[FFmpeg-devel] [PATCH 1/3] avcodec/agm: Do not crash on invalid codes

Michael Niedermayer michael at niedermayer.cc
Sun Apr 21 12:59:03 EEST 2019


On Sun, Apr 21, 2019 at 11:31:10AM +0200, Paul B Mahol wrote:
> On 4/21/19, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > I do not know if such vlc trees are allowed in agm, I have no specification
> > So i do not know if these should be treated as error, or not.
> > But the code does contain a check for idx < 0 already ...
> >
> > untested due to lack of valid samples using this codepath
> >
> > Fixes: Stack-buffer-overflow in get_tree_codes
> > Fixes:
> > 14189/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5745747003179008
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/agm.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/agm.c b/libavcodec/agm.c
> > index f5fd5d065e..f3d81bf163 100644
> > --- a/libavcodec/agm.c
> > +++ b/libavcodec/agm.c
> > @@ -913,7 +913,7 @@ static void get_tree_codes(uint32_t *codes, Node *nodes,
> > int idx, uint32_t pfx,
> >  {
> >      if (idx < 256 && idx >= 0) {
> >          codes[idx] = pfx;
> > -    } else {
> > +    } else if (idx >= 0) {
> >          get_tree_codes(codes, nodes, nodes[idx].child[0], pfx + (0 <<
> > bitpos), bitpos + 1);
> >          get_tree_codes(codes, nodes, nodes[idx].child[1], pfx + (1 <<
> > bitpos), bitpos + 1);
> >      }
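Review bot: the new `else if (idx >= 0)` keeps a negative child index from being used to index `nodes[idx]`, but because `get_tree_codes` returns `void` the malformed tree is silently truncated rather than reported, so the caller cannot reject the stream; given the commit message's own uncertainty about whether such trees are legal, consider either returning an error from this function or adding a comment at the `else if` saying that negative child indices are deliberately treated as terminators. Two further points in the same branch: nothing here bounds `idx` against the size of `nodes[]` (the `idx < 256` test only decides whether the value goes to `codes[]`), and `bitpos` grows by one per recursion level with no visible limit, so `1 << bitpos` on a sufficiently deep or cyclic tree becomes an out-of-range shift; folding a depth check such as `bitpos < 32` into the same condition would close that cheaply.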
> > --
> > 2.21.0
> >
> 
> lgtm

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many that live deserve death. And some that die deserve life. Can you give
it to them? Then do not be too eager to deal out death in judgement. For
even the very wise cannot see all ends. -- Gandalf