[FFmpeg-devel] [FFmpeg-cvslog] avcodec/hcadec: support decoding with extradata provided in first packet

Michael Niedermayer michael at niedermayer.cc
Tue Oct 3 01:23:44 EEST 2023


Hi

On Tue, Sep 05, 2023 at 09:25:45PM +0000, Paul B Mahol wrote:
> ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Tue Sep  5 23:14:58 2023 +0200| [d464a687c9dd03246795d62151809167e8381932] | committer: Paul B Mahol
> 
> avcodec/hcadec: support decoding with extradata provided in first packet

I cannot find this patch on the mailing list

Also this adds null pointer writes
The init_hca() function which previously was only called once and failure
ended all further processing now is called optionally per frame and its
failure does not stop further processing so half initialized contexts
can be created by an attacker

Note, this sort of stuff delays the release

thx


[...]
> @@ -385,16 +404,34 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
>                          int *got_frame_ptr, AVPacket *avpkt)
>  {
>      HCAContext *c = avctx->priv_data;
> -    int ch, ret, packed_noise_level;
> +    int ch, offset = 0, ret, packed_noise_level;
>      GetBitContext gb0, *const gb = &gb0;
>      float **samples;
>  
> +    if (avpkt->size <= 8)
> +        return AVERROR_INVALIDDATA;
> +
> +    if (AV_RN16(avpkt->data) != 0xFFFF) {
> +        if (AV_RL32(avpkt->data) != MKTAG('H','C','A',0)) {
> +            return AVERROR_INVALIDDATA;
> +        } else if (AV_RB16(avpkt->data + 6) <= avpkt->size) {
> +            ret = init_hca(avctx, avpkt->data, AV_RB16(avpkt->data + 6));
> +            if (ret < 0)
> +                return ret;
> +            offset = AV_RB16(avpkt->data + 6);
> +            if (offset == avpkt->size)
> +                return avpkt->size;
> +        } else {
> +            return AVERROR_INVALIDDATA;
> +        }
> +    }

[...]

==6921==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005c8da1 bp 0x7fff5a918390 sp 0x7fff5a918200 T0)
==6921==The signal is caused by a WRITE memory access.
==6921==Hint: address points to the zero page.
    #0 0x5c8da1 in unpack /src/ffmpeg/libavcodec/hcadec.c:392:30
    #1 0x5c8da1 in decode_frame /src/ffmpeg/libavcodec/hcadec.c:456:9
    #2 0x5b41ff in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:433:20
    #3 0x5b41ff in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:607:15
    #4 0x5b41ff in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:635:15
    #5 0x5b3aee in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:732:15
    #6 0x59f64f in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:522:25
    #7 0x46e913 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #8 0x45a072 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #9 0x45f91c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #10 0x488e52 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7849ef29a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #12 0x45023d in _start



-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesnt understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20231003/d5ce44d5/attachment.sig>


More information about the ffmpeg-devel mailing list