Message ID | 20190627003533.22314-3-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 8c7d5fcfc32d65951039ab2bb78947a41bdd96c4 |
Headers | show |
On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in > type 'int' > Fixes: > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/dxv.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c > index 5fd1844094..3506775560 100644 > --- a/libavcodec/dxv.c > +++ b/libavcodec/dxv.c > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, > GetByteContext *gb, > int skip0, skip1, oi0 = 0, oi1 = 0; > int ret, state0 = 0, state1 = 0; > > - if (op_offset < 12) > + if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb)) > return AVERROR_INVALIDDATA; > > dst = tex_data; > -- > 2.22.0 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". Make sure this does not break any files.
On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: > On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in > > type 'int' > > Fixes: > > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/dxv.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c > > index 5fd1844094..3506775560 100644 > > --- a/libavcodec/dxv.c > > +++ b/libavcodec/dxv.c > > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, > > GetByteContext *gb, > > int skip0, skip1, oi0 = 0, oi1 = 0; > > int ret, state0 = 0, state1 = 0; > > > > - if (op_offset < 12) > > + if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb)) > > return AVERROR_INVALIDDATA; > > > > dst = tex_data; > > -- > > 2.22.0 > > > > _______________________________________________ > > ffmpeg-devel mailing list > > ffmpeg-devel@ffmpeg.org > > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > > > To unsubscribe, visit link above, or email > > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > > Make sure this does not break any files. Do you have any specific files i should test ? I of course cannot test every file on earth ... Thanks [...]
On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented >> > in >> > type 'int' >> > Fixes: >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 >> > >> > Found-by: continuous fuzzing process >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >> > --- >> > libavcodec/dxv.c | 2 +- >> > 1 file changed, 1 insertion(+), 1 deletion(-) >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c >> > index 5fd1844094..3506775560 100644 >> > --- a/libavcodec/dxv.c >> > +++ b/libavcodec/dxv.c >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, >> > GetByteContext *gb, >> > int skip0, skip1, oi0 = 0, oi1 = 0; >> > int ret, state0 = 0, state1 = 0; >> > >> > - if (op_offset < 12) >> > + if (op_offset < 12 || op_offset - 12 > >> > bytestream2_get_bytes_left(gb)) >> > return AVERROR_INVALIDDATA; >> > >> > dst = tex_data; >> > -- >> > 2.22.0 >> > >> > _______________________________________________ >> > ffmpeg-devel mailing list >> > ffmpeg-devel@ffmpeg.org >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel >> > >> > To unsubscribe, visit link above, or email >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >> >> Make sure this does not break any files. > > Do you have any specific files i should test ? > > I of course cannot test every file on earth ... I'm on vacation, so when I get back I will give you some files. > > Thanks > > [...] > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > If you fake or manipulate statistics in a paper in physics you will never > get a job again. > If you fake or manipulate statistics in a paper in medicin you will get > a job for life at the pharma industry. >
On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote: > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented > >> > in > >> > type 'int' > >> > Fixes: > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 > >> > > >> > Found-by: continuous fuzzing process > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > >> > --- > >> > libavcodec/dxv.c | 2 +- > >> > 1 file changed, 1 insertion(+), 1 deletion(-) > >> > > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c > >> > index 5fd1844094..3506775560 100644 > >> > --- a/libavcodec/dxv.c > >> > +++ b/libavcodec/dxv.c > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, > >> > GetByteContext *gb, > >> > int skip0, skip1, oi0 = 0, oi1 = 0; > >> > int ret, state0 = 0, state1 = 0; > >> > > >> > - if (op_offset < 12) > >> > + if (op_offset < 12 || op_offset - 12 > > >> > bytestream2_get_bytes_left(gb)) > >> > return AVERROR_INVALIDDATA; > >> > > >> > dst = tex_data; > >> > -- > >> > 2.22.0 > >> > > >> > _______________________________________________ > >> > ffmpeg-devel mailing list > >> > ffmpeg-devel@ffmpeg.org > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > >> > > >> > To unsubscribe, visit link above, or email > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > >> > >> Make sure this does not break any files. > > > > Do you have any specific files i should test ? > > > > I of course cannot test every file on earth ... > > I'm on vacation, so when I get back I will give you some files. ok, ill wait, no hurry, enjoy your vacation! Thanks! [...]
