[FFmpeg-devel] [PATCH] avcodec/agm: Check that there is available input in read_code() before reading it

Michael Niedermayer michael at niedermayer.cc
Wed Apr 3 03:13:16 EEST 2019


On Tue, Apr 02, 2019 at 09:19:26PM +0200, Paul B Mahol wrote:
> On 4/2/19, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > Fixes: out of array access
> > Fixes:
> > 13997/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5701427252428800
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/agm.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavcodec/agm.c b/libavcodec/agm.c
> > index b0e8b80f81..8e4d6eb342 100644
> > --- a/libavcodec/agm.c
> > +++ b/libavcodec/agm.c
> > @@ -88,6 +88,9 @@ static int read_code(GetBitContext *gb, int *oskip, int
> > *level, int *map, int mo
> >  {
> >      int len = 0, skip = 0, max;
> >
> > +    if (get_bits_left(gb) < 2)
> > +        return AVERROR_INVALIDDATA;
> > +
> >      if (show_bits(gb, 2)) {
> >          switch (show_bits(gb, 4)) {
> >          case 1:
> > --
> > 2.21.0
> >
> 
> What? show_bits() can overread?
> That is bug.

ill send a better patch

thanks for reviewing

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Observe your enemies, for they first find out your faults. -- Antisthenes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190403/c22a014a/attachment.sig>


More information about the ffmpeg-devel mailing list