diff mbox series

[FFmpeg-devel,1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size

Message ID 20230921180912.10733-1-michael@niedermayer.cc
State New
Headers show
Series [FFmpeg-devel,1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Sept. 21, 2023, 6:09 p.m. UTC 
Fixes: out of array access
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/osq.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paul B Mahol Sept. 21, 2023, 6:14 p.m. UTC | #1 
On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: out of array access
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/osq.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> index e7f11691d2e..bcc75fef6fc 100644
> --- a/libavcodec/osq.c
> +++ b/libavcodec/osq.c
> @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
> AVFrame *frame)
>      GetBitContext *gb = &s->gb;
>      int ret, n;
>
> +    if (s->pkt_offset > s->pkt->size)
> +        s->pkt_offset = 0;
>

This is more hack than real fix.

Can you provide input file?


> +
>      while (s->bitstream_size < s->max_framesize) {
>          int size;
>
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
Michael Niedermayer Sept. 22, 2023, 4:47 p.m. UTC | #2 
On Thu, Sep 21, 2023 at 08:14:31PM +0200, Paul B Mahol wrote:
> On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
> > Fixes: out of array access
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
> > Fixes:
> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by
> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/osq.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> > index e7f11691d2e..bcc75fef6fc 100644
> > --- a/libavcodec/osq.c
> > +++ b/libavcodec/osq.c
> > @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
> > AVFrame *frame)
> >      GetBitContext *gb = &s->gb;
> >      int ret, n;
> >
> > +    if (s->pkt_offset > s->pkt->size)
> > +        s->pkt_offset = 0;
> >
> 
> This is more hack than real fix.

why ?

pkt->size is reset outside the codec, so either it needs to be
checked on codec entry or the codec should not use
internal->in_pkt and expect its size to be conserved
or implement flush() or something

ff_decode_flush_buffers() for example will clear teh packet

if you prefer i can implement flush() and reset pkt_offset in it
that probably would achieve teh same
just say if you prefer that ?

thx

[...]
Paul B Mahol Sept. 22, 2023, 5:36 p.m. UTC | #3 
On 9/22/23, Michael Niedermayer <michael@niedermayer.cc> wrote:
> On Thu, Sep 21, 2023 at 08:14:31PM +0200, Paul B Mahol wrote:
>> On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer
>> <michael@niedermayer.cc>
>> wrote:
>>
>> > Fixes: out of array access
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
>> > Fixes:
>> > 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
>> >
>> > Found-by: continuous fuzzing process
>> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> > Signed-off-by
>> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
>> > Michael Niedermayer <michael@niedermayer.cc>
>> > ---
>> >  libavcodec/osq.c | 3 +++
>> >  1 file changed, 3 insertions(+)
>> >
>> > diff --git a/libavcodec/osq.c b/libavcodec/osq.c
>> > index e7f11691d2e..bcc75fef6fc 100644
>> > --- a/libavcodec/osq.c
>> > +++ b/libavcodec/osq.c
>> > @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
>> > AVFrame *frame)
>> >      GetBitContext *gb = &s->gb;
>> >      int ret, n;
>> >
>> > +    if (s->pkt_offset > s->pkt->size)
>> > +        s->pkt_offset = 0;
>> >
>>
>> This is more hack than real fix.
>
> why ?
>
> pkt->size is reset outside the codec, so either it needs to be
> checked on codec entry or the codec should not use
> internal->in_pkt and expect its size to be conserved
> or implement flush() or something
>
> ff_decode_flush_buffers() for example will clear teh packet
>
> if you prefer i can implement flush() and reset pkt_offset in it
> that probably would achieve teh same
> just say if you prefer that ?

Yup, that is much cleaner, go ahead with that solution with flush().
I forgot about flush() case completely.

>
> thx
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> When the tyrant has disposed of foreign enemies by conquest or treaty, and
> there is nothing more to fear from them, then he is always stirring up
> some war or other, in order that the people may require a leader. -- Plato
>
diff mbox series

Patch

diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index e7f11691d2e..bcc75fef6fc 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -408,6 +408,9 @@  static int osq_receive_frame(AVCodecContext *avctx, AVFrame *frame)
     GetBitContext *gb = &s->gb;
     int ret, n;
 
+    if (s->pkt_offset > s->pkt->size)
+        s->pkt_offset = 0;
+
     while (s->bitstream_size < s->max_framesize) {
         int size;