[FFmpeg-devel] [PATCH 1/2] avformat/mxfdec: Fix integer overflow in next position in mxf_read_local_tags()
James Almer
jamrial at gmail.com
Fri Jan 22 16:23:09 EET 2021
On 1/22/2021 11:09 AM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 9223372036854775723 + 8192 cannot be represented in type 'long'
> Fixes: 29072/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4812604904177664
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/mxfdec.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 4c932e954c..f1167761f9 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -2865,8 +2865,10 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket *klv, MXFMetadataReadF
> int ret;
> int tag = avio_rb16(pb);
> int size = avio_rb16(pb); /* KLV specified by 0x53 */
> - uint64_t next = avio_tell(pb) + size;
> + uint64_t next = avio_tell(pb);
> UID uid = {0};
> + if (next > INT64_MAX - size)
> + size = 0;
You're discarding the tag's size. The code below could misbehave as it
will assume it's an empty tag when it's not. Not to mention the log
message will print a bogus value.
Abort instead (Invalid data or erange) in this scenario since going
beyond INT64_MAX is clearly not supported by avio, and then do next +=
size to ensure the avio_seek() at the end works as expected.
You could make next an int64_t too after this.
>
> av_log(mxf->fc, AV_LOG_TRACE, "local tag %#04x size %d\n", tag, size);
> if (!size) { /* ignore empty tag, needed for some files with empty UMID tag */
>
More information about the ffmpeg-devel
mailing list