[FFmpeg-devel] [PATCH] avcodec/msp2dec: Check available space in RLE decoder
Michael Niedermayer
michael at niedermayer.cc
Wed Apr 7 17:59:09 EEST 2021
On Wed, Apr 07, 2021 at 12:42:50AM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array read
> > Fixes: 32968/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSP2_fuzzer-5315296027082752
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/msp2dec.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/msp2dec.c b/libavcodec/msp2dec.c
> > index cc548d218a..87057fb5e2 100644
> > --- a/libavcodec/msp2dec.c
> > +++ b/libavcodec/msp2dec.c
> > @@ -68,9 +68,10 @@ static int msp2_decode_frame(AVCodecContext *avctx,
> >
> > bytestream2_init(&gb, buf, pkt_size);
> > x = 0;
> > - while (bytestream2_get_bytes_left(&gb) && x < width) {
> > + while (bytestream2_get_bytes_left(&gb) > 0 && x < width) {
>
> This decoder uses the checked bytestream2 API, so != 0 and > 0 should be
> equivalent for bytestream2_get_bytes_left(&gb).
I changed it to "> 0" because it felt clearer&more robust
i will drop that as its not needed for the bugfix
>
> > int size = bytestream2_get_byte(&gb);
> > if (size) {
> > + size = FFMIN(size, bytestream2_get_bytes_left(&gb));
> > memcpy(p->data[0] + y * p->linesize[0] + x, gb.buffer, FFMIN(size, width - x));
>
> width can include seven bytes of the packet's padding, but it stays
> within the padding, so I wonder where the out of array read comes from.
> The only fishy thing in this decoder I see is that 2 * avctx->height
> might overflow.
size is a value read from the bytestream, theres no guarntee that
the amount that byte calls for is not beyond the end of the bytestream
and its not checked by memcpy
bytestream2_get_buffer() would check it and it can maybe be used instead
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Never trust a computer, one day, it may think you are the virus. -- Compn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20210407/3f800b42/attachment.sig>
More information about the ffmpeg-devel
mailing list