On Mon, Nov 29, 2021 at 04:00:27PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array access
> > Fixes: Timeout
> > Fixes: 40481/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6502647583080448
> > 
> > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> > ---
> >  libavcodec/vqavideo.c | 15 ++++++++++-----
> >  1 file changed, 10 insertions(+), 5 deletions(-)
> > 
> > diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
> > index 5466e25cdf1..755abf6bafa 100644
> > --- a/libavcodec/vqavideo.c
> > +++ b/libavcodec/vqavideo.c
> > @@ -633,7 +633,7 @@ static int vqa_decode_frame_hicolor(VqaContext *s, 
> > AVFrame *frame)
> >      int vptr_chunk = -1;
> >      int vprz_chunk = -1;
> >  
> > -    const unsigned char *stream;
> > +    GetByteContext gb_stream;
> >  
> >      while (bytestream2_get_bytes_left(&s->gb) >= 8) {
> >          chunk_type = bytestream2_get_be32u(&s->gb);
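Review bot: A one-line comment at the new `GetByteContext gb_stream;` declaration would help, since the function now carries two readers: `s->gb` walks the input packet and `gb_stream` walks `s->decode_buffer` (the RLE data produced earlier in this function). Without it a reader has to reach the `bytestream2_init` call further down to find out which buffer `gb_stream` is bounded against. Something like `GetByteContext gb_stream; /* bounded reader over decode_buffer */` is enough.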
> > @@ -722,7 +722,7 @@ static int vqa_decode_frame_hicolor(VqaContext *s, 
> > AVFrame *frame)
> >  
> >      /* now uncompress the per-row RLE of the decode buffer and draw the 
> > blocks in framebuffer */
> >  
> > -    stream = (unsigned char*)s->decode_buffer;
> > +    bytestream2_init(&gb_stream, s->decode_buffer, s->decode_buffer_size);
> >  
> >      for (int y_pos = 0; y_pos < s->height; y_pos += s->vector_height) {
> >          int x_pos = 0;
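Review bot: Please confirm that `s->decode_buffer_size` in `bytestream2_init(&gb_stream, s->decode_buffer, s->decode_buffer_size)` is the number of bytes actually written into `decode_buffer` for this frame and not the size of the allocation. If it is the allocation size, the new reader prevents the out-of-array access but still lets the per-row RLE loop consume stale bytes left over from a previous frame as codes, so the visible limit is reached later than it should be. If only the allocation size is tracked, bounding against the count returned by the decompression step (or a field that records it) would close that gap.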
> > @@ -730,9 +730,14 @@ static int vqa_decode_frame_hicolor(VqaContext *s, 
> > AVFrame *frame)
> >          while (x_pos < s->width) {
> >              int vector_index = 0;
> >              int count = 0;
> > -            uint16_t code = bytestream_get_le16(&stream);
> > +            uint16_t code;
> >              int type;
> >  
> > +            if (bytestream2_get_bytes_left(&gb_stream) < 1)
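Review bot: The check `bytestream2_get_bytes_left(&gb_stream) < 1` is off by one: the read it guards replaces `bytestream_get_le16(&stream)`, a 16-bit read, so it needs `< 2`. With `< 1`, a buffer that ends on a single trailing byte passes the check and the bounds-checked getter hands back a truncated value instead of the loop stopping. The hunk is cut off here, so the action taken when the check fires is not visible; whatever it is (`break` or an error return), it should leave the loop rather than let `x_pos` keep advancing on a zero `code`.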
> 
> Why are you only checking for one byte to be present although you read
> two bytes immediately afterwards?

because I apparently cannot count to 2
I will fix that before applying
thx


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

it is not once nor twice but times without number that the same ideas make
their appearance in the world. -- Aristotle


_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
