From patchwork Tue Nov 3 13:50:32 2020
X-Patchwork-Submitter: Zane van Iperen
X-Patchwork-Id: 23358
Date: Tue, 03 Nov 2020 13:50:32 +0000
To: ffmpeg-devel@ffmpeg.org
From: Zane van Iperen Message-ID: <20201103134956.21780-1-zane@zanevaniperen.com> MIME-Version: 1.0 X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF shortcircuit=no autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch Subject: [FFmpeg-devel] [PATCH] avformat/argo_brp: remove block_align check for audio X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Zane van Iperen Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Causes a divide-by-zero in the rare case where: - the file has an audio stream, - the first audio frame isn't within the first BRP_BASF_LOOKAHEAD frames, - an audio frame is encountered later, and - its chunk header (except num_blocks) contains all zeros (matching the uninitialised structure in the context) The decoder will discard any garbage data, so the check isn't really needed. Fixes: division by 0 Fixes: 26667/clusterfuzz-testcase-minimized-ffmpeg_dem_ARGO_BRP_fuzzer-5645146928185344.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Zane van Iperen --- libavformat/argo_brp.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/argo_brp.c b/libavformat/argo_brp.c index 766d4fd261..6d6da851e9 100644 --- a/libavformat/argo_brp.c +++ b/libavformat/argo_brp.c @@ -392,9 +392,6 @@ static int argo_brp_read_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR_INVALIDDATA; blk.size -= ASF_CHUNK_HEADER_SIZE; - - if (blk.size % st->codecpar->block_align != 0) - return AVERROR_INVALIDDATA; } if ((ret = av_get_packet(s->pb, pkt, blk.size)) < 0)
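Review bot: Removing the `blk.size % st->codecpar->block_align` test in argo_brp_read_packet() eliminates the division, but the state the commit message describes (an audio frame arriving after the BRP_BASF_LOOKAHEAD window, with the chunk header in the context still zeroed) remains reachable, and blk.size is now passed to av_get_packet() with no alignment constraint at all. If the alignment check still has value for well-formed files, guarding it with `st->codecpar->block_align > 0` would fix the crash without loosening validation. If the decoder really is meant to handle unaligned or garbage payloads, a short comment above the av_get_packet() call stating that would record the intent, and it would be worth confirming that the late audio frame is rejected or ignored somewhere rather than being passed on with uninitialised stream parameters.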