[FFmpeg-devel] [PATCH 5/5] avcodec/apedec: Check max_samples
Michael Niedermayer
michael at niedermayer.cc
Tue Sep 3 14:13:22 EEST 2019
On Mon, Sep 02, 2019 at 09:40:47PM -0300, James Almer wrote:
> On 9/2/2019 9:14 PM, Michael Niedermayer wrote:
> > Fixes: OOM
> > Fixes: 16627/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5638059583864832
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/apedec.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
> > index e218f7c043..774ce18531 100644
> > --- a/libavcodec/apedec.c
> > +++ b/libavcodec/apedec.c
> > @@ -1475,6 +1475,9 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data,
> > return AVERROR_INVALIDDATA;
> > }
> >
> > + if (nblocks * (int64_t)avctx->channels > avctx->max_samples)
> > + return AVERROR(EINVAL);
> > +
>
> Shouldn't this be checked in ff_get_buffer()? Same as max_pixels, but
> checking "frame->nb_samples > avctx->max_samples" instead or
> width/height. Otherwise it will barely be used.
you are correct, it should be checked in *get_buffer somewhere too.
But the offending allocation occurs before any *get_buffer calls so
this check here is what is neccessary and sufficient for this specific
bug
Thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
It is what and why we do it that matters, not just one of them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190903/5e7bc414/attachment.sig>
More information about the ffmpeg-devel
mailing list