Message ID | 20210318204958.21176-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | f733688d30021587c3f3a1b280d6ece8b04f26ff |
Series | [FFmpeg-devel,1/4] avformat/avidec: Check for dv streams before using priv_data in parse ##dc/##wb |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
Michael Niedermayer:
> Fixes: null pointer dereference
> Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/avidec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/avidec.c b/libavformat/avidec.c
> index fa0599501a..48370fe5ce 100644
> --- a/libavformat/avidec.c
> +++ b/libavformat/avidec.c
> @@ -1288,7 +1288,7 @@ start_sync:
> AVStream *st1 = s->streams[1];
> AVIStream *ast1 = st1->priv_data;
> // workaround for broken small-file-bug402.avi
> - if ( d[2] == 'w' && d[3] == 'b'
> + if (ast1 && d[2] == 'w' && d[3] == 'b'
> && n == 0
> && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO
> && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO
>
How is this possible? After all, dv streams also have an AVIStream as priv_data; and only the very first stream can ever be a dv stream due to the check in line 605.

- Andreas
On Fri, Mar 19, 2021 at 12:20:23AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: null pointer dereference
> > Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/avidec.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavformat/avidec.c b/libavformat/avidec.c
> > index fa0599501a..48370fe5ce 100644
> > --- a/libavformat/avidec.c
> > +++ b/libavformat/avidec.c
> > @@ -1288,7 +1288,7 @@ start_sync:
> > AVStream *st1 = s->streams[1];
> > AVIStream *ast1 = st1->priv_data;
> > // workaround for broken small-file-bug402.avi
> > - if ( d[2] == 'w' && d[3] == 'b'
> > + if (ast1 && d[2] == 'w' && d[3] == 'b'
> > && n == 0
> > && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO
> > && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO
> >
> How is this possible? After all, dv streams also have an AVIStream as

The DV demuxer creates streams in dv_extract_audio_info() without an AVIStream

> priv_data; and only the very first stream can ever be a dv stream due to
> the check in line 605.

I assume they are created after that check

[...]
Michael Niedermayer:
> On Fri, Mar 19, 2021 at 12:20:23AM +0100, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> Fixes: null pointer dereference
>>> Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavformat/avidec.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavformat/avidec.c b/libavformat/avidec.c
>>> index fa0599501a..48370fe5ce 100644
>>> --- a/libavformat/avidec.c
>>> +++ b/libavformat/avidec.c
>>> @@ -1288,7 +1288,7 @@ start_sync:
>>> AVStream *st1 = s->streams[1];
>>> AVIStream *ast1 = st1->priv_data;
>>> // workaround for broken small-file-bug402.avi
>>> - if ( d[2] == 'w' && d[3] == 'b'
>>> + if (ast1 && d[2] == 'w' && d[3] == 'b'
>>> && n == 0
>>> && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO
>>> && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO
>>>
>> How is this possible? After all, dv streams also have an AVIStream as
>
> The DV demuxer creates streams in dv_extract_audio_info() without an AVIStream
>
That explains it. Thanks. Patch is fine by me, but I haven't looked at it in detail. But neither dv nor avi set the AVFMTCTX_NOHEADER flag, so adding streams later is an API violation.
>
>> priv_data; and only the very first stream can ever be a dv stream due to
>> the check in line 605.
>
> I assume they are created after that check
>
>
On Fri, Mar 19, 2021 at 01:19:28AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > On Fri, Mar 19, 2021 at 12:20:23AM +0100, Andreas Rheinhardt wrote:
> >> Michael Niedermayer:
> >>> Fixes: null pointer dereference
> >>> Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768
> >>>
> >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >>> ---
> >>> libavformat/avidec.c | 2 +-
> >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/libavformat/avidec.c b/libavformat/avidec.c
> >>> index fa0599501a..48370fe5ce 100644
> >>> --- a/libavformat/avidec.c
> >>> +++ b/libavformat/avidec.c
> >>> @@ -1288,7 +1288,7 @@ start_sync:
> >>> AVStream *st1 = s->streams[1];
> >>> AVIStream *ast1 = st1->priv_data;
> >>> // workaround for broken small-file-bug402.avi
> >>> - if ( d[2] == 'w' && d[3] == 'b'
> >>> + if (ast1 && d[2] == 'w' && d[3] == 'b'
> >>> && n == 0
> >>> && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO
> >>> && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO
> >>>
> >> How is this possible? After all, dv streams also have an AVIStream as
> >
> > The DV demuxer creates streams in dv_extract_audio_info() without an AVIStream
> >
> That explains it. Thanks. Patch is fine by me,

will apply thx

> but I haven't looked at
> it in detail. But neither dv nor avi set the AVFMTCTX_NOHEADER flag, so
> adding streams later is an API violation.
>
>
> >> priv_data; and only the very first stream can ever be a dv stream due to
> >> the check in line 605.
> >
> > I assume they are created after that check
> >
> >
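Constructed C model (added here; not FFmpeg's code) of the situation the thread above describes: avidec allocates an AVIStream in priv_data for every stream it creates itself, but the audio stream the DV demuxer adds in dv_extract_audio_info() carries none, so the pre-patch ##wb workaround condition goes on to read through a NULL pointer while the patched `ast1 &&` term short-circuits. The struct and function names (Demuxer, Stream, AviStreamPriv, add_stream, bug402_workaround, avi_scenario) are stand-ins, not FFmpeg identifiers.

```c
#include <stddef.h>

/* Constructed model of the AVI/DV stream bookkeeping this patch touches; not FFmpeg's structs. */
enum { CODEC_TYPE_VIDEO, CODEC_TYPE_AUDIO };
enum { NO_PRIV_DATA = 0, WITH_PRIV_DATA = 1 };

typedef struct { int remaining; } AviStreamPriv;                       /* stands in for AVIStream */
typedef struct { int codec_type; AviStreamPriv *priv_data; } Stream;   /* stands in for AVStream */
typedef struct { Stream streams[4]; int nb_streams; } Demuxer;         /* stands in for AVFormatContext */

static AviStreamPriv priv_pool[4];
/* avidec allocates an AVIStream for every stream it creates itself; the DV demuxer, as the
 * thread explains, creates its audio streams in dv_extract_audio_info() with no AVIStream. */
static int add_stream(Demuxer *s, int codec_type, int with_priv)
{
    int i = s->nb_streams++;
    s->streams[i].codec_type = codec_type;
    s->streams[i].priv_data  = with_priv ? &priv_pool[i] : NULL;
    return i;
}

/* Models the small-file-bug402 workaround condition at the patched site: d is the 4-byte chunk
 * tag, n the stream index parsed from it, guarded selects pre-patch (0) or patched (1) form.
 * Returns 1 if the workaround fires, 0 if not, -1 where the unguarded form would read a NULL AVIStream. */
int bug402_workaround(const Demuxer *s, const unsigned char d[4], int n, int guarded)
{
    const Stream *st  = &s->streams[n];
    const Stream *st1 = &s->streams[1];
    const AviStreamPriv *ast1 = st1->priv_data;

    if (guarded && !ast1)               /* the patch: "if (ast1 && d[2] == 'w' ..." */
        return 0;
    if (d[2] == 'w' && d[3] == 'b' && n == 0 &&
        st->codec_type == CODEC_TYPE_VIDEO && st1->codec_type == CODEC_TYPE_AUDIO) {
        if (!ast1)
            return -1;                  /* pre-patch: the body reads ast1->... right here */
        return ast1->remaining >= 0;    /* stand-in for the body's use of ast1 */
    }
    return 0;
}

/* Scenario from the fuzzer case: stream 0 is the video stream avidec created (with an
 * AVIStream); stream 1 is an audio stream, with or without one depending on who added it. */
int avi_scenario(int audio_has_priv, int guarded)
{
    Demuxer s = {0};
    const unsigned char tag[4] = { '0', '0', 'w', 'b' };   /* constructed "00wb" chunk tag */
    add_stream(&s, CODEC_TYPE_VIDEO, WITH_PRIV_DATA);
    add_stream(&s, CODEC_TYPE_AUDIO, audio_has_priv);
    return bug402_workaround(&s, tag, 0, guarded);
}
```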
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index fa0599501a..48370fe5ce 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -1288,7 +1288,7 @@ start_sync: AVStream *st1 = s->streams[1]; AVIStream *ast1 = st1->priv_data; // workaround for broken small-file-bug402.avi - if ( d[2] == 'w' && d[3] == 'b' + if (ast1 && d[2] == 'w' && d[3] == 'b' && n == 0 && st ->codecpar->codec_type == AVMEDIA_TYPE_VIDEO && st1->codecpar->codec_type == AVMEDIA_TYPE_AUDIO
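Review bot: the `ast1 &&` term added to the condition is unexplained in the hunk itself; a reader of this function will assume every stream in the AVI demuxer carries an AVIStream in priv_data, and the reason it can be NULL here (the DV demuxer adds audio streams in dv_extract_audio_info() without one, as established in the thread) lives only in the mailing-list discussion. Suggest a short comment above `+ if (ast1 && d[2] == 'w' && d[3] == 'b'` stating that ast1 may be NULL for streams created by the DV demuxer, and, since the context shows `AVIStream *ast1 = st1->priv_data;` being taken for `s->streams[1]` only, a check that any other reads of priv_data for streams beyond stream 0 in this function are guarded the same way.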
Fixes: null pointer dereference
Fixes: 31588/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6165716135968768

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/avidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)