[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Paul B Mahol onemda at gmail.com
Tue Mar 30 20:50:36 EEST 2021 

Please share files privately, do not apply non fix for this issue.

Give up with such this non-solution.

On Tue, Mar 30, 2021 at 6:49 PM Michael Niedermayer <michael at niedermayer.cc>
wrote:

> On Sun, Dec 20, 2020 at 10:15:24PM +0100, Michael Niedermayer wrote:
> > This is based on the encoder and a small number of CFHD sample files
> > It should make the decoder more robust against crafted input.
> > Due to the lack of a proper specification it is possible that this
> > may be too strict and may need to be tuned as files not following this
> > ordering are found.
> >
> > Fixes: segfault
> > Fixes: OOM
> > Fixes: null pointer dereference
> > Fixes: left shift of negative value -12
> > Fixes: out of array write
> > Fixes:
> 25367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4865603750592512
> > Fixes:
> 25958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4851579923202048
> > Fixes:
> 25988/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5643617157513216
> > Fixes:
> 25995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5177442380283904
> > Fixes:
> 25996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5663296026574848
> > Fixes:
> 26082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5126180416782336
> > Fixes:
> 27872/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4916296355151872
> > Fixes:
> 28305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6041755829010432
>
> The following issues have been found by the fuzzer in CFHD since this was
> posted
> With this applied none is reproducable
>
>
>
> 29754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6333598414274560
> ==18805==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
> (pc 0x000000d6875d bp 0x000000000000 sp 0x7ffde47353d8 T0)
> ==18805==The signal is caused by a READ memory access.
> ==18805==Hint: address points to the zero page.
>     #0 0xd6875c in ff_cfhd_vert_filter_sse2 libavcodec/x86/cfhddsp.asm:383
>
>
>
>
> 30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6298424511168512
> libavcodec/cfhddsp.c:36:41: runtime error: load of null pointer of type
> 'const int16_t' (aka 'const short')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libavcodec/cfhddsp.c:36:41 in
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==18874==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
> (pc 0x0000005450d5 bp 0x7ffc0a6c6ee0 sp 0x7ffc0a6c6d60 T0)
> ==18874==The signal is caused by a READ memory access.
> ==18874==Hint: address points to the zero page.
>     #0 0x5450d4 in filter libavcodec/cfhddsp.c:36:41
>     #1 0x5450d4 in vert_filter libavcodec/cfhddsp.c:74
>     #2 0x528cea in cfhd_decode libavcodec/cfhd.c:1167:13
>     #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
>     #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
>     #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
>     #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15
>
>
>
>
> 30739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5011292836462592
> ==18879==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x7f2aa32a684e at pc 0x00000053ee8f bp 0x7ffca5380fe0 sp 0x7ffca5380fd8
> WRITE of size 2 at 0x7f2aa32a684e thread T0
>     #0 0x53ee8e in interlaced_vertical_filter libavcodec/cfhd.c:204:30
>     #1 0x52c088 in cfhd_decode libavcodec/cfhd.c:1273:21
>     #2 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
>     #3 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
>     #4 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
>     #5 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15
>
>
>
>
> 32124/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5425980681355264
> ==18753==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x7f3a5006284e at pc 0x00000054c97e bp 0x7ffc0327a620 sp 0x7ffc0327a618
> WRITE of size 2 at 0x7f3a5006284e thread T0
>     #0 0x54c97d in filter libavcodec/cfhddsp.c:52:36
>     #1 0x54c97d in horiz_filter_clip libavcodec/cfhddsp.c:97
>     #2 0x52cbed in cfhd_decode libavcodec/cfhd.c:1239:21
>     #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
>     #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
>     #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
>     #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15
>
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> If you think the mosad wants you dead since a long time then you are either
> wrong or dead since a long time.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".

More information about the ffmpeg-devel mailing list