From: Michael Niedermayer
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 3 Oct 2023 00:23:44 +0200
Message-ID: <20231002222344.GC2105706@pb2>
In-Reply-To: <20230905212547.00596410A28@natalya.videolan.org>
Subject: Re: [FFmpeg-devel] [FFmpeg-cvslog] avcodec/hcadec: support decoding with extradata provided in first packet

Hi

On Tue, Sep 05, 2023 at 09:25:45PM +0000, Paul B Mahol wrote:
> ffmpeg | branch: master | Paul B Mahol | Tue Sep  5 23:14:58 2023 +0200| [d464a687c9dd03246795d62151809167e8381932] | committer: Paul B Mahol
> 
> avcodec/hcadec: support decoding with extradata provided in first packet

I cannot find this patch on the mailing list

Also this adds null pointer writes
The init_hca() function which previously was only called once and failure
ended all further processing now is called optionally per frame and its
failure does not stop further processing so half initialized contexts can
be created by an attacker

Note, this sort of stuff delays the release

thx

[...]
> @@ -385,16 +404,34 @@ static int decode_frame(AVCodecContext *avctx, AVFr= ame *frame, > int *got_frame_ptr, AVPacket *avpkt) > { > HCAContext *c =3D avctx->priv_data; > - int ch, ret, packed_noise_level; > + int ch, offset =3D 0, ret, packed_noise_level; > GetBitContext gb0, *const gb =3D &gb0; > float **samples; > =20 > + if (avpkt->size <=3D 8) > + return AVERROR_INVALIDDATA; > + > + if (AV_RN16(avpkt->data) !=3D 0xFFFF) { > + if (AV_RL32(avpkt->data) !=3D MKTAG('H','C','A',0)) { > + return AVERROR_INVALIDDATA; > + } else if (AV_RB16(avpkt->data + 6) <=3D avpkt->size) { > + ret =3D init_hca(avctx, avpkt->data, AV_RB16(avpkt->data + 6= )); > + if (ret < 0) > + return ret; > + offset =3D AV_RB16(avpkt->data + 6); > + if (offset =3D=3D avpkt->size) > + return avpkt->size; > + } else { > + return AVERROR_INVALIDDATA; > + } > + } [...] =3D=3D6921=3D=3DERROR: AddressSanitizer: SEGV on unknown address 0x00000000= 0000 (pc 0x0000005c8da1 bp 0x7fff5a918390 sp 0x7fff5a918200 T0) =3D=3D6921=3D=3DThe signal is caused by a WRITE memory access. =3D=3D6921=3D=3DHint: address points to the zero page. 
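Review bot: the `if (ret < 0) return ret;` after the `init_hca()` call rejects only the packet that carried the bad header; nothing records that initialization failed, so the next packet whose first 16 bits are 0xFFFF skips this whole block and reaches the decode path with whatever state the failed init_hca() left behind, which is the NULL write in unpack() (hcadec.c:392) that the sanitizer trace below reports. Suggest making an init_hca() failure leave the context marked as uninitialized (clear a flag before re-initializing, set it only at the end of a fully successful init) and returning AVERROR_INVALIDDATA from decode_frame() for frame packets while that flag is clear, so a rejected header stops all further decoding until a later header succeeds.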
    #0 0x5c8da1 in unpack /src/ffmpeg/libavcodec/hcadec.c:392:30
    #1 0x5c8da1 in decode_frame /src/ffmpeg/libavcodec/hcadec.c:456:9
    #2 0x5b41ff in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:433:20
    #3 0x5b41ff in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:607:15
    #4 0x5b41ff in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:635:15
    #5 0x5b3aee in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:732:15
    #6 0x59f64f in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:522:25
    #7 0x46e913 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #8 0x45a072 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #9 0x45f91c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #10 0x488e52 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7849ef29a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #12 0x45023d in _start

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesn't understand is a sign that one is less smart
than the original author, trying to rewrite it will not make it better.
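As an added illustration of the failure mode Michael describes (half-initialized context reused by the next packet after a per-packet init fails), written for this page and not taken from FFmpeg: Ctx, init_ctx and decode_packet are constructed stand-ins for HCAContext, init_hca and decode_frame, the header layout mirrors the checks in the quoted hunk, and the `initialized` flag is the mitigation the hunk lacks.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the decoder state (not FFmpeg's HCAContext). */
typedef struct {
    int initialized;   /* 1 only after init_ctx() ran to completion */
    int channels;
    float *scratch;    /* per-channel buffer the frame path writes into */
} Ctx;

/* Header parse that, like a per-packet init, tears the old state down before
 * validating the new header: a rejected header therefore leaves scratch == NULL. */
static int init_ctx(Ctx *c, const uint8_t *hdr, int len)
{
    c->initialized = 0;          /* invalidate first: any failure below is final */
    free(c->scratch);
    c->scratch = NULL;
    if (len < 10) return -1;
    c->channels = hdr[8];
    if (c->channels < 1 || c->channels > 16) return -1;  /* half-initialized here */
    c->scratch = calloc((size_t)c->channels * 128, sizeof(float));
    if (!c->scratch) return -1;
    c->initialized = 1;
    return 0;
}

/* Mirrors the shape of the patched decode_frame(): a packet not starting with
 * 0xFFFF carries an "HCA\0" header whose big-endian length sits at offset 6. */
static int decode_packet(Ctx *c, const uint8_t *data, int size)
{
    int offset = 0;
    if (size <= 8) return -1;
    if (!(data[0] == 0xFF && data[1] == 0xFF)) {
        int hdrlen;
        if (memcmp(data, "HCA", 4) != 0) return -1;   /* 'H','C','A','\0' */
        hdrlen = (data[6] << 8) | data[7];
        if (hdrlen > size) return -1;
        if (init_ctx(c, data, hdrlen) < 0) return -1; /* header rejected */
        offset = hdrlen;
        if (offset == size) return size;              /* header-only packet */
    }
    /* The guard the hunk lacks: a frame after a failed init must not run on
     * whatever that init left behind (here a NULL scratch buffer). */
    if (!c->initialized) return -1;
    c->scratch[0] = (float)data[offset];  /* stand-in for unpack() writing samples */
    return size;
}
```

Without the `initialized` check, the frame packet sent after a rejected header would write through the NULL `scratch` pointer, which is the shape of the sanitizer report above.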