[FFmpeg-devel] [PATCH 1/2] avcodec/cbs_vp9: Check index_size

Michael Niedermayer michael at niedermayer.cc
Tue Dec 24 16:58:18 EET 2019


On Sat, Dec 14, 2019 at 03:23:40PM -0300, James Almer wrote:
> On 12/14/2019 9:08 AM, Michael Niedermayer wrote:
> > Fixes: out of array read
> > Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/cbs_vp9.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c
> > index 42e4dcf5ac..98730e03e3 100644
> > --- a/libavcodec/cbs_vp9.c
> > +++ b/libavcodec/cbs_vp9.c
> > @@ -428,6 +428,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx,
> >          index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) *
> >                            ((superframe_header & 0x07) + 1);
> >  
> > +        if (index_size > frag->data_size)
> > +            return AVERROR_INVALIDDATA;
> > +
> >          err = init_get_bits(&gbc, frag->data + frag->data_size - index_size,
> >                              8 * index_size);
> >          if (err < 0)
> 
> Should be ok.

will apply 

Thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Observe your enemies, for they first find out your faults. -- Antisthenes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191224/087537e8/attachment.sig>


More information about the ffmpeg-devel mailing list