* [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset
@ 2023-10-18 0:49 Michael Niedermayer
2023-10-18 0:49 ` [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context Michael Niedermayer
2023-10-18 18:29 ` [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset Tomas Härdin
0 siblings, 2 replies; 6+ messages in thread
From: Michael Niedermayer @ 2023-10-18 0:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: Assertion klv_offset >= mxf->run_in failed at libavformat/mxfdec.c:736
Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5778404366221312.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/mxfdec.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 68939091e6..f2ec508b72 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size)
return i == size;
}
-static int klv_read_packet(KLVPacket *klv, AVIOContext *pb)
+static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb)
{
int64_t length, pos;
if (!mxf_read_sync(pb, mxf_klv_key, 4))
return AVERROR_INVALIDDATA;
klv->offset = avio_tell(pb) - 4;
+ if (klv->offset < mxf->run_in)
+ return AVERROR_INVALIDDATA;
+
memcpy(klv->key, mxf_klv_key, 4);
avio_read(pb, klv->key + 4, 12);
length = klv_decode_ber_length(pb);
@@ -3435,7 +3438,7 @@ static int mxf_seek_to_previous_partition(MXFContext *mxf)
/* Make sure this is actually a PartitionPack, and if so parse it.
* See deadlock2.mxf
*/
- if ((ret = klv_read_packet(&klv, pb)) < 0) {
+ if ((ret = klv_read_packet(mxf, &klv, pb)) < 0) {
av_log(mxf->fc, AV_LOG_ERROR, "failed to read PartitionPack KLV\n");
return ret;
}
@@ -3712,7 +3715,7 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
if (length < min_rip_length || length > max_rip_length)
goto end;
avio_seek(s->pb, file_size - length, SEEK_SET);
- if (klv_read_packet(&klv, s->pb) < 0 ||
+ if (klv_read_packet(mxf, &klv, s->pb) < 0 ||
!IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key))
goto end;
if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) {
@@ -3759,7 +3762,7 @@ static int mxf_read_header(AVFormatContext *s)
while (!avio_feof(s->pb)) {
const MXFMetadataReadTableEntry *metadata;
- ret = klv_read_packet(&klv, s->pb);
+ ret = klv_read_packet(mxf, &klv, s->pb);
if (ret < 0 || IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key)) {
if (ret >= 0 && avio_size(s->pb) > klv.next_klv)
av_log(s, AV_LOG_WARNING, "data after the RandomIndexPack, assuming end of file\n");
@@ -4011,7 +4014,7 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt)
if (pos < mxf->current_klv_data.next_klv - mxf->current_klv_data.length || pos >= mxf->current_klv_data.next_klv) {
mxf->current_klv_data = (KLVPacket){{0}};
- ret = klv_read_packet(&klv, s->pb);
+ ret = klv_read_packet(mxf, &klv, s->pb);
if (ret < 0)
break;
max_data_size = klv.length;
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context
2023-10-18 0:49 [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset Michael Niedermayer
@ 2023-10-18 0:49 ` Michael Niedermayer
2023-10-18 13:17 ` Andreas Rheinhardt
2023-10-18 18:29 ` [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset Tomas Härdin
1 sibling, 1 reply; 6+ messages in thread
From: Michael Niedermayer @ 2023-10-18 0:49 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: index 32 out of bounds for type 'uint32_t [32]'
Fixes: 63003/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4685160840560640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hevc_ps.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index a6b64b92e3..f4365ef5b5 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -421,6 +421,7 @@ static int decode_hrd(GetBitContext *gb, int common_inf_present,
if (hdr->cpb_cnt_minus1[i] > 31) {
av_log(NULL, AV_LOG_ERROR, "nb_cpb %d invalid\n",
hdr->cpb_cnt_minus1[i]);
+ hdr->cpb_cnt_minus1[i] = 0;
return AVERROR_INVALIDDATA;
}
}
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context
2023-10-18 0:49 ` [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context Michael Niedermayer
@ 2023-10-18 13:17 ` Andreas Rheinhardt
2023-10-19 16:55 ` Michael Niedermayer
0 siblings, 1 reply; 6+ messages in thread
From: Andreas Rheinhardt @ 2023-10-18 13:17 UTC (permalink / raw)
To: ffmpeg-devel
Michael Niedermayer:
> Fixes: index 32 out of bounds for type 'uint32_t [32]'
> Fixes: 63003/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4685160840560640
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavcodec/hevc_ps.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
> index a6b64b92e3..f4365ef5b5 100644
> --- a/libavcodec/hevc_ps.c
> +++ b/libavcodec/hevc_ps.c
> @@ -421,6 +421,7 @@ static int decode_hrd(GetBitContext *gb, int common_inf_present,
> if (hdr->cpb_cnt_minus1[i] > 31) {
> av_log(NULL, AV_LOG_ERROR, "nb_cpb %d invalid\n",
> hdr->cpb_cnt_minus1[i]);
> + hdr->cpb_cnt_minus1[i] = 0;
> return AVERROR_INVALIDDATA;
> }
> }
There is a second issue here: There can be truncation during the
previous assignment, because cpb_cnt_minus1 is uint8_t. So this should
be fixed by properly checking the value and only putting it in the
parameter set after it has been validated (which also avoids having to
reset it).