On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote: > On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote: > > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: > > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented > > >> > in > > >> > type 'int' > > >> > Fixes: > > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 > > >> > > > >> > Found-by: continuous fuzzing process > > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > >> > --- > > >> > libavcodec/dxv.c | 2 +- > > >> > 1 file changed, 1 insertion(+), 1 deletion(-) > > >> > > > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c > > >> > index 5fd1844094..3506775560 100644 > > >> > --- a/libavcodec/dxv.c > > >> > +++ b/libavcodec/dxv.c > > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, > > >> > GetByteContext *gb, > > >> > int skip0, skip1, oi0 = 0, oi1 = 0; > > >> > int ret, state0 = 0, state1 = 0; > > >> > > > >> > - if (op_offset < 12) > > >> > + if (op_offset < 12 || op_offset - 12 > > > >> > bytestream2_get_bytes_left(gb)) > > >> > return AVERROR_INVALIDDATA; > > >> > > > >> > dst = tex_data; > > >> > -- > > >> > 2.22.0 > > >> > > > >> > _______________________________________________ > > >> > ffmpeg-devel mailing list > > >> > ffmpeg-devel@ffmpeg.org > > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > >> > > > >> > To unsubscribe, visit link above, or email > > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > > >> > > >> Make sure this does not break any files. > > > > > > Do you have any specific files i should test ? > > > > > > I of course cannot test every file on earth ... > > > > I'm on vacation, so when I get back I will give you some files. > > ok, ill wait, no hurry, enjoy your vacation! ping, this issue is reaching its deadline, so i would like to fix it Thanks [...]
On 9/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote: >> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote: >> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: >> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be >> > >> > represented >> > >> > in >> > >> > type 'int' >> > >> > Fixes: >> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 >> > >> > >> > >> > Found-by: continuous fuzzing process >> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >> > >> > --- >> > >> > libavcodec/dxv.c | 2 +- >> > >> > 1 file changed, 1 insertion(+), 1 deletion(-) >> > >> > >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c >> > >> > index 5fd1844094..3506775560 100644 >> > >> > --- a/libavcodec/dxv.c >> > >> > +++ b/libavcodec/dxv.c >> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext >> > >> > *ctx, >> > >> > GetByteContext *gb, >> > >> > int skip0, skip1, oi0 = 0, oi1 = 0; >> > >> > int ret, state0 = 0, state1 = 0; >> > >> > >> > >> > - if (op_offset < 12) >> > >> > + if (op_offset < 12 || op_offset - 12 > >> > >> > bytestream2_get_bytes_left(gb)) >> > >> > return AVERROR_INVALIDDATA; >> > >> > >> > >> > dst = tex_data; >> > >> > -- >> > >> > 2.22.0 >> > >> > >> > >> > _______________________________________________ >> > >> > ffmpeg-devel mailing list >> > >> > ffmpeg-devel@ffmpeg.org >> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel >> > >> > >> > >> > To unsubscribe, visit link above, or email >> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >> > >> >> > >> Make sure this does not break any files. >> > > >> > > Do you have any specific files i should test ? >> > > >> > > I of course cannot test every file on earth ... >> > >> > I'm on vacation, so when I get back I will give you some files. >> >> ok, ill wait, no hurry, enjoy your vacation! > > ping, this issue is reaching its deadline, so i would like to > fix it What deadline? Is this some kind of fancy corporation? > > Thanks > > [...] > > > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > When you are offended at any man's fault, turn to yourself and study your > own failings. Then you will forget your anger. -- Epictetus >
