[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Paul B Mahol onemda at gmail.com
Fri Apr 2 18:40:50 EEST 2021


I do not have time or motivation to deal with this and similar issues.

But applying band-aid solutions is not a step forward.

On Fri, Apr 2, 2021 at 12:53 AM Michael Niedermayer <michael at niedermayer.cc>
wrote:

> On Fri, Apr 02, 2021 at 12:49:26AM +0200, Michael Niedermayer wrote:
> > On Fri, Apr 02, 2021 at 12:25:53AM +0200, Michael Niedermayer wrote:
> > > On Thu, Apr 01, 2021 at 09:22:23PM +0200, Paul B Mahol wrote:
> > > > Try this attached patch. I have not looked at all samples, as some allocate
> > > > too much memory for my system.
> > >
> > > > But this patch points where real bugs are, unlike your patch which hides
> > > > real bugs even more.
> > >
> > > I would appreciate if cfhd wouldn't have so many real bugs.
> > > Your approach seems to be to fix what the fuzzer finds. What my patch was
> > > moving toward is to make the code more secure and robust, not to fix individual
> > > bugs. My patch was never intended to be the end of such improvement, but with
> > > the first stage being rejected I am of course not putting time in the next ...
> > >
> > > but that's not so important now, what's important is the bugs here
> > > and your patch eliminates all of the current group but one. That's good!
> > > Here's what remains:
> > > ffmpeg -threads 1 -i dec_fuzzer-30739.nut -f null -
> >
> > correction, the fuzzer found an alternative sample for 29754 which still crashes
> > this seems to also use less memory than the other remaining sample
> > will send the sample privately
> >
> > [cfhd @ 0x16d92180] Invalid lowpass height
> > ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> > ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> > ==24087==    by 0x1234092: av_vlog (log.c:432)
> > ==24087==    by 0x1233EF1: av_log (log.c:411)
> > ==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
> > ==24087==    by 0x860064: decode_simple_internal (decode.c:327)
> > ==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
> > ==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
> > ==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
> > ==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
> > ==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
> > ==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
> > ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> > ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> > ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> > ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> > Error while decoding stream #0:0: Invalid argument
> > ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> > ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> > ==24087==    by 0x1234092: av_vlog (log.c:432)
> > ==24087==    by 0x1233EF1: av_log (log.c:411)
> > ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> > ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> > ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> > ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> > ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> > [cfhd @ 0x16d92180] Invalid lowpass height
> > ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> > ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> > ==24087==    by 0x1234092: av_vlog (log.c:432)
> > ==24087==    by 0x1233EF1: av_log (log.c:411)
> > ==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
> > ==24087==    by 0x860064: decode_simple_internal (decode.c:327)
> > ==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
> > ==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
> > ==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
> > ==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
> > ==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
> > ==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
> > ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> > ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> > ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> > ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> > Error while decoding stream #0:0: Invalid argument
> > ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> > ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> > ==24087==    by 0x1234092: av_vlog (log.c:432)
> > ==24087==    by 0x1233EF1: av_log (log.c:411)
> > ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> > ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> > ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> > ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> > ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> > [cfhd @ 0x16d92180] Sample format of 1039 is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
> > Error while decoding stream #0:0: Not yet implemented in FFmpeg, patches welcome
> > ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> > ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> > ==24087==    by 0x1234092: av_vlog (log.c:432)
> > ==24087==    by 0x1233EF1: av_log (log.c:411)
> > ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> > ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> > ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> > ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> > ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> > [cfhd @ 0x16d92180] Invalid lowpass height
> > ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> > ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> > ==24087==    by 0x1234092: av_vlog (log.c:432)
> > ==24087==    by 0x1233EF1: av_log (log.c:411)
> > ==24087==    by 0x82FCFB: cfhd_decode (cfhd.c:721)
> > ==24087==    by 0x860064: decode_simple_internal (decode.c:327)
> > ==24087==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
> > ==24087==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
> > ==24087==    by 0x861019: avcodec_send_packet (decode.c:608)
> > ==24087==    by 0x2525A7: decode (ffmpeg.c:2285)
> > ==24087==    by 0x252DC7: decode_video (ffmpeg.c:2425)
> > ==24087==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
> > ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> > ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> > ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> > ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
> > Error while decoding stream #0:0: Invalid argument
> > ==24087==    at 0x123322D: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6303)
> > ==24087==    by 0x1233DEB: av_log_default_callback (log.c:397)
> > ==24087==    by 0x1234092: av_vlog (log.c:432)
> > ==24087==    by 0x1233EF1: av_log (log.c:411)
> > ==24087==    by 0x254285: process_input_packet (ffmpeg.c:2718)
> > ==24087==    by 0x25BB79: process_input (ffmpeg.c:4606)
> > ==24087==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> > ==24087==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> > ==24087==    by 0x25CB3F: main (ffmpeg.c:5005)
>
> > ==24087== Invalid read of size 16
> > ==24087==    at 0x10A1385: ??? (libavcodec/x86/cfhddsp.asm:384)
> > ==24087==    by 0x1FFEFFF74F: ???
> > ==24087==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
> without asm:
> ==24138== Invalid read of size 2
> ==24138==    at 0x835536: filter (cfhddsp.c:36)
> ==24138==    by 0x835A68: vert_filter (cfhddsp.c:74)
> ==24138==    by 0x8333AE: cfhd_decode (cfhd.c:1172)
> ==24138==    by 0x860064: decode_simple_internal (decode.c:327)
> ==24138==    by 0x860C9B: decode_simple_receive_frame (decode.c:526)
> ==24138==    by 0x860D95: decode_receive_frame_internal (decode.c:546)
> ==24138==    by 0x861019: avcodec_send_packet (decode.c:608)
> ==24138==    by 0x2525A7: decode (ffmpeg.c:2285)
> ==24138==    by 0x252DC7: decode_video (ffmpeg.c:2425)
> ==24138==    by 0x253EF3: process_input_packet (ffmpeg.c:2672)
> ==24138==    by 0x25BB79: process_input (ffmpeg.c:4606)
> ==24138==    by 0x25C06D: transcode_step (ffmpeg.c:4746)
> ==24138==    by 0x25C1D5: transcode (ffmpeg.c:4800)
> ==24138==    by 0x25CB3F: main (ffmpeg.c:5005)
> ==24138==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
>
> [...]
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> He who knows, does not speak. He who speaks, does not know. -- Lao Tsu
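As an added illustration of the approach the patch subject describes (checking tag order and multiplicity at parse time, so that a later stage such as the vertical filter never sees dimensions that were never set or are inconsistent), here is a small hypothetical tag-stream parser in C. It is example code written for this page, not cfhd.c or any other FFmpeg code; the tag numbers, value limits, error codes and sample byte streams are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tag numbers are constructed for this example, not real CineForm tags. */
enum {
    TAG_END            = 0,
    TAG_IMAGE_WIDTH    = 1,
    TAG_IMAGE_HEIGHT   = 2,
    TAG_LOWPASS_WIDTH  = 3,
    TAG_LOWPASS_HEIGHT = 4,
    TAG_BAND_HEADER    = 5   /* may repeat, but only after all dimensions */
};

enum {
    ERR_OK        =  0,
    ERR_DUPLICATE = -1,   /* single-occurrence tag seen twice */
    ERR_ORDER     = -2,   /* tag arrived before the tags it depends on */
    ERR_RANGE     = -3,   /* value outside the limits set by earlier tags */
    ERR_TRUNCATED = -4,   /* stream ended without TAG_END */
    ERR_UNKNOWN   = -5
};

typedef struct {
    uint32_t seen;        /* one bit per single-occurrence tag */
    int width, height, lowpass_width, lowpass_height;
    int bands;
} header_state;

#define BIT(t) (1u << (t))
#define DIMS_MASK (BIT(TAG_IMAGE_WIDTH) | BIT(TAG_IMAGE_HEIGHT) | \
                   BIT(TAG_LOWPASS_WIDTH) | BIT(TAG_LOWPASS_HEIGHT))

/* Store a tag that may appear only once, enforcing a value range. */
static int set_once(header_state *s, int tag, int *dst, int value, int lo, int hi)
{
    if (s->seen & BIT(tag))
        return ERR_DUPLICATE;
    if (value < lo || value > hi)
        return ERR_RANGE;
    *dst = value;
    s->seen |= BIT(tag);
    return ERR_OK;
}

/* Parse a stream of (uint8 tag, uint16 big-endian value) records. Each
 * dependency is checked when the tag is read, so by the time a band header
 * is accepted the dimensions it will index are known to be consistent. */
int parse_tags(const uint8_t *buf, size_t len, header_state *s)
{
    size_t pos = 0;
    memset(s, 0, sizeof(*s));
    while (pos + 3 <= len) {
        int tag   = buf[pos];
        int value = (buf[pos + 1] << 8) | buf[pos + 2];
        int ret   = ERR_OK;
        pos += 3;
        switch (tag) {
        case TAG_IMAGE_WIDTH:
            ret = set_once(s, tag, &s->width, value, 16, 8192);
            break;
        case TAG_IMAGE_HEIGHT:
            ret = set_once(s, tag, &s->height, value, 16, 8192);
            break;
        case TAG_LOWPASS_WIDTH:   /* bounded by the image width, so needs it first */
            if (!(s->seen & BIT(TAG_IMAGE_WIDTH)))
                return ERR_ORDER;
            ret = set_once(s, tag, &s->lowpass_width, value, 1, s->width);
            break;
        case TAG_LOWPASS_HEIGHT:  /* bounded by the image height, so needs it first */
            if (!(s->seen & BIT(TAG_IMAGE_HEIGHT)))
                return ERR_ORDER;
            ret = set_once(s, tag, &s->lowpass_height, value, 1, s->height);
            break;
        case TAG_BAND_HEADER:
            if ((s->seen & DIMS_MASK) != DIMS_MASK)
                return ERR_ORDER;
            s->bands++;
            break;
        case TAG_END:
            return (s->seen & DIMS_MASK) == DIMS_MASK ? ERR_OK : ERR_ORDER;
        default:
            return ERR_UNKNOWN;
        }
        if (ret != ERR_OK)
            return ret;
    }
    return ERR_TRUNCATED;
}

/* Constructed sample streams, laid out as (tag, value-hi, value-lo). */
static const uint8_t SAMPLE_VALID[]      = {1,0,64, 2,0,64, 3,0,16, 4,0,16, 5,0,0, 0,0,0};
static const uint8_t SAMPLE_DUP_WIDTH[]  = {1,0,64, 1,0,64, 0,0,0};
static const uint8_t SAMPLE_EARLY_LOW[]  = {4,0,16, 1,0,64, 0,0,0};
static const uint8_t SAMPLE_BAD_RANGE[]  = {1,0,64, 2,0,64, 3,0,16, 4,1,0, 0,0,0}; /* 256 > 64 */
static const uint8_t SAMPLE_EARLY_BAND[] = {1,0,64, 5,0,0, 0,0,0};
static const uint8_t SAMPLE_NO_END[]     = {1,0,64, 2,0,64, 3,0,16, 4,0,16};

int parse_result(const uint8_t *buf, size_t len)
{
    header_state s;
    return parse_tags(buf, len, &s);
}

int band_count(const uint8_t *buf, size_t len)
{
    header_state s;
    return parse_tags(buf, len, &s) == ERR_OK ? s.bands : -1;
}

int main(void)
{
    printf("valid: %d (bands %d)\n", parse_result(SAMPLE_VALID, sizeof SAMPLE_VALID),
           band_count(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("duplicate width: %d\n", parse_result(SAMPLE_DUP_WIDTH, sizeof SAMPLE_DUP_WIDTH));
    printf("lowpass before height: %d\n", parse_result(SAMPLE_EARLY_LOW, sizeof SAMPLE_EARLY_LOW));
    printf("lowpass out of range: %d\n", parse_result(SAMPLE_BAD_RANGE, sizeof SAMPLE_BAD_RANGE));
    printf("band before dims: %d\n", parse_result(SAMPLE_EARLY_BAND, sizeof SAMPLE_EARLY_BAND));
    printf("missing end: %d\n", parse_result(SAMPLE_NO_END, sizeof SAMPLE_NO_END));
    return 0;
}
```

The design point is that every dependency between tags is enforced at the moment the dependent tag is read: a lowpass dimension cannot be stored until the image dimension that bounds it exists, a band header cannot be accepted until every dimension is known, and no single-occurrence tag can be overwritten by a repeat. Code downstream of `parse_tags` then works from a state that is complete and internally consistent, instead of each consumer re-checking for zero or missing values as an individual crash report comes in.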

