Message ID | 20221127223435.8362-1-michael@niedermayer.cc |
---|---|
State | New |
Series | [FFmpeg-devel,1/3] avcodec/mpeg12dec: Check input size | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Sun, 27 Nov 2022 at 22:34, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: Timeout
> Fixes:
> 53599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IPU_fuzzer-4950102511058944
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/mpeg12dec.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
> index 914516bbd9..c93368e255 100644
> --- a/libavcodec/mpeg12dec.c
> +++ b/libavcodec/mpeg12dec.c
> @@ -2969,6 +2969,9 @@ static int ipu_decode_frame(AVCodecContext *avctx,
> AVFrame *frame,
> GetBitContext *gb = &m->gb;
> int ret;
>
> + if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16)
> * 2 * 7)
> + return AVERROR_INVALIDDATA;
> +
> ret = ff_get_buffer(avctx, frame, 0);
> if (ret < 0)
> return ret;

Where does this AVPacket limitation come from?
Are you able to explain in a comment where these numbers come from? In particular the "2 * 7".

Kieran
On Mon, Nov 28, 2022 at 12:47:32AM +0000, Kieran Kunhya wrote:
> On Sun, 27 Nov 2022 at 22:34, Michael Niedermayer <michael@niedermayer.cc> wrote:
>
> > Fixes: Timeout
> > Fixes:
> > 53599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IPU_fuzzer-4950102511058944
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by
> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/mpeg12dec.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
> > index 914516bbd9..c93368e255 100644
> > --- a/libavcodec/mpeg12dec.c
> > +++ b/libavcodec/mpeg12dec.c
> > @@ -2969,6 +2969,9 @@ static int ipu_decode_frame(AVCodecContext *avctx,
> > AVFrame *frame,
> > GetBitContext *gb = &m->gb;
> > int ret;
> >
> > + if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16)
> > * 2 * 7)
> > + return AVERROR_INVALIDDATA;
> > +
> > ret = ff_get_buffer(avctx, frame, 0);
> > if (ret < 0)
> > return ret;
> >
>
> Where does this AVPacket limitation come from?
> Are you able to explain in a comment where these numbers come from? In
> particular the "2 * 7".

The IPU format has 2 bits minimum per MB except the first, but there's more than 1 bit before, so that can be simplified to 2 bits minimum per MB "header".
Each MB has 6 blocks.
Blocks can be mpeg1 intra or mpeg2 intra.
These will at least contain one DC VLC, and the shortest is 2 bits. We could consider that the luma one is min 3, but I didn't.
Also we could consider the AC EOB; again I didn't.

6 blocks at 2 bits + 2 for the MB is 7*2.
(3*4 + 2*2 + 2) would consider the luma DC separately.
We could add a 6*2 for the AC EOBs, so 2 + 3*4 + 2*2 + 6*2 would be closer to the theoretic minimum.

I will change the code to that and add a comment that this is the minimum MB size considering MB, DC and AC-EOB.

thx

[...]
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 914516bbd9..c93368e255 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -2969,6 +2969,9 @@ static int ipu_decode_frame(AVCodecContext *avctx, AVFrame *frame, GetBitContext *gb = &m->gb; int ret; + if (avpkt->size*8LL < (avctx->width+15)/16 * ((avctx->height+15)/16) * 2 * 7) + return AVERROR_INVALIDDATA; + ret = ff_get_buffer(avctx, frame, 0); if (ret < 0) return ret;
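Review bot: the threshold `* 2 * 7` in the added check is a bare magic number with no derivation in the hunk; a comment should sit beside the `if` stating what it bounds (per the discussion on this patch: a 2-bit macroblock header plus 6 blocks each carrying at least a 2-bit DC VLC, so 7*2 bits per MB), and since the author proposes tightening it to 2 + 3*4 + 2*2 + 6*2 bits by counting the 3-bit luma DC minimum and the 6 AC EOB codes, the comment should say which bound is implemented so a later reader can check it against the intra VLC tables rather than re-deriving it. The product `(avctx->width+15)/16 * ((avctx->height+15)/16) * 2 * 7` evaluates left to right and is correct as written, but parenthesising the width term the same way as the height term would make the mb_width * mb_height intent explicit; placing the reject before `ff_get_buffer()` is the right spot, since an undersized packet is refused before any frame buffer is allocated.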
Fixes: Timeout
Fixes: 53599/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IPU_fuzzer-4950102511058944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/mpeg12dec.c | 3 +++
1 file changed, 3 insertions(+)