On 21/02/2021 20:58, Michael Niedermayer wrote:
On Tue, Feb 02, 2021 at 08:58:11PM +0000, Mark Thompson wrote:
The top-level GetBitContext is sized for the whole NAL unit, so it fails
to detect overflows where a payload continues into the following message.
To fix that, we make a new context on the stack for reading each payload.
---
On 01/02/2021 22:31, Michael Niedermayer wrote:
Fixes: Timeout
Fixes:
29892/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-6310830956216320
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/cbs_sei_syntax_template.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/cbs_sei_syntax_template.c
b/libavcodec/cbs_sei_syntax_template.c
index 9114e61ff6..3b9bc942f5 100644
--- a/libavcodec/cbs_sei_syntax_template.c
+++ b/libavcodec/cbs_sei_syntax_template.c
@@ -178,6 +178,8 @@ static int FUNC(message)(CodedBitstreamContext *ctx,
RWContext *rw,
GetBitContext tmp = *rw;
int trailing_bits, trailing_zero_bits;
+ if (8 * current->payload_size < bits_written)
+ return AVERROR_INVALIDDATA;
bits_left = 8 * current->payload_size - bits_written;
if (bits_left > 8)
skip_bits_long(&tmp, bits_left - 8);
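Review bot: the guard before `bits_left = 8 * current->payload_size - bits_written` keeps the subtraction from going negative, but it only notices the over-read after the payload parser has already consumed bits that belong to the following message; reading each payload through a GetBitContext sized to payload_size, as the patch description in this thread proposes, rejects the over-read at the point it happens and does not depend on this arithmetic. If the guard is kept, a one-line comment stating that bits_written exceeding 8 * payload_size means the payload parser ran past its declared size would help a later reader.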
So it looks like the actual problem is that we don't detect payload overflow,
so the calculation here underflows if the payload is invalid such that we read
more bits than there actually are.
How about this answer, which tries to fix the general problem by detecting
overflow properly - does it fix your fuzzed case?
yes
Added appropriate annotation and applied.
Thanks,
- Mark
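To illustrate the point of the thread, here is an added example that is not FFmpeg's code: a toy MSB-first bit reader (not GetBitContext) and a toy message syntax (8-bit payload_size, then a payload of a 4-bit count followed by that many 8-bit values; constructed for this example, not a real SEI syntax). The same walker is run twice over a constructed NAL whose second message declares a 1-byte payload but asks for three values. With one reader sized to the whole NAL, the payload parser silently consumes the next message's bytes and the error surfaces later, as a misleading "truncated" condition; with a fresh reader sized to payload_size for each payload, the over-read is rejected at the payload that caused it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { PARSE_OK = 0, PARSE_OVERFLOW = -1, PARSE_TRUNCATED = -2 };

/* Toy bit reader (constructed here; not FFmpeg's GetBitContext). */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;  /* readable bits: reads past this are refused */
    size_t pos;        /* current bit position */
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size_bits)
{
    br->buf = buf;
    br->size_bits = size_bits;
    br->pos = 0;
}

/* Read n (<= 32) bits MSB-first; PARSE_TRUNCATED if the read would cross size_bits. */
static int br_read(BitReader *br, unsigned n, uint32_t *out)
{
    uint32_t v = 0;
    if (n > 32 || br->pos + n > br->size_bits)
        return PARSE_TRUNCATED;
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
    *out = v;
    return 0;
}

/* Toy payload syntax: 4-bit count, then count 8-bit values.
 * Returns the number of bits consumed, or a negative error. */
static long parse_payload(BitReader *br)
{
    uint32_t count, v;
    size_t start = br->pos;
    if (br_read(br, 4, &count))
        return PARSE_TRUNCATED;
    for (uint32_t i = 0; i < count; i++)
        if (br_read(br, 8, &v))
            return PARSE_TRUNCATED;
    return (long)(br->pos - start);
}

/* Walk messages (8-bit payload_size, then payload_size bytes) until only the
 * trailing byte remains. bounded == 0: one reader for the whole NAL, payload
 * overflow goes unnoticed. bounded != 0: a per-payload reader sized to
 * payload_size, so an over-read fails inside the payload that caused it. */
static int parse_nal(const uint8_t *nal, size_t nal_len, int bounded, int *messages_ok)
{
    BitReader rw;
    br_init(&rw, nal, 8 * nal_len);
    *messages_ok = 0;
    while (rw.pos + 8 < rw.size_bits) {
        uint32_t payload_size;
        long consumed;
        if (br_read(&rw, 8, &payload_size))
            return PARSE_TRUNCATED;
        if (8 * payload_size > rw.size_bits - rw.pos)
            return PARSE_TRUNCATED;           /* payload would run off the NAL */
        if (bounded) {
            BitReader tmp;                     /* fresh context for this payload only */
            br_init(&tmp, nal + rw.pos / 8, 8 * payload_size); /* pos is byte-aligned here */
            consumed = parse_payload(&tmp);
            if (consumed < 0)
                return PARSE_OVERFLOW;         /* payload read past its declared size */
            rw.pos += 8 * payload_size;        /* skip whatever the payload left unread */
        } else {
            consumed = parse_payload(&rw);     /* reads straight through into the next message */
            if (consumed < 0)
                return PARSE_TRUNCATED;
            long bits_left = 8 * (long)payload_size - consumed; /* negative on overflow, unnoticed */
            if (bits_left > 0)
                rw.pos += bits_left;
        }
        (*messages_ok)++;
    }
    return PARSE_OK;
}

/* Constructed NALs. Message bytes: {size, payload...}; 0x80 is the trailing byte.
 * 0x1A 0xB0 = count 1, value 0xAB, 4 padding bits. 0x30 = count 3 in a 1-byte payload. */
static const uint8_t NAL_GOOD[] = { 0x02, 0x1A, 0xB0, 0x02, 0x1A, 0xB0, 0x80 };
static const uint8_t NAL_BAD[]  = { 0x02, 0x1A, 0xB0, 0x01, 0x30, 0x02, 0x1A, 0xB0, 0x80 };

int main(void)
{
    int ok;
    int r = parse_nal(NAL_BAD, sizeof NAL_BAD, 0, &ok);
    printf("whole-NAL reader:   status %d after %d accepted messages\n", r, ok);
    r = parse_nal(NAL_BAD, sizeof NAL_BAD, 1, &ok);
    printf("per-payload reader: status %d after %d accepted messages\n", r, ok);
    return 0;
}
```

On the malformed NAL the whole-NAL reader accepts the second message, having taken its three "values" from the bytes of the third message, and only fails once the garbage it lands on claims a payload longer than what is left; the per-payload reader stops at message two with PARSE_OVERFLOW. Both parsers accept the well-formed NAL.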
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel