On Mon, Mar 30, 2020 at 09:48:13PM -0700, John Rummell wrote: > Hit send too soon. Patch attached. > > On Mon, Mar 30, 2020 at 9:44 PM John Rummell <jrumm...@chromium.org> wrote: > > > Another uninitialized memory access detected by the Chromium fuzzers. > >
> amr.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
> db486a31c1d3c7f4f51a7e5f5333f871744d6c87
> 0001-libavformat-amr.c-Check-return-value-from-avio_read.patch
> From 0ef90d64a760f730652f3832da2abca47cff62d6 Mon Sep 17 00:00:00 2001
> From: John Rummell <jrumm...@chromium.org>
> Date: Mon, 30 Mar 2020 21:30:33 -0700
> Subject: [PATCH] libavformat/amr.c: Check return value from avio_read()
>
> If the buffer doesn't contain enough bytes when reading a stream,
> fail rather than continuing on with initialized data. Caught by
> Chromium fuzzeras (crbug.com/1065731).
> ---
> libavformat/amr.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/libavformat/amr.c b/libavformat/amr.c
> index eccbbde5b0..8570d43302 100644
> --- a/libavformat/amr.c
> +++ b/libavformat/amr.c
> @@ -89,13 +89,15 @@ static int amr_read_header(AVFormatContext *s)
> AVStream *st;
> uint8_t header[9];
>
> - avio_read(pb, header, 6);
> + if (avio_read(pb, header, 6) != 6)
> + return -1;
>
> st = avformat_new_stream(s, NULL);
> if (!st)
> return AVERROR(ENOMEM);
> if (memcmp(header, AMR_header, 6)) {
> - avio_read(pb, header + 6, 3);
> + if (avio_read(pb, header + 6, 3) != 3)
> + return -1;
I see some of the existing code uses -1 instead of AVERROR*
but i think for newly added cases AVERROR* codes would be better
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Why not whip the teacher when the pupil misbehaves? -- Diogenes of Sinope
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
