diff mbox

[FFmpeg-devel,1/4] avcodec/prosumer: Check for bytestream eof in decompress()

Message ID 20181031110115.31474-1-michael@niedermayer.cc
State Accepted
Commit 9acdf17b2c30c44e6e6a3d3b3c22989b7e1117c3
Headers show

Commit Message

Michael Niedermayer Oct. 31, 2018, 11:01 a.m. UTC 
Fixes: Infinite loop
Fixes: 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/prosumer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Hendrik Leppkes Oct. 31, 2018, 11:06 a.m. UTC | #1 
On Wed, Oct 31, 2018 at 12:03 PM Michael Niedermayer
<michael@niedermayer.cc> wrote:
>
> Fixes: Infinite loop
> Fixes: 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/prosumer.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c
> index 6e98677b55..2fd9880ee1 100644
> --- a/libavcodec/prosumer.c
> +++ b/libavcodec/prosumer.c
> @@ -57,7 +57,7 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui
>      b = lut[2 * idx];
>
>      while (1) {
> -        if (bytestream2_get_bytes_left_p(pb) <= 0)
> +        if (bytestream2_get_bytes_left_p(pb) <= 0 || bytestream2_get_eof(pb))
>              return 0;
>          if (((b & 0xFF00u) != 0x8000u) || (b & 0xFFu)) {
>              if ((b & 0xFF00u) != 0x8000u) {

Why does bytestream2_get_bytes_left_p not return <= 0 at eof, where
there certainly arent any bytes left?

- Hendrik
Paul B Mahol Oct. 31, 2018, 11:13 a.m. UTC | #2 
On 10/31/18, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: Infinite loop
> Fixes:
> 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/prosumer.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

patchset looks ok.
Michael Niedermayer Oct. 31, 2018, 12:18 p.m. UTC | #3 
On Wed, Oct 31, 2018 at 12:06:28PM +0100, Hendrik Leppkes wrote:
> On Wed, Oct 31, 2018 at 12:03 PM Michael Niedermayer
> <michael@niedermayer.cc> wrote:
> >
> > Fixes: Infinite loop
> > Fixes: 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/prosumer.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c
> > index 6e98677b55..2fd9880ee1 100644
> > --- a/libavcodec/prosumer.c
> > +++ b/libavcodec/prosumer.c
> > @@ -57,7 +57,7 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui
> >      b = lut[2 * idx];
> >
> >      while (1) {
> > -        if (bytestream2_get_bytes_left_p(pb) <= 0)
> > +        if (bytestream2_get_bytes_left_p(pb) <= 0 || bytestream2_get_eof(pb))
> >              return 0;
> >          if (((b & 0xFF00u) != 0x8000u) || (b & 0xFFu)) {
> >              if ((b & 0xFF00u) != 0x8000u) {
> 
> Why does bytestream2_get_bytes_left_p not return <= 0 at eof, where
> there certainly arent any bytes left?

there are 2 bytes left because a 4 byte write failed to fit in 2 bytes

maybe bytestream2_get_bytes_left_p() should be made to return 0 once eof is
set even if space remains


[...]
James Almer Oct. 31, 2018, 12:59 p.m. UTC | #4 
On 10/31/2018 9:18 AM, Michael Niedermayer wrote:
> On Wed, Oct 31, 2018 at 12:06:28PM +0100, Hendrik Leppkes wrote:
>> On Wed, Oct 31, 2018 at 12:03 PM Michael Niedermayer
>> <michael@niedermayer.cc> wrote:
>>>
>>> Fixes: Infinite loop
>>> Fixes: 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>  libavcodec/prosumer.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c
>>> index 6e98677b55..2fd9880ee1 100644
>>> --- a/libavcodec/prosumer.c
>>> +++ b/libavcodec/prosumer.c
>>> @@ -57,7 +57,7 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui
>>>      b = lut[2 * idx];
>>>
>>>      while (1) {
>>> -        if (bytestream2_get_bytes_left_p(pb) <= 0)
>>> +        if (bytestream2_get_bytes_left_p(pb) <= 0 || bytestream2_get_eof(pb))
>>>              return 0;
>>>          if (((b & 0xFF00u) != 0x8000u) || (b & 0xFFu)) {
>>>              if ((b & 0xFF00u) != 0x8000u) {
>>
>> Why does bytestream2_get_bytes_left_p not return <= 0 at eof, where
>> there certainly arent any bytes left?
> 
> there are 2 bytes left because a 4 byte write failed to fit in 2 bytes
> 
> maybe bytestream2_get_bytes_left_p() should be made to return 0 once eof is
> set even if space remains

