har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/rmdec: Check remaining space in debug av_log() loop

Browse Source 
Fixes: Timeout (long -> 2 ms)
Fixes: 26709/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5665833403285504
Fixes: 27522/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-6321071221112832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-10-30 22:04:37 +01:00
parent f514113cfa
commit a8fe78decd
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavformat/rmdec.c
View File

@ -1290,8 +1290,11 @@ static int ivr_read_header(AVFormatContext *s)
int j; int j;
av_log(s, AV_LOG_DEBUG, "%s = '0x", key); av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
for (j = 0; j < len; j++) for (j = 0; j < len; j++) {
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
}
av_log(s, AV_LOG_DEBUG, "'\n"); av_log(s, AV_LOG_DEBUG, "'\n");
} else if (len == 4 && type == 3 && !strncmp(key, "Duration", tlen)) { } else if (len == 4 && type == 3 && !strncmp(key, "Duration", tlen)) {
st->duration = avio_rb32(pb); st->duration = avio_rb32(pb);