From patchwork Thu May 17 12:38:57 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 8999
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 17 May 2018 14:38:57 +0200
Message-Id: <20180517123858.2940-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.0
Subject: [FFmpeg-devel] [PATCH 1/2] indeo4: Decode all or nothing of a band header.

This avoids inconsistent value combinations.
Alternatively it would be possible to add more checks and careful use of
temporary variables, but my try of this quickly seemed to become a rather
large change.
The disadvantage of this is that the struct is copied back and forth.

Fixes: index 6 out of bounds for type 'const uint16_t [5][16]'
Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/indeo4.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index a3562f6fd8..7dff9db877 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -260,12 +260,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @return result code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; int i; int quant_mat; + IVIBandDesc temp_band, *band = &temp_band; + memcpy(&temp_band, arg_band, sizeof(temp_band)); plane = get_bits(&ctx->gb, 2); band_num = get_bits(&ctx->gb, 4); @@ -395,10 +397,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, /* decode block huffman codebook */ if (!get_bits1(&ctx->gb)) - band->blk_vlc.tab = ctx->blk_vlc.tab; + arg_band->blk_vlc.tab = ctx->blk_vlc.tab; else if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF, - &band->blk_vlc, avctx)) + &arg_band->blk_vlc, avctx)) return AVERROR_INVALIDDATA; /* select appropriate rvmap table for this band */ @@ -439,6 +441,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, return AVERROR_INVALIDDATA; } + band->blk_vlc = arg_band->blk_vlc; + memcpy(arg_band, band, sizeof(*arg_band)); + return 0; }
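Review bot: after `IVIBandDesc temp_band, *band = &temp_band;` in the first hunk, every `band->` write in the rest of decode_band_hdr() lands in a stack copy that only reaches the caller through the copy-back at the end, so a one-line comment at that declaration saying that `band` is a scratch copy committed on success would keep the next reader from assuming those writes persist on the `return AVERROR_INVALIDDATA` paths. A struct assignment `temp_band = *arg_band;` would also say the same thing as the `memcpy(&temp_band, arg_band, sizeof(temp_band));` and matches the struct assignment the patch uses for `blk_vlc` in the last hunk.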
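Review bot: in the second hunk, `ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF, &arg_band->blk_vlc, avctx)` and the `arg_band->blk_vlc.tab = ctx->blk_vlc.tab;` branch both write into the caller's descriptor, so if the huffman decode fails, or one of the later checks in this function returns AVERROR_INVALIDDATA, `arg_band->blk_vlc` has already changed while every other field of `arg_band` has not. That is a narrower instance of the inconsistent-state problem the commit message sets out to remove; if it is deliberate, a comment here explaining why `blk_vlc` has to bypass `temp_band` would help, and it is worth confirming that nothing downstream reads `blk_vlc` together with the other band fields after an error return.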
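Review bot: in the last hunk the reason for `band->blk_vlc = arg_band->blk_vlc;` (without it the following `memcpy(arg_band, band, sizeof(*arg_band));` would clobber the `blk_vlc` that was written straight into `arg_band` in the huffman section) is not obvious from the two lines and deserves a comment; `*arg_band = *band;` would also read more consistently next to the struct assignment above it. Note too that the copy-back only gives all-or-nothing behaviour because it sits after the final `return AVERROR_INVALIDDATA;`, so any validation added to this function later has to stay above it.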
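The pattern the commit message describes (decode a header into a scratch copy and commit it to the caller's descriptor only once every field has passed its check), as an added example that is not FFmpeg's code. The band descriptor, bit widths, scan tables and the two sample headers are constructed for illustration, and read_bits stands in for GetBitContext; the point it shows beyond the patch is how a half-updated descriptor turns a validated field pair into an out-of-range table index.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not FFmpeg code. All names, widths, tables and the two
 * sample headers are constructed; read_bits stands in for GetBitContext. */

typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

/* MSB-first bit reader; refuses to read past the end of the buffer. */
static int read_bits(BitReader *br, int n, unsigned *out)
{
    unsigned v = 0;
    if (n <= 0 || n > 16 || br->pos + (size_t)n > br->size_bits)
        return -1;
    for (int i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    *out = v;
    return 0;
}

/* Hypothetical band descriptor: scan_indx is only meaningful together with
 * transform_id, so the pair has to be updated as a unit. */
typedef struct {
    unsigned plane, band_num, transform_id, scan_indx, quant_mat;
    const uint16_t *scan;    /* derived from (transform_id, scan_indx) */
} BandDesc;

#define NUM_TRANSFORMS 2
/* Flat scan table: transform 0 owns rows 0..2, transform 1 owns row 3. */
static const uint16_t SCAN_PATTERNS[4][4] = {
    {0, 1, 2, 3}, {0, 2, 1, 3}, {0, 1, 3, 2}, {0, 3, 1, 2},
};
static const unsigned SCAN_BASE[NUM_TRANSFORMS]  = {0, 3};
static const unsigned SCAN_COUNT[NUM_TRANSFORMS] = {3, 1};

/* -1 when (transform_id, scan_indx) is not a valid pair. A decoder that
 * trusted the pair would compute row SCAN_BASE[1] + 1 == 4 for the
 * inconsistent state below and read past SCAN_PATTERNS, the same shape of
 * bug as the sanitizer report in the commit message. */
static int resolve_scan(BandDesc *band)
{
    if (band->transform_id >= NUM_TRANSFORMS ||
        band->scan_indx >= SCAN_COUNT[band->transform_id])
        return -1;
    band->scan = SCAN_PATTERNS[SCAN_BASE[band->transform_id] + band->scan_indx];
    return 0;
}

/* Parses straight into *band, validating each field as it is read. On an
 * error, the fields read before the failing one are already overwritten. */
static int decode_band_hdr_inplace(BandDesc *band, const uint8_t *buf, size_t len)
{
    BitReader br = { buf, len * 8, 0 };
    unsigned v;

    if (read_bits(&br, 2, &v)) return -1;
    band->plane = v;
    if (read_bits(&br, 4, &v)) return -1;
    band->band_num = v;
    if (read_bits(&br, 2, &v) || v >= NUM_TRANSFORMS) return -1;
    band->transform_id = v;
    if (read_bits(&br, 2, &v) || v >= SCAN_COUNT[band->transform_id]) return -1;
    band->scan_indx = v;
    if (read_bits(&br, 4, &v) || v >= 8) return -1;
    band->quant_mat = v;
    return resolve_scan(band);
}

/* Same grammar, all-or-nothing: parse into temp_band and copy it back only
 * after every field has validated, mirroring the patch's temp_band/arg_band. */
static int decode_band_hdr_atomic(BandDesc *arg_band, const uint8_t *buf, size_t len)
{
    BandDesc temp_band = *arg_band;
    int ret = decode_band_hdr_inplace(&temp_band, buf, len);
    if (ret < 0)
        return ret;              /* *arg_band is untouched */
    *arg_band = temp_band;
    return 0;
}

/* Constructed headers, MSB-first: plane=0, band_num=1, transform, scan, quant=3. */
static const uint8_t HDR_GOOD[2] = { 0x04, 0x4C }; /* transform 0, scan 1: valid   */
static const uint8_t HDR_BAD[2]  = { 0x05, 0x8C }; /* transform 1, scan 2: invalid */

/* 1 if decoding HDR_BAD in place after HDR_GOOD leaves a descriptor that
 * resolve_scan() rejects: transform 1 combined with the stale scan 1. */
static int inplace_leaves_inconsistent_state(void)
{
    BandDesc band;
    memset(&band, 0, sizeof band);
    if (decode_band_hdr_inplace(&band, HDR_GOOD, sizeof HDR_GOOD) != 0) return -1;
    if (decode_band_hdr_inplace(&band, HDR_BAD, sizeof HDR_BAD) == 0) return -1;
    return resolve_scan(&band) != 0;
}

/* 1 if the all-or-nothing decoder leaves the descriptor exactly as HDR_GOOD set it. */
static int atomic_keeps_consistent_state(void)
{
    BandDesc band;
    memset(&band, 0, sizeof band);
    if (decode_band_hdr_atomic(&band, HDR_GOOD, sizeof HDR_GOOD) != 0) return -1;
    if (decode_band_hdr_atomic(&band, HDR_BAD, sizeof HDR_BAD) == 0) return -1;
    return resolve_scan(&band) == 0 && band.transform_id == 0 && band.scan_indx == 1;
}
```

The copy-back is a plain struct assignment, which is all the example needs; the real patch has to special-case `blk_vlc` because ff_ivi_dec_huff_desc() writes into the caller's descriptor directly, which is why it copies that field into the scratch struct before the final memcpy.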