From patchwork Wed Jun 19 13:38:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olivier Maignial X-Patchwork-Id: 13611 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id 126B5449D48 for ; Wed, 19 Jun 2019 16:45:08 +0300 (EEST) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id EBCD068AA4D; Wed, 19 Jun 2019 16:45:07 +0300 (EEST) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-wr1-f67.google.com (mail-wr1-f67.google.com [209.85.221.67]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id F119868AA33 for ; Wed, 19 Jun 2019 16:45:01 +0300 (EEST) Received: by mail-wr1-f67.google.com with SMTP id m3so3498123wrv.2 for ; Wed, 19 Jun 2019 06:45:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smile-fr.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id; bh=zyQUe3x7i3DqdI1JUzhESqH1eOqmdwvCdbVXfUNPgNA=; b=bPJN7xG9bAM6i3DBI/Y6Crs7RHW3UGXlBtT+uHkK63UG356mWgcKZY3Qs+YN8/KpOP MuXmEK0kt5oQ4Tf505vmJzew3BPORGrttYe7CO6M/VEGNDfbPXZolXSZzDss30sz4cx+ LR1lYQz4nQDu8dWgX+bAHHY3N7wARUVM7n7Y1oFRgyvknlc4LqG9evcLVSKnREXKdZ8H a4uizjsrxIKlg9/EBJ9NCIQ29bB+AoIWPHFqD8eTAp83CsCY1zlfl4ItduA8C/g09LIM notwKS8ACNbxIve+LPNq65oKtb1S3JcH/Za6bHuaNRAKCY5aYpmiC1Kg0noHydRI4hSN 4fpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=zyQUe3x7i3DqdI1JUzhESqH1eOqmdwvCdbVXfUNPgNA=; b=hbLtdqhsCFQuXlrZwTzJQsdFdqeBQ9SIOQilz6TmJjAbytzMPBD7Y4Ncttg5mfFzWg +FuslNaCThr82oiF3AflZ1pXZ2jMudRSrBC+eHGWa12461ah123ONevCVO/IEWz6Y3m1 SG6ExROHGfPK5svklwzsn4JffFOLTAcNQ5/AZEUNFTwBPjREowYimapKcUE9gddqS3sw IPoz0KSnK+gNcoGN3qCJjsVX3L54qC+Zmy53eTeFoUPx8egshhWZAciXptp1HrgxK1id 3KVz0QiTJ2Nc3sWp033zksdgTg99p8zCqP+ihvMigpcGEPJzGIxgiVNX5YTWQMqOr2gb L3gw== X-Gm-Message-State: APjAAAUfw6slcBnYgwpdoZDr7ScfGZy9KzbfEVkR8cgkk77mFh4gqDsf dcRgTuIVQUB1W6pVWUuZALanFEYC4Iw= X-Google-Smtp-Source: APXvYqxVKphVV7qH/NXpgEMUXoNW4YxJLXaKSRktgGICtQ4tlSfHkCwwidcpZGa8lift98YNjg9VuA== X-Received: by 2002:a05:6000:11c2:: with SMTP id i2mr6282243wrx.199.1560951512175; Wed, 19 Jun 2019 06:38:32 -0700 (PDT) Received: from P-TLS-SASUKE-OLMAI.tagtec.fr (myfox-157-50.fib.nerim.net. [194.79.157.50]) by smtp.gmail.com with ESMTPSA id g2sm1664943wmh.0.2019.06.19.06.38.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 19 Jun 2019 06:38:31 -0700 (PDT) From: Olivier Maignial To: ffmpeg-devel@ffmpeg.org Date: Wed, 19 Jun 2019 15:38:26 +0200 Message-Id: <1560951506-2307-1-git-send-email-olivier.maignial@smile.fr> X-Mailer: git-send-email 2.7.4 Subject: [FFmpeg-devel] [PATCH v6] Fix integer parameters size check in SDP fmtp line X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Olivier Maignial MIME-Version: 1.0 Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" === PROBLEM === I was trying to record h264 + aac streams from an RTSP server to mp4 file. using this command line: ffmpeg -v verbose -y -i "rtsp:///my_resources" -codec copy -bsf:a aac_adtstoasc test.mp4 FFmpeg then fail to record audio and output this logs: [rtsp @ 0xcda1f0] The profile-level-id field size is invalid (40) [rtsp @ 0xcda1f0] Error parsing AU headers ... [rtsp @ 0xcda1f0] Could not find codec parameters for stream 1 (Audio: aac, 48000 Hz, 1 channels): unspecified sample format In SDP provided by my RTSP server I had this fmtp line: a=fmtp:98 streamType=5; profile-level-id=40; mode=AAC-hbr; config=1188; sizeLength=13; indexLength=3; indexDeltaLength=3; In FFmpeg code, I found a check introduced by commit 24130234cd9dd733116d17b724ea4c8e12ce097a. It disallows values greater than 32 for fmtp line parameters. However, In RFC-6416 (RTP Payload Format for MPEG-4 Audio/Visual Streams) give examples of "profile-level-id" values for AAC, up to 55. Furthermore, RFC-4566 (SDP: Session Description Protocol) do not give any limit of size on interger parameters given in fmtp line. === FIX === Instead of prohibit values over 32, I propose to check the possible integer overflow. The use of strtol allow to check the string validity and the possible overflow. Value is then checked against INT32_MIN and INT32_MAX. Using INT32_MIN/MAX ensure to have the same behavior on 32 or 64 bits platforms. This patch fix my problem and I now can record my RTSP AAC stream to mp4. It has passed the full fate tests suite sucessfully. Signed-off-by: Olivier Maignial --- Changes V5 -> V6: - Simplify code libavformat/rtpdec_mpeg4.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavformat/rtpdec_mpeg4.c b/libavformat/rtpdec_mpeg4.c index 4f70599..9c4f8a1 100644 --- a/libavformat/rtpdec_mpeg4.c +++ b/libavformat/rtpdec_mpeg4.c @@ -289,15 +289,20 @@ static int parse_fmtp(AVFormatContext *s, for (i = 0; attr_names[i].str; ++i) { if (!av_strcasecmp(attr, attr_names[i].str)) { if (attr_names[i].type == ATTR_NAME_TYPE_INT) { - int val = atoi(value); - if (val > 32) { + char *end_ptr = NULL; + errno = 0; + long int val = strtol(value, &end_ptr, 10); + if (end_ptr == value || end_ptr[0] != '\0' || + errno == ERANGE || + val < INT32_MIN || val > INT32_MAX) { av_log(s, AV_LOG_ERROR, - "The %s field size is invalid (%d)\n", - attr, val); + "The %s field value is not a valid number, or overflows int32: %s\n", + attr, value); return AVERROR_INVALIDDATA; } + *(int *)((char *)data+ - attr_names[i].offset) = val; + attr_names[i].offset) = (int) val; } else if (attr_names[i].type == ATTR_NAME_TYPE_STR) { char *val = av_strdup(value); if (!val)