Re: [FFmpeg-devel] [PATCH 2/3] avcodec/iff: Check ham vs bpp
On Sun, Jun 23, 2019 at 10:45:56AM +0200, Michael Niedermayer wrote:
> On Sun, Jun 23, 2019 at 06:33:02PM +1000, Peter Ross wrote:
> > On Sun, Jun 23, 2019 at 12:30:54AM +0200, Michael Niedermayer wrote:
> > > This checks the ham value much stricter and avoids hitting cases which
> > > cannot be reached
> > > with data from the libavformat demuxer.
> > >
> > > Fixes: out of array access
> > > Fixes:
> > > 15320/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5080476840099840
> > > Fixes:
> > > 15423/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5630765833912320
> > >
> > > Found-by: continuous fuzzing process
> > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer
> > > ---
> > > libavcodec/iff.c | 15 ---
> > > 1 file changed, 12 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/libavcodec/iff.c b/libavcodec/iff.c
> > > index b43bd507b3..b065bbe598 100644
> > > --- a/libavcodec/iff.c
> > > +++ b/libavcodec/iff.c
> > > @@ -280,6 +280,18 @@ static int extract_header(AVCodecContext *const
> > > avctx,
> > > for (i = 0; i < 16; i++)
> > > s->tvdc[i] = bytestream_get_be16();
> > >
> > > +if (s->ham) {
> > > +if (s->bpp > 8) {
> > > +av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits
> > > for HAM: %u\n", s->ham);
> > > +s->ham = 0;
> > > +return AVERROR_INVALIDDATA;
> > > +} if (s->ham != (s->bpp > 6 ? 6 : 4)) {
> > > +av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits
> > > for HAM: %u, BPP: %u\n", s->ham, s->bpp);
> > > +s->ham = 0;
> > > +return AVERROR_INVALIDDATA;
> > > +}
> > > +}
> >
> > i am curious why we need to reset ham = 0? otherwise patch okay.
>
> That was just so as not to leave an invalid value in the context. It is
> very likely not needed, I will remove it.
will apply without the ham = 0
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In a rich man's house there is no place to spit but his face.
-- Diogenes of Sinope
signature.asc
Description: PGP signature
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 2/3] avcodec/iff: Check ham vs bpp
On Sun, Jun 23, 2019 at 06:33:02PM +1000, Peter Ross wrote:
> On Sun, Jun 23, 2019 at 12:30:54AM +0200, Michael Niedermayer wrote:
> > This checks the ham value much stricter and avoids hitting cases which
> > cannot be reached
> > with data from the libavformat demuxer.
> >
> > Fixes: out of array access
> > Fixes:
> > 15320/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5080476840099840
> > Fixes:
> > 15423/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5630765833912320
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> > libavcodec/iff.c | 15 ---
> > 1 file changed, 12 insertions(+), 3 deletions(-)
> >
> > diff --git a/libavcodec/iff.c b/libavcodec/iff.c
> > index b43bd507b3..b065bbe598 100644
> > --- a/libavcodec/iff.c
> > +++ b/libavcodec/iff.c
> > @@ -280,6 +280,18 @@ static int extract_header(AVCodecContext *const avctx,
> > for (i = 0; i < 16; i++)
> > s->tvdc[i] = bytestream_get_be16();
> >
> > +if (s->ham) {
> > +if (s->bpp > 8) {
> > +av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits
> > for HAM: %u\n", s->ham);
> > +s->ham = 0;
> > +return AVERROR_INVALIDDATA;
> > +} if (s->ham != (s->bpp > 6 ? 6 : 4)) {
> > +av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits
> > for HAM: %u, BPP: %u\n", s->ham, s->bpp);
> > +s->ham = 0;
> > +return AVERROR_INVALIDDATA;
> > +}
> > +}
>
> i am curious why we need to reset ham = 0? otherwise patch okay.
That was just so as not to leave an invalid value in the context. It is
very likely not needed, I will remove it.
>
> patch 1 and 3 okay.
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
signature.asc
Description: PGP signature
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 2/3] avcodec/iff: Check ham vs bpp
On Sun, Jun 23, 2019 at 12:30:54AM +0200, Michael Niedermayer wrote:
> This checks the ham value much stricter and avoids hitting cases which cannot
> be reached
> with data from the libavformat demuxer.
>
> Fixes: out of array access
> Fixes:
> 15320/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5080476840099840
> Fixes:
> 15423/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5630765833912320
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
> libavcodec/iff.c | 15 ---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/iff.c b/libavcodec/iff.c
> index b43bd507b3..b065bbe598 100644
> --- a/libavcodec/iff.c
> +++ b/libavcodec/iff.c
> @@ -280,6 +280,18 @@ static int extract_header(AVCodecContext *const avctx,
> for (i = 0; i < 16; i++)
> s->tvdc[i] = bytestream_get_be16();
>
> +if (s->ham) {
> +if (s->bpp > 8) {
> +av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for
> HAM: %u\n", s->ham);
> +s->ham = 0;
> +return AVERROR_INVALIDDATA;
> +} if (s->ham != (s->bpp > 6 ? 6 : 4)) {
> +av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for
> HAM: %u, BPP: %u\n", s->ham, s->bpp);
> +s->ham = 0;
> +return AVERROR_INVALIDDATA;
> +}
> +}
i am curious why we need to reset ham = 0? otherwise patch okay.
patch 1 and 3 okay.
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
signature.asc
Description: PGP signature
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 2/3] avcodec/iff: Check ham vs bpp
This checks the ham value much stricter and avoids hitting cases which cannot
be reached
with data from the libavformat demuxer.
Fixes: out of array access
Fixes:
15320/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5080476840099840
Fixes:
15423/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5630765833912320
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/iff.c | 15 ---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index b43bd507b3..b065bbe598 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -280,6 +280,18 @@ static int extract_header(AVCodecContext *const avctx,
for (i = 0; i < 16; i++)
s->tvdc[i] = bytestream_get_be16();
+if (s->ham) {
+if (s->bpp > 8) {
+av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for
HAM: %u\n", s->ham);
+s->ham = 0;
+return AVERROR_INVALIDDATA;
+} if (s->ham != (s->bpp > 6 ? 6 : 4)) {
+av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for
HAM: %u, BPP: %u\n", s->ham, s->bpp);
+s->ham = 0;
+return AVERROR_INVALIDDATA;
+}
+}
+
if (s->masking == MASK_HAS_MASK) {
if (s->bpp >= 8 && !s->ham) {
avctx->pix_fmt = AV_PIX_FMT_RGB32;
@@ -307,9 +319,6 @@ static int extract_header(AVCodecContext *const avctx,
if (!s->bpp || s->bpp > 32) {
av_log(avctx, AV_LOG_ERROR, "Invalid number of bitplanes: %u\n",
s->bpp);
return AVERROR_INVALIDDATA;
-} else if (s->ham >= 8) {
-av_log(avctx, AV_LOG_ERROR, "Invalid number of hold bits for HAM:
%u\n", s->ham);
-return AVERROR_INVALIDDATA;
}
av_freep(>ham_buf);
--
2.22.0
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
