| Message ID | 20211017140909.3224-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 97c3053d59f30f84b30efcc73ccf1b2e84b89006 |
| Headers | show |
| Series | [FFmpeg-devel] avformat/dhav: Limit get_duration() iterations | expand |
| Context | Check | Description |
|---|---|---|
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
| andriy/make_ppc | success | Make finished |
| andriy/make_fate_ppc | success | Make fate finished |
On Sun, Oct 17, 2021 at 04:09:09PM +0200, Michael Niedermayer wrote: > Fixes: Timeout > Fixes: 39971/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5756969890217984 > Fixes: 39977/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-5327123053674496 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/dhav.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) will apply [...]
> diff --git a/libavformat/dhav.c b/libavformat/dhav.c > index b6bb25204c2..6c1cdde32c9 100644 > --- a/libavformat/dhav.c > +++ b/libavformat/dhav.c > @@ -234,12 +234,13 @@ static int64_t get_duration(AVFormatContext *s) > int64_t start_pos = avio_tell(s->pb); > int64_t start = 0, end = 0; > struct tm timeinfo; > + int max_interations = 100000; > I don't think this should be allowed. Kieran
On Sun, Nov 14, 2021 at 07:36:59PM +0000, Kieran Kunhya wrote: > > diff --git a/libavformat/dhav.c b/libavformat/dhav.c > > index b6bb25204c2..6c1cdde32c9 100644 > > --- a/libavformat/dhav.c > > +++ b/libavformat/dhav.c > > @@ -234,12 +234,13 @@ static int64_t get_duration(AVFormatContext *s) > > int64_t start_pos = avio_tell(s->pb); > > int64_t start = 0, end = 0; > > struct tm timeinfo; > > + int max_interations = 100000; > > > > I don't think this should be allowed. i dont like it either do you have a better idea ? [...]
On 11/15/2021 3:04 PM, Michael Niedermayer wrote: > i dont like it either > do you have a better idea ? Why is it seaching like this anyway? This is not even the only place in dhav.c it does this. Is the format documented somewhere by chance? There has to be a better early termination condition than an arbitrary number of iterations. - Derek
diff --git a/libavformat/dhav.c b/libavformat/dhav.c index b6bb25204c2..6c1cdde32c9 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c @@ -234,12 +234,13 @@ static int64_t get_duration(AVFormatContext *s) int64_t start_pos = avio_tell(s->pb); int64_t start = 0, end = 0; struct tm timeinfo; + int max_interations = 100000; if (!s->pb->seekable) return 0; avio_seek(s->pb, avio_size(s->pb) - 8, SEEK_SET); - while (avio_tell(s->pb) > 12) { + while (avio_tell(s->pb) > 12 && max_interations--) { if (avio_rl32(s->pb) == MKTAG('d','h','a','v')) { int seek_back = avio_rl32(s->pb);
Fixes: Timeout Fixes: 39971/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5756969890217984 Fixes: 39977/clusterfuzz-testcase-minimized-ffmpeg_dem_DHAV_fuzzer-5327123053674496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/dhav.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)