diff mbox series

[FFmpeg-devel] avformat/mspdec: Check packet_size more completely

Message ID 20210303100023.17550-1-michael@niedermayer.cc
State Accepted
Commit 787501db16cbe6874ad42acd539fa4595dd64e66
Headers show
Series [FFmpeg-devel] avformat/mspdec: Check packet_size more completely | expand

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer March 3, 2021, 10 a.m. UTC 
Fixes: OOM
Fixes: 28348/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-4612055872831488
Fixes: 28360/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-6245230626078720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mspdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Michael Niedermayer March 3, 2021, 10:08 a.m. UTC | #1 
On Wed, Mar 03, 2021 at 11:00:23AM +0100, Michael Niedermayer wrote:
> Fixes: OOM
> Fixes: 28348/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-4612055872831488
> Fixes: 28360/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-6245230626078720
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mspdec.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

i seem to have forgotten to post this in december when i wrote it, i found it in my
pending patches branch but not on the mailing list

[...]
Paul B Mahol March 3, 2021, 11:58 a.m. UTC | #2 
lgtm

On Wed, Mar 3, 2021 at 11:01 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: OOM
> Fixes:
> 28348/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-4612055872831488
> Fixes:
> 28360/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-6245230626078720
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mspdec.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/mspdec.c b/libavformat/mspdec.c
> index b81d835a63..4845eb3729 100644
> --- a/libavformat/mspdec.c
> +++ b/libavformat/mspdec.c
> @@ -70,11 +70,12 @@ static int msp_read_header(AVFormatContext *s)
>
>      if (st->codecpar->codec_id == AV_CODEC_ID_RAWVIDEO) {
>          cntx->packet_size =
> av_image_get_buffer_size(st->codecpar->format, st->codecpar->width,
> st->codecpar->height, 1);
> -        if (cntx->packet_size < 0)
> -            return cntx->packet_size;
>      } else
>          cntx->packet_size = 2 * st->codecpar->height;
>
> +    if (cntx->packet_size <= 0)
> +        return cntx->packet_size < 0 ? cntx->packet_size :
> AVERROR_INVALIDDATA;
> +
>      return 0;
>  }
>
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer March 3, 2021, 3:34 p.m. UTC | #3 
On Wed, Mar 03, 2021 at 12:58:40PM +0100, Paul B Mahol wrote:
> lgtm

will apply

thx

[...]
diff mbox series

Patch

diff --git a/libavformat/mspdec.c b/libavformat/mspdec.c
index b81d835a63..4845eb3729 100644
--- a/libavformat/mspdec.c
+++ b/libavformat/mspdec.c
@@ -70,11 +70,12 @@  static int msp_read_header(AVFormatContext *s)
 
     if (st->codecpar->codec_id == AV_CODEC_ID_RAWVIDEO) {
         cntx->packet_size = av_image_get_buffer_size(st->codecpar->format, st->codecpar->width, st->codecpar->height, 1);
-        if (cntx->packet_size < 0)
-            return cntx->packet_size;
     } else
         cntx->packet_size = 2 * st->codecpar->height;
 
+    if (cntx->packet_size <= 0)
+        return cntx->packet_size < 0 ? cntx->packet_size : AVERROR_INVALIDDATA;
+
     return 0;
 }