RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avformat/paf: Check for EOF in read_table() 

Fixes: OOM
Fixes: 26528/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5081929248145408
Fixes: 26584/clusterfuzz-testcase-minimized-ffmpeg_dem_PAF_fuzzer-5172661183053824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 437b7302b0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-10-24 20:30:48 +02:00
parent 5d804bfba3
commit f201ec88d0
1 changed files with 15 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libavformat/paf.c
View File

@ -75,14 +75,18 @@ static int read_close(AVFormatContext *s)
return 0;
}
static void read_table(AVFormatContext *s, uint32_t *table, uint32_t count)
static int read_table(AVFormatContext *s, uint32_t *table, uint32_t count)
{
int i;
for (i = 0; i < count; i++)
for (i = 0; i < count; i++) {
if (avio_feof(s->pb))
return AVERROR_INVALIDDATA;
table[i] = avio_rl32(s->pb);
}
avio_skip(s->pb, 4 * (FFALIGN(count, 512) - count));
return 0;
}
static int read_header(AVFormatContext *s)
@ -171,9 +175,15 @@ static int read_header(AVFormatContext *s)
avio_seek(pb, p->buffer_size, SEEK_SET);
read_table(s, p->blocks_count_table, p->nb_frames);
read_table(s, p->frames_offset_table, p->nb_frames);
read_table(s, p->blocks_offset_table, p->frame_blks);
ret = read_table(s, p->blocks_count_table, p->nb_frames);
if (ret < 0)
goto fail;
ret = read_table(s, p->frames_offset_table, p->nb_frames);
if (ret < 0)
goto fail;
ret = read_table(s, p->blocks_offset_table, p->frame_blks);
if (ret < 0)
goto fail;
p->got_audio = 0;
p->current_frame = 0;