From patchwork Thu Dec 13 02:53:01 2018
X-Patchwork-Submitter: chcunningham@chromium.org
X-Patchwork-Id: 11396
From: chcunningham
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 12 Dec 2018 18:53:01 -0800
Message-Id: <20181213025301.191821-1-chcunningham@chromium.org>
Subject: [FFmpeg-devel] [PATCH] lavf/mov: ensure only one tkhd per trak
Cc: michael@niedermayer.cc

Chromium fuzzing produced a whacky file with extra tkhds. This caused an
AVStream that was already in use to be corrupted by assigning it a new id,
which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.

--- libavformat/isom.h | 3 ++- libavformat/mov.c | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/libavformat/isom.h b/libavformat/isom.h index e629663949..e14d670f2f 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h
@@ -230,7 +230,8 @@ typedef struct MOVStreamContext { uint32_t format; - int has_sidx; // If there is an sidx entry for this stream. + int has_sidx; ///< If there is a sidx entry for this stream. + int has_tkhd; ///< If there is a tkhd entry for this stream. struct { struct AVAESCTR* aes_ctr; unsigned int per_sample_iv_size; // Either 0, 8, or 16. diff --git a/libavformat/mov.c b/libavformat/mov.c index ec57a05803..47c53d7992 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4438,6 +4438,12 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; + // Each stream (trak) should have exactly 1 tkhd. This catches bad files and + // avoids corrupting AVStreams mapped to an earlier tkhd. + if (sc->has_tkhd) + return AVERROR_INVALIDDATA; + sc->has_tkhd = 1; + version = avio_r8(pb); flags = avio_rb24(pb); st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0; @@ -4704,6 +4710,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) break; } } + av_assert0(index_entry_pos <= st->nb_index_entries); avio_r8(pb); /* version */ flags = avio_rb24(pb);
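Review bot: the isom.h hunk also rewrites the existing has_sidx comment (`//` to `///<`, "an sidx" to "a sidx"), which is unrelated to the fix; it is a reasonable consistency cleanup next to the new `int has_tkhd; ///< ...` line, but it should be mentioned in the commit message or split out so the functional change stays easy to review and bisect.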
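Review bot: the new guard in mov_read_tkhd rejects the file with a bare `return AVERROR_INVALIDDATA;` and no diagnostic, so a duplicate tkhd surfaces to the user only as a generic invalid-data error. Logging before the return, e.g. `av_log(c->fc, AV_LOG_ERROR, "Trak already has a tkhd\n");`, would make the malformed structure visible when triaging fuzzer-produced files like the one described in the commit message.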
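Review bot: `av_assert0(index_entry_pos <= st->nb_index_entries);` in mov_read_trun is compiled in at every assert level, so if any input other than the duplicate-tkhd case can still push index_entry_pos past nb_index_entries, a crafted file aborts the whole process instead of failing with an error. Either add a comment stating why the has_tkhd guard makes this unreachable (so the assert documents an invariant rather than a runtime bounds check), or replace it with a check that logs and returns AVERROR_INVALIDDATA.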