[FFmpeg-devel] [PATCH 4/5] avformat/mxfdec: Check index_edit_rate

Mon Apr 8 13:39:04 EEST 2024

tor 2024-04-04 klockan 00:51 +0200 skrev Michael Niedermayer:
> Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62
> Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-
> 5108429687422976
> 
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/mxfdec.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 04de4c1d5e3..233d614f783 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -1264,6 +1264,9 @@ static int mxf_read_index_table_segment(void
> *arg, AVIOContext *pb, int tag, int
>      case 0x3F0B:
>          segment->index_edit_rate.num = avio_rb32(pb);
>          segment->index_edit_rate.den = avio_rb32(pb);
> +        if (segment->index_edit_rate.num <= 0 ||
> +            segment->index_edit_rate.den <= 0)
> +            return AVERROR_INVALIDDATA;

mxf_compute_index_tables() has a check for index_edit_rate that you
probably want to remove as well. It was introduced in c6fff3d, but the
files it supposedly fixes aren't in FATE. We shouldn't encourage broken
muxers.

/Tomas