From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 483EA49B04
	for <ffmpegdev@gitmailbox.com>; Tue,  2 Apr 2024 12:07:21 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 76F3B68CEE7;
	Tue,  2 Apr 2024 15:07:19 +0300 (EEST)
Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com
 [209.85.210.179])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 886B168C37D
 for <ffmpeg-devel@ffmpeg.org>; Tue,  2 Apr 2024 15:07:12 +0300 (EEST)
Received: by mail-pf1-f179.google.com with SMTP id
 d2e1a72fcca58-6ea9a605ca7so3562613b3a.0
 for <ffmpeg-devel@ffmpeg.org>; Tue, 02 Apr 2024 05:07:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1712059630; x=1712664430; darn=ffmpeg.org;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id:from
 :to:cc:subject:date:message-id:reply-to;
 bh=AGI9IZPODkRkH5rGkcWNMDFbfm1l2Lneba0hHvSyM/8=;
 b=a62WYhMb24ETBZdYGBcPWvCOImIwfGPogzNqw5slJ58qPalORf67U5VAe1F6ccHERI
 yZqKoFHD1/US7KOwZy93Bk6MEE8P3Uob5b+DmmFTeEi22dz8oKf8lUXI0M7bSBQ1DwCU
 xZJKgOPTHQa4V7EVAwBC3P7kS0Z/Kz1g49eHcByMKuDXMjLU4mR4ozLSjK9LbpQxTkiq
 F4wkLxN2wXFeG78Sz3aYw9eRu0Mr/7qNE5MR+tqt9kDzUhhv2YUjuGOkUzfKfW7Vyf+1
 jQRFjmHO5M19/eo/i4Kyz0gX43ArmR24eB5pidwmo+OU5etpGwrk4fk3hQMviQtfRTmy
 fGEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1712059630; x=1712664430;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=AGI9IZPODkRkH5rGkcWNMDFbfm1l2Lneba0hHvSyM/8=;
 b=tsiRVd2tDXrZO5PGB/GCRMeX2kvpWH6fwORFbN2zQR8fgt04LBiosd6ezNZcpGB9Zr
 oa0KOUU3sDZkHDHtieC3b9+mk9eMV04tAuGGHYhVbY9ja9AVomqYX15+R4SVRw224efE
 hB0oJD16DjwF28eZGJTsyOwtHc/C+uJ+3cFVr8feA34zxABJvSa8XNfr4N/LFlFqeCH/
 Ppk2h97IMoZ86C5mJCDufZ4sCUsIPm4vmu/26p7QsFeZAya33Qwz8aM5PPEsSHHVUYSC
 DdENlE0gbxLScRfzoWdEGfykajWwT3vdQsvZZdnNsvunW9KSit4q1wlrpAWo8cvh2UTQ
 Thgg==
X-Gm-Message-State: AOJu0YynAp3c/O9TS3vXmBjdwND2tzCZBLKgfQBbvwsS2fwZmAShU7RU
 mZCzEd0+kbqlWfK+7N+B5QWmcT2zaNjC8PV58YONKdd5ruJfZ9QmSt1rIiYs
X-Google-Smtp-Source: AGHT+IFNpU85tOlGXde23OMKaaNLTdZ/JzYRq9sgZgS6R/CL5+Oy+tSS9DWTm3XJOP8Dd0yTPbV89A==
X-Received: by 2002:a05:6a00:2395:b0:6ea:b606:6550 with SMTP id
 f21-20020a056a00239500b006eab6066550mr21728657pfc.4.1712059629907; 
 Tue, 02 Apr 2024 05:07:09 -0700 (PDT)
Received: from [192.168.0.15] ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 h6-20020a056a00230600b006e580678dfbsm9614067pfh.193.2024.04.02.05.07.08
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 02 Apr 2024 05:07:09 -0700 (PDT)
Message-ID: <368ae7ad-ca74-4fca-99c1-440760117a90@gmail.com>
Date: Tue, 2 Apr 2024 09:07:23 -0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: ffmpeg-devel@ffmpeg.org
References: <20240401205607.9093-1-michael@niedermayer.cc>
 <20240401205607.9093-2-michael@niedermayer.cc>
 <2d71814b-0e2a-4131-836a-c054c2b71fd7@gmail.com> <20240401234959.GN6420@pb2>
Content-Language: en-US
From: James Almer <jamrial@gmail.com>
In-Reply-To: <20240401234959.GN6420@pb2>
Subject: Re: [FFmpeg-devel] [PATCH 2/6] avformat/mov: Check that
 tile_item_list is initialized in read_image_iovl()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/368ae7ad-ca74-4fca-99c1-440760117a90@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

On 4/1/2024 8:49 PM, Michael Niedermayer wrote:
> On Mon, Apr 01, 2024 at 06:54:35PM -0300, James Almer wrote:
>> On 4/1/2024 5:56 PM, Michael Niedermayer wrote:
>>> Fixes: null pointer dereference
>>> Fixes: 67494/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6528714521247744
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>    libavformat/mov.c | 4 ++++
>>>    1 file changed, 4 insertions(+)
>>>
>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>> index 7bdeeb99f98..fa4c237c0d8 100644
>>> --- a/libavformat/mov.c
>>> +++ b/libavformat/mov.c
>>> @@ -9364,6 +9364,10 @@ static int read_image_iovl(AVFormatContext *s, const HEIFGrid *grid,
>>>        }
>>>        for (int i = 0; i < tile_grid->nb_tiles; i++) {
>>> +        if (!grid->tile_item_list[i]) {
>>> +            ret = AVERROR_INVALIDDATA;
>>> +            goto fail;
>>> +        }
>>
>> This should not happen. We shouldn't get this far if the array was not
>> filled.
>>
>> Can you please test the following?
>>
>>> diff --git a/libavformat/mov.c b/libavformat/mov.c
>>> index 7bdeeb99f9..fb0113b149 100644
>>> --- a/libavformat/mov.c
>>> +++ b/libavformat/mov.c
>>> @@ -9397,8 +9397,9 @@ static int mov_parse_tiles(AVFormatContext *s)
>>>
>>>           for (int j = 0; j < grid->nb_tiles; j++) {
>>>               int tile_id = grid->tile_id_list[j];
>>> +            int k;
>>>
>>> -            for (int k = 0; k < mov->nb_heif_item; k++) {
>>> +            for (k = 0; k < mov->nb_heif_item; k++) {
>>>                   HEIFItem *item = &mov->heif_item[k];
>>>                   AVStream *st = item->st;
>>>
>>> @@ -9424,6 +9425,13 @@ static int mov_parse_tiles(AVFormatContext *s)
>>>                   break;
>>>               }
>>>
>>> +            if (k == grid->nb_tiles) {
>>> +                av_log(s, AV_LOG_WARNING, "HEIF item id %d referenced by grid id %d doesn't "
>>> +                                          "exist\n",
>>> +                       tile_id, grid->item->item_id);
>>> +                ff_remove_stream_group(s, stg);
>>> +                loop = 0;
>>> +            }
>>>               if (!loop)
>>>                   break;
>>>           }
> 
> i confirm the code fixes the issue, please apply (if it passes fate) and backport (if needed)

Applied and backported.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".