Message ID | 20231004225921.30287-2-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | ac4e3e188af8bf6f0c4a808a24f6ff0daba78248 |
Headers | show |
Series | [FFmpeg-devel,1/4] avcodec/jpeg2000dec: Check image offset | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
> -----Original Message----- > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of > Michael Niedermayer > Sent: czwartek, 5 października 2023 00:59 > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> > Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check > num_remaining_tiles_in_slice_minus1 > > Fixes: out of array access > Fixes: 62467/clusterfuzz-testcase-minimized- > ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688 > > Found-by: continuous fuzzing process > https://protect2.fireeye.com/v1/url?k=10fdc12a-701f5c77-10fc4a65- > 000babd9f1ba-c93ee30773aca891&q=1&e=409cddd0-bda7-445c-b76b- > 1caf069ec3f8&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss- > fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/evc_parse.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index > bd3a4416f2d..5ab33166cf3 100644 > --- a/libavcodec/evc_parse.c > +++ b/libavcodec/evc_parse.c > @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb, > EVCParserSliceHeader *sh, > if (!sh->arbitrary_slice_flag) > sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1); > else { > - sh->num_remaining_tiles_in_slice_minus1 = get_ue_golomb_long(gb); > - num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1 + 2; > + unsigned num_remaining_tiles_in_slice_minus1 = > get_ue_golomb_long(gb); > + if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS * > EVC_MAX_TILE_COLUMNS - 2) > + return AVERROR_INVALIDDATA; > + > + num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2; > + sh->num_remaining_tiles_in_slice_minus1 = > + num_remaining_tiles_in_slice_minus1; > for (int i = 0; i < num_tiles_in_slice - 1; ++i) > sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb); > } > -- > 2.17.1 > Reviewed and tested. It can be merged. > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://protect2.fireeye.com/v1/url?k=91e63ba2-f104a6ff-91e7b0ed- > 000babd9f1ba-bd82db9b8a752a77&q=1&e=409cddd0-bda7-445c-b76b- > 1caf069ec3f8&u=https%3A%2F%2Fffmpeg.org%2Fmailman%2Flistinfo%2Fffmp > eg-devel > > To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org > with subject "unsubscribe".
On Fri, Oct 27, 2023 at 10:07:38AM +0200, Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics wrote: > > > > > > -----Original Message----- > > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of > > Michael Niedermayer > > Sent: czwartek, 5 października 2023 00:59 > > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> > > Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check > > num_remaining_tiles_in_slice_minus1 > > > > Fixes: out of array access > > Fixes: 62467/clusterfuzz-testcase-minimized- > > ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688 > > > > Found-by: continuous fuzzing process > > https://protect2.fireeye.com/v1/url?k=10fdc12a-701f5c77-10fc4a65- > > 000babd9f1ba-c93ee30773aca891&q=1&e=409cddd0-bda7-445c-b76b- > > 1caf069ec3f8&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss- > > fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/evc_parse.c | 8 ++++++-- > > 1 file changed, 6 insertions(+), 2 deletions(-) > > > > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index > > bd3a4416f2d..5ab33166cf3 100644 > > --- a/libavcodec/evc_parse.c > > +++ b/libavcodec/evc_parse.c > > @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb, > > EVCParserSliceHeader *sh, > > if (!sh->arbitrary_slice_flag) > > sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1); > > else { > > - sh->num_remaining_tiles_in_slice_minus1 = > get_ue_golomb_long(gb); > > - num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1 > + 2; > > + unsigned num_remaining_tiles_in_slice_minus1 = > > get_ue_golomb_long(gb); > > + if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS * > > EVC_MAX_TILE_COLUMNS - 2) > > + return AVERROR_INVALIDDATA; > > + > > + num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2; > > + sh->num_remaining_tiles_in_slice_minus1 = > > + num_remaining_tiles_in_slice_minus1; > > for (int i = 0; i < num_tiles_in_slice - 1; ++i) > > sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb); > > } > > -- > > 2.17.1 > > > > Reviewed and tested. It can be merged. will apply thx [...]
