[FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size

Andreas Rheinhardt andreas.rheinhardt at outlook.com
Mon Jan 10 11:17:39 EET 2022


Michael Niedermayer:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/rawvideodec.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..387c4ba80f5 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>      enum AVPixelFormat pix_fmt;
>      AVStream *st;
>      int packet_size;
> +    int ret;
>  
>      st = avformat_new_stream(ctx, NULL);
>      if (!st)
> @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>  
>      avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
>  
> +    ret = av_image_check_size(s->width, s->height, 0, ctx);

Looking at av_image_check_size() this seems to ensure that 8 * width
*height fits in an int. So this should indeed fix all the overflows.

> +    if (ret < 0)
> +        return ret;
> +
>      st->codecpar->width  = s->width;
>      st->codecpar->height = s->height;
>  
> @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>          if (packet_size < 0)
>              return packet_size;
>      }
> +    if (packet_size == 0)
> +        return AVERROR(EINVAL);
>  
>      st->codecpar->format = pix_fmt;
>      ctx->packet_size = packet_size;
> 



More information about the ffmpeg-devel mailing list