On Thu, Oct 22, 2020 at 06:55:37PM +0200, Andreas Rheinhardt wrote: > Michael Niedermayer: > > On Thu, Oct 22, 2020 at 07:55:31AM +0200, Andreas Rheinhardt wrote: > >> Michael Niedermayer: > >>> Fixes: SEGV on unknown address 0x000000000000 > >>> Fixes: > >>> 26482/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVIDAS_fuzzer-4905102324006912 > >>> > >>> Found-by: continuous fuzzing process > >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > >>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > >>> --- > >>> libavformat/vividas.c | 4 ++-- > >>> 1 file changed, 2 insertions(+), 2 deletions(-) > >>> > >>> diff --git a/libavformat/vividas.c b/libavformat/vividas.c > >>> index 999c4a5d1c..6e93d96aef 100644 > >>> --- a/libavformat/vividas.c > >>> +++ b/libavformat/vividas.c > >>> @@ -682,7 +682,7 @@ static int viv_read_packet(AVFormatContext *s, > >>> return AVERROR_INVALIDDATA; > >>> > >>> ffio_read_varlen(pb); > >>> - if (v_size > INT_MAX) > >>> + if (v_size > INT_MAX || !v_size) > >>> return AVERROR_INVALIDDATA; > >>> ret = av_get_packet(pb, pkt, v_size); > >>> if (ret < 0) > >>> @@ -711,7 +711,7 @@ static int viv_read_packet(AVFormatContext *s, > >>> } else { > >>> uint64_t v_size = ffio_read_varlen(pb); > >>> > >>> - if (v_size > INT_MAX) > >>> + if (v_size > INT_MAX || !v_size) > >>> return AVERROR_INVALIDDATA; > >>> ret = av_get_packet(pb, pkt, v_size); > >>> if (ret < 0) > >>> > >> av_get_packet(pb, pkt, 0) should get a packet with pkt->data pointing to > >> a zeroed buffer of size AV_INPUT_BUFFER_PADDING_SIZE. So accessing > >> pkt->data[0] for the flags should not segfault (but it would set the > >> wrong result: that it is a keyframe). So where is the segfault? > > > > I tried to simulate this in a different demuxer: > > (different to make sure its not the file or demuxer that somehow affects > > this) > > --- a/libavformat/avidec.c > > +++ b/libavformat/avidec.c > > @@ -1446,9 +1446,10 @@ resync: > > if (size > ast->remaining) > > size = ast->remaining; > > avi->last_pkt_pos = avio_tell(pb); > > - err = av_get_packet(pb, pkt, size); > > + err = av_get_packet(pb, pkt, 0); > > if (err < 0) > > return err; > > + av_log(0,0, "P %p\n", pkt->data); > > size = err; > > > > if (ast->has_pal && pkt->size < (unsigned)INT_MAX / 2) { > > > > what is printed is: > > P (nil) > > > My bad: append_packet_chunked() unrefs the packet if pkt->size is zero > before returning (without returning an error). So your patch seems to be > the way to go.
ok, will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB "You are 36 times more likely to die in a bathtub than at the hands of a terrorist. Also, you are 2.5 times more likely to become a president and 2 times more likely to become an astronaut, than to die in a terrorist attack." -- Thoughty2
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
