[FFmpeg-devel,1/4] avformat/realtextdec: free queue on error

Fixes: memleak
Fixes: 16277/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5696629440512000

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/realtextdec.c | 2 ++
 1 file changed, 2 insertions(+)

On 8/21/2019 7:18 PM, Michael Niedermayer wrote:
> Fixes: memleak
> Fixes: 16277/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5696629440512000
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/realtextdec.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c
> index 204e557aa2..c2316da0ed 100644
> --- a/libavformat/realtextdec.c
> +++ b/libavformat/realtextdec.c
> @@ -123,6 +123,8 @@ static int realtext_read_header(AVFormatContext *s)
>  
>  end:
>      av_bprint_finalize(&buf, NULL);
> +    if (res < 0)
> +        ff_subtitles_queue_clean(&rt->q);

LGTM

>      return res;
>  }
>  
>

Why not fix issues listed in decoder code instead of this hack?

On Thu, Aug 22, 2019 at 12:21 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: Timeout (128sec -> 6sec)
> Fixes:
> 16568/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IDCIN_fuzzer-5675004095627264
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
>  tools/target_dec_fuzzer.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index d83039417c..fd76553ec8 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -177,6 +177,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
> size) {
>      case AV_CODEC_ID_GDV:       maxpixels /= 256; break;
>          // Postprocessing in C
>      case AV_CODEC_ID_HNM4_VIDEO:maxpixels /= 128; break;
> +        // Unoptimized VLC reading and allows a small input to generate
> gigantic output
> +    case AV_CODEC_ID_IDCIN:     maxpixels /= 2048; break;
>      }
>
>
> --
> 2.23.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

On Thu, Aug 22, 2019 at 10:09:30AM +0200, Paul B Mahol wrote:
> Why not fix issues listed in decoder code instead of this hack?

I can improve the VLC reader and will probably look into that
but i dont think that will provide the factor of 2000 speedup needed 
to avoid the adjustment. It might reduce the factor needed though.

thx


[...]

> > +        // Unoptimized VLC reading and allows a small input to generate
> > gigantic output
> > +    case AV_CODEC_ID_IDCIN:     maxpixels /= 2048; break;
[...]

On Thu, Aug 22, 2019 at 10:16 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> On Thu, Aug 22, 2019 at 10:09:30AM +0200, Paul B Mahol wrote:
> > Why not fix issues listed in decoder code instead of this hack?
>
> I can improve the VLC reader and will probably look into that
> but i dont think that will provide the factor of 2000 speedup needed
> to avoid the adjustment. It might reduce the factor needed though.
>
>
Also all this old game codecs never used very high resolutions.
Max something vga, but not even that.


> thx
>
>
> [...]
>
> > > +        // Unoptimized VLC reading and allows a small input to
> generate
> > > gigantic output
> > > +    case AV_CODEC_ID_IDCIN:     maxpixels /= 2048; break;
> [...]
>
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Take away the freedom of one citizen and you will be jailed, take away
> the freedom of all citizens and you will be congratulated by your peers
> in Parliament.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

On Thu, Aug 22, 2019 at 10:23:40AM +0200, Paul B Mahol wrote:
> On Thu, Aug 22, 2019 at 10:16 AM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
> > On Thu, Aug 22, 2019 at 10:09:30AM +0200, Paul B Mahol wrote:
> > > Why not fix issues listed in decoder code instead of this hack?
> >
> > I can improve the VLC reader and will probably look into that
> > but i dont think that will provide the factor of 2000 speedup needed
> > to avoid the adjustment. It might reduce the factor needed though.
> >
> >
> Also all this old game codecs never used very high resolutions.
> Max something vga, but not even that.

limiting to 640x480 instead of 4096x4096 would give a factor of about 55
speedup, thats still a long way from 2000 so that solves also only
part of it

anyway ill provide a patch that limits resolution so theres something
that can be discussed. 

