diff mbox series

[FFmpeg-devel,1/8] avcodec/magicyuv: Check slice size before reading flags and pred

Message ID 20201023183940.31485-1-michael@niedermayer.cc
State Accepted
Headers show
Series [FFmpeg-devel,1/8] avcodec/magicyuv: Check slice size before reading flags and pred
Related show

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Michael Niedermayer Oct. 23, 2020, 6:39 p.m. UTC
Fixes: heap-buffer-overflow
Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/magicyuv.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Andreas Rheinhardt Oct. 23, 2020, 6:54 p.m. UTC | #1
Michael Niedermayer:
> Fixes: heap-buffer-overflow
> Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/magicyuv.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
> index ea1f727e5c..e2b7bdd326 100644
> --- a/libavcodec/magicyuv.c
> +++ b/libavcodec/magicyuv.c
> @@ -267,6 +267,9 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata,
>          const uint8_t *slice = s->buf + s->slices[i][j].start;
>          int flags, pred;
>  
> +        if (s->slices[i][j].size < 2)
> +            return AVERROR_INVALIDDATA;
> +
>          flags = bytestream_get_byte(&slice);
>          pred  = bytestream_get_byte(&slice);
>  
> 
It would be better to add this to line 625 to error out earlier (that's
where I forgot to check).

- Andreas
Michael Niedermayer Oct. 24, 2020, 12:13 p.m. UTC | #2
On Fri, Oct 23, 2020 at 08:54:33PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: heap-buffer-overflow
> > Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/magicyuv.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
> > index ea1f727e5c..e2b7bdd326 100644
> > --- a/libavcodec/magicyuv.c
> > +++ b/libavcodec/magicyuv.c
> > @@ -267,6 +267,9 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata,
> >          const uint8_t *slice = s->buf + s->slices[i][j].start;
> >          int flags, pred;
> >  
> > +        if (s->slices[i][j].size < 2)
> > +            return AVERROR_INVALIDDATA;
> > +
> >          flags = bytestream_get_byte(&slice);
> >          pred  = bytestream_get_byte(&slice);
> >  
> > 
> It would be better to add this to line 625 to error out earlier (that's
> where I forgot to check).

yes, thats better, will use that and will apply

thx

[...]
diff mbox series

Patch

diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
index ea1f727e5c..e2b7bdd326 100644
--- a/libavcodec/magicyuv.c
+++ b/libavcodec/magicyuv.c
@@ -267,6 +267,9 @@  static int magy_decode_slice(AVCodecContext *avctx, void *tdata,
         const uint8_t *slice = s->buf + s->slices[i][j].start;
         int flags, pred;
 
+        if (s->slices[i][j].size < 2)
+            return AVERROR_INVALIDDATA;
+
         flags = bytestream_get_byte(&slice);
         pred  = bytestream_get_byte(&slice);