Re: [FFmpeg-devel] [PATCH] avcodec/arbc: Check nb_segments before allocating and copying frame

2019-03-20 Thread Michael Niedermayer
On Thu, Mar 14, 2019 at 12:03:17AM +0100, Michael Niedermayer wrote:
> Fixes: Timeout (30sec -> 2sec)
> Fixes: 13578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARBC_fuzzer-5685625527730176
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer 
> ---
>  libavcodec/arbc.c | 15 +--
>  1 file changed, 9 insertions(+), 6 deletions(-)

will apply

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

What's the most stupid thing your enemy could do? Blow himself up
What's the most stupid thing you could do? Give up your rights and
freedom because your enemy blew himself up.



___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel


[FFmpeg-devel] [PATCH] avcodec/arbc: Check nb_segments before allocating and copying frame

2019-03-13 Thread Michael Niedermayer
Fixes: Timeout (30sec -> 2sec)
Fixes: 13578/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARBC_fuzzer-5685625527730176

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
---
 libavcodec/arbc.c | 15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/libavcodec/arbc.c b/libavcodec/arbc.c
index 841a9f10ac..52c9a197f9 100644
--- a/libavcodec/arbc.c
+++ b/libavcodec/arbc.c
@@ -121,6 +121,15 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 if (avpkt->size < 10)
 return AVERROR_INVALIDDATA;
 
+bytestream2_init(>gb, avpkt->data, avpkt->size);
+bytestream2_skip(>gb, 8);
+nb_segments = bytestream2_get_le16(>gb);
+if (nb_segments == 0)
+keyframe = 0;
+
+if (7 * nb_segments > bytestream2_get_bytes_left(>gb))
+return AVERROR_INVALIDDATA;
+
 if ((ret = ff_get_buffer(avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
 return ret;
 
@@ -130,12 +139,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 return ret;
 }
 
-bytestream2_init(>gb, avpkt->data, avpkt->size);
-bytestream2_skip(>gb, 8);
-nb_segments = bytestream2_get_le16(>gb);
-if (nb_segments == 0)
-keyframe = 0;
-
 for (int i = 0; i < nb_segments; i++) {
 int resolution_flag;
 uint8_t fill[3];
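Review bot: this hunk is the removal half of the relocation and is only correct together with the first hunk, but it is not a pure move: the `keyframe = 0` decision now executes before the frame-reference path whose error return (`return ret; }`) forms this hunk's leading context, whereas before it ran after it. Worth confirming that path does not read `keyframe`, and worth a sentence in the commit message about the reordering.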
-- 
2.21.0
