Message ID | 20200212220319.4802-1-michael@niedermayer.cc |
---|---|
State | New |
Series | [FFmpeg-devel,1/2] avcodec/midivid: Check dimensions to be the multiple assumed by the implementation |

Context | Check | Description |
---|---|---|
andriy/ffmpeg-patchwork | success | Make fate finished |
This is incorrect. On 2/12/20, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: out of array access > Fixes: > 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/midivid.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c > index 8d4c3b369e..a30cf25207 100644 > --- a/libavcodec/midivid.c > +++ b/libavcodec/midivid.c > @@ -236,6 +236,9 @@ static av_cold int decode_init(AVCodecContext *avctx) > MidiVidContext *s = avctx->priv_data; > int ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); > > + if (avctx->width%32 || avctx->height%4) > + ret = AVERROR_INVALIDDATA; > + > if (ret < 0) { > av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", > avctx->width, avctx->height); > -- > 2.17.1
On 2020-02-12T23:17:09+0100, Paul B Mahol <onemda@gmail.com> wrote: > This is incorrect. > > On 2/12/20, Michael Niedermayer <michael@niedermayer.cc> wrote: >> Fixes: out of array access >> Fixes: >> 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736 >> >> Found-by: continuous fuzzing process >> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >> [...] Wow! What a wonderful nicely bottom-posted expressed opinion <https://ffmpeg.org/pipermail/ffmpeg-devel/2020-January/256462.html>! That certainly must have been very helpful for Michael. -- Reino
On 2/13/20, Reino Wijnsma <rwijnsma@xs4all.nl> wrote: > On 2020-02-12T23:17:09+0100, Paul B Mahol <onemda@gmail.com> wrote: >> This is incorrect. >> >> On 2/12/20, Michael Niedermayer <michael@niedermayer.cc> wrote: >>> Fixes: out of array access >>> Fixes: >>> 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736 >>> >>> Found-by: continuous fuzzing process >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >>> [...] > > Wow! What a wonderful nicely bottom-posted expressed opinion > <https://ffmpeg.org/pipermail/ffmpeg-devel/2020-January/256462.html>! That > certainly must have been very helpful for Michael. What a nice and tolerant opinion, with so big acceptance. I'm deeply touched.
diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c index 8d4c3b369e..a30cf25207 100644 --- a/libavcodec/midivid.c +++ b/libavcodec/midivid.c @@ -236,6 +236,9 @@ static av_cold int decode_init(AVCodecContext *avctx) MidiVidContext *s = avctx->priv_data; int ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (avctx->width%32 || avctx->height%4) + ret = AVERROR_INVALIDDATA; + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "Invalid image size %dx%d.\n", avctx->width, avctx->height);
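Review bot: The added `if (avctx->width%32 || avctx->height%4)` in decode_init() assigns `ret = AVERROR_INVALIDDATA` even when av_image_check_size() has already failed, so the original error code is lost, and the rejection is then reported through the existing "Invalid image size %dx%d." message, which gives no hint that the actual constraint is a width that is a multiple of 32 and a height that is a multiple of 4. Consider testing the multiples only when `ret >= 0` and logging the required alignment in its own message. Neither the hunk nor the commit message shows where the out of array access occurs or which part of the decoder assumes these multiples, so a short comment above the check (or a sentence in the commit message) would let a reader verify that 32 and 4 are the right values. If such dimensions are legal in the format and merely unsupported by this decoder, AVERROR_PATCHWELCOME would describe the failure more accurately than AVERROR_INVALIDDATA.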
Fixes: out of array access Fixes: 20626/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVDV_fuzzer-6279905350516736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/midivid.c | 3 +++ 1 file changed, 3 insertions(+)