From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 23 Oct 2023 22:53:56 +0200
Message-ID: <20231023205356.GD3543730@pb2>
References: <20231022003520.17154-1-michael@niedermayer.cc> <20231022003520.17154-2-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 2/6] avcodec/cbs: Do not assert on traces beyond 255 bits

On Sun, Oct 22, 2023 at 03:34:20PM +0100, Mark Thompson wrote:
> On 22/10/2023 01:35, Michael Niedermayer wrote:
> > Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517
> > Fixes: 62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavcodec/cbs.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
> > index cdd7adebebd..2f5d0334a2a 100644
> > --- a/libavcodec/cbs.c
> > +++ b/libavcodec/cbs.c
> > @@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context,
> >
> >      position = get_bits_count(gbc);
> >
> > +    if (length >= 256) {
> > +        av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated at 255\n", length);
> > +        length = 255;
> > +    }
> > +
> >      av_assert0(length < 256);
> >      for (i = 0; i < length; i++)
> >          bits[i] = get_bits1(gbc) ? '1' : '0';
>
> IMO the assert is sensible (no syntax element is that large) and so this must be catching a bug somewhere else.  Please don't nullify the assert to hide the bug.
>
> Can you share the input stream which hit this case?

will mail it to you
the backtrace is this:

#7 0x505748 in ff_cbs_trace_read_log ffmpeg/libavcodec/cbs.c:517:5
#8 0x5273f1 in cbs_av1_read_uvlc ffmpeg/libavcodec/cbs_av1.c:67:5
#9 0x5273f1 in cbs_av1_read_timing_info ffmpeg/libavcodec/cbs_av1_syntax_template.c:168
#10 0x5273f1 in cbs_av1_read_sequence_header_obu ffmpeg/libavcodec/cbs_av1_syntax_template.c:214
#11 0x51278a in cbs_av1_read_unit ffmpeg/libavcodec/cbs_av1.c:856:19
#12 0x4ff30a in cbs_read_fragment_content ffmpeg/libavcodec/cbs.c:209:15
#13 0x4ff30a in cbs_read_data ffmpeg/libavcodec/cbs.c:276
#14 0x4edc32 in trace_headers ffmpeg/libavcodec/trace_headers_bsf.c:113:11
#15 0x4c9898 in LLVMFuzzerTestOneInput ffmpeg/tools/target_bsf_fuzzer.c:154:16
#16 0x136900d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
#17 0x135dbe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
#18 0x1362de1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
#19 0x135d8c0 in main Fuzzer/build/../FuzzerMain.cpp:20:10
#20 0x7f456b8b8c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#21 0x41f179 in _start (ffmpeg/tools/target_bsf_trace_headers_fuzzer+0x41f179)
[...]
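Review bot: the `if (length >= 256)` block inserted ahead of `av_assert0(length < 256);` makes the assertion unreachable and hides the defect instead of fixing it. The assertion is what keeps the `bits[i] = get_bits1(gbc) ? '1' : '0';` loop in bounds, so a length of 256 or more means the caller passed an implausibly long syntax element to the trace helper; the backtrace in this thread places that caller in cbs_av1_read_uvlc, and that is where the length should be validated, returning an error for the malformed stream rather than clamping the trace after the fact. Clamping here also reports the condition only at `ctx->trace_level`, so at normal verbosity the malformed input would go through with no diagnostic, and the trace that is printed would silently show just the first 255 bits of the element. Suggest dropping this hunk and keeping the assertion as is.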
thx

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What's the most stupid thing your enemy could do ? Blow himself up
What's the most stupid thing you could do ? Give up your rights and freedom
because your enemy blew himself up.