Message ID | 20220107165111.9929-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | c36a5dfc8f68316f93d03081e5a367b04e1cbd3c |
Headers | show |
Series | [FFmpeg-devel] avformat/rawvideodec: check packet size | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
andriy/make_ppc | success | Make finished |
andriy/make_fate_ppc | success | Make fate finished |
On Fri, Jan 07, 2022 at 05:51:11PM +0100, Michael Niedermayer wrote: > Fixes: division by zero > Fixes: integer overflow > Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/rawvideodec.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c > index 68547fc50ff..387c4ba80f5 100644 > --- a/libavformat/rawvideodec.c > +++ b/libavformat/rawvideodec.c > @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx) > enum AVPixelFormat pix_fmt; > AVStream *st; > int packet_size; > + int ret; > > st = avformat_new_stream(ctx, NULL); > if (!st) > @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx) > > avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num); > > + ret = av_image_check_size(s->width, s->height, 0, ctx); > + if (ret < 0) > + return ret; > + > st->codecpar->width = s->width; > st->codecpar->height = s->height; > > @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx) > if (packet_size < 0) > return packet_size; > } > + if (packet_size == 0) > + return AVERROR(EINVAL); > > st->codecpar->format = pix_fmt; > ctx->packet_size = packet_size; > -- > 2.17.1 > LGTM > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer: > Fixes: division by zero > Fixes: integer overflow > Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/rawvideodec.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c > index 68547fc50ff..387c4ba80f5 100644 > --- a/libavformat/rawvideodec.c > +++ b/libavformat/rawvideodec.c > @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx) > enum AVPixelFormat pix_fmt; > AVStream *st; > int packet_size; > + int ret; > > st = avformat_new_stream(ctx, NULL); > if (!st) > @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx) > > avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num); > > + ret = av_image_check_size(s->width, s->height, 0, ctx); Looking at av_image_check_size() this seems to ensure that 8 * width *height fits in an int. So this should indeed fix all the overflows. > + if (ret < 0) > + return ret; > + > st->codecpar->width = s->width; > st->codecpar->height = s->height; > > @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx) > if (packet_size < 0) > return packet_size; > } > + if (packet_size == 0) > + return AVERROR(EINVAL); > > st->codecpar->format = pix_fmt; > ctx->packet_size = packet_size; >
On Fri, Jan 07, 2022 at 05:51:11PM +0100, Michael Niedermayer wrote: > Fixes: division by zero > Fixes: integer overflow > Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/rawvideodec.c | 7 +++++++ > 1 file changed, 7 insertions(+) will apply thx for the reviews [...]
diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c index 68547fc50ff..387c4ba80f5 100644 --- a/libavformat/rawvideodec.c +++ b/libavformat/rawvideodec.c @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx) enum AVPixelFormat pix_fmt; AVStream *st; int packet_size; + int ret; st = avformat_new_stream(ctx, NULL); if (!st) @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx) avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num); + ret = av_image_check_size(s->width, s->height, 0, ctx); + if (ret < 0) + return ret; + st->codecpar->width = s->width; st->codecpar->height = s->height; @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx) if (packet_size < 0) return packet_size; } + if (packet_size == 0) + return AVERROR(EINVAL); st->codecpar->format = pix_fmt; ctx->packet_size = packet_size;
Fixes: division by zero Fixes: integer overflow Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/rawvideodec.c | 7 +++++++ 1 file changed, 7 insertions(+)