[FFmpeg-devel] [PATCH 2/2] avformat/id3v2: Check that decode_str() did advance
softworkz
softworkz at hotmail.com
Sat Apr 12 04:49:53 EEST 2025
> -----Original Message-----
> From: ffmpeg-devel <ffmpeg-devel-bounces at ffmpeg.org> On Behalf Of
> Michael Niedermayer
> Sent: Samstag, 12. April 2025 00:27
> To: FFmpeg development discussions and patches <ffmpeg-devel at ffmpeg.org>
> Subject: [FFmpeg-devel] [PATCH 2/2] avformat/id3v2: Check that
> decode_str() did advance
>
> Fixes infinite loop with unknown encodings
>
> We could alternatively error out from decode_str() or consume all of
> taglen
> this would affect other callers though.
>
> Fixes: 409819224/clusterfuzz-testcase-minimized-ffmpeg_dem_H261_fuzzer-
> 6003527535362048
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/id3v2.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
> index 90314583a74..e3f7f9e2a90 100644
> --- a/libavformat/id3v2.c
> +++ b/libavformat/id3v2.c
> @@ -341,10 +341,13 @@ static void read_ttag(AVFormatContext *s,
> AVIOContext *pb, int taglen,
> taglen--; /* account for encoding type byte */
>
> while (taglen > 1) {
> + int current_taglen = taglen;
> if (decode_str(s, pb, encoding, &dst, &taglen) < 0) {
> av_log(s, AV_LOG_ERROR, "Error reading frame %s,
> skipped\n", key);
> return;
> }
> + if (current_taglen == taglen)
> + return;
>
> count++;
>
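Review bot: the new early return at `if (current_taglen == taglen) return;` exits silently, while the `decode_str()` failure branch directly above it logs "Error reading frame %s, skipped" at AV_LOG_ERROR; a frame dropped because `decode_str()` made no progress (the unknown-encoding case the commit message describes) deserves the same diagnostic, so add an `av_log()` before the return. As the commit message itself notes, this per-caller guard leaves other `decode_str()` callers exposed to the same non-advancing behaviour; if the unknown-encoding case is instead made to error out or consume the remaining `taglen` inside `decode_str()`, this check becomes a belt-and-braces assertion rather than the only fix.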
> --
> 2.49.0
>
Hi Michael,
this kind of conflicts with this patch that I had submitted recently:
https://patchwork.ffmpeg.org/project/ffmpeg/patch/pull.54.ffstaging.FFmpeg.1740873449247.ffmpegagent@gmail.com/
I wonder whether my patch would still be prone to the issue your patch is addressing - do you have a test file perhaps?
Thanks
sw
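An added example, not code from FFmpeg or from either poster: a small C model of the loop shape in read_ttag(), with a decode_str()-style helper that consumes nothing for an unknown encoding byte. It shows the unguarded loop never terminating (capped here so it returns instead of hanging) and the progress check from the patch stopping it. The encoding constants, frame bytes and function names are constructed for this illustration and are not libavformat's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed encoding values for the example (not libavformat's constants). */
enum { ENC_LATIN1 = 0, ENC_UTF8 = 3 };

typedef struct {
    const uint8_t *data;
    size_t pos, len;
} reader;

/*
 * Model of a decode_str()-style routine: read one NUL-terminated string,
 * advance the reader and decrement *remaining by the bytes consumed.
 * For an unknown encoding it returns 0 without consuming anything, which
 * is the "did not advance" behaviour the patch guards against.
 */
static int decode_str_model(reader *r, int encoding, int *remaining)
{
    if (encoding != ENC_LATIN1 && encoding != ENC_UTF8)
        return 0;                       /* unknown: no error, no progress */
    while (*remaining > 0 && r->pos < r->len) {
        uint8_t c = r->data[r->pos++];
        (*remaining)--;
        if (c == 0)
            break;
    }
    return 0;
}

/*
 * Unguarded loop: iterate strings until taglen is exhausted. With an unknown
 * encoding taglen never changes; max_iter caps the spin so the hang shows up
 * as the return value -1 instead of a real infinite loop.
 */
static int read_strings_unguarded(const uint8_t *buf, size_t len, int max_iter)
{
    if (len == 0)
        return -2;
    reader r = { buf, 1, len };         /* skip the encoding type byte */
    int encoding = buf[0];
    int taglen = (int)len - 1;          /* account for encoding type byte */
    int count = 0, iter = 0;
    while (taglen > 1) {
        if (++iter > max_iter)
            return -1;                  /* would loop forever */
        if (decode_str_model(&r, encoding, &taglen) < 0)
            return -2;
        count++;
    }
    return count;
}

/* Guarded loop: the same shape, plus the patch's no-progress check. */
static int read_strings_guarded(const uint8_t *buf, size_t len)
{
    if (len == 0)
        return -2;
    reader r = { buf, 1, len };
    int encoding = buf[0];
    int taglen = (int)len - 1;
    int count = 0;
    while (taglen > 1) {
        int current_taglen = taglen;
        if (decode_str_model(&r, encoding, &taglen) < 0)
            return -2;
        if (current_taglen == taglen)
            return -3;                  /* no progress: skip frame, do not spin */
        count++;
    }
    return count;
}

/* Constructed frames: encoding byte followed by two NUL-terminated strings. */
static const uint8_t frame_ok[]  = { ENC_LATIN1, 'a', 'b', 'c', 0, 'd', 'e', 0 };
static const uint8_t frame_bad[] = { 0x7f,       'a', 'b', 'c', 0, 'd', 'e', 0 };

int main(void)
{
    printf("known encoding, unguarded: %d\n",
           read_strings_unguarded(frame_ok, sizeof frame_ok, 1000));
    printf("unknown encoding, unguarded: %d\n",
           read_strings_unguarded(frame_bad, sizeof frame_bad, 1000));
    printf("unknown encoding, guarded: %d\n",
           read_strings_guarded(frame_bad, sizeof frame_bad));
    return 0;
}
```

The guarded variant returns -3 on the first iteration for the unknown-encoding frame and 2 for the well-formed one; the unguarded variant only terminates on the bad frame because of the iteration cap.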