
[FFmpeg-devel,8/9] avcodec/smcenc: width < 4 is unsupported

Message ID 20240616230831.912377-8-michael@niedermayer.cc
State New
Series [FFmpeg-devel,1/9] avcodec/targaenc: Allocate space for the palette

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished

Commit Message

Michael Niedermayer June 16, 2024, 11:08 p.m. UTC
Fixes: out of array read
Fixes: 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/smcenc.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paul B Mahol June 17, 2024, 7:50 a.m. UTC | #1
On Mon, Jun 17, 2024 at 1:09 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> Fixes: out of array read
> Fixes:
> 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/smcenc.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
> index 789aef4f770..d70cce900ec 100644
> --- a/libavcodec/smcenc.c
> +++ b/libavcodec/smcenc.c
> @@ -537,6 +537,9 @@ static int smc_encode_frame(AVCodecContext *avctx,
> AVPacket *pkt,
>      uint8_t *pal;
>      int ret;
>
> +    if (avctx->width < 4)
> +        return AVERROR_PATCHWELCOME;
> +
>

I just enabled address sanitizer for the smc encoder and I do not get any
errors.
Where is the log of where the overread happens?



>      ret = ff_alloc_packet(avctx, pkt, 8LL * avctx->height * avctx->width);
>      if (ret < 0)
>          return ret;
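Review bot: the new `if (avctx->width < 4)` check sits in smc_encode_frame, so it runs on every frame and only fails once the first frame is sent; since avctx->width is fixed when the encoder is opened, the same check belongs in the encoder's init callback so that avcodec_open2() rejects the configuration up front. It should also be paired with an av_log() error line naming the unsupported width, because a bare `return AVERROR_PATCHWELCOME;` gives the caller no hint about why encoding failed.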
> --
> 2.45.2
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
Michael Niedermayer June 17, 2024, 11:52 p.m. UTC | #2
On Mon, Jun 17, 2024 at 09:50:18AM +0200, Paul B Mahol wrote:
> On Mon, Jun 17, 2024 at 1:09 AM Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> 
> > Fixes: out of array read
> > Fixes:
> > 68939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-587804104884224
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/smcenc.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
> > index 789aef4f770..d70cce900ec 100644
> > --- a/libavcodec/smcenc.c
> > +++ b/libavcodec/smcenc.c
> > @@ -537,6 +537,9 @@ static int smc_encode_frame(AVCodecContext *avctx,
> > AVPacket *pkt,
> >      uint8_t *pal;
> >      int ret;
> >
> > +    if (avctx->width < 4)
> > +        return AVERROR_PATCHWELCOME;
> > +
> >
> 
> I just enabled address sanitizer for the smc encoder and I do not get any
> errors.
> Where is the log of where the overread happens?

Log is below:

+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
Time ran: 0.04435396194458008
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 267861690
INFO: Loaded 1 modules   (65950 inline 8-bit counters): 65950 [0x8b8e570, 0x8b9e70e),
INFO: Loaded 1 PC tables (65950 PCs): 65950 [0x8a2d0d0,0x8aaddc0),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-0e842ae89cdd58a7ef107605832b8beb5821004e
=================================================================
==23375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf76af7fe at pc 0x08141703 bp 0xffb541a8 sp 0xffb53d80
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x8141702 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
    #1 0x8141c31 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
    #2 0x822ccab in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
    #3 0x822ccab in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
    #4 0x820f5cc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11
    #5 0x82114db in encode_simple_internal /src/ffmpeg/libavcodec/encode.c:340:15
    #6 0x82114db in encode_simple_receive_packet /src/ffmpeg/libavcodec/encode.c:354:15
    #7 0x82114db in encode_receive_packet_internal /src/ffmpeg/libavcodec/encode.c:388:15
    #8 0x821082f in avcodec_send_frame /src/ffmpeg/libavcodec/encode.c:531:15
    #9 0x81ef067 in encode /src/ffmpeg/tools/target_enc_fuzzer.c:56:11
    #10 0x81ef067 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:186:15
    #11 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7c6aed4 in __libc_start_main
    #16 0x8091075 in _start
0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
    #0 0x81ab67a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x884f02f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x880036a in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x8821c97 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
    #4 0x8821c97 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
    #5 0x81eed9f in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:171:15
    #6 0x80aefce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x8099f2e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x809fb30 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x80c9717 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0xf7c6aed4 in __libc_start_main
SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141702)
Shadow bytes around the buggy address:
  0x3eed5ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3eed5ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3eed5ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x3eed5f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3eed5f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23375==ABORTING
+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
READ of size 1 at 0xf76af7fe thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x8141702  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141702)
    #1 0x8141c31  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141c31)
    #2 0x822ccab  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x822ccab)
    #3 0x820f5cc  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x820f5cc)
    #4 0x82114db  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x82114db)
    #5 0x821082f  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x821082f)
    #6 0x81ef067  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ef067)
    #7 0x80aefce  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aefce)
    #8 0x8099f2e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099f2e)
    #9 0x809fb30  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809fb30)
    #10 0x80c9717  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9717)
    #11 0xf7c6aed4  (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
    #12 0x8091075  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8091075)
0xf76af7fe is located 2 bytes to the left of 264320-byte region [0xf76af800,0xf76f0080)
allocated by thread T0 here:
    #0 0x81ab67a  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ab67a)
    #1 0x884f02f  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x884f02f)
    #2 0x880036a  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x880036a)
    #3 0x8821c97  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8821c97)
    #4 0x81eed9f  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eed9f)
    #5 0x80aefce  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aefce)
    #6 0x8099f2e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099f2e)
    #7 0x809fb30  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809fb30)
    #8 0x80c9717  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9717)
    #9 0xf7c6aed4  (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
ORIGINAL STACKTRACE ON REVISION 9C6C4F3D476D7A8D423EC3B954254C6A67EBC792 (110 LINES)
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/e3430abcedf901dbb1adbcd2478114b79cdd58a7ef107605832b8beb5821004e
Time ran: 0.05047249794006348
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2836813750
INFO: Loaded 1 modules   (65781 inline 8-bit counters): 65781 [0x8b7f310, 0x8b8f405),
INFO: Loaded 1 PC tables (65781 PCs): 65781 [0x8a20d40,0x8aa14e8),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/e3430abcedf901dbb1adbcd2478114b79cdd58a7ef107605832b8beb5821004e
=================================================================
==1182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf791b7fe at pc 0x08141413 bp 0xffafff08 sp 0xffaffae0
READ of size 1 at 0xf791b7fe thread T0
    #0 0x8141412 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned int), void const*, void const*, unsigned int) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:860:7
    #1 0x8141941 in memcmp /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:892:10
    #2 0x822c60b in smc_encode_stream /src/ffmpeg/libavcodec/smcenc.c:193:30
    #3 0x822c60b in smc_encode_frame /src/ffmpeg/libavcodec/smcenc.c:560:5
    #4 0x820efcc in ff_encode_encode_cb /src/ffmpeg/libavcodec/encode.c:254:11
    #5 0x8210edb in encode_simple_internal /src/ffmpeg/libavcodec/encode.c:340:15
    #6 0x8210edb in encode_simple_receive_packet /src/ffmpeg/libavcodec/encode.c:354:15
    #7 0x8210edb in encode_receive_packet_internal /src/ffmpeg/libavcodec/encode.c:388:15
    #8 0x821022f in avcodec_send_frame /src/ffmpeg/libavcodec/encode.c:531:15
    #9 0x81eed77 in encode /src/ffmpeg/tools/target_enc_fuzzer.c:56:11
    #10 0x81eed77 in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:186:15
    #11 0x80aecde in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #12 0x8099c3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x809f840 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #14 0x80c9427 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0xf7bdced4 in __libc_start_main
    #16 0x8090d85 in _start
0xf791b7fe is located 2 bytes to the left of 296064-byte region [0xf791b800,0xf7963c80)
allocated by thread T0 here:
    #0 0x81ab38a in posix_memalign /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x885246f in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x88037ca in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x88250d7 in get_video_buffer /src/ffmpeg/libavutil/frame.c:215:21
    #4 0x88250d7 in av_frame_get_buffer /src/ffmpeg/libavutil/frame.c:294:16
    #5 0x81eeaaf in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_enc_fuzzer.c:171:15
    #6 0x80aecde in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x8099c3e in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned int) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x809f840 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x80c9427 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0xf7bdced4 in __libc_start_main
SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141412)
Shadow bytes around the buggy address:
  0x3ef236a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3ef236e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ef236f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x3ef23700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3ef23740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1182==ABORTING
+----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
==1182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf791b7fe at pc 0x08141413 bp 0xffafff08 sp 0xffaffae0
READ of size 1 at 0xf791b7fe thread T0
    #0 0x8141412  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141412)
    #1 0x8141941  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8141941)
    #2 0x822c60b  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x822c60b)
    #3 0x820efcc  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x820efcc)
    #4 0x8210edb  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8210edb)
    #5 0x821022f  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x821022f)
    #6 0x81eed77  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eed77)
    #7 0x80aecde  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aecde)
    #8 0x8099c3e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099c3e)
    #9 0x809f840  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809f840)
    #10 0x80c9427  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9427)
    #11 0xf7bdced4  (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)
    #12 0x8090d85  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8090d85)
0xf791b7fe is located 2 bytes to the left of 296064-byte region [0xf791b800,0xf7963c80)
allocated by thread T0 here:
    #0 0x81ab38a  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81ab38a)
    #1 0x885246f  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x885246f)
    #2 0x88037ca  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x88037ca)
    #3 0x88250d7  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x88250d7)
    #4 0x81eeaaf  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x81eeaaf)
    #5 0x80aecde  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80aecde)
    #6 0x8099c3e  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x8099c3e)
    #7 0x809f840  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x809f840)
    #8 0x80c9427  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds-i386_ffmpeg_bbf927d7e4cde0b71897048111a2d684e48dfab7/revisions/ffmpeg_AV_CODEC_ID_SMC_fuzzer+0x80c9427)
    #9 0xf7bdced4  (/lib32/libc.so.6+0x1aed4) (BuildId: 8c11d7b4ac6d685f0bba1cf2506a80f64d314582)

[...]
Paul B Mahol June 18, 2024, 7:42 a.m. UTC | #3
Fixed by making nx/ny always >= 0.
Michael Niedermayer June 25, 2024, 7:56 p.m. UTC | #4
On Tue, Jun 18, 2024 at 09:42:50AM +0200, Paul B Mahol wrote:
> Fixed by making nx/ny always >= 0.

will apply your commit

thx

[...]

Patch

diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c
index 789aef4f770..d70cce900ec 100644
--- a/libavcodec/smcenc.c
+++ b/libavcodec/smcenc.c
@@ -537,6 +537,9 @@  static int smc_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
     uint8_t *pal;
     int ret;
 
+    if (avctx->width < 4)
+        return AVERROR_PATCHWELCOME;
+
     ret = ff_alloc_packet(avctx, pkt, 8LL * avctx->height * avctx->width);
     if (ret < 0)
         return ret;
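Review bot: the `if (avctx->width < 4)` guard treats the symptom rather than the fault. The ASan trace posted in the thread reports a 1-byte read located 2 bytes to the left of the frame buffer, reached through memcmp from smc_encode_stream at smcenc.c:193, which points at a block offset going negative rather than at an input too small to hold a block, and the follow-up in the thread fixes exactly that by keeping nx/ny >= 0. Prefer the fix to the offset computation in smc_encode_stream so that small widths are encoded correctly instead of rejected; if a minimum-size requirement is kept anyway, the commit message should say why 4 is the threshold, and the reproducer referenced in the Fixes: line should be re-run under ASan against the clamped version to confirm the read no longer occurs.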