From patchwork Mon Sep 17 19:34:00 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 10348
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Mon, 17 Sep 2018 21:34:00 +0200 Message-Id: <20180917193400.3276-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180917193400.3276-1-michael@niedermayer.cc> References: <20180917193400.3276-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/zmbv: Check that the decompressed data is large enough to contain MVs or an intra frame X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Timeout Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/zmbv.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 177993d0a6..0c2daf47c2 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -409,6 +409,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; + int min_size; /* parse header */ if (len < 1) @@ -510,7 +511,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } - + if (c->flags & ZMBV_KEYFRAME) { + min_size = avctx->width * avctx->height * (c->bpp / 8); + } else { + min_size = (c->bx * c->by * 2 + 3) & ~3; + } if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); return AVERROR_INVALIDDATA; 
@@ -539,6 +544,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } + if (min_size > c->decomp_len) { + av_log(avctx, AV_LOG_ERROR, "input too small\n"); + return AVERROR_INVALIDDATA; + } if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I;
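Review bot: in the hunk at @@ -510,7 +511,11 @@ the keyframe branch repeats the `avctx->width * avctx->height * (c->bpp / 8)` expression that the memset a few lines above already evaluates; hoisting it into one local (e.g. `int intra_size = avctx->width * avctx->height * (c->bpp / 8);`) used by both the memset and the min_size assignment would keep the two sizes from drifting apart if either is changed later. The interframe value `(c->bx * c->by * 2 + 3) & ~3` also deserves a one-line comment saying what it bounds (presumably two bytes of motion vector per block, rounded up to a 4-byte boundary); as the subject line states, this covers only the MV table, so the per-block XOR data that follows it in an interframe is not covered by this check and still relies on the bounds checks in the block decoding code. Finally, the hunk removes the blank line after the closing `}` rather than keeping it, leaving the new `if` pressed against the preceding block; keeping that blank line would match the surrounding layout.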
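Review bot: in the hunk at @@ -539,6 +544,10 @@ the message `"input too small\n"` carries no numbers; logging both operands, e.g. `av_log(avctx, AV_LOG_ERROR, "decompressed data too small (%d < %d)\n", c->decomp_len, min_size);` (with the format specifier adjusted to decomp_len's actual type), would make fuzzer cases and corrupt samples far easier to triage. The placement itself is right: the check sits after the closing brace of the decompression block, so it applies to decomp_len however that value was produced, and before the ZMBV_KEYFRAME branch that begins the actual decode. min_size is assigned on both sides of the `if` in the earlier hunk and the only return between the two is the `!c->decode_intra` error path, so it is always initialized here; still, computing min_size immediately before this comparison rather than in the earlier hunk would keep the value and its use together and make it harder for a future early exit or reassignment between them to break the invariant.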