From patchwork Wed Jul 26 23:59:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 42998 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c11c:b0:130:ccc6:6c4b with SMTP id bh28csp68806pzb; Wed, 26 Jul 2023 16:59:29 -0700 (PDT) X-Google-Smtp-Source: APBJJlHiIDYch3tswINokEUhLK0oXV3uHtaX0IRJKBSaXDJZpkO2MnzmWkyF2lIVaPHMwYt2uOKe X-Received: by 2002:a05:6512:3d1e:b0:4fb:7cea:882a with SMTP id d30-20020a0565123d1e00b004fb7cea882amr524895lfv.3.1690415969418; Wed, 26 Jul 2023 16:59:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690415969; cv=none; d=google.com; s=arc-20160816; b=oBxAOnaox8A7sT4AwtWeR5uTtTsvY6purbFHf3t9X4GyRM9QZM6ftusEvr9pogKfzp lZSAGl8J5PtStNSFpVbOocsD2AKDtnNq1fDYe/nO5ohViDC0pWvD6ReHpiSLn2CDefrz LqUM7AwJZfUSlbRfVRF+IMHNrgcOMf6fERvpokkf3LTvSLPthvuUCiN3VHfC2MuiO1kq P/vANcgHoyKZn8uGXGDbSLFXsm6BVirvnK/JJQprQQ+plA7jYsahY3wI4Ls+NkVveEN7 6Vfb5MM0etb3APHfjw+++Tnia3hM9bTYqXD+JocLSPcYv0Vuksbebj603kn5tNf8Odmy hJZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:message-id:date:to:from:delivered-to; bh=HqxaciOZfT6i8h7C7gP6HJBfrjAX6ZymZnmr8jA75CM=; fh=YYwLYmpaV0Fpw/rxmSKNRLS2XzDkAlGbHATiKOPtZrY=; b=Xppi1bTZe9bjKZxoN45UoTJpT2VtFRRehbpqsp072/7M1jJiSNv5W+HkrOU8RYTbmO nqlbaeZlROVAtOwFt/nzzF9DXKKCwF8PY0GWwUx1MyOyaPdzJqIRlXmGbHxHDzUvvMq5 qJr0xPFVWbOAP383UvpjAKEtFxf5DZHhx/PvYBwSGdJhZFKRnkz7x7RT15OFMmn3E2tw 9pNcAcD2Ko5MKsv1O9/FPwdyZu3MhaMqzwIVMtn5emFoWW3poWwgL/YQwUU9o9KGPb+4 7nJAqLfwt/Op/R9vAPvEDQ8ej5FlXZB6Dbp+Uo8mZS+FNIfaa0sgBD51qJrvO6EjUdXk Yumg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org 
Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100]) by mx.google.com with ESMTP id z11-20020aa7c64b000000b005222fd51562si30001edr.69.2023.07.26.16.59.28; Wed, 26 Jul 2023 16:59:29 -0700 (PDT) Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; Authentication-Results: mx.google.com; spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1356C68C83C; Thu, 27 Jul 2023 02:59:25 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 8301B68C64B for ; Thu, 27 Jul 2023 02:59:18 +0300 (EEST) Received: by mail.gandi.net (Postfix) with ESMTPSA id A166320003 for ; Wed, 26 Jul 2023 23:59:17 +0000 (UTC) From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Thu, 27 Jul 2023 01:59:13 +0200 Message-Id: <20230726235916.30058-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 1/4] avcodec/rtv1: Check if the minimal size is available in decode_rtv1() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: us/HILpvBE7K Signed-off-by: Michael Niedermayer --- libavcodec/rtv1.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c index 4b202e6a21..95fa9210d8 100644 --- a/libavcodec/rtv1.c +++ b/libavcodec/rtv1.c @@ -44,6 +44,8 @@ static int decode_rtv1(GetByteContext *gb, uint8_t *dst, ptrdiff_t linesize, uint8_t block[8] = { 0 }; int run = 0; + if (bytestream2_get_bytes_left(gb) < (width / 4) * (height / 4) / 0xFFFF * 4) + return AVERROR_INVALIDDATA; for (int y = 0; y < height; y += 4) { for (int x = 0; x < width * 4; x += 16) { int mode = 0; 
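Review bot: the new bound `+ if (bytestream2_get_bytes_left(gb) < (width / 4) * (height / 4) / 0xFFFF * 4)` is sound but opaque: it only rejects inputs carrying fewer than floor(blocks / 0xFFFF) * 4 bytes, which presumes that one 4-byte token can cover at most 0xFFFF 4x4 blocks through `run`, and the expression evaluates to 0 (no check at all) for any frame with at most 0xFFFF blocks, so it only bites on frames of roughly 1024x1024 and larger. A one-line comment stating that derivation, and a sentence in the commit message on which timeout case it addresses, would make the constant maintainable; using width / 4 and height / 4 (rounding down) is conservative with respect to the loop's y < height / x < width * 4 stepping, so no valid stream is rejected.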
@@ -126,7 +128,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, dst = p->data[0] + p->linesize[0] * (avctx->coded_height - 1); linesize = -p->linesize[0]; - decode_rtv1(&gb, dst, linesize, width, height, flags, dsp->dxt1_block); + ret = decode_rtv1(&gb, dst, linesize, width, height, flags, dsp->dxt1_block); + if (ret < 0) + return ret; p->pict_type = AV_PICTURE_TYPE_I; p->flags |= AV_FRAME_FLAG_KEY; From patchwork Wed Jul 26 23:59:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 42999 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c11c:b0:130:ccc6:6c4b with SMTP id bh28csp68847pzb; Wed, 26 Jul 2023 16:59:39 -0700 (PDT) X-Google-Smtp-Source: APBJJlG2nRlo0rdZ8ZqWr4vj8HozIDRpeZcsQJjOQo80DJcY77RS36RtrsqmtRX2D08BSHQVsi69 X-Received: by 2002:a17:907:2cf6:b0:994:54af:e27d with SMTP id hz22-20020a1709072cf600b0099454afe27dmr356078ejc.29.1690415979497; Wed, 26 Jul 2023 16:59:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690415979; cv=none; d=google.com; s=arc-20160816; b=qVU+EpXrB4Jd4f/sobrjJ5BwyAFRuZ2zRhwaGH7kXnq419ZjzZnCsJ5m8qbzlp5mMf y0nyRjdT3RB6TN6FN92MJVH+d1uxDJNTdP88lFDt8BHJZML0HE9Dm3ZfJdF50bLXhboM RAFZOIRNZen2Cg5MNSE2UYR11lpASfUrKVDDy4MkbojKo18fXWJZOkwhOarqKs4llSzH UVHWiAo9VKFfhC8NQj5gwYEYNi0xtiDVX9A4fLHJOjw8umFLtErXMi1yrFrLg3yJin7T eLyZnlgUqKwqB4c6N3vK0KIjvDXyFhGJh8X+VGoyMR+s+tW2SSvaP6Xy2XD4sGp2wLox E3dw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:delivered-to; bh=h6FxkYxs0aTfa9uH1H2mh4io6vJphHJHxmE2DEag7N4=; fh=YYwLYmpaV0Fpw/rxmSKNRLS2XzDkAlGbHATiKOPtZrY=; b=mcJaNAo3y2HzPCXo1uaoI/ZIfRKzFM1pOtao57S0eGpAabbX+Eu35mA3phSDaOX7Qr 
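Review bot: propagating the error is the right change, but the hunk relies on `ret` already being declared as an int in decode_frame() and on the caller discarding the partially written frame on a negative return; neither is visible here (the `- decode_rtv1(&gb, dst, linesize, width, height, flags, dsp->dxt1_block);` line only shows the value was previously dropped), so both are worth confirming before merge.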
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Thu, 27 Jul 2023 01:59:14 +0200 Message-Id: <20230726235916.30058-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230726235916.30058-1-michael@niedermayer.cc> References: <20230726235916.30058-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 2/4] tools/target_dec_fuzzer: Adjust threshold for rtv1 X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: c0IZbwIZzqXf Fixes: 60499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-5020295866744832 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 165951dc9d..570291fa79 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c 
@@ -274,6 +274,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_RKA: maxsamples /= 256; break; case AV_CODEC_ID_RSCC: maxpixels /= 256; break; case AV_CODEC_ID_RASC: maxpixels /= 16; break; + case AV_CODEC_ID_RTV1: maxpixels /= 16; break; case AV_CODEC_ID_SANM: maxpixels /= 16; break; case AV_CODEC_ID_SCPR: maxpixels /= 32; break; case AV_CODEC_ID_SCREENPRESSO:maxpixels /= 64; break; From patchwork Wed Jul 26 23:59:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 43000 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c11c:b0:130:ccc6:6c4b with SMTP id bh28csp68913pzb; Wed, 26 Jul 2023 16:59:48 -0700 (PDT) X-Google-Smtp-Source: APBJJlGd+clstEMCD/fTGe7OGdQyAsahsLn0olp/WxzTcTO5Vrc2ZCPeeZB7LeUOQIkn1ePu/LGW X-Received: by 2002:aa7:da43:0:b0:51e:1af0:3a90 with SMTP id w3-20020aa7da43000000b0051e1af03a90mr430890eds.37.1690415987850; Wed, 26 Jul 2023 16:59:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690415987; cv=none; d=google.com; s=arc-20160816; b=s3SQpU/ftAozHBcNhMzawCeW6/G5jscDu/oxxAJSBJpYj+fF+VJR4b03rEwSsyrYje KHG6Rwcew6Kdmp2KQH09dAWd3QJxx15HWm3/vrDm9PQl3exjpylcGQGvV/BzT781+vWJ iCu6L+vh3gf4LCLqIGOBh0ZJsLJmyP/qU47Q6JHsERLK+77IYWJE0ealCSCh5VJK2vDh 9Hxqd7BghSmmfEuBYhL9ym0wViycZef0UeOoWIjXmYOWMm5OYEjd9m/B07VgTZ8Hrf4a 8r2Qz+JNChydgORKU4cZiQxQm9UF3q6RDDBARUdvlaX53Qhw7sKt4OB0Eb9fXpAKONsX +A0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:delivered-to; bh=//hjThHc6jFx3EtFu3XTKRJXrNLpkE74l/X0y9rwGgo=; fh=YYwLYmpaV0Fpw/rxmSKNRLS2XzDkAlGbHATiKOPtZrY=; b=ZBIhfmOE/IJ/TTLcfX59PyNUFUQVS/VGVvWpNO9GmfygLMg1sdjqB4AKCIHkiIaFEi 
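Review bot: the new `+ case AV_CODEC_ID_RTV1: maxpixels /= 16; break;` line picks the same divisor as the neighbouring RASC and SANM entries without the commit message saying why 16 is enough for the referenced timeout testcase (SCPR and SCREENPRESSO use 32 and 64). Since this only lowers the fuzzer harness's pixel budget and changes no decoder behaviour, a short justification of the measured cost per pixel would help whoever revisits the threshold later; placement between RASC and SANM is consistent with the surrounding list.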
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Thu, 27 Jul 2023 01:59:15 +0200 Message-Id: <20230726235916.30058-3-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230726235916.30058-1-michael@niedermayer.cc> References: <20230726235916.30058-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 3/4] avcodec/vvc_parser: Avoid undefined overflow in POC computation X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: xKlTJmX264xE The comments to the function say that it does not implement the spec and instead follows VTM. This patch is quite likely not the right solution and more intended to show the issue to people knowing the specific part of VTM ... Fixes: signed integer overflow: 2147483392 + 256 cannot be represented in type 'int' Fixes: 60505/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6216675924770816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vvc_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vvc_parser.c b/libavcodec/vvc_parser.c index 3951ebe50a..c661595e1e 100644 --- a/libavcodec/vvc_parser.c +++ b/libavcodec/vvc_parser.c 
@@ -225,10 +225,10 @@ static void get_slice_poc(VVCParserContext *s, int *poc, } else { if ((poc_lsb < prev_poc_lsb) && ((prev_poc_lsb - poc_lsb) >= (max_poc_lsb / 2))) - poc_msb = prev_poc_msb + max_poc_lsb; + poc_msb = prev_poc_msb + (unsigned)max_poc_lsb; else if ((poc_lsb > prev_poc_lsb) && ((poc_lsb - prev_poc_lsb) > (max_poc_lsb / 2))) - poc_msb = prev_poc_msb - max_poc_lsb; + poc_msb = prev_poc_msb - (unsigned)max_poc_lsb; else poc_msb = prev_poc_msb; } From patchwork Wed Jul 26 23:59:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 43001 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:c11c:b0:130:ccc6:6c4b with SMTP id bh28csp68971pzb; Wed, 26 Jul 2023 16:59:56 -0700 (PDT) X-Google-Smtp-Source: APBJJlGKBHi3LvYX0f4xXWVKDK/jxviOOhMqdXiPkraMVRjK74v/NiWaTvpKHmL1gqdN2WE5Zjr0 X-Received: by 2002:a17:906:2cf:b0:98e:1b9b:aef7 with SMTP id 15-20020a17090602cf00b0098e1b9baef7mr526187ejk.64.1690415996633; Wed, 26 Jul 2023 16:59:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690415996; cv=none; d=google.com; s=arc-20160816; b=wDOWZCRebhMmI0GMUVlF66OpJMz7H1Lk7t293wwSIrSGRfCc5GKQsdvah6Tzj6U5rK w49BVHV0g/5o3TyH7LN560v6reT8e06XhsrgtFMagE3TOwoliDOViBMmXdicph65FSZC 2XHkNYQYWhzNOz8sMfSPvnd3SoyZlWBbG4uY5yN5r/jtfqQEO3sp9STUCWm/mCSFqeeu /gPbP3E8L43TlAcI5XK9DxXLOZvT4F/Jnjzu4MrDsN04sumXLJSm7YQGpXNoM7k3IHnM OqDi08rVnSnlZSPCWTn9TwyClbIXeZxyGfOR4ee5yAnkAqF5EJZ4D+7iadIlM1o5GRkK KwZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:delivered-to; bh=590jcgFtko06XSfVjmVqFTH7DUf+nj7Aad1uFKUpNZc=; fh=YYwLYmpaV0Fpw/rxmSKNRLS2XzDkAlGbHATiKOPtZrY=; b=p+5DyfABKoIpLtF41S7KB7NKBLW/2ePxZYGH9lGYkIb+iTafBHclvbiimK2P6uqx3u 
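Review bot: the `(unsigned)max_poc_lsb` casts stop the sanitizer report by making the addition and subtraction wrap in unsigned arithmetic, but the result is then converted back to int on assignment to poc_msb, so the conversion is implementation-defined rather than undefined and an out-of-range POC is still produced and propagated instead of being rejected. Given that the commit message itself doubts this is the right fix, an alternative is to detect the overflow explicitly (check prev_poc_msb against INT_MAX - max_poc_lsb before the `+ poc_msb = prev_poc_msb + (unsigned)max_poc_lsb;` path and against INT_MIN + max_poc_lsb before the subtraction) and treat it as invalid data, so the parser fails loudly on streams that push POC beyond the representable range rather than continuing with a wrapped value. Both branches are changed symmetrically, which is consistent.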
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Thu, 27 Jul 2023 01:59:16 +0200 Message-Id: <20230726235916.30058-4-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230726235916.30058-1-michael@niedermayer.cc> References: <20230726235916.30058-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 4/4] avcodec/evc_ps: Check num_ref_pic_list_in_sps X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: e8uuU+DQF2Nb Fixes: out of array write Fixes: 60798/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-4633529766772736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/evc_ps.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/evc_ps.c b/libavcodec/evc_ps.c index 04ee6a45e6..64384a392c 100644 --- a/libavcodec/evc_ps.c +++ b/libavcodec/evc_ps.c @@ -243,11 +243,20 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps) sps->rpl1_same_as_rpl0_flag = get_bits1(gb); sps->num_ref_pic_list_in_sps[0] = get_ue_golomb(gb); + if ((unsigned)sps->num_ref_pic_list_in_sps[0] >= EVC_MAX_NUM_RPLS) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + for (int i = 0; i < sps->num_ref_pic_list_in_sps[0]; ++i) ref_pic_list_struct(gb, &sps->rpls[0][i]); if (!sps->rpl1_same_as_rpl0_flag) { sps->num_ref_pic_list_in_sps[1] = get_ue_golomb(gb); + if ((unsigned)sps->num_ref_pic_list_in_sps[1] >= EVC_MAX_NUM_RPLS) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (int i = 0; i < sps->num_ref_pic_list_in_sps[1]; ++i) ref_pic_list_struct(gb, &sps->rpls[1][i]); }
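Review bot: both `+ if ((unsigned)sps->num_ref_pic_list_in_sps[0] >= EVC_MAX_NUM_RPLS) {` checks are correct bounds for the subsequent `sps->rpls[0][i]` and `sps->rpls[1][i]` writes, assuming EVC_MAX_NUM_RPLS is the inner dimension of rpls, and the unsigned cast also catches a negative value from get_ue_golomb(). Two nits: the second check lacks the blank line that separates the first one from its loop, and neither logs why the SPS was rejected, which makes fuzzer-found rejections harder to triage; an av_log(..., AV_LOG_ERROR, ...) before each `goto fail`, or a small shared helper, would cover both. The hunk also relies on `ret` and the `fail` label existing in ff_evc_parse_sps(), which is not visible here.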