From patchwork Wed May 22 10:03:55 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Olivier Maignial <olivier.maignial@smile.fr>
X-Patchwork-Id: 13245
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
X-Original-To: patchwork@ffaux-bg.ffmpeg.org
Delivered-To: patchwork@ffaux-bg.ffmpeg.org
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by ffaux.localdomain (Postfix) with ESMTP id 6230044720A
	for <patchwork@ffaux-bg.ffmpeg.org>;
	Wed, 22 May 2019 13:04:07 +0300 (EEST)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 40E90680921;
	Wed, 22 May 2019 13:04:07 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail-wr1-f67.google.com (mail-wr1-f67.google.com
	[209.85.221.67])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 571F368033F
	for <ffmpeg-devel@ffmpeg.org>; Wed, 22 May 2019 13:04:00 +0300 (EEST)
Received: by mail-wr1-f67.google.com with SMTP id f10so1568031wre.7
	for <ffmpeg-devel@ffmpeg.org>; Wed, 22 May 2019 03:04:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=smile-fr.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id;
	bh=f+6TvHzq2w6esnGj1LUWgpa/fW+68zngUj63CWvFIZs=;
	b=Fc1uO97+aTb9ijICAAXgT40v/WiCBkyA39Dwa2+9vbVxiNlF2P4wasBBqyRKfNQN1k
	/k1rM1GouIoVeaaxhlEi+wRArFwrcamkXKAefIJxfkFEeL3cmu3dL+PIctJcLMPn4D7O
	Qc1lWovnHzZxQ5oiEb2ZrHB6a8G1jQNH2WXSaRsVRG2Mk6FQHO0T4DrbAfvvUi6B/usp
	mBl/LusN5wNlg2osOCVrPT7oBZRyiVb2PMO4KK4gKKg65U4eva6sj8Dv3qy3qtjEej6x
	HtFHrI7pIeHKZdvo28/Mb8cODOH7QWS6c1psZcnMnQ2L6LLfRkXsYwSiR/qvSiXCW2Sk
	d4NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=f+6TvHzq2w6esnGj1LUWgpa/fW+68zngUj63CWvFIZs=;
	b=Org5E8K3SLvZQ+NCJ/WFlZ53yb+kcQCyxY93RXFj3P1pK16AX80o27cqNxfC3Huf4Z
	mteMUFKfMu/69U86zDbA3iQTF2JXyyT+hRC5EXAOjoSpE2X/6PS848KygFHeNB7AKBY+
	e7ND46WhlCkP8Mc3Jetrb8v2uF+qhVMQ6UHLSei/yWsxIGb8OjY+bUQGR9Ir6yuEoJdY
	SXDU33pghW49rWjRLDRrD4ZFTMKUa4TXDP+W5r9C04mhBw4uyreLbUedEqmpd3bnO03H
	tHgx8qwsxgk4W27kI/P2vJFWqe5JUx7HLSvcCOPtJ1L2o3Wkpspfbaoofdlkoy+nl7XP
	Tvkg==
X-Gm-Message-State: APjAAAVWa2TlUJUUeIMaIEZ+Lidlpk+3W/Ze01juvYMv256nMr7QaSeW
	n9ProyyXGw28zgb5ahZpgCn2yKnoiDM=
X-Google-Smtp-Source: 
 APXvYqxXi6IikLOQIQRRw4f2vbEtnX+0x1aEOvF5677tbPkBUyEi4Dh9ErJPdL+lUj2cXedetG1RNg==
X-Received: by 2002:a5d:40ca:: with SMTP id b10mr2385862wrq.10.1558519439737;
	Wed, 22 May 2019 03:03:59 -0700 (PDT)
Received: from P-TLS-SASUKE-OLMAI.tagtec.fr (myfox-157-50.fib.nerim.net.
	[194.79.157.50]) by smtp.gmail.com with ESMTPSA id
	y4sm3789878wmj.20.2019.05.22.03.03.59
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 22 May 2019 03:03:59 -0700 (PDT)
From: Olivier Maignial <olivier.maignial@smile.fr>
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 22 May 2019 12:03:55 +0200
Message-Id: <1558519435-31008-1-git-send-email-olivier.maignial@smile.fr>
X-Mailer: git-send-email 2.7.4
Subject: [FFmpeg-devel] [PATCH v4] Fix integer parameters size check in SDP
	fmtp line
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Cc: lu_zero@gentoo.org, Olivier Maignial <olivier.maignial@smile.fr>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>


