[FFmpeg-devel] [PATCH 2/5] avcodec/xpmdec: Check size before allocation to avoid truncation

James Almer jamrial at gmail.com
Fri Jan 13 22:53:20 EET 2023


On 1/13/2023 5:49 PM, Michael Niedermayer wrote:
> On Thu, Jan 12, 2023 at 09:11:35PM -0300, James Almer wrote:
>>
>>
>> On 1/12/2023 9:01 PM, Michael Niedermayer wrote:
>>> Fixes:OOM
>>> Fixes:out of array access (no testcase)
>>> Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-6573323838685184
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> ---
>>>    libavcodec/xpmdec.c | 3 +++
>>>    1 file changed, 3 insertions(+)
>>>
>>> diff --git a/libavcodec/xpmdec.c b/libavcodec/xpmdec.c
>>> index ff1f51dd32..504cc47d8f 100644
>>> --- a/libavcodec/xpmdec.c
>>> +++ b/libavcodec/xpmdec.c
>>> @@ -356,6 +356,9 @@ static int xpm_decode_frame(AVCodecContext *avctx, AVFrame *p,
>>>        size *= 4;
>>> +    if (size > SIZE_MAX)
>>> +        return AVERROR(ENOMEM);
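Review bot: the `if (size > SIZE_MAX)` test sits after `size *= 4;`, so it only sees the already multiplied value and cannot detect a wrap in the multiplication itself. Where `size` is a 64-bit type and `size_t` is also 64 bits wide, the comparison cannot reject anything. Bounding the operand ahead of the multiply, for example `if (size > SIZE_MAX / 4) return AVERROR(ENOMEM);` placed before `size *= 4;`, covers both cases. The commit message also lists an out-of-array access with no testcase; a sentence naming which later access relies on the truncated size would make the fix easier to audit.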
>>
>> Maybe check for (size > SIZE_MAX / 4) before the multiplication above
>> instead.
> 
> what is the advantage of this ?

An int64_t value will never be bigger than or equal to SIZE_MAX on 64-bit
targets, so maybe some compiler out there will warn about it.

> 
> thx
> 
> [...]


More information about the ffmpeg-devel mailing list
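The two orderings discussed in this thread, side by side, as an added example that is not part of the original messages or of FFmpeg's code. The helper names and the `size_max` parameter (standing in for the target's `SIZE_MAX`) are assumptions, and `-ENOMEM` stands in for `AVERROR(ENOMEM)`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* size_max stands in for the target's SIZE_MAX (demo assumption), so the
 * 32-bit and 64-bit cases can both be run on any host. */

/* Multiply first, compare afterwards. */
static int scale_then_check(int64_t size, uint64_t size_max, uint64_t *out)
{
    /* Unsigned multiply keeps the demo free of undefined behaviour while
     * still showing the wrapped value a 64-bit multiply can leave behind. */
    uint64_t scaled = (uint64_t)size * 4;
    if (scaled > size_max)          /* never true when size_max is UINT64_MAX */
        return -ENOMEM;
    *out = scaled;
    return 0;
}

/* Bound the operand first, then multiply. */
static int check_then_scale(int64_t size, uint64_t size_max, uint64_t *out)
{
    if (size < 0 || (uint64_t)size > size_max / 4)
        return -ENOMEM;
    /* The result is kept unsigned here; code that stores it back into an
     * int64_t must bound the operand by INT64_MAX / 4 as well. */
    *out = (uint64_t)size * 4;
    return 0;
}

int main(void)
{
    const int64_t huge = ((int64_t)1 << 62) + 1;   /* constructed input */
    uint64_t out = 0;
    int ret;

    ret = scale_then_check(huge, UINT64_MAX, &out);
    printf("64-bit, check after:  ret=%d size=%llu\n", ret,
           (unsigned long long)out);
    ret = check_then_scale(huge, UINT64_MAX, &out);
    printf("64-bit, check before: ret=%d\n", ret);
    ret = scale_then_check(0x40000000, UINT32_MAX, &out);
    printf("32-bit, check after:  ret=%d\n", ret);
    return 0;
}
```

With a 64-bit limit the check-after variant accepts the constructed input and reports a size of 4, while the check-before variant rejects it.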