Message ID | 20210130150021.2584-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 5282147d0c92ac821e85b93e2db6704f4720e0c1 |
Headers | show |
Series | [FFmpeg-devel,1/4] avformat/matroskadec: Check for EOF in resync loop | expand |
Context | Check | Description |
---|---|---|
andriy/x86_make | success | Make finished |
andriy/x86_make_fate | success | Make fate finished |
andriy/PPC64_make | success | Make finished |
andriy/PPC64_make_fate | success | Make fate finished |
Michael Niedermayer: > Fixes: Timeout (too long -> instantly) > Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/matroskadec.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c > index 374831baa3..1f28108887 100644 > --- a/libavformat/matroskadec.c > +++ b/libavformat/matroskadec.c > @@ -2895,6 +2895,8 @@ static int matroska_read_header(AVFormatContext *s) > goto fail; > pos = avio_tell(matroska->ctx->pb); > res = ebml_parse(matroska, matroska_segment, matroska); > + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF > + goto fail; > } > /* Set data_offset as it might be needed later by seek_frame_generic. */ > if (matroska->current_id == MATROSKA_ID_CLUSTER) > I see two types of files for which this check can be problematic: Those with an unknown-length segment and truncated files: In both cases a child element may extend beyond the actually existing data without this being caught by the check for whether the element extends beyond its parent (i.e. beyond the end of the segment). But I don't really see a better way, so go ahead. - Andreas
On Tue, Feb 02, 2021 at 06:10:39AM +0100, Andreas Rheinhardt wrote: > Michael Niedermayer: > > Fixes: Timeout (too long -> instantly) > > Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/matroskadec.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c > > index 374831baa3..1f28108887 100644 > > --- a/libavformat/matroskadec.c > > +++ b/libavformat/matroskadec.c > > @@ -2895,6 +2895,8 @@ static int matroska_read_header(AVFormatContext *s) > > goto fail; > > pos = avio_tell(matroska->ctx->pb); > > res = ebml_parse(matroska, matroska_segment, matroska); > > + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF > > + goto fail; > > } > > /* Set data_offset as it might be needed later by seek_frame_generic. */ > > if (matroska->current_id == MATROSKA_ID_CLUSTER) > > > > I see two types of files for which this check can be problematic: Those > with an unknown-length segment and truncated files: In both cases a > child element may extend beyond the actually existing data without this > being caught by the check for whether the element extends beyond its > parent (i.e. beyond the end of the segment). > But I don't really see a > better way, so go ahead. ok, will apply thx [...]
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 374831baa3..1f28108887 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2895,6 +2895,8 @@ static int matroska_read_header(AVFormatContext *s) goto fail; pos = avio_tell(matroska->ctx->pb); res = ebml_parse(matroska, matroska_segment, matroska); + if (res == AVERROR(EIO)) // EOF is translated to EIO, this exists the loop on EOF + goto fail; } /* Set data_offset as it might be needed later by seek_frame_generic. */ if (matroska->current_id == MATROSKA_ID_CLUSTER)
Fixes: Timeout (too long -> instantly) Fixes: 29136/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4586141227548672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+)