[FFmpeg-devel,1/4] avformat/matroskadec: Check for EOF in resync loop

Fixes: Timeout (too long -> instantly)
Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/matroskadec.c | 2 ++
 1 file changed, 2 insertions(+)

Michael Niedermayer:
> Fixes: Timeout (too long -> instantly)
> Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/matroskadec.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> index 374831baa3..1f28108887 100644
> --- a/libavformat/matroskadec.c
> +++ b/libavformat/matroskadec.c
> @@ -2895,6 +2895,8 @@ static int matroska_read_header(AVFormatContext *s)
>              goto fail;
>          pos = avio_tell(matroska->ctx->pb);
>          res = ebml_parse(matroska, matroska_segment, matroska);
> +        if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF
> +            goto fail;
>      }
>      /* Set data_offset as it might be needed later by seek_frame_generic. */
>      if (matroska->current_id == MATROSKA_ID_CLUSTER)
> 

I see two types of files for which this check can be problematic: Those
with an unknown-length segment and truncated files: In both cases a
child element may extend beyond the actually existing data without this
being caught by the check for whether the element extends beyond its
parent (i.e. beyond the end of the segment). But I don't really see a
better way, so go ahead.

- Andreas

On Tue, Feb 02, 2021 at 06:10:39AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: Timeout (too long -> instantly)
> > Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/matroskadec.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> > index 374831baa3..1f28108887 100644
> > --- a/libavformat/matroskadec.c
> > +++ b/libavformat/matroskadec.c
> > @@ -2895,6 +2895,8 @@ static int matroska_read_header(AVFormatContext *s)
> >              goto fail;
> >          pos = avio_tell(matroska->ctx->pb);
> >          res = ebml_parse(matroska, matroska_segment, matroska);
> > +        if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF
> > +            goto fail;
> >      }
> >      /* Set data_offset as it might be needed later by seek_frame_generic. */
> >      if (matroska->current_id == MATROSKA_ID_CLUSTER)
> > 
> 
> I see two types of files for which this check can be problematic: Those
> with an unknown-length segment and truncated files: In both cases a
> child element may extend beyond the actually existing data without this
> being caught by the check for whether the element extends beyond its
> parent (i.e. beyond the end of the segment). 

> But I don't really see a
> better way, so go ahead.

ok, will apply

thx

[...]