| Message ID | 20201107231710.24816-5-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
| Series | [FFmpeg-devel,1/5] avformat/tedcaptionsdec: Check for overflow in parse_int() | expand |
| Context | Check | Description |
|---|---|---|
| andriy/x86_make | success | Make finished |
| andriy/x86_make_fate | success | Make fate finished |
| andriy/PPC64_make | success | Make finished |
| andriy/PPC64_make_fate | success | Make fate finished |
Michael Niedermayer: > Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' > Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/cfhd.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c > index a2b9c7c76a..e3fbfa4b91 100644 > --- a/libavcodec/cfhd.c > +++ b/libavcodec/cfhd.c > @@ -617,6 +617,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, > s->peak.level = 0; > } else if (tag == -PeakLevel && s->peak.offset) { > s->peak.level = data; > + if (s->peak.offset < INT_MIN + 4) { > + ret = AVERROR_INVALIDDATA; > + goto end; > + } > bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR); > } else > av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data); > Is this peak.offset actually intended to be signed? And if so wouldn't it make more sense to actually check that the buffer contains the seek target? - Andreas
On Sun, Nov 08, 2020 at 03:42:30AM +0100, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' > > Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/cfhd.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c > > index a2b9c7c76a..e3fbfa4b91 100644 > > --- a/libavcodec/cfhd.c > > +++ b/libavcodec/cfhd.c > > @@ -617,6 +617,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, > > s->peak.level = 0; > > } else if (tag == -PeakLevel && s->peak.offset) { > > s->peak.level = data; > > + if (s->peak.offset < INT_MIN + 4) { > > + ret = AVERROR_INVALIDDATA; > > + goto end; > > + } > > bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR); > > } else > > av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data); > > > Is this peak.offset actually intended to be signed? it is signed in the reference code ive seen > And if so wouldn't > it make more sense to actually check that the buffer contains the seek > target? the reference code does not check that but i agree it of course makes sense. posted a patch which should do that thx [...]
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index a2b9c7c76a..e3fbfa4b91 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -617,6 +617,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, s->peak.level = 0; } else if (tag == -PeakLevel && s->peak.offset) { s->peak.level = data; + if (s->peak.offset < INT_MIN + 4) { + ret = AVERROR_INVALIDDATA; + goto end; + } bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR); } else av_log(avctx, AV_LOG_DEBUG, "Unknown tag %i data %x\n", tag, data);
Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int' Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/cfhd.c | 4 ++++ 1 file changed, 4 insertions(+)