diff mbox

[FFmpeg-devel] avcodec/pngdec: Check compression method

Message ID 20181109093104.31176-1-michael@niedermayer.cc
State Accepted
Commit 1f99674ddddcc33f4c37def0a206e31ad7c4c1af
Headers show

Commit Message

Michael Niedermayer Nov. 9, 2018, 9:31 a.m. UTC 
method 0 (inflate/deflate) is the only specified in the specification and the only supported

Fixes: Timeout
Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/pngdec.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Carl Eugen Hoyos Nov. 9, 2018, 3:13 p.m. UTC | #1 
2018-11-09 10:31 GMT+01:00, Michael Niedermayer <michael@niedermayer.cc>:
> method 0 (inflate/deflate) is the only specified in the specification and
> the only supported
>
> Fixes: Timeout
> Fixes:
> 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/pngdec.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
> index 01144680f2..189bb9a4c1 100644
> --- a/libavcodec/pngdec.c
> +++ b/libavcodec/pngdec.c
> @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx,
> PNGDecContext *s,
>      }
>      s->color_type       = bytestream2_get_byte(&s->gb);
>      s->compression_type = bytestream2_get_byte(&s->gb);
> +    if (s->compression_type) {
> +        av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n",
> s->compression_type);
> +        goto error;

Would the native FFmpeg zlib decompression code - if merged - avoid this issue?

Carl Eugen
Paul B Mahol Nov. 9, 2018, 3:45 p.m. UTC | #2 
On 11/9/18, Carl Eugen Hoyos <ceffmpeg@gmail.com> wrote:
> 2018-11-09 10:31 GMT+01:00, Michael Niedermayer <michael@niedermayer.cc>:
>> method 0 (inflate/deflate) is the only specified in the specification and
>> the only supported
>>
>> Fixes: Timeout
>> Fixes:
>> 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>  libavcodec/pngdec.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
>> index 01144680f2..189bb9a4c1 100644
>> --- a/libavcodec/pngdec.c
>> +++ b/libavcodec/pngdec.c
>> @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx,
>> PNGDecContext *s,
>>      }
>>      s->color_type       = bytestream2_get_byte(&s->gb);
>>      s->compression_type = bytestream2_get_byte(&s->gb);
>> +    if (s->compression_type) {
>> +        av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n",
>> s->compression_type);
>> +        goto error;
>
> Would the native FFmpeg zlib decompression code - if merged - avoid this
> issue?

No.
Michael Niedermayer Nov. 13, 2018, 9:26 p.m. UTC | #3 
On Fri, Nov 09, 2018 at 10:31:04AM +0100, Michael Niedermayer wrote:
> method 0 (inflate/deflate) is the only specified in the specification and the only supported
> 
> Fixes: Timeout
> Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/pngdec.c | 4 ++++
>  1 file changed, 4 insertions(+)

will apply this in a few days if there are no objections

[...]
Carl Eugen Hoyos Nov. 27, 2018, 6:53 p.m. UTC | #4 
2018-11-09 16:13 GMT+01:00, Carl Eugen Hoyos <ceffmpeg@gmail.com>:
> 2018-11-09 10:31 GMT+01:00, Michael Niedermayer <michael@niedermayer.cc>:
>> method 0 (inflate/deflate) is the only specified in the specification and
>> the only supported
>>
>> Fixes: Timeout
>> Fixes:
>> 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>  libavcodec/pngdec.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
>> index 01144680f2..189bb9a4c1 100644
>> --- a/libavcodec/pngdec.c
>> +++ b/libavcodec/pngdec.c
>> @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx,
>> PNGDecContext *s,
>>      }
>>      s->color_type       = bytestream2_get_byte(&s->gb);
>>      s->compression_type = bytestream2_get_byte(&s->gb);
>> +    if (s->compression_type) {
>> +        av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n",
>> s->compression_type);
>> +        goto error;
>
> Would the native FFmpeg zlib decompression code - if merged -
> avoid this issue?

Ping.

It appears to me that if there is an issue, it cannot be fixed with the
suggested patch, except that the fuzzer needs a little longer to find
the final blocking sample.
Or do I misunderstand?

Carl Eugen
diff mbox

Patch

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 01144680f2..189bb9a4c1 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -578,6 +578,10 @@  static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
     }
     s->color_type       = bytestream2_get_byte(&s->gb);
     s->compression_type = bytestream2_get_byte(&s->gb);
+    if (s->compression_type) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type);
+        goto error;
+    }
     s->filter_type      = bytestream2_get_byte(&s->gb);
     s->interlace_type   = bytestream2_get_byte(&s->gb);
     bytestream2_skip(&s->gb, 4); /* crc */