Message ID | 20190802234957.11098-5-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 9af8ce754b705c36ad4d2b6fd0f73f87ca4381c4 |
lör 2019-08-03 klockan 01:49 +0200 skrev Michael Niedermayer: > Fixes: Timeout (108sec -> 160ms) > Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/hnm4video.c | 24 ++++++++++++++---------- > 1 file changed, 14 insertions(+), 10 deletions(-) > > diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c > index 68d0baef6d..177ce1d47a 100644 > --- a/libavcodec/hnm4video.c > +++ b/libavcodec/hnm4video.c > @@ -146,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame) > } > } > > -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) > +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) > { > [...] > @@ -271,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s > } > } > } > + return 0; > } > > static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, > @@ -438,7 +440,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, > decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); > memcpy(hnm->processed, hnm->current, hnm->width * hnm->height); > } else { > - decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); > + int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); > + if (ret < 0) > + return ret; Looks OK /Tomas
On Sat, Aug 03, 2019 at 04:09:27PM +0200, Tomas Härdin wrote: > lör 2019-08-03 klockan 01:49 +0200 skrev Michael Niedermayer: > > Fixes: Timeout (108sec -> 160ms) > > Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/hnm4video.c | 24 ++++++++++++++---------- > > 1 file changed, 14 insertions(+), 10 deletions(-) > > > > diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c > > index 68d0baef6d..177ce1d47a 100644 > > --- a/libavcodec/hnm4video.c > > +++ b/libavcodec/hnm4video.c > > @@ -146,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame) > > } > > } > > > > -static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) > > +static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size) > > { > > [...] > > @@ -271,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s > > } > > } > > } > > + return 0; > > } > > > > static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src, > > @@ -438,7 +440,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data, > > decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); > > memcpy(hnm->processed, hnm->current, hnm->width * hnm->height); > > } else { > > - decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); > > + int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8); > > + if (ret < 0) > > + return ret; > > Looks OK will apply thanks [...]
diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
index 68d0baef6d..177ce1d47a 100644
--- a/libavcodec/hnm4video.c
+++ b/libavcodec/hnm4video.c
@@ -146,7 +146,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
 }
 }
 
-static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
+static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
 {
 Hnm4VideoContext *hnm = avctx->priv_data;
 GetByteContext gb;
@@ -165,7 +165,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
 if (tag == 0) {
 if (writeoffset + 2 > hnm->width * hnm->height) {
 av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
 }
 hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
 hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
@@ -179,7 +179,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
 count = bytestream2_get_byte(&gb) * 2;
 if (writeoffset + count > hnm->width * hnm->height) {
 av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
 }
 while (count > 0) {
 hnm->current[writeoffset++] = bytestream2_peek_byte(&gb);
@@ -191,7 +191,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
 }
 if (writeoffset > hnm->width * hnm->height) {
 av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
 }
 } else {
 previous = bytestream2_peek_byte(&gb) & 0x20;
@@ -207,24 +207,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
 
 if (!backward && offset + 2*count > hnm->width * hnm->height) {
 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
 } else if (backward && offset + 1 >= hnm->width * hnm->height) {
 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
 } else if (writeoffset + 2*count > hnm->width * hnm->height) {
 av_log(avctx, AV_LOG_ERROR, "Attempting to write out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
+ }
 if(backward) {
 if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) {
 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
 }
 } else {
 if (offset < (!!backline)*(2 * hnm->width - 1)) {
 av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
 }
 }
 
@@ -271,6 +272,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
 }
 }
 }
+ return 0;
 }
 
 static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
@@ -438,7 +440,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data,
 decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
 memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
 } else {
- decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+ int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+ if (ret < 0)
+ return ret;
 postprocess_current_frame(avctx);
 }
 copy_processed_frame(avctx, frame);
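Review bot: The v4a path in the @@ -438 hunk still gets no error propagation: decode_interframe_v4a() keeps its void signature, so a packet that trips its bounds checks presumably still falls through to the memcpy() of hnm->current into hnm->processed and to copy_processed_frame(), while the v4 branch directly below now rejects the same class of input with AVERROR_INVALIDDATA. Giving decode_interframe_v4a() the same contract (`return AVERROR_INVALIDDATA` at its bounds checks, `return 0` at the end, and `ret = decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8); if (ret < 0) return ret;` at the call site) would make both sub-formats fail closed on corrupt input; its body is outside this diff. hnm_decode_frame()'s head is also outside the hunk, so if it already declares a `ret`, the block-scoped `int ret` added here shadows it and should reuse the existing variable instead. In the @@ -207 hunk the added `}` appears to move the backline/offset checks out of the preceding else-if branch so they run on every iteration; that is a behaviour change beyond error forwarding and deserves a sentence in the commit message.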
Fixes: Timeout (108sec -> 160ms) Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hnm4video.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-)