From: James Almer
Date: Tue, 19 Jul 2022 08:37:38 -0300
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 5/6] avcodec/ffv1dec: consider run increase in minimal golomb frame size
In-Reply-To: <20220719113453.23169-5-michael@niedermayer.cc>

On 7/19/2022 8:34 AM, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 49160/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-5672826144686080
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
> libavcodec/ffv1dec.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
> > diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c > index 01ddcaa512..9bdac0be4e 100644 > --- a/libavcodec/ffv1dec.c > +++ b/libavcodec/ffv1dec.c > @@ -883,7 +883,11 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe, > if (buf_size < avctx->width * avctx->height / (128*8)) > return AVERROR_INVALIDDATA; > } else { > - if (buf_size < avctx->height / 8) > + int i; for (int i... > + int w = avctx->width; > + for (i = 0; w > (1< + w -= ff_log2_run[i]; > + if (buf_size < (avctx->height + i + 6)/ 8) > return AVERROR_INVALIDDATA; > } >
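
Review bot: in the added loop in decode_frame(), i indexes ff_log2_run[] with no visible upper bound. The only exit condition shown compares w against a shifted value, and that condition is truncated in this archive copy ("w > (1<"), so for a large avctx->width it is not evident that i stays inside the table. Bound i explicitly against the table size, or clamp w before the loop. Since i is read again after the loop in the buf_size check, it has to remain declared outside the for statement. The "+ i + 6" term in that check also needs a short comment saying how it follows from the run increase and the minimal Golomb frame size, because the constant is otherwise unexplained.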