[FFmpeg-devel] [PATCH] libavformat/amr.c: Check return value from avio_read()
Michael Niedermayer
michael at niedermayer.cc
Fri Apr 3 00:33:55 EEST 2020
On Wed, Apr 01, 2020 at 01:55:12PM -0700, John Rummell wrote:
> Updated to return AVERROR_INVALIDDATA.
>
> On Wed, Apr 1, 2020 at 12:33 PM Michael Niedermayer <michael at niedermayer.cc>
> wrote:
>
> > On Mon, Mar 30, 2020 at 09:48:13PM -0700, John Rummell wrote:
> > > Hit send too soon. Patch attached.
> > >
> > > On Mon, Mar 30, 2020 at 9:44 PM John Rummell <jrummell at chromium.org>
> > wrote:
> > >
> > > > Another uninitialized memory access detected by the Chromium fuzzers.
> > > >
> >
> > > amr.c | 6 ++++--
> > > 1 file changed, 4 insertions(+), 2 deletions(-)
> > > db486a31c1d3c7f4f51a7e5f5333f871744d6c87
> > 0001-libavformat-amr.c-Check-return-value-from-avio_read.patch
> > > From 0ef90d64a760f730652f3832da2abca47cff62d6 Mon Sep 17 00:00:00 2001
> > > From: John Rummell <jrummell at chromium.org>
> > > Date: Mon, 30 Mar 2020 21:30:33 -0700
> > > Subject: [PATCH] libavformat/amr.c: Check return value from avio_read()
> > >
> > > If the buffer doesn't contain enough bytes when reading a stream,
> > > fail rather than continuing on with initialized data. Caught by
> > > Chromium fuzzeras (crbug.com/1065731).
> > > ---
> > > libavformat/amr.c | 6 ++++--
> > > 1 file changed, 4 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/libavformat/amr.c b/libavformat/amr.c
> > > index eccbbde5b0..8570d43302 100644
> > > --- a/libavformat/amr.c
> > > +++ b/libavformat/amr.c
> > > @@ -89,13 +89,15 @@ static int amr_read_header(AVFormatContext *s)
> > > AVStream *st;
> > > uint8_t header[9];
> > >
> > > - avio_read(pb, header, 6);
> > > + if (avio_read(pb, header, 6) != 6)
> > > + return -1;
> > >
> > > st = avformat_new_stream(s, NULL);
> > > if (!st)
> > > return AVERROR(ENOMEM);
> > > if (memcmp(header, AMR_header, 6)) {
> > > - avio_read(pb, header + 6, 3);
> > > + if (avio_read(pb, header + 6, 3) != 3)
> > > + return -1;
> >
> > I see some of the existing code uses -1 instead of AVERROR*
> > but i think for newly added cases AVERROR* codes would be better
> >
> > thx
> >
> > [...]
> >
> > --
> > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> >
> > Why not whip the teacher when the pupil misbehaves? -- Diogenes of Sinope
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel at ffmpeg.org
> > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
> > To unsubscribe, visit link above, or email
> > ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
> amr.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
> 193bfc49b025e3cf58b28a53b38eb2e02a1e0e5f 0001-libavformat-amr.c-Check-return-value-from-avio_read.patch
> From 1d6313c4354f88ea985b32b6cc0255081a3fff7b Mon Sep 17 00:00:00 2001
> From: John Rummell <jrummell at chromium.org>
> Date: Mon, 30 Mar 2020 21:30:33 -0700
> Subject: [PATCH] libavformat/amr.c: Check return value from avio_read()
>
> If the buffer doesn't contain enough bytes when reading a stream,
> fail rather than continuing on with initialized data. Caught by
> Chromium fuzzeras (crbug.com/1065731).
> ---
> libavformat/amr.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you think the mosad wants you dead since a long time then you are either
wrong or dead since a long time.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200402/0f920f4e/attachment.sig>
More information about the ffmpeg-devel
mailing list