[FFmpeg-devel,3/4] avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

On Sun, 13 Mar 2022, Michael Niedermayer wrote:

> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/mxfdec.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index d7cdd22c8a..828fc0f9f1 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -932,6 +932,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i
>
> static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
> {
> +    int64_t ret;
>     unsigned c = avio_rb32(pb);
>
>     //avio_read() used int
> @@ -946,7 +947,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
>         return AVERROR(ENOMEM);
>     }
>     avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
> -    avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> +    ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> +    if (ret != *count * sizeof(UID)) {
> +        *count = ret < 0 ? 0   : ret / sizeof(UID);

I suggest you hard fail if the read count is not the expected, do not 
silently ignore corrupt file.

Regards,
Marton

> +        return   ret < 0 ? ret : AVERROR_INVALIDDATA;
> +    }
> +
>     return 0;
> }
>
> -- 
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>

On Sun, Mar 13, 2022 at 04:52:25PM +0100, Marton Balint wrote:
> 
> 
> On Sun, 13 Mar 2022, Michael Niedermayer wrote:
> 
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/mxfdec.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > index d7cdd22c8a..828fc0f9f1 100644
> > --- a/libavformat/mxfdec.c
> > +++ b/libavformat/mxfdec.c
> > @@ -932,6 +932,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i
> > 
> > static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
> > {
> > +    int64_t ret;
> >     unsigned c = avio_rb32(pb);
> > 
> >     //avio_read() used int
> > @@ -946,7 +947,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
> >         return AVERROR(ENOMEM);
> >     }
> >     avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
> > -    avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> > +    ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> > +    if (ret != *count * sizeof(UID)) {
> > +        *count = ret < 0 ? 0   : ret / sizeof(UID);
> 

> I suggest you hard fail if the read count is not the expected, do not
> silently ignore corrupt file.
> 
> Regards,
> Marton
> 
> > +        return   ret < 0 ? ret : AVERROR_INVALIDDATA;

Does it not hard fail here ?

thx

[...]

On Mon, 14 Mar 2022, Michael Niedermayer wrote:

> On Sun, Mar 13, 2022 at 04:52:25PM +0100, Marton Balint wrote:
>>
>>
>> On Sun, 13 Mar 2022, Michael Niedermayer wrote:
>>
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>> libavformat/mxfdec.c | 8 +++++++-
>>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
>>> index d7cdd22c8a..828fc0f9f1 100644
>>> --- a/libavformat/mxfdec.c
>>> +++ b/libavformat/mxfdec.c
>>> @@ -932,6 +932,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i
>>>
>>> static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
>>> {
>>> +    int64_t ret;
>>>     unsigned c = avio_rb32(pb);
>>>
>>>     //avio_read() used int
>>> @@ -946,7 +947,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
>>>         return AVERROR(ENOMEM);
>>>     }
>>>     avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
>>> -    avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
>>> +    ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
>>> +    if (ret != *count * sizeof(UID)) {
>>> +        *count = ret < 0 ? 0   : ret / sizeof(UID);
>>
>
>> I suggest you hard fail if the read count is not the expected, do not
>> silently ignore corrupt file.
>>
>> Regards,
>> Marton
>>
>>> +        return   ret < 0 ? ret : AVERROR_INVALIDDATA;
>
> Does it not hard fail here ?

Yeah, it does, sorry. This extra count calculation confused me... I'd just 
probably set it to 0 in case of a partial read, same as in case of an 
error, but fine either way I guess.

