[FFmpeg-devel] [PATCH] avcodec/fic: Check available input space for cursor

Michael Niedermayer michael at niedermayer.cc
Thu May 17 00:11:02 EEST 2018


On Sun, May 06, 2018 at 12:47:25AM +0200, Michael Niedermayer wrote:
> On Sat, May 05, 2018 at 11:12:06PM +0200, Paul B Mahol wrote:
> > On 5/5/18, wm4 <nfxjfg at googlemail.com> wrote:
> > > On Sat,  5 May 2018 22:47:37 +0200
> > > Michael Niedermayer <michael at niedermayer.cc> wrote:
> > >
> > >> Fixes: out of array read
> > >> Fixes:
> > >> 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984
> > >>
> > >> Found-by: continuous fuzzing process
> > >> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > >> ---
> > >>  libavcodec/fic.c | 5 +++++
> > >>  1 file changed, 5 insertions(+)
> > >>
> > >> diff --git a/libavcodec/fic.c b/libavcodec/fic.c
> > >> index d7ee370423..6824a5683c 100644
> > >> --- a/libavcodec/fic.c
> > >> +++ b/libavcodec/fic.c
> > >> @@ -337,6 +337,11 @@ static int fic_decode_frame(AVCodecContext *avctx,
> > >> void *data,
> > >>          skip_cursor = 1;
> > >>      }
> > >>
> > >> +    if (!skip_cursor && avpkt->size < 59 + 32 * 32 * 4) {
> > >> +        av_log(avctx, AV_LOG_WARNING, "Input is cursorless\n");
> > >> +        skip_cursor = 1;
> > >> +    }
> > >> +
> > >>      /* Slice height for all but the last slice. */
> > >>      ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
> > >>      if (ctx->slice_h % 16)
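Review bot: the new guard `if (!skip_cursor && avpkt->size < 59 + 32 * 32 * 4)` is the right place to stop the out-of-array read the commit message names, but its two magic numbers (the 59-byte offset at which cursor data starts and the 32 * 32 * 4 bytes of cursor data) are not explained anywhere in the hunk; name them as constants, or compute the bound from the same offset and size the cursor-parsing code uses, so the check cannot drift from the read it protects. Given the thread's agreement that no warning is needed, dropping the `av_log` line and just setting `skip_cursor = 1` keeps the behaviour while avoiding log noise on every truncated packet.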
> > >
> > > No warning needed.
> > 
> > Agreed.
> 
> Do you prefer I remove the message completely or make it a debug level one?
> Note, it seems every other case that sets skip_cursor as a result of an
> unexpected condition prints something

will apply without the error message

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Into a blind darkness they enter who follow after the Ignorance,
they as if into a greater darkness enter who devote themselves
to the Knowledge alone. -- Isha Upanishad