Message ID | 20230807004949.31634-2-michael@niedermayer.cc
---|---
State | New
Series | [FFmpeg-devel,1/5] avcodec/mv30: Allocate frame later
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
NAK
On Mon, Aug 07, 2023 at 10:22:25AM +0200, Paul B Mahol wrote:
> NAK
will apply unless you provide technical comments
thx
[...]
On 9/22/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Mon, Aug 07, 2023 at 10:22:25AM +0200, Paul B Mahol wrote:
>> NAK
>
> will apply unless you provide technical comments

NAK, never provided proof that this hack does not break decoding.
This is not really a security fix.

> thx
>
> [...]
>
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Good people do not need laws to tell them to act responsibly, while bad
> people will find a way around the laws. -- Plato
On Fri, Sep 22, 2023 at 09:31:39PM +0200, Paul B Mahol wrote:
> On 9/22/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > On Mon, Aug 07, 2023 at 10:22:25AM +0200, Paul B Mahol wrote:
> >> NAK
> >
> > will apply unless you provide technical comments
>
> NAK, never provided proof that this hack does not break decoding.

I think I did in
"[FFmpeg-devel] [PATCH v2] avcodec/mv30: Check the input length before allocation"

It seems I replied to the older of these fixes by mistake, but really they do the same.

[...]

thx
On 9/22/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Fri, Sep 22, 2023 at 09:31:39PM +0200, Paul B Mahol wrote:
>> On 9/22/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
>> > On Mon, Aug 07, 2023 at 10:22:25AM +0200, Paul B Mahol wrote:
>> >> NAK
>> >
>> > will apply unless you provide technical comments
>>
>> NAK, never provided proof that this hack does not break decoding.
>
> i think i did in
> "[FFmpeg-devel] [PATCH v2] avcodec/mv30: Check the input length before
> allocation"
>
> it seems i replied to the older of these fixes by mistake, but really
> they do the same

If this one appears to need to be reverted because it breaks decoding, then you should resign from your current role.

> [...]
>
> thx
>
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> Some people wanted to paint the bikeshed green, some blue and some pink.
> People argued and fought, when they finally agreed, only rust was left.
diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c index 0b19534b00..a5d272762b 100644 --- a/libavcodec/mv30.c +++ b/libavcodec/mv30.c @@ -411,6 +411,8 @@ static int decode_intra(AVCodecContext *avctx, GetBitContext *gb, AVFrame *frame mgb = *gb; if (get_bits_left(gb) < s->mode_size * 8) return AVERROR_INVALIDDATA; + if (get_bits_left(gb) < 2 * 6 * (avctx->height / 16) * (avctx->width / 16)) + return AVERROR_INVALIDDATA; skip_bits_long(gb, s->mode_size * 8); @@ -476,6 +478,9 @@ static int decode_inter(AVCodecContext *avctx, GetBitContext *gb, int ret, cnt = 0; int flags = 0; + if (get_bits_left(gb) < (mask_size + s->mode_size) * 8) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0) return ret;
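Review bot: the bound `2 * 6 * (avctx->height / 16) * (avctx->width / 16)` added to decode_intra is unexplained; a one-line comment stating what minimum per-macroblock bit count the `2 * 6` encodes, and why every valid stream must satisfy it, would let reviewers verify that the check cannot reject legitimate input, which is exactly the objection raised in this thread. Note also that the comparison runs before `skip_bits_long(gb, s->mode_size * 8)`, so the mode bytes still count toward the bound; if the bound is meant for the block data that follows the mode table, compare against `s->mode_size * 8 + 2 * 6 * ...` or move the check after the skip.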
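Review bot: the check `get_bits_left(gb) < (mask_size + s->mode_size) * 8` added to decode_inter carries no comment on why it must precede `ff_get_buffer()`; since the commit message only says `Fixes: Timeout`, add a line noting that returning before the frame allocation is the point (input that cannot hold the mask and mode tables should not cost a buffer). If the existing body of decode_inter validates `mask_size` or `mode_size` again further down, that later check becomes redundant once this one is in and should be dropped or reduced to an assertion so the two bounds do not drift apart.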
Fixes: Timeout
Fixes: 60867/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-6381933108527104
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/mv30.c | 5 +++++
 1 file changed, 5 insertions(+)