[FFmpeg-devel] avcodec/hq_hqa: Check info size

Message ID	20200529235354.30990-1-michael@niedermayer.cc
State	Accepted
Commit	cf28521fee22dbe2f7eeb8ab0306c0fd0802c48a
Headers	show Return-Path: <ffmpeg-devel-bounces@ffmpeg.org> From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Sat, 30 May 2020 01:53:54 +0200 Message-Id: <20200529235354.30990-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH] avcodec/hq_hqa: Check info size Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel] avcodec/hq_hqa: Check info size \| expand [FFmpeg-devel] avcodec/hq_hqa: Check info size

Message ID

20200529235354.30990-1-michael@niedermayer.cc

State

Accepted

Commit

cf28521fee22dbe2f7eeb8ab0306c0fd0802c48a

Headers

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sat, 30 May 2020 01:53:54 +0200
Message-Id: <20200529235354.30990-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH] avcodec/hq_hqa: Check info size
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel] avcodec/hq_hqa: Check info size | expand

Context	Check	Description
andriy/default	pending
andriy/make	success	Make finished
andriy/make_fate	success	Make fate finished

Context

Check

Description

andriy/default

pending

andriy/make

success

Make finished

andriy/make_fate

success

Make fate finished

Commit Message

Michael Niedermayer May 29, 2020, 11:53 p.m. UTC

Fixes: assertion failure
Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hq_hqa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Hendrik Leppkes May 30, 2020, 12:09 a.m. UTC | #1

On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer
<michael@niedermayer.cc> wrote:
>
> Fixes: assertion failure
> Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hq_hqa.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
> index eec2e980b3..8404e80ec8 100644
> --- a/libavcodec/hq_hqa.c
> +++ b/libavcodec/hq_hqa.c
> @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
>          int info_size;
>          bytestream2_skip(&ctx->gbc, 4);
>          info_size = bytestream2_get_le32(&ctx->gbc);
> -        if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
> +        if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
>              av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
>              return AVERROR_INVALIDDATA;
>          }
> --

bytestream2_get_le32 returns an unsigned type, wouldn't it be better
to make info_size unsigned and avoid the type cast and signed overflow
that results in this check failing?

- Hendrik

Michael Niedermayer May 30, 2020, 4:31 p.m. UTC | #2

On Sat, May 30, 2020 at 02:09:42AM +0200, Hendrik Leppkes wrote:
> On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer
> <michael@niedermayer.cc> wrote:
> >
> > Fixes: assertion failure
> > Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/hq_hqa.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
> > index eec2e980b3..8404e80ec8 100644
> > --- a/libavcodec/hq_hqa.c
> > +++ b/libavcodec/hq_hqa.c
> > @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
> >          int info_size;
> >          bytestream2_skip(&ctx->gbc, 4);
> >          info_size = bytestream2_get_le32(&ctx->gbc);
> > -        if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
> > +        if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
> >              av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
> >              return AVERROR_INVALIDDATA;
> >          }
> > --
> 
> bytestream2_get_le32 returns an unsigned type, wouldn't it be better
> to make info_size unsigned and avoid the type cast and signed overflow
> that results in this check failing?

The value is ultimatly passed into bytestream2_init()
where its in int so it cannot be beyond the positive signed int range

thx

[...]

Michael Niedermayer June 4, 2020, 10:39 p.m. UTC | #3

On Sat, May 30, 2020 at 06:31:24PM +0200, Michael Niedermayer wrote:
> On Sat, May 30, 2020 at 02:09:42AM +0200, Hendrik Leppkes wrote:
> > On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer
> > <michael@niedermayer.cc> wrote:
> > >
> > > Fixes: assertion failure
> > > Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640
> > >
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavcodec/hq_hqa.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
> > > index eec2e980b3..8404e80ec8 100644
> > > --- a/libavcodec/hq_hqa.c
> > > +++ b/libavcodec/hq_hqa.c
> > > @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
> > >          int info_size;
> > >          bytestream2_skip(&ctx->gbc, 4);
> > >          info_size = bytestream2_get_le32(&ctx->gbc);
> > > -        if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
> > > +        if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
> > >              av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
> > >              return AVERROR_INVALIDDATA;
> > >          }
> > > --
> > 
> > bytestream2_get_le32 returns an unsigned type, wouldn't it be better
> > to make info_size unsigned and avoid the type cast and signed overflow
> > that results in this check failing?
> 
> The value is ultimatly passed into bytestream2_init()
> where its in int so it cannot be beyond the positive signed int range

will apply

[...]

diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index eec2e980b3..8404e80ec8 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -321,7 +321,7 @@  static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data,
         int info_size;
         bytestream2_skip(&ctx->gbc, 4);
         info_size = bytestream2_get_le32(&ctx->gbc);
-        if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
+        if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) {
             av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size);
             return AVERROR_INVALIDDATA;
         }

[FFmpeg-devel] avcodec/hq_hqa: Check info size

Checks

Commit Message

Comments

Patch