diff mbox series

[FFmpeg-devel,5/5] avcodec/cfhd: check peak.offset so it stays within the 32bit range

Message ID 20201107231710.24816-5-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/5] avformat/tedcaptionsdec: Check for overflow in parse_int()
Related show

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer Nov. 7, 2020, 11:17 p.m. UTC
Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int'
Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cfhd.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Andreas Rheinhardt Nov. 8, 2020, 2:42 a.m. UTC | #1
Michael Niedermayer:
> Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int'
> Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/cfhd.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
> index a2b9c7c76a..e3fbfa4b91 100644
> --- a/libavcodec/cfhd.c
> +++ b/libavcodec/cfhd.c
> @@ -617,6 +617,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
>              s->peak.level   = 0;
>          } else if (tag == -PeakLevel && s->peak.offset) {
>              s->peak.level = data;
> +            if (s->peak.offset < INT_MIN + 4) {
> +                ret = AVERROR_INVALIDDATA;
> +                goto end;
> +            }
>              bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
>          } else
>              av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);
> 
Is this peak.offset actually intended to be signed? And if so wouldn't
it make more sense to actually check that the buffer contains the seek
target?

- Andreas
Michael Niedermayer Dec. 20, 2020, 9:17 p.m. UTC | #2
On Sun, Nov 08, 2020 at 03:42:30AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: signed integer overflow: -2147483648 - 4 cannot be represented in type 'int'
> > Fixes: 26907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5746202330267648
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/cfhd.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
> > index a2b9c7c76a..e3fbfa4b91 100644
> > --- a/libavcodec/cfhd.c
> > +++ b/libavcodec/cfhd.c
> > @@ -617,6 +617,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
> >              s->peak.level   = 0;
> >          } else if (tag == -PeakLevel && s->peak.offset) {
> >              s->peak.level = data;
> > +            if (s->peak.offset < INT_MIN + 4) {
> > +                ret = AVERROR_INVALIDDATA;
> > +                goto end;
> > +            }
> >              bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
> >          } else
> >              av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);
> > 
> Is this peak.offset actually intended to be signed? 

it is signed in the reference code ive seen


> And if so wouldn't
> it make more sense to actually check that the buffer contains the seek
> target?

the reference code does not check that but i agree it of course makes
sense. posted a patch which should do that

thx

[...]
diff mbox series

Patch

diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index a2b9c7c76a..e3fbfa4b91 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -617,6 +617,10 @@  static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->peak.level   = 0;
         } else if (tag == -PeakLevel && s->peak.offset) {
             s->peak.level = data;
+            if (s->peak.offset < INT_MIN + 4) {
+                ret = AVERROR_INVALIDDATA;
+                goto end;
+            }
             bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
         } else
             av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);