Message ID | 20240731195410.274508-1-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/6] avcodec/cbs: sei_3d_reference_displays_info uses length 0 elements | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Wed, Jul 31, 2024 at 09:54:10PM +0200, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: 70741/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5703668010647552 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/snow.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) I intend to apply this and the other snow patch (which was on the ML since a while with a different commit message) very soon because they affect upcoming point releases [...]
On 7/31/2024 4:54 PM, Michael Niedermayer wrote: > Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192 > Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/cbs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c > index b26e39eab4d..dcbc86a5f7d 100644 > --- a/libavcodec/cbs.c > +++ b/libavcodec/cbs.c > @@ -605,7 +605,7 @@ static av_always_inline int cbs_read_unsigned(CodedBitstreamContext *ctx, > > CBS_TRACE_READ_START(); > > - av_assert0(width > 0 && width <= 32); > + av_assert0(width >= 0 && width <= 32); No, sei_3d_reference_displays_info should instead not attempt to read from the bitstream when width is 0. I'll send a patch for this later. > > if (get_bits_left(gbc) < width) { > av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at "
diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c index b26e39eab4d..dcbc86a5f7d 100644 --- a/libavcodec/cbs.c +++ b/libavcodec/cbs.c @@ -605,7 +605,7 @@ static av_always_inline int cbs_read_unsigned(CodedBitstreamContext *ctx, CBS_TRACE_READ_START(); - av_assert0(width > 0 && width <= 32); + av_assert0(width >= 0 && width <= 32); if (get_bits_left(gbc) < width) { av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid value at "
Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192 Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/cbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)