From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH 2/3] avformat/mpc8: Check and propagate more errors
Date: Mon, 11 Jul 2022 23:44:16 +0200
Message-ID: <20220711214417.12286-2-michael@niedermayer.cc> (raw)
In-Reply-To: <20220711214417.12286-1-michael@niedermayer.cc>

Fixes: Timeout
Fixes: 48846/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-5278532493770752
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mpc8.c | 40 +++++++++++++++++++++++++--------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 2822a08b55..95a1529c5d 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -135,37 +135,40 @@ static void mpc8_get_chunk_header(AVIOContext *pb, int *tag, int64_t *size)
     *size += pos;
 }
 
-static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
+static int mpc8_parse_seektable(AVFormatContext *s, int64_t off)
 {
     MPCContext *c = s->priv_data;
     int tag;
     int64_t size, pos, ppos[2];
     uint8_t *buf;
     int i, t, seekd, ret;
+    int64_t ret64;
     GetBitContext gb;
 
     if (s->nb_streams == 0) {
         av_log(s, AV_LOG_ERROR, "No stream added before parsing seek table\n");
-        return;
+        return AVERROR_INVALIDDATA;
     }
 
-    avio_seek(s->pb, off, SEEK_SET);
+    ret64 = avio_seek(s->pb, off, SEEK_SET);
+    if (ret64 < 0)
+        return AVERROR_INVALIDDATA;
     mpc8_get_chunk_header(s->pb, &tag, &size);
-    if(tag != TAG_SEEKTABLE){
+    if(tag != TAG_SEEKTABLE || avio_feof(s->pb)){
         av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
-        return;
+        return AVERROR_INVALIDDATA;
     }
     if (size > INT_MAX/10 || size<=0) {
         av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
-        return;
+        return AVERROR_INVALIDDATA;
     }
     if(!(buf = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE)))
-        return;
+        return AVERROR(ENOMEM);
     ret = avio_read(s->pb, buf, size);
     if (ret != size) {
         av_log(s, AV_LOG_ERROR, "seek table truncated\n");
         av_free(buf);
-        return;
+        return AVERROR_INVALIDDATA;
     }
     memset(buf+size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
 
@@ -174,14 +177,14 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
     if(size > UINT_MAX/4 || size > c->samples/1152){
         av_log(s, AV_LOG_ERROR, "Seek table is too big\n");
         av_free(buf);
-        return;
+        return AVERROR_INVALIDDATA;
     }
     seekd = get_bits(&gb, 4);
     for(i = 0; i < 2; i++){
         pos = gb_get_v(&gb);
         if (av_sat_add64(pos, c->header_pos) != pos + (uint64_t)c->header_pos) {
             av_free(buf);
-            return;
+            return AVERROR_INVALIDDATA;
         }
         pos += c->header_pos;
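Review bot: `if (ret64 < 0) return AVERROR_INVALIDDATA;` after the avio_seek() call replaces the error the I/O layer reports with a corrupt-data code, so an unseekable or failing input becomes indistinguishable from a malformed file for the caller; `return ret64;` keeps the original AVERROR value, and the truncated-read branch further down has the same effect when `ret` from avio_read() is negative (an I/O error rather than a short read). The function has gained a return contract but no documentation of it; a comment above the signature such as `/* Parse the seek table chunk at off. Returns 0 on success or a negative AVERROR code. */` would make the new convention explicit to the callers that now check it. The body of mpc8_parse_seektable continues past the end of this hunk.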
@@ -191,7 +194,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
     for(; i < size; i++){
         if (get_bits_left(&gb) < 13) {
             av_free(buf);
-            return;
+            return AVERROR_INVALIDDATA;
         }
         t = get_unary(&gb, 1, 33) << 12;
         t += get_bits(&gb, 12);
@@ -203,26 +206,31 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
         ppos[0] = pos;
     }
     av_free(buf);
+    return 0;
 }
 
-static void mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, int64_t size)
+static int mpc8_handle_chunk(AVFormatContext *s, int tag, int64_t chunk_pos, int64_t size)
 {
     AVIOContext *pb = s->pb;
     int64_t pos, off;
+    int ret;
 
     switch(tag){
     case TAG_SEEKTBLOFF:
         pos = avio_tell(pb);
         off = ffio_read_varlen(pb);
         if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos)
-            return;
+            return AVERROR_INVALIDDATA;
         pos += size;
-        mpc8_parse_seektable(s, chunk_pos + off);
+        ret = mpc8_parse_seektable(s, chunk_pos + off);
+        if (ret < 0)
+            return AVERROR_INVALIDDATA;
         avio_seek(pb, pos, SEEK_SET);
         break;
     default:
         avio_skip(pb, size);
     }
+    return 0;
 }
 
 static int mpc8_read_header(AVFormatContext *s)
@@ -249,7 +257,9 @@ static int mpc8_read_header(AVFormatContext *s)
         }
         if(tag == TAG_STREAMHDR)
             break;
-        mpc8_handle_chunk(s, tag, pos, size);
+        ret = mpc8_handle_chunk(s, tag, pos, size);
+        if (ret < 0)
+            return ret;
     }
     if(tag != TAG_STREAMHDR){
         av_log(s, AV_LOG_ERROR, "Stream header not found\n");
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
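Review bot: `if (ret < 0) return AVERROR_INVALIDDATA;` after the mpc8_parse_seektable() call in mpc8_handle_chunk discards the callee's code, so the AVERROR(ENOMEM) that function now returns on allocation failure reaches mpc8_read_header as a corrupt-file error; `return ret;` would propagate it as the subject line intends, and the mpc8_read_header hunk below already does exactly that for mpc8_handle_chunk itself. The `avio_seek(pb, pos, SEEK_SET)` on the following line and the `avio_skip(pb, size)` in the default branch remain unchecked, so a failed repositioning after the seek table is still reported as success by the new `return 0;`; storing those results in an int64_t and returning them when negative would close that gap. Whether `ret` is declared in mpc8_read_header above the last hunk cannot be seen from here.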