From patchwork Fri Sep 22 19:13:44 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 43874
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:38a7:b0:15d:8365:d4b8 with SMTP id
 n39csp1032369pzf;
        Fri, 22 Sep 2023 12:13:55 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IH+FXUbCcTlhhaZA6ifyxc2y5Lkk4KQnyeOzKj5sHiP2LS8+YS6PlRhc4sYS8GMexPdpInv
X-Received: by 2002:aa7:c943:0:b0:533:1832:f2b4 with SMTP id
 h3-20020aa7c943000000b005331832f2b4mr308615edt.13.1695410035665;
        Fri, 22 Sep 2023 12:13:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695410035; cv=none;
        d=google.com; s=arc-20160816;
        b=cy+UggJhtVasDue4bQBdlqrSy+c9+dfc4SdQffajhhwacudTfOf5bhNTeL+U2oLYXk
         PyevthfOgOVVdQqLezNe8fS2aJzv1w2AcGLMi1XkhzkasE1QzLnIvxNF8uhcfCd1NdQY
         QZGi9yqiuBgQqqXGwLJi+5roD52nDOj1Y/KLg9Edw8apZxbcN6BUYWFaBTu8YH2+JLul
         DAfuIv1aNYko6EeA79hKVlXlWMBcPmvN3q1wdVo7+Km9IDWbMC/TVzhQwEW/kOQksqn+
         lzTEWDCWb8lyrLsMCSkXfI4k1ZxWaNn0+Ma1TGLHKHwE2hmEZkQ+OjhkL6b4nTKB4btn
         BQww==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe
         :list-help:list-post:list-archive:list-unsubscribe:list-id
         :precedence:subject:mime-version:message-id:date:to:from
         :delivered-to;
        bh=ZA/Ig12WExjtrmzj/TMImt4sBgnPk15rcxfntbugJrQ=;
        fh=e5zN9xSzcxLA6bGo3lF+CqTbY/oLwzApV03EO/RBfgQ=;
        b=NoGj+4YyaPj0iKGnbSnYfMCc6EFtPBAxY+Wx+GI2uyh0QUuaey/+33Y2woic29QvLm
         aOcd+jmzdi1oIGFnCCsDRK2iocHw60xv3RnDoBj7b64g35vd10pQja4z9SkUjki/xPqU
         L7NKC2+BbWFu0RwPiaoGX7fgND28MMBPx31wIpwyGVaN5XDc0fS7Gv6tiLJ/9sq/r/LP
         ztfQLw/HB2sddbTvs4qyBicXzXkiOpwz6mXWfjb1U3kN+F7gY3f8VqnLhzC33s0pO6Tw
         st9zo17mOoYiCiuV/4wdIANSRglJ0PRjVHPteoNAvGt6uTlciYGABPLvmXyNjia3DA4K
         bfBg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 p24-20020aa7d318000000b0052e81d36920si3870458edq.451.2023.09.22.12.13.54;
        Fri, 22 Sep 2023 12:13:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id DEAAE68C9D5;
	Fri, 22 Sep 2023 22:13:51 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net
 [217.70.183.200])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id D495068C807
 for <ffmpeg-devel@ffmpeg.org>; Fri, 22 Sep 2023 22:13:45 +0300 (EEST)
Received: by mail.gandi.net (Postfix) with ESMTPSA id 3746C20008
 for <ffmpeg-devel@ffmpeg.org>; Fri, 22 Sep 2023 19:13:44 +0000 (UTC)
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri, 22 Sep 2023 21:13:44 +0200
Message-Id: <20230922191344.7018-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
X-GND-Sasl: michael@niedermayer.cc
Subject: [FFmpeg-devel] [PATCH v3] avformat/mxfdec: Remove this_partition
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: ydoENcrnw5aF

Suggested-by: Tomas Härdin <git@haerdin.se>
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5130394286817280

