diff mbox series

[FFmpeg-devel] avformat/mov: ensure required number of bytes is read

Message ID 20240807140920.1583-1-kasper93@gmail.com
State New
Headers show
Series [FFmpeg-devel] avformat/mov: ensure required number of bytes is read | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished

Commit Message

Kacper Michajlow Aug. 7, 2024, 2:09 p.m. UTC
Fixes: use-of-uninitialized-value

Found by OSS-Fuzz.
---
 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer Aug. 8, 2024, 4:05 p.m. UTC | #1
On Wed, Aug 07, 2024 at 04:09:20PM +0200, Kacper Michajłow wrote:
> Fixes: use-of-uninitialized-value
> 
> Found by OSS-Fuzz.
> ---
>  libavformat/mov.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

thx

[...]
James Almer Aug. 8, 2024, 4:09 p.m. UTC | #2
On 8/7/2024 11:09 AM, Kacper Michajłow wrote:
> Fixes: use-of-uninitialized-value
> 
> Found by OSS-Fuzz.
> ---
>   libavformat/mov.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index 1052691936..f2d8aee766 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -7096,7 +7096,7 @@ static int mov_read_free(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>       if (atom.size < 8)
>           return 0;
>   
> -    ret = avio_read(pb, content, FFMIN(sizeof(content), atom.size));
> +    ret = ffio_read_size(pb, content, FFMIN(sizeof(content), atom.size));
>       if (ret < 0)
>           return ret;

Unrelated (somewhat) to this patch, but why does ffio_read_size() 
replace EOF with INVALIDDATA? Is it a good idea to mask the former?
Michael Niedermayer Aug. 8, 2024, 4:12 p.m. UTC | #3
On Thu, Aug 08, 2024 at 01:09:01PM -0300, James Almer wrote:
> On 8/7/2024 11:09 AM, Kacper Michajłow wrote:
> > Fixes: use-of-uninitialized-value
> > 
> > Found by OSS-Fuzz.
> > ---
> >   libavformat/mov.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 1052691936..f2d8aee766 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -7096,7 +7096,7 @@ static int mov_read_free(MOVContext *c, AVIOContext *pb, MOVAtom atom)
> >       if (atom.size < 8)
> >           return 0;
> > -    ret = avio_read(pb, content, FFMIN(sizeof(content), atom.size));
> > +    ret = ffio_read_size(pb, content, FFMIN(sizeof(content), atom.size));
> >       if (ret < 0)
> >           return ret;
> 
> Unrelated (somewhat) to this patch, but why does ffio_read_size() replace
> EOF with INVALIDDATA? Is it a good idea to mask the former?

EOF might be interpreted as normal / no error end of file i guess

thx

[...]
Andreas Rheinhardt Aug. 8, 2024, 8:25 p.m. UTC | #4
James Almer:
> On 8/7/2024 11:09 AM, Kacper Michajłow wrote:
>> Fixes: use-of-uninitialized-value
>>
>> Found by OSS-Fuzz.
>> ---
>>   libavformat/mov.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>> index 1052691936..f2d8aee766 100644
>> --- a/libavformat/mov.c
>> +++ b/libavformat/mov.c
>> @@ -7096,7 +7096,7 @@ static int mov_read_free(MOVContext *c,
>> AVIOContext *pb, MOVAtom atom)
>>       if (atom.size < 8)
>>           return 0;
>>   -    ret = avio_read(pb, content, FFMIN(sizeof(content), atom.size));
>> +    ret = ffio_read_size(pb, content, FFMIN(sizeof(content),
>> atom.size));
>>       if (ret < 0)
>>           return ret;
> 
> Unrelated (somewhat) to this patch, but why does ffio_read_size()
> replace EOF with INVALIDDATA? Is it a good idea to mask the former?
> 

ffio_read_size() is supposed to be used in scenarios where a certain
number of bytes is supposed to be available (e.g. because some size
field says that there have to be that many bytes of payload there). If
we are at EOF when there is supposed to be data, the file is invalid.

- Andreas
diff mbox series

Patch

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 1052691936..f2d8aee766 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -7096,7 +7096,7 @@  static int mov_read_free(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     if (atom.size < 8)
         return 0;
 
-    ret = avio_read(pb, content, FFMIN(sizeof(content), atom.size));
+    ret = ffio_read_size(pb, content, FFMIN(sizeof(content), atom.size));
     if (ret < 0)
         return ret;