[FFmpeg-devel] [PATCH 1/5] avcodec/vp56: Consider the alpha start as end of the prior header
Michael Niedermayer
michael at niedermayer.cc
Tue Aug 13 12:31:46 EEST 2019
On Mon, Aug 12, 2019 at 09:03:41PM +1000, Peter Ross wrote:
> On Sun, Aug 11, 2019 at 05:02:47PM +0200, Michael Niedermayer wrote:
> > On Sun, Aug 11, 2019 at 09:29:14AM +1000, Peter Ross wrote:
> > > On Tue, Aug 06, 2019 at 11:30:02PM +0200, Michael Niedermayer wrote:
> > > > Fixes: Timeout (23sec -> 71ms)
> > > > Fixes: 15661/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6A_fuzzer-6257865947348992
> > > >
> > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > ---
> > > > libavcodec/vp56.c | 4 ++--
> > > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
> > > > index 72fea3780e..695f37e972 100644
> > > > --- a/libavcodec/vp56.c
> > > > +++ b/libavcodec/vp56.c
> > > > @@ -572,7 +572,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
> > > > VP56Context *s = avctx->priv_data;
> > > > AVFrame *const p = s->frames[VP56_FRAME_CURRENT];
> > > > int remaining_buf_size = avpkt->size;
> > > > - int av_uninit(alpha_offset);
> > > > + int alpha_offset = remaining_buf_size;
> > > > int i, res;
> > > > int ret;
> > > >
> > > > @@ -585,7 +585,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
> > > > return AVERROR_INVALIDDATA;
> > > > }
> > > >
> > > > - res = s->parse_header(s, buf, remaining_buf_size);
> > > > + res = s->parse_header(s, buf, alpha_offset);
> > > > if (res < 0)
> > > > return res;
> > > >
> > >
> > > hi michael, i am strugling to see a problem with the existing logic.
> > >
> > > if (s->has_alpha) {
> > > if (remaining_buf_size < 3)
> > > return AVERROR_INVALIDDATA;
> > > alpha_offset = bytestream_get_be24(&buf);
> > > remaining_buf_size -= 3;
> > > if (remaining_buf_size < alpha_offset)
> > > return AVERROR_INVALIDDATA;
> > > }
> > >
> > > res = s->parse_header(s, buf, remaining_buf_size);
> > > if (res < 0)
> > > return res;
> > >
> > >
> > > if the sample has alpha, remaining_buf_size is reduced in size.
> >
> > > can you post the sanple that takes 23s to decode?
> >
> > ill send the sample to you privatly
>
> thanks, was able to reproduce. disregard my comment above regarding remaining_buf_size.
>
> approve.
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190813/39ab2c21/attachment.sig>
More information about the ffmpeg-devel
mailing list