From patchwork Wed Jul 24 17:15:53 2019
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 14057
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 24 Jul 2019 19:15:53 +0200
Message-Id: <20190724171557.10037-1-andreas.rheinhardt@gmail.com>
In-Reply-To: <20190724074358.GU3219@michaelspb>
References: <20190724074358.GU3219@michaelspb>
Subject: [FFmpeg-devel] [PATCH 2/6] h264_mp4toannexb_bsf: Improve extradata overread checks
Cc: Andreas Rheinhardt

Currently, during parsing of the extradata, h264_mp4toannexb checks for overreads by adding the size of the current unit to the current position pointer and comparing this to the end position of the extradata. But pointer comparisons and pointer arithmetic are only defined if they do not exceed the object they are used on (one past the last element of an array is allowed, too). In practice, this might lead to overflows. Therefore the check has been changed.

Signed-off-by: Andreas Rheinhardt
---
 libavcodec/h264_mp4toannexb_bsf.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index bbf124ad04..374c2d59fb 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -72,7 +72,8 @@ static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding) uint32_t total_size = 0; uint8_t *out = NULL, unit_nb, sps_done = 0, sps_seen = 0, pps_seen = 0; - const uint8_t *extradata = ctx->par_in->extradata + 4; + const uint8_t *extradata = ctx->par_in->extradata + 4, + *extradata_end = ctx->par_in->extradata + ctx->par_in->extradata_size; static const uint8_t nalu_header[4] = { 0, 0, 0, 1 }; int length_size = (*extradata++ & 0x3) + 1; // retrieve length coded size @@ -91,9 +92,10 @@ static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding) int err; unit_size = AV_RB16(extradata); + extradata += 2; total_size += unit_size + 4; av_assert1(total_size <= INT_MAX - padding); - if (extradata + 2 + unit_size > ctx->par_in->extradata + ctx->par_in->extradata_size) { + if (extradata_end - extradata < unit_size) { av_log(ctx, AV_LOG_ERROR, "Packet header is not contained in global extradata, " "corrupted stream or invalid MP4/AVCC bitstream\n"); av_free(out); @@ -102,8 +104,8 @@ static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding) if ((err = av_reallocp(&out, total_size + padding)) < 0) return err; memcpy(out + total_size - unit_size - 4, nalu_header, 4); - memcpy(out + total_size - unit_size, extradata + 2, unit_size); - extradata += 2 + unit_size; + memcpy(out + total_size - unit_size, extradata, unit_size); + extradata += unit_size; pps: if (!unit_nb && !sps_done++) { unit_nb = *extradata++; /* number of pps unit(s) */
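Review bot: in the first hunk (@@ -72,7 +72,8 @@) the new `extradata_end` bound is only consulted by the per-unit check further down; the fixed-offset reads that come before it (`ctx->par_in->extradata + 4`, the `*extradata++` that yields `length_size`, and later `unit_nb = *extradata++`) still depend on a minimum `extradata_size` being guaranteed before this function is entered. If the caller enforces that minimum, a one-line comment next to the `extradata_end` declaration stating the precondition would make the invariant visible to the next reader; if it does not, an early size check returning `AVERROR_INVALIDDATA` belongs here, since `extradata_end` gives no protection to reads that happen before it is compared against.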
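Review bot: in the second hunk (@@ -91,9 +92,10 @@), `unit_size = AV_RB16(extradata);` still reads two bytes before anything is compared against `extradata_end`, and `extradata += 2;` is applied before the new check, so when fewer than two bytes remain the overread has already occurred by the time `extradata_end - extradata < unit_size` catches the (now negative) remainder. Placing a bound check in front of the read, e.g. `if (extradata_end - extradata < 2)` taking the same error path, then reading `unit_size`, then keeping the existing check against `unit_size`, closes that gap. Also worth a comment: the comparison relies on `unit_size` promoting to a signed type so that a negative `ptrdiff_t` still compares as less; a wider unsigned type for `unit_size` would silently turn that into an unsigned comparison and defeat the check.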
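Review bot: in the third hunk (@@ -102,8 +104,8 @@), after `extradata += unit_size;` control can fall through to `pps:` and execute `unit_nb = *extradata++;` with `extradata == extradata_end`: an SPS unit that ends exactly at the end of the extradata passes the new `<` check (equality is allowed, correctly, for the memcpy), so the following one-byte read of the PPS count is an overread. The new `extradata_end` variable makes this cheap to guard; suggest `if (extradata >= extradata_end)` with the same error path immediately before that read, rather than leaving it to a later patch in the series.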