| author | Katerina Blinova <kblin@dolby.com> | 2019-05-29 18:39:10 -0700 |
|---|---|---|
| committer | Katerina Blinova <kblin@dolby.com> | 2019-05-29 18:39:10 -0700 |
| commit | e195bf10ce03b9501ddab62073bef602713cdda6 (patch) | |
| tree | b6b2dbd81ea54ddc72bb284f55606aadb99d02eb /src/MXF.cpp | |
| parent | a47c9580834223971a310e572a249e7fdb115618 (diff) | |
Fix crashes from AFL run
We ran American Fuzzy Lop on the IMF IAB master file reader and discovered a lot of crashes. These are fixes in the asdcplib code base.
Diffstat (limited to 'src/MXF.cpp')
| -rwxr-xr-x | src/MXF.cpp | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/src/MXF.cpp b/src/MXF.cpp
index 743cc69..df8bb28 100755
--- a/src/MXF.cpp
+++ b/src/MXF.cpp
@@ -125,6 +125,11 @@ ASDCP::MXF::RIP::InitFromFile(const Kumu::FileReader& Reader)
   if ( ASDCP_SUCCESS(result) )
     {
+      if (m_ValueLength < 4)
+      {
+        DefaultLogSink().Error("RIP is too short.\n");
+        return RESULT_FAIL;
+      }
       Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength - 4);
       result = PairArray.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
     }
@@ -448,6 +453,11 @@ ASDCP::MXF::Primer::InitFromBuffer(const byte_t* p, ui32_t l)
   if ( ASDCP_SUCCESS(result) )
     {
+      if (m_ValueStart + m_ValueLength > p + l)
+      {
+        DefaultLogSink().Error("Primer entry too long.\n");
+        return RESULT_FAIL;
+      }
       Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength);
       result = LocalTagEntryBatch.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
     }
@@ -1380,6 +1390,11 @@ ASDCP::MXF::InterchangeObject::InitFromBuffer(const byte_t* p, ui32_t l)
   if ( ASDCP_SUCCESS(result) )
     {
+      if (m_ValueStart + m_ValueLength > p + l)
+      {
+        DefaultLogSink().Error("Interchange Object value extends past buffer length.\n");
+        return RESULT_FAIL;
+      }
       TLVReader MemRDR(m_ValueStart, m_ValueLength, m_Lookup);
       result = InitFromTLVSet(MemRDR);
     }
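Review bot: The new guard in Primer::InitFromBuffer forms the pointer `m_ValueStart + m_ValueLength` before checking it, and since m_ValueLength is decoded from the KLV length of untrusted input, that addition can run past the end of the buffer (undefined behaviour, and a pointer that wraps would still pass the `> p + l` test). Compare offsets and lengths instead: `if (m_ValueStart < p || static_cast<ui32_t>(m_ValueStart - p) > l || m_ValueLength > l - static_cast<ui32_t>(m_ValueStart - p))`. The same pattern appears in the InterchangeObject::InitFromBuffer hunk at @@ -1380. Both enclosing functions begin before their hunks, so whether the preceding call already guarantees m_ValueStart lies within p..p+l is not visible here; if it does, the first two terms of the condition can be dropped.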
@@ -1440,9 +1455,24 @@ ASDCP::MXF::InterchangeObject::IsA(const byte_t* label)
 //------------------------------------------------------------------------------------------
+struct FactoryCompareUL
+{
+  bool operator()(const ASDCP::UL& lhs, const ASDCP::UL& rhs) const
+  {
+    ui32_t test_size = lhs.Size() < rhs.Size() ? lhs.Size() : rhs.Size();
+    for (ui32_t i = 0; i < test_size; i++)
+    {
+      if (i == 7) continue; // skip version to be symmetrical with UL::operator==
+      if (lhs.Value()[i] != rhs.Value()[i])
+        return lhs.Value()[i] < rhs.Value()[i];
+    }
+
+    return false;
+  }
+};
-typedef std::map<ASDCP::UL, ASDCP::MXF::MXFObjectFactory_t>FactoryMap_t;
+typedef std::map<ASDCP::UL, ASDCP::MXF::MXFObjectFactory_t, FactoryCompareUL>FactoryMap_t;
 typedef FactoryMap_t::iterator FLi_t;
 //
@@ -1503,7 +1533,7 @@ ASDCP::MXF::CreateObject(const Dictionary*& Dict, const UL& label)
     }
     }
-  FLi_t i = s_FactoryList.find(label.Value());
+  FLi_t i = s_FactoryList.find(label);
   if ( i == s_FactoryList.end() )
     return new InterchangeObject(Dict);
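Review bot: FactoryCompareUL::operator() carries no comment stating the ordering property a std::map comparator must satisfy, and its min-size handling quietly treats a shorter UL as equivalent to any longer UL it is a prefix of, which is only a strict weak ordering when every key has the same Size(); a comment such as `// Strict weak ordering over the UL bytes, ignoring byte 7 (version) so lookups match UL::operator==; assumes all keys share the same Size().` would make that assumption explicit for the next maintainer. On style, `ui32_t test_size = std::min(lhs.Size(), rhs.Size());` reads better than the hand-written ternary (if <algorithm> is already included), and hoisting `const byte_t* l = lhs.Value();` and `const byte_t* r = rhs.Value();` out of the loop avoids four Value() calls per iteration. The `find(label)` change in the @@ -1503 hunk is the matching caller-side update for the new comparator and needs nothing further.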
