diff mbox series

[FFmpeg-devel] avformat/iamf_parse: add missing padding to AAC extradata

Message ID 20240618004901.4835-1-jamrial@gmail.com
State New
Headers show
Series [FFmpeg-devel] avformat/iamf_parse: add missing padding to AAC extradata | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

James Almer June 18, 2024, 12:49 a.m. UTC 
Fixes: out of array access
Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/iamf_parse.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer June 18, 2024, 9:42 p.m. UTC | #1 
On Mon, Jun 17, 2024 at 09:49:01PM -0300, James Almer wrote:
> Fixes: out of array access
> Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
>  libavformat/iamf_parse.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> index 312090b247..ff1b6cc75b 100644
> --- a/libavformat/iamf_parse.c
> +++ b/libavformat/iamf_parse.c
> @@ -92,13 +92,16 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config,
>      if (left <= 0)
>          return AVERROR_INVALIDDATA;
>  
> -    codec_config->extradata = av_malloc(left);
> +    // We pad extradata here because avpriv_mpeg4audio_get_config2() needs it.
> +    codec_config->extradata = av_malloc(left + AV_INPUT_BUFFER_PADDING_SIZE);

can this overflow ?

except that, it fixes the testcase

thx

[...]
diff mbox series

Patch

diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 312090b247..ff1b6cc75b 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -92,13 +92,16 @@  static int aac_decoder_config(IAMFCodecConfig *codec_config,
     if (left <= 0)
         return AVERROR_INVALIDDATA;
 
-    codec_config->extradata = av_malloc(left);
+    // We pad extradata here because avpriv_mpeg4audio_get_config2() needs it.
+    codec_config->extradata = av_malloc(left + AV_INPUT_BUFFER_PADDING_SIZE);
     if (!codec_config->extradata)
         return AVERROR(ENOMEM);
 
     codec_config->extradata_size = avio_read(pb, codec_config->extradata, left);
     if (codec_config->extradata_size < left)
         return AVERROR_INVALIDDATA;
+    memset(codec_config->extradata + codec_config->extradata_size, 0,
+           AV_INPUT_BUFFER_PADDING_SIZE);
 
     ret = avpriv_mpeg4audio_get_config2(&cfg, codec_config->extradata,
                                         codec_config->extradata_size, 1, logctx);