From patchwork Tue Apr 10 21:25:40 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 8383
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Tue, 10 Apr 2018 23:25:40 +0200 Message-Id: <20180410212540.13543-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180410212540.13543-1-michael@niedermayer.cc> References: <20180410212540.13543-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 2/2] avcodec/truemotion2: Propagate out of bounds error from GET_TOK() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Timeout Fixes: 6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/truemotion2.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 97c38f7f08..f7dbe047c7 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -63,6 +63,7 @@ typedef struct TM2Context { AVFrame *pic; GetBitContext gb; + int error; BswapDSPContext bdsp; uint8_t *buffer; @@ -398,6 +399,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) { if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); + ctx->error = 1; return 0; } if (type <= TM2_MOT) { @@ -809,6 +811,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) default: av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type); } + if (ctx->error) + return AVERROR_INVALIDDATA; } } 
@@ -889,6 +893,8 @@ static int decode_frame(AVCodecContext *avctx, int offset = TM2_HEADER_SIZE; int i, t, ret; + l->error = 0; + av_fast_padded_malloc(&l->buffer, &l->buffer_size, buf_size); if (!l->buffer) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");
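Review bot: the new `int error;` member added to TM2Context right after `GetBitContext gb;` carries no comment describing its contract, although the field is sticky across GET_TOK() calls and only meaningful together with the per-frame reset in decode_frame(); a one-line comment such as `int error; ///< set by GET_TOK() on an out-of-bounds token read, cleared in decode_frame()` would document that.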
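Review bot: in GET_TOK(), `ctx->error = 1;` is set after the existing av_log() and the function still returns 0, so every further token read in the same block keeps emitting the same "Read token from stream %i out of bounds" line until tm2_decode_blocks() reaches its check; consider guarding the av_log() with `if (!ctx->error)` so one truncated stream produces a single error message rather than one per remaining token.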
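Review bot: the `if (ctx->error) return AVERROR_INVALIDDATA;` check in tm2_decode_blocks() sits after the `switch` inside the per-block loop, so an out-of-bounds read detected in the middle of a block is only acted on once that block's decoder has finished running on the zero tokens GET_TOK() returns; that is bounded and ends the timeout the commit message targets, but a short comment on the check stating that the block decoders are expected to tolerate zero tokens until this point would make the intent explicit.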