* [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta()
@ 2022-03-23 14:05 Michael Niedermayer
2022-03-23 14:05 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases Michael Niedermayer
2022-06-16 23:47 ` [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
0 siblings, 2 replies; 4+ messages in thread
From: Michael Niedermayer @ 2022-03-23 14:05 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/aiffdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index 3634bb4960..5236cc2807 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -72,7 +72,7 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
/* Metadata string read */
static void get_meta(AVFormatContext *s, const char *key, int size)
{
- uint8_t *str = av_malloc(size+1);
+ uint8_t *str = av_malloc(size+1U);
if (str) {
int res = avio_read(s->pb, str, size);
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 4+ messages in thread
* [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases
2022-03-23 14:05 [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
@ 2022-03-23 14:05 ` Michael Niedermayer
2022-07-02 12:14 ` Michael Niedermayer
2022-06-16 23:47 ` [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
1 sibling, 1 reply; 4+ messages in thread
From: Michael Niedermayer @ 2022-03-23 14:05 UTC (permalink / raw)
To: FFmpeg development discussions and patches
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavformat/aiffdec.c | 29 ++++++++++++-----------------
1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index 5236cc2807..2bdcd1362b 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -53,9 +53,9 @@ static enum AVCodecID aiff_codec_get_id(int bps)
}
/* returns the size of the found tag */
-static int get_tag(AVIOContext *pb, uint32_t * tag)
+static int64_t get_tag(AVIOContext *pb, uint32_t * tag)
{
- int size;
+ int64_t size;
if (avio_feof(pb))
return AVERROR(EIO);
@@ -63,16 +63,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag)
*tag = avio_rl32(pb);
size = avio_rb32(pb);
- if (size < 0)
- size = 0x7fffffff;
-
return size;
}
/* Metadata string read */
-static void get_meta(AVFormatContext *s, const char *key, int size)
+static void get_meta(AVFormatContext *s, const char *key, int64_t size)
{
- uint8_t *str = av_malloc(size+1U);
+ uint8_t *str = NULL;
+
+ if (size < SIZE_MAX)
+ str = av_malloc(size+1);
if (str) {
int res = avio_read(s->pb, str, size);
@@ -89,7 +89,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size)
}
/* Returns the number of sound data frames or negative on error */
-static int get_aiff_header(AVFormatContext *s, int size,
+static int get_aiff_header(AVFormatContext *s, int64_t size,
unsigned version)
{
AVIOContext *pb = s->pb;
@@ -101,9 +101,6 @@ static int get_aiff_header(AVFormatContext *s, int size,
unsigned int num_frames;
int channels;
- if (size == INT_MAX)
- return AVERROR_INVALIDDATA;
-
if (size & 1)
size++;
par->codec_type = AVMEDIA_TYPE_AUDIO;
@@ -215,7 +212,8 @@ static int aiff_probe(const AVProbeData *p)
/* aiff input */
static int aiff_read_header(AVFormatContext *s)
{
- int ret, size, filesize;
+ int ret;
+ int64_t filesize, size;
int64_t offset = 0, position;
uint32_t tag;
unsigned version = AIFF_C_VERSION1;
@@ -226,7 +224,7 @@ static int aiff_read_header(AVFormatContext *s)
/* check FORM header */
filesize = get_tag(pb, &tag);
- if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M'))
+ if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M'))
return AVERROR_INVALIDDATA;
/* AIFF data type */
@@ -253,10 +251,7 @@ static int aiff_read_header(AVFormatContext *s)
if (size < 0)
return size;
- if (size >= 0x7fffffff - 8)
- filesize = 0;
- else
- filesize -= size + 8;
+ filesize -= size + 8;
switch (tag) {
case MKTAG('C', 'O', 'M', 'M'): /* Common chunk */
--
2.17.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta()
2022-03-23 14:05 [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
2022-03-23 14:05 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases Michael Niedermayer
@ 2022-06-16 23:47 ` Michael Niedermayer
1 sibling, 0 replies; 4+ messages in thread
From: Michael Niedermayer @ 2022-06-16 23:47 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 865 bytes --]
On Wed, Mar 23, 2022 at 03:05:02PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/aiffdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Dictatorship: All citizens are under surveillance, all their steps and
actions recorded, for the politicians to enforce control.
Democracy: All politicians are under surveillance, all their steps and
actions recorded, for the citizens to enforce control.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases
2022-03-23 14:05 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases Michael Niedermayer
@ 2022-07-02 12:14 ` Michael Niedermayer
0 siblings, 0 replies; 4+ messages in thread
From: Michael Niedermayer @ 2022-07-02 12:14 UTC (permalink / raw)
To: FFmpeg development discussions and patches
[-- Attachment #1.1: Type: text/plain, Size: 523 bytes --]
On Wed, Mar 23, 2022 at 03:05:03PM +0100, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> libavformat/aiffdec.c | 29 ++++++++++++-----------------
> 1 file changed, 12 insertions(+), 17 deletions(-)
will apply
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In fact, the RIAA has been known to suggest that students drop out
of college or go to community college in order to be able to afford
settlements. -- The RIAA
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-07-02 12:15 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-23 14:05 [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
2022-03-23 14:05 ` [FFmpeg-devel] [PATCH 2/2] avformat/aiffdec: cleanup size handling for extreem cases Michael Niedermayer
2022-07-02 12:14 ` Michael Niedermayer
2022-06-16 23:47 ` [FFmpeg-devel] [PATCH 1/2] avformat/aiffdec: avoid integer overflow in get_meta() Michael Niedermayer
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git