[FFmpeg-devel,6/6] avformat/mov: Check avif_info

Message ID	20230921180912.10733-6-michael@niedermayer.cc
State	New
Headers	show Delivered-To: ffmpegpatchwork2@gmail.com Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Thu, 21 Sep 2023 20:09:12 +0200 Message-Id: <20230921180912.10733-6-michael@niedermayer.cc> In-Reply-To: <20230921180912.10733-1-michael@niedermayer.cc> References: <20230921180912.10733-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel,1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size \| expand [FFmpeg-devel,1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size [FFmpeg-devel,2/6] avcodec/wavarc: Fix integer overflwo in do_stereo() [FFmpeg-devel,3/6] avcodec/wavarc: Allocate AV_INPUT_BUFFER_PADDING_SIZE [FFmpeg-devel,4/6] avcodec/wavarc: Check k in decode_5elp() [FFmpeg-devel,5/6] avcodec/jpegxl_parse: Cleanup on error in read_vlc_prefix() [FFmpeg-devel,6/6] avformat/mov: Check avif_info

Message ID

20230921180912.10733-6-michael@niedermayer.cc

State

New

Headers

Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Thu, 21 Sep 2023 20:09:12 +0200
Message-Id: <20230921180912.10733-6-michael@niedermayer.cc>
In-Reply-To: <20230921180912.10733-1-michael@niedermayer.cc>
References: <20230921180912.10733-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 6/6] avformat/mov: Check avif_info
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel,1/6] avcodec/osq: Check that pkt_offset does not exceed pkt size | expand

Context	Check	Description
andriy/make_x86	success	Make finished
andriy/make_fate_x86	success	Make fate finished

Context

Check

Description

andriy/make_x86

success

Make finished

andriy/make_fate_x86

success

Make fate finished

Commit Message

Michael Niedermayer Sept. 21, 2023, 6:09 p.m. UTC

Fixes: leak
Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6674082962997248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Anton Khirnov Sept. 28, 2023, 10:37 a.m. UTC | #1

Quoting Michael Niedermayer (2023-09-21 20:09:12)
> Fixes: leak
> Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6674082962997248
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mov.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 93c1f9e929a..52939a373ec 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -7767,7 +7767,7 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>          return 0;
>      }
>  
> -    if (c->fc->nb_streams) {
> +    if (c->fc->nb_streams || c->avif_info) {

I remember seeing this patch before and asking whether the first
condition is not redundant now.

Michael Niedermayer Sept. 29, 2023, 7:35 p.m. UTC | #2

On Thu, Sep 28, 2023 at 12:37:57PM +0200, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2023-09-21 20:09:12)
> > Fixes: leak
> > Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6674082962997248
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/mov.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 93c1f9e929a..52939a373ec 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -7767,7 +7767,7 @@ static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >          return 0;
> >      }
> >  
> > -    if (c->fc->nb_streams) {
> > +    if (c->fc->nb_streams || c->avif_info) {
> 
> I remember seeing this patch before and asking whether the first
> condition is not redundant now.

right, the author of the underlaying code also suggested its redundant,
so as suggested there ill apply it with just the 2nd check

thx

[...]

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 93c1f9e929a..52939a373ec 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -7767,7 +7767,7 @@  static int mov_read_iloc(MOVContext *c, AVIOContext *pb, MOVAtom atom)
         return 0;
     }
 
-    if (c->fc->nb_streams) {
+    if (c->fc->nb_streams || c->avif_info) {
         av_log(c->fc, AV_LOG_INFO, "Duplicate iloc box found\n");
         return 0;
     }

[FFmpeg-devel,6/6] avformat/mov: Check avif_info

Checks

Commit Message

Comments

Patch