[FFmpeg-devel] [PATCH 2/3] avcodec/lagarith: Optimize case with singleton probability distribution

Michael Niedermayer michael at niedermayer.cc
Mon Dec 24 23:42:45 EET 2018

On Mon, Dec 24, 2018 at 04:40:11PM +0000, Derek Buitenhuis wrote:
> On 24/12/2018 00:14, Michael Niedermayer wrote:
> > Fixes: Timeout
> > Fixes: 10554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5739938067251200
> > 
> > Found-by: continuous fuzzing processhttps://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer<michael at niedermayer.cc>
> > ---
> >   libavcodec/lagarith.c    | 36 ++++++++++++++++++++++++++++++++++++
> >   libavcodec/lagarithrac.h |  1 +
> >   2 files changed, 37 insertions(+)
> This adds a load of completely uncommented and confusing code; it murders
> readability for... what? Making a 'timeout' in a specific fuzzer go away?

> Is there a real benefit or reason to pollute the code with this? Measurable and
> useful speedup?

Yes, ive documented that more verbosly now below
i tend to be a bit terse by default on these fixes so as not to explain too detailedly
on how to abuse/exploit the code

commit 0ca7a8deeffd33e05ae15a447259b32b6678c727 (HEAD -> master)
Author: Michael Niedermayer <michael at niedermayer.cc>
Date:   Mon Dec 24 01:14:50 2018 +0100

    avcodec/lagarith: Optimize case with singleton probability distribution
    Fixes: Timeout
    Fixes: 10554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5739938067251200
    In case of a Denial of Service attack, the attacker wants to maximize the load on the target
    per byte transmitted from the attacker.
    For such a DoS attack it is best for the attacker to setup the probabilities so that the
    arithmetic decoder does not advance in the bytestream that way the attacker only needs to
    transmit the initial bytes and header for an arbitrary large frame.
    This patch here optimizes this codepath and avoids executing the arithmetic decoder more than
    once. It thus reduces the load causes by this codepath on the target.
    We also could completely disallow this codepath but it appears such odd probability
    distributions are not invalid.
    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>


Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

No snowflake in an avalanche ever feels responsible. -- Voltaire
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20181224/5de87712/attachment.sig>

More information about the ffmpeg-devel mailing list