Message ID | 20200209130957.25474-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Headers | show |
Series | [FFmpeg-devel,1/2] avcodec/agm: Test remaining data in decode_raw_intra_rgb() | expand |
Context | Check | Description |
---|---|---|
andriy/ffmpeg-patchwork | success | Make fate finished |
Michael Niedermayer: > Fixes: Timeout (270sec -> 25ms) > Fixes: 20485/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5636954207289344 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/agm.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/agm.c b/libavcodec/agm.c > index 80f4697ee5..957131648b 100644 > --- a/libavcodec/agm.c > +++ b/libavcodec/agm.c > @@ -573,6 +573,9 @@ static int decode_raw_intra_rgb(AVCodecContext *avctx, GetByteContext *gbyte, AV > uint8_t *dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; > uint8_t r = 0, g = 0, b = 0; > > + if (bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height) Can the multiplication on the right overflow? > + return AVERROR_INVALIDDATA; > + > for (int y = 0; y < avctx->height; y++) { > for (int x = 0; x < avctx->width; x++) { > dst[x*3+0] = bytestream2_get_byte(gbyte) + r; After one has checked once that enough data is present, one can use the unchecked bytestream2-API here and for the other two reads. - Andreas
On Sun, Feb 09, 2020 at 01:55:00PM +0000, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: Timeout (270sec -> 25ms) > > Fixes: 20485/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5636954207289344 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/agm.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavcodec/agm.c b/libavcodec/agm.c > > index 80f4697ee5..957131648b 100644 > > --- a/libavcodec/agm.c > > +++ b/libavcodec/agm.c > > @@ -573,6 +573,9 @@ static int decode_raw_intra_rgb(AVCodecContext *avctx, GetByteContext *gbyte, AV > > uint8_t *dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; > > uint8_t r = 0, g = 0, b = 0; > > > > + if (bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height) > > Can the multiplication on the right overflow? ff_set_dimensions() and others check for the dimensions not being too large. So if they can overflow then there needs to be a bug elsewhere > > > + return AVERROR_INVALIDDATA; > > + > > for (int y = 0; y < avctx->height; y++) { > > for (int x = 0; x < avctx->width; x++) { > > dst[x*3+0] = bytestream2_get_byte(gbyte) + r; > > After one has checked once that enough data is present, one can use > the unchecked bytestream2-API here and for the other two reads. will do thx [...]
diff --git a/libavcodec/agm.c b/libavcodec/agm.c index 80f4697ee5..957131648b 100644 --- a/libavcodec/agm.c +++ b/libavcodec/agm.c @@ -573,6 +573,9 @@ static int decode_raw_intra_rgb(AVCodecContext *avctx, GetByteContext *gbyte, AV uint8_t *dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; uint8_t r = 0, g = 0, b = 0; + if (bytestream2_get_bytes_left(gbyte) < 3 * avctx->width * avctx->height) + return AVERROR_INVALIDDATA; + for (int y = 0; y < avctx->height; y++) { for (int x = 0; x < avctx->width; x++) { dst[x*3+0] = bytestream2_get_byte(gbyte) + r;
Fixes: Timeout (270sec -> 25ms) Fixes: 20485/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5636954207289344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/agm.c | 3 +++ 1 file changed, 3 insertions(+)