* [FFmpeg-devel] [PATCH 1/4] avcodec/vp9_raw_reorder_bsf: Check for existence of data before reading it
@ 2022-03-22 23:07 Andreas Rheinhardt
From: Andreas Rheinhardt @ 2022-03-22 23:07 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Andreas Rheinhardt
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
@michaelni: Please tell me the exact fuzzer issue id.
libavcodec/vp9_raw_reorder_bsf.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/vp9_raw_reorder_bsf.c b/libavcodec/vp9_raw_reorder_bsf.c
index 6562399159..1608360fe1 100644
--- a/libavcodec/vp9_raw_reorder_bsf.c
+++ b/libavcodec/vp9_raw_reorder_bsf.c
@@ -292,6 +292,11 @@ static int vp9_raw_reorder_filter(AVBSFContext *bsf, AVPacket *out)
return err;
}
+ if (!in->size) {
+ av_packet_free(&in);
+ return AVERROR_INVALIDDATA;
+ }
+
if ((in->data[in->size - 1] & 0xe0) == 0xc0) {
av_log(bsf, AV_LOG_ERROR, "Input in superframes is not "
"supported.\n");
--
2.32.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH 2/4] avcodec/vp9_superframe_bsf: Check for existence of data before reading it
From: Andreas Rheinhardt @ 2022-03-22 23:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Andreas Rheinhardt
Packets without data need to be handled specially in order to avoid
undefined reads. Pass these packets through unchanged in case there
are no cached packets* and error out in case there are cached packets:
Returning the packet would mess with the order of the packets;
if one returned the zero-sized packet before the superframe that will
be created from the packets in the cache, the zero-sized packet would
overtake the packets in the cache; if one returned the packet later,
the packets that complete the superframe will overtake the zero-sized
packet.
*: This case e.g. encompasses the scenario of updated extradata
side-data at the end.
Fixes: Out of array read
Fixes: 45722/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_fuzzer-5173378975137792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
The current way of passthrough has been suggested by James.
libavcodec/vp9_superframe_bsf.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libavcodec/vp9_superframe_bsf.c b/libavcodec/vp9_superframe_bsf.c
index 57681e29e4..df9b97fa3c 100644
--- a/libavcodec/vp9_superframe_bsf.c
+++ b/libavcodec/vp9_superframe_bsf.c
@@ -108,6 +108,15 @@ static int vp9_superframe_filter(AVBSFContext *ctx, AVPacket *pkt)
if (res < 0)
return res;
+ if (!pkt->size) {
+ /* In case the cache is empty we can pass side-data-only packets
+ * through unchanged. Otherwise, such a packet makes no sense. */
+ if (!s->n_cache)
+ return 0;
+ res = AVERROR_INVALIDDATA;
+ goto done;
+ }
+
marker = pkt->data[pkt->size - 1];
if ((marker & 0xe0) == 0xc0) {
int nbytes = 1 + ((marker >> 3) & 0x3);
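Review bot: The comment on the new block ("such a packet makes no sense") understates the reason given in the commit message: a zero-sized packet is not nonsensical in itself, it just cannot be placed correctly relative to the frames already in the cache. Suggest saying that in the comment, e.g. `/* A zero-sized packet cannot be ordered relative to the cached frames */`. Since `res = AVERROR_INVALIDDATA; goto done;` makes the caller see a hard error for a stream whose only fault may be a side-data update arriving between the frames of one superframe, an av_log at AV_LOG_ERROR like the one for the superframe-input case below it would let users see why the filter failed.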
--
2.32.0
* [FFmpeg-devel] [PATCH 3/4] avcodec/vp9_superframe_split_bsf: Discard invalid zero-sized frames
From: Andreas Rheinhardt @ 2022-03-22 23:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Andreas Rheinhardt
They are invalid in VP9. If any of the frames inside a superframe
had a size of zero, the code would either read into the next frame
or into the superframe index; so check for the length to stop this.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
Now split into a patch of its own.
libavcodec/vp9_superframe_split_bsf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c
index ed0444561a..7f0cad1ea0 100644
--- a/libavcodec/vp9_superframe_split_bsf.c
+++ b/libavcodec/vp9_superframe_split_bsf.c
@@ -70,7 +70,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
frame_size |= bytestream2_get_byte(&bc) << (j * 8);
total_size += frame_size;
- if (frame_size < 0 || total_size > in->size - idx_size) {
+ if (frame_size <= 0 || total_size > in->size - idx_size) {
av_log(ctx, AV_LOG_ERROR,
"Invalid frame size in a superframe: %d\n", frame_size);
ret = AVERROR(EINVAL);
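Review bot: With the comparison changed to `frame_size <= 0`, a zero-sized frame is reported under the same "Invalid frame size in a superframe: %d" message, which is fine, but the path still returns AVERROR(EINVAL); FFmpeg uses AVERROR_INVALIDDATA for malformed input and reserves EINVAL for bad arguments, so consider switching the return code while touching this path (it predates the patch, so a separate cleanup is also acceptable). Note also that `total_size += frame_size` runs before the check, so a negative frame_size from a 4-byte length field (the case the `< 0` test was guarding against, since `bytestream2_get_byte(&bc) << (j * 8)` can reach the sign bit for j == 3) has already been added when the error is raised; harmless because the function returns immediately, but a comment would keep someone from later moving the check below another use of total_size.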
--
2.32.0
* [FFmpeg-devel] [PATCH 4/4] avcodec/vp9_superframe_split_bsf: Don't read inexistent data
From: Andreas Rheinhardt @ 2022-03-22 23:09 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Andreas Rheinhardt
Fixes: Out of array read
Fixes: 45137/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_SPLIT_fuzzer-4984270639202304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
libavcodec/vp9_superframe_split_bsf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c
index 7f0cad1ea0..c9cf21b541 100644
--- a/libavcodec/vp9_superframe_split_bsf.c
+++ b/libavcodec/vp9_superframe_split_bsf.c
@@ -51,6 +51,9 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
return ret;
in = s->buffer_pkt;
+ if (!in->size)
+ goto passthrough;
+
marker = in->data[in->size - 1];
if ((marker & 0xe0) == 0xc0) {
int length_size = 1 + ((marker >> 3) & 0x3);
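Review bot: The `goto passthrough` jumps from the top of the function into the `else` branch of the superframe check further down, which is legal C but makes the control flow hard to follow. The same effect can be had without a label by making the marker read size-safe, e.g. `marker = in->size ? in->data[in->size - 1] : 0;`, so that `(marker & 0xe0) == 0xc0` is false for an empty packet, no superframe index is parsed, and the existing `else` branch moves the packet to `out` unchanged.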
@@ -121,6 +124,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
out->pts = AV_NOPTS_VALUE;
} else {
+passthrough:
av_packet_move_ref(out, s->buffer_pkt);
}
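Review bot: A label inside an `else` body is easy to miss when someone later restructures this if/else; if the goto stays, a one-line comment above `passthrough:` saying it is the target for zero-sized (side-data-only) packets from the top of the function would keep the intent visible. The commit message could carry the same sentence; it currently consists only of the Fixes/Found-by trailers, unlike PATCH 2/4, which explains why such packets are passed through.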
--
2.32.0
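All four patches guard the same read, `data[size - 1]`, and the superframe index walk behind it. As an added example that is not part of this thread or of FFmpeg, here is a stand-alone C parser for the VP9 superframe index with those checks in place: an empty chunk is never indexed, a zero-sized frame is rejected, and no frame may run into the index or past the end of the chunk. The sample chunks are constructed byte strings, not real VP9 frames, and the names (vp9_split_superframe, split_status, split_frame, the VP9_SF_* statuses) are the example's own.

```c
/* Added example, not FFmpeg code: a stand-alone VP9 superframe index parser
 * applying the checks this series adds to the BSFs: an empty chunk is never
 * indexed (PATCH 1, 2, 4), a zero-sized frame is rejected (PATCH 3), and no
 * frame may run into the index or past the end of the chunk. */
#include <stddef.h>
#include <stdint.h>

#define VP9_MAX_FRAMES 8   /* marker bits 2..0 encode 1..8 frames */

enum vp9_sf_status {
    VP9_SF_OK = 0,          /* valid superframe, frames[] filled in */
    VP9_SF_NOT_SUPERFRAME,  /* plain frame: caller passes it through */
    VP9_SF_EMPTY,           /* zero-length chunk: nothing to read */
    VP9_SF_BAD_INDEX,       /* index does not fit, or markers disagree */
    VP9_SF_BAD_FRAME_SIZE   /* frame size of zero or beyond the data */
};

struct vp9_subframe {
    const uint8_t *data;
    size_t         size;
};

/* VP9 Annex B index: the chunk ends with marker 0b110xxyyy (xx = bytes per
 * size field minus one, yyy = frame count minus one); the index begins with
 * a copy of the marker, followed by the little-endian frame sizes. */
static enum vp9_sf_status
vp9_split_superframe(const uint8_t *data, size_t size,
                     struct vp9_subframe frames[VP9_MAX_FRAMES], int *nb_frames)
{
    size_t length_size, n, idx_size, i, offset = 0;
    const uint8_t *sizes;
    uint8_t marker;

    *nb_frames = 0;
    if (size == 0)                 /* data[size - 1] below would be out of bounds */
        return VP9_SF_EMPTY;

    marker = data[size - 1];
    if ((marker & 0xe0) != 0xc0)
        return VP9_SF_NOT_SUPERFRAME;

    length_size = 1 + ((marker >> 3) & 0x3);
    n           = 1 + (marker & 0x7);
    idx_size    = 2 + n * length_size;

    /* The index must fit inside the chunk and begin with the marker byte. */
    if (size < idx_size || data[size - idx_size] != marker)
        return VP9_SF_BAD_INDEX;

    sizes = data + size - idx_size + 1;        /* first size field */
    for (i = 0; i < n; i++) {
        uint32_t frame_size = 0;
        size_t j;
        for (j = 0; j < length_size; j++)
            frame_size |= (uint32_t)sizes[i * length_size + j] << (8 * j);

        /* Unsigned here, so a 4-byte size with the top bit set is just a
         * large value caught by the bound check. Zero is rejected because
         * the next frame would start at the same offset and re-read bytes
         * that belong to this frame or, for the last frame, to the index. */
        if (frame_size == 0 || frame_size > size - idx_size - offset)
            return VP9_SF_BAD_FRAME_SIZE;

        frames[i].data = data + offset;
        frames[i].size = frame_size;
        offset        += frame_size;
    }
    *nb_frames = (int)n;
    return VP9_SF_OK;
}

/* Constructed samples (not real VP9 bitstreams). Marker 0xc1 = 1-byte size
 * fields, two frames, so a valid index reads 0xc1 <size0> <size1> 0xc1. */
static const uint8_t sf_valid[]       = { 'A','B','C','D','E', 0xc1, 0x02, 0x03, 0xc1 };
static const uint8_t sf_two_byte[]    = { 'A','B','C', 0xc8, 0x03, 0x00, 0xc8 }; /* 2-byte LE size */
static const uint8_t sf_zero_size[]   = { 'A','B', 0xc1, 0x00, 0x02, 0xc1 };
static const uint8_t sf_too_long[]    = { 'A','B', 0xc1, 0x02, 0x03, 0xc1 };
static const uint8_t sf_short_index[] = { 'A', 0xc1, 0xc1 };   /* index needs 4 bytes */
static const uint8_t sf_plain[]       = { 0x82, 0x49, 0x83 };  /* last byte lacks 0b110 */

static int split_status(const uint8_t *data, size_t size)
{
    struct vp9_subframe fr[VP9_MAX_FRAMES];
    int n;
    return vp9_split_superframe(data, size, fr, &n);
}

/* Offset of frame i within the chunk (want_size = 0) or its size
 * (want_size = 1); -1 unless the chunk is a valid superframe with > i frames. */
static long split_frame(const uint8_t *data, size_t size, int i, int want_size)
{
    struct vp9_subframe fr[VP9_MAX_FRAMES];
    int n;
    if (vp9_split_superframe(data, size, fr, &n) != VP9_SF_OK || i < 0 || i >= n)
        return -1;
    return want_size ? (long)fr[i].size : (long)(fr[i].data - data);
}
```

Frame sizes are accumulated in unsigned types and checked against the remaining payload after every frame, which is why the example needs no sign test: a 4-byte size with the top bit set is simply too large and is rejected by the same bound check that catches a frame running into the index.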