Michael Could you please apply the following patch [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check num_remaining_tiles_in_slice_minus1 https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231004225921.30287-2-michael@niedermayer.cc/ Dawid > -----Original Message----- > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of > Michael Niedermayer > Sent: piątek, 27 października 2023 21:43 > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> > Subject: Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check > num_remaining_tiles_in_slice_minus1 > > On Fri, Oct 27, 2023 at 10:07:38AM +0200, Dawid Kozinski/Multimedia (PLT) > /SRPOL/Staff Engineer/Samsung Electronics wrote: > > > > > > > > > > > -----Original Message----- > > > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of > > > Michael Niedermayer > > > Sent: czwartek, 5 października 2023 00:59 > > > To: FFmpeg development discussions and patches > > > <ffmpeg-devel@ffmpeg.org> > > > Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_parse: Check > > > num_remaining_tiles_in_slice_minus1 > > > > > > Fixes: out of array access > > > Fixes: 62467/clusterfuzz-testcase-minimized- > > > ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688 > > > > > > Found-by: continuous fuzzing process > > > https://protect2.fireeye.com/v1/url?k=10fdc12a-701f5c77-10fc4a65- > > > 000babd9f1ba-c93ee30773aca891&q=1&e=409cddd0-bda7-445c-b76b- > > > 1caf069ec3f8&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss- > > > fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > --- > > > libavcodec/evc_parse.c | 8 ++++++-- > > > 1 file changed, 6 insertions(+), 2 deletions(-) > > > > > > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index > > > bd3a4416f2d..5ab33166cf3 100644 > > > --- a/libavcodec/evc_parse.c > > > +++ b/libavcodec/evc_parse.c > > > @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb, > > > EVCParserSliceHeader *sh, > > > if (!sh->arbitrary_slice_flag) > > > sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1); > > > else { > > > - sh->num_remaining_tiles_in_slice_minus1 = > > get_ue_golomb_long(gb); > > > - num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1 > > + 2; > > > + unsigned num_remaining_tiles_in_slice_minus1 = > > > get_ue_golomb_long(gb); > > > + if (num_remaining_tiles_in_slice_minus1 > > > > + EVC_MAX_TILE_ROWS * > > > EVC_MAX_TILE_COLUMNS - 2) > > > + return AVERROR_INVALIDDATA; > > > + > > > + num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2; > > > + sh->num_remaining_tiles_in_slice_minus1 = > > > + num_remaining_tiles_in_slice_minus1; > > > for (int i = 0; i < num_tiles_in_slice - 1; ++i) > > > sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb); > > > } > > > -- > > > 2.17.1 > > > > > > > Reviewed and tested. It can be merged. > > will apply > > thx > > [...] > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > Homeopathy is like voting while filling the ballot out with transparent ink. > Sometimes the outcome one wanted occurs. Rarely its worse than filling out a > ballot properly.
On Thu, Nov 09, 2023 at 10:27:28AM +0100, Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics wrote: > Michael > > Could you please apply the following patch yes, sorry i somehow seem to have forgotten thx [...]
diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index bd3a4416f2d..5ab33166cf3 100644 --- a/libavcodec/evc_parse.c +++ b/libavcodec/evc_parse.c @@ -58,8 +58,12 @@ int ff_evc_parse_slice_header(GetBitContext *gb, EVCParserSliceHeader *sh, if (!sh->arbitrary_slice_flag) sh->last_tile_id = get_bits(gb, pps->tile_id_len_minus1 + 1); else { - sh->num_remaining_tiles_in_slice_minus1 = get_ue_golomb_long(gb); - num_tiles_in_slice = sh->num_remaining_tiles_in_slice_minus1 + 2; + unsigned num_remaining_tiles_in_slice_minus1 = get_ue_golomb_long(gb); + if (num_remaining_tiles_in_slice_minus1 > EVC_MAX_TILE_ROWS * EVC_MAX_TILE_COLUMNS - 2) + return AVERROR_INVALIDDATA; + + num_tiles_in_slice = num_remaining_tiles_in_slice_minus1 + 2; + sh->num_remaining_tiles_in_slice_minus1 = num_remaining_tiles_in_slice_minus1; for (int i = 0; i < num_tiles_in_slice - 1; ++i) sh->delta_tile_id_minus1[i] = get_ue_golomb_long(gb); }
Fixes: out of array access Fixes: 62467/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-6092990982258688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/evc_parse.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)