On Mon, Sep 09, 2019 at 10:29:14PM +0200, Paul B Mahol wrote: > On 9/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > > On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote: > >> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote: > >> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > >> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: > >> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > >> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be > >> > >> > represented > >> > >> > in > >> > >> > type 'int' > >> > >> > Fixes: > >> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 > >> > >> > > >> > >> > Found-by: continuous fuzzing process > >> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > >> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > >> > >> > --- > >> > >> > libavcodec/dxv.c | 2 +- > >> > >> > 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> > > >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c > >> > >> > index 5fd1844094..3506775560 100644 > >> > >> > --- a/libavcodec/dxv.c > >> > >> > +++ b/libavcodec/dxv.c > >> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext > >> > >> > *ctx, > >> > >> > GetByteContext *gb, > >> > >> > int skip0, skip1, oi0 = 0, oi1 = 0; > >> > >> > int ret, state0 = 0, state1 = 0; > >> > >> > > >> > >> > - if (op_offset < 12) > >> > >> > + if (op_offset < 12 || op_offset - 12 > > >> > >> > bytestream2_get_bytes_left(gb)) > >> > >> > return AVERROR_INVALIDDATA; > >> > >> > > >> > >> > dst = tex_data; > >> > >> > -- > >> > >> > 2.22.0 > >> > >> > > >> > >> > _______________________________________________ > >> > >> > ffmpeg-devel mailing list > >> > >> > ffmpeg-devel@ffmpeg.org > >> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > >> > >> > > >> > >> > To unsubscribe, visit link above, or email > >> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > >> > >> > >> > >> Make sure this does not break any files. > >> > > > >> > > Do you have any specific files i should test ? > >> > > > >> > > I of course cannot test every file on earth ... > >> > > >> > I'm on vacation, so when I get back I will give you some files. > >> > >> ok, ill wait, no hurry, enjoy your vacation! > > > > ping, this issue is reaching its deadline, so i would like to > > fix it > > What deadline? Is this some kind of fancy corporation? first link for googling ossfuzz deadline explains it like this: "Once a project is signed up for OSS-Fuzz, it is automatically subject to the 90-day disclosure deadline for newly reported bugs ..." thx [...]
On 9/10/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > On Mon, Sep 09, 2019 at 10:29:14PM +0200, Paul B Mahol wrote: >> On 9/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >> > On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote: >> >> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote: >> >> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >> >> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: >> >> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >> >> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be >> >> > >> > represented >> >> > >> > in >> >> > >> > type 'int' >> >> > >> > Fixes: >> >> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 >> >> > >> > >> >> > >> > Found-by: continuous fuzzing process >> >> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> >> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >> >> > >> > --- >> >> > >> > libavcodec/dxv.c | 2 +- >> >> > >> > 1 file changed, 1 insertion(+), 1 deletion(-) >> >> > >> > >> >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c >> >> > >> > index 5fd1844094..3506775560 100644 >> >> > >> > --- a/libavcodec/dxv.c >> >> > >> > +++ b/libavcodec/dxv.c >> >> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext >> >> > >> > *ctx, >> >> > >> > GetByteContext *gb, >> >> > >> > int skip0, skip1, oi0 = 0, oi1 = 0; >> >> > >> > int ret, state0 = 0, state1 = 0; >> >> > >> > >> >> > >> > - if (op_offset < 12) >> >> > >> > + if (op_offset < 12 || op_offset - 12 > >> >> > >> > bytestream2_get_bytes_left(gb)) >> >> > >> > return AVERROR_INVALIDDATA; >> >> > >> > >> >> > >> > dst = tex_data; >> >> > >> > -- >> >> > >> > 2.22.0 >> >> > >> > >> >> > >> > _______________________________________________ >> >> > >> > ffmpeg-devel mailing list >> >> > >> > ffmpeg-devel@ffmpeg.org >> >> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel >> >> > >> > >> >> > >> > To unsubscribe, visit link above, or email >> >> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >> >> > >> >> >> > >> Make sure this does not break any files. >> >> > > >> >> > > Do you have any specific files i should test ? >> >> > > >> >> > > I of course cannot test every file on earth ... >> >> > >> >> > I'm on vacation, so when I get back I will give you some files. >> >> >> >> ok, ill wait, no hurry, enjoy your vacation! >> > >> > ping, this issue is reaching its deadline, so i would like to >> > fix it >> >> What deadline? Is this some kind of fancy corporation? > > first link for googling ossfuzz deadline explains it like this: > > "Once a project is signed up for OSS-Fuzz, it is automatically subject to > the 90-day disclosure deadline for newly reported bugs ..." > Irrelevant, this is not security issue at all. > thx > > [...] > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > "I am not trying to be anyone's saviour, I'm trying to think about the > future and not be sad" - Elon Musk > >
