fix: ensure ssix box is large enough to read

Author: eric

mp4/fuzz_test.go

@@ -9,10 +9,12 @@ import (
 	"errors"
 	"io"
 	"os"
+	"path/filepath"
 	"runtime"
-	"strings"
 	"testing"
 	"time"
+
+	"github.com/Eyevinn/mp4ff/bits"
 )
 
 func monitorMemory(ctx context.Context, t *testing.T, memoryLimit int) {
@@ -43,8 +45,18 @@ func FuzzDecodeBox(f *testing.F) {
 		f.Fatal(err)
 	}
 
+	validExts := map[string]bool{
+		".mp4":  true,
+		".m4s":  true,
+		".cmfv": true,
+	}
+
 	for _, entry := range entries {
-		if !entry.IsDir() && strings.HasSuffix(entry.Name(), ".mp4") {
+		if entry.IsDir() {
+			continue
+		}
+
+		if validExts[filepath.Ext(entry.Name())] {
 			testData, err := os.ReadFile("testdata/" + entry.Name())
 			if err != nil {
 				f.Fatal(err)
@@ -59,7 +71,6 @@ func FuzzDecodeBox(f *testing.F) {
 		monitorMemory(ctx, t, 500*1024*1024) // 500MB
 
 		r := bytes.NewReader(b)
-
 		var pos uint64 = 0
 		for {
 			box, err := DecodeBox(pos, r)
@@ -73,5 +84,20 @@ func FuzzDecodeBox(f *testing.F) {
 			}
 			pos += box.Size()
 		}
+
+		pos = 0
+		sr := bits.NewFixedSliceReader(b)
+		for {
+			box, err := DecodeBoxSR(pos, sr)
+			if err != nil {
+				if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
+					break
+				}
+			}
+			if box == nil {
+				break
+			}
+			pos += box.Size()
+		}
 	})
 }

mp4/ssix.go

@@ -70,6 +70,9 @@ func DecodeSsixSR(hdr BoxHeader, startPos uint64, sr bits.SliceReader) (Box, err
 		Version: version,
 		Flags:   versionAndFlags & flagsMask,
 	}
+	if hdr.Size < 16 {
+		return nil, fmt.Errorf("ssix: box is too small")
+	}
 	subSegmentCount := sr.ReadUint32()
 	sizeLeft := hdr.Size - 16
 	if subSegmentCount > uint32(sizeLeft/8) {

mp4/testdata/fuzz/FuzzDecodeBox/6041c517bf46e9ee

@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("\x00\x00\x00\bssix\x00\x00\x00\x0100,\x00")