[FFmpeg-devel,1/2] avcodec/cbs_vp9: Check index_size

Message ID	20191214120820.15428-1-michael@niedermayer.cc
State	Accepted
Commit	d6553e2e60a389296dd2f83a96f944ccfa5877a0
Headers	show Return-Path: <ffmpeg-devel-bounces@ffmpeg.org> From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Sat, 14 Dec 2019 13:08:19 +0100 Message-Id: <20191214120820.15428-1-michael@niedermayer.cc> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/cbs_vp9: Check index_size Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Message ID

20191214120820.15428-1-michael@niedermayer.cc

State

Accepted

Commit

d6553e2e60a389296dd2f83a96f944ccfa5877a0

Headers

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sat, 14 Dec 2019 13:08:19 +0100
Message-Id: <20191214120820.15428-1-michael@niedermayer.cc>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/cbs_vp9: Check index_size
Precedence: list
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Commit Message

Michael Niedermayer Dec. 14, 2019, 12:08 p.m. UTC

Fixes: out of array read
Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cbs_vp9.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

James Almer Dec. 14, 2019, 6:23 p.m. UTC | #1

On 12/14/2019 9:08 AM, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/cbs_vp9.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c
> index 42e4dcf5ac..98730e03e3 100644
> --- a/libavcodec/cbs_vp9.c
> +++ b/libavcodec/cbs_vp9.c
> @@ -428,6 +428,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx,
>          index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) *
>                            ((superframe_header & 0x07) + 1);
>  
> +        if (index_size > frag->data_size)
> +            return AVERROR_INVALIDDATA;
> +
>          err = init_get_bits(&gbc, frag->data + frag->data_size - index_size,
>                              8 * index_size);
>          if (err < 0)

Should be ok.

Michael Niedermayer Dec. 24, 2019, 2:58 p.m. UTC | #2

On Sat, Dec 14, 2019 at 03:23:40PM -0300, James Almer wrote:
> On 12/14/2019 9:08 AM, Michael Niedermayer wrote:
> > Fixes: out of array read
> > Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/cbs_vp9.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c
> > index 42e4dcf5ac..98730e03e3 100644
> > --- a/libavcodec/cbs_vp9.c
> > +++ b/libavcodec/cbs_vp9.c
> > @@ -428,6 +428,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx,
> >          index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) *
> >                            ((superframe_header & 0x07) + 1);
> >  
> > +        if (index_size > frag->data_size)
> > +            return AVERROR_INVALIDDATA;
> > +
> >          err = init_get_bits(&gbc, frag->data + frag->data_size - index_size,
> >                              8 * index_size);
> >          if (err < 0)
> 
> Should be ok.

will apply 

Thanks

[...]

diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c
index 42e4dcf5ac..98730e03e3 100644
--- a/libavcodec/cbs_vp9.c
+++ b/libavcodec/cbs_vp9.c
@@ -428,6 +428,9 @@  static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx,
         index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) *
                           ((superframe_header & 0x07) + 1);
 
+        if (index_size > frag->data_size)
+            return AVERROR_INVALIDDATA;
+
         err = init_get_bits(&gbc, frag->data + frag->data_size - index_size,
                             8 * index_size);
         if (err < 0)

[FFmpeg-devel,1/2] avcodec/cbs_vp9: Check index_size

Commit Message

Comments

Patch