
Fuzzer fixes #37

Open: wants to merge 6 commits into master
Conversation

@pallas pallas commented May 10, 2020

See Issue #36.

pallas added 6 commits May 10, 2020 12:30
Since pps_buf[...] might be allocated here already, prevent a memory leak by
calling realloc instead of malloc.

The value is being overwritten instead of or'd, which appears to be the
intention.

We're allocating and then checking to see if there are enough arguments.
This causes valgrind to report a memory leak, even if it doesn't matter;
therefore, just fix.

This function was not always checking to see if buf[i+x] was inside the buffer
before reading the memory. Now it does.

In one error path, `b` and `rbsp_buf` were being leaked. It's worth noting
that this was fixed in read_nal_unit.

…set_table

There are a bunch of array writes that take their index from the bitstream
but do not check to make sure the index is in bounds. In many of these
cases, you'd expect the extra values to exist in the stream, so we still
must read them.

When fuzzing h256_analize with AFL++, these missing bounds checks frequently
cause segfaults & other issues.

Tied up in this, there is definitely a double free wrt sps_subset_table &
sps_subset, since the existing code was memcpy'ing pointers to arrays
between structures.  This code copies the contents of the arrays instead.
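The pattern the last commit message describes, as an added example in C that is not code from the project under review: a table whose entry count comes from the bitstream, where entries past the table's capacity are still consumed so the reader stays in sync with the stream but are never written past the array. The bit reader, the 4-bit-count/8-bit-entry syntax, MAX_ENTRIES and the sample bytes are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_ENTRIES 4  /* capacity of the fixed-size table (hypothetical value) */

/* Minimal MSB-first bit reader, constructed for this example. */
typedef struct { const uint8_t *buf; size_t len; size_t pos; } bitreader_t;

/* Read nbits (<= 16) as an unsigned value; -1 if the buffer is exhausted. */
static int read_bits(bitreader_t *br, int nbits) {
    int v = 0;
    for (int i = 0; i < nbits; i++) {
        if (br->pos >= br->len * 8) return -1;      /* stay inside the buffer */
        int bit = (br->buf[br->pos / 8] >> (7 - (br->pos % 8))) & 1;
        v = (v << 1) | bit;
        br->pos++;
    }
    return v;
}

/* Fixed-size table whose entries are filled from the stream. */
typedef struct { int count; int entry[MAX_ENTRIES]; } table_t;

/* Syntax (constructed): 4-bit count, then `count` 8-bit entries.
 * Entries with an index >= MAX_ENTRIES are still read so the stream position
 * stays correct, but they are discarded instead of written past the array.
 * Returns the number of entries stored, or -1 on truncated input. */
static int parse_table(bitreader_t *br, table_t *t) {
    int n = read_bits(br, 4);
    if (n < 0) return -1;
    int stored = 0;
    for (int i = 0; i < n; i++) {
        int v = read_bits(br, 8);
        if (v < 0) return -1;
        if (i < MAX_ENTRIES) {      /* the bounds check the commit adds */
            t->entry[i] = v;
            stored++;
        }
    }
    t->count = stored;
    return stored;
}

/* Constructed sample: count = 6, entries 0x11..0x66, then 4 pad bits. */
static const uint8_t SAMPLE[] = { 0x61, 0x12, 0x23, 0x34, 0x45, 0x56, 0x60 };
static table_t g_table;
static int parse_bytes(const uint8_t *b, size_t n, table_t *t) {
    bitreader_t br = { b, n, 0 };
    return parse_table(&br, t);
}
```

With the sample above, six entries are consumed but only four are stored; passing a truncated buffer makes the parse fail cleanly instead of reading past it.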