Message ID | 20231018004935.18309-1-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/2] avformat/mxfdec: Check klv offset | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
ons 2023-10-18 klockan 02:49 +0200 skrev Michael Niedermayer: > Fixes: Assertion klv_offset >= mxf->run_in failed at > libavformat/mxfdec.c:736 > Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer- > 5778404366221312.fuzz > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/mxfdec.c | 13 ++++++++----- > 1 file changed, 8 insertions(+), 5 deletions(-) > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c > index 68939091e6..f2ec508b72 100644 > --- a/libavformat/mxfdec.c > +++ b/libavformat/mxfdec.c > @@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const > uint8_t *key, unsigned size) > return i == size; > } > > -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb) > +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, > AVIOContext *pb) > { > int64_t length, pos; > if (!mxf_read_sync(pb, mxf_klv_key, 4)) > return AVERROR_INVALIDDATA; > klv->offset = avio_tell(pb) - 4; > + if (klv->offset < mxf->run_in) One stray space in there which of course can be fixed when pushing Looks OK /Tomas
On Wed, Oct 18, 2023 at 08:29:16PM +0200, Tomas Härdin wrote: > ons 2023-10-18 klockan 02:49 +0200 skrev Michael Niedermayer: > > Fixes: Assertion klv_offset >= mxf->run_in failed at > > libavformat/mxfdec.c:736 > > Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer- > > 5778404366221312.fuzz > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavformat/mxfdec.c | 13 ++++++++----- > > 1 file changed, 8 insertions(+), 5 deletions(-) > > > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c > > index 68939091e6..f2ec508b72 100644 > > --- a/libavformat/mxfdec.c > > +++ b/libavformat/mxfdec.c > > @@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const > > uint8_t *key, unsigned size) > > return i == size; > > } > > > > -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb) > > +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, > > AVIOContext *pb) > > { > > int64_t length, pos; > > if (!mxf_read_sync(pb, mxf_klv_key, 4)) > > return AVERROR_INVALIDDATA; > > klv->offset = avio_tell(pb) - 4; > > + if (klv->offset < mxf->run_in) > > One stray space in there which of course can be fixed when pushing > > Looks OK will apply with this change thx [...]
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 68939091e6..f2ec508b72 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size) return i == size; } -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb) +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb) { int64_t length, pos; if (!mxf_read_sync(pb, mxf_klv_key, 4)) return AVERROR_INVALIDDATA; klv->offset = avio_tell(pb) - 4; + if (klv->offset < mxf->run_in) + return AVERROR_INVALIDDATA; + memcpy(klv->key, mxf_klv_key, 4); avio_read(pb, klv->key + 4, 12); length = klv_decode_ber_length(pb); @@ -3435,7 +3438,7 @@ static int mxf_seek_to_previous_partition(MXFContext *mxf) /* Make sure this is actually a PartitionPack, and if so parse it. * See deadlock2.mxf */ - if ((ret = klv_read_packet(&klv, pb)) < 0) { + if ((ret = klv_read_packet(mxf, &klv, pb)) < 0) { av_log(mxf->fc, AV_LOG_ERROR, "failed to read PartitionPack KLV\n"); return ret; } @@ -3712,7 +3715,7 @@ static void mxf_read_random_index_pack(AVFormatContext *s) if (length < min_rip_length || length > max_rip_length) goto end; avio_seek(s->pb, file_size - length, SEEK_SET); - if (klv_read_packet(&klv, s->pb) < 0 || + if (klv_read_packet(mxf, &klv, s->pb) < 0 || !IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key)) goto end; if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) { @@ -3759,7 +3762,7 @@ static int mxf_read_header(AVFormatContext *s) while (!avio_feof(s->pb)) { const MXFMetadataReadTableEntry *metadata; - ret = klv_read_packet(&klv, s->pb); + ret = klv_read_packet(mxf, &klv, s->pb); if (ret < 0 || IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key)) { if (ret >= 0 && avio_size(s->pb) > klv.next_klv) av_log(s, AV_LOG_WARNING, "data after the RandomIndexPack, assuming end of file\n"); @@ -4011,7 +4014,7 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) if (pos < mxf->current_klv_data.next_klv - mxf->current_klv_data.length || pos >= mxf->current_klv_data.next_klv) { mxf->current_klv_data = (KLVPacket){{0}}; - ret = klv_read_packet(&klv, s->pb); + ret = klv_read_packet(mxf, &klv, s->pb); if (ret < 0) break; max_data_size = klv.length;
Fixes: Assertion klv_offset >= mxf->run_in failed at libavformat/mxfdec.c:736 Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5778404366221312.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/mxfdec.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)