Regards,
Marton

sön 2022-03-13 klockan 00:52 +0100 skrev Michael Niedermayer:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mxfdec.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index d7cdd22c8a..828fc0f9f1 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -932,6 +932,7 @@ static int mxf_read_cryptographic_context(void
> *arg, AVIOContext *pb, int tag, i
>  
>  static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs,
> int *count)
>  {
> +    int64_t ret;
>      unsigned c = avio_rb32(pb);
>  
>      //avio_read() used int
> @@ -946,7 +947,12 @@ static int mxf_read_strong_ref_array(AVIOContext
> *pb, UID **refs, int *count)
>          return AVERROR(ENOMEM);
>      }
>      avio_skip(pb, 4); /* useless size of objects, always 16
> according to specs */
> -    avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> +    ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> +    if (ret != *count * sizeof(UID)) {
> +        *count = ret < 0 ? 0   : ret / sizeof(UID);
> +        return   ret < 0 ? ret : AVERROR_INVALIDDATA;

Looks ok

/Tomas

On Mon, Mar 14, 2022 at 06:08:32PM +0100, Marton Balint wrote:
> 
> 
> On Mon, 14 Mar 2022, Michael Niedermayer wrote:
> 
> > On Sun, Mar 13, 2022 at 04:52:25PM +0100, Marton Balint wrote:
> > > 
> > > 
> > > On Sun, 13 Mar 2022, Michael Niedermayer wrote:
> > > 
> > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > > ---
> > > > libavformat/mxfdec.c | 8 +++++++-
> > > > 1 file changed, 7 insertions(+), 1 deletion(-)
> > > > 
> > > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > > > index d7cdd22c8a..828fc0f9f1 100644
> > > > --- a/libavformat/mxfdec.c
> > > > +++ b/libavformat/mxfdec.c
> > > > @@ -932,6 +932,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i
> > > > 
> > > > static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
> > > > {
> > > > +    int64_t ret;
> > > >     unsigned c = avio_rb32(pb);
> > > > 
> > > >     //avio_read() used int
> > > > @@ -946,7 +947,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
> > > >         return AVERROR(ENOMEM);
> > > >     }
> > > >     avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */
> > > > -    avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> > > > +    ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> > > > +    if (ret != *count * sizeof(UID)) {
> > > > +        *count = ret < 0 ? 0   : ret / sizeof(UID);
> > > 
> > 
> > > I suggest you hard fail if the read count is not the expected, do not
> > > silently ignore corrupt file.
> > > 
> > > Regards,
> > > Marton
> > > 
> > > > +        return   ret < 0 ? ret : AVERROR_INVALIDDATA;
> > 
> > Does it not hard fail here ?
> 
> Yeah, it does, sorry. This extra count calculation confused me... I'd just
> probably set it to 0 in case of a partial read, same as in case of an error,
> but fine either way I guess.

i wanted to set the count to be most correct value. So if someone was
debuging this and tried to just not fail it would already have a useable
value in count.

thx
[...]

On Mon, Mar 14, 2022 at 08:21:04PM +0100, Tomas Härdin wrote:
> sön 2022-03-13 klockan 00:52 +0100 skrev Michael Niedermayer:
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mxfdec.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > index d7cdd22c8a..828fc0f9f1 100644
> > --- a/libavformat/mxfdec.c
> > +++ b/libavformat/mxfdec.c
> > @@ -932,6 +932,7 @@ static int mxf_read_cryptographic_context(void
> > *arg, AVIOContext *pb, int tag, i
> >  
> >  static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs,
> > int *count)
> >  {
> > +    int64_t ret;
> >      unsigned c = avio_rb32(pb);
> >  
> >      //avio_read() used int
> > @@ -946,7 +947,12 @@ static int mxf_read_strong_ref_array(AVIOContext
> > *pb, UID **refs, int *count)
> >          return AVERROR(ENOMEM);
> >      }
> >      avio_skip(pb, 4); /* useless size of objects, always 16
> > according to specs */
> > -    avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> > +    ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
> > +    if (ret != *count * sizeof(UID)) {
> > +        *count = ret < 0 ? 0   : ret / sizeof(UID);
> > +        return   ret < 0 ? ret : AVERROR_INVALIDDATA;
> 
> Looks ok

i will apply once we agree on the previous patch as that is on top of it

thx

[...]