Feel free to apply this patch as it does not break current files, but I think check is incomplete. On 9/10/19, Paul B Mahol <onemda@gmail.com> wrote: > On 9/10/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >> On Mon, Sep 09, 2019 at 10:29:14PM +0200, Paul B Mahol wrote: >>> On 9/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >>> > On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote: >>> >> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote: >>> >> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >>> >> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote: >>> >> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote: >>> >> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be >>> >> > >> > represented >>> >> > >> > in >>> >> > >> > type 'int' >>> >> > >> > Fixes: >>> >> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 >>> >> > >> > >>> >> > >> > Found-by: continuous fuzzing process >>> >> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> >> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >>> >> > >> > --- >>> >> > >> > libavcodec/dxv.c | 2 +- >>> >> > >> > 1 file changed, 1 insertion(+), 1 deletion(-) >>> >> > >> > >>> >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c >>> >> > >> > index 5fd1844094..3506775560 100644 >>> >> > >> > --- a/libavcodec/dxv.c >>> >> > >> > +++ b/libavcodec/dxv.c >>> >> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext >>> >> > >> > *ctx, >>> >> > >> > GetByteContext *gb, >>> >> > >> > int skip0, skip1, oi0 = 0, oi1 = 0; >>> >> > >> > int ret, state0 = 0, state1 = 0; >>> >> > >> > >>> >> > >> > - if (op_offset < 12) >>> >> > >> > + if (op_offset < 12 || op_offset - 12 > >>> >> > >> > bytestream2_get_bytes_left(gb)) >>> >> > >> > return AVERROR_INVALIDDATA; >>> >> > >> > >>> >> > >> > dst = tex_data; >>> >> > >> > -- >>> >> > >> > 2.22.0 >>> >> > >> > >>> >> > >> > _______________________________________________ >>> >> > >> > ffmpeg-devel mailing list >>> >> > >> > ffmpeg-devel@ffmpeg.org >>> >> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel >>> >> > >> > >>> >> > >> > To unsubscribe, visit link above, or email >>> >> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >>> >> > >> >>> >> > >> Make sure this does not break any files. >>> >> > > >>> >> > > Do you have any specific files i should test ? >>> >> > > >>> >> > > I of course cannot test every file on earth ... >>> >> > >>> >> > I'm on vacation, so when I get back I will give you some files. >>> >> >>> >> ok, ill wait, no hurry, enjoy your vacation! >>> > >>> > ping, this issue is reaching its deadline, so i would like to >>> > fix it >>> >>> What deadline? Is this some kind of fancy corporation? >> >> first link for googling ossfuzz deadline explains it like this: >> >> "Once a project is signed up for OSS-Fuzz, it is automatically subject to >> the 90-day disclosure deadline for newly reported bugs ..." >> > > Irrelevant, this is not security issue at all. > >> thx >> >> [...] >> -- >> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB >> >> "I am not trying to be anyone's saviour, I'm trying to think about the >> future and not be sad" - Elon Musk >> >> >
On Mon, Sep 23, 2019 at 11:09:28AM +0200, Paul B Mahol wrote: > Feel free to apply this patch as it does not break current files, but ok, will apply > I think check is incomplete. yes, more things need to be checked ill send another patch thx [...]
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 5fd1844094..3506775560 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb, int skip0, skip1, oi0 = 0, oi1 = 0; int ret, state0 = 0, state1 = 0; - if (op_offset < 12) + if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA; dst = tex_data;
Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in type 'int' Fixes: 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/dxv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)