| Message ID | 20181109093104.31176-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 1f99674ddddcc33f4c37def0a206e31ad7c4c1af |
2018-11-09 10:31 GMT+01:00, Michael Niedermayer <michael@niedermayer.cc>: > method 0 (inflate/deflate) is the only specified in the specification and > the only supported > > Fixes: Timeout > Fixes: > 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/pngdec.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c > index 01144680f2..189bb9a4c1 100644 > --- a/libavcodec/pngdec.c > +++ b/libavcodec/pngdec.c > @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, > PNGDecContext *s, > } > s->color_type = bytestream2_get_byte(&s->gb); > s->compression_type = bytestream2_get_byte(&s->gb); > + if (s->compression_type) { > + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", > s->compression_type); > + goto error; Would the native FFmpeg zlib decompression code - if merged - avoid this issue? Carl Eugen
On 11/9/18, Carl Eugen Hoyos <ceffmpeg@gmail.com> wrote: > 2018-11-09 10:31 GMT+01:00, Michael Niedermayer <michael@niedermayer.cc>: >> method 0 (inflate/deflate) is the only specified in the specification and >> the only supported >> >> Fixes: Timeout >> Fixes: >> 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 >> >> Found-by: continuous fuzzing process >> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >> --- >> libavcodec/pngdec.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c >> index 01144680f2..189bb9a4c1 100644 >> --- a/libavcodec/pngdec.c >> +++ b/libavcodec/pngdec.c >> @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, >> PNGDecContext *s, >> } >> s->color_type = bytestream2_get_byte(&s->gb); >> s->compression_type = bytestream2_get_byte(&s->gb); >> + if (s->compression_type) { >> + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", >> s->compression_type); >> + goto error; > > Would the native FFmpeg zlib decompression code - if merged - avoid this > issue? No.
On Fri, Nov 09, 2018 at 10:31:04AM +0100, Michael Niedermayer wrote: > method 0 (inflate/deflate) is the only specified in the specification and the only supported > > Fixes: Timeout > Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/pngdec.c | 4 ++++ > 1 file changed, 4 insertions(+) will apply this in a few days if there are no objections [...]
2018-11-09 16:13 GMT+01:00, Carl Eugen Hoyos <ceffmpeg@gmail.com>: > 2018-11-09 10:31 GMT+01:00, Michael Niedermayer <michael@niedermayer.cc>: >> method 0 (inflate/deflate) is the only specified in the specification and >> the only supported >> >> Fixes: Timeout >> Fixes: >> 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 >> >> Found-by: continuous fuzzing process >> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >> --- >> libavcodec/pngdec.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c >> index 01144680f2..189bb9a4c1 100644 >> --- a/libavcodec/pngdec.c >> +++ b/libavcodec/pngdec.c >> @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, >> PNGDecContext *s, >> } >> s->color_type = bytestream2_get_byte(&s->gb); >> s->compression_type = bytestream2_get_byte(&s->gb); >> + if (s->compression_type) { >> + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", >> s->compression_type); >> + goto error; > > Would the native FFmpeg zlib decompression code - if merged - > avoid this issue? Ping. It appears to me that if there is an issue, it cannot be fixed with the suggested patch, except that the fuzzer needs a little longer to find the final blocking sample. Or do I misunderstand? Carl Eugen
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 01144680f2..189bb9a4c1 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); + if (s->compression_type) { + av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type); + goto error; + } s->filter_type = bytestream2_get_byte(&s->gb); s->interlace_type = bytestream2_get_byte(&s->gb); bytestream2_skip(&s->gb, 4); /* crc */
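Review bot: the new check validates s->compression_type but leaves s->filter_type, read on the very next line of the hunk, unchecked; the PNG specification likewise defines only filter method 0, so the same early rejection (`if (s->filter_type) { av_log(...); goto error; }`) would fit directly after the added block instead of letting an undefined filter method reach the row decoder. Placing the compression check in decode_ihdr_chunk is the right spot for the timeout the commit message cites: since no method other than 0 is supported, failing at IHDR stops the decoder before it consumes IDAT data it can never decompress. The label `error` is outside the hunk, so the return value on this path cannot be confirmed from the visible lines; it should be AVERROR_INVALIDDATA to match the "Invalid compression method" message.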
method 0 (inflate/deflate) is the only specified in the specification and the only supported

Fixes: Timeout
Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/pngdec.c | 4 ++++
1 file changed, 4 insertions(+)
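As an added example (not FFmpeg code and not part of the patch), a self-contained C checker that applies the rule from the commit message to a PNG IHDR chunk and extends it to the filter and interlace fields, which the PNG specification also restricts to fixed values. The function name png_check_ihdr, the IHDR_ERR_* codes and the two sample headers are hypothetical and constructed; CRC verification is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes of this hypothetical checker (not FFmpeg's API). */
enum {
    IHDR_OK = 0,
    IHDR_ERR_SHORT = -1,
    IHDR_ERR_SIGNATURE = -2,
    IHDR_ERR_CHUNK = -3,
    IHDR_ERR_COMPRESSION = -4,
    IHDR_ERR_FILTER = -5,
    IHDR_ERR_INTERLACE = -6
};

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the PNG signature and the IHDR chunk, which the spec requires to
 * come first. Like the patch, a non-zero compression method is rejected
 * before any image data is touched; the filter and interlace method fields,
 * for which the spec defines only 0 and only 0/1 respectively, are checked
 * the same way. CRC bytes are not verified here. */
int png_check_ihdr(const uint8_t *buf, size_t len)
{
    static const uint8_t sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };
    const uint8_t *d;

    if (len < 8 + 4 + 4 + 13 + 4)       /* signature + length + type + data + crc */
        return IHDR_ERR_SHORT;
    if (memcmp(buf, sig, sizeof sig) != 0)
        return IHDR_ERR_SIGNATURE;
    if (rd32be(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0)
        return IHDR_ERR_CHUNK;

    d = buf + 16;  /* width(4) height(4) depth colour compression filter interlace */
    if (d[10] != 0) return IHDR_ERR_COMPRESSION; /* only deflate/inflate (0) is defined */
    if (d[11] != 0) return IHDR_ERR_FILTER;      /* only filter method 0 is defined */
    if (d[12] > 1)  return IHDR_ERR_INTERLACE;   /* 0 = none, 1 = Adam7 */
    return IHDR_OK;
}

/* Constructed 1x1 RGB headers: one valid, one with compression method 7 of the
 * kind a fuzzer produces. The trailing CRC bytes are zero placeholders. */
#define PNG_HDR(comp) \
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13, 'I', 'H', 'D', 'R', \
    0, 0, 0, 1, 0, 0, 0, 1, 8, 2, (comp), 0, 0, 0, 0, 0, 0
static const uint8_t good_hdr[] = { PNG_HDR(0) };
static const uint8_t bad_hdr[]  = { PNG_HDR(7) };
```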