
[FFmpeg-devel,1/2] avcodec/vp7: Check for end of input in vp78_decode_mv_mb_modes()

Message ID 20181215014444.8313-1-michael@niedermayer.cc
State Accepted
Commit b11b3d2585cda24e60160070f10f5d70a8c42fbf

Commit Message

Michael Niedermayer Dec. 15, 2018, 1:44 a.m. UTC
Fixes: Timeout
Fixes: 10313/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5637719389110272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/vp8.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

Comments

Peter Ross Dec. 15, 2018, 2:21 a.m. UTC | #1
On Sat, Dec 15, 2018 at 02:44:43AM +0100, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 10313/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5637719389110272
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/vp8.c | 21 ++++++++++++++-------
>  1 file changed, 14 insertions(+), 7 deletions(-)
> 
> diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
> index a06692c476..ba79e5fdab 100644
> --- a/libavcodec/vp8.c
> +++ b/libavcodec/vp8.c
> @@ -2268,7 +2268,7 @@ void filter_mb_simple(VP8Context *s, uint8_t *dst, VP8FilterStrength *f,
>  
>  #define MARGIN (16 << 2)
>  static av_always_inline
> -void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
> +int vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
>                                      VP8Frame *prev_frame, int is_vp7)
>  {
>      VP8Context *s = avctx->priv_data;
> @@ -2285,6 +2285,10 @@ void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
>  
>          s->mv_bounds.mv_min.x = -MARGIN;
>          s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;
> +
> +        if (vpX_rac_is_end(&s->c)) {
> +            return AVERROR_INVALIDDATA;
> +        }
>          for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {

ok.

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
Michael Niedermayer Dec. 16, 2018, 9:16 a.m. UTC | #2
On Sat, Dec 15, 2018 at 01:21:52PM +1100, Peter Ross wrote:
> On Sat, Dec 15, 2018 at 02:44:43AM +0100, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 10313/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP7_fuzzer-5637719389110272
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/vp8.c | 21 ++++++++++++++-------
> >  1 file changed, 14 insertions(+), 7 deletions(-)
> > 
> > diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
> > index a06692c476..ba79e5fdab 100644
> > --- a/libavcodec/vp8.c
> > +++ b/libavcodec/vp8.c
> > @@ -2268,7 +2268,7 @@ void filter_mb_simple(VP8Context *s, uint8_t *dst, VP8FilterStrength *f,
> >  
> >  #define MARGIN (16 << 2)
> >  static av_always_inline
> > -void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
> > +int vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
> >                                      VP8Frame *prev_frame, int is_vp7)
> >  {
> >      VP8Context *s = avctx->priv_data;
> > @@ -2285,6 +2285,10 @@ void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
> >  
> >          s->mv_bounds.mv_min.x = -MARGIN;
> >          s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;
> > +
> > +        if (vpX_rac_is_end(&s->c)) {
> > +            return AVERROR_INVALIDDATA;
> > +        }
> >          for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {
> 
> ok.

will apply

thx

[...]

Patch

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index a06692c476..ba79e5fdab 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -2268,7 +2268,7 @@  void filter_mb_simple(VP8Context *s, uint8_t *dst, VP8FilterStrength *f,
 
 #define MARGIN (16 << 2)
 static av_always_inline
-void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
+int vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
                                     VP8Frame *prev_frame, int is_vp7)
 {
     VP8Context *s = avctx->priv_data;
@@ -2285,6 +2285,10 @@  void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
 
         s->mv_bounds.mv_min.x = -MARGIN;
         s->mv_bounds.mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;
+
+        if (vpX_rac_is_end(&s->c)) {
+            return AVERROR_INVALIDDATA;
+        }
         for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {
             if (mb_y == 0)
                 AV_WN32A((mb - s->mb_width - 1)->intra4x4_pred_mode_top,
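Review bot: The new end-of-input test runs once per macroblock row, before the `for (mb_x …)` loop, so a truncated stream can still decode up to `s->mb_width` macroblocks of mode data from an exhausted range coder before the next row's check fires; that bounds the work well enough for the reported timeout, but the granularity is worth stating so a later reader does not assume the check is per-MB or move it without noticing the trade-off. I would add a comment above the test: `/* Bail out once the range coder has run out of input (presumably what vpX_rac_is_end() reports); checked per row, not per MB, so at most one row of modes is decoded past end of data. */`. The bail-out also returns AVERROR_INVALIDDATA without an av_log, which is fine for a fuzz-driven guard but leaves truncated input indistinguishable from other invalid-data failures in logs. The rest of the row loop and the end of vp78_decode_mv_mb_modes lie outside this hunk.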
@@ -2298,18 +2302,19 @@  void vp78_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *curframe,
         s->mv_bounds.mv_min.y -= 64;
         s->mv_bounds.mv_max.y -= 64;
     }
+    return 0;
 }
 
-static void vp7_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame,
+static int vp7_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame,
                                    VP8Frame *prev_frame)
 {
-    vp78_decode_mv_mb_modes(avctx, cur_frame, prev_frame, IS_VP7);
+    return vp78_decode_mv_mb_modes(avctx, cur_frame, prev_frame, IS_VP7);
 }
 
-static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame,
+static int vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame,
                                    VP8Frame *prev_frame)
 {
-    vp78_decode_mv_mb_modes(avctx, cur_frame, prev_frame, IS_VP8);
+    return vp78_decode_mv_mb_modes(avctx, cur_frame, prev_frame, IS_VP8);
 }
 
 #if HAVE_THREADS
@@ -2744,9 +2749,11 @@  int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                 !s->segmentation.update_map)
                 ff_thread_await_progress(&prev_frame->tf, 1, 0);
             if (is_vp7)
-                vp7_decode_mv_mb_modes(avctx, curframe, prev_frame);
+                ret = vp7_decode_mv_mb_modes(avctx, curframe, prev_frame);
             else
-                vp8_decode_mv_mb_modes(avctx, curframe, prev_frame);
+                ret = vp8_decode_mv_mb_modes(avctx, curframe, prev_frame);
+            if (ret < 0)
+                goto err;
         }
 
         if (avctx->active_thread_type == FF_THREAD_FRAME)
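Review bot: The new `goto err` is a failure exit taken after `ff_thread_await_progress(&prev_frame->tf, 1, 0)` and, as far as this hunk shows, before whatever the trailing `if (avctx->active_thread_type == FF_THREAD_FRAME)` guards (presumably the ff_thread_finish_setup call), and curframe's progress is never reported on that path. That is only safe if no other frame thread can already be waiting on curframe at this point and `err:` puts `s->framep` back the way the existing allocation-failure exit does; neither the label nor the enclosing block is visible here, so this is worth confirming rather than assuming. If it holds, a short comment at the jump would spare the next reader the same check: `/* Safe to bail: ff_thread_finish_setup() has not run yet, so no other thread awaits curframe. */`. The enclosing block and the `err` label both lie outside the hunk.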