
[FFmpeg-devel,3/4] avformat/img2dec: ensure input padding is zeroed

Message ID 20240627004037.1336-3-kasper93@gmail.com
State New
Series [FFmpeg-devel,1/4] avcodec/jpegxl_parser: ensure input padding is zeroed

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Kacper Michajlow June 27, 2024, 12:40 a.m. UTC
Fixes use of uninitialized value, reported by MSAN. Specifically in
jpegxl parser.

Found by OSS-Fuzz.

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavformat/img2dec.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Paul B Mahol June 27, 2024, 6:59 a.m. UTC | #1
On Thu, Jun 27, 2024 at 3:57 AM Kacper Michajłow <kasper93@gmail.com> wrote:

> Fixes use of uninitialized value, reported by MSAN. Specifically in
> jpegxl parser.
>
> Found by OSS-Fuzz.
>
> Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
> ---
>  libavformat/img2dec.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c
> index ba52353074..c667d8574c 100644
> --- a/libavformat/img2dec.c
> +++ b/libavformat/img2dec.c
> @@ -549,6 +549,8 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket
> *pkt)
>          }
>      }
>
> +    memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
> +
>      if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) {
>          if (ret[0] < 0) {
>              res = ret[0];
> --
> 2.43.0
>
>
Isn't this done generically already?
Otherwise this fix is just fixing one single case of numerous others not
covered.


Andreas Rheinhardt June 27, 2024, 8:11 a.m. UTC | #2
Paul B Mahol:
> On Thu, Jun 27, 2024 at 3:57 AM Kacper Michajłow <kasper93@gmail.com> wrote:
> 
>> Fixes use of uninitialized value, reported by MSAN. Specifically in
>> jpegxl parser.
>>
>> Found by OSS-Fuzz.
>>
>> Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
>> ---
>>  libavformat/img2dec.c | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c
>> index ba52353074..c667d8574c 100644
>> --- a/libavformat/img2dec.c
>> +++ b/libavformat/img2dec.c
>> @@ -549,6 +549,8 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket
>> *pkt)
>>          }
>>      }
>>
>> +    memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
>> +
>>      if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) {
>>          if (ret[0] < 0) {
>>              res = ret[0];
>> --
>> 2.43.0
>>
>>
> Isn't this done generically already?
> Otherwise this fix is just fixing one single case of numerous others not
> covered.
> 

av_new_packet() zeroes the padding, but if less is read than intended, the
bytes after the payload are uninitialized.

- Andreas
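The short-read case Andreas describes, as an added C example (not FFmpeg code): a buffer is allocated for the intended size plus padding and the padding is zeroed up front, but a read that returns fewer bytes leaves a gap between the real payload end and the pre-zeroed region, and re-zeroing the padding after the final size, as the patch does, closes it. PADDING_SIZE, POISON, struct packet and the helper names are this example's own stand-ins, not FFmpeg identifiers.

```c
/* Added example, not FFmpeg code: models a packet buffer whose padding is
 * zeroed at allocation time (as av_new_packet() does) and then shrunk after
 * a short read. PADDING_SIZE stands in for AV_INPUT_BUFFER_PADDING_SIZE. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PADDING_SIZE 64      /* stand-in for AV_INPUT_BUFFER_PADDING_SIZE */
#define POISON 0xAA          /* marks bytes nobody initialized */

struct packet { uint8_t *data; size_t size; };

/* Allocate size + padding and zero only the padding, like av_new_packet(). */
static int packet_new(struct packet *pkt, size_t size) {
    pkt->data = malloc(size + PADDING_SIZE);
    if (!pkt->data) return -1;
    memset(pkt->data, POISON, size);          /* simulate uninitialized heap */
    memset(pkt->data + size, 0, PADDING_SIZE);
    pkt->size = size;
    return 0;
}

/* A reader that delivers only `got` of the `want` bytes requested; the caller
 * shrinks pkt->size to what was read. With fix_padding set, the patch's memset
 * re-zeroes PADDING_SIZE bytes after the new end; this stays in bounds because
 * the allocation was made for the larger intended size. */
static void short_read(struct packet *pkt, size_t got, int fix_padding) {
    memset(pkt->data, 0x11, got);            /* payload actually read */
    pkt->size = got;
    if (fix_padding)
        memset(pkt->data + pkt->size, 0, PADDING_SIZE);
}

/* Count bytes in the padding window after the payload that were never written. */
static size_t uninit_padding_bytes(const struct packet *pkt) {
    size_t n = 0;
    for (size_t i = 0; i < PADDING_SIZE; i++)
        if (pkt->data[pkt->size + i] == POISON) n++;
    return n;
}

/* Returns how many padding bytes a parser reading past pkt->size would see
 * uninitialized for a given intended size, actual size and fix setting. */
size_t demo(size_t want, size_t got, int fix_padding) {
    struct packet pkt;
    if (got > want || packet_new(&pkt, want) < 0) return (size_t)-1;
    short_read(&pkt, got, fix_padding);
    size_t n = uninit_padding_bytes(&pkt);
    free(pkt.data);
    return n;
}
```

A full read (got == want) shows no gap, which is why the generic zeroing in av_new_packet() looks sufficient until a short read occurs.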

Patch

diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c
index ba52353074..c667d8574c 100644
--- a/libavformat/img2dec.c
+++ b/libavformat/img2dec.c
@@ -549,6 +549,8 @@  int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt)
         }
     }
 
+    memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
+
     if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) {
         if (ret[0] < 0) {
             res = ret[0];
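Review bot: the added memset zeroes exactly AV_INPUT_BUFFER_PADDING_SIZE bytes starting at pkt->data + pkt->size, so it is only correct if pkt->size has already been reduced to the number of bytes actually read and the buffer was allocated for the larger intended size (which keeps the write in bounds); neither precondition is visible in this hunk, so a short comment above the memset stating why av_new_packet()'s own padding zeroing is not enough here (a short read leaves the bytes between the payload end and the originally zeroed padding uninitialized) would answer the question raised in the thread for the next reader. It would also be worth noting in that comment that the memset runs before the ret[] error check, so it executes on the failure path as well.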