[FFmpeg-devel,2/2] avformat/mvdec: Check stream numbers

Message ID 20200223172726.20720-2-michael@niedermayer.cc
State New
Series [FFmpeg-devel,1/2] tools/target_dec_fuzzer: Adjust threshold for zerocodec

Checks

Context Check Description
andriy/ffmpeg-patchwork pending
andriy/ffmpeg-patchwork success Applied patch
andriy/ffmpeg-patchwork success Configure finished
andriy/ffmpeg-patchwork success Make finished
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer Feb. 23, 2020, 5:27 p.m. UTC
Fixes: null pointer dereference
Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mvdec.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Andreas Rheinhardt Feb. 23, 2020, 8:54 p.m. UTC | #1
Michael Niedermayer:
> Fixes: null pointer dereference
> Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mvdec.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> index f9f7e38137..64166a84b1 100644
> --- a/libavformat/mvdec.c
> +++ b/libavformat/mvdec.c
> @@ -363,6 +363,12 @@ static int mv_read_header(AVFormatContext *avctx)
>          if ((ret = read_table(avctx, NULL, parse_global_var)) < 0)
>              return ret;
>  
> +        if (mv->nb_audio_tracks < 0  || mv->nb_video_tracks < 0 ||
> +           (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) {
> +            av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n");
> +            return AVERROR_INVALIDDATA;
> +        }
> +
>          if (mv->nb_audio_tracks > 1) {
>              avpriv_request_sample(avctx, "Multiple audio streams support");
>              return AVERROR_PATCHWELCOME;
> 
LGTM.

- Andreas

PS: Is it actually allowed to set the channel_layout to stereo if
there are more than two channels (as set_channels() does)?

Michael Niedermayer Feb. 25, 2020, 4:46 p.m. UTC | #2
On Sun, Feb 23, 2020 at 08:54:00PM +0000, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: null pointer dereference
> > Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mvdec.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
> > index f9f7e38137..64166a84b1 100644
> > --- a/libavformat/mvdec.c
> > +++ b/libavformat/mvdec.c
> > @@ -363,6 +363,12 @@ static int mv_read_header(AVFormatContext *avctx)
> >          if ((ret = read_table(avctx, NULL, parse_global_var)) < 0)
> >              return ret;
> >  
> > +        if (mv->nb_audio_tracks < 0  || mv->nb_video_tracks < 0 ||
> > +           (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) {
> > +            av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n");
> > +            return AVERROR_INVALIDDATA;
> > +        }
> > +
> >          if (mv->nb_audio_tracks > 1) {
> >              avpriv_request_sample(avctx, "Multiple audio streams support");
> >              return AVERROR_PATCHWELCOME;
> > 
> LGTM.

will apply


> 
> - Andreas
> 
> PS: Is it actually allowed to set the channel_layout to stereo if
> there are more than two channels (as set_channels() does)?

I'd say code which sets this inconsistently should be fixed

thx

[...]
Patch

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index f9f7e38137..64166a84b1 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -363,6 +363,12 @@  static int mv_read_header(AVFormatContext *avctx)
         if ((ret = read_table(avctx, NULL, parse_global_var)) < 0)
             return ret;
 
+        if (mv->nb_audio_tracks < 0  || mv->nb_video_tracks < 0 ||
+           (mv->nb_audio_tracks == 0 && mv->nb_video_tracks == 0)) {
+            av_log(avctx, AV_LOG_ERROR, "Stream count is invalid.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         if (mv->nb_audio_tracks > 1) {
             avpriv_request_sample(avctx, "Multiple audio streams support");
             return AVERROR_PATCHWELCOME;
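
Review bot: The added av_log() call reports only "Stream count is invalid." without the offending values, so a rejected file cannot be classified as negative audio count, negative video count, or both counts zero; consider printing mv->nb_audio_tracks and mv->nb_video_tracks in the message. The commit message names a null pointer dereference, but neither it nor the hunk says which later access depends on at least one stream existing; a one-line comment above the check stating that would make the guard harder to drop in a later refactor. Style: there is a double space before the first || in the condition on mv->nb_audio_tracks < 0.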