Message ID | 20230326222642.2489-4-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | dab1cd2dc0471d497f481736059b2023c5b7986a |
Headers | show |
Series | [FFmpeg-devel,1/4] avcodec/wavarc: Fix several integer overflows | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Sun, 26 Mar 2023, 23:27 Michael Niedermayer, <michael@niedermayer.cc> wrote: > Fixes: Assertion failure on x86-32 > Fixes: > 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/vp3.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c > index 9660def675f..22348559461 100644 > --- a/libavcodec/vp3.c > +++ b/libavcodec/vp3.c > @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext > *avctx) > s->avctx = avctx; > s->width = FFALIGN(avctx->coded_width, 16); > s->height = FFALIGN(avctx->coded_height, 16); > + if (s->width < 18) > + return AVERROR_PATCHWELCOME; > if (avctx->codec_id != AV_CODEC_ID_THEORA) > avctx->pix_fmt = AV_PIX_FMT_YUV420P; > avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; > @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext > *avctx, GetBitContext *gb) > /* sanity check */ > if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 > || > visible_width + offset_x > s->width || > - visible_height + offset_y > s->height) { > + visible_height + offset_y > s->height || > + visible_width < 18 > + ) { > av_log(avctx, AV_LOG_ERROR, > "Invalid frame dimensions - w:%d h:%d x:%d y:%d > (%dx%d).\n", > visible_width, visible_height, offset_x, offset_y, > @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext > *avctx, GetBitContext *gb) > } else > avctx->pix_fmt = AV_PIX_FMT_YUV420P; > > + if (s->width < 18) > + return AVERROR_PATCHWELCOME; > ret = ff_set_dimensions(avctx, s->width, s->height); > if (ret < 0) > return ret; > -- > 2.17.1 > Please provide some explanation around the number "18" Kieran >
Michael Niedermayer: > Fixes: Assertion failure on x86-32 > Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/vp3.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c > index 9660def675f..22348559461 100644 > --- a/libavcodec/vp3.c > +++ b/libavcodec/vp3.c > @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) > s->avctx = avctx; > s->width = FFALIGN(avctx->coded_width, 16); > s->height = FFALIGN(avctx->coded_height, 16); > + if (s->width < 18) > + return AVERROR_PATCHWELCOME; > if (avctx->codec_id != AV_CODEC_ID_THEORA) > avctx->pix_fmt = AV_PIX_FMT_YUV420P; > avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; > @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) > /* sanity check */ > if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || > visible_width + offset_x > s->width || > - visible_height + offset_y > s->height) { > + visible_height + offset_y > s->height || > + visible_width < 18 > + ) { > av_log(avctx, AV_LOG_ERROR, > "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", > visible_width, visible_height, offset_x, offset_y, > @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) > } else > avctx->pix_fmt = AV_PIX_FMT_YUV420P; > > + if (s->width < 18) > + return AVERROR_PATCHWELCOME; > ret = ff_set_dimensions(avctx, s->width, s->height); > if (ret < 0) > return ret; Always mention in the commit message which assertion fails when fixing an assertion. - Andreas
On Mon, Mar 27, 2023 at 01:45:01AM +0100, Kieran Kunhya wrote: > On Sun, 26 Mar 2023, 23:27 Michael Niedermayer, <michael@niedermayer.cc> > wrote: > > > Fixes: Assertion failure on x86-32 > > Fixes: > > 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by > > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > > Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/vp3.c | 8 +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > > diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c > > index 9660def675f..22348559461 100644 > > --- a/libavcodec/vp3.c > > +++ b/libavcodec/vp3.c > > @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext > > *avctx) > > s->avctx = avctx; > > s->width = FFALIGN(avctx->coded_width, 16); > > s->height = FFALIGN(avctx->coded_height, 16); > > + if (s->width < 18) > > + return AVERROR_PATCHWELCOME; > > if (avctx->codec_id != AV_CODEC_ID_THEORA) > > avctx->pix_fmt = AV_PIX_FMT_YUV420P; > > avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; > > @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext > > *avctx, GetBitContext *gb) > > /* sanity check */ > > if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 > > || > > visible_width + offset_x > s->width || > > - visible_height + offset_y > s->height) { > > + visible_height + offset_y > s->height || > > + visible_width < 18 > > + ) { > > av_log(avctx, AV_LOG_ERROR, > > "Invalid frame dimensions - w:%d h:%d x:%d y:%d > > (%dx%d).\n", > > visible_width, visible_height, offset_x, offset_y, > > @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext > > *avctx, GetBitContext *gb) > > } else > > avctx->pix_fmt = AV_PIX_FMT_YUV420P; > > > > + if (s->width < 18) > > + return AVERROR_PATCHWELCOME; > > ret = ff_set_dimensions(avctx, s->width, s->height); > > if (ret < 0) > > return ret; > > -- > > 2.17.1 > > > > Please provide some explanation around the number "18" Its because the source needed for MC of a block is 9x9 and chroma is 1/2 so a width of 18 is ok but 16 could result in a 8 linesize into which a 9x9 block would not fit. This is x86-32 specific probably as the linesize is rouded up more on 64bit If theres some value in such small sizes i could look into adjusting the linesize up in these cases? ill add this to the commit message: Fixes: Assertion failure on x86-32 av_assert2(block_w * sizeof(pixel) <= FFABS(buf_linesize)); in ff_emulated_edge_mc() [...]
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 9660def675f..22348559461 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2353,6 +2353,8 @@ static av_cold int vp3_decode_init(AVCodecContext *avctx) s->avctx = avctx; s->width = FFALIGN(avctx->coded_width, 16); s->height = FFALIGN(avctx->coded_height, 16); + if (s->width < 18) + return AVERROR_PATCHWELCOME; if (avctx->codec_id != AV_CODEC_ID_THEORA) avctx->pix_fmt = AV_PIX_FMT_YUV420P; avctx->chroma_sample_location = AVCHROMA_LOC_CENTER; @@ -2919,7 +2921,9 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) /* sanity check */ if (av_image_check_size(visible_width, visible_height, 0, avctx) < 0 || visible_width + offset_x > s->width || - visible_height + offset_y > s->height) { + visible_height + offset_y > s->height || + visible_width < 18 + ) { av_log(avctx, AV_LOG_ERROR, "Invalid frame dimensions - w:%d h:%d x:%d y:%d (%dx%d).\n", visible_width, visible_height, offset_x, offset_y, @@ -2965,6 +2969,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) } else avctx->pix_fmt = AV_PIX_FMT_YUV420P; + if (s->width < 18) + return AVERROR_PATCHWELCOME; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret;
Fixes: Assertion failure on x86-32 Fixes: 39641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THEORA_fuzzer-5925660741206016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/vp3.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)