On Fri, Oct 30, 2020 at 11:48:11PM +0100, Andreas Rheinhardt wrote: > Michael Niedermayer: > > On Thu, Oct 29, 2020 at 02:25:49PM +0100, Andreas Rheinhardt wrote: > >> Michael Niedermayer: > >>> Fixes: OOM > >>> Fixes: > >>> 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192 > >>> > >>> Found-by: continuous fuzzing process > >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > >>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > >>> --- > >>> libavformat/apngdec.c | 2 ++ > >>> 1 file changed, 2 insertions(+) > >>> > >>> diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c > >>> index 0f1d04a365..2e79fdd85c 100644 > >>> --- a/libavformat/apngdec.c > >>> +++ b/libavformat/apngdec.c > >>> @@ -140,6 +140,8 @@ static int append_extradata(AVCodecParameters *par, > >>> AVIOContext *pb, int len) > >>> > >>> if ((ret = avio_read(pb, par->extradata + previous_size, len)) < 0) > >>> return ret; > >>> + if (ret < len) > >>> + return AVERROR_INVALIDDATA; > >>> > >>> return previous_size; > >>> } > >>> > >> Reminds me of > >> https://ffmpeg.org/pipermail/ffmpeg-devel/2020-January/255671.html. But > >> how can this fix an OOM scenario? If avio_read() couldn't read > >> everything it should read, then we are at the end of the file and the > >> avio_feof() check will make sure that this is the last iteration of the > >> loop. Or is this a file that is being written to while it is read? (In > >> which case an earlier reading attempt might have failed, but a new one > >> might succeed because there is new data.) > > > > The OOM occurs when the gigiabyte? sized uninitialized extradata is copied > > and moved around later outside the demuxer > > > > Yeah, I've forgotten: In this case the demuxer does not indicate an > error at all (which is precisely what I wanted to fix). >
> > If you prefer your patch from january that should achieve the same. > > > Actually I think one should use ffio_read_size() here (and one should > also adapt ffio_read_size() to forward the error if avio_read() returned > an error, unless said error was AVERROR_EOF). ok, patches doing that posted thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Freedom in capitalist society always remains about the same as it was in ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
