[FFmpeg-devel,1/5] avcodec/notchlc: Check uncompressed size against input for LZ4

Message ID 20201015203232.18258-1-michael@niedermayer.cc
State Accepted
Commit 51002362c4ed301e54cea1597666cd5cc9a134f3
Series [FFmpeg-devel,1/5] avcodec/notchlc: Check uncompressed size against input for LZ4

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Michael Niedermayer Oct. 15, 2020, 8:32 p.m. UTC
Fixes: OOM
Fixes: 26168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-6019839015256064

Equation is based on LZ4_COMPRESSBOUND from lz4.h
Suggested-by: Paul
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/notchlc.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Michael Niedermayer Oct. 20, 2020, 1:43 p.m. UTC | #1
On Thu, Oct 15, 2020 at 10:32:28PM +0200, Michael Niedermayer wrote:
> Fixes: OOM
> Fixes: 26168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-6019839015256064
> 
> Equation is based on LZ4_COMPRESSBOUND from lz4.h
> Suggested-by: Paul
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/notchlc.c | 5 +++++
>  1 file changed, 5 insertions(+)

will apply

[...]
Paul B Mahol Oct. 20, 2020, 2:57 p.m. UTC | #2
This broke decoding of every single file.

Please revert ASAP!

On Tue, Oct 20, 2020 at 3:43 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> On Thu, Oct 15, 2020 at 10:32:28PM +0200, Michael Niedermayer wrote:
> > Fixes: OOM
> > Fixes:
> 26168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-6019839015256064
> >
> > Equation is based on LZ4_COMPRESSBOUND from lz4.h
> > Suggested-by: Paul
> > Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/notchlc.c | 5 +++++
> >  1 file changed, 5 insertions(+)
>
> will apply
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Elect your leaders based on what they did after the last election, not
> based on what they say before an election.
Michael Niedermayer Oct. 20, 2020, 3:37 p.m. UTC | #3
On Tue, Oct 20, 2020 at 04:57:47PM +0200, Paul B Mahol wrote:
> This broke decoding of every single file.
> 
> Please revert ASAP!

Reverted. I have to say though that this was the bound that you posted.
I think you mixed upper and lower bounds and I didn't notice.

The patch I originally posted works with the 2 test samples I now have;
are you ok with it? (The change is below for reference.)

@@ -490,6 +490,9 @@ static int decode_frame(AVCodecContext *avctx,
 
         bytestream2_init(gb, s->lzf_buffer, uncompressed_size);
     } else if (s->format == 1) {
+        if (bytestream2_get_bytes_left(gb) < uncompressed_size / 255)
+            return AVERROR_INVALIDDATA;
+
         av_fast_padded_malloc(&s->uncompressed_buffer, &s->uncompressed_size,
                               uncompressed_size);
         if (!s->uncompressed_buffer)
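Review bot: the divisor in `if (bytestream2_get_bytes_left(gb) < uncompressed_size / 255)` is the LZ4 decode-expansion limit (each 0xFF length-extension byte in a sequence adds 255 output bytes for one input byte), but nothing in the hunk says so, and the previous revision of this check already got the direction of the bound inverted; a one-line comment stating that 255 is the maximum decode expansion ratio, not anything derived from LZ4_COMPRESSBOUND, would keep the next reader from "correcting" it. Also note that the integer division makes the check vacuous for uncompressed_size below 255 (the right-hand side is 0), which is harmless for the OOM case it targets but means this is a loose pre-allocation sanity bound, not validation of the stream.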

Thanks

[...]
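To make the direction of the two bounds in this thread concrete, here is an added C example, not FFmpeg or lz4 code: the compress bound from lz4.h, both checks discussed above, and a size-only walk over the LZ4 block format on a constructed block, showing why a valid input can be roughly 255 times smaller than its decoded output. The walk and the constructed block are the example's own assumptions; the two check functions mirror the committed and the reposted hunks.

```c
#include <stddef.h>
#include <stdint.h>

/* LZ4_COMPRESSBOUND(n) from lz4.h: worst-case COMPRESSED size of n input bytes; it limits nothing on decode. */
static size_t lz4_compress_bound(size_t n) { return n + n / 255 + 16; }

/* The committed (and reverted) check: the compress bound used as a lower bound on the input size. */
static int accept_committed(size_t rem, size_t unc)
{   /* the 0x7E000000 (LZ4_MAX_INPUT_SIZE) guard keeps rem + rem/255 + 16 from overflowing */
    return rem <= 0x7E000000U && lz4_compress_bound(rem) >= unc;
}

/* The reposted check: LZ4 expands by at most ~255x, so fewer than unc/255 input bytes cannot decode to unc. */
static int accept_ratio(size_t rem, size_t unc) { return rem >= unc / 255; }

/* Size-only walk over the LZ4 block format (token, literals, offset, match length).
 * Returns the decoded size, or 0 on truncated input. Every 0xFF length-extension
 * byte adds 255 output bytes for one input byte: that is where the 255 comes from. */
static size_t lz4_block_decoded_size(const uint8_t *in, size_t len)
{
    size_t ip = 0, out = 0;
    while (ip < len) {
        uint8_t t = in[ip++], b = 0;
        size_t lit = t >> 4, ml = t & 0x0F;
        if (lit == 15)                              /* extended literal length */
            do { if (ip >= len) return 0; b = in[ip++]; lit += b; } while (b == 255);
        if (ip + lit > len) return 0;
        ip += lit; out += lit;
        if (ip == len) break;                       /* last sequence: literals only */
        if (ip + 2 > len) return 0;
        ip += 2;                                    /* match offset, irrelevant for size */
        if (ml == 15)                               /* extended match length */
            do { if (ip >= len) return 0; b = in[ip++]; ml += b; } while (b == 255);
        out += ml + 4;                              /* MINMATCH is 4 */
    }
    return out;
}

/* Constructed block (assumption, not from any real file): one literal, a match whose length
 * is extended by k 0xFF bytes, then an empty final token: k + 6 bytes in, 20 + 255 * k out. */
static size_t expanding_block_decoded_size(size_t k)
{
    uint8_t buf[64] = { 0x1F, 'A', 0x01, 0x00 };    /* token, literal, offset 1 */
    size_t n = 4;
    if (k + 6 > sizeof buf) return 0;
    while (k--) buf[n++] = 0xFF;                    /* each adds 255 to the match length */
    buf[n++] = 0x00; buf[n++] = 0x00;               /* end of length run; final token */
    return lz4_block_decoded_size(buf, n);
}
```

With a 1000-byte input claiming 100000 decoded bytes (an ordinary 100:1 frame), the committed check rejects it while the ratio check accepts it; the same holds for the constructed 64-byte block that legitimately decodes to 14810 bytes.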
Patch

diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c
index 3f7079da70..d13ce3193c 100644
--- a/libavcodec/notchlc.c
+++ b/libavcodec/notchlc.c
@@ -490,6 +490,11 @@  static int decode_frame(AVCodecContext *avctx,
 
         bytestream2_init(gb, s->lzf_buffer, uncompressed_size);
     } else if (s->format == 1) {
+        unsigned remaining = bytestream2_get_bytes_left(gb);
+
+        if (remaining > 0x7E000000U || remaining + remaining/255 + 16 < uncompressed_size)
+            return AVERROR_INVALIDDATA;
+
         av_fast_padded_malloc(&s->uncompressed_buffer, &s->uncompressed_size,
                               uncompressed_size);
         if (!s->uncompressed_buffer)
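Review bot: the condition `remaining + remaining/255 + 16 < uncompressed_size` applies the bound the wrong way round, which is consistent with the report in #2 that it broke every file. LZ4_COMPRESSBOUND(n) = n + n/255 + 16 is the worst-case compressed size of n input bytes, i.e. how much incompressible data may grow; it is not a limit on how far a compressed input can expand on decode, so any frame that compressed by more than about 16 bytes plus 0.4% fails this check. The usable bound is the decode expansion limit of roughly 255:1, as in the version reposted in #3 (reject when remaining < uncompressed_size / 255). The `remaining > 0x7E000000U` guard against overflow of the sum is correct as written but becomes unnecessary once the sum is gone.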