
[FFmpeg-devel,5/6] avcodec/hnm4video: Forward errors of decode_interframe_v4()

Message ID 20190802234957.11098-5-michael@niedermayer.cc
State Accepted
Commit 9af8ce754b705c36ad4d2b6fd0f73f87ca4381c4

Commit Message

Michael Niedermayer Aug. 2, 2019, 11:49 p.m. UTC
Fixes: Timeout (108sec -> 160ms)
Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hnm4video.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

Comments

Tomas Härdin Aug. 3, 2019, 2:09 p.m. UTC | #1
lör 2019-08-03 klockan 01:49 +0200 skrev Michael Niedermayer:
> Fixes: Timeout (108sec -> 160ms)
> Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hnm4video.c | 24 ++++++++++++++----------
>  1 file changed, 14 insertions(+), 10 deletions(-)
> 
> diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
> index 68d0baef6d..177ce1d47a 100644
> --- a/libavcodec/hnm4video.c
> +++ b/libavcodec/hnm4video.c
> @@ -146,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
>      }
>  }
>  
> -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
> +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
>  {
> [...]
> @@ -271,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
>              }
>          }
>      }
> +    return 0;
>  }
>  
>  static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
> @@ -438,7 +440,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data,
>              decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
>              memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
>          } else {
> -            decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
> +            int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
> +            if (ret < 0)
> +                return ret;

Looks OK

/Tomas
Michael Niedermayer Aug. 3, 2019, 5 p.m. UTC | #2
On Sat, Aug 03, 2019 at 04:09:27PM +0200, Tomas Härdin wrote:
> lör 2019-08-03 klockan 01:49 +0200 skrev Michael Niedermayer:
> > Fixes: Timeout (108sec -> 160ms)
> > Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/hnm4video.c | 24 ++++++++++++++----------
> >  1 file changed, 14 insertions(+), 10 deletions(-)
> > 
> > diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
> > index 68d0baef6d..177ce1d47a 100644
> > --- a/libavcodec/hnm4video.c
> > +++ b/libavcodec/hnm4video.c
> > @@ -146,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
> >      }
> >  }
> >  
> > -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
> > +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
> >  {
> > [...]
> > @@ -271,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
> >              }
> >          }
> >      }
> > +    return 0;
> >  }
> >  
> >  static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
> > @@ -438,7 +440,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data,
> >              decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
> >              memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
> >          } else {
> > -            decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
> > +            int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
> > +            if (ret < 0)
> > +                return ret;
> 
> Looks OK

will apply

thanks

[...]

Patch

diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
index 68d0baef6d..177ce1d47a 100644
--- a/libavcodec/hnm4video.c
+++ b/libavcodec/hnm4video.c
@@ -146,7 +146,7 @@  static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
     }
 }
 
-static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
+static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
 {
     Hnm4VideoContext *hnm = avctx->priv_data;
     GetByteContext gb;
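Review bot: decode_interframe_v4() now returns a value, but nothing at the signature states its contract. From the visible hunks it returns 0 after the decode loop and AVERROR_INVALIDDATA at each bounds check, so a one-line comment above the definition would do: `/* Returns 0 on success, AVERROR_INVALIDDATA if a read or write offset falls outside the width*height buffer. */`. The function body continues outside this hunk.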
@@ -165,7 +165,7 @@  static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
             if (tag == 0) {
                 if (writeoffset + 2 > hnm->width * hnm->height) {
                     av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                 }
                 hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
                 hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
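Review bot: The `tag == 0` branch validates only the destination before the two `bytestream2_get_byte(&gb)` calls. The checked bytestream readers return 0 once the input is exhausted, so a truncated packet writes zero-valued pixels instead of taking the new error path. Now that errors are forwarded, a source-side check such as `if (bytestream2_get_bytes_left(&gb) < 2) return AVERROR_INVALIDDATA;` would reject truncated data the same way as out-of-range offsets. The loop condition is outside the hunk, so confirm it does not already guarantee that two bytes remain.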
@@ -179,7 +179,7 @@  static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
                 count = bytestream2_get_byte(&gb) * 2;
                 if (writeoffset + count > hnm->width * hnm->height) {
                     av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                 }
                 while (count > 0) {
                     hnm->current[writeoffset++] = bytestream2_peek_byte(&gb);
@@ -191,7 +191,7 @@  static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
             }
             if (writeoffset > hnm->width * hnm->height) {
                 av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
             }
         } else {
             previous = bytestream2_peek_byte(&gb) & 0x20;
@@ -207,24 +207,25 @@  static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
 
             if (!backward && offset + 2*count > hnm->width * hnm->height) {
                 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
             } else if (backward && offset + 1 >= hnm->width * hnm->height) {
                 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
             } else if (writeoffset + 2*count > hnm->width * hnm->height) {
                 av_log(avctx, AV_LOG_ERROR,
                        "Attempting to write out of bounds\n");
-                break;
+                return AVERROR_INVALIDDATA;
+
             }
             if(backward) {
                 if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) {
                     av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                 }
             } else {
                 if (offset < (!!backline)*(2 * hnm->width - 1)) {
                     av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
-                    break;
+                    return AVERROR_INVALIDDATA;
                 }
             }
 
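Review bot: The added empty line after the new `return AVERROR_INVALIDDATA;` in the `writeoffset + 2*count` branch, just before its closing brace, is a stray whitespace change and should be dropped. Separately, `offset`, `count` and `writeoffset` are declared outside this hunk, so it is worth confirming from their types and value ranges that `offset + 2*count` and `writeoffset + 2*count` cannot wrap before the comparison with `hnm->width * hnm->height`.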
@@ -271,6 +272,7 @@  static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
             }
         }
     }
+    return 0;
 }
 
 static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
@@ -438,7 +440,9 @@  static int hnm_decode_frame(AVCodecContext *avctx, void *data,
             decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
             memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
         } else {
-            decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+            int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+            if (ret < 0)
+                return ret;
             postprocess_current_frame(avctx);
         }
         copy_processed_frame(avctx, frame);
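Review bot: The sibling call `decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);` in the branch above is still unchecked, and the previous hunk shows that function still declared `static void`. Malformed v4a data therefore keeps the old continue-after-error behaviour; unless a later patch in this series covers it, it should get the same `int` return and `if (ret < 0) return ret;`. On the new early return, `hnm->current` may already be partly overwritten and `postprocess_current_frame(avctx)` is skipped, so presumably the next interframe predicts from a half-decoded buffer; confirm that is acceptable. hnm_decode_frame continues outside the hunk.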