From patchwork Sat Sep 30 22:30:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 44061
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:32 +0200 Message-Id: <20230930223046.22896-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 X-Spam-Flag: yes X-Spam-Level: ************** X-GND-Spam-Score: 215 X-GND-Status: SPAM X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 01/15] avformat/concatdec: Check in/outpoint for overflow X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: hp1BK0SnvtqO Fixes: signed integer overflow: 91542414454000000 - -9154241494546000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4739147999084544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/concatdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 5d4f67d0acd..114b6c6564c 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c 
@@ -667,7 +667,9 @@ static int concat_read_header(AVFormatContext *avf) else time = cat->files[i].start_time; if (cat->files[i].user_duration == AV_NOPTS_VALUE) { - if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE) + if (cat->files[i].inpoint == AV_NOPTS_VALUE || cat->files[i].outpoint == AV_NOPTS_VALUE || + cat->files[i].outpoint - (uint64_t)cat->files[i].inpoint != av_sat_sub64(cat->files[i].outpoint, cat->files[i].inpoint) + ) break; cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; }
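Review bot: In the extended `if`, an inpoint/outpoint pair whose difference overflows now takes the same `break` as the case where either value is AV_NOPTS_VALUE, so an out-of-range pair silently stops the duration computation instead of being reported. If that is intended, a short comment would help; otherwise a warning via av_log or an AVERROR_INVALIDDATA return would make the rejection visible. The comparison of the wrapped unsigned difference against av_sat_sub64() is correct as an overflow test but hard to read at a glance; a one-line comment stating that the two sides differ only when the signed subtraction would overflow, or a small helper, would make it reviewable. The closing `)` on its own added line could be folded into the previous line.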
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:33 +0200 Message-Id: <20230930223046.22896-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc> References: <20230930223046.22896-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 02/15] avformat/jacosubdec: Factorize code in get_shift() a bit X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: 2QyQIvl5tGRv Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 61b1316dc9b..42c201f93af 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c 
@@ -143,16 +143,12 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { - case 4: - ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); - break; - case 3: - ret = sign * (( (int64_t)a*60 + b) * timeres + c); - break; - case 2: - ret = sign * (( (int64_t)a) * timeres + b); - break; + case 1: a = 0; + case 2: c = b; b = a; a = 0; + case 3: d = c; c = b; b = a; a = 0; } + + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); if ((int)ret != ret) ret = 0;
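Review bot: The new `case 1:`, `case 2:` and `case 3:` labels depend on falling through into the next label, with no `break` and no comment saying so. The shifts do reproduce the old per-case formulas (for n == 2 the two successive shifts leave `c = a_old`, `d = b_old`), but that is only apparent after tracing it by hand, and compilers with implicit-fallthrough warnings enabled will flag each label. Please mark each fall-through explicitly, put one statement per line, and add a comment that n == 4 deliberately matches no case. Since the commit is described as a factorization, a sentence in the commit message confirming that the result is unchanged for n of 1 to 4 would also help.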
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:34 +0200 Message-Id: <20230930223046.22896-3-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc> References: <20230930223046.22896-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 03/15] avformat/jacosubdec: avoid signed integer overflows in get_shift() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: Gii0OcWENFxj Fixes: signed integer overflow: 22014562800 * 934633746 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5189603246866432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 42c201f93af..41216081ee0 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -124,7 +124,7 @@ shift_and_ret: return buf + len; } -static int get_shift(int timeres, const char *buf) +static int get_shift(unsigned timeres, const char *buf) { int sign = 1; int a = 0, b = 0, c = 0, d = 0; 
@@ -148,7 +148,11 @@ static int get_shift(int timeres, const char *buf) case 3: d = c; c = b; b = a; a = 0; } - ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); + ret = (int64_t)a*3600 + (int64_t)b*60 + c; + if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) + return 0; + ret = sign * (ret * timeres + d); + if ((int)ret != ret) ret = 0;
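Review bot: In the new bound check, `FFABS(d)` is evaluated on `d`, which is declared `int` in this function, so a value of INT_MIN would itself overflow inside the check that is meant to prevent overflow. Widening first, as in `FFABS((int64_t)d)`, avoids that. The same line divides by `timeres`, and the first hunk's change to `unsigned timeres` does not by itself rule out zero; if the caller guarantees a non-zero value, a comment or an explicit early return for `timeres == 0` would document that. The early `return 0` and the later `ret = 0` for the `(int)ret != ret` case give the same result by two different paths; using one style for both would read more consistently.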
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:35 +0200 Message-Id: <20230930223046.22896-4-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc> References: <20230930223046.22896-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 04/15] avformat/jacosubdec: Check timeres X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: D0zVn+lZCiHd Signed-off-by: Michael Niedermayer --- libavformat/jacosubdec.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 41216081ee0..c6e5b4aa6dc 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c 
@@ -227,14 +227,17 @@ static int jacosub_read_header(AVFormatContext *s) } av_bprintf(&header, "#S %s", p); break; - case 'T': // ...but must be placed after TIMERES - jacosub->timeres = strtol(p, NULL, 10); - if (!jacosub->timeres) + case 'T': { // ...but must be placed after TIMERES + int64_t timeres = strtol(p, NULL, 10); + if (timeres <= 0 || timeres > UINT32_MAX) { jacosub->timeres = 30; - else + } else { + jacosub->timeres = timeres; av_bprintf(&header, "#T %s", p); + } break; } + } } /* general/essential directives in the extradata */
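Review bot: The accepted range in `timeres <= 0 || timeres > UINT32_MAX` goes up to UINT32_MAX, but the value is then stored with `jacosub->timeres = timeres;` and the patch does not touch the field's declaration. If that field is a signed int, anything above INT_MAX would be stored as a negative number and the check would not achieve its purpose; please confirm the field type or tighten the upper bound to match it. An out-of-range TIMERES is also replaced by 30 without any message and without emitting the `#T` line, so a av_log warning would make the fallback visible to users. The commit message carries no description or Fixes line; one sentence on which inputs this rejects would be useful.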
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:36 +0200 Message-Id: <20230930223046.22896-5-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc> References: <20230930223046.22896-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 05/15] avformat/mov: compute absolute dts difference without overflow in mov_find_next_sample() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: db79vE8qMyVF Fixes: signed integer overflow: -9223372036854775808 - 9222726413022000000 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5959420033761280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/mov.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 294c864fbd6..369c9b2ffd9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -8795,12 +8795,13 @@ static AVIndexEntry *mov_find_next_sample(AVFormatContext *s, AVStream **st) if (msc->pb && msc->current_sample < avsti->nb_index_entries) { AVIndexEntry *current_sample = &avsti->index_entries[msc->current_sample]; int64_t dts = av_rescale(current_sample->timestamp, AV_TIME_BASE, msc->time_scale); + uint64_t dtsdiff = best_dts > dts ? best_dts - (uint64_t)dts : ((uint64_t)dts - best_dts); av_log(s, AV_LOG_TRACE, "stream %d, sample %d, dts %"PRId64"\n", i, msc->current_sample, dts); if (!sample || (no_interleave && current_sample->pos < sample->pos) || ((s->pb->seekable & AVIO_SEEKABLE_NORMAL) && ((msc->pb != s->pb && dts < best_dts) || (msc->pb == s->pb && dts != AV_NOPTS_VALUE && - ((FFABS(best_dts - dts) <= AV_TIME_BASE && current_sample->pos < sample->pos) || - (FFABS(best_dts - dts) > AV_TIME_BASE && dts < best_dts)))))) { + ((dtsdiff <= AV_TIME_BASE && current_sample->pos < sample->pos) || + (dtsdiff > AV_TIME_BASE && dts < best_dts)))))) { sample = current_sample; best_dts = dts; *st = avst;
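Review bot: `dtsdiff` is computed unconditionally, before the condition's `dts != AV_NOPTS_VALUE` test, so for an unset dts it holds a distance that means nothing. The unsigned arithmetic makes that harmless, but a one-line comment saying the subtraction is done in uint64_t on purpose would keep a later cleanup from turning it back into `FFABS(best_dts - dts)`. The operands in the Fixes line show `best_dts` itself at INT64_MIN, which suggests a sample with an invalid dts can still be selected through the `!sample` or `dts < best_dts` branches; this change removes the undefined behaviour but not that selection, so it is worth checking whether such samples should be skipped earlier. The two arms of the ternary are parenthesised differently; making them match would be tidier.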
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:37 +0200 Message-Id: <20230930223046.22896-6-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc> References: <20230930223046.22896-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 06/15] avformat/rpl: Check for number_of_chunks overflow X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: MPtoZUKuB00b Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int32_t' (aka 'int') Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6086131095830528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/rpl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index 3ef6fda3862..eae0da891bc 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c 
@@ -268,6 +268,9 @@ static int rpl_read_header(AVFormatContext *s) "Video stream will be broken!\n", av_fourcc2str(vst->codecpar->codec_tag)); number_of_chunks = read_line_and_int(pb, &error); // number of chunks in the file + if (number_of_chunks == INT_MAX) + return AVERROR_INVALIDDATA; + // The number in the header is actually the index of the last chunk. number_of_chunks++;
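Review bot: The added `number_of_chunks == INT_MAX` test rejects only the single value that makes the following `number_of_chunks++` overflow; any other implausible count, including a negative one if read_line_and_int() can return it, still passes and is incremented. A range check at this point, for example also rejecting `number_of_chunks < 0`, would cover the whole class rather than the one fuzzer input. The sanitizer message names the type as int32_t, so comparing against INT32_MAX would match the variable's declared type more precisely than INT_MAX. The check also runs before `error` from read_line_and_int() is consulted in this hunk; if a parse failure is possible here, testing `error` first would give the more accurate failure reason.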
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 1 Oct 2023 00:30:38 +0200
Message-Id: <20230930223046.22896-7-michael@niedermayer.cc>
In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc>
References: <20230930223046.22896-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 07/15] avformat/sbgdec: Check for period overflow

Fixes: signed integer overflow: 4481246996173000000 - -4778576820000000000 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5063670588899328
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/sbgdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index c1995759a8f..73b5be9007d 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c
@@ -1273,7 +1273,10 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* SBaGen handles the time before and after the extremal events, and the corresponding transitions, as if the sequence were cyclic with a 24-hours period. */ - period = s->events[s->nb_events - 1].ts - s->events[0].ts; + period = s->events[s->nb_events - 1].ts - (uint64_t)s->events[0].ts; + if (period < 0) + return AVERROR_INVALIDDATA; + period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS; period = FFMAX(period, DAY_TS);
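Review bot: in generate_intervals the `period < 0` test catches a wrapped difference, but a difference just below INT64_MAX still passes it and then overflows in the round-up on the following line, `period = (period + (DAY_TS - 1)) / DAY_TS * DAY_TS;`. Bounding the value before rounding, for example `if (period < 0 || period > INT64_MAX - (DAY_TS - 1))`, closes that case; this assumes period is a signed 64-bit value, as the sanitizer message's type 'long' suggests, and that DAY_TS is positive. The `(uint64_t)` cast also deserves a one-line comment saying it is there to make the subtraction wrap instead of overflowing.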
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 1 Oct 2023 00:30:39 +0200
Message-Id: <20230930223046.22896-8-michael@niedermayer.cc>
In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc>
References: <20230930223046.22896-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 08/15] avformat/sbgdec: Check for negative duration or un-representable end pts

Fixes: signed integer overflow: 9230955872951340 - -9223372036854775808 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6330481893572608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/sbgdec.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 73b5be9007d..b2662ea4188 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c
@@ -1447,6 +1447,13 @@ static av_cold int sbg_read_header(AVFormatContext *avf) st->duration = script.end_ts == AV_NOPTS_VALUE ? AV_NOPTS_VALUE : av_rescale(script.end_ts - script.start_ts, sbg->sample_rate, AV_TIME_BASE); + + if (st->duration != AV_NOPTS_VALUE && ( + st->duration < 0 || st->start_time > INT64_MAX - st->duration)) { + r = AVERROR_INVALIDDATA; + goto fail; + } + sti->cur_dts = st->start_time; r = encode_intervals(&script, st->codecpar, &inter); if (r < 0)
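Review bot: the new test in sbg_read_header validates `st->duration` only after `av_rescale()` has run, while the operand `script.end_ts - script.start_ts` in the unchanged lines above is still computed unchecked, so extreme timestamps reach that signed subtraction before any validation. Checking the operands first, rejecting `script.end_ts < script.start_ts` and a difference that does not fit in int64_t, keeps the subtraction defined and leaves the `st->duration < 0` half of the new condition as a secondary safeguard.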
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 1 Oct 2023 00:30:40 +0200
Message-Id: <20230930223046.22896-9-michael@niedermayer.cc>
In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc>
References: <20230930223046.22896-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 09/15] avformat/tta: Better totalframes check

Fixes: signed integer overflow: 4 * 740491135 cannot be represented in type 'int'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-6298893367508992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/tta.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/tta.c b/libavformat/tta.c index 21830459401..54776540142 100644 --- a/libavformat/tta.c +++ b/libavformat/tta.c
@@ -91,7 +91,7 @@ static int tta_read_header(AVFormatContext *s) c->totalframes = nb_samples / c->frame_size + (c->last_frame_size < c->frame_size); c->currentframe = 0; - if(c->totalframes >= UINT_MAX/sizeof(uint32_t) || c->totalframes <= 0){ + if(c->totalframes >= (INT_MAX - 4)/sizeof(uint32_t) || c->totalframes <= 0){ av_log(s, AV_LOG_ERROR, "totalframes %d invalid\n", c->totalframes); return AVERROR_INVALIDDATA; }
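Review bot: the `- 4` in the new bound `(INT_MAX - 4)/sizeof(uint32_t)` in tta_read_header is unexplained; a short comment naming the later computation it leaves room for (the sanitizer message shows a multiplication by 4) would keep the limit from looking arbitrary. Because the right-hand side has type size_t, `c->totalframes` is converted to unsigned for the `>=` comparison if it is a signed int, as the `%d` in the log call suggests; testing `c->totalframes <= 0` first, or casting the bound to int, makes the intent explicit.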
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 1 Oct 2023 00:30:41 +0200
Message-Id: <20230930223046.22896-10-michael@niedermayer.cc>
In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc>
References: <20230930223046.22896-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 10/15] avformat/wavdec: Check left avio_tell for overflow

Fixes: signed integer overflow: 155 + 9223372036854775655 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-5364032278495232
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/wavdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 97e69ab2ee4..b145e980414 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c
@@ -767,6 +767,8 @@ smv_out: goto smv_retry; return AVERROR_EOF; } + if (INT64_MAX - left < avio_tell(s->pb)) + return AVERROR_INVALIDDATA; wav->data_end = avio_tell(s->pb) + left; }
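Review bot: the added test `INT64_MAX - left < avio_tell(s->pb)` is only safe when `left` is non-negative, and nothing in the visible lines establishes that; with a negative `left` the expression `INT64_MAX - left` is itself a signed overflow. The hunk also calls `avio_tell(s->pb)` twice and never checks it for a negative error return. Reading the position once into a local, rejecting `pos < 0 || left < 0`, and then comparing `left > INT64_MAX - pos` covers all three cases.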
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 1 Oct 2023 00:30:42 +0200
Message-Id: <20230930223046.22896-11-michael@niedermayer.cc>
In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc>
References: <20230930223046.22896-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 11/15] avformat/matroskadec: Check prebuffered_ns for overflow

Fixes: signed integer overflow: 9223372036630775808 + 1000000000 cannot be represented in type 'long'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-5406131992526848
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/matroskadec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 941c0bcdc9f..ae8823ae58e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c
@@ -4537,13 +4537,17 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t int64_t prebuffer_ns = 1000000000; int64_t time_ns = sti->index_entries[i].timestamp * matroska->time_scale; double nano_seconds_per_second = 1000000000.0; - int64_t prebuffered_ns = time_ns + prebuffer_ns; + int64_t prebuffered_ns; double prebuffer_bytes = 0.0; int64_t temp_prebuffer_ns = prebuffer_ns; int64_t pre_bytes, pre_ns; double pre_sec, prebuffer, bits_per_second; CueDesc desc_beg = get_cue_desc(s, time_ns, cues_start); + if (time_ns > INT64_MAX - prebuffer_ns) + return -1; + prebuffered_ns = time_ns + prebuffer_ns; + // Start with the first Cue. CueDesc desc_end = desc_beg;
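Review bot: the new range check in webm_dash_manifest_compute_bandwidth covers only the addition; `time_ns` itself comes from the unchecked product `sti->index_entries[i].timestamp * matroska->time_scale` in the unchanged declaration above, and it is already passed to `get_cue_desc()` before the check runs. If either factor is file-controlled, that multiplication needs its own bound ahead of the addition. Placing the statements here also leaves `CueDesc desc_end = desc_beg;` as a declaration after code; moving the check below the declarations avoids that.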
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 1 Oct 2023 00:30:43 +0200
Message-Id: <20230930223046.22896-12-michael@niedermayer.cc>
In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc>
References: <20230930223046.22896-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 12/15] avformat/westwood_vqa: Do not leave vqfl_chunk_size invalid

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4613908817903616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/westwood_vqa.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index e3d2e2668c4..18948d14ccc 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c
@@ -194,8 +194,10 @@ static int wsvqa_read_packet(AVFormatContext *s, * includes a whole frame as expected. */ wsvqa->vqfl_chunk_pos = avio_tell(pb); wsvqa->vqfl_chunk_size = (int)(chunk_size); - if (wsvqa->vqfl_chunk_size < 0 || wsvqa->vqfl_chunk_size > 3 * (1 << 20)) + if (wsvqa->vqfl_chunk_size < 0 || wsvqa->vqfl_chunk_size > 3 * (1 << 20)) { + wsvqa->vqfl_chunk_size = 0; return AVERROR_INVALIDDATA; + } /* We need a big seekback buffer because there can be SNxx, VIEW and ZBUF * chunks (<512 KiB total) in the stream before we read VQFR (<256 KiB) and * seek back here. */
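Review bot: on the new error path in wsvqa_read_packet only `vqfl_chunk_size` is reset; `wsvqa->vqfl_chunk_pos`, assigned from `avio_tell(pb)` two lines earlier, stays set, so the context is left with a position but no size. Validating `chunk_size` in a local before storing either field, or clearing both on failure, keeps the two in step. If `chunk_size` is unsigned, the `(int)` cast is also what produces the negative values the condition tests for; a range check on `chunk_size` before the cast would state that directly.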
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 1 Oct 2023 00:30:44 +0200
Message-Id: <20230930223046.22896-13-michael@niedermayer.cc>
In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc>
References: <20230930223046.22896-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 13/15] avformat/xwma: sanity check bits_per_coded_sample

Fixes: signed integer overflow: 65312 * 524296 cannot be represented in type 'int'
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_XWMA_fuzzer-6595971445555200
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavformat/xwma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/xwma.c b/libavformat/xwma.c index 12689f37fd7..b830f9ed75f 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c
@@ -151,7 +151,7 @@ static int xwma_read_header(AVFormatContext *s) st->codecpar->ch_layout.nb_channels); return AVERROR_INVALIDDATA; } - if (!st->codecpar->bits_per_coded_sample) { + if (!st->codecpar->bits_per_coded_sample || st->codecpar->bits_per_coded_sample > 64) { av_log(s, AV_LOG_WARNING, "Invalid bits_per_coded_sample: %d\n", st->codecpar->bits_per_coded_sample); return AVERROR_INVALIDDATA;
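Review bot: the extended condition in xwma_read_header rejects zero and values above 64 but not negative ones; if `bits_per_coded_sample` is a signed int, as the `%d` in the log call suggests, `!x || x > 64` lets a negative value through to the multiplication the sanitizer reported. `st->codecpar->bits_per_coded_sample <= 0 || st->codecpar->bits_per_coded_sample > 64` covers it. The limit 64 is unexplained, and the message is logged at AV_LOG_WARNING although the function returns AVERROR_INVALIDDATA; a comment on the bound and AV_LOG_ERROR would match the outcome.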
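Review bot: In xwma_read_header (PATCH 13/15) the new condition `!st->codecpar->bits_per_coded_sample || st->codecpar->bits_per_coded_sample > 64` still accepts negative values, and the field is logged with %d, so it looks signed. If it can be negative at this point, `bits_per_coded_sample <= 0 || bits_per_coded_sample > 64` would close that side as well. The limit of 64 is also unexplained: neither the hunk nor the commit message says which later multiplication produced 65312 * 524296 or why 64 is a sufficient bound for it, so a short comment next to the check (or a named constant) would help the next reader.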
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:45 +0200 Message-Id: <20230930223046.22896-14-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc> References: <20230930223046.22896-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 14/15] avformat/asfdec_f: Saturate presentation time in marker X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: KU2/dodE0nGH Fixes: signed integer overflow: -9223372036315799520 - 3873890816 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5009302746431488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 54059564670..a579c3e894b 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c 
@@ -674,7 +674,7 @@ static int asf_read_marker(AVFormatContext *s) avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time - pres_time -= asf->hdr.preroll * 10000; + pres_time = av_sat_sub64(pres_time, asf->hdr.preroll * 10000); avio_rl16(pb); // entry length avio_rl32(pb); // send time avio_rl32(pb); // flags From patchwork Sat Sep 30 22:30:46 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 44060 Delivered-To: ffmpegpatchwork2@gmail.com Received: by 2002:a05:6a20:1204:b0:15d:8365:d4b8 with SMTP id v4csp599315pzf; Sat, 30 Sep 2023 15:32:47 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEdZM9LMrc1+ZISQe5u657taTt8Olv412+iej37/DSBhfcTH5p4btAv4plj3Azp9iq/2VI9 X-Received: by 2002:a05:6402:1f0e:b0:530:7ceb:334 with SMTP id b14-20020a0564021f0e00b005307ceb0334mr7718706edb.3.1696113167504; Sat, 30 Sep 2023 15:32:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696113167; cv=none; d=google.com; s=arc-20160816; b=L8qRoKcadNAZIylkruYYB4Bs080f9jnWNm2ItgDiY2rjt2vDJQlq0xTRVsRAZp95Ij jhYIuuBdztVs8ipgsDQYAstjkMjk0QIawyrJeVl8PuxsPI5gEsflLYlpkTF5sPRa7EdW dewjZxxZveNJXoSu7RDQSJ3CAe4b8jWj2X7BieQkyXs0Ew8VXbJGtAA2V34CrWNkqwkc t0ZOZaE3UWKUwOuwEua3xaI0Bd83jyyDDhFUkImHWZ/qn/YNPYVu/EjEQApoaOp0fh7N BJ6n2ydw058CaS92G9j5ns9Kih2Y+WjvKprLsEO3+rdJ/+ITCanKg1f1H/LQNJra2OS1 KjRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version:reply-to :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:delivered-to; bh=thtinLeQgFPbZcOEj7D0JFfdkzZZyED2lUmIvieybyQ=; fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=; b=TYzefJlnPA/xbOiAV2jjUqDYl2EdC2jkgZCGt7eztrH2e6ARnhJYkf5CbApqDe1v9F oUzTM5GCWjPJDybnntCBue0AoARPBa4g4NPjp1zqiuixTZIscHRrqBOkSUCC+A0neMZY 
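Review bot: In asf_read_marker (PATCH 14/15) the product `asf->hdr.preroll * 10000` is still evaluated with ordinary arithmetic before av_sat_sub64() sees it, so only the subtraction is protected. A large preroll taken from the file can overflow or wrap in the multiplication and hand the saturating subtract a wrong operand. Consider bounding preroll where the header is parsed, or checking the product before use, and state in the commit message whether a marker whose presentation time was clamped should still be used or skipped.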
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 1 Oct 2023 00:30:46 +0200 Message-Id: <20230930223046.22896-15-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20230930223046.22896-1-michael@niedermayer.cc> References: <20230930223046.22896-1-michael@niedermayer.cc> X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 15/15] avcodec/h264_parser: saturate dts a bit X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: ENg3F5yJIWZI Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6112289464123392 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/h264_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 43abc45f9cd..6ab8f659cb6 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c 
@@ -646,10 +646,10 @@ static int h264_parse(AVCodecParserContext *s, int64_t num = time_base.num * (int64_t)avctx->pkt_timebase.den; if (s->dts != AV_NOPTS_VALUE) { // got DTS from the stream, update reference timestamp - p->reference_dts = s->dts - av_rescale(s->dts_ref_dts_delta, num, den); + p->reference_dts = av_sat_sub64(s->dts, av_rescale(s->dts_ref_dts_delta, num, den)); } else if (p->reference_dts != AV_NOPTS_VALUE) { // compute DTS based on reference timestamp - s->dts = p->reference_dts + av_rescale(s->dts_ref_dts_delta, num, den); + s->dts = av_sat_add64(p->reference_dts, av_rescale(s->dts_ref_dts_delta, num, den)); } if (p->reference_dts != AV_NOPTS_VALUE && s->pts == AV_NOPTS_VALUE)
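Review bot: In both changed branches of h264_parse (PATCH 15/15) the value returned by `av_rescale(s->dts_ref_dts_delta, num, den)` is used without a check, and the reported overflow `0 - -9223372036854775808` shows it can be the int64 minimum. With av_sat_sub64() that case now stores the int64 maximum in p->reference_dts, and the following `p->reference_dts != AV_NOPTS_VALUE` test will treat it as a valid reference. It would be safer to compute the rescaled delta once, reject an out-of-range result and leave reference_dts and s->dts untouched in that case. The subject line "saturate dts a bit" should also say what range of timestamps is intended to survive.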