Message ID | 20191005214107.20093-1-michael@niedermayer.cc |
---|---|
State | New |
On 10/5/2019 6:41 PM, Michael Niedermayer wrote: > Fixes: Timeout (17sec ->281ms) > Fixes: 17833/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5638346914660352 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/h2645_parse.c | 6 +++++- > libavcodec/h2645_parse.h | 1 + > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c > index ef6a6b4b4f..34c731430f 100644 > --- a/libavcodec/h2645_parse.c > +++ b/libavcodec/h2645_parse.c > @@ -455,8 +455,12 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, > > if (pkt->nals_allocated < pkt->nb_nals + 1) { > int new_size = pkt->nals_allocated + 1; > - void *tmp = av_realloc_array(pkt->nals, new_size, sizeof(*pkt->nals)); > + void *tmp; > > + if (new_size >= INT_MAX / sizeof(*pkt->nals)) > + return AVERROR(ENOMEM); > + > + tmp = av_fast_realloc(pkt->nals, &pkt->nals_byte_allocated, new_size * sizeof(*pkt->nals)); > if (!tmp) > return AVERROR(ENOMEM); > > diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h > index 2c29ca517c..0ac2b1bd9d 100644 > --- a/libavcodec/h2645_parse.h > +++ b/libavcodec/h2645_parse.h > @@ -78,6 +78,7 @@ typedef struct H2645Packet { > H2645RBSP rbsp; > int nb_nals; > int nals_allocated; > + unsigned nals_byte_allocated; Maybe nal_buffer_size instead. LGTM either way. > } H2645Packet; > > /** >
On Sat, Oct 05, 2019 at 08:01:31PM -0300, James Almer wrote: > On 10/5/2019 6:41 PM, Michael Niedermayer wrote: > > Fixes: Timeout (17sec ->281ms) > > Fixes: 17833/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5638346914660352 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/h2645_parse.c | 6 +++++- > > libavcodec/h2645_parse.h | 1 + > > 2 files changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c > > index ef6a6b4b4f..34c731430f 100644 > > --- a/libavcodec/h2645_parse.c > > +++ b/libavcodec/h2645_parse.c > > @@ -455,8 +455,12 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length, > > > > if (pkt->nals_allocated < pkt->nb_nals + 1) { > > int new_size = pkt->nals_allocated + 1; > > - void *tmp = av_realloc_array(pkt->nals, new_size, sizeof(*pkt->nals)); > > + void *tmp; > > > > + if (new_size >= INT_MAX / sizeof(*pkt->nals)) > > + return AVERROR(ENOMEM); > > + > > + tmp = av_fast_realloc(pkt->nals, &pkt->nals_byte_allocated, new_size * sizeof(*pkt->nals)); > > if (!tmp) > > return AVERROR(ENOMEM); > > > > diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h > > index 2c29ca517c..0ac2b1bd9d 100644 > > --- a/libavcodec/h2645_parse.h > > +++ b/libavcodec/h2645_parse.h > > @@ -78,6 +78,7 @@ typedef struct H2645Packet { > > H2645RBSP rbsp; > > int nb_nals; > > int nals_allocated; > > + unsigned nals_byte_allocated; > > Maybe nal_buffer_size instead. yeah i was also before posting this hesitating on the name > > LGTM either way. will change and apply it thx [...]
diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index ef6a6b4b4f..34c731430f 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -455,8 +455,12 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
 
 if (pkt->nals_allocated < pkt->nb_nals + 1) {
 int new_size = pkt->nals_allocated + 1;
- void *tmp = av_realloc_array(pkt->nals, new_size, sizeof(*pkt->nals));
+ void *tmp;
 
+ if (new_size >= INT_MAX / sizeof(*pkt->nals))
+ return AVERROR(ENOMEM);
+
+ tmp = av_fast_realloc(pkt->nals, &pkt->nals_byte_allocated, new_size * sizeof(*pkt->nals));
 if (!tmp)
 return AVERROR(ENOMEM);
 
diff --git a/libavcodec/h2645_parse.h b/libavcodec/h2645_parse.h
index 2c29ca517c..0ac2b1bd9d 100644
--- a/libavcodec/h2645_parse.h
+++ b/libavcodec/h2645_parse.h
@@ -78,6 +78,7 @@ typedef struct H2645Packet {
 H2645RBSP rbsp;
 int nb_nals;
 int nals_allocated;
+ unsigned nals_byte_allocated;
 } H2645Packet;
 
 /**
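Review bot: The `&pkt->nals_byte_allocated` handed to av_fast_realloc() in this hunk introduces state that must be kept consistent with `pkt->nals` on every path that frees the array, not just here: av_fast_realloc() hands back its `ptr` argument untouched whenever the requested `min_size` does not exceed `*size`, so if the free path (ff_h2645_packet_uninit(), outside this hunk) releases `pkt->nals` without zeroing the new counter, the next split would receive NULL from this call and fail with ENOMEM even though memory is available. If that path is not touched elsewhere in the series, pair the `av_freep(&pkt->nals)` there with `pkt->nals_byte_allocated = 0;`. The replaced av_realloc_array() carried no such hidden invariant, which is why it deserves an explicit mention; ff_h2645_packet_split() begins and ends outside the hunk.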
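Review bot: The new `nals_byte_allocated` member in the h2645_parse.h hunk is added without a comment, and its meaning cannot be inferred from the neighbouring `nals_allocated` (that one counts elements, this one counts bytes and is written by av_fast_realloc() rather than by the parser), so the two are easy to confuse. Suggest `unsigned nals_byte_allocated; ///< size in bytes of the nals allocation, maintained by av_fast_realloc()`. The struct continues outside the hunk.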
Fixes: Timeout (17sec ->281ms) Fixes: 17833/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5638346914660352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/h2645_parse.c | 6 +++++- libavcodec/h2645_parse.h | 1 + 2 files changed, 6 insertions(+), 1 deletion(-)