[FFmpeg-devel] [PATCH 1/3] avformat/av1dec: Fix padding in obu_get_packet()

James Almer jamrial at gmail.com
Fri Oct 16 16:12:38 EEST 2020


On 10/16/2020 7:46 AM, Michael Niedermayer wrote:
> Fixes: stack buffer overflow (read)
> Fixes: 26369/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-5721057325219840
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/av1dec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/av1dec.c b/libavformat/av1dec.c
> index 10c4560968..395eef6522 100644
> --- a/libavformat/av1dec.c
> +++ b/libavformat/av1dec.c
> @@ -382,7 +382,7 @@ static int obu_read_header(AVFormatContext *s)
>  static int obu_get_packet(AVFormatContext *s, AVPacket *pkt)
>  {
>      ObuContext *c = s->priv_data;
> -    uint8_t header[MAX_OBU_HEADER_SIZE];
> +    uint8_t header[MAX_OBU_HEADER_SIZE + AV_INPUT_BUFFER_PADDING_SIZE];
>      int64_t obu_size;
>      int size = av_fifo_space(c->fifo);
>      int ret, len, type;

Where is header being overread? All reads and writes are always
constrained to MAX_OBU_HEADER_SIZE bytes at most by the fifo.


More information about the ffmpeg-devel mailing list