From patchwork Wed Feb 8 23:48:19 2017 X-Patchwork-Submitter: Matthew Wolenetz X-Patchwork-Id: 2459
From: Matthew Wolenetz Date: Wed, 8 Feb 2017 15:48:19 -0800 X-Gmail-Original-Message-ID: Message-ID: To: FFmpeg development discussions and patches X-Content-Filtered-By: Mailman/MimeDel 2.1.20 Subject: Re: [FFmpeg-devel] [PATCH] lavf/mov.c: Avoid heap allocation wraps and OOB in mov_read_{senc, saiz, udta_string}() X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" I've separated and updated the mov_read_udta_string() patch, attached. It prevents accessing MOVContext.meta_keys[0] in that method. That array is 1-based. On Wed, Dec 14, 2016 at 5:40 PM, Andreas Cadhalpun < andreas.cadhalpun@googlemail.com> wrote: > On 15.12.2016 00:37, Matthew Wolenetz wrote: > > From 8622f9398e7c89a664c4c2ceff9d35b89ff17bb5 Mon Sep 17 00:00:00 2001 > > From: Matt Wolenetz > > Date: Tue, 6 Dec 2016 12:54:23 -0800 > > Subject: [PATCH] lavf/mov.c: Avoid heap allocation wraps and OOB in > > mov_read_{senc,saiz,udta_string}() > > > > Core of patch is from paul@paulmehta.com > > Reference https://crbug.com/643952 > > --- > > libavformat/mov.c | 11 ++++++++--- > > 1 file changed, 8 insertions(+), 3 deletions(-) > > > > diff --git a/libavformat/mov.c b/libavformat/mov.c > > index e506d20..87ad91a 100644 > > --- a/libavformat/mov.c > > +++ b/libavformat/mov.c > > @@ -404,7 +404,7 @@ retry: > > return ret; > > } else if (!key && c->found_hdlr_mdta && c->meta_keys) { > > uint32_t index = AV_RB32(&atom.type); > > - if (index < c->meta_keys_count) { > > + if (index < c->meta_keys_count && index > 0) { > > This should be in a separate patch. > > > key = c->meta_keys[index]; > > } else { > > av_log(c->fc, AV_LOG_WARNING, 
> > @@ -4502,8 +4502,8 @@ static int mov_read_senc(MOVContext *c, > AVIOContext *pb, MOVAtom atom) > > > > avio_rb32(pb); /* entries */ > > > > - if (atom.size < 8) { > > - av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" too > small\n", atom.size); > > + if (atom.size < 8 || atom.size > UINT_MAX) { > > + av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" > invalid\n", atom.size); > > return AVERROR_INVALIDDATA; > > } > > > > @@ -4571,6 +4571,11 @@ static int mov_read_saiz(MOVContext *c, > AVIOContext *pb, MOVAtom atom) > > return 0; > > } > > > > + if (atom.size > UINT_MAX) { > > + av_log(c->fc, AV_LOG_ERROR, "saiz atom auxiliary_info_sizes > size %"PRId64" invalid\n", atom.size); > > + return AVERROR_INVALIDDATA; > > + } > > + > > /* save the auxiliary info sizes as is */ > > data_size = atom.size - atom_header_size; > > > > And these should also check for SIZE_MAX. > > Best regards, > Andreas > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > From 1a1ad08dfdb4d3c76c64fc3d569ad360b737b0d6 Mon Sep 17 00:00:00 2001 From: Matt Wolenetz Date: Wed, 8 Feb 2017 15:40:46 -0800 Subject: [PATCH] lavf/mov.c: Avoid OOB in mov_read_udta_string() Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 (udta_string portion) Signed-off-by: Matt Wolenetz --- libavformat/mov.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index ca49786ea2..f804614a50 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -407,11 +407,11 @@ retry: return ret; } else if (!key && c->found_hdlr_mdta && c->meta_keys) { uint32_t index = AV_RB32(&atom.type); - if (index < c->meta_keys_count) { + if (index < c->meta_keys_count && index > 0) { key = c->meta_keys[index]; } else { av_log(c->fc, AV_LOG_WARNING, - "The index of 'data' is out of range: %d >= %d.\n", + "The index of 'data' is out of range: %d < 1 or >= %d.\n", index, c->meta_keys_count); } } -- 2.11.0.483.g087da7b7c-goog
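Review bot: in the quoted `@@ -404,7` hunk the new `index > 0` condition leaves the warning text `"The index of 'data' is out of range: %d >= %d.\n"` unchanged, so an index of 0 is now rejected while the log still claims it is `>=` meta_keys_count; the message needs to change in the same hunk (the separated patch in this reply does exactly that), and, as Andreas says, this fix belongs in its own patch because it addresses a different defect (a 1-based key table, per the cover note) than the senc/saiz allocation bounds.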
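Review bot: in the mov_read_senc hunk the upper bound `atom.size > UINT_MAX` should be stated against the type the value actually feeds; if atom.size ends up sizing a heap allocation it also needs comparing with SIZE_MAX, as the reply asks (on a 64-bit build UINT_MAX is the tighter of the two, on a 32-bit build they coincide, so checking both makes the intent explicit). The merged message `"senc atom size %"PRId64" invalid\n"` also drops the distinction between too small and too large; logging which bound failed is cheap and helps when triaging fuzzer inputs.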
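Review bot: the mov_read_saiz hunk bounds atom.size from above, but the statement that follows in the context, `data_size = atom.size - atom_header_size;`, is not bounded from below anywhere in the visible lines; unless an earlier check guarantees `atom.size >= atom_header_size`, add `atom.size < atom_header_size` to the same condition so data_size cannot go negative or wrap. The SIZE_MAX remark from the reply applies here as well, and the message could name the bound that failed rather than just "invalid".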
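Review bot: the separated mov_read_udta_string() hunk rewrites the format string but keeps printing `index`, declared `uint32_t` two lines above, with `%d`; since the string is being edited anyway, use `%"PRIu32"` (and the matching specifier for meta_keys_count if it is unsigned) so a large out-of-range index is not logged as a negative number. The commit message says only "Avoid OOB" and should state why index 0 is rejected, namely that meta_keys is 1-based as the cover note explains, because that is not recoverable from the hunk itself.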