[FFmpeg-devel,1/5] avcodec/iff: Fix off by x error

Message ID	20200613112345.13515-1-michael@niedermayer.cc
State	Accepted
Commit	51225dee0a6266780d26d43bd6802bbcf736327e
Headers	show Return-Path: <ffmpeg-devel-bounces@ffmpeg.org> From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Sat, 13 Jun 2020 13:23:41 +0200 Message-Id: <20200613112345.13515-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 1/5] avcodec/iff: Fix off by x error Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel,1/5] avcodec/iff: Fix off by x error \| expand [FFmpeg-devel,1/5] avcodec/iff: Fix off by x error [FFmpeg-devel,2/5] avformat/ape: Cleanup after ape_read_header() failure [FFmpeg-devel,3/5] avcodec/pixlet: Fix log(0) check [FFmpeg-devel,4/5] avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes f… [FFmpeg-devel,5/5] avformat/oggdec: Disable mid stream codec changes

Message ID

20200613112345.13515-1-michael@niedermayer.cc

State

Accepted

Commit

51225dee0a6266780d26d43bd6802bbcf736327e

Headers

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sat, 13 Jun 2020 13:23:41 +0200
Message-Id: <20200613112345.13515-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/5] avcodec/iff: Fix off by x error
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel,1/5] avcodec/iff: Fix off by x error | expand

Context	Check	Description
andriy/default	pending
andriy/make	success	Make finished
andriy/make_fate	success	Make fate finished

Context

Check

Description

andriy/default

pending

andriy/make

success

Make finished

andriy/make_fate

success

Make fate finished

Commit Message

Michael Niedermayer June 13, 2020, 11:23 a.m. UTC

Fixes: out of array access
Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/iff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer June 14, 2020, 4:38 p.m. UTC | #1

On Sat, Jun 13, 2020 at 01:23:41PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz

will apply patchset with requested modifications


[...]

diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 66879cbf5d..79f6215c77 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -723,7 +723,7 @@  static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
         if (opcode >= 0) {
             int size = opcode + 1;
             for (i = 0; i < size; i++) {
-                int length = FFMIN(size - i, width);
+                int length = FFMIN(size - i, width - x);
                 if (src_end - src < length * 4)
                     return;
                 memcpy(dst + y*linesize + x * 4, src, length * 4);

[FFmpeg-devel,1/5] avcodec/iff: Fix off by x error

Checks

Commit Message

Comments

Patch