[FFmpeg-devel,3/4] avcodec/dxv: Check op_offset in both directions

Submitted by Michael Niedermayer on June 27, 2019, 12:35 a.m.

Details

Message ID 20190627003533.22314-3-michael@niedermayer.cc
State New
Headers show

Commit Message

Michael Niedermayer June 27, 2019, 12:35 a.m.
Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in type 'int'
Fixes: 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dxv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Paul B Mahol June 27, 2019, 7:32 a.m.
On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in
> type 'int'
> Fixes:
> 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/dxv.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> index 5fd1844094..3506775560 100644
> --- a/libavcodec/dxv.c
> +++ b/libavcodec/dxv.c
> @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
> GetByteContext *gb,
>      int skip0, skip1, oi0 = 0, oi1 = 0;
>      int ret, state0 = 0, state1 = 0;
>
> -    if (op_offset < 12)
> +    if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb))
>          return AVERROR_INVALIDDATA;
>
>      dst = tex_data;
> --
> 2.22.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Make sure this does not break any files.
Michael Niedermayer July 19, 2019, 11:20 a.m.
On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented in
> > type 'int'
> > Fixes:
> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/dxv.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> > index 5fd1844094..3506775560 100644
> > --- a/libavcodec/dxv.c
> > +++ b/libavcodec/dxv.c
> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
> > GetByteContext *gb,
> >      int skip0, skip1, oi0 = 0, oi1 = 0;
> >      int ret, state0 = 0, state1 = 0;
> >
> > -    if (op_offset < 12)
> > +    if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb))
> >          return AVERROR_INVALIDDATA;
> >
> >      dst = tex_data;
> > --
> > 2.22.0
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> 
> Make sure this does not break any files.

Do you have any specific files i should test ?

I of course cannot test every file on earth ...

Thanks

[...]
Paul B Mahol July 19, 2019, 1:36 p.m.
On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
>> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented
>> > in
>> > type 'int'
>> > Fixes:
>> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
>> >
>> > Found-by: continuous fuzzing process
>> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> > ---
>> >  libavcodec/dxv.c | 2 +-
>> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >
>> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
>> > index 5fd1844094..3506775560 100644
>> > --- a/libavcodec/dxv.c
>> > +++ b/libavcodec/dxv.c
>> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
>> > GetByteContext *gb,
>> >      int skip0, skip1, oi0 = 0, oi1 = 0;
>> >      int ret, state0 = 0, state1 = 0;
>> >
>> > -    if (op_offset < 12)
>> > +    if (op_offset < 12 || op_offset - 12 >
>> > bytestream2_get_bytes_left(gb))
>> >          return AVERROR_INVALIDDATA;
>> >
>> >      dst = tex_data;
>> > --
>> > 2.22.0
>> >
>> > _______________________________________________
>> > ffmpeg-devel mailing list
>> > ffmpeg-devel@ffmpeg.org
>> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>> >
>> > To unsubscribe, visit link above, or email
>> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>>
>> Make sure this does not break any files.
>
> Do you have any specific files i should test ?
>
> I of course cannot test every file on earth ...

I'm on vacation, so when I get back I will give you some files.

>
> Thanks
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> If you fake or manipulate statistics in a paper in physics you will never
> get a job again.
> If you fake or manipulate statistics in a paper in medicin you will get
> a job for life at the pharma industry.
>
Michael Niedermayer July 19, 2019, 7:53 p.m.
On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote:
> On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
> >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented
> >> > in
> >> > type 'int'
> >> > Fixes:
> >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
> >> >
> >> > Found-by: continuous fuzzing process
> >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> > ---
> >> >  libavcodec/dxv.c | 2 +-
> >> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >> >
> >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> >> > index 5fd1844094..3506775560 100644
> >> > --- a/libavcodec/dxv.c
> >> > +++ b/libavcodec/dxv.c
> >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
> >> > GetByteContext *gb,
> >> >      int skip0, skip1, oi0 = 0, oi1 = 0;
> >> >      int ret, state0 = 0, state1 = 0;
> >> >
> >> > -    if (op_offset < 12)
> >> > +    if (op_offset < 12 || op_offset - 12 >
> >> > bytestream2_get_bytes_left(gb))
> >> >          return AVERROR_INVALIDDATA;
> >> >
> >> >      dst = tex_data;
> >> > --
> >> > 2.22.0
> >> >
> >> > _______________________________________________
> >> > ffmpeg-devel mailing list
> >> > ffmpeg-devel@ffmpeg.org
> >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >> >
> >> > To unsubscribe, visit link above, or email
> >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> >>
> >> Make sure this does not break any files.
> >
> > Do you have any specific files i should test ?
> >
> > I of course cannot test every file on earth ...
> 
> I'm on vacation, so when I get back I will give you some files.

ok, ill wait, no hurry, enjoy your vacation!

