diff mbox

[FFmpeg-devel,4/5] avcodec/tiff: Detect infinite retry loop

Message ID 20190806213006.25210-4-michael@niedermayer.cc
State New
Headers show

Commit Message

Michael Niedermayer Aug. 6, 2019, 9:30 p.m. UTC
Fixes: Timeout (Infinite->Finite)
Fixes: 15706/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5114674904825856

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/tiff.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer Aug. 7, 2019, 11:25 p.m. UTC | #1
On Tue, Aug 06, 2019 at 11:30:05PM +0200, Michael Niedermayer wrote:
> Fixes: Timeout (Infinite->Finite)
> Fixes: 15706/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5114674904825856
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/tiff.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

This patch is likely buggy, ill write a better one

Note, testcases which fail are welcome (i have none ATM)

Thanks

[...]
diff mbox

Patch

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index c520d7df83..8c9e7b0881 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1407,7 +1407,7 @@  static int decode_frame(AVCodecContext *avctx,
     GetByteContext stripsizes;
     GetByteContext stripdata;
     int retry_for_subifd, retry_for_page;
-
+    int retry_count = 1;
     bytestream2_init(&s->gb, avpkt->data, avpkt->size);
 
     // parse image header
@@ -1467,6 +1467,10 @@  again:
             av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n");
             return AVERROR_INVALIDDATA;
         }
+        if (!retry_count--) {
+            av_log(avctx, AV_LOG_ERROR, "too many retries\n");
+            return AVERROR_INVALIDDATA;
+        }
         s->sub_ifd = 0;
         goto again;
     }