diff mbox series

[FFmpeg-devel] avformat/rawvideodec: check packet size

Message ID 20220107165111.9929-1-michael@niedermayer.cc
State Accepted
Commit c36a5dfc8f68316f93d03081e5a367b04e1cbd3c
Headers show
Series [FFmpeg-devel] avformat/rawvideodec: check packet size | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished

Commit Message

Michael Niedermayer Jan. 7, 2022, 4:51 p.m. UTC
Fixes: division by zero
Fixes: integer overflow
Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/rawvideodec.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Limin Wang Jan. 8, 2022, 12:27 p.m. UTC | #1
On Fri, Jan 07, 2022 at 05:51:11PM +0100, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/rawvideodec.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..387c4ba80f5 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>      enum AVPixelFormat pix_fmt;
>      AVStream *st;
>      int packet_size;
> +    int ret;
>  
>      st = avformat_new_stream(ctx, NULL);
>      if (!st)
> @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>  
>      avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
>  
> +    ret = av_image_check_size(s->width, s->height, 0, ctx);
> +    if (ret < 0)
> +        return ret;
> +
>      st->codecpar->width  = s->width;
>      st->codecpar->height = s->height;
>  
> @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>          if (packet_size < 0)
>              return packet_size;
>      }
> +    if (packet_size == 0)
> +        return AVERROR(EINVAL);
>  
>      st->codecpar->format = pix_fmt;
>      ctx->packet_size = packet_size;
> -- 
> 2.17.1
> 

LGTM


> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Andreas Rheinhardt Jan. 10, 2022, 9:17 a.m. UTC | #2
Michael Niedermayer:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/rawvideodec.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..387c4ba80f5 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>      enum AVPixelFormat pix_fmt;
>      AVStream *st;
>      int packet_size;
> +    int ret;
>  
>      st = avformat_new_stream(ctx, NULL);
>      if (!st)
> @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>  
>      avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
>  
> +    ret = av_image_check_size(s->width, s->height, 0, ctx);

Looking at av_image_check_size() this seems to ensure that 8 * width
*height fits in an int. So this should indeed fix all the overflows.

> +    if (ret < 0)
> +        return ret;
> +
>      st->codecpar->width  = s->width;
>      st->codecpar->height = s->height;
>  
> @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>          if (packet_size < 0)
>              return packet_size;
>      }
> +    if (packet_size == 0)
> +        return AVERROR(EINVAL);
>  
>      st->codecpar->format = pix_fmt;
>      ctx->packet_size = packet_size;
>
Michael Niedermayer Jan. 13, 2022, 6:44 p.m. UTC | #3
On Fri, Jan 07, 2022 at 05:51:11PM +0100, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/rawvideodec.c | 7 +++++++
>  1 file changed, 7 insertions(+)

will apply
thx for the reviews

[...]
diff mbox series

Patch

diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
index 68547fc50ff..387c4ba80f5 100644
--- a/libavformat/rawvideodec.c
+++ b/libavformat/rawvideodec.c
@@ -42,6 +42,7 @@  static int rawvideo_read_header(AVFormatContext *ctx)
     enum AVPixelFormat pix_fmt;
     AVStream *st;
     int packet_size;
+    int ret;
 
     st = avformat_new_stream(ctx, NULL);
     if (!st)
@@ -62,6 +63,10 @@  static int rawvideo_read_header(AVFormatContext *ctx)
 
     avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
 
+    ret = av_image_check_size(s->width, s->height, 0, ctx);
+    if (ret < 0)
+        return ret;
+
     st->codecpar->width  = s->width;
     st->codecpar->height = s->height;
 
@@ -100,6 +105,8 @@  static int rawvideo_read_header(AVFormatContext *ctx)
         if (packet_size < 0)
             return packet_size;
     }
+    if (packet_size == 0)
+        return AVERROR(EINVAL);
 
     st->codecpar->format = pix_fmt;
     ctx->packet_size = packet_size;