[FFmpeg-devel] [PATCH 3/4] avcodec/dxv: Check op_offset in both directions

Paul B Mahol onemda at gmail.com
Mon Sep 23 12:09:28 EEST 2019


Feel free to apply this patch as it does not break current files, but
I think check is incomplete.

On 9/10/19, Paul B Mahol <onemda at gmail.com> wrote:
> On 9/10/19, Michael Niedermayer <michael at niedermayer.cc> wrote:
>> On Mon, Sep 09, 2019 at 10:29:14PM +0200, Paul B Mahol wrote:
>>> On 9/9/19, Michael Niedermayer <michael at niedermayer.cc> wrote:
>>> > On Fri, Jul 19, 2019 at 09:53:34PM +0200, Michael Niedermayer wrote:
>>> >> On Fri, Jul 19, 2019 at 03:36:43PM +0200, Paul B Mahol wrote:
>>> >> > On 7/19/19, Michael Niedermayer <michael at niedermayer.cc> wrote:
>>> >> > > On Thu, Jun 27, 2019 at 09:32:44AM +0200, Paul B Mahol wrote:
>>> >> > >> On 6/27/19, Michael Niedermayer <michael at niedermayer.cc> wrote:
>>> >> > >> > Fixes: signed integer overflow: 61 + 2147483647 cannot be
>>> >> > >> > represented
>>> >> > >> > in
>>> >> > >> > type 'int'
>>> >> > >> > Fixes:
>>> >> > >> > 15311/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5742552826773504
>>> >> > >> >
>>> >> > >> > Found-by: continuous fuzzing process
>>> >> > >> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> >> > >> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> >> > >> > ---
>>> >> > >> >  libavcodec/dxv.c | 2 +-
>>> >> > >> >  1 file changed, 1 insertion(+), 1 deletion(-)
>>> >> > >> >
>>> >> > >> > diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
>>> >> > >> > index 5fd1844094..3506775560 100644
>>> >> > >> > --- a/libavcodec/dxv.c
>>> >> > >> > +++ b/libavcodec/dxv.c
>>> >> > >> > @@ -745,7 +745,7 @@ static int dxv_decompress_cocg(DXVContext
>>> >> > >> > *ctx,
>>> >> > >> > GetByteContext *gb,
>>> >> > >> >      int skip0, skip1, oi0 = 0, oi1 = 0;
>>> >> > >> >      int ret, state0 = 0, state1 = 0;
>>> >> > >> >
>>> >> > >> > -    if (op_offset < 12)
>>> >> > >> > +    if (op_offset < 12 || op_offset - 12 >
>>> >> > >> > bytestream2_get_bytes_left(gb))
>>> >> > >> >          return AVERROR_INVALIDDATA;
>>> >> > >> >
>>> >> > >> >      dst = tex_data;
>>> >> > >> > --
>>> >> > >> > 2.22.0
>>> >> > >> >
>>> >> > >> > _______________________________________________
>>> >> > >> > ffmpeg-devel mailing list
>>> >> > >> > ffmpeg-devel at ffmpeg.org
>>> >> > >> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>> >> > >> >
>>> >> > >> > To unsubscribe, visit link above, or email
>>> >> > >> > ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>>> >> > >>
>>> >> > >> Make sure this does not break any files.
>>> >> > >
>>> >> > > Do you have any specific files i should test ?
>>> >> > >
>>> >> > > I of course cannot test every file on earth ...
>>> >> >
>>> >> > I'm on vacation, so when I get back I will give you some files.
>>> >>
>>> >> ok, ill wait, no hurry, enjoy your vacation!
>>> >
>>> > ping, this issue is reaching its deadline, so i would like to
>>> > fix it
>>>
>>> What deadline? Is this some kind of fancy corporation?
>>
>> first link for googling ossfuzz deadline explains it like this:
>>
>> "Once a project is signed up for OSS-Fuzz, it is automatically subject to
>> the 90-day disclosure deadline for newly reported bugs ..."
>>
>
> Irrelevant, this is not security issue at all.
>
>> thx
>>
>> [...]
>> --
>> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>>
>> "I am not trying to be anyone's saviour, I'm trying to think about the
>>  future and not be sad" - Elon Musk
>>
>>
>


More information about the ffmpeg-devel mailing list