| Message ID | 20231004225921.30287-4-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
| Series | [FFmpeg-devel,1/4] avcodec/jpeg2000dec: Check image offset | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
> -----Original Message----- > From: ffmpeg-devel <ffmpeg-devel-bounces@ffmpeg.org> On Behalf Of > Michael Niedermayer > Sent: czwartek, 5 października 2023 00:59 > To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> > Subject: [FFmpeg-devel] [PATCH 4/4] avcodec/evc_parse: Check tid > > The check is based on not infinite looping. It is likely a more strict check can be > done > > Fixes: Infinite loop > Fixes: 62473/clusterfuzz-testcase-minimized- > ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5719883750703104 > > Found-by: continuous fuzzing process > https://protect2.fireeye.com/v1/url?k=a44f565e-c532bcdd-a44edd11- > 74fe48600158-625c91e4183f7607&q=1&e=5e707773-ad1c-4987-a095- > 2350d52c5cd3&u=https%3A%2F%2Fgithub.com%2Fgoogle%2Foss- > fuzz%2Ftree%2Fmaster%2Fprojects%2Fffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/evc_parse.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index > 20b6849041a..8c0ef16f3ad 100644 > --- a/libavcodec/evc_parse.c > +++ b/libavcodec/evc_parse.c > @@ -178,6 +178,9 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const > EVCParserSliceHeader *sh, > } else { > int SubGopLength = 1 << sps->log2_sub_gop_length; > > + if (tid > 1 + av_log2(SubGopLength - 1)) > + return AVERROR_INVALIDDATA; > + > if (tid == 0) { > poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength; > poc->DocOffset = 0; int SubGopLength = 1 << sps->log2_sub_gop_length; if (tid > 1 + av_log2(SubGopLength - 1)) return AVERROR_INVALIDDATA; For the value of SubGopLength = 1 ( if sps->log2_sub_gop_length = 0; "The value of log2_sub_gop_length shall be in the range of 0 to 5, inclusive" - ISO_IEC_23094-1-2020 7.4.3.1), we have av_log2(0). The value of the logarithm of 0 with any base (in this case, log2) is minus infinity (-inf) Perhaps we should consider changing the condition to: if (tid < 0 || tid > av_log2(SubGopLength)) return AVERROR_INVALIDDATA; > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://protect2.fireeye.com/v1/url?k=30e716c0-519afc43-30e69d8f- > 74fe48600158-4965ec93628418ff&q=1&e=5e707773-ad1c-4987-a095- > 2350d52c5cd3&u=https%3A%2F%2Fffmpeg.org%2Fmailman%2Flistinfo%2Fffmp > eg-devel > > To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org > with subject "unsubscribe".
diff --git a/libavcodec/evc_parse.c b/libavcodec/evc_parse.c index 20b6849041a..8c0ef16f3ad 100644 --- a/libavcodec/evc_parse.c +++ b/libavcodec/evc_parse.c @@ -178,6 +178,9 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh, } else { int SubGopLength = 1 << sps->log2_sub_gop_length; + if (tid > 1 + av_log2(SubGopLength - 1)) + return AVERROR_INVALIDDATA; + if (tid == 0) { poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength; poc->DocOffset = 0;
The check is based on not infinite looping. It is likely a more strict check can be done Fixes: Infinite loop Fixes: 62473/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5719883750703104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/evc_parse.c | 3 +++ 1 file changed, 3 insertions(+)