[FFmpeg-devel,3/3] avcodec/lagarith: Sanity check scale

Message ID	20200128193217.30405-3-michael@niedermayer.cc
State	Accepted
Headers	show Return-Path: <ffmpeg-devel-bounces@ffmpeg.org> From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Tue, 28 Jan 2020 20:32:17 +0100 Message-Id: <20200128193217.30405-3-michael@niedermayer.cc> In-Reply-To: <20200128193217.30405-1-michael@niedermayer.cc> References: <20200128193217.30405-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/lagarith: Sanity check scale Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel,1/3] avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() \| expand [FFmpeg-devel,1/3] avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() [FFmpeg-devel,2/3] avcodec/pngdec: Check amount decoded [FFmpeg-devel,3/3] avcodec/lagarith: Sanity check scale

Message ID

20200128193217.30405-3-michael@niedermayer.cc

State

Accepted

Headers

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Tue, 28 Jan 2020 20:32:17 +0100
Message-Id: <20200128193217.30405-3-michael@niedermayer.cc>
In-Reply-To: <20200128193217.30405-1-michael@niedermayer.cc>
References: <20200128193217.30405-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/lagarith: Sanity check scale
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel,1/3] avcodec/apedec: Fix integer overflows in predictor_decode_mono_3950() | expand

Context	Check	Description
andriy/ffmpeg-patchwork	success	Make fate finished

Context

Check

Description

andriy/ffmpeg-patchwork

success

Make fate finished

Commit Message

Michael Niedermayer Jan. 28, 2020, 7:32 p.m. UTC

A value of 24 and above can collaps the range to 0 which would not work.

Fixes: Timeout (75sec -> 21sec)
Fixes: 18707/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5708950892969984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/lagarith.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index 59169be5de..0a45812bc1 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -226,6 +226,9 @@  static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
         }
     }
 
+    if (scale_factor > 23)
+        return AVERROR_INVALIDDATA;
+
     rac->scale = scale_factor;
 
     /* Fill probability array with cumulative probability for each symbol. */

[FFmpeg-devel,3/3] avcodec/lagarith: Sanity check scale

Checks

Commit Message

Patch