On 6/28/2022 2:21 AM, Anton Khirnov wrote:
Quoting Michael Niedermayer (2022-06-27 10:43:47)
Fixes: Timeout
Fixes:
48154/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5149094353436672
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavformat/aaxdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
index dd1fbde736..bcbff216db 100644
--- a/libavformat/aaxdec.c
+++ b/libavformat/aaxdec.c
@@ -252,6 +252,8 @@ static int aax_read_header(AVFormatContext *s)
size = avio_rb32(pb);
a->segments[r].start = start + a->data_offset;
a->segments[r].end = a->segments[r].start + size;
+ if (!size)
+ return AVERROR_INVALIDDATA;
Why check for invalid size only after some things are set based on it
and not before?
Also, if the problem is that a->segments[r].start == a->segments[r].end,
then maybe it'd be better, or at least more clear to the reader, to
ensure that as part of the checks immediately after this line.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
