
[FFmpeg-devel,3/3] avformat/moflex: Check m->size before seeking

Message ID 20201002125915.17281-3-michael@niedermayer.cc
State Accepted
Commit acd735efaf0ceba95c3f07751182af485af993d2
Series [FFmpeg-devel,1/3] avcodec/dxtory: Fix negative stride shift in dx2_decode_slice_420()

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Michael Niedermayer Oct. 2, 2020, 12:59 p.m. UTC
Fixes: Infinite loop
Fixes: 26016/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6195663833137152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/moflex.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Paul B Mahol Oct. 2, 2020, 2:27 p.m. UTC | #1
On Fri, Oct 02, 2020 at 02:59:15PM +0200, Michael Niedermayer wrote:
> Fixes: Infinite loop
> Fixes: 26016/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6195663833137152
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/moflex.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 

lgtm

Michael Niedermayer Oct. 3, 2020, 6:44 p.m. UTC | #2
On Fri, Oct 02, 2020 at 04:27:47PM +0200, Paul B Mahol wrote:
> On Fri, Oct 02, 2020 at 02:59:15PM +0200, Michael Niedermayer wrote:
> > Fixes: Infinite loop
> > Fixes: 26016/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6195663833137152
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/moflex.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> 
> lgtm

will apply

thx

[...]

Patch

diff --git a/libavformat/moflex.c b/libavformat/moflex.c
index 937f63cb63..a24e12eb8e 100644
--- a/libavformat/moflex.c
+++ b/libavformat/moflex.c
@@ -342,8 +342,11 @@  static int moflex_read_packet(AVFormatContext *s, AVPacket *pkt)
 
         m->in_block = 0;
 
-        if (m->flags % 2 == 0)
+        if (m->flags % 2 == 0) {
+            if (m->size <= 0)
+                return AVERROR_INVALIDDATA;
             avio_seek(pb, m->pos + m->size, SEEK_SET);
+        }
     }
 
     return AVERROR_EOF;
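
Review bot: the avio_seek(pb, m->pos + m->size, SEEK_SET) call inside the new braces still discards its return value, so a seek that fails is silently ignored; consider capturing the result and returning it when it is negative. The new `if (m->size <= 0)` check would also benefit from a one-line comment saying why a non-positive size is invalid at this point, since the commit message only says "Infinite loop". Only the lower bound of m->size is checked here, so if m->pos and m->size come from the file, the sum m->pos + m->size is worth a look for overflow before it is used as a seek target.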