* [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases
2022-03-23 14:05 [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
@ 2022-03-23 14:05 ` Michael Niedermayer
2022-07-02 12:14 ` Michael Niedermayer
2022-06-16 23:47 ` [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
1 sibling, 1 reply; 4+ messages in thread
From: Michael Niedermayer @ 2022-03-23 14:05 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/aiffdec.c | 29 ++++++++++++-----------------
1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index 5236cc2807..2bdcd1362b 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -53,9 +53,9 @@ static enum AVCodecID aiff_codec_get_id(int bps)
}
/* returns the size of the found tag */
-static int get_tag(AVIOContext *pb, uint32_t * tag)
+static int64_t get_tag(AVIOContext *pb, uint32_t * tag)
{
- int size;
+ int64_t size;
if (avio_feof(pb))
return AVERROR(EIO);
@@ -63,16 +63,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
*tag = avio_rl32(pb);
size = avio_rb32(pb);
- if (size < 0)
- size = 0x7fffffff;
-
return size;
}
/* Metadata string read */
-static void get_meta(AVFormatContext *s, const char *key, int size)
+static void get_meta(AVFormatContext *s, const char *key, int64_t size)
{
- uint8_t *str = av_malloc(size+1U);
+ uint8_t *str = NULL;
+
+ if (size < SIZE_MAX)
+ str = av_malloc(size+1);
if (str) {
int res = avio_read(s->pb, str, size);
@@ -89,7 +89,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size)
}
/* Returns the number of sound data frames or negative on error */
-static int get_aiff_header(AVFormatContext *s, int size,
+static int get_aiff_header(AVFormatContext *s, int64_t size,
unsigned version)
{
AVIOContext *pb = s->pb;
@@ -101,9 +101,6 @@ static int get_aiff_header(AVFormatContext *s, int size,
unsigned int num_frames;
int channels;
- if (size == INT_MAX)
- return AVERROR_INVALIDDATA;
-
if (size & 1)
size++;
par->codec_type = AVMEDIA_TYPE_AUDIO;
@@ -215,7 +212,8 @@ static int aiff_probe(const AVProbeData *p)
/* aiff input */
static int aiff_read_header(AVFormatContext *s)
{
- int ret, size, filesize;
+ int ret;
+ int64_t filesize, size;
int64_t offset = 0, position;
uint32_t tag;
unsigned version = AIFF_C_VERSION1;
@@ -226,7 +224,7 @@ static int aiff_read_header(AVFormatContext *s)
/* check FORM header */
filesize = get_tag(pb, &tag);
- if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M'))
+ if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M'))
return AVERROR_INVALIDDATA;
/* AIFF data type */
@@ -253,10 +251,7 @@ static int aiff_read_header(AVFormatContext *s)
if (size < 0)
return size;
- if (size >= 0x7fffffff - 8)
- filesize = 0;
- else
- filesize -= size + 8;
+ filesize -= size + 8;
switch (tag) {
case MKTAG('C', 'O', 'M', 'M'): /* Common chunk */
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta()
2022-03-23 14:05 [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
2022-03-23 14:05 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases Michael Niedermayer
@ 2022-06-16 23:47 ` Michael Niedermayer
1 sibling, 0 replies; 4+ messages in thread
From: Michael Niedermayer @ 2022-06-16 23:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 865 bytes --]
On Wed, Mar 23, 2022 at 03:05:02PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/aiffdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Dictatorship: All citizens are under surveillance, all their steps and
actions recorded, for the politicians to enforce control.
Democracy: All politicians are under surveillance, all their steps and
actions recorded, for the citizens to enforce control.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 4+ messages in thread