From patchwork Sat Jun 19 20:37:40 2021
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 28584
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sat, 19 Jun 2021 22:37:40 +0200
Message-Id: <20210619203740.29982-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH] avformat/aaxdec: Check avio_seek() in header reading

Fixes: Timeout
Fixes: 32450/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-4875522262827008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavformat/aaxdec.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c index 0cbf933dfd..866b3ca1fd 100644 --- a/libavformat/aaxdec.c +++ b/libavformat/aaxdec.c @@ -117,6 +117,7 @@ static int aax_read_header(AVFormatContext *s) int64_t column_offset = 0; int ret, extradata_size; char *codec; + int64_t ret64; avio_skip(pb, 4); a->table_size = avio_rb32(pb) + 8LL; @@ -218,7 +219,10 @@ static int aax_read_header(AVFormatContext *s) } } - avio_seek(pb, a->strings_offset, SEEK_SET); + ret = ret64 = avio_seek(pb, a->strings_offset, SEEK_SET); + if (ret64 < 0) + goto fail; + ret = avio_read(pb, a->string_table, a->strings_size); if (ret != a->strings_size) { if (ret < 0) 
@@ -249,7 +253,10 @@ static int aax_read_header(AVFormatContext *s) goto fail; } - avio_seek(pb, data_offset, SEEK_SET); + ret = ret64 = avio_seek(pb, data_offset, SEEK_SET); + if (ret64 < 0) + goto fail; + if (type == COLUMN_TYPE_VLDATA) { int64_t start, size; @@ -281,8 +288,8 @@ static int aax_read_header(AVFormatContext *s) codec = a->string_table + a->name_offset; if (!strcmp(codec, "AAX")) { par->codec_id = AV_CODEC_ID_ADPCM_ADX; - avio_seek(pb, a->segments[0].start, SEEK_SET); - if (avio_rb16(pb) != 0x8000) { + ret64 = avio_seek(pb, a->segments[0].start, SEEK_SET); + if (ret64 < 0 || avio_rb16(pb) != 0x8000) { ret = AVERROR_INVALIDDATA; goto fail; }
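Review bot: In the `@@ -218,7 +219,10 @@` hunk, and identically in the `@@ -249,7 +253,10 @@` hunk for `data_offset`, the chained `ret = ret64 = avio_seek(...)` narrows the int64_t result into the int `ret` on every call, not only on failure. On success `ret` then holds a truncated file position; the strings_offset site overwrites it straight away with `avio_read()`, but nothing in the visible context of the data_offset site does the same. Assigning only on the error path keeps `ret` meaningful and makes the intent obvious: `ret64 = avio_seek(...); if (ret64 < 0) { ret = ret64; goto fail; }`.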
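Review bot: In the `@@ -281,8 +288,8 @@` hunk, `if (ret64 < 0 || avio_rb16(pb) != 0x8000)` reports a failed seek as AVERROR_INVALIDDATA and drops the error code held in `ret64`, which is inconsistent with the two earlier sites that propagate the seek error. Consider checking the seek on its own, setting `ret = ret64` before `goto fail`, and reserving AVERROR_INVALIDDATA for the 0x8000 signature mismatch. A short comment saying what the 0x8000 check validates would also help readers of this branch.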