From: Olivier Maignial
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 1 Apr 2019 16:45:38 +0200
Message-Id: <1554129938-24987-1-git-send-email-olivier.maignial@smile.fr>
Subject: [FFmpeg-devel] [PATCH v2] Fix sdp size check on fmtp integer parameters
X-Patchwork-Submitter: Olivier Maignial
X-Patchwork-Id: 12551

RFC-4566 does not give any limit of size on integer parameters given in fmtp line.
By reading some more RFCs it is possible to find examples where some integer
parameters are greater than 32 (see RFC-6416, 7.4)

Instead I propose to just check the eventual integer overflow.
Using INT_MIN and INT_MAX ensures that it will work whatever the size of int given
by compiler

Signed-off-by: Olivier Maignial
---

Changes v1 -> v2:
 - Removed line break at end of 'if' line before brace
 - Added Signed-Off-By line

 libavformat/rtpdec_mpeg4.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 994ab49..14caa0a 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c @@ -289,15 +289,23 @@ static int parse_fmtp(AVFormatContext *s, for (i = 0; attr_names[i].str; ++i) { if (!av_strcasecmp(attr, attr_names[i].str)) { if (attr_names[i].type == ATTR_NAME_TYPE_INT) { - int val = atoi(value); - if (val > 32) { + char *end_ptr = NULL; + long int val = strtol(value, &end_ptr, 10); + if (value[0] == '\n' || end_ptr[0] != '\0') { av_log(s, AV_LOG_ERROR, - "The %s field size is invalid (%d)\n", + "The %s field value is not a number (%s)\n", + attr, value); + return AVERROR_INVALIDDATA; + } + + if (val > INT_MAX || val < INT_MIN) { + av_log(s, AV_LOG_ERROR, + "The %s field size is invalid (%ld)\n", attr, val); return AVERROR_INVALIDDATA; } *(int *)((char *)data+ - attr_names[i].offset) = val; + attr_names[i].offset) = (int) val; } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { char *val = av_strdup(value); if (!val)
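Review bot: The empty-value test in the first new `if` compares `value[0]` against `'\n'`, which looks like a typo for `'\0'`. With an empty value `strtol` consumes nothing, `end_ptr[0]` is `'\0'`, neither condition is true, and the field is silently stored as 0. Testing `end_ptr == value` instead catches the case where no digits were consumed. The second check, `val > INT_MAX || val < INT_MIN`, can never be true on targets where `long` and `int` have the same width (32-bit builds, 64-bit Windows), because `strtol` clamps to `LONG_MAX`/`LONG_MIN` and signals overflow only through `errno`. Set `errno = 0` before the call and reject `ERANGE`, or parse with `strtoll` so the comparison against the `int` limits is meaningful everywhere. The second message still says "field size is invalid" although the check is now a range check on the value, so the wording should say the value is out of range.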