[FFmpeg-devel] [PATCH] avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized
Michael Niedermayer
michael at niedermayer.cc
Tue Sep 5 14:04:14 EEST 2017
Hi
On Mon, Sep 04, 2017 at 06:45:02PM -0400, Ronald S. Bultje wrote:
> Hi,
>
> On Mon, Sep 4, 2017 at 6:04 PM, Michael Niedermayer <michael at niedermayer.cc>
> wrote:
>
> > Fixes: OOM
> > Fixes: 2225/clusterfuzz-testcase-minimized-5505632079708160
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-
> > fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/jpeg2000.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
> > index 94efc94c4d..9e1bbc2ec4 100644
> > --- a/libavcodec/jpeg2000.c
> > +++ b/libavcodec/jpeg2000.c
> > @@ -506,6 +506,10 @@ int ff_jpeg2000_init_component(Jpeg2000Component
> > *comp,
> > // update precincts size: 2^n value
> > reslevel->log2_prec_width = codsty->log2_prec_widths[
> > reslevelno];
> > reslevel->log2_prec_height = codsty->log2_prec_heights[
> > reslevelno];
> > + if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) {
> > + av_log(avctx, AV_LOG_ERROR, "COD/COC is missing\n");
> > + return AVERROR_INVALIDDATA;
> > + }
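Review bot: the new condition rejects a zero log2 precinct exponent at every resolution level, but ITU-T T.800 (Table A.21) permits PPx = PPy = 0 at the lowest resolution level, and the jasper trace later in this mail shows the fuzz sample's COD is in fact present ("type = 0xff52 (COD)") with "prcwidth[0] = 0, prcheight[0] = 0", so the message "COD/COC is missing" would misreport a present but unusual COD. Consider either limiting the zero check to reslevelno > 0 (if the decoder already rejects zero exponents above level 0 when reading the COD, this check then only catches the uninitialized case) or, if the zero case must be rejected here, wording the message after the actual condition and including the level, e.g. "Invalid precinct size exponent at resolution level %d".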
>
>
> Please change it to ff_tlog().
That would make the message unavailable to the user, so the user
would not know why a decoding failure occurred.

It would also make it unavailable in bug reports, as the message is
not in the compiled binary. Even at the highest verbosity and debug levels
it would not show up, not even with debug builds. Only in special trace
builds would it show up.

Users would not be able to find existing bug reports based on the error
message, would not be able to google it, would not be able to refer to
it in a specific way ("an issue with missing COC/COD").

This is not an obscure detail of bitstream parsing, it's an error in
the headers that will lead to the loss of a frame.
Let's also look at what other software does, picking lena converted to
jpeg2000 and a damaged COD with a hex editor:
j2k_to_image -i lena-noco.jp2 -o image.pgm
[ERROR] Error decoding component 0.
The number of resolutions is too big: 256 vs max= 33. Truncating.
[ERROR] Error decoding component 1.
The number of resolutions is too big: 256 vs max= 33. Truncating.
[ERROR] Error decoding component 2.
The number of resolutions is too big: 256 vs max= 33. Truncating.
[ERROR] Failed to decode J2K image
ERROR -> j2k_to_image: failed to decode image!
You can see openjpeg shows detailed error messages.

Let's try the clusterfuzz testcase directly:
j2k_to_image -i clusterfuzz-testcase-minimized-5505632079708160.jp2 -o image.pnm
[ERROR] Integer overflow in box->length
[ERROR] Failed to read boxhdr
[ERROR] Failed to decode jp2 structure
ERROR -> j2k_to_image: failed to decode image!
Again, a detailed error message.

Let's try jasper:
jasper --input lena-noco.jp2 --output file.pnm
cannot get marker segment
error: cannot decode code stream
error: cannot load image data
And the testcase directly:
jasper --input clusterfuzz-testcase-minimized-5505632079708160 --output image.pnm
cannot get marker segment
error: cannot load image data
And jasper also shows more than just a generic error.

That's by default: no debug build, no trace build, no verbosity, no
debug options.

Just for completeness, let's run jasper with debug level 99:
jasper --debug-level 99 --input clusterfuzz-testcase-minimized-5505632079708160.jp2 --output image.pnm
type = 0xff4f (SOC);
type = 0xff51 (SIZ); len = 41;caps = 0x2020;
width = 25632; height = 32; xoff = 0; yoff = 0;
tilewidth = 538976288; tileheight = 538976288; tilexoff = 0; tileyoff = 0;
prec[0] = 8; sgnd[0] = 0; hsamp[0] = 1; vsamp[0] = 1
type = 0xff52 (COD); len = 13;csty = 0x01;
numdlvls = 0; qmfbid = 0; mctrans = 0
prg = 32; numlyrs = 8224;
cblkwidthval = 32; cblkheightval = 32; cblksty = 0x20;
prcwidth[0] = 0, prcheight[0] = 0
type = 0xff90 (SOT); len = 10;tileno = 0; len = 0; partno = 0; numparts = 32
cannot get marker segment
error: cannot load image data
You can again see there's lots of detail, which may be critically
important in a bug report.

More so, users may have bug report samples that are not sharable
for all kinds of contractual reasons. Having detailed information
available is the only chance to debug such issues.

Requiring the user to build his own FFmpeg binary with custom build
flags is a large hurdle for reporting a bug.
Thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The real ebay dictionary, page 1
"Used only once" - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaired by experienced expert"
"As is" - "You wouldn't want it even if you were paid for it, if you knew ..."
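An added example, not code from FFmpeg, openjpeg or jasper, showing the kind of specific diagnostic the reply argues for: a small parser for the precinct-size bytes of a JPEG 2000 COD marker segment that names the field and resolution level that failed validation, run on two constructed segments. The segment layout and the rule that a zero precinct exponent is only legal at the lowest resolution level are taken from ITU-T T.800 as assumptions, not from this thread.

```c
/* Added example, not FFmpeg or jasper code. Parses the precinct-size bytes of a
 * JPEG 2000 COD marker segment and reports a specific diagnostic. Assumed layout
 * (ITU-T T.800 A.6.1): FF52, Lcod(2), Scod(1), SGcod(4), NL(1), xcb(1), ycb(1),
 * cblksty(1), transform(1), then one byte per resolution level if Scod & 1
 * (low nibble PPx, high nibble PPy); PPx/PPy = 0 is only legal at level 0. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RESLEVELS 33
#define FAIL(...) do { snprintf(err, errlen, __VA_ARGS__); return -1; } while (0)

typedef struct {
    int csty, nreslevels;
    int log2_prec_widths[MAX_RESLEVELS], log2_prec_heights[MAX_RESLEVELS];
} CodStyle;

/* Returns 0 on success, -1 on malformed data with the reason written to err. */
int parse_cod(const uint8_t *buf, size_t len, CodStyle *c, char *err, size_t errlen)
{
    memset(c, 0, sizeof(*c));
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0x52) FAIL("not a COD marker segment");
    size_t end = 2 + ((buf[2] << 8) | buf[3]);           /* marker bytes + Lcod */
    if (end > len || end < 14) FAIL("COD length %zu out of range", end - 2);
    c->csty       = buf[4];
    c->nreslevels = buf[9] + 1;                            /* decomposition levels + 1 */
    if (c->nreslevels > MAX_RESLEVELS) FAIL("too many resolution levels: %d", c->nreslevels);
    for (int r = 0, pos = 14; r < c->nreslevels; r++) {
        if (!(c->csty & 1)) {                              /* no precinct bytes: maximum size */
            c->log2_prec_widths[r] = c->log2_prec_heights[r] = 15;
            continue;
        }
        if ((size_t)pos >= end) FAIL("COD too short for %d precinct sizes", c->nreslevels);
        c->log2_prec_widths[r]  = buf[pos] & 0x0F;
        c->log2_prec_heights[r] = buf[pos++] >> 4;
        if (r && (!c->log2_prec_widths[r] || !c->log2_prec_heights[r]))
            FAIL("invalid precinct size exponent 0 at resolution level %d", r);
    }
    return 0;
}

/* Constructed samples: NL = 2 with precincts present; cod_bad has PPx = 0 at level 1. */
static const uint8_t cod_ok[]  = {0xFF,0x52,0x00,0x0F,0x01,0x00,0x00,0x01,0x00,0x02,0x04,0x04,0x00,0x01,0x00,0x77,0x88};
static const uint8_t cod_bad[] = {0xFF,0x52,0x00,0x0F,0x01,0x00,0x00,0x01,0x00,0x02,0x04,0x04,0x00,0x01,0x00,0x70,0x88};
static char last_err[128];

int demo_parse(const uint8_t *buf, size_t len)            /* wrapper so the reason is retrievable */
{ CodStyle c; last_err[0] = '\0'; return parse_cod(buf, len, &c, last_err, sizeof last_err); }
const char *demo_last_error(void) { return last_err; }
```

Calling demo_parse() on cod_bad returns -1 and demo_last_error() then reads "invalid precinct size exponent 0 at resolution level 1", which is the kind of message a user can quote in a bug report.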