[FFmpeg-devel] [PATCH] avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized
Michael Niedermayer
michael at niedermayer.cc
Tue Sep 5 14:24:20 EEST 2017
On Tue, Sep 05, 2017 at 01:16:22PM +0200, Paul B Mahol wrote:
> On 9/5/17, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > Hi
> >
> > On Mon, Sep 04, 2017 at 06:45:02PM -0400, Ronald S. Bultje wrote:
> >> Hi,
> >>
> >> On Mon, Sep 4, 2017 at 6:04 PM, Michael Niedermayer
> >> <michael at niedermayer.cc>
> >> wrote:
> >>
> >> > Fixes: OOM
> >> > Fixes: 2225/clusterfuzz-testcase-minimized-5505632079708160
> >> >
> >> > Found-by: continuous fuzzing process https://github.com/google/oss-
> >> > fuzz/tree/master/projects/ffmpeg
> >> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >> > ---
> >> > libavcodec/jpeg2000.c | 4 ++++
> >> > 1 file changed, 4 insertions(+)
> >> >
> >> > diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
> >> > index 94efc94c4d..9e1bbc2ec4 100644
> >> > --- a/libavcodec/jpeg2000.c
> >> > +++ b/libavcodec/jpeg2000.c
> >> > @@ -506,6 +506,10 @@ int ff_jpeg2000_init_component(Jpeg2000Component
> >> > *comp,
> >> > // update precincts size: 2^n value
> >> > reslevel->log2_prec_width = codsty->log2_prec_widths[
> >> > reslevelno];
> >> > reslevel->log2_prec_height = codsty->log2_prec_heights[
> >> > reslevelno];
> >> > + if (!reslevel->log2_prec_width || !reslevel->log2_prec_height)
> >> > {
> >> > + av_log(avctx, AV_LOG_ERROR, "COD/COC is missing\n");
> >> > + return AVERROR_INVALIDDATA;
> >> > + }
> >>
> >>
> >> Please change it to ff_tlog().
> >
> > that would make the message unavailable to the user, so the user
> > would not know why a decoding failure occured.
> >
> > It would also make it unavailable in bug reports as the message is
> > not in the compiled binary. Even at highest verbosity and debug levels
> > it would not show up not even with debug builds. Only in special trace
> > builds would it show up.
> >
> > Users would not be able to find existing bug reports based on the error
> > message, would not be able to google it, would not be able to refer to
> > it in a specific way "a issue with missing COC/COD".
> >
> > This is not a obscure detail of bitstream parsing, its a error in
> > the headers that will lead to the loss of a frame.
> >
> > Lets also look at what other software does
> > picking lena converted to jpeg2000 and a damaged COD with a hex editor
> >
> > j2k_to_image -i lena-noco.jp2 -o image.pgm
> >
> > [ERROR] Error decoding component 0.
> > The number of resolutions is too big: 256 vs max= 33. Truncating.
> >
> > [ERROR] Error decoding component 1.
> > The number of resolutions is too big: 256 vs max= 33. Truncating.
> >
> > [ERROR] Error decoding component 2.
> > The number of resolutions is too big: 256 vs max= 33. Truncating.
> >
> > [ERROR] Failed to decode J2K image
> > ERROR -> j2k_to_image: failed to decode image!
> >
> > You can see openjpeg shows detailed error messages
> > Lets try the clusterfuzz testcase directly:
> >
> > j2k_to_image -i clusterfuzz-testcase-minimized-5505632079708160.jp2 -o
> > image.pnm
> >
> > [ERROR] Integer overflow in box->length
> > [ERROR] Failed to read boxhdr
> > [ERROR] Failed to decode jp2 structure
> > ERROR -> j2k_to_image: failed to decode image!
> >
> > again, a detailed error message
> >
> > lets try jasper
> >
> > jasper --input lena-noco.jp2 --output file.pnm
> > cannot get marker segment
> > error: cannot decode code stream
> > error: cannot load image data
> >
> > and the testcase directly:
> > jasper --input clusterfuzz-testcase-minimized-5505632079708160 --output
> > image.pnm
> > cannot get marker segment
> > error: cannot load image data
> >
> > and jasper also shows more than just a generic error
> >
> > Thats by default. no debug build, no trace build, no verbosity, no
> > debug options.
> >
> > just for completeness lets run jasper with debug level 99
> > jasper --debug-level 99 --input
> > clusterfuzz-testcase-minimized-5505632079708160.jp2 --output image.pnm
> > type = 0xff4f (SOC);
> > type = 0xff51 (SIZ); len = 41;caps = 0x2020;
> > width = 25632; height = 32; xoff = 0; yoff = 0;
> > tilewidth = 538976288; tileheight = 538976288; tilexoff = 0; tileyoff =
> > 0;
> > prec[0] = 8; sgnd[0] = 0; hsamp[0] = 1; vsamp[0] = 1
> > type = 0xff52 (COD); len = 13;csty = 0x01;
> > numdlvls = 0; qmfbid = 0; mctrans = 0
> > prg = 32; numlyrs = 8224;
> > cblkwidthval = 32; cblkheightval = 32; cblksty = 0x20;
> > prcwidth[0] = 0, prcheight[0] = 0
> > type = 0xff90 (SOT); len = 10;tileno = 0; len = 0; partno = 0; numparts
> > = 32
> > cannot get marker segment
> > error: cannot load image data
> >
> > You can again see, theres lots of details, which may be critically
> > important in a bug report.
> >
> > More so users may have bug report samples that are not sharable
> > for all kinds of contractual reasons. Having detailed information
> > available is the only chance to debug such issues.
> > Requiring the user to build his own binary FFmpeg with custom build
> > flags is a large hurdle for reporting a bug
>
> FFmpeg is not meant to have every log for every error return.
>
> COD/COC sounds funny.
COD/COC is how its called in most of the jpeg2000 spec
I can write the full terms out of course
"Coding style component" and "Coding style default"
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
"Nothing to hide" only works if the folks in power share the values of
you and everyone you know entirely and always will -- Tom Scott
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20170905/204ad716/attachment.sig>
More information about the ffmpeg-devel
mailing list