From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 29 Apr 2018 21:19:18 +0200
Message-Id: <20180429191918.2915-5-michael@niedermayer.cc>
In-Reply-To: <20180429191918.2915-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 5/5] avcodec/mpeg4videodec: Check bps (VOL header) before VOP for studio profile

Fixes: runtime error: shift exponent -1 is negative
Fixes: 7486/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4977380939530240
Fixes: runtime error: index 36 out of bounds for type 'const uint8_t [32]'
Fixes: 7566/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6536620682510336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/mpeg4videodec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 33cdc7a1b2..ada5cdc6fa 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -3217,9 +3217,13 @@ end: s->low_delay = 1; s->avctx->has_b_frames = !s->low_delay; - if (s->studio_profile) + if (s->studio_profile) { + if (!s->avctx->bits_per_raw_sample) { + av_log(s->avctx, AV_LOG_ERROR, "Missing VOL header\n"); + return AVERROR_INVALIDDATA; + } return decode_studio_vop_header(ctx, gb); - else + } else return decode_vop_header(ctx, gb); }
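
Review bot: In the `if (s->studio_profile)` branch, `!s->avctx->bits_per_raw_sample` stands in for "no VOL header was parsed", so the guard only rejects the value 0. `bits_per_raw_sample` is a public `AVCodecContext` field, so a nonzero value that did not come from a studio VOL header would still reach `decode_studio_vop_header()`, and the two sanitizer reports listed in the commit message (shift exponent -1, index 36 into a 32-entry table) are the kind of failure an unexpected value there produces. Consider a dedicated "VOL header seen" flag in the decoder context, or a range check on the value at this point, and add a one-line comment stating that zero is being treated as "VOL header missing". Minor style point: the `if` arm now has braces while `} else` does not; bracing both arms would read more consistently.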