On Tue, Feb 04, 2020 at 06:34:47PM +0100, Michael Niedermayer wrote: > On Tue, Feb 04, 2020 at 11:10:00AM +0000, Andreas Rheinhardt wrote: > > Michael Niedermayer: > > > Fixes: Timeout > > > Fixes: out of array access > > > Fixes: > > > 20274/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5649631988154368 > > > Fixes: > > > 19275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLAC_fuzzer-5757535722405888 > > > > > > Found-by: continuous fuzzing process > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > > --- > > > libavcodec/flac_parser.c | 12 ++++++++---- > > > 1 file changed, 8 insertions(+), 4 deletions(-) > > > > > > diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c > > > index 9ffa288548..3424583c49 100644 > > > --- a/libavcodec/flac_parser.c > > > +++ b/libavcodec/flac_parser.c > > > @@ -208,16 +208,20 @@ static int find_headers_search(FLACParseContext > > > *fpc, uint8_t *buf, > > > uint32_t x; > > > > > > for (i = 0; i < mod_offset; i++) { > > > - if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) > > > - size = find_headers_search_validate(fpc, search_start + i); > > > + if ((AV_RB16(buf + i) & 0xFFFE) == 0xFFF8) { > > > + int ret = find_headers_search_validate(fpc, search_start + > > > i); > > > + size = FFMAX(size, ret); > > > + } > > > } > > > > > > for (; i < buf_size - 1; i += 4) { > > > x = AV_RN32(buf + i); > > > if (((x & ~(x + 0x01010101)) & 0x80808080)) { > > > for (j = 0; j < 4; j++) { > > > - if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) > > > - size = find_headers_search_validate(fpc, > > > search_start + i + j); > > > + if ((AV_RB16(buf + i + j) & 0xFFFE) == 0xFFF8) { > > > + int ret = find_headers_search_validate(fpc, > > > search_start + i + j); > > > + size = FFMAX(size, ret); > > > + } > > > } > > > } > > > } > > > > > 1. Actually, find_headers_search_validate() can return an error and > > these FFMAX (as well as the FFMAX already present in > > find_new_headers()) will make sure that they are overwritten. > > yes > > > > 2. The linked list of buffered headers is currently traversed pretty > > often: E.g. if it seems that no new headers have been found in a call > > to find_new_headers(), the linked list will be traversed again in > > order to count the number of buffered headers. Maybe one should > > instead directly increment fpc->nb_headers_buffered after a new header > > has been added to the list in find_headers_search_validate() and only > > use the return value of find_headers_search_validate(), > > find_headers_search(), find_new_headers() to forward the allocation > > failure errors? (If one stores a pointer to the end of the linked > > list, one can also remove the while-loop in > > find_headers_search_validate(); don't know if this helps with the > > timeout.) > > These are good ideas. The problem iam facing a bit here is that i > need to (or rather i want to) fix this in the releases too, so one > goal is to keep the change simple as that makes it more likely to > backport without too much issues. > We can clean up the code afterwards and in fact there is probably > more that can be cleaned up then what you mention (just by gut feeling > from this code)
any objections ? if not i will push this in a few days thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If you fake or manipulate statistics in a paper in physics you will never get a job again. If you fake or manipulate statistics in a paper in medicin you will get a job for life at the pharma industry.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
