[PATCH 1/5] avcodec/get_buffer: Use av_buffer_mallocz() for audio same as its done for video
Fixes: Use of uninintialized value Fixes: 70993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6378949754552320 For the AAC/USAC/SBR code which reads uninitialized memory, it would be good if it did not; a fix for that is welcome! Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/get_buffer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/get_buffer.c b/libavcodec/get_buffer.c index ff19f61e86b..7e705380fc6 100644 --- a/libavcodec/get_buffer.c +++ b/libavcodec/get_buffer.c @@ -142,7 +142,10 @@ static int update_frame_pool(AVCodecContext *avctx, AVFrame *frame) if (ret < 0) goto fail; - pool->pools[0] = av_buffer_pool_init(pool->linesize[0], NULL); + pool->pools[0] = av_buffer_pool_init(pool->linesize[0], + CONFIG_MEMORY_POISONING ? + NULL : + av_buffer_allocz); if (!pool->pools[0]) { ret = AVERROR(ENOMEM); goto fail; -- 2.46.0
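Review bot: the subject line says av_buffer_mallocz() but the hunk passes av_buffer_allocz to av_buffer_pool_init(); av_buffer_allocz() is the libavutil allocator that exists, so the subject should name it. On the hunk itself, the CONFIG_MEMORY_POISONING ternary deserves a one-line comment stating why poisoning builds keep the default (NULL) allocator, namely so that the uninitialized read in the AAC/USAC/SBR code stays visible to sanitizer and fuzzing builds while other builds get zeroed buffers; without it the conditional reads as if poisoning builds were the ones being protected. And since pools[0] here is the audio pool shared by every audio decoder, zero-filling each frame buffer is a per-frame cost paid by all of them to mask a bug the message itself locates elsewhere; that trade-off and a pointer to the real fix belong in the commit message.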
Fixes: signed integer overflow: 24320 + 9223372036854775573 cannot be represented in type 'long' Fixes: 71001/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5644785744936960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/demux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/demux.c b/libavformat/demux.c index dc65f9ad912..bca819a09f7 100644 --- a/libavformat/demux.c +++ b/libavformat/demux.c @@ -2803,7 +2803,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options) av_packet_unref(pkt1); break; } - if (pkt->duration > 0) { + if (pkt->duration > 0 && pkt->duration < INT64_MAX - sti->info->codec_info_duration) { const int fields = sti->codec_desc && (sti->codec_desc->props & AV_CODEC_PROP_FIELDS); if (avctx->codec_type == AVMEDIA_TYPE_SUBTITLE && pkt->pts != AV_NOPTS_VALUE && st->start_time != AV_NOPTS_VALUE && pkt->pts >= st->start_time && (uint64_t)pkt->pts - st->start_time < INT64_MAX -- 2.46.0
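Review bot: the added condition skips the whole `if` block, not only the addition, when pkt->duration would overflow codec_info_duration, so the fields/subtitle bookkeeping inside that block is also skipped for the packet; that is acceptable as an overflow guard, but it silently drops the packet instead of flagging it, and the value in the sanitizer report (codec_info_duration already at 9223372036854775573) shows the bogus duration was accepted on an earlier packet. Consider logging when the guard trips, or rejecting/clamping absurd durations where the demuxer produces them, so the broken stream is visible. The guard `pkt->duration < INT64_MAX - sti->info->codec_info_duration` is only safe while codec_info_duration is non-negative (the subtraction would overflow for a negative value); it is accumulated from durations > 0, so a short comment stating that invariant would help the next reader.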
On Sat, Aug 17, 2024 at 01:15:01AM +0200, Michael Niedermayer wrote:
Fixes: signed integer overflow: 24320 + 9223372036854775573 cannot be represented in type 'long' Fixes: 71001/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5644785744936960
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/demux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Some Animals are More Equal Than Others. - George Orwell's book Animal Farm
Fixes: Assertion width > 0 && width <= 32 failed Fixes: 71012/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6073354744823808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/cbs_h265_syntax_template.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 12fa185c774..d23cb58e863 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -2307,6 +2307,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_display_width[i] + (int)current->prec_ref_display_width - 31); + + if (length > 32) + return AVERROR_PATCHWELCOME; + if (length) ubs(length, mantissa_ref_display_width[i], 1, i); else @@ -2318,6 +2322,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_viewing_distance[i] + (int)current->prec_ref_viewing_dist - 31); + + if (length > 32) + return AVERROR_PATCHWELCOME; + if (length) ubs(length, mantissa_ref_viewing_distance[i], 1, i); else -- 2.46.0
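Review bot: both new `if (length > 32) return AVERROR_PATCHWELCOME;` checks return without an av_log() message, so a user sees only a generic failure; since ubs() is limited to 32 bits while this element may be up to 62 bits long, log which element (refDispWidthBits or refViewDistBits) exceeded 32 before returning. A comment that this is a CBS reader limit and not a conformance check would also stop someone later turning it into AVERROR_INVALIDDATA; length is derived from exponent + prec - 31, and a value above 32 is a valid bitstream that CBS simply cannot represent yet. The second hunk (mantissa_ref_viewing_distance) needs the same message.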
On 8/16/2024 8:15 PM, Michael Niedermayer wrote:
Fixes: Assertion width > 0 && width <= 32 failed Fixes: 71012/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6073354744823808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/cbs_h265_syntax_template.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 12fa185c774..d23cb58e863 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -2307,6 +2307,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_display_width[i] + (int)current->prec_ref_display_width - 31); + + if (length > 32) + return AVERROR_PATCHWELCOME;
I guess this error code is fine since CBS currently can't read values > 32 and this element can be up to 62 bits long. Maybe also print an error that says something like "refDispWidthBits > 32 is not supported".
+ if (length) ubs(length, mantissa_ref_display_width[i], 1, i); else @@ -2318,6 +2322,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_viewing_distance[i] + (int)current->prec_ref_viewing_dist - 31); + + if (length > 32) + return AVERROR_PATCHWELCOME;
Ditto, "refViewDistBits > 32 is not supported".
+ if (length) ubs(length, mantissa_ref_viewing_distance[i], 1, i); else
On Fri, Aug 16, 2024 at 08:38:41PM -0300, James Almer wrote:
On 8/16/2024 8:15 PM, Michael Niedermayer wrote:
Fixes: Assertion width > 0 && width <= 32 failed Fixes: 71012/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6073354744823808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/cbs_h265_syntax_template.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c index 12fa185c774..d23cb58e863 100644 --- a/libavcodec/cbs_h265_syntax_template.c +++ b/libavcodec/cbs_h265_syntax_template.c @@ -2307,6 +2307,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_display_width[i] + (int)current->prec_ref_display_width - 31); + + if (length > 32) + return AVERROR_PATCHWELCOME;
I guess this error code is fine since CBS currently can't read values > 32 and this element can be up to 62 bits long.
Maybe also print an error that says something like "refDispWidthBits > 32 is not supported".
+ if (length) ubs(length, mantissa_ref_display_width[i], 1, i); else @@ -2318,6 +2322,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_viewing_distance[i] + (int)current->prec_ref_viewing_dist - 31); + + if (length > 32) + return AVERROR_PATCHWELCOME;
Ditto, "refViewDistBits > 32 is not supported".
will apply with these changes thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws. -- Plato
This is likely not the proper way to fix this Fixes: null pointer dereference Fixes: 70781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5010401476018176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/hevcdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c index 193d624fc98..dc8497bff12 100644 --- a/libavcodec/hevc/hevcdec.c +++ b/libavcodec/hevc/hevcdec.c @@ -1933,12 +1933,16 @@ static void hls_prediction_unit(HEVCLocalContext *lc, tab_mvf[(y_pu + j) * min_pu_width + x_pu + i] = current_mv; if (current_mv.pred_flag & PF_L0) { + if (!refPicList) + return; ref0 = refPicList[0].ref[current_mv.ref_idx[0]]; if (!ref0 || !ref0->f) return; hevc_await_progress(s, ref0, ¤t_mv.mv[0], y0, nPbH); } if (current_mv.pred_flag & PF_L1) { + if (!refPicList) + return; ref1 = refPicList[1].ref[current_mv.ref_idx[1]]; if (!ref1 || !ref1->f) return; -- 2.46.0
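Review bot: the commit message already says this is probably not the right fix, and the hunk shows why: hls_prediction_unit() is void, so the early `return` after tab_mvf[] has been written leaves motion vectors recorded for a PU whose samples are never predicted, and the caller cannot tell. refPicList being NULL on a P/B slice means the reference picture list was not built earlier in slice setup; the check belongs there, rejecting the slice, rather than in the per-PU inner loop where it runs for every prediction unit and is duplicated for the PF_L0 and PF_L1 branches. If a guard is kept here as defence in depth, hoist a single check above the tab_mvf[] store.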
Quoting Michael Niedermayer (2024-08-17 01:15:03)
This is likely not the proper way to fix this
I agree. Can you share the sample? -- Anton Khirnov
On Mon, Aug 19, 2024 at 09:28:22PM +0200, Anton Khirnov wrote:
Quoting Michael Niedermayer (2024-08-17 01:15:03)
This is likely not the proper way to fix this
I agree. Can you share the sample?
In case anyone doesn't have the sample yet, the sample is publicly available here: https://issues.oss-fuzz.com/issues/42537501 thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Those who are best at talking, realize last or never when they are wrong.

Rather than just != 0. These values are read as uint32 and can become negative when cast to int. --- The only issue I see triggered by the sample is fixed by this patch. I do not see any refPicList=NULL crashes --- libavcodec/hevc/hevcdec.c | 2 +- libavcodec/hevc/parser.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c index 4077ed3ac5..09f7e1d31f 100644 --- a/libavcodec/hevc/hevcdec.c +++ b/libavcodec/hevc/hevcdec.c @@ -369,7 +369,7 @@ static void export_stream_params(HEVCContext *s, const HEVCSPS *sps) den = sps->vui.vui_time_scale; } - if (num != 0 && den != 0) + if (num > 0 && den > 0) av_reduce(&avctx->framerate.den, &avctx->framerate.num, num, den, 1 << 30); } diff --git a/libavcodec/hevc/parser.c b/libavcodec/hevc/parser.c index 8db56e259e..2d14b4fae2 100644 --- a/libavcodec/hevc/parser.c +++ b/libavcodec/hevc/parser.c @@ -101,7 +101,7 @@ static int hevc_parse_slice_header(AVCodecParserContext *s, H2645NAL *nal, den = sps->vui.vui_time_scale; } - if (num != 0 && den != 0) + if (num > 0 && den > 0) av_reduce(&avctx->framerate.den, &avctx->framerate.num, num, den, 1 << 30); -- 2.43.0
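Review bot: `num > 0 && den > 0` stops the sign-wrapped values from reaching av_reduce(), but the root cause stated in the message (u(32) fields narrowed to int) is better fixed at the type level: keep vui_num_units_in_tick and vui_time_scale in unsigned storage, or hand them to av_reduce() as the int64_t it takes, and the identical check would not need to be duplicated in hevcdec.c and parser.c. The message should also explain how a negative framerate leads to the null pointer dereference the fuzzer reported, since the note below the `---` only says the sample does not hit the refPicList path.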
Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 70726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6149928703819776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c index 80ac35a7dbf..cd5ece72b0a 100644 --- a/libavcodec/hevc/ps.c +++ b/libavcodec/hevc/ps.c @@ -1101,7 +1101,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->used_by_curr_pic_lt = 0; for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); - sps->used_by_curr_pic_lt |= get_bits1(gb) * (1 << i); + sps->used_by_curr_pic_lt |= get_bits1(gb) * (1U << i); } } -- 2.46.0
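Review bot: `1U << i` is well defined only while i <= 31, so this line relies on num_long_term_ref_pics_sps having been bounded (the HEVC limit is 32) when it was read and on lt_ref_pic_poc_lsb_sps[] being sized to match; a comment pointing at that bound would make the safety of the shift visible here. The shorter `get_bits1(gb) << i` has the same property because get_bits1() returns unsigned. Also confirm that used_by_curr_pic_lt is an unsigned type, otherwise OR-ing in bit 31 stores a value above INT_MAX into a signed field.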
On 8/16/2024 8:15 PM, Michael Niedermayer wrote:
Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 70726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6149928703819776
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c index 80ac35a7dbf..cd5ece72b0a 100644 --- a/libavcodec/hevc/ps.c +++ b/libavcodec/hevc/ps.c @@ -1101,7 +1101,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->used_by_curr_pic_lt = 0; for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); - sps->used_by_curr_pic_lt |= get_bits1(gb) * (1 << i); + sps->used_by_curr_pic_lt |= get_bits1(gb) * (1U << i);
Why not just get_bits1(gb) << i? get_bits1() returns an unsigned int (either 0 or 1), so there is no chance of a left shift of a negative number.
On Fri, Aug 16, 2024 at 08:27:07PM -0300, James Almer wrote:
On 8/16/2024 8:15 PM, Michael Niedermayer wrote:
Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 70726/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6149928703819776
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevc/ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c index 80ac35a7dbf..cd5ece72b0a 100644 --- a/libavcodec/hevc/ps.c +++ b/libavcodec/hevc/ps.c @@ -1101,7 +1101,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->used_by_curr_pic_lt = 0; for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); - sps->used_by_curr_pic_lt |= get_bits1(gb) * (1 << i); + sps->used_by_curr_pic_lt |= get_bits1(gb) * (1U << i);
Why not just get_bits1(gb) << i? get_bits1() returns an unsigned int (either 0 or 1), so there is no chance of a left shift of a negative number.
ok, will apply with that thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB "Nothing to hide" only works if the folks in power share the values of you and everyone you know entirely and always will -- Tom Scott
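The two HEVC threads above (the `1 << i` shift in ff_hevc_parse_sps and the u(32) VUI timing fields narrowed to int in export_stream_params) share one root cause: bitstream fields that are unsigned by definition being handled through int. The C below is an added example written for this page, not FFmpeg code and not either author's patch. It uses a stand-in bit reader (BitReader, br_get_bits and br_get_bits1 are hypothetical names, not GetBitContext), parses a constructed 32-entry long-term reference picture table with the flags accumulated through an unsigned shift behind a bound on num_long_term_ref_pics_sps, and reads constructed VUI timing fields two ways: widened to int64_t, and the pre-patch narrowing to int that lets a negative frame rate through a `!= 0` test. All sample bytes are constructed, not taken from a real stream.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal MSB-first bit reader, a stand-in for GetBitContext; not FFmpeg code. */
typedef struct BitReader {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;        /* next bit to read */
    int overread;      /* set once a read ran past the end of buf */
} BitReader;

/* Read n (0..32) bits; bits past the end read as 0 and flag overread. */
static uint32_t br_get_bits(BitReader *br, unsigned n)
{
    uint32_t v = 0;
    for (unsigned k = 0; k < n; k++) {
        uint32_t bit = 0;
        if (br->pos < br->size_bits)
            bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
        else
            br->overread = 1;
        br->pos++;
        v = (v << 1) | bit;
    }
    return v;
}

/* Like get_bits1(): unsigned result, so `br_get_bits1(br) << 31` is well defined. */
static uint32_t br_get_bits1(BitReader *br) { return br_get_bits(br, 1); }

/* ---- long-term reference picture flags (the loop in the ps.c hunk) ---- */
#define MAX_LT_REF_PICS_SPS 32   /* HEVC bound on num_long_term_ref_pics_sps */
typedef struct LtRefPics {
    unsigned num_long_term_ref_pics_sps;
    uint32_t lt_ref_pic_poc_lsb_sps[MAX_LT_REF_PICS_SPS];
    uint32_t used_by_curr_pic_lt;   /* unsigned so that bit 31 is representable */
} LtRefPics;

/* n is num_long_term_ref_pics_sps as already read from the SPS; it is checked against
 * the spec bound before it becomes a loop count, shift count and array index, so i
 * never exceeds 31. Returns 0 on success, -1 on bad or short input. */
static int parse_lt_ref_pics(const uint8_t *buf, size_t len, unsigned n,
                             unsigned log2_max_poc_lsb, LtRefPics *out)
{
    BitReader br = { buf, len * 8, 0, 0 };
    if (n > MAX_LT_REF_PICS_SPS || log2_max_poc_lsb < 4 || log2_max_poc_lsb > 16)
        return -1;
    out->num_long_term_ref_pics_sps = n;
    out->used_by_curr_pic_lt = 0;
    for (unsigned i = 0; i < n; i++) {
        out->lt_ref_pic_poc_lsb_sps[i] = br_get_bits(&br, log2_max_poc_lsb);
        /* `1 << 31` on int is UB; an unsigned 0/1 shifted by i <= 31 is not */
        out->used_by_curr_pic_lt |= br_get_bits1(&br) << i;
    }
    return br.overread ? -1 : 0;
}

/* Constructed sample, not a real SPS: 32 entries of 7-bit poc_lsb = i followed by
 * the flag bit, which is set for i % 5 == 0 and for i == 31 (exercises bit 31). */
static void build_sample_lt(uint8_t buf[32])
{
    for (unsigned i = 0; i < 32; i++)
        buf[i] = (uint8_t)((i << 1) | (i % 5 == 0 || i == 31));
}

/* ---- VUI timing fields (the export_stream_params hunk) ---- */
typedef struct VuiTiming { uint32_t num_units_in_tick, time_scale; } VuiTiming; /* both u(32) */

static void parse_vui_timing(const uint8_t *buf, size_t len, VuiTiming *t)
{
    BitReader br = { buf, len * 8, 0, 0 };
    t->num_units_in_tick = br_get_bits(&br, 32);
    t->time_scale        = br_get_bits(&br, 32);
}

/* Frame rate = time_scale / num_units_in_tick, reduced by gcd. The u(32) fields are
 * widened to int64_t and never narrowed to int, so a value >= 2^31 stays positive.
 * Returns 0, or -1 if a field is zero or the reduced result does not fit in int. */
static int vui_to_framerate(const VuiTiming *t, int *fps_num, int *fps_den)
{
    int64_t num = t->time_scale, den = t->num_units_in_tick, a = num, b = den;
    if (num == 0 || den == 0) return -1;
    while (b) { int64_t r = a % b; a = b; b = r; }   /* a = gcd(num, den) */
    num /= a; den /= a;
    if (num > INT32_MAX || den > INT32_MAX) return -1;
    *fps_num = (int)num; *fps_den = (int)den;
    return 0;
}

/* The pre-patch pattern, for comparison: the u(32) values are copied into int (>= 2^31
 * wraps negative on the usual ABIs) and only tested for != 0, so a negative "frame
 * rate" is accepted. The patch's `> 0` test is what rejects it. */
static int vui_to_framerate_signed_buggy(const VuiTiming *t, int *fps_num, int *fps_den)
{
    int num = (int)t->time_scale, den = (int)t->num_units_in_tick;
    if (num == 0 || den == 0) return -1;
    *fps_num = num; *fps_den = den;
    return 0;
}
```

The bound on n is what makes the unsigned shift sufficient: without it, i could reach 32 and `x << i` would be undefined whether or not x is unsigned, which is why the reviewer note on the ps.c hunk asks for the bound to be visible at the shift. For the VUI fields, widening to int64_t before any arithmetic mirrors what passing the values straight into av_reduce() would do, and makes the `> 0` check unnecessary rather than merely correct.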
On Sat, Aug 17, 2024 at 01:15:00AM +0200, Michael Niedermayer wrote:
Fixes: Use of uninintialized value Fixes: 70993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6378949754552320
For the AAC/USAC/SBR code which reads uninitialized memory, it would be good if it did not; a fix for that is welcome!
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/get_buffer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Everything should be made as simple as possible, but not simpler. -- Albert Einstein
participants (3)
- Anton Khirnov
- James Almer
- Michael Niedermayer