[FFmpeg-devel] [PATCH] cbs_sei: Detect payload overflows when reading SEI messages

Michael Niedermayer michael at niedermayer.cc
Sun Feb 21 22:58:50 EET 2021


On Tue, Feb 02, 2021 at 08:58:11PM +0000, Mark Thompson wrote:
> The top-level GetBitContext is sized for the whole NAL unit, so it fails
> to detect overflows where a payload continues into the following message.
> To fix that, we make a new context on the stack for reading each payload.
> ---
> On 01/02/2021 22:31, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 29892/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-6310830956216320
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >   libavcodec/cbs_sei_syntax_template.c | 2 ++
> >   1 file changed, 2 insertions(+)
> > 
> > diff --git a/libavcodec/cbs_sei_syntax_template.c b/libavcodec/cbs_sei_syntax_template.c
> > index 9114e61ff6..3b9bc942f5 100644
> > --- a/libavcodec/cbs_sei_syntax_template.c
> > +++ b/libavcodec/cbs_sei_syntax_template.c
> > @@ -178,6 +178,8 @@ static int FUNC(message)(CodedBitstreamContext *ctx, RWContext *rw,
> >               GetBitContext tmp = *rw;
> >               int trailing_bits, trailing_zero_bits;
> > +            if (8 * current->payload_size < bits_written)
> > +                return AVERROR_INVALIDDATA;
> >               bits_left = 8 * current->payload_size - bits_written;
> >               if (bits_left > 8)
> >                   skip_bits_long(&tmp, bits_left - 8);
> > 
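Review bot: The guard on the two `+` lines stops `bits_left` from underflowing, but it only fires after the payload has already been overread, because `bits_written` can only exceed `8 * current->payload_size` once the reader copied into `tmp` from the NAL-sized `rw` has run on into the following message; consider also bounding the payload reader to `current->payload_size` so the overread itself is rejected at the read, and add a one-line comment above the check stating that `bits_written` may exceed the declared payload size on malformed input, since the reason for the early `AVERROR_INVALIDDATA` is not obvious from the surrounding lines.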
> So it looks like the actual problem is that we don't detect payload overflow, so the calculation here underflows if the payload is invalid such that we read more bits than there actually are.
> 
> How about this answer, which tries to fix the general problem by detecting overflow properly - does it fix your fuzzed case?

yes

thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If the United States is serious about tackling the national security threats 
related to an insecure 5G network, it needs to rethink the extent to which it
values corporate profits and government espionage over security.-Bruce Schneier
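The overflow Mark describes in the quoted text, shown as an added C example that is not FFmpeg code and does not reproduce FFmpeg's bit-reader API: a small bit reader, a toy SEI-like message layout (type u(8), size u(8), payload) with a constructed payload syntax, and two constructed NAL byte strings. `parse_sei_nal` reads every payload either from the NAL-sized reader and relies on an after-the-fact size check, as the quoted patch does, or from a fresh reader bounded to `payload_size`, as Mark's reply proposes; all names, the payload syntax and the sample bytes are assumptions made for this example.

```c
/* Added example, not FFmpeg code: why a per-payload bit reader detects an SEI
 * payload overrun at the read, while a NAL-sized reader only notices it later. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1)

typedef struct BitReader {
    const uint8_t *buf;
    size_t size_bits;   /* bound of this reader: NAL or single payload */
    size_t pos_bits;
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_bytes) {
    br->buf = buf;
    br->size_bits = size_bytes * 8;
    br->pos_bits = 0;
}

/* Read n (1..32) bits MSB-first; fails if fewer than n bits remain in bound. */
static int br_read(BitReader *br, unsigned n, uint32_t *out) {
    if (n > 32 || n > br->size_bits - br->pos_bits)
        return ERR_INVALIDDATA;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t p = br->pos_bits + i;
        v = (v << 1) | ((br->buf[p >> 3] >> (7 - (p & 7))) & 1);
    }
    br->pos_bits += n;
    *out = v;
    return 0;
}

/* Toy payload syntax (constructed, not a real SEI payload type):
 *   count u(8), then count x value u(16). Counts the bits it consumed. */
static int parse_payload(BitReader *rw, int *bits_written) {
    uint32_t count, v;
    int err;
    *bits_written = 0;
    if ((err = br_read(rw, 8, &count)) < 0) return err;
    *bits_written += 8;
    for (uint32_t i = 0; i < count; i++) {
        if ((err = br_read(rw, 16, &v)) < 0) return err;
        *bits_written += 16;
    }
    return 0;
}

/* bound_per_payload = 0: payload read from the NAL-sized reader, overrun caught
 *   only by the after-the-fact check (the quoted patch's approach);
 * bound_per_payload = 1: each payload gets its own reader sized to payload_size
 *   (Mark's approach), so the overrun fails inside br_read.
 * *overread_bits: how far past payload_size the read went before detection. */
static int parse_sei_nal(const uint8_t *nal, size_t len, int bound_per_payload,
                         int *n_messages, int *overread_bits) {
    BitReader rw;
    br_init(&rw, nal, len);
    *n_messages = 0;
    *overread_bits = 0;
    while (rw.size_bits - rw.pos_bits >= 16) {     /* stop at trailing bits */
        uint32_t type, size;
        int bits_written, err;
        if ((err = br_read(&rw, 8, &type)) < 0) return err;
        if ((err = br_read(&rw, 8, &size)) < 0) return err;
        if (8 * size > rw.size_bits - rw.pos_bits)
            return ERR_INVALIDDATA;                /* payload cannot fit in NAL */
        if (bound_per_payload) {
            BitReader payload;                     /* reader on the stack, bounded */
            br_init(&payload, nal + rw.pos_bits / 8, size);
            if ((err = parse_payload(&payload, &bits_written)) < 0)
                return err;                        /* caught at the read */
            rw.pos_bits += 8 * size;               /* resync to next message */
        } else {
            if ((err = parse_payload(&rw, &bits_written)) < 0)
                return err;
            if (8 * size < (uint32_t)bits_written) {
                *overread_bits = bits_written - 8 * (int)size;
                return ERR_INVALIDDATA;            /* caught only afterwards */
            }
            rw.pos_bits += 8 * size - bits_written; /* skip unconsumed bytes */
        }
        (*n_messages)++;
    }
    return 0;
}

/* Constructed sample NALs (not captured from any real stream). */
static const uint8_t VALID_NAL[] = {
    0x05, 0x03, 0x01, 0x12, 0x34,   /* message 1: one value 0x1234 */
    0x05, 0x03, 0x01, 0xAB, 0xCD,   /* message 2: one value 0xABCD */
    0x80 };                         /* trailing bits */
static const uint8_t OVERFLOW_NAL[] = {
    0x05, 0x03, 0x03, 0x12, 0x34,   /* message 1 claims 3 values in 3 bytes */
    0x05, 0x03, 0x01, 0xAB, 0xCD,
    0x80 };

/* Single-value wrappers so each outcome can be checked directly. */
static int nal_status(const uint8_t *nal, size_t len, int bound) {
    int n, over; return parse_sei_nal(nal, len, bound, &n, &over); }
static int nal_messages(const uint8_t *nal, size_t len, int bound) {
    int n, over; parse_sei_nal(nal, len, bound, &n, &over); return n; }
static int nal_overread(const uint8_t *nal, size_t len, int bound) {
    int n, over; parse_sei_nal(nal, len, bound, &n, &over); return over; }

int main(void) {
    for (int bound = 0; bound <= 1; bound++)
        printf("%s reader: err=%d overread_bits=%d\n",
               bound ? "payload-bound" : "NAL-bound",
               nal_status(OVERFLOW_NAL, sizeof(OVERFLOW_NAL), bound),
               nal_overread(OVERFLOW_NAL, sizeof(OVERFLOW_NAL), bound));
    return 0;
}
```

With the NAL-sized reader, the malformed first message is parsed 32 bits into the second message before the size check rejects it; with the payload-bound reader the second 16-bit value is refused at the read and nothing past the declared payload is consumed.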