| Message ID | 20190331153117.19239-1-michael@niedermayer.cc |
|---|---|
| State | New |
On 3/31/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: Out of array access
> Fixes:
> 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/rscc.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
> index 7d4e842cd3..4adee9d7d4 100644
> --- a/libavcodec/rscc.c
> +++ b/libavcodec/rscc.c
> @@ -199,6 +199,13 @@ static int rscc_decode_frame(AVCodecContext *avctx, > void *data, > /* If necessary, uncompress tiles, and hijack the bytestream reader > */ > if (packed_tiles_size != tiles_nb * TILE_SIZE) { > uLongf length = tiles_nb * TILE_SIZE; > + > + if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) { > + av_log(avctx, AV_LOG_ERROR, "compressed input > truncated\n"); > + ret = AVERROR_INVALIDDATA; > + goto end; > + } > + > inflated_tiles = av_malloc(length); > if (!inflated_tiles) { > ret = AVERROR(ENOMEM);
> --
> 2.21.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Please commit without log message.
On Sun, Mar 31, 2019 at 05:35:33PM +0200, Paul B Mahol wrote:
> On 3/31/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: Out of array access
> > Fixes:
> > 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/rscc.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
> > index 7d4e842cd3..4adee9d7d4 100644
> > --- a/libavcodec/rscc.c
> > +++ b/libavcodec/rscc.c
> > @@ -199,6 +199,13 @@ static int rscc_decode_frame(AVCodecContext *avctx, > > void *data, > > /* If necessary, uncompress tiles, and hijack the bytestream reader > > */ > > if (packed_tiles_size != tiles_nb * TILE_SIZE) { > > uLongf length = tiles_nb * TILE_SIZE; > > + > > + if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) { > > + av_log(avctx, AV_LOG_ERROR, "compressed input > > truncated\n"); > > + ret = AVERROR_INVALIDDATA; > > + goto end; > > + } > > + > > inflated_tiles = av_malloc(length); > > if (!inflated_tiles) { > > ret = AVERROR(ENOMEM);
> > --
> > 2.21.0
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
> Please commit without log message.

If you prefer that, sure, will do.
This will be the only AVERROR_INVALIDDATA case in that file without a log message though.

Thanks

[...]
On 4/1/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Sun, Mar 31, 2019 at 05:35:33PM +0200, Paul B Mahol wrote:
>> On 3/31/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > Fixes: Out of array access
>> > Fixes:
>> > 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152
>> >
>> > Found-by: continuous fuzzing process
>> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> > ---
>> > libavcodec/rscc.c | 7 +++++++
>> > 1 file changed, 7 insertions(+)
>> >
>> > diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
>> > index 7d4e842cd3..4adee9d7d4 100644
>> > --- a/libavcodec/rscc.c
>> > +++ b/libavcodec/rscc.c
>> > @@ -199,6 +199,13 @@ static int rscc_decode_frame(AVCodecContext >> > *avctx, >> > void *data, >> > /* If necessary, uncompress tiles, and hijack the bytestream >> > reader >> > */ >> > if (packed_tiles_size != tiles_nb * TILE_SIZE) { >> > uLongf length = tiles_nb * TILE_SIZE; >> > + >> > + if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) { >> > + av_log(avctx, AV_LOG_ERROR, "compressed input >> > truncated\n"); >> > + ret = AVERROR_INVALIDDATA; >> > + goto end; >> > + } >> > + >> > inflated_tiles = av_malloc(length); >> > if (!inflated_tiles) { >> > ret = AVERROR(ENOMEM);
>> > --
>> > 2.21.0
>> >
>> > _______________________________________________
>> > ffmpeg-devel mailing list
>> > ffmpeg-devel@ffmpeg.org
>> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>> >
>> > To unsubscribe, visit link above, or email
>> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>>
>> Please commit without log message.
>
> if you prefer that, sure, will do.
> this will be the only AVERROR_INVALIDDATA case in that file without a log
> message though.

Yes, I prefer without log message.
Printing log messages is also slow.

>
> Thanks
>
> [...]
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> It is dangerous to be right in matters on which the established authorities
> are wrong. -- Voltaire
>
On Mon, Apr 01, 2019 at 10:08:10AM +0200, Paul B Mahol wrote:
> On 4/1/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Sun, Mar 31, 2019 at 05:35:33PM +0200, Paul B Mahol wrote:
> >> On 3/31/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> > Fixes: Out of array access
> >> > Fixes:
> >> > 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152
> >> >
> >> > Found-by: continuous fuzzing process
> >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> > ---
> >> > libavcodec/rscc.c | 7 +++++++
> >> > 1 file changed, 7 insertions(+)
> >> >
> >> > diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
> >> > index 7d4e842cd3..4adee9d7d4 100644
> >> > --- a/libavcodec/rscc.c
> >> > +++ b/libavcodec/rscc.c
> >> > @@ -199,6 +199,13 @@ static int rscc_decode_frame(AVCodecContext > >> > *avctx, > >> > void *data, > >> > /* If necessary, uncompress tiles, and hijack the bytestream > >> > reader > >> > */ > >> > if (packed_tiles_size != tiles_nb * TILE_SIZE) { > >> > uLongf length = tiles_nb * TILE_SIZE; > >> > + > >> > + if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) { > >> > + av_log(avctx, AV_LOG_ERROR, "compressed input > >> > truncated\n"); > >> > + ret = AVERROR_INVALIDDATA; > >> > + goto end; > >> > + } > >> > + > >> > inflated_tiles = av_malloc(length); > >> > if (!inflated_tiles) { > >> > ret = AVERROR(ENOMEM);
> >> > --
> >> > 2.21.0
> >> >
> >> > _______________________________________________
> >> > ffmpeg-devel mailing list
> >> > ffmpeg-devel@ffmpeg.org
> >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >> >
> >> > To unsubscribe, visit link above, or email
> >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> >>
> >> Please commit without log message.
> >
> > if you prefer that, sure, will do.
> > this will be the only AVERROR_INVALIDDATA case in that file without a log
> > message though.
>
> Yes, I prefer without log message.
> Printing log messages is also slow.

Applied, thanks.

[...]
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index 7d4e842cd3..4adee9d7d4 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -199,6 +199,13 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, /* If necessary, uncompress tiles, and hijack the bytestream reader */ if (packed_tiles_size != tiles_nb * TILE_SIZE) { uLongf length = tiles_nb * TILE_SIZE; + + if (bytestream2_get_bytes_left(gbc) < packed_tiles_size) { + av_log(avctx, AV_LOG_ERROR, "compressed input truncated\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } + inflated_tiles = av_malloc(length); if (!inflated_tiles) { ret = AVERROR(ENOMEM);
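Review bot: the new check only runs inside the `packed_tiles_size != tiles_nb * TILE_SIZE` branch, so it bounds `packed_tiles_size` against `bytestream2_get_bytes_left(gbc)` before the packed bytes are inflated into `inflated_tiles`, but the equal-size path that skips decompression lies outside this hunk; confirm that path reads the tiles through the bounds-checked bytestream2 reader and not through a raw pointer plus length, otherwise it needs the same guard. The hunk also leaves `uLongf length = tiles_nb * TILE_SIZE;` unvalidated: the limits placed on `tiles_nb` when it is parsed are not visible here, so either record them in the commit message or validate `tiles_nb` where it is read so the product cannot wrap before `av_malloc(length)`. Since the thread settles on committing without the `av_log` line, the commit message should name the call that consumes `packed_tiles_size` bytes from the raw buffer; "Fixes: Out of array access" alone does not record why this comparison is the right guard.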
Fixes: Out of array access
Fixes: 13984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RSCC_fuzzer-5734128093233152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/rscc.c | 7 +++++++
1 file changed, 7 insertions(+)