flvdec: Check for nesting depth in amf_parse_object()

Anton Khirnov Tue, 26 Jan 2021 07:37:55 -0800

Quoting Michael Niedermayer (2021-01-25 21:29:21)
> On Sun, Jan 24, 2021 at 02:14:43PM +0100, Anton Khirnov wrote:
> > Quoting Michael Niedermayer (2021-01-23 23:10:54)
> > > Fixes: out of array access
> > > Fixes: 
> > > 29202/clusterfuzz-testcase-minimized-ffmpeg_dem_KUX_fuzzer-5112845840809984
> > > 
> > > Found-by: continuous fuzzing process 
> > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> > > ---
> > >  libavformat/flvdec.c | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > > 
> > > diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
> > > index 07ef342278..e15be0a221 100644
> > > --- a/libavformat/flvdec.c
> > > +++ b/libavformat/flvdec.c
> > > @@ -41,6 +41,8 @@
> > >  
> > >  #define RESYNC_BUFFER_SIZE (1<<20)
> > >  
> > > +#define MAX_DEPTH 10
> > 
> > Why 10 specifically.
> 
> 10 is arbitrary, we could pick 5 or 100 probably


or a round number like 16 :)

> 
> > And which buffer overflows?
> 
> stack

Okay, please add a comment like
// arbitrary limit to prevent unbounded recursion

-- 
Anton Khirnov
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH 4/6] avformat/flvdec: Check for nesting depth in amf_parse_object()

Reply via email to