[FFmpeg-devel] [PATCH] avcodec/vqavideo: Use GetByteContext and check for end

Michael Niedermayer michael at niedermayer.cc
Mon Nov 29 18:12:59 EET 2021


On Mon, Nov 29, 2021 at 04:00:27PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array access
> > Fixes: Timeout
> > Fixes: 40481/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6502647583080448
> > 
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/vqavideo.c | 15 ++++++++++-----
> >  1 file changed, 10 insertions(+), 5 deletions(-)
> > 
> > diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
> > index 5466e25cdf1..755abf6bafa 100644
> > --- a/libavcodec/vqavideo.c
> > +++ b/libavcodec/vqavideo.c
> > @@ -633,7 +633,7 @@ static int vqa_decode_frame_hicolor(VqaContext *s, AVFrame *frame)
> >      int vptr_chunk = -1;
> >      int vprz_chunk = -1;
> >  
> > -    const unsigned char *stream;
> > +    GetByteContext gb_stream;
> >  
> >      while (bytestream2_get_bytes_left(&s->gb) >= 8) {
> >          chunk_type = bytestream2_get_be32u(&s->gb);
> > @@ -722,7 +722,7 @@ static int vqa_decode_frame_hicolor(VqaContext *s, AVFrame *frame)
> >  
> >      /* now uncompress the per-row RLE of the decode buffer and draw the blocks in framebuffer */
> >  
> > -    stream = (unsigned char*)s->decode_buffer;
> > +    bytestream2_init(&gb_stream, s->decode_buffer, s->decode_buffer_size);
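
Review bot: the bound passed to `bytestream2_init` here is `s->decode_buffer_size`, i.e. the allocated size of the buffer, not the number of bytes the preceding decompression step actually produced into it. That is enough to stop reads past the allocation, which is the out-of-array access this patch targets, but if the decompression can leave the tail of the buffer unwritten, the RLE loop below will now consume stale or zero bytes from that tail instead of stopping; if a produced-length count is available, initializing the context with that length would make the end-of-data check exact.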
> >  
> >      for (int y_pos = 0; y_pos < s->height; y_pos += s->vector_height) {
> >          int x_pos = 0;
> > @@ -730,9 +730,14 @@ static int vqa_decode_frame_hicolor(VqaContext *s, AVFrame *frame)
> >          while (x_pos < s->width) {
> >              int vector_index = 0;
> >              int count = 0;
> > -            uint16_t code = bytestream_get_le16(&stream);
> > +            uint16_t code;
> >              int type;
> >  
> > +            if (bytestream2_get_bytes_left(&gb_stream) < 1)
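
Review bot: the check `bytestream2_get_bytes_left(&gb_stream) < 1` guards a 16-bit read (the removed line fetched `code` with `bytestream_get_le16(&stream)`, and the new code presumably fetches it from `gb_stream` in the lines cut off below), so the condition should be `< 2`; with `< 1` a single trailing byte passes the check and the two-byte read still runs short. Note also that the checked `bytestream2_get_le16` variant returns 0 rather than reading out of bounds when the data is exhausted, so the explicit check is what turns that case into an early exit from the loop, which is the behaviour the "Timeout" fix depends on; it is worth making the exit path visible in the hunk so the loop provably terminates once the buffer is consumed.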
> 
> Why are you only checking for one byte to be present although you read
> two bytes immediately afterwards?

Because I apparently cannot count to 2.
I will fix that before applying.
Thx


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle