Re: [FFmpeg-devel] [PATCH 1/2] avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder()

2017-03-07 Thread Michael Niedermayer
On Tue, Mar 07, 2017 at 07:09:38PM +0100, Michael Niedermayer wrote:
> Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 1 of 2)
> 
> Found-by: continuous fuzzing process 
> https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer 
> ---
>  libavcodec/vp5.c |  5 -
>  libavcodec/vp56.h|  2 +-
>  libavcodec/vp56rac.c |  5 -
>  libavcodec/vp6.c | 15 +++
>  libavcodec/vp8.c | 21 ++---
>  libavcodec/vp9.c |  9 +++--
>  6 files changed, 41 insertions(+), 16 deletions(-)

patchset was approved by ronald and
applied

thx

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Good people do not need laws to tell them to act responsibly, while bad
people will find a way around the laws. -- Plato




[FFmpeg-devel] [PATCH 1/2] avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder()

2017-03-07 Thread Michael Niedermayer
Fixes: timeout in 730/clusterfuzz-testcase-5265113739165696 (part 1 of 2)

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 
---
 libavcodec/vp5.c |  5 -
 libavcodec/vp56.h|  2 +-
 libavcodec/vp56rac.c |  5 -
 libavcodec/vp6.c | 15 +++
 libavcodec/vp8.c | 21 ++---
 libavcodec/vp9.c |  9 +++--
 6 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
index 54db620bde..b5f06a0940 100644
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -38,8 +38,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t 
*buf, int buf_size)
 {
 VP56RangeCoder *c = >c;
 int rows, cols;
+int ret;
 
-ff_vp56_init_range_decoder(>c, buf, buf_size);
+ret = ff_vp56_init_range_decoder(>c, buf, buf_size);
+if (ret < 0)
+return ret;
 s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c);
 vp56_rac_get(c);
 ff_vp56_init_dequant(s, vp56_rac_gets(c, 6));
diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h
index e5c5bea963..c049399df8 100644
--- a/libavcodec/vp56.h
+++ b/libavcodec/vp56.h
@@ -224,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
  */
 
 extern const uint8_t ff_vp56_norm_shift[256];
-void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int 
buf_size);
+int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int 
buf_size);
 
 static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c)
 {
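Review bot: The declaration of ff_vp56_init_range_decoder changes from `void` to `int` but carries no comment saying what the value means, while every caller touched by this patch (vp5.c, vp6.c, vp8.c, vp9.c) now branches on `ret < 0`. A short Doxygen comment on the declaration would pin the contract: that it returns 0 on success and a negative AVERROR code when `buf_size` is too small to prime the coder, and that the coder must not be read from after a failure. Without it the next caller has to open vp56rac.c to learn whether 0 or a positive value signals success.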
diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c
index 6061b7ee72..e70302bf85 100644
--- a/libavcodec/vp56rac.c
+++ b/libavcodec/vp56rac.c
@@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= {
  0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
 };
 
-void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int 
buf_size)
+int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int 
buf_size)
 {
 c->high = 255;
 c->bits = -16;
 c->buffer = buf;
 c->end = buf + buf_size;
+if (buf_size < 1)
+return AVERROR_INVALIDDATA;
 c->code_word = bytestream_get_be24(>buffer);
+return 0;
 }
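Review bot: The new guard `if (buf_size < 1)` only rejects an empty buffer, but the read on the following line, `bytestream_get_be24`, consumes three bytes, so a 1- or 2-byte `buf_size` still reads past `c->end`. If that is acceptable because callers always pass AV_INPUT_BUFFER_PADDING_SIZE-padded packets, that assumption belongs next to the check, e.g. `/* a 1..2 byte buffer over-reads into the packet padding; callers must pass padded input */`; otherwise the bound should be `if (buf_size < 3)` so the primed code word never comes from bytes outside the buffer. A negative `buf_size` (vp6.c passes `buf_size-6` and `buf_size-1`) is caught by the same comparison, which is worth stating in the comment too, since `c->end` has already been computed from it by then.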
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index 662126ca70..f0e60a3822 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t 
*buf, int buf_size)
 int sub_version;
 int rows, cols;
 int res = 0;
+int ret;
 int separated_coeff = buf[0] & 1;
 
 s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80);
@@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t 
*buf, int buf_size)
 s->avctx->coded_width  = 16 * cols;
 s->avctx->coded_height = 16 * rows;
 } else {
-int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows);
+ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows);
 if (ret < 0)
 return ret;
 
@@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t 
*buf, int buf_size)
 res = VP56_SIZE_CHANGE;
 }
 
-ff_vp56_init_range_decoder(c, buf+6, buf_size-6);
+ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6);
+if (ret < 0)
+return ret;
 vp56_rac_gets(c, 2);
 
 parse_filter_info = s->filter_header;
@@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t 
*buf, int buf_size)
 buf += 2;
 buf_size -= 2;
 }
-ff_vp56_init_range_decoder(c, buf+1, buf_size-1);
+ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1);
+if (ret < 0)
+return ret;
 
 s->golden_frame = vp56_rac_get(c);
 if (s->filter_header) {
@@ -165,7 +170,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t 
*buf, int buf_size)
 s->parse_coeff = vp6_parse_coeff_huffman;
 init_get_bits(>gb, buf, buf_size<<3);
 } else {
-ff_vp56_init_range_decoder(>cc, buf, buf_size);
+ret = ff_vp56_init_range_decoder(>cc, buf, buf_size);
+if (ret < 0)
+return ret;
 s->ccp = >cc;
 }
 } else {
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index fb17ff114d..a3d057d62e 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -261,6 +261,7 @@ static int setup_partitions(VP8Context *s, const uint8_t 
*buf, int buf_size)
 {
 const uint8_t *sizes = buf;
 int i;
+int ret;
 
 s->num_coeff_partitions = 1 << vp8_rac_get_uint(>c, 2);
 
@@ -274,13 +275,13 @@ static int setup_partitions(VP8Context *s, const uint8_t 
*buf, int buf_size)
 if (buf_size - size < 0)
 return -1;
 
-