Message ID | 20230726235916.30058-4-michael@niedermayer.cc |
---|---|
State | New |
Series | [FFmpeg-devel,1/4] avcodec/rtv1: Check if the minimal size is available in decode_rtv1() |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On 7/26/2023 8:59 PM, Michael Niedermayer wrote:
> Fixes: out of array write
> Fixes: 60798/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-4633529766772736
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/evc_ps.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/libavcodec/evc_ps.c b/libavcodec/evc_ps.c
> index 04ee6a45e6..64384a392c 100644
> --- a/libavcodec/evc_ps.c
> +++ b/libavcodec/evc_ps.c
> @@ -243,11 +243,20 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps)
> sps->rpl1_same_as_rpl0_flag = get_bits1(gb);
> sps->num_ref_pic_list_in_sps[0] = get_ue_golomb(gb);
>
> + if ((unsigned)sps->num_ref_pic_list_in_sps[0] >= EVC_MAX_NUM_RPLS) {

EVC_MAX_NUM_RPLS should be 64, not 32 as it's currently defined. So change that too and it LGTM.

> + ret = AVERROR_INVALIDDATA;
> + goto fail;
> + }
> +
> for (int i = 0; i < sps->num_ref_pic_list_in_sps[0]; ++i)
> ref_pic_list_struct(gb, &sps->rpls[0][i]);
>
> if (!sps->rpl1_same_as_rpl0_flag) {
> sps->num_ref_pic_list_in_sps[1] = get_ue_golomb(gb);
> + if ((unsigned)sps->num_ref_pic_list_in_sps[1] >= EVC_MAX_NUM_RPLS) {
> + ret = AVERROR_INVALIDDATA;
> + goto fail;
> + }
> for (int i = 0; i < sps->num_ref_pic_list_in_sps[1]; ++i)
> ref_pic_list_struct(gb, &sps->rpls[1][i]);
> }
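Review bot: with EVC_MAX_NUM_RPLS raised to 64 as asked above, the comparison in `+ if ((unsigned)sps->num_ref_pic_list_in_sps[0] >= EVC_MAX_NUM_RPLS) {` (and its twin for index 1) still rejects a count of exactly 64. The loop it guards, `for (int i = 0; i < sps->num_ref_pic_list_in_sps[0]; ++i)`, indexes `sps->rpls[0][i]` only up to count-1, so if rpls[0] is declared with EVC_MAX_NUM_RPLS entries a count equal to EVC_MAX_NUM_RPLS fits and `>` is the exact bound; `>=` is only right if the array is smaller than the constant. The declaration of rpls is not in this hunk, so whoever applies the 32-to-64 change should check it and pick `>` or `>=` to match, and the v2 commit message could say which array the check protects.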
On Wed, Jul 26, 2023 at 09:19:10PM -0300, James Almer wrote:
> On 7/26/2023 8:59 PM, Michael Niedermayer wrote:
> > Fixes: out of array write
> > Fixes: 60798/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-4633529766772736
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/evc_ps.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > diff --git a/libavcodec/evc_ps.c b/libavcodec/evc_ps.c
> > index 04ee6a45e6..64384a392c 100644
> > --- a/libavcodec/evc_ps.c
> > +++ b/libavcodec/evc_ps.c
> > @@ -243,11 +243,20 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps)
> > sps->rpl1_same_as_rpl0_flag = get_bits1(gb);
> > sps->num_ref_pic_list_in_sps[0] = get_ue_golomb(gb);
> > + if ((unsigned)sps->num_ref_pic_list_in_sps[0] >= EVC_MAX_NUM_RPLS) {
>
> EVC_MAX_NUM_RPLS should be 64, not 32 as it's currently defined. So change
> that too and it LGTM.

ok will do

thx for reviewing

[...]
diff --git a/libavcodec/evc_ps.c b/libavcodec/evc_ps.c index 04ee6a45e6..64384a392c 100644 --- a/libavcodec/evc_ps.c +++ b/libavcodec/evc_ps.c @@ -243,11 +243,20 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps) sps->rpl1_same_as_rpl0_flag = get_bits1(gb); sps->num_ref_pic_list_in_sps[0] = get_ue_golomb(gb); + if ((unsigned)sps->num_ref_pic_list_in_sps[0] >= EVC_MAX_NUM_RPLS) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + for (int i = 0; i < sps->num_ref_pic_list_in_sps[0]; ++i) ref_pic_list_struct(gb, &sps->rpls[0][i]); if (!sps->rpl1_same_as_rpl0_flag) { sps->num_ref_pic_list_in_sps[1] = get_ue_golomb(gb); + if ((unsigned)sps->num_ref_pic_list_in_sps[1] >= EVC_MAX_NUM_RPLS) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (int i = 0; i < sps->num_ref_pic_list_in_sps[1]; ++i) ref_pic_list_struct(gb, &sps->rpls[1][i]); }
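Review bot: both new checks validate the count only after it has been written into the context (`sps->num_ref_pic_list_in_sps[0] = get_ue_golomb(gb);` followed by the `if`, and the same sequence for index 1), so on the `goto fail` path the EVCParamSets still holds an out-of-range or negative count; what `fail` does with the half-filled sps is outside this hunk, and if the structure can outlive the error it would be safer to read the value into a local, check it, and only then store it. The `(unsigned)` cast also deserves a one-line comment: its job is to turn a negative error return from get_ue_golomb() into a value above EVC_MAX_NUM_RPLS so that it is rejected rather than used as a loop bound, and that intent is not obvious from the line itself.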
Fixes: out of array write
Fixes: 60798/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-4633529766772736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/evc_ps.c | 9 +++++++++
1 file changed, 9 insertions(+)
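As an added example, not FFmpeg's code and not anything posted in this thread, the following C program reproduces the shape of the bounds check the patch introduces: a ue(v) exp-Golomb read of a list count that is then used to index a fixed-size array, with the check placed between the read and the loop. The bit reader, the writer used to construct the sample streams, and the names MAX_NUM_RPLS, Sps, RplStruct, read_rpl_list, parse_sps, build_and_parse and last_sps are stand-ins of my own, not FFmpeg's get_ue_golomb(), EVCParamSets or ff_evc_parse_sps(); the array size of 64 is an assumption taken from the review comment. It exercises the rejection path on a count of 100, on a stream truncated mid-entry, and on an all-zero stream, where the negative error return is exactly what the (unsigned) comparison catches.

```c
/* Added example, not FFmpeg code: a minimal exp-Golomb reader plus an SPS-like parser
 * shaped like the evc_ps.c fix. Every type, macro and function name is a hypothetical stand-in. */
#include <stdint.h>
#include <string.h>

#define MAX_NUM_RPLS    64      /* assumed array size; the value asked for in review */
#define ERR_INVALIDDATA (-1)    /* stand-in for AVERROR_INVALIDDATA */
typedef struct { const uint8_t *buf; size_t nbits, pos; } BitReader;
typedef struct { uint8_t buf[256]; size_t pos; } BitWriter;
typedef struct { int num_ref_pics; } RplStruct;   /* stand-in for ref_pic_list_struct() output */
typedef struct {
    int rpl1_same_as_rpl0_flag;
    int num_ref_pic_list_in_sps[2];
    RplStruct rpls[2][MAX_NUM_RPLS];
} Sps;
static Sps last_sps;            /* result of the most recent parse, for inspection */

static int get_bit(BitReader *br)
{
    if (br->pos >= br->nbits) return -1;          /* truncated input */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v): n leading zeros, a 1, then n info bits; value = 2^n - 1 + info.
 * Failures return a negative value, which is why callers compare via (unsigned). */
static int get_ue(BitReader *br)
{
    int zeros = 0, bit;
    uint32_t info = 0;
    while ((bit = get_bit(br)) == 0)
        if (++zeros > 30) return ERR_INVALIDDATA;  /* value would not fit an int */
    if (bit < 0) return ERR_INVALIDDATA;
    for (int i = 0; i < zeros; i++) {
        if ((bit = get_bit(br)) < 0) return ERR_INVALIDDATA;
        info = (info << 1) | (uint32_t)bit;
    }
    return (int)(((1u << zeros) - 1) + info);
}

static int read_rpl_list(BitReader *br, Sps *sps, int idx)
{
    int n = get_ue(br);
    sps->num_ref_pic_list_in_sps[idx] = n;
    /* The check the patch adds: (unsigned) folds a negative error return into the
     * rejected range. rpls[idx] has exactly MAX_NUM_RPLS slots here, so a count equal
     * to MAX_NUM_RPLS still fits and '>' is the exact bound (the patch's '>=' would
     * refuse it too). Without this line a count of 100 drives the loop past the array. */
    if ((unsigned)n > MAX_NUM_RPLS) return ERR_INVALIDDATA;
    for (int i = 0; i < n; i++) {                 /* i < n <= MAX_NUM_RPLS */
        int v = get_ue(br);
        if (v < 0) return ERR_INVALIDDATA;
        sps->rpls[idx][i].num_ref_pics = v;
    }
    return 0;
}

static int parse_sps(const uint8_t *buf, size_t nbits, Sps *sps)
{
    BitReader br = { buf, nbits, 0 };
    int ret, flag = get_bit(&br);
    memset(sps, 0, sizeof(*sps));
    if (flag < 0) return ERR_INVALIDDATA;
    sps->rpl1_same_as_rpl0_flag = flag;
    if ((ret = read_rpl_list(&br, sps, 0)) < 0) return ret;
    if (!flag && (ret = read_rpl_list(&br, sps, 1)) < 0) return ret;
    return 0;
}

/* Constructed sample input: a tiny ue(v) writer so the cases below read clearly. */
static void put_bit(BitWriter *bw, int bit)
{
    if (bw->pos >= sizeof(bw->buf) * 8) return;   /* inputs used here always fit */
    if (bit) bw->buf[bw->pos >> 3] |= (uint8_t)(0x80 >> (bw->pos & 7));
    bw->pos++;
}

static void put_ue(BitWriter *bw, uint32_t v)
{
    uint32_t code = v + 1;
    int len = 0;
    while ((code >> len) > 1) len++;              /* len = floor(log2(code)) */
    for (int i = 0; i < len; i++) put_bit(bw, 0);
    for (int i = len; i >= 0; i--) put_bit(bw, (code >> i) & 1);
}

/* Writes flag, ue(n0), n0 entries (ue(i+1)) and, if !flag, ue(n1) plus n1 entries; cuts
 * 'drop_bits' from the end to model a truncated SPS; parses the result into last_sps. */
static int build_and_parse(int same_flag, uint32_t n0, uint32_t n1, size_t drop_bits)
{
    BitWriter bw;
    memset(&bw, 0, sizeof(bw));
    put_bit(&bw, same_flag);
    put_ue(&bw, n0);
    for (uint32_t i = 0; i < n0; i++) put_ue(&bw, i + 1);
    if (!same_flag) {
        put_ue(&bw, n1);
        for (uint32_t i = 0; i < n1; i++) put_ue(&bw, i + 1);
    }
    return parse_sps(bw.buf, bw.pos > drop_bits ? bw.pos - drop_bits : 0, &last_sps);
}
```

Because this example's array is declared with exactly MAX_NUM_RPLS entries it compares with `>` rather than the patch's `>=`; which of the two is exact for FFmpeg depends on how rpls is declared there, which this thread does not show. The all-zero stream case is the one worth keeping in mind when reading the patch: the count read fails, a negative value is stored, and only the cast to unsigned keeps that value from becoming the loop bound.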