aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/mxfdec.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2023-10-18 01:39:16 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2023-10-19 20:44:56 +0200
commit70f5fa63258f548cd8d067d479658bae61711ff4 (patch)
tree5d5d4545d15417b2167b05b0d24dd80ec97a0419 /libavformat/mxfdec.c
parent644b2235c5bb1e3ee89a92180d87796ec4c18ec8 (diff)
downloadffmpeg-70f5fa63258f548cd8d067d479658bae61711ff4.tar.gz
avformat/mxfdec: Check klv offset
Fixes: Assertion klv_offset >= mxf->run_in failed at libavformat/mxfdec.c:736 Fixes: 62936/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5778404366221312.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin <git@haerdin.se> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat/mxfdec.c')
-rw-r--r--libavformat/mxfdec.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 68939091e6..e42975e7fd 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -458,12 +458,15 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t *key, unsigned size)
return i == size;
}
-static int klv_read_packet(KLVPacket *klv, AVIOContext *pb)
+static int klv_read_packet(MXFContext *mxf, KLVPacket *klv, AVIOContext *pb)
{
int64_t length, pos;
if (!mxf_read_sync(pb, mxf_klv_key, 4))
return AVERROR_INVALIDDATA;
klv->offset = avio_tell(pb) - 4;
+ if (klv->offset < mxf->run_in)
+ return AVERROR_INVALIDDATA;
+
memcpy(klv->key, mxf_klv_key, 4);
avio_read(pb, klv->key + 4, 12);
length = klv_decode_ber_length(pb);
@@ -3435,7 +3438,7 @@ static int mxf_seek_to_previous_partition(MXFContext *mxf)
/* Make sure this is actually a PartitionPack, and if so parse it.
* See deadlock2.mxf
*/
- if ((ret = klv_read_packet(&klv, pb)) < 0) {
+ if ((ret = klv_read_packet(mxf, &klv, pb)) < 0) {
av_log(mxf->fc, AV_LOG_ERROR, "failed to read PartitionPack KLV\n");
return ret;
}
@@ -3712,7 +3715,7 @@ static void mxf_read_random_index_pack(AVFormatContext *s)
if (length < min_rip_length || length > max_rip_length)
goto end;
avio_seek(s->pb, file_size - length, SEEK_SET);
- if (klv_read_packet(&klv, s->pb) < 0 ||
+ if (klv_read_packet(mxf, &klv, s->pb) < 0 ||
!IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key))
goto end;
if (klv.next_klv != file_size || klv.length <= 4 || (klv.length - 4) % 12) {
@@ -3759,7 +3762,7 @@ static int mxf_read_header(AVFormatContext *s)
while (!avio_feof(s->pb)) {
const MXFMetadataReadTableEntry *metadata;
- ret = klv_read_packet(&klv, s->pb);
+ ret = klv_read_packet(mxf, &klv, s->pb);
if (ret < 0 || IS_KLV_KEY(klv.key, ff_mxf_random_index_pack_key)) {
if (ret >= 0 && avio_size(s->pb) > klv.next_klv)
av_log(s, AV_LOG_WARNING, "data after the RandomIndexPack, assuming end of file\n");
@@ -4011,7 +4014,7 @@ static int mxf_read_packet(AVFormatContext *s, AVPacket *pkt)
if (pos < mxf->current_klv_data.next_klv - mxf->current_klv_data.length || pos >= mxf->current_klv_data.next_klv) {
mxf->current_klv_data = (KLVPacket){{0}};
- ret = klv_read_packet(&klv, s->pb);
+ ret = klv_read_packet(mxf, &klv, s->pb);
if (ret < 0)
break;
max_data_size = klv.length;