cfhd: More strictly check tag order and multiplicity

Michael Niedermayer Tue, 30 Mar 2021 09:49:51 -0700

On Sun, Dec 20, 2020 at 10:15:24PM +0100, Michael Niedermayer wrote:
> This is based on the encoder and a small number of CFHD sample files
> It should make the decoder more robust against crafted input.
> Due to the lack of a proper specification it is possible that this
> may be too strict and may need to be tuned as files not following this
> ordering are found.
> 
> Fixes: segfault
> Fixes: OOM
> Fixes: null pointer dereference
> Fixes: left shift of negative value -12
> Fixes: out of array write
> Fixes: 
> 25367/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4865603750592512
> Fixes: 
> 25958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4851579923202048
> Fixes: 
> 25988/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5643617157513216
> Fixes: 
> 25995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5177442380283904
> Fixes: 
> 25996/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5663296026574848
> Fixes: 
> 26082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5126180416782336
> Fixes: 
> 27872/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4916296355151872
> Fixes: 
> 28305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6041755829010432


The following issues have been found by the fuzzer in CFHD since this was posted
With this applied none is reproducable


29754/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6333598414274560
==18805==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x000000d6875d bp 0x000000000000 sp 0x7ffde47353d8 T0)
==18805==The signal is caused by a READ memory access.
==18805==Hint: address points to the zero page.
    #0 0xd6875c in ff_cfhd_vert_filter_sse2 libavcodec/x86/cfhddsp.asm:383



30519/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6298424511168512
libavcodec/cfhddsp.c:36:41: runtime error: load of null pointer of type 'const 
int16_t' (aka 'const short')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
libavcodec/cfhddsp.c:36:41 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18874==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x0000005450d5 bp 0x7ffc0a6c6ee0 sp 0x7ffc0a6c6d60 T0)
==18874==The signal is caused by a READ memory access.
==18874==Hint: address points to the zero page.
    #0 0x5450d4 in filter libavcodec/cfhddsp.c:36:41
    #1 0x5450d4 in vert_filter libavcodec/cfhddsp.c:74
    #2 0x528cea in cfhd_decode libavcodec/cfhd.c:1167:13
    #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
    #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
    #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
    #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15



30739/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5011292836462592
==18879==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x7f2aa32a684e at pc 0x00000053ee8f bp 0x7ffca5380fe0 sp 0x7ffca5380fd8
WRITE of size 2 at 0x7f2aa32a684e thread T0
    #0 0x53ee8e in interlaced_vertical_filter libavcodec/cfhd.c:204:30
    #1 0x52c088 in cfhd_decode libavcodec/cfhd.c:1273:21
    #2 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
    #3 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
    #4 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
    #5 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15


    
32124/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5425980681355264
==18753==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x7f3a5006284e at pc 0x00000054c97e bp 0x7ffc0327a620 sp 0x7ffc0327a618
WRITE of size 2 at 0x7f3a5006284e thread T0
    #0 0x54c97d in filter libavcodec/cfhddsp.c:52:36
    #1 0x54c97d in horiz_filter_clip libavcodec/cfhddsp.c:97
    #2 0x52cbed in cfhd_decode libavcodec/cfhd.c:1239:21
    #3 0x57d746 in decode_simple_internal libavcodec/decode.c:327:15
    #4 0x557ec7 in decode_simple_receive_frame libavcodec/decode.c:526:15
    #5 0x557ec7 in decode_receive_frame_internal libavcodec/decode.c:546
    #6 0x5574ea in avcodec_send_packet libavcodec/decode.c:608:15


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.

signature.asc
Description: PGP signature

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 3/3] avcodec/cfhd: More strictly check tag order and multiplicity

Reply via email to