diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2023-10-18 01:39:16 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-10-19 20:44:56 +0200 |
commit | 70f5fa63258f548cd8d067d479658bae61711ff4 (patch) | |
tree | 5d5d4545d15417b2167b05b0d24dd80ec97a0419 /libavformat/mxfdec.c | |
parent | 644b2235c5bb1e3ee89a92180d87796ec4c18ec8 (diff) | |
download | ffmpeg-70f5fa63258f548cd8d067d479658bae61711ff4.tar.gz |
avformat/mxfdec: Check klv offset
Fixes: Assertion klv_offset >= mxf->run_in failed at libavformat/mxfdec.c:736
Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5778404366221312.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <git@haerdin.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/mxfdec.c')
-rw-r--r-- | libavformat/mxfdec.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 68939091e6..e42975e7fd 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size) return i == size; } -static int klv_read_packet(KLVPacket *klv, AVIOContext *pb) +static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb) { int64_t length, pos; if (!mxf_read_sync(pb, mxf_klv_key, 4)) return AVERROR_INVALIDDATA; klv->offset = avio_tell(pb) - 4; + if (klv->offset < mxf->run_in) + return AVERROR_INVALIDDATA; + memcpy(klv->key, mxf_klv_key, 4); avio_read(pb, klv->key + 4, 12); length = klv_decode_ber_length(pb); @@ -3435,7 +3438,7 @@ static int mxf_seek_to_previous_partition(MXFContext *mxf) /* Make sure this is actually a PartitionPack, and if so parse it. * See deadlock2.mxf */ - if ((ret = klv_read_packet(&klv, pb)) < 0) { + if ((ret = klv_read_packet(mxf, &klv, pb)) < 0) { av_log(mxf->fc, AV_LOG_ERROR, "failed to read PartitionPack KLV\n"); return ret; } @@ -3712,7 +3715,7 @@ static void mxf_read_random_index_pack(AVFormatContext *s) if (length < min_rip_length || length > max_rip_length) goto end; avio_seek(s->pb, file_size - length, SEEK_SET); - if (klv_read_packet(&klv, s->pb) < 0 || + if (klv_read_packet(mxf, &klv, s->pb) < 0 || !IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key)) goto end; if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) { @@ -3759,7 +3762,7 @@ static int mxf_read_header(AVFormatContext *s) while (!avio_feof(s->pb)) { const MXFMetadataReadTableEntry *metadata; - ret = klv_read_packet(&klv, s->pb); + ret = klv_read_packet(mxf, &klv, s->pb); if (ret < 0 || IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key)) { if (ret >= 0 && avio_size(s->pb) > klv.next_klv) av_log(s, AV_LOG_WARNING, "data after the RandomIndexPack, assuming end of file\n"); @@ -4011,7 +4014,7 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt) if (pos < mxf->current_klv_data.next_klv - mxf->current_klv_data.length || pos >= mxf->current_klv_data.next_klv) { mxf->current_klv_data = (KLVPacket){{0}}; - ret = klv_read_packet(&klv, s->pb); + ret = klv_read_packet(mxf, &klv, s->pb); if (ret < 0) break; max_data_size = klv.length; |