diff mbox series

[FFmpeg-devel,4/6] avcodec/evc_parse: Check log2_sub_gop_length

Message ID 20230618215021.3044-4-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/6] avformat/jpegxl_anim_dec: Perform operations in a different order | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer June 18, 2023, 9:50 p.m. UTC
Fixes: 1.70141e+38 is outside the range of representable values of type 'int'
Fixes: 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/evc_parse.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

James Almer June 18, 2023, 10:27 p.m. UTC | #1
On 6/18/2023 6:50 PM, Michael Niedermayer wrote:
> Fixes: 1.70141e+38 is outside the range of representable values of type 'int'
> Fixes: 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/evc_parse.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
> index 44be5c5291..822b236423 100644
> --- a/libavcodec/evc_parse.c
> +++ b/libavcodec/evc_parse.c
> @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext *ctx, const uint8_t *bs, int bs_
>   
>       if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
>           sps->log2_sub_gop_length = get_ue_golomb(&gb);
> +        if (sps->log2_sub_gop_length > 5U)
> +            return NULL;
>           if (sps->log2_sub_gop_length == 0)
>               sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);
>       }

LGTM, but please let me apply it as part of my evc patchset to prevent 
conflicts.
James Almer June 18, 2023, 11:01 p.m. UTC | #2
On 6/18/2023 7:27 PM, James Almer wrote:
> On 6/18/2023 6:50 PM, Michael Niedermayer wrote:
>> Fixes: 1.70141e+38 is outside the range of representable values of 
>> type 'int'
>> Fixes: 
>> 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696
>>
>> Found-by: continuous fuzzing process 
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>   libavcodec/evc_parse.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
>> index 44be5c5291..822b236423 100644
>> --- a/libavcodec/evc_parse.c
>> +++ b/libavcodec/evc_parse.c
>> @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext 
>> *ctx, const uint8_t *bs, int bs_
>>       if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
>>           sps->log2_sub_gop_length = get_ue_golomb(&gb);
>> +        if (sps->log2_sub_gop_length > 5U)
>> +            return NULL;
>>           if (sps->log2_sub_gop_length == 0)
>>               sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);
>>       }
> 
> LGTM, but please let me apply it as part of my evc patchset to prevent 
> conflicts.

Actually, this is leaving the SPS allocated in the array, which should 
be freed if we're going to start erroring out on failed range checks.
I'll amend it before applying it.
James Almer June 19, 2023, 7:03 p.m. UTC | #3
On 6/18/2023 8:01 PM, James Almer wrote:
> On 6/18/2023 7:27 PM, James Almer wrote:
>> On 6/18/2023 6:50 PM, Michael Niedermayer wrote:
>>> Fixes: 1.70141e+38 is outside the range of representable values of 
>>> type 'int'
>>> Fixes: 
>>> 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696
>>>
>>> Found-by: continuous fuzzing process 
>>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>   libavcodec/evc_parse.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
>>> index 44be5c5291..822b236423 100644
>>> --- a/libavcodec/evc_parse.c
>>> +++ b/libavcodec/evc_parse.c
>>> @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext 
>>> *ctx, const uint8_t *bs, int bs_
>>>       if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
>>>           sps->log2_sub_gop_length = get_ue_golomb(&gb);
>>> +        if (sps->log2_sub_gop_length > 5U)
>>> +            return NULL;
>>>           if (sps->log2_sub_gop_length == 0)
>>>               sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);
>>>       }
>>
>> LGTM, but please let me apply it as part of my evc patchset to prevent 
>> conflicts.
> 
> Actually, this is leaving the SPS allocated in the array, which should 
> be freed if we're going to start erroring out on failed range checks.
> I'll amend it before applying it.

Applied.
diff mbox series

Patch

diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c
index 44be5c5291..822b236423 100644
--- a/libavcodec/evc_parse.c
+++ b/libavcodec/evc_parse.c
@@ -277,6 +277,8 @@  EVCParserSPS *ff_evc_parse_sps(EVCParserContext *ctx, const uint8_t *bs, int bs_
 
     if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
         sps->log2_sub_gop_length = get_ue_golomb(&gb);
+        if (sps->log2_sub_gop_length > 5U)
+            return NULL;
         if (sps->log2_sub_gop_length == 0)
             sps->log2_ref_pic_gap_length = get_ue_golomb(&gb);
     }