From patchwork Wed Feb 13 12:41:31 2019
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 12062
From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 13 Feb 2019 13:41:31 +0100 Message-Id: <20190213124131.25774-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-CMAE-Envelope: MS4wfPJzX3vtaEuFIhP+xqUhOh3zvlKX4iR+dCcm0I/HT3AJPlGd6Gvj9XxwoEVPVTNISE6KDMlwE5TSslutEKMLmQ4A2smsjgHPIk5//OfyzgfJFUR3CbMb c6kVHMUXSU5b/5nRWIcOq5ITPWPNxorBPeC/ZE4LY7KdRPjsnbGBEZwT Subject: [FFmpeg-devel] [PATCH] avformat/matroskadec: Check parents remaining length X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Reported-by: Steve Lhomme This was found through the Hacker One program on VLC but is not a security issue in libavformat Signed-off-by: Michael Niedermayer --- libavformat/matroskadec.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4ad99db7db..4b10f44712 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -792,6 +792,19 @@ static int matroska_resync(MatroskaDemuxContext *matroska, int64_t last_pos) return AVERROR_EOF; } +static int64_t ebml_parent_size_remaining(MatroskaDemuxContext *matroska) +{ + AVIOContext *pb = matroska->ctx->pb; + int64_t pos = avio_tell(pb); + + if (matroska->num_levels > 0) { + MatroskaLevel *level = &matroska->levels[matroska->num_levels - 1]; + if (level->length != (uint64_t)-1) + return level->length - (pos - level->start); + } + return INT64_MAX; +} + /* * Return: Whether we reached the end of a level in the hierarchy or not. */ 
@@ -1197,6 +1210,14 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska, length, max_lengths[syntax->type], syntax->type); return AVERROR_INVALIDDATA; } + + av_assert0(length <= INT64_MAX); + if (ebml_parent_size_remaining(matroska) < (int64_t)length) { + av_log(matroska->ctx, AV_LOG_ERROR, + "Invalid length 0x%"PRIx64" > 0x%"PRIx64" parent length\n", + length, ebml_parent_size_remaining(matroska)); + return AVERROR_INVALIDDATA; + } } switch (syntax->type) {
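Review bot: the signed/unsigned arithmetic in ebml_parent_size_remaining() deserves a second look. level->length is uint64_t (the `(uint64_t)-1` sentinel test shows that), so `level->length - (pos - level->start)` is computed unsigned and only then converted to the int64_t return type; if avio_tell() has already moved past the parent's end the subtraction wraps, and whether that converts to the negative value the caller relies on is implementation-defined in C. A level->length above INT64_MAX converts the same way, and a negative avio_tell() error value makes `pos - level->start` wrap too. Suggest making the bound explicit, e.g. `uint64_t used = pos - level->start;` then `if (pos < 0 || used >= level->length) return 0;` and `return FFMIN(level->length - used, INT64_MAX);`, so an overrun parent and an I/O error both read as "nothing remaining" without relying on wraparound.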
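Review bot: ebml_parent_size_remaining() is evaluated twice in the new check in ebml_parse_elem(), once for the comparison and again as the av_log() argument; store it in a local `int64_t remaining` and use that in both places, which also guarantees the logged value is the one that was compared. The format string passes that int64_t to PRIx64, which is the conversion for uint64_t; for a negative remaining value this prints an implausible huge hex number, so cast to uint64_t or use PRId64 for that field. Also, does ebml_read_length() already guarantee `length <= INT64_MAX`? If not, av_assert0() turns a malformed file into an abort, and returning AVERROR_INVALIDDATA is the reaction a demuxer should have to untrusted input; if it does, a short comment saying so next to the assert would help the next reader.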