[FFmpeg-devel] avformat/aaxdec: Ask for a sample and disable COLUMN_FLAG_DEFAULT

Message ID 20210710212617.28438-1-michael@niedermayer.cc
State New
Series [FFmpeg-devel] avformat/aaxdec: Ask for a sample and disable COLUMN_FLAG_DEFAULT

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Michael Niedermayer July 10, 2021, 9:26 p.m. UTC
The codepath repeatedly seeks back to the same byte and fills the table with this
Fixes: Timeout (reading billions of times the same byte)
Fixes: 35510/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5742289044504576

I have not found any samples in our archive or the fate samples which use this
codepath; also I found no specification. If anyone has either, please reply

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/aaxdec.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Michael Niedermayer Sept. 14, 2021, 9:01 p.m. UTC | #1
On Sat, Jul 10, 2021 at 11:26:17PM +0200, Michael Niedermayer wrote:
> The codepath repeatedly seeks back to the same byte and fills the table with this
> Fixes: Timeout (reading billions of times the same byte)
> Fixes: 35510/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5742289044504576
> 
> I have not found any samples in our archive or the fate samples which use this
> codepath; also I found no specification. If anyone has either, please reply
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/aaxdec.c | 4 ++++
>  1 file changed, 4 insertions(+)

will apply


[...]
Paul B Mahol Sept. 15, 2021, 7:02 a.m. UTC | #2
please do not apply
Michael Niedermayer Sept. 15, 2021, 12:38 p.m. UTC | #3
On Wed, Sep 15, 2021 at 09:02:13AM +0200, Paul B Mahol wrote:
> please do not apply

ok, what else should be done?

thx

[...]
Patch

diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
index 643bc5f9a5..1bf4b689c9 100644
--- a/libavformat/aaxdec.c
+++ b/libavformat/aaxdec.c
@@ -238,6 +238,10 @@  static int aax_read_header(AVFormatContext *s)
         for (uint64_t r = 0; r < a->nb_segments; r++) {
             if (flag & COLUMN_FLAG_DEFAULT) {
                 data_offset = a->schema_offset + col_offset;
+                if (a->nb_segments > 1) {
+                    avpriv_request_sample(s, "Column default");
+                    return AVERROR_PATCHWELCOME;
+                }
             } else if (flag & COLUMN_FLAG_ROW) {
                 data_offset = a->rows_offset + r * a->row_width + col_offset;
             } else
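Review bot: the new `a->nb_segments > 1` check is placed inside the `for (r = 0; r < a->nb_segments; r++)` loop and after `data_offset = a->schema_offset + col_offset;`, so on the rejecting path that assignment is dead and the condition is re-evaluated on every segment and column for the cases it does not reject. Hoisting the test above the loop, e.g. `if ((flag & COLUMN_FLAG_DEFAULT) && a->nb_segments > 1) { avpriv_request_sample(s, "Column default"); return AVERROR_PATCHWELCOME; }`, keeps the hot loop free of the check and makes the early exit obvious. The commit message also states the problem is the same byte being re-read for every segment; it would help to note in the message (or a comment at the check) why the multi-segment default case is refused outright rather than the default value being read once and reused, since `nb_segments == 1` still takes the default path and a reader cannot tell from the hunk whether that single-segment case was exercised.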