From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 18 Mar 2022 18:56:19 +0100
Subject: Re: [FFmpeg-devel] [PATCH] avcodec/vp9_superframe_split_bsf: Check in size
In-Reply-To: <20220318174621.26974-1-michael@niedermayer.cc>

Michael Niedermayer:
> Fixes: Out of array read
> Fixes: 45137/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_SUPERFRAME_SPLIT_fuzzer-4984270639202304
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
> libavcodec/vp9_superframe_split_bsf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c > index ed0444561a..481484a4f0 100644 > --- a/libavcodec/vp9_superframe_split_bsf.c > +++ b/libavcodec/vp9_superframe_split_bsf.c > @@ -51,7 +51,7 @@ static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out) > return ret; > in = s->buffer_pkt; > > - marker = in->data[in->size - 1]; > + marker = in->size ? in->data[in->size - 1] : 0; > if ((marker & 0xe0) == 0xc0) { > int length_size = 1 + ((marker >> 3) & 0x3); > int nb_frames = 1 + (marker & 0x7);

There is a second place in this BSF where data might be read in the absence of data, namely if one of the frames in a superframe has a size of zero (it's attempted to read its profile; no actual read takes place due to the checks of the get_bits API, but it is nevertheless invalid data). See https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-7-andreas.rheinhardt@gmail.com/; also see https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-11-andreas.rheinhardt@gmail.com/ and https://patchwork.ffmpeg.org/project/ffmpeg/patch/20200530160541.29517-1-andreas.rheinhardt@gmail.com/

- Andreas
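Review bot: the empty-packet case is handled by synthesizing a marker value in `marker = in->size ? in->data[in->size - 1] : 0;`, which silently sends a zero-length packet down the non-superframe branch rather than stating the decision; an explicit `if (!in->size)` early return (error or pass-through) right after `in = s->buffer_pkt;` would document the intent and keep the marker read unconditional. The guard also only protects the trailing marker byte: the per-frame sizes that length_size and nb_frames describe are decoded outside this hunk and get no new check, so the zero-sized-frame case raised in the reply is not addressed by this patch.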
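The two failure modes discussed in this thread, an empty packet whose marker byte does not exist and a superframe index that lists a zero-sized frame, as an added example that is neither the patch's code nor FFmpeg's: a stand-alone C parser for the VP9 superframe index (a 110xxxxx marker as the last byte, 1 to 4 byte little-endian frame sizes in front of it, and a copy of the marker in front of those). It refuses to touch the marker when the packet is empty, rejects an index that lists a zero-sized frame, rejects sizes that overrun the payload, and otherwise reports where each frame starts. The sample packets are constructed by hand, not captured from a stream, and all names (vp9_parse_superframe, Vp9SuperframeIndex, VP9_SF_*) are the example's own, not FFmpeg identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VP9_MAX_FRAMES_IN_SUPERFRAME 8

/* Result of splitting one packet; a plain (non-superframe) packet is reported as one frame. */
typedef struct Vp9SuperframeIndex {
    int      nb_frames;
    uint32_t offset[VP9_MAX_FRAMES_IN_SUPERFRAME]; /* byte offset of each frame in the packet */
    uint32_t size[VP9_MAX_FRAMES_IN_SUPERFRAME];   /* byte size of each frame, always > 0 */
} Vp9SuperframeIndex;

enum {
    VP9_SF_PLAIN_FRAME    =  0, /* no well-formed index: the whole packet is a single frame */
    VP9_SF_SUPERFRAME     =  1, /* index parsed, frames filled in */
    VP9_SF_ERR_EMPTY      = -1, /* zero-length packet: there is no marker byte to read */
    VP9_SF_ERR_ZERO_FRAME = -2, /* index lists a frame of size 0: nothing there to decode */
    VP9_SF_ERR_OVERRUN    = -3, /* listed sizes exceed the bytes in front of the index */
};

static int plain_frame(size_t size, Vp9SuperframeIndex *idx)
{
    idx->nb_frames = 1;
    idx->offset[0] = 0;
    idx->size[0]   = (uint32_t)size;
    return VP9_SF_PLAIN_FRAME;
}

int vp9_parse_superframe(const uint8_t *data, size_t size, Vp9SuperframeIndex *idx)
{
    memset(idx, 0, sizeof(*idx));
    if (size == 0)                  /* must come before data[size - 1]: the out-of-array read */
        return VP9_SF_ERR_EMPTY;
    uint8_t marker = data[size - 1];
    if ((marker & 0xe0) != 0xc0)    /* 110xxxxx is the superframe marker pattern */
        return plain_frame(size, idx);

    unsigned length_size = 1 + ((marker >> 3) & 0x3); /* bytes per frame size, 1..4 */
    unsigned nb_frames   = 1 + (marker & 0x7);        /* frames in the superframe, 1..8 */
    size_t   index_size  = 2 + (size_t)length_size * nb_frames;
    /* The index only counts if it fits and opens with the same marker byte it ends with. */
    if (size < index_size || data[size - index_size] != marker)
        return plain_frame(size, idx);

    size_t         payload = size - index_size;       /* bytes available for frame data */
    const uint8_t *sizes   = data + size - index_size + 1;
    uint64_t       total   = 0;
    for (unsigned i = 0; i < nb_frames; i++) {
        uint32_t frame_size = 0;                      /* little-endian, length_size bytes */
        for (unsigned j = 0; j < length_size; j++)
            frame_size |= (uint32_t)sizes[i * length_size + j] << (8 * j);
        if (frame_size == 0)                          /* the case raised in the reply above */
            return VP9_SF_ERR_ZERO_FRAME;
        if (frame_size > payload - total)             /* total <= payload here, so no wrap */
            return VP9_SF_ERR_OVERRUN;
        idx->offset[i] = (uint32_t)total;
        idx->size[i]   = frame_size;
        total         += frame_size;
    }
    /* Bytes between the last listed frame and the index are tolerated and left unassigned. */
    idx->nb_frames = (int)nb_frames;
    return VP9_SF_SUPERFRAME;
}

/* Scalar wrappers for callers that only need the status or one frame's size. */
int vp9_superframe_status(const uint8_t *data, size_t size)
{
    Vp9SuperframeIndex idx;
    return vp9_parse_superframe(data, size, &idx);
}

/* Returns 0 when the packet is invalid or i is out of range; valid frames are never empty. */
uint32_t vp9_superframe_frame_size(const uint8_t *data, size_t size, int i)
{
    Vp9SuperframeIndex idx;
    if (vp9_parse_superframe(data, size, &idx) < 0 || i < 0 || i >= idx.nb_frames)
        return 0;
    return idx.size[i];
}

/* Constructed sample packets (hand-made, not captured from a real stream); payload bytes are arbitrary. */
static const uint8_t SAMPLE_TWO_FRAMES[] = { 0x82, 0x49, 0x83, 0x82, 0x4a, 0xc1, 0x03, 0x02, 0xc1 }; /* 3+2 bytes, 1-byte sizes */
static const uint8_t SAMPLE_WIDE_SIZES[] = { 0x82, 0x49, 0x83, 0x42, 0xc8, 0x04, 0x00, 0xc8 };       /* one 4-byte frame, 2-byte sizes */
static const uint8_t SAMPLE_ZERO_FRAME[] = { 0x82, 0x49, 0x83, 0xc1, 0x03, 0x00, 0xc1 };             /* second frame listed as size 0 */
static const uint8_t SAMPLE_OVERRUN[]    = { 0x82, 0x49, 0x83, 0xc1, 0x03, 0x02, 0xc1 };             /* 5 bytes listed, 3 present */
static const uint8_t SAMPLE_NOT_INDEX[]  = { 0x82, 0x49, 0x83, 0x00, 0xc1 };                         /* marker-like tail, no leading marker */
static const uint8_t SAMPLE_TRUNCATED[]  = { 0xc7 };                                                 /* marker claims 8 frames, 1 byte total */

int main(void)
{
    const struct { const char *name; const uint8_t *data; size_t size; } cases[] = {
        { "two frames", SAMPLE_TWO_FRAMES, sizeof(SAMPLE_TWO_FRAMES) }, { "wide sizes", SAMPLE_WIDE_SIZES, sizeof(SAMPLE_WIDE_SIZES) },
        { "zero frame", SAMPLE_ZERO_FRAME, sizeof(SAMPLE_ZERO_FRAME) }, { "overrun",    SAMPLE_OVERRUN,    sizeof(SAMPLE_OVERRUN) },
        { "not index",  SAMPLE_NOT_INDEX,  sizeof(SAMPLE_NOT_INDEX) },  { "truncated",  SAMPLE_TRUNCATED,  sizeof(SAMPLE_TRUNCATED) },
        { "empty",      NULL,              0 },
    };
    for (size_t c = 0; c < sizeof(cases) / sizeof(cases[0]); c++) {
        Vp9SuperframeIndex idx;
        int rc = vp9_parse_superframe(cases[c].data, cases[c].size, &idx);
        printf("%-10s rc=%2d nb_frames=%d", cases[c].name, rc, idx.nb_frames);
        for (int i = 0; i < idx.nb_frames; i++)
            printf(" [off=%u size=%u]", idx.offset[i], idx.size[i]);
        printf("\n");
    }
    return 0;
}
```

A marker-looking last byte whose index does not fit or whose leading marker byte is missing is treated as ordinary frame data rather than as an error, because a regular VP9 frame may legitimately end in such a byte; a zero-sized frame inside a well-formed index, on the other hand, has no valid interpretation and is rejected before any caller tries to read a profile from it.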