); - if (set_default_channel_config(ac, layout_map, + if (set_default_channel_config(ac, ac->avctx, layout_map, &layout_map_tags, 2) < 0) return NULL; if (output_configure(ac, layout_map, layout_map_tags, 
@@ -592,7 +592,7 @@ static ChannelElement *get_che(AACContext *ac, int type, int elem_id) av_log(ac->avctx, AV_LOG_DEBUG, "stereo with SCE\n"); - if (set_default_channel_config(ac, layout_map, + if (set_default_channel_config(ac, ac->avctx, layout_map, &layout_map_tags, 1) < 0) return NULL; if (output_configure(ac, layout_map, layout_map_tags, @@ -841,7 +841,7 @@ static int decode_ga_specific_config(AACContext *ac, AVCodecContext *avctx, if (tags < 0) return tags; } else { - if ((ret = set_default_channel_config(ac, layout_map, + if ((ret = set_default_channel_config(ac, avctx, layout_map, &tags, channel_config))) return ret; } @@ -937,7 +937,7 @@ static int decode_eld_specific_config(AACContext *ac, AVCodecContext *avctx, skip_bits_long(gb, 8 * len); } - if ((ret = set_default_channel_config(ac, layout_map, + if ((ret = set_default_channel_config(ac, avctx, layout_map, &tags, channel_config))) return ret; @@ -1200,7 +1200,7 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) ac->oc[1].m4ac.chan_config = i; if (ac->oc[1].m4ac.chan_config) { - int ret = set_default_channel_config(ac, layout_map, + int ret = set_default_channel_config(ac, avctx, layout_map, &layout_map_tags, ac->oc[1].m4ac.chan_config); if (!ret) output_configure(ac, layout_map, layout_map_tags, @@ -3002,7 +3002,7 @@ static int parse_adts_frame_header(AACContext *ac, GetBitContext *gb) push_output_configuration(ac); if (hdr_info.chan_config) { ac->oc[1].m4ac.chan_config = hdr_info.chan_config; - if ((ret = set_default_channel_config(ac, + if ((ret = set_default_channel_config(ac, ac->avctx, layout_map, &layout_map_tags, hdr_info.chan_config)) < 0)
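Review bot: the new `if (!thp->vst)` check at the end of thp_read_header() in libavformat/thp.c (patch 1/2, hunk @@ -145) rejects the file without telling the user why. Consider logging before the return, for example `av_log(s, AV_LOG_ERROR, "No video stream found\n");`, so that a file without a video stream can be told apart from other AVERROR_INVALIDDATA causes. Because the check sits at the very end of the function, just before `return 0;`, it is also worth confirming that nothing set up earlier in thp_read_header() needs releasing on this late error path.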
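Review bot: the doc comment above set_default_channel_config() (its tail, `@return Returns error status. 0 - OK, !0 - error`, is visible at the top of the @@ -520 hunk in libavcodec/aacdec_template.c, patch 2/2) is not updated for the new `AVCodecContext *avctx` parameter. Document the parameter there and state that `ac` may be NULL, since the following hunk starts guarding it with `!ac`; without that, the next change to this function can easily reintroduce an `ac->avctx` dereference.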
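Review bot: the `(!ac || !ac->warned_71_wide++)` guard in the @@ -547 hunk of libavcodec/aacdec_template.c (patch 2/2) means that with `ac == NULL` the "Assuming an incorrectly encoded 7.1 channel layout" notice is logged on every call with `channel_config == 7`, because there is no context left to remember that it was already shown. If that is intended, a short comment saying so would help, along with a note on which caller reaches this function with a NULL `ac`: every call site updated in this patch passes `ac, avctx` or `ac, ac->avctx`, and the commit message only names the regressing commit. The call sites changed to `ac, ac->avctx` (in get_che() and parse_adts_frame_header()) still dereference `ac` themselves, so they rely on it being non-NULL on those paths.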