Re: [FFmpeg-devel] [PATCH 12/12] avcodec/4xm: Check index in decode_i_block() also in the path where its not used.
On Thu, Sep 26, 2019 at 10:07:29AM +0200, Paul B Mahol wrote: > lgtm will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If you think the mosad wants you dead since a long time then you are either wrong or dead since a long time. signature.asc Description: PGP signature ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 12/12] avcodec/4xm: Check index in decode_i_block() also in the path where its not used.
lgtm On 9/25/19, Michael Niedermayer wrote: > Fixes: Infinite loop > Fixes: signed integer overflow: 2147483644 + 16 cannot be represented in > type 'int' > Fixes: > 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 > Fixes: > 16782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5743163859271680 > Fixes: > 17641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5711603562971136 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavcodec/4xm.c | 4 > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c > index 1f4e2aee24..336c651d31 100644 > --- a/libavcodec/4xm.c > +++ b/libavcodec/4xm.c > @@ -525,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t > *block) > break; > if (code == 0xf0) { > i += 16; > +if (i >= 64) { > +av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i); > +return 0; > +} > } else { > if (code & 0xf) { > level = get_xbits(&f->gb, code & 0xf); > -- > 2.23.0 > > ___ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 12/12] avcodec/4xm: Check index in decode_i_block() also in the path where its not used.
Fixes: Infinite loop Fixes: signed integer overflow: 2147483644 + 16 cannot be represented in type 'int' Fixes: 16169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5662570416963584 Fixes: 16782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5743163859271680 Fixes: 17641/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5711603562971136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/4xm.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 1f4e2aee24..336c651d31 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -525,6 +525,10 @@ static int decode_i_block(FourXContext *f, int16_t *block) break; if (code == 0xf0) { i += 16; +if (i >= 64) { +av_log(f->avctx, AV_LOG_ERROR, "run %d overflow\n", i); +return 0; +} } else { if (code & 0xf) { level = get_xbits(&f->gb, code & 0xf); -- 2.23.0 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".