[FFmpeg-devel] [PATCH 1/5] avcodec/vp56: Consider the alpha start as end of the prior header

Michael Niedermayer michael at niedermayer.cc
Tue Aug 13 12:31:46 EEST 2019


On Mon, Aug 12, 2019 at 09:03:41PM +1000, Peter Ross wrote:
> On Sun, Aug 11, 2019 at 05:02:47PM +0200, Michael Niedermayer wrote:
> > On Sun, Aug 11, 2019 at 09:29:14AM +1000, Peter Ross wrote:
> > > On Tue, Aug 06, 2019 at 11:30:02PM +0200, Michael Niedermayer wrote:
> > > > Fixes: Timeout (23sec -> 71ms)
> > > > Fixes: 15661/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6A_fuzzer-6257865947348992
> > > > 
> > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > ---
> > > >  libavcodec/vp56.c | 4 ++--
> > > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
> > > > index 72fea3780e..695f37e972 100644
> > > > --- a/libavcodec/vp56.c
> > > > +++ b/libavcodec/vp56.c
> > > > @@ -572,7 +572,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
> > > >      VP56Context *s = avctx->priv_data;
> > > >      AVFrame *const p = s->frames[VP56_FRAME_CURRENT];
> > > >      int remaining_buf_size = avpkt->size;
> > > > -    int av_uninit(alpha_offset);
> > > > +    int alpha_offset = remaining_buf_size;
> > > >      int i, res;
> > > >      int ret;
> > > >  
> > > > @@ -585,7 +585,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
> > > >              return AVERROR_INVALIDDATA;
> > > >      }
> > > >  
> > > > -    res = s->parse_header(s, buf, remaining_buf_size);
> > > > +    res = s->parse_header(s, buf, alpha_offset);
> > > >      if (res < 0)
> > > >          return res;
> > > >  
> > > 
> > > hi michael, i am strugling to see a problem with the existing logic.
> > > 
> > >     if (s->has_alpha) {
> > >         if (remaining_buf_size < 3)
> > >             return AVERROR_INVALIDDATA;
> > >         alpha_offset = bytestream_get_be24(&buf);
> > >         remaining_buf_size -= 3;
> > >         if (remaining_buf_size < alpha_offset)
> > >             return AVERROR_INVALIDDATA;
> > >     }
> > > 
> > >     res = s->parse_header(s, buf, remaining_buf_size);
> > >     if (res < 0)
> > >         return res;
> > > 
> > > 
> > > if the sample has alpha, remaining_buf_size is reduced in size.
> > 
> > > can you post the sanple that takes 23s to decode?
> > 
> > ill send the sample to you privatly
> 
> thanks, was able to reproduce. disregard my comment above regarding remaining_buf_size.
> 
> approve.

will apply

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190813/39ab2c21/attachment.sig>


More information about the ffmpeg-devel mailing list