From patchwork Sat Oct 20 10:42:35 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 10725
Date: Sat, 20 Oct 2018 12:42:35 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Message-ID: <20181020104235.GB3743@michaelspb>
Subject: [FFmpeg-devel] [PATCH] 2 alternative ways to check in vp9 decode_tiles() if there is data remaining

Hi

2 alternative patchsets are attached to fix $SUBJ

The 2 alternatives should behave similarly.

The first adds a function to check if the next range coder symbol read would trigger the end of input case. We then error out before reading in case the read would trigger this case.

The second sets a flag if the end of input case is triggered and subsequently errors out.

The second case should be slower as it requires additional checks in inner loops, but I was asked to implement this with a flag, so I implemented both ways.

Which version, if any, should I apply?

Thanks

[...]

From 72aa2377c7b401f1a0c2866bc1471f4c98310415 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 4 Aug 2018 22:21:02 +0200
Subject: [PATCH 2/2] avcodec/vp9: Check in decode_tiles() if there is data remaining

Fixes: Timeout
Fixes: 9330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5707345857347584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/vp9.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index b1178c9c0c..dd5c8098c8 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -1308,6 +1308,9 @@ static int decode_tiles(AVCodecContext *avctx, } else { decode_sb(td, row, col, lflvl_ptr, yoff2, uvoff2, BL_64X64); + if (td->c->is_end) { + return AVERROR_INVALIDDATA; + } } } } -- 2.19.1
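Review bot: the `if (td->c->is_end)` check placed after `decode_sb(td, row, col, lflvl_ptr, yoff2, uvoff2, BL_64X64)` only notices exhaustion once that whole superblock has been decoded, so this variant decodes one superblock past the end of the input before returning AVERROR_INVALIDDATA; that is consistent with the flag approach described in the cover letter, but the commit message should say so, and should also state that `td->c->is_end` is introduced by patch 1/2 of the series, since nothing in this hunk defines it. The check is added only in the `else` branch; if the other branch of that `if` also reads from the same range coder it needs the same check, or the check could be moved to just after the inner loop body so every path is covered. Because the return unwinds out of the nested row/column loops, please confirm that nothing after those loops in decode_tiles() needs to run on the error path.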