[FFmpeg-devel,3/3] avcodec/qdm2: Check checksum_size for 0

Message ID	20190623230104.13666-3-michael@niedermayer.cc
State	Accepted
Commit	7b2ebf89a411d957ca999f1e7a919ff617fbfd56
Headers	show Return-Path: <ffmpeg-devel-bounces@ffmpeg.org> From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Mon, 24 Jun 2019 01:01:04 +0200 Message-Id: <20190623230104.13666-3-michael@niedermayer.cc> In-Reply-To: <20190623230104.13666-1-michael@niedermayer.cc> References: <20190623230104.13666-1-michael@niedermayer.cc> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/qdm2: Check checksum_size for 0 Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Message ID

20190623230104.13666-3-michael@niedermayer.cc

State

Accepted

Commit

7b2ebf89a411d957ca999f1e7a919ff617fbfd56

Headers

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Mon, 24 Jun 2019 01:01:04 +0200
Message-Id: <20190623230104.13666-3-michael@niedermayer.cc>
In-Reply-To: <20190623230104.13666-1-michael@niedermayer.cc>
References: <20190623230104.13666-1-michael@niedermayer.cc>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/qdm2: Check checksum_size for 0
Precedence: list
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Commit Message

Michael Niedermayer June 23, 2019, 11:01 p.m. UTC

Fixes: Infinite loop
Fixes: 15337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5757428949319680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/qdm2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Michael Niedermayer July 8, 2019, 7:47 a.m. UTC | #1

On Mon, Jun 24, 2019 at 01:01:04AM +0200, Michael Niedermayer wrote:
> Fixes: Infinite loop
> Fixes: 15337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5757428949319680
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/qdm2.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

will apply

[...]

diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 42e10829e9..05519d61a4 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1703,8 +1703,8 @@  static av_cold int qdm2_decode_init(AVCodecContext *avctx)
     s->group_size = bytestream2_get_be32(&gb);
     s->fft_size = bytestream2_get_be32(&gb);
     s->checksum_size = bytestream2_get_be32(&gb);
-    if (s->checksum_size >= 1U << 28) {
-        av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
+    if (s->checksum_size >= 1U << 28 || !s->checksum_size) {
+        av_log(avctx, AV_LOG_ERROR, "data block size invalid (%u)\n", s->checksum_size);
         return AVERROR_INVALIDDATA;
     }

[FFmpeg-devel,3/3] avcodec/qdm2: Check checksum_size for 0

Commit Message

Comments

Patch