diff mbox series

[FFmpeg-devel,4/4] avcodec/speedhq: Check width

Message ID 20220818223535.13078-4-michael@niedermayer.cc
State Accepted
Commit f0395f9ef6051315973f1fdded1804f81458566d
Headers show
Series [FFmpeg-devel,1/4] avcodec/bethsoftvideo: Pass GetByteContext into set_palette() | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Aug. 18, 2022, 10:35 p.m. UTC 
Fixes: out of array access
Fixes: 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400

Alternatively the buffer size can be increased

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/speedhq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul B Mahol Aug. 21, 2022, 10:54 a.m. UTC | #1 
On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: out of array access
> Fixes:
> 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400
>
> Alternatively the buffer size can be increased
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/speedhq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
> index c43de4f199..ffee5f973b 100644
> --- a/libavcodec/speedhq.c
> +++ b/libavcodec/speedhq.c
> @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx,
> AVFrame *frame,
>      uint32_t second_field_offset;
>      int ret;
>
> -    if (buf_size < 4 || avctx->width < 8)
> +    if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
>          return AVERROR_INVALIDDATA;
>

Is this right thing to do?


>
>      quality = buf[0];
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
Michael Niedermayer Aug. 21, 2022, 2:23 p.m. UTC | #2 
On Sun, Aug 21, 2022 at 12:54:57PM +0200, Paul B Mahol wrote:
> On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
> > Fixes: out of array access
> > Fixes:
> > 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400
> >
> > Alternatively the buffer size can be increased
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by
> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/speedhq.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
> > index c43de4f199..ffee5f973b 100644
> > --- a/libavcodec/speedhq.c
> > +++ b/libavcodec/speedhq.c
> > @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx,
> > AVFrame *frame,
> >      uint32_t second_field_offset;
> >      int ret;
> >
> > -    if (buf_size < 4 || avctx->width < 8)
> > +    if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
> >          return AVERROR_INVALIDDATA;
> >
> 
> Is this right thing to do?

We can increase the buffer size or change how the %8 != 0 case is handled
WIthout a non fuzzed file with such dimensions, I do not know what the
correct handling of such a file is.
What do you prefer to be done ?

Thanks

[...]
Michael Niedermayer Aug. 28, 2022, 5:39 p.m. UTC | #3 
On Sun, Aug 21, 2022 at 04:23:09PM +0200, Michael Niedermayer wrote:
> On Sun, Aug 21, 2022 at 12:54:57PM +0200, Paul B Mahol wrote:
> > On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc>
> > wrote:
> > 
> > > Fixes: out of array access
> > > Fixes:
> > > 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400
> > >
> > > Alternatively the buffer size can be increased
> > >
> > > Found-by: continuous fuzzing process
> > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by
> > > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > > Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavcodec/speedhq.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
> > > index c43de4f199..ffee5f973b 100644
> > > --- a/libavcodec/speedhq.c
> > > +++ b/libavcodec/speedhq.c
> > > @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx,
> > > AVFrame *frame,
> > >      uint32_t second_field_offset;
> > >      int ret;
> > >
> > > -    if (buf_size < 4 || avctx->width < 8)
> > > +    if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
> > >          return AVERROR_INVALIDDATA;
> > >
> > 
> > Is this right thing to do?
> 
> We can increase the buffer size or change how the %8 != 0 case is handled
> WIthout a non fuzzed file with such dimensions, I do not know what the
> correct handling of such a file is.

> What do you prefer to be done ?

ping

[...]
Michael Niedermayer Sept. 2, 2022, 9:02 a.m. UTC | #4 
On Sun, Aug 28, 2022 at 07:39:53PM +0200, Michael Niedermayer wrote:
> On Sun, Aug 21, 2022 at 04:23:09PM +0200, Michael Niedermayer wrote:
> > On Sun, Aug 21, 2022 at 12:54:57PM +0200, Paul B Mahol wrote:
> > > On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer <michael@niedermayer.cc>
> > > wrote:
> > > 
> > > > Fixes: out of array access
> > > > Fixes:
> > > > 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400
> > > >
> > > > Alternatively the buffer size can be increased
> > > >
> > > > Found-by: continuous fuzzing process
> > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > Signed-off-by
> > > > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > > > Michael Niedermayer <michael@niedermayer.cc>
> > > > ---
> > > >  libavcodec/speedhq.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
> > > > index c43de4f199..ffee5f973b 100644
> > > > --- a/libavcodec/speedhq.c
> > > > +++ b/libavcodec/speedhq.c
> > > > @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx,
> > > > AVFrame *frame,
> > > >      uint32_t second_field_offset;
> > > >      int ret;
> > > >
> > > > -    if (buf_size < 4 || avctx->width < 8)
> > > > +    if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
> > > >          return AVERROR_INVALIDDATA;
> > > >
> > > 
> > > Is this right thing to do?
> > 
> > We can increase the buffer size or change how the %8 != 0 case is handled
> > WIthout a non fuzzed file with such dimensions, I do not know what the
> > correct handling of such a file is.
> 
> > What do you prefer to be done ?
> 
> ping

i will apply this in the next 24h

thx

[...]
diff mbox series

Patch

diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c
index c43de4f199..ffee5f973b 100644
--- a/libavcodec/speedhq.c
+++ b/libavcodec/speedhq.c
@@ -499,7 +499,7 @@  static int speedhq_decode_frame(AVCodecContext *avctx, AVFrame *frame,
     uint32_t second_field_offset;
     int ret;
 
-    if (buf_size < 4 || avctx->width < 8)
+    if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0)
         return AVERROR_INVALIDDATA;
 
     quality = buf[0];