[FFmpeg-devel] [PATCH 1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size
Paul B Mahol
onemda at gmail.com
Thu Sep 21 21:14:31 EEST 2023
On Thu, Sep 21, 2023 at 8:09 PM Michael Niedermayer <michael at niedermayer.cc>
wrote:
> Fixes: out of array access
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
> Fixes:
> 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/osq.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> index e7f11691d2e..bcc75fef6fc 100644
> --- a/libavcodec/osq.c
> +++ b/libavcodec/osq.c
> @@ -408,6 +408,9 @@ static int osq_receive_frame(AVCodecContext *avctx,
> AVFrame *frame)
> GetBitContext *gb = &s->gb;
> int ret, n;
>
> + if (s->pkt_offset > s->pkt->size)
> + s->pkt_offset = 0;
>
This is more hack than real fix.
Can you provide input file?
> +
> while (s->bitstream_size < s->max_framesize) {
> int size;
>
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>
More information about the ffmpeg-devel
mailing list