Unrelated to this, but seeing how all the main GetByteContext functions
start with bytestream2_get and all the PutByteContext functions with
bytestream2_put, the fact these two functions from the latter start with
bytestream2_get is not ideal.
You have bytestream2_get_bytes_left for GetByteContext and
bytestream2_get_bytes_left_p with the suffix p hinting it's for
PutByteContext, but then you have bytestream2_get_eof for PutByteContext
without a suffix and nothing for GetByteContext. It's confusing and not
exactly intuitive.

In GetBitContext and PutBitContext they are properly called
get_bits_left() and put_bits_left() respectively, for example.
Michael Niedermayer Oct. 31, 2018, 10:06 p.m. UTC | #5 
On Wed, Oct 31, 2018 at 09:59:04AM -0300, James Almer wrote:
> On 10/31/2018 9:18 AM, Michael Niedermayer wrote:
> > On Wed, Oct 31, 2018 at 12:06:28PM +0100, Hendrik Leppkes wrote:
> >> On Wed, Oct 31, 2018 at 12:03 PM Michael Niedermayer
> >> <michael@niedermayer.cc> wrote:
> >>>
> >>> Fixes: Infinite loop
> >>> Fixes: 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232
> >>>
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >>> ---
> >>>  libavcodec/prosumer.c | 2 +-
> >>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c
> >>> index 6e98677b55..2fd9880ee1 100644
> >>> --- a/libavcodec/prosumer.c
> >>> +++ b/libavcodec/prosumer.c
> >>> @@ -57,7 +57,7 @@ static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui
> >>>      b = lut[2 * idx];
> >>>
> >>>      while (1) {
> >>> -        if (bytestream2_get_bytes_left_p(pb) <= 0)
> >>> +        if (bytestream2_get_bytes_left_p(pb) <= 0 || bytestream2_get_eof(pb))
> >>>              return 0;
> >>>          if (((b & 0xFF00u) != 0x8000u) || (b & 0xFFu)) {
> >>>              if ((b & 0xFF00u) != 0x8000u) {
> >>
> >> Why does bytestream2_get_bytes_left_p not return <= 0 at eof, where
> >> there certainly arent any bytes left?
> > 
> > there are 2 bytes left because a 4 byte write failed to fit in 2 bytes
> > 
> > maybe bytestream2_get_bytes_left_p() should be made to return 0 once eof is
> > set even if space remains
> 
> Unrelated to this, but seeing how all the main GetByteContext functions
> start with bytestream2_get and all the PutByteContext functions with
> bytestream2_put, the fact these two functions from the latter start with
> bytestream2_get is not ideal.
> You have bytestream2_get_bytes_left for GetByteContext and
> bytestream2_get_bytes_left_p with the suffix p hinting it's for
> PutByteContext, but then you have bytestream2_get_eof for PutByteContext
> without a suffix and nothing for GetByteContext. It's confusing and not
> exactly intuitive.

fully agree



> 
> In GetBitContext and PutBitContext they are properly called
> get_bits_left() and put_bits_left() respectively, for example.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
Michael Niedermayer Nov. 2, 2018, 10:44 p.m. UTC | #6 
On Wed, Oct 31, 2018 at 12:13:50PM +0100, Paul B Mahol wrote:
> On 10/31/18, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: Infinite loop
> > Fixes:
> > 10685/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PROSUMER_fuzzer-5652236881887232
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/prosumer.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> 
> patchset looks ok.

will apply

thx

[...]
diff mbox

Patch

diff --git a/libavcodec/prosumer.c b/libavcodec/prosumer.c
index 6e98677b55..2fd9880ee1 100644
--- a/libavcodec/prosumer.c
+++ b/libavcodec/prosumer.c
@@ -57,7 +57,7 @@  static int decompress(GetByteContext *gb, int size, PutByteContext *pb, const ui
     b = lut[2 * idx];
 
     while (1) {
-        if (bytestream2_get_bytes_left_p(pb) <= 0)
+        if (bytestream2_get_bytes_left_p(pb) <= 0 || bytestream2_get_eof(pb))
             return 0;
         if (((b & 0xFF00u) != 0x8000u) || (b & 0xFFu)) {
             if ((b & 0xFF00u) != 0x8000u) {