From: michaelni <code@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Subject: [FFmpeg-devel] [PATCH] fix 2 vulnerabilities reported by ossuzz (PR #20163)
Date: Thu, 7 Aug 2025 21:43:38 +0300 (EEST)
Message-ID: <20250807184338.12C3468D164@ffbox0-bg.ffmpeg.org> (raw)
PR #20163 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20163
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20163.patch
From 0829dc148e00077acdb448f8f123d61a74202f9c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 7 Aug 2025 19:38:30 +0200
Subject: [PATCH 1/2] avcodec/sanm: Check mv in codec48_block()
Fixes: out of array read
Fixes: 436943287/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5011037029203968
This issue did oddly enough, not replicate
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/sanm.c | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index d345f58846..a066a864eb 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -1427,8 +1427,18 @@ static void c48_4to8(uint8_t *dst, const uint8_t *src, const uint16_t w)
}
}
-static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db,
- const uint16_t w)
+static int check_mv(int x, int y, const uint16_t w, int h, int blocksize, int mvofs) {
+ if (mvofs < -x + -y*w)
+ return AVERROR_INVALIDDATA;
+
+ if (mvofs > w-x-blocksize + w*(h-y-blocksize))
+ return AVERROR_INVALIDDATA;
+
+ return 0;
+}
+
+static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, int x, int y,
+ const uint16_t w, int h)
{
uint8_t opc, sb[16];
int i, j, k, l;
@@ -1453,6 +1463,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db,
if (bytestream2_get_bytes_left(&ctx->gb) < 2)
return 1;
mvofs = bytestream2_get_le16(&ctx->gb);
+ if (check_mv(x, y, w, h, 8, mvofs))
+ return 1;
for (i = 0; i < 8; i++) {
ofs = w * i;
for (k = 0; k < 8; k++)
@@ -1480,6 +1492,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db,
for (k = 0; k < 8; k += 4) {
opc = bytestream2_get_byteu(&ctx->gb);
mvofs = c37_mv[opc * 2] + (c37_mv[opc * 2 + 1] * w);
+ if (check_mv(x+k, y+i, w, h, 4, mvofs))
+ return 1;
for (j = 0; j < 4; j++) {
ofs = (w * (j + i)) + k;
for (l = 0; l < 4; l++)
@@ -1494,6 +1508,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db,
for (i = 0; i < 8; i += 4) {
for (k = 0; k < 8; k += 4) {
mvofs = bytestream2_get_le16(&ctx->gb);
+ if (check_mv(x+k, y+i, w, h, 4, mvofs))
+ return 1;
for (j = 0; j < 4; j++) {
ofs = (w * (j + i)) + k;
for (l = 0; l < 4; l++)
@@ -1516,6 +1532,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db,
ofs = (w * i) + j;
opc = bytestream2_get_byteu(&ctx->gb);
mvofs = c37_mv[opc * 2] + (c37_mv[opc * 2 + 1] * w);
+ if (check_mv(x+j, y+i, w, h, 2, mvofs))
+ return 1;
for (l = 0; l < 2; l++) {
*(dst + ofs + l + 0) = *(db + ofs + l + 0 + mvofs);
*(dst + ofs + l + w) = *(db + ofs + l + w + mvofs);
@@ -1530,6 +1548,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db,
for (j = 0; j < 8; j += 2) {
ofs = w * i + j;
mvofs = bytestream2_get_le16(&ctx->gb);
+ if (check_mv(x+j, y+i, w, h, 2, mvofs))
+ return 1;
for (l = 0; l < 2; l++) {
*(dst + ofs + l + 0) = *(db + ofs + l + 0 + mvofs);
*(dst + ofs + l + w) = *(db + ofs + l + w + mvofs);
@@ -1548,6 +1568,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db,
break;
default: // copy 8x8 block from prev, c37_mv from source
mvofs = c37_mv[opc * 2] + (c37_mv[opc * 2 + 1] * w);
+ if (check_mv(x, y, w, h, 8, mvofs))
+ return 1;
for (i = 0; i < 8; i++) {
ofs = i * w;
for (l = 0; l < 8; l++)
@@ -1613,7 +1635,7 @@ static int old_codec48(SANMVideoContext *ctx, int width, int height)
if (seq == ctx->prev_seq + 1) {
for (j = 0; j < height; j += 8) {
for (i = 0; i < width; i += 8) {
- if (codec48_block(ctx, dst + i, prev + i, width))
+ if (codec48_block(ctx, dst + i, prev + i, i, j, width, height))
return AVERROR_INVALIDDATA;
}
dst += width * 8;
--
2.49.1
From 9bcd6250889b7044636885152319de028a000a17 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 7 Aug 2025 19:56:53 +0200
Subject: [PATCH 2/2] avcodec/dxv: Use av_fast_realloc() and clear all new
space
The code writing in the buffer has a wide range of error checks
which simply leave it partly uninitialized.
Initializing it on allocation ensures no sensitive data leaks and that
bugs are more reliably reproduceable
Fixes: use of uninitialized memory
Fixes: 435225510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-4521918634196992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/dxv.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 0b8e077ad6..7e11bef733 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -38,6 +38,7 @@ typedef struct DXVContext {
GetByteContext gbc;
uint8_t *tex_data; // Compressed texture
+ unsigned tex_data_size;
uint8_t *ctex_data; // Compressed chroma texture
int64_t tex_size; // Texture size
@@ -969,9 +970,14 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame,
ctx->tex_size = avctx->coded_width / (texdsp_ctx.raw_ratio / (avctx->pix_fmt == AV_PIX_FMT_RGBA ? 4 : 1)) *
avctx->coded_height / TEXTURE_BLOCK_H *
texdsp_ctx.tex_ratio;
- ret = av_reallocp(&ctx->tex_data, ctx->tex_size + AV_INPUT_BUFFER_PADDING_SIZE);
- if (ret < 0)
- return ret;
+ unsigned old_size = ctx->tex_data_size;
+ void *ptr = av_fast_realloc(ctx->tex_data, &ctx->tex_data_size, ctx->tex_size + AV_INPUT_BUFFER_PADDING_SIZE);
+ if (!ptr)
+ return AVERROR(ENOMEM);
+ ctx->tex_data = ptr;
+
+ if (ctx->tex_data_size > old_size)
+ memset(ctx->tex_data + old_size, 0, ctx->tex_data_size - old_size);
if (avctx->pix_fmt != AV_PIX_FMT_RGBA) {
int i;
@@ -1078,6 +1084,8 @@ static av_cold int dxv_close(AVCodecContext *avctx)
DXVContext *ctx = avctx->priv_data;
av_freep(&ctx->tex_data);
+ ctx->tex_data_size = 0;
+
av_freep(&ctx->ctex_data);
av_freep(&ctx->op_data[0]);
av_freep(&ctx->op_data[1]);
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
reply other threads:[~2025-08-07 18:43 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250807184338.12C3468D164@ffbox0-bg.ffmpeg.org \
--to=code@ffmpeg.org \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git