On Sun, Oct 22, 2023 at 03:34:20PM +0100, Mark Thompson wrote: > On 22/10/2023 01:35, Michael Niedermayer wrote: > > Fixes: Assertion length < 256 failed at libavcodec/cbs.c:517 > > Fixes: > > 62673/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6490971837431808 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <[email protected]> > > --- > > libavcodec/cbs.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c > > index cdd7adebebd..2f5d0334a2a 100644 > > --- a/libavcodec/cbs.c > > +++ b/libavcodec/cbs.c > > @@ -514,6 +514,11 @@ void ff_cbs_trace_read_log(void *trace_context, > > position = get_bits_count(gbc); > > + if (length >= 256) { > > + av_log(ctx->log_ctx, ctx->trace_level, "trace of %d bits truncated > > at 255\n", length); > > + length = 255; > > + } > > + > > av_assert0(length < 256); > > for (i = 0; i < length; i++) > > bits[i] = get_bits1(gbc) ? '1' : '0'; > > IMO the assert is sensible (no syntax element is that large) and so this must > be catching a bug somewhere else. Please don't nullify the assert to hide > the bug. > > Can you share the input stream which hit this case?
will mail it to you
the backtrce is this:
#7 0x505748 in ff_cbs_trace_read_log ffmpeg/libavcodec/cbs.c:517:5
#8 0x5273f1 in cbs_av1_read_uvlc ffmpeg/libavcodec/cbs_av1.c:67:5
#9 0x5273f1 in cbs_av1_read_timing_info
ffmpeg/libavcodec/cbs_av1_syntax_template.c:168
#10 0x5273f1 in cbs_av1_read_sequence_header_obu
ffmpeg/libavcodec/cbs_av1_syntax_template.c:214
#11 0x51278a in cbs_av1_read_unit ffmpeg/libavcodec/cbs_av1.c:856:19
#12 0x4ff30a in cbs_read_fragment_content ffmpeg/libavcodec/cbs.c:209:15
#13 0x4ff30a in cbs_read_data ffmpeg/libavcodec/cbs.c:276
#14 0x4edc32 in trace_headers ffmpeg/libavcodec/trace_headers_bsf.c:113:11
#15 0x4c9898 in LLVMFuzzerTestOneInput
ffmpeg/tools/target_bsf_fuzzer.c:154:16
#16 0x136900d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*,
unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
#17 0x135dbe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned
long) Fuzzer/build/../FuzzerDriver.cpp:273:6
#18 0x1362de1 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
#19 0x135d8c0 in main Fuzzer/build/../FuzzerMain.cpp:20:10
#20 0x7f456b8b8c86 in __libc_start_main
/build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#21 0x41f179 in _start
(ffmpeg/tools/target_bsf_trace_headers_fuzzer+0x41f179)
[...]
thx
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Whats the most studid thing your enemy could do ? Blow himself up
Whats the most studid thing you could do ? Give up your rights and
freedom because your enemy blew himself up.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
