From patchwork Thu Oct 17 08:29:34 2019
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 15797
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Thu, 17 Oct 2019 10:29:34 +0200
Message-Id: <20191017082945.13534-4-andreas.rheinhardt@gmail.com>
In-Reply-To: <20191017082945.13534-1-andreas.rheinhardt@gmail.com>
References: <20191017082945.13534-1-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.20.1
Subject: [FFmpeg-devel] [PATCH 04/15] h264_mp4toannexb: Improve extradata overread checks

Currently, during parsing of the extradata, h264_mp4toannexb checks for
overreads by adding the size of the current unit to the current position
pointer and comparing this to the end position of the extradata. But pointer
comparisons and pointer arithmetic are only defined if they do not exceed the
object they are used on (one past the last element of an array is allowed,
too). In practice, this might lead to overflows.

Therefore the check has been changed, using the new
bytestream2_get_bytes_leftu function. Furthermore, now the right error code
is returned on error.

Signed-off-by: Andreas Rheinhardt
---
 libavcodec/h264_mp4toannexb_bsf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index f31902b506..4390bc3dc5 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -101,11 +101,11 @@ static int h264_extradata_to_annexb(AVBSFContext *ctx, const int padding) unit_size = bytestream2_get_be16u(gb); total_size += unit_size + 4; av_assert1(total_size <= INT_MAX - padding); - if (gb->buffer + unit_size > gb->buffer_end) { + if (bytestream2_get_bytes_leftu(gb) < unit_size) { av_log(ctx, AV_LOG_ERROR, "Packet header is not contained in global extradata, " "corrupted stream or invalid MP4/AVCC bitstream\n"); av_free(out); - return AVERROR(EINVAL); + return AVERROR_INVALIDDATA; } if ((err = av_reallocp(&out, total_size + padding)) < 0) return err;
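Review bot: the new `bytestream2_get_bytes_leftu(gb) < unit_size` test guards only the unit payload; the two-byte length field read just above it by `bytestream2_get_be16u(gb)` is the unchecked variant and is not covered, so each loop iteration still relies on at least two readable bytes being left before the length is read. A one-line comment stating that invariant next to the `bytestream2_get_be16u` call, or using the checked `bytestream2_get_be16` there, would make the hunk self-evidently safe. The replacement itself is right: `bytestream2_get_bytes_leftu` computes `buffer_end - buffer`, a difference of two in-bounds pointers, so no out-of-range pointer is formed the way `gb->buffer + unit_size` could form one, and `AVERROR_INVALIDDATA` is the conventional return for malformed input where `AVERROR(EINVAL)` was not.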
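As an added example (not FFmpeg's code and not part of this patch), the following stand-alone walker applies the same "bytes remaining" discipline the commit message describes to the whole SPS/PPS table of an avcC extradata blob, including the two-byte length field, and fails cleanly on a truncated blob or on a unit that announces more bytes than remain. It assumes the AVCDecoderConfigurationRecord layout from ISO/IEC 14496-15; `ByteReader`, `bytes_left`, `avcc_annexb_size` and the sample blobs are this example's own, and the sample bytes are constructed, not taken from a real stream.

```c
/* Added example, not FFmpeg's code: an avcC extradata walker that bounds-checks
 * with a "bytes remaining" length instead of buf + unit_size > end, which forms
 * an out-of-range pointer on malformed input. Layout assumed
 * (AVCDecoderConfigurationRecord, ISO/IEC 14496-15):
 *   bytes 0..3  version, profile_idc, profile_compat, level_idc
 *   byte 4      111111xx, xx+1 = NAL length size
 *   byte 5      111xxxxx, xxxxx = number of SPS
 *   per SPS     be16 length + payload; then u8 PPS count; per PPS the same
 * Names (ByteReader, bytes_left, avcc_annexb_size, ...) are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *buf;  /* current read position, never advanced past end */
    const uint8_t *end;  /* one past the last byte of the extradata */
} ByteReader;

/* A length, not a pointer: end - buf is a difference of two in-bounds pointers. */
static size_t bytes_left(const ByteReader *r)
{
    return (size_t)(r->end - r->buf);
}

static int read_u8(ByteReader *r, uint8_t *v)
{
    if (bytes_left(r) < 1)
        return -1;
    *v = *r->buf++;
    return 0;
}

static int read_be16(ByteReader *r, uint16_t *v)
{
    if (bytes_left(r) < 2)
        return -1;
    *v = (uint16_t)((r->buf[0] << 8) | r->buf[1]);
    r->buf += 2;
    return 0;
}

/* Skip 'count' length-prefixed units, adding each unit's Annex B size
 * (payload + 4-byte start code) to *total. Fails if either the 2-byte length
 * field or the payload it announces is not fully contained in the blob. */
static int skip_units(ByteReader *r, unsigned count, size_t *total)
{
    while (count--) {
        uint16_t unit_size;
        if (read_be16(r, &unit_size) < 0)
            return -1;                  /* length field itself truncated */
        if (bytes_left(r) < unit_size)
            return -1;                  /* payload not contained in extradata */
        r->buf += unit_size;
        *total += (size_t)unit_size + 4;
    }
    return 0;
}

/* Returns the Annex B size of all SPS/PPS units, or -1 if the blob is
 * truncated or a unit announces more bytes than remain. */
long avcc_annexb_size(const uint8_t *extradata, size_t size)
{
    ByteReader r = { extradata, extradata + size };
    uint8_t count;
    size_t total = 0;

    if (size < 7)                 /* 5 header bytes + SPS count + PPS count */
        return -1;
    r.buf += 5;                   /* version .. NAL length size byte */
    if (read_u8(&r, &count) < 0 || skip_units(&r, count & 0x1f, &total) < 0)
        return -1;
    if (read_u8(&r, &count) < 0 || skip_units(&r, count, &total) < 0)
        return -1;
    return (long)total;
}

/* Constructed sample: one 4-byte SPS and one 3-byte PPS, 18 bytes in total. */
static const uint8_t k_avcc_ok[] = {
    0x01, 0x64, 0x00, 0x1e, 0xff,
    0xe1, 0x00, 0x04, 0x67, 0x64, 0x00, 0x1e,
    0x01, 0x00, 0x03, 0x68, 0xee, 0x3c,
};

/* Same blob, but the SPS length field claims 65535 bytes. */
static const uint8_t k_avcc_badlen[] = {
    0x01, 0x64, 0x00, 0x1e, 0xff,
    0xe1, 0xff, 0xff, 0x67, 0x64, 0x00, 0x1e,
    0x01, 0x00, 0x03, 0x68, 0xee, 0x3c,
};

int main(void)
{
    printf("intact:     %ld\n", avcc_annexb_size(k_avcc_ok, sizeof k_avcc_ok));          /* 15 */
    printf("cut at 16:  %ld\n", avcc_annexb_size(k_avcc_ok, 16));                       /* -1 */
    printf("cut at 14:  %ld\n", avcc_annexb_size(k_avcc_ok, 14));                       /* -1 */
    printf("bad length: %ld\n", avcc_annexb_size(k_avcc_badlen, sizeof k_avcc_badlen)); /* -1 */
    return 0;
}
```

With `k_avcc_badlen`, a check written as `r.buf + unit_size > r.end` would first compute a pointer 65535 bytes past an 18-byte object, which is exactly the undefined arithmetic the commit message warns about; comparing `bytes_left` against `unit_size` never leaves the object. The cut at 14 bytes stops in the middle of the PPS length field, the case the length-field check in `read_be16` exists for.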