diff mbox series

[FFmpeg-devel] avformat/rawvideodec: check packet size

Message ID 20220106084203.27906-1-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel] avformat/rawvideodec: check packet size | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished

Commit Message

Michael Niedermayer Jan. 6, 2022, 8:42 a.m. UTC 
Fixes: division by zero
Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rawvideodec.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Lance Wang Jan. 6, 2022, 9:05 a.m. UTC | #1 
On Thu, Jan 06, 2022 at 09:42:03AM +0100, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/rawvideodec.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..7581ba2c7d2 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -100,6 +100,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>          if (packet_size < 0)
>              return packet_size;
>      }
> +    if (packet_size == 0)
> +        return AVERROR_INVALIDDATA;

I prefer to return AVERROR(EINVAL).

>  
>      st->codecpar->format = pix_fmt;
>      ctx->packet_size = packet_size;
> -- 
> 2.17.1
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Andreas Rheinhardt Jan. 6, 2022, 9:52 a.m. UTC | #2 
Michael Niedermayer:
> Fixes: division by zero
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/rawvideodec.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..7581ba2c7d2 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -100,6 +100,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>          if (packet_size < 0)
>              return packet_size;
>      }
> +    if (packet_size == 0)
> +        return AVERROR_INVALIDDATA;
>  
>      st->codecpar->format = pix_fmt;
>      ctx->packet_size = packet_size;
> 

1. I agree with Lance that AVERROR(EINVAL) is the proper error code;
after all, the dimensions are based upon options and not read from the
input.
2. The dimensions were checked by av_image_check_size() before
41f213c3bf629d549400e935e7f123e6cfa959ab.
3. The same can happen with bitpacked. Your check should also catch this.
4. But I don't see anything that actually ensures that the
multiplications do not overflow.

- Andreas
diff mbox series

Patch

diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
index 68547fc50ff..7581ba2c7d2 100644
--- a/libavformat/rawvideodec.c
+++ b/libavformat/rawvideodec.c
@@ -100,6 +100,8 @@  static int rawvideo_read_header(AVFormatContext *ctx)
         if (packet_size < 0)
             return packet_size;
     }
+    if (packet_size == 0)
+        return AVERROR_INVALIDDATA;
 
     st->codecpar->format = pix_fmt;
     ctx->packet_size = packet_size;