From fbeb429e6640090158610f03a8bbaca004b6f256 Mon Sep 17 00:00:00 2001
From: Katerina Blinova
Date: Wed, 29 May 2019 18:39:10 -0700
Subject: [PATCH] Fix crashes from AFL run

We ran American Fuzzy Lop on IMF IAB master file reader and discovered a lot of crashes. These are fixes in the asdcplib code base.
---
 src/MXF.cpp | 34 ++++++++++++++++++++++++++++++++--
 src/h__02_Reader.cpp | 2 +-
 src/h__Reader.cpp | 2 +-
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/src/MXF.cpp b/src/MXF.cpp
index 743cc69..df8bb28 100755
--- a/src/MXF.cpp
+++ b/src/MXF.cpp
@@ -125,6 +125,11 @@ ASDCP::MXF::RIP::InitFromFile(const Kumu::FileReader& Reader)
 if ( ASDCP_SUCCESS(result) )
 {
+ if (m_ValueLength < 4)
+ {
+ DefaultLogSink().Error("RIP is too short.\n");
+ return RESULT_FAIL;
+ }
 Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength - 4);
 result = PairArray.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
 }
@@ -448,6 +453,11 @@ ASDCP::MXF::Primer::InitFromBuffer(const byte_t* p, ui32_t l)
 if ( ASDCP_SUCCESS(result) )
 {
+ if (m_ValueStart + m_ValueLength > p + l)
+ {
+ DefaultLogSink().Error("Primer entry too long.\n");
+ return RESULT_FAIL;
+ }
 Kumu::MemIOReader MemRDR(m_ValueStart, m_ValueLength);
 result = LocalTagEntryBatch.Unarchive(&MemRDR) ? RESULT_OK : RESULT_KLV_CODING(__LINE__, __FILE__);
 }
@@ -1380,6 +1390,11 @@ ASDCP::MXF::InterchangeObject::InitFromBuffer(const byte_t* p, ui32_t l)
 if ( ASDCP_SUCCESS(result) )
 {
+ if (m_ValueStart + m_ValueLength > p + l)
+ {
+ DefaultLogSink().Error("Interchange Object value extends past buffer length.\n");
+ return RESULT_FAIL;
+ }
 TLVReader MemRDR(m_ValueStart, m_ValueLength, m_Lookup);
 result = InitFromTLVSet(MemRDR);
 }
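Review bot: The new guard returns a bare `RESULT_FAIL`, while the failure path on the very next line reports `RESULT_KLV_CODING(__LINE__, __FILE__)`, which presumably carries the location of the rejection; the same mismatch is in the Primer::InitFromBuffer and InterchangeObject::InitFromBuffer hunks of this file. Using the function's existing error vocabulary, `return RESULT_KLV_CODING(__LINE__, __FILE__);`, keeps malformed-length rejections distinguishable from generic failures in the log. The `4` in `m_ValueLength < 4` mirrors the `m_ValueLength - 4` on the following line but neither says what those bytes are; a comment such as `// the last 4 bytes of the RIP value are not pair entries (presumably the trailing overall-length field); keep the subtraction below from underflowing` would make the bound self-explaining. Note that `m_ValueLength == 4` passes the guard and hands a zero-length reader to `PairArray.Unarchive`, so the empty-RIP handling added in the reader files is what ultimately decides that case. InitFromFile continues outside the hunk.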
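Review bot: `m_ValueStart + m_ValueLength > p + l` forms the out-of-range pointer before comparing it, which is the very condition the check is meant to reject: with a corrupt `m_ValueLength` the addition is undefined behaviour, and on a 32-bit build the sum can wrap to an address below `p + l`, so the oversized value passes and `MemRDR` is still built with the bad length. Comparing lengths instead of pointers avoids that: `if ( m_ValueStart < p || m_ValueStart > p + l || m_ValueLength > static_cast<ui32_t>((p + l) - m_ValueStart) )`. This assumes the base-class initializer that set `m_ValueStart` left it pointing into `p..p + l`; the first two terms make that assumption explicit instead of relying on it. The InterchangeObject::InitFromBuffer hunk below uses the same pointer-sum form and should change with it. Primer::InitFromBuffer continues outside the hunk.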
@@ -1440,9 +1455,24 @@ ASDCP::MXF::InterchangeObject::IsA(const byte_t* label)
 //------------------------------------------------------------------------------------------
+struct FactoryCompareUL
+{
+ bool operator()(const ASDCP::UL& lhs, const ASDCP::UL& rhs) const
+ {
+ ui32_t test_size = lhs.Size() < rhs.Size() ? lhs.Size() : rhs.Size();
+ for (ui32_t i = 0; i < test_size; i++)
+ {
+ if (i == 7) continue; // skip version to be symmetrical with UL::operator==
+ if (lhs.Value()[i] != rhs.Value()[i])
+ return lhs.Value()[i] < rhs.Value()[i];
+ }
+
+ return false;
+ }
+};
-typedef std::mapFactoryMap_t;
+typedef std::mapFactoryMap_t;
 typedef FactoryMap_t::iterator FLi_t;
 //
@@ -1503,7 +1533,7 @@ ASDCP::MXF::CreateObject(const Dictionary*& Dict, const UL& label)
 }
 }
- FLi_t i = s_FactoryList.find(label.Value());
+ FLi_t i = s_FactoryList.find(label);
 if ( i == s_FactoryList.end() )
 return new InterchangeObject(Dict);
diff --git a/src/h__02_Reader.cpp b/src/h__02_Reader.cpp
index 17e9b0d..39db8cb 100644
--- a/src/h__02_Reader.cpp
+++ b/src/h__02_Reader.cpp
@@ -430,7 +430,7 @@ AS_02::h__AS02Reader::OpenMXFRead(const std::string& filename)
 }
 //
- if ( m_RIP.PairArray.front().ByteOffset != 0 )
+ if ( !m_RIP.PairArray.empty() && m_RIP.PairArray.front().ByteOffset != 0 )
 {
 DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
 return RESULT_AS02_FORMAT;
diff --git a/src/h__Reader.cpp b/src/h__Reader.cpp
index a764767..77f532e 100755
--- a/src/h__Reader.cpp
+++ b/src/h__Reader.cpp
@@ -108,7 +108,7 @@ ASDCP::h__ASDCPReader::OpenMXFRead(const std::string& filename)
 }
 }
- if ( m_RIP.PairArray.front().ByteOffset != 0 )
+ if ( !m_RIP.PairArray.empty() && m_RIP.PairArray.front().ByteOffset != 0 )
 {
 DefaultLogSink().Error("First Partition in RIP is not at offset 0.\n");
 result = RESULT_FORMAT;
--
2.30.2
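Review bot: `FactoryCompareUL` needs a comment stating that skipping byte 7 changes the map's notion of key identity, not just its order: two ULs differing only in byte 7 are equivalent keys, so `FactoryMap_t` holds at most one factory per version-agnostic UL, and if the list is populated with `std::map::insert` a second registration under another version byte is silently ignored — if that is intended, say so with `// Orders ULs byte-wise but ignores byte 7 (the version byte), mirroring UL::operator==; ULs that differ only in byte 7 are the same key in FactoryMap_t.` The loop also compares only the first `min(lhs.Size(), rhs.Size())` bytes and returns false otherwise, which makes a shorter UL equivalent to every longer UL it prefixes; that is a strict weak ordering only if `UL::Size()` is the same for every key, which looks true here but is not enforced or documented. Minor style: `std::min(lhs.Size(), rhs.Size())` reads better than the hand-written ternary, and hoisting `const byte_t* lv = lhs.Value();` and `const byte_t* rv = rhs.Value();` above the loop avoids calling `Value()` up to four times per byte.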
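Review bot: The added `empty()` test stops the `front()` crash but also lets a RIP with no partition entries pass this check silently, so the reader continues with an empty `m_RIP.PairArray` as if the file were well-formed. Unless an earlier or later step outside the hunk already rejects that state (it is not visible here), an empty RIP should fail with its own message before the offset test: `if ( m_RIP.PairArray.empty() ) { DefaultLogSink().Error("RIP contains no partition entries.\n"); return RESULT_AS02_FORMAT; }`. The `h__Reader.cpp` hunk makes the identical change and needs the same treatment, with `result = RESULT_FORMAT;` as its failure path. OpenMXFRead continues on both sides of the hunk.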