From patchwork Sun Jul 23 18:02:59 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 42924
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 23 Jul 2023 20:02:59 +0200 Message-Id: <20230723180303.8000-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 1/5] avcodec/vmixdec: Check for end of input in decode_dcac() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: C0Cl9VRCF9P9 Fixes: Timeout Fixes: 59952/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMIX_fuzzer-6718213736759296 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vmixdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vmixdec.c b/libavcodec/vmixdec.c index b77c90929a..4cc5963e25 100644 --- a/libavcodec/vmixdec.c +++ b/libavcodec/vmixdec.c @@ -115,6 +115,8 @@ static int decode_dcac(AVCodecContext *avctx, if (dc_run > 0) { dc_run--; } else { + if (get_bits_left(dc_gb) < 1) + return AVERROR_INVALIDDATA; dc_v = get_se_golomb_vmix(dc_gb); dc += (unsigned)dc_v; if (!dc_v) 
@@ -127,6 +129,8 @@ static int decode_dcac(AVCodecContext *avctx, continue; } + if (get_bits_left(ac_gb) < 1) + return AVERROR_INVALIDDATA; ac_v = get_se_golomb_vmix(ac_gb); i = scan[n]; block[i] = ((unsigned)ac_v * factors[i]) >> 4;
From patchwork Sun Jul 23 18:03:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 42925
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 23 Jul 2023 20:03:00 +0200 Message-Id: <20230723180303.8000-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230723180303.8000-1-michael@niedermayer.cc> References: <20230723180303.8000-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 2/5] avcodec/mpeg4videodec: consider lowres in dest_pcm[] X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: vdbTTC1++rfb Fixes: out of array access Fixes: 59999/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5767982157266944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 30aec5e529..b7fab5a4df 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c 
@@ -295,7 +295,7 @@ void ff_mpeg4_decode_studio(MpegEncContext *s, uint8_t *dest_y, uint8_t *dest_cb int hsub = i ? s->chroma_x_shift : 0; int lowres = s->avctx->lowres; int step = 1 << lowres; - dest_pcm[i] += (linesize[i] / 2) * ((16 >> vsub) - 1); + dest_pcm[i] += (linesize[i] / 2) * ((16 >> vsub + lowres) - 1); for (int h = (16 >> (vsub + lowres)) - 1; h >= 0; h--){ for (int w = (16 >> (hsub + lowres)) - 1, idx = 0; w >= 0; w--, idx += step) dest_pcm[i][w] = src[idx];
From patchwork Sun Jul 23 18:03:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 42926
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 23 Jul 2023 20:03:01 +0200 Message-Id: <20230723180303.8000-3-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230723180303.8000-1-michael@niedermayer.cc> References: <20230723180303.8000-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 3/5] avformat/imf_cpl: xmlNodeListGetString() can return NULL X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: 6UGS7CDrsXXx Fixes: NULL pointer dereference Fixes: 60166/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5998301577871360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/imf_cpl.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/imf_cpl.c b/libavformat/imf_cpl.c index fe975c2f0c..69155d786d 100644 --- a/libavformat/imf_cpl.c +++ b/libavformat/imf_cpl.c @@ -75,6 +75,8 @@ int ff_imf_xml_read_uuid(xmlNodePtr element, AVUUID uuid) int ret = 0; xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1); + if (!element_text) + return AVERROR_INVALIDDATA; ret = av_uuid_urn_parse(element_text, uuid); if (ret) ret = AVERROR_INVALIDDATA; 
@@ -88,7 +90,7 @@ int ff_imf_xml_read_rational(xmlNodePtr element, AVRational *rational) int ret = 0; xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1); - if (sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2) + if (element_text == NULL || sscanf(element_text, "%i %i", &rational->num, &rational->den) != 2) ret = AVERROR_INVALIDDATA; xmlFree(element_text); @@ -100,7 +102,7 @@ int ff_imf_xml_read_uint32(xmlNodePtr element, uint32_t *number) int ret = 0; xmlChar *element_text = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1); - if (sscanf(element_text, "%" PRIu32, number) != 1) + if (element_text == NULL || sscanf(element_text, "%" PRIu32, number) != 1) ret = AVERROR_INVALIDDATA; xmlFree(element_text); 
@@ -245,6 +247,8 @@ static int fill_timecode(xmlNodePtr cpl_element, FFIMFCPL *cpl) return AVERROR_INVALIDDATA; tc_str = xmlNodeListGetString(element->doc, element->xmlChildrenNode, 1); + if (!tc_str) + return AVERROR_INVALIDDATA; ret = parse_cpl_tc_type(tc_str, comps); xmlFree(tc_str); if (ret)
From patchwork Sun Jul 23 18:03:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 42927
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 23 Jul 2023 20:03:02 +0200 Message-Id: <20230723180303.8000-4-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230723180303.8000-1-michael@niedermayer.cc> References: <20230723180303.8000-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 4/5] avcodec/hevcdec: Fix undefined memcpy() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: IsCHumLaDVc3 There is likely a better way to fix this, this is mainly to show the problem Fixes: MC within same frame resulting in overlapping memcpy() Fixes: 60189/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4992746590175232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/hevcdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index fcf19b4eb6..1536fa5b4b 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
@@ -1563,7 +1563,8 @@ static void luma_mc_uni(HEVCLocalContext *lc, uint8_t *dst, ptrdiff_t dststride, if (x_off < QPEL_EXTRA_BEFORE || y_off < QPEL_EXTRA_AFTER || x_off >= pic_width - block_w - QPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - QPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - QPEL_EXTRA_AFTER || + ref == s->frame) { const ptrdiff_t edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset = QPEL_EXTRA_BEFORE * srcstride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); int buf_offset = QPEL_EXTRA_BEFORE * edge_emu_stride + (QPEL_EXTRA_BEFORE << s->ps.sps->pixel_shift); @@ -1713,6 +1714,7 @@ static void chroma_mc_uni(HEVCLocalContext *lc, uint8_t *dst0, intptr_t my = av_mod_uintp2(mv->y, 2 + vshift); intptr_t _mx = mx << (1 - hshift); intptr_t _my = my << (1 - vshift); + int emu = src0 == s->frame->data[1] || src0 == s->frame->data[2]; x_off += mv->x >> (2 + hshift); y_off += mv->y >> (2 + vshift); 
@@ -1720,7 +1722,8 @@ static void chroma_mc_uni(HEVCLocalContext *lc, uint8_t *dst0, if (x_off < EPEL_EXTRA_BEFORE || y_off < EPEL_EXTRA_AFTER || x_off >= pic_width - block_w - EPEL_EXTRA_AFTER || - y_off >= pic_height - block_h - EPEL_EXTRA_AFTER) { + y_off >= pic_height - block_h - EPEL_EXTRA_AFTER || + emu) { const int edge_emu_stride = EDGE_EMU_BUFFER_STRIDE << s->ps.sps->pixel_shift; int offset0 = EPEL_EXTRA_BEFORE * (srcstride + (1 << s->ps.sps->pixel_shift)); int buf_offset0 = EPEL_EXTRA_BEFORE *
From patchwork Sun Jul 23 18:03:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 42928
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 23 Jul 2023 20:03:03 +0200 Message-Id: <20230723180303.8000-5-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230723180303.8000-1-michael@niedermayer.cc> References: <20230723180303.8000-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 5/5] avcodec/h266_metadata_bsf: Check if there are CodedBitstreamFragment units X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: 5ABUjoh4ZwhA Fixes: NULL pointer dereference Fixes: 60269/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-5215449416335360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/h266_metadata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h266_metadata_bsf.c b/libavcodec/h266_metadata_bsf.c index c0dbf8ef96..1f0f875cfe 100644 --- a/libavcodec/h266_metadata_bsf.c +++ b/libavcodec/h266_metadata_bsf.c @@ -43,7 +43,7 @@ static int h266_metadata_update_fragment(AVBSFContext *bsf, AVPacket *pkt, int err, i; // If an AUD is present, it must be the first NAL unit. - if (pu->units[0].type == VVC_AUD_NUT) { + if (pu->nb_units && pu->units[0].type == VVC_AUD_NUT) { if (ctx->aud == BSF_ELEMENT_REMOVE) ff_cbs_delete_unit(pu, 0); } else if ( pkt && ctx->aud == BSF_ELEMENT_INSERT) {
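Review bot: [PATCH 1/5] libavcodec/vmixdec.c, first hunk of decode_dcac(): the threshold in `get_bits_left(dc_gb) < 1` only proves that a single bit remains before `get_se_golomb_vmix(dc_gb)` is called, not that the whole code lies inside the input. If stopping the loop once the input is exhausted is all that is intended, say so in a short comment above the check, so that a later reader does not take it for a full bounds check on the Golomb code.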
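Review bot: [PATCH 1/5] libavcodec/vmixdec.c, second hunk of decode_dcac(): the early `return AVERROR_INVALIDDATA` ahead of `get_se_golomb_vmix(ac_gb)` leaves `block[]` filled only up to the coefficient where the input ran out. Please confirm the caller drops the block or frame on this error rather than using the partial coefficients. The two-line check is also now duplicated for `dc_gb` and `ac_gb`; a small helper would keep the two copies from drifting apart.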
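Review bot: [PATCH 2/5] libavcodec/mpeg4videodec.c, ff_mpeg4_decode_studio(): the added expression `(16 >> vsub + lowres) - 1` relies on `+` binding tighter than `>>`. It evaluates as intended, but the `for` loop on the very next line writes the same quantity as `(16 >> (vsub + lowres)) - 1`. Use the parenthesised form here too, so the start offset visibly matches the loop bound and the line does not trip precedence warnings.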
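Review bot: [PATCH 3/5] libavformat/imf_cpl.c, ff_imf_xml_read_uuid(): the NULL test is spelled `!element_text` with an early return here, while the ff_imf_xml_read_rational() and ff_imf_xml_read_uint32() hunks of the same patch use `element_text == NULL ||` and fall through. Pick one form for all four call sites of xmlNodeListGetString() so the handling of a missing text node reads the same everywhere in the file.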
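Review bot: [PATCH 3/5] libavformat/imf_cpl.c, ff_imf_xml_read_rational(): on the new NULL path execution still reaches `xmlFree(element_text)` with a NULL argument. If that is relied on as a no-op, a brief comment would help; otherwise mirror the early `return AVERROR_INVALIDDATA` used in ff_imf_xml_read_uuid() so the free is only reached with a real allocation.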
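Review bot: [PATCH 3/5] libavformat/imf_cpl.c, ff_imf_xml_read_uint32(): the line being modified passes `"%" PRIu32` to sscanf(), but the PRI macros are the printf-family conversions; the scanf-family counterpart is `SCNu32`. Since this line is already being touched, switch it to `"%" SCNu32` in the same change.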
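Review bot: [PATCH 4/5] libavcodec/hevcdec.c, luma_mc_uni(): adding `ref == s->frame` to the edge-emulation condition sends every block that references the current frame through the emulation buffer, including blocks whose source and destination do not overlap, and the condition carries no comment explaining why it is there. Please document the reason next to the test and consider narrowing it to the overlapping case. The patch also only touches the two `_uni` functions; does the bi-predicted path need the same guard?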
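Review bot: [PATCH 4/5] libavcodec/hevcdec.c, second hunk (chroma_mc_uni()): `int emu = src0 == s->frame->data[1] || src0 == s->frame->data[2];` detects the same-frame case by comparing plane pointers, whereas the luma hunk compares the frame itself with `ref == s->frame`. The pointer form only matches while `src0` is still the unmodified plane base, which is easy to break in a later edit. Using one detection method in both functions, and a name more descriptive than `emu`, would make the intent clear.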
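Review bot: [PATCH 5/5] libavcodec/h266_metadata_bsf.c, h266_metadata_update_fragment(): with `pu->nb_units &&` added, an empty fragment now fails the first condition and falls through to `} else if ( pkt && ctx->aud == BSF_ELEMENT_INSERT) {`, so the AUD insertion branch runs on a fragment with zero units. Please check that this branch is safe and meaningful with `nb_units == 0`; if it is not, an explicit early return for the empty case before this `if` would be clearer than folding the test into the AUD check.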