Message ID | 20190609204319.3004-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 0334632d5c02720f1829d59cd20c009584b5b163 |
Michael Niedermayer: > Fixes: Assertion failure > Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616 > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/aviobuf.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c > index 5a33f82950..6a5cd97b0a 100644 > --- a/libavformat/aviobuf.c > +++ b/libavformat/aviobuf.c > @@ -570,7 +570,7 @@ static void fill_buffer(AVIOContext *s) > } > > /* make buffer smaller in case it ended up large after probing */ > - if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size) { > + if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size && len >= s->orig_buffer_size) { > if (dst == s->buffer && s->buf_ptr != dst) { > int ret = ffio_set_buf_size(s, s->orig_buffer_size); > if (ret < 0) > @@ -578,7 +578,6 @@ static void fill_buffer(AVIOContext *s) > > s->checksum_ptr = dst = s->buffer; > } > - av_assert0(len >= s->orig_buffer_size); > len = s->orig_buffer_size; > } > > I just noticed that ticket #7094 is about this assert. Could you test whether everything works fine with your fix applied (and then mention said this ticket in the commit message)? - Andreas
On Mon, Jun 17, 2019 at 11:12:00PM +0000, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: Assertion failure > > Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616 > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/aviobuf.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c > > index 5a33f82950..6a5cd97b0a 100644 > > --- a/libavformat/aviobuf.c > > +++ b/libavformat/aviobuf.c > > @@ -570,7 +570,7 @@ static void fill_buffer(AVIOContext *s) > > } > > > > /* make buffer smaller in case it ended up large after probing */ > > - if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size) { > > + if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size && len >= s->orig_buffer_size) { > > if (dst == s->buffer && s->buf_ptr != dst) { > > int ret = ffio_set_buf_size(s, s->orig_buffer_size); > > if (ret < 0) > > @@ -578,7 +578,6 @@ static void fill_buffer(AVIOContext *s) > > > > s->checksum_ptr = dst = s->buffer; > > } > > - av_assert0(len >= s->orig_buffer_size); > > len = s->orig_buffer_size; > > } > > > > > I just noticed that ticket #7094 is about this assert. Could you test > whether everything works fine with your fix applied (and then mention > said this ticket in the commit message)? The ticket does not contain a full testcase, just a code snippet, and the person reporting the issue has not yet replied I suggest we apply this fix with a "May fix Ticket7094" [...]
Michael Niedermayer: > On Mon, Jun 17, 2019 at 11:12:00PM +0000, Andreas Rheinhardt wrote: >> Michael Niedermayer: >>> Fixes: Assertion failure >>> Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616 >>> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> >>> --- >>> libavformat/aviobuf.c | 3 +-- >>> 1 file changed, 1 insertion(+), 2 deletions(-) >>> >>> diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c >>> index 5a33f82950..6a5cd97b0a 100644 >>> --- a/libavformat/aviobuf.c >>> +++ b/libavformat/aviobuf.c >>> @@ -570,7 +570,7 @@ static void fill_buffer(AVIOContext *s) >>> } >>> >>> /* make buffer smaller in case it ended up large after probing */ >>> - if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size) { >>> + if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size && len >= s->orig_buffer_size) { >>> if (dst == s->buffer && s->buf_ptr != dst) { >>> int ret = ffio_set_buf_size(s, s->orig_buffer_size); >>> if (ret < 0) >>> @@ -578,7 +578,6 @@ static void fill_buffer(AVIOContext *s) >>> >>> s->checksum_ptr = dst = s->buffer; >>> } >>> - av_assert0(len >= s->orig_buffer_size); >>> len = s->orig_buffer_size; >>> } >>> >>> >> I just noticed that ticket #7094 is about this assert. Could you test >> whether everything works fine with your fix applied (and then mention >> said this ticket in the commit message)? > > The ticket does not contain a full testcase, just a code snippet, > and the person reporting the issue has not yet replied > I suggest we apply this fix with a "May fix Ticket7094" > > Agreed. - Andreas
On Sun, Jun 30, 2019 at 01:07:00PM +0000, Andreas Rheinhardt wrote: > Michael Niedermayer: > > On Mon, Jun 17, 2019 at 11:12:00PM +0000, Andreas Rheinhardt wrote: > >> Michael Niedermayer: > >>> Fixes: Assertion failure > >>> Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616 > >>> > >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > >>> --- > >>> libavformat/aviobuf.c | 3 +-- > >>> 1 file changed, 1 insertion(+), 2 deletions(-) > >>> > >>> diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c > >>> index 5a33f82950..6a5cd97b0a 100644 > >>> --- a/libavformat/aviobuf.c > >>> +++ b/libavformat/aviobuf.c > >>> @@ -570,7 +570,7 @@ static void fill_buffer(AVIOContext *s) > >>> } > >>> > >>> /* make buffer smaller in case it ended up large after probing */ > >>> - if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size) { > >>> + if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size && len >= s->orig_buffer_size) { > >>> if (dst == s->buffer && s->buf_ptr != dst) { > >>> int ret = ffio_set_buf_size(s, s->orig_buffer_size); > >>> if (ret < 0) > >>> @@ -578,7 +578,6 @@ static void fill_buffer(AVIOContext *s) > >>> > >>> s->checksum_ptr = dst = s->buffer; > >>> } > >>> - av_assert0(len >= s->orig_buffer_size); > >>> len = s->orig_buffer_size; > >>> } > >>> > >>> > >> I just noticed that ticket #7094 is about this assert. Could you test > >> whether everything works fine with your fix applied (and then mention > >> said this ticket in the commit message)? > > > > The ticket does not contain a full testcase, just a code snippet, > > and the person reporting the issue has not yet replied > > I suggest we apply this fix with a "May fix Ticket7094" > > > > > Agreed. will apply thanks [...]
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 5a33f82950..6a5cd97b0a 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -570,7 +570,7 @@ static void fill_buffer(AVIOContext *s) } /* make buffer smaller in case it ended up large after probing */ - if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size) { + if (s->read_packet && s->orig_buffer_size && s->buffer_size > s->orig_buffer_size && len >= s->orig_buffer_size) { if (dst == s->buffer && s->buf_ptr != dst) { int ret = ffio_set_buf_size(s, s->orig_buffer_size); if (ret < 0) @@ -578,7 +578,6 @@ static void fill_buffer(AVIOContext *s) s->checksum_ptr = dst = s->buffer; } - av_assert0(len >= s->orig_buffer_size); len = s->orig_buffer_size; }
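Review bot: the `len >= s->orig_buffer_size` term added to the `if` in the first hunk (`@@ -570,7 +570,7 @@`) resolves the assertion by skipping the shrink, but neither the unchanged comment `/* make buffer smaller in case it ended up large after probing */` nor the commit message says when `len` can fall below `s->orig_buffer_size`; since the inner branch already distinguishes `dst == s->buffer` from other positions, the short case is presumably a `dst` that does not sit at the start of the buffer, and one sentence stating that, plus the consequence that an oversized buffer is then kept until a later fill_buffer call has room to shrink it, would make the condition self-explanatory. As agreed in the thread, the commit message should also carry a "May fix Ticket7094" line.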
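Review bot: dropping `av_assert0(len >= s->orig_buffer_size);` in the second hunk (`@@ -578,7 +578,6 @@`) leaves `len = s->orig_buffer_size;` with no local check that the assignment cannot raise `len` above the space that was actually available after `dst`, which is exactly the invariant the assertion made explicit; the guard now lives in the outer `if` of the previous hunk, separated from this line by the `ffio_set_buf_size` block, so consider keeping it as an `av_assert1` (debug builds only) or a short comment so that a later change to the outer condition does not silently remove the guarantee.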
Fixes: Assertion failure
Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/aviobuf.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)