[FFmpeg-devel,3/3] avformat/utils: Fix potential integer overflow in extract_extradata()

Submitted by Michael Niedermayer on Sept. 26, 2018, 10 p.m.

Details

Message ID 20180926220026.29751-3-michael@niedermayer.cc
State New
Headers show

Commit Message

Michael Niedermayer Sept. 26, 2018, 10 p.m.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/utils.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

James Almer Sept. 26, 2018, 10:12 p.m.
On 9/26/2018 7:00 PM, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/utils.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/utils.c b/libavformat/utils.c
> index c1835b1ab5..3e99478ad9 100644
> --- a/libavformat/utils.c
> +++ b/libavformat/utils.c
> @@ -3544,7 +3544,9 @@ static int extract_extradata(AVStream *st, AVPacket *pkt)
>                                              &extradata_size);
>  
>          if (extradata) {
> -            avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
> +            av_assert0(!avsti->avctx->extradata);
> +            if ((unsigned)extradata_size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
> +                avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);

There's a FF_MAX_EXTRADATA_SIZE define in internal.h

>              if (!avsti->avctx->extradata) {
>                  av_packet_unref(pkt_ref);
>                  return AVERROR(ENOMEM);
>
Michael Niedermayer Oct. 6, 2018, 8:18 p.m.
On Wed, Sep 26, 2018 at 07:12:13PM -0300, James Almer wrote:
> On 9/26/2018 7:00 PM, Michael Niedermayer wrote:
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavformat/utils.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavformat/utils.c b/libavformat/utils.c
> > index c1835b1ab5..3e99478ad9 100644
> > --- a/libavformat/utils.c
> > +++ b/libavformat/utils.c
> > @@ -3544,7 +3544,9 @@ static int extract_extradata(AVStream *st, AVPacket *pkt)
> >                                              &extradata_size);
> >  
> >          if (extradata) {
> > -            avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
> > +            av_assert0(!avsti->avctx->extradata);
> > +            if ((unsigned)extradata_size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
> > +                avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
> 
> There's a FF_MAX_EXTRADATA_SIZE define in internal.h

seems this isnt used much
will use it and apply

thanks

[...]

Patch hide | download patch | download mbox

diff --git a/libavformat/utils.c b/libavformat/utils.c
index c1835b1ab5..3e99478ad9 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3544,7 +3544,9 @@  static int extract_extradata(AVStream *st, AVPacket *pkt)
                                             &extradata_size);
 
         if (extradata) {
-            avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
+            av_assert0(!avsti->avctx->extradata);
+            if ((unsigned)extradata_size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
+                avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
             if (!avsti->avctx->extradata) {
                 av_packet_unref(pkt_ref);
                 return AVERROR(ENOMEM);