[PATCH 1/7] [RFC] Revert "avcodec/adpcm_swf: support decoding multiple fixed-sized blocks at once"
The reverted code split at block_align boundaries, but there was already code which splits at a hardcoded 4096 sample boundary. reverting this seemed like the easiest fix but this is a RFC in case another solution is preferred Fixes: out of array write Fixes: 26821/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_SWF_fuzzer-5764465137811456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg This reverts commit e9dd73d30d09043446ac6dd7b8ad31e557873852. --- libavcodec/adpcm.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c index 701b125c47..d018c1f91b 100644 --- a/libavcodec/adpcm.c +++ b/libavcodec/adpcm.c @@ -880,7 +880,7 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, } case AV_CODEC_ID_ADPCM_SWF: { - int buf_bits = (avctx->block_align ? avctx->block_align : buf_size) * 8 - 2; + int buf_bits = buf_size * 8 - 2; int nbits = (bytestream2_get_byte(gb) >> 6) + 2; int block_hdr_size = 22 * ch; int block_size = block_hdr_size + nbits * ch * 4095; @@ -889,9 +889,6 @@ static int get_nb_samples(AVCodecContext *avctx, GetByteContext *gb, nb_samples = nblocks * 4096; if (bits_left >= block_hdr_size) nb_samples += 1 + (bits_left - block_hdr_size) / (nbits * ch); - - if (avctx->block_align) - nb_samples *= buf_size / avctx->block_align; break; } case AV_CODEC_ID_ADPCM_THP: @@ -1770,17 +1767,9 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data, } break; case AV_CODEC_ID_ADPCM_SWF: - { - const int nb_blocks = avctx->block_align ? avpkt->size / avctx->block_align : 1; - const int block_size = avctx->block_align ? avctx->block_align : avpkt->size; - - for (int block = 0; block < nb_blocks; block++) { - adpcm_swf_decode(avctx, buf + block * block_size, block_size, samples); - samples += nb_samples / nb_blocks; - } + adpcm_swf_decode(avctx, buf, buf_size, samples); bytestream2_seek(&gb, 0, SEEK_END); break; - } case AV_CODEC_ID_ADPCM_YAMAHA: for (n = nb_samples >> (1 - st); n > 0; n--) { int v = bytestream2_get_byteu(&gb); -- 2.17.1
Fixes: signed integer overflow: 46671062 * 100 cannot be represented in type 'int' Fixes: 26826/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-5644062910316544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/realtextdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c index c2316da0ed..390f8ddc67 100644 --- a/libavformat/realtextdec.c +++ b/libavformat/realtextdec.c @@ -45,16 +45,16 @@ static int realtext_probe(const AVProbeData *p) return !av_strncasecmp(buf, "<window", 7) ? AVPROBE_SCORE_EXTENSION : 0; } -static int read_ts(const char *s) +static int64_t read_ts(const char *s) { int hh, mm, ss, ms; - if (sscanf(s, "%u:%u:%u.%u", &hh, &mm, &ss, &ms) == 4) return (hh*3600 + mm*60 + ss) * 100 + ms; - if (sscanf(s, "%u:%u:%u" , &hh, &mm, &ss ) == 3) return (hh*3600 + mm*60 + ss) * 100; - if (sscanf(s, "%u:%u.%u", &mm, &ss, &ms) == 3) return ( mm*60 + ss) * 100 + ms; - if (sscanf(s, "%u:%u" , &mm, &ss ) == 2) return ( mm*60 + ss) * 100; - if (sscanf(s, "%u.%u", &ss, &ms) == 2) return ( ss) * 100 + ms; - return strtol(s, NULL, 10) * 100; + if (sscanf(s, "%u:%u:%u.%u", &hh, &mm, &ss, &ms) == 4) return (hh*3600LL + mm*60LL + ss) * 100LL + ms; + if (sscanf(s, "%u:%u:%u" , &hh, &mm, &ss ) == 3) return (hh*3600LL + mm*60LL + ss) * 100LL; + if (sscanf(s, "%u:%u.%u", &mm, &ss, &ms) == 3) return ( mm*60LL + ss) * 100LL + ms; + if (sscanf(s, "%u:%u" , &mm, &ss ) == 2) return ( mm*60LL + ss) * 100LL; + if (sscanf(s, "%u.%u", &ss, &ms) == 2) return ( ss) * 100LL + ms; + return strtol(s, NULL, 10) * 100LL; } static int realtext_read_header(AVFormatContext *s) -- 2.17.1
Fixes: signed integer overflow: 175 + 2147483571 cannot be represented in type 'int' Fixes: 26833/clusterfuzz-testcase-minimized-ffmpeg_dem_IMAGE2_fuzzer-5969501214212096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/av1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c index 395eef6522..5ae81b34d4 100644 --- a/libavformat/av1dec.c +++ b/libavformat/av1dec.c @@ -361,7 +361,7 @@ static int obu_probe(const AVProbeData *p) ret = read_obu_with_size(p->buf + cnt, p->buf_size - cnt, &obu_size, &type); if (ret < 0 || obu_size <= 0) return 0; - cnt += ret; + cnt += FFMIN(ret, p->buf_size - cnt); ret = get_score(type, &seq); if (ret >= 0) -- 2.17.1
