From 9bc15dfba44533c9e0f2cc54eec519b359f7f0c5 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Thu, 17 Nov 2016 00:04:57 +0100
Subject: [PATCH] ffmdec: sanitize codec parameters
A negative extradata size for example gets passed to memcpy in
avcodec_parameters_from_context causing a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
libavformat/ffmdec.c | 105 ++++++++++++++++++++++++++++++---------------------
1 file changed, 62 insertions(+), 43 deletions(-)
@@ -21,6 +21,7 @@
#include <stdint.h>
+#include "libavutil/imgutils.h"
#include "libavutil/internal.h"
#include "libavutil/intreadwrite.h"
#include "libavutil/intfloat.h"
@@ -28,6 +29,7 @@
#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/pixdesc.h"
+#include "libavcodec/internal.h"
#include "avformat.h"
#include "internal.h"
#include "ffm.h"
@@ -277,6 +279,13 @@ static int ffm_append_recommended_configuration(AVStream *st, char **conf)
return 0;
}
+#define SANITIZE_PARAMETER(parameter, name, check, default) { \
+ if (check) { \
+ av_log(codec, AV_LOG_WARNING, "Invalid " name " %d\n", codec->parameter); \
+ codec->parameter = default; \
+ } \
+}
+
static int ffm2_read_header(AVFormatContext *s)
{
FFMContext *ffm = s->priv_data;
@@ -346,23 +355,29 @@ static int ffm2_read_header(AVFormatContext *s)
}
codec->codec_type = avio_r8(pb);
if (codec->codec_type != codec_desc->type) {
- av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n",
+ av_log(s, AV_LOG_WARNING, "Codec type mismatch: expected %d, found %d\n",
codec_desc->type, codec->codec_type);
- codec->codec_id = AV_CODEC_ID_NONE;
- codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
- goto fail;
+ codec->codec_type = codec_desc->type;
}
codec->bit_rate = avio_rb32(pb);
+ if (codec->bit_rate < 0) {
+ av_log(codec, AV_LOG_WARNING, "Invalid bit rate %"PRId64"\n", codec->bit_rate);
+ codec->bit_rate = 0;
+ }
codec->flags = avio_rb32(pb);
codec->flags2 = avio_rb32(pb);
codec->debug = avio_rb32(pb);
if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
int size = avio_rb32(pb);
- codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
- if (!codec->extradata)
- return AVERROR(ENOMEM);
- codec->extradata_size = size;
- avio_read(pb, codec->extradata, size);
+ if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) {
+ av_log(s, AV_LOG_WARNING, "Invalid extradata size %d\n", size);
+ } else {
+ codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
+ if (!codec->extradata)
+ return AVERROR(ENOMEM);
+ codec->extradata_size = size;
+ avio_read(pb, codec->extradata, size);
+ }
}
break;
case MKBETAG('S', 'T', 'V', 'I'):
@@ -372,21 +387,21 @@ static int ffm2_read_header(AVFormatContext *s)
}
codec->time_base.num = avio_rb32(pb);
codec->time_base.den = avio_rb32(pb);
- if (codec->time_base.num <= 0 || codec->time_base.den <= 0) {
- av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n",
+ if (codec->time_base.num < 0 || codec->time_base.den <= 0) {
+ av_log(s, AV_LOG_WARNING, "Invalid time base %d/%d\n",
codec->time_base.num, codec->time_base.den);
- ret = AVERROR_INVALIDDATA;
- goto fail;
+ codec->time_base.num = 0;
+ codec->time_base.den = 1;
}
codec->width = avio_rb16(pb);
codec->height = avio_rb16(pb);
+ if (av_image_check_size(codec->width, codec->height, 0, s) < 0) {
+ codec->width = 0;
+ codec->height = 0;
+ }
codec->gop_size = avio_rb16(pb);
codec->pix_fmt = avio_rb32(pb);
- if (!av_pix_fmt_desc_get(codec->pix_fmt)) {
- av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt);
- codec->pix_fmt = AV_PIX_FMT_NONE;
- goto fail;
- }
+ SANITIZE_PARAMETER(pix_fmt, "pixel format", codec->pix_fmt != AV_PIX_FMT_NONE && !av_pix_fmt_desc_get(codec->pix_fmt), AV_PIX_FMT_NONE)
codec->qmin = avio_r8(pb);
codec->qmax = avio_r8(pb);
