[FFmpeg-devel,1/2] avformat/mp3dec: Check that the frame fits within the probe buffer

Submitted by Michael Niedermayer on Nov. 7, 2019, 9:25 p.m.

Details

Message ID 20191107212532.22861-1-michael@niedermayer.cc
State Accepted
Commit e9a335150a62bb377a26ce096187b4476145d02b
Headers show

Commit Message

Michael Niedermayer Nov. 7, 2019, 9:25 p.m.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mp3dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

lance.lmwang@gmail.com Nov. 8, 2019, 6:48 a.m.
On Thu, Nov 07, 2019 at 10:25:31PM +0100, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mp3dec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c
> index 258f19174b..6848415657 100644
> --- a/libavformat/mp3dec.c
> +++ b/libavformat/mp3dec.c
> @@ -91,7 +91,7 @@ static int mp3_read_probe(const AVProbeData *p)
>  
>              header = AV_RB32(buf2);
>              ret = avpriv_mpegaudio_decode_header(&h, header);
> -            if (ret != 0)
> +            if (ret != 0 || end - buf2 < h.frame_size)

I think it's unneed to do the extra checking, as the buf2 will add
the h.frame_size in the next code, it'll break still if buf2 > end
for the for condition.

>                  break;
>              buf2 += h.frame_size;
>              framesizes += h.frame_size;
> -- 
> 2.23.0
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer Nov. 16, 2019, 10:39 p.m.
On Thu, Nov 07, 2019 at 10:25:31PM +0100, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mp3dec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
James Almer Nov. 17, 2019, 1:03 p.m.
On 11/16/2019 7:39 PM, Michael Niedermayer wrote:
> On Thu, Nov 07, 2019 at 10:25:31PM +0100, Michael Niedermayer wrote:
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>  libavformat/mp3dec.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> will apply

There was a comment/review by Limin Wang you didn't address, unless i
missed a reply to some other patch.
lance.lmwang@gmail.com Nov. 18, 2019, 1:04 a.m.
On Sun, Nov 17, 2019 at 10:03:03AM -0300, James Almer wrote:
> On 11/16/2019 7:39 PM, Michael Niedermayer wrote:
> > On Thu, Nov 07, 2019 at 10:25:31PM +0100, Michael Niedermayer wrote:
> >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> ---
> >>  libavformat/mp3dec.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > will apply
> 
> There was a comment/review by Limin Wang you didn't address, unless i
> missed a reply to some other patch.

Yes, I have reply it in the patch 2/2, it needs the check. 

> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Patch hide | download patch | download mbox

diff --git a/libavformat/mp3dec.c b/libavformat/mp3dec.c
index 258f19174b..6848415657 100644
--- a/libavformat/mp3dec.c
+++ b/libavformat/mp3dec.c
@@ -91,7 +91,7 @@  static int mp3_read_probe(const AVProbeData *p)
 
             header = AV_RB32(buf2);
             ret = avpriv_mpegaudio_decode_header(&h, header);
-            if (ret != 0)
+            if (ret != 0 || end - buf2 < h.frame_size)
                 break;
             buf2 += h.frame_size;
             framesizes += h.frame_size;