On Fri, Aug 30, 2019 at 08:57:29PM -0300, James Almer wrote: > On 8/30/2019 8:25 PM, Michael Niedermayer wrote: > > Fixes: Timeout (195sec -> 2ms) > > Fixes: > > 16735/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5090676403863552 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavformat/mov.c | 5 ++++- > > 1 file changed, 4 insertions(+), 1 deletion(-) > > > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > index 675b915906..46c544b61f 100644 > > --- a/libavformat/mov.c > > +++ b/libavformat/mov.c > > @@ -4419,7 +4419,10 @@ static int mov_read_custom(MOVContext *c, > > AVIOContext *pb, MOVAtom atom) > > static int mov_read_meta(MOVContext *c, AVIOContext *pb, MOVAtom atom) > > { > > while (atom.size > 8) { > > - uint32_t tag = avio_rl32(pb); > > + uint32_t tag; > > + if (avio_feof(pb)) > > + return AVERROR_EOF; > > + tag = avio_rl32(pb); > > atom.size -= 4; > > if (tag == MKTAG('h','d','l','r')) { > > avio_seek(pb, -8, SEEK_CUR); > > Maybe do something like "while (atom.size > 8 && !avio_feof(pb))" > instead, which is similar to the loop in mov_read_default.
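Review bot: the avio_feof() check added at the top of the "while (atom.size > 8)" loop in mov_read_meta makes a truncated meta atom return AVERROR_EOF, and neither the commit message nor a comment at the check says that this behaviour change is intended. The loop body shown only subtracts 4 from atom.size per iteration, so the check is what bounds the loop when the declared atom size is larger than the data available. A one-line comment at the check, or a sentence in the commit message, stating that truncation is now reported as an error rather than simply ending the loop would make the choice over the "while (atom.size > 8 && !avio_feof(pb))" form explicit.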
Can do, but why?
The code in the patch returns an error if the atom is truncated.
The change suggested does not return an error if the atom is truncated.
On its own this doesn't sound better.

Thanks

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The bravest are surely those who have the clearest vision of what is
before them, glory and danger alike, and yet notwithstanding go out to
meet it. -- Thucydides