[FFmpeg-devel] [PATCH] avformat/aaxdec: Check for empty segments
James Almer
jamrial at gmail.com
Tue Jun 28 14:26:54 EEST 2022
On 6/28/2022 2:21 AM, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2022-06-27 10:43:47)
>> Fixes: Timeout
>> Fixes: 48154/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5149094353436672
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>> ---
>> libavformat/aaxdec.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
>> index dd1fbde736..bcbff216db 100644
>> --- a/libavformat/aaxdec.c
>> +++ b/libavformat/aaxdec.c
>> @@ -252,6 +252,8 @@ static int aax_read_header(AVFormatContext *s)
>> size = avio_rb32(pb);
>> a->segments[r].start = start + a->data_offset;
>> a->segments[r].end = a->segments[r].start + size;
>> + if (!size)
>> + return AVERROR_INVALIDDATA;
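Review bot: the `if (!size)` check at the end of this hunk runs only after `a->segments[r].start` and `a->segments[r].end` have already been computed from `size`, so the rejected value is still written into the segment table before the function returns. Moving the check to directly after `size = avio_rb32(pb);`, i.e. before the two assignments, rejects the empty segment before any state depends on it; alternatively, if the intent is specifically "no empty segment", a check of `a->segments[r].end == a->segments[r].start` placed after the assignments states that condition explicitly rather than indirectly through `size`.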
>
> Why check for invalid size only after some things are set based on it
> and not before?
Also, if the problem is that a->segments[r].start == a->segments[r].end,
then maybe it'd be better, or at least more clear to the reader, to
ensure that as part of the checks immediately after this line.