Message ID | 20200920202608.11653-4-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 34df97b0886c728e1ae430a7de8b3dfd2f1a5744 |
Headers | show |
Series | [FFmpeg-devel,1/4] avformat/wvdec: Check rate for overflow | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
On Sun, Sep 20, 2020 at 10:26:08PM +0200, Michael Niedermayer wrote: > Fixes: out of memory > Fixes: 25588/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHOTOCD_fuzzer-6612945080156160 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/photocd.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/photocd.c b/libavcodec/photocd.c > index 057c9d33d4..07f10e28b7 100644 > --- a/libavcodec/photocd.c > +++ b/libavcodec/photocd.c > @@ -324,8 +324,9 @@ static int photocd_decode_frame(AVCodecContext *avctx, void *data, > else > s->resolution = av_clip(4 - s->lowres, 0, 4); > > - avctx->width = img_info[s->resolution].width; > - avctx->height = img_info[s->resolution].height; > + ret = ff_set_dimensions(avctx, img_info[s->resolution].width, img_info[s->resolution].height); > + if (ret < 0) > + return ret; > > if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) > return ret; Why is this needed at all, dimensions are alway static and completely allocable.
On Mon, Sep 21, 2020 at 12:28:37AM +0200, Paul B Mahol wrote: > On Sun, Sep 20, 2020 at 10:26:08PM +0200, Michael Niedermayer wrote: > > Fixes: out of memory > > Fixes: 25588/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHOTOCD_fuzzer-6612945080156160 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/photocd.c | 5 +++-- > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/libavcodec/photocd.c b/libavcodec/photocd.c > > index 057c9d33d4..07f10e28b7 100644 > > --- a/libavcodec/photocd.c > > +++ b/libavcodec/photocd.c > > @@ -324,8 +324,9 @@ static int photocd_decode_frame(AVCodecContext *avctx, void *data, > > else > > s->resolution = av_clip(4 - s->lowres, 0, 4); > > > > - avctx->width = img_info[s->resolution].width; > > - avctx->height = img_info[s->resolution].height; > > + ret = ff_set_dimensions(avctx, img_info[s->resolution].width, img_info[s->resolution].height); > > + if (ret < 0) > > + return ret; > > > > if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) > > return ret; > > Why is this needed at all, dimensions are alway static and completely allocable. ff_set_dimensions() sets more than width and height, for example it also sets coded_width and coded_height. And it checks dimension validity and compliance to the users requirements. There are multiple things here the previous code failed to do and which could cause problems. I would suggest to simply always use ff_set_dimensions(). Thanks [...]
On Sat, Oct 10, 2020 at 01:00:14PM +0200, Michael Niedermayer wrote: > On Mon, Sep 21, 2020 at 12:28:37AM +0200, Paul B Mahol wrote: > > On Sun, Sep 20, 2020 at 10:26:08PM +0200, Michael Niedermayer wrote: > > > Fixes: out of memory > > > Fixes: 25588/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHOTOCD_fuzzer-6612945080156160 > > > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > --- > > > libavcodec/photocd.c | 5 +++-- > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > diff --git a/libavcodec/photocd.c b/libavcodec/photocd.c > > > index 057c9d33d4..07f10e28b7 100644 > > > --- a/libavcodec/photocd.c > > > +++ b/libavcodec/photocd.c > > > @@ -324,8 +324,9 @@ static int photocd_decode_frame(AVCodecContext *avctx, void *data, > > > else > > > s->resolution = av_clip(4 - s->lowres, 0, 4); > > > > > > - avctx->width = img_info[s->resolution].width; > > > - avctx->height = img_info[s->resolution].height; > > > + ret = ff_set_dimensions(avctx, img_info[s->resolution].width, img_info[s->resolution].height); > > > + if (ret < 0) > > > + return ret; > > > > > > if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) > > > return ret; > > > > Why is this needed at all, dimensions are alway static and completely allocable. > > ff_set_dimensions() sets more than width and height, for example > it also sets coded_width and coded_height. And it checks dimension validity and > compliance to the users requirements. > There are multiple things here the previous code failed to do and which could > cause problems. > > I would suggest to simply always use ff_set_dimensions(). will apply patch [...]
diff --git a/libavcodec/photocd.c b/libavcodec/photocd.c index 057c9d33d4..07f10e28b7 100644 --- a/libavcodec/photocd.c +++ b/libavcodec/photocd.c @@ -324,8 +324,9 @@ static int photocd_decode_frame(AVCodecContext *avctx, void *data, else s->resolution = av_clip(4 - s->lowres, 0, 4); - avctx->width = img_info[s->resolution].width; - avctx->height = img_info[s->resolution].height; + ret = ff_set_dimensions(avctx, img_info[s->resolution].width, img_info[s->resolution].height); + if (ret < 0) + return ret; if ((ret = ff_thread_get_buffer(avctx, &frame, 0)) < 0) return ret;
Fixes: out of memory Fixes: 25588/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PHOTOCD_fuzzer-6612945080156160 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/photocd.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)