Re: [FFmpeg-devel] [PATCH 3/4] avformat/mlvdec: fail reading a packet with 0 streams
On Mon, Jun 01, 2020 at 11:51:41PM +0200, Michael Niedermayer wrote:
> On Sun, May 31, 2020 at 07:07:11PM -0300, James Almer wrote:
> > On 5/31/2020 6:48 PM, Michael Niedermayer wrote:
> > > On Sun, May 31, 2020 at 10:58:16AM -0300, James Almer wrote:
> > >> On 5/31/2020 10:50 AM, Michael Niedermayer wrote:
> > >>> Fixes: NULL pointer dereference
> > >>> Fixes:
> > >>> 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz
> > >>>
> > >>> Found-by: continuous fuzzing process
> > >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >>> Signed-off-by: Michael Niedermayer
> > >>> ---
> > >>> libavformat/mlvdec.c | 6 +-
> > >>> 1 file changed, 5 insertions(+), 1 deletion(-)
> > >>>
> > >>> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
> > >>> index dae13cae53..03aed71024 100644
> > >>> --- a/libavformat/mlvdec.c
> > >>> +++ b/libavformat/mlvdec.c
> > >>> @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx,
> > >>> AVPacket *pkt)
> > >>> {
> > >>> MlvContext *mlv = avctx->priv_data;
> > >>> AVIOContext *pb;
> > >>> -AVStream *st = avctx->streams[mlv->stream_index];
> > >>> +AVStream *st;
> > >>> int index, ret;
> > >>> unsigned int size, space;
> > >>>
> > >>> +if (!avctx->nb_streams)
> > >>> +return AVERROR_EOF;
> > >>
> > >> Shouldn't you abort during read_header() instead if no streams are ever
> > >> allocated?
> > >
> > > read_header() should fail if the haeder is invalid.
> > > is there something which says that "no streams" is invalid ?
> > >
> > > As it is the read_header() code contains a if() which only make
> > > a difference for a "no stream" case. Which gave me the feeling that
> > > it wasnt intended to fail in that case
> >
> > The checks i'm seeing are all considering video only, audio only, or
> > both, like the very last check in the function where there's no last
> > resort else that would cover a no streams case.
>
> if (vst && ast)
> A
> else if (vst)
> B
> else if (ast)
> C
>
> if one didnt think of "no streams" this would be
> if (vst && ast)
> A
> else if (vst)
> B
> else
> C
>
> if one wanted to reject "no streams" this would be
>
> if (vst && ast)
> A
> else if (vst)
> B
> else if (ast)
> C
> else
> FAIL
>
> to me this looked like the intend was to support that
>
> I have no preferrance between any of this, just wanted to not error
> out on a path that seemed the author didnt want it to error ...
>
>
> >
> > > but i can add the check for no streams in there where theres already
> > > a check for that in read_header ...
> >
> > Unless there's something in a file that could be signaled without
> > streams (All the metadata strings in scan_file() look like they
> > definitely apply to some video or audio stream), such a file seems odd
> > to me, and if the end result will be just signaling EOF as soon as the
> > first attempt at fetching a packet, then might as well just abort in
> > read_header() and save the library caller further processing.
> >
> > Maybe Peter Ross can comment. But in any case, no strong feelings about
> > it, so apply whatever you think is best.
>
> ok, ill wait for peter to reply then or in absence of a reply, next time
> i remember ill apply something
just remembered, so will apply, feel free to replace by another solution
or if peter comes across this in the future. iam happy to replace it
but trying to move forward, leaving it open is worst
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If you drop bombs on a foreign country and kill a hundred thousand
innocent people, expect your government to call the consequence
"unprovoked inhuman terrorist attacks" and use it to justify dropping
more bombs and killing more people. The technology changed, the idea is old.
signature.asc
Description: PGP signature
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 3/4] avformat/mlvdec: fail reading a packet with 0 streams
On Sun, May 31, 2020 at 07:07:11PM -0300, James Almer wrote:
> On 5/31/2020 6:48 PM, Michael Niedermayer wrote:
> > On Sun, May 31, 2020 at 10:58:16AM -0300, James Almer wrote:
> >> On 5/31/2020 10:50 AM, Michael Niedermayer wrote:
> >>> Fixes: NULL pointer dereference
> >>> Fixes:
> >>> 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz
> >>>
> >>> Found-by: continuous fuzzing process
> >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >>> Signed-off-by: Michael Niedermayer
> >>> ---
> >>> libavformat/mlvdec.c | 6 +-
> >>> 1 file changed, 5 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
> >>> index dae13cae53..03aed71024 100644
> >>> --- a/libavformat/mlvdec.c
> >>> +++ b/libavformat/mlvdec.c
> >>> @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx,
> >>> AVPacket *pkt)
> >>> {
> >>> MlvContext *mlv = avctx->priv_data;
> >>> AVIOContext *pb;
> >>> -AVStream *st = avctx->streams[mlv->stream_index];
> >>> +AVStream *st;
> >>> int index, ret;
> >>> unsigned int size, space;
> >>>
> >>> +if (!avctx->nb_streams)
> >>> +return AVERROR_EOF;
> >>
> >> Shouldn't you abort during read_header() instead if no streams are ever
> >> allocated?
> >
> > read_header() should fail if the haeder is invalid.
> > is there something which says that "no streams" is invalid ?
> >
> > As it is the read_header() code contains a if() which only make
> > a difference for a "no stream" case. Which gave me the feeling that
> > it wasnt intended to fail in that case
>
> The checks i'm seeing are all considering video only, audio only, or
> both, like the very last check in the function where there's no last
> resort else that would cover a no streams case.
if (vst && ast)
A
else if (vst)
B
else if (ast)
C
if one didnt think of "no streams" this would be
if (vst && ast)
A
else if (vst)
B
else
C
if one wanted to reject "no streams" this would be
if (vst && ast)
A
else if (vst)
B
else if (ast)
C
else
FAIL
to me this looked like the intend was to support that
I have no preferrance between any of this, just wanted to not error
out on a path that seemed the author didnt want it to error ...
