diff mbox series

[FFmpeg-devel,2/3] avformat/tty: Fix division by 0 in probe

Message ID 20200206134549.29792-2-michael@niedermayer.cc
State Accepted
Headers show
Series [FFmpeg-devel,1/3] avcodec/cavsdsp: Fix invalid left shifts in cavs_idct8_add_c() | expand

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer Feb. 6, 2020, 1:45 p.m. UTC
Fixes: division by zero
Fixes: 20436/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5763229752229888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/tty.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Paul B Mahol Feb. 6, 2020, 2:27 p.m. UTC | #1
Nonsense, why would this code be called with 0 buffer?

On 2/6/20, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: division by zero
> Fixes:
> 20436/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5763229752229888
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/tty.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/tty.c b/libavformat/tty.c
> index 60f7e9f87e..854a23c500 100644
> --- a/libavformat/tty.c
> +++ b/libavformat/tty.c
> @@ -53,6 +53,9 @@ static int read_probe(const AVProbeData *p)
>  {
>      int cnt = 0;
>
> +    if (!p->buf_size)
> +        return 0;
> +
>      for (int i = 0; i < p->buf_size; i++)
>          cnt += !!isansicode(p->buf[i]);
>
> --
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer Feb. 6, 2020, 11:15 p.m. UTC | #2
On Thu, Feb 06, 2020 at 03:27:11PM +0100, Paul B Mahol wrote:
> Nonsense, why would this code be called with 0 buffer?

I guess because code calls av_probe_input_format3() with a 0 buffer
its a public function and called by multiple places from our code base
as well. Theres even code in it to handle the case of a 0 sized input.

The code that triggers it in this case seems to be probing the stream
content. Its not a 0 byte input file

Thanks


> 
> On 2/6/20, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: division by zero
> > Fixes:
> > 20436/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5763229752229888
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/tty.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/libavformat/tty.c b/libavformat/tty.c
> > index 60f7e9f87e..854a23c500 100644
> > --- a/libavformat/tty.c
> > +++ b/libavformat/tty.c
> > @@ -53,6 +53,9 @@ static int read_probe(const AVProbeData *p)
> >  {
> >      int cnt = 0;
> >
> > +    if (!p->buf_size)
> > +        return 0;
> > +
> >      for (int i = 0; i < p->buf_size; i++)
> >          cnt += !!isansicode(p->buf[i]);
> >
> > --
> > 2.17.1
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel@ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Hendrik Leppkes Feb. 6, 2020, 11:19 p.m. UTC | #3
On Fri, Feb 7, 2020 at 12:16 AM Michael Niedermayer <michaelni@gmx.at> wrote:
>
> On Thu, Feb 06, 2020 at 03:27:11PM +0100, Paul B Mahol wrote:
> > Nonsense, why would this code be called with 0 buffer?
>
> I guess because code calls av_probe_input_format3() with a 0 buffer
> its a public function and called by multiple places from our code base
> as well. Theres even code in it to handle the case of a 0 sized input.
>
> The code that triggers it in this case seems to be probing the stream
> content. Its not a 0 byte input file
>

The generic code in the public API calls should probably catch that
then, a probe function really can't do anything meaningful on a NULL
or zero-sized buffer.

- Hendrik
Michael Niedermayer Feb. 7, 2020, 11:44 a.m. UTC | #4
On Fri, Feb 07, 2020 at 12:19:32AM +0100, Hendrik Leppkes wrote:
> On Fri, Feb 7, 2020 at 12:16 AM Michael Niedermayer <michaelni@gmx.at> wrote:
> >
> > On Thu, Feb 06, 2020 at 03:27:11PM +0100, Paul B Mahol wrote:
> > > Nonsense, why would this code be called with 0 buffer?
> >
> > I guess because code calls av_probe_input_format3() with a 0 buffer
> > its a public function and called by multiple places from our code base
> > as well. Theres even code in it to handle the case of a 0 sized input.
> >
> > The code that triggers it in this case seems to be probing the stream
> > content. Its not a 0 byte input file
> >
> 
> The generic code in the public API calls should probably catch that
> then, a probe function really can't do anything meaningful on a NULL
> or zero-sized buffer.

some of our probe functions have code to handle zero buffers,
an example of this is to search the file name for placeholders
like %d with image extensions. If the file failed to open and has that
in its name that identifies it as a sequence of images.

I suspect v4l2 will also give you a 0 buffer and i guess there are
others


Thanks

[...]
diff mbox series

Patch

diff --git a/libavformat/tty.c b/libavformat/tty.c
index 60f7e9f87e..854a23c500 100644
--- a/libavformat/tty.c
+++ b/libavformat/tty.c
@@ -53,6 +53,9 @@  static int read_probe(const AVProbeData *p)
 {
     int cnt = 0;
 
+    if (!p->buf_size)
+        return 0;
+
     for (int i = 0; i < p->buf_size; i++)
         cnt += !!isansicode(p->buf[i]);