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset
2023-10-18 0:49 [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset Michael Niedermayer
2023-10-18 0:49 ` [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context Michael Niedermayer
@ 2023-10-18 18:29 ` Tomas Härdin
2023-10-19 17:18 ` Michael Niedermayer
1 sibling, 1 reply; 6+ messages in thread
From: Tomas Härdin @ 2023-10-18 18:29 UTC (permalink / raw)
To: FFmpeg development discussions and patches
ons 2023-10-18 klockan 02:49 +0200 skrev Michael Niedermayer:
> Fixes: Assertion klv_offset >= mxf->run_in failed at
> libavformat/mxfdec.c:736
> Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> 5778404366221312.fuzz
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mxfdec.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 68939091e6..f2ec508b72 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const
> uint8_t *key, unsigned size)
> return i == size;
> }
>
> -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb)
> +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv,
> AVIOContext *pb)
> {
> int64_t length, pos;
> if (!mxf_read_sync(pb, mxf_klv_key, 4))
> return AVERROR_INVALIDDATA;
> klv->offset = avio_tell(pb) - 4;
> + if (klv->offset < mxf->run_in)
One stray space in there which of course can be fixed when pushing
Looks OK
/Tomas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context
2023-10-18 13:17 ` Andreas Rheinhardt
@ 2023-10-19 16:55 ` Michael Niedermayer
0 siblings, 0 replies; 6+ messages in thread
From: Michael Niedermayer @ 2023-10-19 16:55 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 1638 bytes --]
On Wed, Oct 18, 2023 at 03:17:41PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: index 32 out of bounds for type 'uint32_t [32]'
> > Fixes: 63003/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4685160840560640
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/hevc_ps.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
> > index a6b64b92e3..f4365ef5b5 100644
> > --- a/libavcodec/hevc_ps.c
> > +++ b/libavcodec/hevc_ps.c
> > @@ -421,6 +421,7 @@ static int decode_hrd(GetBitContext *gb, int common_inf_present,
> > if (hdr->cpb_cnt_minus1[i] > 31) {
> > av_log(NULL, AV_LOG_ERROR, "nb_cpb %d invalid\n",
> > hdr->cpb_cnt_minus1[i]);
> > + hdr->cpb_cnt_minus1[i] = 0;
> > return AVERROR_INVALIDDATA;
> > }
> > }
>
> There is a second issue here: There can be truncation during the
> previous assignment, because cpb_cnt_minus1 is uint8_t. So this should
> be fixed by properly checking the value and only putting it in the
> parameter set after it has been validated (which also avoids having to
> reset it).
ok, will apply with that
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset
2023-10-18 18:29 ` [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset Tomas Härdin
@ 2023-10-19 17:18 ` Michael Niedermayer
0 siblings, 0 replies; 6+ messages in thread
From: Michael Niedermayer @ 2023-10-19 17:18 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 1882 bytes --]
On Wed, Oct 18, 2023 at 08:29:16PM +0200, Tomas Härdin wrote:
> ons 2023-10-18 klockan 02:49 +0200 skrev Michael Niedermayer:
> > Fixes: Assertion klv_offset >= mxf->run_in failed at
> > libavformat/mxfdec.c:736
> > Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> > 5778404366221312.fuzz
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/mxfdec.c | 13 ++++++++-----
> > 1 file changed, 8 insertions(+), 5 deletions(-)
> >
> > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > index 68939091e6..f2ec508b72 100644
> > --- a/libavformat/mxfdec.c
> > +++ b/libavformat/mxfdec.c
> > @@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const
> > uint8_t *key, unsigned size)
> > return i == size;
> > }
> >
> > -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb)
> > +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv,
> > AVIOContext *pb)
> > {
> > int64_t length, pos;
> > if (!mxf_read_sync(pb, mxf_klv_key, 4))
> > return AVERROR_INVALIDDATA;
> > klv->offset = avio_tell(pb) - 4;
> > + if (klv->offset < mxf->run_in)
>
> One stray space in there which of course can be fixed when pushing
>
> Looks OK
will apply with this change
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Modern terrorism, a quick summary: Need oil, start war with country that
has oil, kill hundread thousand in war. Let country fall into chaos,
be surprised about raise of fundamantalists. Drop more bombs, kill more
people, be surprised about them taking revenge and drop even more bombs
and strip your own citizens of their rights and freedoms. to be continued
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-10-19 17:18 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-18 0:49 [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset Michael Niedermayer
2023-10-18 0:49 ` [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context Michael Niedermayer
2023-10-18 13:17 ` Andreas Rheinhardt
2023-10-19 16:55 ` Michael Niedermayer
2023-10-18 18:29 ` [FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Check klv offset Tomas Härdin
2023-10-19 17:18 ` Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git