From 442d9412d21590c7a816118032c92070e00a1cc1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 22 Sep 2023 21:13:44 +0200
Subject: [PATCH] avformat/mxfdec: Remove this_partition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Suggested-by: Tomas Härdin
Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5130394286817280
Signed-off-by: Michael Niedermayer
---
 libavformat/mxfdec.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 4846c5d206..5fa2473e81 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -102,7 +102,6 @@ typedef struct MXFPartition {
 uint64_t previous_partition;
 int index_sid;
 int body_sid;
- int64_t this_partition;
 int64_t essence_offset; ///< absolute offset of essence
 int64_t essence_length;
 int32_t kag_size;
@@ -727,10 +726,13 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
 UID op;
 uint64_t footer_partition;
 uint32_t nb_essence_containers;
+ uint64_t this_partition;

 if (mxf->partitions_count >= INT_MAX / 2)
 return AVERROR_INVALIDDATA;

+ av_assert0(klv_offset >= mxf->run_in);
+
 tmp_part = av_realloc_array(mxf->partitions, mxf->partitions_count + 1, sizeof(*mxf->partitions));
 if (!tmp_part)
 return AVERROR(ENOMEM);
@@ -773,7 +775,13 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
 partition->complete = uid[14] > 2;
 avio_skip(pb, 4);
 partition->kag_size = avio_rb32(pb);
- partition->this_partition = avio_rb64(pb);
+ this_partition = avio_rb64(pb);
+ if (this_partition != klv_offset - mxf->run_in) {
+ av_log(mxf->fc, AV_LOG_ERROR,
+ "this_partition %"PRId64" mismatches %"PRId64"\n",
+ this_partition, klv_offset - mxf->run_in);
+ return AVERROR_INVALIDDATA;
+ }
 partition->previous_partition = avio_rb64(pb);
 footer_partition = avio_rb64(pb);
 partition->header_byte_count = avio_rb64(pb);
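Review bot: The added `av_assert0(klv_offset >= mxf->run_in);` in mxf_read_partition_pack turns a violated invariant into a process abort while a file is being parsed. Whether a malformed file can make `klv_offset` smaller than `run_in` cannot be judged from this hunk, so either a comment should state why that cannot happen, or the check should fail softly like the one above it: `if (klv_offset < mxf->run_in) return AVERROR_INVALIDDATA;`. The function starts before and continues after the hunk, and `klv_offset` is presumably one of its parameters (the signature is cut off in the hunk header).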
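Review bot: The new error message prints `this_partition` with `PRId64` although the variable is declared `uint64_t` in the previous hunk of the same function, so the specifier does not match the argument type and values above INT64_MAX would be logged as negative numbers. `"this_partition %"PRIu64" mismatches %"PRId64"\n",` would match the declared type; the neighbouring ThisPartition messages use hex (`PRIx64`), which would also be consistent if the second argument is cast. The comparison `this_partition != klv_offset - mxf->run_in` mixes an unsigned value with what is presumably a signed expression and is only sound because of the assert added earlier, which deserves a one-line comment. The function continues outside the hunk.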
@@ -793,8 +801,8 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
 av_dict_set(&s->metadata, "operational_pattern_ul", str, 0);
 }

- if (partition->this_partition &&
- partition->previous_partition == partition->this_partition) {
+ if (this_partition &&
+ partition->previous_partition == this_partition) {
 av_log(mxf->fc, AV_LOG_ERROR,
 "PreviousPartition equal to ThisPartition %"PRIx64"\n",
 partition->previous_partition);
@@ -802,11 +810,11 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
 if (!mxf->parsing_backward && mxf->last_forward_partition > 1) {
 MXFPartition *prev =
 mxf->partitions + mxf->last_forward_partition - 2;
- partition->previous_partition = prev->this_partition;
+ partition->previous_partition = prev->pack_ofs - mxf->run_in;
 }
 /* if no previous body partition are found point to the header
 * partition */
- if (partition->previous_partition == partition->this_partition)
+ if (partition->previous_partition == this_partition)
 partition->previous_partition = 0;
 av_log(mxf->fc, AV_LOG_ERROR,
 "Overriding PreviousPartition with %"PRIx64"\n",
@@ -828,7 +836,7 @@ static int mxf_read_partition_pack(void *arg, AVIOContext *pb, int tag, int size
 "PartitionPack: ThisPartition = 0x%"PRIX64
 ", PreviousPartition = 0x%"PRIX64", "
 "FooterPartition = 0x%"PRIX64", IndexSID = %i, BodySID = %i\n",
- partition->this_partition,
+ this_partition,
 partition->previous_partition, footer_partition,
 partition->index_sid, partition->body_sid);

@@ -902,7 +910,7 @@ static uint64_t partition_score(MXFPartition *p)
 score = 3;
 else
 score = 1;
- return (score << 60) | ((uint64_t)p->this_partition >> 4);
+ return (score << 60) | ((uint64_t)p->pack_ofs >> 4);
 }

 static int mxf_add_metadata_set(MXFContext *mxf, MXFMetadataSet **metadata_set)
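Review bot: In partition_score the replacement is the absolute `p->pack_ofs`, while every other replacement in this commit uses `pack_ofs - mxf->run_in` as the stand-in for ThisPartition, and nothing in the hunk says the difference is intended. If it is deliberate (the function has no MXFContext, and a constant shift presumably keeps the relative order of partitions), a comment on the return line would record that, for example `/* absolute offset: run_in shifts all partitions equally, so ranking is unaffected */`. The low 60 bits of the score now also depend on the run-in length, which is worth confirming against the callers that compare scores; those are outside this hunk, as is the start of the function.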
@@ -3539,14 +3547,14 @@ static void mxf_compute_essence_containers(AVFormatContext *s)

 /* essence container spans to the next partition */
 if (x < mxf->partitions_count - 1)
 - p->essence_length = mxf->partitions[x+1].this_partition - p->essence_offset;
+ p->essence_length = mxf->partitions[x+1].pack_ofs - mxf->run_in - p->essence_offset;

 if (p->essence_length < 0) {
 /* next ThisPartition < essence_offset */
 p->essence_length = 0;
 av_log(mxf->fc, AV_LOG_ERROR,
 "partition %i: bad ThisPartition = %"PRIX64"\n",
- x+1, mxf->partitions[x+1].this_partition);
+ x+1, mxf->partitions[x+1].pack_ofs - mxf->run_in);
 }
 }
 }
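Review bot: The new `p->essence_length` expression subtracts `mxf->run_in` from the next partition's `pack_ofs` and then subtracts `p->essence_offset`, which the struct comment in this same patch describes as an absolute offset, so the two operands may be in different coordinate systems. If `essence_offset` really includes the run-in, the length comes out short by `run_in` bytes and the `< 0` branch can fire for a valid file with a run-in; the consistent form would be `p->essence_length = mxf->partitions[x+1].pack_ofs - p->essence_offset;`. This keeps the arithmetic the old field produced, so it is likely an older issue that the rewrite makes visible, and it should be confirmed against where `essence_offset` is assigned, which is outside the hunk. The logged value is a signed difference printed with `PRIX64`; a `(uint64_t)` cast would make the argument match the specifier.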