Thanks!

[...]
Michael Niedermayer Sept. 9, 2019, 8:12 p.m.
On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote:
> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote:
> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be represented
> > >> > in
> > >> > type 'int'
> > >> > Fixes:
> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
> > >> >
> > >> > Found-by: continuous fuzzing process
> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > >> > ---
> > >> >  libavcodec/dxv.c | 2 +-
> > >> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >> >
> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> > >> > index 5fd1844094..3506775560 100644
> > >> > --- a/libavcodec/dxv.c
> > >> > +++ b/libavcodec/dxv.c
> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext *ctx,
> > >> > GetByteContext *gb,
> > >> >      int skip0, skip1, oi0 = 0, oi1 = 0;
> > >> >      int ret, state0 = 0, state1 = 0;
> > >> >
> > >> > -    if (op_offset < 12)
> > >> > +    if (op_offset < 12 || op_offset - 12 >
> > >> > bytestream2_get_bytes_left(gb))
> > >> >          return AVERROR_INVALIDDATA;
> > >> >
> > >> >      dst = tex_data;
> > >> > --
> > >> > 2.22.0
> > >> >
> > >> > _______________________________________________
> > >> > ffmpeg-devel mailing list
> > >> > ffmpeg-devel@ffmpeg.org
> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> > >> >
> > >> > To unsubscribe, visit link above, or email
> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> > >>
> > >> Make sure this does not break any files.
> > >
> > > Do you have any specific files i should test ?
> > >
> > > I of course cannot test every file on earth ...
> > 
> > I'm on vacation, so when I get back I will give you some files.
> 
> ok, ill wait, no hurry, enjoy your vacation!

ping, this issue is reaching its deadline, so i would like to
fix it 

Thanks

[...]
Paul B Mahol Sept. 9, 2019, 8:29 p.m.
On 9/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote:
>> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote:
>> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
>> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be
>> > >> > represented
>> > >> > in
>> > >> > type 'int'
>> > >> > Fixes:
>> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
>> > >> >
>> > >> > Found-by: continuous fuzzing process
>> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> > >> > ---
>> > >> >  libavcodec/dxv.c | 2 +-
>> > >> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> > >> >
>> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
>> > >> > index 5fd1844094..3506775560 100644
>> > >> > --- a/libavcodec/dxv.c
>> > >> > +++ b/libavcodec/dxv.c
>> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext
>> > >> > *ctx,
>> > >> > GetByteContext *gb,
>> > >> >      int skip0, skip1, oi0 = 0, oi1 = 0;
>> > >> >      int ret, state0 = 0, state1 = 0;
>> > >> >
>> > >> > -    if (op_offset < 12)
>> > >> > +    if (op_offset < 12 || op_offset - 12 >
>> > >> > bytestream2_get_bytes_left(gb))
>> > >> >          return AVERROR_INVALIDDATA;
>> > >> >
>> > >> >      dst = tex_data;
>> > >> > --
>> > >> > 2.22.0
>> > >> >
>> > >> > _______________________________________________
>> > >> > ffmpeg-devel mailing list
>> > >> > ffmpeg-devel@ffmpeg.org
>> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>> > >> >
>> > >> > To unsubscribe, visit link above, or email
>> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>> > >>
>> > >> Make sure this does not break any files.
>> > >
>> > > Do you have any specific files i should test ?
>> > >
>> > > I of course cannot test every file on earth ...
>> >
>> > I'm on vacation, so when I get back I will give you some files.
>>
>> ok, ill wait, no hurry, enjoy your vacation!
>
> ping, this issue is reaching its deadline, so i would like to
> fix it

What deadline? Is this some kind of fancy corporation?