>
> > but i can add the check for no streams in there where theres already
> > a check for that in read_header ...
>
> Unless there's something in a file that could be signaled without
> streams (All the metadata strings in scan_file() look like they
> definitely apply to some video or audio stream), such a file seems odd
> to me, and if the end result will be just signaling EOF as soon as the
> first attempt at fetching a packet, then might as well just abort in
> read_header() and save the library caller further processing.
>
> Maybe Peter Ross can comment. But in any case, no strong feelings about
> it, so apply whatever you think is best.
ok, ill wait for peter to reply then or in absence of a reply, next time
i remember ill apply something
thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who are best at talking, realize last or never when they are wrong.
signature.asc
Description: PGP signature
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 3/4] avformat/mlvdec: fail reading a packet with 0 streams
On 5/31/2020 6:48 PM, Michael Niedermayer wrote:
> On Sun, May 31, 2020 at 10:58:16AM -0300, James Almer wrote:
>> On 5/31/2020 10:50 AM, Michael Niedermayer wrote:
>>> Fixes: NULL pointer dereference
>>> Fixes:
>>> 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz
>>>
>>> Found-by: continuous fuzzing process
>>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer
>>> ---
>>> libavformat/mlvdec.c | 6 +-
>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
>>> index dae13cae53..03aed71024 100644
>>> --- a/libavformat/mlvdec.c
>>> +++ b/libavformat/mlvdec.c
>>> @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx,
>>> AVPacket *pkt)
>>> {
>>> MlvContext *mlv = avctx->priv_data;
>>> AVIOContext *pb;
>>> -AVStream *st = avctx->streams[mlv->stream_index];
>>> +AVStream *st;
>>> int index, ret;
>>> unsigned int size, space;
>>>
>>> +if (!avctx->nb_streams)
>>> +return AVERROR_EOF;
>>
>> Shouldn't you abort during read_header() instead if no streams are ever
>> allocated?
>
> read_header() should fail if the haeder is invalid.
> is there something which says that "no streams" is invalid ?
>
> As it is the read_header() code contains a if() which only make
> a difference for a "no stream" case. Which gave me the feeling that
> it wasnt intended to fail in that case
The checks i'm seeing are all considering video only, audio only, or
both, like the very last check in the function where there's no last
resort else that would cover a no streams case.
> but i can add the check for no streams in there where theres already
> a check for that in read_header ...
Unless there's something in a file that could be signaled without
streams (All the metadata strings in scan_file() look like they
definitely apply to some video or audio stream), such a file seems odd
to me, and if the end result will be just signaling EOF as soon as the
first attempt at fetching a packet, then might as well just abort in
read_header() and save the library caller further processing.
Maybe Peter Ross can comment. But in any case, no strong feelings about
it, so apply whatever you think is best.
>
> thx
>
> [...]
>
>
> ___
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
>
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 3/4] avformat/mlvdec: fail reading a packet with 0 streams
On Sun, May 31, 2020 at 10:58:16AM -0300, James Almer wrote:
> On 5/31/2020 10:50 AM, Michael Niedermayer wrote:
> > Fixes: NULL pointer dereference
> > Fixes:
> > 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer
> > ---
> > libavformat/mlvdec.c | 6 +-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
> > index dae13cae53..03aed71024 100644
> > --- a/libavformat/mlvdec.c
> > +++ b/libavformat/mlvdec.c
> > @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx,
> > AVPacket *pkt)
> > {
> > MlvContext *mlv = avctx->priv_data;
> > AVIOContext *pb;
> > -AVStream *st = avctx->streams[mlv->stream_index];
> > +AVStream *st;
> > int index, ret;
> > unsigned int size, space;
> >
> > +if (!avctx->nb_streams)
> > +return AVERROR_EOF;
>
> Shouldn't you abort during read_header() instead if no streams are ever
> allocated?
read_header() should fail if the haeder is invalid.
is there something which says that "no streams" is invalid ?
As it is the read_header() code contains a if() which only make
a difference for a "no stream" case. Which gave me the feeling that
it wasnt intended to fail in that case
but i can add the check for no streams in there where theres already
a check for that in read_header ...
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Its not that you shouldnt use gotos but rather that you should write
readable code and code with gotos often but not always is less readable
signature.asc
Description: PGP signature
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 3/4] avformat/mlvdec: fail reading a packet with 0 streams
On 5/31/2020 10:50 AM, Michael Niedermayer wrote:
> Fixes: NULL pointer dereference
> Fixes:
> 22604/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5667739074297856.fuzz
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer
> ---
> libavformat/mlvdec.c | 6 +-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
> index dae13cae53..03aed71024 100644
> --- a/libavformat/mlvdec.c
> +++ b/libavformat/mlvdec.c
> @@ -393,10 +393,14 @@ static int read_packet(AVFormatContext *avctx, AVPacket
> *pkt)
> {
> MlvContext *mlv = avctx->priv_data;
> AVIOContext *pb;
> -AVStream *st = avctx->streams[mlv->stream_index];
> +AVStream *st;
> int index, ret;
> unsigned int size, space;
>
> +if (!avctx->nb_streams)
> +return AVERROR_EOF;
Shouldn't you abort during read_header() instead if no streams are ever
allocated?
> +
> +st = avctx->streams[mlv->stream_index];
> if (mlv->pts >= st->duration)
> return AVERROR_EOF;
>
>
___
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
