Fix crashes from AFL run

We ran American Fuzzy Lop on IMF IAB master file reader and discovered a lot of crashes. These are fixes in the asdcplib code base.

diff --git a/src/MXF.cpp b/src/MXF.cpp
index 743cc69ea0ddd4499c7da64a29c6392497eaf3d5..df8bb2846cd5bf9c21250b7383129c51f3db7d9b 100755 (executable)
--- a/src/MXF.cpp
+++ b/src/MXF.cpp
@@ -125,6 +125,11 @@ ASDCP::MXF::RIP::InitFromFile(const Kumu::FileReader& Reader)
 
   if ( ASDCP_SUCCESS(result) )
     {
+      if (m_ValueLength < 4)
+      {
+        DefaultLogSink().Error("RIP is too short.\n");
+        return RESULT_FAIL;
+      }
       Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength - 4);
       result = PairArray.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
     }
@@ -448,6 +453,11 @@ ASDCP::MXF::Primer::InitFromBuffer(const byte_t* p, ui32_t l)
 
   if ( ASDCP_SUCCESS(result) )
     {
+      if (m_ValueStart + m_ValueLength > p + l)
+      {
+        DefaultLogSink().Error("Primer entry too long.\n");
+        return RESULT_FAIL;
+      }
       Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength);
       result = LocalTagEntryBatch.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
     }
@@ -1380,6 +1390,11 @@ ASDCP::MXF::InterchangeObject::InitFromBuffer(const byte_t* p, ui32_t l)
 
       if ( ASDCP_SUCCESS(result) )
        {
+    if (m_ValueStart + m_ValueLength > p  + l)
+    {
+      DefaultLogSink().Error("Interchange Object value extends past buffer length.\n");
+      return RESULT_FAIL;
+    }
          TLVReader MemRDR(m_ValueStart, m_ValueLength, m_Lookup);
          result = InitFromTLVSet(MemRDR);
        }
@@ -1440,9 +1455,24 @@ ASDCP::MXF::InterchangeObject::IsA(const byte_t* label)
 
 
 //------------------------------------------------------------------------------------------
+struct FactoryCompareUL
+{
+    bool operator()(const ASDCP::UL& lhs, const ASDCP::UL& rhs) const
+    {
+        ui32_t test_size = lhs.Size() < rhs.Size() ? lhs.Size() : rhs.Size();
 
+        for (ui32_t i = 0; i < test_size; i++)
+        {
+            if (i == 7) continue; // skip version to be symmetrical with UL::operator==
+            if (lhs.Value()[i] != rhs.Value()[i])
+                return lhs.Value()[i] < rhs.Value()[i];
+        }
+
+        return false;
+    }
+};
 
-typedef std::map<ASDCP::UL, ASDCP::MXF::MXFObjectFactory_t>FactoryMap_t;
+typedef std::map<ASDCP::UL, ASDCP::MXF::MXFObjectFactory_t, FactoryCompareUL>FactoryMap_t;
 typedef FactoryMap_t::iterator FLi_t;
 
 //
@@ -1503,7 +1533,7 @@ ASDCP::MXF::CreateObject(const Dictionary*& Dict, const UL& label)
        }
     }
 
-  FLi_t i = s_FactoryList.find(label.Value());
+  FLi_t i = s_FactoryList.find(label);
 
   if ( i == s_FactoryList.end() )
     return new InterchangeObject(Dict);

diff --git a/src/h__02_Reader.cpp b/src/h__02_Reader.cpp
index 17e9b0d78385ce9b93c3d95db490ac5befc3a2b7..39db8cbe37623a3a20a0e4b16daafe167e42a5a3 100644 (file)
--- a/src/h__02_Reader.cpp
+++ b/src/h__02_Reader.cpp
@@ -430,7 +430,7 @@ AS_02::h__AS02Reader::OpenMXFRead(const std::string& filename)
        }
 
       //
-      if ( m_RIP.PairArray.front().ByteOffset != 0 )
+      if ( !m_RIP.PairArray.empty() && m_RIP.PairArray.front().ByteOffset != 0 )
        {
          DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
          return RESULT_AS02_FORMAT;

diff --git a/src/h__Reader.cpp b/src/h__Reader.cpp
index a764767fc99837062595229503fbcf17e98bfc26..77f532e7fe20c1edd6d90a29d37b9ec9f1900c55 100755 (executable)
--- a/src/h__Reader.cpp
+++ b/src/h__Reader.cpp
@@ -108,7 +108,7 @@ ASDCP::h__ASDCPReader::OpenMXFRead(const std::string& filename)
            }
        }
 
-      if ( m_RIP.PairArray.front().ByteOffset != 0 )
+      if ( !m_RIP.PairArray.empty() && m_RIP.PairArray.front().ByteOffset != 0 )
        {
          DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
          result = RESULT_FORMAT;