Message ID | 20200115002108.25753-1-michael@niedermayer.cc |
---|---|
State | New |
Series | [FFmpeg-devel,1/2] avcodec/wmalosslessdec: move channel check up |
Context | Check | Description |
---|---|---|
andriy/ffmpeg-patchwork | success | Make fate finished |
On Wed, Jan 15, 2020 at 1:25 AM Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: out of array access > Fixes: 2nd part of > 18429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-6210814364614656 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/wmalosslessdec.c | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c > index d2f9d4a70f..2b97c2a848 100644 > --- a/libavcodec/wmalosslessdec.c > +++ b/libavcodec/wmalosslessdec.c > @@ -189,6 +189,16 @@ static av_cold int decode_init(AVCodecContext *avctx) > return AVERROR(EINVAL); > } > > + if (avctx->channels < 0) { > + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", > + avctx->channels); > + return AVERROR_INVALIDDATA; > + } else if (avctx->channels > WMALL_MAX_CHANNELS) { > + avpriv_request_sample(avctx, > + "More than %d channels", > WMALL_MAX_CHANNELS); > This looks like it could benefit from AV_STRINGIFY. LGTM apart from that. - Andreas
On Wed, Jan 15, 2020 at 02:33:28AM +0100, Andreas Rheinhardt wrote: > On Wed, Jan 15, 2020 at 1:25 AM Michael Niedermayer <michael@niedermayer.cc> > wrote: > > > Fixes: out of array access > > Fixes: 2nd part of > > 18429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-6210814364614656 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by > > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > > Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/wmalosslessdec.c | 20 ++++++++++---------- > > 1 file changed, 10 insertions(+), 10 deletions(-) > > > > diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c > > index d2f9d4a70f..2b97c2a848 100644 > > --- a/libavcodec/wmalosslessdec.c > > +++ b/libavcodec/wmalosslessdec.c > > @@ -189,6 +189,16 @@ static av_cold int decode_init(AVCodecContext *avctx) > > return AVERROR(EINVAL); > > } > > > > + if (avctx->channels < 0) { > > + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", > > + avctx->channels); > > + return AVERROR_INVALIDDATA; > > + } else if (avctx->channels > WMALL_MAX_CHANNELS) { > > + avpriv_request_sample(avctx, > > + "More than %d channels", > > WMALL_MAX_CHANNELS); > > > > This looks like it could benefit from AV_STRINGIFY. LGTM apart from that. will apply with a AV_STRINGIFY patch thanks [...]
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index d2f9d4a70f..2b97c2a848 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -189,6 +189,16 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR(EINVAL); } + if (avctx->channels < 0) { + av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", + avctx->channels); + return AVERROR_INVALIDDATA; + } else if (avctx->channels > WMALL_MAX_CHANNELS) { + avpriv_request_sample(avctx, + "More than %d channels", WMALL_MAX_CHANNELS); + return AVERROR_PATCHWELCOME; + } + s->max_frame_size = MAX_FRAMESIZE * avctx->channels; s->frame_data = av_mallocz(s->max_frame_size + AV_INPUT_BUFFER_PADDING_SIZE); if (!s->frame_data) @@ -267,16 +277,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ++s->lfe_channel; } - if (s->num_channels < 0) { - av_log(avctx, AV_LOG_ERROR, "invalid number of channels %"PRId8"\n", - s->num_channels); - return AVERROR_INVALIDDATA; - } else if (s->num_channels > WMALL_MAX_CHANNELS) { - avpriv_request_sample(avctx, - "More than %d channels", WMALL_MAX_CHANNELS); - return AVERROR_PATCHWELCOME; - } - s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM);
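Review bot: In the first hunk the new guard `avctx->channels < 0` still lets a channel count of 0 through, so `s->max_frame_size = MAX_FRAMESIZE * avctx->channels` becomes 0 and `frame_data` is allocated with only the padding bytes. Unless an earlier check in decode_init already rejects zero channels, make this `avctx->channels <= 0`, or say in the commit message where 0 is handled. The `"More than %d channels"` call is also where the AV_STRINGIFY suggestion from the thread applies.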
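Review bot: In the second hunk the removed block tested `s->num_channels` (printed with `PRId8`), while its replacement in the first hunk tests `avctx->channels`, and the visible lines do not show how the two fields relate. The commit message should state that `s->num_channels` is taken from `avctx->channels` without adjustment, and name the code between the new position (around line 189) and the old one (around line 267) that used the channel count before it was validated, so the "out of array access" fix can be checked against it.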
Fixes: out of array access
Fixes: 2nd part of 18429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-6210814364614656

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wmalosslessdec.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)