From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id AC5684BBF3
	for <ffmpegdev@gitmailbox.com>; Mon, 15 Jul 2024 15:16:04 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id E72C468D9D1;
	Mon, 15 Jul 2024 18:16:01 +0300 (EEST)
Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com
 [209.85.215.176])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 0407D68D654
 for <ffmpeg-devel@ffmpeg.org>; Mon, 15 Jul 2024 18:15:56 +0300 (EEST)
Received: by mail-pg1-f176.google.com with SMTP id
 41be03b00d2f7-767506e1136so3206799a12.0
 for <ffmpeg-devel@ffmpeg.org>; Mon, 15 Jul 2024 08:15:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1721056553; x=1721661353; darn=ffmpeg.org;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id:from
 :to:cc:subject:date:message-id:reply-to;
 bh=epdDJNnbbn8bttPyK5HY0VYjcYEYaVhrCrHfNP6QZnI=;
 b=CErcOQl/rSLGE2UCeUKp6BF8bfE7zowIhlZzKneB4qbNl9ZdoQKDY0wpXe0Qt7506c
 VDEYL6IdX3VQX9tK7G6ddOKEyMTFJbQVAks82Gm5li6x1lJBjNF8YHrv0WpKR74merym
 aZY6Y8JW8qXa5sMZdeTHi97fiTrCeQyn9S9flDvjGaOub7EFxc34TZyZ5lpgEHFYR9Up
 rPP/OuVx/M2T7j7uG2dtXWeQSDF7PtX1p0o9/U3eUFFpS5PhKf88VmvTCcFbyyhubX7y
 7mcJfn1ojTK7aD+tJjhXbbD/EnDtzReLES7KShxhp05Jc6NUos6myf8D4NKeg+X/1UQz
 uhtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1721056553; x=1721661353;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=epdDJNnbbn8bttPyK5HY0VYjcYEYaVhrCrHfNP6QZnI=;
 b=MerhJjlKjmfiEVNh7Yi49YSuSjqg6gfDXRtvflUphlvH2tvRju4XoEb/oiC3vkNvst
 nj4BnlyNZrFVwfvH2rS/Sg3qoG6p064XJ4TqtheM+62QbIx8z94MDOaEmYVoVPoSmIk4
 8+36NDekljNY8c/YRDLeHP8o+1dY+q8OPLvPjEBWfuWjjRZQZLyrWXnsbquO+x4mpiup
 nYTNt1Kdpd8gNsM2V4YUsuDbqFmY4P2N6Y+5kytzWbI014QoWe1RePTlSUiJkzvDKTyz
 i3npCagIL1UQxfxTJBgid9jZuExlIym0G9uTh6gJyHQ9nMTAyTVXbCe840xVbGoiHECH
 sYVw==
X-Gm-Message-State: AOJu0YwdRMf+qdxU+bns46g5ubEV75fiu1mGU8gBklmiT2ZiVFPEqB1L
 VUvifCPmb+iFpqP+8w6hWeqaVW9xgKRbM7l3niy1dL643j7TNZrXuvrQhA==
X-Google-Smtp-Source: AGHT+IEoGKYHE7xuCaUKI7wYlIHX4YlBT31vP/pMegDYx4huF4Cj3n3hVfFCeKhAPfmmd/QP5fEKrw==
X-Received: by 2002:a05:6a20:6a23:b0:1c0:f6b7:a89a with SMTP id
 adf61e73a8af0-1c3ee5057b9mr298859637.8.1721056553456; 
 Mon, 15 Jul 2024 08:15:53 -0700 (PDT)
Received: from [192.168.0.16] ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-70b7eb9e204sm4455350b3a.32.2024.07.15.08.15.52
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Mon, 15 Jul 2024 08:15:52 -0700 (PDT)
Message-ID: <a8657646-4534-4978-9f49-efa3dc276b90@gmail.com>
Date: Mon, 15 Jul 2024 12:16:08 -0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: ffmpeg-devel@ffmpeg.org
References: <20240623230137.1749178-1-michael@niedermayer.cc>
 <20240623230137.1749178-5-michael@niedermayer.cc>
Content-Language: en-US
From: James Almer <jamrial@gmail.com>
In-Reply-To: <20240623230137.1749178-5-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 5/5] avformat/iamf: Check substreams in
 ff_iamf_free_audio_element()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/a8657646-4534-4978-9f49-efa3dc276b90@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

On 6/23/2024 8:01 PM, Michael Niedermayer wrote:
> Fixes: member access within null pointer of type 'IAMFSubStream' (aka 'struct IAMFSubStream')
> Fixes: 69795/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6216287009701888
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/iamf.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/iamf.c b/libavformat/iamf.c
> index 5de70dc0828..364cb60e021 100644
> --- a/libavformat/iamf.c
> +++ b/libavformat/iamf.c
> @@ -74,8 +74,10 @@ void ff_iamf_free_audio_element(IAMFAudioElement **paudio_element)
>       if (!audio_element)
>           return;
>   
> -    for (int i = 0; i < audio_element->nb_substreams; i++)
> -        avcodec_parameters_free(&audio_element->substreams[i].codecpar);
> +    if (audio_element->nb_substreams)
> +        for (int i = 0; i < audio_element->nb_substreams; i++) {
> +            avcodec_parameters_free(&audio_element->substreams[i].codecpar);
> +        }
>       av_free(audio_element->substreams);
>       av_free(audio_element->layers);
>       av_iamf_audio_element_free(&audio_element->element);

Sorry, i missed this.

nb_substreams shouldn't be anything but 0 here if nb_substreams is NULL, 
so the following is IMO better:

> diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
> index 9cec12d46f..a69d4a2f3a 100644
> --- a/libavformat/iamf_parse.c
> +++ b/libavformat/iamf_parse.c
> @@ -594,7 +594,7 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
>      FFIOContext b;
>      AVIOContext *pbc;
>      uint8_t *buf;
> -    unsigned audio_element_id, codec_config_id, num_parameters;
> +    unsigned audio_element_id, nb_substreams, codec_config_id, num_parameters;
>      int audio_element_type, ret;
> 
>      buf = av_malloc(len);
> @@ -649,14 +649,15 @@ static int audio_element_obu(void *s, IAMFContext *c, AVIOContext *pb, int len)
>          goto fail;
>      }
> 
> -    audio_element->nb_substreams = ffio_read_leb(pbc);
> +    nb_substreams = ffio_read_leb(pbc);
>      audio_element->codec_config_id = codec_config_id;
>      audio_element->audio_element_id = audio_element_id;
> -    audio_element->substreams = av_calloc(audio_element->nb_substreams, sizeof(*audio_element->substreams));
> +    audio_element->substreams = av_calloc(nb_substreams, sizeof(*audio_element->substreams));
>      if (!audio_element->substreams) {
>          ret = AVERROR(ENOMEM);
>          goto fail;
>      }
> +    audio_element->nb_substreams = nb_substreams;
> 
>      element = audio_element->element = av_iamf_audio_element_alloc();
>      if (!element) {
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".