[FFmpeg-devel] [PATCH 3/4] avformat/mxfdec: Ensure klv->key is initialized
Marton Balint
cus at passwd.hu
Thu Jul 24 01:51:24 EEST 2025
On Wed, 23 Jul 2025, Tomas Härdin wrote:
> ons 2025-07-23 klockan 13:45 +0200 skrev Michael Niedermayer:
>> Fixes: read of uninitialized memory
>> Fixes: 391916474/clusterfuzz-testcase-minimized-
>> ffmpeg_dem_MXF_fuzzer-4935250956845056
>>
>> Found-by: continuous fuzzing process
>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>> ---
>> libavformat/mxfdec.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
>> index 0eed13d850d..184e97256cd 100644
>> --- a/libavformat/mxfdec.c
>> +++ b/libavformat/mxfdec.c
>> @@ -491,7 +491,9 @@ static int klv_read_packet(MXFContext *mxf,
>> KLVPacket *klv, AVIOContext *pb)
>> return AVERROR_INVALIDDATA;
>>
>> memcpy(klv->key, mxf_klv_key, 4);
>> - avio_read(pb, klv->key + 4, 12);
>> + int ret = ffio_read_size(pb, klv->key + 4, 12);
>> + if (ret < 0)
>> + return ret;
>
> ret != 12 is better. If it's non-negative then return AVERROR_EOF
ffio_read_size always returns the requested size or negative.
Also AVERROR_EOF would be a valid file ending, but a truncated read
clearly means AVERROR_INVALIDDATA, and that is exactly what
ffio_read_size() returns on a short read. So the patch is correct as is
IMHO.
Regards,
Marton
More information about the ffmpeg-devel
mailing list