From patchwork Sat Oct 31 14:16:23 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
X-Patchwork-Id: 23299
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 5359E44B01B
	for <patchwork@ffaux-bg.ffmpeg.org>; Sat, 31 Oct 2020 16:16:42 +0200 (EET)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 1125468AB04;
	Sat, 31 Oct 2020 16:16:42 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wr1-f67.google.com (mail-wr1-f67.google.com
 [209.85.221.67])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 31F0768AA83
 for <ffmpeg-devel@ffmpeg.org>; Sat, 31 Oct 2020 16:16:34 +0200 (EET)
Received: by mail-wr1-f67.google.com with SMTP id b3so3578828wrx.11
 for <ffmpeg-devel@ffmpeg.org>; Sat, 31 Oct 2020 07:16:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:reply-to:mime-version
 :content-transfer-encoding;
 bh=+P3kLmuMbzoAXNsIblX6hjxCJ5j32HY/bvcI5rCjJj4=;
 b=G3z1+t+MKShH/8Xoe+LoQ+lkHctBVUWT9AIyIoNaxedopk2x04NcbJgxuMh+/jglHZ
 17ro88Sbit+tMxRHYuMOLf5PAYhH8Yk3egp3q6rHcMfwlG5/5PIU/eZNACWSkLUlzY1k
 zEVm2JUKIpqrqJQuV7TDS1mbDIu+A5Z1PxkcpWBzAq+vf45bqzImz3aA2fzeFQvCiq8O
 V7a8hgpJDkiBK7NAvyJBYUMZ4xGl3igK78g5E9FuKbAD9mLfE+iA+P3I7QZDh0wXcgR7
 Z/rgR+MQKteUuirBpKbSL/k2V6E0eZKgFn4HTdlyVSynYMEENeeyJeVydpQdPmqV3eF5
 xvZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:reply-to
 :mime-version:content-transfer-encoding;
 bh=+P3kLmuMbzoAXNsIblX6hjxCJ5j32HY/bvcI5rCjJj4=;
 b=R6+q4RD2qJ3TFHnH3VGnnZvgshj1Vexod1L1/01iwBOL69D75aMq4dpDhawjJGQVkw
 Kzi2ZFH964/BuYeYxzA9xbSiat6TVkKfyC6HTfPNT+KQjWp3q3XjiTzV/gWs48n3oIbx
 WdUgSZ8n3Y3fRpTk5ch/LAaR1zbs63Q12o/XtPuhrjPqHDLGSm6hMHkOt9vQ+Dx36Nme
 n0vVnZ1Ugyu/aVdEtB3OOJe0CaFbVf0i77p2ilKVMveccDpG+l+PnhtdjsqdibxOv08d
 TKYwbyp/AJmDLnl25WEChsEk+uwvm0jRXLddd4dB/U1xD/aybQwhD6FsW7Prnce4FR7I
 JI3w==
X-Gm-Message-State: AOAM531v61/bPbrNe985F/EqnrC1dFqAxIZY7na/cegBf4a9bVi6jXu+
 FpMt67oXHxM2NzgME8alaUHVB4qQSZA=
X-Google-Smtp-Source: 
 ABdhPJwNowL36vkARGMziCV5HzW9fvCbV1/nbfkaYsjtfn9owX+JweYlETlYoAtQdY+ufUxllef7zg==
X-Received: by 2002:adf:dd8d:: with SMTP id x13mr9654015wrl.398.1604153793113;
 Sat, 31 Oct 2020 07:16:33 -0700 (PDT)
Received: from sblaptop.fritz.box (ipbcc1aa4b.dynamic.kabel-deutschland.de.
 [188.193.170.75])
 by smtp.gmail.com with ESMTPSA id r1sm15522273wro.18.2020.10.31.07.16.31
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sat, 31 Oct 2020 07:16:32 -0700 (PDT)
From: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 31 Oct 2020 15:16:23 +0100
Message-Id: <20201031141626.727000-1-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH v3 1/4] avformat/apngdec: Return error for
	incomplete header
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

If avio_read() could read anything, it returns the number of bytes read,
even if it could not read as much as the caller desired.
apng_read_header() only checked the return value of its avio_read() calls
for being negative and this meant that it was possible for an incomplete
header to not be detected. The return value of the last successfull call
has been returned instead. This commit changes this.

Fixes: OOM
Fixes: 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavformat/apngdec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index 0f1d04a365..23d7e15393 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -138,7 +138,7 @@ static int append_extradata(AVCodecParameters *par, AVIOContext *pb, int len)
     par->extradata = new_extradata;
     par->extradata_size = new_size;
 
-    if ((ret = avio_read(pb, par->extradata + previous_size, len)) < 0)
+    if ((ret = ffio_read_size(pb, par->extradata + previous_size, len)) < 0)
         return ret;
 
     return previous_size;
@@ -185,10 +185,10 @@ static int apng_read_header(AVFormatContext *s)
     AV_WL32(st->codecpar->extradata+4,  tag);
     AV_WB32(st->codecpar->extradata+8,  st->codecpar->width);
     AV_WB32(st->codecpar->extradata+12, st->codecpar->height);
-    if ((ret = avio_read(pb, st->codecpar->extradata+16, 9)) < 0)
-        goto fail;
+    if ((ret = ffio_read_size(pb, st->codecpar->extradata + 16, 9)) < 0)
+        return ret;
 
-    while (!avio_feof(pb)) {
+    while (1) {
         if (acTL_found && ctx->num_play != 1) {
             int64_t size   = avio_size(pb);
             int64_t offset = avio_tell(pb);