Message ID | 20201031224633.27872-6-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 2610acb49a140901dacbd36c598a5514cf9ade0d |
Series | [FFmpeg-devel,1/6] avformat/avidec: Use av_sat_sub64() in check_stream_max_drift() |

Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
Michael Niedermayer: > Fixes: out array read > Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/concatdec.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c > index 4b56b61404..6d5b9914f9 100644 > --- a/libavformat/concatdec.c > +++ b/libavformat/concatdec.c > @@ -113,7 +113,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, > ConcatFile *file; > char *url = NULL; > const char *proto; > - size_t url_len, proto_len; > + const char *ptr; > + size_t url_len; > int ret; > > if (cat->safe > 0 && !safe_filename(filename)) { > @@ -122,9 +123,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, > } > > proto = avio_find_protocol_name(filename); > - proto_len = proto ? strlen(proto) : 0; > - if (proto && !memcmp(filename, proto, proto_len) && > - (filename[proto_len] == ':' || filename[proto_len] == ',')) { > + if (proto && av_strstart(filename, proto, &ptr) && > + (*ptr == ':' || *ptr == ',')) { > url = filename; > filename = NULL; > } else { > LGTM. - Andreas
Michael Niedermayer (12020-10-31):
> Fixes: out array read
> Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/concatdec.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)

LGTM, thanks.

Regards,
On Mon, Nov 02, 2020 at 01:02:14PM +0100, Nicolas George wrote:
> Michael Niedermayer (12020-10-31):
> > Fixes: out array read
> > Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavformat/concatdec.c | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
>
> LGTM, thanks.

will apply

thx to both you and andreas

[...]
diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 4b56b61404..6d5b9914f9 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -113,7 +113,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, ConcatFile *file; char *url = NULL; const char *proto; - size_t url_len, proto_len; + const char *ptr; + size_t url_len; int ret; if (cat->safe > 0 && !safe_filename(filename)) { @@ -122,9 +123,8 @@ static int add_file(AVFormatContext *avf, char *filename, ConcatFile **rfile, } proto = avio_find_protocol_name(filename); - proto_len = proto ? strlen(proto) : 0; - if (proto && !memcmp(filename, proto, proto_len) && - (filename[proto_len] == ':' || filename[proto_len] == ',')) { + if (proto && av_strstart(filename, proto, &ptr) && + (*ptr == ':' || *ptr == ',')) { url = filename; filename = NULL; } else {
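Review bot: in the first hunk, `const char *ptr;` is declared at function scope with no initializer and a generic name, although it is only meaningful after av_strstart() has succeeded in the second hunk. Initializing it to NULL, or giving it a name that says it points just past the protocol prefix, would make an accidental later use in add_file() easier to spot.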
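Review bot: the commit message says only "out array read" and does not name the read; in the second hunk it is the removed `memcmp(filename, proto, proto_len)`, which compares proto_len bytes no matter how long filename is. Saying so in the message would help anyone backporting or auditing similar prefix checks. The replacement is only safe because `&&` short-circuits, so `*ptr` is read only after av_strstart() returned nonzero and set it; that ordering deserves a short comment, and a regression test using a filename shorter than `proto` would keep the check from being reordered or reverted unnoticed.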
Fixes: out array read
Fixes: 26610/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5631838049271808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/concatdec.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)