diff mbox series

[FFmpeg-devel,5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

Message ID 20220719113453.23169-5-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/6] avcodec/mpeg4videoenc: fix encoding long frames | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer July 19, 2022, 11:34 a.m. UTC 
Fixes: Timeout
Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ffv1dec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

James Almer July 19, 2022, 11:37 a.m. UTC | #1 
On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/ffv1dec.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> index 01ddcaa512..9bdac0be4e 100644
> --- a/libavcodec/ffv1dec.c
> +++ b/libavcodec/ffv1dec.c
> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>           if (buf_size < avctx->width * avctx->height / (128*8))
>               return AVERROR_INVALIDDATA;
>       } else {
> -        if (buf_size < avctx->height / 8)
> +        int i;

for (int i...

> +        int w = avctx->width;
> +        for (i = 0; w > (1<<ff_log2_run[i]); i++)
> +            w -= ff_log2_run[i];
> +        if (buf_size < (avctx->height + i + 6)/ 8)
>               return AVERROR_INVALIDDATA;
>       }
>
Michael Niedermayer July 20, 2022, 2:30 p.m. UTC | #2 
On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> 
> 
> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/ffv1dec.c | 6 +++++-
> >   1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> > index 01ddcaa512..9bdac0be4e 100644
> > --- a/libavcodec/ffv1dec.c
> > +++ b/libavcodec/ffv1dec.c
> > @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> >           if (buf_size < avctx->width * avctx->height / (128*8))
> >               return AVERROR_INVALIDDATA;
> >       } else {
> > -        if (buf_size < avctx->height / 8)
> > +        int i;
> 
> for (int i...

will apply with that change

thx

[...]
Andreas Rheinhardt July 20, 2022, 10:17 p.m. UTC | #3 
Michael Niedermayer:
> On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
>>
>>
>> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
>>> Fixes: Timeout
>>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>   libavcodec/ffv1dec.c | 6 +++++-
>>>   1 file changed, 5 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
>>> index 01ddcaa512..9bdac0be4e 100644
>>> --- a/libavcodec/ffv1dec.c
>>> +++ b/libavcodec/ffv1dec.c
>>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>>>           if (buf_size < avctx->width * avctx->height / (128*8))
>>>               return AVERROR_INVALIDDATA;
>>>       } else {
>>> -        if (buf_size < avctx->height / 8)
>>> +        int i;
>>
>> for (int i...
> 
> will apply with that change
> 
> thx
> 

James' suggestion made you use an uninitialized i in the actual check;
and even the original check is wrong, as one can overrun ff_log2_run
(unless there is a check that I am not missing). So it seems to me that
reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.

- Andreas
Michael Niedermayer July 20, 2022, 10:46 p.m. UTC | #4 
On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> >>
> >>
> >> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> >>> Fixes: Timeout
> >>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> >>>
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >>> ---
> >>>   libavcodec/ffv1dec.c | 6 +++++-
> >>>   1 file changed, 5 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> >>> index 01ddcaa512..9bdac0be4e 100644
> >>> --- a/libavcodec/ffv1dec.c
> >>> +++ b/libavcodec/ffv1dec.c
> >>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> >>>           if (buf_size < avctx->width * avctx->height / (128*8))
> >>>               return AVERROR_INVALIDDATA;
> >>>       } else {
> >>> -        if (buf_size < avctx->height / 8)
> >>> +        int i;
> >>
> >> for (int i...
> > 
> > will apply with that change
> > 
> > thx
> > 
> 
> James' suggestion made you use an uninitialized i in the actual check;

yes


> and even the original check is wrong, as one can overrun ff_log2_run
> (unless there is a check that I am not missing). 

Theres a check but its too late


> So it seems to me that
> reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.

not against that but heres a quick fix attempt


Author: Michael Niedermayer <michael@niedermayer.cc>
Date:   Thu Jul 21 00:20:41 2022 +0200

    avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check
    
    Found-by: mkver
    
    Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index d71584505d..c6eca3227c 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -884,9 +884,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
             return AVERROR_INVALIDDATA;
     } else {
         int w = avctx->width;
-        for (int i = 0; w > (1<<ff_log2_run[i]); i++)
+        int s = 1 + w / (1<<23);
+        int i;
+
+        w /= s;
+
+        for (i = 0; w > (1<<ff_log2_run[i]); i++)
             w -= ff_log2_run[i];
-        if (buf_size < (avctx->height + i + 6)/ 8)
+        if (buf_size < (avctx->height + s*i + 6)/ 8)
             return AVERROR_INVALIDDATA;
     }
 
 

