From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 21 Mar 2022 21:59:00 +0100
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/vp9_superframe_split_bsf: Check in size
X-Microsoft-Original-Message-ID: <320b3a30-4a22-aa4c-bb02-62821402c9a9@outlook.com>
In-Reply-To: <20220321185431.GK2829255@pb2>
References: <20220318174621.26974-1-michael@niedermayer.cc> <20220319173808.GA2829255@pb2> <20220321185431.GK2829255@pb2>
List-Id: FFmpeg development discussions and patches

Michael Niedermayer:
> On Sat, Mar 19, 2022 at 06:38:08PM +0100, Michael Niedermayer wrote:
>> On Fri, Mar 18, 2022 at 06:56:19PM +0100, Andreas Rheinhardt wrote:
>>> Michael Niedermayer:
>>>> Fixes: Out of array read
>>>> Fixes: 45137/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_SPLIT_fuzzer-4984270639202304
>>>>
>>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>>> Signed-off-by: Michael Niedermayer
>>>> ---
>>>> libavcodec/vp9_superframe_split_bsf.c | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c
>>>> index ed0444561a..481484a4f0 100644
>>>> --- a/libavcodec/vp9_superframe_split_bsf.c
>>>> +++ b/libavcodec/vp9_superframe_split_bsf.c
>>>> @@ -51,7 +51,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
>>>> return ret;
>>>> in = s->buffer_pkt;
>>>>
>>>> - marker = in->data[in->size - 1];
>>>> + marker = in->size ? in->data[in->size - 1] : 0;
>>>> if ((marker & 0xe0) == 0xc0) {
>>>> int length_size = 1 + ((marker >> 3) & 0x3);
>>>> int nb_frames = 1 + (marker & 0x7);
>>>
>>> There is a second place in this BSF where data might be read in the
>>> absence of data, namely if one of the frames in a superframe has a size
>>> of zero (it's attempted to read its profile; no actual read takes place
>>> due to the checks of the get_bits API, but it is nevertheless invalid
>>> data). See
>>> https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-7-andreas.rheinhardt@gmail.com/;
>
> The get bits API checks for NULL data, if data is not NULL it must be padded
> even when size is 0.
> Nothing against the 2nd check, but that's a separate issue

I know that there is no invalid read (and said as much)

>
>>> also see
>>> https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-11-andreas.rheinhardt@gmail.com/
>
> please apply your bugfixes! especially if it's about out of array accesses
>

Will do.

>
>>> and
>>> https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-1-andreas.rheinhardt@gmail.com/
>
> that's now found by the fuzzer too, in 45722
> if you don't apply your fix i will post a fix
>
> thx
>
> [...]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
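Review bot: the `in->size ? in->data[in->size - 1] : 0` guard in the `@@ -51,7` hunk silently turns an empty input packet into "not a superframe" (a marker of 0 fails the `(marker & 0xe0) == 0xc0` test), so the empty packet is passed on rather than rejected; the commit message says only "Fixes: Out of array read" and should state whether pass-through of a zero-length packet is the intended behaviour. As the thread itself raises, this hunk also does not validate the per-frame sizes decoded through `length_size`, so a superframe index that declares a frame of size zero still reaches the later profile read; adding a `frame size > 0` check in the same change would close both halves of the issue at once.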
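As an added example (not FFmpeg's code and not written by anyone in this thread), the following stand-alone parser for the VP9 superframe index shows the two checks the thread discusses side by side: the empty-packet guard from the patch and the rejection of zero-size frames that Andreas points to. The function and type names (`vp9_split_superframe`, `vp9_frame_span`), the return codes, the requirement that the frames exactly fill the payload, and the sample packets are all constructed for this example; the marker byte layout it decodes (`0xc0` tag, `length_size` in bits 3..4, `nb_frames` in bits 0..2) is the one used in the hunk above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example code, not FFmpeg's: a defensive parser for the VP9 superframe
 * index.  All names below are assumptions chosen for this example. */

enum {
    VP9_NOT_SUPERFRAME = -1,  /* no valid index: packet is a single frame */
    VP9_BAD_SUPERFRAME = -2,  /* index present but inconsistent with packet */
};

struct vp9_frame_span {
    size_t offset;            /* byte offset of the frame inside the packet */
    size_t size;              /* byte length of the frame */
};

/* Returns the number of frames described by a valid superframe index, or one
 * of the negative codes above.  Never reads outside data[0 .. size). */
int vp9_split_superframe(const uint8_t *data, size_t size,
                         struct vp9_frame_span *spans, int max_spans)
{
    if (!data || size == 0)
        return VP9_NOT_SUPERFRAME;       /* empty packet: no marker byte to read */

    uint8_t marker = data[size - 1];
    if ((marker & 0xe0) != 0xc0)
        return VP9_NOT_SUPERFRAME;

    int length_size = 1 + ((marker >> 3) & 0x3);   /* bytes per frame size */
    int nb_frames   = 1 + (marker & 0x7);
    size_t idx_size = 2 + (size_t)length_size * nb_frames;

    if (size < idx_size)
        return VP9_BAD_SUPERFRAME;       /* index claims more than the packet holds */
    if (data[size - idx_size] != marker)
        return VP9_NOT_SUPERFRAME;       /* index must start and end with the marker */
    if (nb_frames > max_spans)
        return VP9_BAD_SUPERFRAME;

    const uint8_t *p = data + size - idx_size + 1;
    size_t payload = size - idx_size;
    size_t total = 0;
    for (int i = 0; i < nb_frames; i++) {
        size_t frame_size = 0;
        for (int b = 0; b < length_size; b++)
            frame_size |= (size_t)p[b] << (8 * b);   /* sizes are little-endian */
        p += length_size;
        if (frame_size == 0)
            return VP9_BAD_SUPERFRAME;   /* zero-size frame: nothing to decode */
        if (frame_size > payload - total)
            return VP9_BAD_SUPERFRAME;   /* bound check written to avoid overflow */
        spans[i].offset = total;
        spans[i].size   = frame_size;
        total += frame_size;
    }
    if (total != payload)
        return VP9_BAD_SUPERFRAME;       /* this example rejects trailing bytes */
    return nb_frames;
}

/* Constructed sample packets (not real VP9 data): frame bytes followed by a
 * one-byte-per-size index.  Marker 0xc1 = tag 0xc0 | length_size 1 | 2 frames. */
const uint8_t sample_superframe[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0xc1, 0x03, 0x02, 0xc1 };
const uint8_t sample_zero_frame[] = { 0x11, 0x22, 0x33, 0xc1, 0x03, 0x00, 0xc1 };
const uint8_t sample_single[]     = { 0x11, 0x22, 0x33 };
struct vp9_frame_span demo_spans[8];

int main(void)
{
    int n = vp9_split_superframe(sample_superframe, sizeof sample_superframe,
                                 demo_spans, 8);
    printf("frames: %d\n", n);
    for (int i = 0; i < n; i++)
        printf("  frame %d: offset %zu size %zu\n", i,
               demo_spans[i].offset, demo_spans[i].size);
    return n < 0;
}
```

Feeding the parser an empty packet returns `VP9_NOT_SUPERFRAME` without touching memory, and an index that declares a zero-length frame is rejected before any frame is handed on, which is the point the thread makes about the second check.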