From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTPS id C00E24C511
	for <ffmpegdev@gitmailbox.com>; Fri,  7 Feb 2025 11:23:34 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D86BB68BD0A;
	Fri,  7 Feb 2025 13:23:23 +0200 (EET)
Received: from relay8-d.mail.gandi.net (relay8-d.mail.gandi.net
 [217.70.183.201])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 1C0D368B510
 for <ffmpeg-devel@ffmpeg.org>; Fri,  7 Feb 2025 13:23:16 +0200 (EET)
Received: by mail.gandi.net (Postfix) with ESMTPSA id 62EBF43433
 for <ffmpeg-devel@ffmpeg.org>; Fri,  7 Feb 2025 11:23:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=niedermayer.cc;
 s=gm1; t=1738927395;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=eaFc129TfxjOM/lv2MzewS8ctlHSGvRPbHj8FaAwAJo=;
 b=Svr+UzWEZ13GVr/sdd07AjG0EFpum8pfVc8WRhUGlk2EqsfQVCe4hDkv3h49dPHr+r7ha0
 vVwitLu3jGNyR5vJrqNxYV7esErWU0ukY96Fe1AC+UJOpNcH/MXgjj+dXuvPRRJcd5mC7G
 VSjJlLbAZKS9EsICWkQFEvu1ffX3MraMoH266Huq5zw5XKXi2ioqRkq/x5JXeGf5KOroHc
 gKbkVdbIg0w69SD8bg3bI3LopBFgpHXlXr6QpA4ueBaVlL6aCUL+VoVlw3dLnvnIouPSXk
 Syt5wulosGN1tmZVSK0CpnMdXO75k8H/dUmL5mezzZaM6+0dAlAOWGgKsmVE+w==
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Fri,  7 Feb 2025 12:23:13 +0100
Message-ID: <20250207112313.1762763-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.48.1
In-Reply-To: <20250207112313.1762763-1-michael@niedermayer.cc>
References: <20250207112313.1762763-1-michael@niedermayer.cc>
MIME-Version: 1.0
X-GND-State: clean
X-GND-Score: -85
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvleduhecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfitefpfffkpdcuggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedtudenucesvcftvggtihhpihgvnhhtshculddquddttddmnegfrhhlucfvnfffucdludehmdenucfjughrpefhvffufffkofgjfhgggfestdekredtredttdenucfhrhhomhepofhitghhrggvlhcupfhivgguvghrmhgrhigvrhcuoehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgeqnecuggftrfgrthhtvghrnhepgeejhfetgefhgfeludegvdduvdffgeefvddtheetlefhueeitdevffevfeehhefgnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucfkphepgedurdeiiedrieejrdduudefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepgedurdeiiedrieejrdduudefpdhhvghloheplhhotggrlhhhohhsthdpmhgrihhlfhhrohhmpehmihgthhgrvghlsehnihgvuggvrhhmrgihvghrrdgttgdpnhgspghrtghpthhtohepuddprhgtphhtthhopehffhhmphgvghdquggvvhgvlhesfhhfmhhpvghgrdhorhhg
X-GND-Sasl: michael@niedermayer.cc
Subject: [FFmpeg-devel] [PATCH 2/2] avformat/mlvdec: fix size checks
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250207112313.1762763-2-michael@niedermayer.cc/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Fixes: heap-buffer-overflow
Fixes: 391962476/clusterfuzz-testcase-minimized-ffmpeg_dem_MLV_fuzzer-5746746587676672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mlvdec.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 6f4fa80f32b..44f5c207559 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -471,6 +471,9 @@ static int get_packet_lj92(AVFormatContext *avctx, AVStream *st, AVIOContext *pb
     uint8_t *stripofs, *matrixofs;
 
 #define MAX_HEADER_SIZE 2048
+    if ((uint64_t)size > INT32_MAX - MAX_HEADER_SIZE)
+        return AVERROR_PATCHWELCOME;
+
     if ((ret = av_new_packet(pkt, size + MAX_HEADER_SIZE)) < 0)
         return ret;
 
@@ -562,10 +565,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt)
     avio_skip(pb, 12); //timestamp, frameNumber
     size -= 12;
     if (st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) {
+        if (size < 8)
+            return AVERROR_INVALIDDATA;
         avio_skip(pb, 8); // cropPosX, cropPosY, panPosX, panPosY
         size -= 8;
     }
     space = avio_rl32(pb);
+    if (size < space + 4LL)
+        return AVERROR_INVALIDDATA;
     avio_skip(pb, space);
     size -= space;
 
@@ -577,9 +584,7 @@ static int read_packet(AVFormatContext *avctx, AVPacket *pkt)
         else
             ret = av_get_packet(pb, pkt, (st->codecpar->width * st->codecpar->height * st->codecpar->bits_per_coded_sample + 7) >> 3);
     } else { // AVMEDIA_TYPE_AUDIO
-        if (space > UINT_MAX - 24 || size < (24 + space))
-            return AVERROR_INVALIDDATA;
-        ret = av_get_packet(pb, pkt, size - (24 + space));
+        ret = av_get_packet(pb, pkt, size - 4);
     }
 
     if (ret < 0)
-- 
2.48.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".