From patchwork Fri Aug 11 21:21:23 2017
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 4697
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Fri, 11 Aug 2017 23:21:23 +0200
Message-Id: <20170811212123.22591-3-michael@niedermayer.cc>
X-Mailer: git-send-email 2.13.0
In-Reply-To: <20170811212123.22591-1-michael@niedermayer.cc>
References: <20170811212123.22591-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/lagarith: Detect end of input in lag_decode_line() loop
List-Id: FFmpeg development discussions and patches
Reply-To: FFmpeg development discussions and patches
Sender: "ffmpeg-devel"

Fixes: timeout
Fixes: 2933/clusterfuzz-testcase-5124990208835584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/lagarith.c | 6 ++++--
 libavcodec/lagarithrac.c | 1 +
 libavcodec/lagarithrac.h | 5 +++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 860381746d..0f4aa89486 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -455,10 +455,12 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst, return -1; ff_lag_rac_init(&rac, &gb, length - stride); - - for (i = 0; i < height; i++) + for (i = 0; i < height; i++) { + if (rac.overread > MAX_OVERREAD) + return AVERROR_INVALIDDATA; read += lag_decode_line(l, &rac, dst + (i * stride), width, stride, esc_count); + } if (read > length) av_log(l->avctx, AV_LOG_WARNING,
diff --git a/libavcodec/lagarithrac.c b/libavcodec/lagarithrac.c index 3d36d1b9e9..cdda67fb81 100644 --- a/libavcodec/lagarithrac.c +++ b/libavcodec/lagarithrac.c
@@ -46,6 +46,7 @@ void ff_lag_rac_init(lag_rac *l, GetBitContext *gb, int length) l->range = 0x80; l->low = *l->bytestream >> 1; l->hash_shift = FFMAX(l->scale, 10) - 10; + l->overread = 0; for (i = j = 0; i < 1024; i++) { unsigned r = i << l->hash_shift; diff --git a/libavcodec/lagarithrac.h b/libavcodec/lagarithrac.h index dfdfea0db3..ee836d01db 100644 --- a/libavcodec/lagarithrac.h +++ b/libavcodec/lagarithrac.h @@ -47,6 +47,9 @@ typedef struct lag_rac { const uint8_t *bytestream; /**< Current position in input bytestream. */ const uint8_t *bytestream_end; /**< End position of input bytestream. */ + int overread; +#define MAX_OVERREAD 4 + uint32_t prob[258]; /**< Table of cumulative probability for each symbol. */ uint8_t range_hash[1024]; /**< Hash table mapping upper byte to approximate symbol. */ } lag_rac; @@ -62,6 +65,8 @@ static inline void lag_rac_refill(lag_rac *l) l->low |= 0xff & (AV_RB16(l->bytestream) >> 1); if (l->bytestream < l->bytestream_end) l->bytestream++; + else + l->overread++; } }
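Review bot: In the lag_decode_arith_plane hunk the `rac.overread > MAX_OVERREAD` test runs at the top of each iteration, so it only sees the overread accumulated by the previous line: the first iteration can never fail (overread is 0 straight after ff_lag_rac_init) and the final line is always decoded in full from past-the-end refills without an error, leaving only the pre-existing `if (read > length)` AV_LOG_WARNING to report it. That is acceptable if a few trailing bytes of overread are normal for this coder (MAX_OVERREAD is 4 and lag_rac_refill fetches 16 bits at a time), but a one-line comment saying the check is deliberately one line late would save the next reader from wondering, and if the last line should be rejected too, repeat the test once after the loop. Separately, the earlier failure path visible in the context still does `return -1;` while the new path returns AVERROR_INVALIDDATA; the function should use one convention.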
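Review bot: In the lag_rac struct hunk the `#define MAX_OVERREAD 4` sits between two struct members, and `int overread;` is the only field without the Doxygen comment its neighbours carry. Move the macro above the typedef (or next to the header's other constants) and document the field, e.g. `int overread; /**< Number of refills performed after bytestream reached bytestream_end. */`, so that what the counter measures (refills past the end, not bytes consumed) is stated where the check in lagarith.c reads it.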
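Review bot: In the lag_rac_refill hunk `l->overread++` counts one per refill iteration once the pointer is parked at bytestream_end, and nothing in the refill itself bounds it; the only consumer is the once-per-line check in lag_decode_arith_plane, so within a single line the counter can run far past MAX_OVERREAD (up to one increment per refill across the whole width) before anything notices. That is fine for the timeout this patch targets, because a line is bounded by width and an `int` will not overflow at that rate, but `MAX_OVERREAD 4` reads as a byte limit while it is really a "more than four refills after the end" threshold evaluated at line granularity; a comment at the increment or at the check should say so. Note also that the `AV_RB16(l->bytestream)` on the line above is still executed with bytestream == bytestream_end, i.e. the refill keeps relying on the input padding this code already assumed; the patch does not change that, which is worth stating in the commit message since the new else branch makes that read path explicit.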