[FFmpeg-devel,5/7] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()

Message ID 20211205211907.30010-5-michael@niedermayer.cc
State Accepted
Commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218
Series [FFmpeg-devel,1/7] avformat/vivo: Do not use the general expression evaluator for parsing a floating point value

Checks

Context               Check    Description
andriy/make_x86       success  Make finished
andriy/make_fate_x86  success  Make fate finished
andriy/make_ppc       success  Make finished
andriy/make_fate_ppc  success  Make fate finished

Commit Message

Michael Niedermayer Dec. 5, 2021, 9:19 p.m. UTC
Fixes: memleak
Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Tomas Härdin Dec. 7, 2021, 11:41 p.m. UTC | #1
On Sun 2021-12-05 at 22:19 +0100, Michael Niedermayer wrote:
> Fixes: memleak
> Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> 6439060204290048
> 
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mxfdec.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index c231c944c01..1d501982793 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -1111,6 +1111,9 @@ static int
> mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
>  {
>      int i, length;
>  
> +    if (segment->temporal_offset_entries)
> +        return AVERROR_INVALIDDATA;
> +
>      segment->nb_index_entries = avio_rb32(pb);
>  
>      length = avio_rb32(pb);
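
Review bot: The new guard at the top of mxf_read_index_entry_array() carries no comment saying why a non-NULL segment->temporal_offset_entries is treated as invalid data. A one-line comment tying it to the duplicate-call leak named in the commit message (a second IndexEntryArray arriving for a segment that already has one) would keep a later reader from taking it for a stray check or removing it.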

Should be OK. Not sure if the spec allows multiple IndexEntryArrays per
index table, but this at least shouldn't break anything since it
wouldn't have been working correctly before either way.

/Tomas

Michael Niedermayer Dec. 9, 2021, 12:41 p.m. UTC | #2
On Wed, Dec 08, 2021 at 12:41:43AM +0100, Tomas Härdin wrote:
> On Sun 2021-12-05 at 22:19 +0100, Michael Niedermayer wrote:
> > Fixes: memleak
> > Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> > 6439060204290048
> > 
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mxfdec.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > index c231c944c01..1d501982793 100644
> > --- a/libavformat/mxfdec.c
> > +++ b/libavformat/mxfdec.c
> > @@ -1111,6 +1111,9 @@ static int
> > mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
> >  {
> >      int i, length;
> >  
> > +    if (segment->temporal_offset_entries)
> > +        return AVERROR_INVALIDDATA;
> > +
> >      segment->nb_index_entries = avio_rb32(pb);
> >  
> >      length = avio_rb32(pb);
> 
> Should be OK. Not sure if the spec allows multiple IndexEntryArrays per
> index table, but this at least shouldn't break anything since it
> wouldn't have been working correctly before either way.

will apply

thx

[...]

Patch

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index c231c944c01..1d501982793 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1111,6 +1111,9 @@  static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
 {
     int i, length;
 
+    if (segment->temporal_offset_entries)
+        return AVERROR_INVALIDDATA;
+
     segment->nb_index_entries = avio_rb32(pb);
 
     length = avio_rb32(pb);
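
Review bot: The duplicate check keys on segment->temporal_offset_entries alone, so it only fires when the earlier call left that one pointer non-NULL. If the function fills other per-entry arrays as well (the hunk does not show the rest of the body), confirm that none of them can be set while temporal_offset_entries is still NULL, for example after a first array that was empty or whose allocation failed part-way; otherwise a second call could still replace them. Testing every array the function allocates in this condition would make the guard independent of allocation order.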