On Sat, Apr 03, 2021 at 04:39:08PM +0200, Michael Niedermayer wrote: > This avoids use of uninitialized data > also several checks are inside the band reading code > so it is important that it is run at least once > > Fixes: out of array accesses > Fixes: > 28209/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5684714694377472 > Fixes: > 32124/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5425980681355264 > Fixes: > 30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4558757155700736 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <[email protected]> > --- > libavcodec/cfhd.c | 20 ++++++++++++++++++++ > libavcodec/cfhd.h | 1 + > 2 files changed, 21 insertions(+) > av_log(0,0, "TT %d ST %d\n", s->transform_type, s->sample_type); > s->codebook = 0; > @@ -919,6 +929,16 @@ finish: > goto end; > } > > + for (plane = 0; plane < s->planes; plane++) { > + int o; > + for (o = 0; o < 4 ; o++) { > + if (!s->plane[plane].band[0][o].read_ok) { > + ret = AVERROR_INVALIDDATA; > + goto end; > + } > + } > + }
I've replaced this hunk by:
@@ -919,6 +929,22 @@ finish:
goto end;
}
+ for (plane = 0; plane < s->planes; plane++) {
+ int o, level;
+
+ for (level = 0; level < (s->transform_type == 0 ? DWT_LEVELS :
DWT_LEVELS_3D) ; level++) {
+ if (s->transform_type == 2)
+ if (level == 2 || level == 5)
+ continue;
+ for (o = !!level; o < 4 ; o++) {
+ if (!s->plane[plane].band[level][o].read_ok) {
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+ }
+ }
+ }
+
if (s->transform_type == 0 && s->sample_type != 1) {
for (plane = 0; plane < s->planes && !ret; plane++) {
/* level 1 */
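Review bot: the two skip rules in the level loop have no explanation: `if (level == 2 || level == 5) continue;` under `s->transform_type == 2`, and `o = !!level`, which starts the band index at 1 for every level above 0. Both decide which bands must have `read_ok` set before reconstruction runs, so a short comment on each (or named constants in place of 2 and 5) would let a reader confirm the check covers exactly the bands the code below reads. The nested `if` pair would be clearer as one condition with braces, and the bound `s->transform_type == 0 ? DWT_LEVELS : DWT_LEVELS_3D` could be computed once before the loop. Every transform_type other than 0 takes the DWT_LEVELS_3D bound here, so it is worth confirming that transform_type is validated earlier and that `band[level]` is in range for that bound.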
So not just the first level is checked.
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
