[FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Paul B Mahol onemda at gmail.com
Wed Mar 31 21:26:51 EEST 2021


I cannot reproduce any crash either with address sanitizer or valgrind
with the samples you provided.
Are you sure this applies to master?

On Tue, Mar 30, 2021 at 7:50 PM Paul B Mahol <onemda at gmail.com> wrote:

> Please share files privately, do not apply non fix for this issue.
>
> Give up on such a non-solution.
>
> On Tue, Mar 30, 2021 at 6:49 PM Michael Niedermayer <michael at niedermayer.cc> wrote:
>
>> On Sun, Dec 20, 2020 at 10:15:24PM +0100, Michael Niedermayer wrote:
>> > This is based on the encoder and a small number of CFHD sample files
>> > It should make the decoder more robust against crafted input.
>> > Due to the lack of a proper specification it is possible that this
>> > may be too strict and may need to be tuned as files not following this
>> > ordering are found.
>> >
>> > Fixes: segfault
>> > Fixes: OOM
>> > Fixes: null pointer dereference
>> > Fixes: left shift of negative value -12
>> > Fixes: out of array write
>> > Fixes: 25367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4865603750592512
>> > Fixes: 25958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4851579923202048
>> > Fixes: 25988/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5643617157513216
>> > Fixes: 25995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5177442380283904
>> > Fixes: 25996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5663296026574848
>> > Fixes: 26082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5126180416782336
>> > Fixes: 27872/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4916296355151872
>> > Fixes: 28305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6041755829010432
>>
>> The following issues have been found by the fuzzer in CFHD since this was posted.
>> With this applied none is reproducible.
>>
>>
>>
>> 29754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6333598414274560
>> ==18805==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
>> (pc 0x000000d6875d bp 0x000000000000 sp 0x7ffde47353d8 T0)
>> ==18805==The signal is caused by a READ memory access.
>> ==18805==Hint: address points to the zero page.
>>     #0 0xd6875c in ff_cfhd_vert_filter_sse2 libavcodec/x86/cfhddsp.asm:383
>>
>>
>>
>>
>> 30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6298424511168512
>> libavcodec/cfhddsp.c:36:41: runtime error: load of null pointer of type
>> 'const int16_t' (aka 'const short')
>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
>> libavcodec/cfhddsp.c:36:41 in
>> AddressSanitizer:DEADLYSIGNAL
>> =================================================================
>> ==18874==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
>> (pc 0x0000005450d5 bp 0x7ffc0a6c6ee0 sp 0x7ffc0a6c6d60 T0)
>> ==18874==The signal is caused by a READ memory access.
>> ==18874==Hint: address points to the zero page.
>>     #0 0x5450d4 in filter libavcodec/cfhddsp.c:36:41
>>     #1 0x5450d4 in vert_filter libavcodec/cfhddsp.c:74
>>     #2 0x528cea in cfhd_decode libavcodec/cfhd.c:1167:13
>>     #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
>>     #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
>>     #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
>>     #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15
>>
>>
>>
>>
>> 30739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5011292836462592
>> ==18879==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x7f2aa32a684e at pc 0x00000053ee8f bp 0x7ffca5380fe0 sp 0x7ffca5380fd8
>> WRITE of size 2 at 0x7f2aa32a684e thread T0
>>     #0 0x53ee8e in interlaced_vertical_filter libavcodec/cfhd.c:204:30
>>     #1 0x52c088 in cfhd_decode libavcodec/cfhd.c:1273:21
>>     #2 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
>>     #3 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
>>     #4 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
>>     #5 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15
>>
>>
>>
>>
>> 32124/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5425980681355264
>> ==18753==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x7f3a5006284e at pc 0x00000054c97e bp 0x7ffc0327a620 sp 0x7ffc0327a618
>> WRITE of size 2 at 0x7f3a5006284e thread T0
>>     #0 0x54c97d in filter libavcodec/cfhddsp.c:52:36
>>     #1 0x54c97d in horiz_filter_clip libavcodec/cfhddsp.c:97
>>     #2 0x52cbed in cfhd_decode libavcodec/cfhd.c:1239:21
>>     #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
>>     #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
>>     #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
>>     #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15
>>
>>
>> [...]
>> --
>> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>>
>> If you think the mosad wants you dead since a long time then you are either
>> wrong or dead since a long time.

