Date: Tue, 2 Apr 2024 01:49:59 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Message-ID: <20240401234959.GN6420@pb2>
References: <20240401205607.9093-1-michael@niedermayer.cc> <20240401205607.9093-2-michael@niedermayer.cc> <2d71814b-0e2a-4131-836a-c054c2b71fd7@gmail.com>
In-Reply-To: <2d71814b-0e2a-4131-836a-c054c2b71fd7@gmail.com>
Subject: Re: [FFmpeg-devel] [PATCH 2/6] avformat/mov: Check that tile_item_list is initialized in read_image_iovl()

On Mon, Apr 01, 2024 at 06:54:35PM -0300, James Almer wrote:
> On 4/1/2024 5:56 PM, Michael Niedermayer wrote:
> > Fixes: null pointer dereference
> > Fixes: 67494/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6528714521247744
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> >  libavformat/mov.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/libavformat/mov.c b/libavformat/mov.c
> > index 7bdeeb99f98..fa4c237c0d8 100644
> > --- a/libavformat/mov.c
> > +++ b/libavformat/mov.c
> > @@ -9364,6 +9364,10 @@ static int read_image_iovl(AVFormatContext *s, c= onst HEIFGrid *grid, > > } > > for (int i =3D 0; i < tile_grid->nb_tiles; i++) { > > + if (!grid->tile_item_list[i]) { > > + ret =3D AVERROR_INVALIDDATA; > > + goto fail; > > + } >=20 > This should not happen. We shouldn't get this far if the array was not > filled. >=20 > Can you please test the following? >=20 > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > index 7bdeeb99f9..fb0113b149 100644 > > --- a/libavformat/mov.c > > +++ b/libavformat/mov.c > > @@ -9397,8 +9397,9 @@ static int mov_parse_tiles(AVFormatContext *s) > >=20 > > for (int j =3D 0; j < grid->nb_tiles; j++) { > > int tile_id =3D grid->tile_id_list[j]; > > + int k; > >=20 > > - for (int k =3D 0; k < mov->nb_heif_item; k++) { > > + for (k =3D 0; k < mov->nb_heif_item; k++) { > > HEIFItem *item =3D &mov->heif_item[k]; > > AVStream *st =3D item->st; > >=20 
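Review bot: the new guard in read_image_iovl() indexes grid->tile_item_list[i] while the loop bound is tile_grid->nb_tiles, two different objects; it only stays in bounds if tile_grid->nb_tiles has already been checked to equal grid->nb_tiles, the count mov_parse_tiles() fills tile_item_list to (its loop is `for (int j = 0; j < grid->nb_tiles; j++)`), so please confirm that equality is established earlier in the function, otherwise the NULL check can read past the array before it ever sees a NULL. Beyond that, a NULL entry at this point is the residue of a lookup miss in mov_parse_tiles(), so rejecting the grid there, where the unresolved tile id is still known and can be logged, is the better fix; `ret = AVERROR_INVALIDDATA; goto fail;` here fails the file silently with nothing in the log to explain why.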
> > @@ -9424,6 +9425,13 @@ static int mov_parse_tiles(AVFormatContext *s) > > break; > > } > >=20 > > + if (k =3D=3D grid->nb_tiles) { > > + av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced = by grid id %d doesn't " > > + "exist\n", > > + tile_id, grid->item->item_id); > > + ff_remove_stream_group(s, stg); > > + loop =3D 0; > > + } > > if (!loop) > > break; > > }

I confirm the code fixes the issue, please apply (if it passes fate) and backport (if needed)

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Many things microsoft did are stupid, but not doing something just because
microsoft did it is even more stupid. If everything ms did were stupid they
would be bankrupt already.
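Review bot: the sentinel in the not-found check in the second hunk of the proposed mov_parse_tiles() change is wrong: the lookup loop is `for (k = 0; k < mov->nb_heif_item; k++)`, so it falls through with k == mov->nb_heif_item, but the new block tests `if (k == grid->nb_tiles)`. The two counts are unrelated, so a grid referencing a nonexistent item id is only caught when nb_heif_item happens to equal nb_tiles (otherwise the NULL entry the original patch stumbled over survives), and an item found at index nb_tiles is wrongly reported as missing and its stream group removed. Compare k against mov->nb_heif_item instead. A fate sample with a grid that references an item id not present in the file would pin the behaviour down and keep the warning path covered.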