From patchwork Thu Jun 21 22:15:14 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 9476
Delivered-To: ffmpegpatchwork@gmail.com
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Fri, 22 Jun 2018 00:15:14 +0200 Message-Id: <20180621221517.25133-2-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180621221517.25133-1-michael@niedermayer.cc> References: <20180621221517.25133-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 2/5] avcodec/ffv1dec: Check state transition table X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Timeout Fixes: 8646/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5649968353247232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/ffv1dec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 7658a51685..261e0cf70c 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -546,8 +546,14 @@ static int read_header(FFV1Context *f) f->ac = get_symbol(c, state, 0); if (f->ac == AC_RANGE_CUSTOM_TAB) { - for (i = 1; i < 256; i++) - f->state_transition[i] = get_symbol(c, state, 1) + c->one_state[i]; + for (i = 1; i < 256; i++) { + int st = get_symbol(c, state, 1) + c->one_state[i]; + if (st < 1 || st > 255) { + av_log(f->avctx, AV_LOG_ERROR, "invalid state transition %d\n", st); + return AVERROR_INVALIDDATA; + } + f->state_transition[i] = st; + } } colorspace = get_symbol(c, state, 0); //YUV cs type
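Review bot: The new range check in read_header() is applied to the sum `get_symbol(c, state, 1) + c->one_state[i]`, so it only works if that addition cannot overflow `int`; if get_symbol() may return values near INT_MAX or INT_MIN for corrupt input, the sum is undefined behaviour before `st < 1 || st > 255` is ever evaluated. Reading the symbol into its own variable, rejecting it against a sane bound (or checking it for a negative AVERROR return) first, and only then adding `c->one_state[i]` would make the check robust without changing the accepted range. A negative AVERROR from get_symbol() does currently fall into the `st < 1` branch, which is fine, but the log line then reports a misleading "invalid state transition" value; including the index `i` in the message (`"invalid state transition %d at %d\n", st, i`) would also make fuzzer reports easier to map back to the table entry. The check itself is the right fix for the timeout: before this change the sum was silently narrowed when stored into `f->state_transition[i]`, so out-of-range values wrapped into the table instead of being rejected, and a table entry of 0 or a wrapped value is exactly what the 1..255 bound now excludes.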