[FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Fix infinite loop with bz decompression

[FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Fix infinite loop with bz decompression

[Michael Niedermayer]

Fixes: Infinite loop
Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/matroskadec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index d165f6ab90..5a9acfb247 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1742,7 +1742,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size,
     case MATROSKA_TRACK_ENCODING_COMP_BZLIB:
     {
         bz_stream bzstream = { 0 };
-        if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
+        if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
             return -1;
         bzstream.next_in  = data;
         bzstream.avail_in = isize;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 2/2] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()

[Michael Niedermayer]

Fixes: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff
Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 940703e87d..cee86ae87b 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1244,7 +1244,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf,
         key_len = ptr - key;
 
         callback_get_buf(context, key, key_len, &dest, &dest_len);
-        dest_end = dest + dest_len - 1;
+        dest_end = dest ? dest + dest_len - 1 : NULL;
 
         if (*ptr == '\"') {
             ptr++;
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Fix infinite loop with bz decompression

[Andreas Rheinhardt]

Michael Niedermayer:
> Fixes: Infinite loop
> Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/matroskadec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> index d165f6ab90..5a9acfb247 100644
> --- a/libavformat/matroskadec.c
> +++ b/libavformat/matroskadec.c
> @@ -1742,7 +1742,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size,
>      case MATROSKA_TRACK_ENCODING_COMP_BZLIB:
>      {
>          bz_stream bzstream = { 0 };
> -        if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
> +        if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
>              return -1;
>          bzstream.next_in  = data;
>          bzstream.avail_in = isize;

I see nothing in the zlib-API manual that would preclude this from
happening with zlib, too, so it should be checked there, too.
LGTM apart from that.

- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Fix infinite loop with bz decompression

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1701 bytes --]

On Fri, Feb 04, 2022 at 04:29:18AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: Infinite loop
> > Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/matroskadec.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> > index d165f6ab90..5a9acfb247 100644
> > --- a/libavformat/matroskadec.c
> > +++ b/libavformat/matroskadec.c
> > @@ -1742,7 +1742,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size,
> >      case MATROSKA_TRACK_ENCODING_COMP_BZLIB:
> >      {
> >          bz_stream bzstream = { 0 };
> > -        if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
> > +        if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
> >              return -1;
> >          bzstream.next_in  = data;
> >          bzstream.avail_in = isize;
> 
> I see nothing in the zlib-API manual that would preclude this from
> happening with zlib, too, so it should be checked there, too.
> LGTM apart from that.

It didnt happen with the same case when i just routed it to the zlib
instead of bz case. But i didnt look what happened exactly

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Whats the most studid thing your enemy could do ? Blow himself up
Whats the most studid thing you could do ? Give up your rights and
freedom because your enemy blew himself up.


[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 1/2] avformat/matroskadec: Fix infinite loop with bz decompression

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 1991 bytes --]

On Fri, Feb 04, 2022 at 04:07:10PM +0100, Michael Niedermayer wrote:
> On Fri, Feb 04, 2022 at 04:29:18AM +0100, Andreas Rheinhardt wrote:
> > Michael Niedermayer:
> > > Fixes: Infinite loop
> > > Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624
> > > 
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >  libavformat/matroskadec.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> > > index d165f6ab90..5a9acfb247 100644
> > > --- a/libavformat/matroskadec.c
> > > +++ b/libavformat/matroskadec.c
> > > @@ -1742,7 +1742,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size,
> > >      case MATROSKA_TRACK_ENCODING_COMP_BZLIB:
> > >      {
> > >          bz_stream bzstream = { 0 };
> > > -        if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
> > > +        if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK)
> > >              return -1;
> > >          bzstream.next_in  = data;
> > >          bzstream.avail_in = isize;
> > 
> > I see nothing in the zlib-API manual that would preclude this from
> > happening with zlib, too, so it should be checked there, too.
> > LGTM apart from that.
> 
> It didnt happen with the same case when i just routed it to the zlib
> instead of bz case. But i didnt look what happened exactly

will apply with the check for zlib too, it feels like a good idea even when
it seems not needed

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The day soldiers stop bringing you their problems is the day you have stopped 
leading them. They have either lost confidence that you can help or concluded 
you do not care. Either case is a failure of leadership. - Colin Powell

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 2/2] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 675 bytes --]

On Fri, Feb 04, 2022 at 01:58:11AM +0100, Michael Niedermayer wrote:
> Fixes: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff
> Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/utils.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is what and why we do it that matters, not just one of them.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".