From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH] avformat/rawvideodec: check packet size
Date: Thu, 6 Jan 2022 10:52:04 +0100
Message-ID: <AM7PR03MB6660F42248F0C2D550389B4D8F4C9@AM7PR03MB6660.eurprd03.prod.outlook.com> (raw)
In-Reply-To: <20220106084203.27906-1-michael@niedermayer.cc>
Michael Niedermayer:
> Fixes: division by zero
> Fixes: 43347/clusterfuzz-testcase-minimized-ffmpeg_dem_V210X_fuzzer-5846911637127168
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/rawvideodec.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libavformat/rawvideodec.c b/libavformat/rawvideodec.c
> index 68547fc50ff..7581ba2c7d2 100644
> --- a/libavformat/rawvideodec.c
> +++ b/libavformat/rawvideodec.c
> @@ -100,6 +100,8 @@ static int rawvideo_read_header(AVFormatContext *ctx)
> if (packet_size < 0)
> return packet_size;
> }
> + if (packet_size == 0)
> + return AVERROR_INVALIDDATA;
>
> st->codecpar->format = pix_fmt;
> ctx->packet_size = packet_size;
>
1. I agree with Lance that AVERROR(EINVAL) is the proper error code;
after all, the dimensions are based upon options and not read from the
input.
2. The dimensions were checked by av_image_check_size() before
41f213c3bf629d549400e935e7f123e6cfa959ab.
3. The same can happen with bitpacked. Your check should also catch this.
4. But I don't see anything that actually ensures that the
multiplications do not overflow.
- Andreas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2022-01-06 9:52 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-06 8:42 Michael Niedermayer
2022-01-06 9:05 ` lance.lmwang
2022-01-06 9:52 ` Andreas Rheinhardt [this message]
2022-01-07 16:51 Michael Niedermayer
2022-01-08 12:27 ` lance.lmwang
2022-01-10 9:17 ` Andreas Rheinhardt
2022-01-13 18:44 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AM7PR03MB6660F42248F0C2D550389B4D8F4C9@AM7PR03MB6660.eurprd03.prod.outlook.com \
--to=andreas.rheinhardt@outlook.com \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git