From patchwork Sun Aug 11 18:17:25 2024
X-Patchwork-Submitter: Mark Thompson
X-Patchwork-Id: 50989
Message-ID: <011aa19c-d4dd-4dec-b7e6-3243187a215f@jkqxz.net>
Date: Sun, 11 Aug 2024 19:17:25 +0100
From: Mark Thompson
To: ffmpeg-devel@ffmpeg.org
References: <20240807235333.2148870-1-michael@niedermayer.cc> <20240807235333.2148870-2-michael@niedermayer.cc>
In-Reply-To:
Subject: [FFmpeg-devel] [PATCH] cbs_vp9: Ensure that the two superframe_header instances are identical

Fixes: use of uninitialized value
Fixes: 70907/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-6339363208757248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
On 11/08/2024 19:05, Mark Thompson wrote:
> The correct fix therefore would be to constrain the second read values to be identical to the first, not to introduce new syntax elements not in the standard to cover the invalid case.

Like this.  (Marked in the same way as your suggested patch based on my assumption that it fixes the problem - please check.)

Trace output is correct in the normal case, and catches the error in the bad one:

[trace_headers @ 0x55a0f5decb40] Packet: 11971 bytes, pts 366, dts 366.
[trace_headers @ 0x55a0f5decb40] Superframe Index
[trace_headers @ 0x55a0f5decb40] 0   superframe_marker                   110 = 6
[trace_headers @ 0x55a0f5decb40] 3   bytes_per_framesize_minus_1          01 = 1
[trace_headers @ 0x55a0f5decb40] 5   frames_in_superframe_minus_1        001 = 1
[trace_headers @ 0x55a0f5decb40] 8   frame_sizes[0]         1011110000101110 = 11964
[trace_headers @ 0x55a0f5decb40] 24  frame_sizes[1]         0000000100000000 = 1
[trace_headers @ 0x55a0f5decb40] 40  superframe_marker                   110 = 6
[trace_headers @ 0x55a0f5decb40] 43  bytes_per_framesize_minus_1          01 = 1
[trace_headers @ 0x55a0f5decb40] 45  frames_in_superframe_minus_1        001 = 1

or

[trace_headers @ 0x555af04d7b40] Packet: 11971 bytes, pts 366, dts 366.
[trace_headers @ 0x555af04d7b40] Superframe Index
[trace_headers @ 0x555af04d7b40] 0   superframe_marker                   110 = 6
[trace_headers @ 0x555af04d7b40] 3   bytes_per_framesize_minus_1          01 = 1
[trace_headers @ 0x555af04d7b40] 5   frames_in_superframe_minus_1        001 = 1
[trace_headers @ 0x555af04d7b40] 8   frame_sizes[0]         1011110000101110 = 11964
[trace_headers @ 0x555af04d7b40] 24  frame_sizes[1]         0000000100000000 = 1
[trace_headers @ 0x555af04d7b40] 40  superframe_marker                   110 = 6
[trace_headers @ 0x555af04d7b40] 43  bytes_per_framesize_minus_1          10 = 2
[trace_headers @ 0x555af04d7b40] bytes_per_framesize_minus_1 out of range: 2, but must be in [1,1].
[vost#0:0/copy @ 0x555af0538400] Error applying bitstream filters to a packet: Invalid data found when processing input

Thanks,

- Mark

 libavcodec/cbs_vp9_syntax_template.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/cbs_vp9_syntax_template.c b/libavcodec/cbs_vp9_syntax_template.c
index 2f08eccf18..5ed3c700dc 100644
--- a/libavcodec/cbs_vp9_syntax_template.c
+++ b/libavcodec/cbs_vp9_syntax_template.c
@@ -421,9 +421,14 @@ static int FUNC(superframe_index)(CodedBitstreamContext *ctx, RWContext *rw, frame_sizes[i], 1, i); } - f(3, superframe_marker); - f(2, bytes_per_framesize_minus_1); - f(3, frames_in_superframe_minus_1); + // Second instance of the superframe header must be identical + // to the first. + fixed(3, superframe_marker, + current->superframe_marker); + fixed(2, bytes_per_framesize_minus_1, + current->bytes_per_framesize_minus_1); + fixed(3, frames_in_superframe_minus_1, + current->frames_in_superframe_minus_1); return 0; }
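Review bot: a disagreement between the two header copies is now reported only through the generic range message of fixed() (the failing trace above shows "bytes_per_framesize_minus_1 out of range: 2, but must be in [1,1]"), which never tells the user that the second superframe_header differed from the first; consider an av_log() naming the actual cause before the error return, or at least extend the added comment to say that this range message is the expected diagnostic for that case. The three fixed() calls compare against current->superframe_marker, current->bytes_per_framesize_minus_1 and current->frames_in_superframe_minus_1, so the check itself matches the comment "Second instance of the superframe header must be identical to the first"; since the Fixes: trailers were carried over from the earlier patch on the assumption that this resolves the uninitialized read, the commit message should state that the clusterfuzz testcase was re-run against this version.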
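The same invariant seen from the packet side, as an added example that is not FFmpeg code: it locates the superframe index from the trailing marker byte and rejects a packet whose leading and trailing header bytes disagree, such as a tail of 0xd1 (bytes_per_framesize_minus_1 = 2) against a head of 0xc9, which is what the failing trace above reports. The function and type names are my own; the sample packet is constructed to match the sizes in the trace.

```c
/* Added example, not FFmpeg code: locate the VP9 superframe index at the end
 * of a packet and require both copies of its header byte to be identical. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    unsigned bytes_per_framesize, frames_in_superframe; /* *_minus_1 fields + 1 */
    uint32_t frame_sizes[8];
} Vp9SuperframeIndex;

/* Returns 0 and fills idx on success, -1 if the packet carries no valid index
 * (no marker, truncated, header copies differ, or frame sizes do not fit). */
int vp9_parse_superframe_index(const uint8_t *pkt, size_t len,
                               Vp9SuperframeIndex *idx)
{
    if (len < 1 || (pkt[len - 1] & 0xe0) != 0xc0) /* superframe_marker == 110 */
        return -1;
    uint8_t hdr = pkt[len - 1];
    unsigned bpf = ((hdr >> 3) & 3) + 1, n = (hdr & 7) + 1;
    size_t index_size = 2 + (size_t)bpf * n;
    if (len < index_size)
        return -1;
    const uint8_t *p = pkt + len - index_size;
    /* Second instance of the header must be identical to the first; this is
     * the malformed input that the patch's fixed() reads reject. */
    if (p[0] != hdr)
        return -1;
    size_t total = 0;
    for (unsigned i = 0; i < n; i++) {
        uint32_t sz = 0;
        for (unsigned b = 0; b < bpf; b++)  /* frame sizes are little-endian */
            sz |= (uint32_t)p[1 + i * bpf + b] << (8 * b);
        idx->frame_sizes[i] = sz;
        total += sz;
    }
    if (total != len - index_size)          /* frames must fill the payload */
        return -1;
    idx->bytes_per_framesize = bpf;
    idx->frames_in_superframe = n;
    return 0;
}

/* Constructed sample matching the trace above: frames of 11964 and 1 bytes,
 * 2-byte sizes, header byte 0xc9 (110 01 001), 6-byte index, 11971 bytes in
 * all; corrupt_tail makes the trailing byte 0xd1 (bytes_per_framesize_minus_1
 * = 2) as in the failing trace. Payload bytes are left zero. */
static uint8_t g_pkt[11971];
int parse_sample(int corrupt_tail, Vp9SuperframeIndex *idx)
{
    uint8_t *p = g_pkt + sizeof(g_pkt) - 6;
    p[0] = 0xc9; p[1] = 0xbc; p[2] = 0x2e; p[3] = 0x01; p[4] = 0x00;
    p[5] = corrupt_tail ? 0xd1 : 0xc9;
    return vp9_parse_superframe_index(g_pkt, sizeof(g_pkt), idx);
}
```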