Re: [FFmpeg-devel] [PATCH] avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure

2017-05-07 Thread Michael Niedermayer
On Mon, Apr 10, 2017 at 03:27:38AM +0200, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: 1072/clusterfuzz-testcase-6456688074817536
> 
> Found-by: continuous fuzzing process 
> https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> Signed-off-by: Michael Niedermayer 
> ---
>  libavcodec/aacdec_template.c | 14 --
>  1 file changed, 12 insertions(+), 2 deletions(-)

applied

[...]
-- 
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you drop bombs on a foreign country and kill a hundred thousand
innocent people, expect your government to call the consequence
"unprovoked inhuman terrorist attacks" and use it to justify dropping
more bombs and killing more people. The technology changed, the idea is old.


___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel


[FFmpeg-devel] [PATCH] avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure

2017-04-09 Thread Michael Niedermayer
Fixes: out of array read
Fixes: 1072/clusterfuzz-testcase-6456688074817536

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 
---
 libavcodec/aacdec_template.c | 14 --
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 98a3240597..b20855b99d 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -406,11 +406,15 @@ static uint64_t sniff_channel_order(uint8_t 
(*layout_map)[3], int tags)
 /**
  * Save current output configuration if and only if it has been locked.
  */
-static void push_output_configuration(AACContext *ac) {
+static int push_output_configuration(AACContext *ac) {
+int pushed = 0;
+
 if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
 ac->oc[0] = ac->oc[1];
+pushed = 1;
 }
 ac->oc[1].status = OC_NONE;
+return pushed;
 }
 
 /**
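Review bot: The doc comment above push_output_configuration() still says only "Save current output configuration if and only if it has been locked", so the new int return value is undocumented; add a line such as "@return 1 if the configuration was saved into oc[0], 0 otherwise". The comment also does not match the condition, which saves when ac->oc[0].status == OC_NONE as well as when oc[1] is locked. It is also worth stating there that ac->oc[1].status is reset to OC_NONE whether or not anything was pushed, since the caller now acts on a 0 return after that reset has already happened.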
@@ -3026,7 +3030,13 @@ static int aac_decode_frame_int(AVCodecContext *avctx, 
void *data,
 case TYPE_PCE: {
 uint8_t layout_map[MAX_ELEM_ID*4][3];
 int tags;
-push_output_configuration(ac);
+
+int pushed = push_output_configuration(ac);
+if (pce_found && !pushed) {
+err = AVERROR_INVALIDDATA;
+goto fail;
+}
+
 tags = decode_pce(avctx, >oc[1].m4ac, layout_map, gb,
   payload_alignment);
 if (tags < 0) {
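Review bot: The new rejection path in case TYPE_PCE sets err = AVERROR_INVALIDDATA and jumps to fail without logging anything, so a stream refused here cannot be told apart from any other invalid-data failure. An av_log(avctx, AV_LOG_ERROR, ...) before the goto, saying that a further PCE was refused because the output configuration could not be saved, would make fuzzer and user reports easier to triage. The check also runs only after push_output_configuration() has already set ac->oc[1].status = OC_NONE, so please confirm that the fail path restores or tolerates that state. As a style point, "int pushed = push_output_configuration(ac);" hides a call with side effects in an initializer; declaring pushed next to tags and assigning it on its own line would read more clearly.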
-- 
2.11.0
