| Message ID | 20230113000138.9994-2-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
| Series | [FFmpeg-devel,1/5] avcodec/wbmpdec: use remaining size not whole size | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
On 1/12/2023 9:01 PM, Michael Niedermayer wrote: > Fixes:OOM > Fixes:out of array access (no testcase) > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/xpmdec.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c > index ff1f51dd32..504cc47d8f 100644 > --- a/libavcodec/xpmdec.c > +++ b/libavcodec/xpmdec.c > @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p, > > size *= 4; > > + if (size > SIZE_MAX) > + return AVERROR(ENOMEM); Maybe check for (size > SIZE_MAX / 4) before the multiplication above instead. > + > ptr += mod_strcspn(ptr, ",") + 1; > if (end - ptr < 1) > return AVERROR_INVALIDDATA;
On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote: > > > On 1/12/2023 9:01 PM, Michael Niedermayer wrote: > > Fixes:OOM > > Fixes:out of array access (no testcase) > > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/xpmdec.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c > > index ff1f51dd32..504cc47d8f 100644 > > --- a/libavcodec/xpmdec.c > > +++ b/libavcodec/xpmdec.c > > @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p, > > size *= 4; > > + if (size > SIZE_MAX) > > + return AVERROR(ENOMEM); > > Maybe check for (size > SIZE_MAX / 4) before the multiplication above > instead. what is the advantage of this ? thx [...]
On 1/13/2023 5:49 PM, Michael Niedermayer wrote: > On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote: >> >> >> On 1/12/2023 9:01 PM, Michael Niedermayer wrote: >>> Fixes:OOM >>> Fixes:out of array access (no testcase) >>> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 >>> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >>> --- >>> libavcodec/xpmdec.c | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c >>> index ff1f51dd32..504cc47d8f 100644 >>> --- a/libavcodec/xpmdec.c >>> +++ b/libavcodec/xpmdec.c >>> @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p, >>> size *= 4; >>> + if (size > SIZE_MAX) >>> + return AVERROR(ENOMEM); >> >> Maybe check for (size > SIZE_MAX / 4) before the multiplication above >> instead. > > what is the advantage of this ? An int64_t value will never be bigger than or equal to SIZE_MAX on 64 bits targets, so maybe some compiler out there will warn about it. > > thx > > [...] > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
On Fri, Jan 13, 2023 at 05:53:20PM -0300, James Almer wrote: > On 1/13/2023 5:49 PM, Michael Niedermayer wrote: > > On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote: > > > > > > > > > On 1/12/2023 9:01 PM, Michael Niedermayer wrote: > > > > Fixes:OOM > > > > Fixes:out of array access (no testcase) > > > > Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 > > > > > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > > --- > > > > libavcodec/xpmdec.c | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c > > > > index ff1f51dd32..504cc47d8f 100644 > > > > --- a/libavcodec/xpmdec.c > > > > +++ b/libavcodec/xpmdec.c > > > > @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p, > > > > size *= 4; > > > > + if (size > SIZE_MAX) > > > > + return AVERROR(ENOMEM); > > > > > > Maybe check for (size > SIZE_MAX / 4) before the multiplication above > > > instead. > > > > what is the advantage of this ? > > An int64_t value will never be bigger than or equal to SIZE_MAX on 64 bits > targets, so maybe some compiler out there will warn about it. hmm ok, ill apply it with that change thx [...]
diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c index ff1f51dd32..504cc47d8f 100644 --- a/libavcodec/xpmdec.c +++ b/libavcodec/xpmdec.c @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p, size *= 4; + if (size > SIZE_MAX) + return AVERROR(ENOMEM); + ptr += mod_strcspn(ptr, ",") + 1; if (end - ptr < 1) return AVERROR_INVALIDDATA;
Fixes:OOM Fixes:out of array access (no testcase) Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/xpmdec.c | 3 +++ 1 file changed, 3 insertions(+)