Message ID | 20240618004901.4835-1-jamrial@gmail.com |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel] avformat/iamf_parse: add missing padding to AAC extradata | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Mon, Jun 17, 2024 at 09:49:01PM -0300, James Almer wrote: > Fixes: out of array access > Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: James Almer <jamrial@gmail.com> > --- > libavformat/iamf_parse.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c > index 312090b247..ff1b6cc75b 100644 > --- a/libavformat/iamf_parse.c > +++ b/libavformat/iamf_parse.c > @@ -92,13 +92,16 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config, > if (left <= 0) > return AVERROR_INVALIDDATA; > > - codec_config->extradata = av_malloc(left); > + // We pad extradata here because avpriv_mpeg4audio_get_config2() needs it. > + codec_config->extradata = av_malloc(left + AV_INPUT_BUFFER_PADDING_SIZE); can this overflow ? except that, it fixes the testcase thx [...]
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c index 312090b247..ff1b6cc75b 100644 --- a/libavformat/iamf_parse.c +++ b/libavformat/iamf_parse.c @@ -92,13 +92,16 @@ static int aac_decoder_config(IAMFCodecConfig *codec_config, if (left <= 0) return AVERROR_INVALIDDATA; - codec_config->extradata = av_malloc(left); + // We pad extradata here because avpriv_mpeg4audio_get_config2() needs it. + codec_config->extradata = av_malloc(left + AV_INPUT_BUFFER_PADDING_SIZE); if (!codec_config->extradata) return AVERROR(ENOMEM); codec_config->extradata_size = avio_read(pb, codec_config->extradata, left); if (codec_config->extradata_size < left) return AVERROR_INVALIDDATA; + memset(codec_config->extradata + codec_config->extradata_size, 0, + AV_INPUT_BUFFER_PADDING_SIZE); ret = avpriv_mpeg4audio_get_config2(&cfg, codec_config->extradata, codec_config->extradata_size, 1, logctx);
Fixes: out of array access Fixes: 68863/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4833546039525376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer <jamrial@gmail.com> --- libavformat/iamf_parse.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)