[FFmpeg-devel] [PATCH] avformat/mxfdec: Fix false positive in infinite loop detector

tomas.hardin at codemill.se tomas.hardin at codemill.se
Mon Oct 27 16:52:26 CET 2014


On 2014-10-27 16:27, Michael Niedermayer wrote:
> Fixes Ticket4040
> 
> Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> ---
>  libavformat/mxfdec.c |   11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index b01dd0c..a1abc34 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -2211,6 +2211,13 @@ end:
>      avio_seek(s->pb, mxf->run_in, SEEK_SET);
>  }
> 
> +static uint64_t loop_detection_state(AVFormatContext *s)
> +{
> +    MXFContext *mxf = s->priv_data;
> +
> +    return avio_tell(s->pb) + 0xA987654321*!mxf->current_partition;
> +}
> +

What the hell? Just use a flag or something, or mxf->parsing_backward 
(preferably)

>  static int mxf_read_header(AVFormatContext *s)
>  {
>      MXFContext *mxf = s->priv_data;
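
Review bot: In loop_detection_state(), the expression `avio_tell(s->pb) + 0xA987654321*!mxf->current_partition` folds the partition state into the file offset through an unexplained magic constant, and the result is not collision-free. Two positions exactly 0xA987654321 bytes apart, one reached with a current partition and one without, produce the same value. Suggest keeping the position and the partition state as two separate values that the caller compares together, and adding a comment that says why a NULL current_partition must count as a different state.
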
> @@ -2235,12 +2242,12 @@ static int mxf_read_header(AVFormatContext *s)
> 
>      while (!avio_feof(s->pb)) {
>          const MXFMetadataReadTableEntry *metadata;
> -        if (avio_tell(s->pb) == last_pos) {
> +        if (loop_detection_state(s) == last_pos) {
>              av_log(mxf->fc, AV_LOG_ERROR, "MXF structure loop 
> detected\n");
>              return AVERROR_INVALIDDATA;
>          }
>          if ((1ULL<<61) % last_pos_index++ == 0)
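
Review bot: In the while loop of mxf_read_header(), `last_pos` is now compared against loop_detection_state(s), which is no longer a plain file position, so the variable name misleads. The assignment that refreshes `last_pos` is not visible in this quote; it has to store loop_detection_state(s) as well, otherwise the two sides of the comparison can never match whenever mxf->current_partition is NULL. The sampling condition `(1ULL<<61) % last_pos_index++ == 0` also deserves a one-line comment: it is true only when last_pos_index is a power of two, and it relies on last_pos_index starting non-zero because it is used as a divisor.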

This looks extremely dubious, but I see 1c010fd03 was a stop gap to fix 
an issue discovered by fuzzing. Why didn't anyone poke me on IRC about 
it?
I have furniture to move today, after that I might have some time to 
develop a non-awful fix.

/Tomas

