[FFmpeg-devel] [PATCH] avformat/aaxdec: Ask for a sample and disable COLUMN_FLAG_DEFAULT
Michael Niedermayer
michael at niedermayer.cc
Sun Jul 11 00:26:17 EEST 2021
The codepath repeatedly seeks back to the same byte and fills the table with this
Fixes: Timeout (reading billions of times the same byte)
Fixes: 35510/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5742289044504576
I have not found any samples in our archive or the fate samples which use this
codepath, also I found no specification. If anyone has either please reply
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/aaxdec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
index 643bc5f9a5..1bf4b689c9 100644
--- a/libavformat/aaxdec.c
+++ b/libavformat/aaxdec.c
@@ -238,6 +238,10 @@ static int aax_read_header(AVFormatContext *s)
for (uint64_t r = 0; r < a->nb_segments; r++) {
if (flag & COLUMN_FLAG_DEFAULT) {
data_offset = a->schema_offset + col_offset;
+ if (a->nb_segments > 1) {
+ avpriv_request_sample(s, "Column default");
+ return AVERROR_PATCHWELCOME;
+ }
} else if (flag & COLUMN_FLAG_ROW) {
data_offset = a->rows_offset + r * a->row_width + col_offset;
} else
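Review bot: The added `a->nb_segments > 1` test in the COLUMN_FLAG_DEFAULT branch is loop-invariant, yet it sits inside the `for (uint64_t r = 0; r < a->nb_segments; r++)` loop and after `data_offset` has already been assigned; testing it once ahead of the row loop, or at least before the assignment, would make the intent clearer. A one-line comment would also help: `data_offset = a->schema_offset + col_offset` does not depend on `r`, so every row resolves to the same offset, which is the repeated read the commit message describes and the reason more than one segment is rejected. The subject line says COLUMN_FLAG_DEFAULT is disabled, but a file with a single segment still takes this branch, so the subject or the condition should be adjusted to match. The request string "Column default" could name the condition as well, for example "Column default with multiple segments". Because this is a bare `return` in the middle of aax_read_header, please confirm that nothing allocated earlier in the function needs to be released on this path.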
--
2.17.1