Date: Fri, 25 Nov 2022 14:38:46 +0100
From: Michael Niedermayer
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 1/2] avcodec/pictordec: Check that the image fits in the input
Message-ID: <20221125133846.GB3806951@pb2>
References: <20221122225652.1341-1-michael@niedermayer.cc>

On Fri, Nov 25, 2022 at 05:45:29PM +1100, Peter Ross wrote:
> On Tue, Nov 22, 2022 at 11:56:51PM +0100, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 53438/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5458939919859712
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavcodec/pictordec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
> > index 71bad40a0a..09229b94fd 100644
> > --- a/libavcodec/pictordec.c
> > +++ b/libavcodec/pictordec.c
> > @@ -162,6 +162,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame,
> >  
> >      if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
> >          return -1;
> > +    if (bytestream2_get_bytes_left(&s->g) < s->width * s->height / 65536 * 5)
> > +        return AVERROR_INVALIDDATA;
> 
> how did you arrive at this formula?

There are 2 coding modes, RLE and RAW.
I assume usable raw images will need around W*H and thus more than RLE.

RLE codes the most compressed runs by
1 byte for val (=marker)
1 byte run (=0)
2 bytes run
1 byte val
That's 5 bytes, and the maximum run we can code is 65535.

The RLE decoder loop exits before applying the last RLE run and then there
is a separate piece of code after it that fills the last color to the end.
I am not sure why it's done that way, but if I remove that mid exit the
separate code piece becomes unused for all images I have, so it seems all
RLE images are always fully coded with no special case at the end.

Based on this I am guessing that my formula is correct for undamaged images,
but of course I could find one tomorrow that exploits the special end
handling and breaks this formula, and of course it's very possible that
I missed some other thing that changes this limit.

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many that live deserve death. And some that die deserve life. Can you give
it to them? Then do not be too eager to deal out death in judgement. For
even the very wise cannot see all ends.
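Review bot: the bound in the new check, `s->width * s->height / 65536 * 5`, divides before it multiplies, so for any image below 65536 pixels it evaluates to 0 and the check rejects nothing; that is safe, since a lower bound may only err on the small side, but neither the code nor the commit message says where the constants come from, which is exactly what the reviewer had to ask. Suggest a comment above the `if` carrying the derivation from the reply, e.g. `/* the shortest RLE run form costs 5 bytes and covers at most 65535 pixels, so a complete image needs at least this much input */`, together with a note that the bound assumes the decoder's trailing fill path is never needed by real files, because a file relying on it could legitimately be shorter. Minor: the new line returns `AVERROR_INVALIDDATA` while the `av_image_check_size` failure two lines above still returns a bare `-1`; worth aligning while touching this spot.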
-- Gandalf
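The arithmetic behind the bound discussed above, as an added example that is neither FFmpeg's code nor anything posted in this thread. It takes the run layout exactly as the reply describes it (marker byte, run byte of 0, 16-bit run, value byte), assumes little-endian order for the 16-bit run and a marker value of 0x20, and constructs its own solid-colour image inline; pictordec's real decoder and its trailing fill path are not reproduced. It compares the patch's truncating bound against the exact minimum, shows that the patch's bound is never larger than the exact one, and feeds a most-compressed stream and a one-byte-short copy of it through a bounds-checked decoder of that grammar.

```c
/* Added example, not FFmpeg code. Run grammar follows the mailing-list reply;
 * little-endian 16-bit run and MARKER = 0x20 are assumptions of this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RUN_BYTES 5      /* bytes spent on one maximal run */
#define MAX_RUN   65535  /* largest run a 16-bit length can express */
#define MARKER    0x20   /* assumed marker byte; any value works here */

/* The patch's lower bound. Integer division happens first, so images
 * below 65536 pixels get a bound of 0 and the check is a no-op for them. */
static int64_t patch_min_bytes(int64_t w, int64_t h)
{
    return w * h / 65536 * 5;
}

/* Exact minimum for an image coded entirely as maximal runs: ceil(w*h/65535)*5. */
static int64_t exact_min_bytes(int64_t w, int64_t h)
{
    return (w * h + MAX_RUN - 1) / MAX_RUN * RUN_BYTES;
}

/* The patch's test, mirrored: reject when fewer bytes remain than the bound. */
static int input_fits(int64_t w, int64_t h, int64_t bytes_left)
{
    return bytes_left >= patch_min_bytes(w, h);
}

/* 1 if the patch's bound never exceeds the exact one for all w,h <= maxdim. */
static int bound_is_conservative(int maxdim)
{
    for (int w = 1; w <= maxdim; w++)
        for (int h = 1; h <= maxdim; h++)
            if (patch_min_bytes(w, h) > exact_min_bytes(w, h))
                return 0;
    return 1;
}

/* Emit the most compressed stream for `pixels` pixels of colour `val`.
 * Returns the byte count, or 0 if `cap` is too small. */
static size_t encode_solid(uint8_t *out, size_t cap, int64_t pixels, uint8_t val)
{
    size_t n = 0;
    while (pixels > 0) {
        int run = pixels > MAX_RUN ? MAX_RUN : (int)pixels;
        if (n + RUN_BYTES > cap)
            return 0;
        out[n++] = MARKER;
        out[n++] = 0;                       /* run byte 0 selects the 16-bit form */
        out[n++] = (uint8_t)(run & 0xff);   /* assumed little-endian */
        out[n++] = (uint8_t)(run >> 8);
        out[n++] = val;
        pixels -= run;
    }
    return n;
}

/* Decode with the run grammar from the reply and count pixels produced.
 * Every read is bounds-checked, so truncated input returns -1 instead of
 * spinning, which is the failure mode the patch guards against. */
static int64_t decode_count(const uint8_t *in, size_t len, int64_t want)
{
    size_t pos = 0;
    int64_t pixels = 0;
    while (pixels < want) {
        if (pos >= len)
            return -1;
        int run = 1;
        if (in[pos++] == MARKER) {
            if (pos >= len)
                return -1;
            run = in[pos++];
            if (run == 0) {
                if (pos + 2 > len)
                    return -1;
                run = in[pos] | (in[pos + 1] << 8);
                pos += 2;
            }
            if (pos >= len)             /* the value byte */
                return -1;
            pos++;
        }
        pixels += run;
    }
    return pixels;
}

/* Bytes the most compressed encoding of a solid w*h image needs (0 if > 4096). */
static int64_t encoded_size(int64_t w, int64_t h)
{
    uint8_t buf[4096];
    return (int64_t)encode_solid(buf, sizeof buf, w * h, 7);
}

/* Encode a solid w*h image, cut `drop` trailing bytes, decode, and return the
 * pixel count: -1 on truncation, -2 if the image does not fit the buffer. */
static int64_t roundtrip(int64_t w, int64_t h, size_t drop)
{
    uint8_t buf[4096];
    size_t n = encode_solid(buf, sizeof buf, w * h, 7);
    if (n == 0 || drop > n)
        return -2;
    return decode_count(buf, n - drop, w * h);
}

int main(void)
{
    int64_t w = 1024, h = 1024;
    printf("patch bound %lld, exact %lld, encoded %lld, decoded %lld, one byte short %lld\n",
           (long long)patch_min_bytes(w, h), (long long)exact_min_bytes(w, h),
           (long long)encoded_size(w, h), (long long)roundtrip(w, h, 0),
           (long long)roundtrip(w, h, 1));
    return 0;
}
```

For a 1024x1024 image the patch's bound is 80 bytes while the exact minimum is 85, and a most-compressed stream is exactly 85 bytes; a 320x200 image falls under the 65536-pixel threshold, so the patch's bound is 0 and the check passes even with nothing left to read, which is the looseness the reviewer should know about.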