Message ID | 20201107231710.24816-4-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | b1d99ab14f2fd273e678dcb618dabfb38aab91b6 |
Headers | show |
Series | [FFmpeg-devel,1/5] avformat/tedcaptionsdec: Check for overflow in parse_int() | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
LGTM On Sun, Nov 8, 2020 at 12:18 AM Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: assertion failure > Fixes: > 26905/clusterfuzz-testcase-minimized-ffmpeg_dem_LVF_fuzzer-5724267599364096.fuzz > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by > <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>: > Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/lvfdec.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/libavformat/lvfdec.c b/libavformat/lvfdec.c > index 8b8d6f01b9..4c87728def 100644 > --- a/libavformat/lvfdec.c > +++ b/libavformat/lvfdec.c > @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, > AVPacket *pkt) > unsigned size, flags, timestamp, id; > int64_t pos; > int ret, is_video = 0; > + int stream_index; > > pos = avio_tell(s->pb); > while (!avio_feof(s->pb)) { > @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, > AVPacket *pkt) > case MKTAG('0', '1', 'w', 'b'): > if (size < 8) > return AVERROR_INVALIDDATA; > + stream_index = is_video ? 0 : 1; > + if (stream_index >= s->nb_streams) > + return AVERROR_INVALIDDATA; > timestamp = avio_rl32(s->pb); > flags = avio_rl32(s->pb); > ret = av_get_packet(s->pb, pkt, size - 8); > if (flags & (1 << 12)) > pkt->flags |= AV_PKT_FLAG_KEY; > - pkt->stream_index = is_video ? 0 : 1; > + pkt->stream_index = stream_index; > pkt->pts = timestamp; > pkt->pos = pos; > return ret; > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
On Sun, Nov 08, 2020 at 09:21:45PM +0100, Paul B Mahol wrote:
> LGTM
will apply
thx
[...]
diff --git a/libavformat/lvfdec.c b/libavformat/lvfdec.c index 8b8d6f01b9..4c87728def 100644 --- a/libavformat/lvfdec.c +++ b/libavformat/lvfdec.c @@ -106,6 +106,7 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) unsigned size, flags, timestamp, id; int64_t pos; int ret, is_video = 0; + int stream_index; pos = avio_tell(s->pb); while (!avio_feof(s->pb)) { @@ -121,12 +122,15 @@ static int lvf_read_packet(AVFormatContext *s, AVPacket *pkt) case MKTAG('0', '1', 'w', 'b'): if (size < 8) return AVERROR_INVALIDDATA; + stream_index = is_video ? 0 : 1; + if (stream_index >= s->nb_streams) + return AVERROR_INVALIDDATA; timestamp = avio_rl32(s->pb); flags = avio_rl32(s->pb); ret = av_get_packet(s->pb, pkt, size - 8); if (flags & (1 << 12)) pkt->flags |= AV_PKT_FLAG_KEY; - pkt->stream_index = is_video ? 0 : 1; + pkt->stream_index = stream_index; pkt->pts = timestamp; pkt->pos = pos; return ret;
Fixes: assertion failure Fixes: 26905/clusterfuzz-testcase-minimized-ffmpeg_dem_LVF_fuzzer-5724267599364096.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/lvfdec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)