Message ID | 1554129938-24987-1-git-send-email-olivier.maignial@smile.fr |
---|---|
State | Superseded |
Headers | show |
Hello all Just a reminder for this patch On Mon, Apr 1, 2019 at 4:45 PM Olivier Maignial <olivier.maignial@smile.fr> wrote: > RFC-4566 do not give any limit of size on interger parameters given in > fmtp line. > By reading some more RFCs it is possible to find examples where some > integers parameters are greater than 32 (see RFC-6416, 7.4) > > Instead I propose to check just check the eventual integer overflow. > Using INT_MIN and INT_MAX ensure that it will work whatever the size of > int given by compiler > > Signed-off-by: Olivier Maignial <olivier.maignial@smile.fr> > --- > > Changes v1 -> v2: > - Removed line break at end of 'if' line before brace > - Added Signed-Off-By line > > libavformat/rtpdec_mpeg4.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c > index 994ab49..14caa0a 100644 > --- a/libavformat/rtpdec_mpeg4.c > +++ b/libavformat/rtpdec_mpeg4.c > @@ -289,15 +289,23 @@ static int parse_fmtp(AVFormatContext *s, > for (i = 0; attr_names[i].str; ++i) { > if (!av_strcasecmp(attr, attr_names[i].str)) { > if (attr_names[i].type == ATTR_NAME_TYPE_INT) { > - int val = atoi(value); > - if (val > 32) { > + char *end_ptr = NULL; > + long int val = strtol(value, &end_ptr, 10); > + if (value[0] == '\n' || end_ptr[0] != '\0') { > av_log(s, AV_LOG_ERROR, > - "The %s field size is invalid (%d)\n", > + "The %s field value is not a number > (%s)\n", > + attr, value); > + return AVERROR_INVALIDDATA; > + } > + > + if (val > INT_MAX || val < INT_MIN) { > + av_log(s, AV_LOG_ERROR, > + "The %s field size is invalid (%ld)\n", > attr, val); > return AVERROR_INVALIDDATA; > } > *(int *)((char *)data+ > - attr_names[i].offset) = val; > + attr_names[i].offset) = (int) val; > } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { > char *val = av_strdup(value); > if (!val) > -- > 2.7.4 > >
On Mon, Apr 01, 2019 at 04:45:38PM +0200, Olivier Maignial wrote: > RFC-4566 do not give any limit of size on interger parameters given in fmtp line. > By reading some more RFCs it is possible to find examples where some integers parameters are greater than 32 (see RFC-6416, 7.4) > > Instead I propose to check just check the eventual integer overflow. > Using INT_MIN and INT_MAX ensure that it will work whatever the size of int given by compiler > > Signed-off-by: Olivier Maignial <olivier.maignial@smile.fr> > --- > > Changes v1 -> v2: > - Removed line break at end of 'if' line before brace > - Added Signed-Off-By line > > libavformat/rtpdec_mpeg4.c | 16 ++++++++++++---- > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c > index 994ab49..14caa0a 100644 > --- a/libavformat/rtpdec_mpeg4.c > +++ b/libavformat/rtpdec_mpeg4.c > @@ -289,15 +289,23 @@ static int parse_fmtp(AVFormatContext *s, > for (i = 0; attr_names[i].str; ++i) { > if (!av_strcasecmp(attr, attr_names[i].str)) { > if (attr_names[i].type == ATTR_NAME_TYPE_INT) { > - int val = atoi(value); > - if (val > 32) { > + char *end_ptr = NULL; > + long int val = strtol(value, &end_ptr, 10); > + if (value[0] == '\n' || end_ptr[0] != '\0') { > av_log(s, AV_LOG_ERROR, > - "The %s field size is invalid (%d)\n", > + "The %s field value is not a number (%s)\n", > + attr, value); > + return AVERROR_INVALIDDATA; > + } > + > + if (val > INT_MAX || val < INT_MIN) { This test only works if LONG_MAX > INT_MAX otherwise it will not detect out of range values [...]
diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 994ab49..14caa0a 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c @@ -289,15 +289,23 @@ static int parse_fmtp(AVFormatContext *s, for (i = 0; attr_names[i].str; ++i) { if (!av_strcasecmp(attr, attr_names[i].str)) { if (attr_names[i].type == ATTR_NAME_TYPE_INT) { - int val = atoi(value); - if (val > 32) { + char *end_ptr = NULL; + long int val = strtol(value, &end_ptr, 10); + if (value[0] == '\n' || end_ptr[0] != '\0') { av_log(s, AV_LOG_ERROR, - "The %s field size is invalid (%d)\n", + "The %s field value is not a number (%s)\n", + attr, value); + return AVERROR_INVALIDDATA; + } + + if (val > INT_MAX || val < INT_MIN) { + av_log(s, AV_LOG_ERROR, + "The %s field size is invalid (%ld)\n", attr, val); return AVERROR_INVALIDDATA; } *(int *)((char *)data+ - attr_names[i].offset) = val; + attr_names[i].offset) = (int) val; } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { char *val = av_strdup(value); if (!val)
RFC-4566 do not give any limit of size on interger parameters given in fmtp line. By reading some more RFCs it is possible to find examples where some integers parameters are greater than 32 (see RFC-6416, 7.4) Instead I propose to check just check the eventual integer overflow. Using INT_MIN and INT_MAX ensure that it will work whatever the size of int given by compiler Signed-off-by: Olivier Maignial <olivier.maignial@smile.fr> --- Changes v1 -> v2: - Removed line break at end of 'if' line before brace - Added Signed-Off-By line libavformat/rtpdec_mpeg4.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)