Message ID | 20200529235354.30990-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | cf28521fee22dbe2f7eeb8ab0306c0fd0802c48a |
Headers | show |
Series | [FFmpeg-devel] avcodec/hq_hqa: Check info size | expand |
Context | Check | Description |
---|---|---|
andriy/default | pending | |
andriy/make | success | Make finished |
andriy/make_fate | success | Make fate finished |
On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: assertion failure > Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/hq_hqa.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c > index eec2e980b3..8404e80ec8 100644 > --- a/libavcodec/hq_hqa.c > +++ b/libavcodec/hq_hqa.c > @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, > int info_size; > bytestream2_skip(&ctx->gbc, 4); > info_size = bytestream2_get_le32(&ctx->gbc); > - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); > return AVERROR_INVALIDDATA; > } > -- bytestream2_get_le32 returns an unsigned type, wouldn't it be better to make info_size unsigned and avoid the type cast and signed overflow that results in this check failing? - Hendrik
On Sat, May 30, 2020 at 02:09:42AM +0200, Hendrik Leppkes wrote: > On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer > <michael@niedermayer.cc> wrote: > > > > Fixes: assertion failure > > Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/hq_hqa.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c > > index eec2e980b3..8404e80ec8 100644 > > --- a/libavcodec/hq_hqa.c > > +++ b/libavcodec/hq_hqa.c > > @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, > > int info_size; > > bytestream2_skip(&ctx->gbc, 4); > > info_size = bytestream2_get_le32(&ctx->gbc); > > - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > > + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > > av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); > > return AVERROR_INVALIDDATA; > > } > > -- > > bytestream2_get_le32 returns an unsigned type, wouldn't it be better > to make info_size unsigned and avoid the type cast and signed overflow > that results in this check failing? The value is ultimatly passed into bytestream2_init() where its in int so it cannot be beyond the positive signed int range thx [...]
On Sat, May 30, 2020 at 06:31:24PM +0200, Michael Niedermayer wrote: > On Sat, May 30, 2020 at 02:09:42AM +0200, Hendrik Leppkes wrote: > > On Sat, May 30, 2020 at 2:01 AM Michael Niedermayer > > <michael@niedermayer.cc> wrote: > > > > > > Fixes: assertion failure > > > Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 > > > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > --- > > > libavcodec/hq_hqa.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c > > > index eec2e980b3..8404e80ec8 100644 > > > --- a/libavcodec/hq_hqa.c > > > +++ b/libavcodec/hq_hqa.c > > > @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, > > > int info_size; > > > bytestream2_skip(&ctx->gbc, 4); > > > info_size = bytestream2_get_le32(&ctx->gbc); > > > - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > > > + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { > > > av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); > > > return AVERROR_INVALIDDATA; > > > } > > > -- > > > > bytestream2_get_le32 returns an unsigned type, wouldn't it be better > > to make info_size unsigned and avoid the type cast and signed overflow > > that results in this check failing? > > The value is ultimatly passed into bytestream2_init() > where its in int so it cannot be beyond the positive signed int range will apply [...]
diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index eec2e980b3..8404e80ec8 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -321,7 +321,7 @@ static int hq_hqa_decode_frame(AVCodecContext *avctx, void *data, int info_size; bytestream2_skip(&ctx->gbc, 4); info_size = bytestream2_get_le32(&ctx->gbc); - if (bytestream2_get_bytes_left(&ctx->gbc) < info_size) { + if (info_size < 0 || bytestream2_get_bytes_left(&ctx->gbc) < info_size) { av_log(avctx, AV_LOG_ERROR, "Invalid INFO size (%d).\n", info_size); return AVERROR_INVALIDDATA; }
Fixes: assertion failure Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hq_hqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)