diff mbox series

[FFmpeg-devel,5/7] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()

Message ID 20211205211907.30010-5-michael@niedermayer.cc
State Accepted
Commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218
Headers show
Series [FFmpeg-devel,1/7] avformat/vivo: Do not use the general expression evaluator for parsing a floating point value
Related show

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished

Commit Message

Michael Niedermayer Dec. 5, 2021, 9:19 p.m. UTC
Fixes: memleak
Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Tomas Härdin Dec. 7, 2021, 11:41 p.m. UTC | #1
sön 2021-12-05 klockan 22:19 +0100 skrev Michael Niedermayer:
> Fixes: memleak
> Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> 6439060204290048
> 
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mxfdec.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index c231c944c01..1d501982793 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -1111,6 +1111,9 @@ static int
> mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
>  {
>      int i, length;
>  
> +    if (segment->temporal_offset_entries)
> +        return AVERROR_INVALIDDATA;
> +
>      segment->nb_index_entries = avio_rb32(pb);
>  
>      length = avio_rb32(pb);

Should be OK. Not sure if the spec allows multiple IndexEntryArrays per
index table, but this at least shouldn't break anything since it
wouldn't have been working correctly before either way.

/Tomas
Michael Niedermayer Dec. 9, 2021, 12:41 p.m. UTC | #2
On Wed, Dec 08, 2021 at 12:41:43AM +0100, Tomas Härdin wrote:
> sön 2021-12-05 klockan 22:19 +0100 skrev Michael Niedermayer:
> > Fixes: memleak
> > Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> > 6439060204290048
> > 
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mxfdec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > index c231c944c01..1d501982793 100644
> > --- a/libavformat/mxfdec.c
> > +++ b/libavformat/mxfdec.c
> > @@ -1111,6 +1111,9 @@ static int
> > mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
> >  {
> >      int i, length;
> >  
> > +    if (segment->temporal_offset_entries)
> > +        return AVERROR_INVALIDDATA;
> > +
> >      segment->nb_index_entries = avio_rb32(pb);
> >  
> >      length = avio_rb32(pb);
> 
> Should be OK. Not sure if the spec allows multiple IndexEntryArrays per
> index table, but this at least shouldn't break anything since it
> wouldn't have been working correctly before either way.

will apply

thx

[...]
diff mbox series

Patch

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index c231c944c01..1d501982793 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1111,6 +1111,9 @@  static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
 {
     int i, length;
 
+    if (segment->temporal_offset_entries)
+        return AVERROR_INVALIDDATA;
+
     segment->nb_index_entries = avio_rb32(pb);
 
     length = avio_rb32(pb);