>
> Thanks
>
> [...]
>
>
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> When you are offended at any man's fault, turn to yourself and study your
> own failings. Then you will forget your anger. -- Epictetus
>
Michael Niedermayer Sept. 10, 2019, 2:32 p.m.
On Mon, Sep 09, 2019 at 10:29:14PM +0200, Paul B Mahol wrote:
> On 9/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote:
> >> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote:
> >> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
> >> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be
> >> > >> > represented
> >> > >> > in
> >> > >> > type 'int'
> >> > >> > Fixes:
> >> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
> >> > >> >
> >> > >> > Found-by: continuous fuzzing process
> >> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> > >> > ---
> >> > >> >  libavcodec/dxv.c | 2 +-
> >> > >> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >> > >> >
> >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
> >> > >> > index 5fd1844094..3506775560 100644
> >> > >> > --- a/libavcodec/dxv.c
> >> > >> > +++ b/libavcodec/dxv.c
> >> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext
> >> > >> > *ctx,
> >> > >> > GetByteContext *gb,
> >> > >> >      int skip0, skip1, oi0 = 0, oi1 = 0;
> >> > >> >      int ret, state0 = 0, state1 = 0;
> >> > >> >
> >> > >> > -    if (op_offset < 12)
> >> > >> > +    if (op_offset < 12 || op_offset - 12 >
> >> > >> > bytestream2_get_bytes_left(gb))
> >> > >> >          return AVERROR_INVALIDDATA;
> >> > >> >
> >> > >> >      dst = tex_data;
> >> > >> > --
> >> > >> > 2.22.0
> >> > >> >
> >> > >> > _______________________________________________
> >> > >> > ffmpeg-devel mailing list
> >> > >> > ffmpeg-devel@ffmpeg.org
> >> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >> > >> >
> >> > >> > To unsubscribe, visit link above, or email
> >> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> >> > >>
> >> > >> Make sure this does not break any files.
> >> > >
> >> > > Do you have any specific files i should test ?
> >> > >
> >> > > I of course cannot test every file on earth ...
> >> >
> >> > I'm on vacation, so when I get back I will give you some files.
> >>
> >> ok, ill wait, no hurry, enjoy your vacation!
> >
> > ping, this issue is reaching its deadline, so i would like to
> > fix it
> 
> What deadline? Is this some kind of fancy corporation?

first link for googling ossfuzz deadline explains it like this:

"Once a project is signed up for OSS-Fuzz, it is automatically subject to the 90-day disclosure deadline for newly reported bugs ..."

thx

[...]
Paul B Mahol Sept. 10, 2019, 3:13 p.m.
On 9/10/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Mon, Sep 09, 2019 at 10:29:14PM +0200, Paul B Mahol wrote:
>> On 9/9/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote:
>> >> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote:
>> >> > On 7/19/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> >> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
>> >> > >> On 6/27/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> >> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be
>> >> > >> > represented
>> >> > >> > in
>> >> > >> > type 'int'
>> >> > >> > Fixes:
>> >> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
>> >> > >> >
>> >> > >> > Found-by: continuous fuzzing process
>> >> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> >> > >> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> >> > >> > ---
>> >> > >> >  libavcodec/dxv.c | 2 +-
>> >> > >> >  1 file changed, 1 insertion(+), 1 deletion(-)
>> >> > >> >
>> >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
>> >> > >> > index 5fd1844094..3506775560 100644
>> >> > >> > --- a/libavcodec/dxv.c
>> >> > >> > +++ b/libavcodec/dxv.c
>> >> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext
>> >> > >> > *ctx,
>> >> > >> > GetByteContext *gb,
>> >> > >> >      int skip0, skip1, oi0 = 0, oi1 = 0;
>> >> > >> >      int ret, state0 = 0, state1 = 0;
>> >> > >> >
>> >> > >> > -    if (op_offset < 12)
>> >> > >> > +    if (op_offset < 12 || op_offset - 12 >
>> >> > >> > bytestream2_get_bytes_left(gb))
>> >> > >> >          return AVERROR_INVALIDDATA;
>> >> > >> >
>> >> > >> >      dst = tex_data;
>> >> > >> > --
>> >> > >> > 2.22.0
>> >> > >> >
>> >> > >> > _______________________________________________
>> >> > >> > ffmpeg-devel mailing list
>> >> > >> > ffmpeg-devel@ffmpeg.org
>> >> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>> >> > >> >
>> >> > >> > To unsubscribe, visit link above, or email
>> >> > >> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>> >> > >>
>> >> > >> Make sure this does not break any files.
>> >> > >
>> >> > > Do you have any specific files i should test ?
>> >> > >
>> >> > > I of course cannot test every file on earth ...
>> >> >
>> >> > I'm on vacation, so when I get back I will give you some files.
>> >>
>> >> ok, ill wait, no hurry, enjoy your vacation!
>> >
>> > ping, this issue is reaching its deadline, so i would like to
>> > fix it
>>
>> What deadline? Is this some kind of fancy corporation?
>
> first link for googling ossfuzz deadline explains it like this:
>
> "Once a project is signed up for OSS-Fuzz, it is automatically subject to
> the 90-day disclosure deadline for newly reported bugs ..."
>

Irrelevant, this is not security issue at all.

> thx
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> "I am not trying to be anyone's saviour, I'm trying to think about the
>  future and not be sad" - Elon Musk
>
>

Patch hide | download patch | download mbox

diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 5fd1844094..3506775560 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -745,7 +745,7 @@  static int dxv_decompress_cocg(DXVContext *ctx, GetByteContext *gb,
     int skip0, skip1, oi0 = 0, oi1 = 0;
     int ret, state0 = 0, state1 = 0;
 
-    if (op_offset < 12)
+    if (op_offset < 12 || op_offset - 12 > bytestream2_get_bytes_left(gb))
         return AVERROR_INVALIDDATA;
 
     dst = tex_data;