From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sat, 12 Apr 2025 00:27:19 +0200
Message-ID: <20250411222719.2779176-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.49.0
In-Reply-To: <20250411222719.2779176-1-michael@niedermayer.cc>
References: <20250411222719.2779176-1-michael@niedermayer.cc>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 2/2] avformat/id3v2: Check that decode_str() did advance
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20250411222719.2779176-2-michael@niedermayer.cc/>

Fixes infinite loop with unknown encodings

We could alternatively error out from decode_str() or consume all of taglen;
this would affect other callers, though.

Fixes: 409819224/clusterfuzz-testcase-minimized-ffmpeg_dem_H261_fuzzer-6003527535362048
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/id3v2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 90314583a74..e3f7f9e2a90 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -341,10 +341,13 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen,
     taglen--; /* account for encoding type byte */
 
     while (taglen > 1) {
+        int current_taglen = taglen;
         if (decode_str(s, pb, encoding, &dst, &taglen) < 0) {
             av_log(s, AV_LOG_ERROR, "Error reading frame %s, skipped\n", key);
             return;
         }
+        if (current_taglen == taglen)
+            return;
 
         count++;
 
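Review bot: the new `if (current_taglen == taglen) return;` guard exits silently, whereas the adjacent failure path a few lines above logs "Error reading frame %s, skipped"; consider emitting a log line here as well (or at least a one-line comment on the check) so that a frame abandoned because decode_str() made no progress, which per the commit message is the unknown-encoding case, shows up in diagnostics and the guard is not mistaken for dead code and removed later. It would also help to state in the commit message whether decode_str() can legitimately return success without consuming any bytes, since this return now applies to every such case, not only to unknown encodings; if it cannot, the guard could be strengthened into the error path (log and return) rather than a bare return.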
-- 
2.49.0
