The codepath repeatedly seeks back to the same byte and fills the table with this

Fixes: Timeout (reading billions of times the same byte)
Fixes: 35510/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5742289044504576

I have not found any samples in our archive or the fate samples which use this codepath, also I found no specification. If anyone has either, please reply.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
--- libavformat/aaxdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c index 643bc5f9a5..1bf4b689c9 100644 --- a/libavformat/aaxdec.c +++ b/libavformat/aaxdec.c @@ -238,6 +238,10 @@ static int aax_read_header(AVFormatContext *s) for (uint64_t r = 0; r < a->nb_segments; r++) { if (flag & COLUMN_FLAG_DEFAULT) { data_offset = a->schema_offset + col_offset; + if (a->nb_segments > 1) { + avpriv_request_sample(s, "Column default"); + return AVERROR_PATCHWELCOME; + } } else if (flag & COLUMN_FLAG_ROW) { data_offset = a->rows_offset + r * a->row_width + col_offset; } else -- 2.17.1
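Review bot: In the COLUMN_FLAG_DEFAULT branch of aax_read_header(), the new `a->nb_segments > 1` test sits inside the `for (uint64_t r = 0; ...)` loop and after the `data_offset` assignment, yet it depends only on `a->nb_segments`, which the loop does not change, so it can only ever trigger on the first iteration. Placing the check before the assignment (or ahead of the row loop, guarded by the same flag test) would make it clearer that the file is rejected before any offset is used. The sample-request string "Column default" gives a user little to go on; something like "COLUMN_FLAG_DEFAULT with more than one segment" would say what was actually unsupported, and a short code comment noting that every row would otherwise resolve to the same `a->schema_offset + col_offset` would record why the case is refused. The hunk does not show what aax_read_header() has allocated by this point, so it is worth confirming that a bare `return AVERROR_PATCHWELCOME` leaves nothing behind that the function's other error paths release.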