[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: Keep track of which subbands have been read
Michael Niedermayer
michael at niedermayer.cc
Sat Apr 3 19:30:48 EEST 2021
On Sat, Apr 03, 2021 at 04:39:08PM +0200, Michael Niedermayer wrote:
> This avoids use of uninitialized data
> also several checks are inside the band reading code
> so it is important that it is run at least once
>
> Fixes: out of array accesses
> Fixes: 28209/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5684714694377472
> Fixes: 32124/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5425980681355264
> Fixes: 30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4558757155700736
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavcodec/cfhd.c | 20 ++++++++++++++++++++
> libavcodec/cfhd.h | 1 +
> 2 files changed, 21 insertions(+)
> av_log(0,0, "TT %d ST %d\n", s->transform_type, s->sample_type); s->codebook = 0;
> @@ -919,6 +929,16 @@ finish:
> goto end;
> }
>
> + for (plane = 0; plane < s->planes; plane++) {
> + int o;
> + for (o = 0; o < 4 ; o++) {
> + if (!s->plane[plane].band[0][o].read_ok) {
> + ret = AVERROR_INVALIDDATA;
> + goto end;
> + }
> + }
> + }
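Review bot: the check only covers level 0 (band[0][o]); subbands at the higher decomposition levels that were never read would still be consumed by the inverse transform uninitialized, so the loop should iterate over every level the current transform_type uses, not just the first.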
I've replaced this hunk by:
@@ -919,6 +929,22 @@ finish:
goto end;
}
+ for (plane = 0; plane < s->planes; plane++) {
+ int o, level;
+
+ for (level = 0; level < (s->transform_type == 0 ? DWT_LEVELS : DWT_LEVELS_3D) ; level++) {
+ if (s->transform_type == 2)
+ if (level == 2 || level == 5)
+ continue;
+ for (o = !!level; o < 4 ; o++) {
+ if (!s->plane[plane].band[level][o].read_ok) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+ }
+ }
+ }
+
if (s->transform_type == 0 && s->sample_type != 1) {
for (plane = 0; plane < s->planes && !ret; plane++) {
/* level 1 */
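Review bot: the nested `if (s->transform_type == 2) if (level == 2 || level == 5) continue;` should be braced and commented, since the magic levels 2 and 5 and the `o = !!level` start index (skipping band 0 above level 0) are not self-explanatory to a reader of this loop; also, since the check depends on read_ok being cleared before the bands of a frame are decoded, that reset should land together with this hunk so a stale flag from an earlier frame cannot satisfy it.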
So not just the first level is checked.
[...]