* [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
@ 2022-01-06 8:42 Michael Niedermayer
2022-01-06 9:05 ` lance.lmwang
2022-01-06 9:52 ` Andreas Rheinhardt
0 siblings, 2 replies; 7+ messages in thread
From: Michael Niedermayer @ 2022-01-06 8:42 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: division by zero
Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/rawvideodec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
index 68547fc50ff..7581ba2c7d2 100644
--- a/libavformat/rawvideodec.c
+++ b/libavformat/rawvideodec.c
@@ -100,6 +100,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
if (packet_size < 0)
return packet_size;
}
+ if (packet_size == 0)
+ return AVERROR_INVALIDDATA;
st->codecpar->format = pix_fmt;
ctx->packet_size = packet_size;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
2022-01-06 8:42 [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size Michael Niedermayer
@ 2022-01-06 9:05 ` lance.lmwang
2022-01-06 9:52 ` Andreas Rheinhardt
1 sibling, 0 replies; 7+ messages in thread
From: lance.lmwang @ 2022-01-06 9:05 UTC (permalink / raw)
To: ffmpeg-devel
On Thu, Jan 06, 2022 at 09:42:03AM +0100, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/rawvideodec.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..7581ba2c7d2 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -100,6 +100,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> if (packet_size < 0)
> return packet_size;
> }
> + if (packet_size == 0)
> + return AVERROR_INVALIDDATA;
I prefer to return AVERROR(EINVAL).
>
> st->codecpar->format = pix_fmt;
> ctx->packet_size = packet_size;
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
--
Thanks,
Limin Wang
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
2022-01-06 8:42 [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size Michael Niedermayer
2022-01-06 9:05 ` lance.lmwang
@ 2022-01-06 9:52 ` Andreas Rheinhardt
1 sibling, 0 replies; 7+ messages in thread
From: Andreas Rheinhardt @ 2022-01-06 9:52 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: division by zero
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/rawvideodec.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..7581ba2c7d2 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -100,6 +100,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> if (packet_size < 0)
> return packet_size;
> }
> + if (packet_size == 0)
> + return AVERROR_INVALIDDATA;
>
> st->codecpar->format = pix_fmt;
> ctx->packet_size = packet_size;
>
1. I agree with Lance that AVERROR(EINVAL) is the proper error code;
after all, the dimensions are based upon options and not read from the
input.
2. The dimensions were checked by av_image_check_size() before
41f213c3bf629d549400e935e7f123e6cfa959ab.
3. The same can happen with bitpacked. Your check should also catch this.
4. But I don't see anything that actually ensures that the
multiplications do not overflow.
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
2022-01-07 16:51 Michael Niedermayer
2022-01-08 12:27 ` lance.lmwang
2022-01-10 9:17 ` Andreas Rheinhardt
@ 2022-01-13 18:44 ` Michael Niedermayer
2 siblings, 0 replies; 7+ messages in thread
From: Michael Niedermayer @ 2022-01-13 18:44 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 757 bytes --]
On Fri, Jan 07, 2022 at 05:51:11PM +0100, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/rawvideodec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
will apply
thx for the reviews
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The bravest are surely those who have the clearest vision
of what is before them, glory and danger alike, and yet
notwithstanding go out to meet it. -- Thucydides
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
2022-01-07 16:51 Michael Niedermayer
2022-01-08 12:27 ` lance.lmwang
@ 2022-01-10 9:17 ` Andreas Rheinhardt
2022-01-13 18:44 ` Michael Niedermayer
2 siblings, 0 replies; 7+ messages in thread
From: Andreas Rheinhardt @ 2022-01-10 9:17 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/rawvideodec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..387c4ba80f5 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> enum AVPixelFormat pix_fmt;
> AVStream *st;
> int packet_size;
> + int ret;
>
> st = avformat_new_stream(ctx, NULL);
> if (!st)
> @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>
> avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
>
> + ret = av_image_check_size(s->width, s->height, 0, ctx);
Looking at av_image_check_size() this seems to ensure that 8 * width
*height fits in an int. So this should indeed fix all the overflows.
> + if (ret < 0)
> + return ret;
> +
> st->codecpar->width = s->width;
> st->codecpar->height = s->height;
>
> @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> if (packet_size < 0)
> return packet_size;
> }
> + if (packet_size == 0)
> + return AVERROR(EINVAL);
>
> st->codecpar->format = pix_fmt;
> ctx->packet_size = packet_size;
>
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
2022-01-07 16:51 Michael Niedermayer
@ 2022-01-08 12:27 ` lance.lmwang
2022-01-10 9:17 ` Andreas Rheinhardt
2022-01-13 18:44 ` Michael Niedermayer
2 siblings, 0 replies; 7+ messages in thread
From: lance.lmwang @ 2022-01-08 12:27 UTC (permalink / raw)
To: ffmpeg-devel
On Fri, Jan 07, 2022 at 05:51:11PM +0100, Michael Niedermayer wrote:
> Fixes: division by zero
> Fixes: integer overflow
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/rawvideodec.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..387c4ba80f5 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> enum AVPixelFormat pix_fmt;
> AVStream *st;
> int packet_size;
> + int ret;
>
> st = avformat_new_stream(ctx, NULL);
> if (!st)
> @@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
>
> avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
>
> + ret = av_image_check_size(s->width, s->height, 0, ctx);
> + if (ret < 0)
> + return ret;
> +
> st->codecpar->width = s->width;
> st->codecpar->height = s->height;
>
> @@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> if (packet_size < 0)
> return packet_size;
> }
> + if (packet_size == 0)
> + return AVERROR(EINVAL);
>
> st->codecpar->format = pix_fmt;
> ctx->packet_size = packet_size;
> --
> 2.17.1
>
LGTM
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
--
Thanks,
Limin Wang
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
* [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
@ 2022-01-07 16:51 Michael Niedermayer
2022-01-08 12:27 ` lance.lmwang
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Michael Niedermayer @ 2022-01-07 16:51 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: division by zero
Fixes: integer overflow
Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/rawvideodec.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
index 68547fc50ff..387c4ba80f5 100644
--- a/libavformat/rawvideodec.c
+++ b/libavformat/rawvideodec.c
@@ -42,6 +42,7 @@ static int rawvideo_read_header(AVFormatContext *ctx)
enum AVPixelFormat pix_fmt;
AVStream *st;
int packet_size;
+ int ret;
st = avformat_new_stream(ctx, NULL);
if (!st)
@@ -62,6 +63,10 @@ static int rawvideo_read_header(AVFormatContext *ctx)
avpriv_set_pts_info(st, 64, s->framerate.den, s->framerate.num);
+ ret = av_image_check_size(s->width, s->height, 0, ctx);
+ if (ret < 0)
+ return ret;
+
st->codecpar->width = s->width;
st->codecpar->height = s->height;
@@ -100,6 +105,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
if (packet_size < 0)
return packet_size;
}
+ if (packet_size == 0)
+ return AVERROR(EINVAL);
st->codecpar->format = pix_fmt;
ctx->packet_size = packet_size;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-01-13 18:44 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-06 8:42 [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size Michael Niedermayer
2022-01-06 9:05 ` lance.lmwang
2022-01-06 9:52 ` Andreas Rheinhardt
2022-01-07 16:51 Michael Niedermayer
2022-01-08 12:27 ` lance.lmwang
2022-01-10 9:17 ` Andreas Rheinhardt
2022-01-13 18:44 ` Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git