[FFmpeg-devel] [PATCH 1/8] avcodec/magicyuv: Check slice size before reading flags and pred

Michael Niedermayer michael at niedermayer.cc
Sat Oct 24 15:13:22 EEST 2020


On Fri, Oct 23, 2020 at 08:54:33PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: heap-buffer-overflow
> > Fixes: 26487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-5742553675333632
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/magicyuv.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c
> > index ea1f727e5c..e2b7bdd326 100644
> > --- a/libavcodec/magicyuv.c
> > +++ b/libavcodec/magicyuv.c
> > @@ -267,6 +267,9 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata,
> >          const uint8_t *slice = s->buf + s->slices[i][j].start;
> >          int flags, pred;
> >  
> > +        if (s->slices[i][j].size < 2)
> > +            return AVERROR_INVALIDDATA;
> > +
> >          flags = bytestream_get_byte(&slice);
> >          pred  = bytestream_get_byte(&slice);
> >  
> > 
> It would be better to add this to line 625 to error out earlier (that's
> where I forgot to check).

yes, thats better, will use that and will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Concerning the gods, I have no means of knowing whether they exist or not
or of what sort they may be, because of the obscurity of the subject, and
the brevity of human life -- Protagoras
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20201024/c8580a10/attachment.sig>


More information about the ffmpeg-devel mailing list