=== PROBLEM ===

I was trying to record h264 + aac streams from an RTSP server to mp4 file. using this command line:
    ffmpeg -v verbose -y -i "rtsp://<ip>/my_resources" -codec copy -bsf:a aac_adtstoasc test.mp4

FFmpeg then fail to record audio and output this logs:
    [rtsp @ 0xcda1f0] The profile-level-id field size is invalid (40)
    [rtsp @ 0xcda1f0] Error parsing AU headers
    ...
    [rtsp @ 0xcda1f0] Could not find codec parameters for stream 1 (Audio: aac, 48000 Hz, 1 channels): unspecified sample format

In SDP provided by my RTSP server I had this fmtp line:
    a=fmtp:98 streamType=5; profile-level-id=40; mode=AAC-hbr; config=1188; sizeLength=13; indexLength=3; indexDeltaLength=3;

In FFmpeg code, I found a check introduced by commit 24130234cd9dd733116d17b724ea4c8e12ce097a. It disallow values greater than 32 for fmtp line parameters.
However, In RFC-6416 (RTP Payload Format for MPEG-4 Audio/Visual Streams) give examples of "profile-level-id" values for AAC, up to 55.
Furthermore, RFC-4566 (SDP: Session Description Protocol) do not give any limit of size on interger parameters given in fmtp line.

=== FIX ===

Instead of prohibit values over 32, I propose to check the possible integer overflow.
The use of strtol allow to check the string validity and the possible overflow.
Using INT_MIN, LONG_MIN, INT_MAX and LON_MAX definitions ensure that it will work whatever the size of int/long given by compiler.

This patch fix my problem and I now can record my RTSP AAC stream to mp4.
It has passed the full fate tests suite sucessfully.

Signed-off-by: Olivier Maignial <olivier.maignial@smile.fr>
---

Changes v3->v4
    - Rebased my patch on master
    - Updated comit log to provide better explanation of the problem
    - Re-passed fate tests on master


 libavformat/rtpdec_mpeg4.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c
index 4f70599..d40cb5a 100644
--- a/libavformat/rtpdec_mpeg4.c
+++ b/libavformat/rtpdec_mpeg4.c
@@ -289,15 +289,33 @@ static int parse_fmtp(AVFormatContext *s,
         for (i = 0; attr_names[i].str; ++i) {
             if (!av_strcasecmp(attr, attr_names[i].str)) {
                 if (attr_names[i].type == ATTR_NAME_TYPE_INT) {
-                    int val = atoi(value);
-                    if (val > 32) {
+                    char *end_ptr = NULL;
+                    errno = 0;
+                    long int val = strtol(value, &end_ptr, 10);
+                    if (value[0] == '\n' || end_ptr[0] != '\0') {
                         av_log(s, AV_LOG_ERROR,
-                               "The %s field size is invalid (%d)\n",
-                               attr, val);
+                               "The %s field value is not a number (%s)\n",
+                               attr, value);
                         return AVERROR_INVALIDDATA;
                     }
+                    if ((val == LONG_MAX && errno == ERANGE) ||
+                        val > INT_MAX) {
+                        av_log(s, AV_LOG_ERROR,
+                               "Value of field %s overflow maximum integer value.\n",
+                               attr);
+                        return AVERROR_INVALIDDATA;
+                    }
+                    if ((val == LONG_MIN && errno == ERANGE) ||
+                        val < INT_MIN)
+                    {
+                        av_log(s, AV_LOG_ERROR,
+                               "Value of field %s underflow minimum integer value.\n",
+                               attr);
+                        return AVERROR_INVALIDDATA;
+                    }
+
                     *(int *)((char *)data+
-                        attr_names[i].offset) = val;
+                        attr_names[i].offset) = (int) val;
                 } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) {
                     char *val = av_strdup(value);
                     if (!val)