From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id D98594BCD8
	for <ffmpegdev@gitmailbox.com>; Tue, 16 Jul 2024 13:31:48 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 65A1368D99C;
	Tue, 16 Jul 2024 16:31:45 +0300 (EEST)
Received: from mail-pg1-f180.google.com (mail-pg1-f180.google.com
 [209.85.215.180])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id EC9C568D67D
 for <ffmpeg-devel@ffmpeg.org>; Tue, 16 Jul 2024 16:31:38 +0300 (EEST)
Received: by mail-pg1-f180.google.com with SMTP id
 41be03b00d2f7-75e7e110e89so3261509a12.3
 for <ffmpeg-devel@ffmpeg.org>; Tue, 16 Jul 2024 06:31:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1721136696; x=1721741496; darn=ffmpeg.org;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id:from
 :to:cc:subject:date:message-id:reply-to;
 bh=0I1YHJDqNEitp0VITwQC4M8a5ENOg0u8q9mnTsiYDzk=;
 b=C8hVZq8RDHZ8vgnvcB6msYT+87PDzFK7ywDSql3Gh8GzDr8LVsqYnUCcyf/hzbH2mm
 bl/GlVkIiC/WdqWyT7hyWqYdifCdxkI8itDfzNWHHtKx71J7bRLiTH1O1i5S8C/D3xsj
 3d88BKRM2+u+qEkehKaB+HMHXLuIju4cBIer+PFeHcuyQEm3Qo+/nbq7me+Rz027kmqX
 uJ6xdjBT+j1aVOW1sdV3GWPpoFVFMaWuXWEhYr1x3QzPpyjgBOcAn97LAgDPWBr2V6s/
 dE0GhK0rS+JnasPteq/8Tw35lA/O/HJKl8BGzi7WikmZOyz8TLMqcggU+iUIdjBirYnK
 iIaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1721136696; x=1721741496;
 h=content-transfer-encoding:in-reply-to:from:content-language
 :references:to:subject:user-agent:mime-version:date:message-id
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=0I1YHJDqNEitp0VITwQC4M8a5ENOg0u8q9mnTsiYDzk=;
 b=i5agiybuNcfAVorOUjX511vC8UAvpECnVfJRlP511a5Wht2gpSnf7kIaLnJqpvfikc
 S8ptXwsaBEIZQDRZQ6GZPbexjoYrzaK//vWRcN7EiT3aYN8sbt16T2hPpCy1qevR3KAL
 OD0tBRpAMyP+ATmIz1HUir3q+CSuXOq6t0b9RUD0NHT2Tygp4TWdbgxiKjy18yagoHRI
 t5cGijbKId480a9xro1PqVYODNpNlrJoqlnAg3ULHpIAe5i6lsTbslINiWPbTdcsj6/9
 DYo5kCnBES0hv1UyaFlJSgXyOQFTHeXoq8Yfk8y4AEVaQENtjE8grx7VZwrIPFuOkXNZ
 LfAQ==
X-Gm-Message-State: AOJu0YyRF7PHYoMtOkJBAZzi08VenBLuo71J76xaQZuCopleOwlsdrb/
 5XAkmyoIYqw3mlVdKK37Kyr2Q1oayieH78SbuyjCUmXRwqyY43/SmRLUQw==
X-Google-Smtp-Source: AGHT+IGCJwEOzu5Hi7bem6Lol0n5/nMDv7Tb48leWmGMV0H6fZkxO6K57sHjh011ViJWALyBA1LW/Q==
X-Received: by 2002:a05:6a21:6d91:b0:1c0:eba5:e192 with SMTP id
 adf61e73a8af0-1c3f1249dafmr2644558637.27.1721136696348; 
 Tue, 16 Jul 2024 06:31:36 -0700 (PDT)
Received: from [192.168.0.12] ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-70b7ec7e4bcsm6253262b3a.117.2024.07.16.06.31.35
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
 Tue, 16 Jul 2024 06:31:35 -0700 (PDT)
Message-ID: <f7e06b99-bae8-4fed-a3dd-c0450e8cdc36@gmail.com>
Date: Tue, 16 Jul 2024 10:31:54 -0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: ffmpeg-devel@ffmpeg.org
References: <20240716131929.3708881-1-michael@niedermayer.cc>
Content-Language: en-US
From: James Almer <jamrial@gmail.com>
In-Reply-To: <20240716131929.3708881-1-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH] avformat/mov: sanity check count in IPRP
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/f7e06b99-bae8-4fed-a3dd-c0450e8cdc36@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

On 7/16/2024 10:19 AM, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 69230/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6540512101203968
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavformat/mov.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/libavformat/mov.c b/libavformat/mov.c
> index ce95842ce58..9042753d221 100644
> --- a/libavformat/mov.c
> +++ b/libavformat/mov.c
> @@ -8925,6 +8925,11 @@ static int mov_read_iprp(MOVContext *c, AVIOContext *pb, MOVAtom atom)
>       flags   = avio_rb24(pb);
>       count   = avio_rb32(pb);
>   
> +    if (count * 5LL > a.size) {
> +        ret = AVERROR_INVALIDDATA;
> +        goto fail;
> +    }

a.size is also read from the aviocontext, so i think it'd be better to 
add an avio_feof() check inside the for loop below, after assoc_count is 
read.

> +
>       for (int i = 0; i < count; i++) {
>           int item_id = version ? avio_rb32(pb) : avio_rb16(pb);
>           int assoc_count = avio_r8(pb);
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".