[FFmpeg-devel] [PATCHv4] VP4 video decoder

Peter Ross pross at xvid.org
Thu May 23 14:55:32 EEST 2019


On Tue, May 21, 2019 at 08:38:02PM +0200, Reimar Döffinger wrote:
> On Tue, May 21, 2019 at 11:15:03AM -0300, James Almer wrote:
> > > I have a feeling this loop should have a stop condition like v <
> > > SOME_LARGE_VALUE, say INT_MAX-255 or yuv_macroblock_count, to reject
> > > corrupt/malicious files and not cause undefined behavior
> >
> > Using get_bits_left(gb) would be better than an arbitrary large value.
> 
> It seems the original comment wasn't preserved, but get_bits_left
> is fairly pointless because the 0-padding will cause loop exit
> anyway.
> Also get_bits_left wouldn't address the point that a 2GB input frame
> of all-1s from the right position would here end up reading 2GB
> 9 bits at a time.
> Overflow by my calculations would only happen after > 500 GB,
> so not sure that's a worry.
> But depending on the contexts in which this function is used,
> there might be obvious limits for v, in which case an early
> exit would make sense (even when not, runs > 250 bytes can
> likely safely assumed broken).

x/y macroblock counts are limited 8-bit, so yuv_macroblock_count never
exceeds (255 * 255 * 3/2 = 97537). i this kind of check will suffice
and speed up fuzzing tests.

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190523/2468933d/attachment.sig>


More information about the ffmpeg-devel mailing list