[FFmpeg-devel,2/3] avcodec/iff: Check length before memcpy() in decode_deep_rle32()

Message ID 20200420220341.7729-2-michael@niedermayer.cc
State Accepted
Series [FFmpeg-devel,1/3] avcodec/iff: Fix invalid pointer intermediates in decode_deep_rle32()

Checks

Context           Check     Description
andriy/default    pending
andriy/make       success   Make finished
andriy/make_fate  success   Make fate finished

Commit Message

Michael Niedermayer April 20, 2020, 10:03 p.m. UTC
Fixes: out of array read
Fixes: 20796/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5111364702175232.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/iff.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Peter Ross April 22, 2020, 10:10 a.m. UTC | #1
On Tue, Apr 21, 2020 at 12:03:40AM +0200, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: 20796/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5111364702175232.fuzz
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/iff.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavcodec/iff.c b/libavcodec/iff.c
> index 2e65e266d0..23d19d8a25 100644
> --- a/libavcodec/iff.c
> +++ b/libavcodec/iff.c
> @@ -722,6 +722,8 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
>              int size = opcode + 1;
>              for (i = 0; i < size; i++) {
>                  int length = FFMIN(size - i, width);
> +                if (src_end - src < length)
> +                    return;
>                  memcpy(dst + y*linesize + x * 4, src, length * 4);
>                  src += length * 4;
>                  x += length;

hi michael.

i think the guard should be:

if (src_end - src < length * 4)
    return;

cheers,

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
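The difference between the two guards, as an added C example that is not FFmpeg's code: `copy_run` and `demo` are hypothetical simplifications of the literal-run loop in the hunk, with a flag selecting the posted check (`length`) or the corrected one (`length * 4`), and the return value exposes how many source bytes the copy actually consumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FFMIN(a, b) ((a) < (b) ? (a) : (b))

/* Hypothetical, simplified stand-in for the literal-run copy inside
 * decode_deep_rle32(): copies `size` 32-bit pixels (4 bytes each) from src
 * into dst, wrapping at `width` pixels per row. Not FFmpeg's code.
 * guard_in_bytes == 0 reproduces the patch as posted (remaining bytes are
 * compared against a pixel count); guard_in_bytes != 0 applies the
 * correction (compared against length * 4, the bytes memcpy reads).
 * Returns the bytes consumed from src, or -1 when the guard stops the run. */
static int copy_run(uint8_t *dst, int linesize, int width,
                    const uint8_t *src, int src_size, int size,
                    int guard_in_bytes)
{
    const uint8_t *src_end = src + src_size;
    const uint8_t *start   = src;
    int x = 0, y = 0;

    for (int i = 0; i < size; ) {
        int length = FFMIN(size - i, width - x);
        int need   = guard_in_bytes ? length * 4 : length;
        if (src_end - src < need)
            return -1;
        memcpy(dst + y * linesize + x * 4, src, length * 4);
        src += length * 4;
        x   += length;
        i   += length;
        if (x == width) {
            x = 0;
            y++;
        }
    }
    return (int)(src - start);
}

/* Constructed input: a 2-pixel run (8 bytes needed) against a declared
 * source size of src_size bytes. The array is padded so an over-read
 * permitted by the weak guard stays inside it; the return value reveals
 * the over-read whenever it exceeds src_size. */
static int demo(int src_size, int guard_in_bytes)
{
    uint8_t src[16] = { 0xAA, 0xBB, 0xCC, 0xDD, 0x11, 0x22, 0x33, 0x44 };
    uint8_t dst[4 * 4] = { 0 };
    return copy_run(dst, 16, 4, src, src_size, 2, guard_in_bytes);
}
```

With only 4 declared bytes the posted guard lets the run consume 8, while the corrected guard returns -1; with 8 declared bytes the corrected guard passes and consumes exactly 8.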
Michael Niedermayer April 22, 2020, 9:20 p.m. UTC | #2
On Wed, Apr 22, 2020 at 08:10:44PM +1000, Peter Ross wrote:
> On Tue, Apr 21, 2020 at 12:03:40AM +0200, Michael Niedermayer wrote:
> > Fixes: out of array read
> > Fixes: 20796/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5111364702175232.fuzz
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/iff.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/libavcodec/iff.c b/libavcodec/iff.c
> > index 2e65e266d0..23d19d8a25 100644
> > --- a/libavcodec/iff.c
> > +++ b/libavcodec/iff.c
> > @@ -722,6 +722,8 @@ static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
> >              int size = opcode + 1;
> >              for (i = 0; i < size; i++) {
> >                  int length = FFMIN(size - i, width);
> > +                if (src_end - src < length)
> > +                    return;
> >                  memcpy(dst + y*linesize + x * 4, src, length * 4);
> >                  src += length * 4;
> >                  x += length;
> 
> hi michael.
> 
> i think the guard should be:
> 
> if (src_end - src < length * 4)
>     return;

oops, will fix and apply

thx


[...]

Patch

diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 2e65e266d0..23d19d8a25 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -722,6 +722,8 @@  static void decode_deep_rle32(uint8_t *dst, const uint8_t *src, int src_size, in
             int size = opcode + 1;
             for (i = 0; i < size; i++) {
                 int length = FFMIN(size - i, width);
+                if (src_end - src < length)
+                    return;
                 memcpy(dst + y*linesize + x * 4, src, length * 4);
                 src += length * 4;
                 x += length;
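Review bot: the new guard `if (src_end - src < length)` is in the wrong unit: the `memcpy` two lines below reads `length * 4` bytes and `src += length * 4` advances by the same amount, so comparing the remaining bytes against a pixel count still allows a run to read up to `3 * length` bytes past `src_end`. Suggest `if (src_end - src < length * 4)` so the check matches the byte count the copy actually consumes.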