Message ID | 20230618215021.3044-4-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/6] avformat/jpegxl_anim_dec: Perform operations in a different order | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On 6/18/2023 6:50 PM, Michael Niedermayer wrote: > Fixes: 1.70141e+38 is outside the range of representable values of type 'int' > Fixes: 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/evc_parse.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c > index 44be5c5291..822b236423 100644 > --- a/libavcodec/evc_parse.c > +++ b/libavcodec/evc_parse.c > @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext *ctx, const uint8_t *bs, int bs_ > > if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) { > sps->log2_sub_gop_length = get_ue_golomb(&gb); > + if (sps->log2_sub_gop_length > 5U) > + return NULL; > if (sps->log2_sub_gop_length == 0) > sps->log2_ref_pic_gap_length = get_ue_golomb(&gb); > } LGTM, but please let me apply it as part of my evc patchset to prevent conflicts.
On 6/18/2023 7:27 PM, James Almer wrote: > On 6/18/2023 6:50 PM, Michael Niedermayer wrote: >> Fixes: 1.70141e+38 is outside the range of representable values of >> type 'int' >> Fixes: >> 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696 >> >> Found-by: continuous fuzzing process >> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >> --- >> libavcodec/evc_parse.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c >> index 44be5c5291..822b236423 100644 >> --- a/libavcodec/evc_parse.c >> +++ b/libavcodec/evc_parse.c >> @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext >> *ctx, const uint8_t *bs, int bs_ >> if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) { >> sps->log2_sub_gop_length = get_ue_golomb(&gb); >> + if (sps->log2_sub_gop_length > 5U) >> + return NULL; >> if (sps->log2_sub_gop_length == 0) >> sps->log2_ref_pic_gap_length = get_ue_golomb(&gb); >> } > > LGTM, but please let me apply it as part of my evc patchset to prevent > conflicts. Actually, this is leaving the SPS allocated in the array, which should be freed if we're going to start erroring out on failed range checks. I'll amend it before applying it.
On 6/18/2023 8:01 PM, James Almer wrote: > On 6/18/2023 7:27 PM, James Almer wrote: >> On 6/18/2023 6:50 PM, Michael Niedermayer wrote: >>> Fixes: 1.70141e+38 is outside the range of representable values of >>> type 'int' >>> Fixes: >>> 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696 >>> >>> Found-by: continuous fuzzing process >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >>> --- >>> libavcodec/evc_parse.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c >>> index 44be5c5291..822b236423 100644 >>> --- a/libavcodec/evc_parse.c >>> +++ b/libavcodec/evc_parse.c >>> @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext >>> *ctx, const uint8_t *bs, int bs_ >>> if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) { >>> sps->log2_sub_gop_length = get_ue_golomb(&gb); >>> + if (sps->log2_sub_gop_length > 5U) >>> + return NULL; >>> if (sps->log2_sub_gop_length == 0) >>> sps->log2_ref_pic_gap_length = get_ue_golomb(&gb); >>> } >> >> LGTM, but please let me apply it as part of my evc patchset to prevent >> conflicts. > > Actually, this is leaving the SPS allocated in the array, which should > be freed if we're going to start erroring out on failed range checks. > I'll amend it before applying it. Applied.
diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index 44be5c5291..822b236423 100644 --- a/libavcodec/evc_parse.c +++ b/libavcodec/evc_parse.c @@ -277,6 +277,8 @@ EVCParserSPS *ff_evc_parse_sps(EVCParserContext *ctx, const uint8_t *bs, int bs_ if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) { sps->log2_sub_gop_length = get_ue_golomb(&gb); + if (sps->log2_sub_gop_length > 5U) + return NULL; if (sps->log2_sub_gop_length == 0) sps->log2_ref_pic_gap_length = get_ue_golomb(&gb); }
Fixes: 1.70141e+38 is outside the range of representable values of type 'int' Fixes: 59883/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5557887217565696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/evc_parse.c | 2 ++ 1 file changed, 2 insertions(+)