From: Anton Khirnov <anton@khirnov.net>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
In-Reply-To: <20221125133846.GB3806951@pb2>
References: <20221122225652.1341-1-michael@niedermayer.cc>
 <Y4BkiUUWM/dO6gX0@4eb231a0d1b36cedda43a2a005befe4d>
 <20221125133846.GB3806951@pb2>
Mail-Followup-To: FFmpeg development discussions and patches
 <ffmpeg-devel@ffmpeg.org>
Date: Fri, 25 Nov 2022 15:11:32 +0100
Message-ID: <166938549275.4503.16165224502546034668@lain.khirnov.net>
User-Agent: alot/0.8.1
MIME-Version: 1.0
Subject: Re: [FFmpeg-devel] [PATCH 1/2] avcodec/pictordec: Check that the
 image fits in the input
Archived-At: <https://master.gitmailbox.com/ffmpegdev/166938549275.4503.16165224502546034668@lain.khirnov.net/>

Quoting Michael Niedermayer (2022-11-25 14:38:46)
> On Fri, Nov 25, 2022 at 05:45:29PM +1100, Peter Ross wrote:
> > On Tue, Nov 22, 2022 at 11:56:51PM +0100, Michael Niedermayer wrote:
> > > Fixes: Timeout
> > > Fixes: 53438/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5458939919859712
> > > 
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavcodec/pictordec.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
> > > index 71bad40a0a..09229b94fd 100644
> > > --- a/libavcodec/pictordec.c
> > > +++ b/libavcodec/pictordec.c
> > > @@ -162,6 +162,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
> > >  
> > >      if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
> > >          return -1;
> > > +    if (bytestream2_get_bytes_left(&s->g) < s->width * s->height / 65536 * 5)
> > > +        return AVERROR_INVALIDDATA;
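Review bot: the bound in the added `if` is zero for any image under 65536 pixels, because `s->width * s->height / 65536` truncates to 0 before the `* 5`, so the check only ever rejects input for larger frames and the partial last run is never counted; consider `(s->width * s->height + 65535) / 65536 * 5` or an explicit minimum, and spell out in a comment above the check where the 5 bytes (marker, run byte 0, 16-bit run, value) and the 65535-pixel maximum run come from, since nothing in the hunk explains the constants. The `s->width * s->height` product itself is safe here only because `av_image_check_size()` on the line above has already bounded the dimensions; that dependency is worth a word in the same comment.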
> > 
> > how did you arrive at this formula?
> 
> There are 2 coding modes, RLE and RAW.
> I assume usable raw images will need around W*H and thus more than RLE.
> RLE codes the most compressed runs by
> 1 byte for val (=marker)
> 1 byte run (=0)
> 2 bytes run
> 1 byte val
> That's 5 bytes and the maximum run we can code is 65535.
> 
> The RLE decoder loop exits before applying the last RLE run and then
> there is a separate piece of code after it that fills the last color to
> the end. I am not sure why it's done that way, but if I remove that
> mid exit the separate code piece becomes unused for all images I have,
> so it seems all RLE images are always fully coded with no special case
> at the end.
> Based on this I am guessing that my formula is correct for undamaged images,
> but of course I could find one tomorrow that exploits the special end
> handling and breaks this formula,
> and of course it's very possible that I missed some other thing that changes
> this limit.

This should be written in a comment above the code then, otherwise all
future readers will be completely clueless.

-- 
Anton Khirnov
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
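The size argument in the thread (5 bytes per run of at most 65535 pixels) as a worked example, written for this reply and not taken from libavcodec/pictordec.c: it builds the most compressed stream for a given pixel count, walks it back to count the pixels coded, and compares the true minimum with the bound the patch computes. The exact byte layout (marker, 1-byte run, run byte 0 followed by a little-endian 16-bit run, then the value; 8 bits per pixel; marker value 0xFF) is an assumption reconstructed from the description above, not verified against the decoder.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout from the thread's description (8 bits per pixel): a non-marker
 * byte is a literal pixel; marker, 1-byte run, value is the 3-byte short form;
 * run byte 0 means a little-endian 16-bit run follows (5-byte form, max 65535). */
#define MARKER  0xFF
#define MAX_RUN 65535u

/* Append one run of len (1..MAX_RUN) pixels of colour val; returns bytes written. */
static size_t emit_run(uint8_t *out, unsigned len, uint8_t val)
{
    size_t n = 0;
    out[n++] = MARKER;
    if (len < 256) out[n++] = (uint8_t)len;                            /* short form */
    else { out[n++] = 0; out[n++] = len & 0xff; out[n++] = len >> 8; } /* long form  */
    out[n++] = val;
    return n;
}

/* Most compressed stream coding exactly `pixels` pixels of one colour.
 * out needs room for 5 bytes per started run of 65535 pixels. */
static size_t min_rle_stream(unsigned pixels, uint8_t *out)
{
    size_t total = 0;
    while (pixels) {
        unsigned len = pixels < MAX_RUN ? pixels : MAX_RUN;
        total += emit_run(out + total, len, 0x2A);
        pixels -= len;
    }
    return total;
}

/* Count the pixels a stream codes; -1 if it is cut off inside a run. */
static long decode_pixels(const uint8_t *in, size_t n)
{
    long pixels = 0;
    for (size_t i = 0; i < n;) {
        if (in[i] != MARKER) { pixels++; i++; continue; }
        unsigned run = i + 1 < n ? in[i + 1] : 0;
        size_t need = run ? 3 : 5;
        if (i + need > n) return -1;
        if (!run) run = in[i + 2] | (in[i + 3] << 8);
        pixels += run; i += need;
    }
    return pixels;
}

/* The patch's bound: integer division makes it 0 for images under 65536 pixels. */
static int patch_bound(int w, int h) { return w * h / 65536 * 5; }
```

For 640x480 the smallest stream is 25 bytes while the patch demands only 20, and for 256x200 the patch demands nothing at all, so the check is conservative (never rejects a valid image under this model) but weaker than the derivation suggests.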