From patchwork Sat Jul 27 22:31:22 2019
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 14100
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 28 Jul 2019 00:31:22 +0200
Message-Id: <20190727223122.28243-2-michael@niedermayer.cc>
In-Reply-To: <20190727223122.28243-1-michael@niedermayer.cc>
References: <20190727223122.28243-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/lcldec: Check mthread_inlen instead of clipping

Clipping was added in 2009 to avoid crashes. The clipped case would produce a 2nd slice with 0 input, thus also producing 0 output. Subsequent checks will cause decoder failure unless both slices have the same output length. Thus the only way this would not already fail is if the output from both slices was 0 bytes.

Fixes: Timeout (134sec -> 241ms)
Fixes: 15599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSZH_fuzzer-5658127116009472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/lcldec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index c3787b3cbe..ae7426144d 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -190,11 +190,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac ; } else if (c->flags & FLAG_MULTITHREAD) { mthread_inlen = AV_RL32(buf); - if (len < 8) { + if (len < 8 || len - 8 < mthread_inlen) { av_log(avctx, AV_LOG_ERROR, "len %d is too small\n", len); return AVERROR_INVALIDDATA; } - mthread_inlen = FFMIN(mthread_inlen, len - 8); mthread_outlen = AV_RL32(buf + 4); mthread_outlen = FFMIN(mthread_outlen, c->decomp_size); mszh_dlen = mszh_decomp(buf + 8, mthread_inlen, c->decomp_buf, c->decomp_size);
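Review bot: The unchanged av_log line still reports only "len %d is too small", but the new condition `len < 8 || len - 8 < mthread_inlen` also rejects packets whose len is fine and whose declared slice length is simply larger than the payload, so such files get a misleading diagnostic; consider including the slice length, e.g. "len %d too small for mthread_inlen %u". Two further points on the same condition: it depends on `len < 8` being evaluated first, because if mthread_inlen is an unsigned variable (AV_RL32 yields an unsigned 32-bit value) then `len - 8` is converted to unsigned and a negative value would wrap to a huge number, so the operand order must not be swapped later and deserves a short comment; and it is worth stating in the commit message or a comment that the removed FFMIN clipping is superseded because the check now guarantees `len - 8 - mthread_inlen >= 0` for the remaining bytes handed to the second slice, which is the invariant the clipping used to provide.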