[FFmpeg-devel,3/4] avcodec/dxv: Check op_offset in both directions

Submitted by Michael Niedermayer on June 27, 2019, 12:35 a.m.

Details

Message ID 20190627003533.22314-3-michael@niedermayer.cc
State New
Headers show

Commit Message

Michael Niedermayer June 27, 2019, 12:35 a.m.
Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in type 'int'
Fixes: 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul B Mahol June 27, 2019, 7:32 a.m.
On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in
> type 'int'
> Fixes:
> 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/dxv.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> index 5fd1844094..3506775560 100644
> --- a/libavcodec/dxv.c
> +++ b/libavcodec/dxv.c
> @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
> GetByteContext *gb,
>      int skip0, skip1, oi0 = 0, oi1 = 0;
>      int ret, state0 = 0, state1 = 0;
>
> -    if (op_offset < 12)
> +    if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb))
>          return AVERROR_INVALIDDATA;
>
>      dst = tex_data;
> --
> 2.22.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Make sure this does not break any files.
Michael Niedermayer July 19, 2019, 11:20 a.m.
On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in
> > type 'int'
> > Fixes:
> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/dxv.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> > index 5fd1844094..3506775560 100644
> > --- a/libavcodec/dxv.c
> > +++ b/libavcodec/dxv.c
> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
> > GetByteContext *gb,
> >      int skip0, skip1, oi0 = 0, oi1 = 0;
> >      int ret, state0 = 0, state1 = 0;
> >
> > -    if (op_offset < 12)
> > +    if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb))
> >          return AVERROR_INVALIDDATA;
> >
> >      dst = tex_data;
> > --
> > 2.22.0
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> 
> Make sure this does not break any files.

Do you have any specific files i should test ?

I of course cannot test every file on earth ...

Thanks

[...]
Paul B Mahol July 19, 2019, 1:36 p.m.
On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
>> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented
>> > in
>> > type 'int'
>> > Fixes:
>> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
>> >
>> > Found-by: continuous fuzzing process
>> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> > ---
>> >  libavcodec/dxv.c | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
>> > index 5fd1844094..3506775560 100644
>> > --- a/libavcodec/dxv.c
>> > +++ b/libavcodec/dxv.c
>> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
>> > GetByteContext *gb,
>> >      int skip0, skip1, oi0 = 0, oi1 = 0;
>> >      int ret, state0 = 0, state1 = 0;
>> >
>> > -    if (op_offset < 12)
>> > +    if (op_offset < 12 || op_offset - 12 >
>> > bytestream2_get_bytes_left(gb))
>> >          return AVERROR_INVALIDDATA;
>> >
>> >      dst = tex_data;
>> > --
>> > 2.22.0
>> >
>> > _______________________________________________
>> > ffmpeg-devel mailing list
>> > ffmpeg-devel@ffmpeg.org
>> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>> >
>> > To unsubscribe, visit link above, or email
>> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>>
>> Make sure this does not break any files.
>
> Do you have any specific files i should test ?
>
> I of course cannot test every file on earth ...

I'm on vacation, so when I get back I will give you some files.

>
> Thanks
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> If you fake or manipulate statistics in a paper in physics you will never
> get a job again.
> If you fake or manipulate statistics in a paper in medicin you will get
> a job for life at the pharma industry.
>
Michael Niedermayer July 19, 2019, 7:53 p.m.
On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote:
> On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
> >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented
> >> > in
> >> > type 'int'
> >> > Fixes:
> >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
> >> >
> >> > Found-by: continuous fuzzing process
> >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> > ---
> >> >  libavcodec/dxv.c | 2 +-
> >> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >> >
> >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> >> > index 5fd1844094..3506775560 100644
> >> > --- a/libavcodec/dxv.c
> >> > +++ b/libavcodec/dxv.c
> >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
> >> > GetByteContext *gb,
> >> >      int skip0, skip1, oi0 = 0, oi1 = 0;
> >> >      int ret, state0 = 0, state1 = 0;
> >> >
> >> > -    if (op_offset < 12)
> >> > +    if (op_offset < 12 || op_offset - 12 >
> >> > bytestream2_get_bytes_left(gb))
> >> >          return AVERROR_INVALIDDATA;
> >> >
> >> >      dst = tex_data;
> >> > --
> >> > 2.22.0
> >> >
> >> > _______________________________________________
> >> > ffmpeg-devel mailing list
> >> > ffmpeg-devel@ffmpeg.org
> >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >> >
> >> > To unsubscribe, visit link above, or email
> >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> >>
> >> Make sure this does not break any files.
> >
> > Do you have any specific files i should test ?
> >
> > I of course cannot test every file on earth ...
> 
> I'm on vacation, so when I get back I will give you some files.

ok, ill wait, no hurry, enjoy your vacation!

Thanks!

[...]

Patch hide | download patch | download mbox

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 5fd1844094..3506775560 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -745,7 +745,7 @@  static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb,
     int skip0, skip1, oi0 = 0, oi1 = 0;
     int ret, state0 = 0, state1 = 0;
 
-    if (op_offset < 12)
+    if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb))
         return AVERROR_INVALIDDATA;
 
     dst = tex_data;