Message ID | 20190402182713.10524-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | caa9b4ff89c00591a0730d2cc5db8693da8dffba |
Headers | show |
On 4/2/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: out of array access > Fixes: > 13997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5701427252428800 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/agm.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/agm.c b/libavcodec/agm.c > index b0e8b80f81..8e4d6eb342 100644 > --- a/libavcodec/agm.c > +++ b/libavcodec/agm.c > @@ -88,6 +88,9 @@ static int read_code(GetBitContext *gb, int *oskip, int > *level, int *map, int mo > { > int len = 0, skip = 0, max; > > + if (get_bits_left(gb) < 2) > + return AVERROR_INVALIDDATA; > + > if (show_bits(gb, 2)) { > switch (show_bits(gb, 4)) { > case 1: > -- > 2.21.0 > What? show_bits() can overread? That is bug.
On Tue, Apr 02, 2019 at 09:19:26PM +0200, Paul B Mahol wrote: > On 4/2/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: out of array access > > Fixes: > > 13997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5701427252428800 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/agm.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavcodec/agm.c b/libavcodec/agm.c > > index b0e8b80f81..8e4d6eb342 100644 > > --- a/libavcodec/agm.c > > +++ b/libavcodec/agm.c > > @@ -88,6 +88,9 @@ static int read_code(GetBitContext *gb, int *oskip, int > > *level, int *map, int mo > > { > > int len = 0, skip = 0, max; > > > > + if (get_bits_left(gb) < 2) > > + return AVERROR_INVALIDDATA; > > + > > if (show_bits(gb, 2)) { > > switch (show_bits(gb, 4)) { > > case 1: > > -- > > 2.21.0 > > > > What? show_bits() can overread? > That is bug. ill send a better patch thanks for reviewing [...]
diff --git a/libavcodec/agm.c b/libavcodec/agm.c index b0e8b80f81..8e4d6eb342 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -88,6 +88,9 @@ static int read_code(GetBitContext *gb, int *oskip, int *level, int *map, int mo { int len = 0, skip = 0, max; + if (get_bits_left(gb) < 2) + return AVERROR_INVALIDDATA; + if (show_bits(gb, 2)) { switch (show_bits(gb, 4)) { case 1:
Fixes: out of array access Fixes: 13997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5701427252428800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/agm.c | 3 +++ 1 file changed, 3 insertions(+)