[FFmpeg-devel] [PATCH 3/3] avcodec/hapdec: Check that compressed_offset is non negative

Michael Niedermayer michael at niedermayer.cc
Fri Feb 19 22:16:09 EET 2021


On Thu, Feb 04, 2021 at 12:02:07PM +0100, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2021-01-30 20:28:26)
> > Fixes: out of array access
> > Fixes: 29345/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HAP_fuzzer-5401813482340352
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/hapdec.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c
> > index ab364aa790..260fda2968 100644
> > --- a/libavcodec/hapdec.c
> > +++ b/libavcodec/hapdec.c
> > @@ -86,6 +86,8 @@ static int hap_parse_decode_instructions(HapContext *ctx, int size)
> >                      return ret;
> >                  for (i = 0; i < section_size / 4; i++) {
> >                      ctx->chunks[i].compressed_offset = bytestream2_get_le32(gbc);
> > +                    if (ctx->chunks[i].compressed_offset < 0)
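
Review bot: The `< 0` test added right after the `bytestream2_get_le32(gbc)` read only works while `compressed_offset` is a signed type, because `bytestream2_get_le32()` returns an unsigned 32-bit value and any offset of 0x80000000 or above reaches the check only through an unsigned-to-signed conversion. Declaring the field as `uint32_t` and validating it against the size of the remaining input where it is consumed would cover both the lower and the upper bound and make this test unnecessary. The body of the `if` is cut off in the quote, so the error code it returns cannot be checked here; it should be `AVERROR_INVALIDDATA`, and a short comment naming the out-of-array access would help the next reader.
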
> 
> Would it not be better to change compressed_offset to uint32 or size_t?

It's more work to change the type of a variable as there is more
to check. But I agree that an unsigned 32bit should be better (in theory) to
hold these 32bit

Will post a new patch

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If the United States is serious about tackling the national security threats 
related to an insecure 5G network, it needs to rethink the extent to which it
values corporate profits and government espionage over security.-Bruce Schneier