Fixes: memleak Fixes: 26841/clusterfuzz-testcase-minimized-ffmpeg_dem_AU_fuzzer-5174166309044224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/au.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/au.c b/libavformat/au.c index b4eb4f8477..4f2b81119f 100644 --- a/libavformat/au.c +++ b/libavformat/au.c @@ -84,8 +84,11 @@ static int au_read_annotation(AVFormatContext *s, int size) av_bprint_init(&bprint, 64, AV_BPRINT_SIZE_UNLIMITED); while (size-- > 0) { - if (avio_feof(pb)) + if (avio_feof(pb)) { + av_bprint_finalize(&bprint, NULL); + av_freep(&key); return AVERROR_EOF; + } c = avio_r8(pb); switch(state) { case PARSE_KEY: -- 2.17.1
Fixes: infinite loop Fixes: 26865/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-5649473830912000 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/dsfdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/dsfdec.c b/libavformat/dsfdec.c index c9740cf28f..1df163e114 100644 --- a/libavformat/dsfdec.c +++ b/libavformat/dsfdec.c @@ -124,8 +124,8 @@ static int dsf_read_header(AVFormatContext *s) dsf->audio_size = avio_rl64(pb) / 8 * st->codecpar->channels; st->codecpar->block_align = avio_rl32(pb); - if (st->codecpar->block_align > INT_MAX / st->codecpar->channels) { - avpriv_request_sample(s, "block_align overflow"); + if (st->codecpar->block_align > INT_MAX / st->codecpar->channels || st->codecpar->block_align <= 0) { + avpriv_request_sample(s, "block_align invalid"); return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; -- 2.17.1
Fixes: signed integer overflow: -2105540608 - 2105540608 cannot be represented in type 'int' Fixes: 26870/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5656647567147008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/h264idct_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index f19579a47c..ce66ed3ab8 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -283,8 +283,8 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){ dctcoef *block = (dctcoef*)_block; for(i=0; i<4; i++){ - temp[2*i+0] = block[stride*i + xStride*0] + block[stride*i + xStride*1]; - temp[2*i+1] = block[stride*i + xStride*0] - block[stride*i + xStride*1]; + temp[2*i+0] = block[stride*i + xStride*0] + (unsigned)block[stride*i + xStride*1]; + temp[2*i+1] = block[stride*i + xStride*0] - (unsigned)block[stride*i + xStride*1]; } for(i=0; i<2; i++){ -- 2.17.1
strips + tiles is not allowed in TIFF DNG uses a separate codepath Regression since da5b3d002862d1e105002a6dc1567e6551860896. Fixes: NULL pointer dereference Fixes: poc1 Found-by: 1vanChen of NSFOCUS Security Team Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/tiff.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 2e45464218..00f0c0ccf7 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1923,14 +1923,17 @@ again: has_strip_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff; if (has_tile_bits && has_strip_bits) { - av_log(avctx, AV_LOG_WARNING, "Tiled TIFF is not allowed to strip\n"); + int tiled_dng = s->is_tiled && is_dng; + av_log(avctx, tiled_dng ? AV_LOG_WARNING : AV_LOG_ERROR, "Tiled TIFF is not allowed to strip\n"); + if (!tiled_dng) + return AVERROR_INVALIDDATA; } /* now we have the data and may start decoding */ if ((ret = init_image(s, &frame)) < 0) return ret; - if (!s->is_tiled) { + if (!s->is_tiled || has_strip_bits) { if (s->strips == 1 && !s->stripsize) { av_log(avctx, AV_LOG_WARNING, "Image data size missing\n"); s->stripsize = avpkt->size - s->stripoff; -- 2.17.1
On Fri, Nov 06, 2020 at 12:10:21AM +0100, Michael Niedermayer wrote:
The reverted code split at block_align boundaries, but there was already code which splits at a hardcoded 4096 sample boundary.
reverting this seemed like the easiest fix but this is a RFC in case another solution is preferred
Fixes: out of array write Fixes: 26821/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_SWF_fuzzer-5764465137811456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg This reverts commit e9dd73d30d09043446ac6dd7b8ad31e557873852. --- libavcodec/adpcm.c | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-)
please disregard this patchset, this was sent by mistake to the wrong mailing list, this was intended all for ffmpeg-devel [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The worst form of inequality is to try to make unequal things equal. -- Aristotle
participants (1)
-
Michael Niedermayer