[FFmpeg-devel] [PATCH 3/3] avcodec/huffyuvdec: Check input buffer size

Michael Niedermayer michael at niedermayer.cc
Thu Feb 1 03:36:16 EET 2018


On Wed, Jan 31, 2018 at 07:56:06PM +0100, Paul B Mahol wrote:
> On 1/31/18, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > Fixes: Timeout
> > Fixes: 5487/clusterfuzz-testcase-4696837035393024
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/huffyuvdec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
> > index 979c4b9d5c..66357bfb40 100644
> > --- a/libavcodec/huffyuvdec.c
> > +++ b/libavcodec/huffyuvdec.c
> > @@ -919,6 +919,9 @@ static int decode_frame(AVCodecContext *avctx, void
> > *data, int *got_frame,
> >      AVFrame *const p = data;
> >      int table_size = 0, ret;
> >
> > +    if (buf_size < (width * height + 7)/8)
> > +        return AVERROR_INVALIDDATA;
> > +
> 
> Are you sure this is enough?

I dont know if thats the only way the decoder can be made to waste
large amounts of CPU with little input data

I do belive it stops this specific class of issues though


> 
> Something similar you had already posted long ago.

for other decoders, yes. Did i forget a patch for huffyuv ?

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Old school: Use the lowest level language in which you can solve the problem
            conveniently.
New school: Use the highest level language in which the latest supercomputer
            can solve the problem without the user falling asleep waiting.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20180201/2665b398/attachment.sig>


More information about the ffmpeg-devel mailing list