From patchwork Tue Mar 22 23:09:10 2022
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 34912
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Wed, 23 Mar 2022 00:09:10 +0100
Subject: [FFmpeg-devel] [PATCH 2/4] avcodec/vp9_superframe_bsf: Check for existence of data before reading it

Packets without data need to be handled specially in order to avoid undefined reads. Pass these packets through unchanged in case there are no cached packets* and error out in case there are cached packets: Returning the packet would mess with the order of the packets; if one returned the zero-sized packet before the superframe that will be created from the packets in the cache, the zero-sized packet would overtake the packets in the cache; if one returned the packet later, the packets that complete the superframe will overtake the zero-sized packet.

*: This case e.g. encompasses the scenario of updated extradata side-data at the end.

Fixes: Out of array read
Fixes: 45722/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_fuzzer-5173378975137792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Andreas Rheinhardt
---
The current way of passthrough has been suggested by James.

libavcodec/vp9_superframe_bsf.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/vp9_superframe_bsf.c b/libavcodec/vp9_superframe_bsf.c index 57681e29e4..df9b97fa3c 100644 --- a/libavcodec/vp9_superframe_bsf.c +++ b/libavcodec/vp9_superframe_bsf.c
@@ -108,6 +108,15 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *pkt) if (res < 0) return res; + if (!pkt->size) { + /* In case the cache is empty we can pass side-data-only packets + * through unchanged. Otherwise, such a packet makes no sense. */ + if (!s->n_cache) + return 0; + res = AVERROR_INVALIDDATA; + goto done; + } + marker = pkt->data[pkt->size - 1]; if ((marker & 0xe0) == 0xc0) { int nbytes = 1 + ((marker >> 3) & 0x3);
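Review bot: The error branch of the new `if (!pkt->size)` block fails silently: `res = AVERROR_INVALIDDATA; goto done;` gives the caller no hint that a zero-sized packet arrived while `s->n_cache` was non-zero. An `av_log(ctx, AV_LOG_ERROR, ...)` line before the `goto` would make this rejection diagnosable when it shows up in a fuzzing or field report. The placement of the check is right, directly ahead of `marker = pkt->data[pkt->size - 1];`, which is the read that indexes before the start of the buffer when `pkt->size` is 0. Two smaller points: the comment speaks of "side-data-only packets", but the condition tests only `pkt->size`, so a packet with neither data nor side data is passed through as well, and the comment could say so; and the early `return 0` skips the `done` label while the error path uses it, so it is worth confirming against the rest of the function (not visible in this hunk) that nothing set up before this point relies on the `done` cleanup.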