From patchwork Sat Aug 3 23:16:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Niedermayer X-Patchwork-Id: 14215 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 79F39449D9B for ; Sun, 4 Aug 2019 02:17:51 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4C6E1680628; Sun, 4 Aug 2019 02:17:51 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from vie01a-dmta-pe05-1.mx.upcmail.net (vie01a-dmta-pe05-1.mx.upcmail.net [84.116.36.11]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 102176803B3 for ; Sun, 4 Aug 2019 02:17:44 +0300 (EEST) Received: from [172.31.216.235] (helo=vie01a-pemc-psmtp-pe12.mail.upcmail.net) by vie01a-dmta-pe05.mx.upcmail.net with esmtp (Exim 4.92) (envelope-from ) id 1hu3HT-00071n-25 for ffmpeg-devel@ffmpeg.org; Sun, 04 Aug 2019 01:17:43 +0200 Received: from localhost ([213.47.41.20]) by vie01a-pemc-psmtp-pe12.mail.upcmail.net with ESMTP id u3GUhVdAO5D5Nu3GUh48X1; Sun, 04 Aug 2019 01:16:42 +0200 X-Env-Mailfrom: michael@niedermayer.cc X-Env-Rcptto: ffmpeg-devel@ffmpeg.org X-SourceIP: 213.47.41.20 X-CNFS-Analysis: v=2.3 cv=bu8y+3Si c=1 sm=1 tr=0 a=I1eytVlZLDX1BM2VTtTtSw==:117 a=I1eytVlZLDX1BM2VTtTtSw==:17 a=MKtGQD3n3ToA:10 a=1oJP67jkp3AA:10 a=GEAsPZ9sns4A:10 a=ZZnuYtJkoWoA:10 a=nZOtpAppAAAA:20 a=Ra54Gp1d3jDA4DLl1DcA:9 a=qHQ1P4eCo79AI3Kf:21 a=W7-iIDS8_m9-fU_1:21 a=1fhp2MxaeJtTNGEnv6mo:22 a=Z5ABNNGmrOfJ6cZ5bIyy:22 a=jd6J4Gguk5HxikPWLKER:22 
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Sun, 4 Aug 2019 01:16:06 +0200 Message-Id: <20190803231608.10534-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.22.0 MIME-Version: 1.0 X-CMAE-Envelope: MS4wfKiN/03DbTwyuYbnN470ymEDKOAUtDbdK/0LjxPmVGwmvM4gFXJKHVA0JCuH87wAhMSSr/o8VLXs4s4+UbVDkgJBV5EMRiM//MlRop8gfI6HE7STU+B6 ypoDEBRU4YF9WDIypMRpOIKAN9I1D/hgUeoBxy1GHoKgeGKmGbYiu4+8 Subject: [FFmpeg-devel] [PATCH 1/3] avcodec/bink: Add many end of input checks X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Fixes: Timeout (83sec -> 15sec) Fixes: 15595/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5689153263501312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer
---
 libavcodec/bink.c | 52 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 43 insertions(+), 9 deletions(-)
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index d18c0ceae4..5bb3955f93 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -241,16 +241,19 @@ static void merge(GetBitContext *gb, uint8_t *dst, uint8_t *src, int size)
  * @param gb context for reading bits
  * @param tree pointer for storing tree data
  */
-static void read_tree(GetBitContext *gb, Tree *tree)
+static int read_tree(GetBitContext *gb, Tree *tree)
 {
     uint8_t tmp1[16] = { 0 }, tmp2[16], *in = tmp1, *out = tmp2;
     int i, t, len;
 
+    if (get_bits_left(gb) < 4)
+        return AVERROR_INVALIDDATA;
+
     tree->vlc_num = get_bits(gb, 4);
     if (!tree->vlc_num) {
         for (i = 0; i < 16; i++)
             tree->syms[i] = i;
-        return;
+        return 0;
     }
     if (get_bits1(gb)) {
         len = get_bits(gb, 3);
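Review bot: The Doxygen block above read_tree still documents only the parameters although the function now returns an int; add `@return 0 on success, AVERROR_INVALIDDATA if fewer than 4 bits remain in gb` after the `@param tree` line. The same omission is in the @@ -282 hunk, where read_bundle's comment ends at `@param bundle_num` while the function now propagates read_tree's error code. The new guard covers only the 4-bit `vlc_num` read; the get_bits1()/get_bits(gb, 3) reads that follow are unguarded, which is presumably fine because the intent is to stop early on truncated input rather than to prevent an out-of-bounds read, but that intent deserves a one-line comment on the guard so nobody later "fixes" it by guarding every read. read_tree's body continues beyond this hunk.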
@@ -273,6 +276,7 @@ static void read_tree(GetBitContext *gb, Tree *tree)
         }
         memcpy(tree->syms, in, 16);
     }
+    return 0;
 }
 
 /**
@@ -282,19 +286,27 @@ static void read_tree(GetBitContext *gb, Tree *tree)
  * @param c decoder context
  * @param bundle_num number of the bundle to initialize
  */
-static void read_bundle(GetBitContext *gb, BinkContext *c, int bundle_num)
+static int read_bundle(GetBitContext *gb, BinkContext *c, int bundle_num)
 {
     int i;
 
     if (bundle_num == BINK_SRC_COLORS) {
-        for (i = 0; i < 16; i++)
-            read_tree(gb, &c->col_high[i]);
+        for (i = 0; i < 16; i++) {
+            int ret = read_tree(gb, &c->col_high[i]);
+            if (ret < 0)
+                return ret;
+        }
         c->col_lastval = 0;
     }
-    if (bundle_num != BINK_SRC_INTRA_DC && bundle_num != BINK_SRC_INTER_DC)
-        read_tree(gb, &c->bundle[bundle_num].tree);
+    if (bundle_num != BINK_SRC_INTRA_DC && bundle_num != BINK_SRC_INTER_DC) {
+        int ret = read_tree(gb, &c->bundle[bundle_num].tree);
+        if (ret < 0)
+            return ret;
+    }
     c->bundle[bundle_num].cur_dec = c->bundle[bundle_num].cur_ptr = c->bundle[bundle_num].data;
+
+    return 0;
 }
 
 /**
@@ -324,6 +336,8 @@ static int read_runs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
         av_log(avctx, AV_LOG_ERROR, "Run value went out of bounds\n");
         return AVERROR_INVALIDDATA;
     }
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
     if (get_bits1(gb)) {
         v = get_bits(gb, 4);
         memset(b->cur_dec, v, t);
@@ -346,6 +360,8 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle *
         av_log(avctx, AV_LOG_ERROR, "Too many motion values\n");
         return AVERROR_INVALIDDATA;
     }
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
     if (get_bits1(gb)) {
         v = get_bits(gb, 4);
         if (v) {
@@ -389,6 +405,8 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
         av_log(avctx, AV_LOG_ERROR, "Too many block type values\n");
         return AVERROR_INVALIDDATA;
     }
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
     if (get_bits1(gb)) {
         v = get_bits(gb, 4);
         memset(b->cur_dec, v, t);
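Review bot: In read_bundle the error variable is declared twice in sibling block scopes (`int ret = read_tree(gb, &c->col_high[i]);` and again in the second `if`); declaring it once next to `int i;` is the style the rest of the file uses for return codes and avoids shadowing surprises if the two blocks are ever merged. On an early return the bundle's `cur_dec`/`cur_ptr` are left untouched; that is harmless today because bink_decode_plane aborts the plane on any error, but a short comment on the first `return ret;` saying so would keep a future caller from reusing a half-initialized bundle. read_bundle's doc comment should also gain an `@return` line for the new int result.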
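Review bot: The identical two-line guard `if (get_bits_left(gb) < 1) return AVERROR_INVALIDDATA;` is added verbatim in read_runs, read_motion_values and read_block_types here, and again in read_colors in the next chunk; folding it into the CHECK_READ_VAL macro that each of these functions already invokes (its definition is outside this patch), or into a small `static inline` helper, would keep the checks from drifting apart as more are added. The guard only covers the flag bit read by get_bits1(); the get_bits(gb, 4) that follows is unguarded, so the value of these checks is early termination of truncated streams (the timeout in the commit message) rather than bounds safety — a one-line comment stating that would prevent later confusion about why 1 and not 5 bits are required. Each enclosing function starts and ends outside its hunk.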
@@ -424,6 +442,8 @@ static int read_patterns(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
         return AVERROR_INVALIDDATA;
     }
     while (b->cur_dec < dec_end) {
+        if (get_bits_left(gb) < 2)
+            return AVERROR_INVALIDDATA;
         v = GET_HUFF(gb, b->tree);
         v |= GET_HUFF(gb, b->tree) << 4;
         *b->cur_dec++ = v;
@@ -443,6 +463,8 @@ static int read_colors(GetBitContext *gb, Bundle *b, BinkContext *c)
         av_log(c->avctx, AV_LOG_ERROR, "Too many color values\n");
         return AVERROR_INVALIDDATA;
     }
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;
     if (get_bits1(gb)) {
         c->col_lastval = GET_HUFF(gb, c->col_high[c->col_lastval]);
         v = GET_HUFF(gb, b->tree);
@@ -456,6 +478,8 @@ static int read_colors(GetBitContext *gb, Bundle *b, BinkContext *c)
         b->cur_dec += t;
     } else {
         while (b->cur_dec < dec_end) {
+            if (get_bits_left(gb) < 2)
+                return AVERROR_INVALIDDATA;
             c->col_lastval = GET_HUFF(gb, c->col_high[c->col_lastval]);
             v = GET_HUFF(gb, b->tree);
             v = (c->col_lastval << 4) | v;
@@ -481,6 +505,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
     int16_t *dst_end = (int16_t*)b->data_end;
 
     CHECK_READ_VAL(gb, b, len);
+    if (get_bits_left(gb) < start_bits - has_sign)
+        return AVERROR_INVALIDDATA;
     v = get_bits(gb, start_bits - has_sign);
     if (v && has_sign) {
         sign = -get_bits1(gb);
@@ -620,6 +646,9 @@ static int read_dct_coeffs(BinkContext *c, GetBitContext *gb, int32_t block[64],
     int coef_count = 0;
     int quant_idx;
 
+    if (get_bits_left(gb) < 4)
+        return AVERROR_INVALIDDATA;
+
     coef_list[list_end] = 4; mode_list[list_end++] = 0;
     coef_list[list_end] = 24; mode_list[list_end++] = 0;
     coef_list[list_end] = 44; mode_list[list_end++] = 0;
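Review bot: The threshold in read_patterns, `if (get_bits_left(gb) < 2)`, encodes an assumption that each of the two GET_HUFF() calls in the loop body consumes at least one bit; that assumption is not visible in the hunk and depends on how the tree was built in read_tree, so it should be written down, e.g. `/* two Huffman symbols per byte, each at least one bit */`. The same `< 2` guard in the second read_colors hunk rests on the same assumption and can share the comment. read_patterns' loop body continues past the hunk.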
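Review bot: In read_dcs the guard `get_bits_left(gb) < start_bits - has_sign` stops one bit short of what the code can consume: when has_sign is set and v is non-zero, the `sign = -get_bits1(gb);` two lines below reads one more bit that the check did not account for. Comparing against `start_bits` instead covers both cases exactly (start_bits bits without a sign, start_bits - 1 plus the sign bit with one), unless a stream may legitimately end right after a zero value, in which case the current bound is the deliberate choice and deserves a comment saying so. The rest of read_dcs, including the loop that reads further DC values, is outside this hunk.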
@@ -1015,8 +1044,11 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
     }
     init_lengths(c, FFMAX(width, 8), bw);
 
-    for (i = 0; i < BINK_NB_SRC; i++)
-        read_bundle(gb, c, i);
+    for (i = 0; i < BINK_NB_SRC; i++) {
+        ret = read_bundle(gb, c, i);
+        if (ret < 0)
+            return ret;
+    }
 
     ref_start = c->last->data[plane_idx] ? c->last->data[plane_idx]
                                          : frame->data[plane_idx];
@@ -1066,6 +1098,8 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
         blk = get_value(c, BINK_SRC_SUB_BLOCK_TYPES);
         switch (blk) {
         case RUN_BLOCK:
+            if (get_bits_left(gb) < 4)
+                return AVERROR_INVALIDDATA;
             scan = bink_patterns[get_bits(gb, 4)];
             i = 0;
             do {
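Review bot: The `ret = read_bundle(gb, c, i);` assignment relies on a `ret` declared earlier in bink_decode_plane, outside this hunk; presumably it is the variable already used for the other `read_*` error returns in this function, but that should be confirmed since the old code did not need it here. The RUN_BLOCK guard `if (get_bits_left(gb) < 4)` protects only the 4-bit pattern index read on the next line; the `do {` loop that follows and the other `case` labels of this switch are outside the hunk, and if any of them read from gb directly they presumably want the same treatment, since a truncated stream would otherwise still spin through them. Both hunks sit inside bink_decode_plane, which starts and ends outside this chunk.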