From patchwork Thu Sep 21 18:09:07 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 43866
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Thu, 21 Sep 2023 20:09:07 +0200 Message-Id: <20230921180912.10733-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 X-GND-Sasl: michael@niedermayer.cc Subject: [FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" X-TUID: ltgP+pnhzbvk Fixes: out of array access Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448 Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/osq.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index e7f11691d2e..bcc75fef6fc 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx, AVFrame *frame) GetBitContext *gb = &s->gb; int ret, n; + if (s->pkt_offset > s->pkt->size) + s->pkt_offset = 0; + while (s->bitstream_size < s->max_framesize) { int size;
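Review bot: the recovery in the new check at the top of osq_receive_frame silently rewinds to the start of the packet rather than rejecting it; `s->pkt_offset > s->pkt->size` can only be reached through corrupted or inconsistent decoder state, so either return AVERROR_INVALIDDATA here or add a comment explaining why restarting the read at offset 0 is the intended behaviour (and why it cannot re-trigger the out-of-array access on the next iteration of the `while (s->bitstream_size < s->max_framesize)` loop). The commit message lists the fuzzer cases but not how pkt_offset came to exceed the packet size; a sentence on the root cause would make the chosen clamp easier to review. Also worth confirming in the message that `pkt_offset == pkt->size` is a legitimate "fully consumed" state, since the check deliberately uses `>` rather than `>=`.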