From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mark Thompson
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 23 Oct 2023 22:36:34 +0100
Subject: Re: [FFmpeg-devel] [PATCH 2/6] avcodec/cbs: Do not assert on traces beyond 255 bits
Message-ID: <14ffa41d-53b0-47b3-a1c3-1030b3a885b6@jkqxz.net>
In-Reply-To: <20231023205356.GD3543730@pb2>
References: <20231022003520.17154-1-michael@niedermayer.cc> <20231022003520.17154-2-michael@niedermayer.cc> <20231023205356.GD3543730@pb2>

On 23/10/2023 21:53, Michael Niedermayer wrote:
> On Sun, Oct 22, 2023 at 03:34:20PM +0100, Mark Thompson wrote:
>> On 22/10/2023 01:35, Michael Niedermayer wrote:
>>> Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517
>>> Fixes: 62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer
>>> ---
>>> libavcodec/cbs.c | 5 +++++
>>> 1 file changed, 5 insertions(+)
>>>
>>> diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
>>> index cdd7adebebd..2f5d0334a2a 100644
>>> --- a/libavcodec/cbs.c
>>> +++ b/libavcodec/cbs.c
>>> @@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context,
>>> position = get_bits_count(gbc);
>>> + if (length >= 256) {
>>> + av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated at 255\n", length);
>>> + length = 255;
>>> + }
>>> +
>>> av_assert0(length < 256);
>>> for (i = 0; i < length; i++)
>>> bits[i] = get_bits1(gbc) ? '1' : '0';
>>
>> IMO the assert is sensible (no syntax element is that large) and so this must be catching a bug somewhere else. Please don't nullify the assert to hide the bug.
>>
>> Can you share the input stream which hit this case?
>
> will mail it to you
>
> the backtrace is this:
>
> #7 0x505748 in ff_cbs_trace_read_log ffmpeg/libavcodec/cbs.c:517:5
> #8 0x5273f1 in cbs_av1_read_uvlc ffmpeg/libavcodec/cbs_av1.c:67:5
> #9 0x5273f1 in cbs_av1_read_timing_info ffmpeg/libavcodec/cbs_av1_syntax_template.c:168
> #10 0x5273f1 in cbs_av1_read_sequence_header_obu ffmpeg/libavcodec/cbs_av1_syntax_template.c:214
> #11 0x51278a in cbs_av1_read_unit ffmpeg/libavcodec/cbs_av1.c:856:19
> #12 0x4ff30a in cbs_read_fragment_content ffmpeg/libavcodec/cbs.c:209:15
> #13 0x4ff30a in cbs_read_data ffmpeg/libavcodec/cbs.c:276
> #14 0x4edc32 in trace_headers ffmpeg/libavcodec/trace_headers_bsf.c:113:11
> #15 0x4c9898 in LLVMFuzzerTestOneInput ffmpeg/tools/target_bsf_fuzzer.c:154:16
> #16 0x136900d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
> #17 0x135dbe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
> #18 0x1362de1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
> #19 0x135d8c0 in main Fuzzer/build/../FuzzerMain.cpp:20:10
> #20 0x7f456b8b8c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
> #21 0x41f179 in _start (ffmpeg/tools/target_bsf_trace_headers_fuzzer+0x41f179)

This is the case in , and would
be fixed by that patch. Since the problem is a dubious feature of the standard which other implementations then do not follow I would appreciate thoughts from other people on what to do with it, though.

Thanks,

- Mark
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
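Review bot: Clamping `length` to 255 immediately before `av_assert0(length < 256)` in the `ff_cbs_trace_read_log` hunk makes the assertion unreachable and hides the caller that produced the oversized length, which the backtrace places in `cbs_av1_read_uvlc` called from `cbs_av1_read_timing_info`; the bound (or rejection of the over-long uvlc code) belongs in that reader, not in the trace function. The clamp also changes bitstream state: the `for` loop consumes `length` bits from `gbc` via `get_bits1`, so after truncation the reader is left 255 bits in rather than at the end of the element, and a caller that relies on the trace re-reading exactly the element's bits ends up mis-positioned. If a defensive limit in the trace function is still wanted, it should at least skip the remaining `length - 255` bits (`skip_bits_long`) so the position stays consistent, and report the condition at `AV_LOG_ERROR` rather than at `ctx->trace_level`, where it is only visible when tracing is already enabled.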