[FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size
Michael Niedermayer
michael at niedermayer.cc
Thu Jul 21 09:45:03 EEST 2022
On Thu, Jul 21, 2022 at 12:46:38AM +0200, Michael Niedermayer wrote:
> On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> > >>
> > >>
> > >> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> > >>> Fixes: Timeout
> > >>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> > >>>
> > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > >>> ---
> > >>> libavcodec/ffv1dec.c | 6 +++++-
> > >>> 1 file changed, 5 insertions(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> > >>> index 01ddcaa512..9bdac0be4e 100644
> > >>> --- a/libavcodec/ffv1dec.c
> > >>> +++ b/libavcodec/ffv1dec.c
> > >>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> > >>> if (buf_size < avctx->width * avctx->height / (128*8))
> > >>> return AVERROR_INVALIDDATA;
> > >>> } else {
> > >>> - if (buf_size < avctx->height / 8)
> > >>> + int i;
> > >>
> > >> for (int i...
> > >
> > > will apply with that change
> > >
> > > thx
> > >
> >
> > James' suggestion made you use an uninitialized i in the actual check;
>
> yes
>
>
> > and even the original check is wrong, as one can overrun ff_log2_run
> > (unless there is a check that I am not missing).
>
> Theres a check but its too late
>
>
> > So it seems to me that
> > reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.
>
> not against that but heres a quick fix attempt
>
>
> Author: Michael Niedermayer <michael at niedermayer.cc>
> Date: Thu Jul 21 00:20:41 2022 +0200
>
> avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check
will apply this so the uninitialized read is fixed. If this has
some off by 1 error or something that can be adjusted later
dont want to leave this bug open
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No great genius has ever existed without some touch of madness. -- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220721/d85ffc20/attachment.sig>
More information about the ffmpeg-devel
mailing list