[FFmpeg-devel] [PATCH] avformat/aaxdec: Check for empty segments

James Almer jamrial at gmail.com
Tue Jun 28 14:26:54 EEST 2022



On 6/28/2022 2:21 AM, Anton Khirnov wrote:
> Quoting Michael Niedermayer (2022-06-27 10:43:47)
>> Fixes: Timeout
>> Fixes: 48154/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5149094353436672
>>
>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>> ---
>>   libavformat/aaxdec.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c
>> index dd1fbde736..bcbff216db 100644
>> --- a/libavformat/aaxdec.c
>> +++ b/libavformat/aaxdec.c
>> @@ -252,6 +252,8 @@ static int aax_read_header(AVFormatContext *s)
>>                   size  = avio_rb32(pb);
>>                   a->segments[r].start = start + a->data_offset;
>>                   a->segments[r].end   = a->segments[r].start + size;
>> +                if (!size)
>> +                    return AVERROR_INVALIDDATA;
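Review bot: the `if (!size)` check is placed after `a->segments[r].start` and `a->segments[r].end` have already been computed from `size`, so the zero-length segment is written into the table before it is rejected; move the check to directly after `size = avio_rb32(pb);`, before the two assignments, or, since a zero `size` here means `a->segments[r].start == a->segments[r].end`, fold it into the validation of the segment range that follows so the reader sees the rejected condition stated in terms of the fields being checked. Either way a one-line comment naming the failure this guards against (the fuzzer timeout from the commit message) would help the next reader understand why an empty segment is treated as invalid data rather than skipped.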
> 
> Why check for invalid size only after some things are set based on it
> and not before?

Also, if the problem is that a->segments[r].start == a->segments[r].end, 
then maybe it'd be better, or at least more clear to the reader, to 
ensure that as part of the checks immediately after this line.
