[FFmpeg-devel] [PATCH] avcodec/vp9_superframe_split_bsf: Check in size

Sat Mar 19 19:38:08 EET 2022

On Fri, Mar 18, 2022 at 06:56:19PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: Out of array read
> > Fixes: 45137/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_SPLIT_fuzzer-4984270639202304
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/vp9_superframe_split_bsf.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c
> > index ed0444561a..481484a4f0 100644
> > --- a/libavcodec/vp9_superframe_split_bsf.c
> > +++ b/libavcodec/vp9_superframe_split_bsf.c
> > @@ -51,7 +51,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
> >              return ret;
> >          in = s->buffer_pkt;
> >  
> > -        marker = in->data[in->size - 1];
> > +        marker = in->size ? in->data[in->size - 1] : 0;
> >          if ((marker & 0xe0) == 0xc0) {
> >              int length_size = 1 + ((marker >> 3) & 0x3);
> >              int   nb_frames = 1 + (marker & 0x7);
> 
> There is a second place in this BSF where data might be read in the
> absence of data, namely if one of the frames in a superframe have size
> of zero (its attempted to read its profile; no actual read takes place
> due to the checks of the get_bits API, but it is nevertheless invalid
> data). See
> https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-7-andreas.rheinhardt@gmail.com/;
> also see
> https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-11-andreas.rheinhardt@gmail.com/
> and
> https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-1-andreas.rheinhardt@gmail.com/

Why did you not apply your bugfixes ?
I think you should apply them

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you drop bombs on a foreign country and kill a hundred thousand
innocent people, expect your government to call the consequence
"unprovoked inhuman terrorist attacks" and use it to justify dropping
more bombs and killing more people. The technology changed, the idea is old.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20220319/0660dace/attachment.sig>