| Message ID | 20190620141710.32418-1-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
Am 20.06.19 um 16:17 schrieb Michael Niedermayer: > Fixes: out of array access > Fixes: 15277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5184853437317120 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/alsdec.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c > index e50a287f19..f94086efcb 100644 > --- a/libavcodec/alsdec.c > +++ b/libavcodec/alsdec.c > @@ -789,14 +789,15 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) > > // read first value and residuals in case of a random access block > if (bd->ra_block) { > - if (opt_order) pls add a comment here like: // limit possibly corrupted opt_order and push if tested. > + int len = FFMIN(opt_order, sconf->frame_length); > + if (len) > bd->raw_samples[0] = decode_rice(gb, avctx->bits_per_raw_sample - 4); > - if (opt_order > 1) > + if (len > 1) > bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); > - if (opt_order > 2) > + if (len > 2) > bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); > > - start = FFMIN(opt_order, 3); > + start = FFMIN(len, 3); > } > > // read all residuals > -Thilo
On Thu, Jun 20, 2019 at 06:06:29PM +0200, Thilo Borgmann wrote: > Am 20.06.19 um 16:17 schrieb Michael Niedermayer: > > Fixes: out of array access > > Fixes: 15277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5184853437317120 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/alsdec.c | 9 +++++---- > > 1 file changed, 5 insertions(+), 4 deletions(-) > > > > diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c > > index e50a287f19..f94086efcb 100644 > > --- a/libavcodec/alsdec.c > > +++ b/libavcodec/alsdec.c > > @@ -789,14 +789,15 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) > > > > // read first value and residuals in case of a random access block > > if (bd->ra_block) { > > - if (opt_order) > > pls add a comment here like: > > // limit possibly corrupted opt_order will do > > and push if tested. yes it fixes this issue but there are more related issues, ill post a patch that should fix all. thx [...]
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e50a287f19..f94086efcb 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -789,14 +789,15 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) // read first value and residuals in case of a random access block if (bd->ra_block) { - if (opt_order) + int len = FFMIN(opt_order, sconf->frame_length); + if (len) bd->raw_samples[0] = decode_rice(gb, avctx->bits_per_raw_sample - 4); - if (opt_order > 1) + if (len > 1) bd->raw_samples[1] = decode_rice(gb, FFMIN(s[0] + 3, ctx->s_max)); - if (opt_order > 2) + if (len > 2) bd->raw_samples[2] = decode_rice(gb, FFMIN(s[0] + 1, ctx->s_max)); - start = FFMIN(opt_order, 3); + start = FFMIN(len, 3); } // read all residuals
Fixes: out of array access Fixes: 15277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5184853437317120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/alsdec.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)