[FFmpeg-devel] [PATCH 2/3] avcodec/lagarith: Optimize case with singleton probability distribution
michael at niedermayer.cc
Mon Dec 24 23:42:45 EET 2018
On Mon, Dec 24, 2018 at 04:40:11PM +0000, Derek Buitenhuis wrote:
> On 24/12/2018 00:14, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 10554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5739938067251200
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/lagarith.c | 36 ++++++++++++++++++++++++++++++++++++
> > libavcodec/lagarithrac.h | 1 +
> > 2 files changed, 37 insertions(+)
> This adds a load of completely uncommented and confusing code; it murders
> readability for... what? Making a 'timeout' in a specific fuzzer go away?
> Is there a real benefit or reason to pollute the code with this? Measurable and
> useful speedup?
Yes, I've documented that more verbosely now below.
I tend to be a bit terse by default on these fixes so as not to explain in too much detail
how to abuse/exploit the code.
commit 0ca7a8deeffd33e05ae15a447259b32b6678c727 (HEAD -> master)
Author: Michael Niedermayer <michael at niedermayer.cc>
Date: Mon Dec 24 01:14:50 2018 +0100
avcodec/lagarith: Optimize case with singleton probability distribution
In case of a Denial of Service attack, the attacker wants to maximize the load on the target
per byte transmitted from the attacker.
For such a DoS attack it is best for the attacker to set up the probabilities so that the
arithmetic decoder does not advance in the bytestream; that way the attacker only needs to
transmit the initial bytes and header for an arbitrarily large frame.
This patch here optimizes this codepath and avoids executing the arithmetic decoder more than
once. It thus reduces the load caused by this codepath on the target.
We also could completely disallow this codepath, but it appears such odd probability
distributions are not invalid.
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
No snowflake in an avalanche ever feels responsible. -- Voltaire
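The amplification the commit message describes, shown on a constructed model rather than on lagarith itself (this is an added example, not FFmpeg's code or the patch's code): a simplified range decoder over 256 symbols only consumes input during renormalization, so a cumulative table that gives one symbol all of the probability mass (`cum[k+1] - cum[k] == TOTAL`, with `TOTAL`, `NSYM`, `ToyRac`, `decode_plane` and `run` all names assumed here) keeps `range` fixed and never advances in the bytestream, whatever the frame size. The `run` helper reports decoder steps and bytes consumed so the per-byte cost can be measured, and the `shortcut` flag applies the mitigation's idea of running the decoder once and filling the rest of the plane.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not lagarith's rac: a simplified range decoder over 256
 * symbols with a cumulative frequency table summing to TOTAL. */
#define NSYM  256
#define TOTAL 256u

typedef struct {
    const uint8_t *buf, *end;
    uint32_t range, code;
    size_t bytes_consumed;   /* input bytes actually pulled from the buffer */
    size_t steps;            /* how often the decoder core executed */
} ToyRac;

typedef struct { int ok; size_t steps, bytes; } RunStats;

static uint8_t next_byte(ToyRac *r)
{
    if (r->buf < r->end) { r->bytes_consumed++; return *r->buf++; }
    return 0;   /* past the end: a lenient decoder just keeps going on zeros */
}

static void rac_init(ToyRac *r, const uint8_t *data, size_t len)
{
    memset(r, 0, sizeof *r);
    r->buf = data; r->end = data + len; r->range = 0xFFFFFFFFu;
    for (int i = 0; i < 4; i++)
        r->code = (r->code << 8) | next_byte(r);
}

/* cum[s]..cum[s+1] is symbol s's interval; cum[NSYM] == TOTAL. */
static int rac_decode(ToyRac *r, const uint32_t *cum)
{
    uint32_t unit = r->range / TOTAL, target = r->code / unit;
    int s = 0;
    r->steps++;
    if (target >= TOTAL) target = TOTAL - 1;
    while (cum[s + 1] <= target) s++;
    r->code -= cum[s] * unit;
    r->range = (cum[s + 1] - cum[s]) * unit;
    /* Renormalization is the only place input is consumed. With a singleton
     * table range stays at TOTAL*unit and never drops below 2^24, so the
     * decoder never advances in the bytestream however many symbols are
     * requested. */
    while (r->range < (1u << 24)) {
        r->code = (r->code << 8) | next_byte(r);
        r->range <<= 8;
    }
    return s;
}

/* Index of the one symbol holding all the probability mass, or -1. */
static int singleton_symbol(const uint32_t *cum)
{
    for (int s = 0; s < NSYM; s++)
        if (cum[s + 1] - cum[s] == TOTAL) return s;
    return -1;
}

/* Decode n symbols. With shortcut set, a singleton table runs the decoder once
 * and fills the rest, which is the intent the commit message describes. */
static void decode_plane(ToyRac *r, const uint32_t *cum, uint8_t *out,
                         size_t n, int shortcut)
{
    if (n == 0) return;
    if (shortcut && singleton_symbol(cum) >= 0) {
        out[0] = (uint8_t)rac_decode(r, cum);
        memset(out + 1, out[0], n - 1);
        return;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)rac_decode(r, cum);
}

/* Decode n symbols from 64 constructed payload bytes. uniform == 0 builds a
 * singleton table on symbol k, otherwise a flat table. ok reports that every
 * output symbol equals k (meaningful for the singleton case only). */
RunStats run(int k, size_t n, int uniform, int shortcut)
{
    uint32_t cum[NSYM + 1];
    uint8_t data[64], *out = malloc(n ? n : 1);
    RunStats st = { 1, 0, 0 };
    ToyRac r;
    if (!out) { st.ok = 0; return st; }
    for (int s = 0; s <= NSYM; s++)
        cum[s] = uniform ? (uint32_t)s : (s > k ? TOTAL : 0);
    for (size_t i = 0; i < sizeof data; i++)
        data[i] = (uint8_t)(i * 37 + 11);   /* constructed, arbitrary payload */
    rac_init(&r, data, sizeof data);
    decode_plane(&r, cum, out, n, shortcut);
    for (size_t i = 0; i < n && st.ok; i++)
        st.ok = out[i] == (uint8_t)k;
    st.steps = r.steps; st.bytes = r.bytes_consumed;
    free(out);
    return st;
}

int main(void)
{
    RunStats a = run(7, 1u << 20, 0, 0);   /* singleton, decoder run per symbol */
    RunStats b = run(7, 1u << 20, 0, 1);   /* singleton, run once and fill */
    RunStats c = run(7, 16, 1, 0);         /* uniform: one byte per symbol */
    printf("singleton, plain:    %zu steps from %zu bytes\n", a.steps, a.bytes);
    printf("singleton, shortcut: %zu steps from %zu bytes\n", b.steps, b.bytes);
    printf("uniform:             %zu steps from %zu bytes\n", c.steps, c.bytes);
    return 0;
}
```

On the singleton table the plain path executes the decoder core a million times while consuming only the 4 header bytes, which is the load-per-byte ratio the commit message is about; the shortcut produces the identical plane in a single decoder step, and the uniform table shows the normal regime where each symbol costs the attacker a byte of transmission.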