[FFmpeg-devel] avcodec/pngdec: Check for fctl after idat

Message ID	20200625181308.16685-1-michael@niedermayer.cc
State	Accepted
Commit	65b1ba680fb67902a9c876a49d0146eaae5a1c3d
Headers	show Return-Path: <ffmpeg-devel-bounces@ffmpeg.org> From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Thu, 25 Jun 2020 20:13:08 +0200 Message-Id: <20200625181308.16685-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH] avcodec/pngdec: Check for fctl after idat Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel] avcodec/pngdec: Check for fctl after idat \| expand [FFmpeg-devel] avcodec/pngdec: Check for fctl after idat

Message ID

20200625181308.16685-1-michael@niedermayer.cc

State

Accepted

Commit

65b1ba680fb67902a9c876a49d0146eaae5a1c3d

Headers

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Thu, 25 Jun 2020 20:13:08 +0200
Message-Id: <20200625181308.16685-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH] avcodec/pngdec: Check for fctl after idat
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel] avcodec/pngdec: Check for fctl after idat | expand

Context	Check	Description
andriy/default	pending
andriy/make	success	Make finished
andriy/make_fate	success	Make fate finished

Context

Check

Description

andriy/default

pending

andriy/make

success

Make finished

andriy/make_fate

success

Make fate finished

Commit Message

Michael Niedermayer June 25, 2020, 6:13 p.m. UTC

Fixes: out of array access
Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/pngdec.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Michael Niedermayer July 1, 2020, 9:30 a.m. UTC | #1

On Thu, Jun 25, 2020 at 08:13:08PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/pngdec.c | 5 +++++
>  1 file changed, 5 insertions(+)

will apply

[...]

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index ff3882a58d..647e7f0a74 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -984,6 +984,11 @@  static int decode_fctl_chunk(AVCodecContext *avctx, PNGDecContext *s,
         return AVERROR_INVALIDDATA;
     }
 
+    if (s->pic_state & PNG_IDAT) {
+        av_log(avctx, AV_LOG_ERROR, "fctl after IDAT\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     s->last_w = s->cur_w;
     s->last_h = s->cur_h;
     s->last_x_offset = s->x_offset;

[FFmpeg-devel] avcodec/pngdec: Check for fctl after idat

Checks

Commit Message

Comments

Patch