Date: Thu, 21 Mar 2024 04:51:13 +0100
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Subject: Re: [FFmpeg-devel] [PATCH 2/4] avformat/iamf_reader: return REDO on failure to read
Message-ID: <20240321035113.GY6420@pb2>
In-Reply-To: <8baceec2-1dcf-44ee-b507-3ebdec21225a@gmail.com>
References: <20240321011517.10363-1-michael@niedermayer.cc> <20240321011517.10363-2-michael@niedermayer.cc> <8baceec2-1dcf-44ee-b507-3ebdec21225a@gmail.com>

On Wed, Mar 20, 2024 at 11:22:11PM -0300, James Almer wrote:
> On 3/20/2024 10:15 PM, Michael Niedermayer wrote:
> > Fixes: null pointer dereference
> > Fixes: 67007/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6522819204677632
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavformat/iamf_reader.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
> > index 42d20f1ae6..a06aa98cdb 100644
> > --- a/libavformat/iamf_reader.c
> > +++ b/libavformat/iamf_reader.c
> > @@ -26,6 +26,7 @@
> >  #include "libavcodec/packet.h"
> >  #include "avformat.h"
> >  #include "avio_internal.h"
> > +#include "demux.h"
> >  #include "iamf.h"
> >  #include "iamf_parse.h"
> >  #include "iamf_reader.h"
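Review bot: the new `#include "demux.h"` is here only to make FFERROR_REDO visible for the `return FFERROR_REDO;` in the next hunk; if that return is replaced by propagating the avio_skip error at the failure site instead, drop this include in the same change so iamf_reader.c does not keep an unused dependency on the demuxer-internal header.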
> > @@ -322,7 +323,7 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c,
> >              break;
> >      }
> >
> > -    return read;
> > +    return FFERROR_REDO;
>
> Where is the null pointer dereference happening? I don't particularly like
> this approach because ff_iamf_read_packet() is also called by the mov
> demuxer.

==8458==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000703a8b bp 0x7ffc691161f0 sp 0x7ffc69116000 T0)
==8458==The signal is caused by a READ memory access.
==8458==Hint: address points to the zero page.
    #0 0x703a8a in ff_read_packet ffmpeg/libavformat/demux.c:671:15
    #1 0x7074cc in read_frame_internal ffmpeg/libavformat/demux.c:1346:15
    #2 0x704a07 in av_read_frame ffmpeg/libavformat/demux.c:1550:17
    #3 0x4c844f in LLVMFuzzerTestOneInput ffmpeg/tools/target_dem_fuzzer.c:211:15

SCARINESS: 10 (null-deref)
    #0 0x60b7cc in ff_read_packet /src/ffmpeg/libavformat/demux.c:683:15
    #1 0x60cbcb in read_frame_internal /src/ffmpeg/libavformat/demux.c:1358:15
    #2 0x60c59b in av_read_frame /src/ffmpeg/libavformat/demux.c:1569:17
    #3 0x57808a in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dem_fuzzer.c:211:15
    #4 0x449183 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #5 0x4348e2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #6 0x43a18c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #7 0x4636c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #8 0x7854642cc082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #9 0x42aaad in _start

Either way the iamf demuxer returns no packet but the caller believes it returns a packet.
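Review bot: `return FFERROR_REDO;` at the end of the function changes the result for every path that leaves the loop, not only the avio_skip failure behind the fuzzer case, and it also discards the real AVERROR code: the `ret = offset;` assigned before the `break` never reaches the caller, which is why ff_read_packet sees a success return with no packet. Propagating the error where it occurs, `return offset;` in place of `ret = offset; break;`, keeps the normal success path intact and does not depend on FFERROR_REDO being handled by every caller, including the mov demuxer James mentions.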
When that gets used, things crash.

>
> > }
> >
> > void ff_iamf_read_deinit(IAMFDemuxContext *c)
>
> Does the following also help?
>
> > diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
> > index 42d20f1ae6..4e79691a03 100644
> > --- a/libavformat/iamf_reader.c
> > +++ b/libavformat/iamf_reader.c
> > @@ -311,8 +311,7 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c,
> >          } else {
> >              int64_t offset = avio_skip(pb, obu_size);
> >              if (offset < 0) {
> > -                ret = offset;
> > -                break;
> > +                return offset;
> >              }
> >          }
> >          max_size -= len;

yes, this seems to fix it too and is better
thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Any man who breaks a law that conscience tells him is unjust and willingly
accepts the penalty by staying in jail in order to arouse the conscience of
the community on the injustice of the law is at that moment expressing the
very highest respect for law. - Martin Luther King Jr
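Review bot: `return offset;` inside the `if (offset < 0)` block is the right fix: the removed `ret = offset; break;` left the loop and fell through to `return read;`, so the caller got a success return with no packet, which is the null dereference in ff_read_packet shown in the ASan trace above. The int64_t `offset` narrows to the int return type, but a negative AVERROR value survives that, so no cast is needed. With this variant the FFERROR_REDO return and the added `#include "demux.h"` from the first patch are no longer needed, and the 67007 fuzzer testcase is worth keeping as a regression input.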