[FFmpeg-devel] [PATCH 2/2] avformat/apngdec: Check for incomplete reads in append_extradata()

Andreas Rheinhardt andreas.rheinhardt at gmail.com
Sat Oct 31 16:28:42 EET 2020


Michael Niedermayer:
> Fixes: OOM
> Fixes: 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/apngdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
> index 0f1d04a365..4e1d21031f 100644
> --- a/libavformat/apngdec.c
> +++ b/libavformat/apngdec.c
> @@ -138,7 +138,7 @@ static int append_extradata(AVCodecParameters *par, AVIOContext *pb, int len)
>      par->extradata = new_extradata;
>      par->extradata_size = new_size;
>  
> -    if ((ret = avio_read(pb, par->extradata + previous_size, len)) < 0)
> +    if ((ret = ffio_read_size(pb, par->extradata + previous_size, len)) < 0)
>          return ret;
>  
>      return previous_size;
> 
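Review bot: `par->extradata_size = new_size;` (two lines above the changed avio_read() call) is assigned before the read happens, so on the new error path the caller is left with an extradata_size that counts bytes which were never read; consider moving that assignment after the successful read, or resetting it on error, unless every caller discards the stream on failure. Replacing avio_read() with ffio_read_size() does make a short read return an error instead of silently reporting success, which is what the commit title asks for; since the hunk adds no include, confirm that apngdec.c already includes avio_internal.h, where ffio_read_size() is declared.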
There is a second avio_read() call that does not check whether it has
read all it wanted. It can not really lead to OOM (as the extradata size
in this case is 29), but it is not nice to not return an error in this
case. I therefore resurrected my old patchset:
https://ffmpeg.org/pipermail/ffmpeg-devel/2020-October/271779.html

- Andreas