Message ID | 20210303100023.17550-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 787501db16cbe6874ad42acd539fa4595dd64e66 |
Series | [FFmpeg-devel] avformat/mspdec: Check packet_size more completely |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
On Wed, Mar 03, 2021 at 11:00:23AM +0100, Michael Niedermayer wrote:
> Fixes: OOM
> Fixes: 28348/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-4612055872831488
> Fixes: 28360/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-6245230626078720
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mspdec.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)

I seem to have forgotten to post this in December when I wrote it; I found it in my pending patches branch but not on the mailing list

[...]
lgtm On Wed, Mar 3, 2021 at 11:01 AM Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: OOM > Fixes: > 28348/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-4612055872831488 > Fixes: > 28360/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-6245230626078720 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mspdec.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/libavformat/mspdec.c b/libavformat/mspdec.c > index b81d835a63..4845eb3729 100644 > --- a/libavformat/mspdec.c > +++ b/libavformat/mspdec.c > @@ -70,11 +70,12 @@ static int msp_read_header(AVFormatContext *s) > > if (st->codecpar->codec_id == AV_CODEC_ID_RAWVIDEO) { > cntx->packet_size = > av_image_get_buffer_size(st->codecpar->format, st->codecpar->width, > st->codecpar->height, 1); > - if (cntx->packet_size < 0) > - return cntx->packet_size; > } else > cntx->packet_size = 2 * st->codecpar->height; > > + if (cntx->packet_size <= 0) > + return cntx->packet_size < 0 ? cntx->packet_size : > AVERROR_INVALIDDATA; > + > return 0; > } > > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
On Wed, Mar 03, 2021 at 12:58:40PM +0100, Paul B Mahol wrote:
> lgtm
will apply
thx
[...]
diff --git a/libavformat/mspdec.c b/libavformat/mspdec.c index b81d835a63..4845eb3729 100644 --- a/libavformat/mspdec.c +++ b/libavformat/mspdec.c @@ -70,11 +70,12 @@ static int msp_read_header(AVFormatContext *s) if (st->codecpar->codec_id == AV_CODEC_ID_RAWVIDEO) { cntx->packet_size = av_image_get_buffer_size(st->codecpar->format, st->codecpar->width, st->codecpar->height, 1); - if (cntx->packet_size < 0) - return cntx->packet_size; } else cntx->packet_size = 2 * st->codecpar->height; + if (cntx->packet_size <= 0) + return cntx->packet_size < 0 ? cntx->packet_size : AVERROR_INVALIDDATA; + return 0; }
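Review bot: the hunk moves the size check out of the AV_CODEC_ID_RAWVIDEO branch so that it now also covers the `else` path (`cntx->packet_size = 2 * st->codecpar->height`), and it tightens `< 0` to `<= 0`, but nothing in the code says why a zero packet_size has to be refused; the commit message only says "Fixes: OOM". A one-line comment above `if (cntx->packet_size <= 0)` stating what a zero-sized packet does downstream would keep the next reader from having to reconstruct that from the two fuzzer cases. The error mapping itself looks right as far as the visible lines go: a negative value from av_image_get_buffer_size is still propagated unchanged, and a zero from either branch becomes AVERROR_INVALIDDATA rather than being returned as 0, which the old code would have treated as success.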
Fixes: OOM
Fixes: 28348/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-4612055872831488
Fixes: 28360/clusterfuzz-testcase-minimized-ffmpeg_dem_MSP_fuzzer-6245230626078720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mspdec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)