Message-ID: <8baceec2-1dcf-44ee-b507-3ebdec21225a@gmail.com>
Date: Wed, 20 Mar 2024 23:22:11 -0300
To: ffmpeg-devel@ffmpeg.org
References: <20240321011517.10363-1-michael@niedermayer.cc> <20240321011517.10363-2-michael@niedermayer.cc>
From: James Almer
In-Reply-To: <20240321011517.10363-2-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 2/4] avformat/iamf_reader: return REDO on failure to read

On 3/20/2024 10:15 PM, Michael Niedermayer wrote:
> Fixes: null pointer dereference
> Fixes: 67007/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6522819204677632
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
>  libavformat/iamf_reader.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
> index 42d20f1ae6..a06aa98cdb 100644
> --- a/libavformat/iamf_reader.c
> +++ b/libavformat/iamf_reader.c
> @@ -26,6 +26,7 @@
>  #include "libavcodec/packet.h"
>  #include "avformat.h"
>  #include "avio_internal.h"
> +#include "demux.h"
>  #include "iamf.h"
>  #include "iamf_parse.h"
>  #include "iamf_reader.h"
> @@ -322,7 +323,7 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c,
>          break;
>      }
>
> -    return read;
> +    return FFERROR_REDO;

Where is the null pointer dereference happening?

I don't particularly like this approach because ff_iamf_read_packet() is also called by the mov demuxer.

> }
>
> void ff_iamf_read_deinit(IAMFDemuxContext *c)

Does the following also help?

> diff --git a/libavformat/iamf_reader.c b/libavformat/iamf_reader.c
> index 42d20f1ae6..4e79691a03 100644
> --- a/libavformat/iamf_reader.c
> +++ b/libavformat/iamf_reader.c
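Review bot: the `@@ -322,7 +323,7 @@` hunk of the original patch replaces the `return read;` that follows the loop in ff_iamf_read_packet() with an unconditional `return FFERROR_REDO;`, so every caller that falls out of the loop, including the mov demuxer named in the reply, now receives a retry request instead of the value of `read` it received before, and the commit message never says which pointer was NULL or where it was dereferenced. The description should name the dereference site, and the change should be confined to the failing path rather than the function's ordinary post-loop return. The `#include "demux.h"` added in the first hunk is there only to make FFERROR_REDO visible in this file, which is itself a sign that a reader shared by two demuxers is being tied to one demuxer's retry convention.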
> @@ -311,8 +311,7 @@ int ff_iamf_read_packet(AVFormatContext *s, IAMFDemuxContext *c,
>          } else {
>              int64_t offset = avio_skip(pb, obu_size);
>              if (offset < 0) {
> -                ret = offset;
> -                break;
> +                return offset;
>              }
>          }
>          max_size -= len;

Setting ret there and breaking the loop was wrong, as the scope of ret doesn't reach outside the loop.
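Review bot: replacing `ret = offset; break;` with `return offset;` in the `@@ -311,8 +311,7 @@` hunk propagates the negative avio_skip() result directly, which addresses the scoping problem stated under the hunk (with `ret` local to the loop body, the `break` led to the post-loop `return read;` visible in the original patch's second hunk, so the error was silently dropped). Two things to confirm before applying: that nothing between the end of the loop and the final return needs to run on this error path, since an early `return` skips it where `break` did not; and that no other branch of the same loop assigns an error to a loop-scoped variable and breaks in the same way, since it would have the identical defect.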