diff mbox series

[FFmpeg-devel,1/2] avcodec/midivid: Check dimensions to be the multiple assumed by the implementation

Message ID 20200212220319.4802-1-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/2] avcodec/midivid: Check dimensions to be the multiple assumed by the implementation | expand

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer Feb. 12, 2020, 10:03 p.m. UTC
Fixes: out of array access
Fixes: 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/midivid.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paul B Mahol Feb. 12, 2020, 10:17 p.m. UTC | #1
This is incorrect.

On 2/12/20, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: out of array access
> Fixes:
> 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/midivid.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c
> index 8d4c3b369e..a30cf25207 100644
> --- a/libavcodec/midivid.c
> +++ b/libavcodec/midivid.c
> @@ -236,6 +236,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
>      MidiVidContext *s = avctx->priv_data;
>      int ret = av_image_check_size(avctx->width, avctx->height, 0, avctx);
>
> +    if (avctx->width%32 || avctx->height%4)
> +        ret = AVERROR_INVALIDDATA;
> +
>      if (ret < 0) {
>          av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n",
>                 avctx->width, avctx->height);
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Reino Wijnsma Feb. 12, 2020, 11:01 p.m. UTC | #2
On 2020-02-12T23:17:09+0100, Paul B Mahol <onemda@gmail.com> wrote:
> This is incorrect.
>
> On 2/12/20, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> Fixes: out of array access
>> Fixes:
>> 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> [...]

Wow! What a wonderful nicely bottom-posted expressed opinion <https://ffmpeg.org/pipermail/ffmpeg-devel/2020-January/256462.html>! That certainly must have been very helpful for Michael.

-- Reino
Paul B Mahol Feb. 13, 2020, 8:06 a.m. UTC | #3
On 2/13/20, Reino Wijnsma <rwijnsma@xs4all.nl> wrote:
> On 2020-02-12T23:17:09+0100, Paul B Mahol <onemda@gmail.com> wrote:
>> This is incorrect.
>>
>> On 2/12/20, Michael Niedermayer <michael@niedermayer.cc> wrote:
>>> Fixes: out of array access
>>> Fixes:
>>> 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736
>>>
>>> Found-by: continuous fuzzing process
>>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> [...]
>
> Wow! What a wonderful nicely bottom-posted expressed opinion
> <https://ffmpeg.org/pipermail/ffmpeg-devel/2020-January/256462.html>! That
> certainly must have been very helpful for Michael.

What a nice and tolerant opinion, with so big acceptance. I'm deeply touched.
diff mbox series

Patch

diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c
index 8d4c3b369e..a30cf25207 100644
--- a/libavcodec/midivid.c
+++ b/libavcodec/midivid.c
@@ -236,6 +236,9 @@  static av_cold int decode_init(AVCodecContext *avctx)
     MidiVidContext *s = avctx->priv_data;
     int ret = av_image_check_size(avctx->width, avctx->height, 0, avctx);
 
+    if (avctx->width%32 || avctx->height%4)
+        ret = AVERROR_INVALIDDATA;
+
     if (ret < 0) {
         av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n",
                avctx->width, avctx->height);