[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Michael Niedermayer michael at niedermayer.cc
Tue Mar 30 19:49:35 EEST 2021 

On Sun, Dec 20, 2020 at 10:15:24PM +0100, Michael Niedermayer wrote:
> This is based on the encoder and a small number of CFHD sample files
> It should make the decoder more robust against crafted input.
> Due to the lack of a proper specification it is possible that this
> may be too strict and may need to be tuned as files not following this
> ordering are found.
> 
> Fixes: segfault
> Fixes: OOM
> Fixes: null pointer dereference
> Fixes: left shift of negative value -12
> Fixes: out of array write
> Fixes: 25367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4865603750592512
> Fixes: 25958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4851579923202048
> Fixes: 25988/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5643617157513216
> Fixes: 25995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5177442380283904
> Fixes: 25996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5663296026574848
> Fixes: 26082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5126180416782336
> Fixes: 27872/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4916296355151872
> Fixes: 28305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6041755829010432

The following issues have been found by the fuzzer in CFHD since this was posted
With this applied none is reproducable


29754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6333598414274560
==18805==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000d6875d bp 0x000000000000 sp 0x7ffde47353d8 T0)
==18805==The signal is caused by a READ memory access.
==18805==Hint: address points to the zero page.
    #0 0xd6875c in ff_cfhd_vert_filter_sse2 libavcodec/x86/cfhddsp.asm:383



30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6298424511168512
libavcodec/cfhddsp.c:36:41: runtime error: load of null pointer of type 'const int16_t' (aka 'const short')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/cfhddsp.c:36:41 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18874==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005450d5 bp 0x7ffc0a6c6ee0 sp 0x7ffc0a6c6d60 T0)
==18874==The signal is caused by a READ memory access.
==18874==Hint: address points to the zero page.
    #0 0x5450d4 in filter libavcodec/cfhddsp.c:36:41
    #1 0x5450d4 in vert_filter libavcodec/cfhddsp.c:74
    #2 0x528cea in cfhd_decode libavcodec/cfhd.c:1167:13
    #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
    #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
    #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
    #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15



30739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5011292836462592
==18879==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2aa32a684e at pc 0x00000053ee8f bp 0x7ffca5380fe0 sp 0x7ffca5380fd8
WRITE of size 2 at 0x7f2aa32a684e thread T0
    #0 0x53ee8e in interlaced_vertical_filter libavcodec/cfhd.c:204:30
    #1 0x52c088 in cfhd_decode libavcodec/cfhd.c:1273:21
    #2 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
    #3 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
    #4 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
    #5 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15


    
32124/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5425980681355264
==18753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f3a5006284e at pc 0x00000054c97e bp 0x7ffc0327a620 sp 0x7ffc0327a618
WRITE of size 2 at 0x7f3a5006284e thread T0
    #0 0x54c97d in filter libavcodec/cfhddsp.c:52:36
    #1 0x54c97d in horiz_filter_clip libavcodec/cfhddsp.c:97
    #2 0x52cbed in cfhd_decode libavcodec/cfhd.c:1239:21
    #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
    #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
    #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
    #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20210330/b3e4d3e1/attachment.sig>

More information about the ffmpeg-devel mailing list