codec->max_qdiff = avio_r8(pb);
@@ -432,13 +447,11 @@ static int ffm2_read_header(AVFormatContext *s)
goto fail;
}
codec->sample_rate = avio_rb32(pb);
- if (codec->sample_rate <= 0) {
- av_log(s, AV_LOG_ERROR, "Invalid sample rate %d\n", codec->sample_rate);
- ret = AVERROR_INVALIDDATA;
- goto fail;
- }
+ SANITIZE_PARAMETER(sample_rate, "sample rate", codec->sample_rate < 0, 0)
codec->channels = avio_rl16(pb);
+ SANITIZE_PARAMETER(channels, "number of channels", codec->channels < 0, 0)
codec->frame_size = avio_rl16(pb);
+ SANITIZE_PARAMETER(frame_size, "frame size", codec->frame_size < 0, 0)
break;
case MKBETAG('C', 'P', 'R', 'V'):
if (f_cprv++) {
@@ -563,13 +576,15 @@ static int ffm_read_header(AVFormatContext *s)
}
codec->codec_type = avio_r8(pb); /* codec_type */
if (codec->codec_type != codec_desc->type) {
- av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n",
+ av_log(s, AV_LOG_WARNING, "Codec type mismatch: expected %d, found %d\n",
codec_desc->type, codec->codec_type);
- codec->codec_id = AV_CODEC_ID_NONE;
- codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
- goto fail;
+ codec->codec_type = codec_desc->type;
}
codec->bit_rate = avio_rb32(pb);
+ if (codec->bit_rate < 0) {
+ av_log(codec, AV_LOG_WARNING, "Invalid bit rate %"PRId64"\n", codec->bit_rate);
+ codec->bit_rate = 0;
+ }
codec->flags = avio_rb32(pb);
codec->flags2 = avio_rb32(pb);
codec->debug = avio_rb32(pb);
@@ -579,19 +594,20 @@ static int ffm_read_header(AVFormatContext *s)
codec->time_base.num = avio_rb32(pb);
codec->time_base.den = avio_rb32(pb);
if (codec->time_base.num <= 0 || codec->time_base.den <= 0) {
- av_log(s, AV_LOG_ERROR, "Invalid time base %d/%d\n",
+ av_log(s, AV_LOG_WARNING, "Invalid time base %d/%d\n",
codec->time_base.num, codec->time_base.den);
- goto fail;
+ codec->time_base.num = 0;
+ codec->time_base.den = 1;
}
codec->width = avio_rb16(pb);
codec->height = avio_rb16(pb);
+ if (av_image_check_size(codec->width, codec->height, 0, s) < 0) {
+ codec->width = 0;
+ codec->height = 0;
+ }
codec->gop_size = avio_rb16(pb);
codec->pix_fmt = avio_rb32(pb);
- if (!av_pix_fmt_desc_get(codec->pix_fmt)) {
- av_log(s, AV_LOG_ERROR, "Invalid pix fmt id: %d\n", codec->pix_fmt);
- codec->pix_fmt = AV_PIX_FMT_NONE;
- goto fail;
- }
+ SANITIZE_PARAMETER(pix_fmt, "pixel format", codec->pix_fmt != AV_PIX_FMT_NONE && !av_pix_fmt_desc_get(codec->pix_fmt), AV_PIX_FMT_NONE)
codec->qmin = avio_r8(pb);
codec->qmax = avio_r8(pb);
codec->max_qdiff = avio_r8(pb);
@@ -633,23 +649,26 @@ static int ffm_read_header(AVFormatContext *s)
break;
case AVMEDIA_TYPE_AUDIO:
codec->sample_rate = avio_rb32(pb);
- if (codec->sample_rate <= 0) {
- av_log(s, AV_LOG_ERROR, "Invalid sample rate %d\n", codec->sample_rate);
- goto fail;
- }
+ SANITIZE_PARAMETER(sample_rate, "sample rate", codec->sample_rate < 0, 0)
codec->channels = avio_rl16(pb);
+ SANITIZE_PARAMETER(channels, "number of channels", codec->channels < 0, 0)
codec->frame_size = avio_rl16(pb);
+ SANITIZE_PARAMETER(frame_size, "frame size", codec->frame_size < 0, 0)
break;
default:
goto fail;
}
if (codec->flags & AV_CODEC_FLAG_GLOBAL_HEADER) {
int size = avio_rb32(pb);
- codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
- if (!codec->extradata)
- return AVERROR(ENOMEM);
- codec->extradata_size = size;
- avio_read(pb, codec->extradata, size);
+ if (size < 0 || size >= FF_MAX_EXTRADATA_SIZE) {
+ av_log(s, AV_LOG_WARNING, "Invalid extradata size %d\n", size);
+ } else {
+ codec->extradata = av_mallocz(size + AV_INPUT_BUFFER_PADDING_SIZE);
+ if (!codec->extradata)
+ return AVERROR(ENOMEM);
+ codec->extradata_size = size;
+ avio_read(pb, codec->extradata, size);
+ }
}
avcodec_parameters_from_context(st->codecpar, codec);
--
2.10.2