[FFmpeg-devel] [PATCH] avformat/matroskadec: Sanity check codec_id/track type
Michael Niedermayer
michael at niedermayer.cc
Wed Dec 9 22:35:37 EET 2020
On Mon, Dec 07, 2020 at 02:20:50AM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: memleak
> > Fixes: 27766/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5198300814508032
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavformat/matroskadec.c | 12 ++++++++++++
> > 1 file changed, 12 insertions(+)
> >
> > diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> > index 44db2c8358..18fc2750a1 100644
> > --- a/libavformat/matroskadec.c
> > +++ b/libavformat/matroskadec.c
> > @@ -2318,6 +2318,18 @@ static int matroska_parse_tracks(AVFormatContext *s)
> > if (!track->codec_id)
> > continue;
> >
> > + if (track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] == 'A') {
> > + ;
> > + } else if (track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] == 'V') {
> > + ;
> > + } else if ((track->type == MATROSKA_TRACK_TYPE_SUBTITLE || track->type == MATROSKA_TRACK_TYPE_METADATA) &&
> > + (track->codec_id[0] == 'S' || track->codec_id[0] == 'D')) {
> > + ;
> > + } else {
> > + av_log(matroska->ctx, AV_LOG_INFO, "Inconsistent track type\n");
> > + continue;
> > + }
> > +
> > if (track->audio.samplerate < 0 || track->audio.samplerate > INT_MAX ||
> > isnan(track->audio.samplerate)) {
> > av_log(matroska->ctx, AV_LOG_WARNING,
> >
> Let me guess: The audio buffer used for Real audio codecs leaks because
> matroska_read_close() only frees it for audio tracks, whereas it is
> possible that a codec gets one of these audio track codec ids without
> being of MATROSKA_TRACK_TYPE_AUDIO (hence also not being of
> AVMEDIA_TYPE_AUDIO, which is a bug in itself). So I agree with the aim
> of these checks, but I think writing
>
> if ((track->type == MATROSKA_TRACK_TYPE_AUDIO && track->codec_id[0] !=
> 'A') ||
> (track->type == MATROSKA_TRACK_TYPE_VIDEO && track->codec_id[0] !=
> 'V') ||
> ...
>
> makes the intent clearer.
will apply with this change
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Into a blind darkness they enter who follow after the Ignorance,
they as if into a greater darkness enter who devote themselves
to the Knowledge alone. -- Isha Upanishad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20201209/3c53f94c/attachment.sig>
More information about the ffmpeg-devel
mailing list