[FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size

Michael Niedermayer michael at niedermayer.cc
Thu Jul 21 09:45:03 EEST 2022


On Thu, Jul 21, 2022 at 12:46:38AM +0200, Michael Niedermayer wrote:
> On Thu, Jul 21, 2022 at 12:17:22AM +0200, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > On Tue, Jul 19, 2022 at 08:37:38AM -0300, James Almer wrote:
> > >>
> > >>
> > >> On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> > >>> Fixes: Timeout
> > >>> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
> > >>>
> > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > >>> ---
> > >>>   libavcodec/ffv1dec.c | 6 +++++-
> > >>>   1 file changed, 5 insertions(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
> > >>> index 01ddcaa512..9bdac0be4e 100644
> > >>> --- a/libavcodec/ffv1dec.c
> > >>> +++ b/libavcodec/ffv1dec.c
> > >>> @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
> > >>>           if (buf_size < avctx->width * avctx->height / (128*8))
> > >>>               return AVERROR_INVALIDDATA;
> > >>>       } else {
> > >>> -        if (buf_size < avctx->height / 8)
> > >>> +        int i;
> > >>
> > >> for (int i...
> > > 
> > > will apply with that change
> > > 
> > > thx
> > > 
> > 
> > James' suggestion made you use an uninitialized i in the actual check;
> 
> yes
> 
> 
> > and even the original check is wrong, as one can overrun ff_log2_run
> > (unless there is a check that I am not missing). 
> 
> Theres a check but its too late
> 
> 
> > So it seems to me that
> > reverting 15785e044ee1265464bb4f3ed727e2a8074f97b4 is appropriate.
> 
> not against that but heres a quick fix attempt
> 
> 
> Author: Michael Niedermayer <michael at niedermayer.cc>
> Date:   Thu Jul 21 00:20:41 2022 +0200
> 
>     avcodec/ffv1dec: Fix AC_GOLOMB_RICE min size check

will apply this so the uninitialized read is fixed. If this has
some off by 1 error or something that can be adjusted later
dont want to leave this bug open

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No great genius has ever existed without some touch of madness. -- Aristotle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220721/d85ffc20/attachment.sig>


More information about the ffmpeg-devel mailing list