Message ID | TYSPR06MB6433FAD9F3799D6F5277EE44AA442@TYSPR06MB6433.apcprd06.prod.outlook.com |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel] avcodec/vvc_mp4toannexb: check the return of bytestream2_get_buffer | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
Nuo Mi: > Fixes: fuzzer timeout > Fixes: 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/bsf/vvc_mp4toannexb.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c > index 25c3726918..a15c1eef5b 100644 > --- a/libavcodec/bsf/vvc_mp4toannexb.c > +++ b/libavcodec/bsf/vvc_mp4toannexb.c > @@ -168,8 +168,10 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx) > goto fail; > > AV_WB32(new_extradata + new_extradata_size, 1); // add the startcode > - bytestream2_get_buffer(&gb, new_extradata + new_extradata_size + 4, > - nalu_len); > + if (bytestream2_get_buffer(&gb, new_extradata + new_extradata_size + 4, nalu_len) != nalu_len) { > + ret = AVERROR_INVALIDDATA; > + goto fail; > + } > new_extradata_size += 4 + nalu_len; > memset(new_extradata + new_extradata_size, 0, > AV_INPUT_BUFFER_PADDING_SIZE); > @@ -298,8 +300,10 @@ static int vvc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) > if (extra_size) > memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size); > AV_WB32(out->data + prev_size + extra_size, 1); > - bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, > - nalu_size); > + if (bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size) != nalu_size) { > + ret = AVERROR_INVALIDDATA; > + goto fail; > + } > } > > ret = av_packet_copy_props(out, in); It is better to check that there is enough input before growing the packet/the extradata. This also allows to use unchecked reads lateron. - Andreas
On Thu, Feb 8, 2024 at 11:50 PM Andreas Rheinhardt < andreas.rheinhardt@outlook.com> wrote: > Nuo Mi: > > Fixes: fuzzer timeout > > Fixes: > 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008 > > > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/bsf/vvc_mp4toannexb.c | 12 ++++++++---- > > 1 file changed, 8 insertions(+), 4 deletions(-) > > > > diff --git a/libavcodec/bsf/vvc_mp4toannexb.c > b/libavcodec/bsf/vvc_mp4toannexb.c > > index 25c3726918..a15c1eef5b 100644 > > --- a/libavcodec/bsf/vvc_mp4toannexb.c > > +++ b/libavcodec/bsf/vvc_mp4toannexb.c > > @@ -168,8 +168,10 @@ static int vvc_extradata_to_annexb(AVBSFContext > *ctx) > > goto fail; > > > > AV_WB32(new_extradata + new_extradata_size, 1); // add the > startcode > > - bytestream2_get_buffer(&gb, new_extradata + > new_extradata_size + 4, > > - nalu_len); > > + if (bytestream2_get_buffer(&gb, new_extradata + > new_extradata_size + 4, nalu_len) != nalu_len) { > > + ret = AVERROR_INVALIDDATA; > > + goto fail; > > + } > > new_extradata_size += 4 + nalu_len; > > memset(new_extradata + new_extradata_size, 0, > > AV_INPUT_BUFFER_PADDING_SIZE); > > @@ -298,8 +300,10 @@ static int vvc_mp4toannexb_filter(AVBSFContext > *ctx, AVPacket *out) > > if (extra_size) > > memcpy(out->data + prev_size, ctx->par_out->extradata, > extra_size); > > AV_WB32(out->data + prev_size + extra_size, 1); > > - bytestream2_get_buffer(&gb, out->data + prev_size + 4 + > extra_size, > > - nalu_size); > > + if (bytestream2_get_buffer(&gb, out->data + prev_size + 4 + > extra_size, nalu_size) != nalu_size) { > > + ret = AVERROR_INVALIDDATA; > > + goto fail; > > + } > > } > > > > ret = av_packet_copy_props(out, in); > > It is better to check that there is enough input before growing the > packet/the extradata. This also allows to use unchecked reads lateron. > Good idea, fixed in v2. > > - Andreas > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >
diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c index 25c3726918..a15c1eef5b 100644 --- a/libavcodec/bsf/vvc_mp4toannexb.c +++ b/libavcodec/bsf/vvc_mp4toannexb.c @@ -168,8 +168,10 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx) goto fail; AV_WB32(new_extradata + new_extradata_size, 1); // add the startcode - bytestream2_get_buffer(&gb, new_extradata + new_extradata_size + 4, - nalu_len); + if (bytestream2_get_buffer(&gb, new_extradata + new_extradata_size + 4, nalu_len) != nalu_len) { + ret = AVERROR_INVALIDDATA; + goto fail; + } new_extradata_size += 4 + nalu_len; memset(new_extradata + new_extradata_size, 0, AV_INPUT_BUFFER_PADDING_SIZE); @@ -298,8 +300,10 @@ static int vvc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) if (extra_size) memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size); AV_WB32(out->data + prev_size + extra_size, 1); - bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, - nalu_size); + if (bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size) != nalu_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } } ret = av_packet_copy_props(out, in);
Fixes: fuzzer timeout Fixes: 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/bsf/vvc_mp4toannexb.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)