From patchwork Mon Mar 18 15:08:40 2019
X-Patchwork-Submitter: Olivier Maignial
X-Patchwork-Id: 12345
From: Olivier Maignial
To: ffmpeg-devel@ffmpeg.org
Cc: Olivier Maignial
Date: Mon, 18 Mar 2019 16:08:40 +0100
Message-Id: <1552921720-13028-1-git-send-email-olivier.maignial@smile.fr>
Subject: [FFmpeg-devel] [PATCH] Fix sdp size check on fmtp integer parameters

RFC-4566 does not give any limit of size on integer parameters given in fmtp line. By reading some more RFCs it is possible to find examples where some integer parameters are greater than 32 (see RFC-6416, 7.4)

--- libavformat/rtpdec_mpeg4.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 994ab49..4b86f4a 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c
@@ -289,15 +289,24 @@ static int parse_fmtp(AVFormatContext *s, for (i = 0; attr_names[i].str; ++i) { if (!av_strcasecmp(attr, attr_names[i].str)) { if (attr_names[i].type == ATTR_NAME_TYPE_INT) { - int val = atoi(value); - if (val > 32) { + char * end_ptr = NULL; + long int val = strtol(value, &end_ptr, 10); + if (value[0] == '\n' || end_ptr[0] != '\0') + { av_log(s, AV_LOG_ERROR, - "The %s field size is invalid (%d)\n", + "The %s field value is not a number (%s)\n", + attr, value); + return AVERROR_INVALIDDATA; + } + + if (val > INT_MAX || val < INT_MIN) { + av_log(s, AV_LOG_ERROR, + "The %s field size is invalid (%ld)\n", attr, val); return AVERROR_INVALIDDATA; } *(int *)((char *)data+ - attr_names[i].offset) = val; + attr_names[i].offset) = (int) val; } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { char *val = av_strdup(value); if (!val)
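Review bot: the emptiness test in the new `if (value[0] == '\n' || end_ptr[0] != '\0')` compares against '\n' where '\0' looks intended, so an empty value is not rejected: strtol() consumes nothing, end_ptr points at the terminator, and the field is silently stored as 0. Checking `end_ptr == value` covers both the empty string and input with no digits. The range test `val > INT_MAX || val < INT_MIN` can never be true on targets where long is 32 bits, and strtol() saturates at LONG_MAX/LONG_MIN on overflow, so an over-long digit string is stored as INT_MAX there; set errno to 0 before the call and reject ERANGE, or parse with strtoll(). With the old `val > 32` bound removed, every integer attribute in attr_names now accepts any int, negative included, so fields that need a bound require their own check. This needs <limits.h> (and <errno.h> if the ERANGE check is added) unless the file already gets them indirectly. Style: the opening brace of the new `if` goes on the same line as the condition to match the surrounding code, and `char * end_ptr` should be `char *end_ptr`.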