| Message ID | 20240627004037.1336-3-kasper93@gmail.com |
|---|---|
| State | New |
| Series | [FFmpeg-devel,1/4] avcodec/jpegxl_parser: ensure input padding is zeroed |

| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
On Thu, Jun 27, 2024 at 3:57 AM Kacper Michajłow <kasper93@gmail.com> wrote:
> Fixes use of uninitialized value, reported by MSAN. Specifically in
> jpegxl parser.
>
> Found by OSS-Fuzz.
>
> Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
> ---
> libavformat/img2dec.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c
> index ba52353074..c667d8574c 100644
> --- a/libavformat/img2dec.c
> +++ b/libavformat/img2dec.c
> @@ -549,6 +549,8 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket
> *pkt)
> }
> }
>
> + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
> +
> if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) {
> if (ret[0] < 0) {
> res = ret[0];
> --
> 2.43.0
>

Isn't this done generically already?
Otherwise this fix is just fixing one single case of numerous others not covered.
Paul B Mahol:
> On Thu, Jun 27, 2024 at 3:57 AM Kacper Michajłow <kasper93@gmail.com> wrote:
>
>> Fixes use of uninitialized value, reported by MSAN. Specifically in
>> jpegxl parser.
>>
>> Found by OSS-Fuzz.
>>
>> Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
>> ---
>> libavformat/img2dec.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c
>> index ba52353074..c667d8574c 100644
>> --- a/libavformat/img2dec.c
>> +++ b/libavformat/img2dec.c
>> @@ -549,6 +549,8 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket
>> *pkt)
>> }
>> }
>>
>> + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
>> +
>> if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) {
>> if (ret[0] < 0) {
>> res = ret[0];
>> --
>> 2.43.0
>>
>>
> Isn't this done generically already?
> Otherwise this fix is just fixing one single case of numerous others not
> covered.
>

av_new_packet() is zeroing the padding, but in case that less is read than intended the bytes after the payload bytes are uninitialized.

- Andreas
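The short-read gap Andreas describes, as an added model that is not FFmpeg's code: `Packet`, `new_packet()`, `short_read()` and `PADDING` are hypothetical stand-ins for AVPacket, av_new_packet(), avio_read() and AV_INPUT_BUFFER_PADDING_SIZE, the 0xAA fill stands in for whatever malloc leaves in the payload area, and the payload bytes are constructed. The model allocates size + PADDING and zeroes only the PADDING bytes after the requested size, then shrinks `pkt->size` after a short read and checks whether the PADDING bytes that now follow the payload are still zero, with and without the patch's memset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: same value as AV_INPUT_BUFFER_PADDING_SIZE in current FFmpeg. */
#define PADDING 64

typedef struct {
    uint8_t *data;
    int size;   /* payload bytes present, i.e. what a consumer may read */
    int alloc;  /* payload bytes requested at allocation (padding excluded) */
} Packet;

/* Hypothetical stand-in for av_new_packet(): allocate size + PADDING and
 * zero only the PADDING bytes after the *requested* size. The payload area
 * is left as malloc returned it; here it is filled with 0xAA so the
 * "uninitialized" state is deterministic and visible. */
static int new_packet(Packet *pkt, int size)
{
    pkt->data = malloc((size_t)size + PADDING);
    if (!pkt->data)
        return -1;
    memset(pkt->data, 0xAA, (size_t)size);   /* constructed stand-in for garbage */
    memset(pkt->data + size, 0, PADDING);    /* the zeroing av_new_packet does */
    pkt->size  = size;
    pkt->alloc = size;
    return 0;
}

/* Hypothetical stand-in for avio_read(): the source only holds `have`
 * bytes, so asking for `want` > `have` produces a short read. */
static int short_read(uint8_t *dst, int want, int have)
{
    int n = have < want ? have : want;
    memset(dst, 0x42, (size_t)n);            /* constructed payload */
    return n;
}

/* Read `want` bytes from a source of `have` bytes, shrink pkt->size to what
 * was actually read, and optionally apply the patch's memset. */
static int read_into_packet(Packet *pkt, int want, int have, bool apply_fix)
{
    if (new_packet(pkt, want) < 0)
        return -1;
    int n = short_read(pkt->data, want, have);
    pkt->size = n;
    if (apply_fix)
        memset(pkt->data + pkt->size, 0, PADDING);
    return n;
}

/* The contract parsers and bit readers rely on: the PADDING bytes that
 * follow pkt->size are zero, so an over-read past the payload sees zeros. */
static bool padding_is_zero(const Packet *pkt)
{
    for (int i = 0; i < PADDING; i++)
        if (pkt->data[pkt->size + i] != 0)
            return false;
    return true;
}

/* Run one scenario and report whether the padding contract holds. */
static bool scenario_holds(int want, int have, bool apply_fix)
{
    Packet pkt;
    if (read_into_packet(&pkt, want, have, apply_fix) < 0)
        return false;
    bool ok = padding_is_zero(&pkt);
    free(pkt.data);
    return ok;
}

int main(void)
{
    printf("full read, no fix      : %s\n", scenario_holds(1024, 1024, false) ? "zeroed" : "garbage");
    printf("short read, no fix     : %s\n", scenario_holds(1024, 700, false)  ? "zeroed" : "garbage");
    printf("short read, with memset: %s\n", scenario_holds(1024, 700, true)   ? "zeroed" : "garbage");
    return 0;
}
```

The interesting case is a short read by fewer than PADDING bytes: the PADDING bytes after the shrunken `pkt->size` then straddle the end of the garbage payload area and the start of the zeroed tail, so a parser that over-reads by even one byte sees uninitialized data. A consumer that is fed the whole allocation is not protected either way; the contract only covers PADDING bytes past `pkt->size`.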
diff --git a/libavformat/img2dec.c b/libavformat/img2dec.c index ba52353074..c667d8574c 100644 --- a/libavformat/img2dec.c +++ b/libavformat/img2dec.c @@ -549,6 +549,8 @@ int ff_img_read_packet(AVFormatContext *s1, AVPacket *pkt) } } + memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE); + if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0) { if (ret[0] < 0) { res = ret[0];
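Review bot: the `memset(pkt->data + pkt->size, 0, AV_INPUT_BUFFER_PADDING_SIZE)` only restores the padding contract if `pkt->size` has already been reduced to the bytes actually read by the time control reaches this point, and it zeroes exactly AV_INPUT_BUFFER_PADDING_SIZE bytes, so after a short read anything between `pkt->size + AV_INPUT_BUFFER_PADDING_SIZE` and the originally requested end stays uninitialized; consumers that honor `pkt->size` plus the padding never touch that region, but the commit message should say that this narrower scope is intended rather than "ensure input padding is zeroed" in general. The memset is also placed above the `if (ret[0] <= 0 || ret[1] < 0 || ret[2] < 0)` check, so it runs on the failure path where `res = ret[0]` is about to be returned; moving it below that block keeps the zeroing next to the successful-read case it is meant for.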
Fixes use of uninitialized value, reported by MSAN. Specifically in
jpegxl parser.

Found by OSS-Fuzz.

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
 libavformat/img2dec.c | 2 ++
 1 file changed, 2 insertions(+)