| Message ID | 20201031092957.14996-2-michael@niedermayer.cc |
|---|---|
| State | New |
| Series | [FFmpeg-devel,1/2] libavformat/aviobuf: Forward error from avio_read in ffio_read_size() |
| Context | Check | Description |
|---|---|---|
| andriy/x86_make | success | Make finished |
| andriy/x86_make_fate | success | Make fate finished |
| andriy/PPC64_make | success | Make finished |
| andriy/PPC64_make_fate | success | Make fate finished |
Michael Niedermayer: > Fixes: OOM > Fixes: 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/apngdec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c > index 0f1d04a365..4e1d21031f 100644 > --- a/libavformat/apngdec.c > +++ b/libavformat/apngdec.c > @@ -138,7 +138,7 @@ static int append_extradata(AVCodecParameters *par, AVIOContext *pb, int len) > par->extradata = new_extradata; > par->extradata_size = new_size; > > - if ((ret = avio_read(pb, par->extradata + previous_size, len)) < 0) > + if ((ret = ffio_read_size(pb, par->extradata + previous_size, len)) < 0) > return ret; > > return previous_size; > There is a second avio_read() call that does not check whether it has read all it wanted. It can not really lead to OOM (as the extradata size in this case is 29), but it is not nice to not return an error in this case. I therefore resurrected my old patchset: https://ffmpeg.org/pipermail/ffmpeg-devel/2020-October/271779.html - Andreas
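The short-read behaviour Andreas refers to, as an added example that is not part of the patch or of FFmpeg's code: avio_read() returns the number of bytes actually read and treats a truncated read as success, while ffio_read_size() demands the full count and returns an error otherwise. The C below models both behaviours with stand-ins (Stream, stream_read, stream_read_size, Params and the ERR_* codes are invented for this page, not libavformat's API) and runs the pre-patch and post-patch shapes of append_extradata over a constructed chunk that announces 29 payload bytes while only 10 remain in the stream. The OOM path named in the commit message is not on this page, so the model only shows what the unchecked read leaves behind; the rollback of extradata_size on failure in the checked version is an addition beyond the patch.

```c
/*
 * Added example, not FFmpeg code: a self-contained model of the short-read
 * hazard addressed by the patch. Stream, stream_read(), stream_read_size(),
 * Params and the ERR_* codes are stand-ins written for this page; their
 * names and semantics are assumptions, not libavformat's API.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ERR_EOF         (-1)
#define ERR_INVALIDDATA (-2)
#define ERR_NOMEM       (-3)

/* Minimal in-memory byte stream standing in for AVIOContext. */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} Stream;

/* Models avio_read(): copies up to n bytes and returns how many were
 * actually read. A short read near end of input is NOT an error here;
 * only a read with nothing left at all returns a negative value. */
static int stream_read(Stream *s, uint8_t *buf, int n)
{
    size_t left = s->size - s->pos;
    int got = (int)(left < (size_t)n ? left : (size_t)n);
    if (got == 0 && n > 0)
        return ERR_EOF;
    memcpy(buf, s->data + s->pos, (size_t)got);
    s->pos += (size_t)got;
    return got;
}

/* Models ffio_read_size(): insists on exactly n bytes, forwarding a
 * negative read result and turning a short read into an error. */
static int stream_read_size(Stream *s, uint8_t *buf, int n)
{
    int ret = stream_read(s, buf, n);
    if (ret < 0)
        return ret;
    if (ret != n)
        return ERR_INVALIDDATA;
    return 0;
}

/* Stand-in for the codec-parameter extradata buffer. */
typedef struct {
    uint8_t *extradata;
    int extradata_size;
} Params;

/* "Before" shape: grow extradata by len, read with the short-read-tolerant
 * reader and check only for a negative return. A truncated chunk leaves
 * extradata_size covering bytes that were never read (realloc garbage). */
static int append_extradata_unchecked(Params *par, Stream *pb, int len)
{
    int previous_size = par->extradata_size;
    int new_size = previous_size + len;
    uint8_t *new_extradata = realloc(par->extradata, (size_t)new_size);
    int ret;
    if (!new_extradata)
        return ERR_NOMEM;
    par->extradata = new_extradata;
    par->extradata_size = new_size;
    if ((ret = stream_read(pb, par->extradata + previous_size, len)) < 0)
        return ret;
    return previous_size;
}

/* "After" shape: same structure with the strict reader, so a short read
 * fails. Beyond the patch, extradata_size is rolled back on failure so the
 * struct never describes bytes that were not filled in. */
static int append_extradata_checked(Params *par, Stream *pb, int len)
{
    int previous_size = par->extradata_size;
    int new_size = previous_size + len;
    uint8_t *new_extradata = realloc(par->extradata, (size_t)new_size);
    int ret;
    if (!new_extradata)
        return ERR_NOMEM;
    par->extradata = new_extradata;
    par->extradata_size = new_size;
    if ((ret = stream_read_size(pb, par->extradata + previous_size, len)) < 0) {
        par->extradata_size = previous_size; /* rollback, added here */
        return ret;
    }
    return previous_size;
}

/* Runs both versions over a constructed input: a chunk announces 29 payload
 * bytes but only 10 remain (file cut short). Reports how many bytes the
 * unchecked version claims without having read, the checked version's
 * return code and its extradata_size afterwards; returns the unchecked
 * version's own return value. */
static int demo_truncated_chunk(int *unchecked_claimed_unread, int *checked_ret,
                                int *checked_size_after)
{
    /* Constructed sample payload: 10 bytes where 29 were announced. */
    static const uint8_t payload[10] = { 0x08, 0x02, 0, 0, 0, 0, 0, 0, 0, 1 };
    const int announced_len = 29;
    Params a = { NULL, 0 }, b = { NULL, 0 };
    Stream sa = { payload, sizeof payload, 0 };
    Stream sb = { payload, sizeof payload, 0 };
    int ra = append_extradata_unchecked(&a, &sa, announced_len);
    int rb = append_extradata_checked(&b, &sb, announced_len);

    *unchecked_claimed_unread = (ra >= 0) ? a.extradata_size - (int)sa.pos : 0;
    *checked_ret = rb;
    *checked_size_after = b.extradata_size;

    free(a.extradata);
    free(b.extradata);
    return ra;
}

int main(void)
{
    int unread, ret, size;
    int ra = demo_truncated_chunk(&unread, &ret, &size);
    printf("unchecked: returned %d, extradata_size covers %d unread bytes\n", ra, unread);
    printf("checked:   returned %d, extradata_size rolled back to %d\n", ret, size);
    return 0;
}
```

Any C99 compiler builds it; main() prints both outcomes. The unchecked version reports success with extradata_size at 29 after filling only 10 bytes, so 19 bytes of the buffer are uninitialised heap memory that a consumer would treat as input; the checked version returns ERR_INVALIDDATA and leaves extradata_size at 0.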
diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index 0f1d04a365..4e1d21031f 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -138,7 +138,7 @@ static int append_extradata(AVCodecParameters *par, AVIOContext *pb, int len) par->extradata = new_extradata; par->extradata_size = new_size; - if ((ret = avio_read(pb, par->extradata + previous_size, len)) < 0) + if ((ret = ffio_read_size(pb, par->extradata + previous_size, len)) < 0) return ret; return previous_size;
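Review bot: in this hunk `par->extradata_size = new_size;` is committed before the read, so when `ffio_read_size()` now fails the function returns `ret` with `extradata_size` still counting `len` bytes that were never filled from the input. If any caller continues after the error, the parameters describe uninitialised memory as extradata; a one-line rollback before `return ret;` (`par->extradata_size = previous_size;`) keeps them consistent on the error path at no cost. Separately, the commit message says only "Fixes: OOM": a sentence on how a short read in append_extradata() leads to unbounded allocation would help reviewers see why switching to the strict reader is the right fix, and should note that this sits in the same series as 1/2 (ffio_read_size forwarding avio_read's error), which changes which error code reaches this return.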
Fixes: OOM
Fixes: 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/apngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)