From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 3/4] avcodec/flicvideo: consider width in copy loops
Date: Fri, 3 Nov 2023 21:49:13 +0100
Message-ID: <20231103204913.GE3543730@pb2> (raw)
In-Reply-To: <CAPBf_OnKutcphRF0hK-sBnK_5e0UKJ87-3W-ryQR1GRLn1u+7A@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 3694 bytes --]
On Thu, Nov 02, 2023 at 08:08:41PM -0400, Sean McGovern wrote:
> On Thu, Nov 2, 2023, 19:50 Michael Niedermayer <michael@niedermayer.cc>
> wrote:
>
> > Fixes: out of array write
> > Fixes:
> > 63520/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4876198087622656
> > Regression since: c7f8d42c12582b0626ea38117df6c9aea9fcf5b1 (was not posted
> > to ffmpeg-devel)
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by
> > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> > Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/flicvideo.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
> > index 6ce033ba409..43f3f83bf65 100644
> > --- a/libavcodec/flicvideo.c
> > +++ b/libavcodec/flicvideo.c
> > @@ -642,7 +642,7 @@ static int flic_decode_frame_8BPP(AVCodecContext
> > *avctx,
> > "has incorrect size, skipping chunk\n", chunk_size
> > - 6);
> > bytestream2_skip(&g2, chunk_size - 6);
> > } else {
> > - for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit,
> > direction) == 0;
> > + for (y_ptr = 0; check_pixel_ptr(y_ptr, s->avctx->width,
> > pixel_limit, direction) == 0;
> > y_ptr += s->frame->linesize[0]) {
> > bytestream2_get_buffer(&g2, &pixels[y_ptr],
> > s->avctx->width);
> > @@ -949,7 +949,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext
> > *avctx,
> >
> > if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width
> > * s->avctx->height )
> > return AVERROR_INVALIDDATA;
> > - for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit,
> > direction) == 0;
> > + for (y_ptr = 0; check_pixel_ptr(y_ptr, 2*s->avctx->width,
> > pixel_limit, direction) == 0;
> > y_ptr += s->frame->linesize[0]) {
> >
> > pixel_countdown = s->avctx->width;
> > @@ -1235,7 +1235,7 @@ static int flic_decode_frame_24BPP(AVCodecContext
> > *avctx,
> > "bigger than image, skipping chunk\n", chunk_size
> > - 6);
> > bytestream2_skip(&g2, chunk_size - 6);
> > } else {
> > - for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit,
> > direction) == 0;
> > + for (y_ptr = 0; check_pixel_ptr(y_ptr, 3*s->avctx->width,
> > pixel_limit, direction) == 0;
> > y_ptr += s->frame->linesize[0]) {
> >
> > bytestream2_get_buffer(&g2, pixels + y_ptr,
> > 3*s->avctx->width);
> > --
> > 2.17.1
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> >
>
> On quick inspection this looks OK,
will apply patchset (the first 2 with less funny commit messages)
>but is s->avctx->width guaranteed to be
> non-zero as well?
if width somehow manages to be 0 then reget_buffer would fail
so none of this code should be reachable
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The smallest minority on earth is the individual. Those who deny
individual rights cannot claim to be defenders of minorities. - Ayn Rand
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2023-11-03 20:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-02 23:50 [FFmpeg-devel] [PATCH 1/4] avfilter/framesync: cuddle () closer around = Michael Niedermayer
2023-11-02 23:50 ` [FFmpeg-devel] [PATCH 2/4] avfilter/buffersink: " Michael Niedermayer
2023-11-03 0:04 ` Sean McGovern
2023-11-03 20:53 ` Nicolas George
2023-11-02 23:50 ` [FFmpeg-devel] [PATCH 3/4] avcodec/flicvideo: consider width in copy loops Michael Niedermayer
2023-11-03 0:08 ` Sean McGovern
2023-11-03 20:49 ` Michael Niedermayer [this message]
2023-11-02 23:50 ` [FFmpeg-devel] [PATCH 4/4] avformat/lafdec: Check for 0 parameters Michael Niedermayer
2023-11-03 0:09 ` Sean McGovern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231103204913.GE3543730@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git