[...]
Michael Niedermayer July 21, 2022, 6:45 a.m. UTC | #5 
On Thu, Jul 21, 2022 at 12:46:38AM +0200, Michael Niedermayer wrote:
> On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> > >>
> > >>
> > >> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> > >>> Fixes: Timeout
> > >>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> > >>>
> > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > >>> ---
> > >>>   libavcodec/ffv1dec.c | 6 +++++-
> > >>>   1 file changed, 5 insertions(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> > >>> index 01ddcaa512..9bdac0be4e 100644
> > >>> --- a/libavcodec/ffv1dec.c
> > >>> +++ b/libavcodec/ffv1dec.c
> > >>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> > >>>           if (buf_size < avctx->width * avctx->height / (128*8))
> > >>>               return AVERROR_INVALIDDATA;
> > >>>       } else {
> > >>> -        if (buf_size < avctx->height / 8)
> > >>> +        int i;
> > >>
> > >> for (int i...
> > > 
> > > will apply with that change
> > > 
> > > thx
> > > 
> > 
> > James' suggestion made you use an uninitialized i in the actual check;
> 
> yes
> 
> 
> > and even the original check is wrong, as one can overrun ff_log2_run
> > (unless there is a check that I am not missing). 
> 
> Theres a check but its too late
> 
> 
> > So it seems to me that
> > reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.
> 
> not against that but heres a quick fix attempt
> 
> 
> Author: Michael Niedermayer <michael@niedermayer.cc>
> Date:   Thu Jul 21 00:20:41 2022 +0200
> 
>     avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check

will apply this so the uninitialized read is fixed. If this has
some off by 1 error or something that can be adjusted later
dont want to leave this bug open

[...]
Andreas Rheinhardt July 21, 2022, 7:11 p.m. UTC | #6 
Michael Niedermayer:
> On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
>>>>
>>>>
>>>> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
>>>>> Fixes: Timeout
>>>>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
>>>>>
>>>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>>> ---
>>>>>   libavcodec/ffv1dec.c | 6 +++++-
>>>>>   1 file changed, 5 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
>>>>> index 01ddcaa512..9bdac0be4e 100644
>>>>> --- a/libavcodec/ffv1dec.c
>>>>> +++ b/libavcodec/ffv1dec.c
>>>>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>>>>>           if (buf_size < avctx->width * avctx->height / (128*8))
>>>>>               return AVERROR_INVALIDDATA;
>>>>>       } else {
>>>>> -        if (buf_size < avctx->height / 8)
>>>>> +        int i;
>>>>
>>>> for (int i...
>>>
>>> will apply with that change
>>>
>>> thx
>>>
>>
>> James' suggestion made you use an uninitialized i in the actual check;
> 
> yes
> 
> 
>> and even the original check is wrong, as one can overrun ff_log2_run
>> (unless there is a check that I am not missing). 
> 
> Theres a check but its too late
> 
> 
>> So it seems to me that
>> reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.
> 
> not against that but heres a quick fix attempt
> 

I thought that it would be easier to backport the fix if it were one
patch; of course it was never my intention to force you to revert this.

> 
> Author: Michael Niedermayer <michael@niedermayer.cc>
> Date:   Thu Jul 21 00:20:41 2022 +0200
> 
>     avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check
>     
>     Found-by: mkver

Please don't use my nickname in the future in commit messages.

>     
>     Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> 
> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> index d71584505d..c6eca3227c 100644
> --- a/libavcodec/ffv1dec.c
> +++ b/libavcodec/ffv1dec.c
> @@ -884,9 +884,14 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
>              return AVERROR_INVALIDDATA;
>      } else {
>          int w = avctx->width;
> -        for (int i = 0; w > (1<<ff_log2_run[i]); i++)
> +        int s = 1 + w / (1<<23);
> +        int i;
> +
> +        w /= s;
> +
> +        for (i = 0; w > (1<<ff_log2_run[i]); i++)
>              w -= ff_log2_run[i];
> -        if (buf_size < (avctx->height + i + 6)/ 8)
> +        if (buf_size < (avctx->height + s*i + 6)/ 8)
>              return AVERROR_INVALIDDATA;
>      }
>  
>  
>
diff mbox series

Patch

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 01ddcaa512..9bdac0be4e 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -883,7 +883,11 @@  static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
         if (buf_size < avctx->width * avctx->height / (128*8))
             return AVERROR_INVALIDDATA;
     } else {
-        if (buf_size < avctx->height / 8)
+        int i;
+        int w = avctx->width;
+        for (i = 0; w > (1<<ff_log2_run[i]); i++)
+            w -= ff_log2_run[i];
+        if (buf_size < (avctx->height + i + 6)/ 8)
             return AVERROR_INVALIDDATA;
     }