Thanks

[...]

tor 2019-08-22 klockan 10:34 +0200 skrev Michael Niedermayer:
> On Thu, Aug 22, 2019 at 10:23:40AM +0200, Paul B Mahol wrote:
> > On Thu, Aug 22, 2019 at 10:16 AM Michael Niedermayer <
> > michael@niedermayer.cc>
> > wrote:
> > 
> > > On Thu, Aug 22, 2019 at 10:09:30AM +0200, Paul B Mahol wrote:
> > > > Why not fix issues listed in decoder code instead of this hack?

I think there's better things we could have Michael do. That said:

> > Also all this old game codecs never used very high resolutions.
> > Max something vga, but not even that.
> 
> limiting to 640x480 instead of 4096x4096 would give a factor of about
> 55
> speedup, thats still a long way from 2000 so that solves also only
> part of it
> 
> anyway ill provide a patch that limits resolution so theres something
> that can be discussed. 

The probing in lavf/idcin.c already limits the resolution to 1024x1024.
The only sample we have is 320x240. The Quake 2 decoder (cl_cin.c)
limits CIN frames to 128 KiB compressed, from which the 1024x1024 limit
in idcinvideo.c likely derives (128 KiB == 1 Mib == 1 Mipx if always
using the shortest Huffman code). Zero-byte packets are also not
allowed.

If we're looking over this anyway we could toss in all these
limitations, and maybe limit audio to 11025, 22050 and 44100 Hz.

I also notice that idcinvideo.c contains code copy-pasted from cl_cin.c
in Quake 2 (SmallestNode1 -> huff_smallest_node). The copyright header
should reflect this.

/Tomas

On Thu, Aug 22, 2019 at 11:24 AM Tomas Härdin <tjoppen@acc.umu.se> wrote:

> tor 2019-08-22 klockan 10:34 +0200 skrev Michael Niedermayer:
> > On Thu, Aug 22, 2019 at 10:23:40AM +0200, Paul B Mahol wrote:
> > > On Thu, Aug 22, 2019 at 10:16 AM Michael Niedermayer <
> > > michael@niedermayer.cc>
> > > wrote:
> > >
> > > > On Thu, Aug 22, 2019 at 10:09:30AM +0200, Paul B Mahol wrote:
> > > > > Why not fix issues listed in decoder code instead of this hack?
>
> I think there's better things we could have Michael do. That said:
>

Yes, more timeouts fixes as always.


>
> > > Also all this old game codecs never used very high resolutions.
> > > Max something vga, but not even that.
> >
> > limiting to 640x480 instead of 4096x4096 would give a factor of about
> > 55
> > speedup, thats still a long way from 2000 so that solves also only
> > part of it
> >
> > anyway ill provide a patch that limits resolution so theres something
> > that can be discussed.
>
> The probing in lavf/idcin.c already limits the resolution to 1024x1024.
> The only sample we have is 320x240. The Quake 2 decoder (cl_cin.c)
> limits CIN frames to 128 KiB compressed, from which the 1024x1024 limit
> in idcinvideo.c likely derives (128 KiB == 1 Mib == 1 Mipx if always
> using the shortest Huffman code). Zero-byte packets are also not
> allowed.
>
> If we're looking over this anyway we could toss in all these
> limitations, and maybe limit audio to 11025, 22050 and 44100 Hz.
>
> I also notice that idcinvideo.c contains code copy-pasted from cl_cin.c
> in Quake 2 (SmallestNode1 -> huff_smallest_node). The copyright header
> should reflect this.
>

That is sole reason why that awful code should not be kept, and instead
should be rewritten.


> /Tomas
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

On Wed, Aug 21, 2019 at 08:48:25PM -0300, James Almer wrote:
> On 8/21/2019 7:18 PM, Michael Niedermayer wrote:
> > Fixes: memleak
> > Fixes: 16277/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5696629440512000
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/realtextdec.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c
> > index 204e557aa2..c2316da0ed 100644
> > --- a/libavformat/realtextdec.c
> > +++ b/libavformat/realtextdec.c
> > @@ -123,6 +123,8 @@ static int realtext_read_header(AVFormatContext *s)
> >  
> >  end:
> >      av_bprint_finalize(&buf, NULL);
> > +    if (res < 0)
> > +        ff_subtitles_queue_clean(&rt->q);
> 
> LGTM

will apply

thx

[...]