[FFmpeg-devel] [PATCH] avcodec/flac_parser: Do not loose header count in find_headers_search()
Michael Niedermayer
michaelni at gmx.at
Sun Feb 9 21:38:43 EET 2020
On Tue, Feb 04, 2020 at 06:34:47PM +0100, Michael Niedermayer wrote:
> On Tue, Feb 04, 2020 at 11:10:00AM +0000, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > Fixes: Timeout
> > > Fixes: out of array access
> > > Fixes: 20274/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5649631988154368
> > > Fixes: 19275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5757535722405888
> > >
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > ---
> > > libavcodec/flac_parser.c | 12 ++++++++----
> > > 1 file changed, 8 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c
> > > index 9ffa288548..3424583c49 100644
> > > --- a/libavcodec/flac_parser.c
> > > +++ b/libavcodec/flac_parser.c
> > > @@ -208,16 +208,20 @@ static int find_headers_search(FLACParseContext *fpc, uint8_t *buf,
> > > uint32_t x;
> > >
> > > for (i = 0; i < mod_offset; i++) {
> > > - if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8)
> > > - size = find_headers_search_validate(fpc, search_start + i);
> > > + if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) {
> > > + int ret = find_headers_search_validate(fpc, search_start + i);
> > > + size = FFMAX(size, ret);
> > > + }
> > > }
> > >
> > > for (; i < buf_size - 1; i += 4) {
> > > x = AV_RN32(buf + i);
> > > if (((x & ~(x + 0x01010101)) & 0x80808080)) {
> > > for (j = 0; j < 4; j++) {
> > > - if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8)
> > > - size = find_headers_search_validate(fpc, search_start + i + j);
> > > + if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) {
> > > + int ret = find_headers_search_validate(fpc, search_start + i + j);
> > > + size = FFMAX(size, ret);
> > > + }
> > > }
> > > }
> > > }
> > >
> > 1. Actually, find_headers_search_validate() can return an error and
> > these FFMAX (as well as the FFMAX already present in
> > find_new_headers()) will make sure that they are overwritten.
>
> yes
>
>
> > 2. The linked list of buffered headers is currently traversed pretty
> > often: E.g. if it seems that no new headers have been found in a call
> > to find_new_headers(), the linked list will be traversed again in
> > order to count the number of buffered headers. Maybe one should
> > instead directly increment fpc->nb_headers_buffered after a new header
> > has been added to the list in find_headers_search_validate() and only
> > use the return value of find_headers_search_validate(),
> > find_headers_search(), find_new_headers() to forward the allocation
> > failure errors? (If one stores a pointer to the end of the linked
> > list, one can also remove the while-loop in
> > find_headers_search_validate(); don't know if this helps with the
> > timeout.)
>
> These are good ideas. The problem iam facing a bit here is that i
> need to (or rather i want to) fix this in the releases too, so one
> goal is to keep the change simple as that makes it more likely to
> backport without too much issues.
> We can clean up the code afterwards and in fact there is probably
> more that can be cleaned up then what you mention (just by gut feeling
> from this code)
any objections ?
if not i will push this in a few days
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you fake or manipulate statistics in a paper in physics you will never
get a job again.
If you fake or manipulate statistics in a paper in medicin you will get
a job for life at the pharma industry.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200209/de0fa208/attachment.sig>
More information about the ffmpeg-devel
mailing list