[FFmpeg-devel,6/6] avformat/concatdec: use av_strstart()

Message ID 20201031224633.27872-6-michael@niedermayer.cc
State Accepted
Commit 2610acb49a140901dacbd36c598a5514cf9ade0d
Series [FFmpeg-devel,1/6] avformat/avidec: Use av_sat_sub64() in check_stream_max_drift()

Checks

Context                  Check    Description
andriy/x86_make          success  Make finished
andriy/x86_make_fate     success  Make fate finished
andriy/PPC64_make        success  Make finished
andriy/PPC64_make_fate   success  Make fate finished

Commit Message

Michael Niedermayer Oct. 31, 2020, 10:46 p.m. UTC
Fixes: out array read
Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/concatdec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Andreas Rheinhardt Nov. 2, 2020, 1:50 a.m. UTC | #1
Michael Niedermayer:
> Fixes: out array read
> Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/concatdec.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c
> index 4b56b61404..6d5b9914f9 100644
> --- a/libavformat/concatdec.c
> +++ b/libavformat/concatdec.c
> @@ -113,7 +113,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile,
>      ConcatFile *file;
>      char *url = NULL;
>      const char *proto;
> -    size_t url_len, proto_len;
> +    const char *ptr;
> +    size_t url_len;
>      int ret;
>  
>      if (cat->safe > 0 && !safe_filename(filename)) {
> @@ -122,9 +123,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile,
>      }
>  
>      proto = avio_find_protocol_name(filename);
> -    proto_len = proto ? strlen(proto) : 0;
> -    if (proto && !memcmp(filename, proto, proto_len) &&
> -        (filename[proto_len] == ':' || filename[proto_len] == ',')) {
> +    if (proto && av_strstart(filename, proto, &ptr) &&
> +        (*ptr == ':' || *ptr == ',')) {
>          url = filename;
>          filename = NULL;
>      } else {
> 
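Review bot: the `*ptr` test on the second added line is well defined only because `&&` evaluates `av_strstart(filename, proto, &ptr)` first, and av_strstart() writes `ptr` only when the prefix matches. Keep the operands in this order, since moving the `*ptr` comparison ahead of the av_strstart() call would read a pointer that was never set. On a match `ptr` points just past the prefix inside `filename`, at worst at its terminating NUL, so the ':' / ',' comparison stays in bounds.
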
LGTM.

- Andreas

Nicolas George Nov. 2, 2020, 12:02 p.m. UTC | #2
Michael Niedermayer (12020-10-31):
> Fixes: out array read
> Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/concatdec.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)

LGTM, thanks.

Regards,

Michael Niedermayer Nov. 2, 2020, 11:46 p.m. UTC | #3
On Mon, Nov 02, 2020 at 01:02:14PM +0100, Nicolas George wrote:
> Michael Niedermayer (12020-10-31):
> > Fixes: out array read
> > Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/concatdec.c | 8 ++++----
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> LGTM, thanks.

will apply

thx to both you and andreas

[...]
Patch

diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c
index 4b56b61404..6d5b9914f9 100644
--- a/libavformat/concatdec.c
+++ b/libavformat/concatdec.c
@@ -113,7 +113,8 @@  static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile,
     ConcatFile *file;
     char *url = NULL;
     const char *proto;
-    size_t url_len, proto_len;
+    const char *ptr;
+    size_t url_len;
     int ret;
 
     if (cat->safe > 0 && !safe_filename(filename)) {
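Review bot: `ptr` in the added declaration `const char *ptr;` is a generic name for a pointer that has exactly one meaning in this function, the byte that follows the protocol prefix. A name such as `after_proto` would make the later `*ptr == ':'` test readable without looking up what av_strstart() stores there.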
@@ -122,9 +123,8 @@  static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile,
     }
 
     proto = avio_find_protocol_name(filename);
-    proto_len = proto ? strlen(proto) : 0;
-    if (proto && !memcmp(filename, proto, proto_len) &&
-        (filename[proto_len] == ':' || filename[proto_len] == ',')) {
+    if (proto && av_strstart(filename, proto, &ptr) &&
+        (*ptr == ':' || *ptr == ',')) {
         url = filename;
         filename = NULL;
     } else {
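Review bot: neither the commit message ("Fixes: out array read") nor the new condition records what was wrong with the removed lines: `memcmp(filename, proto, proto_len)` compared `proto_len` bytes of `filename` and then indexed `filename[proto_len]` without establishing that `filename` is at least that long. A sentence in the commit message, or a short comment above the av_strstart() call stating that the comparison must stop at the end of `filename`, would keep a later cleanup from restoring the length-based compare.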