We ran American Fuzzy Lop on the IMF IAB master file reader and discovered a lot of crashes. These are the fixes in the asdcplib code base.
if ( ASDCP_SUCCESS(result) )
{
if ( ASDCP_SUCCESS(result) )
{
+ if (m_ValueLength < 4)
+ {
+ DefaultLogSink().Error("RIP is too short.\n");
+ return RESULT_FAIL;
+ }
Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength - 4);
result = PairArray.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
}
Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength - 4);
result = PairArray.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
}
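Review bot: The new short-length path returns `RESULT_FAIL`, while the decode failure two lines below it returns `RESULT_KLV_CODING(__LINE__, __FILE__)`. Both are malformed-input errors in the same value, so returning the KLV coding result from the guard as well would make them easier to triage together. The literal `4` is unexplained in both the guard and the `m_ValueLength - 4` it protects. A comment such as `// the trailing 4 bytes of the RIP value are presumably its overall-length field, not pair data` (to be confirmed against the format) would show why a shorter value is rejected. The enclosing function starts and ends outside the hunk.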
if ( ASDCP_SUCCESS(result) )
{
if ( ASDCP_SUCCESS(result) )
{
+ if (m_ValueStart + m_ValueLength > p + l)
+ {
+ DefaultLogSink().Error("Primer entry too long.\n");
+ return RESULT_FAIL;
+ }
Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength);
result = LocalTagEntryBatch.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
}
Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength);
result = LocalTagEntryBatch.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
}
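Review bot: The bound check `m_ValueStart + m_ValueLength > p + l` adds a length parsed from the packet to a pointer before comparing. A very large `m_ValueLength` therefore forms an out-of-range pointer, which is undefined behaviour and may wrap so that the comparison passes. Comparing lengths instead avoids the pointer arithmetic: `if ( m_ValueLength > static_cast<size_t>((p + l) - m_ValueStart) )`. This assumes `m_ValueStart` is already known to lie within `[p, p + l]`, which is established outside this hunk and should be confirmed. The Interchange Object hunk that follows uses the same expression and needs the same change.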
if ( ASDCP_SUCCESS(result) )
{
if ( ASDCP_SUCCESS(result) )
{
+ if (m_ValueStart + m_ValueLength > p + l)
+ {
+ DefaultLogSink().Error("Interchange Object value extends past buffer length.\n");
+ return RESULT_FAIL;
+ }
TLVReader MemRDR(m_ValueStart, m_ValueLength, m_Lookup);
result = InitFromTLVSet(MemRDR);
}
TLVReader MemRDR(m_ValueStart, m_ValueLength, m_Lookup);
result = InitFromTLVSet(MemRDR);
}
//------------------------------------------------------------------------------------------
//------------------------------------------------------------------------------------------
+struct FactoryCompareUL
+{
+ bool operator()(const ASDCP::UL& lhs, const ASDCP::UL& rhs) const
+ {
+ ui32_t test_size = lhs.Size() < rhs.Size() ? lhs.Size() : rhs.Size();
+ for (ui32_t i = 0; i < test_size; i++)
+ {
+ if (i == 7) continue; // skip version to be symmetrical with UL::operator==
+ if (lhs.Value()[i] != rhs.Value()[i])
+ return lhs.Value()[i] < rhs.Value()[i];
+ }
+
+ return false;
+ }
+};
-typedef std::map<ASDCP::UL, ASDCP::MXF::MXFObjectFactory_t>FactoryMap_t;
+typedef std::map<ASDCP::UL, ASDCP::MXF::MXFObjectFactory_t, FactoryCompareUL>FactoryMap_t;
typedef FactoryMap_t::iterator FLi_t;
//
typedef FactoryMap_t::iterator FLi_t;
//
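Review bot: `FactoryCompareUL` compares only the first `min(lhs.Size(), rhs.Size())` bytes, so two keys of different length that share a prefix compare as equivalent. If such keys could ever reach the map, that equivalence is not transitive and breaks the strict weak ordering `std::map` requires. If `UL` is fixed-length, as seems likely from its use here, the min-size logic is dead and `assert(lhs.Size() == rhs.Size());` at the top of `operator()` would state the assumption. The struct also needs a comment saying that keys differing only in byte 7 (the version byte) are the same map key, so a second registration that differs only in version does not get its own entry. A named constant in place of the bare `7` would help as well.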
- FLi_t i = s_FactoryList.find(label.Value());
+ FLi_t i = s_FactoryList.find(label);
if ( i == s_FactoryList.end() )
return new InterchangeObject(Dict);
if ( i == s_FactoryList.end() )
return new InterchangeObject(Dict);
- if ( m_RIP.PairArray.front().ByteOffset != 0 )
+ if ( !m_RIP.PairArray.empty() && m_RIP.PairArray.front().ByteOffset != 0 )
{
DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
return RESULT_AS02_FORMAT;
{
DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
return RESULT_AS02_FORMAT;
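Review bot: An empty RIP now passes this check silently: the added `!m_RIP.PairArray.empty()` guard avoids `front()` on an empty container, but it also skips the format error, so reading continues as if the RIP were valid. Whether the code after this check copes with an empty `PairArray` is not visible in the hunk. If it does not, rejecting the file here is safer, for example `if ( m_RIP.PairArray.empty() ) { DefaultLogSink().Error("RIP contains no partition entries.\n"); return RESULT_AS02_FORMAT; }`. The reader hunk that follows has the same guard and would take the same change with `result = RESULT_FORMAT;`.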
- if ( m_RIP.PairArray.front().ByteOffset != 0 )
+ if ( !m_RIP.PairArray.empty() && m_RIP.PairArray.front().ByteOffset != 0 )
{
DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
result = RESULT_FORMAT;
{
DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
result = RESULT_FORMAT;