From patchwork Thu Aug 23 21:37:53 2018
X-Patchwork-Submitter: Rodger Combs
X-Patchwork-Id: 10112
From: Rodger Combs
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 23 Aug 2018 16:37:53 -0500
Message-Id: <20180823213753.36856-2-rodger.combs@gmail.com>
In-Reply-To: <20180823213753.36856-1-rodger.combs@gmail.com>
References: <20180823213753.36856-1-rodger.combs@gmail.com>
Subject: [FFmpeg-devel] [PATCH 2/2] lavc/hevc_mp4toannexb_bsf: warn if a NAL size would overflow the buffer

This didn't actually cause a buffer overread previously, but it could
result in the end of a NAL being filled with zeros silently.
---
 libavcodec/hevc_mp4toannexb_bsf.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index fb4ea34a93..c40308f367 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -70,6 +70,10 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx) for (j = 0; j < cnt; j++) { int nalu_len = bytestream2_get_be16(&gb); + if (nalu_len < 1 || bytestream2_get_bytes_left(&gb) < nalu_len) { + av_log(ctx, AV_LOG_WARNING, "Extradata NAL ended prematurely\n"); + goto done; + } if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) { ret = AVERROR_INVALIDDATA; @@ -86,6 +90,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx) } } +done: av_freep(&ctx->par_out->extradata); ctx->par_out->extradata = new_extradata; ctx->par_out->extradata_size = new_extradata_size;
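Review bot: The new `nalu_len` check in the first hunk only logs at `AV_LOG_WARNING` and jumps to `done` without setting `ret`, while the overflow check directly below it treats malformed input as `ret = AVERROR_INVALIDDATA`. A length field larger than `bytestream2_get_bytes_left(&gb)` is just as invalid, so either set `ret` before the `goto` or state in a comment and in the commit message why truncated extradata is tolerated here. The log text would also help triage more if it printed `nalu_len` and the bytes left, because the same "ended prematurely" message fires for `nalu_len < 1`, which is a zero length rather than a short buffer.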
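Review bot: The `done:` label in the second hunk sits directly above the lines that free the old extradata and assign `ctx->par_out->extradata = new_extradata`, so the early exit publishes whatever NAL units were converted before the bad length as the output extradata. That partial-commit behaviour deserves a short comment at the label. It is also worth confirming that an exit on the very first NAL, before anything was appended to `new_extradata`, is handled sensibly by the code that follows, since the only trace of it is a warning-level log line.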