[FFmpeg-devel] [PATCH 2/2] avformat/mpc8: fix hang with fuzzed file

wm4 nfxjfg at googlemail.com
Tue Feb 3 19:04:12 CET 2015


This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.

Fixes ticket #4262.
---
 libavformat/mpc8.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index d6ca338..6524c7e 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s)
     while(!avio_feof(pb)){
         pos = avio_tell(pb);
         mpc8_get_chunk_header(pb, &tag, &size);
+        if (size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+            return AVERROR_INVALIDDATA;
+        }
         if(tag == TAG_STREAMHDR)
             break;
         mpc8_handle_chunk(s, tag, pos, size);
-- 
2.1.4



More information about the ffmpeg-devel mailing list