[FFmpeg-devel] [PATCH 7/7] avcodec/cri: check for available input in unpack_10bit()
Michael Niedermayer
michael at niedermayer.cc
Thu Jan 21 20:53:02 EET 2021
On Tue, Nov 10, 2020 at 05:17:40PM +0100, Michael Niedermayer wrote:
> On Tue, Nov 10, 2020 at 01:46:10AM +0100, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > Fixes: Timeout (>20sec -> 56ms)
> > > Fixes: 26995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5107217080254464
> > >
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > ---
> > > libavcodec/cri.c | 11 +++++++----
> > > 1 file changed, 7 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/libavcodec/cri.c b/libavcodec/cri.c
> > > index dafbc1f1be..9bcd2ebfc6 100644
> > > --- a/libavcodec/cri.c
> > > +++ b/libavcodec/cri.c
> > > @@ -80,10 +80,13 @@ static void unpack_10bit(GetByteContext *gb, uint16_t *dst, int shift,
> > > int pos = 0;
> > >
> > > while (count > 0) {
> > > - uint32_t a0 = bytestream2_get_le32(gb);
> > > - uint32_t a1 = bytestream2_get_le32(gb);
> > > - uint32_t a2 = bytestream2_get_le32(gb);
> > > - uint32_t a3 = bytestream2_get_le32(gb);
> > > + uint32_t a0, a1,a2,a3;
> > > + if (bytestream2_get_bytes_left(gb) < 4)
> > > + break;
> > > + a0 = bytestream2_get_le32(gb);
> > > + a1 = bytestream2_get_le32(gb);
> > > + a2 = bytestream2_get_le32(gb);
> > > + a3 = bytestream2_get_le32(gb);
> > > dst[pos] = (((a0 >> 1) & 0xE00) | (a0 & 0x1FF)) << shift;
> > > pos++;
> > > if (pos >= w) {
> > >
> > Wouldn't it make sense to check for 16 bytes to be left given that
> > that's the amount that is read immediately afterwards? And if you check
> > for this, you could just use bytestream2_get_le32u().
>
> the code can break out before using all 4 so i felt it was more
> cautious to check only for the first
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Take away the freedom of one citizen and you will be jailed, take away
the freedom of all citizens and you will be congratulated by your peers
in Parliament.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20210121/7cd13003/attachment.sig>
More information about the ffmpeg-devel
mailing list