[FFmpeg-devel] [PATCH] avformat/icodec: Fix crash probing fuzzed file

Mark Harris mark.hsj at gmail.com
Mon Feb 15 20:27:20 CET 2016


On Mon, Feb 15, 2016 at 11:02 AM, Michael Niedermayer
<michael at niedermayer.cc> wrote:
> On Mon, Feb 15, 2016 at 09:57:51AM -0800, Mark Harris wrote:
>> Avoid invalid memory read/crash when ico offset >= 0xfffffff8.
>> Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
>> ---
>>  libavformat/icodec.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/icodec.c b/libavformat/icodec.c
>> index 6ddb901..8f84337 100644
>> --- a/libavformat/icodec.c
>> +++ b/libavformat/icodec.c
>> @@ -60,7 +60,7 @@ static int probe(AVProbeData *p)
>>          offset = AV_RL32(p->buf + 18 + i * 16);
>>          if (offset < 22)
>>              return FFMIN(i, AVPROBE_SCORE_MAX / 4);
>> -        if (offset + 8 > p->buf_size)
>> +        if (offset > p->buf_size - 8)
>
> buf_size - 8 can underflow or more precissely is not guranteed to be
> representable as unsigned while the compare is using unsigned
>

If p->buf_size was less than 8, would it not have returned before
this?  AV_RL32(p->buf + 14) would be 0 and offset = AV_RL32(p->buf +
18) would be 0, due to the zero padding of the probe buffer.

 - Mark


More information about the ffmpeg-devel mailing list