Hi

2 alternative patchsets are attached to fix $SUBJ

The 2 alternatives should behave similarly.

The first adds a function to check if the next range coder symbol read would
trigger the end of input case.
We then error out before reading in case the read would trigger this case.

The second sets a flag if the end of input case is triggered and subsequently
errors out.

The second case should be slower as it requires additional checks in inner
loops, but I was asked to implement this with a flag, so I implemented both
ways.

Which version, if any, should I apply?

Thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I do not agree with what you have to say, but I'll defend to the death your
right to say it. -- Voltaire
From 9ce6dc735dd44c31d9210b1ff5f595a9cb46638c Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Sat, 11 Aug 2018 22:28:31 +0200
Subject: [PATCH 1/2] avcodec/vp56: Add vpX_rac_is_end() to check for the end
 of input

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/vp56.h | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h
index b8dda9e73a..70e1d38a83 100644
--- a/libavcodec/vp56.h
+++ b/libavcodec/vp56.h
@@ -227,6 +227,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 extern const uint8_t ff_vp56_norm_shift[256];
 int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size);
 
+/**
+ * vp5689 returns 1 if the end of the stream has been reached, 0 otherwise.
+ */
+static av_always_inline int vpX_rac_is_end(VP56RangeCoder *c)
+{
+    return c->end <= c->buffer && c->bits >= 0;
+}
+
 static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c)
 {
     int shift = ff_vp56_norm_shift[c->high];
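Review bot: the doc comment on vpX_rac_is_end() names "vp5689" instead of the function; suggest `* Returns 1 if the end of the stream has been reached, 0 otherwise.` and, since the condition is `c->end <= c->buffer && c->bits >= 0`, spelling out that this is a lookahead: it returns 1 exactly when the next vp56_rac_renorm() would need to refill from an already exhausted buffer, before any symbol has been misread. Documenting that makes clear to callers that the check belongs before the read, not after it.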
-- 
2.19.1

From 868608bd9d0b72944bd3448adb03366949541b5b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Sat, 4 Aug 2018 22:21:02 +0200
Subject: [PATCH 2/2] avcodec/vp9: Check in decode_tiles() if there is data
 remaining

Fixes: Timeout
Fixes: 9330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5707345857347584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/vp9.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index b1178c9c0c..acf3ffc9e7 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -1306,6 +1306,9 @@ static int decode_tiles(AVCodecContext *avctx,
                         decode_sb_mem(td, row, col, lflvl_ptr,
                                       yoff2, uvoff2, BL_64X64);
                     } else {
+                        if (vpX_rac_is_end(td->c)) {
+                            return AVERROR_INVALIDDATA;
+                        }
                         decode_sb(td, row, col, lflvl_ptr,
                                   yoff2, uvoff2, BL_64X64);
                     }
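Review bot: the early-out is added only in the else branch before decode_sb(), while the decode_sb_mem() path directly above is left unchecked; if that is intentional (for example because that path does not consume range coder symbols), a one-line comment would save the next reader the question, otherwise the same `if (vpX_rac_is_end(td->c)) return AVERROR_INVALIDDATA;` is needed there too. Returning from the middle of the tile loop is fine for the timeout as long as the caller releases whatever decode_tiles() holds at that point, which is outside the visible lines.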
-- 
2.19.1

From 39f3aa2218b7019ef13d990ee70a61dffa71fd13 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Sat, 11 Aug 2018 22:32:06 +0200
Subject: [PATCH 1/2] avcodec/vp56: Add is_end flag

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/vp56.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h
index b8dda9e73a..25da1c75cb 100644
--- a/libavcodec/vp56.h
+++ b/libavcodec/vp56.h
@@ -89,6 +89,7 @@ typedef struct VP56RangeCoder {
     const uint8_t *buffer;
     const uint8_t *end;
     unsigned int code_word;
+    int is_end;
 } VP56RangeCoder;
 
 typedef struct VP56RefDc {
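Review bot: nothing in this patch resets the new `is_end` field; unless ff_vp56_init_range_decoder() zeroes the whole struct, a flag set by a truncated frame persists into the next frame decoded with the same VP56RangeCoder and makes it fail spuriously. Suggest an explicit `c->is_end = 0;` in ff_vp56_init_range_decoder() alongside the other field initialisation.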
@@ -236,9 +237,12 @@ static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c)
     c->high   <<= shift;
     code_word <<= shift;
     bits       += shift;
-    if(bits >= 0 && c->buffer < c->end) {
-        code_word |= bytestream_get_be16(&c->buffer) << bits;
-        bits -= 16;
+    if(bits >= 0) {
+        if (c->buffer < c->end) {
+            code_word |= bytestream_get_be16(&c->buffer) << bits;
+            bits -= 16;
+        } else
+            c->is_end = 1;
     }
     c->bits = bits;
     return code_word;
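Review bot: the restructured refill mixes a braced `if (c->buffer < c->end) {` with an unbraced `} else` / `c->is_end = 1;`; brace both arms for consistency with the surrounding code. Functionally, once the buffer is exhausted `bits` is never decremented again, so every later vp56_rac_renorm() call re-enters the else arm and re-sets the flag: harmless, but it is the per-symbol inner-loop cost the cover letter mentions, and until the caller polls `is_end` the decoder keeps consuming a code word that is no longer refilled.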
-- 
2.19.1

From 72aa2377c7b401f1a0c2866bc1471f4c98310415 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <mich...@niedermayer.cc>
Date: Sat, 4 Aug 2018 22:21:02 +0200
Subject: [PATCH 2/2] avcodec/vp9: Check in decode_tiles() if there is data
 remaining

Fixes: Timeout
Fixes: 9330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-5707345857347584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/vp9.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index b1178c9c0c..dd5c8098c8 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -1308,6 +1308,9 @@ static int decode_tiles(AVCodecContext *avctx,
                     } else {
                         decode_sb(td, row, col, lflvl_ptr,
                                   yoff2, uvoff2, BL_64X64);
+                        if (td->c->is_end) {
+                            return AVERROR_INVALIDDATA;
+                        }
                     }
                 }
             }
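Review bot: unlike the vpX_rac_is_end() variant, this check runs after decode_sb(), so one full 64x64 superblock is still decoded from an already exhausted range coder before AVERROR_INVALIDDATA is returned; that still bounds the loop and so fixes the timeout, but it means the two patchsets do not error out at the same point, which contradicts the cover letter's "should behave similar" and is worth noting in the commit message. Moving the test above the decode_sb() call would make the two alternatives equivalent.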
-- 
2.19.1
