[FFmpeg-devel] [PATCH] avcodec/sanm: Check w,h,left,top (PR #20268)
PR #20268 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20268
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20268.patch
The setup code for w,h,left,top is complex, the code using it also falls in
at least 2 different classes, one using left/top the other not.
To ensure no out of array access happens we add this clear check.
Fixes: out of array access
Fixes: 439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
>From 134fbfd1dcb59441e38d870ddd231772f4e8e127 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 17 Aug 2025 15:31:48 +0200
Subject: [PATCH] avcodec/sanm: Check w,h,left,top
The setup code for w,h,left,top is complex, the code using it also falls in
at least 2 different classes, one using left/top the other not.
To ensure no out of array access happens we add this clear check.
Fixes: out of array access
Fixes: 439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/sanm.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index a066a864eb..9e99aa9dd9 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1757,6 +1757,11 @@ static int process_frame_obj(SANMVideoContext *ctx,
GetByteContext *gb)
memset(ctx->fbuf, 0, ctx->frm0_size);
}
+if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) >
ctx->avctx->height) {
+avpriv_request_sample(ctx->avctx, "overly large frame\n");
+return AVERROR_PATCHWELCOME;
+}
+
switch (codec) {
case 1:
case 3:
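Review bot: the string passed at `+avpriv_request_sample(ctx->avctx, "overly large frame\n");` carries a trailing `\n`; avpriv_request_sample() prints the message and then appends its own " is not implemented. ..." sentence and newline, so the embedded newline splits the log line mid-sentence (the other request_sample calls in this series, e.g. "Zero ac_size", pass none). Drop it. Separately, an object larger than the declared frame is more plausibly corrupt input than an unimplemented feature, so AVERROR_INVALIDDATA may fit better than AVERROR_PATCHWELCOME. The check itself is sound: the FFMAX(left, 0)/FFMAX(top, 0) clamp bounds both the codec class that honours left/top and the one that ignores them, since w and h alone are then limited by the frame size.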
--
2.49.1
___
ffmpeg-devel mailing list
[email protected]
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
[email protected] with subject "unsubscribe".
[FFmpeg-devel] [PATCH] swscale/swscale_internal: Use more precise gamma (PR #20274)
PR #20274 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20274
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20274.patch
Avoids failure of xyz12 fate tests on mingw and linux x86-32
Signed-off-by: Michael Niedermayer
>From a9bc076f4873161e96098337a16b4657a0174fd5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 18 Aug 2025 16:31:05 +0200
Subject: [PATCH] swscale/swscale_internal: Use more precise gamma
Avoids failure of xyz12 fate tests on mingw and linux x86-32
Signed-off-by: Michael Niedermayer
---
libswscale/swscale_internal.h| 4 ++--
tests/ref/fate/filter-pixdesc-xyz12be| 2 +-
tests/ref/fate/filter-pixdesc-xyz12le| 2 +-
tests/ref/fate/filter-pixfmts-copy | 4 ++--
tests/ref/fate/filter-pixfmts-crop | 4 ++--
tests/ref/fate/filter-pixfmts-field | 4 ++--
tests/ref/fate/filter-pixfmts-fieldorder | 4 ++--
tests/ref/fate/filter-pixfmts-hflip | 4 ++--
tests/ref/fate/filter-pixfmts-il | 4 ++--
tests/ref/fate/filter-pixfmts-null | 4 ++--
tests/ref/fate/filter-pixfmts-scale | 4 ++--
tests/ref/fate/filter-pixfmts-transpose | 4 ++--
tests/ref/fate/filter-pixfmts-vflip | 4 ++--
tests/ref/pixfmt/xyz12le | 2 +-
14 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h
index 32428c56fb..5dd65a8d71 100644
--- a/libswscale/swscale_internal.h
+++ b/libswscale/swscale_internal.h
@@ -545,8 +545,8 @@ struct SwsInternal {
int use_mmx_vfilter;
/* pre defined color-spaces gamma */
-#define XYZ_GAMMA (2.6f)
-#define RGB_GAMMA (2.2f)
+#define XYZ_GAMMA (2.6)
+#define RGB_GAMMA (2.2)
uint16_t *xyzgamma;
uint16_t *rgbgamma;
uint16_t *xyzgammainv;
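Review bot: changing XYZ_GAMMA and RGB_GAMMA from float to double literals silently promotes every expression they appear in, but none of those consumers is in the hunk, so the x86-32/mingw effect described in the commit message cannot be verified from the diff alone. A one-line comment beside the two defines saying that double precision is required for the fate references to be platform-independent would stop someone "optimising" them back to `2.6f`/`2.2f` later, and the commit message should state that the xyz12 checksum updates in the remaining files are the expected consequence of the more precise table.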
diff --git a/tests/ref/fate/filter-pixdesc-xyz12be
b/tests/ref/fate/filter-pixdesc-xyz12be
index 6610444e76..3cef4083c7 100644
--- a/tests/ref/fate/filter-pixdesc-xyz12be
+++ b/tests/ref/fate/filter-pixdesc-xyz12be
@@ -1 +1 @@
-pixdesc-xyz12be 1508a33dea936c45d9ee13f7743af00d
+pixdesc-xyz12be 198f43f452bc55f4ca1e0e0171de5c4c
diff --git a/tests/ref/fate/filter-pixdesc-xyz12le
b/tests/ref/fate/filter-pixdesc-xyz12le
index 41b4907923..6193c3193a 100644
--- a/tests/ref/fate/filter-pixdesc-xyz12le
+++ b/tests/ref/fate/filter-pixdesc-xyz12le
@@ -1 +1 @@
-pixdesc-xyz12le da2d1326fa5747a7f6ce5ac1e1494aea
+pixdesc-xyz12le 5ca7d9ab5e01cc1bdc906520926721eb
diff --git a/tests/ref/fate/filter-pixfmts-copy
b/tests/ref/fate/filter-pixfmts-copy
index 84a407c8fa..d42e2f6b33 100644
--- a/tests/ref/fate/filter-pixfmts-copy
+++ b/tests/ref/fate/filter-pixfmts-copy
@@ -117,8 +117,8 @@ xv36be 9f556ee59a672fd8725f0bb36ce3e4b0
xv36le e08dcbde02f1c28a3554f372ad1278e2
xv48be ce34993b4b4411bba1d852b9b86aa39e
xv48le df913a7e61b162aa98303e5393e60c63
-xyz12be f257f86373207af8aed0a1a05171df3b
-xyz12le 7922f99edc44a2c26a25becbea9914cc
+xyz12be d4562ab725e3ab7e5573dd03218bb03c
+xyz12le ce17d867c3fea4c42324e40353b72de4
y210le 04e9487b6cce38e7531437e946cdd586
y212le 825768be8fe92708ae80be84855066ed
y216le 0e99aeddfee304e72d525d72998d9e9b
diff --git a/tests/ref/fate/filter-pixfmts-crop
b/tests/ref/fate/filter-pixfmts-crop
index 05bb5b1b19..a86113c631 100644
--- a/tests/ref/fate/filter-pixfmts-crop
+++ b/tests/ref/fate/filter-pixfmts-crop
@@ -114,8 +114,8 @@ xv36be 23b6f253fcb375e4145cfcb562268c5f
xv36le 778286003497f92b84d0bd8258d6b85d
xv48be c90889b2cf54cc78bd58e8c47d4eb791
xv48le 2c15c1254449ec5f9135ae61bdf4e1d5
-xyz12be e2f9f6a1ec205ab675a5a1c9521dfa6c
-xyz12le fea1da11c07736303b139bc52b7d4759
+xyz12be 05d6fc3fbe70403160ff4e1b8a4aa969
+xyz12le 3c7328a2f8497f0b4635b84df381a2b8
ya16be 071add03126a11dc6a06209e9b409f8d
ya16le b723211dc0647c944768c6e45e066b36
ya8 51a8dd297e35d40b06d3ebe8f4717895
diff --git a/tests/ref/fate/filter-pixfmts-field
b/tests/ref/fate/filter-pixfmts-field
index d8a0d5234a..c05dba55f6 100644
--- a/tests/ref/fate/filter-pixfmts-field
+++ b/tests/ref/fate/filter-pixfmts-field
@@ -117,8 +117,8 @@ xv36be bcc7bda2d0a5d43db4464af6a4cb5d65
xv36le ba99f258370f2a56993e8760e6b30194
xv48be 2abcd986a34789ba4310be3969020d0d
xv48le f6f2e33f260f48334197538f3331f7bc
-xyz12be 3b6eb75517263b9e54b9bfa869de394f
-xyz12le 27d1d6a488cbc5d53e8d12fa0e162ddb
+xyz12be a17930e991ca4ff86de5c2dc3b1e9b51
+xyz12le b134b258a9593bc2019f0493f079f3a1
y210le 4c2fba1dc40322584977d15dd07c9146
y212le ac2a47c45187dd54d0f55293cbffd954
y216le e65b5bfae1b40edbbed2012e9cd45e31
diff --git a/tests/ref/fate/filter-pixfmts-fieldorder
b/tests/ref/fate/filter-pi
[FFmpeg-devel] [PATCH] avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32 (PR #20277)
PR #20277 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20277
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20277.patch
Signed-off-by: Michael Niedermayer
>From fddada82fb61a75f207b57d316114a57b97781a0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 18 Aug 2025 17:20:49 +0200
Subject: [PATCH] avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
Signed-off-by: Michael Niedermayer
---
libavformat/lrcdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index ebef87da6c..68dadf7bd3 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -92,7 +92,7 @@ static int64_t read_ts(const char *p, int64_t *start)
if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
return 0;
}
-*start = (mm * 60 + ss) * AV_TIME_BASE;
+*start = lrint((mm * 60 + ss) * AV_TIME_BASE);
if (prefix[1] == '-') {
*start = - *start;
}
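Review bot: lrint() returns `long`, which is 32 bits on the x86-32 target this patch is meant to fix, while `*start` is int64_t: (mm * 60 + ss) * AV_TIME_BASE exceeds 2^31 once the timestamp passes roughly 35 minutes (2147 s), and lrint() on a value outside the range of `long` is undefined behaviour, so such timestamps would come back as garbage rather than a rounded 64-bit value. llrint() returns `long long` and should be used here. Also confirm that lrcdec.c already includes <math.h>, since the hunk does not add it.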
--
2.49.1
[FFmpeg-devel] [PATCH] Fix 3 bigsleep issues in exr (PR #20550)
PR #20550 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20550
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20550.patch
>From 38d62a1a51a84e220b6dbeaefd961f170d2d5c72 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 18 Sep 2025 17:32:46 +0200
Subject: [PATCH 1/3] avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer
---
libavcodec/exr.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index e6051567d1..b772f1f74a 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1021,6 +1021,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
)
return AVERROR_INVALIDDATA;
+if (ac_size <= 0) {
+avpriv_request_sample(s->avctx, "Zero ac_size");
+return AVERROR_INVALIDDATA;
+}
+
if ((uint64_t)rle_raw_size > INT_MAX) {
avpriv_request_sample(s->avctx, "Too big rle_raw_size");
return AVERROR_INVALIDDATA;
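Review bot: the new branch returns AVERROR_INVALIDDATA after calling avpriv_request_sample(), which does not match the commit message ("not implemented and we ask for a sample"): a sample request pairs with AVERROR_PATCHWELCOME, as patch 3/3 of this series does for "Gray DWA", while a plain reject pairs with AVERROR_INVALIDDATA and no sample request. Pick one. Also, since the condition is `ac_size <= 0`, the message "Zero ac_size" also fires for negative values read from the 64-bit field; "Non-positive ac_size" describes it accurately.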
--
2.49.1
>From c440bc3aed7b71217f9d552839f1e31155b6d2aa Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 18 Sep 2025 21:28:04 +0200
Subject: [PATCH 2/3] avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
thus we ask the user for a sample if she encounters such a file
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer
---
libavcodec/exr.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b772f1f74a..9da935b382 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -992,8 +992,8 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
int64_t version, lo_usize, lo_size;
int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
int64_t ac_count, dc_count, ac_compression;
-const int dc_w = td->xsize >> 3;
-const int dc_h = td->ysize >> 3;
+const int dc_w = (td->xsize + 7) >> 3;
+const int dc_h = (td->ysize + 7) >> 3;
GetByteContext gb, agb;
int skip, ret;
int have_rle = 0;
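Review bot: rounding dc_w/dc_h up enlarges the dc_w * dc_h product, so every place that sizes or bounds-checks the DC coefficient data against the old `xsize >> 3` values has to agree with the new ones, and the diff only shows the two definitions. Please confirm that dc_count is still validated against the rounded-up product and that the block loop does not read past the right or bottom edge of a tile whose size is not a multiple of 8, since that edge handling is exactly what the commit message says is unverified.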
@@ -1031,6 +1031,10 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
return AVERROR_INVALIDDATA;
}
+if (td->xsize % 8 || td->ysize % 8) {
+avpriv_request_sample(s->avctx, "odd dimensions DWA");
+}
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
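Review bot: the odd-dimension branch calls avpriv_request_sample() and then carries on decoding, which is what the commit message intends, but avpriv_request_sample() logs unconditionally on every call, so a tiled file with many odd-sized tiles will emit the full two-line warning once per tile per frame. Guarding it with a once-only flag in the context, or dropping to AV_LOG_DEBUG after the first hit, keeps the sample request without flooding the log.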
--
2.49.1
>From cd05df4a3c216f24830c86e7c376acdc7edf71a5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 19 Sep 2025 00:18:30 +0200
Subject: [PATCH 3/3] avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer
---
libavcodec/exr.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9da935b382..c83325aa52 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1005,6 +1005,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
if (version != 2)
return AVERROR_INVALIDDATA;
+if (s->nb_channels < 3) {
+avpriv_request_sample(s->avctx, "Gray DWA");
+return AVERROR_PATCHWELCOME;
+}
+
lo_usize = AV_RL64(src + 8);
lo_size = AV_RL64(src + 16);
ac_size = AV_RL64(src + 24);
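Review bot: the condition `s->nb_channels < 3` rejects two-channel files as well (e.g. Y plus A), so the "Gray DWA" label is misleading for those; "DWA with fewer than 3 channels" matches the check. It is also worth a comment stating that the hardcoded access is to the first three channels, so a reader sees that the more-than-3 case (extra channels beyond RGB) is intentionally allowed through rather than overlooked.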
--
2.49.1
___
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
[FFmpeg-devel] [PATCH] avcodec/exr: Simple check for available channels (PR #20551)
PR #20551 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20551
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20551.patch
The existing is_luma check is fragile as depending on the order
of channels it can be set or reset
No testcase
Signed-off-by: Michael Niedermayer
>From 37895af982ce07a74e02e80d40a23ad55034fcb6 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 19 Sep 2025 00:20:36 +0200
Subject: [PATCH] avcodec/exr: Simple check for available channels
The existing is_luma check is fragile as depending on the order
of channels it can be set or reset
No testcase
Signed-off-by: Michael Niedermayer
---
libavcodec/exr.c | 29 +
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index e6051567d1..cf6de22a42 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -175,6 +175,9 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
+#define M(chr) (1is_multipart = 0;
s->is_luma= 0;
+s->has_channel= 0;
s->current_part = 0;
if (bytestream2_get_bytes_left(gb) < 10) {
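Review bot: the `M(chr)` definition is mangled in this rendering (`+#define M(chr) (1is_multipart = 0;` fuses the macro with a later context line), so neither the shift expression nor the new `has_channel` struct member can be reviewed from this copy. Please check the patch as sent: the macro should shift by `(chr) - 'A'` only after the `ch_chr >= 'A' && ch_chr <= 'Z'` guard in the next hunk has been applied, and `has_channel` needs room for 26 bits (an `unsigned int` is fine).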
@@ -1711,23 +1715,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
}
if (layer_match) { /* only search channel if the layer match
is valid */
+if (strlen(ch_gb.buffer) == 1) {
+int ch_chr = av_toupper(*ch_gb.buffer);
+if (ch_chr >= 'A' && ch_chr <= 'Z')
+s->has_channel |= M(ch_chr);
+av_log(0,0, "%c\n", ch_chr);
+}
+
if (!av_strcasecmp(ch_gb.buffer, "R") ||
!av_strcasecmp(ch_gb.buffer, "X") ||
!av_strcasecmp(ch_gb.buffer, "U")) {
channel_index = 0;
-s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "G") ||
!av_strcasecmp(ch_gb.buffer, "V")) {
channel_index = 1;
-s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
channel_index = 1;
-s->is_luma = 1;
} else if (!av_strcasecmp(ch_gb.buffer, "B") ||
!av_strcasecmp(ch_gb.buffer, "Z") ||
!av_strcasecmp(ch_gb.buffer, "W")) {
channel_index = 2;
-s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "A")) {
channel_index = 3;
} else {
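Review bot: `av_log(0,0, "%c\n", ch_chr);` is leftover debug output and must be removed: a NULL context with level 0 is AV_LOG_PANIC, so it prints unconditionally for every single-letter channel name in every file. The rest of the hunk is fine: the `'A'..'Z'` guard keeps M() in range, and dropping the per-branch `s->is_luma = 0/1` assignments is correct now that is_luma is derived from the complete channel set afterwards.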
@@ -1803,6 +1810,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->current_channel_offset += 4;
}
}
+if(!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+s->is_luma = 0;
+} else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+s->is_luma = 0;
+} else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+s->is_luma = 0;
+} else if (!((M('Y') ) & ~s->has_channel) &&
+ !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X')
+ M('Z')) & s->has_channel)) {
+s->is_luma = 1;
+} else {
+avpriv_request_sample(s->avctx, "Uncommon channel
combination");
+ret = AVERROR(AVERROR_PATCHWELCOME);
+goto fail;
+}
/* Check if all channels are set with an offset or if the channels
* are causing an overflow */
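Review bot: `ret = AVERROR(AVERROR_PATCHWELCOME);` is wrong: AVERROR_PATCHWELCOME is already a negative error code, and wrapping it in AVERROR() negates it into a positive value, so the `goto fail` path would hand the caller a value that does not look like an error. Use `ret = AVERROR_PATCHWELCOME;`. Two smaller points: the masks are combined with `+` (e.g. `M('R') + M('G') + M('B')`), which only works because every M() bit is distinct; `|` states the intent and cannot spill into a neighbouring bit if the macro ever changes. And the "Uncommon channel combination" literal appears split across two lines in the diff, presumably mail wrapping, so verify it compiles as sent.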
--
2.49.1
[FFmpeg-devel] [PATCH] Animated webp decoder (PR #20568)
PR #20568 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20568
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20568.patch
Simply updated and rebased to current git master.
Is it OK as is, or should we ignore ANMF chunks if strict_std_compliance >
FF_COMPLIANCE_EXPERIMENTAL?
>From 942408d01009653f314469e1ce2e58b105cbce1d Mon Sep 17 00:00:00 2001
From: Thilo Borgmann
Date: Fri, 21 Jun 2024 12:43:16 +0200
Subject: [PATCH 1/8] avcodec/webp: remove unused definitions
Signed-off-by: Michael Niedermayer
---
libavcodec/webp.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 62967a394d..d6aa57ce48 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -60,8 +60,6 @@
#define VP8X_FLAG_ALPHA 0x10
#define VP8X_FLAG_ICC 0x20
-#define MAX_PALETTE_SIZE256
-#define MAX_CACHE_BITS 11
#define NUM_CODE_LENGTH_CODES 19
#define HUFFMAN_CODES_PER_META_CODE 5
#define NUM_LITERAL_CODES 256
--
2.49.1
>From 0434920a3087b95cc1a41bbe52fdfe899906a81d Mon Sep 17 00:00:00 2001
From: Thilo Borgmann
Date: Fri, 21 Jun 2024 12:43:17 +0200
Subject: [PATCH 2/8] avcodec/webp: separate VP8 decoding
Signed-off-by: Michael Niedermayer
---
libavcodec/webp.c | 50 +--
1 file changed, 44 insertions(+), 6 deletions(-)
diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index d6aa57ce48..e5b061ae62 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -195,6 +195,7 @@ typedef struct WebPContext {
AVFrame *alpha_frame; /* AVFrame for alpha data decompressed
from VP8L */
AVPacket *pkt; /* AVPacket to be passed to the
underlying VP8 decoder */
AVCodecContext *avctx; /* parent AVCodecContext */
+AVCodecContext *avctx_vp8; /* wrapper context for VP8 decoder */
int initialized;/* set once the VP8 context is
initialized */
int has_alpha; /* has a separate alpha chunk */
enum AlphaCompression alpha_compression; /* compression type for alpha
chunk */
@@ -1302,12 +1303,13 @@ static int vp8_lossy_decode_frame(AVCodecContext
*avctx, AVFrame *p,
int ret;
if (!s->initialized) {
-ff_vp8_decode_init(avctx);
+VP8Context *s_vp8 = s->avctx_vp8->priv_data;
+s_vp8->actually_webp = 1;
s->initialized = 1;
-s->v.actually_webp = 1;
}
avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;
s->lossless = 0;
+s->avctx_vp8->pix_fmt = avctx->pix_fmt;
if (data_size > INT_MAX) {
av_log(avctx, AV_LOG_ERROR, "unsupported chunk size\n");
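Review bot: with `ff_vp8_decode_init(avctx)` removed, `s->initialized` no longer means "the outer context holds VP8 state", yet the flag is still set here and is still what webp_decode_close() (last hunk) tests before calling ff_vp8_decode_free(avctx); that pairing needs to change in this same patch (see the note on the close hunk). Also, `s->avctx_vp8->pix_fmt = avctx->pix_fmt;` at this point is the assignment that matters, since has_alpha is only known per frame; the copy of pix_fmt in webp_decode_init() runs before it is known (typically still AV_PIX_FMT_NONE) and is the redundant one.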
@@ -1318,14 +1320,32 @@ static int vp8_lossy_decode_frame(AVCodecContext
*avctx, AVFrame *p,
s->pkt->data = data_start;
s->pkt->size = data_size;
-ret = ff_vp8_decode_frame(avctx, p, got_frame, s->pkt);
-if (ret < 0)
+ret = avcodec_send_packet(s->avctx_vp8, s->pkt);
+if (ret < 0) {
+av_log(avctx, AV_LOG_ERROR, "Error submitting a packet for
decoding\n");
return ret;
+}
-if (!*got_frame)
+ret = avcodec_receive_frame(s->avctx_vp8, p);
+if (ret < 0) {
+av_log(avctx, AV_LOG_ERROR, "VP8 decoding error: %s.\n",
av_err2str(ret));
return AVERROR_INVALIDDATA;
+}
-update_canvas_size(avctx, avctx->width, avctx->height);
+ret = ff_decode_frame_props(avctx, p);
+if (ret < 0) {
+return ret;
+}
+
+if (!p->private_ref) {
+ret = ff_attach_decode_data(p);
+if (ret < 0) {
+return ret;
+}
+}
+
+*got_frame = 1;
+update_canvas_size(avctx, s->avctx_vp8->width, s->avctx_vp8->height);
if (s->has_alpha) {
ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data,
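Review bot: the error handling after `avcodec_receive_frame()` folds every failure, including AVERROR(EAGAIN) and AVERROR_EOF, into AVERROR_INVALIDDATA, so if the inner decoder ever needs more input or has been flushed the log message blames the bitstream. Return `ret` for those two codes, or at least log the distinction. The manual ff_decode_frame_props()/ff_attach_decode_data() calls are needed because the frame was produced by a foreign context; a one-line comment saying so will save the next reader a trip through decode.c. Setting `s->pkt->data`/`size` directly on an unreferenced packet is fine only because avcodec_send_packet() refs (and therefore copies) an unowned buffer; a comment there would help too.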
@@ -1539,11 +1559,28 @@ exif_end:
static av_cold int webp_decode_init(AVCodecContext *avctx)
{
WebPContext *s = avctx->priv_data;
+int ret;
+const AVCodec *codec;
s->pkt = av_packet_alloc();
if (!s->pkt)
return AVERROR(ENOMEM);
+
+/* Prepare everything needed for VP8 decoding */
+codec = avcodec_find_decoder(AV_CODEC_ID_VP8);
+if (!codec)
+return AVERROR_BUG;
+s->avctx_vp8 = avcodec_alloc_context3(codec);
+if (!s->avctx_vp8)
+return AVERROR(ENOMEM);
+s->avctx_vp8->flags = avctx->flags;
+s->avctx_vp8->flags2 = avctx->flags2;
+s->avctx_vp8->pix_fmt = avctx->pix_fmt;
+ret = avcodec_open2(s->avctx_vp8, codec, NULL);
+if (ret < 0) {
+return ret;
+}
return 0;
}
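Review bot: if `avcodec_open2(s->avctx_vp8, codec, NULL)` fails, the already allocated `s->pkt` and `s->avctx_vp8` are only released if webp_decode_close() runs on init failure, which requires the decoder to carry FF_CODEC_CAP_INIT_CLEANUP; please confirm it does, or free them on the error path here. Also, only flags/flags2/pix_fmt are propagated to the inner context; err_recognition and the threading fields are the other settings callers normally expect to reach the real decoder, so decide explicitly whether the inner VP8 decoder should inherit them.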
@@ -1552,6 +1589,7 @@ static av_cold int webp_decode_close(AVCodecContext
*avctx)
WebPContext *s = avctx->priv_data;
av_packet_free(&s->pkt);
+avcodec_free_context(&s->avctx_vp8);
if (s->initialized)
return ff_vp8_decode_free(avctx);
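Review bot: `ff_vp8_decode_free(avctx)` is still called when `s->initialized` is set, but after this patch ff_vp8_decode_init() is never run on the outer avctx (see the vp8_lossy_decode_frame hunk), so this frees VP8 state that was never initialised on a context whose priv_data is now a WebPContext plus a wrapper pointer. Remove the ff_vp8_decode_free() call in this patch, leaving `avcodec_free_context(&s->avctx_vp8)` to tear down the VP8 decoder.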
--
2.49.1
>From cd22c2f8e2803c4a854c
[FFmpeg-devel] [PATCH] avformat/dhav: Factorize some code in get_duration() (PR #20560)
PR #20560 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20560 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20560.patch Signed-off-by: Michael Niedermayer >From 798c4c50d53a01eb24f172575869738c9e26d93c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Sep 2025 01:56:20 +0200 Subject: [PATCH] avformat/dhav: Factrorize some code in get_duration() Signed-off-by: Michael Niedermayer --- libavformat/dhav.c | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavformat/dhav.c b/libavformat/dhav.c index 21c9c530d6..e28631770d 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c @@ -242,7 +242,7 @@ static int64_t get_duration(AVFormatContext *s) int64_t start_pos = avio_tell(s->pb); int64_t pos = -1; -int64_t start = 0, end = 0; +int64_t start = 0; struct tm timeinfo; uint8_t *buffer; int64_t buffer_size; @@ -250,6 +250,7 @@ static int64_t get_duration(AVFormatContext *s) int64_t offset; unsigned date; int64_t size = avio_size(s->pb); +int64_t ret = 0; if (start_pos + 16 > size) return 0; @@ -284,17 +285,12 @@ static int64_t get_duration(AVFormatContext *s) date = AV_RL32(buffer + (pos - buffer_pos) + 16); get_timeinfo(date, &timeinfo); -end = av_timegm(&timeinfo) * 1000LL; -av_freep(&buffer); - -avio_seek(s->pb, start_pos, SEEK_SET); - -return end - start; +ret = av_timegm(&timeinfo) * 1000LL - start; fail: av_freep(&buffer); avio_seek(s->pb, start_pos, SEEK_SET); -return 0; +return ret; } static int dhav_read_header(AVFormatContext *s) -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
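Review bot: routing the success case through `fail:` is fine, but it makes the single `av_freep(&buffer)` the only cleanup for every path, so `buffer` must be NULL before the first `goto fail`; the visible declaration `uint8_t *buffer;` has no initialiser and the hunk does not add one, so please confirm no `goto fail` can precede the allocation. Also, this patch and PR #20559 both apply to the same base (`index 21c9c530d6`) and touch neighbouring lines in get_duration(), so whichever lands second needs a rebase.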
[FFmpeg-devel] [PATCH] avformat/dhav: Fix off by length of read element error (PR #20559)
PR #20559 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20559 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20559.patch Fixes: out of array read Fixes: BIGSLEEP-445383648 Fixes: crash_input_1/2/3.dhav Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer >From e66d02f3c566e42984ad6862bdcbe2a6796ec2a1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 20 Sep 2025 01:25:51 +0200 Subject: [PATCH] avformat/dhav: Fix off by length of read element error Fixes: out of array read Fixes: BIGSLEEP-445383648 Fixes: crash_input_1/2/3.dhav Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer --- libavformat/dhav.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dhav.c b/libavformat/dhav.c index 21c9c530d6..105a987aa3 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c @@ -279,7 +279,7 @@ static int64_t get_duration(AVFormatContext *s) } } -if (pos < buffer_pos || pos + 16 > buffer_pos + buffer_size) +if (pos < buffer_pos || pos + 20 > buffer_pos + buffer_size) goto fail; date = AV_RL32(buffer + (pos - buffer_pos) + 16); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
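Review bot: `pos + 20` is the right bound because `AV_RL32(buffer + (pos - buffer_pos) + 16)` reads bytes 16..19 of the element, which the previous `pos + 16` check did not cover. A comment such as `/* 16 byte header + 4 byte date */` beside the condition, or a named constant shared with the AV_RL32 offset, would stop the two values drifting apart again. Note that this patch and PR #20560 share the base `index 21c9c530d6` and modify adjacent lines of get_duration(), so one of them will need rebasing.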
[FFmpeg-devel] [PATCH] avcodec/g723_1enc: Make min_err 64bit (PR #20658)
PR #20658 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20658
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20658.patch
This fixes the case of leaving the struct uninitialized and crashing
Untested, as no testcase
Signed-off-by: Michael Niedermayer
>From 54e775f818592e54c7e0fe2603bfd15e9a8e24bb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 7 Oct 2025 01:58:34 +0200
Subject: [PATCH] avcodec/g723_1enc: Make min_err 64bit
This fixes the case of leaving the struct uninitialized and crashing
Untested, as no testcase
Signed-off-by: Michael Niedermayer
---
libavcodec/g723_1.h| 2 +-
libavcodec/g723_1enc.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 521f220b2a..f3cd32e37d 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -108,7 +108,7 @@ typedef struct HFParam {
* Optimized fixed codebook excitation parameters
*/
typedef struct FCBParam {
-int min_err;
+int64_t min_err;
int amp_index;
int grid_index;
int dirac_train;
diff --git a/libavcodec/g723_1enc.c b/libavcodec/g723_1enc.c
index ee5b0fe251..4fd4567a87 100644
--- a/libavcodec/g723_1enc.c
+++ b/libavcodec/g723_1enc.c
@@ -1013,7 +1013,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t
*impulse_resp,
int pulse_cnt = pulses[index];
int i;
-optim.min_err = 1 << 30;
+optim.min_err = 1LL << 31;
get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {
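Review bot: widening min_err alone does not guarantee that `optim` gets populated: the commit message attributes the crash to the struct being left uninitialised, which happens whenever no candidate error falls below the sentinel. If the candidate errors are computed as 32-bit `int`, the new `1LL << 31` sentinel is strictly greater than any of them and the first candidate is always accepted, which would indeed fix it; but if a candidate can overflow `int` during its own computation the comparison still sees a wrapped value. Please state in the commit message which case is being fixed, and either initialise `optim` (e.g. `= {0}`) or assert that at least one candidate was taken, so correctness does not rest on the sentinel alone.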
--
2.49.1
[FFmpeg-devel] [PATCH] avcodec/vvc/dec: Always clear tab in tl_create() (PR #20670)
PR #20670 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20670
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20670.patch
Fixes: use of uninitialized memory
Fixes: 449549597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-5600497089445888
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
>From b8be9468dc6fb2baa880c45c2e89ab04d056c1c8 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 8 Oct 2025 17:21:31 +0200
Subject: [PATCH] avcodec/vvc/dec: Always clear tab in tl_create()
Fixes: use of uninitialized memory
Fixes: 449549597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-5600497089445888
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/vvc/dec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c
index b31fceef40..9b738b8a44 100644
--- a/libavcodec/vvc/dec.c
+++ b/libavcodec/vvc/dec.c
@@ -86,7 +86,7 @@ static int tl_create(TabList *l)
for (int i = 0; i < l->nb_tabs; i++) {
Tab *t = l->tabs + i;
-*t->tab = l->zero ? av_mallocz(t->size) : av_malloc(t->size);
+*t->tab = av_mallocz(t->size);
if (!*t->tab)
return AVERROR(ENOMEM);
}
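Review bot: after this change `l->zero` is no longer consulted in tl_create(), so the field and every place that sets it become dead state; remove them in the same patch, or say in the commit message why they stay, so nobody assumes non-zeroed tabs are still possible. The commit message should also name which tab was read before being written, since zeroing every table unconditionally is the broad fix and a targeted one may be preferable for the large per-frame tables.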
--
2.49.1
[FFmpeg-devel] [PATCH] ff-tmp-sanm-unhack (PR #20306)
PR #20306 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20306
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20306.patch
Remove some pointers into freed buffers
Fixes BIGSLEEP-440183164
>From fbc1d9dca1aa30ac5e2c63c295652c4b1f54d7be Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 21 Aug 2025 18:40:26 +0200
Subject: [PATCH 1/3] avcodec/sanm: Replace impossible bitstream check by
assert
the space left and size have already been cross checked by the caller
Signed-off-by: Michael Niedermayer
---
libavcodec/sanm.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index e4308af647..1495da2a1e 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1832,8 +1832,7 @@ static int process_ftch(SANMVideoContext *ctx, int size)
xoff = bytestream2_get_le16u(&ctx->gb);
yoff = bytestream2_get_le16u(&ctx->gb);
} else {
-if (bytestream2_get_bytes_left(&ctx->gb) < 12)
-return AVERROR_INVALIDDATA;
+av_assert0(bytestream2_get_bytes_left(&ctx->gb) >= 12);
bytestream2_skip(&ctx->gb, 4);
xoff = bytestream2_get_be32u(&ctx->gb);
yoff = bytestream2_get_be32u(&ctx->gb);
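Review bot: av_assert0() is compiled into every build, so if the caller's cross-check that the commit message relies on is ever relaxed, a truncated FTCH changes from a clean AVERROR_INVALIDDATA into an abort() on untrusted input. If the invariant really is guaranteed by the caller, av_assert1() (debug builds only) is the usual choice for an internal consistency check; otherwise keep the cheap bounds check and add a comment explaining why it cannot fire.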
--
2.49.1
>From e7b08e87c6f5205bc4c6355ab7138a2ae0a8de17 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 21 Aug 2025 18:59:36 +0200
Subject: [PATCH 2/3] avcodec/sanm: Remove left/top adjustment hack
Fixes: write after free
Fixes: BIGSLEEP-440183164/process_ftch.anim
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer
---
libavcodec/sanm.c | 20 ++--
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 1495da2a1e..83e0eb7241 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1660,7 +1660,7 @@ static int old_codec48(SANMVideoContext *ctx, int width,
int height)
return 0;
}
-static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb)
+static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb, int
extraleft, int extratop)
{
uint16_t w, h, parm2;
uint8_t codec, param;
@@ -1669,8 +1669,8 @@ static int process_frame_obj(SANMVideoContext *ctx,
GetByteContext *gb)
codec = bytestream2_get_byteu(gb);
param = bytestream2_get_byteu(gb);
-left = bytestream2_get_le16u(gb);
-top = bytestream2_get_le16u(gb);
+left = bytestream2_get_le16u(gb) + extraleft;
+top = bytestream2_get_le16u(gb) + extratop;
w = bytestream2_get_le16u(gb);
h = bytestream2_get_le16u(gb);
bytestream2_skip(gb, 2);
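Review bot: `left = bytestream2_get_le16u(gb) + extraleft;` depends on the declared type of `left`/`top`, which is not in the hunk (only `uint16_t w, h, parm2;` is visible). The removed hack stored `left + xoff` back into an int16_t, so it wrapped to 16 bits; if `left` is an `int`, the new code no longer wraps and can now hand the codec-specific blitters values outside the int16 range they have seen so far. Please confirm the declaration and, if `left`/`top` are int, bound them before use (the check proposed in PR #20268 covers positive overshoot but not large negative values).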
@@ -1820,7 +1820,7 @@ static int process_frame_obj(SANMVideoContext *ctx,
GetByteContext *gb)
static int process_ftch(SANMVideoContext *ctx, int size)
{
uint8_t *sf = ctx->stored_frame;
-int xoff, yoff, left, top, ret;
+int xoff, yoff, ret;
GetByteContext gb;
uint32_t sz;
@@ -1841,18 +1841,10 @@ static int process_ftch(SANMVideoContext *ctx, int size)
sz = *(uint32_t *)(sf + 0);
if ((sz > 0) && (sz <= ctx->stored_frame_size - 4)) {
/* add the FTCH offsets to the left/top values of the stored FOBJ */
-left = av_le2ne16(*(int16_t *)(sf + 4 + 2));
-top = av_le2ne16(*(int16_t *)(sf + 4 + 4));
-*(int16_t *)(sf + 4 + 2) = av_le2ne16(left + xoff);
-*(int16_t *)(sf + 4 + 4) = av_le2ne16(top + yoff);
/* decode the stored FOBJ */
bytestream2_init(&gb, sf + 4, sz);
-ret = process_frame_obj(ctx, &gb);
-
-/* now restore the original left/top values again */
-*(int16_t *)(sf + 4 + 2) = av_le2ne16(left);
-*(int16_t *)(sf + 4 + 4) = av_le2ne16(top);
+ret = process_frame_obj(ctx, &gb, xoff, yoff);
} else {
/* this happens a lot in RA1: The individual files are meant to
* be played in sequence, with some referencing objects STORed
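Review bot: good, the in-place rewrite of the stored FOBJ header is gone, so a reallocation of ctx->stored_frame inside process_frame_obj() can no longer leave `sf` pointing into freed memory when the old "restore the original left/top values" writes ran afterwards. Since `gb` is still initialised from `sf + 4` and handed to process_frame_obj() by pointer, the `/* decode the stored FOBJ */` comment is the right place to note that nothing may touch `sf` after that call, so the invariant this fix depends on is written down.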
@@ -2359,7 +2351,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame
*frame,
case MKBETAG('F', 'O', 'B', 'J'):
if (size < 16)
return AVERROR_INVALIDDATA;
-if (ret = process_frame_obj(ctx, &ctx->gb))
+if (ret = process_frame_obj(ctx, &ctx->gb, 0, 0))
return ret;
have_img = 1;
--
2.49.1
>From 36ca6798358686268093473cbbcb3e706d8ad2c2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 21 Aug 2025 19:06:03 +0200
Subject: [PATCH 3/3] avcodec/sanm: Eliminate reference into reallocated frame
AFAIK the original decoder uses the frame buffers in very strange ways
our implementation seems to mimic that and that results in the
bitstream input to point into a frame buffer while code then
parses that and potentially reallocates the frame buffer
leaving pointers hanging into deallocated space
This simply uses a temporary buffer
Fixes: Writing into freed buffers
Fixes: BIGSLEEP-440183164/old_codec21.ani
[FFmpeg-devel] [PATCH] A few new decoders and a parser from almpeg (PR #20325)
PR #20325 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20325
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20325.patch
These are taken from before the switch to GPLv3+
If people prefer, we can merge the GPLv3+ switch for these modules too and put
them under --enable-gpl and --enable-v3
>From 560ebf42e09e4e378c420908f2eed81d893f9df6 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Mon, 18 Nov 2024 19:04:23 +
Subject: [PATCH 01/15] avcodec: add AHX decoder
(cherry picked from commit 039dc23d185214b8b0ef2bbccae197ceb5ad42a2)
---
libavcodec/Makefile| 1 +
libavcodec/allcodecs.c | 1 +
libavcodec/bitstream_filters.c | 1 +
libavcodec/bsf/Makefile| 1 +
libavcodec/bsf/ahx_to_mp2.c| 62 ++
libavcodec/codec_desc.c| 7
libavcodec/codec_id.h | 1 +
libavcodec/mpegaudiodec_float.c| 18 +
libavcodec/mpegaudiodec_template.c | 3 +-
9 files changed, 94 insertions(+), 1 deletion(-)
create mode 100644 libavcodec/bsf/ahx_to_mp2.c
diff --git a/libavcodec/Makefile b/libavcodec/Makefile
index 3d036de4b6..e1cce1275b 100644
--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@@ -219,6 +219,7 @@ OBJS-$(CONFIG_AC3_FIXED_ENCODER) += ac3enc_fixed.o
ac3enc.o ac3tab.o ac3.o
OBJS-$(CONFIG_AC3_MF_ENCODER) += mfenc.o mf_utils.o
OBJS-$(CONFIG_ACELP_KELVIN_DECODER)+= g729dec.o lsp.o celp_filters.o
acelp_filters.o acelp_pitch_delay.o acelp_vectors.o g729postfilter.o
OBJS-$(CONFIG_AGM_DECODER) += agm.o jpegquanttables.o
+OBJS-$(CONFIG_AHX_DECODER) += mpegaudiodec_float.o
OBJS-$(CONFIG_AIC_DECODER) += aic.o
OBJS-$(CONFIG_ALAC_DECODER)+= alac.o alac_data.o alacdsp.o
OBJS-$(CONFIG_ALAC_ENCODER)+= alacenc.o alac_data.o
diff --git a/libavcodec/allcodecs.c b/libavcodec/allcodecs.c
index f5ec2e01e8..017d100848 100644
--- a/libavcodec/allcodecs.c
+++ b/libavcodec/allcodecs.c
@@ -434,6 +434,7 @@ extern const FFCodec ff_ac3_decoder;
extern const FFCodec ff_ac3_fixed_encoder;
extern const FFCodec ff_ac3_fixed_decoder;
extern const FFCodec ff_acelp_kelvin_decoder;
+extern const FFCodec ff_ahx_decoder;
extern const FFCodec ff_alac_encoder;
extern const FFCodec ff_alac_decoder;
extern const FFCodec ff_als_decoder;
diff --git a/libavcodec/bitstream_filters.c b/libavcodec/bitstream_filters.c
index c277bc1a71..b4b852c7e6 100644
--- a/libavcodec/bitstream_filters.c
+++ b/libavcodec/bitstream_filters.c
@@ -25,6 +25,7 @@
#include "bsf_internal.h"
extern const FFBitStreamFilter ff_aac_adtstoasc_bsf;
+extern const FFBitStreamFilter ff_ahx_to_mp2_bsf;
extern const FFBitStreamFilter ff_apv_metadata_bsf;
extern const FFBitStreamFilter ff_av1_frame_merge_bsf;
extern const FFBitStreamFilter ff_av1_frame_split_bsf;
diff --git a/libavcodec/bsf/Makefile b/libavcodec/bsf/Makefile
index 8e2e6f7b14..48a2f85ac7 100644
--- a/libavcodec/bsf/Makefile
+++ b/libavcodec/bsf/Makefile
@@ -3,6 +3,7 @@ clean::
OBJS-$(CONFIG_AAC_ADTSTOASC_BSF) += bsf/aac_adtstoasc.o
OBJS-$(CONFIG_APV_METADATA_BSF) += bsf/apv_metadata.o
+OBJS-$(CONFIG_AHX_TO_MP2_BSF) += bsf/ahx_to_mp2.o
OBJS-$(CONFIG_AV1_FRAME_MERGE_BSF)+= bsf/av1_frame_merge.o
OBJS-$(CONFIG_AV1_FRAME_SPLIT_BSF)+= bsf/av1_frame_split.o
OBJS-$(CONFIG_AV1_METADATA_BSF) += bsf/av1_metadata.o
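Review bot: the new CONFIG_AHX_TO_MP2_BSF line is inserted between APV_METADATA_BSF and AV1_FRAME_MERGE_BSF, breaking the alphabetical order the list otherwise keeps (aac, apv, av1); move it above the APV line. The matching extern in bitstream_filters.c is already in the correct position.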
diff --git a/libavcodec/bsf/ahx_to_mp2.c b/libavcodec/bsf/ahx_to_mp2.c
new file mode 100644
index 00..eae71fe5ee
--- /dev/null
+++ b/libavcodec/bsf/ahx_to_mp2.c
@@ -0,0 +1,62 @@
+/*
+ * AHX to MP2 bitstream filter
+ * Copyright (c) 2024 Paul B Mahol
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/**
+ * @file
+ * AHX to MP2 bitstream filter.
+ */
+
+#include "libavutil/intreadwrite.h"
+#include "bsf.h"
+#include "bsf_internal.h"
+
+static av_cold int init(AVBSFContext *ctx)
+{
+ctx->par_out->codec_id = AV_CODEC_ID_MP2;
+
+return 0;
+}
+
+static int filter(AVBSFContext *ctx, AVPacket *pkt)
+{
+int ret;
+
+ret = ff_bsf_get_packet_ref(ctx, pkt);
+if (ret < 0)
+return ret;
+
+if (pkt->size < 1044) {
+ret = av_grow_packet(pkt, 1044-pkt->size);
+i
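Review bot: in filter(), `av_grow_packet(pkt, 1044-pkt->size)` grows every short packet to a fixed 1044 bytes, but in the part of the hunk visible here nothing writes or zeroes the bytes between the old pkt->size and 1044; av_grow_packet() clears only the padding after the new size, so unless the rest of the function fills that region the MP2 decoder will consume stale buffer contents. The magic number 1044 also wants a named constant or a comment saying which frame size it is, and the filter currently sets par_out->codec_id without checking par_in, so a mismatched input codec would be passed through silently.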
[FFmpeg-devel] [PATCH] aacdec_usac: use RefStruct to track unfinished extension buffers [Lynnes version + 2 bugfixes] (PR #20261)
PR #20261 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20261
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20261.patch
Extensions in AAC USAC can be stored across multiple frames (mainly to keep CBR
compliance).
This means that we need to reallocate a buffer when new data is received,
accumulate the bitstream data,
and so on until the end of extension flag is signalled and the extension can be
decoded.
This is made more complicated by the way in which the AAC channel layout
switching is performed.
After decades of evolution, our AAC decoder evolved to double-buffer its entire
configuration.
All changes are buffered, verified, and applied, on a per-frame basis if
required, in often
random order.
Since we allocate the extension data on heap, this means that if configuration
is applied,
in order to avoid double-freeing, we have to keep track of what we've allocated.
It should be noted that extensions which are spread in multiple frames are
generally rare,
so an optimization to introduce av_refstruct_realloc() wouldn't generally be
useful across the codebase.
Therefore, a copy is good enough for now.
Fixes: double free
Fixes:
393523547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6740617236905984
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>From 364fd9e815a33ed2d55271cda252106889bdae3f Mon Sep 17 00:00:00 2001
From: Lynne
Date: Mon, 11 Aug 2025 22:26:35 +0900
Subject: [PATCH] aacdec_usac: use RefStruct to track unfinished extension
buffers
Extensions in AAC USAC can be stored across multiple frames (mainly to keep CBR
compliance).
This means that we need to reallocate a buffer when new data is received,
accumulate the bitstream data,
and so on until the end of extension flag is signalled and the extension can be
decoded.
This is made more complicated by the way in which the AAC channel layout
switching is performed.
After decades of evolution, our AAC decoder evolved to double-buffer its entire
configuration.
All changes are buffered, verified, and applied, on a per-frame basis if
required, in often
random order.
Since we allocate the extension data on heap, this means that if configuration
is applied,
in order to avoid double-freeing, we have to keep track of what we've allocated.
It should be noted that extensions which are spread in multiple frames are
generally rare,
so an optimization to introduce av_refstruct_realloc() wouldn't generally be
useful across the codebase.
Therefore, a copy is good enough for now.
Fixes: double free
Fixes:
393523547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6740617236905984
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
libavcodec/aac/aacdec.c | 28 +---
libavcodec/aac/aacdec.h | 4 ++--
libavcodec/aac/aacdec_usac.c | 31 +++
3 files changed, 46 insertions(+), 17 deletions(-)
diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c
index 6a2aa9dc8e..90a8468898 100644
--- a/libavcodec/aac/aacdec.c
+++ b/libavcodec/aac/aacdec.c
@@ -62,6 +62,7 @@
#include "libavutil/opt.h"
#include "libavutil/tx.h"
#include "libavutil/version.h"
+#include "libavutil/refstruct.h"
/*
* supported tools
@@ -421,6 +422,26 @@ static uint64_t sniff_channel_order(uint8_t
(*layout_map)[3], int tags)
return layout;
}
+static void copy_oc(OutputConfiguration *dst, OutputConfiguration *src)
+{
+int i;
+
+for (i = 0; i < src->usac.nb_elems; i++) {
+AACUsacElemConfig *src_e = &src->usac.elems[i];
+AACUsacElemConfig *dst_e = &dst->usac.elems[i];
+
+av_refstruct_replace(&dst_e->ext.pl_buf, src_e->ext.pl_buf);
+av_assert0(dst_e->ext.pl_buf == src_e->ext.pl_buf);
+}
+for (; i < dst->usac.nb_elems; i++) {
+AACUsacElemConfig *dst_e = &dst->usac.elems[i];
+
+av_refstruct_replace(&dst_e->ext.pl_buf, NULL);
+}
+
+*dst = *src;
+}
+
/**
* Save current output configuration if and only if it has been locked.
*/
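Review bot: the final `*dst = *src;` in copy_oc() overwrites everything the two loops just arranged, including the elems[] slots beyond src->usac.nb_elems: the second loop drops dst's references for those slots and the struct copy then fills them with whatever src holds there, without taking a reference. That is only safe if src's unused slots are guaranteed to have pl_buf == NULL; if so, say it in a comment (or clear src's surplus slots before the copy), otherwise dst ends up with unowned pointers that a later av_refstruct_replace() on the same slot would unref. The av_assert0() after av_refstruct_replace() merely restates that function's contract and can go.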
@@ -429,7 +450,7 @@ static int push_output_configuration(AACDecContext *ac)
int pushed = 0;
if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
-ac->oc[0] = ac->oc[1];
+copy_oc(&ac->oc[0], &ac->oc[1]);
pushed = 1;
}
ac->oc[1].status = OC_NONE;
@@ -443,7 +464,8 @@ static int push_output_configuration(AACDecContext *ac)
static void pop_output_configuration(AACDecContext *ac)
{
if (ac->oc[1].status != OC_LOCKED && ac->oc[0].status != OC_NONE) {
-ac->oc[1] = ac->oc[0];
+copy_oc(&ac->oc[1], &ac->oc[0]);
+
ac->avctx->ch_layout = ac->oc[1].ch_layout;
ff_aac_output_configure(ac, ac->oc[1].layout_map,
ac->oc[1].layout_map_tags,
ac->oc[1].status, 0);
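Review bot: the empty line added after `copy_oc(&ac->oc[1], &ac->oc[0]);` in pop_output_configuration() is an unrelated whitespace change; drop it so the hunk contains only the functional replacement, as the push_output_configuration() hunk does.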
@@ -1107,7 +1129,7 @@ static av_cold int decode_close
[FFmpeg-devel] [PATCH] ff_lxf_uncompress realloc vs av_fast_realloc fix (PR #20280)
PR #20280 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20280.patch
ff_lzf_uncompress() reallocates the array which we allocated with av_fast_realloc();
this patchset fixes this by adding av_fast_realloc() support to ff_lzf_uncompress().
>From cee3985dd978103cab742b6cc5fa98aad9ad8608 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 19 Aug 2025 03:09:14 +0200
Subject: [PATCH 1/2] avcodec: Use av_fast_realloc() in ff_lzf_uncompress()
Fixes:
438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Fixes: mixed up realloc() functions
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/dxv.c | 2 +-
libavcodec/lzf.c | 28 +++-
libavcodec/lzf.h | 2 +-
libavcodec/notchlc.c | 2 +-
4 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index dd82e450b1..b48ee76a88 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -828,7 +828,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
static int dxv_decompress_lzf(AVCodecContext *avctx)
{
DXVContext *ctx = avctx->priv_data;
-return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size);
+return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size,
&ctx->tex_data_size);
}
static int dxv_decompress_raw(AVCodecContext *avctx)
diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
index 94b369dd59..3e8780d599 100644
--- a/libavcodec/lzf.c
+++ b/libavcodec/lzf.c
@@ -37,7 +37,27 @@
#define LZF_LITERAL_MAX (1 << 5)
#define LZF_LONG_BACKREF 7 + 2
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size)
+
+static inline int lzf_realloc(uint8_t **buf, int64_t *size, int addition,
unsigned *allocated_size)
+{
+if (allocated_size) {
+void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition);
+if (!ptr) {
+av_freep(buf); //probably not needed
+return AVERROR(ENOMEM);
+}
+*buf = ptr;
+*size += addition;
+
+return 0;
+} else {
+//TODO remove this codepath after updating notchlc
+*size += addition + *size / 2;
+return av_reallocp(buf, *size);
+}
+}
+
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size,
unsigned *allocated_size)
{
int ret = 0;
uint8_t *p = *buf;
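Review bot: the `av_freep(buf); //probably not needed` comment in lzf_realloc() should be resolved before merging rather than shipped as a guess: av_fast_realloc() does not free the old buffer when the reallocation fails, so the free is needed to avoid leaking it and the comment is misleading. On that failure path *buf becomes NULL while *size keeps its old value, which mirrors what the av_reallocp() fallback already did and is worth stating in a comment. Also, `*size + addition` is int64_t but av_fast_realloc() takes the request through size_t into an unsigned *allocated_size; an explicit check that the request fits in unsigned (returning AVERROR(ENOMEM) otherwise) would make the limit visible here instead of relying on av_fast_realloc()'s internal clamp.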
@@ -49,8 +69,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf,
int64_t *size)
if (s < LZF_LITERAL_MAX) {
s++;
if (s > *size - len) {
-*size += s + *size /2;
-ret = av_reallocp(buf, *size);
+ret = lzf_realloc(buf, size, s, allocated_size);
if (ret < 0)
return ret;
p = *buf + len;
@@ -75,8 +94,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf,
int64_t *size)
return AVERROR_INVALIDDATA;
if (l > *size - len) {
-*size += l + *size / 2;
-ret = av_reallocp(buf, *size);
+ret = lzf_realloc(buf, size, l, allocated_size);
if (ret < 0)
return ret;
p = *buf + len;
diff --git a/libavcodec/lzf.h b/libavcodec/lzf.h
index 0ad73d9f79..5a89b6a876 100644
--- a/libavcodec/lzf.h
+++ b/libavcodec/lzf.h
@@ -24,6 +24,6 @@
#include "bytestream.h"
-int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size);
+int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size,
unsigned *allocated_size);
#endif /* AVCODEC_LZF_H */
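Review bot: the new `allocated_size` parameter of ff_lzf_uncompress() is undocumented in lzf.h; add a doxygen block stating that it is the av_fast_realloc() capacity for *buf, that *size remains the logical size, and that passing NULL selects the legacy av_reallocp() growth path (which the TODO in lzf.c says is to be removed once notchlc is converted).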
diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c
index 246a3e0174..51a94660cd 100644
--- a/libavcodec/notchlc.c
+++ b/libavcodec/notchlc.c
@@ -490,7 +490,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p,
return AVERROR_PATCHWELCOME;
if (s->format == 0) {
-ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size);
+ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size, NULL);
if (ret < 0)
return ret;
--
2.49.1
>From 19c8df9cc45d63361e578fa78c835712ea7b72a0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 19 Aug 2025 03:12:37 +0200
Subject: [PATCH 2/2] avcodec/dxv: Check coded_height, to avoid invalid
av_clip()
Fixes: assertion failure
Fixes:
438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/dxv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index b48ee76a88..c3fe5c5ab2 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -940,6 +940,8 @@ static in
[FFmpeg-devel] [PATCH] ff-tmp-exif-clear (PR #20513)
PR #20513 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20513
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20513.patch
avcodec/exif: Use av_fast_mallocz() in av_exif_clone_ifd()
Using fast realloc leaves the entries uninitialized and frees garbage pointers on errors.
>From f4cfb976540b4eaed69873b6168ebc331b8923b2 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 13 Sep 2025 13:53:53 +0200
Subject: [PATCH 1/2] avcodec/exif: Do not leave uninitialized pointers on
errors in exif_clone_entry()
No testcase, but this looks like it could free garbage pointers
Signed-off-by: Michael Niedermayer
---
libavcodec/exif.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index f9ad3e1bdb..3e86833986 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -953,6 +953,7 @@ static int exif_clone_entry(AVExifEntry *dst, const
AVExifEntry *src)
dst->count = src->count;
dst->id = src->id;
dst->type = src->type;
+memset(&dst->value, 0, sizeof(dst->value));
dst->ifd_offset = src->ifd_offset;
if (src->ifd_lead) {
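Review bot: the added `memset(&dst->value, 0, sizeof(dst->value));` is the right defensive step, but since the commit says there is no test case, a one-line comment stating the intent (the error path must never free a pointer that was never assigned) would stop it from being removed as apparently redundant later. Consider also zeroing the whole *dst at the top of exif_clone_entry() instead, so every field the error path may touch is covered, not only value.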
--
2.49.1
>From 2e8cc7b86019fb32bdf0b23a138901e6f65238f5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 13 Sep 2025 14:00:55 +0200
Subject: [PATCH 2/2] avcodec/exif: Use av_fast_mallocz() in
av_exif_clone_ifd()
Using fast realloc leaves the entries uninitialized and frees garbage pointers on errors.
Fixes: bug_triggering_file
Found-by: *2ourc3, 5pider
Signed-off-by: Michael Niedermayer
---
libavcodec/exif.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/exif.c b/libavcodec/exif.c
index 3e86833986..cd6c0c3771 100644
--- a/libavcodec/exif.c
+++ b/libavcodec/exif.c
@@ -1152,7 +1152,7 @@ AVExifMetadata *av_exif_clone_ifd(const AVExifMetadata
*ifd)
size_t required_size;
if (av_size_mult(ret->count, sizeof(*ret->entries), &required_size) <
0)
goto fail;
-ret->entries = av_fast_realloc(NULL, &ret->size, required_size);
+av_fast_mallocz(&ret->entries, &ret->size, required_size);
if (!ret->entries)
goto fail;
}
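Review bot: av_fast_mallocz() zeroes only newly allocated bytes and leaves a reused buffer untouched, so the cleared-entries guarantee this commit relies on holds only if ret->entries is NULL and ret->size is 0 when this runs (the replaced call passed NULL as the buffer, which suggests that is the case); an av_assert0() or a comment on that precondition would make the dependency visible. The following `if (!ret->entries) goto fail;` remains valid because av_fast_mallocz() sets the pointer to NULL on failure. Separately, the PR title "ff-tmp-exif-clear" is a working branch name; the patch 2/2 subject should be used instead.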
--
2.49.1
[FFmpeg-devel] [PATCH] avcodec/mjpegdec: Explain buf_size/width/height check (PR #20495)
PR #20495 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20495 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20495.patch Suggested-by: Ramiro Signed-off-by: Michael Niedermayer >From 16ba3a971069e4013ff86229df4a9a1d30d12074 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 11 Sep 2025 20:12:55 +0200 Subject: [PATCH] avcodec/mjpegdec: Explain buf_size/width/height check Suggested-by: Ramiro Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 3dde759fea..76a98bb521 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -342,6 +342,9 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; + +// can the smallest valid representation (of blank 8x8 blocks) be in buf_size ? +// if thats not possible than this cannot be a valid frame if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) return AVERROR_INVALIDDATA; -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
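Review bot: the new comment should spell out the constant it explains: `* 4LL` encodes the assumption that the smallest encodable 8x8 block needs at least 2 bits, so a frame with more blocks than 4 * buf_size cannot be complete; naming that bound makes the check verifiable against the codec rather than leaving the reader to derive it. Also fix the typos in the comment text ("thats" -> "that's", "than" -> "then") before pushing, and mention that the check is skipped when buf_size is 0.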
[FFmpeg-devel] [PATCH] Allow the user to limit metadata length and bext coding history (PR #20642)
PR #20642 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20642.patch
>From 42e879d0a91dcb4ee5d21329b58ef93014ea3cb3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 3 Oct 2025 00:12:32 +0200
Subject: [PATCH 1/2] avformat: Add max_metadata_length to limit the maximum
length of metadata entries
Signed-off-by: Michael Niedermayer
---
doc/APIchanges | 3 +++
libavformat/avformat.h | 8
libavformat/options_table.h | 1 +
libavformat/version.h | 2 +-
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/doc/APIchanges b/doc/APIchanges
index 6e7f5d2037..01faaa4dff 100644
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -2,6 +2,9 @@ The last version increases of all libraries were on 2025-03-28
API changes, most recent first:
+2025-10-xx - xx - lavf 62.7.100 - avformat.h
+ Add max_metadata_length
+
2025-08-xx - xx - lavf 62.6.100 - oggparsevorbis.h oggparseopus.h
oggparseflac.h
Drop header packets from secondary chained ogg/{flac, opus, vorbis} streams
from demuxer output.
diff --git a/libavformat/avformat.h b/libavformat/avformat.h
index a7446546e5..2ce09f31fa 100644
--- a/libavformat/avformat.h
+++ b/libavformat/avformat.h
@@ -1884,6 +1884,14 @@ typedef struct AVFormatContext {
* @see skip_estimate_duration_from_pts
*/
int64_t duration_probesize;
+
+/**
+ * The maximum length of metadata fields.
+ * This gives demuxers a guideline of what is "too large"
+ * - encoding: unused
+ * - decoding: set by user
+ */
+int max_metadata_length;
} AVFormatContext;
/**
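Review bot: the doc comment for max_metadata_length should state the unit (bytes), the default (INT_MAX, i.e. no limit, per the options_table.h entry in this patch) and that the limit is advisory: demuxers that do not consult it still store full-length entries, as the word "guideline" implies. A line in doc/formats.texi for the new AVOption is also expected next to the APIchanges entry, and the "2025-10-xx - xx" placeholders there need to be filled in when pushing.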
diff --git a/libavformat/options_table.h b/libavformat/options_table.h
index 5047b5ce50..1d458c1200 100644
--- a/libavformat/options_table.h
+++ b/libavformat/options_table.h
@@ -106,6 +106,7 @@ static const AVOption avformat_options[] = {
{"skip_estimate_duration_from_pts", "skip duration calculation in
estimate_timings_from_pts", OFFSET(skip_estimate_duration_from_pts),
AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, D},
{"max_probe_packets", "Maximum number of packets to probe a codec",
OFFSET(max_probe_packets), AV_OPT_TYPE_INT, { .i64 = 2500 }, 0, INT_MAX, D },
{"duration_probesize", "Maximum number of bytes to probe the durations of the
streams in estimate_timings_from_pts", OFFSET(duration_probesize),
AV_OPT_TYPE_INT64, {.i64 = 0 }, 0, (double)INT64_MAX, D},
+{"max_metadata_length", "Maximum length of metadata fields",
OFFSET(max_metadata_length), AV_OPT_TYPE_INT, { .i64 = INT_MAX }, 0, INT_MAX, D
},
{NULL},
};
diff --git a/libavformat/version.h b/libavformat/version.h
index 4bde82abb4..70c554c19c 100644
--- a/libavformat/version.h
+++ b/libavformat/version.h
@@ -31,7 +31,7 @@
#include "version_major.h"
-#define LIBAVFORMAT_VERSION_MINOR 6
+#define LIBAVFORMAT_VERSION_MINOR 7
#define LIBAVFORMAT_VERSION_MICRO 100
#define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \
--
2.49.1
>From dad6cf719230e6d6c486880d621204d885ef055f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 3 Oct 2025 00:14:46 +0200
Subject: [PATCH 2/2] avformat/wavdec: Limit the BEXT coding history size to
the max metadata length
The specification has no limit on its size. This can cause allocation of physical memory
twice the size of the input file. Giving the user a way to limit this makes sense,
even though there are other ways to cause more memory to be allocated.
Reported-by: Albin V, AWS Security
Signed-off-by: Michael Niedermayer
---
libavformat/wavdec.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 7d701c517a..4ee9658be6 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -32,6 +32,7 @@
#include "libavutil/dict.h"
#include "libavutil/intreadwrite.h"
#include "libavutil/log.h"
+#include "libavutil/macros.h"
#include "libavutil/mathematics.h"
#include "libavutil/mem.h"
#include "libavutil/opt.h"
@@ -322,15 +323,20 @@ static int wav_parse_bext_tag(AVFormatContext *s, int64_t
size)
/* CodingHistory present */
size -= 602;
-if (!(coding_history = av_malloc(size + 1)))
+int read_len = FFMIN3(size, s->max_metadata_length, INT_MAX - 1);
+
+if (!(coding_history = av_malloc(read_len + 1)))
return AVERROR(ENOMEM);
-if ((ret = ffio_read_size(s->pb, coding_history, size)) < 0) {
+if ((ret = ffio_read_size(s->pb, coding_history, read_len)) < 0) {
av_free(coding_history);
return ret;
}
-coding_history[size] = 0;
+if (read_len < size)
+avio_skip(s->pb, size - read_len);
+
+coding_history[read_len] = 0;
if ((ret = av_dict_set(&s->metadata, "coding_history", coding_history,
AV_DICT_DONT_STRDUP_VAL)) < 0)
return ret;
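Review bot: when read_len < size the coding history is silently cut short; an av_log(s, AV_LOG_WARNING, ...) on the `avio_skip()` path would tell users that max_metadata_length took effect and by how much. `FFMIN3(size, s->max_metadata_length, INT_MAX - 1)` mixes int64_t and int and stores into `int read_len`; that is safe only because of the INT_MAX - 1 cap, which deserves a comment so the cap is not dropped later. The return value of avio_skip() is ignored, which is acceptable only because subsequent reads will fail; a short note saying so would help.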
--
2.4
[FFmpeg-devel] [PATCH] avcodec/vlc: Clear val8/16 in vlc_multi_gen() (PR #20673)
PR #20673 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20673 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20673.patch Fixes: use of uninitialized memory Fixes: 427814450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_DEC_fuzzer-646512196065689 Fixes: 445961558/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5515158672965632 the multi vlc code will otherwise return uninitialized data. Now one can argue that this data should not be used, but on errors this data can remain ... Alternatively the whole table can be cleared on allocation (which is what i proposed previously in pr/20134) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer >From 8150bca3d133f12193696e19da9c8dbb24c03a37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 6 Aug 2025 12:49:49 +0200 Subject: [PATCH] avcodec/vlc: Clear val8/16 in vlc_multi_gen() Fixes: use of uninitialized memory Fixes: 427814450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_DEC_fuzzer-646512196065689 Fixes: 445961558/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5515158672965632 the multi vlc code will otherwise return uninitialized data. Now one can argue that this data should not be used, but on errors this data can remain ... Alternatively the whole table can be cleared on allocation (which is what i proposed previously in pr/20134) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vlc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c index 260b2052be..8d07ab8188 100644 --- a/libavcodec/vlc.c +++ b/libavcodec/vlc.c 
@@ -499,6 +499,7 @@ static int vlc_multi_gen(VLC_MULTI_ELEM *table, const VLC *single, for (int j = 0; j < 1table[j].len > 0 ? 1 : 0; +AV_ZERO64(table[j].val8); if (is16bit) table[j].val16[0] = single->table[j].sym; else -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
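Review bot: `AV_ZERO64(table[j].val8)` writes 8 bytes starting at val8, and in this hunk it runs after `table[j].len` and `table[j].num` have been assigned (the visible `table[j].len > 0 ? 1 : 0;` precedes the added line). If val8 is shorter than 8 bytes in VLC_MULTI_ELEM, the fields that follow it in the struct are zeroed as well, undoing those assignments; either move the clear before the len/num assignments or use `memset(table[j].val8, 0, sizeof(table[j].val8))` so the write is bounded by the array. Either way, a comment tying this to the MAGICYUV/UTVIDEO uninitialized-read reports would help, since the message also floats the alternative of clearing the whole table at allocation.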
[FFmpeg-devel] [PATCH] swscale/output: Fix unsigned cast position in yuv2* (PR #20698)
PR #20698 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20698 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20698.patch >From 93794583405909cfe8e7abffdd84c2454959ff18 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Oct 2025 14:32:45 +0200 Subject: [PATCH 1/2] swscale/output: Fix integer overflow in yuv2ya16_X_c_template() Found-by: colod colod Signed-off-by: Michael Niedermayer --- libswscale/output.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index b873276c00..cb6630bd73 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -1028,7 +1028,7 @@ yuv2ya16_X_c_template(SwsInternal *c, const int16_t *lumFilter, int A = 0x; for (j = 0; j < lumFilterSize; j++) -Y += (unsigned)(lumSrc[j][i] * lumFilter[j]); +Y += lumSrc[j][i] * (unsigned)lumFilter[j]; Y >>= 15; Y += (1<<3) + 0x8000; @@ -1037,7 +1037,7 @@ yuv2ya16_X_c_template(SwsInternal *c, const int16_t *lumFilter, if (hasAlpha) { A = -0x4000 + (1<<14); for (j = 0; j < lumFilterSize; j++) -A += (unsigned)(alpSrc[j][i] * lumFilter[j]); +A += alpSrc[j][i] * (unsigned)lumFilter[j]; A >>= 15; A += 0x8000; -- 2.49.1 >From 9d0761453e5ecaa1344d63e2fcc9bd3cc6d4d0f6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 13 Oct 2025 14:46:16 +0200 Subject: [PATCH 2/2] swscale/output: Fix unsigned cast position in yuv2* Fixes: signed overflow Signed-off-by: Michael Niedermayer --- libswscale/output.c | 90 ++--- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/libswscale/output.c b/libswscale/output.c index cb6630bd73..877db04f36 100644 --- a/libswscale/output.c +++ b/libswscale/output.c @@ -503,8 +503,8 @@ static void yuv2nv12cX_c(enum AVPixelFormat dstFormat, const uint8_t *chrDither, int v = chrDither[(i + 3) & 7] << 12; int j; for (j=0; j>19); 
@@ -516,8 +516,8 @@ static void yuv2nv12cX_c(enum AVPixelFormat dstFormat, const uint8_t *chrDither, int v = chrDither[(i + 3) & 7] << 12; int j; for (j=0; j>19); @@ -577,8 +577,8 @@ static void yuv2p01xcX_c(int big_endian, const uint8_t *chrDither, int v = 1 << (shift - 1); for (j = 0; j < chrFilterSize; j++) { -u += (unsigned)(chrUSrc[j][i] * chrFilter[j]); -v += (unsigned)(chrVSrc[j][i] * chrFilter[j]); +u += chrUSrc[j][i] * (unsigned)chrFilter[j]; +v += chrVSrc[j][i] * (unsigned)chrFilter[j]; } output_pixel(&dest[2*i] , u); @@ -678,8 +678,8 @@ yuv2mono_X_c_template(SwsInternal *c, const int16_t *lumFilter, int Y2 = 1 << 18; for (j = 0; j < lumFilterSize; j++) { -Y1 += (unsigned)(lumSrc[j][i] * lumFilter[j]); -Y2 += (unsigned)(lumSrc[j][i+1] * lumFilter[j]); +Y1 += lumSrc[j][i] * (unsigned)lumFilter[j]; +Y2 += lumSrc[j][i+1] * (unsigned)lumFilter[j]; } Y1 >>= 19; Y2 >>= 19; @@ -896,12 +896,12 @@ yuv2422_X_c_template(SwsInternal *c, const int16_t *lumFilter, int V = 1 << 18; for (j = 0; j < lumFilterSize; j++) { -Y1 += (unsigned)(lumSrc[j][i * 2] * lumFilter[j]); -Y2 += (unsigned)(lumSrc[j][i * 2 + 1] * lumFilter[j]); +Y1 += lumSrc[j][i * 2] * (unsigned)lumFilter[j]; +Y2 += lumSrc[j][i * 2 + 1] * (unsigned)lumFilter[j]; } for (j = 0; j < chrFilterSize; j++) { -U += (unsigned)(chrUSrc[j][i] * chrFilter[j]); -V += (unsigned)(chrVSrc[j][i] * chrFilter[j]); +U += chrUSrc[j][i] * (unsigned)chrFilter[j]; +V += chrVSrc[j][i] * (unsigned)chrFilter[j]; } Y1 >>= 19; Y2 >>= 19; 
@@ -1802,12 +1802,12 @@ yuv2rgb_X_c_template(SwsInternal *c, const int16_t *lumFilter, const void *r, *g, *b; for (j = 0; j < lumFilterSize; j++) { -Y1 += (unsigned)(lumSrc[j][i * 2] * lumFilter[j]); -Y2 += (unsigned)(lumSrc[j][i * 2 + 1] * lumFilter[j]); +Y1 += lumSrc[j][i * 2] * (unsigned)lumFilter[j]; +Y2 += lumSrc[j][i * 2 + 1] * (unsigned)lumFilter[j]; } for (j = 0; j < chrFilterSize; j++) { -U += (unsigned)(chrUSrc[j][i] * chrFilter[j]); -V += (unsigned)(chrVSrc[j][i] * chrFilter[j]); +U += chrUSrc[j][i] * (unsigned)chrFilter[j]; +V += chrVSrc[j][i] * (unsigned)chrFilter[j]; } Y1 >>= 19; Y2 >>= 19; @@ -1817,8 +1817,8 @@ yuv2rgb_X_c_template(SwsInternal *c, const int16_t *lumFilter, A1 = 1 << 18; A2 = 1 << 18; for (j = 0; j < lumFilterSize; j++) { -
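Review bot: moving the cast from `(unsigned)(a * b)` to `a * (unsigned)b` is the correct fix, but neither commit message says why the two forms differ, and the hunks look like a no-op to a casual reader: in the old form both operands are int (the int16_t samples are promoted), so the multiplication itself is performed in signed arithmetic and can overflow, which is undefined behaviour, before the cast is applied to the product; casting one operand first makes the multiplication unsigned, so it wraps as intended, and the accumulated value is then shifted (>> 19 or >> 15) exactly as before. Please put that one-line rationale in the 2/2 commit message so the pattern is not "cleaned up" back to the old form.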
[FFmpeg-devel] [PATCH] avcodec/exif: also copy zero termination for AV_TIFF_STRING (PR #20354)
PR #20354 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20354 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20354.patch Fixes: out of array read Fixes: 441131173/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_DEC_fuzzer-6700429212975104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer >From a03941944dfd74d1869ee92d650fcaabe6c8092a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 27 Aug 2025 15:00:56 +0200 Subject: [PATCH] avcodec/exif: also copy zero termination for AV_TIFF_STRING Fixes: out of array read Fixes: 441131173/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_DEC_fuzzer-6700429212975104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/exif.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/exif.c b/libavcodec/exif.c index f7effa6dbd..2ac54e51af 100644 --- a/libavcodec/exif.c +++ b/libavcodec/exif.c @@ -993,7 +993,11 @@ static int exif_clone_entry(AVExifEntry *dst, const AVExifEntry *src) EXIF_COPY(dst->value.sbytes, src->value.sbytes); break; case AV_TIFF_STRING: -EXIF_COPY(dst->value.str, src->value.str); +dst->value.str = av_memdup(src->value.str, src->count+1); +if (!dst->value.str) { +ret = AVERROR(ENOMEM); +goto end; +} break; } -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
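Review bot: `av_memdup(src->value.str, src->count + 1)` reads one byte beyond count, so it depends on every producer of AV_TIFF_STRING entries allocating and writing the terminating NUL; a comment beside the av_memdup() stating that invariant would make the contract explicit. Also guard `src->count + 1` against overflow if count can reach its type's maximum, and confirm that `ret = AVERROR(ENOMEM); goto end;` matches what EXIF_COPY does for the other cases so the error paths stay uniform.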
[FFmpeg-devel] [PATCH] configure: strip non numeric trailer from gcc version (PR #20570)
PR #20570 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20570 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20570.patch Fixes: ../configure: 7820: [: Illegal number: 13-win32 Signed-off-by: Michael Niedermayer >From 45a2307024ce23bbc29a425159f73a77c3b0ac10 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 21 Sep 2025 16:49:45 +0200 Subject: [PATCH] configure: strip non numeric trailer from gcc version Fixes: ../configure: 7820: [: Illegal number: 13-win32 Signed-off-by: Michael Niedermayer --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 8def62a5d9..fe8c3bc238 100755 --- a/configure +++ b/configure @@ -7815,7 +7815,7 @@ if enabled icc; then fi elif enabled gcc; then gcc_version=$($cc -dumpversion) -major_version=${gcc_version%%.*} +major_version=${gcc_version%%[!0-9]*} if [ $major_version -lt 13 ]; then # Disable tree-vectorize for GCC <13 - it has historically been buggy. check_optflags -fno-tree-vectorize -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
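Review bot: `${gcc_version%%[!0-9]*}` handles "13-win32", but if `$cc -dumpversion` yields a string that does not begin with a digit (or nothing at all) major_version is empty and `[ $major_version -lt 13 ]` fails with the same kind of shell error this patch fixes; defaulting major_version to 0 when empty (or testing -n first) would make the check robust for any toolchain. The `%%[!0-9]*` pattern itself is POSIX sh, so it is portable across the shells configure runs under.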
[FFmpeg-devel] [PATCH] avcodec/hevc/sei: Do not leave invalid values in HEVCSEITDRDI (PR #20675)
PR #20675 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20675 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20675.patch Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer >From 4e1ade1212daf4b71a5e28a791eeea5b1c13f7e7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Oct 2025 03:25:01 +0200 Subject: [PATCH] avcodec/hevc/sei: Do not leave invalid values in HEVCSEITDRDI Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680 Fixes: out of array access Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/hevc/sei.c | 20 ++-- 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c index b8e98cde89..525f524492 100644 --- a/libavcodec/hevc/sei.c +++ b/libavcodec/hevc/sei.c @@ -167,18 +167,21 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb) static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitContext *gb) { +HEVCSEITDRDI bak = *s; + s->prec_ref_display_width = get_ue_golomb(gb); if (s->prec_ref_display_width > 31) -return AVERROR_INVALIDDATA; +goto fail; s->ref_viewing_distance_flag = get_bits1(gb); if (s->ref_viewing_distance_flag) { s->prec_ref_viewing_dist = get_ue_golomb(gb); if (s->prec_ref_viewing_dist > 31) -return AVERROR_INVALIDDATA; +goto fail; } s->num_ref_displays = get_ue_golomb(gb); + if (s->num_ref_displays > 31) -return AVERROR_INVALIDDATA; +goto fail; s->num_ref_displays += 1; for (int i = 0; i < s->num_ref_displays; i++) { 
@@ -187,7 +190,7 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont s->right_view_id[i] = get_ue_golomb(gb); s->exponent_ref_display_width[i] = get_bits(gb, 6); if (s->exponent_ref_display_width[i] > 62) -return AVERROR_INVALIDDATA; +goto fail; else if (!s->exponent_ref_display_width[i]) length = FFMAX(0, (int)s->prec_ref_display_width - 30); else @@ -197,7 +200,7 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont if (s->ref_viewing_distance_flag) { s->exponent_ref_viewing_distance[i] = get_bits(gb, 6); if (s->exponent_ref_viewing_distance[i] > 62) -return AVERROR_INVALIDDATA; +goto fail; else if (!s->exponent_ref_viewing_distance[i]) length = FFMAX(0, (int)s->prec_ref_viewing_dist - 30); else @@ -209,13 +212,18 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont if (s->additional_shift_present_flag[i]) { s->num_sample_shift[i] = get_bits(gb, 10); if (s->num_sample_shift[i] > 1023) -return AVERROR_INVALIDDATA; +goto fail; s->num_sample_shift[i] -= 512; } } s->three_dimensional_reference_displays_extension_flag = get_bits1(gb); return 0; +fail: + +*s = bak; + +return AVERROR_INVALIDDATA; } static int decode_nal_sei_prefix(GetBitContext *gb, GetByteContext *gbyte, -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
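Review bot: the backup-and-restore via `HEVCSEITDRDI bak = *s;` / `*s = bak;` correctly prevents a partially filled struct (in particular an incremented num_ref_displays with unfilled arrays) from being left behind; a comment above `fail:` saying that every early exit must go through it, not `return`, would keep future fields honest. The two empty lines added inside the fail block and the empty line added before `if (s->num_ref_displays > 31)` are stray whitespace and should be dropped. An equivalent, cheaper-to-read alternative is parsing into a local copy and assigning it to *s only on success.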
[FFmpeg-devel] [PATCH] avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc() (PR #20746)
PR #20746 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20746.patch Fixes: memcpy with negative size Fixes: momo_trip-poc/input Reported-by: Momoko Shiraishi Signed-off-by: Michael Niedermayer >From 3924caed9dd6345bcfa5ce09e9dbc8d5403a7525 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 24 Oct 2025 20:29:23 +0200 Subject: [PATCH] avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc() Fixes: memcpy with negative size Fixes: momo_trip-poc/input Reported-by: Momoko Shiraishi Signed-off-by: Michael Niedermayer --- libavformat/rtpenc_h264_hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtpenc_h264_hevc.c b/libavformat/rtpenc_h264_hevc.c index 4d222dca75..ea19cb0627 100644 --- a/libavformat/rtpenc_h264_hevc.c +++ b/libavformat/rtpenc_h264_hevc.c @@ -196,6 +196,8 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const uint8_t *buf1, int size) r1 = ff_nal_mp4_find_startcode(r, end, s->nal_length_size); if (!r1) r1 = end; +if (r1 - r < s->nal_length_size) +break; r += s->nal_length_size; } else { while (!*(r++)); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
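Review bot: the new `break` discards the rest of the buffer silently; since `ff_rtp_send_h264_hevc()` returns void, an `av_log(s1, AV_LOG_WARNING, "truncated NAL length prefix\n")` before the `break` is the only way the malformed input ever becomes visible to the caller. Also worth confirming the boundary: with `r1 - r == s->nal_length_size` the loop proceeds with `r == r1` after `r += s->nal_length_size`, i.e. a zero-length NAL; if the code below does not tolerate that, the condition should be `<=` rather than `<`.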
[FFmpeg-devel] [PATCH] avformat/http: Fix off by 1 error (PR #20804)
PR #20804 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20804 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20804.patch Fixes: out of array access Fixes: zeropath/off-by-one-one-byte Found-by: Joshua Rogers Signed-off-by: Michael Niedermayer >From 6f8c0708d86ff376ee1bfc2be811579e58a44491 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Oct 2025 17:32:56 +0100 Subject: [PATCH] avformat/http: Fix off by 1 error Fixes: out of array access Fixes: zeropath/off-by-one-one-byte Found-by: Joshua Rogers Signed-off-by: Michael Niedermayer --- libavformat/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/http.c b/libavformat/http.c index 49d750b512..c4e6292a95 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -1875,7 +1875,7 @@ static int store_icy(URLContext *h, int size) ret = http_read_stream_all(h, data, len); if (ret < 0) return ret; -data[len + 1] = 0; +data[len] = 0; if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0) return ret; update_metadata(h, data); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
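Review bot: the fix is correct only if `data` was allocated with `len + 1` bytes, and that allocation is outside the hunk; a comment on the `data[len] = 0;` line (or a sentence in the commit message) saying that `http_read_stream_all(h, data, len)` fills exactly `len` bytes and the extra byte is reserved for the terminator would let a reader verify it without opening `store_icy()`. Note that the old `data[len + 1]` was two bugs in one: the write landed one byte past the allocation, and `data[len]` was never written, so `av_opt_set()` could run off the end of an unterminated string; the one-line change closes both.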
[FFmpeg-devel] [PATCH] avcodec/mediacodecdec_common: Check that the input to mediacodec_wrap_sw_audio_buffer() contains channel * sample_size (PR #20810)
PR #20810 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20810 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20810.patch Fixes: out of array access no testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer >From ac541f9e21806a4a0a0db1815582da7dfb944625 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Oct 2025 23:31:40 +0100 Subject: [PATCH] avcodec/mediacodecdec_common: Check that the input to mediacodec_wrap_sw_audio_buffer() contains channel * sample_size Fixes: out of array access no testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer --- libavcodec/mediacodecdec_common.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mediacodecdec_common.c b/libavcodec/mediacodecdec_common.c index ae336ab835..9b91c8edf5 100644 --- a/libavcodec/mediacodecdec_common.c +++ b/libavcodec/mediacodecdec_common.c @@ -385,6 +385,12 @@ static int mediacodec_wrap_sw_audio_buffer(AVCodecContext *avctx, goto done; } +if (info->size % (sample_size * avctx->ch_layout.nb_channels)) { +av_log(avctx, AV_LOG_ERROR, "input is not a multiple of channels * sample_size\n"); +ret = AVERROR(EINVAL); +goto done; +} + frame->format = avctx->sample_fmt; frame->sample_rate = avctx->sample_rate; frame->nb_samples = info->size / (sample_size * avctx->ch_layout.nb_channels); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
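Review bot: `info->size % (sample_size * avctx->ch_layout.nb_channels)` divides by a product this hunk does not check; if the sample-format lookup above can leave `sample_size` at 0, or `nb_channels` can be 0 here, the modulo faults before the message is ever printed. Either guard `sample_size <= 0 || avctx->ch_layout.nb_channels <= 0` right above, or note in a comment that an earlier check guarantees both. Since this path has no test case, printing the numbers (`"input size %d is not a multiple of %d channels * %d bytes\n"`) will make a misbehaving device decoder debuggable from the log alone.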
[FFmpeg-devel] [PATCH] avformat/sctp: Check size in sctp_write() (PR #20809)
PR #20809 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20809 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20809.patch Fixes: out of array access No testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer >From e124c1f611e45eda94192afbdb6d0d36747892e9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Oct 2025 23:08:45 +0100 Subject: [PATCH] avformat/sctp: Check size in sctp_write() Fixes: out of array access No testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer --- libavformat/sctp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 4122fbe312..9a6b991803 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -332,6 +332,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf, int size) } if (s->max_streams) { +if (size < 2) +return AVERROR(EINVAL); + /*StreamId is introduced as a 2byte code into the stream*/ struct sctp_sndrcvinfo info = { 0 }; info.sinfo_stream = AV_RB16(buf); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
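Review bot: the `if (size < 2)` is now wedged between the opening brace and the `struct sctp_sndrcvinfo info = { 0 };` declaration, and the comment about the 2-byte StreamId no longer sits next to the `AV_RB16(buf)` read it describes; moving the check to the top of `sctp_write()` (before the `s->max_streams` block) or below the declaration keeps the comment with the code it documents. `AVERROR(EINVAL)` is the right code, as a too-short buffer here is a caller error rather than malformed network data.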
[FFmpeg-devel] [PATCH] avformat/whip: Fix rtp_ctx->streams access (PR #20805)
PR #20805 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20805 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20805.patch Fixes: out of array access No testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer >From e01eb935a6b919d0bc4361e30a0ab00ff01783af Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Oct 2025 18:00:11 +0100 Subject: [PATCH] avformat/whip: Fix rtp_ctx->streams access Fixes: out of array access No testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer --- libavformat/whip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/whip.c b/libavformat/whip.c index a11fffb9c6..6a9b208f69 100644 --- a/libavformat/whip.c +++ b/libavformat/whip.c @@ -1592,8 +1592,8 @@ static int create_rtp_muxer(AVFormatContext *s) * therefore, we deactivate the extradata detection for the RTP muxer. */ if (s->streams[i]->codecpar->codec_id == AV_CODEC_ID_H264) { -av_freep(&rtp_ctx->streams[i]->codecpar->extradata); -rtp_ctx->streams[i]->codecpar->extradata_size = 0; +av_freep(&rtp_ctx->streams[0]->codecpar->extradata); +rtp_ctx->streams[0]->codecpar->extradata_size = 0; } buffer = av_malloc(buffer_size); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
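Review bot: the change from `[i]` to `[0]` relies on each `rtp_ctx` holding exactly one stream while `i` indexes the WHIP context's `s->streams`, and that invariant is not visible in the hunk. An `av_assert0(rtp_ctx->nb_streams == 1);` before the `av_freep()`, or a comment on the loop stating that one RTP muxer is created per input stream, would document why the two indices differ and keep the next reader from "fixing" it back to `[i]`.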
[FFmpeg-devel] [PATCH] avformat/rtpdec_rfc4175: several bug fixes (PR #20803)
PR #20803 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20803 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20803.patch >From ec17f9d7a3ec23b1efafd53978a8d5b2866d2f40 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Oct 2025 16:17:27 +0100 Subject: [PATCH 1/3] avformat/rtpdec_rfc4175: Fix memleak of sampling Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_rfc4175.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c index d6260ab69e..c41e4f19e0 100644 --- a/libavformat/rtpdec_rfc4175.c +++ b/libavformat/rtpdec_rfc4175.c @@ -128,7 +128,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream *stream, data->width = atoi(value); else if (!strncmp(attr, "height", 6)) data->height = atoi(value); -else if (!strncmp(attr, "sampling", 8)) +else if (data->sampling == NULL && !strncmp(attr, "sampling", 8)) data->sampling = av_strdup(value); else if (!strncmp(attr, "depth", 5)) data->depth = atoi(value); -- 2.49.1 >From 90b4c0094eb52dbac388803482e0704121a752ca Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Oct 2025 16:27:56 +0100 Subject: [PATCH 2/3] avformat/rtpdec_rfc4175: Only change PayloadContext on success Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_rfc4175.c | 21 ++--- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c index c41e4f19e0..d793f56949 100644 --- a/libavformat/rtpdec_rfc4175.c +++ b/libavformat/rtpdec_rfc4175.c @@ -23,6 +23,7 @@ #include "avio_internal.h" #include "rtpdec_formats.h" +#include "libavutil/avassert.h" #include "libavutil/avstring.h" #include "libavutil/mem.h" #include "libavutil/pixdesc.h" 
@@ -172,30 +173,36 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream *stream, } static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index, - PayloadContext *data, const char *line) + PayloadContext *data_arg, const char *line) { const char *p; if (st_index < 0) return 0; +av_assert0(!data_arg->sampling); + if (av_strstart(line, "fmtp:", &p)) { AVStream *stream = s->streams[st_index]; +PayloadContext data0 = *data_arg, *data = &data0; int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp); -if (ret < 0) -return ret; - - if (!data->sampling || !data->depth || !data->width || !data->height) -return AVERROR(EINVAL); +ret = AVERROR(EINVAL); + +if (ret < 0) +goto fail; + stream->codecpar->width = data->width; stream->codecpar->height = data->height; ret = rfc4175_parse_format(stream, data); av_freep(&data->sampling); - +if (ret >= 0) +*data_arg = *data; +fail: +av_freep(&data->sampling); return ret; } -- 2.49.1 >From 26ddbac6eccdfdf5cf8b1088a4c28292ba9d49e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 31 Oct 2025 16:28:49 +0100 Subject: [PATCH 3/3] avformat/rtpdec_rfc4175: Check dimensions Fixes: out of array access Fixes: zeropath/int_overflow_in_rtpdec_rfc4175 Found-by: Joshua Rogers Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_rfc4175.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c index d793f56949..b49fc55d2d 100644 --- a/libavformat/rtpdec_rfc4175.c +++ b/libavformat/rtpdec_rfc4175.c @@ -25,6 +25,7 @@ #include "rtpdec_formats.h" #include "libavutil/avassert.h" #include "libavutil/avstring.h" +#include "libavutil/imgutils.h" #include "libavutil/mem.h" #include "libavutil/pixdesc.h" #include "libavutil/parseutils.h" 
@@ -193,6 +194,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index, if (ret < 0) goto fail; +ret = av_image_check_size(data->width, data->height, 0, s); +if (ret < 0) +goto fail; stream->codecpar->width = data->width; stream->codecpar->height = data->height; @@ -303,6 +307,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data, if (data->interlaced) line = 2 * line + field; +if (line >= data->height) +return AVERROR_INVALIDDATA; + /* prevent ill-formed packets to write after buffer's end */ copy_offset = (line * data->width + offset) * data->pgroup / data->xinc; if (copy_offset + length > data->frame_size || !data->frame) -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
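Review bot: in the patch 1/3 `sampling` hunk, `data->sampling == NULL && ...` makes a repeated `sampling=` attribute keep the first value, while the `width`, `height` and `depth` branches beside it keep the last; if last-wins is the intended SDP semantics, `av_freep(&data->sampling)` before the `av_strdup()` fixes the leak without the inconsistency. The leak fix itself is correct either way; a sentence in the commit message saying which value wins would help.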
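Review bot: in the patch 2/3 `rfc4175_parse_sdp_line()` hunk, the unconditional `ret = AVERROR(EINVAL);` under the missing-field test overwrites whatever negative `ret` `ff_parse_fmtp()` returned, so the original error code is lost; `if (ret >= 0 && (!data->sampling || ...)) ret = AVERROR(EINVAL);` preserves it. The first `av_freep(&data->sampling)` before `*data_arg = *data;` is what stops a freed pointer being copied into the caller's context once `fail:` frees it again, but it looks like a stray duplicate of the `fail:` free; a comment such as "sampling is only needed by rfc4175_parse_format(), drop it before copying back" will keep someone from deleting it. The `av_assert0(!data_arg->sampling);` is fine as an invariant since this function is the only writer and always frees it before returning.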
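Review bot: in the patch 3/3 `rfc4175_handle_packet()` hunk, `line >= data->height` bounds the row but `offset` (the column) stays unchecked, so `copy_offset = (line * data->width + offset) * data->pgroup / data->xinc` is only safe while the multiplication cannot wrap; `av_image_check_size()` caps `width * height`, but the `* data->pgroup` factor lies outside that cap, and a wrapped negative `copy_offset` passes the existing `copy_offset + length > data->frame_size` test. Either compute `copy_offset` in `int64_t` and compare against `frame_size`, or add `offset >= data->width` to the rejection and document the bound on `pgroup` that keeps the product in range.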
[FFmpeg-devel] [PATCH] avfilter/vf_drawtext: Account for bbox text separator (PR #20811)
PR #20811 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20811 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20811.patch Fixes: out of array access no test case Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer >From bb465160a15208fc663086ec2f0a0e6d6b676702 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Nov 2025 01:29:32 +0100 Subject: [PATCH] avfilter/vf_drawtext: Account for bbox text seperator Fixes: out of array access no test case Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer --- libavfilter/vf_drawtext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c index 867536aa61..1d23805b54 100644 --- a/libavfilter/vf_drawtext.c +++ b/libavfilter/vf_drawtext.c @@ -1011,7 +1011,7 @@ static av_cold int init(AVFilterContext *ctx) av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use text_source only\n"); av_free(s->text); } -s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE * +s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) * (AV_NUM_DETECTION_BBOX_CLASSIFY + 1)); if (!s->text) return AVERROR(ENOMEM); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
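Review bot: the new size expression encodes the layout (`AV_NUM_DETECTION_BBOX_CLASSIFY + 1` labels of up to `AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE` bytes plus one separator each), but nothing ties it to the code that writes into `s->text`, which is where the overflow actually happened; a comment on the `av_mallocz()` naming the separator, or a single `#define` used by both the allocation and the writer (with the writer's `av_strlcat()` bounded by the same value), would stop the two from drifting apart again. Whether the per-label `+ 1` also covers the terminating NUL of the last entry depends on that writer, which is not in the hunk; a sentence in the commit message would settle it.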
[FFmpeg-devel] [PATCH] avformat/rtpdec_qdm2: Check block_size (PR #20812)
PR #20812 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20812 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20812.patch Fixes: out of array access no testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer >From c772162c87dab3db5910db5e33dcc6f6dc34c2ba Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 1 Nov 2025 02:02:44 +0100 Subject: [PATCH] avformat/rtpdec_qdm2: Check block_size Fixes: out of array access no testcase Found-by: Joshua Rogers with ZeroPath Signed-off-by: Michael Niedermayer --- libavformat/rtpdec_qdm2.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavformat/rtpdec_qdm2.c b/libavformat/rtpdec_qdm2.c index dce3c48bcc..9d71fe67dd 100644 --- a/libavformat/rtpdec_qdm2.c +++ b/libavformat/rtpdec_qdm2.c @@ -186,8 +186,9 @@ static int qdm2_parse_subpacket(PayloadContext *qdm, AVStream *st, */ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) { -int to_copy, n, res, include_csum; +int to_copy, n, res; uint8_t *p, *csum_pos = NULL; +int include_csum = qdm->block_type == 2 || qdm->block_type == 4; /* create packet to hold subpkts into a superblock */ av_assert0(qdm->cache > 0); @@ -196,6 +197,11 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) break; av_assert0(n < 0x80); +int min_size = 2 + (qdm->len[n] > 0xff) + 2*include_csum; + +if (qdm->block_size < min_size) +return AVERROR_INVALIDDATA; + if ((res = av_new_packet(pkt, qdm->block_size)) < 0) return res; memset(pkt->data, 0, pkt->size); @@ -211,7 +217,7 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt) *p++ = qdm->block_type; *p++ = qdm->len[n]; } -if ((include_csum = (qdm->block_type == 2 || qdm->block_type == 4))) { +if (include_csum) { csum_pos = p; p += 2; } -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
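Review bot: `min_size` only covers the fixed header (`block_type`, one or two length bytes, optional 2-byte checksum), yet `av_new_packet(pkt, qdm->block_size)` is followed by copying subpacket payloads into the same buffer, and the hunk does not show that copy being bounded by `pkt->size`; a comment tying `2 + (qdm->len[n] > 0xff) + 2*include_csum` to the `*p++` writes below it, plus a pointer to where the payload copy is checked, would make the guard easier to trust. Hoisting `include_csum` into an initialiser is an improvement; the `int min_size` declaration placed after `av_assert0(n < 0x80);` is legal C but sits mid-block while the surrounding code keeps declarations at the top, so keep one style.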
[FFmpeg-devel] [PATCH] avcodec/exr: use tile dimensions in pxr24 UINT case (PR #20821)
PR #20821 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20821 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20821.patch update the switch statement for EXR_UINT in pxr24_uncompress to correctly use the tile width td->xsize instead of using the full window width s->xdelta. s->delta is larger than td->xsize which lead to two buffer overflows when interacting with the ptr variable in the same switch statement. Fixes: out of bounds read and write Found-by: veygax's insomnia network (INSOMNIA-1) Signed-off-by: veygax >From 60657f201e11532457863a9ce90b2198937fb96c Mon Sep 17 00:00:00 2001 From: veygax Date: Sun, 2 Nov 2025 02:35:40 + Subject: [PATCH] avcodec/exr: use tile dimensions in pxr24 UINT case update the switch statement for EXR_UINT in pxr24_uncompress to correctly use the tile width td->xsize instead of using the full window width s->xdelta. s->delta is larger than td->xsize which lead to two buffer overflows when interacting with the ptr variable in the same switch statement. Fixes: out of bounds read and write Found-by: veygax's insomnia network (INSOMNIA-1) Signed-off-by: veygax --- libavcodec/exr.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c83325aa52..733ad76316 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -745,12 +745,12 @@ static int pxr24_uncompress(const EXRContext *s, const uint8_t *src, break; case EXR_UINT: ptr[0] = in; -ptr[1] = ptr[0] + s->xdelta; -ptr[2] = ptr[1] + s->xdelta; -ptr[3] = ptr[2] + s->xdelta; -in = ptr[3] + s->xdelta; +ptr[1] = ptr[0] + td->xsize; +ptr[2] = ptr[1] + td->xsize; +ptr[3] = ptr[2] + td->xsize; +in = ptr[3] + td->xsize; -for (j = 0; j < s->xdelta; ++j) { +for (j = 0; j < td->xsize; ++j) { uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8 ) | -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
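Review bot: the `EXR_UINT` case now uses the tile width, but the other cases of the same switch are not in the hunk; a line in the commit message confirming they already use `td->xsize` (or a follow-up aligning them) would show the fix is complete rather than one case of several. Since `in` advances by `4 * td->xsize` per line and `ptr[3]` reads up to `in`, the caller's check that the uncompressed size covers `4 * td->xsize * td->ysize` for UINT is the bound that makes the read safe; citing it in the message would tie the "two buffer overflows" to a concrete limit. The message also says `s->delta` where the code reads `s->xdelta`.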
[FFmpeg-devel] [PATCH] avformat/rtmpproto: consider command line argument lengths (PR #20796)
PR #20796 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20796 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20796.patch >From 844511d76807d4ad2b248540b20f534bc640540c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2025 23:05:57 +0100 Subject: [PATCH 1/2] avformat/rtmpproto_ Check tcurl and flashver length Fixes: out of array accesses Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 4f866eb76c..5de3bebc62 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -2859,6 +2859,12 @@ reconnect: "FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT); } } +if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH +|| strlen(rt->tcurl ) >TCURL_MAX_LENGTH +) { +ret = AVERROR(EINVAL); +goto fail; +} rt->receive_report_size = 1048576; rt->bytes_read = 0; -- 2.49.1 >From 708ab1bc8ee6e6c28005b3bc219bc7fc0b693b16 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 30 Oct 2025 23:20:41 +0100 Subject: [PATCH 2/2] avformat/rtmpproto: consider command line argument lengths Fixes: out of array access Fixes: zeropath/rtmp-2025-10 Found-by: Joshua Rogers Signed-off-by: Michael Niedermayer --- libavformat/rtmpproto.c | 22 -- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c index 5de3bebc62..b029c57621 100644 --- a/libavformat/rtmpproto.c +++ b/libavformat/rtmpproto.c @@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt); static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt); static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt); +static size_t zstrlen(const char *c) +{ +if(c) +return strlen(c); +return 0; +} + static int add_tracked_method(RTMPContext *rt, const char *name, int id) { int err; 
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt) int ret; if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, - 0, 4096 + APP_MAX_LENGTH)) < 0) + 0, 4096 + APP_MAX_LENGTH + + strlen(rt->auth_params) + strlen(rt->flashver) + + zstrlen(rt->enhanced_codecs)/5*7 + + zstrlen(rt->swfurl) + + zstrlen(rt->swfverify) + + zstrlen(rt->tcurl) + + zstrlen(rt->auth_params) + + zstrlen(rt->pageurl) + + zstrlen(rt->conn)*3 + )) < 0) return ret; p = pkt.data; @@ -1926,7 +1942,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt, if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, 0, - RTMP_PKTDATA_DEFAULT_SIZE)) < 0) { + RTMP_PKTDATA_DEFAULT_SIZE + + strlen(status) + strlen(description) + + zstrlen(details))) < 0) { av_log(s, AV_LOG_ERROR, "Unable to create response packet\n"); return ret; } -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
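Review bot: in the patch 1/2 `flashver`/`tcurl` length hunk, `AVERROR(EINVAL)` is returned without an `av_log()`, so a user who set `-rtmp_flashver` or `-rtmp_tcurl` too long only sees "Invalid argument"; log which option exceeded which limit. Also confirm whether `FLASHVER_MAX_LENGTH` and `TCURL_MAX_LENGTH` are buffer sizes (then `>=` is needed to leave room for the terminator) or maximum string lengths (then `>` is right), and fix the spacing in `strlen(rt->tcurl ) >TCURL_MAX_LENGTH`.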
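Review bot: in the patch 2/2 `gen_connect()` size hunk, `rt->auth_params` is counted twice (`strlen(rt->auth_params)` and `zstrlen(rt->auth_params)`), and the `zstrlen(rt->enhanced_codecs)/5*7` and `zstrlen(rt->conn)*3` factors carry no explanation; a comment per term stating the AMF expansion it accounts for (how many output bytes each 4-char fourcc plus separator becomes, why a `conn` string can triple) would let a reviewer check the bound instead of trusting it. `zstrlen()` is a reasonable helper, but `if(c)` wants a space after `if`, and the `(unsigned)`/`int` mix in the sum passed to `ff_rtmp_packet_create()` deserves a glance since `strlen()` returns `size_t`.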
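Review bot: in the `write_status()` hunk, `strlen(status)` and `strlen(description)` assume non-NULL arguments while `details` goes through `zstrlen()`; if any caller can pass NULL for the first two, use `zstrlen()` for all three, otherwise a comment on the parameters (or an `av_assert0`) should pin down which may be NULL.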
[FFmpeg-devel] [PATCH] avcodec/rv60dec: Clear blk_info (PR #20878)
PR #20878 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20878 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20878.patch Fixes: use of uninitialized memory Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer >From fcc23a774c8d1a3d77f9ea60a04572587d7f6146 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Nov 2025 16:03:32 +0100 Subject: [PATCH] avcodec/rv60dec: Clear blk_info Fixes: use of uninitialized memory Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/rv60dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c index b7b4f46512..76caa6a361 100644 --- a/libavcodec/rv60dec.c +++ b/libavcodec/rv60dec.c @@ -311,6 +311,7 @@ static int update_dimensions_clear_info(RV60Context *s, int width, int height) return ret; memset(s->pu_info, 0, s->pu_stride * (s->cu_height << 3) * sizeof(s->pu_info[0])); +memset(s->blk_info, 0, s->blk_stride * (s->cu_height << 4) * sizeof(s->blk_info[0])); for (int j = 0; j < s->cu_height << 4; j++) for (int i = 0; i < s->cu_width << 4; i++) -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
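Review bot: the `blk_info` memset length `s->blk_stride * (s->cu_height << 4) * sizeof(s->blk_info[0])` has to match the allocation of `blk_info`, which is above the hunk; the neighbouring loop iterating `j < s->cu_height << 4` suggests the row count is right, but factoring the size into one local used by both the allocation and the memset, or allocating with `av_calloc()` if this is the only clear, would keep the two from diverging. If the array is deliberately re-cleared on every dimension change rather than only on allocation, a short comment saying why (stale neighbour info from the old geometry feeding prediction) would help.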
[FFmpeg-devel] [PATCH] avcodec/exr: Handle axmax like bxmin in 04d7a6d3db56ea1a93908ff2d3d312e3fc40a58c (PR #20879)
PR #20879 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20879 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20879.patch Fixes: out of array access Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_DEC_fuzzer-6718455383654400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer >From f14110ac5d9d7deff51c5bdcdd38eace991fc199 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 9 Nov 2025 16:39:45 +0100 Subject: [PATCH] avcodec/exr: Handle axmax like bxmin in 04d7a6d3db56ea1a93908ff2d3d312e3fc40a58c Fixes: out of array access Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_DEC_fuzzer-6718455383654400 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/exr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 536a55c5be..ca450a988e 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1485,7 +1485,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata, } // Zero out the end if xmax+1 is not w -memset(ptr_x, 0, axmax); +if (s->desc->flags & AV_PIX_FMT_FLAG_PLANAR || !c) +memset(ptr_x, 0, axmax); channel_buffer[c] += td->channel_line_size; } } -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
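Review bot: `s->desc->flags & AV_PIX_FMT_FLAG_PLANAR || !c` parses as intended (`&` binds tighter than `||`), but parentheses around the `&` term and a comment would help: for packed output every channel's `ptr_x` presumably points into the same interleaved line, so only the first channel may zero the `axmax` tail, otherwise the memset starts part-way into the line and runs past its end. Since this mirrors the `bxmin` handling from 04d7a6d3db56ea1a93908ff2d3d312e3fc40a58c, a single local such as `int zero_edges = planar || !c;` shared by both memsets would keep the two conditions from diverging a second time.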
[FFmpeg-devel] [PATCH] avcodec/prores_raw: Check get_value() return code (PR #20855)
PR #20855 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20855 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20855.patch >From 5ccb2c9934615db1d55a7a62dda551c4d02c6fd6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Nov 2025 01:47:40 +0100 Subject: [PATCH 1/3] avcodec/prores_raw: Prettify ff_prores_raw_*_cb the values contain 3 4 bit values, thus using hex is more natural and shows more information Signed-off-by: Michael Niedermayer --- libavcodec/prores_raw.c | 24 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index 0298956efd..f293e489bc 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c 
@@ -101,30 +101,30 @@ static const uint8_t align_tile_w[16] = { #define DC_CB_MAX 12 const uint8_t ff_prores_raw_dc_cb[DC_CB_MAX + 1] = { -16, 33, 50, 51, 51, 51, 68, 68, 68, 68, 68, 68, 118, +0x010, 0x021, 0x032, 0x033, 0x033, 0x033, 0x044, 0x044, 0x044, 0x044, 0x044, 0x044, 0x076, }; #define AC_CB_MAX 94 const int16_t ff_prores_raw_ac_cb[AC_CB_MAX + 1] = { - 0, 529, 273, 273, 546, 546, 546, 290, 290, 290, 563, 563, -563, 563, 563, 563, 563, 563, 307, 307, 580, 580, 580, 580, -580, 580, 580, 580, 580, 580, 580, 580, 580, 580, 580, 580, -580, 580, 580, 580, 580, 580, 853, 853, 853, 853, 853, 853, -853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, -853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, -853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 853, -853, 853, 853, 853, 853, 853, 853, 853, 853, 853, 358 +0x000, 0x211, 0x111, 0x111, 0x222, 0x222, 0x222, 0x122, 0x122, 0x122, +0x233, 0x233, 0x233, 0x233, 0x233, 0x233, 0x233, 0x233, 0x133, 0x133, +0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, +0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, 0x244, +0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, +0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, +0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, +0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x355, 0x166, }; #define RN_CB_MAX 27 const int16_t ff_prores_raw_rn_cb[RN_CB_MAX + 1] = { -512, 256, 0, 0, 529, 529, 273, 273, 17, 17, 33, 33, 546, -34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 34, 50, 50, 68, +0x200, 0x100, 0x000, 0x000, 0x211, 0x211, 0x111, 0x111, 0x011, 0x011, 0x021, 0x021, 0x222, 0x022, +0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x022, 0x032, 0x032, 0x044 }; #define LN_CB_MAX 14 const int16_t ff_prores_raw_ln_cb[LN_CB_MAX + 1] = { -256, 273, 
546, 546, 290, 290, 1075, 1075, 563, 563, 563, 563, 563, 563, 51 +0x100, 0x111, 0x222, 0x222, 0x122, 0x122, 0x433, 0x433, 0x233, 0x233, 0x233, 0x233, 0x233, 0x233, 0x033, }; static int decode_comp(AVCodecContext *avctx, TileContext *tile, -- 2.49.1 >From 2620c7dc76234dc1e9d0ece586a607e680d82e76 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Nov 2025 01:53:17 +0100 Subject: [PATCH 2/3] avcodec/prores_raw: Check bits in get_value() The code loads 32bit so we can at maximum use 32bit Fixes: runtime error: shift exponent -9 is negative Fixes: 439483046/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_RAW_DEC_fuzzer-6649466540326912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/prores_raw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index f293e489bc..7d78a043b1 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c @@ -87,6 +87,8 @@ static int16_t get_value(GetBitContext *gb, int16_t codebook) } bits = exp_order + (q << 1) - switch_bits; +if (bits > 32) +return -1; skip_bits_long(gb, bits); return (b >> (32 - bits)) + ((switch_bits + 1) << rice_order) - -- 2.49.1 >From 375a4fd43300674d9b251be203f38593215ca5c1 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 7 Nov 2025 01:55:39 +0100 Subject: [PATCH 3/3] avcodec/prores_raw: Check get_value() return code Fixes: out of array access Fixes: 439483046/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PRORES_RAW_DEC_fuzzer-6649466540326912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/prores_raw.c | 13 + 1 file changed, 13 insertions(+) diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index 7d78a043b1..ceee757420 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c 
@@ -171,6 +171,8 @@ static int decode_comp(AVCodecCont
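Review bot: in the patch 2/3 `get_value()` hunk, `bits > 32` removes the negative shift exponent but leaves the other side open: if `exp_order + (q << 1) - switch_bits` can be 0 or negative, `b >> (32 - bits)` shifts a 32-bit value by 32 or more, which is equally undefined; `if (bits <= 0 || bits > 32)` closes it, or a comment should state why `bits >= 1` is guaranteed. Returning `-1` from an `int16_t` function as the error value is only sound if -1 can never be a legitimately decoded result; the returned expression subtracts a term and can go negative, so changing the return type to `int` and returning `AVERROR_INVALIDDATA`, or using an out-parameter, avoids a value collision that the patch 3/3 caller check cannot distinguish.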
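Review bot: in the patch 1/3 codebook hunks the hex form is easier to audit, but the rows of `ff_prores_raw_ac_cb` now hold 10, 10, 11, 11, 13, 13, 13 and 13 entries; a fixed count per row would let a reader confirm `AC_CB_MAX + 1` entries by eye, which is the point of keeping the `_MAX` macro next to the table.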
[FFmpeg-devel] [PATCH] avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il() (PR #20872)
PR #20872 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20872 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20872.patch Fixes: use of uninitialized memory Fixes: 439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer >From 2a1a04c4b0cbe64a534d05ea1a321e6175f5bb2c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 8 Nov 2025 23:22:56 +0100 Subject: [PATCH] avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il() Fixes: use of uninitialized memory Fixes: 439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index bc02ac44d5..098706b705 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -457,7 +457,7 @@ static void restore_median_planar_il(UtvideoContext *c, uint8_t *src, ptrdiff_t // second line - first element has top prediction, the rest uses median C= bsrc[-stride2]; bsrc[0] += C; -A= bsrc[0]; +A = B= bsrc[0]; for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need align 16) */ B= bsrc[i - stride2]; bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C)); -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
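Review bot: `A = B = bsrc[0];` fixes the `width == 1` case, where the `for (i = 1; i < FFMIN(width, 16); i++)` loop never executes and `B` stays unset for the code after it, but nothing at the site says so; a comment such as "B must be set here: the loop below does not run for width == 1" would stop it being simplified back. Spacing: the file writes `C= bsrc[-stride2];` and the new line `A = B= bsrc[0];` mixes both styles; pick one.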
[FFmpeg-devel] [PATCH] avcodec/omx: Check extradata size and nFilledLen (PR #20894)
PR #20894 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20894 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20894.patch No testcase, its unknown if this is a real issue Reported-by: Peter Teoh Signed-off-by: Michael Niedermayer >From 67eea3903e440bf1162423be651654bc0275 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Nov 2025 03:05:15 +0100 Subject: [PATCH] avcodec/omx: Check extradata size and nFilledLen No testcase, its unknown if this is a real issue Reported-by: Peter Teoh Signed-off-by: Michael Niedermayer --- libavcodec/omx.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/omx.c b/libavcodec/omx.c index 6b900d741d..7b003ac1b7 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c @@ -688,6 +688,11 @@ static av_cold int omx_encode_init(AVCodecContext *avctx) buffer = get_buffer(&s->output_mutex, &s->output_cond, &s->num_done_out_buffers, s->done_out_buffers, 1); if (buffer->nFlags & OMX_BUFFERFLAG_CODECCONFIG) { +if (buffer->nFilledLen > INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE - avctx->extradata_size) { +ret = AVERROR(ENOMEM); +goto fail; +} + if ((ret = av_reallocp(&avctx->extradata, avctx->extradata_size + buffer->nFilledLen + AV_INPUT_BUFFER_PADDING_SIZE)) < 0) { avctx->extradata_size = 0; goto fail; -- 2.49.1 ___ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
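Review bot: the guard compares `buffer->nFilledLen` (an `OMX_U32`) with the `int` expression `INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE - avctx->extradata_size`; if that right-hand side ever went negative the usual arithmetic conversion would turn it into a huge unsigned value and silently disable the check, so it holds only because this same check keeps `extradata_size` below `INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE` on earlier iterations. A comment stating that invariant is worth adding. `extradata_size` is an `int`, so `INT_MAX` is the matching constant rather than `INT32_MAX`, and `AVERROR(ENOMEM)` misdescribes the failure: a codec-config buffer that would push `extradata_size` past `INT_MAX` is bad data from the component, so `AVERROR_INVALIDDATA` plus an `av_log()` naming the size would be more accurate.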
