From patchwork Fri Mar 22 11:07:55 2019
X-Patchwork-Submitter: Olivier Maignial
X-Patchwork-Id: 12390
From: Olivier Maignial
To: ffmpeg-devel@ffmpeg.org
Cc: Olivier Maignial
Date: Fri, 22 Mar 2019 12:07:55 +0100
Message-Id: <1553252875-8877-1-git-send-email-olivier.maignial@smile.fr>
Subject: [FFmpeg-devel] [PATCH] Fix sdp size check on fmtp integer parameters

RFC-4566 does not give any limit of size on integer parameters given in the fmtp line. By reading some more RFCs it is possible to find examples where some integer parameters are greater than 32 (see RFC-6416, 7.4).

Instead I propose to just check the eventual integer overflow. Using INT_MIN and INT_MAX ensures that it will work whatever the size of int given by the compiler.

--- libavformat/rtpdec_mpeg4.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 994ab49..14caa0a 100644 --- a/libavformat/rtpdec_mpeg4.c 
+++ b/libavformat/rtpdec_mpeg4.c @@ -289,15 +289,23 @@ static int parse_fmtp(AVFormatContext *s, for (i = 0; attr_names[i].str; ++i) { if (!av_strcasecmp(attr, attr_names[i].str)) { if (attr_names[i].type == ATTR_NAME_TYPE_INT) { - int val = atoi(value); - if (val > 32) { + char *end_ptr = NULL; + long int val = strtol(value, &end_ptr, 10); + if (value[0] == '\n' || end_ptr[0] != '\0') { av_log(s, AV_LOG_ERROR, - "The %s field size is invalid (%d)\n", + "The %s field value is not a number (%s)\n", + attr, value); + return AVERROR_INVALIDDATA; + } + + if (val > INT_MAX || val < INT_MIN) { + av_log(s, AV_LOG_ERROR, + "The %s field size is invalid (%ld)\n", attr, val); return AVERROR_INVALIDDATA; } *(int *)((char *)data+ - attr_names[i].offset) = val; + attr_names[i].offset) = (int) val; } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { char *val = av_strdup(value); if (!val)
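
Review bot: In the new validity check, `value[0] == '\n'` looks like it was meant to be `value[0] == '\0'`: an empty value makes strtol return 0 with end_ptr equal to value, so `end_ptr[0] != '\0'` is false and the empty string is stored as 0; testing `end_ptr == value` would cover that case. The range check `val > INT_MAX || val < INT_MIN` can never be true on platforms where long and int have the same width, because strtol clamps to LONG_MAX/LONG_MIN and reports the overflow only through errno, so the call needs `errno = 0` before it and an `errno == ERANGE` test after it for the check to hold "whatever the size of int". Dropping the `val > 32` bound also lets negative and very large values reach the field written at `attr_names[i].offset`; the code that consumes those fields is not part of this hunk, so either confirm it tolerates the full int range or replace the old limit with a per-attribute bound rather than removing it outright.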