Merge pull request #312 from mozilla/ossfuzz-35486

baumanj · web-flow · commit 5b3179473b60 · 2021-06-22T14:50:30.000-07:00
Gracefully fail when the number of bytes a ctts box reports overflows `u32`
diff --git a/mp4parse/src/lib.rs b/mp4parse/src/lib.rs
@@ -3439,11 +3439,9 @@ fn read_ctts<T: Read>(src: &mut BMFFBox<T>) -> Result<CompositionOffsetBox> {
 
     let counts = be_u32(src)?;
 
-    if src.bytes_left()
-        < counts
-            .checked_mul(8)
-            .expect("counts -> bytes overflow")
-            .into()
+    if counts
+        .checked_mul(8)
+        .map_or(true, |bytes| u64::from(bytes) > src.bytes_left())
     {
         return Err(Error::InvalidData("insufficient data in 'ctts' box"));
     }
@@ -3469,7 +3467,7 @@ fn read_ctts<T: Read>(src: &mut BMFFBox<T>) -> Result<CompositionOffsetBox> {
         })?;
     }
 
-    skip_box_remain(src)?;
+    check_parser_state!(src.content);
 
     Ok(CompositionOffsetBox { samples: offsets })
 }
diff --git a/mp4parse/tests/clusterfuzz-testcase-minimized-mp4-6093954524250112 b/mp4parse/tests/clusterfuzz-testcase-minimized-mp4-6093954524250112
diff --git a/mp4parse/tests/public.rs b/mp4parse/tests/public.rs
@@ -723,6 +723,13 @@ fn public_mp4_bug_1185230() {
     assert_eq!(number_audio_tracks, 2);
 }
 
+#[test]
+fn public_mp4_ctts_overflow() {
+    let input = &mut File::open("tests/clusterfuzz-testcase-minimized-mp4-6093954524250112")
+        .expect("Unknown file");
+    assert_invalid_data(mp4::read_mp4(input), "insufficient data in 'ctts' box");
+}
+
 #[test]
 fn public_avif_primary_item() {
     let input = &mut File::open(IMAGE_AVIF).expect("Unknown file");

Original file line number	Diff line number	Diff line change
`@@ -3439,11 +3439,9 @@ fn read_ctts<T: Read>(src: &mut BMFFBox<T>) -> Result<CompositionOffsetBox> {`
`3439`	`3439`
`3440`	`3440`	`let counts = be_u32(src)?;`
`3441`	`3441`
`3442`		`- if src.bytes_left()`
`3443`		`- < counts`
`3444`		`- .checked_mul(8)`
`3445`		`- .expect("counts -> bytes overflow")`
`3446`		`- .into()`
	`3442`	`+ if counts`
	`3443`	`+ .checked_mul(8)`
	`3444`	`+ .map_or(true, \|bytes\| u64::from(bytes) > src.bytes_left())`
`3447`	`3445`	`{`
`3448`	`3446`	`return Err(Error::InvalidData("insufficient data in 'ctts' box"));`
`3449`	`3447`	`}`
`@@ -3469,7 +3467,7 @@ fn read_ctts<T: Read>(src: &mut BMFFBox<T>) -> Result<CompositionOffsetBox> {`
`3469`	`3467`	`})?;`
`3470`	`3468`	`}`
`3471`	`3469`
`3472`		`- skip_box_remain(src)?;`
	`3470`	`+ check_parser_state!(src.content);`
`3473`	`3471`
`3474`	`3472`	`Ok(CompositionOffsetBox { samples: offsets })`
`3475`	`3473`	`}`