[FFmpeg-devel] [PATCH 1/3] avformat/matroskadec: Reset state also on failure in matroska_reset_status()

Andreas Rheinhardt andreas.rheinhardt at outlook.com
Tue Jul 20 00:12:11 EEST 2021


Michael Niedermayer:
> On Fri, Jul 02, 2021 at 06:17:58PM +0200, Andreas Rheinhardt wrote:
>> Michael Niedermayer:
>>> The calling code does not handle failures and will fail with assertion failures later.
>>> Seeking can always fail even when the position was previously read.
>>>
>>> Fixes: Assertion failure
>>> Fixes: 35253/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4693059982983168
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> ---
>>>  libavformat/matroskadec.c | 19 ++++++++++++-------
>>>  1 file changed, 12 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
>>> index 356a02339c..a0e6e0cf8b 100644
>>> --- a/libavformat/matroskadec.c
>>> +++ b/libavformat/matroskadec.c
>>> @@ -804,20 +804,22 @@ static int matroska_read_close(AVFormatContext *s);
>>>  static int matroska_reset_status(MatroskaDemuxContext *matroska,
>>>                                   uint32_t id, int64_t position)
>>>  {
>>> +    int64_t err = 0;
>>>      if (position >= 0) {
>>> -        int64_t err = avio_seek(matroska->ctx->pb, position, SEEK_SET);
>>> -        if (err < 0)
>>> -            return err;
>>> -    }
>>> +        err = avio_seek(matroska->ctx->pb, position, SEEK_SET);
>>> +        if (err > 0)
>>> +            err = 0;
>>> +    } else
>>> +        position = avio_tell(matroska->ctx->pb);
>>>  
>>>      matroska->current_id    = id;
>>>      matroska->num_levels    = 1;
>>>      matroska->unknown_count = 0;
>>> -    matroska->resync_pos = avio_tell(matroska->ctx->pb);
>>> +    matroska->resync_pos    = position;
>>>      if (id)
>>>          matroska->resync_pos -= (av_log2(id) + 7) / 8;
>>>  
>>> -    return 0;
>>> +    return err;
>>
>> The changes here will make the demuxer update its internal state as if
>> it had seeked to its target level-1-element, even though it didn't. Is
>> this really good?
> 
> I dont know.
> Ive not seen this issue happen in reality just in a fuzzer
> environment.
> 

Can you send me this sample (with instructions how to reproduce it if
necessary)?

- Andreas


More information about the ffmpeg-devel mailing list