[FFmpeg-devel] [PATCH 5/5] avcodec/cbs_apv_syntax_template: Check tile_data_size

Wed Jul 30 00:51:44 EEST 2025

On Sat, Jun 21, 2025 at 11:15:21PM +0200, Michael Niedermayer wrote:
> Fixes: heap-buffer-overflow
> Fixes: 418421333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-6592025183191040
> Fixes: 418804929/clusterfuzz-testcase-minimized-ffmpeg_BSF_APV_METADATA_fuzzer-5773904646045696
> Fixes: 420737045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-5535272169439232
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/cbs_apv_syntax_template.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavcodec/cbs_apv_syntax_template.c b/libavcodec/cbs_apv_syntax_template.c
> index fc8a08ff31d..b84565b1076 100644
> --- a/libavcodec/cbs_apv_syntax_template.c
> +++ b/libavcodec/cbs_apv_syntax_template.c
> @@ -236,6 +236,8 @@ static int FUNC(tile)(CodedBitstreamContext *ctx, RWContext *rw,
>  #ifdef READ
>          int pos = get_bits_count(rw);
>          av_assert0(pos % 8 == 0);
> +        if (get_bits_left(rw) < 8LL * comp_size)
> +            return AVERROR_INVALIDDATA;
>          current->tile_data[c] = (uint8_t*)align_get_bits(rw);
>          skip_bits_long(rw, 8 * comp_size);
>  #else

will apply

there has been a similar patch posted to ffmpeg-security that adds this error
message:

+            av_log(ctx->log_ctx, AV_LOG_ERROR,
+                   "Tile component size %u exceeds unit data remaining " \
+                   "(%d bytes left for %u declared).\n",
+                   comp_size, get_bits_left(rw) / 8, comp_size);

what do people think of this ?
should we add more detailed error messages ?

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The educated differ from the uneducated as much as the living from the
dead. -- Aristotle 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20250729/6686e24a/attachment.sig>