| Message ID | 20210413154539.16739-3-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
| Series | [FFmpeg-devel,1/5] avcodec/dpx: Check bits_per_color earlier | expand |
| Context | Check | Description |
|---|---|---|
| andriy/x86_make | success | Make finished |
| andriy/x86_make_fate | success | Make fate finished |
| andriy/PPC64_make | success | Make finished |
| andriy/PPC64_make_fate | success | Make fate finished |
On 4/13/2021 12:45 PM, Michael Niedermayer wrote: > Fixes: Timeout > Fixes: 32450/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-4875522262827008 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/aaxdec.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c > index c6d2d1c8d1..ff9768efac 100644 > --- a/libavformat/aaxdec.c > +++ b/libavformat/aaxdec.c > @@ -249,7 +249,10 @@ static int aax_read_header(AVFormatContext *s) > goto fail; > } > > - avio_seek(pb, data_offset, SEEK_SET); > + ret = avio_seek(pb, data_offset, SEEK_SET); There's another unchecked seek, and for both you should use an int64_t variable to store the return value, otherwise values > INT_MAX could be misinterpreted as errors. > + if (ret < 0) > + goto fail; > + > if (type == COLUMN_TYPE_VLDATA) { > int64_t start, size; > >
On Tue, Apr 13, 2021 at 01:09:52PM -0300, James Almer wrote: > On 4/13/2021 12:45 PM, Michael Niedermayer wrote: > > Fixes: Timeout > > Fixes: 32450/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-4875522262827008 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/aaxdec.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c > > index c6d2d1c8d1..ff9768efac 100644 > > --- a/libavformat/aaxdec.c > > +++ b/libavformat/aaxdec.c > > @@ -249,7 +249,10 @@ static int aax_read_header(AVFormatContext *s) > > goto fail; > > } > > - avio_seek(pb, data_offset, SEEK_SET); > > + ret = avio_seek(pb, data_offset, SEEK_SET); > > There's another unchecked seek, and for both you should use an int64_t > variable to store the return value, otherwise values > INT_MAX could be > misinterpreted as errors. There are 3 other unchecked seeks in the function, and 2 outside. do you want me to add checks to all ? we tend not to check avio_seek() unless its needed i chanegd the code locally to use 64bit Thanks [...]
diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c index c6d2d1c8d1..ff9768efac 100644 --- a/libavformat/aaxdec.c +++ b/libavformat/aaxdec.c @@ -249,7 +249,10 @@ static int aax_read_header(AVFormatContext *s) goto fail; } - avio_seek(pb, data_offset, SEEK_SET); + ret = avio_seek(pb, data_offset, SEEK_SET); + if (ret < 0) + goto fail; + if (type == COLUMN_TYPE_VLDATA) { int64_t start, size;
Fixes: Timeout Fixes: 32450/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-4875522262827008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/aaxdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)