From patchwork Sat Dec 24 22:50:34 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 39748
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:bc95:b0:ad:ade2:bfd2 with SMTP id
 fx21csp1658693pzb;
        Sat, 24 Dec 2022 14:50:48 -0800 (PST)
X-Google-Smtp-Source: 
 AMrXdXuK0HAFtjLYP/JklVeNOFg7pQdah6Pry8LMDtgfoyukRWn7w/Nw4oa6r9w8XDQJ5pflPuZd
X-Received: by 2002:a05:6402:538f:b0:47c:4479:d60d with SMTP id
 ew15-20020a056402538f00b0047c4479d60dmr11971761edb.20.1671922248355;
        Sat, 24 Dec 2022 14:50:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671922248; cv=none;
        d=google.com; s=arc-20160816;
        b=qyxwhGEpjIvJC69ei5WSmD74Mp18koAWV3QksaBri4nszVMjAxH24q9dluT954mJ46
         xqM9LFB3G6qq1YRbl6Zs1NHoNBIH+9Gf3XaQwcfM+/urZp4u07euzg/KTJu0/u3XNocL
         xmD++cHk7ny1+iEVUMgyyK77YlZ+aol+qbDqPJbSNLNjHNw+BxsoRym6aWNBp/iYZiEb
         t/BGroQCXFYGfwo4xHI0iBeDMdVdZzp2AVmw37HsJ2sFW/0kD9VMySxjCe2g+t0b0Nfe
         Og+U53wJ/fftG+UifI+cypmfX8Isj2UB0xtgLkl0QpuhEAc3Mp8vrwTQHsp1MWwsKON1
         8JOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:message-id:date:to:from:delivered-to;
        bh=lsRCqM9VXaPb3iY2SptVC7o35iHvppHc633OP6rboEA=;
        b=fvGlQX064jvm0LWToJiBoSPeWToheWa8rWwh+9G0rMxCNp0LmXORzgDqqNY2/b8KZY
         p6OdgYFS8Rch5Bo4JRv15VoYeBdAXG058QvuVDPxlPf9tIqTWpw9dH5EZc17J2ew6KqU
         QFCT8Kxx0ICE+7tL8ChKTnrKhTTO8v6TI0FVWUFgWBJZm72mVs5th+zkxWlxt6DU+4wE
         X44+zX6bRvN21MkH8NK2pwfZQbeqN60AoemCUINYpCUcjSSAluW7dnKI4EJCKDV4wN1L
         QcVtTbQavVXQZAtCB54h8NeSCMhQ9xn+ZFdmdaz9/d1iVapKnnSNa4rvaDhdYqPR18P4
         P62g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 u26-20020a50a41a000000b00476ac0819ecsi6621329edb.426.2022.12.24.14.50.47;
        Sat, 24 Dec 2022 14:50:48 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 72AFD689B6B;
	Sun, 25 Dec 2022 00:50:43 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net
 [217.70.183.196])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id C6D246807D9
 for <ffmpeg-devel@ffmpeg.org>; Sun, 25 Dec 2022 00:50:36 +0200 (EET)
Received: (Authenticated sender: michael@niedermayer.cc)
 by mail.gandi.net (Postfix) with ESMTPSA id 8EE30E0003
 for <ffmpeg-devel@ffmpeg.org>; Sat, 24 Dec 2022 22:50:35 +0000 (UTC)
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sat, 24 Dec 2022 23:50:34 +0100
Message-Id: <20221224225034.449-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
Subject: [FFmpeg-devel] [PATCH] avformat/mxfdec: Check index_duration
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: EFRBQcJFCjCE

Fixes: OOM
Fixes: 50551/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6607795234930688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 0553728253..64ac6a44b8 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1943,6 +1943,10 @@ static int mxf_compute_ptses_fake_index(MXFContext *mxf, MXFIndexTable *index_ta
         }
 
         index_table->nb_ptses += s->index_duration;
+        // If index_duration is substantially larger than nb_index_entries then this algorithm which
+        // allocates index_duration elements is a bad idea. All files i tried have it equal
+        if (s->index_duration > 10LL * s->nb_index_entries)
+            return AVERROR_PATCHWELCOME;
     }
 
     /* paranoid check */