[FFmpeg-devel] [PATCH 4/4] avcodec/faxcompr: Check for invalid VLC in decode_group3_1d_line()

Michael Niedermayer michael at niedermayer.cc
Thu Apr 29 17:29:33 EEST 2021


On Wed, Apr 28, 2021 at 05:37:39PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: infinite loop
> > Fixes: 33674/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4816457818046464
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/faxcompr.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
> > index 7bf11d80ca..f1f7e67762 100644
> > --- a/libavcodec/faxcompr.c
> > +++ b/libavcodec/faxcompr.c
> > @@ -213,7 +213,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, GetBitContext *gb,
> >          run += t;
> >          if (t < 64) {
> >              *runs++ = run;
> > -            if (runs >= runend) {
> > +            if (runs >= runend || t < 0) {
> >                  av_log(avctx, AV_LOG_ERROR, "Run overrun\n");
> >                  return AVERROR_INVALIDDATA;
> >              }
> > 
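Review bot: the new `t < 0` test in `if (runs >= runend || t < 0)` cannot fire if `t` is an unsigned type (as pointed out below), and it is also evaluated after `run += t;`, so an error value would already have been folded into `run` before it is inspected. The reply also notes that a failed lookup is already handled by the existing `} else if ((int)t == -1) {` branch, so this hunk does not address the reported infinite loop. Suggest dropping it and instead returning AVERROR_INVALIDDATA when no bits remain (for example `get_bits_left(gb) <= 0`) before the `get_vlc2()` call, which is what the reply proposes.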
> This t is unsigned, so your added check is void. There is btw an else
> part here that checks for errors: "} else if ((int)t == -1) {".
> The only way I can think of for an infinite loop is that the part after
> the end of the get_bits-reader needn't be zeroed and so it can be
> mistaken for a valid code and enter the codepath for valid codes; in
> particular, it can be a code corresponding to the symbol 0 in which case
> one is not saved by the "if (pix_left <= run) {" check. And given that
> this code does not use the unchecked bitstream reader, it will never
> advance.
> So it seems like the best way to fix this is to check for whether there
> are any bits left before the get_vlc2() call.

yes, I'll do that.

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many that live deserve death. And some that die deserve life. Can you give
it to them? Then do not be too eager to deal out death in judgement. For
even the very wise cannot see all ends. -- Gandalf
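As an added illustration of the stall mechanism described in the reply above (constructed example code, not FFmpeg's faxcompr.c or any part of this patch): a toy checked bit reader whose reads past the end never advance and return whatever lies beyond the buffer, a two-code run-length VLC, and a run decoder run with and without a bits-left guard. `BitReader`, `decode_symbol()`, `decode_runs()` and the `PAD_BIT` value standing in for non-zeroed memory are all hypothetical; `max_iters` only exists so the stalled case can be observed instead of hanging.

```c
#include <stdint.h>
#include <stdio.h>

/* Return codes of decode_runs() (constructed for this example). */
enum { DECODE_INVALID = -1, DECODE_STALLED = -2 };

/* Constructed stand-in for non-zeroed memory after the buffer: a set bit
 * decodes as the zero-length run below, which is the dangerous case. */
#define PAD_BIT 1

/* Toy checked bit reader: reads at or beyond size_bits do not move pos,
 * mirroring a reader that refuses to advance past its end. */
typedef struct {
    const uint8_t *buf;
    int size_bits;
    int pos;
} BitReader;

static int bits_left(const BitReader *r) { return r->size_bits - r->pos; }

static int get_bit(BitReader *r)
{
    if (r->pos >= r->size_bits)
        return PAD_BIT;               /* past the end: value returned, no advance */
    int bit = (r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1;
    r->pos++;
    return bit;
}

/* Toy run-length VLC (constructed): '1' encodes a run of 0 pixels,
 * '0xxx' encodes a run of xxx+1 pixels (1..8). */
static int decode_symbol(BitReader *r)
{
    if (get_bit(r) == 1)
        return 0;
    int v = 0;
    for (int i = 0; i < 3; i++)
        v = (v << 1) | get_bit(r);
    return v + 1;
}

/* Decode runs until pix_left pixels are accounted for.
 * guard != 0 adds the bits-left check before each symbol read.
 * Returns the number of runs decoded, DECODE_INVALID (guard tripped on
 * truncated input) or DECODE_STALLED (max_iters reached without progress). */
static int decode_runs(const uint8_t *buf, int size_bits, int pix_left,
                       int guard, int max_iters)
{
    BitReader r = { buf, size_bits, 0 };
    int nruns = 0;
    for (int iter = 0; iter < max_iters; iter++) {
        if (pix_left <= 0)
            return nruns;
        if (guard && bits_left(&r) <= 0)
            return DECODE_INVALID;    /* truncated input: fail cleanly */
        int t = decode_symbol(&r);    /* a zero-length run makes no progress */
        pix_left -= t;
        nruns++;
    }
    return DECODE_STALLED;
}

int main(void)
{
    /* Constructed input: '0011' = one run of 4 pixels, then end of data,
     * for a line of 8 pixels; the decoder keeps asking for more. */
    static const uint8_t truncated[] = { 0x30 }; /* 0011 0000 */
    printf("no guard:   %d\n", decode_runs(truncated, 4, 8, 0, 1000));
    printf("with guard: %d\n", decode_runs(truncated, 4, 8, 1, 1000));
    /* Constructed complete input: '0111' = one run of 8 pixels. */
    static const uint8_t complete[] = { 0x70 };  /* 0111 0000 */
    printf("complete:   %d\n", decode_runs(complete, 4, 8, 1, 1000));
    return 0;
}
```

Without the guard the second call to `decode_symbol()` reads the pad bit, returns a run of 0, and the loop spins until the iteration cap; with the guard the same input fails with an error after the first run, and a complete line decodes identically either way.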