On Mon, Dec 24, 2018 at 04:40:11PM +0000, Derek Buitenhuis wrote:
> On 24/12/2018 00:14, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 10554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5739938067251200
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> > ---
> >  libavcodec/lagarith.c    | 36 ++++++++++++++++++++++++++++++++++++
> >  libavcodec/lagarithrac.h |  1 +
> >  2 files changed, 37 insertions(+)
>
> This adds a load of completely uncommented and confusing code; it murders
> readability for... what? Making a 'timeout' in a specific fuzzer go away?
>
> Is there a real benefit or reason to pollute the code with this? Measurable and
> useful speedup?

Yes, I've documented that more verbosely now below. I tend to be a bit terse by default on these fixes so as not to explain in too much detail how to abuse/exploit the code.

commit 0ca7a8deeffd33e05ae15a447259b32b6678c727 (HEAD -> master)
Author: Michael Niedermayer <mich...@niedermayer.cc>
Date:   Mon Dec 24 01:14:50 2018 +0100

    avcodec/lagarith: Optimize case with singleton probability distribution

    Fixes: Timeout
    Fixes: 10554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5739938067251200

    In case of a Denial of Service attack, the attacker wants to maximize the
    load on the target per byte transmitted from the attacker.
    For such a DoS attack it is best for the attacker to set up the probabilities
    so that the arithmetic decoder does not advance in the bytestream; that way
    the attacker only needs to transmit the initial bytes and header for an
    arbitrarily large frame.
    This patch here optimizes this codepath and avoids executing the arithmetic
    decoder more than once. It thus reduces the load caused by this codepath on
    the target.
    We also could completely disallow this codepath, but it appears such odd
    probability distributions are not invalid.

    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire
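The effect described in the commit message, as an added example that is not part of the thread or of FFmpeg's lagarith code: a toy range decoder is given a singleton probability table (one symbol owns the whole range), so it emits symbols without ever renormalising, i.e. without consuming input, and the naive path costs one decoder run per output symbol while the patch's idea detects the singleton once and fills the plane directly. The decoder, table layout, `toy_rac`/`singleton_demo` names and the 4-byte input are all constructed for this illustration and do not mirror lagarithrac.h.

```c
#include <stdint.h>
#include <string.h>
/* Toy range decoder constructed for this example; it is not FFmpeg's lagarithrac. */
typedef struct {
    const uint8_t *buf; size_t len, pos;   /* pos: bytes consumed so far */
    uint32_t low, range;
    unsigned decode_calls;                  /* work counter: decoder invocations */
} toy_rac;
static uint8_t rac_byte(toy_rac *r) { return r->pos < r->len ? r->buf[r->pos++] : 0; }
static void rac_init(toy_rac *r, const uint8_t *buf, size_t len) {
    memset(r, 0, sizeof(*r));
    r->buf = buf; r->len = len; r->range = 0xFFFFFFFFu;
    for (int i = 0; i < 4; i++) r->low = (r->low << 8) | rac_byte(r);
}
/* Decode one symbol; cum[0..nsym] are cumulative frequencies with cum[nsym] == 256. */
static int rac_decode(toy_rac *r, const uint16_t *cum, int nsym) {
    uint32_t step = r->range >> 8, v = r->low / step;
    int s = 0; while (s + 1 < nsym && cum[s + 1] <= v) s++;
    r->low -= cum[s] * step;
    r->range = (cum[s + 1] - cum[s]) * step;
    r->decode_calls++;
    while (r->range < (1u << 24))          /* renormalise: the only place input is consumed */
        { r->low = (r->low << 8) | rac_byte(r); r->range <<= 8; }
    return s;
}
/* A singleton table gives one symbol the whole range, so the decoder can only ever
   emit that symbol and never renormalises. Returns that symbol, or -1 if none. */
static int singleton_symbol(const uint16_t *cum, int nsym) {
    for (int s = 0; s < nsym; s++) if (cum[s + 1] - cum[s] == 256) return s;
    return -1;
}
typedef struct { unsigned naive_calls, fast_calls; size_t naive_in, fast_in; int same; } demo_result;
/* Constructed case: 4 header bytes, a singleton table and n requested output symbols. */
static demo_result singleton_demo(size_t n) {
    static const uint8_t in[4] = {0x12, 0x34, 0x56, 0x78};
    static const uint16_t cum[2] = {0, 256};     /* symbol 0 has probability 256/256 */
    static uint8_t a[1 << 16], b[1 << 16];
    demo_result res = {0, 0, 0, 0, 0}; toy_rac r;
    if (n > sizeof(a)) n = sizeof(a);
    rac_init(&r, in, sizeof in);               /* naive path: one decoder run per symbol */
    for (size_t i = 0; i < n; i++) a[i] = (uint8_t)rac_decode(&r, cum, 1);
    res.naive_calls = r.decode_calls; res.naive_in = r.pos;
    rac_init(&r, in, sizeof in);               /* fast path (the patch's idea): fill directly */
    int s = singleton_symbol(cum, 1); if (s >= 0) memset(b, s, n);
    else for (size_t i = 0; i < n; i++) b[i] = (uint8_t)rac_decode(&r, cum, 1);
    res.fast_calls = r.decode_calls; res.fast_in = r.pos; res.same = memcmp(a, b, n) == 0;
    return res;
}
```

Both paths consume only the 4 initial bytes whatever n is; the difference is that the naive path runs the decoder n times while the singleton path runs it zero times for the same output.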
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel