[FFmpeg-devel] [PATCH] avcodec/zmbv: Check decomp_size

Michael Niedermayer michael at niedermayer.cc
Wed Aug 16 15:35:08 EEST 2017


On Wed, Aug 16, 2017 at 09:48:43AM +0200, Tomas Härdin wrote:
> On 2017-08-16 05:04, Michael Niedermayer wrote:
> >Fixes: OOM
> >Fixes: 2710/clusterfuzz-testcase-minimized-4750001420894208
> >
> >Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >---
> >  libavcodec/zmbv.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> >diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
> >index f126515bd1..861098a0f2 100644
> >--- a/libavcodec/zmbv.c
> >+++ b/libavcodec/zmbv.c
> >@@ -589,8 +589,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
> >      // Needed if zlib unused or init aborted before inflateInit
> >      memset(&c->zstream, 0, sizeof(z_stream));
> >-    c->decomp_size = (avctx->width + 255) * 4 * (avctx->height + 64);
> >+    if ((avctx->width + 255ULL) * (avctx->height + 64ULL) > avctx->max_pixels) {
> 
> Are width and height constrained somewhere? If both end up around
> 1<<32 then the multiplication can overflow.

width and height are signed integers and checked in avcodec_open2()

I can replicate the check here if you think depending on a distant
check is too fragile.


> 
> >+        av_log(avctx, AV_LOG_ERROR, "Internal buffer larger than max_pixels\n");
> >+        return AVERROR_INVALIDDATA;
> >+    }
> >+    c->decomp_size = (avctx->width + 255) * 4 * (avctx->height + 64);
> 
> Use 255ULL and 64ULL maybe? It's almost conceivable that you could
> have a file constructed to be (1<<31 - 255)x1 that passes the
> max_pixels check

such file could exist but avcodec_open2() will reject this currently.
I think adding an explicit check of some kind would make sense
255ULL and 64ULL wont help as  decomp_size is just a unsigned int and
its passed into zlib which uses  a uInt ...

ill send a new patch

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Its not that you shouldnt use gotos but rather that you should write
readable code and code with gotos often but not always is less readable
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20170816/9abcca79/attachment.sig>


More information about the ffmpeg-devel mailing list