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mxfdec.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 4846c5d206a..1313f14fa03 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -102,7 +102,6 @@ typedef struct MXFPartition {
     uint64_t previous_partition;
     int index_sid;
     int body_sid;
-    int64_t this_partition;
     int64_t essence_offset;         ///< absolute offset of essence
     int64_t essence_length;
     int32_t kag_size;
@@ -727,10 +726,13 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
     UID op;
     uint64_t footer_partition;
     uint32_t nb_essence_containers;
+    uint64_t this_partition;
 
     if (mxf->partitions_count >= INT_MAX / 2)
         return AVERROR_INVALIDDATA;
 
+    av_assert0(klv_offset >= mxf->run_in);
+
     tmp_part = av_realloc_array(mxf->partitions, mxf->partitions_count + 1, sizeof(*mxf->partitions));
     if (!tmp_part)
         return AVERROR(ENOMEM);
@@ -773,7 +775,13 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
     partition->complete = uid[14] > 2;
     avio_skip(pb, 4);
     partition->kag_size = avio_rb32(pb);
-    partition->this_partition = avio_rb64(pb);
+    this_partition = avio_rb64(pb);
+    if (this_partition != klv_offset - mxf->run_in) {
+        av_log(mxf->fc, AV_LOG_WARNING,
+               "this_partition %"PRId64" mismatches %"PRId64"\n",
+               this_partition, klv_offset - mxf->run_in);
+    }
+    this_partition = klv_offset - mxf->run_in;
     partition->previous_partition = avio_rb64(pb);
     footer_partition = avio_rb64(pb);
     partition->header_byte_count = avio_rb64(pb);
@@ -793,8 +801,8 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
         av_dict_set(&s->metadata, "operational_pattern_ul", str, 0);
     }
 
-    if (partition->this_partition &&
-        partition->previous_partition == partition->this_partition) {
+    if (this_partition &&
+        partition->previous_partition == this_partition) {
         av_log(mxf->fc, AV_LOG_ERROR,
                "PreviousPartition equal to ThisPartition %"PRIx64"\n",
                partition->previous_partition);
@@ -802,11 +810,11 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
         if (!mxf->parsing_backward && mxf->last_forward_partition > 1) {
             MXFPartition *prev =
                 mxf->partitions + mxf->last_forward_partition - 2;
-            partition->previous_partition = prev->this_partition;
+            partition->previous_partition = prev->pack_ofs - mxf->run_in;
         }
         /* if no previous body partition are found point to the header
          * partition */
-        if (partition->previous_partition == partition->this_partition)
+        if (partition->previous_partition == this_partition)
             partition->previous_partition = 0;
         av_log(mxf->fc, AV_LOG_ERROR,
                "Overriding PreviousPartition with %"PRIx64"\n",
@@ -828,7 +836,7 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
             "PartitionPack: ThisPartition = 0x%"PRIX64
             ", PreviousPartition = 0x%"PRIX64", "
             "FooterPartition = 0x%"PRIX64", IndexSID = %i, BodySID = %i\n",
-            partition->this_partition,
+            this_partition,
             partition->previous_partition, footer_partition,
             partition->index_sid, partition->body_sid);
 
@@ -902,7 +910,7 @@ static uint64_t partition_score(MXFPartition *p)
         score = 3;
     else
         score = 1;
-    return (score << 60) | ((uint64_t)p->this_partition >> 4);
+    return (score << 60) | ((uint64_t)p->pack_ofs >> 4);
 }
 
 static int mxf_add_metadata_set(MXFContext *mxf, MXFMetadataSet **metadata_set)
@@ -3539,14 +3547,14 @@ static void mxf_compute_essence_containers(AVFormatContext *s)
 
             /* essence container spans to the next partition */
             if (x < mxf->partitions_count - 1)
-                p->essence_length = mxf->partitions[x+1].this_partition - p->essence_offset;
+                p->essence_length = mxf->partitions[x+1].pack_ofs - mxf->run_in - p->essence_offset;
 
             if (p->essence_length < 0) {
                 /* next ThisPartition < essence_offset */
                 p->essence_length = 0;
                 av_log(mxf->fc, AV_LOG_ERROR,
                        "partition %i: bad ThisPartition = %"PRIX64"\n",
-                       x+1, mxf->partitions[x+1].this_partition);
+                       x+1, mxf->partitions[x+1].pack_ofs - mxf->run_in);
             }
         }
     }