[FFmpeg-devel] [PATCH 02/13] avformat/mxfdec: Check run_in to fit in int and be valid
Tomas Härdin
tjoppen at acc.umu.se
Wed Sep 21 16:23:21 EEST 2022
ons 2022-09-21 klockan 11:35 +0200 skrev Michael Niedermayer:
> On Tue, Sep 20, 2022 at 01:20:00PM +0200, Tomas Härdin wrote:
> > tis 2022-09-20 klockan 13:07 +0200 skrev Tomas Härdin:
> > > sön 2022-09-18 klockan 19:13 +0200 skrev Michael Niedermayer:
> > > > Fixes: signed integer overflow: 9223372036854775807 - -
> > > > 2146905566
> > > > cannot be represented in type 'long'
> > > > Fixes: 50993/clusterfuzz-testcase-minimized-
> > > > ffmpeg_dem_MXF_fuzzer-
> > > > 6570996594769920
> > > >
> > > > Found-by: continuous fuzzing process
> > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > ---
> > > > libavformat/mxfdec.c | 6 +++++-
> > > > 1 file changed, 5 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> > > > index e63e803aa56..da81fea3bc1 100644
> > > > --- a/libavformat/mxfdec.c
> > > > +++ b/libavformat/mxfdec.c
> > > > @@ -3681,6 +3681,7 @@ static int
> > > > mxf_read_header(AVFormatContext
> > > > *s)
> > > > KLVPacket klv;
> > > > int64_t essence_offset = 0;
> > > > int ret;
> > > > + int64_t run_in;
> > > >
> > > > mxf->last_forward_tell = INT64_MAX;
> > > >
> > > > @@ -3690,7 +3691,10 @@ static int
> > > > mxf_read_header(AVFormatContext
> > > > *s)
> > > > }
> > > > avio_seek(s->pb, -14, SEEK_CUR);
> > > > mxf->fc = s;
> > > > - mxf->run_in = avio_tell(s->pb);
> > > > + run_in = avio_tell(s->pb);
> > > > + if (run_in < 0 || run_in != (int)run_in)
> > >
> > > run_in > INT_MAX is more clear
> > >
> > > It strikes me that run_in is also used in lots of places in the
> > > demuxer
> > > without checking for overflow
> >
> > I went and checked S377m and the run-in sequence "shall be less
> > than
> > 65536 bytes long". Both the 2004 and 2009 version of the spec agree
> > on
> > this. So we should reject run_in >= 65536, and mxf_probe() should
> > be
> > similarly adjusted.
>
> ok, will do
>
> thx for checking
>
> i will change the patch by:
> @@ -3717,7 +3717,7 @@ static int mxf_read_header(AVFormatContext *s)
> avio_seek(s->pb, -14, SEEK_CUR);
> mxf->fc = s;
> run_in = avio_tell(s->pb);
> - if (run_in < 0 || run_in != (int)run_in)
> + if (run_in < 0 || run_in > 65535)
Let's avoid magic numbers:
#define RUN_IN_MAX 65535 // S377m-2004 section 5.5 and S377-1-2009
section 6.5
> return AVERROR_INVALIDDATA;
> mxf->run_in = run_in;
>
> @@ -4125,7 +4125,7 @@ static int mxf_read_close(AVFormatContext *s)
>
> static int mxf_probe(const AVProbeData *p) {
> const uint8_t *bufp = p->buf;
> - const uint8_t *end = p->buf + p->buf_size;
> + const uint8_t *end = p->buf + FFMIN(p->buf_size, 65536 +
> sizeof(mxf_header_partition_pack_key));
Seems correct. I tested this by prefixing fate-suite/mxf/Meridian-
Apple_ProResProxy-HDR10.mxf with 65535 NUL bytes which worked fine, and
65536 NUL bytes which does not probe as MXF as expected
/Tomas
More information about the ffmpeg-devel
mailing list