Message ID | 20201023183940.31485-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Headers | show |
Series | [FFmpeg-devel,1/8] avcodec/magicyuv: Check slice size before reading flags and pred | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
Michael Niedermayer: > Fixes: heap-buffer-overflow > Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/magicyuv.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c > index ea1f727e5c..e2b7bdd326 100644 > --- a/libavcodec/magicyuv.c > +++ b/libavcodec/magicyuv.c > @@ -267,6 +267,9 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata, > const uint8_t *slice = s->buf + s->slices[i][j].start; > int flags, pred; > > + if (s->slices[i][j].size < 2) > + return AVERROR_INVALIDDATA; > + > flags = bytestream_get_byte(&slice); > pred = bytestream_get_byte(&slice); > > It would be better to add this to line 625 to error out earlier (that's where I forgot to check). - Andreas
On Fri, Oct 23, 2020 at 08:54:33PM +0200, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: heap-buffer-overflow > > Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/magicyuv.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c > > index ea1f727e5c..e2b7bdd326 100644 > > --- a/libavcodec/magicyuv.c > > +++ b/libavcodec/magicyuv.c > > @@ -267,6 +267,9 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata, > > const uint8_t *slice = s->buf + s->slices[i][j].start; > > int flags, pred; > > > > + if (s->slices[i][j].size < 2) > > + return AVERROR_INVALIDDATA; > > + > > flags = bytestream_get_byte(&slice); > > pred = bytestream_get_byte(&slice); > > > > > It would be better to add this to line 625 to error out earlier (that's > where I forgot to check). yes, thats better, will use that and will apply thx [...]
diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index ea1f727e5c..e2b7bdd326 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -267,6 +267,9 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata, const uint8_t *slice = s->buf + s->slices[i][j].start; int flags, pred; + if (s->slices[i][j].size < 2) + return AVERROR_INVALIDDATA; + flags = bytestream_get_byte(&slice); pred = bytestream_get_byte(&slice);
Fixes: heap-buffer-overflow Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/magicyuv.c | 3 +++ 1 file changed, 3 insertions(+)